Re: 3.8 beta requests

2005-08-24 Thread Janne Johansson

Theo de Raadt wrote:

Of course not.  HOW CAN IT?  Get real!  The hardware is STILL only
providing permissions at the page level!


If you have aggressive amounts of ram and/or patience you could have 
something along the malloc.conf P-option for ALL sizes.
Of course it would suck for any app more complex than sleep but for 
the sake of argument...



Apparently the new malloc(3) implementation doesn't stop me from writing past 
the end of buffer as long as I am inside the last page.
(Please forgive me beforehand if I am missing something too obvious)




Re: package installation script hints

2005-08-26 Thread Janne Johansson

Paul de Weerd wrote:

On Fri, Aug 26, 2005 at 12:06:29AM +0200, Marc Espie wrote:
|  2 - How is pkg_add -u working for people?
| 
| It works fine for me. I don't know about other people yet, you tell me...


I haven't used it very much yet, but so far everything works great for
me. But this is just basic pkg_add -u/pkg_add -r use, couple of
packages, nothing fancy.

Good stuff so far ;) So thanks, Marc.


I tried cd /usr/ports/cat/someport and then make update clean and it 
worked like a charm for updating-after-building.




Re: i386 binaries on amd64

2005-08-31 Thread Janne Johansson

Tony Lambiris wrote:
In reading some mailing lists, I noticed some people pass in the -m32 
flag when compiling to compile 32bit instead of 64bit... I added the 
flag to the Makefile and everything compiles except when I try to link 
all the objects into an executable, I get these errors:


/usr/bin/ld: warning: i386 architecture of input file `some.o' is 
incompatible with i386:x86-64 output


Is compiling this way possible at all?


No.



Re: openAFS or arla support?

2005-10-13 Thread Janne Johansson

ober wrote:

Do you guys prefer --with-transarc paths?

So let me know as I am writing it as we speak.
The goal is to allow you to install a single server AFS cell with a 
single script. I use the old version on Linux fine.

However, I would like feedback for transarc/non-transarc paths.


I'd prefer to have it ports-lookalike and have everything not end up 
under /usr, even though Transarc once liked it that way. If it ends up 
as a port eventually, it still needs to put everything under /usr/local 
(or whatever PORTSBASEDIR is at the time)




Re: Ports changes web page is badly out of date

2007-09-10 Thread Janne Johansson

Landry Breuil wrote:

http://www.openbsd.org/portsplus/index.html
which is referenced by
http://www.openbsd.org/plus42.html

yeah, perhaps someone feels like starting to keep portsplus up to date
from now on? please contact me if so.


http://ports.openbsd.nu/ homepage would be a good starting point to
collect information, or creating an automatic system parsing
ports-changes@ messages.. but the OpenBSD website is fully static, so the page
would have to be manually updated.


Just copying machine-wise from a maillist to a webpage is probably not 
what you'd want anyhow, but rather like plus.html, where someone (like 
me) actually does some kind of selection of what actually affects users 
and what doesn't.




Re: hardening BSD (was systrace/stsh policies)

2007-10-15 Thread Janne Johansson

Eduardo Tongson wrote:

Robert Watson's paper discusses concurrency vulnerabilities. Impacts
include policy bypass and audit trail invalidation. A bypass means it
is useless. That pretty much hammered in the last nail on the coffin
for security tools based on system call interposition.



I actually don't think it is all worthless. Imagine a machine running a 
server daemon. If you systrace that particular daemon to not be able to 
fork()/exec*() or system(), you could be quite sure it won't start random 
apps on your machine in case someone manages to trick it somehow.


Now, if the attacker already has a local account and/or shell, he might 
run races and fool the systrace. But if this daemon was the only way for 
said attacker to gain such shell access, and it can be prevented from 
doing common stuff needed to get a local shell then you would have a 
safer system.


In this way, systrace might be usable still, even though it won't suffice 
for systrace'd shells given out to bad guys. Same as all other measures 
you might have like chroots, stack gaps, randomized mem layouts and 
library addresses, they never prevent 100% of all attacks, just many of 
them.



On 10/15/07, Steve Shockley [EMAIL PROTECTED] wrote:

Joachim Schipper wrote:

You should probably do a Google search on systrace before continuing
further down this road. In particular, I believe the issue highlighted
by Robert Watson has not been fixed yet (although I could be wrong, and
would be happy to be wrong in this case).

The white paper for the systrace vulnerability was a little bit beyond
me; what's the impact of the issue?  Is a system running systrace *more*
vulnerable than a normal system, or is the problem just that a
determined user can circumvent systrace (like the bottom of systrace(1)
suggests)?  If it's the latter, it seems like it'd still be useful for
policy enforcement to some extent.




Re: error building userland - inconsistent operand constraints in an `asm'

2005-05-25 Thread Janne Johansson
fehler404 wrote:
 dear all,
 
 after trying to get along on my own for a while, I finally got so disappointed
 and unsatisfied and decided that I need help. I always ran into the same
 problem, so there must be something wrong about my procedure for how I build
 kernel AND userland.

 # cd /usr/src
 # make build
 
 and that's the point where it ALWAYS stops with exactly the same error
 message!!
 I tried it with OpenBSD version 3.5, version 3.6 and version 3.7. I always
 run into the same error :-(

This part makes no sense to me. I have seen loads and loads of weird
compile errors, and other faults while trying to do stuff from
release-current, or stable-current or current-flagday and so on, but
I can hardly believe that doing 3.5-install and your update-to-stable stuff,
3.6-install and your update stuff and finally 3.7-install and your
update stuff would give the same error. I might be wrong but it seems
to be an infinitesimally small chance of getting the same error (which
no one else has seen) on three releases in a row.

 /usr/src/lib/libpthread/arch/i386/_atomic_lock.c: In function
 `_atomic_lock':
 /usr/src/lib/libpthread/arch/i386/_atomic_lock.c:22: inconsistent operand
 constraints in an `asm'
 *** Error code 1
 


-- 
Janne Johansson
Sektionen för IT & Media, Stockholms Universitet
Frescati Hagväg 10
106 91 STOCKHOLM
http://www.it.su.se



Re: quick malloc guard patch

2005-05-25 Thread Janne Johansson
Jonathan Thornburg wrote:
 when malloc gets a request with a size equal to the size of a pointer, we
 can allocate a whole page, and return a pointer 4 bytes from the end. the
 four bytes allocated are usable, but don't touch the fifth or any later
 ones.  (8 bytes on 64bit archs).
 
 Is the plan to make this the default behavior, or just to add it as
 another option selectable by /etc/malloc.conf?

This would make all 4/8-byte mallocs take up one page (4k) each if I
understand this correctly.

That's fine for debugging, but probably too expensive for normal usage.

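The guard-page scheme this thread (and the malloc.conf P-option discussion earlier on this page) talks about, as an added example in C that is not code from the thread or from OpenBSD's malloc(3): guard_malloc, guard_free and write_faults are names chosen here, and it assumes a POSIX system with mmap, mprotect and sigaction.

```c
/* Guard-page allocator: an added example, not code from the thread or from
 * OpenBSD's malloc(3). Each request gets its own page(s), the object sits at
 * the very end, and an inaccessible page is mapped right behind it, so the
 * first byte written past the end faults at once instead of landing silently
 * inside the same page. Assumes POSIX mmap/mprotect/sigaction; Linux tested. */
#define _DEFAULT_SOURCE 1
#define _XOPEN_SOURCE 700
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#define GUARD_ALIGN sizeof(void *)

static size_t page_size(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
}

/* Round up to pointer alignment so the pointer suits any object. Caveat: up
 * to GUARD_ALIGN-1 slack bytes then precede the guard page, and an overflow
 * that stays inside that slack is not caught. */
static size_t padded_size(size_t size)
{
    return (size + GUARD_ALIGN - 1) & ~(GUARD_ALIGN - 1);
}

/* Allocate `size` bytes immediately followed by a PROT_NONE guard page.
 * At least two pages per request: fine for debugging, too costly otherwise. */
void *guard_malloc(size_t size)
{
    size_t ps = page_size();
    size_t need = padded_size(size);
    if (size == 0 || need < size || need > SIZE_MAX - 2 * ps)
        return NULL;
    size_t data_pages = (need + ps - 1) / ps;
    size_t total = (data_pages + 1) * ps;            /* data pages + guard */
    unsigned char *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    unsigned char *guard = base + data_pages * ps;
    if (mprotect(guard, ps, PROT_NONE) != 0) {
        munmap(base, total);
        return NULL;
    }
    return guard - need;              /* object ends where the guard begins */
}

/* Release an allocation made by guard_malloc() with the same `size`. */
void guard_free(void *p, size_t size)
{
    if (p == NULL) return;
    size_t ps = page_size();
    size_t need = padded_size(size);
    size_t data_pages = (need + ps - 1) / ps;
    unsigned char *guard = (unsigned char *)p + need;
    munmap(guard - data_pages * ps, (data_pages + 1) * ps);
}

/* Probe: attempt one byte store and report whether it faulted. The
 * SIGSEGV/SIGBUS handler siglongjmps back so the process survives. */
static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_faulted;
static void probe_handler(int sig) { (void)sig; probe_faulted = 1; siglongjmp(probe_env, 1); }

int write_faults(volatile unsigned char *addr)
{
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    probe_faulted = 0;
    if (sigsetjmp(probe_env, 1) == 0)
        *addr = 0xAA;                                 /* the probed store */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return probe_faulted;
}

/* The thread's case, a pointer-sized request: 1 when the last in-bounds
 * byte is writable and the very next byte faults, 0 otherwise. */
int demo_pointer_sized(void)
{
    size_t n = sizeof(void *);
    unsigned char *p = guard_malloc(n);
    if (p == NULL) return -1;
    memset(p, 0x41, n);                               /* in bounds: fine */
    int inside_ok = !write_faults(p + n - 1);
    int past_faults = write_faults(p + n);            /* one byte too far */
    guard_free(p, n);
    return inside_ok && past_faults;
}
```

As the thread notes, every request costs at least two pages here, which is why this is a debugging mode and not a default allocator.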



Re: Serial console from sparc to i386?

2005-06-01 Thread Janne Johansson

Mike Sazhin wrote:


Hello,

I want to try sparc with OpenBSD and see if it is useful for what I do. I do
not have a monitor or keyboard that can go with it so I hope to be able to
install using a serial console. I have done this on i386 to i386. Now I want to
know if (with the proper cable, and what kind might it be?) it is possible
to run a serial console on the sparc and control it from an i386. Or are
the two systems so different that that is impossible? Are there any other
ways to install OpenBSD without monitor/keyboard?

Thanks,
Mike

PS This is the system I have if it makes a difference:

Sun ULTRA 1 Creator 3D UltraSPARC 167MHz 128MB RAM

I've done that, installed a sparc5 with no keyboard, no monitor and 
only a serial null cable to an i386 obsd that handled both netbooting the 
sparc and talking console with it. No problems.




Re: Can't make 3.7-stable release (tries to exceed capacity of /dev/svnd0a?)

2005-07-11 Thread Janne Johansson
Adam Fabian wrote:
 I've tried building an OpenBSD release from the 3.7-stable branch a
 few times in the last few days, on two different i386 machines, and
 both stopped in the same place.

--8--

 dd if=bsd.gz of=/mnt/bsd bs=512
 
 /mnt: write failed, file system is full
 dd: /mnt/bsd: No space left on device

--8--

 # uname -a
 OpenBSD noc.hillconet.net 3.7 GENERIC#0 i386
 
 (I was running the 3.7-stable GENERIC kernel both times I tried.  The
 userland, etc. builds and installs, too, just can't make the release.)
 
 Here's a complete dmesg from one of the machines that it failed to build
 on: (the other is pretty similar, and I believe both failures were
 identical, though I didn't save the last log, because I figured I
 probably did something wrong):
 
 OpenBSD 3.7-stable (GENERIC) #0: Sun Jul 10 14:53:01 CDT 2005
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Intel Celeron (GenuineIntel 686-class, 128KB L2 cache) 468 MHz
 cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
 real mem  = 199794688 (195112K)
 avail mem = 175558656 (171444K)

This is really something for the archives. A problem description with
really good info, and a dmesg too, even though it actually wasn't
needed. Newbies, see how this guy did *not* get flamed for including
both relevant, and irrelevant info and got his problem solved really quickly.

If one could only get coming generations to see this problem report too...




Re: VPN behind a router, now with OpenVPN

2005-08-04 Thread Janne Johansson
Helio Santana wrote:
 Hi,
 I've disabled AH in my sysctl.conf but it doesn't work...
 
 Now I have been trying to do it with OpenVPN. After reading all the how-tos, and
 some samples, the connection is successful with 2 obsd behind routers.
 It's very simple to do... I can see servers, but how can I
 check that my connection is encrypted?
 
 Last days with IPSEC, doing a tcpdump -i enc0 gave me
 'private/confidential)... but now, how can I do it?

tcpdump the external interfaces, looking at packets on the udp port you
selected for OpenVPN. (5000 for openvpn 1.x, and 1194 for ovpn2.x)




Re: theo

2005-12-01 Thread Janne Johansson

Sophie Laurie wrote:

The only thing that spoils OpenBSD is theo de raadt


But it caters so well to the needs of all the worst nastiest
anal-carotid-constriction-software-patent-loving-spam-your-grandma-
for-a-dollar-bottom-feeding-killing-babies-in-palestine-and-iraq
type organizations to be able to use the OpenBSD codebase in whatever
way they like.

For which at least Diana Eichert is ever so thankful. ;)



Re: OpenBSD and Kerberos Client

2007-06-05 Thread Janne Johansson

[EMAIL PROTECTED] wrote:

Hello all, I'm having a problem setting up kerberos on an OpenBSD
system. Please advise as you can.


...8...


I then tried kadmin on krbc2, which doesn't work. It doesn't even bother
with trying to get to the admin server. It just gives me a prompt
'kadmin'. Perhaps that's an issue?


That is how my heimdal kadmins work, so from that you should be able to
give kadmin commands, and if they require admin principals (which most 
do) then it will ask for that password at that time, not before.


prompt# kadmin -p myname/[EMAIL PROTECTED]
kadmin> ank host/[EMAIL PROTECTED]
asks for myname/[EMAIL PROTECTED] pw and stuff

kadmin> ext -k /etc/kerberosV/krb5.keytab host/[EMAIL PROTECTED]

..is how I would add hostkeys to an OBSD host using kadmin.



Re: OpenBSD and Kerberos Client

2007-06-05 Thread Janne Johansson

[EMAIL PROTECTED] wrote:

-Original Message-

From: Janne Johansson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 05, 2007 11:09 AM
To: David Rogal
Cc: misc@openbsd.org
Subject: Re: OpenBSD and Kerberos Client

[EMAIL PROTECTED] wrote:

Hello all, I'm having a problem setting up kerberos on an OpenBSD
system. Please advise as you can.

...8...


I then tried kadmin on krbc2, which doesn't work. It doesn't even
bother with trying to get to the admin server. It just gives me a
prompt 'kadmin'. Perhaps that's an issue?

That is how my heimdal kadmins work, so from that you should be able

to give

kadmin commands, and if they require admin principals (which most
do) then it will ask for that password at that time, not before.

prompt# kadmin -p myname/[EMAIL PROTECTED]
kadmin> ank host/[EMAIL PROTECTED]
asks for myname/[EMAIL PROTECTED] pw and stuff

kadmin> ext -k /etc/kerberosV/krb5.keytab host/[EMAIL PROTECTED]

..is how I would add hostkeys to an OBSD host using kadmin.


Thanks for that! I tried it, but kadmin doesn't do anything useful. It
just hangs - doesn't even time out. Tcpdump and ktrace show that kadmin
on the OpenBSD box has a quick chat with Kerberos on the Linux box, but
kadmin doesn't like whatever it receives. I think that's because of what
Viq has to say about Heimdal and MIT Kerberos being incompatible - at
least in respect to kadmin.

I've also found some people complaining that keytabs created on a
different server than the one in which they are meant for do not work
very well. If I can't use Heimdal's kadmin to create the keytab and I
can't use one created remotely, then I simply can't use Heimdal. A
'catch 22' which makes OpenBSD unusable for us in this circumstance.

Perhaps this is an incentive for Heimdal developers to get kadmin to
work with MIT Kerberos. That would help increase its userbase.


I don't think the last part necessarily is connected to the first. Just 
because the administrative programs/interfaces might not be 
interoperable, I still think you should be able to acquire host-keys 
with either software.


Might I suggest you try this from the OBSD box:
/usr/sbin/ktutil -k /etc/kerberosV/krb5.keytab get \
-p myname/[EMAIL PROTECTED] host/[EMAIL PROTECTED]



Re: OpenBSD and Kerberos Client

2007-06-05 Thread Janne Johansson

[EMAIL PROTECTED] wrote:

Might I suggest you try this from the OBSD box:
/usr/sbin/ktutil -k /etc/kerberosV/krb5.keytab get \
-p myname/[EMAIL PROTECTED] host/[EMAIL PROTECTED]


Same problem, it just hangs.

Please note that kinit / klist work just fine. Kadmin and ktutil both
hang. Looks like administrative functions are the problem. Perhaps I've
got something misconfigured?


Perhaps, but I think you will have to take it on the heimdal lists, I'm 
fairly sure it does interoperate with various kinds of krb5 
implementations, not just the MIT one. We make the AD hang off our 
heimdal servers here, so if heimdal can talk to Bill-kerberos, it should 
manage MIT too. ;)




Re: linker scripts

2007-06-20 Thread Janne Johansson

Constantine Kousoulos wrote:
Having a linux background (and a limited NetBSD experience), i expected 
to find linker scripts in the kernel source code. However, this is 
simply not true for most architectures. What is the logic behind the 
lack of linker scripts?


Do you have an actual problem or are you trying to invent one?



Re: IBM T60 - APM issues

2007-06-27 Thread Janne Johansson

atstake atstake wrote:

On 6/27/07, viq [EMAIL PROTECTED] wrote:

$ grep apmhalt /etc/sysctl.conf
#machdep.apmhalt=1  # 1=powerdown hack, try if halt -p doesn't work


Thanks but that didn't help.

At the moment I'm thinking of re-compiling the kernel as someone
mentioned (off the list) that I need to enable acpi in the kernel. I
was wondering if there's something I could enable from the UKC prompt
as mentioned here: http://openbsd.org/faq/faq5.html#Options and thus
avoid re-compiling the kernel altogether.


config -ef /mykernelname
UKC> enable acpi
### acpi enabled
UKC> quit
writing modified kernel.

Like that.

or, for one-shot testing, just give boot -c at the boot
prompt to get into the UKC to test it once. If it works, run the above 
trick to make it stick.




Re: VPN works but not when using CARP interface

2008-01-23 Thread Janne Johansson

James Rippas wrote:

Help/suggestions greatly appreciated.  I don't know where to look next.


I'm not sure, but this part doesn't look good.


213733.723906 Default attribute_unacceptable: ENCRYPTION_ALGORITHM:
got AES_CBC, expected 3DES_CBC
213733.723978 Default message_negotiate_sa: no compatible proposal found
213733.724049 Default dropped message from X.X.X.4 port 63065 due to
notification type NO_PROPOSAL_CHOSEN




Re: What is our ultimate goal??

2008-02-20 Thread Janne Johansson

Henning Brauer wrote:

* Mayuresh Kathe [EMAIL PROTECTED] [2008-02-20 14:07]:

(not that now I can do anything about it, all's lost for me)
Could you please read http://research.sun.com/minds/2007-0710/


yeah, i did, lots of marketing blubber, lots of bla bla, lots of vague 
indications, nothing concrete, nothing technical.


Mostly "Let's fix Slow-aris" is what I saw. Unless you are in a 
slow-aris situation, moving to whatever they did might not be an 
improvement. ;)




Re: There's something about OpenBSD...

2008-02-22 Thread Janne Johansson

[EMAIL PROTECTED] wrote:

For instance 'ggrep -r ...' instead of 'grep -r ...' to search recursively
with gnu grep (a worthless feature imho).

Displaying the name of the file and the matched line nicely like grep -r
does is not elegant with find + grep without using a script or a long
and inelegant alias - or if it is, I'd be interested in how it can be
done in case I need to work on some ancient unix.


$ find DIR -type f -print0 | xargs -0 grep PATTERN

which, unlike 'find ... -exec' is just as fast as 'grep -r', and unlike
'grep -r', will skip special devices, symlinks, etc.



# uname -a
SunOS dumbhost.test.se 5.10 Generic_118855-33 i86pc i386 i86pc
#  find /etc -type f -print0
find: bad option -print0
find: [-H | -L] path-list predicate-list

But yes, it's probably bad to start one grep per file.



Re: BSD Documentation License?

2008-03-27 Thread Janne Johansson

Ted Walther wrote:

[snip]

(The 2/3-term BSD license meant to do basically the same, but it used
more words to do the same.  The old 4-term BSD license included some
terms to make University of California benefit from advertising, if
there was going to be any.)


I have been generating midi, ogg, pdf, and mp3 files of some old,
out-of-copyright music.  I have been releasing them and the source that
generates them under the Creative Commons license.
Do you recommend the 3 term BSD license for this particular use instead?
Or would the 2 term one be better?


The BSD license is about using copyright, for which I believe you have 
no claim in the media files you mention.




Re: Forcing ports install

2008-04-02 Thread Janne Johansson
On Wed, 2008-04-02 at 22:33 +1000, N J wrote:
 Basically my question is how do I get the port to install without
 having to remove the old package and dependencies first?
 I'm trying to build pidgin out of the ports tree.

 Tried: set env FORCE_PKG_REGISTER
 Tried: make install FORCE_PKG_REGISTER

The question you should be asking yourself is:
Why do I try freebsd solutions to openbsd problems?

If you start your quest at www.openbsd.org - and from there read up on
the FAQ and/or the manual pages (which do not contain
FORCE_PKG_REGISTER) then you get an openbsd solution to what I hope is
an openbsd problem.

There is a whole chapter in the FAQ on ports/packages. Perhaps it
contains your solution?




Re: Kerberos ~/.k5user file

2008-04-08 Thread Janne Johansson
On Mon, 2008-04-07 at 20:48 -0700, Clint Pachl wrote:
 Is the ~/.k5user file supported in OpenBSD's Heimdal implementation? I'm

...

 BTW, what is /root/.klogin? Is it for kerberos 4? It doesn't have a man

Yes, it is (was) for krb4.




Re: wpa now in current?!

2008-04-17 Thread Janne Johansson

Stephan A. Rickauer wrote:

Great stuff. I just hope all those who whined for years about not having
WPA in OpenBSD are now man enough to give back by donating some money.
No excuses.


WPA-PSK only and for a limited number of drivers.


That's what I said!
http://undeadly.org/cgi?action=article&sid=20080416195151&pid=25&mode=expanded

..and did.



Re: Really large drives (was Re: Is there a badblocks-equivalent for OpenBSD?)

2008-04-21 Thread Janne Johansson
On Sun, 2008-04-20 at 22:53 -0500, Matthew Weigel wrote:
 David Gwynne wrote:

  solaris suffers from this problem. you cant use big disks with 32bit
  solaris kernels.

 For UFS, at least, but doesn't ZFS on i386 (not amd64) scale?

The filesystem yes, but the block addressing no. I had to split a large
raid into lots-of-lessthan1T parts and run zfs on top of them to get a
large filesystem on solarisx86-10 lately.




Re: How to HIDE OpenBSD as user-agent?

2008-04-29 Thread Janne Johansson
On Tue, 2008-04-29 at 06:18 -0600, macintoshzoom wrote:
 How to HIDE OpenBSD as user-agent?

 For security reasons it is sometimes interesting to hide GLOBALLY the
 O.S. you are running on AGAINST GIVING ANY CLUE TO HACKERS ABOUT HOW TO
 ATTACK YOU.


Which of course is bullshit, since the last 10+ years. They will attack
you, OpenBSD or not. What matters is not if you claim to be windows95 or
not, but if you in fact are vulnerable or not.




Re: OpenBSD's AFS informations

2006-02-27 Thread Janne Johansson

Bruno Carnazzi wrote:

So, I'd like to know if OpenBSD's
AFS could do the following (I assume that our actual file servers are
replaced by OpenBSD AFS cells) :
  * Gently synchronize/distribute 2 physical file servers in 1 logical
file server (real time is not needed)


Yes.


  * Does it scale well (new AFS cells, new clients) ?


Yes.


  * Does it support a quota mechanism ?


Yes,


  * Implementation and Administration cost (we are 2 bright guys :) ?


Hard to tell. People that have done AFS once seldom stop doing it, so 
there must be something in it to hook us afs-admins



  * What about the file permissions ? Is that Windows 2k3-friendly (ACL) ?


It has ACLs, but they aren't the same as any other OS's implementation.


  * Why did OpenBSD devs re-write an AFS instead of reusing OpenAFS ?


They didn't, they imported arla. Before OpenAFS, it wasn't free either.


  * Integration with ActiveDirectory for authentication ?


Yes, that is possible.


  * Recovery of a lost cell ?


?
There are backup solutions for AFS, if that is what you're asking.
Both commercial stuff that talks afs, and some tape-support-code
in openafs to do it without external programs too.



Re: Assembly Language Programs

2006-04-12 Thread Janne Johansson

Alessandro Coppelli wrote:

Hi to all.
I am interested to developing a little
assembly language programs.

I read the article written by Thomas Sommers
( http://user.nj.net/~tms/hello.html )
I followed author's instructions but at the end of compilation

  as -o name.o name.s
  ld -o name name.o

what I have is

 #./name
 #ksh: Operation not permitted


 Does someone know what is happening ?

Ale



Either you haven't set the x-flag on the binary, or the partition
where you are is mounted with noexec, is my guess.



Re: pf and pmtu discovery

2006-04-20 Thread Janne Johansson

Lars Weste wrote:

Hi,

with scrub in all set at the firewall, will openbsd handle icmp packets 
of type unreach code needfrag automatically, because of the statefulness?


scrub no-df fixes this, no?



Last call for swedes wanting to attend the fundraiser event.

2006-06-02 Thread Janne Johansson

http://slackathon2006.unix.se for info (in Swedish),
attach /index_en.html for an (almost 100% updated) English version.

It's tomorrow (3rd of June) at the Stockholm University, so this really 
is the last call, but in case I missed some of you swedes when spamming 
all local lists and forums, and you have the day off tomorrow, come by 
and donate!


We'll play with trunk(4)ed Gbit-interfaces, hear Niklas Hallqvist, Artur 
Grabowski, Hans Insulander and others talk about OpenBSD and 
networking/security stuff in general, and generally have a nice social 
event. Since there are no/few good events where you can meet openbsd 
people in .se, this is your chance!


See you (and your cash) there!

/Janne



Re: kernel settings for pf default block

2006-07-05 Thread Janne Johansson

c.s.r.c.murthy wrote:

Hello Matthew,
	block all in pf.conf is ok, but it will go away when the rules are 
flushed for known/unknown reasons. I feel it is desirable to have a 
kernel parameter that does default blocking when all rules are flushed.


But the default blocking will go away when the kernel parameters are 
flushed for known/unknown reasons too. Perhaps a setting for the 
network drivers so that if the pf.conf goes, and the kernel parameter 
are lost it can still block packets. But hey, if the setting goes away




Re: Question related to automaticly encrypted /tmp /vat/tmp (like swap..?)

2006-07-07 Thread Janne Johansson

Daniel A. Ramaley wrote:
 I have not seen 
documented how mfs allocates memory, so i just did a quick test. On a 
machine with 205 MB of RAM free i mounted a 128 MB mfs. Free RAM 
dropped to 199 MB; only 6 MB used! So OpenBSD must only allocate RAM 
for sectors that have actually been written to. Since the system is not 
using any more RAM than it has to, i think i'll switch to using mfs 
for /tmp as well.


mount_mfs uses mmap(), which in turn will only use those pages which the 
program actually touches. An unused (large) mfs will not take up much 
ram, and if it does, it can swap out seldom used pages too.




Re: OT: (don't open if you don't like) Kerberized FTP client/Server

2006-07-17 Thread Janne Johansson

Eric Pancer wrote:

On Mon, 2006-07-17 at 20:34:36 -0600, Bob Beck wrote...


Authenticating using kerberos and ftp is possible, but why
use clear text passwords. Set up ssh to use kerberos and use sftp/scp.
There are many windows things out there to provide a bozo front end to
sftp/scp. i.e. WinSCP, Secure Iexporer, etc. etc.


I think he meant a kerberized ftp client, which means the password should
never go across the wire. I know umich used to have one, and it had a
private directive, but I don't think it's around anymore.

- Eric



There is one here.
http://www.stacken.kth.se/~thn/ktelnet/



Re: OT: (don't open if you don't like) Kerberized FTP client/Server

2006-07-18 Thread Janne Johansson

Jan Johansson [EMAIL PROTECTED] wrote:

Gustavo Rios [EMAIL PROTECTED] wrote:

What kind of ftp client have you been using on windows
for such task? Is it possible to have such environment working with
standard openbsd ftp server ?


KTelnet does Kerberized FTP but I would suggest using SSH/SCP
because the clients are better.

http://www.stacken.kth.se/~thn/ktelnet/beta/



It's really weird to have someone with the same name as you, living 
close to you and in the same computer club as you posting the same 
answers you do.


We really need to synchronize whose turn it is to answer next time 
something obvious to us both comes up. ;)


/Janne - no, you're not getting duplicates on misc@ - Johansson



Re: Process dies when it reaches a size of 1GB.

2006-07-18 Thread Janne Johansson

Joe Gibbens wrote:

I'm running squid-transparent on 3.9, and the process dies every time
it reaches 1GB.
FATAL: xcalloc: Unable to allocate 1 blocks of 4108 bytes!
The system has 2GB ram

# ulimit -aH
time(cpu-seconds)    unlimited
file(blocks)         unlimited
coredump(blocks)     unlimited
data(kbytes)         1048576  - (where is this limit configured?)


/sys/arch/i386/include/vmparam.h:#define MAXDSIZ (1024*1024*1024) /* max data size */


Note though, I could not go to 2G on amd64, since the kernel elf-loader 
code would act up while compiling (and other parts later might as well!), 
but I did try 1.5G with a complete make build going through.



stack(kbytes)        32768
lockedmem(kbytes)    1907008
memory(kbytes)       1907008
nofiles(descriptors) 1024
processes            532

How do I change the 1GB maximum data segment size?  ulimit -d does not
seem to change anything.  Also, how do the limits in login.conf apply?
The _squid user is in the daemon class, and that class is set to a
data size of infinity?


The resource limits are inherited from the hard limit that vmparam.h 
sets of course, so if you manage to increase it, the login.conf 
infinity should go up also. You won't reach 2G though, if I can make a 
guess.




Re: squid process dies when it reaches a size of 1GB.

2006-07-19 Thread Janne Johansson

Joe Gibbens wrote:

Thanks for the reply Janne.
 
So my only way to run a process over 1GB in size is a custom kernel?  Is 


Yes, as of now, on i386.

there an easier way to run a large cache with a process size over 1GB?  


You can do other things as well, like bumping cachepct to ~12 with
config -ef /bsd (I believe there is a limit close to 256M for filesystem 
cache on obsd, and you having 2G ram gives 12 percent for that)

Not much help there, but at least something.

I can re-configure the memory usage, but it would be nice to be able to 
utilize more of my physical memory without having to go with a custom 
kernel.


Hack away, solve the issues! =)
(Or pay someone to do it for you/us)



Re: OpenBSD 4.0 - Where is it?

2006-10-26 Thread Janne Johansson

ICMan wrote:
I admit that I am not the most up to date on the release process, but 
why is 4.0 not out on the FTP server yet if people are receiving it in 
their homes on CD?  And how do I get on that list of people who get the 
pre-release?


Folks who pre-order get an advantage. The rest of us have to wait 4 more 
days for the FTP to release it.




Re: small, random essay on performance tuning, was: remove....

2008-06-09 Thread Janne Johansson
On Sat, 2008-06-07 at 13:23 +0300, Lars Noodin wrote:
  It seems from the messages, and my limited
 experience, that many come to OpenBSD from other systems where messing
 with the kernel is both required and expected[1], that includes Linux
 and FreeBSD.

 [1]   Case in point see AFS client problem in Ubuntu:
   https://bugs.launchpad.net/ubuntu/+source/openafs/+bug/191353


Seems like the discussion that one points to ends with you just need to
compile the OpenAFS kernel module, not the kernel.
Try another case-in-point.




Re: vsftpd [more secure]

2008-06-10 Thread Janne Johansson

Saulo Bozzi wrote:

*Name* *Version*
 vsftpd http://vsftpd.beasts.org/ 1.1.3
 vsftpd http://vsftpd.beasts.org/ 1.2.2
 vsftpd http://vsftpd.beasts.org/ 1.2.2
 vsftpd http://vsftpd.beasts.org/ 2.0.1
 vsftpd http://vsftpd.beasts.org/ 2.0.4
what version should i use?
what is more secure...the last version...2.0.6 or 2.0.4 or 1.3?!


Ask the vsftpd guys?



Re: vsftpd [more secure]

2008-06-11 Thread Janne Johansson

Saulo Bozzi wrote:

my question is to the system administrator.
that know about vsftpd.
 
thnkz.
 
regardsbye.




..and my reply was to a person that thinks the Ford car owner maillist 
is the optimal place to ask for driving directions from London to Paris.


If the vsftpd guys/forums/maillists can't tell which of their versions 
is the most secure, I strongly suggest you don't run that software.




Re: anoncvs.se.openbsd.org: No space left on device

2008-06-17 Thread Janne Johansson
On Mon, 2008-06-16 at 19:44 +0200, Martin Toft wrote:
 Hi misc@

 I get the following error message when updating the xenocara module from
 anoncvs.se.openbsd.org:

I'll talk to them.




Re: CARP not leaving backup state

2008-07-24 Thread Janne Johansson

William Stuart wrote:

Hello everyone,

I am sorry for not mentioning it was a vmWare instance.  The packet 
replay seemed to be the culprit.


This occurred when we moved the image to a vmWare host running vmWare ESX 
3.5 from 3.0.  Our working theory is that under 3.5 pernicious mode 
works differently than under 3.0 and replays all of the traffic.


Has anyone else experienced this problem?


We have also experienced problems with CARP when moving ESX from 3.0i to 
3.5. No solution yet.




Re: compiling tools

2007-01-05 Thread Janne Johansson

Joachim Schipper wrote:

I think that the best way for me to use ccache is to be able to
revector the CC and C++ compilers ... but I'm not certain, could I just
put something like

make CC=ccache build

as my main compilation command (after, of course, I do the dependencies)
and get the compiler revectored to my ccache tool?


http://marc.theaimsgroup.com/?l=openbsd-misc&m=109043549403999&w=2 seems
to suggest that putting the appropriate CC= line in /etc/mk.conf might
work; this is not documented in mk.conf(5).
http://marc.theaimsgroup.com/?l=openbsd-ports&m=116060629621783&w=2
suggests likewise, and points to another possible solution, provided you
have quite a few Zauruses.


Don't forget, ccache does a checksum of the preprocessed .c file and the 
compiler in order to not use old .o's if your compiler is replaced.
When doing a make build, the compiler is rebuilt _twice_, so you are 
definitely guaranteed not to ever get any gain from ccache on make builds.


As for distcc, various parts of the build tree have makefiles that can 
handle -jX, whereas others might not. No one seems to have researched 
which parts do as of now.




Re: HTTP URL filtering?

2007-02-22 Thread Janne Johansson

Daniel Ouellet wrote:

Toni Mueller wrote:

I don't want to generally deny, or slow down, IE users of the site (I
can't), but only want to deny them range requests. I didn't find a knob
in Apache to do this. If anyone else does, I'm still interested.


Maybe I am thick here, but I still don't understand what you are after 
here. You can block access with:


Order Allow,Deny
Allow from all
Deny from w.x.y.z/xx

And with something like:
BrowserMatchNoCase \MSIE 5.5 browser=MSIE_5.5
and SetEnvIf, you can do clever things.

I didn't put a lots of thoughts in the last piece here as I use that for 
blocking some specific traffic and the like, but I don't see why it 
wouldn't be possible.


Then I use something like:

RewriteRule Your rule here  http://%{REMOTE_ADDR}/  [L,E=nolog:1]

But that needs to be specific for each setup you want to use.

I would need to spend time thinking about it, but I would think it's 
possible to do. Not easy, but possible. Some reading is needed.


Today's post on Undeadly about the Layer-7 SSL load balancer almost 
looked as if it could do just this, at least if you could identify 
win-machines with the OS fingerprinting, and send all IE (hence all
winders users) to a relay that would change so that the server doesn't 
announce range capabilities.


Perhaps a long-winded way of solving this, if there is no other simple 
knob in apache to turn ranges off.




Re: Missing security announcements

2008-11-13 Thread Janne Johansson

 All this chatter now isn't going to change anything when the next
errata comes out.  You want security announcement? Do something to
make it happen!


 Ted,

 everybody knows that's not going to happen.
 I remember having asked the same question YEARS AGO and
 nothing has changed since then.

Reading those two next to each other says everything.



Re: Using a separate boot partition

2008-11-14 Thread Janne Johansson

Stuart Henderson wrote:

I'm backing ben here : OpenBSD / should be small enough to fit it
entirely into a boot partition.


/etc/{master.,}passwd and /etc/{s,}pwd.db can grow pretty large
on some systems...


# wc -l < /etc/passwd
  118993
# ls -lh /etc/*db
-rw-r--r--  1 root  wheel    75.2M Nov 14 08:34 /etc/pwd.db
-rw-r-----  1 root  _shadow  75.2M Nov 14 08:34 /etc/spwd.db

Yup.



Re: Research for a Software Security paper

2008-11-20 Thread Janne Johansson

Jose de Paula Eufrasio Junior wrote:

Hello, before anything else, I did read all material about the OpenBSD
security policies on the website. 

...

I read the documentation on the site already and would like to get some
more info about the process.

...

2) The OpenBSD  and OpenSSH code is always available or they have
periodic releases? Does those releases, if they exist, have any
security specific treatment or auditing?


You said twice above that you read all materials and couldn't figure out 
if the code is always available or have periodic releases? Booo.




Re: Research for a Software Security paper

2008-11-20 Thread Janne Johansson

Jose de Paula Eufrasio Junior wrote:

On Thu, Nov 20, 2008 at 7:44 AM, Janne Johansson [EMAIL PROTECTED] wrote:


You said twice above that you read all materials and couldn't figure out if
the code is always available or have periodic releases? Booo.


As I also said:

I used the same questions on all
projects I researched so they are not specific questions.

I just repeated (copy-pasted) the questions I used before, I know the answers to
some, but not to all. I was just assuring all projects answered the
same questions to make the process equal.


It's the do my homework part that got me.

I was just assuring all the projects answered one part each of my homework



Re: /usr/obj slice size

2008-12-15 Thread Janne Johansson

Josh Grosse wrote:

On Mon, 15 Dec 2008 14:24:18 +, Dave Wilson wrote

...I'm trying 
to create a 2G MFS for /usr/obj, but if I go much above 200 with 
mount_mfs I get an error...


For /usr/obj on i386, my userland build script creates two MFS mounts, builds
sparse files on them, assigns the sparse files to svnd1 and svnd2,
concatenates them with softraid, and mounts the newly formatted larger
MFS-ish partition as part of its setup steps.



I do one for obj, one for obj/lib and one for obj/gnu which makes
it all work even though the limit is at 1G for i386.
Just make the first get populated from a skeleton dir having lib and gnu
there already so they can mount onto something:


swap /usr/obj     mfs rw,async,-s=1924000,-P/usr/skel-obj 0 0
swap /usr/obj/lib mfs rw,async,-s=1936000 0 0
swap /usr/obj/gnu mfs rw,async,-s=1936000 0 0



Re: OpenBSD 4.4 amd64 bsd.mp can't detect 4GB memory

2008-12-22 Thread Janne Johansson

Owain Ainsworth wrote:

Enabling bigmem=1:

Also, from sys/arch/amd64/amd64/machdep.c:
   /* Tweakable by config(8) */
How?


That diff was never committed. Config needs to know about it before it
can change it.


I did a similar config(8) patch for when PAE was in the same situation, 
so if someone desperately wants to make his/her config bigmem-aware and 
wants a hint on how to turn a random int on from config(8):

http://people.su.se/~jj/obsd/config-pae.diff



Re: www@

2009-01-07 Thread Janne Johansson

Jordi Espasa Clofent wrote:

Hi all,

I've sent a mail to www@ about some questions to build a mirror but no 
response at moment.

Who's behind this mail account?



It is a mailing list.



Re: script

2009-01-12 Thread Janne Johansson

Nick Guenther wrote:

Does anybody provide a commercial shell scripting???


for i in Don't wait Buy Things Now Save Now $0.99 Get your
instant trial account now Double Your Sales Calls, Free Script
Demo; do
  echo $i
done

Like that?


Hey man, that wasn't just 'commercial grade', that was Enterprise(tm) ready!
Almost ready to be:
#!/usr/games/fortune 500
...



Re: Port ZFS to OpenBSD

2009-01-15 Thread Janne Johansson

Khalid Schofield wrote:

Dev's.
What are the chances of getting a port of ZFS to OpenBSD?


If you just sit and wait for it, I'd say: zero to very-little.



Re: Port ZFS to OpenBSD

2009-01-15 Thread Janne Johansson

Dieter wrote:
What are the chances of getting a port of ZFS to OpenBSD? I can't  
quite bring myself to run solaris since it lacks so much of what I  
love about OpenBSD and Linux is back to square one because of the  
reasons I moved to OpenBSD.


Have you ruled out FreeBSD?

Why are so many people so hot for ZFS?  From what little I've read
about it, it sounds very complex, which means bugs and a nasty learning
curve.  Not something I'm interested in trusting my data to.


Then again, you give the zfs a name, and throw it a list of raw devices 
and you can have that filesystem 'newfs'ed, writeable, nfsexported and 
running in a more than usual fault-tolerant raided mode in mere seconds 
regardless of size.


Some admins value that. (except the nfs part, but it's optional)



Re: Polite enquiry as to if anyone is working on 64 bit time_t, and if so, what's the plan?

2011-10-19 Thread Janne Johansson
2011/10/19 Bruce Drake br...@zectro.com

 I found mention of a possible move to 64 bit time_t back in 2005 and 3.9
 was mentioned, but I see it hasn't happened. Is there a plan, like for
 instance making all platforms, even 32 bit 64 bit time_t, like I think
 NetBSD have tried/trying to do?
  Can some one give a brief list of what needs to change, forgetting about
 ports, like UFS etc. that would be greatly appreciated.

 A lot of protocols?
It's of no use if my machine knows it is Jan-1-2040 today if the HTTP
cache-expires says "you may cache this until Jan-1-1904" or the ntpd thinks
UTC is at 1904 and I'm a bit off.

-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: Polite enquiry as to if anyone is working on 64 bit time_t, and if so, what's the plan?

2011-10-20 Thread Janne Johansson
2011/10/19 Michael T. Davis dav...@ecr6.ohio-state.edu

  I found mention of a possible move to 64 bit time_t back in 2005 and 3.9
  was mentioned, but I see it hasn't happened. Is there a plan, like for
  instance making all platforms, even 32 bit 64 bit time_t, like I think
  NetBSD have tried/trying to do?
   Can some one give a brief list of what needs to change, forgetting
 about
  ports, like UFS etc. that would be greatly appreciated.
 
  A lot of protocols?
 It's of no use if my machine knows it is Jan-1-2040 today if the HTTP
 cache-expires says "you may cache this until Jan-1-1904" or the ntpd
 thinks UTC is at 1904 and I'm a bit off.

 You seem to be saying that applications need to be patched before
 the underlying operating system (OS) can be considered.  But isn't the OS
 responsible for providing the glue (e.g. time-related include files and
 libraries) with which applications are built?  (This is coming from a
 casual
 user, so if I made the wrong inference from your statement, I'm happy to be
 corrected.)


What I meant was as you say, we can change the include file to say use 64
bits for time and recompile some apps, but if the database file format or
the over-the-wire formats don't support 64 bits for specifying time, you'd
be screwed anyway. That's why applications, formats and protocols need to
change, since many of them use 32 bits today.

-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast
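As an added example (not from Janne's reply, nor OpenBSD code), this is the 32-bit format problem in C: a hypothetical record format stores seconds since the epoch in a 4-byte signed big-endian field, and a Jan-1-2040 timestamp comes back out as 1903 no matter how wide time_t is on the host, while the same record with an 8-byte field round-trips. The 2040 constant and the record layout are constructed for the example.

```c
/* Added example: a timestamp round-tripped through a 32-bit file/wire field
 * wraps to 1903 regardless of the host's time_t width. Not OpenBSD code. */
#include <stdint.h>

/* Constructed value: 2040-01-01T00:00:00Z as seconds since the Unix epoch
 * (70 years * 365 days + 17 leap days = 25567 days * 86400). */
#define T_2040 2208988800LL

/* Year of a UTC timestamp, computed from plain int64 arithmetic (the
 * civil_from_days algorithm) so the answer does not depend on the host's
 * own time_t or gmtime(3), which is the thing under discussion. */
int utc_year(int64_t t)
{
    int64_t days = t / 86400;
    if (t % 86400 < 0)
        days--;                          /* floor, not truncate, before 1970 */
    days += 719468;                      /* shift epoch to 0000-03-01 */
    int64_t era = (days >= 0 ? days : days - 146096) / 146097;
    int64_t doe = days - era * 146097;   /* day of 400-year era */
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t y   = yoe + era * 400;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp  = (5 * doy + 2) / 153;   /* month index, March = 0 */
    int64_t m   = mp < 10 ? mp + 3 : mp - 9;
    return (int)(m <= 2 ? y + 1 : y);    /* Jan/Feb belong to the next year */
}

/* Hypothetical record format: 4-byte big-endian seconds field, the way many
 * older on-disk and on-the-wire formats store time. The writer silently
 * truncates a 64-bit value; the reader, written when 32 bits was all there
 * was, interprets the field as signed. */
void put_time32(unsigned char out[4], int64_t t)
{
    uint32_t v = (uint32_t)t;            /* the high 32 bits are lost here */
    out[0] = (unsigned char)(v >> 24);
    out[1] = (unsigned char)(v >> 16);
    out[2] = (unsigned char)(v >> 8);
    out[3] = (unsigned char)v;
}

int64_t get_time32(const unsigned char in[4])
{
    uint32_t v = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
                 ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
    return (int32_t)v;                   /* values past 2038 turn negative */
}

/* The same record with the field widened to 8 bytes: the fix that has to
 * happen in the format itself, not just in the time_t typedef. */
void put_time64(unsigned char out[8], int64_t t)
{
    uint64_t v = (uint64_t)t;
    for (int i = 7; i >= 0; i--) {
        out[i] = (unsigned char)v;
        v >>= 8;
    }
}

int64_t get_time64(const unsigned char in[8])
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | in[i];
    return (int64_t)v;
}

/* Year that survives a write/read cycle through each record format. */
int year_via_32bit_field(int64_t t)
{
    unsigned char buf[4];
    put_time32(buf, t);
    return utc_year(get_time32(buf));    /* T_2040 comes back as 1903 */
}

int year_via_64bit_field(int64_t t)
{
    unsigned char buf[8];
    put_time64(buf, t);
    return utc_year(get_time64(buf));    /* T_2040 comes back as 2040 */
}
```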



Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

2011-11-07 Thread Janne Johansson
2011/11/8 Mostaf Faridi mostafafar...@gmail.com

 Sorry for my bad English I , only understand is this pf.conf work in
 openbsd 5 or no .? Which part I must edit and change it


The part where you hope someone else will do the work so you don't have to
know what your own firewall is doing, and why.

-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: What is wrong with this pf config

2011-12-11 Thread Janne Johansson
2011/12/11 John Tate j...@johntate.org


 So I have a suggestion worth considering, if the line "block in all" does
 not appear pfctl -nf should perhaps spit out a warning. Much like you've
 done with your pretty compilers over there.


There are still lots of reasons to run PF even if you don't want "block in
all" for a default, so whining on all the other uses you couldn't imagine
would not be very productive.

-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: OpenVPN issues on 5.0

2011-12-16 Thread Janne Johansson
2011/12/16 Erling Westenvik erling.westen...@gmail.com

  Links to foolproof HOWTO's will be much
 appreciated!

Nature has thwarted all attempts to make such HOWTOs by making ever
better fools, which probably is why you:

 ...but I have spent two days Googling,
 reading tons of HOWTO's and trying out different solutions, but
without
 being able to solve the issue.

Not to say you are a fool, but HOWTOs for anything else than the most
simple stuff can't cover all cases, which means you still must
understand things or the HOWTO will not help you and instead lead you
astray in the wrong direction, making you look foolish when you in
reality wanted help. In the long run, learning the stuff you attempt
to do instead of wasting two days following someone else's bad advice
is better spent.

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: OpenVPN issues on 5.0

2011-12-22 Thread Janne Johansson
2011/12/22 Erling Westenvik erling.westen...@gmail.com:
 Sorry for bumping this here @ misc when my question probably belongs to
 some OpenVPN forum, but it seems like no-one out there can say much on
 OpenVPN issues that appear to be OpenBSD specific.

 What puzzles me is that I cannot make the tun-interface show up in the
 route table on the server:

 DestinationGateway   Flags Refs  Use   Mtu Prio Iface
 defaultAAA.BB.CCC.D  UGS  3 1101 -8 url0
 127/8  127.0.0.1 UGRS 00 331968 lo0
 127.0.0.1  127.0.0.1 UH   20 331964 lo0
 192.168.2/24   link#5UC   10 -4 acx0
 192.168.2.200  00:16:ea:b3:65:d0 UHLc 1  400 -4 acx0
 192.168.3/24   link#2UC   20 -4 bge0
 192.168.3.106  00:1e:4f:95:19:1d UHLc 1 1582 -4 bge0
 192.168.3.200  fe:e1:ba:d7:c3:24 UHLc 0   28 -4 bge0
 193.90.160/20  link#6UC   10 -4 url0
 AAA.BB.CCC.D   00:90:1a:42:6d:81 UHLc 10 -4 url0
 AAA.BB.CCC.DDD 127.0.0.1 UGHS 00 331968 lo0
 224/4  127.0.0.1 URS  00 331968 lo0

 /etc/hostname.tun0 
 link0
 up
 !/usr/local/sbin/openvpn --config /etc/openvpn/server.conf


 /etc/hostname.bridge0 
 add bge0
 add acx0
 up


What does ifconfig tun0 say?

When I did openvpn before I mostly didn't start openvpn from the tun
config file myself, but rather start openvpn and make that one bring
up tuns for me, but I would assume that if the tunnel goes up and then
down and if it takes the tun0 down until the tunnel can be taken up
again, the network that tun0 belonged to would not show in the routing
table until it gets back up again. Any interface that has an address
and that is up would somehow make an entry in the routing tables.

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: yt_execution_fails_due_to_lua_error-[4.9-stable]

2012-01-24 Thread Janne Johansson
2012/1/20 soko.tica soko.t...@gmail.com:
 Hello,

 I was trying to download a youtube video from a box running 4.9
 stable, but got the following error:
 =
 Getting http://www.youtube.com/watch?v=i7pkyDUX5uM ...
 /usr/local/bin/lua: /usr/local/share/lua/5.1/base.lua:433:
 stack traceback:
[C]: in function 'error'
/usr/local/share/lua/5.1/base.lua:433: in function 'assert'
/usr/local/bin/yt:158: in main chunk
[C]: ?

 

Also, if you add the URL with a leading space yt will spew errors.
(happens to me sometimes while pasting in URLs into a set of  's)

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: Routerboard RB600 and hifn(4)

2012-01-24 Thread Janne Johansson
I think accelerator cards need to provide both checksumming (md5 or
sha1) and crypto in HW before it's actually any use. Otherwise you will
spend most of your time copying data around.

2012/1/22 Stefan Johansson steve.johans...@telia.com:
 Hello!

 Does anyone on the list have experience with a hifn(4) card (such as the
 Soekris vpn1411)
 in a Routerboard RB600?
 I'm using it for an ipsec tunnel (isakmpd between RB600 and an other
OpenBSD
 i386 box)
 and would like to know if it will give me any performance increase before I
 purchase one?

 Today I get about 12 Mb/s through the tunnel and 60-70 Mb/s outside.
 I am measuring this with iperf on OpenBSD 5.0 and the RB600 CPU is set to
 533MHz.

 /Stefan




--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: Build libc separately

2012-01-24 Thread Janne Johansson
I think this would be a good case of "If you don't know how to do it,
it is the wrong solution to your problem."
Or, you will get a really decent amount of training in how to recover
broken installations.

2012/1/24 Serguey Kuritsin kuritsin_...@mail.ru:
 Hello!

 I need to compile libc with different compiler (llvm) separately from
 other parts of source tree (i.e. compilation of other parts is
 unnecessary) and keep it in special directory (both includes and libs).
 Can you please give me some clues how to perform it? Some pointers to
 Make infrastructure would be great.

 I apologize for my English.




--
To our sweethearts and wives. May they never meet. -- 19th century toast



Re: Long delay updating xenocara source tree?

2012-01-31 Thread Janne Johansson
2012/1/31 Dave Anderson d...@daveanderson.com:

 I do have a slowish ADSL link (384Kbps/1536Kbps) which would limit me to
 very roughly 1MB/min outbound, so I took advice to use '-z 9' to
 compress data and that reduced the total time for a xenocara source tree
 update from about 11 hours to about 2.5 hours.  (Though I discovered
 that not all servers support compression.)

If they do anoncvs over ssh, you can ask ssh to compress the data
instead of having cvs do it, for those servers.

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: Is fdisk partition a must for a non-system disk on i386

2012-02-06 Thread Janne Johansson
2012/2/7 Alan Cheng bsdp...@gmail.com:
 Hello list,

 I'm playing around with fdisk on a vmware virtual machine with 5.0 i386.
 Despite what's in FAQ14.4, I found I can still create disklabel partitions
 without a fdisk partition (no fdisk -i $disk) on a blank disk.

 I'm confused. So my question is:
  1. Is fdisk partition a must for a NON-SYSTEM disk on i386?
  2. what is the disadvantage of using a disklabel partition without fdisk
 partition in above mentioned scenario?

fdisk and disklabel aren't really optional in that sense.
Every disk (at least on PC derivatives) should have one A6 partition,
and a disklabel to match the area inside that fdisk partition.

You can fake around it in various ways, but there is seldom a real
need to, so why bother doing it in odd ways? It will perhaps bite you
in the long run to do it in non-standard ways.

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: Is fdisk partition a must for a non-system disk on i386

2012-02-07 Thread Janne Johansson
The rules are different for different architectures, different disks
(usb and whatever) and so on, so you can't really map every possible
device on all machines into one neat rule. But telling people to use
fdisk and disklabel to get it right will be the least painful way to
get it as common as it can be. So, some apple-ipad-while-on-usb will
be a disk with no partitions and a filesystem on top of the sdXc, or
someone sets up their CF disk like that, or someone manages to get two
A6 partitions on the same disk and not confuse himself, but this may
not mean it's a good idea.

2012/2/7 Alan Cheng bsdp...@gmail.com:
 thanks Janne for the explanation.

 I thought a fdisk partition on i386 is *required* after reading FAQ14/man
 pages and I was a bit surprised to be able to create a disklabel partition
 without doing fdisk -i. so I wrote to the list for help on what I
 mis-understood ...

 thanks.
 Alan


 On Tue, Feb 7, 2012 at 3:41 PM, Janne Johansson icepic...@gmail.com
wrote:

 2012/2/7 Alan Cheng bsdp...@gmail.com:
  Hello list,
 
  I'm playing around with fdisk on a vmware virtual machine with 5.0 i386.
  Despite what's in FAQ14.4, I found I can still create disklabel
  partitions
  without a fdisk partition (no fdisk -i $disk) on a blank disk.
 
  I'm confused. So my question is:
   1. Is fdisk partition a must for a NON-SYSTEM disk on i386?
   2. what is the disadvantage of using a disklabel partition without
  fdisk
  partition in above mentioned scenario?

 fdisk and disklabel aren't really optional in that sense.
 Every disk (at least on PC derivates) should have one A6 partition,
 and a disklabel to match the area inside that fdisk partition.

 You can fake around it in various ways, but there is seldom a real
 need to, so why bother doing it in odd ways? It will perhaps bite you
 in the long run to do it in non-standard ways.

 --
  To our sweethearts and wives.  May they never meet. -- 19th century toast





--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: pgt firmware ...

2012-02-26 Thread Janne Johansson
2012/2/26 Wesley M. open...@e-solutions.re:
 Try this :
 add wget package using pkg_add -vi wget
 wget http://firmware.openbsd.org/firmware/5.0/pgt-firmware-1.2p2.tgz

Or skip getting wget altogether and just use the /usr/bin/ftp which
can talk http well enough for this.
Or, skip getting the package down locally and just give pkg_add the
url directly and notice how it can DL stuff for itself.


--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: pgt firmware ...

2012-02-27 Thread Janne Johansson
2012/2/27 David Walker davidianwal...@gmail.com:
 Thank you Peter.
 I still get the same error message (error line wrapped):

 pkg_add ./pgt-firmware-1.2p2.tgz
 Bad pkg_db: No such file or directory at
[...]
 Somethings wrong with my environment but what ...

Yes, the thing that makes it impossible for you to run exactly what we
tell you to, and instead you add ./name-of-package when pkg_add
takes URLs directly.
Now exactly what in your environment is doing that, I can't really tell.

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: Trusting the Installation

2012-02-28 Thread Janne Johansson
2012/2/29 Tomas Bodzar tomas.bod...@gmail.com:
 On Wed, Feb 29, 2012 at 3:44 AM, Nathan Stiles stiles.nat...@gmail.com
 I was also expecting the checksum to be served over HTTPS.

 Some exact reason for that? Especially regarding a lot of issues and
 flaws discovered during last months/years in various implementations
 of SSL/certificates/CAs?

[...]

  What are others doing?

Others, like the rest of the internet, are using those certificate
authorities (all 600+ of them?) as if they work, and make users
believe that since my browser says Chunghwa Telecom or NetLock
Halozatbiztonsagi Kft. is to be trusted, mylocalbank.com showing one of
their certs must be fine and dandy.

Doing what others do isn't always adding to real security.

As everyone says, buying the CD is a solution for the really paranoid.
Going to a BSD conference where obsd devs and affiliates sell such CDs
even mitigates the evil post office CD-swapper issue.
If you aren't ready to shell out the bucks for one CD set, then it
can't really be important.

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-03 Thread Janne Johansson
2012/3/2 PP;QQ P(P8P?P8QP8P= chipits...@gmail.com:
 hello!

 we are running CARP-ed load balancers (carp over different vlans).
 it was running just great with 6 carp addresses.

 when we added 7th, randomly we get MASTERs on both server for certain carp
 interface. After reboot we can get different carp interface on dual MASTER
 state, and so on.
 carp negotiations are ok, tcpdump shows them all. both peers see each
other.

 if I put one interface to BACKUP state, it goes to mASTER soon.

 we are running 5.0/amd64


I'm seeing this too. The current work-around is to set the carp to
announce to a carppeer to the other box so it doesn't multicast but
rather uses unicasts. In my case, the to-be-slave machine doesn't see
all the carp announcements from the master, but rather one per minute
or so.

I have this on Dell amd64 openbsds ranging from 4.8 to 5.0, in all my
cases when running on top of vlans (just because that is how we set
these up) and running on Extreme Switches.

The ips on the vlan interfaces can talk fine, the master hears all
carp packets, the slave misses most or all carps from the other. This
means that tcpdump on the master shows the higher-skewed carps from
the slave also.

The odd thing is that it's not consistent on all carps either, but
rather a few out of many. If I set just those to use carppeer, it
sometimes moves over to other carps, but it could have been moving
around for a long time, haven't had time to fully investigate this.

I have a few non-critical pairs on which to test stuff, if needed.

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-03 Thread Janne Johansson
2012/3/3 Janne Johansson icepic...@gmail.com:

 when we added 7th, randomly we get MASTERs on both server for certain carp
 interface. After reboot we can get different carp interface on dual MASTER
 state, and so on.
 carp negotiations are ok, tcpdump shows them all. both peers see each
other.

 if I put one interface to BACKUP state, it goes to mASTER soon.

 we are runnung 5.0/amd64


 I'm seeing this too.
 I have this on Dell amd64 openbsds ranging from 4.8 to 5.0, in all my
 cases when running on top of vlans (just because that is how we set
 these up) and running on Extreme Switches.

And to answer Camiel's Q, we have preempt=1

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: My OpenBSD 5.0 installation experience (long rant)

2012-03-12 Thread Janne Johansson
2012/3/12 Fredrik Staxeng fst...@update.uu.se:
 So you state that the fact that if one chooses to use the whole disk,
 the whole disk is used needs further documentation?

 Once upon a time, mkfs used to make a 10-second pause before starting.
 That's the way you do it.

That is an answer to the question "How?" (actually a bad one, as if the
user didn't read messages before hitting [Enter], he probably won't do
it after doing so), while my statement implied more of "Why?", which you
didn't address at all.

 I jumped into the middle here, I know. I think the 10-second delay is
 a brilliant solution. Much better than an are you sure? question.
 I think that there is a large probability that the user will spend that
 time  reading the message, and consider whether he really wants to do it.

And as soon as the first "I spent those 10 seconds reading the
scrollback or web comics, and now my data is gone" has occurred, we
make it 20 seconds. Then 30. And after that, thousands of
installations are delayed by minutes each just to accommodate people
that 1. don't think OS installations warrant backups when mixing and
multibooting and 2. don't read what they answer anyhow...

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-13 Thread Janne Johansson
2012/3/4 PP;QQ P(P8P?P8QP8P= chipits...@gmail.com:
 thank to Camiel Dobbelaar, carp log at 6 shown ip_output problem, which
 lead me to:

 pass quick proto carp no state

Which doesn't match the PF FAQ which says:
Since CARP is its own protocol it should have an explicit pass rule
in filter rulesets:
pass out on $carp_dev proto carp keep state

I'll test the no state as soon as I can rig one of my previously
failing boxes to not use my carppeer workaround.



 it did the job (I still do not understand how the firewall passed 6 interfaces
 and blocked 7th, need to have a closer look, but after that rule everything
 became ok,
 pf stopped blocking carp announces)

 On 2 March 2012 at 21:31, user favar 889...@gmail.com wrote:

 hi list, we have same problem with carp. (with 45 ip addresses)
 and after reboot, host with advskew 200 became master, and with
 advskew 1 - slave.

 2012/3/2 Илья Шипицин chipits...@gmail.com:
  no, I copied hostname.carpXX, just added advskew 200
  parameters are the same.
 
  On 2 March 2012 at 15:25, user Otto Moerbeek o...@drijf.net wrote:
 
  On Fri, Mar 02, 2012 at 01:53:17PM +0500,  ??? wrote:
 
   hello!
  
   we are running CARP-ed load balancers (carp over different vlans).
   it was running just great with 6 carp addresses.
  
   when we added 7th, randomly we get MASTERs on both server for certain
  carp
   interface. After reboot we can get different carp interface on dual
  MASTER
   state, and so on.
   carp negotiations are ok, tcpdump shows them all. both peers see each
  other.
  
   if I put one interface to BACKUP state, it goes to mASTER soon.
  
   we are running 5.0/amd64
  
   Cheers,
   Ilya Shipitsin
 
  Carefully compare the address lists (including masks) on both
  machines. Likely they are not the same.
 
          -Otto




--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: openldap and openbsd

2011-06-29 Thread Janne Johansson
2011/6/28 Friedrich Locke friedrich.lo...@gmail.com

 Dear list members,

 I have just installed openldap from ports (OpenBSD 4.9/amd64) and I am
 testing it. My doubt is:

 It seems to me that openldap should be run as user x and group y
 according to the ports collection. The problem is that I want to use
 kerberos authentication. The system (OS context) is just doing
 kerberos, but the keytab file is permitted access only to root.

 How could I run openldap as another user, not root, and provide it with
 a ldap/x.y.z ticket?

 How have you done so?


You make a specific keytab for openldap, of course readable by the ldap
daemon user.
There is no need to stick all keytabs in the host keytab file.

-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: [OT] io event triggered file system synchronisation

2011-08-02 Thread Janne Johansson
2011/7/29 Remco re...@d-compu.dyndns.org

 frantisek holop wrote:

  hi there,
  sorry for the offtopic but there are probably many knowledgeable
  admins on this list as well.
 
  i am looking for a solution that keeps monitoring file system io
  for all stuff under a certain path and whenever files
  change/get added/removed it synchronises these changes with
  multiple remote locations.  basically sql replication for file system :]
 
  anybody using something like this?

 I've never used it, I don't know how well it works, but it might fit your
 needs: http://en.wikipedia.org/wiki/Andrew_File_System


AFS has support for (atomically) distributing copies to other fileservers,
BUT, for the volumes you want distributed, there are a number of
things to think of.

One is that it's nothing like fast if you are thinking along SQL terms. It
will do incremental diffs when sending changes, but the atomicity doesn't
really allow for lightning fast replication. Also, all the replicas are
read-only, so you can only write to the master (for that particular volume)
server, then you run a command to start the sync to the replication servers.
It's not automatic, which may be good if you update a lot of related files
in a swoop, but it can of course be crontabbed or something like that.

So yes, it does do parts of what's been asked for above, but perhaps it's not
what the hidden demands call for.

-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: Slackathon T-Shirts

2011-09-20 Thread Janne Johansson
2011/9/20 OpenBSD Europe m...@openbsdeurope.com

 Hello folks,
 We have some left over Slackathon 2011 white t-shirts here of various
 sizes. We asked for a donation for 200 SEK per shirt on the day.
 If you would like one please contact us via this email address off
 list. Of course, they are still *100% donation*. I don't have my
 camera here right now to show photos of the t-shirts, but maybe
 someone else has a shot?


Sure,
http://people.su.se/~jj/obsd/slack2011-tshirt.jpeg

-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: Why so cool OS doesn't have vuln database?

2009-05-18 Thread Janne Johansson

Yuriy Grishin wrote:

Indeed you're right. I've got the same experience with the php5-gd library.
The audit program told me that this library is vulnerable but there was no 
patch available.

So this message was about useless.
On the other hand in most cases this sort of applications could save 
admin's time.


Ok, so make it work then:
1. Port the apps (easy)
2. Populate the database (huge work)
3. Build up trust so the average paranoid admin wants to use it (?)
4. Profit!

I await someone saving my admin time.


On the other hand maintaining the database is extremely huge work.

It is not for the community.

Exactly who is the community?

You and me and that guy.




Re: Even and Odd numbered OpenBSD versions

2009-05-19 Thread Janne Johansson

Artur Grabowski wrote:

Mark Romer romes...@gmail.com writes:


Hello, just a simple question.  We have here at work an old hand at OpenBSD
and he says he only uses OpenBSD versions that are even numbered.

 [...] but what does

everything else think?


He's odd.


Sounds like a candidate for the 2007 Slackathon!

http://people.su.se/~jj/junk/slackathon.png



Re: softraid - speed

2009-05-20 Thread Janne Johansson

Uwe Dippel wrote:
I tried again, setting up RAID1 on 2 U320 drives, 15k, as described in 
softraid(4).
Now I find the speed to be too slow. Writing to a single file is kind of 
okay: [everything/pwd is /mnt, which is a softraid drive, /dev/sd3f]


[..]


But a dump & restore of /usr is a tad sick:


[..cut...]


I can see at times
that the data amount transferred is huge, at other times it is moving by 
steps of 0.1-0.2 MB/s. Probably it is a problem of number of files, not 
of size.


Any idea what to do to improve the performance?


In the generic I restore/unpack a zillion files to a newfs:ed 
partition, mount it async, which helps the number of files
issue, and if it fails in the middle, you will want to restart the 
restore anyhow, so you just might newfs it again in that case.




Re: softraid

2009-05-23 Thread Janne Johansson

Uwe Dippel wrote:

Uwe Dippel udippel at uniten.edu.my writes:


To me this seems a result of the sequence at boot: at first we identify the
physical drives, that is sd0, sd1, sd2 and sd3 in this case, and only later
do we get softraid up, sensibly roaming the RAID one up. Sensibly? Because
fstab can't know and will want to mount partitions of a lower number 
(sd3 in this case), which is always impossible.


I do understand the problem of 'no labels'/'no UUID', but the current working
will break boot whatever happens: any extra drive, in any slot, will be
discovered at boot time before softraid is activated. So it will break 100%,
right?


Isn't that the case with all fstab entries right now?

You get the computer to list some drive before other disks, raid or no 
raid, and fstab breaks on you.




Re: Get Top 10 Search Engine Ranking at Low Cost

2009-05-28 Thread Janne Johansson

Anton Parol wrote:

How does one take advantage of such a good offer, when there's no URL?

sadface

Hi,
*TOP 10 SEARCH ENGINE RANKINGS*


You have to prove your google skills by finding them.
They should be in the top 10 of search engine rankings, presumably.



Re: OpenBSD as a storage SAN

2009-06-03 Thread Janne Johansson

Lars Nooden wrote:

OpenAFS is part of the base distro.


No.
The base includes arla, an AFS client.



Re: assigning more than 493 MB memory for qemu virtual machines

2009-06-24 Thread Janne Johansson
Siju George wrote:
 Hi,
 
 Trying to assign 512 MB memory to a qemu virtual machine resulted in the error.
 
 $ sudo qemu -m 512  -hda wd0.img -hdb wd1.img -cdrom LATEST-Devel.iso
 Could not map physical memory
 
 -m 493 works
 -m 494 & -m 495 gives segmentation fault

 Is it a bug in qemu that should be fixed?
 how can I assign more than 493 MB memory for qemu virtual machines?

One more thing, giving a qemu host X Meg memory doesn't mean Qemu only
uses X(+little) megs of RAM. I think I saw figures like 2-3x what I gave
the guest IIRC, so whatever the limits are, they won't be close to 493M.



Re: mount_xfs in -current gone?

2009-08-11 Thread Janne Johansson
Tim Gruene wrote:
 I tried using mount_xfs from base45.tgz, but the XFS is not defined in
 the generic kernel. Does anyone know whether mount_xfs is going to come
 back? Do I have to compile the kernel myself just to mount an
 xfs-formatted usb-stick?

The xfs (that was renamed to nnpfs) is not the SGI journalled
filesystem, so no usb stick will be xfs/nnpfs-formatted on obsd 4.5.

It's a userspace-filesystem translator to make AFS clients possible on
obsd, nothing else.



Re: Sort doesn't sort

2009-08-20 Thread Janne Johansson
Woodchuck wrote:
 You do not say which version of OpenBSD you are running. I tried your
 example on current (amd64 and i386) and 4.5 (amd64) and did get the
 proper results.

 4.2  I've been too cowardly to upgrade.  I'd have thought that sort
 might have been frozen in amber a few decades ago, though.
 

http://www.openbsd.org/plus43.html mentions at least two fixes for sort.



Re: dma problem in VIA Nehemiah

2009-09-03 Thread Janne Johansson
sonjaya wrote:
 # dmesg
 OpenBSD 4.5-stable (LESCHACO) #0: Mon Aug 10 15:49:13 WIT 2009
 r...@localhost:/usr/src/sys/arch/i386/compile/LESCHACO
 cpu0: VIA Nehemiah (CentaurHauls 686-class) 1 GHz
 cpu0: FPU,V86,DE,PSE,TSC,MSR,SEP,MTRR,PGE,CMOV,PAT,MMX,FXSR,SSE
 real mem  = 502824960 (479MB)

[...]

 root on wd0a swap on wd0b dump on wd0b
 wd0: transfer error, downgrading to Ultra-DMA mode 3
 wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 3
 wd0a: aborted command, interface CRC error reading fsbn 24063776 of
 24063776-24063807 (wd0 bn 24063839; cn 1591 tn 125 sn 44), retrying
 wd0: soft error (corrected)
 #
 
 any clue to make this problem dma missing, I think problem of hard disk but not

I got that when I did what the pciide(4) manpage says NOT to do:
Quote:
 For proper operation of UltraDMA 3 and higher modes a 40-pin,
80-conductor cable must be used.  On some controllers, the pciide driver
can probe the chip and see if it detects that an 80-conductor or
40-conductor cable was used.  If not, it will down-grade to UltraDMA 2
mode.



Re: Typo in plus.html

2009-09-09 Thread Janne Johansson
Luca Corti wrote:
 i instead of li.

Thanks.



Re: Supporting OpenBSD

2009-09-09 Thread Janne Johansson
Brad Tilley wrote:
 On Wed, Sep 9, 2009 at 6:33 AM, Chris Bennett
 ch...@bennettconstruction.biz wrote:
 
 I just signed up for a $5 USD a month subscription using PayPal.
 
 I was unaware of that. That's a nice feature. I don't have a PayPal
 account (don't trust them) 

I move money from my account into paypal, with the intention that that
money may disappear from the face of the earth, then make PP donations
using it. No ties to any account or CC for me, so I don't risk
anything except what I give to PP in the first place.



Re: how to trace a hardcore-bug in OpenBSD-4.5

2009-09-16 Thread Janne Johansson
paranoid.gand...@googlemail.com wrote:
 
 The OS got totally corrupted.
 gdb, su, sudo do segfault for example.

8<

 But later my ssh died again and after that the server finally
 broke down. Beyond the point of what fsck can handle.
 During auto-fsck the box reboots.
 
 A good bug I'd say... ran into it now 2 times in less than
 5 hours. And I have no clue why or how I triggered it.

8<

 If there is more I could tell you please do let me know.

Any of the "My computer has bad hardware" tips seem to apply nicely to
this kind of symptoms.



Re: Defending OpenBSD Performance

2009-09-17 Thread Janne Johansson
Christiano Farina Haesbaert wrote:
 Ignore my double posting, my mistake.
 

Don't worry, it adds value to the intarwebs.



Re: managing authorized_keys

2009-09-21 Thread Janne Johansson
Joachim Schipper wrote:
 There's 400+ unix boxes.  I know we can stick keys into
 authorized_keys, but managing it for a bunch of automated processes
 seems a bit unwieldy.  
 Have you considered Kerberos? You'll still have to add accounts (or use
 LDAP, indeed), but at least you don't have to copy the keys everywhere.
 

With some patches, you can use the krb5 host-keys instead of the
ssh-host-keys.

Then again, any site with 400+ boxes should really have most of them on
an automated install procedure anyhow, so sending out authorized_keys
using that should be a high priority.



Re: Outbound RST not seen by tcpdump?

2009-09-21 Thread Janne Johansson
Ian Chard wrote:
 I'm troubleshooting a very strange problem, where my ssh connection to a
 few different OpenBSD machines drops suddenly, with the client machine
 receiving a TCP RST from the server.  I've taken tcpdump captures on
 both sides (in different sessions, so the tcpdump process doesn't die
 with my shell), and the OpenBSD machine's capture doesn't log the RST it
 apparently sends.

There are ISPs that traffic shape their links by killing long-lasting
TCP streams by faking the RST in the middle.



Re: Slow HDD speed on Dell E6400

2009-09-29 Thread Janne Johansson
TomC!E! BodEC!r wrote:
 There must be some funny tricks on those other OS's. But it doesn't
 matter (I will investigate myself).
 Now I know more about those random generators and tests for real are ok.
 Untar of src.tar.gz shows about 9MB/s in iostat(8) and dd ports.tar.gz
 to some file
 shows about 22MB/s.
 
 Thanks all for their tips and sorry for some of my stupid ideas ;-)

Also, untarring lots of small files won't test your I/O in the same way
as a dd(1) test, since it will test "how often can I make atomic writes
to my disk" rather than "how much data can I move".



Re: Carp basics

2009-09-29 Thread Janne Johansson
Siju George wrote:
 Is it possible for me to make both fw1 and fw2 listen on ip address
 172.17.1.0 and load balance connections through both ISPs?
 And also make a fail over set up so that when either ISP1 or ISP2 is
 not functioning all hosts in the network  going through the other.

http://www.openbsd.org/faq/faq6.html#Multipath
might help.



Re: automating 'fsck -y' after a power failure

2009-10-07 Thread Janne Johansson
Joachim Schipper wrote:
 make a dump of the partition before going to execute potentially data
 destroying actions?
 yes, this is sound advice of course.  but what are you going
 to do with the dump if say, fsck is not able to revive the fs?
 dump it back, run fsck again and answer no at a couple of
 fsck prompts?  how is it going to change anything in the end?
 
 Well, if fsck can't revive your partition, you can always try different
 tools. Something like fsdb may be able to recover part or all of your
 filesystem even in cases where fsck loses the plot.

Also, fsck may fail in the middle due to lack of memory, so moving the
dump to a bigger box to make it run through may be a good solution in
that case. Or old fsck fails where a -current fsck won't.



Re: poor tcp performance

2009-10-11 Thread Janne Johansson
Jose Fragoso wrote:
 I am running openbsd 4.2 on a box and I would like
 help trying to identify networking bottlenecks.
 
 While trying to download a file from another obsd
 box at the network using wget, I get very low rate.
 100%[] 61,758,702 2.30M/s
 18:03:55 (2.32 MB/s) - `bsd1.1' saved [61758702/61758702]

This one above probably uses the default values you posted below:
 net.inet.tcp.recvspace=16384
 net.inet.tcp.sendspace=16384

but..

 But when I use iperf, I get quite high transfer rates:
 TCP window size:   256 KByte
^^^
..this one sets a higher value for itself.

 My question is what could be causing the tcp poor performance?

Try setting send/recv-space to 256k and re-test with wget in order to
actually make the two tests use the same limits. Since the wget test was
both to/from another obsd, make sure you change both sides and restart
the data serving application at the other end so it picks up the new
space (don't know if it is read per connection or per binding of a
socket, so a safe bet is to restart the app, I guess).



Re: New functionnality for authpf

2009-10-14 Thread Janne Johansson
BARDOU Pierre wrote:
 My script loads the rules once, and modifies the table within the rule.
 When the user disconnects, its IP is removed from the table, and its
 connections are killed with pfctl -k.

boxA> ssh remote-computer
boxA> ssh remote-computer (again)

remote-computer> exit
see both ssh's fail.

Probably what this comment was about:
(The real fun part here is detach policy)



Re: Moving files around

2009-11-09 Thread Janne Johansson
Brynet wrote:
 STeve Andre wrote:
For simple large files, is there a faster way to move them rather
 than using mv?  I have a lot of large files (10G) that need to be
 rearranged on which disk they reside on.

 If the files are on the same partition, mv(1) or ln(1) will be almost
 instantaneous.. otherwise just cp(1) and rm(1).

I usually go for rsync -a --remove-sent-files src/ dst/ when crossing
filesystem borders, since that one is restartable if it gets interrupted
in the middle. mv(1)s are not.



Re: Truncation Data Loss

2009-11-11 Thread Janne Johansson
Nick Guenther wrote:

 So, as nicely summarized at

 http://www.h-online.com/open/news/item/Possible-data-loss-in-Ext4-740467.html
 ,
 ext4 is kind of broken. It won't honor fsync and, as a /feature/, will
 wait up to two minutes to write out data, leading to lots of files
 emptied to the great bitbucket in the sky if the machine goes down in
 that period.
 There is a very simple explanation for why things are so.
 Actual data file loss has never been what these things were coded for.
 filesystem *tree and meta-data*, ie. the structure of how things are
 knit together, is the main concern.  If you lose the filesystem tree
 structure, you've lost all your files, not just the newest ones.
 Therefore the goal is safe metadata handling.  The result is you can
 lose specific data in specific (newly written to) files, but the
 structure of the filesystem is consistent enough for fsck to not damage
 it.

 See, since it seems that BSD doesn't have this file-data consistency
 guarantee, are Linus' worries about ext4's potential data loss just
 being alarmist? It seems to me that the case described in
 https://bugs.edge.launchpad.net/ubuntu/+source/linux/+bug/317781/comments/45
 is just as likely to happen on OpenBSD--if I run KDE or GNOME and mess
 around with my settings then quickly murder the system the files will
 be resurrected empty, right?

It seems like some posters in this thread somehow miss the fact that
if you have outstanding writes and the box dies, some of your data dies
too. New or old data, something will be missing.

From the point your app does a write(), it gets buffered in the I/O
handling, it gets buffered by the device driver for the card, it gets
buffered in the card probably, it gets buffered in the on-disk memory
cache and then it serially hits the platter one bit at a time until it's
all written. If you have data in this long pipe and the power goes, you
will lose data, period.

OpenBSD has chosen to try harder to keep the metadata intact, and ext4
doesn't try at all, for the love of speed. Still, you are only moving
around the window of opportunity for fail, and sometimes making it
larger or smaller, but it is always there.

The last comment above should really only read:
If I quickly murder my system, the files might be gone. Nothing else.

If you have writes going, data loss is a reality. Sometimes more,
sometimes less, but it's all games with statistics. If ext4 has a 50%
chance of killing your files and FFS on obsd has 1%, you might still get
to keep your KDE settings on either system or you may lose them all. It
shouldn't be news to anyone that Linux always went for fast-and-insecure
whereas the BSDs opted for slower-but-safer for the filesystems. Making
a fuss about how insecure the penguins are this week feels like a waste
of time to me.

If you care about your data, you have backups.

Regardless of whether the probability is 1% or 50%, because for someone out
there, the percentages will be against you.



Re: X issue with Nov 24 amd46 snap

2009-11-25 Thread Janne Johansson

Dan Harnett wrote:

On Tue, Nov 24, 2009 at 02:58:18PM -0600, Neal Hogan wrote:

Earlier today I upgraded my machine to the latest snapshot (nov 24) and
there seems to be a problem with X. It starts okay, but then shortly
after that it fails to respond to anything but the mouse. Also, the
programs that I have running stop (ff35, mplayer, etc). I tried under both
scrotwm and cwm . . . same behavior in each case.

The freeze doesn't appear to occur at the same time. During one
attempt, all I had open were fetchmail/mutt and ff35 and after several
minutes it locked up. However, when I started ff35 and then mplayer the
lock up occurs more quickly (within seconds).


I am able to reproduce this on a ThinkPad X40 (i386), Dell Mini 10v
(i386), and ThinkPad T61 (amd64).  Previous snapshots worked fine.  I
open an xterm then run the command 'ls -lR /'.  It doesn't take long to
freeze.  All those systems have Intel integrated graphics.


Me too, I updated my kernels yesterday, hoping to get to recent userland 
during the day and got this very experience twice on my X60s (i386). 
Intel gfx on it also.


Mouse moves, some distorted pixels but apart from that, no life. 
Caps/num/scroll lock wouldn't flip the LEDs anymore.
So something like 2 weeks old userland, and yesterday's -current for 
kernel reproduces it for me.



