Re: 3.8 beta requests
Theo de Raadt wrote: Of course not. HOW CAN IT? Get real! The hardware is STILL only providing permissions at the page level! If you have aggressive amounts of ram and/or patience you could have something along the malloc.conf P-option for ALL sizes. Of course it would suck for any app more complex than sleep but for the sake of argument... Apparently the new malloc(3) implementation doesn't stop me from writing past the end of the buffer as long as I am inside the last page. (Please forgive me beforehand if I am missing something too obvious)
Re: package installation script hints
Paul de Weerd wrote: On Fri, Aug 26, 2005 at 12:06:29AM +0200, Marc Espie wrote: | 2 - How is pkg_add -u working for people? | | It works fine for me. I don't know about other people yet, you tell me... I haven't used it very much yet, but so far everything works great for me. But this is just basic pkg_add -u/pkg_add -r use, couple of packages, nothing fancy. Good stuff so far ;) So thanks, Marc. I tried cd /usr/ports/cat/someport and then make update clean and it worked like a charm for updating-after-building.
Re: i386 binaries on amd64
Tony Lambiris wrote: In reading some mailing lists, I noticed some people pass in the -m32 flag when compiling to compile 32bit instead of 64bit... I added the flag to the Makefile and everything compiles except when I try to link all the objects into an executable, I get these errors: /usr/bin/ld: warning: i386 architecture of input file `some.o' is incompatible with i386:x86-64 output Is compiling this way possible at all? No.
Re: openAFS or arla support?
ober wrote: Do you guys prefer --with-transarc paths? So let me know as I am writing it as we speak. The goal is to allow you to install a single server AFS cell with a single script. I use the old version on Linux fine. However I would like feedback for transarc/non-transarc paths. I'd prefer to have it ports-lookalike and have everything not end up under /usr, even though Transarc once liked it that way. If it ends up as a port eventually, it still needs to put everything under /usr/local (or whatever PORTSBASEDIR is at the time)
Re: Ports changes web page is badly out of date
Landry Breuil wrote: http://www.openbsd.org/portsplus/index.html which is referenced by http://www.openbsd.org/plus42.html yeah, perhaps someone feels like starting to keep portsplus up to date from now on? please contact me if so. http://ports.openbsd.nu/ homepage would be a good start point to collect information, or creating an automatic system parsing ports-changes@ messages.. but OpenBSD website is fully static, so page would have to be manually updated. Just copying machine-wise from a maillist to a webpage is probably not what you'd want anyhow, but rather like plus.html, where someone (like me) actually does some kind of selection of what actually affects users and what doesn't.
Re: hardening BSD (was systrace/stsh policies)
Eduardo Tongson wrote: Robert Watson's paper discusses concurrency vulnerabilities. Impacts include policy bypass and audit trail invalidation. A bypass means it is useless. That pretty much hammered in the last nail on the coffin for security tools based on system call interposition. I actually don't think it is all worthless. Imagine a machine running a server daemon. If you systrace that particular daemon to not be able to fork()/exec*() or system(), you could be quite sure it won't start random apps on your machine in case someone manages to trick it somehow. Now, if the attacker already has a local account and/or shell, he might run races and fool the systrace. But if this daemon was the only way for said attacker to gain such shell access, and it can be prevented from doing common stuff needed to get a local shell, then you would have a safer system. In this way, systrace might be usable still, even though it won't suffice for systrace'd shells given out to bad guys. Same as all other measures you might have like chroots, stack gaps, randomized mem layouts and library addresses, they never prevent 100% of all attacks, just many of them. On 10/15/07, Steve Shockley [EMAIL PROTECTED] wrote: Joachim Schipper wrote: You should probably do a Google search on systrace before continuing further down this road. In particular, I believe the issue highlighted by Robert Watson has not been fixed yet (although I could be wrong, and would be happy to be wrong in this case). The white paper for the systrace vulnerability was a little bit beyond me; what's the impact of the issue? Is a system running systrace *more* vulnerable than a normal system, or is the problem just that a determined user can circumvent systrace (like the bottom of systrace(1) suggests)? If it's the latter, it seems like it'd still be useful for policy enforcement to some extent.
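An added example, written for this page and not code from the thread, from systrace or from Watson's paper, of the argument race the reply above is talking about. It is a deterministic model: "user memory" is a plain buffer, the interposition layer checks the pathname, the modelled kernel fetches it again, and a hook runs in the gap where the racing thread would be scheduled. The vulnerable and the fixed monitor sit side by side; all names (interpose_double_fetch, interpose_single_fetch, attacker_swap_arg, the paths) are hypothetical, constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define ARG_MAX_SIM 64

/* The one file the policy lets the modelled daemon open (constructed). */
static const char allowed_path[] = "/var/www/index.html";

/* Modelled user memory holding the pathname argument of the syscall. */
static char user_arg[ARG_MAX_SIM];

/* Hook standing in for whatever runs while the syscall is suspended
 * between the monitor's check and the kernel's own copy-in. */
typedef void (*gap_fn)(void);

/* Kernel-style copy-in of the argument from user memory. */
static void copyin_arg(char *dst)
{
    strncpy(dst, user_arg, ARG_MAX_SIM - 1);
    dst[ARG_MAX_SIM - 1] = '\0';
}

/* Policy: exact match against the allowed pathname. */
static int policy_permits(const char *path)
{
    return strcmp(path, allowed_path) == 0;
}

/* Modelled open(2): records which path the kernel actually opened. */
static int kernel_open(const char *path, char *opened, size_t len)
{
    snprintf(opened, len, "%s", path);
    return 1;
}

/* Vulnerable monitor: the policy checks one copy, the kernel then
 * fetches a second copy from user memory and acts on that one. */
int interpose_double_fetch(gap_fn gap, char *opened, size_t len)
{
    char checked[ARG_MAX_SIM], actual[ARG_MAX_SIM];

    copyin_arg(checked);            /* fetch 1: what the policy sees */
    if (!policy_permits(checked))
        return 0;
    if (gap)
        gap();                      /* race window: another thread runs */
    copyin_arg(actual);             /* fetch 2: what the kernel acts on */
    return kernel_open(actual, opened, len);
}

/* Fixed monitor: one copy-in, policy and kernel use the same bytes. */
int interpose_single_fetch(gap_fn gap, char *opened, size_t len)
{
    char arg[ARG_MAX_SIM];

    copyin_arg(arg);
    if (!policy_permits(arg))
        return 0;
    if (gap)
        gap();                      /* user memory changes, arg does not */
    return kernel_open(arg, opened, len);
}

/* The racing thread (constructed): swap the argument after the
 * policy check has already passed. */
void attacker_swap_arg(void)
{
    snprintf(user_arg, sizeof user_arg, "%s", "/etc/spwd.db");
}

/* Place a request in user memory. */
void set_request(const char *path)
{
    snprintf(user_arg, sizeof user_arg, "%s", path);
}

int main(void)
{
    char opened[ARG_MAX_SIM];

    set_request(allowed_path);
    if (interpose_double_fetch(attacker_swap_arg, opened, sizeof opened))
        printf("double fetch: policy saw %s, kernel opened %s\n",
               allowed_path, opened);

    set_request(allowed_path);
    if (interpose_single_fetch(attacker_swap_arg, opened, sizeof opened))
        printf("single fetch: kernel opened %s\n", opened);
    return 0;
}
```

The point the reply makes survives the model: the race needs something that can run in the gap, i.e. a second thread or process under the attacker's control, so a lone daemon that cannot fork or exec has no easy way to stage it against itself.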
Re: error building userland - inconsistent operand constraints in an `asm'
fehler404 wrote: dear all, after trying to get along on my own for a while, i finally got so disappointed and unsatisfied and decided that i need help. i always ran into the same problem, so there must be something wrong about my procedure how i build kernel AND userland. # cd /usr/src # make build and that's the point where it ALWAYS stops with exactly the same error message!! i tried it with openbsd version 3.5, version 3.6 and version 3.7. i always run into the same error :-( This part makes no sense to me. I have seen loads and loads of weird compile errors, and other faults while trying to do stuff from release-current, or stable-current or current-flagday and so on, but I hardly believe that doing 3.5-install and your update-to-stable-stuff, 3.6-install and your update-stuff and finally 3.7-install and your update-stuff would give the same error. I might be wrong but it seems to be an infinitesimally small chance of getting the same error (which no one else has seen) on three releases in a row.
/usr/src/lib/libpthread/arch/i386/_atomic_lock.c: In function `_atomic_lock':
/usr/src/lib/libpthread/arch/i386/_atomic_lock.c:22: inconsistent operand constraints in an `asm'
*** Error code 1
-- Janne Johansson, Sektionen för IT Media, Stockholms Universitet, Frescati Hagväg 10, 106 91 STOCKHOLM, http://www.it.su.se
Re: quick malloc guard patch
Jonathan Thornburg wrote: when malloc gets a request with a size equal to the size of a pointer, we can allocate a whole page, and return a pointer 4 bytes from the end. The four bytes allocated are usable, but don't touch the fifth or any later ones. (8 bytes on 64-bit archs). Is the plan to make this the default behavior, or just to add it as another option selectable by /etc/malloc.conf? This would make all 4/8-byte mallocs take up one page (4k) each if I understand this correctly. That's fine for debugging, but probably too expensive for normal usage.
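An added example, not code from the thread or from OpenBSD's malloc, of what the page-granularity argument in the "3.8 beta requests" reply above and the end-of-page placement in the quoted guard patch mean in practice. It uses mmap(2) and mprotect(2) to put a PROT_NONE guard page behind an allocation and then probes writes past the object's end; alloc_page_start, alloc_page_end, overrun_faults and guarded_free are hypothetical helper names. With the object at the start of its page, an overrun stays silent until it reaches the guard page; with the object placed so that it ends exactly at the page boundary, the first byte of overrun already faults. Each allocation costs two pages, which is the cost the thread warns about.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

static size_t page_size(void)
{
    return (size_t)sysconf(_SC_PAGESIZE);
}

/* Map one data page followed by one PROT_NONE guard page. */
static unsigned char *map_with_guard(void)
{
    size_t ps = page_size();
    unsigned char *base = mmap(NULL, 2 * ps, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    if (mprotect(base + ps, ps, PROT_NONE) != 0) {
        munmap(base, 2 * ps);
        return NULL;
    }
    return base;
}

/* Conventional placement: the n-byte object starts at the page start. */
void *alloc_page_start(size_t n)
{
    if (n == 0 || n > page_size())
        return NULL;
    return map_with_guard();
}

/* Guard-patch placement: the object ends exactly where the guard begins. */
void *alloc_page_end(size_t n)
{
    unsigned char *base;
    if (n == 0 || n > page_size())
        return NULL;
    base = map_with_guard();
    return base ? base + page_size() - n : NULL;
}

/* Release either kind of allocation (both pages). */
void guarded_free(void *p)
{
    size_t ps = page_size();
    uintptr_t base = (uintptr_t)p & ~(uintptr_t)(ps - 1);
    munmap((void *)base, 2 * ps);
}

/* Write one byte at p[n + off], i.e. off bytes past the end of an
 * n-byte object. Returns 1 if the write faulted, 0 if it went through. */
int overrun_faults(void *p, size_t n, size_t off)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms raise SIGBUS */

    if (sigsetjmp(fault_env, 1) == 0) {
        volatile unsigned char *q = (volatile unsigned char *)p + n + off;
        *q = 0x41;
    } else {
        faulted = 1;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

int main(void)
{
    size_t ps = page_size();
    void *a = alloc_page_start(8), *b = alloc_page_end(8);

    printf("start-of-page object, 1 byte over: fault=%d\n", overrun_faults(a, 8, 0));
    printf("start-of-page object, %zu bytes over: fault=%d\n", ps - 8, overrun_faults(a, 8, ps - 8));
    printf("end-of-page object, 1 byte over: fault=%d\n", overrun_faults(b, 8, 0));
    guarded_free(a);
    guarded_free(b);
    return 0;
}
```

Note that the end-of-page placement only catches overruns, not underruns, and only for the byte granularity the alignment allows: an 8-byte object placed at the end of a page is 8-byte aligned, so a smaller object would have to be placed at an alignment the caller may not expect.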
Re: Serial console from sparc to i386?
Mike Sazhin wrote: Hello, I want to try sparc with OpenBSD and see if it is useful for what I do. I do not have a monitor or keyboard that can go with it so I hope to be able to install using a serial console. I have done this on i386 to i386. Now I want to know if (with the proper cable, and what kind might it be?) it is possible to run a serial console on the sparc and control it from an i386. Or are the two systems so different that that is impossible? Are there any other ways to install OpenBSD without monitor/keyboard? Thanks, Mike PS This is the system I have if it makes a difference: Sun ULTRA 1 Creator 3D UltraSPARC 167MHz 128MB RAM I've done that, installed a sparc5 with no keyboard, no monitor and only a serial null cable to an i386 obsd that handled both netbooting the sparc and talking console with it. No problems.
Re: Can't make 3.7-stable release (tries to exceed capacity of /dev/svnd0a?)
Adam Fabian wrote: I've tried building an OpenBSD release from the 3.7-stable branch a few times in the last few days, on two different i386 machines, and both stopped in the same place.
--8--
dd if=bsd.gz of=/mnt/bsd bs=512
/mnt: write failed, file system is full
dd: /mnt/bsd: No space left on device
--8--
# uname -a
OpenBSD noc.hillconet.net 3.7 GENERIC#0 i386
(I was running the 3.7-stable GENERIC kernel both times I tried. The userland, etc. builds and installs, too, just can't make the release.) Here's a complete dmesg from one of the machines that it failed to build on: (the other is pretty similar, and I believe both failures were identical, though I didn't save the last log, because I figured I probably did something wrong):
OpenBSD 3.7-stable (GENERIC) #0: Sun Jul 10 14:53:01 CDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Celeron (GenuineIntel 686-class, 128KB L2 cache) 468 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem = 199794688 (195112K)
avail mem = 175558656 (171444K)
This is really something for the archives. A problem description with really good info, and a dmesg too, even though it actually wasn't needed. Newbies, see how this guy did *not* get flamed for including both relevant, and irrelevant info and got his problem solved really quick. If one could only get coming generations to see this problem report too...
Re: VPN behind a router, now with OpenVPN
Helio Santana wrote: Hi, I've disabled AH in my sysctl.conf but it doesn't work... Now I have been trying to do it with OpenVPN. After reading all the how-tos and some samples, the connection is successful with 2 obsd behind routers. It's very simple to do... I can see servers, but how can I check that my connection is encrypted? Last days with IPSEC, doing a tcpdump -i enc0 gave me '(private/confidential)'... but now, how can I do it? tcpdump the external interfaces, looking at packets on the udp port you selected for OpenVPN. (5000 for openvpn 1.x, and 1194 for ovpn2.x)
Re: theo
Sophie Laurie wrote: The only thing that spoils OpenBSD is theo de raadt But it caters so well to the needs of all the worst nastiest anal-carotid-constriction-software-patent-loving-spam-your-grandma- for-a-dollar-bottom-feeding-killing-babies-in-palestine-and-iraq type organizations to be able to use the OpenBSD codebase in whatever way they like. For which at least Diana Eichert is ever so thankful. ;)
Re: OpenBSD and Kerberos Client
[EMAIL PROTECTED] wrote: Hello all, I'm having a problem setting up kerberos on an OpenBSD system. Please advise as you can. ...8... I then tried kadmin on krbc2, which doesn't work. It doesn't even bother with trying to get to the admin server. It just gives me a prompt 'kadmin'. Perhaps that's an issue? That is how my heimdal kadmins work, so from that you should be able to give kadmin commands, and if they require admin principals (which most do) then it will ask for that password at that time, not before.
prompt# kadmin -p myname/[EMAIL PROTECTED]
kadmin> ank host/[EMAIL PROTECTED]
(asks for myname/[EMAIL PROTECTED] pw and stuff)
kadmin> ext -k /etc/kerberosV/krb5.keytab host/[EMAIL PROTECTED]
..is how I would add hostkeys to an OBSD host using kadmin.
Re: OpenBSD and Kerberos Client
[EMAIL PROTECTED] wrote: -Original Message- From: Janne Johansson [mailto:[EMAIL PROTECTED]] Sent: Tuesday, June 05, 2007 11:09 AM To: David Rogal Cc: misc@openbsd.org Subject: Re: OpenBSD and Kerberos Client [EMAIL PROTECTED] wrote: Hello all, I'm having a problem setting up kerberos on an OpenBSD system. Please advise as you can. ...8... I then tried kadmin on krbc2, which doesn't work. It doesn't even bother with trying to get to the admin server. It just gives me a prompt 'kadmin'. Perhaps that's an issue? That is how my heimdal kadmins work, so from that you should be able to give kadmin commands, and if they require admin principals (which most do) then it will ask for that password at that time, not before.
prompt# kadmin -p myname/[EMAIL PROTECTED]
kadmin> ank host/[EMAIL PROTECTED]
(asks for myname/[EMAIL PROTECTED] pw and stuff)
kadmin> ext -k /etc/kerberosV/krb5.keytab host/[EMAIL PROTECTED]
..is how I would add hostkeys to an OBSD host using kadmin. Thanks for that! I tried it, but kadmin doesn't do anything useful. It just hangs - doesn't even time out. Tcpdump and ktrace show that kadmin on the OpenBSD box has a quick chat with Kerberos on the Linux box, but kadmin doesn't like whatever it receives. I think that's because of what Viq has to say about Heimdal and MIT Kerberos being incompatible - at least in respect to kadmin. I've also found some people complaining that keytabs created on a different server than the one in which they are meant for do not work very well. If I can't use Heimdal's kadmin to create the keytab and I can't use one created remotely, then I simply can't use Heimdal. A 'catch 22' which makes OpenBSD unusable for us in this circumstance. Perhaps this is an incentive for Heimdal developers to get kadmin to work with MIT Kerberos. That would help increase its userbase. I don't think the last part necessarily is connected to the first.
Just because the administrative programs/interfaces might not be interoperable, I still think you should be able to acquire host-keys with either software. Might I suggest you try this from the OBSD box: /usr/sbin/ktutil -k /etc/kerberosV/krb5.keytab get \ -p myname/[EMAIL PROTECTED] host/[EMAIL PROTECTED]
Re: OpenBSD and Kerberos Client
[EMAIL PROTECTED] wrote: Might I suggest you try this from the OBSD box: /usr/sbin/ktutil -k /etc/kerberosV/krb5.keytab get \ -p myname/[EMAIL PROTECTED] host/[EMAIL PROTECTED] Same problem, it just hangs. Please note that kinit / klist work just fine. Kadmin and ktutil both hang. Looks like administrative functions are the problem. Perhaps I've got something misconfigured? Perhaps, but I think you will have to take it to the heimdal lists. I'm fairly sure it does interoperate with various kinds of krb5 implementations, not just the MIT one. We make the AD hang off our heimdal servers here, so if heimdal can talk to Bill-kerberos, it should manage MIT too. ;)
Re: linker scripts
Constantine Kousoulos wrote: Having a linux background (and a limited NetBSD experience), i expected to find linker scripts in the kernel source code. However, this is simply not true for most architectures. What is the logic behind the lack of linker scripts? Do you have an actual problem or are you trying to invent one?
Re: IBM T60 - APM issues
atstake atstake wrote: On 6/27/07, viq [EMAIL PROTECTED] wrote: $ grep apmhalt /etc/sysctl.conf #machdep.apmhalt=1 # 1=powerdown hack, try if halt -p doesn't work Thanks but that didn't help. At the moment I'm thinking of re-compiling the kernel as someone mentioned (off the list) that I need to enable acpi in the kernel. I was wondering if there's something I could enable from the UKC prompt as mentioned here: http://openbsd.org/faq/faq5.html#Options and thus avoid re-compiling the kernel altogether.
config -ef /mykernelname
UKC> enable acpi
### acpi enabled
UKC> quit
writing modified kernel.
Like that. Or, for one-shot testing, just give boot -c at the boot prompt to get into the UKC to test it once. If it works, run the above trick to make it stick.
Re: VPN works but not when using CARP interface
James Rippas wrote: Help/suggestions greatly appreciated. I don't know where to look next. I'm not sure, but this part doesn't look good. 213733.723906 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC 213733.723978 Default message_negotiate_sa: no compatible proposal found 213733.724049 Default dropped message from X.X.X.4 port 63065 due to notification type NO_PROPOSAL_CHOSEN
Re: What is our ultimate goal??
Henning Brauer wrote: * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-20 14:07]: (not that now I can do anything about it, all's lost for me) Could you please read http://research.sun.com/minds/2007-0710/ yeah, i did, lots of marketing blubber, lots of bla bla, lots of vague indications, nothing concrete, nothing technical. Mostly Lets fix Slow-aris is what I saw. Unless you are in a slow-aris situation, moving to whatever they did might not be an improvement. ;)
Re: There's something about OpenBSD...
[EMAIL PROTECTED] wrote: For instance 'ggrep -r ...' instead of 'grep -r ...' to search recursively with gnu grep (a worthless feature imho). Displaying the name of the file and the matched line nicely like grep -r does is not elegant with find + grep without using a script or a long and inelegant alias - or if it is, I'd be interested in how it can be done in case I need to work on some ancient unix. $ find DIR -type f -print0 | xargs -0 grep PATTERN which, unlike 'find ... -exec' is just as fast as 'grep -r', and unlike 'grep -r', will skip special devices, symlinks, etc.
# uname -a
SunOS dumbhost.test.se 5.10 Generic_118855-33 i86pc i386 i86pc
# find /etc -type f -print0
find: bad option -print0
find: [-H | -L] path-list predicate-list
But yes, it's probably bad to start one grep per file.
Re: BSD Documentation License?
Ted Walther wrote: [snip] (The 2/3-term BSD license meant to do basically the same, but it used more words to do the same. The old 4-term BSD license included some terms to make University of California benefit from advertising, if there was going to be any.) I have been generating midi, ogg, pdf, and mp3 files of some old, out-of-copyright music. I have been releasing them and the source that generates them under the Creative Commons license. Do you recommend the 3 term BSD license for this particular use instead? Or would the 2 term one be better? The BSD license is about using copyright, for which I believe you have no claim in the media files you mention.
Re: Forcing ports install
On Wed, 2008-04-02 at 22:33 +1000, N J wrote: Basically my question is how do I get the port to install without having to remove then old package and dependencies first? I'm trying to build pidgin out of the ports tree. Tried: set env FORCE_PKG_REGISTER Tried: make install FORCE_PKG_REGISTER The question you should be asking yourself is: Why do I try freebsd solutions to openbsd problems? If you start your quest at www.openbsd.org - and from there read up on the FAQ and/or the manual pages (which do not contain FORCE_PKG_REGISTER) then you get an openbsd solution to what I hope is an openbsd problem. There is a whole chapter in the FAQ on ports/packages. Perhaps it contains your solution?
Re: Kerberos ~/.k5user file
On Mon, 2008-04-07 at 20:48 -0700, Clint Pachl wrote: Is the ~/.k5user file supported in OpenBSD's Heimdal implementation? I'm ... BTW, what is /root/.klogin? Is it for kerberos 4? It doesn't have a man Yes, it is (was) for krb4.
Re: wpa now in current?!
Stephan A. Rickauer wrote: Great stuff. I just hope all those who whined for years about not having WPA in OpenBSD are now man enough to give back by donating some money. No excuses. WPA-PSK only and for a limited number of drivers. That's what I said! http://undeadly.org/cgi?action=article&sid=20080416195151&pid=25&mode=expanded ..and did.
Re: Really large drives (was Re: Is there a badblocks-equivalent for OpenBSD?)
On Sun, 2008-04-20 at 22:53 -0500, Matthew Weigel wrote: David Gwynne wrote: solaris suffers from this problem. you cant use big disks with 32bit solaris kernels. For UFS, at least, but doesn't ZFS on i386 (not amd64) scale? The filesystem yes, but the block addressing no. I had to split a large raid into lots-of-lessthan1T parts and run zfs on top of them to get a large filesystem on solarisx86-10 lately.
Re: How to HIDE OpenBSD as user-agent?
On Tue, 2008-04-29 at 06:18 -0600, macintoshzoom wrote: How to HIDE OpenBSD as user-agent? For security reasons it is sometimes interesting to hide GLOBALLY the O.S. you are running on AGAINST GIVING ANY CLUE TO HACKERS ABOUT HOW TO ATTACK YOU. Which of course is bullshit, since the last 10+ years. They will attack you, OpenBSD or not. What matters is not if you claim to be windows95 or not, but if you in fact are vulnerable or not.
Re: OpenBSD's AFS informations
Bruno Carnazzi wrote: So, I'd like to know if OpenBSD's AFS could do the following (I assume that our actual file servers are replaced by OpenBSD AFS cells):
* Gently synchronize/distribute 2 physical file servers in 1 logical file server (real time is not needed)
Yes.
* Does it scale well (new AFS cells, new clients)?
Yes.
* Does it support a quota mechanism?
Yes.
* Implementation and Administration cost (we are 2 bright guys :)?
Hard to tell. People that have done AFS once seldom stop doing it, so there must be something in it to hook us afs-admins.
* What about the file permissions? Is that Windows 2k3-friendly (ACL)?
It has ACLs, but they aren't the same as any other OS's implementation.
* Why did OpenBSD devs re-write an AFS instead of reusing OpenAFS?
They didn't, they imported arla. Before OpenAFS, it wasn't free either.
* Integration with ActiveDirectory for authentication?
Yes, that is possible.
* Recovery of a lost cell?
? There are backup solutions for AFS, if that is what you're asking. Both commercial stuff that talks afs, and some tape-support-code in openafs to do it without external programs too.
Re: Assembly Language Programs
Alessandro Coppelli wrote: Hi to all. I am interested in developing some little assembly language programs. I read the article written by Thomas Sommers ( http://user.nj.net/~tms/hello.html ) I followed the author's instructions but at the end of compilation
as -o name.o name.s
ld -o name name.o
what I have is
#./name
#ksh: Operation not permitted
Someone knows what is happening? Ale Either you haven't set the x-flag on the binary, or the partition where you are is mounted with noexec, is my guess.
Re: pf and pmtu discovery
Lars Weste wrote: Hi, with scrub in all set at the firewall, will openbsd handle icmp packets of type unreach code needfrag automatically, because of the statefulness? scrub no-df fixes this, no?
Last call for swedes wanting to attend the fundraiser event.
http://slackathon2006.unix.se for info (in swedish), attach /index_en.html for an (almost 100% updated) english version. It's tomorrow (3rd of June) at the Stockholm University, so this really is the last call, but in case I missed some of you swedes when spamming all local lists and forums, and you have the day off tomorrow, come by and donate! We'll play with trunk(4)ed Gbit-interfaces, hear Niklas Hallqvist, Artur Grabowski, Hans Insulander and others talk about OpenBSD and networking/security stuff in general, and generally have a nice social event. Since there are no/few good events where you can meet openbsd people in .se, this is your chance! See you (and your cash) there! /Janne
Re: kernel settings for pf default block
c.s.r.c.murthy wrote: Hello Matthew, block all in pf.conf is ok, but it will go away when the rules are flushed for known/unknown reasons. I feel it is desirable to have a kernel parameter that does default blocking when all rules are flushed. But the default blocking will go away when the kernel parameters are flushed for known/unknown reasons too. Perhaps a setting for the network drivers so that if the pf.conf goes, and the kernel parameter are lost it can still block packets. But hey, if the setting goes away
Re: Question related to automaticly encrypted /tmp /vat/tmp (like swap..?)
Daniel A. Ramaley wrote: I have not seen documented how mfs allocates memory, so i just did a quick test. On a machine with 205 MB of RAM free i mounted a 128 MB mfs. Free RAM dropped to 199 MB; only 6 MB used! So OpenBSD must only allocate RAM for sectors that have actually been written to. Since the system is not using any more RAM than it has to, i think i'll switch to using mfs for /tmp as well. mount_mfs uses mmap(), which in turn will only use those pages which the program actually touches. An unused (large) mfs will not take up much ram, and if it does, it can swap out seldom used pages too.
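An added example, not from the thread, of the mmap(2) behaviour the reply above describes: an anonymous mapping reserves address space, and the kernel only backs a page with RAM when the program first writes to it. mincore(2) reports which pages of a range are resident; resident_pages and touch_and_count are hypothetical helper names. The Linux-only madvise(MADV_NOHUGEPAGE) keeps the count at base-page granularity and compiles out elsewhere.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

static size_t page_size(void)
{
    return (size_t)sysconf(_SC_PAGESIZE);
}

/* Count the pages of [base, base + npages pages) that mincore(2)
 * reports as resident. Returns -1 on error. */
long resident_pages(void *base, size_t npages)
{
    size_t ps = page_size(), i;
    long n = 0;
    unsigned char *vec = malloc(npages);

    if (vec == NULL)
        return -1;
    if (mincore(base, npages * ps, (void *)vec) != 0) {
        free(vec);
        return -1;
    }
    for (i = 0; i < npages; i++)
        n += vec[i] & 1;        /* bit 0: page is resident */
    free(vec);
    return n;
}

/* Map npages of anonymous memory, write one byte into the first
 * `touch` of them, and return how many pages are then resident. */
long touch_and_count(size_t npages, size_t touch)
{
    size_t ps = page_size(), i;
    long n;
    unsigned char *base = mmap(NULL, npages * ps, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;
#ifdef MADV_NOHUGEPAGE
    madvise(base, npages * ps, MADV_NOHUGEPAGE); /* Linux: no 2M pages here */
#endif
    for (i = 0; i < touch && i < npages; i++)
        base[i * ps] = 1;       /* first write faults the page in */
    n = resident_pages(base, npages);
    munmap(base, npages * ps);
    return n;
}

int main(void)
{
    printf("64 pages mapped, 0 touched: %ld resident\n", touch_and_count(64, 0));
    printf("64 pages mapped, 3 touched: %ld resident\n", touch_and_count(64, 3));
    return 0;
}
```

This is the same mechanism that lets a large, mostly empty mfs cost only the pages that have actually been written, as the reply says.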
Re: OT: (don't open if you don't like) Kerberized FTP client/Server
Eric Pancer wrote: On Mon, 2006-07-17 at 20:34:36 -0600, Bob Beck wrote... Authenticating using kerberos and ftp is possible, but why use clear text passwords. Set up ssh to use kerberos and use sftp/scp. There are many windows things out there to provide a bozo front end to sftp/scp. i.e. WinSCP, Secure Iexporer, etc. etc. I think he meant a kerberized ftp client, which means the password should never go across the wire. I know umich used to have one, and it had a private directive, but I don't think it's around anymore. - Eric There is one here. http://www.stacken.kth.se/~thn/ktelnet/
Re: OT: (don't open if you don't like) Kerberized FTP client/Server
Jan Johansson [EMAIL PROTECTED] wrote: Gustavo Rios [EMAIL PROTECTED] wrote: What kind of ftp client have you been using on windows for such task? Is it possible to have such environment working with standard openbsd ftp server ? KTelnet does Kerberized FTP but I would suggest using SSH/SCP because the clients are better. http://www.stacken.kth.se/~thn/ktelnet/beta/ It's really weird to have someone with the same name as you, living close to you and in the same computer club as you posting the same answers you do. We really need to synchronize whose turn it is to answer next time something obvious to us both comes up. ;) /Janne - no, you're not getting duplicates on misc@ - Johansson
Re: Process dies when it reaches a size of 1GB.
Joe Gibbens wrote: I'm running squid-transparent on 3.9, and the process dies every time it reaches 1GB. FATAL: xcalloc: Unable to allocate 1 blocks of 4108 bytes! The system has 2GB ram
# ulimit -aH
time(cpu-seconds)     unlimited
file(blocks)          unlimited
coredump(blocks)      unlimited
data(kbytes)          1048576 - (where is this limit configured?)
/sys/arch/i386/include/vmparam.h:#define MAXDSIZ (1024*1024*1024) /* max data size */
Note though, I could not go to 2G on amd64, since the kernel elf-loader code would act up while compiling (and other parts later might as well!), but I did try 1.5G with a complete make build going through.
stack(kbytes)         32768
lockedmem(kbytes)     1907008
memory(kbytes)        1907008
nofiles(descriptors)  1024
processes             532
How do I change the 1GB maximum data segment size? ulimit -d does not seem to change anything. Also, how do the limits in login.conf apply? The _squid user is in the daemon class, and that class is set to a data size of infinity? The resource limits are inherited from the hard limit that vmparam.h sets of course, so if you manage to increase it, then the login.conf infinity should go up also. You won't reach 2G though, if I can make a guess.
Re: squid process dies when it reaches a size of 1GB.
Joe Gibbens wrote: Thanks for the reply Janne. So my only way to run a process over 1GB in size is a custom kernel? Is Yes, as of now, on i386. there an easier way to run a large cache with a process size over 1GB? You can do other things as well, like bumping cachepct to ~12 with config -ef /bsd (I believe there is a limit close to 256M for filesystem cache on obsd, and you're having 2G ram gives 12 percent for that) Not much help there, but at least something. I can re-configure the memory usage, but it would be nice to be able to utilize more of my physical memory without having to go with a custom kernel. Hack away, solve the issues! =) (Or pay someone to do it for you/us)
Re: OpenBSD 4.0 - Where is it?
ICMan wrote: I admit that I am not the most up to date on the release process, but why is 4.0 not out on the FTP server yet if people are receiving it in their homes on CD? And how do I get on that list of people who get the pre-release? Folks who pre-order get an advantage. The rest of us have to wait 4 more days for the FTP to release it.
Re: small, random essay on performance tuning, was: remove....
On Sat, 2008-06-07 at 13:23 +0300, Lars Noodin wrote: It seems from the messages, and my limited experience, that many come to OpenBSD from other systems where messing with the kernel is both required and expected[1], that includes Linux and FreeBSD. [1] Case in point see AFS client problem in Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openafs/+bug/191353 Seems like the discussion that one points to ends with you just need to compile the OpenAFS kernel module, not the kernel. Try another case-in-point.
Re: vsftpd [more secure]
Saulo Bozzi wrote:
Name    Version
vsftpd  http://vsftpd.beasts.org/  1.1.3
vsftpd  http://vsftpd.beasts.org/  1.2.2
vsftpd  http://vsftpd.beasts.org/  1.2.2
vsftpd  http://vsftpd.beasts.org/  2.0.1
vsftpd  http://vsftpd.beasts.org/  2.0.4
what version should i use? what is more secure... the last version... 2.0.6 or 2.0.4 or 1.3?! Ask the vsftpd guys?
Re: vsftpd [more secure]
Saulo Bozzi wrote: my question is to the system administrator. that know about vsftpd. thnkz. regards, bye. ..and my reply was to a person that thinks the Ford car owner maillist is the optimal place to ask for driving directions from London to Paris. If the vsftpd guys/forums/maillists can't tell which of their versions is the most secure, I strongly suggest you don't run that software.
Re: anoncvs.se.openbsd.org: No space left on device
On Mon, 2008-06-16 at 19:44 +0200, Martin Toft wrote: Hi misc@ I get the following error message when updating the xenocara module from anoncvs.se.openbsd.org: I'll talk to them.
Re: CARP not leaving backup state
William Stuart wrote: Hello everyone, I am sorry for not mentioning it was a vmWare instance. The packet replay seemed to be the culprit. This occurred when we moved the image to a vmWare host running vmWare ESX 3.5 from 3.0. Our working theory is that under 3.5 promiscuous mode works differently than under 3.0 and replays all of the traffic. Has anyone else experienced this problem? We have also experienced problems with CARP when moving ESX from 3.0i to 3.5. No solution yet.
Re: compiling tools
Joachim Schipper wrote: I think that the best way for me to use ccache is to be able to revector the CC and C++ compilers ... but I'm not certain, could I just put something like make CC=ccache build as my main compilation command (after, of course, I do the dependencies) and get the compiler revectored to my ccache tool? http://marc.theaimsgroup.com/?l=openbsd-misc&m=109043549403999&w=2 seems to suggest that putting the appropriate CC= line in /etc/mk.conf might work; this is not documented in mk.conf(5). http://marc.theaimsgroup.com/?l=openbsd-ports&m=116060629621783&w=2 suggests likewise, and points to another possible solution, provided you have quite a few Zauruses. Don't forget, ccache does a checksum of the preprocessed .c file and the compiler in order to not use old .o's if your compiler is replaced. When doing a make build, the compiler is rebuilt _twice_, so you are definitely guaranteed not to ever get any gain from ccache on make builds. As for distcc, various parts of the build tree have makefiles that can handle -jX, whereas others might not. No one seems to have researched which parts do as of now.
Re: HTTP URL filtering?
Daniel Ouellet wrote: Toni Mueller wrote: I don't want to generally deny, or slow down, IE users of the site (I can't), but only want to deny them range requests. I didn't find a knob in Apache to do this. If anyone else does, I'm still interested. May be I am thick here, I still don't understand what you are after here. You can block access with:
Order Allow,Deny
Allow from all
Deny from w.x.y.z/xx
And with something like:
BrowserMatchNoCase \MSIE 5.5 browser=MSIE_5.5
and SetEnvIf, you can do clever things. I didn't put a lot of thought into the last piece here as I use that for blocking some specific traffic and the like, but I don't see why it wouldn't be possible. Then I use something like:
RewriteRule Your rule here http://%{REMOTE_ADDR}/ [L,E=nolog:1]
But that needs to be specific for each setup you want to use. I would need to spend time thinking about it, but I would think it's possible to do. Not easy, but possible. Some reading is needed. Today's post on Undeadly about the Layer-7 SSL load balancer almost looked as if it could do just this, at least if you could identify win-machines with the OS fingerprinting, and send all IE (hence all winders users) to a relay that would change so that the server doesn't announce range capabilities. Perhaps a long-winded way of solving this, if there is no other simple knob in apache to turn ranges off.
Re: Missing security announcements
All this chatter now isn't going to change anything when the next errata comes out. You want security announcement? Do something to make it happen! Ted, everybody knows that's not going to happen. I remember having asked the same question YEARS AGO and nothing has changed since then. Reading those two next to each other says everything.
Re: Using a separate boot partition
Stuart Henderson wrote: I'm backing ben here : OpenBSD / should be small enough to fit it entirely into a boot partition. /etc/{master.,}passwd and /etc/{s,}pwd.db can grow pretty large on some systems...
# wc -l /etc/passwd
118993
# ls -lh /etc/*db
-rw-r--r--  1 root  wheel    75.2M Nov 14 08:34 /etc/pwd.db
-rw-r-----  1 root  _shadow  75.2M Nov 14 08:34 /etc/spwd.db
Yup.
Re: Research for a Software Security paper
Jose de Paula Eufrasio Junior wrote: Hello, before anything else, I did read all material about the OpenBSD security policies on the website. ... I read the documentation on the site already and would like to get some more info about the process. ... 2) The OpenBSD and OpenSSH code is always available or they have periodic releases? Do those releases, if they exist, have any security specific treatment or auditing? You said twice above that you read all materials and couldn't figure out if the code is always available or have periodic releases? Booo.
Re: Research for a Software Security paper
Jose de Paula Eufrasio Junior wrote: On Thu, Nov 20, 2008 at 7:44 AM, Janne Johansson [EMAIL PROTECTED] wrote: You said twice above that you read all materials and couldn't figure out if the code is always available or have periodic releases? Booo. As I also said: I used the same questions on all projects I researched so they are not specific questions. I just repeated (copy-pasted) the questions I used before, I know the answers to some, but not to all. I was just assuring all projects answered the same questions to make the process equal. It's the do my homework part that got me. I was just assuring all the projects answered one part each of my homework
Re: /usr/obj slice size
Josh Grosse wrote: On Mon, 15 Dec 2008 14:24:18 +, Dave Wilson wrote ...I'm trying to create a 2G MFS for /usr/obj, but if I go much above 200 with mount_mfs I get an error... For /usr/obj on i386, my userland build script creates two MFS mounts, builds sparse files on them, assigns the sparse files to svnd1 and svnd2, concatenates them with softraid, and mounts the newly formatted larger MFS-ish partition as part of its setup steps. I do one for obj, one for obj/lib and one for obj/gnu which makes it all work even though the limit is at 1G for i386. Just make the first get populated from a skeleton dir having lib and gnu there already so they can mount onto something:
swap /usr/obj mfs rw,async,-s=1924000,-P/usr/skel-obj 0 0
swap /usr/obj/lib mfs rw,async,-s=1936000 0 0
swap /usr/obj/gnu mfs rw,async,-s=1936000 0 0
Re: OpenBSD 4.4 amd64 bsd.mp can't detect 4GB memory
Owain Ainsworth wrote: Enabling bigmem=1: Also, from sys/arch/amd64/amd64/machdep.c: /* Tweakable by config(8) */ How? That diff was never commited. Config needs to know about it before it can change it. I did a similar config(8) patch for when PAE was in the same situation, so if someone desperately wants to make his/her config bigmem-aware and wants a hint on how to turn a random int on from config(8): http://people.su.se/~jj/obsd/config-pae.diff
Re: www@
Jordi Espasa Clofent wrote: Hi all, I've sent a mail to www@ about some questions to build a mirror but no response at moment. Who's behind this mail account? It is a mailing list.
Re: script
Nick Guenther wrote: Does anybody provide a commercial shell scripting??? for i in Don't wait Buy Things Now Save Now $0.99 Get your instant trial account now Double Your Sales Calls, Free Script Demo; do echo $i done Like that? Hey man, that wasn't just 'commercial grade', that was Enterprise(tm) ready! Almost ready to be: #!/usr/games/fortune 500 ...
Re: Port ZFS to OpenBSD
Khalid Schofield wrote: Dev's. What are the chances of getting a port of ZFS to OpenBSD? If you just sit and wait for it, I'd say: zero to very-little.
Re: Port ZFS to OpenBSD
Dieter wrote: What are the chances of getting a port of ZFS to OpenBSD? I can't quite bring myself to run solaris since it lacks so much of what I love about OpenBSD and Linux is back to square one because of the reasons I moved to OpenBSD. Have you ruled out FreeBSD? Why are so many people so hot for ZFS? From what little I've read about it, it sounds very complex, which means bugs and a nasty learning curve. Not something I'm interested in trusting my data to. Then again, you give the zfs a name, and throw it a list of raw devices and you can have that filesystem 'newfs'ed, writeable, nfsexported and running in a more than usual fault-tolerant raided mode in mere seconds regardless of size. Some admins value that. (except the nfs part, but it's optional)
Re: Polite enquiry as to if anyone is working on 64 bit time_t, and if so, what's the plan?
2011/10/19 Bruce Drake br...@zectro.com I found mention of a possible move to 64 bit time_t back in 2005 and 3.9 was mentioned, but I see it hasn't happened. Is there a plan, like for instance making all platforms, even 32 bit 64 bit time_t, like I think NetBSD have tried/trying to do? Can someone give a brief list of what needs to change, forgetting about ports, like UFS etc. that would be greatly appreciated. A lot of protocols? It's of no use if my machine knows it is Jan-1-2040 today if the HTTP cache-expires says you may cache this until Jan-1-1904 or the ntpd thinks UTC is at 1904 and I'm a bit off. -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: Polite enquiry as to if anyone is working on 64 bit time_t, and if so, what's the plan?
2011/10/19 Michael T. Davis dav...@ecr6.ohio-state.edu I found mention of a possible move to 64 bit time_t back in 2005 and 3.9 was mentioned, but I see it hasn't happened. Is there a plan, like for instance making all platforms, even 32 bit 64 bit time_t, like I think NetBSD have tried/trying to do? Can someone give a brief list of what needs to change, forgetting about ports, like UFS etc. that would be greatly appreciated. A lot of protocols? It's of no use if my machine knows it is Jan-1-2040 today if the HTTP cache-expires says you may cache this until Jan-1-1904 or the ntpd thinks UTC is at 1904 and I'm a bit off. You seem to be saying that applications need to be patched before the underlying operating system (OS) can be considered. But isn't the OS responsible for providing the glue (e.g. time-related include files and libraries) with which applications are built? (This is coming from a casual user, so if I made the wrong inference from your statement, I'm happy to be corrected.) What I meant was as you say, we can change the include file to say use 64 bits for time and recompile some apps, but if the database file format or the over-the-wire formats don't support 64 bits for specifying time, you'd be screwed anyway. That's why applications, formats and protocols need to change, since many of them use 32 bits today. -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it
2011/11/8 Mostaf Faridi mostafafar...@gmail.com Sorry for my bad English. I only understand: does this pf.conf work in OpenBSD 5 or not? Which part must I edit and change? The part where you hope someone else will do the work so you don't have to know what your own firewall is doing, and why. -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: What is wrong with this pf config
2011/12/11 John Tate j...@johntate.org So I have a suggestion worth considering, if the line block in all does not appear pfctl -nf should perhaps spit out a warning. Much like you've done with your pretty compilers over there. There are still lots of reasons to run PF even if you don't want block in all for a default, so whining on all the other uses you couldn't imagine would not be very productive. -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: OpenVPN issues on 5.0
2011/12/16 Erling Westenvik erling.westen...@gmail.com Links to foolproof HOWTO's will be much appreciated! Nature has thwarted all attempts to make such HOWTOs by making ever better fools, which probably is why you: ...but I have spent two days Googling, reading tons of HOWTO's and trying out different solutions, but without being able to solve the issue. Not to say you are a fool, but HOWTOs for anything else than the most simple stuff can't cover all cases, which means you still must understand things or the HOWTO will not help you and instead lead you astray in the wrong direction, making you look foolish when you in reality wanted help. In the long run, learning the stuff you attempt to do instead of wasting two days following someone else's bad advice is time better spent. -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: OpenVPN issues on 5.0
2011/12/22 Erling Westenvik erling.westen...@gmail.com: Sorry for bumping this here @ misc when my question probably belongs to some OpenVPN forum, but it seems like no-one out there can say much on OpenVPN issues that appear to be OpenBSD specific. What puzzles me is that I cannot make the tun-interface show up in the route table on the server:
Destination        Gateway            Flags  Refs   Use    Mtu  Prio  Iface
default            AAA.BB.CCC.D       UGS       3  1101      -     8  url0
127/8              127.0.0.1          UGRS      0     0  33196     8  lo0
127.0.0.1          127.0.0.1          UH        2     0  33196     4  lo0
192.168.2/24       link#5             UC        1     0      -     4  acx0
192.168.2.200      00:16:ea:b3:65:d0  UHLc      1   400      -     4  acx0
192.168.3/24       link#2             UC        2     0      -     4  bge0
192.168.3.106      00:1e:4f:95:19:1d  UHLc      1  1582      -     4  bge0
192.168.3.200      fe:e1:ba:d7:c3:24  UHLc      0    28      -     4  bge0
193.90.160/20      link#6             UC        1     0      -     4  url0
AAA.BB.CCC.D       00:90:1a:42:6d:81  UHLc      1     0      -     4  url0
AAA.BB.CCC.DDD     127.0.0.1          UGHS      0     0  33196     8  lo0
224/4              127.0.0.1          URS       0     0  33196     8  lo0
/etc/hostname.tun0:
link0 up
!/usr/local/sbin/openvpn --config /etc/openvpn/server.conf
/etc/hostname.bridge0:
add bge0
add acx0
up
What does ifconfig tun0 say? When I did openvpn before I mostly didn't start openvpn from the tun config file myself, but rather start openvpn and make that one bring up tuns for me, but I would assume that if the tunnel goes up and then down and if it takes the tun0 down until the tunnel can be taken up again, the network that tun0 belonged to would not show in the routing table until it gets back up again. Any interface that has an address and that is up would somehow make an entry in the routing tables. -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: yt_execution_fails_due_to_lua_error-[4.9-stable]
2012/1/20 soko.tica soko.t...@gmail.com: Hello, I was trying to download a youtube video from a box running 4.9 stable, but got the following error: = Getting http://www.youtube.com/watch?v=i7pkyDUX5uM ... /usr/local/bin/lua: /usr/local/share/lua/5.1/base.lua:433: stack traceback: [C]: in function 'error' /usr/local/share/lua/5.1/base.lua:433: in function 'assert' /usr/local/bin/yt:158: in main chunk [C]: ? Also, if you add the URL with a leading space yt will spew errors. (happens to me sometimes while pasting in URLs into a set of 's) -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: Routerboard RB600 and hifn(4)
I think accelerator cards need to provide both checksumming (md5 or sha1) and crypto in HW before it's actually any use. Otherwise you will spend most of your time copying data around. 2012/1/22 Stefan Johansson steve.johans...@telia.com: Hello! Does anyone on the list have experience with a hifn(4) card (such as the Soekris vpn1411) in a Routerboard RB600? I'm using it for an ipsec tunnel (isakmpd between RB600 and another OpenBSD i386 box) and would like to know if it will give me any performance increase before I purchase one? Today I get about 12 Mb/s through the tunnel and 60-70 Mb/s outside. I am measuring this with iperf on OpenBSD 5.0 and the RB600 CPU is set to 533MHz. /Stefan -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: Build libc separately
I think this would be a good case of If you don't know how to do it, it is the wrong solution to your problem. Or, you will get a really decent amount of training in how to recover broken installations. 2012/1/24 Serguey Kuritsin kuritsin_...@mail.ru: Hello! I need to compile libc with different compiler (llvm) separately from other parts of source tree (i.e. compilation of other parts is unnecessary) and keep it in special directory (both includes and libs). Can you please give me some clues how to perform it? Some pointers to Make infrastructure would be great. I apologize for my English. -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: Long delay updating xenocara source tree?
2012/1/31 Dave Anderson d...@daveanderson.com: I do have a slowish ADSL link (384Kbps/1536Kbps) which would limit me to very roughly 1MB/min outbound, so I took advice to use '-z 9' to compress data and that reduced the total time for a xenocara source tree update from about 11 hours to about 2.5 hours. (Though I discovered that not all servers support compression.) if they do anoncvs over ssh, you can ask ssh to compress the data instead of having cvs do it, for those servers. -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: Is fdisk partition a must for a non-system disk on i386
2012/2/7 Alan Cheng bsdp...@gmail.com: Hello list, I'm playing around with fdisk on a vmware virtual machine with 5.0 i386. Despite what's in FAQ14.4, I found I can still create disklabel partitions without a fdisk partition (no fdisk -i $disk) on a blank disk. I'm confused. So my question is: 1. Is fdisk partition a must for a NON-SYSTEM disk on i386? 2. what is the disadvantage of using a disklabel partition without fdisk partition in above mentioned scenario? fdisk and disklabel aren't really optional in that sense. Every disk (at least on PC derivatives) should have one A6 partition, and a disklabel to match the area inside that fdisk partition. You can fake around it in various ways, but there is seldom a real need to, so why bother doing it in odd ways? It will perhaps bite you in the long run to do it in non-standard ways. -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: Is fdisk partition a must for a non-system disk on i386
The rules are different for different architectures, different disks (usb and whatever) and so on, so you can't really map every possible device on all machines into one neat rule. But telling people to use fdisk and disklabel to get it right will be the least painful way to get it as common as it can be. So, some apple-ipad-while-on-usb will be a disk with no partitions and a filesystem on top of the sdXc, or someone sets up their CF disk like that, or someone manages to get two A6 partitions on the same disk and not confuse himself, but this may not mean it's a good idea. 2012/2/7 Alan Cheng bsdp...@gmail.com: thanks Janne for the explanation. I thought a fdisk partition on i386 is *required* after reading FAQ14/man pages and I was a bit surprised to be able to create a disklabel partition without doing fdisk -i. so I wrote to the list for help on what I mis-understood ... thanks. Alan On Tue, Feb 7, 2012 at 3:41 PM, Janne Johansson icepic...@gmail.com wrote: 2012/2/7 Alan Cheng bsdp...@gmail.com: Hello list, I'm playing around with fdisk on a vmware virtual machine with 5.0 i386. Despite what's in FAQ14.4, I found I can still create disklabel partitions without a fdisk partition (no fdisk -i $disk) on a blank disk. I'm confused. So my question is: 1. Is fdisk partition a must for a NON-SYSTEM disk on i386? 2. what is the disadvantage of using a disklabel partition without fdisk partition in above mentioned scenario? fdisk and disklabel aren't really optional in that sense. Every disk (at least on PC derivatives) should have one A6 partition, and a disklabel to match the area inside that fdisk partition. You can fake around it in various ways, but there is seldom a real need to, so why bother doing it in odd ways? It will perhaps bite you in the long run to do it in non-standard ways. -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: pgt firmware ...
2012/2/26 Wesley M. open...@e-solutions.re: Try this : add wget package using pkg_add -vi wget wget http://firmware.openbsd.org/firmware/5.0/pgt-firmware-1.2p2.tgz Or skip getting wget altogether and just use the /usr/bin/ftp which can talk http well enough for this. Or, skip getting the package down locally and just give pkg_add the url directly and notice how it can DL stuff for itself. -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: pgt firmware ...
2012/2/27 David Walker davidianwal...@gmail.com: Thank you Peter. I still get the same error message (error line wrapped): pkg_add ./pgt-firmware-1.2p2.tgz Bad pkg_db: No such file or directory at [...] Something's wrong with my environment but what ... Yes, the thing that makes it impossible for you to run exactly what we tell you to, and instead you add ./name-of-package when pkg_add takes URLs directly. Now exactly what in your environment is doing that, I can't really tell. -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: Trusting the Installation
2012/2/29 Tomas Bodzar tomas.bod...@gmail.com: On Wed, Feb 29, 2012 at 3:44 AM, Nathan Stiles stiles.nat...@gmail.com I was also expecting the checksum to be served over HTTPS. Some exact reason for that? Especially regarding a lot of issues and flaws discovered during last months/years in various implementations of SSL/certificates/CAs? [...] What are others doing? Others, like the rest of the internet, are using those certificate authorities (all 600+ of them?) as if they work, and make users believe that since my browser says Chunghwa Telecom or NetLock Halozatbiztonsagi Kft. is to be trusted, mylocalbank.com showing one of their certs must be fine and dandy. Doing what others do isn't always adding to real security. As everyone says, buying the CD is a solution for the really paranoid. Going to a BSD conference where obsd devs and affiliates sell such CDs even mitigates the evil post office CD-swapper issue. If you aren't ready to shell out the bucks for one CD set, then it can't really be important. -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: may 7 carp addresses be too much on 5.0/amd64 ?
2012/3/2 Ilya Shipitsin chipits...@gmail.com: hello! we are running CARP-ed load balancers (carp over different vlans). it was running just great with 6 carp addresses. when we added 7th, randomly we get MASTERs on both server for certain carp interface. After reboot we can get different carp interface on dual MASTER state, and so on. carp negotiations are ok, tcpdump shows them all. both peers see each other. if I put one interface to BACKUP state, it goes to MASTER soon. we are running 5.0/amd64 I'm seeing this too. The current work-around is to set the carp to announce to a carppeer to the other box so it doesn't multicast but rather uses unicasts. In my case, the to-be-slave machine doesn't see all the carp announcements from the master, but rather one per minute or so. I have this on Dell amd64 openbsds ranging from 4.8 to 5.0, in all my cases when running on top of vlans (just because that is how we set these up) and running on Extreme Switches. The ips on the vlan interfaces can talk fine, the master hears all carp packets, the slave misses most or all carps from the other. This means that tcpdump on the master shows the higher-skewed carps from the slave also. The odd thing is that it's not consistent on all carps either, but rather a few out of many. If I set just those to use carppeer, it sometimes moves over to other carps, but it could have been moving around for a long time, haven't had time to fully investigate this. I have a few non-critical pairs on which to test stuff, if needed. -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: may 7 carp addresses be too much on 5.0/amd64 ?
2012/3/3 Janne Johansson icepic...@gmail.com: when we added 7th, randomly we get MASTERs on both server for certain carp interface. After reboot we can get different carp interface on dual MASTER state, and so on. carp negotiations are ok, tcpdump shows them all. both peers see each other. if I put one interface to BACKUP state, it goes to MASTER soon. we are running 5.0/amd64 I'm seeing this too. I have this on Dell amd64 openbsds ranging from 4.8 to 5.0, in all my cases when running on top of vlans (just because that is how we set these up) and running on Extreme Switches. And to answer Camiel's Q, we have preempt=1 -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: My OpenBSD 5.0 installation experience (long rant)
2012/3/12 Fredrik Staxeng fst...@update.uu.se: So you state that the fact that if one chooses to use the whole disk, the whole disk is used needs further documentation? Once upon a time, mkfs used to make a 10-second pause before starting. That's the way you do it. That is an answer to the question How? (actually a bad one, as if the user didn't read messages before hitting [Enter], he probably won't do it after doing so), while my statement implied more of Why? you didn't address at all. I jumped into the middle here, I know. I think the 10-second delay is a brilliant solution. Much better than an are you sure? question. I think that there is a large probability that the user will spend that time reading the message, and consider whether he really wants to do it. And as soon as the first I spent those 10 seconds reading the scrollback or web comics, and now my data is gone has occurred, we make it 20 seconds. Then 30. And after that, thousands of installations are delayed by minutes each just to accommodate people that 1. don't think OS installations warrants backups when mixing and multibooting and 2. don't read what they answer anyhow... -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: may 7 carp addresses be too much on 5.0/amd64 ?
2012/3/4 Ilya Shipitsin chipits...@gmail.com: thanks to Camiel Dobbelaar, carp log at 6 showed an ip_output problem, which led me to: pass quick proto carp no state Which doesn't match the PF FAQ which says: Since CARP is its own protocol it should have an explicit pass rule in filter rulesets: pass out on $carp_dev proto carp keep state I'll test the no state as soon as I can rig one of my previously failing boxes to not use my carppeer workaround. it did the job (I still do not understand how the firewall passed 6 interfaces and blocked the 7th, need to have a closer look, but after that rule everything became ok, pf stopped blocking carp announces) On 2 March 2012 21:31, favar 889...@gmail.com wrote: hi list, we have same problem with carp. (with 45 ip addresses) and after reboot, host with advskew 200 became master, and with advskew 1 - slave. 2012/3/2 Ilya Shipitsin chipits...@gmail.com: no, I copied hostname.carpXX, just added advskew 200 parameters are the same. On 2 March 2012 15:25, Otto Moerbeek o...@drijf.net wrote: On Fri, Mar 02, 2012 at 01:53:17PM +0500, Ilya Shipitsin wrote: hello! we are running CARP-ed load balancers (carp over different vlans). it was running just great with 6 carp addresses. when we added 7th, randomly we get MASTERs on both server for certain carp interface. After reboot we can get different carp interface on dual MASTER state, and so on. carp negotiations are ok, tcpdump shows them all. both peers see each other. if I put one interface to BACKUP state, it goes to MASTER soon. we are running 5.0/amd64 Cheers, Ilya Shipitsin Carefully compare the address lists (including masks) on both machines. Likely they are not the same. -Otto -- To our sweethearts and wives. May they never meet. -- 19th century toast
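Otto's advice above, to carefully compare the address lists (including masks) on both CARP peers, is easy to get wrong by eye once there are seven or more addresses. The script below is an added example, not something from the thread: it takes one file per box containing the concatenated hostname.carp* contents (the `cat /etc/hostname.carp*` output of each machine), extracts the address/netmask pairs, and reports anything that exists on only one side. The file layout, the fw1/fw2 names and the sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): compare the CARP address/netmask lists
# of two peers mechanically. Feed it one file per box containing the
# concatenated hostname.carp* contents ("cat /etc/hostname.carp*" on each
# box), i.e. lines like:
#   inet 192.168.3.1 255.255.255.0 192.168.3.255 vhid 3 pass xxx advskew 0
# Only address and netmask are compared; advskew legitimately differs.

# Sorted "address netmask" pairs from one file; lines that do not carry an
# inet address (e.g. "up" or "!pfctl ...") are skipped.
carp_addrs() {
    awk '$1 == "inet" && NF >= 3 { print $2, $3 }' "$1" | sort
}

# Print every pair that exists on only one side, labelled with its file name.
# Returns 0 when both lists are identical, 1 when they differ.
carp_addr_diff() {
    tmp1=$(mktemp) && tmp2=$(mktemp) || return 2
    carp_addrs "$1" > "$tmp1"
    carp_addrs "$2" > "$tmp2"
    # comm -3 keeps lines unique to either input; lines from the second file
    # arrive tab-indented, which awk turns into an "only on" label.
    out=$(comm -3 "$tmp1" "$tmp2" |
          awk -v a="${1##*/}" -v b="${2##*/}" \
              '/^\t/ { print "only on " b ": " substr($0, 2); next }
                      { print "only on " a ": " $0 }')
    rm -f "$tmp1" "$tmp2"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample data for a dry run: two boxes with three CARP addresses
# each; vhid 7 on fw2 was typed with the wrong netmask.
sample_configs() {
    cat > "$1/fw1.carp" <<'EOF'
inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 1 pass xxx advskew 0
inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 2 pass xxx advskew 0
inet 192.168.7.1 255.255.255.0 192.168.7.255 vhid 7 pass xxx advskew 0
up
EOF
    cat > "$1/fw2.carp" <<'EOF'
inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 1 pass xxx advskew 100
inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 2 pass xxx advskew 100
inet 192.168.7.1 255.255.254.0 192.168.7.255 vhid 7 pass xxx advskew 100
up
EOF
}

# With two arguments, compare those files; with none, run on the sample.
if [ $# -eq 2 ]; then
    carp_addr_diff "$1" "$2"
elif [ $# -eq 0 ]; then
    d=$(mktemp -d)
    sample_configs "$d"
    if carp_addr_diff "$d/fw1.carp" "$d/fw2.carp"; then
        echo "CARP address lists match"
    fi
    rm -rf "$d"
fi
```

On the sample the script prints the two mismatching pairs for vhid 7 and exits 1; run against real files it exits 0 only when every address and mask agrees, which is the precondition the thread ended up chasing.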
Re: openldap and openbsd
2011/6/28 Friedrich Locke friedrich.lo...@gmail.com Dear list members, I have just installed openldap from ports (OpenBSD 4.9/amd64) and I am testing it. My doubt is: It seems to me that openldap should be run as user x and group y according to the ports collection. The problem is that I want to use kerberos authentication. The system (OS context) is just doing kerberos, but the keytab file is permitted access only to root. How could I run openldap as another user not root and provide it with a ldap/x.y.z ticket? How have you done so? You make a specific keytab for openldap, of course readable by the ldap daemon user. There is no need to stick all keytabs in the host keytab file. -- To our sweethearts and wives. May they never meet. -- 19th century toast
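The "specific keytab for openldap" answer above, spelled out as an added example rather than anything from the thread: the ldap/ service key is extracted into its own keytab owned by the daemon user, so slapd never needs to read the root-only host keytab. The daemon user name, keytab path and principal are assumptions for the example (adjust them to what the port actually uses); the `kadmin -l ext_keytab` invocation is Heimdal's, which is what OpenBSD shipped in base at the time, and `check_keytab` verifies the result the way a practitioner would before starting the daemon.

```shell
#!/bin/sh
# Added example (not from the thread): give slapd its own keytab holding only
# the ldap/ service key, owned by the daemon user, instead of letting it read
# the root-only host keytab. All names below are assumptions for this example.
LDAP_USER=${LDAP_USER:-_openldap}                 # user the port runs slapd as
LDAP_KEYTAB=${LDAP_KEYTAB:-/etc/openldap/ldap.keytab}
LDAP_PRINC=${LDAP_PRINC:-ldap/ldap.example.org}   # service principal, realm implied

# Print "owner mode" for a file, e.g. "_openldap 600". GNU stat first, then
# the BSD stat(1) format (assumed to be the right -f spec on OpenBSD).
file_owner_mode() {
    stat -c '%U %a' "$1" 2>/dev/null || stat -f '%Su %OLp' "$1"
}

# Extract the service key into a separate keytab (Heimdal kadmin, as in the
# OpenBSD base system of that time) and restrict it to the daemon user.
# slapd is then pointed at it with KRB5_KTNAME=FILE:/etc/openldap/ldap.keytab
# in its environment (e.g. from the rc script), so the host keytab stays
# readable by root only.
make_ldap_keytab() {
    kadmin -l ext_keytab -k "$LDAP_KEYTAB" "$LDAP_PRINC" &&
    chown "$LDAP_USER" "$LDAP_KEYTAB" &&
    chmod 600 "$LDAP_KEYTAB"
}

# Returns 0 when the keytab is readable by exactly the given user (owner
# matches and no group/other bits are set), 1 otherwise with a reason on stderr.
check_keytab() {
    kt=$1
    want_user=$2
    info=$(file_owner_mode "$kt") || return 1
    set -- $info
    owner=$1
    mode=$2
    if [ "$owner" != "$want_user" ]; then
        echo "$kt: owned by $owner, expected $want_user" >&2
        return 1
    fi
    case $mode in
        400|600) return 0 ;;
        *) echo "$kt: mode $mode is readable beyond its owner" >&2; return 1 ;;
    esac
}

# Usage, as root, once the ldap/ principal exists in the KDC:
#   make_ldap_keytab && check_keytab "$LDAP_KEYTAB" "$LDAP_USER"
```

The check is deliberately strict about mode bits: a keytab is equivalent to the service's long-term password, so a group-readable file would hand that secret to every member of the group.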
Re: [OT] io event triggered file system synchronisation
2011/7/29 Remco re...@d-compu.dyndns.org frantisek holop wrote: hi there, sorry for the offtopic but there are probably many knowledgeable admins on this list as well. i am looking for a solution that keeps monitoring file system io for all stuff under a certain path and whenever files change/get added/removed it synchronises these changes with multiple remote locations. basically sql replication for file system :] anybody using something like this? I've never used it, I don't know how well it works, but it might fit your needs: http://en.wikipedia.org/wiki/Andrew_File_System AFS has support for (atomically) distributing copies to other fileservers, BUT, for the volumes for which you want distribution, there are a number of things to think of. One is that it's nothing like fast if you are thinking along SQL terms. It will do incremental diffs when sending changes, but the atomicity doesn't really allow for lightning fast replication. Also, all the replicas are read-only, so you can only write to the master (for that particular volume) server, then you run a command to start the sync to the replication servers. It's not automatic which may be good if you update a lot of related files in a swoop, but can of course be crontabbed or something like that. So yes, it does do parts of what's been asked for above, but perhaps it's not what the hidden demands call for. -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: Slackathon T-Shirts
2011/9/20 OpenBSD Europe m...@openbsdeurope.com Hello folks, We have some left over Slackathon 2011 white t-shirts here of various sizes. We asked for a donation for 200 SEK per shirt on the day. If you would like one please contact us via this email address off list. Of course, they are still *100% donation*. I don't have my camera here right now to show photos of the t-shirts, but maybe someone else has a shot? Sure, http://people.su.se/~jj/obsd/slack2011-tshirt.jpeg -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: Why so cool OS doesn't have vuln database?
Yuriy Grishin wrote: Indeed you're right. I've got the same experience with php5-gd library. The audit program told that this library is vulnerable but there was no patch available. So this message was about useless. On the other hand in most cases this sort of applications could save admin's time. Ok, so make it work then: 1 Port the apps (easy) 2 Populate the database (huge work) 3 Build up trust so the average paranoid admin wants to use it (?) 4 Profit! I await someone saving my admin time. On the other hand maintaining the database is extremely huge work. It is not for the community. exactly who is the community? You and me and that guy.
Re: Even and Odd numbered OpenBSD versions
Artur Grabowski wrote: Mark Romer romes...@gmail.com writes: Hello, just a simple question. We have here at work an old hand at openbsd and he says he only uses openbsd versions that are even numbered. [...] but what does everyone else think? He's odd. Sounds like a candidate for the 2007 Slackathon! http://people.su.se/~jj/junk/slackathon.png
Re: softraid - speed
Uwe Dippel wrote: I tried again, setting up RAID1 on 2 U320 drives, 15k, as described in softraid(4). Now I find the speed to be too slow. Writing to a single file is kind of okay: [everything/pwd is /mnt, which is a softraid drive, /dev/sd3f] [..] But a dump restore of /usr is a tad sick: [..cut...] I can see at times that the data amount transfered is huge, at other times it is moving by steps of 0.1-0.2 MB/s. Probably it is a problem of number of files, not of size. Any idea what to do to improve the performance? In the generic I restore/unpack a zillion files to a newfs:ed partition, mount it async, which helps the number of files issue, and if it fails in the middle, you will want to restart the restore anyhow, so you just might newfs it again in that case.
Re: softraid
Uwe Dippel wrote: Uwe Dippel udippel at uniten.edu.my writes: To me this seems a result of the sequence at boot: at first we identify the physical drives, that is sd0, sd1, sd2 and sd3 in this case, and only later do we get softraid up, sensibly roaming the RAID one up. Sensibly? Because fstab can't know and will want to mount partitions of a lower number (sd3 in this case), which is always impossible. I do understand the problem of 'no labels'/'no UUID', but the current working will break boot whatever happens: any extra drive, in any slot, will be discovered at boot time before softraid is activated. So it will break 100%, right? Isn't that the case with all fstab entries right now? You get the computer to list some drive before other disks, raid or no raid, and fstab breaks on you.
Re: Get Top 10 Search Engine Ranking at Low Cost
Anton Parol wrote: How does one take advantage of such a good offer, when there's no URL? sadface Hi, *TOP 10 SEARCH ENGINE RANKINGS* You have to prove your google skills by finding them. They should be in the top 10 of search engine rankings, presumably.
Re: OpenBSD as a storage SAN
Lars Nooden wrote: OpenAFS is part of the base distro. No. The base includes arla, an AFS client.
Re: assigning more than 493 MB memory for qemu virtual machines
Siju George wrote: Hi, Trying to assign 512 MB memory to a qemu virtual machine resulted in the error. $ sudo qemu -m 512 -hda wd0.img -hdb wd1.img -cdrom LATEST-Devel.iso Could not map physical memory -m 493 works -m 494 -m 495 gives segmentation fault Is it a bug in qemu that should be fixed? how can I assign more than 493 MB memory for qemu virtual machines? One more thing, giving a qemu host X Meg memory doesn't mean Qemu only uses X(+little) megs of RAM. I think I saw figures like 2-3x what I gave the guest IIRC, so whatever the limits are, they won't be close to 493M.
Re: mount_xfs in -current gone?
Tim Gruene wrote: I tried using mount_xfs from base45.tgz, but the XFS is not defined in the generic kernel. Does anyone know whether mount_xfs is going to come back? Do I have to compile the kernel myself just to mount an xfs-formatted usb-stick? The xfs (that was renamed to nnpfs) is not the SGI journalled filesystem, so no usb stick will be xfs/nnpfs-formatted on obsd 4.5. It's a userspace-filesystem translator to make AFS clients possible on obsd, nothing else.
Re: Sort doesn't sort
Woodchuck wrote: You do not say which version of OpenBSD you are running. I tried your example on current (amd64 and i386) and 4.5 (amd64) and did get the proper results. 4.2 I've been too cowardly to upgrade. I'd have thought that sort might have been frozen in amber a few decades ago, though. http://www.openbsd.org/plus43.html mentions at least two fixes for sort.
Re: dma problem in VIA Nehemiah
sonjaya wrote: # dmesg OpenBSD 4.5-stable (LESCHACO) #0: Mon Aug 10 15:49:13 WIT 2009 r...@localhost:/usr/src/sys/arch/i386/compile/LESCHACO cpu0: VIA Nehemiah (CentaurHauls 686-class) 1 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,SEP,MTRR,PGE,CMOV,PAT,MMX,FXSR,SSE real mem = 502824960 (479MB) [...] root on wd0a swap on wd0b dump on wd0b wd0: transfer error, downgrading to Ultra-DMA mode 3 wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 3 wd0a: aborted command, interface CRC error reading fsbn 24063776 of 24063776-24063807 (wd0 bn 24063839; cn 1591 tn 125 sn 44), retrying wd0: soft error (corrected) # any clue to make this problem dma missing, i think problem of hard disk but not I got that when I did what the pciide(4) manpage says NOT to do: Quote: For proper operation of UltraDMA 3 and higher modes a 40-pin, 80-conductor cable must be used. On some controllers, the pciide driver can probe the chip and see if it detects that an 80-conductor or 40-conductor cable was used. If not, it will down-grade to UltraDMA 2 mode.
Re: Typo in plus.html
Luca Corti wrote: i instead of li. Thanks.
Re: Supporting OpenBSD
Brad Tilley wrote: On Wed, Sep 9, 2009 at 6:33 AM, Chris Bennett ch...@bennettconstruction.biz wrote: I just signed up for a $5 USD a month subscription using PayPal. I was unaware of that. That's a nice feature. I don't have a PayPal account (don't trust them) I move money from my account into paypal, with the intention that that money may disappear from the face of the earth, then make PP donations using those. No ties to any account or CC for me, so I don't risk anything except what I give to PP in the first place.
Re: how to trace a hardcore-bug in OpenBSD-4.5
paranoid.gand...@googlemail.com wrote: The OS got totally corrupted. gdb, su, sudo do segfault for example. 8 But later my ssh died again and after that the server finally broke down. Beyond the point of what fsck can handle. During auto-fsck the box reboots. A good bug I'd say... ran into it now 2 times in less than 5 hours. And I have no clue why or how I triggered it. 8 If there is more I could tell you please do let me know. Any of the "My computer has bad hardware" tips seem to apply nicely to this kind of symptoms.
Re: Defending OpenBSD Performance
Christiano Farina Haesbaert wrote: Ignore my double posting, my mistake. Don't worry, it adds value to the intarwebs.
Re: managing authorized_keys
Joachim Schipper wrote: There's 400+ unix boxes. I know we can stick keys into authorized_keys, but managing it for a bunch of automated processes seems a bit unwieldy. Have you considered Kerberos? You'll still have to add accounts (or use LDAP, indeed), but at least you don't have to copy the keys everywhere. With some patches, you can use the krb5 host-keys instead of the ssh-host-keys. Then again, any site with 400+ boxes should really have most of them on an automated install procedure anyhow, so sending out authorized_keys using that should be a high priority.
Re: Outbound RST not seen by tcpdump?
Ian Chard wrote: I'm troubleshooting a very strange problem, where my ssh connection to a few different OpenBSD machines drops suddenly, with the client machine receiving a TCP RST from the server. I've taken tcpdump captures on both sides (in different sessions, so the tcpdump process doesn't die with my shell), and the OpenBSD machine's capture doesn't log the RST it apparently sends. There are ISPs that traffic shape their links by killing long-lasting TCP streams by faking the RST in the middle.
Re: Slow HDD speed on Dell E6400
TomC!E! BodEC!r wrote: There must be some funny tricks on those other OSes. But it doesn't matter (I will investigate myself). Now I know more about those random generators and tests for real are ok. Untar of src.tar.gz shows about 9MB/s in iostat(8) and dd ports.tar.gz to some file shows about 22MB/s. Thanks all for their tips and sorry for some of my stupid ideas ;-) Also, untarring lots of small files won't test your I/O in the same way as a dd(1) test, since it will test "how often can I make atomic writes to my disk" rather than "how much data can I move".
Re: Carp basics
Siju George wrote: Is it possible for me to make both fw1 and fw2 listen on ip address 172.17.1.0 and load balance connections through both ISPs? And also make a fail over set up so that when either ISP1 or ISP2 is not functioning all hosts in the network go through the other. http://www.openbsd.org/faq/faq6.html#Multipath might help.
Re: automating 'fsck -y' after a power failure
Joachim Schipper wrote: make a dump of the partition before going to execute potentially data destroying actions? yes, this is sound advice of course. but what are you going to do with the dump if say, fsck is not able to revive the fs? dump it back, run fsck again and answer no at a couple of fsck prompts? how is it going to change anything in the end? Well, if fsck can't revive your partition, you can always try different tools. Something like fsdb may be able to recover part or all of your filesystem even in cases where fsck loses the plot. Also, fsck may fail in the middle due to lack of memory, so moving the dump to a bigger box to make it run through may be a good solution in that case. Or old fsck fails where a -current fsck won't.
Re: poor tcp performance
Jose Fragoso wrote: I am running openbsd 4.2 on a box and I would like help trying to identify networking bottlenecks. While trying to download a file from another obsd box at the network using wget, I get a very low rate. 100%[] 61,758,702 2.30M/s 18:03:55 (2.32 MB/s) - `bsd1.1' saved [61758702/61758702] This one above probably uses the default values you posted below: net.inet.tcp.recvspace=16384 net.inet.tcp.sendspace=16384 but.. But when I use iperf, I get quite high transfer rates: TCP window size: 256 KByte ^^^ ..this one sets a higher value for itself. My question is what could be causing the tcp poor performance? Try setting send/recv-space to 256k and re-test with wget in order to actually make the two tests use the same limits. Since the wget test was both to/from another obsd, make sure you change both sides and restart the data serving application at the other end so it picks up the new space (don't know if it is read per connection or per binding of a socket, so a safe bet is to restart the app, I guess)
Re: New functionality for authpf
BARDOU Pierre wrote: My script loads the rules once, and modifies the table within the rule. When the user disconnects, its IP is removed from the table, and its connections are killed with pfctl -k. boxA ssh remote-computer boxA ssh remote-computer (again) remote-computer exit see both ssh's fail. Probably what this comment was about: (The real fun part here is detach policy)
Re: Moving files around
Brynet wrote: STeve Andre wrote: For simple large files, is there a faster way to move them rather than using mv? I have a lot of large files (10G) that need to be rearranged on which disk they reside on. If the files are on the same partition, mv(1) or ln(1) will be almost instantaneous.. otherwise just cp(1) and rm(1). I usually go for rsync -a --remove-sent-files src/ dst/ when crossing filesystem borders, since that one is restartable if it gets interrupted in the middle. mv(1)s are not.
Re: Truncation Data Loss
Nick Guenther wrote: So, as nicely summarized at http://www.h-online.com/open/news/item/Possible-data-loss-in-Ext4-740467.html , ext4 is kind of broken. It won't honor fsync and, as a /feature/, will wait up to two minutes to write out data, leading to lots of files emptied to the great bitbucket in the sky if the machine goes down in that period. There is a very simple explanation for why things are so. Actual data file loss has never been what these things were coded for. filesystem *tree and meta-data*, ie. the structure of how things are knit together, is the main concern. If you lose the filesystem tree structure, you've lost all your files, not just the newest ones. Therefore the goal is safe metadata handling. The result is you can lose specific data in specific (newly written to) files, but the structure of the filesystem is consistent enough for fsck to not damage it. See, since it seems that BSD doesn't have this file-data consistency guarantee, are Linus' worries about ext4's potential data loss just being alarmist? It seems to me that the case described in https://bugs.edge.launchpad.net/ubuntu/+source/linux/+bug/317781/comments/45 is just as likely to happen on OpenBSD--if I run KDE or GNOME and mess around with my settings then quickly murder the system the files will be resurrected empty, right? It seems like some posters in this thread somehow miss the fact that if you have outstanding writes and the box dies, some of your data dies also. New or old data, something will be missing. From the point your app does a write(), it gets buffered in the I/O handling, it gets buffered by the device driver for the card, it gets buffered in the card probably, it gets buffered on the on-disk memory cache and then it serially hits the platter one bit at a time until it's all written. If you have data in this long pipe and the power goes, you will lose data, period.
OpenBSD has chosen to try harder to keep the metadata intact, and ext4 doesn't try at all, for the love of speed. Still, you are only moving around the window of opportunity for fail, and sometimes making it larger or smaller, but it is always there. The last comment above should really only read: If I quickly murder my system, the files might be gone. Nothing else. If you have writes going, data loss is a reality. Sometimes more, sometimes less, but it's all games with statistics. If ext4 has a 50% chance of killing your files and FFS on obsd has 1%, you might still get to keep your KDE settings on either system or you may lose them all. It shouldn't be news to anyone that Linux always went for fast-and-insecure whereas the BSDs opted for slower-but-safer for the filesystems. Making a fuss about how insecure the penguins are this week feels like a waste of time to me. If you care about your data, you have backups. Regardless of whether the probability is 1% or 50%, because for someone out there, the percentages will be against you.
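As an added example (not code from anyone in this thread), here is the write-to-temp, fsync, rename, fsync-the-directory pattern an application can use so that a settings file survives a crash as either the complete old copy or the complete new one, never as an empty file. safe_write_file is an assumed name; it forces the data through the buffering chain described above before the rename makes the new file visible.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Durably replace path with buf: write a temp file in the same directory,
 * fsync it, rename it over path, then fsync the directory. Returns 0 on
 * success, -1 on error; on error the old file is left as it was.
 * Added example for the thread above; safe_write_file is an assumed name. */
int safe_write_file(const char *path, const char *buf, size_t len)
{
    char tmp[4096], dir[4096];
    int fd, dfd;
    size_t off = 0;
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp)
        return -1;
    if ((fd = mkstemp(tmp)) == -1)          /* temp file on the same filesystem */
        return -1;
    while (off < len) {                     /* loop handles short writes */
        ssize_t n = write(fd, buf + off, len - off);
        if (n == -1 && errno == EINTR)
            continue;
        if (n <= 0)
            goto fail;
        off += (size_t)n;
    }
    if (fsync(fd) == -1)                    /* data durable before it becomes visible */
        goto fail;
    if (close(fd) == -1) { unlink(tmp); return -1; }
    if (rename(tmp, path) == -1) { unlink(tmp); return -1; }  /* atomic swap */
    strncpy(dir, path, sizeof dir - 1);     /* dirname(3) may modify its argument */
    dir[sizeof dir - 1] = '\0';
    if ((dfd = open(dirname(dir), O_RDONLY)) == -1)
        return -1;
    if (fsync(dfd) == -1) { close(dfd); return -1; }  /* make the rename durable */
    return close(dfd);
fail:
    close(fd);
    unlink(tmp);
    return -1;
}
```

A reader that opens the path at any moment sees a whole file; only a write that never reached the rename is lost.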
Re: X issue with Nov 24 amd64 snap
Dan Harnett wrote: On Tue, Nov 24, 2009 at 02:58:18PM -0600, Neal Hogan wrote: Earlier today I upgraded my machine to the latest snapshot (nov 24) and there seems to be a problem with X. It starts okay, but then shortly after that it fails to respond to anything but the mouse. Also, the programs that I have running stop (ff35, mplayer, etc). I tried under both scrotwm and cwm . . . same behavior in each case. The freeze doesn't appear to occur at the same time. During one attempt, all I had open were fetchmail/mutt and ff35 and after several minutes it locked up. However, when I started ff35 and then mplayer the lock up occurs more quickly (within seconds). I am able to reproduce this on a ThinkPad X40 (i386), Dell Mini 10v (i386), and ThinkPad T61 (amd64). Previous snapshots worked fine. I open an xterm then run the command 'ls -lR /'. It doesn't take long to freeze. All those systems have Intel integrated graphics. Me too, I updated my kernels yesterday, hoping to get to recent userland during the day and got this very experience twice on my X60s (i386). Intel gfx on it also. Mouse moves, some distorted pixels but apart from that, no life. Caps/num/scroll lock wouldn't flip the LEDs anymore. So something like 2 weeks old userland, and yesterday's -current for kernel reproduces it for me.