Re: Question about FAQ section 10.3

2014-10-23 Thread Nick Holland
On 10/23/14 21:36, worik wrote:
> "Processes local and package scripts in /etc/rc.d" is listed as the last
> thing rc does after boot.
> 
> What does "Processes" mean in this context?

like "processing food" -- do whatever needs to be done.
(not my best analogy, I'll admit)

But yeah. run the scripts that are indicated as needing to be run, they
do whatever they need to do.  USUALLY start daemons, but could be lots
of other things, too.

> Naively I would think this means that the scripts are all executed.  But
> that seems odd in this context as most of (all of?) the scripts take an
> argument that they pass to rc_cmd from rc.subr, and rc is not passing
> "start" to all those scripts.

why do you say that?
Look at the /etc/rc script...yes it does execute each of the rc.d
scripts, and yes it DOES pass "start" to them:

start_daemon()
{
        local _n
        for _n; do
                eval _do=\${${_n}_flags}
                if [ X"${_do}" != X"NO" ]; then
                        /etc/rc.d/${_n} start # <- start!!
                fi
        done
}

now look how start_daemon is invoked...

> Looking at https://en.wikipedia.org/wiki/Init it seems my naive
> assumption is correct, but why run all those scripts?

um. because that's how we do it?

Before 4.9 or so...we hard-coded the startup process for each daemon in
/etc/rc, we decided to switch to the rc.d process for some additional
flexibility.

I'll admit I was dubious when it was first done, fearing we might be
heading down the idiotic "everything.d" directories that many Linux
distros are now doing, but it turns out I rather like it.

Nick.



Re: Libretto 70CT

2014-10-23 Thread Nick Holland
On 10/23/14 19:17, Fred wrote:
> On 10/23/14 23:30, Mike Larkin wrote:
>> On Thu, Oct 23, 2014 at 09:59:04PM +0100, Fred wrote:
>>> Hi Sebastian,
>>>
>>> I've just installed -current on my Libretto 70CT - as you can see
>>> from the output below it stopped with:
>>>
>>> kernel: integer divide fault trap, code=0
>>>
>>> Rebooted it and disabled it, schsio and softraid and it has now made
>>> it to the end of boot - but it has not yet made it to a login
>>> prompt.
>>>
>>> Last time I tried this I left it running for about a week - and
>>> still did not make it to a login prompt.
>>>
>>> hth
>>>
>>> Fred
>>>
>>> PS I've CC misc@ for the archives rather than clog up ports@
>>>
>>> Script started on Thu Oct 23 21:10:34 2014
>>> port:fred ~> cu -l /dev/cuaU0
>>> Connected to /dev/cuaU0 (speed 9600)
> OpenBSD/i386 BOOT 3.26
>>> boot>
>>> booting hd0a:/bsd: 9699132+1067500+[72+403280+397651]=0xb083b0
>>> entry point at 0x200120
>>>
>>> [ using 801416 bytes of bsd ELF symbol table ]
>>> Copyright (c) 1982, 1986, 1989, 1991, 1993
>>> The Regents of the University of California.  All rights reserved.
>>> Copyright (c) 1995-2014 OpenBSD. All rights reserved.
>>> http://www.OpenBSD.org
>>>
>>> OpenBSD 5.6-current (GENERIC) #415: Wed Oct 22 11:33:32 MDT 2014
>>>  dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
>>> cpu0: Intel Pentium/MMX ("GenuineIntel" 586-class) 121 MHz
>>> cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,MMX
>>> real mem  = 16412672 (15MB)
>>> avail mem = 3915776 (3MB)
>>
>> For what it's worth, 16MB doesn't appear to be enough anymore.
>> qemu with 16MB hangs at the same place as you're reporting, but
>> configuring it for 20MB RAM seems to boot ok. It's pretty slow
>> but it does work.
>>
>> -ml
>>
> 
> Memory is definitely an issue on my Libretto 70CT - but I think there
> might be more to it especially when you go back to 4.4 when it first
> displayed this issue...
> 
> I might consign it to OpenBSD 4.3 :~)

Really, that's about when 16M became Just Too Little, it has been a long
time.  And...you know, I'm not going to apologize for that. :)

2.7 worked pretty well on 16M RAM, iirc.  By 3.4, I'm pretty sure you
were swapping before you completed a login.

As a labor of love, you could strip a lot of stuff out of the kernel and
see if you could make something that worked, but it really isn't worth it.

Nick.



Re: Question about FAQ section 10.3

2014-10-24 Thread Nick Holland
On 10/23/14 22:28, Worik Stanton wrote:
> On 24/10/14 14:53, Nick Holland wrote:
>> On 10/23/14 21:36, worik wrote:
>>> "Processes local and package scripts in /etc/rc.d" is listed as the last
>>> thing rc does after boot.
>>>
>>> What does "Processes" mean in this context?
>>
>> like "processing food" -- do whatever needs to be done.
>> (not my best analogy, I'll admit)
>>
> 
> [snip]
> 
>> Look at the /etc/rc script...yes it does execute each of the rc.d
>> scripts, and yes it DOES pass "start" to them:
> 
> [snip]
> 
>> now look how start_daemon is invoked...
> 
> Interesting.  In /etc/rc start_daemon is called for specific named
> scripts.  Except that (at line 520) it runs it for all scripts in
> $pkg_scripts

note here, because I get this confused myself: pkg_scripts are for added
PACKAGES.  Not stock stuff.
PLUS...stock stuff is enabled in one way (daemon_flags="") vs. being
added to pkg_scripts.

> My shell scripting is really bad (I am going to have to up my game there
> if I am going to stick around here) but it seems it is set to an empty
> string in rc.conf

yep.  Now it exists...but is empty.
YOU get to set that.

> (Mis)reading the FAQ I thought it meant *all* scripts in /etc/rc.d were
> "Processed".  It actually says "...local and packaged scripts...".  So
> if a package wants to be sure it is run at startup does it write that
> into the rc.conf where mine says...

processed...as appropriate.  That may mean "ignore". :)

> # rc.d(8) packages scripts
> # started in the specified order and stopped in reverse order
> 
> pkg_scripts=
> 
> I installed postgresql (with pkg_add) and it did not change this, I had
> to change /etc/rc.local by hand.  Is there some reason why postgresql
> should not be started after a reboot?  Have I completely got the wrong
> end of the stick?

read through that section closer...  for things you want to start and
stop in the "normal" OpenBSD way, put them in rc.conf.local.  rc.local
is for things that the "normal" way isn't appropriate for.  For example,
I maintain a system where there is a daemon installed that is not
perfectly stable -- it just shuts down once in a while.  It would work
just fine from its rc.d script -- until it stops.  So, I've got a little
script that runs it in a loop; when it crashes, wait a few seconds, then
re-launch, and that's invoked in rc.local.

Yes, there are lots of reasons why various packages should not be
started at boot, and even more reasons why the ORDER of applications
starting is critical, and something that only an administrator will
know.  For reasons of order alone, I don't think you will ever see
pkg_add start daemons automatically.

I know many DBAs who prefer that database engines are started manually.
I'm not personally in agreement with that, I like my systems to fire up
automatically at boot (something about enjoying uninterrupted
vacations), but whatever, and having seen some really unstable apps, in
some cases there might be good arguments for this, though the better
logic would be "fix your damn app!".

Other packages have both daemon and userland modes -- rsync is one of
those.  You certainly don't want rsync running as a daemon just because
you installed rsync.

In a hostile network environment, you don't want unconfigured apps
starting at boot.  Install, configure, test, THEN configure to start at
boot (then reboot to make sure it really works).

Nick.



Re: X11 screen blanking issue

2014-10-24 Thread Nick Holland
On 10/24/14 20:57, frantisek holop wrote:
> Christian Weisgerber, 24 Oct 2014 21:46:
>> On 2014-10-24, frantisek holop  wrote:
>> 
>> > ok, it seems a paused mplayer could be the reason.
>> > is that expected?
>> 
>> Yes.  MPlayer disables screen blanking.  When you watch a movie,
>> you usually don't press keys or move the mouse, but you still don't
>> want your screen to switch off.
> 
> i agree, but usually the screen moves :)
> i think the state should be restored also upon pausing
> the movie, at least it makes sense to me.

I'd say this falls very much under the category of "personal preference".

Sounds like you are assuming if you pause the movie, that no one cares
what is on the screen -- i.e., bathroom trip, answer the phone, etc.
While often the case, there's a whole different reason: Because you wish
to see and examine what is on the screen at that moment.  You really
don't want a display in the middle of a discussion of the fine points of
composition of the scene to suddenly go blank because the computer
decided you are having a long stop at the bathroom, right?

That's somewhat of a long-standing tradition: I have a 60+ year old
movie projector which does much the same thing -- when you "pause" the
movie, a heat filter is put in between the projector bulb and the film
to keep the bulb from melting the film, and if I recall properly, the
fan kicks up in speed a bit to keep the air moving past the film and the
filter from over heating.  You COULD just power down the projector,
too...but that's the "off" switch, not the "pause" lever.

Personally, I'm slowly losing interest in screen blanking.  LCD screens
draw little power when on, they don't burn like CRTs did.  I do often
let the blanker turn the screens off for me, but that's mostly because I
know it will, if I'm not lazy, I'll hit the power switches on the monitors.

A laptop plugged into the wall...why power down the screen at all?  A
laptop running on batteries...if you aren't going to use it, why not
just suspend it?  No, I don't fully embrace what I'm advocating there,
but I'm having trouble explaining to myself why I don't.  I find myself
annoyed by blanking far more often than I say, "I'm so glad my screen
just blanked", and I'm inclined to think that means I'm doing it wrong.

Nick.



Mirror openbsd.cs.toronto.edu is currently broke

2014-11-01 Thread Nick Holland
Due to an administrative error (hint: I'm the administrator :-/ ),
openbsd.cs.toronto.edu dumped its copy of most of the OpenBSD
distribution files that it serves.

It is currently refilling, but this will take a few days before it is
where I want it to be.  To minimize further downstream damage, rsync is
disabled for now.

My apologies for the inconvenience this causes.

THIS DOES NOT impact the replication of the CVS served by this mirror.



For the curious, and perhaps as an educational lesson, what happened:

Late last night (error one: scripting when tired) I was editing the
scripts that download from the upstream mirror to include updates to the
new release.  Totally routine.

While there, thought, "would be nice if the logging included some more
information about something".  Added a couple lines to include that
(error 2: adding unneeded features just before things get critical).
That required moving one line that determined the log file name from
down where it was to higher up in the script.  Moved the two lines
(error number 3 and the doozie: that second line was NOT about the log
file name!!!).  This moved the calculation of the exclude rules (the
second line) to the wrong place, so it excluded nothing...including
things it should have excluded.  The new, intended changes were tested,
they worked great, but the exclusion rule kicked in a couple hours later
and started purging data.

Nick.
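As an added illustration of the failure mode Nick describes (constructed example code, not his mirror script): a stand-in for a sync-with-delete pass in which exclude rules protect entries from deletion, the way rsync --exclude does on the receiving side under --delete. The KEEP variable, the release names and the directory layout are assumptions; the point is that a rule list that ends up empty turns the delete pass into a purge, and that set -u plus a refusal to run with no rules fails closed when a line is moved to the wrong place.

```sh
#!/bin/sh
# Constructed example, not the mirror script from the post above.
# Models a "sync with delete" pass: entries on the mirror that are no longer
# upstream are removed unless an exclude rule protects them (rsync --delete
# with --exclude behaves this way on the receiving side).
set -u   # reading a variable before its line has run aborts instead of yielding ""

# Stand-in for the line that got moved: turns the list of releases this
# mirror keeps (KEEP, an assumed variable) into exclude rules, one per line.
build_excludes() {
    for _r in $1; do
        printf '%s\n' "$_r"
    done
}

# Delete pass over the top-level entries of mirror directory $1 against
# upstream $2, protecting the names listed (one per line) in $3.
# Prints the number of entries removed.
purge_stale() {
    _dest=$1; _upstream=$2; _excludes=$3
    _removed=0
    for _p in "$_dest"/*; do
        [ -e "$_p" ] || continue                      # empty directory
        _name=${_p##*/}
        [ -e "$_upstream/$_name" ] && continue         # still upstream: keep
        for _e in $_excludes; do
            [ "$_e" = "$_name" ] && continue 2         # protected: keep
        done
        rm -rf "$_p"
        _removed=$((_removed + 1))
    done
    echo "$_removed"
}

# The guard a mirror script wants in front of any delete pass: refuse to
# run when the rule list is empty, so an ordering mistake fails closed.
safe_purge() {
    _keep=$KEEP                       # set -u: an unset KEEP aborts right here
    _rules=$(build_excludes "$_keep")
    if [ -z "$_rules" ]; then
        echo "refusing delete pass: no exclude rules" >&2
        return 1
    fi
    purge_stale "$1" "$2" "$_rules"
}

# Demonstration on a constructed layout: upstream only carries 5.6, the
# mirror still holds 5.4 and 5.5, which the rules are supposed to protect.
demo() {
    _t=$(mktemp -d)
    mkdir -p "$_t/up/5.6" "$_t/mirror/5.4" "$_t/mirror/5.5" "$_t/mirror/5.6"

    # 1. The bug: rules read before the line that sets them has run. With
    #    set -u the subshell dies on the unset variable, deleting nothing.
    ( unset KEEP; safe_purge "$_t/mirror" "$_t/up" ) 2>/dev/null \
        || echo "buggy ordering aborted before deleting anything"

    # 2. Without set -u the same mistake yields "" and, with no guard, the
    #    delete pass removes every release that is not upstream.
    echo "unguarded purge removed $(purge_stale "$_t/mirror" "$_t/up" "") entries"

    # 3. Correct order: rules built first, the delete pass keeps 5.4 and 5.5.
    mkdir -p "$_t/mirror/5.4" "$_t/mirror/5.5"
    KEEP="5.4 5.5"
    echo "guarded purge removed $(safe_purge "$_t/mirror" "$_t/up") entries"
    ls "$_t/mirror"
    rm -rf "$_t"
}

demo
```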



Re: Mirror openbsd.cs.toronto.edu is currently broke

2014-11-01 Thread Nick Holland
On 11/01/14 13:53, Clint Sand wrote:
> On Sat, Nov 01, 2014 at 04:00:04PM +0100, Jan Stary wrote:
>> On Nov 01 09:07:15, n...@holland-consulting.net wrote:
>> > For the curious, and perhaps as an educational lesson, what happened:
>> > Late last night (error one: scripting when tired) I was editing the
>> > scripts that download from the upstream mirror to include updates to the
>> > new release.  Totally routine.
>> 
>> Just out of curiosity (I am not even affected):
>> is there such a script somewhere in the tree,
>> or do mirror maintainers write their own?
> 
> Jan, details here: http://www.openbsd.org/anoncvs.shar

Um. no. nothing to do with it.
this script is for CVS, which I explicitly said was NOT impacted.  It is
also only ONE part of what it takes to run even a CVS mirror.


To answer the OP, mirror systems are all a little different, hardware
running over a range of capabilities, so there's no one set or even
template of scripts mirror maintainers use.

Sitting down and writing up a set of notes for mirror maintainers is on
my list of things to do.

Nick.
--
It's impossible for words to describe what is necessary to those who do
not know what Heartbleed means.



Re: 5.4 instead of 5.5 in faq1.html

2014-11-01 Thread Nick Holland
On 11/01/14 15:26, Eduardo Lopes wrote:
> In http://www.openbsd.org/faq/faq1.html#WhatsNew:
> 
> "The complete list of changes made to OpenBSD 5.4 to create OpenBSD 5.6 
> can[...]"
> 
> I think that 5.4 was left behind, wasn't it? 
> 

yep, thanks

Nick.



Re: Upgrade56.html instead of Upgrade54.html

2014-11-02 Thread Nick Holland
On 11/02/14 18:15, Mario St-Gelais wrote:
> http://www.openbsd.org/faq/faq5.html#BldBinary
> [Quote]
> It is recommended that you install the binary by using the "Upgrade" option
> of the install media. If that is not possible, you can also unpack the
> binaries as described here. Regardless, you must do the entire upgrade
> process, including creating any users or other /etc directory changes needed.
> [/Quote]
> 
> ...as described here...  here should link to
> http://www.openbsd.org/faq/upgrade56.html instead of
> http://www.openbsd.org/faq/upgrade54.html I presume.
> 
> Mario St-Gelais
> 

yes, and two others, too.  Thanks!

Nick.



Re: Mirror openbsd.cs.toronto.edu is NO LONGER broke

2014-11-03 Thread Nick Holland
All supported and close-to-supported versions of OpenBSD have been 
reloaded (5.4, 5.5, 5.6 and -current snapshots), rsync is back on.


Again ... my apologies for the inconvenience at a most inopportune time.

Nick.

On 11/01/14 09:06, Nick Holland wrote:

Due to an administrative error (hint: I'm the administrator :-/ ),
openbsd.cs.toronto.edu dumped its copy of most of the OpenBSD
distribution files that it serves.

It is currently refilling, but this will take a few days before it is
where I want it to be.  To minimize further downstream damage, rsync is
disabled for now.

My apologies for the inconvenience this causes.

THIS DOES NOT impact the replication of the CVS served by this mirror.




Re: Migrating users from one machine to another

2013-11-15 Thread Nick Holland
On 11/15/13 05:10, John Tate wrote:
> I want to migrate users from one machine to another, I was hoping
> someone had a script. I basically want to copy every user with a UID
> >= 1000 and their password to the new system. I have copied their home
> directories with rsync, so it would be good if it could also chmod the
> permissions back.
> 

not sure why you need a script...
The exact details depend on what is different between the systems
currently and desired to be different ultimately.

Start with the old /etc/master.passwd file, fix things that are missing,
remove things you don't want, copy it over and run pwd_mkdb.  If the
starting and ending machines are supposed to be "identical", no fixing
should be needed.

Nick.
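A worked version of the approach in this exchange, added here as constructed example code (not from the thread): carry the UID >= 1000 accounts from the old master.passwd into the new machine's file with their password hashes intact, give the rsync-copied homes their ownership back, and finish with pwd_mkdb. The sample entries, hashes and the "dry" flag are made up for the example.

```sh
#!/bin/sh
# Constructed example, not code from the thread: carry the regular accounts
# (UID >= 1000, as the post asks) from an old master.passwd into the new
# machine's file, keeping their password hashes, then rebuild the password
# databases with pwd_mkdb(8) as Nick describes. Sample entries and hashes
# are made up.
#
# master.passwd fields, colon separated:
#   name:hash:uid:gid:class:change:expire:gecos:home:shell

# migrate_users OLD NEW OUT [MIN_UID]
# OUT = every line of NEW (the fresh system's own accounts, which always
# include root, so NEW is never empty) followed by the lines of OLD whose
# UID >= MIN_UID (default 1000) and whose name and UID are not already
# taken in NEW. Prints the number of accounts carried over.
migrate_users() {
    _old=$1; _new=$2; _out=$3; _min=${4:-1000}
    awk -F: -v min="$_min" -v out="$_out" '
        NR == FNR { names[$1]; uids[$3]; print > out; next }   # NEW, copied as-is
        $3 + 0 >= min && !($1 in names) && !($3 in uids) { print > out; n++ }
        END { print n + 0 }
    ' "$_new" "$_old"
}

# fix_home_owners MERGED [MIN_UID] [dry]
# The homes were copied with rsync, so give each carried account its
# directory back: chown uid:gid taken from the merged file. With "dry"
# (a flag assumed for this example) only print the commands.
fix_home_owners() {
    awk -F: -v min="${2:-1000}" '$3 + 0 >= min && $9 != "" { print $3 ":" $4, $9 }' "$1" |
    while read -r _owner _home; do
        if [ "${3:-}" = dry ]; then
            echo "chown -R $_owner $_home"
        elif [ -d "$_home" ]; then
            chown -R "$_owner" "$_home"
        fi
    done
}

# install_passwd REVIEWED
# After reading the merged file over by hand ("fix things that are missing,
# remove things you don't want"), install it and rebuild passwd, pwd.db and
# spwd.db. Only meaningful as root on the target OpenBSD machine; demo
# does not call it.
install_passwd() {
    install -m 600 -o root -g wheel "$1" /etc/master.passwd &&
    pwd_mkdb -p /etc/master.passwd
}

demo() {
    _old=$(mktemp); _new=$(mktemp); _out=$(mktemp)
    printf '%s\n' \
        'root:$2b$10$OLDHASH:0:0:daemon:0:0:Charlie &:/root:/bin/ksh' \
        '_svc:*:950:950::0:0:System service:/var/empty:/sbin/nologin' \
        'alice:$2b$10$ALICEHASH:1000:1000::0:0:Alice:/home/alice:/bin/ksh' \
        'bob:$2b$10$BOBHASH:1001:1001::0:0:Bob:/home/bob:/bin/sh' > "$_old"
    printf '%s\n' \
        'root:$2b$10$NEWHASH:0:0:daemon:0:0:Charlie &:/root:/bin/ksh' > "$_new"
    echo "carried $(migrate_users "$_old" "$_new" "$_out") account(s)"
    cat "$_out"                      # root from NEW, then alice and bob; _svc dropped
    fix_home_owners "$_out" 1000 dry
    rm -f "$_old" "$_new" "$_out"
}

demo
```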



Re: How-to: dualboot Windows 8.1 and OpenBSD 5.4

2013-11-17 Thread Nick Holland
On 11/17/13 12:53, Wesley MOUEDINE ASSABY wrote:
> On 2013-11-17 20:27, dmitry.sensei wrote:
>> What about a 1Tb disk? Is CHS mode correct for these disks?
> 
> I did the test using virtualization.
> Not tried with a physical 1 TB hard drive.

The smallest common non-SSD laptop drive is probably around 500G now,
and 1TB is routine on desktops.  At least some (many? most?) of these
machines are now shipping with UEFI boot, and a lot of them will be
pre-loaded with Windows, with minimal resources to reload Windows from
scratch.

The target (and worst-case) audience is the person who bought a laptop
or desktop pre-loaded with Windows 8, and wants to install OpenBSD with
as little disruption to the existing system as possible.

I appreciate the efforts, but we need something more comprehensive.

Sounds like I need to go buy a modern Windows system. :-/

Nick.



> 
> 
>> On 17.11.2013 20:20, "Wesley MOUEDINE ASSABY" wrote:
>>
>>> Hi
>>>
>>> I just tested this. It works nice for me.
>>>
>>> I have Windows 8.1 on a 15 GB hard drive (a single full partition).
>>> So I want to install OpenBSD 5.4 and have multiboot.
>>>
>>> -1- Reduce the disk using disk management (MMC snap-in)
>>> I reduced the Windows partition; I now have a second partition of 1GB.
>>> Put in the OpenBSD 5.4 CD, and reboot.
>>>
>>> -2- Install OpenBSD using CHS (Be careful!)
>>> OpenBSD is now installed, eject the CD, and reboot to Windows
>>> # fdisk -e 3
>>>
>>> -3- Download the dd tool for Windows
>>> http://www.chrysocome.net/dd [1]
>>> Unzip dd-0.6beta3 and do:
>>>
>>> open "cmd" as administrator and do:
>>> dd --list
>>> # this will list the devices (we are looking for partition 2, OpenBSD)
>>>
>>> dd if=\\?\Device\Harddisk0\Partition2 of=openbsd.pbr bs=512 count=1
>>> # This records the OpenBSD PBR
>>> Copy the file openbsd.pbr to the root of C:
>>>
>>> -4- Modify boot.ini using bcdedit
>>> In a cmd console (need administrator rights)
>>> bcdedit /create /d "OpenBSD 5.4" /application bootsector
>>> # copy the identifier and paste it into the 4 following lines
>>> # For me, the identifier is: {0eae31b8-4f98-11e3-8260-00264aa3d5ac}
>>>
>>> bcdedit /set {0eae31b8-4f98-11e3-8260-00264aa3d5ac} device boot
>>> bcdedit /set {0eae31b8-4f98-11e3-8260-00264aa3d5ac} path \openbsd.pbr
>>> bcdedit /set {0eae31b8-4f98-11e3-8260-00264aa3d5ac} device partition=c:
>>> bcdedit /displayorder {0eae31b8-4f98-11e3-8260-00264aa3d5ac} /addlast
>>>
>>> -5- Reboot, you're done!
>>> As Dmitri said, Windows 8.1 loads the graphical menu before you get the
>>> boot choice.
>>> And when you choose OpenBSD, the box reboots and loads OpenBSD.
>>>
>>> I hope this helps!!
>>> If you want, I can do a better how-to with snapshots, and put it on
>>> the web.
>>> Or contribute to the FAQ!
>>>
>>> Cheers,
>>>
>>> Wesley MOUEDINE ASSABY
>>> http://www.mouedine.net [2]
>>
>>
>> Links:
>> --
>> [1] http://www.chrysocome.net/dd
>> [2] http://www.mouedine.net



Re: Patch to remove "adult" content from spamd(8) man page

2013-11-21 Thread Nick Holland

On 11/21/2013 12:33 PM, J. Lewis Muir wrote:

I found some of the example email addresses and domains in the spamd(8)
man page to be somewhat "adult" in nature.  If given the choice, I'd
choose to read the man page without the adult content.  Here's a patch
against -current that replaces the adult examples with "cleaner"
alternatives.  Would a developer be willing to accept this patch?


you want really dirty smut?  We got LAWYERS e-mail addresses in the man 
pages.  Talk about something to keep the kids away from...


I don't think that's gonna fly.
Those particular ones almost qualify as a signature -- anyone who's 
worked with the project for a while will look at those and say, "Oh, I 
know who wrote this!"


Stuff like this is part of the fun for people developing OpenBSD (and 
hopefully, fun for some of the users).  Please understand that we don't 
want anyone to take away our fun.


As someone who works in a "professional" environment, where results 
don't matter as long as the word "Enterprise grade" is attached to the 
product, and security is important, as long as it doesn't get in the way 
of ANYTHING else, and failure is fine, as long as there's an outside 
company you can blame it on, a little unprofessionalism is a relief.


Nick.



Re: FAQ 7.3

2013-11-21 Thread Nick Holland

On 11/21/2013 09:22 AM, Paolo Aglialoro wrote:

Yes, tmux would be a hack; I use it already on sparc64 over ssh.

But here the idea was using just vanilla console with the least possible
clutter. The idea of fb on console could enable the porting of software
like the fbi picture viewer on linux, but if the scrollback gets disabled
the loss to me is more than the benefit.


well, if you really don't like it and don't wish to use X, turn off the 
DRM with UKC> and "disable inteldrm" or "disable radeondrm", and your 
old text mode console will be back.  And X will be broke.


As you are running on a laptop, I'd suspect the lack of X will be a far 
bigger showstopper.  Personally, I happily trade the scrollback for the 
better than 80x25 text mode (80x25 is so..1970s), and use tmux or an 
xterm if I want scrollback.


But yes, faq7.3 (among others...DRM has complicated much of this page!) 
needs to be updated (oops).


Nick.



On 21/nov/2013 13:43 "Stefan Sperling" wrote:


On Thu, Nov 21, 2013 at 01:05:34PM +0100, Paolo Aglialoro wrote:

Hi all,

since installing 5.4 release on my amd64 laptop I am enjoying really nice
(sun like!) fonts due to the implemented framebuffer for CLI.

Unfortunately scrollback with shift+pgup does not work anymore and faq
7.3 does not mention this at all.

What should I do to have scrollback again?

Btw, to mitigate this fact, is there maybe a mode to determine the
geometry of cli framebuffer, like 80x50 or 100x40 etc?

Thanks


tmux(1) has a scroll-back buffer ('Ctrl-b [' to enter copy mode,
use arrow or pgup/pgdown keys to scroll, use 'q' to exit copy mode).
Not quite the same, but perhaps that will help you.




Re: is zeroing CRYPT needed?

2013-11-25 Thread Nick Holland
On 11/25/13 04:07, obsd, cgi wrote:
> according to:
> http://www.openbsd.org/cgi-bin/man.cgi?query=bioctl
> 
> dd if=/dev/zero of=/dev/rsd3c bs=1m count=1
> 
> is needed. but Why?
> 

I've actually found it more useful to zero the raw RAID partition than
the "assembled" softraid "disk".  This takes care of the case where
previous softraid disks had been created, which can be quite frustrating
when they pop up again unexpectedly.

That's from experience...haven't been able to convince the softraid
developers, so I suspect there's something to *also* zeroing the
assembled disk.

It takes but a couple seconds to do.  Just do it.

Nick.



Re: is zeroing CRYPT needed?

2013-11-26 Thread Nick Holland
On 11/26/13 04:29, Luca Ferrari wrote:
> On Tue, Nov 26, 2013 at 9:49 AM, obsd, cgi  wrote:
>> Wouldn't it be much easier that before I create the bioctl softraid CRYPTO
>> I would dd zero the physical disk for the first.. dunno, 10 MBytes?
> 
> I don't see how and why it should be easier. We are talking about a
> single line dd command with a different target and count, isn't it?
> 
> Luca

not only that, zeroing the physical disk doesn't resolve the problem you
may run into.

People tend to be creatures of habit.  Given no reason to do otherwise,
people tend to do the same thing over and over.

So...today, you take a couple disks, zero the first 10MB, put a 1G boot
partition and make the rest RAID, then build a mirrored set, do your
testing, and call it done.

Tomorrow, you take the same disk, zero the first 10MB, put a 1GB boot
partition on it, and make the rest RAID, and intend to build a crypto
RAID partition on it.  Except...Poof! your RAID1 chunk is baaack!  Why?
Because you didn't touch the softraid data which is 1GB up the disk.

Done this a few times. :-/

Just zero the RAID partition.
Then, especially in the case of crypto, zero the RAID disk, too.

(yeah, I just slightly changed my advice.  Thinking about it further,
fdisk and disklabel sometimes have got really confused by things that
don't look right.  I think things have been improving there, but I'm not
sure all edge cases have been fixed.  If you zero the RAID partition
BEFORE creating a RAID1, odds are what is there will look like a lot of
zeros.  Crypto...almost certainly it WON'T look like a lot of zeros, and
it might be useful to put it to a lot of zeros first.  So, zeroing the
partitions then zeroing the softraid "disk" is the safest and easiest.
Can you skip one?  Maybe.  If it fails, trust me, you will lose all the
time you think you saved, many times over)

Nick.



Re: Help troubleshooting performance problem

2013-12-01 Thread Nick Holland
On 12/01/13 06:20, John Hynes wrote:
> OK, just to clarify:
> 
> The kernel is 5.3 with the official patches applied, no other modifications.
> 
> I read through the changes for 5.4 and certainly, there has been a ton of
> work done, and I will upgrade soon.  Nothing listed in the changes seems
> like it would directly address a problem like this, so I'd guess it's not a
> bug though.  It certainly *seems* like it could be a hardware problem
> that's just not throwing an error (yet).
> 
> So, I guess what I'm asking everyone is: Other than what I've done, what
> are some ways I can investigate this further to determine where the problem
> lies?  For example, let's say it *is* a failing hard drive in the softraid,
> and the system just hasn't failed the drive yet, because the operations
> still complete, just really slowly.  What tools/techniques could I use to
> see that a process is waiting for a disk operation that's taking forever to
> complete?
> 
> Thanks,
> 
> -John

I've got one of these machines (Sun X2100 M2).  I had performance
problems in the past with it, similar to what you described, simple
tasks which seemed to hang on disk I/O where disk I/O shouldn't have
been a problem.  I credited the problem to the nvidia chipset.

I did recently blow the dust off the machine and put 5.4-current on it,
and -- SO FAR -- it's running pretty darned well.

The way the disks are connected to the main board, if you swap the red
and blue SATA cables, you can route them to the PCIe slot rather than
the on-board SATA connectors, and you may be able to put a third-party
SATA controller to work with them (or you may not -- I made a VERY quick
attempt at this recently, thinking I'd maybe be able to get AHCI
performance out of it, and the thing booted the OpenBSD kernel but the
controller (which I have used elsewhere without issue) didn't initialize
properly, and so I had no disks after boot.  Upon disassembly, I found
the card was working its way loose, and it was late, so I didn't spend a
lot of time trying to figure out exactly what was wrong, and I just
switched back to my on-board SATA...which has been working fine for a
week or so now).

But really...it's an nvidia machine.  if it works at all, you should be
happy... I'd not trust it too far

That being said...there are some nasty disk failure modes I've seen more
than once, where a disk will start doing retries over and over until a
successful read takes place...and then it will go on to the next read,
with lots of retries ... etc.  The result is a painfully slow machine,
and it is somewhat hard to diagnose since the drive never returns an
error to the OS.  If you have disk activity lights for each disk, it's
actually trivial to see where the machine is hung, but this machine's
manufacturer doesn't feel that disk activity lights are useful (idiots.
Blame Sun this time).

Nick.

> 
> 
> 
> On Sat, Nov 30, 2013 at 9:39 PM, Kenneth R Westerback <
> kwesterb...@rogers.com> wrote:
> 
>> On Sat, Nov 30, 2013 at 07:04:44PM -0600, Shawn K. Quinn wrote:
>> > On Sat, Nov 30, 2013, at 03:55 PM, Kenneth R Westerback wrote:
>> > > On Sat, Nov 30, 2013 at 04:02:58PM -0500, John Hynes wrote:
>> > > > OpenBSD 5.3 (GENERIC.MP) #0: Fri Sep 13 04:11:52 EDT 2013
>> > > > j...@hytronix-gw1.hytronix.com:/usr/src/sys/arch/amd64/compile/
>> > > > GENERIC.MP
>> > >
>> > > Try 5.4 or -current.
>> > >
>> > > Issues with non-home-compiled kernels are more interesting.
>> >
>> > I thought as long as it was an unmodified GENERIC or GENERIC.MP that the
>> > issue was still valid. Is this no longer the case?
>> >
>> > --
>> >   Shawn K. Quinn
>> >   skqu...@rushpost.com
>> >
>>
>> Sure - but if it's unmodified, why compile a new one? And John did
>> not state in his email that it was unmodified.
>>
>>  Ken



Re: PXE boot RHEL 6.3 or OL 6.3 from OpenBSD 5.4

2013-12-01 Thread Nick Holland
On 12/01/13 07:48, mufurcz wrote:
> On 1/12/2013 10:31 PM, Jiri B wrote:
>> On Sun, Dec 01, 2013 at 10:20:55PM +1100, mufurcz wrote:
>>> Greetings,
>>>
>>> It is possible to PXE boot other OSs (like RHEL 6.3 and/or OL 6.3)
>>> with pxeboot.  If so, can somebody point me to a valid PXE
>>> configuration.
>>
>> No because pxeboot is "a modified version of the i386 second-stage
>> bootstrap program, boot(8),"... That said, it is OpenBSD specific.
>>
>> Check iPXE, http://ipxe.org/howto/chainloading. Problem is that
>> dhcpd in default OpenBSD installation does not support the way
>> how to escape netboot looping. Thus you have to use ISC dhcpd or
>> another dhcpd, or you have to compile undionly.kpxe yourself
>> with embedded script. There's compilation issue of iPXE on OpenBSD,
>> see http://forum.ipxe.org/showthread.php?tid=7135.
>>
>> Description of loop problem:
>>
>> * dhcp client ->  tftp server
>> * gets undionly.kpxe
>> * undionly.kpxe (iPXE) again tries dhcp...
>> * loop :-)
>>
>> Feel free to help with iPXE compilation.
>>
>> jirib
> 
> Uhm, got it, I read the boot(8) man, however, I am curious, in the 
> `Hitchhiker's Guide to OpenBSD` reads "Can I boot other kinds of kernels 
> using PXE other than bsd.rd?  Yes, although with the tools currently in 
> OpenBSD, PXE booting is primarily intended for installing the OS."  I 
> read this:  `other OpenBSD kernels (only) than bsd.rd'.

The FAQ is about OpenBSD, the page is about OpenBSD, I kinda assumed
people would understand that by "other kinds of kernels" I meant
"OpenBSD kernels", and not suddenly jump way off topic here.

I'm not a big fan of trying to deal with every imaginable way someone
could misunderstand something, but adding one word might make it more
clear, and I do seem to recall having wondered myself if I could boot
other OSses this way...so I have changed it to read "Can I boot other
kinds of OpenBSD kernels using PXE ..."

Nick.



Re: Keeping OpenBSD up2date

2013-12-08 Thread Nick Holland
Short version: you are doing it wrong.

On 12/08/13 09:49, Lars Bonnesen wrote:
> I like OpenBSD for its easiness, straightforwardness and simpleness on
> daily usage. Unfortunately with the last releases, I find keeping OpenBSD
> up2date between releases to be confusing. Please help me on this one:
> 
> Well... I have been quite happy using cvsup to keep my src and ports
> up2date, but it seems that this is getting quite impossible to use lately,
> as the servers I normally use to pull from seem to block cvsup. )-:
> 
> Then I read that cvsync seems to be the way to go... although I can't get it
> to work properly.

why are you using cvsync?  Why do you want to maintain your own repository?

ok, I'm deleting the rest of this out of fear that someone else might
think this is the process.

Go read http://www.openbsd.org/faq/faq5.html
Start at the very first line, and go at least to 5.4.  Pay very very
close attention to sections 5.1, 5.2, 5.3 and 5.4.  (yes, I repeat
myself -- there's nothing in this first part you get to skip reading)

Be very careful to read (and follow) what it tells you to do, NOT what
you think it is telling you to do.  Your use of non-words like "up2date"
is telling me you are trying to use some other model on OpenBSD.

Nick.



Re: Single process needing a lot of memory

2013-12-13 Thread Nick Holland

On 12/13/2013 09:10 AM, Zé Loff wrote:
> On Fri, Dec 13, 2013 at 02:44:26PM +0100, Peter Hessler wrote:
>> On 2013 Dec 13 (Fri) at 13:24:41, Zé Loff wrote:
>> :On Fri, Dec 13, 2013 at 07:16:06AM -0600, Shawn K. Quinn wrote:
>> :>
>> :> I think R is using virtual memory as best it can, and I seriously doubt
>> :> you will get anything resembling satisfactory performance without
>> :> upgrading the RAM (memory) to 8Gb.
>> 
>> [snip]
>> 
>> :> So: 1) segment this problem such that R never needs more than about 3Gb
>> :> of RAM in one run if possible, 2) upgrade the RAM, or 3) give R a very
>> :> long time to complete the task at hand and back up your hard disk
>> :> regularly because it will get a workout.
>> 
>> [snip]
>> 
>> Using swap is a bug.  Buy more ram.
> 
> Thanks for your answers (and Marc's too, BTW). I never meant swapping to
> be more than a workaround, I wasn't expecting good performance. But I
> never expected it to render the machine virtually useless like it does,
> hence the first post. Off to the shop, then.



swap is intended for things that are not currently being used much to be
pushed out of the way "for now" until they are needed again, presumably
much later (relatively speaking)

It works great (relatively) when you have lots of stuff loaded and
running but are using only little parts at a time, when you can dump a
big chunk of unused RAM to disk, and bring in a big chunk of now desired
data from disk into RAM.

That's not what you are doing.

You have ONE application which is using huge amounts of data, that it is
thrashing all over.  Odds are, if it was able to chunk the data up so it
could work on one little part, then another little part, then another
little part, 1) it would probably work great for you. 2) it would
probably just do this, keeping most of the data on disk, rather than
sucking it all into RAM.

If your app wants one "number" off something that is swapped out, it has
to bring in the whole swapped out page just to read or write that one value.

You are running into the fact that memory is accessed on the order of
nanoseconds, and disk is accessed on the order of milliseconds, TIMES
the fact that any one location in RAM can be accessed almost as quickly
as any other location in RAM, but to get data swapped to disk requires a
painfully slow swap process of (relatively) huge blocks of data.

you could be looking at a million-to-one performance ratio here.
Something that could run in a minute in RAM might run for years in swap
(that messes up your upgrade plans :).

Your application is a textbook example of "When swap fails".  OpenBSD
might be able to manage its swap use better, but nothing will save you
from what you are trying to do.  (well... ok, long, long ago... I've
seen some mainframes which, after you hit their physical RAM limits
(16MB, iirc), swapped to ... huge (for the day) RAM disks.  But even
then, the act of swapping big pages of data out to get access to
individual values of data would be several orders of magnitude slower
than a direct RAM access),


Nick.
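The thrashing Nick describes above, as an added simulation that is not code from this thread: an LRU-managed RAM of 64 pages holding a 256-page data set, replaying one access pattern that jumps all over the data and one that works through it a chunk at a time (his point 1). The page counts, access count and the nanosecond/millisecond costs are assumptions chosen for illustration, not measurements of any real system.

```python
import random
from collections import OrderedDict

# Assumed machine model (constructed numbers, not measurements):
RAM_PAGES = 64        # pages that fit in physical RAM
DATA_PAGES = 256      # pages the application's data set occupies (4x RAM)
ACCESSES = 20_000     # memory accesses the application performs
HIT_NS = 100          # cost of touching a resident page, nanoseconds
FAULT_MS = 10         # cost of paging one page in from disk, milliseconds


def simulate(trace, ram_pages=RAM_PAGES):
    """Replay an access trace against an LRU-replaced RAM of ram_pages pages.

    Returns (hits, faults). A fault means the page had to come in from swap
    and, once RAM is full, some other page was pushed out to make room.
    """
    resident = OrderedDict()          # page -> None, least recently used first
    hits = faults = 0
    for page in trace:
        if page in resident:
            resident.move_to_end(page)
            hits += 1
            continue
        faults += 1
        if len(resident) >= ram_pages:
            resident.popitem(last=False)   # evict the least recently used page
        resident[page] = None
    return hits, faults


def random_trace(n=ACCESSES, data_pages=DATA_PAGES, seed=1):
    """One big job that wants any 'number' from anywhere in its data at any time."""
    rng = random.Random(seed)
    return [rng.randrange(data_pages) for _ in range(n)]


def chunked_trace(n=ACCESSES, data_pages=DATA_PAGES, chunk=RAM_PAGES // 2, seed=1):
    """Same data, same number of accesses, but processed one chunk at a time,
    each chunk small enough to sit in RAM while it is being worked on."""
    rng = random.Random(seed)
    per_chunk = n // (data_pages // chunk)
    trace = []
    for lo in range(0, data_pages, chunk):
        trace.extend(rng.randrange(lo, lo + chunk) for _ in range(per_chunk))
    return trace


def estimated_seconds(hits, faults, hit_ns=HIT_NS, fault_ms=FAULT_MS):
    """Wall time under the assumed costs; the faults dominate completely."""
    return hits * hit_ns * 1e-9 + faults * fault_ms * 1e-3


def compare():
    """Return {"random": (hits, faults, seconds), "chunked": (...)}."""
    result = {}
    for name, trace in (("random", random_trace()), ("chunked", chunked_trace())):
        hits, faults = simulate(trace)
        result[name] = (hits, faults, estimated_seconds(hits, faults))
    return result


if __name__ == "__main__":
    for name, (hits, faults, secs) in compare().items():
        print(f"{name:8s} hits={hits:6d} faults={faults:6d} est. time={secs:8.2f} s")
```

With a working set four times the size of RAM, the random pattern faults on roughly three accesses in four, while the chunked pattern faults exactly once per page (the compulsory first touch) and then runs from RAM; under the assumed costs that is a difference of well over an order of magnitude for the same amount of work. Real swap is not this simple (the kernel swaps in clusters, disks have seek costs), but the shape of the result is the one Nick is describing.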



Re: Are xdm configs overwritten on upgrade?

2013-12-14 Thread Nick Holland
On 12/14/13 08:31, Laurence Rochfort wrote:
> Hello,
> 
> I want to prevent xconsole starting with xdm. I see it is started in
> /etc/X11/xdm/Xsetup_0.
> 
> Is there a user or system specific file for xdm conf files as there are for
> /etc/rc.conf? If not, and I modify Xsetup_0 will it be overwritten on OS
> upgrade?

up to you. :)

The standard upgrade process automatically touches nothing in /etc.
Read the upgrade docs, they explicitly tell you etcXX.tgz and xetcXX.tgz
are not installed during the upgrade.

They're handled by the sysmerge process...but they are handled like all
other /etc files -- you are given the choice of keeping the old,
installing the new, or merging for some combination of the two.

Nick.



Re: Live usb stick quite slow

2013-12-15 Thread Nick Holland
On 12/13/13 04:08, Jérôme Frgacic wrote:
> Hi misc,
> 
> I have installed OpenBSD on a USB stick (a Kingston DataTraveler G3).
> Nevertheless, the system is quite slow... For example, I recently installed
> firefox or, more precisely, those packages:
> 
...[snip lots of packages]...
> 
> which have a total size of 67Mo and it took ~17min to finish. If I compute
> correctly, this gives me an average of ~67ko/sec which, I think, is quite bad.
> I should point out that I download and store all the packages on an mfs partition, so
> this is really the time consumed to install them. Also, all the partitions are
> mounted with the softdep and the noatime options.

good start, definitely.
Keep in mind, dividing total package size by time required produces a
number with units of "bytes of packages installed per second", which is
not overly interesting, and VERY different from "bytes written per
second", as a lot of work goes into a package install beyond a single
linear file write.

> Is this normal? Did I make any mistakes in the organisation of the system on
> the stick? Is there something I can do to improve the performance of the I/O?

First of all... USB isn't fast, flash is not fast.
Aaaannddd you have an nvidia based machine.


> Below, you will find the output of the fdisk, disklabel, usbdevs and dmesg
> commands.
> 
> Kind regards,
> 
> Jérôme
> 
> ---
> 
> # fdisk sd0
> Disk: sd0 geometry: 3762/255/63 [60437492 Sectors]
> Offset: 0 Signature: 0xAA55
> Starting Ending LBA Info:
>  #: id  C   H   S -  C   H   S [   start:size ]
> ---
>  0: 0B  0   1   2 -522  43  33 [  64: 8388608 ] Win95 
> FAT-32
>  1: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
>   
>  2: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
>   
> *3: A6523   0   1 -   3761 254  63 [ 8401995:52034535 ] OpenBSD   
>   

you *MIGHT* find a small improvement if your OpenBSD partition is
aligned to a 4k (8 sector) count.  Would be interesting, I would bet it
wouldn't be "human noticeable" (i.e., at least 2x performance), but might
be statistically significant.  And I might be wrong -- it might be
noticeable.
...
> # dmesg
> OpenBSD 5.4 (GENERIC.MP) #44: Tue Jul 30 12:13:32 MDT 2013
> dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
...[snip.  Thanks for providing... lots of nvidia hw]

Would be interesting to try your test on a non-nvidia machine.

Nick.
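To check the alignment Nick wonders about, an added example that is not code from this thread: a Python script that parses fdisk(8)-style partition rows and reports, per partition, whether the start sector is a multiple of 8 (4 KiB on 512-byte sectors) and where the next boundary would be. The rows are rebuilt from the start/size values quoted above with constructed column spacing; 512-byte sectors and an 8-sector flash block are the assumptions from the post.

```python
import re

# Constructed fdisk(8)-style rows, rebuilt from the start/size values quoted in
# the post above; the column spacing is ours. Assumptions: 512-byte sectors and a
# 4 KiB (8-sector) flash block, as Nick suggests.
FDISK_OUTPUT = """\
 0: 0B    0   1   2 -    522  43  33 [         64:     8388608 ] Win95 FAT-32
 1: 00    0   0   0 -      0   0   0 [          0:           0 ] unused
 2: 00    0   0   0 -      0   0   0 [          0:           0 ] unused
*3: A6  523   0   1 -   3761 254  63 [    8401995:    52034535 ] OpenBSD
"""

# "[ start: size ]" is the field that matters; the CHS columns are skipped.
ROW = re.compile(
    r"^\s*(\*?)\s*(\d+):\s*([0-9A-Fa-f]{2})\s.*?\[\s*(\d+):\s*(\d+)\s*\]\s*(.*?)\s*$"
)
BLOCK_SECTORS = 8  # 4096-byte block / 512-byte sector


def parse_fdisk(text):
    """Parse partition rows into dicts; lines that are not rows are skipped."""
    parts = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        boot, num, ptype, start, size, label = m.groups()
        parts.append({
            "num": int(num), "type": ptype.upper(), "boot": boot == "*",
            "start": int(start), "size": int(size), "label": label,
        })
    return parts


def alignment_report(parts, block_sectors=BLOCK_SECTORS):
    """For each non-empty partition, say whether its start sits on a block
    boundary and what the next boundary is. Reporting only: moving a partition
    start means repartitioning and reinstalling, which this does not attempt."""
    report = []
    for p in parts:
        if p["size"] == 0:
            continue
        off = p["start"] % block_sectors
        report.append({
            "num": p["num"], "label": p["label"], "start": p["start"],
            "aligned": off == 0,
            "next_aligned_start": p["start"] + (block_sectors - off) % block_sectors,
            "size_is_whole_blocks": p["size"] % block_sectors == 0,
        })
    return report


if __name__ == "__main__":
    for r in alignment_report(parse_fdisk(FDISK_OUTPUT)):
        state = ("aligned" if r["aligned"]
                 else f"misaligned, next boundary at sector {r['next_aligned_start']}")
        print(f"#{r['num']} {r['label']:12s} start {r['start']:>9d}: {state}")
```

On the quoted table the FAT partition starts on a boundary (sector 64) and the OpenBSD partition does not (8401995 leaves a remainder of 3, so every filesystem block straddles two flash blocks). Whether that is "human noticeable" is exactly the open question in the post; the script only tells you whether the condition is present.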



Re: [OpenBSD-5.4/amd64] Lenovo T430 hangs in X

2013-12-23 Thread Nick Holland

On 12/23/2013 10:11 AM, Alexei Malinin wrote:
> On 12/23/13 17:59, Alexey E. Suslikov wrote:
>> Alexei Malinin writes:
>>
>>> OpenBSD 5.4 (GENERIC.MP) #41: Tue Jul 30 15:30:02 MDT 2013
>>>  deraadt  amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>>
>> I would recommend trying -current first and back with another report.
> 
> Thank you, your advice is good but the notebook is my work instrument
> and unfortunately I don't have enough time now to install -current and check.
> 
> Are there other ways to troubleshoot my problem?

The first step is always to see if the problem has been solved already.
Where it would be solved is in -current.  Odds are, unless it is a
regression (i.e., 5.3 worked, 5.4 doesn't), there will be no fix for 5.4
release.  Lots has changed since 5.4 already.

I'm not sure what you are expecting for "troubleshooting" when you
refuse to do the most logical next step that may fix the problem, or at
least get you closer to where the fix will happen.  Any fixes you help
develop will be applied to -current first, and probably only.


Nick.



Re: cleaning old files

2014-01-08 Thread Nick Holland
On 01/08/14 03:10, Didier Wiroth wrote:
> Hello,
> I've been updating my computer from binaries over the years, I'm mostly 
> running current.
> What is the best way to clean/delete old (zombie unused) binary, libraries 
> /etc files ...?
> How are you doing it?
> Thank you very much for your feedback!
> Didier

rm ?

I think your actual question is how do you FIND the files you can delete...

And that...unfortunately, is the difficult question.

IF you do everything The OpenBSD Way...  upgrading the entire system,
using applications only from the OpenBSD package management system, and
upgrading those, it's pretty easy -- look for files that are older than
the most recently installed binaries, remove those.

The problem is...if you have any programs installed through any way
other than OpenBSD ports and packages, you have to make sure those are
upgraded BEFORE removing libraries that might be needed by them.

Generally, I don't do it.  Usually, by the time there's a space problem,
I've upgraded the hardware (you know ... from a 20 year old machine to a
16 year old machine!) or completely reloaded for other reasons.  When
that's not the case, I just go into the directories that have bloated
excessively, find the oldest files, rm them.

Files in the /etc directory are usually too small to worry about.
/usr/lib are usually the ones I go after.

Nick.



Re: Security

2014-01-10 Thread Nick Holland
On 01/10/14 01:36, agrquinonez wrote:
...
[compromised box]
...
> Ideas are going to be really appreciated, because i am not a technical guy.

ok, this is the unpopular answer, but here it is anyway:
Stop.  You should not be running your own web and mail server.

Years ago, I used to say that I could make a good case that anyone
running a mail server or DNS server should require a license, for much
the same reason as one should have a driver's license to drive on public
roads: to indicate you have some minimum level of skill so you don't
hurt others on the road.  (NOT that I would in any way welcome more
government involvement in the Internet).

(I've run mail servers for around 35,000 users and maybe a hundred
domains, and DNS for hundreds of domains...I'd consider myself BARELY
sufficiently skilled to pass my hypothetical license requirement.  I'm
also probably better than 80+% of the people running DNS and e-mail
systems in the Corporate World.  Be scared.)

I exempted running a webserver because I felt that your average website
was "safe" to other people...kinda like painting your own car -- you may
do a lousy job, but no one has to look at your car/site.  Well, these
days of web applications pretty much means I was wrong, and yes, they
are just as able to harm others on the Internet as mail and dns servers
-- maybe even more so these days.

If you don't know how to track down what happened -- and more
importantly, don't know how to KEEP it from happening in the first place
-- you should not be running services on the Internet.  Using OpenBSD
does not render your system unbreakable, any more than putting a five
year old behind the wheel of a "safe" car makes them or the world "safe".


As for what happened in your case, with a total lack of facts from you,
I'm going to say you left a guessable password on an account.  Someone
then threw a list of a few thousand username and password combinations
at it, succeeded, and moved in, probably within 24 hours of your setup.
If you think your password was really clever, that was almost CERTAINLY
your problem.  I've seen these lists, they are funny -- you can just
imagine people patting themselves on the back over how clever their
password is...and there it is on the list to be tried on thousands of
boxes an hour.

The key thing to know is that Internet attacks are not an "oh, I was
unlucky here" thing -- if you expose a service, you are under CONSTANT
attack, if you have any kind of vulnerability, it WILL be exploited, and
rather soon.

Nick.
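Nick's diagnosis (a guessable password, a list of username/password pairs thrown at the box, constant attack on anything exposed) is what a defender would go looking for in the authlog. As an added example that is not code from this thread: a Python script that reads sshd-style "Failed"/"Accepted" lines, counts failures per source address and the accounts tried, and flags the worse case, a login accepted from an address that had just been guessing. The log lines are constructed for the example (hostname "gw", documentation-range addresses); real sshd wording varies a little between versions, and the regular expression is an assumption about that wording.

```python
import re
from collections import defaultdict

# Constructed sshd(8)-style authlog lines; "gw" and the addresses (RFC 5737
# documentation ranges) are made up for this example.
AUTHLOG = """\
Jan 10 01:12:03 gw sshd[12345]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jan 10 01:12:04 gw sshd[12346]: Failed password for root from 192.0.2.10 port 51236 ssh2
Jan 10 01:12:05 gw sshd[12347]: Failed password for invalid user test from 192.0.2.10 port 51238 ssh2
Jan 10 01:12:06 gw sshd[12348]: Failed password for invalid user oracle from 192.0.2.10 port 51239 ssh2
Jan 10 01:12:07 gw sshd[12349]: Accepted password for nick from 192.0.2.10 port 51240 ssh2
Jan 10 01:40:00 gw sshd[12400]: Accepted publickey for nick from 198.51.100.7 port 40001 ssh2
Jan 10 01:41:12 gw sshd[12401]: Failed password for nick from 198.51.100.7 port 40002 ssh2
"""

# Outcome, auth method, account (with or without "invalid user"), source address.
LINE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (\S+) for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def summarize(log):
    """Per source address: failed-login count, accounts tried, and each accepted
    login tagged with how many failures from that source preceded it."""
    by_src = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        outcome, method, user, src = m.groups()
        rec = by_src[src]
        if outcome == "Failed":
            rec["failed"] += 1
            rec["users"].add(user)
        else:
            rec["accepted"].append((user, method, rec["failed"]))
    return by_src


def alerts(by_src, threshold=3):
    """Two findings: a source that is guessing (at least threshold failures),
    and the worse one, a login accepted after such a run, which is the way in
    that Nick's reply describes."""
    out = []
    for src, rec in sorted(by_src.items()):
        if rec["failed"] >= threshold:
            out.append(f"{src}: {rec['failed']} failed logins against "
                       f"{len(rec['users'])} account(s): password guessing")
        for user, method, fails_before in rec["accepted"]:
            if fails_before >= threshold:
                out.append(f"{src}: '{user}' accepted by {method} after "
                           f"{fails_before} failures: treat the account as compromised")
    return out


if __name__ == "__main__":
    for finding in alerts(summarize(AUTHLOG)):
        print(finding)
```

A guessing source with no success is a normal day on any sshd reachable from the Internet, which is Nick's "constant attack" point; the second finding is the one that means the box is no longer yours. The fix is on the server side rather than in the log reader: no password authentication at all in sshd_config (PasswordAuthentication no, keys only), and a pf rule with max-src-conn-rate and an overload table so the guesser is cut off at the firewall after a handful of attempts.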



Re: faq addition: working with mfs disks?

2014-01-26 Thread Nick Holland
On 01/26/14 11:31, Илья Шипицин wrote:
> hello,
> 
> what do you think of adding a faq item which will give example how /tmp (or
> any other write intensive temp disk partition) can be stored in mfs drive?
> 
> Ilya Shipitsin
> 

well... no.

First, at this point, tmpfs is hopefully going to be replacing mfs (see
mount_tmpfs(8)).

Second, a reference in the FAQ to the man page would be good (for 5.5 or
later), but beyond that, as the concept is pretty simple, any
deficiencies should be addressed in the man page.

Nick.



Re: Upgrade path from 4.1?

2014-02-06 Thread Nick Holland
On 02/06/14 05:49, davy wrote:
> Hi,
> 
> I was recently asked to take over the maintenance of an old
> OpenBSD machine, which has not been updated in the last 7 years.
> 
> Currently the machine has been running for close to 1000 days on 4.1.
> It has been a while since I worked with OpenBSD (shame on me), and
> I’m really not sure what the best way would be to upgrade this
> machine, knowing I don’t have a serial or local access to the box.
> 
> Can I do a 4.1 -> 5.4 in one shot?
> 
> thx! Davy
> 

You have a seven+ year old machine, with comparably old disks.

My suggestion:
Build out a new machine using -current (yes, not 5.4.  you have a big
bump coming with 5.4 to 5.5, but if you install -current now, you are
over the bump...then start back on releases/stable with 5.5).  Configure
the new machine exactly as you want it.  Now, put it in service, decom
the old machine...or minimum, swap the disks out of the old machine with
these newly configured disks.

This way, you never lose your functioning system...and you can freshen
your hardware, too.

Nick.



Re: Documentation on rc.conf.local lacks important warning

2014-02-09 Thread Nick Holland
On 02/09/14 14:31, VaZub wrote:
> Sorry, my bad - I assumed that it was only natural for newcomers to
> copy the file and edit it afterwards instead of creating it from
> scratch to override some values.

If you can figure out how to help me write documentation to override
people's assumptions, please let me know.  I feel a Get Rich Quick
coming on if you can...

> Obviously, this assumption was based
> on my ignorance and therefore wrong. You are also right to point out
> that to "copy the lines" is not the same as "copy the whole file" - I
> must have missed this particular distinction.
> 
> The only thing I can put in my defense is that I might have been
> misled to some extent by a particular piece of text -
> http://www.openbsd.org/faq/upgrade47.html#rc.conf. Of course, it is
> outdated and should not be taken for granted in regards to version
> 5.4, but it was one of few leads I've found when trying to fix my
> problem with rc.conf.local file.

And if you noticed the CONTEXT (you have in the past edited the wrong
file) and the warning part in italics (delete the line that re-invokes
this same file -- there twice, in slightly different wording!), it would
have been quite useful today, too.

> Nevertheless, please forgive me for my foolish assumptions and for
> taking your time. And thanks for clearing things up.

There's an art to getting people to read what is on the page and not
what is in their mind.  I may be better than some at this, but
obviously, I have a long way to go. :)

Nick.



Re: new to OpenBSD and have a few questions

2014-02-09 Thread Nick Holland
On 02/09/14 18:30, d...@genunix.com wrote:
>> > question two is honestly : I don't know.  Yet.  :-\
>>
>> One of the Frequently Asked Questions, apparently. :-)
> 
> ah .. there I NOW see :  Other platforms do not need or use fdisk(8).
> 

right.

Little trick in life: use phrases like "I didn't see an explanation of
..." instead of "it didn't explain ..."

The first is probably 100% correct and can never be proven wrong.  The
second can easily be proven wrong. :)

Ok.  Now, start at the VERY VERY top of
http://www.openbsd.org/faq/faq14.html
That "glossy" section (I'm going to take that as a compliment.  You,
sir, are quite glossy yourself, today! :) is jam packed full of info,
most of it quite important.  Not all of it is relevant to all platforms
(and sparc / sparc64 are two of the oddballs in that regard), but there
are pretty good clues in there about which are which, and an
acknowledgement that this IS confusing...

Now... do the same with the installation instructions in faq4.html.  I
know, the first sections of most documentation can be skipped over, but
I try to leave that stuff out all together.

The first section of faq9.html is also highly recommended for those
coming from other systems.  The rest is Linux based and not of much
interest to you.

First section of faq5.html is also very important to understand, and it
sounds like you need to read through faq15.html as well.

Nick.



Re: More OpenBSD on Hacker News -- RBAC and jails anyone?

2014-02-23 Thread Nick Holland
On 02/23/14 21:09, openda...@hushmail.com wrote:
> Hello,
> 
> Got some more layman's questions here after reading
> [url snipped]
> 
>> > OpenBSD for security
>>
>> I dunno, I hear this a lot. Sure OpenBSD has created and implemented
>> some (often very bleeding edge) hardening features, but nothing that
>> hasn't seen the light of day in something like GRSecurity.
>>
>> But the lack of other security layers and constructs seem puzzling 
>> to me. No RBAC-based system like selinux? No attempt to secure the 
>> supply chain until very recently with package signing? Chroot 
>> functionality inferior to something like FreeBSD's jails?
>>
>> Not to mention that many services you would deploy an OpenBSD server
>> for are provided by ports and not the base system, forgoing the 
>> strict auditing that OpenBSD provides.
>>
>> [... snip ...]
>> 
> 
> 1. Why doesn't OpenBSD have something like RBAC?

Security means a lot of different things to different people.  If you
are running an old-style multi-user system (i.e., lots of people have
terminals on their desk, all logging into the Big Computer In Another
Room), where most of the users are of very limited access rights, and
you need to carefully manage what they are getting to, yes RBAC ("Role
Based Access Control") is a great help.  And maybe OpenBSD isn't your
first choice.

However, OpenBSD systems are often deployed for web services or network
services (or single-user systems like desktops).  The only people with
access to the OpenBSD command prompt are usually either moderately
trusted or have administrative rights through sudo anyway.  For this,
RBAC is just extra baggage, something that's more likely to be exploited
than to be useful.

OpenBSD's security model is more about -- as I phrase it -- keeping the
bastards out, not controlling them (or hoping to control them) after
they are in.  Making life difficult for attackers once they get into
your system is usually not going to be overly productive, and usually
makes administration of the system much more difficult, which often
creates NEW security problems of its own.  While people like to talk
about "Defense in depth" -- and it is not a bad idea -- your best goal
is to keep the bastards on the outside of your systems, as once they are
in, they can utilize anything you don't have perfectly bolted down to
accomplish their goals (and yes, that statement puts me opposite a lot
of people making a lot of money chasing down bad guys AFTER they
infiltrate systems).

In the Real World: First thing most people do on an SELinux system is
disable SELinux.  At that point, all the RBAC "features" are now just
pure glossy advertising -- worthless.  For fear of breaking things, the
Linux people have chosen to put a big on-off switch on SELinux...and so
given a choice between fixing applications and turning off the
switch...people just turn off the switch.  ANY claimed benefits of
SELinux are ONLY there if it is enabled and used properly.


> 2. Is chroot really inferior to FreeBSD jails?

define "inferior".
Properly implemented, a chroot is pretty close to doing exactly what it
claims to do.  Combined with good coding, like privilege separation, it
can make apps pretty darned secure.  But, it is hard to retrofit onto
poorly designed apps.

Stuffing a poorly designed app into a FreeBSD jail may be better than
running it as it was intended, but history has shown that poorly
designed applications are usually security problems, and a jail may not
prevent that at all.  At best, a jail will prevent Application A from
messing with Application B or the underlying OS, but it won't help one
bit in keeping Application A from being exploited, and if the exploit is
"useful", mission accomplished.

Jails look like a maintenance nightmare...  created by building from
source? oh my...  Haven't done this myself, but it doesn't look like fun
on a large number of machines.  Or a machine I have 30 minutes to do an
upgrade on.  or 90% of the machines here in my house.


As for GRSecurity...well, looking at their website, it is still a bunch
of patches for Linux to be applied by the user; it still doesn't seem to
be incorporated into any mainline Linux distros.  I suspect this says
far more about the Linux mindset than the merits of GRSecurity (even if
the GRSecurity implementation sucked horribly...FIX IT and then
incorporate it!  Sheesh!)

What's different about OpenBSD is that the features like stack smash
protection and W^X are in the base system, on all possible platforms
(and a few that didn't seem possible at first!), always on, and there's
no easy "off-switch", so crapplications HAVE to be improved in order to
work.  I can't prove this (and I doubt anyone could), but I suspect that
OpenBSD has resulted in more improvements to programs commonly used on
Linux than GRSecurity has.

A lot of people like to say "OpenBSD doesn't matter because few use
it".  If that's true, then I think it is safe to say that "GRSecurity
matters even less".

Re: Vision 2020: Making OpenBSD the world's fastest OS

2014-03-05 Thread Nick Holland
On 03/05/14 10:08, openda...@hushmail.com wrote:
> Anybody have any thoughts on how to achieve this?
> 
> Thanks.
> 
> O.D.

Wrong people.  That would be Linux.
Probably wrong time.  That would be about ten years ago.

I hope by 2020, people will maybe realize that being the fastest is far
from the most important quality -- perhaps people will realize that
security is very very critical in 95% of all computer applications...
something the OpenBSD project will have been pushing for 25 years by then.

Something like 13 years ago, a few kids sat in the parking lot of a
Lowe's store (a large US home improvement store chain), using their
idiotic wireless network to get into the store's network, and then to
the corporate network.  Public reaction: "Evil hackers!"...cost Lowes
virtually nothing in damages or public relations (though they have NEVER
got a dime of my business since).

Last year, Target (a large general products store chain in the US,
probably elsewhere) discovered someone had used their bad security to
skim off millions of credit card records...and saw customers stay away
in huge quantities.  Customers are starting to recognize that it isn't
just the bad guys -- if you don't implement proper security, you are as
much to blame as those that exploit your bad design.

Raw computer power continues to increase.  It would be nice to stop
counting stupid benchmarks and start looking at "are we keeping our data
and the data our customers entrust to us safe"?

(not to say there aren't places where OpenBSD's performance could be
increased, but the idea of taking an OS oriented to security and
claiming you want to make it the "fastest" is quite missing the point)

Nick.



Re: Left side and bottom of boot text console off of screen now

2014-03-08 Thread Nick Holland
On 03/08/14 08:51, Chris Bennett wrote:
> As of this update, I have had these two portions of the screen move off
> of visible area.

"this update" ... from what?
I'm going to assume from a pre-radeondrm version.
> 
> ++
> | |  |
> | |  |
> | |text console  |
> | |  |
> | |  |
> | |  |
> | |  |
> | |  |
> +-|--+
> ++
> 
> Everything else is working fine.
> 
> Chris Bennett

Radeon DRM...looks like a desktop, so I'm guessing you have a VGA
connected LCD monitor.

note the amount of guessing I'm doing here.

radeondrm runs the video in a graphics mode it didn't used to run in, so
you will probably have to re-adjust your monitor.  Fill the screen
("top" might do it sufficiently), and hit the "auto adjust" button,
tweak if needed with the manual adjustments.

Nick.

> OpenBSD 5.5 (GENERIC.MP) #315: Wed Mar  5 09:37:46 MST 2014
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 6156910592 (5871MB)
> avail mem = 5984403456 (5707MB)
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.5 @ 0x9f400 (30 entries)
> bios0: vendor American Megatrends Inc. version "P01-B1" date 03/06/2010
> bios0: Gateway DX4300
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP APIC MCFG SLIC OEMB HPET AWMI SSDT
> acpi0: wakeup devices PCE2(S4) PCE3(S4) PCE4(S4) PCE5(S4) PCE6(S4) PCE7(S4) 
> PCE9(S4) PCEA(S4) PCEB(S4) PCEC(S4) SBAZ(S4) UAR1(S3) UAR2(S3) PS2K(S3) 
> PS2M(S3) P0PC(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 32 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: AMD Athlon(tm) 7750 Dual-Core Processor, 2700.52 MHz
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,ITSC
> cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 
> 64b/line 16-way L2 cache, 2MB 64b/line 32-way L3 cache
> cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
> cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
> cpu0: AMD erratum 721 detected and fixed
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 200MHz
> cpu0: mwait min=64, max=64, C-substates=0.0.0.0.0, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: AMD Athlon(tm) 7750 Dual-Core Processor, 2700.17 MHz
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,ITSC
> cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 
> 64b/line 16-way L2 cache, 2MB 64b/line 32-way L3 cache
> cpu1: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
> cpu1: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
> cpu1: AMD erratum 721 detected and fixed
> cpu1: smt 0, core 1, package 0
> ioapic0 at mainbus0: apid 2 pa 0xfec0, version 21, 24 pins
> acpimcfg0 at acpi0 addr 0xe000, bus 0-255
> acpihpet0 at acpi0: 14318180 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 1 (P0P1)
> acpiprt2 at acpi0: bus -1 (PCE2)
> acpiprt3 at acpi0: bus -1 (PCE3)
> acpiprt4 at acpi0: bus 2 (PCE5)
> acpiprt5 at acpi0: bus -1 (PCE6)
> acpiprt6 at acpi0: bus 3 (P0PC)
> acpicpu0 at acpi0: PSS
> acpicpu1 at acpi0: PSS
> acpitz0 at acpi0: critical temperature is 105 degC
> acpibtn0 at acpi0: PWRB
> cpu0: 2700 MHz: speeds: 2700 1400 MHz
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "AMD RS780 Host" rev 0x00
> ppb0 at pci0 dev 1 function 0 "AMD RS780 PCIE" rev 0x00
> pci1 at ppb0 bus 1
> radeondrm0 at pci1 dev 5 function 0 "ATI Radeon HD 3200" rev 0x00
> drm0 at radeondrm0
> radeondrm0: apic 2 int 18
> azalia0 at pci1 dev 5 function 1 "ATI RS780 HD Audio" rev 0x00: msi
> azalia0: no supported codecs
> ppb1 at pci0 dev 5 function 0 "AMD RS780 PCIE" rev 0x00: msi
> pci2 at ppb1 bus 2
> mskc0 at pci2 dev 0 function 0 "Marvell Yukon 88E8071" rev 0x16, Yukon-2 
> Extreme rev. B0 (0x2): apic 2 int 17
> msk0 at mskc0 port A: address 00:22:68:67:ee:9c
> eephy0 at msk0 phy 0: 88E1149 Gigabit PHY, rev. 1
> ahci0 at pci0 dev 17 function 0 "ATI SBx00 SATA" rev 0x00: apic 2 int 22, 
> AHCI 1.1
> scsibus0 at ahci0: 32 targets
> sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct 
> fixed t10.ATA_Maxtor_6Y080M0_Y2B4ERCE_
> sd0: 76293MB, 512 bytes/sector, 15625 sectors
> cd0 at scsibus0 targ 1 lun 0:  ATAPI 5/cdrom 
> removable
> ohci0 at pci0 dev 18 function 0 "ATI SB700 USB" rev 0x00: apic 2 int 16, 
> version 1.0, legacy 

Re: Left side and bottom of boot text console off of screen now

2014-03-08 Thread Nick Holland
On 03/08/14 09:26, Chris Bennett wrote:
> On Sat, Mar 08, 2014 at 09:06:54AM -0500, Nick Holland wrote:
>> On 03/08/14 08:51, Chris Bennett wrote:
>> > As of this update, I have had these two portions of the screen move off
>> > of visible area.
>> 
>> "this update" ... from what?
>> I'm going to assume from a pre-radeondrm version.
> 
> Yes, from quite a while back.
> Only get internet here now through my new smartphone.
> 
>> > 
>> > ++
>> > | |  |
>> > | |  |
>> > | |text console  |
>> > | |  |
>> > | |  |
>> > | |  |
>> > | |  |
>> > | |  |
>> > +-|--+
>> > ++
>> > 
>> > Everything else is working fine.
>> > 
>> > Chris Bennett
>> 
>> Radeon DRM...looks like a desktop, so I'm guessing you have a VGA
>> connected LCD monitor.
>> 
> 
> No, HDMI
> 
>> note the amount of guessing I'm doing here.
>> 
>> radeondrm runs the video in a graphics mode it didn't used to run in, so
>> you will probably have to re-adjust your monitor.  Fill the screen
>> ("top" might do it sufficiently), and hit the "auto adjust" button,
>> tweak if needed with the manual adjustments.
>> 
> 
> It is a TV that accepts VGA, HDMI, etc.
> There are no "tweak" adjustments.

oof.  I got one of those, an old Dell thing.  Accepts lots of things,
does none of them well, it seems.  I'm still thinking you have a monitor
problem more than a computer problem, though certainly not supposed to
happen with DVI.  'course, I've had that discussion with my old Dell
thing, and it was wholly unimpressed with my logic.

Is your monitor really 1920x1080?  that's what radeondrm thinks it is.
That's kinda what my bluray player thought of my monitor, come to think
of it (it isn't), which is also shifted off to one side, iirc.

> I only use this console for sysmerge, but that would now be very
> difficult to use, since I couldn't see the options.
> 
> Chris

ok, sounds like you have painful connectivity and a cranky monitor (or a
video combination with a bug), so for the moment, I'd suggest just
disabling the radeondrm driver via ukc>, and it will revert to the old
style text mode, which will probably work Just Fine for you.

boot> boot -c
bla bla bla
ukc> disable radeondrm
*nnn radeondrm disabled
ukc> quit
[happy (hopefully) boot]

IF you have another monitor of any kind of any attachment, I'd like to
verify your problem persists with it or goes away (without the UKC hack,
of course)

Nick.



Re: Broken links on faq

2014-03-13 Thread Nick Holland
On 03/12/14 22:35, ropers wrote:
> On 13 March 2014 00:23, Maurice McCarthy wrote:
>> On the typo http://[url snipped]/faq//faq1.html an extra "faq/" is placed ...
>> where it should not be.
> 
> It isn't really *placed*.
> 
> If you look at the HTML source, you'll see that the links that (only)
> *seem* to be "acting up" in connection with the mistyped URL are just
> ordinary relative links; e.g.:
> 
> | Our
> | goals place emphasis on correctness,
> | security, standardization, and
> | portability.
> 
> It's just that your browser (and my Firefox) seems to --in this context
> at least-- interpret the "//" as an extra level in the hierarchy, so
> the "start from www.openbsd.org/faq/ and go one level up to reach
> www.openbsd.org/" seems to become "start from www.openbsd.org/faq//
> and go one level up to reach www.openbsd.org/faq/" (which doesn't have
> e.g. a goals.html).
> 
> The inconsistency arises because on the one hand, the "//" is accepted
> as equivalent to "/" (which is why you're getting a page at all with
> the mistyped URL), but then on the other hand, the "//" is parsed as
> two hierarchy levels.
> So "//" counts as 1 on the way *down* the hierarchy, but it counts as
> 2 on the way back *up*.

not exactly.

ok, you go to ...faq//faq1.html
The OS on the webserver takes you to [htmldocs]/faq//faq1.html.  OpenBSD
(and I believe most unix-like OSs) ignores the extra slash.

...but your browser doesn't.

So...when you click on goals your browser
lops off one slash and submits a url to the server --
   http://.../faq/goals.html
which is wrong.

> I'm not actually sure if this behaviour is canonical, and/or whether
> it's a bug or not, either in Firefox or (also) in the HTTPD. To my
> naive mind making assumptions that are based on bugger all, the "//"
> ought to take you back to the root, but I haven't read the RFC/spec.
> Maybe someone else knows this off the top of their head?
> 
> regards,
> --ropers
> 
> PS: Okay, so I have at least skimmed parts of
> https://tools.ietf.org/html/rfc3986#section-3 - but specifically as
> the question how //s ought to be treated, I'm none the wiser.
> Apparently the only place the RFC really envisages //s is in front of
> the authority (domain name part), i.e.after http: or similar. But then
> the RFC doesn't strictly say that //s were illegal in any other place.
> If anyone else knows this, I'd be much obliged for cluebat
> ministrations.

It is really much simpler than that.

The OP's URL is *WRONG*. Plain and simple.  It shouldn't be on the
OpenBSD website at all, and it shouldn't be elsewhere, either.  It
shouldn't have been submitted to the OpenBSD web servers with the
expectation of success.  The fact that the web server returned something
looking useful has to do with what the underlying OS does with double
slashes -- just ignores them, but it isn't required/desired/whatever.
It is entirely possible to write a web server which would do something
totally different with double slashes.

So..the fact that relative links against an incorrect URL don't work is
not really an issue.  If there's an issue here (and I don't believe
there is), maybe the webserver should have 404'd on the initial URL.

(I saw a discussion recently where the idea came up of increasing
donations by changing 404 errors to 402.  Yeah, I had to look it up,
too.  So I expect everyone who participates in this thread WILL be
buying a CD set soon. :)

Nick.



Re: ffs2

2014-03-16 Thread Nick Holland
On 03/16/14 17:43, Juan Francisco Cantero Hurtado wrote:
> On Sun, Mar 16, 2014 at 09:53:29PM +0100, carsten.ku...@arcor.de wrote:
>> > i just want to know how to format a partition in OpenBSD for ffs2 ?
>> 
>> You could have a look in the newfs(8) manpage for the option "-O". -O 2 
>> should be FFS2.
>> 
> 
> But don't use FFS2 for /. OpenBSD can't boot from FFS2.
> 

And in general, don't use -O2 either, as OpenBSD switches from ffs to
ffs2 when you get big enough on its own.  Just let it do its magic, the
days of having to twist knobs for file systems should have been over
quite some years ago.

(Exception: when you make a partition small enough to be ffs, but plan
to growfs it later to a bigger size -- growfs works on ffs and ffs2, but
doesn't convert from one to the other.  Oh poo.  Just realized I forgot
to do this recently... )

Nick.



Re: ffs2

2014-03-17 Thread Nick Holland
On 03/17/14 21:24, Stuart Henderson wrote:
> On 2014-03-17, Nick Holland  wrote:
>> (Exception: when you make a partition small enough to be ffs, but plan
>> to growfs it later to a bigger size -- growfs works on ffs and ffs2, but
>> doesn't convert from one to the other.  Oh poo.  Just realized I forgot
>> to do this recently... )
> 
> But you have another similar system in a carp cluster so you can
> rebuild without downtime, right? :)

Actually, yes. ;)

(I was wondering who would figure out what I was referring to...  Stuart
wasn't my first guess, but he was my third. :)

Nick.



Re: ffs2

2014-03-17 Thread Nick Holland
On 03/17/14 22:19, Adam Thompson wrote:
> OK, obviously I missed something.  How do you resize ffs filesystems without 
> a dump/restore step?
> -Adam

man growfs

short version:
 * check your backup.
 * dismount partition in question
 * enlarge the disklabel partition by changing the endpoint
 * run growfs on that partition
 * fsck
 * mount
 * grin.

It is really easy, very fast.

It isn't a fancy volume management system, but if you design and plan
your systems right, it is more than you probably need.  You can only
enlarge partitions, and only by changing the endpoint.  I firmly believe
that most uses of "volume managers" is more an excuse to poorly design
systems from the beginning and hide the foolishness later, and pat
yourself on the back for having something else to put on your resume.

Of course, if you have two machines which hold the same data on them in
a CARP pair (as I do), you just rebuild the second (standby) one the way
you want it, copy your data back to it, promote it to master, and do the
same for the other machine.

Nick.



Re: Setup a RAID

2014-03-19 Thread Nick Holland
On 03/19/14 09:30, Matias Moreno Meringer wrote:
> Hi!
> 
> Have a 5.4 currently installed in sd0 and want to build a softraid1 to use
> the disk in conjunction with a secondary sd1.
> 
> I know a way to build the raid at installation point, but not sure how to
> do it after the installation without reinstalling. Is possible?
> 
> Thanks,
> Matias.-
> 

depends...if you left unallocated disk space sufficient to build a new
RAID partition and copy your data over, sure.

Otherwise, it is rebuild from scratch.

Nick.



Re: upgrades no longer allow ftp for sets

2014-03-26 Thread Nick Holland
On 03/25/14 21:09, n...@leviacomm.net wrote:
> Thanks and I understand the reasoning.  The current ftp server won't be
> able to do http and use of siteXX files prevents using an external
> source.  Will nfs be supported or am I going to need more hardware?

I'm not understanding something here, and I think most of the rest of us
are missing it, as well.

You can pick up hardware capable of serving http to all your machines
for upgrade off my curb today.  Really, it takes almost nothing to build
a very capable web server for static content.  Since you are probably
talking about only one or two platforms, a small SSD can hold all the
files and packages, put into a seven year old computer with SATA
interface, and ta-da, you got a $100 (or way less) http server that will
absolutely kick ***.

I find it unlikely your existing FTP server can't have a web server
added and pointed at the same directory your FTP is being served from
now, unless it is some bizarre little appliance thing, in which case,
you would really benefit from an upgrade, performance-wise.

So...is there a real problem in your environment that makes FTP more
desirable?  If so, I'm sure a lot of us would like to be educated on
this...or is it just a reluctance to change?

Nick.



Re: Seagate ST3250310AS not recognized

2014-03-26 Thread Nick Holland
On 03/26/14 16:59, Charlie Farinella wrote:
> I'm trying to install OpenBSD 5.4 on a Dell Vostro 400, it's several
> years old but not ancient.  4GB RAM, 250GB Seagate ST3250310AS hard
> drive.  The installation goes normally until it tries to find the
> hard drive and then tells me no hard drive is available.
> 
> I've wiped the drive (it had ESXi on it before), repartitioned it,
> unpartitioned it, installed Linux, installed FreeBSD all without
> problem, but no matter what I do to it, OpenBSD won't see it.
> 
> I would really like to get this working so any suggestions or
> guidance is very much appreciated.

First of all, your report sucks.
Normally, I try to just ignore bad reports, even when I have a possible
W.A.G., but I'm going to try something new...  I'm going to say you owe
the project a $50 donation if I'm right.  And if I'm wrong, you get to
buy the 5.5 CDs when they come out and say "ha ha! you were WRONG!"

First of all, if you hooked the drive up properly and it is seen in the
bios and all, it isn't a matter of the /drive/ not being recognized, or
anything on the drive left over, there's something wrong with the
handling of the drive by the interface.

All that stuff that goes scrolling by the screen on boot?  it's
important. it's called the "dmesg".  Read it, it will tell you why
things didn't work.  You may well have to interpret things, but
somewhere on your dmesg, the chip that is your SATA interface will show
up, and right there, it will probably give you a good idea why it isn't
acting like a disk interface.  And while it looks like gibberish, it's
actually fairly readable.

My wild guess: you have an ahci interface (this is good), configured in
the BIOS for RAID (this is bad).  Dell shipped a lot of machines with
one disk, with the interface configured in the BIOS as a "RAID".  This
is really just a lame BIOS-assisted OS-based RAID system, like most
cheap RAID options, but if the OS doesn't support the RAID idea and it
is a multi-booting system, bad things can happen when the BIOS "helps"
you by copying one drive over your other drive, so OpenBSD (and at least
some Linux kernels, I've seen) won't touch the drive if it was in the
unsupported RAID configuration mode.

Nick.



Re: pf to redirect local dns traffic to another port

2014-03-29 Thread Nick Holland
On 03/29/14 17:09, Stéphane Guedon wrote:
> Hello
> 
> I am currently trying to run two nameservers on the same OpenBSD
> server.
> 
> The first one is authoritative (let's say bind or nsd, no one cares).
> the second will be dnsmasq.
> 
> You guess the objective of the construction : give local answers from
> dhcp leases to local requests, and give authoritative answers for the internet
> requests.

you are getting sloppy with terms here.  You aren't being authoritative
for Internet requests -- you are doing recursive resolution.  You are
authoritative on your internal stuff only.

Also...  for -current, BIND has been replaced by NSD and Unbound, so you
might wish to run -current for this project to minimize changes in the
near future.

> That's for the presentation.
> 
> I can run dnsmasq on a different port, but how do I give my local hosts
> the idea of interrogating a non standard dns port ?
> Then I thought I could drive the traffic from my LAN to the port
> dnsmasq is running on.

The easier way is to run your DNS resolver on a different IP Address,
not a different port, than your authoritative DNS.  BIND is something of
an address slut, it connects with every address by default, so you will
have to restrict it in the config to just the ports you want.  I don't
recall what NSD/Unbound do by default, but they are at least
configurable to not be stupid and connect up with just the address you
want them to connect to.

So...run your resolver on the external port, run the authoritative on
localhost, configure the resolver to query the authoritative (on
127.0.0.1) for local info, and the general Internet DNS for everything
else.  Your DHCP server populates your authoritative server, your
machines query the external address, and all Just Works.

And remember: if you wish to get more complicated, you can have lots of
localhosts. (127.0.0.2, 127.0.0.3 ...) and attach different services to
each.

Nick.



Re: OpenBSD Website, multilanguage faq

2014-04-03 Thread Nick Holland
On 04/03/14 04:29, Wesley MOUEDINE ASSABY wrote:
> Hi
> 
> There aren't any multilanguage pages anymore?

The problem was that few of the translations were kept up to date or
complete.  Really, I'm amazed that the (volunteer) translators could
keep up as well as they did, but it wasn't generally as up to date as
things needed to be.

Old documentation is as bad or worse than no documentation.

And realistically, OpenBSD is rather English-centric.  Let's pretend the
website was perfectly and instantly translated into your preferred
language...
...then you want to see the details of something mentioned briefly in
the FAQ and type
man pf.conf
boom.  English.  Only.

Error messages?  English only.

And so on.

Perfect world?  No, far from it.  But it is the best we can do right now.


Granted, I've lost my most valuable proofreading team...and one of my
key tools to keeping me humble:  When I would write something I was very
proud of...then get a correction of my basic English from someone for
whom English is a fourth or fifth language, it's hard to get an inflated
ego. :)

Nick.



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Nick Holland
On 04/03/14 22:04, Martin Braun wrote:
...
> Maybe I am just plain stupid, but could someone explain to me the point in
> "bragging" about only two remote holes in the default install, when the
> default install is useless before you add some content to the system,
> unless you're running a web server serving static content only.

Let's pretend your statement about the default install being "useless"
hadn't been totally disproved already...

If you are building a big, complicated house, the first thing you need
is a solid foundation.  Now, you can build the rest of the house poorly
or well, but if the foundation is bad, the house is not going to be
solid, no matter the effort put into it.

The start to a good structure is a solid foundation.

Yes, put crapplications on OpenBSD, and you won't have good security
(though -- you MAY get lucky and have OpenBSD save your *** anyway).
But put good applications on a bad platform, you are unlikely to have
good security.

Now, you have been taking shortcuts to get bad applications running on
"easy" OSs (which probably means you were able to google for complete
"how-tos" so you didn't have to understand your task at hand), and I'm
sure like most people, you figure, what does it matter?  You can always
blame the attackers, you can say "everything has bugs", "nothing is
perfect", and all the other excuses and evasions people have used.  News
flash: the world is changing -- The general public is starting to
realize that the people they entrust with their data ARE responsible for
the security of that data, and not quite willing to accept the same old
crap excuses anymore.

Nick.



Re: feature patch -> replace /etc/crontab by /etc/cron.d/

2014-04-08 Thread Nick Holland
On 04/08/14 16:35, Remy wrote:
> Hi guys,
> 
> here is a simple patch to replace /etc/crontab by /etc/cron.d/.
> You need to manually mkdir /etc/cron.d.
> 

um. eight days late.  I look forward to your contribution next year, but
try to hit the right date next time.

Nick.



Re: OpenBSD on IBM Power

2014-04-13 Thread Nick Holland
On 04/13/14 20:47, Zeljko Jovanovic wrote:
> On 09.04.2014. 18:24, Fil Di Noto wrote:
>> Is there any hope of OpenBSD running on IBM Power hardware (System P,
>> LPAR) in the future?
> ...
>> OS on that hardware without cooperation from IBM? I don't see any
>> Linux distros that do not have a relationship with IBM that run on
>> Power.
> 
> Slackware Linux has an IBM port, although it has not been updated for several 
> years now: http://www.slack390.org

um. Linux kernel 2.4?  Are you kidding me?  dead dead dead.

> I am not sure what are the differences between largest IBM machines (System
> Z, formerly known as System/390), and smaller systems such as System P. But I am
> sure that Slackware project certainly does not have a relationship with any
> company.
> 
> By the way, as you probably know, Slackware is the oldest surviving Linux
> distribution, and advertises as the most "UNIX-like" among Linuxes. Also, its
> /etc layout is of BSD type, not System V like in other Linux distribution. The
> overall "look and feel" after installation is similar to OpenBSD. Even the BSD
> games packages, with fortune program enabled by default is there. :)

There are a bunch of things that are needed for an OpenBSD port,
including at least:
1) Interest by a developer.
2) Hardware in the developer's hand.
3) Availability of hardware for other developers at a reasonable price.
4) A user base to stimulate #1

There's not a lot of hardware out there to be had, not a lot of it in
developer's hands, and what's there isn't overly cheap.  And it probably
won't do anything better than other hardware out there to stimulate
developer interest, either.

I've got a couple IBM Power machines -- one with the performance of
maybe an iMac G3, the other with the performance of a single processor
G5.  I could put a second processor in it, IF I could find an IBM
processor module for a price I was willing to pay ($5 might do it.  $20,
definitely not.  "free" would be the only "definitely" for me).

As I recall, some years ago, someone managed to use a NetBSD boot loader
to boot an OpenBSD kernel on something akin to my G3-ish machine, and
the bloody thing actually kinda came up (missing a lot of hw, but still).

The problem is... so what?  If I do something serious with either of
these machines, my ability to get a spare /cheaply/ is low, and for a
fraction of the price and power consumption, I can get a BETTER in every
way i386 or amd64 system...or a scrap MacPPC system.

There's a lot of reasons developers can be interested in particular
hardware when pure logic might dictate that "mainstream Intel-ish is
better" but I'm not seeing much about those IBM systems to make them
overly lovable from either a purely rational or emotional standpoint.

If you disagree, go ahead, do the work to make it run, submit the code,
keep it running, and your reward will be seeing a new platform supported
by OpenBSD...as long as you do the work to keep it running.  Wow, that
sounds really depressing when I put it that way.

Nick.



Re: PI-like board for OpenBSD?

2014-04-19 Thread Nick Holland
On 04/19/14 21:01, Martin Braun wrote:
> Hi
> 
> I know that there isn't going to be any support for the Raspberry Pi,
> but I have been looking for something similar that runs OpenBSD
> without any problems.
> 
> I am mainly interested because of the low power consumption and
> because I want to have this box running 24/7 with OpenBSD.
> 
> I mainly need it for OpenSMTPD and Nginx stuff, so graphics isn't
> important, but I also don't want to fiddle around with special cables
> and stuff, ie. it should be relatively easy to install OpenBSD.
> 
> I already have a couple of R-PI's running XBMC and I have a Cubox
> running Debian.
> 
> Any recommendations for a mini box that runs OpenBSD without problems?
> 
> Kind regards.

http://www.openbsd.org/armv7.html

I'm kinda fond of the BeagleBone Black boards.  Similar size to the
Raspberry Pi boards.  No USB support at this point.

A bunch of people will yell "Soekris!".  But then, they yell that for
every question.  ;)

There are also Alix boards, which I've seen people sing the praises of.

On the other hand, I recently built a three-port firewall system using
an old P3-ish 700MHz Celeron desktop and a CF->IDE adapter -- measured
power draw: 27W when idle.  Yeah, a lot more power than a Beaglebone,
but it was basically free, and a heck of a lot more powerful than any of
the ARM systems we support.  "free" is a big head-start when it comes to
saving money on electricity.

I've found a fair number of used "appliance" devices and "network
terminals" which are basically just special purpose PCs.  Again, not as
low power as the ARM systems, but again, starting price of "near free"
is hard to beat.

Nick.



Re: Dell PE R210 won't boot from install54.iso CD

2014-04-22 Thread Nick Holland
On 04/22/14 12:08, Mike Grau wrote:
> Hello,
> 
> I'm new to OpenBSD and hope someone here has been able to install
> OpenBSD on a Dell PE  R210. It will not boot the install CD (made from
> install54.iso). Here's the console:
> 
> CD-ROM: 82
> Loading /5.4/AMD64/CDBOOT
> probing: pc0 com0 com1 mem[624K 3061M a20=on]
> disk:
> 
>_
> 
> 
> The R210 _does_ boot from a linux install disk, and this same OpenBSD
> install CD does boot when used in a Dell Optiplex GX520.
> 
> Is there something that needs to be done more than setting the boot
> sequence in the bios for the PE R210 boot from the CD?

obviously, it IS trying to boot from the CD.  However, it appears to be
choking on something, and it appears to be disk related.

This is curious -- I've run OpenBSD on R200s, R710, R820, R310 and a
whole lot of other machines AROUND your R210, but not an R210.

At that point, the boot loader (which it loaded successfully from CD) is
looking for BIOS disk devices.  Look for things in the BIOS that it
could be tripping over -- on-board SD card flash (recovery card?  Can't
remember what they call it), floppy (yeah, Dell doesn't have a floppy in
the R210, but there might still be floppy support in the bios), DRAC,
etc.  Make sure you have the most recent BIOS on the machine.

On my laptop I just happen to have handy, the cdboot process looks like
this:

CD-ROM: 9F
Loading /5.5/I386/CDBOOT
probing: pc0 com0 com1 apm pci mem[639K 510M a20=on]
disk: fd0 hd0+ cd0
>> OpenBSD/i386 CDBOOT 3.23
boot>

So we can see you are hanging at the disk enumeration step.

Oh...um...are you actually on a monitor and keyboard, or are you using a
serial console?  Funny things can happen if the BIOS was doing
redirection, then figures the OS is loaded and hands control of the
serial port over to the OS at that point.  Not EXACTLY where I'd expect
that error, but ...
IF you are using a serial console, you would want to add a
/etc/boot.conf file to your CD with the serial redirection command on it
("set tty com0").

Nick.



Re: No hw.setperf on Intel Atom CPU D2550 64bit system

2014-04-30 Thread Nick Holland
On 04/30/14 21:56, Jonathan Gray wrote:
> On Wed, Apr 30, 2014 at 07:28:16PM +0200, Thomas Bohl wrote:
>> Am 30.04.2014 05:23, schrieb Jonathan Gray:
>> >On Tue, Apr 29, 2014 at 10:22:29PM +0200, Thomas Bohl wrote:
>> >>cpu0 at mainbus0: apid 0 (boot processor)
>> >>cpu0: Intel(R) Atom(TM) CPU D2550 @ 1.86GHz, 1867.07 MHz
>> >>cpu0: 
>> >>FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
>> >
>> >We only do speedstep if the processor advertises that speedstep is
>> >supported in cpuid (ie there should be a 'EST' flag above).
>> >
>> >According to
>> >http://ark.intel.com/products/65470/Intel-Atom-Processor-D2550-(1M-Cache-1_86-GHz)
>> >it doesn't do speedstep as well.
>> >
>> >i386 fakes a table with high/low values for older processors that
>> >still have a fsb, which was mostly used before the code to fetch
>> >tables from acpi was added.
>> 
>> Thank you for your explanation.
>> i386 it is then.
> 
> It wouldn't hurt to check with md5 -tt and/or a power meter
> to see if there is actually a difference between
> hw.setperf=0 and hw.setperf=100.
> 

A power meter would be more "useful" -- at least the first generation of
Atom systems, the Northbridge chip drew more power than the CPU (really
-- the heatsink and fan was on the Northbridge chip, NOT the CPU!!  This
may explain the lack of speedstep); if you could whack the CPU down to
zero power consumption (you can't), it would hardly have changed the
TOTAL system power draw at all.

Nick.



Re: Firefox tweaking

2014-05-01 Thread Nick Holland
On 04/30/14 08:45, Mihai Popescu wrote:
> Hello,
> 
> I am running a very recent snapshot and I want to try Firefox again (now at
> version -28.0p0). It seems that I get some unresponsive behaviour, like
> intermittent scrolling, long delays for content rendering, etc. I must say
> that I had no crash whatsoever. I am using Openbox as a window manager. I
> have no plugins or extension installed in Firefox.
> 
> My dmesg is at the bottom, but I want to ask for a few tweaks for Firefox
> tuning if those are available, please. If my hardware is too weak, then I
> will go back to Chromium which works faster for now.

I think your hw is just too weak.  I've got an amd64x3 w/4G RAM, and it
is definitely showing the strain that Mozilla products put on it.

I did just fire up Firefox on a little i7 laptop I recently got -- dual
core, hyperthreaded i7 chip, 8G RAM (and a tiny SSD).  wow, I don't
recall firefox coming up that fast in quite some time.  Guess I need to
replace my desktop now.

Nick.


> Thank you.
> 
> OpenBSD 5.5-current (GENERIC) #63: Tue Apr 29 02:37:44 MDT 2014
> t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel(R) Pentium(R) 4 CPU 3.20GHz ("GenuineIntel" 686-class) 3.20 GHz
> cpu0:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,CNXT-ID,xTPR,PERF
> real mem  = 1072132096 (1022MB)
> avail mem = 1042214912 (993MB)
...



Re: a man.openbsd.org oddity, and a cvsweb niggle

2021-08-16 Thread Nick Holland

On 8/16/21 9:06 AM, Stuart Henderson wrote:
> ...
> 
>> Speaking of backend code I don't know how to find, much less submit a diff for:
>> For folders that are entirely in the Attic[0], could
>> cvsweb.openbsd.org somehow be convinced to display these only in the
>> actual Attic, and not list them in the parent's directory list?  Or if
>> that's not feasible, to maybe show a marker behind the names of
>> folders that don't contain anything?
>> Something like [in the Attic] or [all contents in the Attic] or
>> [empty] or [Attic]?
> 
> Sounds like a bunch of recursive scanning would be needed. Not sure it's worth
> it when the git export exists.. cvsweb is in ports but I don't know if it's the
> same version which runs on cvsweb.openbsd.org.


Yes, the version on cvsweb.openbsd.org is the one in ports.
There is/was a newer port submitted, but didn't get committed.  I wasn't too
excited about using the newer one as it had a LOT of additional dependencies
which are always "fun" (not really) to cram into a chroot and keep updated.

Nick.



Re: Run a command on "last day of month"

2021-09-01 Thread Nick Holland

On 9/1/21 5:50 AM, Joel Carnat wrote:
> Hello,
> 
> I would like to run a command on "the last day of each month".
> 
> From what I understood reading the crontab(5) manpage, the simplest way
> would be setting day-of-month to "28-31". But this would mean running
> the command 4 times for months that have 31 days.
> 
> Is there a simpler/better way to configure crontab(1) to run a command
> on "the last day of month" only ?
> 
> Thank you,
> Joel C.


Just run your script every day, and first thing in the script, check to see
if it is the last day of the month -- and quickly exit if it isn't.  Very
cheap to do and relatively easy if you know a good trick to do it.

http://holland-consulting.net/scripts/endofmonth.html

Find the last day of the month:
   $ set $(cal)
   $ shift $(($# - 1))
   $ echo $1
   30

Compare to today:
   $ date "+%d"
   1

rather easy, and fairly portable.
You could probably stuff it into a one-liner in a crontab, but I would not
recommend it.


Nick.



Re: CARP Cold Spare

2021-09-26 Thread Nick Holland

On 9/24/21 6:13 PM, Don Tek wrote:
> Would there be any ‘problem’ with configuring a 2-machine CARP
> setup and then just keeping one machine powered-off until needed?
> 
> I realize this defeats live failover, but this is not a requirement
> for my customer.
> 
> I just want them to be able to, in the event of a primary machine
> failure, power-on the secondary and have it take over.  Logic here is
> to otherwise not have the secondary sucking power off the UPS’s in
> the event of a power failure, or in general.
> 
> Legit?



Technically, should work fine.
Administratively?  you got a mess on your hands.

With a fair amount of certainty, I can say you will run into at least
the following administrative problems:
* users added/changed to live box, not duplicated to spare.
* Updates done to live box, not to spare
* rule changes done to live box, not to spare.
* Other settings changed on live box, not duplicated to spare.

None of these are intrinsically CARP issues or solved by CARP at all
but all of them are going to be complicated by having a machine that
is off when changes are made to the live one.  All these issues have to
be considered with a CARP setup, but with a machine powered off, you KNOW
they won't be dealt with in a timely manner...which means they won't be
there when you need them.

If your goal is really to have one machine running, I'd suggest skipping
CARP, and just mirror the drives on the primary and keep spare hw in
reserve, and keep good backups of ALL configuration information.  Drive
fails?  you got a mirror.  HW fails?  you got spare, move the drives,
bring it up.  Keep it simple, you will be happier.

Nick.



Re: athn AP

2021-10-17 Thread Nick Holland

On 10/16/21 7:40 AM, Jan Stary wrote:
> > > o Worked around a problem with certain athn(4) hardware that caused
> > >   problem when running in HostAP mode with clients that use Tx
> > >   aggregation.
> 
> About a year ago, I gave up on having an athn in an ALIX as my home AP,
> and just connected a TP-Link AP. That has its disadvantages, but the
> actual wifi traffic got much better in terms of reliability and throughput.
> 
> Would people now recommend running an AP "natively",
> i.e. a wifi card (plus the antennas) on an OpenBSD box
> over running wifi over a dedicated device?


For a few reasons, I much prefer an external Access Point.
A big one is, in my life firewalls are located in a place where APs
would be sub-optimal. Even back when I ran an OpenBSD access point,
(back in the wi(4) days!) it was a separate box well away from the
main firewall.

Nick.



Re: proper way to grow softraid partition

2021-10-29 Thread Nick Holland

On 10/27/21 1:11 PM, kasak wrote:
> Hello misc!
> 
> I want to replace my two 2TB hdd, joined in raid1.
> 
> I have two 4TB drives, and I want to replace smaller drives with them.
> 
> it wouldn't be a problem, if i had some spare sata ports, but in my pc i
> have only one left.
> 
> So, I can attach only one of this 4 tb drives at the same time.
> 
> I think, maybe I can attach new 4 tb drive to old raid as a third
> volume, wait for it "repair",

Unfortunately, unless something changed when I wasn't looking, you can't
change the number of drives in a softraid RAID1 after creation.  I really
wish you could.

> and then remove 2 tb drives, add one more 4 tb and "repair" raid again.
> 
> I don't know, will this operation actually grow my partition, or it is a
> bad idea from the beginning?

nope, you would end up with a 2T RAID partition on a 4G drive.  Which is
fine, except you didn't achieve your goal.

> Alternate, can i create raid 1 volume from just one drive, rsync files
> between raids and after add another disk?

Again, you can't change the number of drives in a softraid RAID1 set after
creation.  And you can't change the size of a softraid partition.

What I would (and have) done is this, assuming this is your only computer
available:
* extract both your 2T drives.
* insert both 4T drives, build a RAID1 set.
* Insert ONE of the old 2T drives and ONE of the 4T drives into your system.
On boot, you end up with two degraded arrays...but that will work for your
purposes!
* Copy the data from the old disks to the new disks
* Change fstab
* Remove the old 2T disk, and replace with the 4T disk left over, rebuild
the degraded array onto the 4T disk.
* DONE!

Now...since you have ONE spare port still, I'd actually cheat and remove
one 2T disk, and put both new disks in place, build the array, and copy
over. Fix fstab, remove the old 2T disk, done.

HOWEVER, something else to consider -- from later messages, sounds like you
have a non-RAID boot drive and RAID data drives.  I SUSPECT you could build
out your new 4T array as a bootable softraid and move your boot drive data
AND the 2T of old data all to the one 4T array and still have a lot of new
space (a basic OpenBSD install is barely noticeable in a 4T disk!).  Now
you have redundancy in both boot and data, and one less disk, which will be
a small power reduction, and one less point of failure.

Nick.




openbsd.cs.toronto.edu mirror issue

2021-11-26 Thread Nick Holland

Hiya.
The OpenBSD.cs.toronto.edu mirror is having some issues; I'm
hopefully taking care of those right now, but it will take a
number of hours to be back up to a fully operational state.

Services are off until it is fixed.  Sorry for any inconveniences.

Nick.



Re: libdmx removal incomplete?

2021-11-29 Thread Nick Holland

On 11/28/21 6:17 PM, Alexander wrote:
...

> Lastly: From your emails it seems to me that the use of sysclean after
> upgrading is very much encouraged if not necessary. Then why is it not
> included in base (especially when it's developed by OpenBSD developers)?
> Or am I misunderstanding the requirements for inclusion of packages in
> base?


VERY WRONG (as others have said).

I've been using OpenBSD since v2.4, I have never run a "clean up" tool of
any kind.  I reinstall only when replacing hardware, the rest of the time,
I run upgrades, I run snapshots and update frequently so I get a lot of
old files piling up at times.  And they just don't matter.

Occasionally, I have manually deleted old libraries when I have
run a system too long and an old HD starts getting tight on space, but
that is usually an indicator that I should probably be looking at swapping
out the hardware because it has done its time and I've probably got
something better.  And often not even then:

  $ ls -lt /usr/lib/|tail -4
  -r--r--r--  1 root  bin    274965 Feb  9  2012 libpcap.so.6.0
  -r--r--r--  1 root  bin    240930 Feb  9  2012 libkvm.so.12.0
  -r--r--r--  1 root  bin    323995 Feb  9  2012 libexpat.so.9.0
  -r--r--r--  1 root  bin   2593417 Feb  9  2012 libc.so.62.0

(wow. that's an old machine.)

Using an automatic cleanup tool is far more likely to CAUSE problems
than to fix problems.  I'm not saying they /often/ cause problems,
but since old files laying around basically never cause problems other
than a small amount of space, there's some risk and almost no gain.

That machine with files left over from 2012?  It's got a 40G hard disk.
You will have trouble convincing me in 2021 that you are running out
of disk space and thus need to "clean" your system.

  $ dmesg|grep ^wd
  wd0 at pciide0 channel 0 drive 0: 
  wd0: 16-sector PIO, LBA48, 38146MB, 78125000 sectors
  wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4

(to be fair, that machine fell off the 'net for a few years, I assumed
it had died.  Then it suddenly came back on line, so I brought it up to
-current, so it skipped a lot of releases.  But its /usr partition is
well under 50% full, so it has some life left...)

Nick.



Re: dd: /dev/rsd1c: device not configured

2021-11-30 Thread Nick Holland

On 11/30/21 8:36 AM, Luca Ferrari wrote:

> Hi,
> I'm trying to install 7.0 in a virtual box machine using full disk
> encryption, following
> . I've done it on
> real hardware without a problem, but I'm not understanding the error
> in the virtual box machine. In particular, I cannot copy random data
> on the disk before doing the effective encryption.
> This is what I do, after entering the shell at the very first prompt:
> 
> 
> # sysctl hw.disknames
> hw.disknames=wd0:,cd0:,rd0:7c72fe60b4e2338d
> 
> # ls  /dev/rsd*c
> /dev/rsd0c


I wonder if that is what you think it is.


> Uhm, why is sd0 there when it does not appear in hw.disknames?
> However, I tried to configure the sd1 device:


the devices in /dev are not dynamically created...they are whatever is
in the /dev directory when it was created, you can add and remove drives,
the entries in /dev/ will not change on their own -- but you might have
to change 'em.

Install kernels have a very deficient set of drives in /dev


> # cd /dev
> # sh MAKEDEV sd1
> # dd if=/dev/urandom of=/dev/rsd1c bs=1m
> dd: /dev/rsd1c: device not configured


There was no sd0, or sd1 in your hw.disknames output.  So why do you
think you can write to something that doesn't exist?


> # ls /dev/rsd1c
> /dev/rsd1c
> 
> What am I missing here?


A lot.
For one, the guy who wrote that is a bit of a jerk.  Rather than taking
you by the nose and telling you what keys to hit, he kinda expects you
to read and understand the whole article...and in fact, the whole page.
And yeah, he really wants you to UNDERSTAND what you are doing.
Total jerk, I know.
Humor him, start at the top, work all the way to the bottom.  Part of
the reason it's in the order it's in is because that's how he wrote
parts of it, but some of it is because the later stuff builds on the
earlier stuff.

But...  Your machine has only a "wd" device.  In that, you will create
a new encrypted "disk", which will be of type sd, sd0 in this case,
since you don't have an sd0 already. Then you will install to that.

The obvious errors you have are you are trying to use devices you don't
actually have on your machine, even though you have a dev file by a
suggestive name.  My machine here has /dev entries for sd0 to sd9, and
wd0 to wd3, and there are no wd devices and only three sd devices.

I'm a little suspicious of that sd0 in your /dev directory -- was it
there all along, or did it just pop up when you dd'd to /dev/rsd0c and
created a file with a name that annoyingly matches a drive device name?
The recent installs I've done, the boot kernel had NO sd devices at all
until I MAKEDEV'd 'em...but you might be using a different install
kernel than I was using.  Good news, a reboot will clear and recreate
the /dev directory on install kernels (not on an installed machine, of
course).

Nick.



Re: Problems with a fresh install not finding SSD drive over floppy img HTML5/KVM

2021-11-30 Thread Nick Holland

On 11/30/21 3:30 PM, Chris Bennett wrote:

> After looking over the list, it looks like many SSD's have compatibility
> problems, so I'm just going to switch over to a spinning drive.
> 
> Sorry for the noise.



categorical nonsense.

SSDs work.  Cheap ones work, expensive ones work.  Some work better than
others.  I wish cost predicted success; it hasn't in my experience, but
some IBM branded SAN SSD drives have had an oddly low rate of failure at
work...but then each drive probably costs as much as one of my cars,
and stores a very modest amount of data...so maybe at the really high
end you get what you pay for.  maybe.

I've had nothing but problems with /some/ Samsung drives, good luck
with some junk no-name drives, but the key thing is...if the SATA or SAS
port the drive is plugged into works, the drive will be recognized and
work (though maybe better or worse than you wish...but that's not an OS
issue).

For a system to boot, the BIOS must support the drive.  For the system
to get installed, the OS must support the drive.  You can boot a kernel
from a disk the OS doesn't recognize, and you can install the OS to a
drive the system can't boot from.  The fact that you "see" the drive in
the BIOS means only that the drive is hooked up properly.  Doesn't
indicate OS support.

Make sure your BIOS is set to support the drives as "AHCI" if that's an
option.  If you see "RAID", that won't work for good reasons.  If the
drive is attached to a real RAID controller, the controller may not be
supported, or you may have it configured wrong (i.e., the drives are there,
but not configured on the RAID Card, so the RAID card isn't presenting
"drives" to the OS).

Provide useful info rather than stomping your feet and saying "it worked
before!".  Obviously, things are different.  The answer is almost
certainly in the dmesg.

Nick.



Re: /etc/bsd.re-config - change a device?

2021-11-30 Thread Nick Holland

On 11/30/21 3:12 PM, Paul B. Henson wrote:

> Thanks much for the info guys; something to look forward to in 7.1 :).


hint: snapshots that do what you need beat releases that don't.

Nick.



> On 11/30/2021 4:17 AM, Stuart Henderson wrote:
> 
>> On 2021-11-30, Paul de Weerd  wrote:
>> 
>>> On Tue, Nov 30, 2021 at 08:46:34AM -, Stuart Henderson wrote:
>>> | On 2021-11-29, Paul B. Henson  wrote:
>>> | > I'm upgrading to OpenBSD 7 and I was happy to see the new support for
>>> | > /etc/bsd.re-config to allow modified kernels to be automatically
>>> | > rebuilt. However, one of the changes I need to make is updating the IRQ
>>> | > on com2, as my bios assigns it a non-standard value 8-/.
>>> | >
>>> | > I can't figure out how to do that? Is it supported? When I put "change
>>> | > com2" in /etc/bsd.re-config, config interactively asks me:
>>> | >
>>> | > change [n]
>>> | >
>>> | > I tried "change com2 y" and "change com2", then "y" on the next line,
>>> | > but the first gave an error and the second still prompted interactively.
>>> | >
>>> | > Are the only changes supported by /etc/bsd.re-config those that don't
>>> | > need further input?
>>> |
>>> | Currently yes. jcs@ has a diff to change this but it needs review.
>>> 
>>> I believe this has been committed on November 20:
>>> 
>>> https://marc.info/?l=openbsd-cvs&m=163737802014911&w=2
>>> 
>>> However, that means that it won't work in OpenBSD 7.0, you will need
>>> to run something newer (which, at the moment, means -current /
>>> snapshots).
>> 
>> 
>> Ah good catch, thanks.







Re: disk lights on but top showed nothing!

2022-01-02 Thread Nick Holland

On 1/1/22 3:08 PM, Luke Small wrote:

> 6 disk raid 10 15000 rpm array (2 mirroring x 3 striping) with a raid card
> which can handle a maximum of 8 disks. It didn’t last forever.
> 
> mfii0 at pci12 dev 0 function 0 "Symbios Logic MegaRAID SAS2208" rev 0x05: msi
> mfii0: "LSI MegaRAID SAS 9271-8i", firmware 23.28.0-0010, 1024MB cache
> scsibus2 at mfii0: 64 targets
> sd0 at scsibus2 targ 0 lun 0: 
> naa.600605b00902fb50217c572a11e3e137
> sd0: 418464MB, 512 bytes/sector, 857014272 sectors

[...snip...]


> On Sat, Jan 1, 2022 at 4:22 AM Crystal Kolipe 
> wrote:
> 
> 
>> On Sat, Jan 01, 2022 at 12:01:28AM -0600, Luke Small wrote:
>>> The lights on my server which shows that the disks are busy were on and
>>> not
>>> just flashing and I looked at top and usually it's because security is
>>> running, but this time NOTHING! I even killed Firefox and by far the
>>> busiest thing on there was top! pftop didn't seem especially busy
>>> either!
>> 
>> From the extremely limited information you've given, it's hard to diagnose
>> the problem.
>> 
>> In future, please include the output of dmesg and the output of relevant
>> commands in problem reports.  This answers questions such as: how many
>> disks are in this server?  Are they part of an array?

...

Definitely see your problem...most of your dmesg is missing!
(when people ask for a dmesg, it's the entire dmesg, not the chunk YOU
think is interesting)

However, seeing that you have a HW RAID card and an array on it, I'm pretty
sure you WILL be seeing disk activity as the HW RAID card does its things on
the disks with nothing going on at the OS or application level.

Is that ALL you are seeing?  Can't say.  But disk activity on a HW RAID card
is just normal.  Disk activity from processes using very little processor is
also not unexpected, but I'd expect the disk lights on the HW RAID attached
drives to periodically flicker even if sitting at the boot> prompt.

And...if you are running firefox or any other browser, you have a LOT of
packages loaded on your system.  Good luck trying to quiet all of them.
(better idea: don't fight it).

Nick.



Re: HP Probook audio only playing on left speaker

2022-01-10 Thread Nick Holland

On 1/9/22 8:51 PM, Jordan Geoghegan wrote:

> Hello,
> 
> I have an HP Probook (dmesg below) that is only playing audio from the
> left headphone speaker. No matter how I try I cannot get any audio to
> play over the right side speaker. I have very little experience
> debugging audio issues on OpenBSD as everything has largely "just
> worked" for me over the years in that regard. Any insight or advice
> would be greatly appreciated!
> 
> Here is the output from mixerctl:

  ...[snipped for size]...

My first thought is "HW problem".

IF it is the internal speaker not working, have you tried an external
speaker set?  If external, do both internals work?
Have you verified both channels work with some other OS?

Nick.



Re: Nagios check_by_ssh

2022-01-11 Thread Nick Holland

On 1/10/22 6:33 PM, F Bax wrote:

> nagios install creates user _nagios with login = /sbin/nologin
> I have some OpenBSD systems not configured to send email to external
> addresses; there is one system (host0) that is configured to send email
> outside. I wish to use nagios on host0 to monitor the other systems and
> send notifications to an offsite email address. I was thinking that some
> sort of restricted shell (only access to /usr/local/libexec/nagios/) would
> be appropriate. Anyone able to provide a clue how this can be accomplished?
> Is there a best practices document for using check_by_ssh in OpenBSD?
> Frank


ok, I'm totally lost as to what e-mail has to do with your question.

Been a while since I managed setting up new services on Nagios, but if you
are having your nagios server monitor other systems by SSH, you probably
want to have passwords disabled on the monitored node accounts, use keys
and IP address restrictions.  Setting up a restricted shell or a chroot is
probably going to be very frustrating and in the end, not very productive.

What you ask for is basically what the nagios nrpe modules are about --
avoiding full logins.  NRPE runs various tests and answers queries about
the results.

The monitoring service account on the monitored nodes should be unpriv'd, no
doas access.  If you need to monitor something only root can tell you, have
a process run periodically as root on the monitored machine and drop a
status report in some place the monitor service account can read it, then
digest it on the nagios server.

I look at monitoring systems as "read only" apps.  Some people disagree
with me...but I consider those people wrong. :)

Nick.
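Since the question was how to keep check_by_ssh confined to the plugin directory, here is the "keys and IP address restrictions" approach in runnable form, as an added example that is neither Nick's code nor the Nagios project's: an authorized_keys forced command that only runs bare plugin names from one directory. The wrapper path, the 192.0.2.10 address standing in for host0, and the key material are placeholders.

```shell
#!/bin/sh
# Added example (not Nick's code, nor Nagios project code): the "keys and
# IP address restrictions" approach, extended to confine the monitoring
# account to the plugin directory with an authorized_keys forced command
# rather than a restricted shell. On each monitored host, install this as
# e.g. /usr/local/libexec/nagios-ssh-wrapper (a hypothetical path) and give
# the _nagios account one authorized_keys line like the following, with
# 192.0.2.10 standing in for host0 and the key material a placeholder:
#   from="192.0.2.10",command="/usr/local/libexec/nagios-ssh-wrapper --sshd",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...PLACEHOLDER nagios@host0
# check_by_ssh keeps working, but the key can only run executables that
# live in PLUGIN_DIR, with arguments made of harmless characters.

PLUGIN_DIR=${PLUGIN_DIR:-/usr/local/libexec/nagios}

# Refused requests go to stderr, which sshd relays to the client and thus
# into the Nagios alert text; logger(1) would be the choice for a central log.
reject() {
    echo "nagios-ssh-wrapper: rejected: $*" >&2
    return 127
}

# run_plugin "NAME ARG...": run $PLUGIN_DIR/NAME with the given arguments,
# or return 127 when NAME is not a bare executable there or any argument
# contains characters a shell would interpret.
run_plugin() {
    set -f                 # no pathname expansion while splitting the request
    set -- $1
    set +f
    [ $# -ge 1 ] || { reject "(empty request)"; return 127; }
    plugin=$1; shift
    # plugin must be a plain file name in PLUGIN_DIR: no slashes, no dot-files
    case "$plugin" in *[!A-Za-z0-9_.-]*|.*) reject "$plugin"; return 127 ;; esac
    [ -f "$PLUGIN_DIR/$plugin" ] && [ -x "$PLUGIN_DIR/$plugin" ] \
        || { reject "$plugin"; return 127; }
    for arg in "$@"; do
        case "$arg" in
            *[!A-Za-z0-9_.,:%/=+-]*) reject "$plugin $arg"; return 127 ;;
        esac
    done
    "$PLUGIN_DIR/$plugin" "$@"
}

# When sshd invokes the forced command, the client's requested command line
# arrives in SSH_ORIGINAL_COMMAND.
if [ "${1:-}" = --sshd ]; then
    run_plugin "${SSH_ORIGINAL_COMMAND:-}"
    exit $?
fi
```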



Re: HW raid adapter - Adaptec 8405 SGL

2022-01-13 Thread Nick Holland

On 1/13/22 5:58 AM, Stuart Henderson wrote:

> On 2022-01-13, Aleksander Dzierżanowski  wrote:
> 
>> Hi,
>> 
>> Is 'Adaptec 8405 SGL' hardware raid controller working under OpenBSD?
>> I saw there is *some* Adaptec support, but the model is not listed explicitly.
>> Please advise if I should try to rent a dedicated server with such card
>> or simply avoid this configuration.
> 
> 
> Avoid.
> 
> Look for mfii for fast/advanced RAID or maybe mpii for something more basic.


Yeah, you don't want to use Adaptec for anything other than maybe
leveling your table.

Consolidation of old posts into one spot here:
https://nickh.org/warstories/adaptec.html

Nick.



Re: arrayfire?

2022-02-03 Thread Nick Holland

On 2/3/22 11:25 AM, Raul Miller wrote:

> Currently, openbsd has no arrayfire port (see: arrayfire.org).
> 
> Arrayfire is a computational interface to gpu hardware.
> 
> I am not looking for someone to port arrayfire to openbsd -- but I
> would like to know if such a port seems viable (are there obvious
> failure modes which would likely prevent such a port from succeeding?)


so ... a userland application that goes directly to GPU hardware.
Or...really, ANY hardware.  That's kinda a bad thing for security.

As I recall, GPU hardware has access to basically all the RAM in a
computer...so now a userland app could program the GPU to put anything
you wanted in any part of memory?

This doesn't seem to fit very well with the OpenBSD goals.

Nick.



Re: Passage about licensing from OpenBSD documentation

2022-02-08 Thread Nick Holland

On 2/6/22 11:57 PM, Ibsen S Ripsbusker wrote:

> My great and good friends,
> 
> Like 20 years ago while trying to install OpenBSD
> for the first time I read a short passage in OpenBSD
> documentation that I really liked. Does anyone know
> where I can find it?
> 
> The passage that said very directly that we license OpenBSD
> permissively because we know our software is especially
> good in comparison to the consistently broken proprietary
> majority and we prefer that proprietary projects copy our good
> software so they don't create more broken software.
> 
> With appreciation,
> Ibsen


Probably be one of these two pages, I think:

https://www.openbsd.org/goals.html
https://www.openbsd.org/policy.html

I call it the "Microsoft Question": which do you fear more?
1) That MS uses your code and profits from your work
   --> you might want to consider the GPL license

2) That MS DOESN'T use your code and reinvents it badly
   --> You might want to use an ISC/BSD license.

The OpenBSD project would greatly prefer that their code be
reused, rather than re-invented poorly.

Nick.



Re: What happened to www/art on CVSWeb? Why is it empty?

2022-02-10 Thread Nick Holland

On 2/10/22 6:34 AM, Kacper Wilgus wrote:

> I tried to download some artwork from these pages:
> 
> https://www.openbsd.org/art1.html
> https://www.openbsd.org/art2.html
> https://www.openbsd.org/art3.html
> 
> But only the first one has an image, the rest of them give me 404
> errors and I swear they used to be there just a year ago. And the
> wayback machine proves this. Was it an error, or copyright issues?
> It seems weird it was just snapped out of existence without any warning.



art[123].html hasn't been referenced from the main page since OpenBSD 5.8
(see the removal in version 1.686 of index.html), and they are not currently
referenced in any page on the website other than art[123].html, so I think
it is safe to say it was not being maintained and was deleted at some point.

I have no other info than it looks like the "problem" is more the
continued existence of art[123].html more than the missing images.

Nick.



Re: Syncing users between two OpenBSD systems

2022-02-21 Thread Nick Holland

On 2/21/22 7:10 PM, Dave Wilson wrote:

> Hi all,
> 
> I am setting up a pair of OpenBSD jump boxes, to be a pair of bastion hosts
> of a large network.
> I would like to have a primary and backup, with the same set of users on
> each one.
> I do not want to use YP or any other form of authentication server, because
> part of the use case for these machines is that they are the jumping off
> point for fixing everything else when things are broken.
> 
> I am aware that OpenBSD goes to some length to ensure the integrity of the
> files /etc/passwd, master.passwd, group et al, providing various utilities
> to manipulate them and even vipw for those rare occasions when you want to
> edit the raw files, so I am very reluctant to just rsync files from the
> primary to the backup, bypassing these protections.
> 
> Is there a clean way to do this sort of user synchronisation? I can write a
> script which will run useradd (or userdel etc) on one machine and then the
> other, but if there is a "correct" way to do such a thing, I would rather
> do that than reinvent the wheel.


Actually, rsync'ing the important files works very well.  The important
files are just text files...nice and simple.  One user, one line.

THAT BEING SAID, unless the machines are all very identical, you
will have an issue with different systems having different application
users.  Off the top of my head, something like this should work:

On master system, extract your human users that need to be replicated:
   # grep ":/home/" /etc/master.passwd >/tmp/adminusers.master.passwd
   # grep '*:[0-9][0-9][0-9][0-9]:' /etc/group >/tmp/adminusers.group

(neither of those grep lines is universally correct, both make
assumptions.  Understand my goal; don't copy my example blindly.)

copy those two adminusers.* files to the target machine

Now... on the target machines, grep -v the ":/home/" and four digit
group number lines OUT of the master.passwd files to temp files, tack
the new info into the end of the temp files, do some basic error checking
including running "pwd_mkdb -c" to validate your new file, and making
sure that the number of lines different between the old and the temp
files are within a user or two, if all looks good, mv the temp files
to replace the permanent ones and run pwd_mkdb for real.

I'd suggest considering moving the user keys from ~/.ssh/authorized_keys
to something akin to /etc/ssh/keys/, then you only have to
sync that one directory.  That's the "AuthorizedKeysFile" option in
/etc/ssh/sshd_config.  Cool trick I learned waaay too recently. :)

Oh wait. you said just two redundant boxes. well, rsync will work great.
Just make sure you go the right direction.  No, wrap it in a script that
makes it go the right direction.  Dyslexics untie!

Nick.
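The extract, merge and validate sequence above, written out as a script (an added example, not Nick's code): the two grep patterns are his; the temporary directory, the field-count and duplicate checks, the return codes and the constructed sample accounts are my additions, and the sample data stands in for the real /etc files so the script can be tried without touching them.

```shell
#!/bin/sh
# Added example (not Nick's code): replicate the "human" accounts from a
# master host's master.passwd/group into a target host's copies, with the
# checks the post calls for. File paths are parameters so the constructed
# sample data below can be used; real use points at /etc/master.passwd and
# /etc/group, runs as root, and ends with "pwd_mkdb -p /etc/master.passwd".

# Selection patterns from the post: human users live under /home/, human
# groups have four-digit GIDs. Site-specific assumptions; adjust to taste.
USER_PAT=':/home/'
GROUP_PAT='\*:[0-9][0-9][0-9][0-9]:'

# Master side: $1 master.passwd, $2 group, $3 output directory.
extract_admin_users() {
    grep "$USER_PAT" "$1" >"$3/adminusers.master.passwd" || return 1
    grep "$GROUP_PAT" "$2" >"$3/adminusers.group" || return 1
}

# True if every line of $1 has exactly $2 colon-separated fields
# (master.passwd(5) has 10, group(5) has 4).
fields_ok() {
    awk -F: -v n="$2" 'BEGIN { bad = 0 } NF != n { bad = 1 } END { exit bad }' "$1"
}

# True if column $2 of $1 holds no duplicate values (names, UIDs, GIDs).
no_dups() {
    [ -z "$(cut -d: -f"$2" "$1" | sort | uniq -d)" ]
}

# Target side: $1 target master.passwd, $2 target group, $3 directory with
# the adminusers.* files, $4 largest acceptable change in line count.
# Returns 0 on success, 2 malformed line, 3 duplicate name or id,
# 4 line count moved by more than $4, 5 pwd_mkdb -c rejected the file.
merge_admin_users() {
    tmp=$(mktemp -d) || return 1
    # drop the replicated classes of lines, then append the master's copies
    { grep -v "$USER_PAT" "$1"; cat "$3/adminusers.master.passwd"; } \
        >"$tmp/master.passwd"
    { grep -v "$GROUP_PAT" "$2"; cat "$3/adminusers.group"; } >"$tmp/group"
    rc=0
    if ! fields_ok "$tmp/master.passwd" 10 || ! fields_ok "$tmp/group" 4; then
        rc=2
    elif ! no_dups "$tmp/master.passwd" 1 || ! no_dups "$tmp/master.passwd" 3 \
      || ! no_dups "$tmp/group" 1 || ! no_dups "$tmp/group" 3; then
        rc=3
    else
        old=$(wc -l <"$1" | tr -d ' ')
        new=$(wc -l <"$tmp/master.passwd" | tr -d ' ')
        delta=$((new - old))
        [ "$delta" -lt 0 ] && delta=$((-delta))
        if [ "$delta" -gt "$4" ]; then
            rc=4
        # pwd_mkdb -c is the real validator; it exists only on OpenBSD
        elif command -v pwd_mkdb >/dev/null 2>&1 \
          && ! pwd_mkdb -c "$tmp/master.passwd"; then
            rc=5
        else
            chmod 600 "$tmp/master.passwd"; chmod 644 "$tmp/group"
            mv "$tmp/master.passwd" "$1" && mv "$tmp/group" "$2" || rc=1
        fi
    fi
    rm -rf "$tmp"
    return $rc
}

# Constructed sample data (placeholder hashes): the master has two human
# users; the target has its own application user, a stale human user
# "carol", and an outdated password hash for alice.
make_sample_files() {
    mkdir -p "$1/master" "$1/target" "$1/xfer"
    cat >"$1/master/master.passwd" <<'EOF'
root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
alice:$2b$10$NEWHASH-alice:1000:1000:staff:0:0:Alice:/home/alice:/bin/ksh
bob:$2b$10$NEWHASH-bob:1001:1001:staff:0:0:Bob:/home/bob:/bin/ksh
EOF
    cat >"$1/master/group" <<'EOF'
wheel:*:0:root,alice,bob
alice:*:1000:
bob:*:1001:
EOF
    cat >"$1/target/master.passwd" <<'EOF'
root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
_nagios:*:500:500:daemon:0:0:Nagios:/var/nagios:/sbin/nologin
alice:$2b$10$OLDHASH-alice:1000:1000:staff:0:0:Alice:/home/alice:/bin/ksh
carol:$2b$10$OLDHASH-carol:1002:1002:staff:0:0:Carol:/home/carol:/bin/ksh
EOF
    cat >"$1/target/group" <<'EOF'
wheel:*:0:root,alice
_nagios:*:500:
alice:*:1000:
carol:*:1002:
EOF
}

if [ "${1:-}" = demo ]; then            # walk through on the sample data
    d=$(mktemp -d); make_sample_files "$d"
    extract_admin_users "$d/master/master.passwd" "$d/master/group" "$d/xfer"
    merge_admin_users "$d/target/master.passwd" "$d/target/group" "$d/xfer" 2
    echo "merge returned $?"; cat "$d/target/master.passwd"
fi
```

Note that wheel membership is not replicated by these patterns (GID 0 is not four digits), which is the kind of assumption Nick warns about.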



Re: no serial access anymore after upgrade

2022-02-22 Thread Nick Holland

On 2/22/22 8:21 AM, Thomas wrote:

> Hello,
> 
> I have a bunch of firewall and router devices with serial ports only. No
> vga ports at all. After upgrading two of the devices to 7.0 I lose
> access to the console after the boot process has finished. Last thing
> that is printed on the screen is the date. Normally the log-in prompt is
> showing up after that. After boot I'm now not able to access the server
> via serial console at all anymore.
> 
> Has anyone made the same experience after upgrading?
> 
> Thanks and have a nice day,
> Thomas
> 
> 
> /etc/boot.conf
> stty com0
> set tty com0



IF you are getting the dmesg output but not the login prompt, sounds
like you lost the change to the tty00 line in /etc/ttys, it should
look something like:
  tty00   "/usr/libexec/getty std.115200" vt220   on secure

HOW that happened is worthy of investigation. sysmerge should not
have blindly overwritten that file, but you might have done it
manually not remembering that's an important file.

Nick.



> dmesg:
> 
> OpenBSD 7.0 (GENERIC.MP) #5: Mon Jan 31 09:09:02 MST 2022

[snipped for size, but thanks!]



Re: 12-hour vs. 24-hour clock format

2022-02-22 Thread Nick Holland

On 2/22/22 3:02 PM, Svyatoslav Mishyn wrote:

> Hi,
> 
> just wondering why are some programs using 12-hour/24-hour clock format
> by default?
> 
> For instance, 12-hour clock format:
> w(1)/uptime(1)
> Should it be fixed?
> 
> 24-hour clock format:
> date(1)
> ls(1)
> stat(1)
> systat(1)
> top(1)


Well...  keep in mind, if this were "fixed", it would break a lot of
existing scripts.  I see a lot of pain here.

HOWEVER, if OpenBSD is out in left field here, compared to say, Solaris 9,
other BSDs ... maybe it should be fixed (you will note a suspicious absence
in my list.  I really don't care what an OS that sorts AaBbCc rather than
ABCabc does, that ain't unix).

As for the "why"...
There is a certain logic to the current list.  "w" and "uptime" are often
run by humans and having a more "human friendly" display isn't bad since a
lot of people don't do 24 hour clocks well.  The others are often run as
part of scripts.  As someone who does a lot of scripting, inconsistency
between apps is not a problem for me.  Changing the output format is a
really big problem.

Nick.



Re: OpenBSD Networking questions request answers

2022-02-28 Thread Nick Holland

On 2/28/22 8:49 PM, Haiyan, YanX wrote:

> Hi misc,
> 
> I am installing OpenBSD, following the configuration wizard, I configured a
> static IP as follows:


  [...all real info not actually provided, so not useful...]


> But after the installation is complete, I can't access the Internet. When I
> execute the ping command, it appears
> ping: sendmsg: No route to host.
> When I do ping www.google.com it doesn't do anything.


so dns is not working.


> The specific commands are as follows:
> ping 104.193.88.77
> PING 104.193.88.77 (104.193.88.77): 56 data bytes
> ping: sendmsg: No route to host
> ping: wrote 104.193.88.77 64 chars, ret=-1
> 
> What is the reason for this?


One or more of the things you didn't tell us is wrong.


> I can guarantee that this network port is normal, and my IP, Netmask, and
> Gateway configuration are correct


I am pretty sure you are not correct on that guarantee.


> can you help me?
> thanks


Ping your external address.  It should work (I'm not really sure how
that would fail, actually, but a positive result is satisfying)

Ping something else on your network.  That should work.  If not,
you have a very basic network config issue.

ping your gateway by doing this:
 $ ping `cat /etc/mygate`

If you can ping your gateway, then there's something blocking you there,
otherwise you aren't getting to your gateway.

I'm guessing you have a typo in your IP address or gateway causing the
gateway to not be in the same subnet as your machine...but you provided
no hard details, so it's just basic troubleshooting.  Static IP configuration
definitely works with OpenBSD, so pretty sure you have something wrong,
declaring your config was correct and beyond question will prevent you
from fixing the problem.

Nick.
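The mistake Nick lands on, a gateway that is not in the configured subnet, can be checked offline from the config files before any ping is sent. This is an added example, not from the thread; the file formats are OpenBSD's hostname.if(5) and mygate(5), and the interface name em0 and the addresses used are placeholders.

```shell
#!/bin/sh
# Added example (not Nick's code): check for the typo Nick suspects, a
# static address and gateway that are not on the same subnet, using plain
# shell arithmetic against OpenBSD's hostname.if(5) and mygate(5) files.
# No packets are sent, so it can run before the network is up.

# Dotted quad -> 32-bit integer on stdout; returns 1 on malformed input.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length 0-32 -> dotted netmask on stdout; returns 1 if invalid.
prefix_to_mask() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then m=0
    else m=$(( (4294967295 << (32 - $1)) & 4294967295 )); fi
    echo "$(( m >> 24 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# same_subnet ADDR NETMASK GATEWAY: 0 if the gateway is on the link that
# ADDR/NETMASK describes, 1 if it is not, 2 if any value is malformed.
same_subnet() {
    a=$(ip_to_int "$1") || return 2
    m=$(ip_to_int "$2") || return 2
    g=$(ip_to_int "$3") || return 2
    [ $(( a & m )) -eq $(( g & m )) ]
}

# check_static_config HOSTNAME_IF_FILE MYGATE_FILE: take the first non-alias
# "inet" line ("inet ADDR NETMASK" or "inet ADDR/PREFIX") and the first line
# of mygate, then apply same_subnet. Returns 2 when either is unusable.
check_static_config() {
    set -- $(awk '$1 == "inet" && $2 != "alias" { print $2, $3; exit }' "$1") \
           "$(head -n 1 "$2")"
    if [ $# -eq 2 ]; then                  # no separate mask: ADDR/PREFIX form
        case "$1" in */*) ;; *) return 2 ;; esac
        set -- "${1%/*}" "$(prefix_to_mask "${1#*/}")" "$2"
    fi
    [ $# -eq 3 ] || return 2
    same_subnet "$1" "$2" "$3"
}

# On an installed box (interface name is a placeholder):
#   check_static_config /etc/hostname.em0 /etc/mygate && echo "gateway is on-link"
```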



Re: disk i/o test

2022-03-03 Thread Nick Holland

On 3/3/22 7:59 AM, Mihai Popescu wrote:

> Hello,
> 
> I am trying to test some disk i/o speeds and I am stumbled on two questions:
> 1. Does it matter if I set in BIOS Legacy or AHCI for the drive,
> regarding the read/write performance?


anywhere between "big difference" and "OH WOW, I CAN'T BELIEVE THEY EVEN
PROVIDE THIS LEGACY OPTION!".  Really, you don't want to use "legacy".
Cool thing, you can ignore the BIOS warnings about changing the setting
and being no longer able to boot, OpenBSD handles that well.


> 2. Can you suggest a sane disk I/O benchmark, writing from RAM to disk
> (i.e. cp /dev/null )?


really, your best benchmark is your work you need to do.  But if you are
looking for repeatable benchmarks, dd'ing FROM /dev/zero or TO /dev/null
is a starting point (use a larger block size than the default -- "bs=1m"
gives you easy to read info out of "pkill -info dd"), but also
consider untaring ports.tar.gz or src.tar.gz.


> I am on snapshots for amd64 and I think i have a really slow writing
> to disk on OpenBSD only.


You mention "legacy" options in the BIOS, you may be running an old
machine.  But also look at softdep and noatime mount options, softdep
is a HUGE performance gain, noatime is a nice little kick with seemingly
zero consequences (it does defeat a standard Unix file system feature,
but I've not come across anything that uses file access time stamps).

Nick.



Re: OpenBSD on WatchGuard devices

2022-03-10 Thread Nick Holland

On 3/9/22 4:27 AM, Markus Rosjat wrote:

> Hi list,
> 
> has someone out there ever attempted to reuse WatchGuard devices? If so
> can he point out some hints on how to go about it?
> We have a few devices laying around here and I don't see the point in not
> trying to reuse them.
> 
> Cheers



I haven't used Watchguard devices, and you didn't specify WHICH watchguard
device (there appear to be many), but I've recycled a lot of things over
the years that didn't look like conventional computers.  General tricks:

1) Verify platform.  IF the device has an amd64 or i386 compatible processor,
you will very possibly, maybe even "probably" succeed.  If it is something
else, not so likely, to the point that I'd almost say, "give it up", unless
you get lucky with tip "1a" below.
1a) is it some off-the-shelf device in a case?  I had used some commercial
firewall appliances that turned out to be Soekris boards in a box. If the
off-the-shelf device is supported, you are good.
1b) I've seen some devices in the past that had multiple apparent network
ports, but only one actual network adapter and a switch chip that did vlans.
That will probably be frustrating on OpenBSD, unless you just need one
port.

2) Are the specs reasonable, if not, can they be made reasonable?  a 150mhz
processor with 64M RAM will probably not be satisfying.

3) What are the storage options?  Flash devices (CF, USB) will probably be
frustratingly slow during the KARL and library re-link on boot, though once
booted, will work just fine.

4) What are the console options?  Some devices have VGA and USB ports easily
accessible, others will require a serial console.  If this is your first
experience with serial console, you might find it frustrating.  Some have
VGA and USB ports, but they are hidden (my current FW is a repurposed Citrix
box.  The VGA port was hiding under a chunk of plastic on the front of the
box, easy to find.  There is a single USB port which was embarrassingly hard
to find -- followed the cable off the MoBo and discovered one vent hole on
the back was not a vent hole, but rather the USB port, about as far from the
VGA port as it could be.  sigh.  Fixed with an external USB hub)


Once you have console, watch the thing boot.  If you have a chance to jump
into the BIOS configuration, do so and look around, and make sure things
are set sanely (your likely issues are booting and console redirection).

After that, you have to figure out how to persuade it to boot from a USB,
network, CD or some other device to do the install, or install on another
machine and move the drive to the converted machine.  On new (to me)
hardware, I like to do a final install a release back, then do a test
upgrade, to make sure you figure out any quirks before you have an
unexpected downtime during an upgrade.

Nick.



Re: Advice on catching up with current

2022-03-13 Thread Nick Holland

On 3/13/22 11:06 AM, Ted Wynnychenko wrote:

> Hello
> 
> I "had" been following -current since about 5.6.
> 
> Unfortunately, due to events not at all related to anything here, I was
> unable to keep -current "current" for the last several months.
> 
> I would guess my last update was about 8 months ago (6.9 GENERIC.MP#131
> amd64).
> 
> Now that things have stabilized for me somewhat, I was hoping to get back on
> track.
> 
> My thought was to use the most recent snapshot, and then follow the 6.9->7.0
> upgrade guide and then the "Following -current" guide.


That will probably work Just Fine, but ...
If you are willing to do a couple more steps, you MIGHT find it better to
go from where you are to 7.0 release, do the 7.0 steps, then from 7.0 to the
current snapshot.

Me, I'd just go all the way and clean up the mess afterwards.  There's
usually not much mess.  But if you have had a stressful few months, taking
the slightly safer approach might be wise.
 

> I am just wondering if this is the "best" way to proceed?
> 
> Right now I wouldn't have the time to reinstall OpenBSD completely/from
> scratch.


oh, I almost never do that, unless a machine is repurposed.

Last time I felt the NEED to do that, my 2008 vintage netbook had a 100MB root
partition (and probably no /usr/local).  Well, that's not really a good idea
with modern OpenBSD.  Otherwise, I think that machine had mostly stayed "just
upgraded" since I got it in 2008. (It got a bigger HD at one point, but I
think I imaged the drive over to the new drive).

Nick.



Re: How much does battle-testing weigh?

2022-03-15 Thread Nick Holland

On 3/14/22 4:31 PM, the guy who couldn't solve a trivial problem
 without vi on the install media wrote:


> Billions of companies world wide use the Linux kernel and several of
> the major Linux distributions daily. It would stand to reason that that
> would make a lot more bugs be discovered.
> 
> The OpenBSD project can have the best coding practice, the best handle
> on security mitigations, the best default options, but if very few
> companies worldwide use the system, then it's not very battle-tested.
> 
> The famous old message on the website has been removed, but the "Only
> two remote holes in the default install, in a heck of a long time!" is
> maybe because "no one" is using the system in production except very
> few.


That's a fascinating leap of (il)logic.  "I found a change on the
website, and it must be proof of my point!"


> How much does battle-testing matter?


By your logic, Windows is the best, as it is most "battle tested",
by probably an order of magnitude greater than all Linux installs
combined.

What matters is people actively looking for problems.
That's not a popular activity with most projects and most OSs.  It is
much more rewarding to most people to add features, not to debug
existing code...and thus, you end up with ... Linux and Mozilla
products.

Economics 101: doesn't matter what you say, it matters what you DO.
Everyone says security is important; few actually give a shit about
it.

Nick.



Re: chroot for go webserver with pledge and unveil

2022-03-15 Thread Nick Holland

On 3/15/22 6:32 PM, i...@tutanota.com wrote:
...

> $ doas chroot -u www -g www /var/www /bin/go-server
> 
> But that wouldn't keep it running after a reboot.


The "easy" and historic way:
  man 8 rc
  more specifically, rc.local

The "better" way:
  man 8 rc.d
  (and read the "see also"s.)

Probably going to need to set up a "wrapper" script to do your
chroot'ing.  But that's easy.

Dang, I just realized I need to migrate some old stuff from
rc.local to rc.d.

Nick.
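A wrapper of the kind Nick mentions, as an added example (not code from the thread): it sanity-checks the chroot layout before exec'ing chroot(8) as www, and the header comment shows the small rc.d script that would call it. The wrapper path /usr/local/sbin/go-server-chroot and the rc.d name go_server are assumptions; /var/www and /bin/go-server are the paths from the original question.

```shell
#!/bin/sh
# go-server-chroot: start the Go web server inside /var/www as www:www.
# Added example, not code from the thread; the installed path
# /usr/local/sbin/go-server-chroot is an assumption, /var/www and
# /bin/go-server are the paths from the original question.
#
# The matching rc.d script (/etc/rc.d/go_server, also assumed) stays short:
#   #!/bin/ksh
#   daemon="/usr/local/sbin/go-server-chroot"
#   . /etc/rc.d/rc.subr
#   rc_bg=YES          # assumes the server stays in the foreground
#   rc_reload=NO
#   # after chroot(8) exec's it, the process's argv is just /bin/go-server,
#   # so the default pgrep/pkill patterns (built from $daemon) would miss it
#   rc_check() { pgrep -q -xf /bin/go-server; }
#   rc_stop()  { pkill -xf /bin/go-server; }
#   rc_cmd "$1"
# then: rcctl enable go_server && rcctl start go_server

# check_chroot_layout ROOT CMD GROUP
# CMD is the binary's path as seen inside the chroot.  Returns 0 when the
# layout is sane, 1 with a message on stderr otherwise.
check_chroot_layout() {
	root=$1 cmd=$2 group=$3 bin="$1$2"
	if [ ! -d "$root" ]; then
		echo "chroot root $root is not a directory" >&2; return 1
	fi
	if [ ! -f "$bin" ] || [ ! -x "$bin" ]; then
		echo "$cmd not found or not executable under $root" >&2; return 1
	fi
	# Never exec something the service could have modified: refuse a binary
	# that is world-writable or writable by the service's group.
	if [ -n "$(find "$bin" -perm -2 -print)" ] ||
	   [ -n "$(find "$bin" -group "$group" -perm -20 -print 2>/dev/null)" ]; then
		echo "$bin is writable by group $group or by everyone; refusing" >&2
		return 1
	fi
	# A writable chroot root lets the service plant files (etc/, lib/, ...)
	# that a later start would trust, so refuse that too.
	if [ -n "$(find "$root" -prune -perm -2 -print)" ]; then
		echo "$root is world-writable; refusing" >&2; return 1
	fi
	return 0
}

# start_chrooted ROOT CMD USER GROUP: check, then replace this shell with
# the server running as USER:GROUP with ROOT as its filesystem root.
start_chrooted() {
	check_chroot_layout "$1" "$2" "$4" || return 1
	exec /usr/sbin/chroot -u "$3" -g "$4" "$1" "$2"
}

# Only start when installed and run under the wrapper's own name, so the
# functions above can be sourced and tested on their own.
case $0 in
*go-server-chroot) start_chrooted /var/www /bin/go-server www www ;;
esac
```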



Re: Question about RS232/USB hub device compatibility

2022-03-17 Thread Nick Holland

On 3/17/22 3:18 PM, Allan Streib wrote:

I have used the two-port version of this with Linux and it "just worked," 
wondering if anyone has used this (or something similar) successfully with OpenBSD? I am 
looking to manage a few switches via their console/RS232 interfaces.

https://www.startech.com/en-us/cards-adapters/icusb2324i


Haven't used /that/ one, but have used a couple, and yes, "Just Worked"
for me as well.  I have USB to eight port serial in remote
production.  The one I have has been around for many years, so it's unlikely
you would be able to get something that is completely identical.

Here's how one of them shows up in dmesg:
...
uhub2 at uhub0 port 4 configuration 1 interface 0 "NEC product 0x0050" rev 2.00/1.00 addr 2
uftdi0 at uhub2 port 1 configuration 1 interface 0 "FTDI FT232R USB UART" rev 2.00/6.00 addr 3
ucom0 at uftdi0 portno 1
uftdi1 at uhub2 port 2 configuration 1 interface 0 "FTDI FT232R USB UART" rev 2.00/6.00 addr 4
ucom1 at uftdi1 portno 1
uftdi2 at uhub2 port 3 configuration 1 interface 0 "FTDI FT232R USB UART" rev 2.00/6.00 addr 5
ucom2 at uftdi2 portno 1
uftdi3 at uhub2 port 4 configuration 1 interface 0 "FTDI FT232R USB UART" rev 2.00/6.00 addr 6
ucom3 at uftdi3 portno 1
uftdi4 at uhub2 port 5 configuration 1 interface 0 "FTDI FT232R USB UART" rev 2.00/6.00 addr 7
ucom4 at uftdi4 portno 1
uftdi5 at uhub2 port 6 configuration 1 interface 0 "FTDI FT232R USB UART" rev 2.00/6.00 addr 8
ucom5 at uftdi5 portno 1
uhub3 at uhub2 port 7 configuration 1 interface 0 "NEC hub" rev 2.00/1.00 addr 9
uftdi6 at uhub3 port 1 configuration 1 interface 0 "FTDI FT232R USB UART" rev 2.00/6.00 addr 10
ucom6 at uftdi6 portno 1
uftdi7 at uhub3 port 2 configuration 1 interface 0 "FTDI FT232R USB UART" rev 2.00/6.00 addr 11
ucom7 at uftdi7 portno 1
...

One cool thing: the device enumeration is rock solid -- once you
know what device is on what port, it seems to stay that way.

One down side: once in a while, the thing locks up, where OpenBSD
can't open the serial port (iirc, all of them wedge at the same time,
but I'm not going to swear to that).  I'm not sure who's at fault
(OpenBSD or the device), but a reboot does fix it, which is good,
since I and the systems I manage with it are separated by an
international border and 400km :)

So ... I'd not suggest attaching it to an "important" system, but
rather dedicate an easily rebooted terminal server machine.

Nick.



Re: growfs on an encrypted softraid0

2022-03-24 Thread Nick Holland

On 3/24/22 8:38 AM, Leo Unglaub wrote:

Hey friends,

I have a 500GB drive that is fully encrypted using a softraid with
raidlevel C. It works perfectly. But now the drive is getting full and I
have to grow it. This server is running in the Hetzner Cloud and
resizing the drive is supported to 10TB.

With an unencrypted partition this works well in OpenBSD. I can use
disklabel and growfs to enlarge the drive, but that does not work with
an encrypted partition.


correct... you can growfs a FS within an encrypted partition, but can not
grow the encrypted partition.


Do you have any recommendations on what the best way forward is in this
case? I tried adding a new 1TB drive and copying all the files over and
just remounting it. But even with the super fast M.2 SSD drives in there
it took more than 3 days to finish. (lots of small files, it's my email
server)


well, you might want to have a chat with your service provider.  There's
nothing "super fast" about 500g in three days (though my VPS on my primary
web/mail server also brags about SSDs...and the slowest disk performance I
have seen in decades.  I have a note-to-self in the .profile that a
sysupgrade takes 15 minutes to keep me from freaking out during upgrades.
Other systems I have with them have more expected performance.  *shrug*)


Having my email server down for 3 days is not really a good option for
obvious reasons.


might be fun. :)

though if you are worried about just your incoming mail, spinning up a
secondary MX and letting it spool your mail while your primary is down
would be an option.


I also tried doing an initial copy and then using rsync, but because
dovecot (imap server from ports) uses a lot of hardlinks rsync is not
working correctly even with the hard link option (bugs are described in
the rsync man page) and openrsync does not support handling them.


what?  where?  I'm not seeing what you are referring to here.
Also a quick web search isn't showing a problem, but I am seeing a lot
of people using rsync to back up dovecot maildir servers.  (if totally
off-topic to OpenBSD, please advise me off-list)


Do you have any ideas what I can do in this case?
Thanks and greetings


well...  like any HW migration, divide and conquer.
Move the static stuff first live, then move the changing stuff last.

Move everything you can with rsync, then deal with your maildir separately.
I've used "imapsync" before on a 30,000 user e-mail system -- first run
took a day or more, final system-down cutover run took time, but we were
down only a few hours (this was over a decade ago, don't hold me to the
numbers).

dovecot has a "dsync" tool.  Haven't used it, but it would be worth a
look, I think.

Nick.



Leo



Re: Question how to delete somewhat encrypted partisions / softraid?

2022-03-25 Thread Nick Holland

On 3/25/22 5:28 AM, soko.tica wrote:

Hello list,

...

But I have failed to proceed before the installation with

# cd /dev && sh MAKEDEV sd1
# dd if=/dev/zero of=/dev/rsd1c bs=1m count=1

So I ended up with an unbootable install.


I don't think that is cause and effect.

If you want to start over from scratch (which I agree with others, this
would be a good starting point), I'd just suggest zeroing the first 1MB
of the physical disk.  That will clear all OpenBSD structures from the
physical disk, the softraid encrypted disk, and any (important) evidence
there was a softraid disk there.  I always recommend clearing the start
of the physical disk whenever dealing with RAID because...well, deleting
fdisk and disklabel tables looks good, there's often a lot of "structure"
left on the disk which can sometimes be confusing to the user (or the OS!)
when things suddenly pop back from the seeming dead.

So ... dd /dev/zero over the first 1MB of sd0, start over and see what
you get.

But I think your real problem is the installation didn't go right for
unknown reasons.  You MAY want to start with a simple install, make
sure your machine handles OpenBSD well without the encrypted disk,
before jumping into the full disk encryption (OpenBSD installs are so
fast and relatively painless, no reason to fret about getting everything
"just so" on the first install!).

Nick.



Re: How to determine if WiFi AP is compatible?

2022-03-28 Thread Nick Holland

On 3/28/22 1:52 PM, Eric Thomas wrote:

I'm trying to determine if a WiFi AP is compatible with OpenBSD. For
example, checking the [Wireless FAQ's](https://www.openbsd.org/faq/faq6.html#Wireless),
I don't see whether the chipset used by the
[UniFi Access Point WiFi 6 Pro](https://dl.ui.com/ds/u6-pro_ds.pdf) is compatible or not.


Pure access points are just network bridges between a wired network
and the wireless network.  There's no more "OpenBSD compatibility"
with the AP than there is with network switches or cable.  Nothing on
the network sees the "chips" in the AP directly, just a hopefully
coherent radio signal.

That being said, there are lots of different ways APs are configured,
in the old days, it was with a serial cable, but that was too difficult
for many people, so they made it worse with "simpler" tools.  But again,
not an OpenBSD issue, unless those "simpler" tools require Windows.

Now, if you mean, "Does this computer with a wireless NIC in it work as
an AP under OpenBSD", just get a pure Access Point and attach it to
your OpenBSD box, and call it a day.  You can spend a lot of time and
effort making a wireless NIC work as an AP, only to find out it doesn't
do a very good job at it, and your router is not in a good place for
your access point anyway.


I want to know if I need to use a particular
[switch](https://store.ui.com/collections/unifi-network-switching/products/usw-lite-16-poe)
to plug the WiFi AP into, or whether I can plug the WiFi AP directly into
the OpenBSD server.


If the AP needs Power over Ethernet, you need a PoE switch or a PoE
injector.  If it has some other way to get power and you don't have
anything else needing PoE, just do that...again, not an OpenBSD issue.

Nick.



Re: openbsd, softraid recovery (I have password)

2022-04-02 Thread Nick Holland

On 4/2/22 12:56 PM, harold wrote:
...

I tell you my little story in  the attached document,


Just a thought, but you might want to reconsider your means of telling
your story.

For example, I am not in the habit of opening unsolicited PDF documents...

Nick.



Re: openbsd, softraid recovery (I have password)

2022-04-03 Thread Nick Holland

On 4/3/22 9:44 AM, harold wrote:
...


Hi everybody, good day everyone, ladies and gentlemen..
I’m looking for a way to retrieve my data, which vanished accidentally..
Let me tell you more:
a/ I had windows and linux mint 18 (gpt/efi)
b/ I added openbsd to these double systems. Now three. Grub2 manages it.


"I have a problem, I'll use grub to fix it"
...now you have two problems.

[various thrashings I couldn't reproduce with the info given, but our
problem count is much more than two now]


L/ I just think I have to reinstall openbsd. I do it, taking care not to
assign a mount point to the raid/home slice, so I can easily get back my
data. A bit like not formatting /home under linux. I install openbsd.


Hint: when you say "like ... linux", you are almost certainly doing
(or about to do) something wrong.


M/ like a newb after installation I start openbsd and mount back my
softraid partition. It asks for my password, recognizes it. The slice
looks empty. Df shows only a few kb of files. Data is gone. No backup.



Two points:
* looks like it’s not possible to reinstall openbsd without formatting
everything. A bit sad, as it’s not said anywhere, and I carefully took
care not to format the softraid slice. But it did anyway.


No.  That's not true.
Don't define a mount point for a file system on install, it won't get
formatted.  Add it to fstab post-install.  Trivial.
Not done like Linux -- which is wonderful.  OpenBSD has done it this
way for at least 25 years now.  Linux can't say that about much of
anything.


* how could a softraid slice be formatted and my password recognized?


If you understand how this works, your question becomes meaningless.

Softraid creates imaginary DISKS.
-> Unlocking a Softraid encrypted DISK requires a password.
Disks have partitions.
Partitions hold file systems.
File systems are formatted.  Not "disks".

Got it?  If not, read through https://www.openbsd.org/faq/faq14.html
top-to-bottom until it's understood.


* I tried with testdisk, then photorec; impossible to get hold of my
data. I haven't used openbsd since, hoping to recover my data. I have
not written to it since, to avoid overwriting/erasing it.


Well, since BSD FFS has almost zero support in the Linux world (I'm
presuming that's because a solid, stable guest file system with 30
years of history would make Linux's "File System of the Month" look
bad), yeah, I don't think you will see anything.

And think about it a little bit...  If a Linux tool could find data
on an OpenBSD encrypted disk, pretty sure that would be an indicator
of a really big flaw in the encryption.

If you are going to find your data, you need to recreate the disklabel
partitions exactly as they were on the encrypted FFS from OpenBSD.
scan_ffs(8) may help.  Boot from OpenBSD, unlock your encrypted
disk and dig around in it.  But if you formatted the partitions, you
have made quite a mess of the file system.  Blocks of data probably
exist but reassembling them into useful files will be difficult.


If somebody were able to help me to recover my data..


Honestly, not likely to happen.  You aren't providing any hard
information, just a lot of vague and "subject to interpretation"
statements.  I'm going to assume you have written too much where
the old file systems were to pull 'em back from the format.

Here's the thing -- Multibooting is COMPLICATED.  You have to have
a mastery of the boot process of ALL the OSs involved AND master
all the tools used to accomplish multibooting.  This is NOT a good
way to "learn a new OS".  It is a great way to lose all the data
on a multi-booting machine.

You really can't trust Linux tools for multibooting.  They
basically pretend nothing other than Linux and Windows exists.
The more hand-holding a Linux system does, the more likely it is to
make bad assumptions about what you are doing, and assume
you are running Windows+Linux.

Also...by design, real encrypted disks are fragile.  Easy to mess
up, almost impossible to recover if messed up.  That's a feature,
not a flaw.

So you have a doubly unstable system.  Backups are critical.  You
didn't have 'em.

Nick.



Re: How to track system changes?

2022-04-04 Thread Nick Holland

On 4/4/22 11:32 AM, Eric Thomas wrote:

I want to have a high degree of confidence in my system's state
(packages that have been added, configs that have changed, permissions
changed, etc). I've read about "read only filesystems" and the
pro's/con's [here](http://geodsoft.com/howto/harden/OpenBSD/no_changes.htm).

Aside from that, is there a way to...

1. ...hash the file system in some way and monitor for changes? OR
2. ...somehow review changes that have taken place (a log somewhere)?

The goal is to concretely know whether the state of the system has
changed, then point to what EXACTLY has changed.

Anyone doing something similar?

Thank you



Something I came up with which worked out really well at my employer was
a backup system that used rsync and the --link-dest option to make a useful
rotated disk-based backup of current systems.  When they said, "We want some
kind of file integrity monitoring system", I puzzled over all kinds of ways
to look for altered files...but it suddenly hit me -- I HAD a list of all the
altered files -- the output of the rsync --link-dest backup run!

Took that output, ran it through a "grep -vf exclusionlist", where
"exclusionlist" was a list of files (in regex form) I EXPECTED change on...and
I had a daily output of all unexpected changed files.  I called it the
"File Alteration Reporting Tool", but my coworkers thought another name would
be more appropriate for some reason. :D

It was really quite interesting.  Never found a real security breach (yay),
but learned a LOT of new things about the software running on our systems,
and to the point -- we found a few things that prompted us to go kicking trees
to find out what someone had done that we weren't aware of.  I call that 
success.

Yes, I'm working on re-doing it (i.e., a clean slate, so my (former) employer
has no gripes and there is no internal information disclosure), but if you are
adept at scripting, it wasn't too difficult.

Nick.
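Nick's rsync --link-dest trick, as an added example that is not his tool: take_snapshot does the hard-linking pull and unexpected_changes runs the resulting transfer list through grep -vf against an exclusion list, leaving only the changes nobody expected. The host name, backup paths and the sample rsync output inside demo are constructed.

```shell
#!/bin/sh
# Added example, not the tool Nick describes: a backup pull with
# rsync --link-dest whose transfer list doubles as the change report,
# filtered through an exclusion list of regexes for churn you expect.
# Run it on the backup host, which also holds the exclusion list, so a
# compromised client cannot quietly edit what gets reported.
# Host, paths and the sample rsync output below are constructed.

# take_snapshot SRC DEST_ROOT
# Pulls SRC into DEST_ROOT/YYYYMMDD; files unchanged since the newest
# existing snapshot become hard links to it, and rsync -v prints exactly
# the files it had to transfer, i.e. the ones that changed.
take_snapshot() {
	src=$1 root=$2 today=$(date +%Y%m%d)
	prev=$(ls -1d "$root"/[0-9]* 2>/dev/null | tail -1)   # newest snapshot
	mkdir -p "$root/$today"
	if [ -n "$prev" ]; then set -- --link-dest="$prev"; else set --; fi
	rsync -a --delete -v "$@" "$src" "$root/$today/"
}

# unexpected_changes EXCLUSION_FILE   (rsync -v output on stdin)
# Drops rsync's chatter and directory entries, then every path matching
# a regex in EXCLUSION_FILE; what is left is "someone changed this".
# Lines for deleted files are kept: a vanished binary is news too.
unexpected_changes() {
	grep -v -e '^sending incremental' -e '^building file list' \
	    -e '^sent ' -e '^total size' -e '^$' -e '/$' | grep -v -f "$1"
}

# demo: constructed rsync -v output for a host where only logs and the
# package database are expected to change from day to day.
demo() {
	excl=$(mktemp)
	printf '%s\n' '^var/log/' '^var/db/' '^deleting var/' > "$excl"
	printf '%s\n' \
	    'sending incremental file list' './' 'etc/' 'etc/pwd.db' \
	    'etc/ssh/sshd_config' 'usr/local/bin/curl' 'var/db/pkg/' \
	    'var/db/pkg/curl-7.82.0/+CONTENTS' 'var/log/authlog' \
	    'deleting usr/local/bin/oldtool' '' \
	    'sent 1,234 bytes  received 56 bytes  2,580.00 bytes/sec' \
	    'total size is 9,876  speedup is 7.66' |
	    unexpected_changes "$excl"
	rm -f "$excl"
}

# Daily use from cron on the backup host (not run here):
#   take_snapshot host1:/ /backups/host1 | unexpected_changes /etc/far-exclusions
```

demo prints etc/pwd.db, etc/ssh/sshd_config, usr/local/bin/curl and the deletion of usr/local/bin/oldtool; the log and package-database churn is filtered away.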



Re: RC version internal available only?

2022-04-08 Thread Nick Holland

On 4/8/22 5:47 AM, Harald Dunkel wrote:

Hi folks,

I would like to upgrade to OpenBSD beta on a Zotac O-series PC. I found
the snapshots directory, but the upgrade71 document appears to be missing.
Do you think it could be included into the snapshots directory, next to
the INSTALL.amd64 file, for example? It could encourage more people to try
out the beta.

Just a suggestion, of course.


Upgrading to a "just before release" snapshot is just like running any other
snapshot, so https://www.openbsd.org/faq/current.html is your friend.

HOWEVER...  the tree has been tagged for 7.1 release, which means that
very soon, snapshots will be going from "pre-release" to "release" to
"beyond release" (7.1-current), if they haven't already. If your goal in
running a snapshot was to make 7.1 better, you probably missed that
opportunity by several weeks.  If you want to run a snapshot in prep
for 7.1-release, you may well have missed that boat, too; you may end up
installing 7.1-current (POST 7.1-release).  If you end up with a
7.1-current install, you are kinda committed to following snapshots
until 7.2.

IF you are looking to get a jump on 7.1 for a new project and are new
enough to OpenBSD to not be super-comfortable with upgrades, I'd suggest
loading 6.9, set up your project, then do an upgrade to 7.0 now to get
comfortable with the upgrade process for your environment, then upgrade
again to 7.1 after it becomes available.

Nick.



Re: tcpdump rotating issue with newsyslog

2022-04-10 Thread Nick Holland

On 4/10/22 9:39 AM, Yogendra Kumar Chaudhary wrote:

Good Evening Community,

I am running the following command in the OpenBSD 6.2.

"tcpdump -Nneqt -w tcpdump.pcap -i vic0 &"

and using the following newsyslog.conf entry for rotating the tcpdump.pcap

# logfile_name           owner:group  mode  count  size  when  flags
/home/logs/tcpdump.pcap               644   5      10    *     z

So when newsyslog checks and  >=10KB size hits, the *tcpdump.pcap* file
will be rotated and  *tcpdump.pcap.0.gz* will be created.

But after this, the size of the file is not increasing.

I ran the following command to check the file:

# tcpdump -r tcpdump.pcap
tcpdump: bad dump file format

and the above tcpdump command is still running in the background.

So the question is: does tcpdump have any issue with rotating the files with
newsyslog?
Or am I missing something?
Can you please suggest a solution for this?


I see a couple potential problems.

1) tcpdump -w is writing raw packets out, you probably don't want newsyslog
adding a text log rotated message to your dump file. Look at the "B" flag.

2) You didn't do anything to tell tcpdump to stop dumping to the old file
and use a new one.

So ... I suspect something like this is happening:
 * tcpdump is putting data to a file pointed to by the link "tcpdump.pcap"
 * newsyslog rotates the log file and triggers the compression process.
 * the old file is read by gzip and a new file is created.  (note, the old
   file isn't compressed "in place" -- a new file is created!)
 * gzip deletes the old file link.  Except tcpdump is still sending data to
   the file, but there's no way to access the data.  Kinda cool, you could
   fill your disk with no way to get your data.

So, I'm thinking you probably want a 'b' and a SIGHUP sent to tcpdump.
You can validate my second point by disabling the compression, I suspect
you will see your .0 file continue to grow in size, until it becomes .1, etc.

newsyslog sends a SIGHUP to syslogd, but your output isn't going through
syslogd in this case -- it is coming directly from tcpdump.

I probably got a few things wrong here. :)

Nick.



Re: No valid root disk found when upgrading

2022-04-21 Thread Nick Holland

On 4/21/22 11:46 AM, michal.lyszc...@bofc.pl wrote:

Hello,

So I have OpenBSD 6.8 (yeah I know), and am trying to upgrade to
6.9 (and version by version until 7.1:)). Problem is that the installer
does not see the disk. This is my very first time upgrading OpenBSD,
so I might be missing something simple. I've read through the upgrade
documentation, and tried to google my problem but I could not fix
it.

I upgrade with sysupgrade. After boot I try to select root disk:

Available disks are: .
Which disk is the root disk? ('?' for details) ?
sd0: NVMe, Samsung SSD 970, 2B2Q  (232.9G)
Available disks are: .
Which disk is the root disk? ('?' for details) sd0
sd0 is not a valid root disk.
Available disks are: .


Going into shell, /dev/sd0* do not exist. So I tried to create nodes:

upgrade# ./MAKEDEV sd0


Now disklabel shows proper disk info
(label is from samsung 960, even though I have samsung 970 disk.
I migrated some time ago from 960 to 970, guess I must have used
dd to do it, hence label from previous disk. I assure you I have
only 1 disk inserted, and no usb disks).

upgrade# disklabel sd0
# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: Samsung SSD 960
duid: dc999ef6267325df
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 30401
total sectors: 488397168
boundstart: 1024
boundend: 488397105
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:          8400960             1024  4.2BSD   2048 16384 12960
  b:         67119581          8401984    swap
  c:        488397168                0  unused
  d:        134223072         75521568  4.2BSD   2048 16384 12960
  e:        278652416        209744640  4.2BSD   4096 32768 26062
  i:              960               64   MSDOS


fdisk

upgrade# fdisk /dev/rsd0c
Disk: /dev/rsd0c   Usable LBA: 64 to 488397104 [488397168 Sectors]
   #: type                                 [       start:         size ]
------------------------------------------------------------------------
   1: EFI Sys                              [          64:          960 ]
   3: OpenBSD                              [        1024:    488396081 ]


But when I exit shell I still have the very same problem as at the
beginning and I can't select root disk. Strange thing is, that when
I exit shell to installer, and then go back to shell with "!",
/dev/sd0 disappears.


that part is normal; I'm not sure why, but /dev seems to be "cleaned" if you
exit the install script under some (most?) circumstances.


This really isn't a way to work towards figuring out what is going wrong,
but being that a problem with the 6.8 to 6.9 upgrade isn't going to be
fixed at this point, I'm kinda thinking it would be worth just doing a manual
upgrade to 6.9 via copying over the kernel and untaring the files and see if
6.9 to 7.0 goes better.

If you want to play it safe, maybe just copy the new bsd to /bsd69 and
then do a "boot bsd69" and make sure it sees the disks properly before
committing to an actual upgrade.  You will probably get all kinds of nasty
error messages, but if so, you know 6.9 is seeing the disk, and a full
upgrade should be safe.

Nick.



Re: clang 13 space issues with KARL

2022-04-27 Thread Nick Holland

On 4/25/22 1:23 PM, Peter J. Philipp wrote:

Hi,

I have an openbsd amsterdam vps and KARL is using up so much RAM that it
causes the system to swap.  I recently upgraded it to 7.1 and it's the first
time I had a problem with this (that I noticed).  I have tried to put KARL
into a login.conf'ed (32 MB data limit) user but ld doesn't like that at all
and exits with a memory allocation failure.

What can I do to make KARL reorder_kernel use less memory without buying more
RAM?  I've turned KARL off for now but that's not a real solution and I hate
it.

Is there no option in the clang 13.0.0 linker to store what it would normally
store in memory to disk?  I know it would be slow but KARL doesn't need to
be fast if it's backgrounded.


yep. It is called "swap".  You just reinvented swap. :)
And KARL is backgrounded already.


I've done some homework googling and found this:
https://stackoverflow.com/questions/25197570/llvm-clang-compile-error-with-memory-exhausted

in the checked solution, 1 and 2 are sorta out of the question, but question is
whether we're using a Debug build of clang?  Does anyone know off hand?

While I'm here thinking about possible solutions it would be cool if I could
allocate a 128 MB vmm inside this vmm (cascaded vmm's?) with a stripped down
KARL building kernel and lots of swap, then it can swap all it wants to while
linking and it leaves the system in reasonable memory without swapping in
the main vm.  Perhaps I'm thinking in over-engineering terms here?


"I have a problem with memory consumption.  I know!  I'll solve it adding a VM!"
Now you have many problems.  I really don't think this is a good idea.

How tiny is this VM???  My smallest intel box currently sitting around and
ready to go is a 400MHz celeron with 512MB RAM, i386 platform, so I just
fired it back up and did a few sysupgrades to bring it up to 7.1-current (ok,
"just" isn't applicable here, I started this test yesterday). I did a reboot
and as soon as I could log back in, did so and watched top -- ld topped out
at about 270MB. That is admittedly huge for an OS I used to do builds on
with 128MB and run in production with 32MB but a couple releases ago, I
found that 384MB was the minimum needed to avoid swap on boot. Doesn't look
much worse now (granted, i386 platform.  I don't know what you are running).

If you are trying to run <512MB RAM, I would politely suggest reconsidering
some life choices here. :)

Alternatively, you might want to think about other options.
KARL is great, but even without it, I think you will find OpenBSD is still far
more robust and secure than the systems your bank runs on, so disabling KARL
is not fatal in my mind for otherwise fairly secure systems.  If you wish to
get overly complicated, you could disable KARL on the production machine and
relink a kernel periodically on ANOTHER machine and put it on the prod
machine after it is built (there's your VM.  Just don't put it on an already
resource-starved system!)

Another idea might be to slip "disknice" into /etc/rc where it rebuilds the
kernel.  It is a cute little bit of code TedU@ wrote a number of years ago,
you can find it here:
https://marc.info/?l=openbsd-misc&m=126526614419455&w=2
It won't stop swapping, but *may* help other tasks get some time.  I've found
it useful on disk I/O tied tasks, but never tried it with a swap-bound task.
I have no idea how it would impact a swapping process.  Might solve your
problem, might do nothing ("doing nothing" counts as hurting when you make
changes to system scripts).

Nick.



Re: Unusable resolution on a widescreen monitor during install

2022-04-27 Thread Nick Holland

On 4/27/22 9:15 AM, David Demelier wrote:

Hello,

I have a lenovo thinkcentre machine connected to 24” LG screen (with
4k resolution), the installer boots fine using UEFI but it looks like
efifb takes a strange “squared” resolution where bottom part of the
console is below the screen so I’m unable to see what I type. I’ve
taken a picture of what’s seen:

http://markand.fr/static/openbsd-resolution.jpeg

I have tried disabling inteldrm using UKC as I’ve seen on some
websites with somewhat similar problem but with no effect. I’ve also
noticed there is no wscons(cfg|ctl) utilities in the installer so I
was unable to blindly type commands to alter the resolution either.
Unfortunately, changing boot video mode using `machine video …` does
not change kernel resolution either.

My only solution for now would be to boot not using UEFI but that’s
something I’d like to avoid if possible.

Do you have any idea why an incorrect resolution is picked up by the
kernel? I’m using install71.img on USB stick FYI.


The installer kernel is very limited in its abilities, and if I understand
UEFI (which I don't), the install kernel is more-or-less locked into using
what the firmware sets up.  "man efifb" kinda hints that I might be right
on this.

In short: probably not a lot you can do with the install kernel to fix
the problem.  And hopefully, once installed, the "real" kernel will be fine
with your monitor.

HOWEVER, 4k monitors and their support are interesting.  I have an old HP
netbook with an AMD competitor to the Intel Atom chips which just took off
and ran with an HDMI 4k monitor, and a much more capable and newer Thinkpad
which didn't work properly at all with 4k (in both OpenBSD and Windows).

You might want to start with a firmware upgrade for your machine in question,
see if that helps.  If not, a few ideas:

* Boot the installer, drop to shell, hit "clear" to put the cursor back at
the top of the screen and do your install, taking defaults as much as
possible to minimize dialog, and defaults for everything after the text rolls
off the bottom of the screen, and clean it up later.

* Do a serial install (aren't I funny?  As if there is a serial port on a
machine with an HDMI port!  But maybe there is...Maybe I should go buy
a lottery ticket, too).

* Try the install with a 1920x1080 or lesser resolution monitor.

* Move the hard disk to another UEFI machine and do the install on it, then
move the disk back, hoping the other machine works better for the installer.

Nick.



Re: creating new partition has corrupted the disklabel ("bad super block")

2022-04-30 Thread Nick Holland

On 4/30/22 5:16 AM, Sylvain Saboua wrote:

Hello

I have recently got an upgrade for my laptop with a 1TB SSD drive.
I successfully managed to install a dual boot between archlinux and
openbsd, both on encrypted partitions.

Everything was fine with both systems, until the final act of the
dual boot which consists in setting a partition for file sharing between the
two operating systems, using encfs on ext2.


So...you want to share an encrypted partition between two unrelated
operating systems.

Pretty sure that's not going to work.  And since you haven't provided
any details of what you did, I'm guessing you don't have a plan to
get around the problems.  Linux and OpenBSD use very different
encryption mechanisms.


Creating this partition in archlinux works fine, but has seemingly
corrupted the disklabel for openbsd: openbsd boots fine until the
disk-checking step comes, whereupon I am informed that the j and k
partitions on the sd1 disklabel are somewhat corrupted:

/dev/sd1k (/home): BAD SUPER BLOCK: MAGIC NUMBER WRONG

/dev/sd1j (/usr/obj): BAD SUPER BLOCK: VALUES IN SUPER BLOCK DISAGREE
WITH THOSE IN LAST ALTERNATE

UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY

Automatic file system check failed: help!
Enter pathname of shell or RETURN for sh:


This absolutely does not imply a corrupted disklabel.  This is a
corrupted partition.  Or an encrypted partition that OpenBSD doesn't
know how to decrypt.
 

(this is an approximate copy of the error messages, I cannot properly
access the system to copy the logs or a full disklabel/fdisk)

How could I solve this ? For now trying a few things with fsck or newfs
didn't work but perhaps I looked in the wrong direction.

Also, this is on an install before the last openbsd 7.0 release.


not sure what that means, but OpenBSD is up to 7.1 now.


I don't know how I can upgrade an encrypted install using the usb
medium, but perhaps if I would this would be a way to solve my problem?


again, not sure what you are asking, but pretty sure the answer is "no".

Encrypted disk OpenBSD systems upgrade very much like unencrypted disk
systems, except you have to type your passphrase a few times (and maybe
say, "Boot THIS OS" a few times for a multiboot system).  An upgrade
may improve hardware support and add new features, but is unlikely to
fix a bad configuration.

If you want to have a common disk space between multiple OSs with full
disk encryption, you will need a non-encrypted space to work with.

But if your goal is a fully encrypted disk, creating a non-encrypted
chunk of disk seems to be defeating a purpose here.  Maybe you should
look at some other ideas:
* Use a USB flash drive or SD flash card.  Put it in when you need to
move files, remove it when you are done.
* External NFS server
* External SFTP server (could be a small VPS, so you could bounce
files between OSs literally anywhere.  Or between users!)

But as I and others have said in the past, multiboot systems are
complicated.

Nick.



Re: Softraid on NVMe

2022-05-06 Thread Nick Holland

On 5/6/22 9:03 AM, Proton wrote:

Hi,

I'm using softraid 1C on my remote dedicated server, built on two NVMe disks.
It works really well from a performance perspective and provides some data
protection,
but there is no way to check device health status because SMART doesn’t work.
I guess bioctl will tell me only if devices are ‚online’, but nothing more?


well...a softraid device isn't a physical device, so, I'm not sure
what you would get that you couldn't get out of bioctl.  I have:
  bioctl softraid0
in my /etc/daily.local, and I also have a backup system that checks softraid
status on all systems (hey, as long as I'm in the neighborhood and doing
stuff as root...)

You can look at the SMART status of the underlying physical devices in
the softraid set exactly as you would non-softraid drives.

So, if you put a lot of faith in SMART (I don't), what are you missing?


Are there any "poor man's" methods for checking the state of devices that
you would suggest performing periodically - like 'cat /dev/rsd0c > /dev/null'
+ 'cat /dev/rsd1c > /dev/null'?
Will potential I/O errors or timeouts be reported to stderr or to some system
log file?


doing read tests like that over the entire underlying drives seems like
a good idea to me. Haven't implemented it so I can't say how it would
respond to real problems, but I can think of only one good way to find
out.  (from experience: how things act when a drive fails are hard to
predict and really hard to test.  So even a dozen "this is how it behaved"
results doesn't tell you what happens for the NEXT failure)

I would definitely want to put some rate limiting on it so you don't
kill performance overall.


As a last method I can reboot to a linux rescue from time to time, but this
would not be very convenient.

Should I forget about NVMe and use another option - LSI MegaRaid HW with SSD
disks attached?


what would you gain there?  Now you could only access what the
controller thinks of the drive's state through bioctl (which
you seemed to think was inadequate for softraid).

In the HW vs. SW RAID argument, I'm firmly in the "either way" camp,
but if I understand your query, you are LOSING info here.

(I've also heard stories about SSDs and HW RAID not playing well
together, but I'm not prepared to defend or refute that statement.
On the other hand, I've seen SSDs work differently enough from what
HW and SW expect that ... nothing would surprise me).

Nick.
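
An added example of the two checks discussed above (bioctl status in daily.local plus a rate-limited read of the underlying drives); this is my own sketch, not a script from the thread. It assumes bioctl's tabular output (a header line, a volume line beginning with the softraid device name, then indented chunk lines whose second field is the status), and /dev/rsd0c, /dev/rsd1c and softraid0 are placeholders for your own devices.

```shell
#!/bin/sh
# Added example, not code from the thread: periodic softraid health check
# plus a throttled full-device read scrub, meant to be called from
# /etc/daily.local.  Assumed bioctl layout: header line, volume line
# "softraidN idx status ...", indented chunk lines "idx status ...".

# softraid_healthy: read `bioctl softraidN` output on stdin and succeed only
# if every volume and every chunk reports "Online".
softraid_healthy() {
    awk 'NR == 1 || NF == 0 { next }        # skip the header / blank lines
         /^softraid/  { status = $3 }       # volume line: dev index status ...
         !/^softraid/ { status = $2 }       # chunk line:  index status ...
         status != "Online" { bad = 1 }
         END { exit bad + 0 }'
}

# scrub_device DEV [CHUNK]: read DEV from start to end in bursts of CHUNK
# 1 MiB blocks, sleeping SCRUB_PAUSE seconds between bursts so the scrub
# does not starve real I/O.  Fails on the first read error; dd's message
# goes to stderr, which daily(8)/cron deliver to root's mail.
SCRUB_PAUSE=${SCRUB_PAUSE:-1}
scrub_device() {
    dev=$1
    chunk=${2:-64}
    bs=1048576                    # numeric block size works with any dd
    off=0
    while :; do
        out=$(dd if="$dev" of=/dev/null bs=$bs skip=$off count=$chunk 2>&1) || {
            printf '%s: read error after block %s: %s\n' "$dev" "$off" "$out" >&2
            return 1
        }
        # full blocks actually read, from dd's "N+M records in" line
        n=$(printf '%s\n' "$out" | sed -n 's/^\([0-9]*\)+[0-9]* records in$/\1/p')
        [ "${n:-0}" -gt 0 ] || break          # nothing read: end of device
        [ "$n" -lt "$chunk" ] && break        # short burst: end of device
        off=$((off + chunk))
        sleep "$SCRUB_PAUSE"
    done
    return 0
}

# daily_softraid_check: both checks together.  softraid0, /dev/rsd0c and
# /dev/rsd1c are placeholders for the volume and its chunk devices.
daily_softraid_check() {
    status=$(bioctl softraid0) || { echo "bioctl softraid0 failed" >&2; return 1; }
    printf '%s\n' "$status" | softraid_healthy || echo "softraid0: NOT fully Online" >&2
    for d in /dev/rsd0c /dev/rsd1c; do
        scrub_device "$d" || echo "scrub of $d failed" >&2
    done
}

if [ "${1-}" = "--run" ]; then daily_softraid_check; fi
```

The scrub deliberately reads the raw (character) device rather than the softraid volume, since a mirror read would be satisfied by whichever chunk answers first and could hide a failing disk; the pause between bursts is the rate limiting Nick mentions.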



HP T430 "Thin Client": Won't sysupgrade without HDMI monitor attached.

2022-05-06 Thread Nick Holland

here's a weird one.

HP T430 Thin Client, reloaded with OpenBSD.
In its intended use, it runs Linux in BIOS boot mode.  OpenBSD's
installer will boot that way, but the kernel is unable to see the
16g storage device.  In UEFI boot mode, OpenBSD works well,
including running X.  This machine has ONLY HDMI and DisplayPort
video connections (one each).  There's no com port on the box for
an alternative view of what is going on.

The problem comes when I put them to work without a monitor.

The machine will boot fine, run fine...but sysupgrade fails to upgrade
the system.  It downloads the intended files, it reboots, and a few
moments later, it's back up and running -- the old kernel. Plug an
HDMI monitor in, run sysupgrade again, and it sees the upgrade marker
and does the upgrade.  Textbook Heisenbug :-/

For giggles, I did a sysupgrade -k (keep the files), let it reboot,
in the root directory was bsd.upgrade as expected.  I copied
bsd.upgrade to /bsd, forcing it one way or another to run
bsd.upgrade ... and the result was a hung system.  Never came back
after the reboot, no idea why.  When I moved it to be near an HDMI
monitor, it promptly booted, complained about permissions on
bsd.upgrade, but upgraded perfectly (but I am not sure which of
the two copies of the kernel it used).

What can I do to help provide info to determine what is going on
here?

Nick.

OpenBSD 7.1-current (GENERIC.MP) #493: Tue May  3 12:14:02 MDT 2022
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1686781952 (1608MB)
avail mem = 1618399232 (1543MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x6a8a7000 (23 entries)
bios0: vendor AMI version "N41 v01.06" date 03/14/2019
bios0: HP HP t430 Thin Client
acpi0 at bios0: ACPI 6.1
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP FPDT FIDT MCFG DBG2 DBGP HPET LPIT APIC NPKT SSDT SSDT 
SSDT SSDT SSDT SSDT SSDT SSDT UEFI DBGP SSDT WDAT NHLT WSMT
acpi0: wakeup devices SIO1(S3) HDAS(S3) XHC_(S4) XDCI(S4) RP01(S4) PXSX(S4) 
RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) 
RP06(S4) PXSX(S4)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpihpet0 at acpi0: 1920 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) N4000 CPU @ 1.10GHz, 1096.97 MHz, 06-7a-01
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,UMIP,MD_CLEAR,IBRS,IBPB,STIBP,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 19MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2.4.2.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) N4000 CPU @ 1.10GHz, 1096.97 MHz, 06-7a-01
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,UMIP,MD_CLEAR,IBRS,IBPB,STIBP,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu1: 4MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 120 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus 1 (RP03)
acpiprt4 at acpi0: bus 2 (RP04)
acpiprt5 at acpi0: bus -1 (RP05)
acpiprt6 at acpi0: bus -1 (RP06)
acpiec0 at acpi0: not present
acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001
"ALPS0001" at acpi0 not configured
"WCOM508E" at acpi0 not configured
"FS4304" at acpi0 not configured
acpicmos0 at acpi0
"INT33A1" at acpi0 not configured
"PNP0C14" at acpi0 not configured
acpibtn0 at acpi0: PWRB
"USBC000" at acpi0 not configured
"PNP0C14" at acpi0 not configured
acpipwrres0 at acpi0: DRST
acpipwrres1 at acpi0: DRST
acpipwrres2 at acpi0: DRST
acpipwrres3 at acpi0: DRST
acpipwrres4 at acpi0: DRST
acpipwrres5 at acpi0: DRST
acpipwrres6 at acpi0: WRST
acpicpu0 at acpi0: C1(@1 halt!), PSS
acpicpu1 at acpi0: C1(@1 halt!), PSS
acpitz0 at acpi0acpitz0: TZ01: failed to read _TMP
acpitz0: TZ01: failed to read _TMP

acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: Enhanced SpeedStep 1096 MHz: speeds: 1101, 1100, 1000, 900, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 

Re: HP T430 "Thin Client": Won't sysupgrade without HDMI monitor attached.

2022-05-06 Thread Nick Holland

On 5/6/22 12:48 PM, Theo de Raadt wrote:

Florian Obser  wrote:


So, if you end up with a /bsd.upgrade on the running system that is
still mode 0700, your bootloader is on the fritz.

If you have a /bsd.upgrade that's 0600 your bootloader found the kernel
and tried to boot it, but the installer didn't get very far.

If there is no /bsd.upgrade after a reboot and no email to root the
installer got rebooted by a watchdog process, otherwise you got an email
to root detailing the upgrade process.


A very nice 3-way split.


Brilliant, even.
 

Then once you figure out which one of those 3 is happening, it is easy
to reason about how to create further differentiations and see which is
happening.


I was very much guessing it was /boot, but no.
 
-rw-------   1 root  wheel   4609699 May  6 13:13 bsd.upgrade


So ... it's booting bsd.upgrade and failing, which explains why copying
bsd.upgrade (aka bsd.rd) to /bsd tossed it into a lala-loop.

Unfortunately, this machine doesn't retain dmesg buffer between boots.

so ... booted bsd.rd with a monitor attached, and grabbed the dmesg below.

I'm looking at this:

   efifb0 at mainbus0: 1920x1080, 32bpp

If the system is booted (bsd) without a monitor attached, that says:

   efifb at mainbus0 not configured

Getting to the boot> prompt, typing "boot bsd.rd", unplugging the monitor
and hitting "ENTER" resulted in a successful boot of the bsd.rd kernel (and
efifb is showing the monitor as connected).

I tried bsd.rd renamed "bsd" so it would only boot bsd.rd, and then firing
the machine up and plugged the monitor in AFTER the boot process (probably)
started hoping to see some indication on the screen of the crash.  Result:
no display until the kernel crashes and the system reboots.

Nick.



OpenBSD 7.1-current (RAMDISK_CD) #468: Tue May  3 12:18:55 MDT 2022
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 1686781952 (1608MB)
avail mem = 1631703040 (1556MB)
random: good seed from bootblocks
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x6a8a7000 (23 entries)
bios0: vendor AMI version "N41 v01.06" date 03/14/2019
bios0: HP HP t430 Thin Client
acpi0 at bios0: ACPI 6.1
acpi0: tables DSDT FACP FPDT FIDT MCFG DBG2 DBGP HPET LPIT APIC NPKT SSDT SSDT 
SSDT SSDT SSDT SSDT SSDT SSDT UEFI DBGP SSDT WDAT NHLT WSMT
acpihpet0 at acpi0: 1920 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) N4000 CPU @ 1.10GHz, 1096.97 MHz, 06-7a-01
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,UMIP,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: apic clock running at 19MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2.4.2.1.1, IBE
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 120 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus 1 (RP03)
acpiprt4 at acpi0: bus 2 (RP04)
acpiprt5 at acpi0: bus -1 (RP05)
acpiprt6 at acpi0: bus -1 (RP06)
acpiec0 at acpi0: not present
acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001
"ALPS0001" at acpi0 not configured
"WCOM508E" at acpi0 not configured
"FS4304" at acpi0 not configured
acpicmos0 at acpi0
"INT33A1" at acpi0 not configured
"PNP0C14" at acpi0 not configured
"PNP0C0C" at acpi0 not configured
"USBC000" at acpi0 not configured
"PNP0C14" at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpicpu at acpi0 not configured
acpitz at acpi0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Gemini Lake Host" rev 0x03
"Intel Gemini Lake GNA" rev 0x03 at pci0 dev 0 function 3 not configured
"Intel UHD Graphics 600" rev 0x03 at pci0 dev 2 function 0 not configured
"Intel Gemini Lake HD Audio" rev 0x03 at pci0 dev 14 function 0 not configured
"Intel Gemini Lake MEI" rev 0x03 at pci0 dev 15 function 0 not configured
ppb0 at pci0 dev 19 function 0 "Intel Gemini Lake PCIE" rev 0xf3: msi
pci1 at ppb0 bus 1
re0 at pci1 dev 0 function 0 "Realtek 8168" rev 0x15: RTL8168H/8111H (0x5400), 
msi, address 04:0e:3c:12:53:85
rgephy0 at re0 phy 7: RTL8251 PHY, rev. 0
ppb1 at pci0 dev 19 function 1 "Intel Gemini Lake PCIE" rev 0xf3: msi
pci2 at ppb1 bus 2
iwm0 at pci2 dev 0 function 0 "Intel Dual Band Wireless-AC 9260" rev 0x29, msix
xhci0 at pci0 dev 21 function 0 "Intel Gemini Lake xHCI" rev 0x03: msi, xHCI 1.0
usb0 at xhci0: U

Re: HP T430 "Thin Client": Won't sysupgrade without HDMI monitor attached.

2022-05-06 Thread Nick Holland

On 5/6/22 2:30 PM, Nick Holland wrote:

On 5/6/22 12:48 PM, Theo de Raadt wrote:

Florian Obser  wrote:


So, if you end up with a /bsd.upgrade on the running system that is
still mode 0700, your bootloader is on the fritz.

If you have a /bsd.upgrade that's 0600 your bootloader found the kernel
and tried to boot it, but the installer didn't get very far.

If there is no /bsd.upgrade after a reboot and no email to root the
installer got rebooted by a watchdog process, otherwise you got an email
to root detailing the upgrade process.


A very nice 3-way split.


Brilliant, even.
   

Then once you figure out which one of those 3 is happening, it is easy
to reason about how to create further differentiations and see which is
happening.


I was very much guessing it was /boot, but no.
   
-rw-------   1 root  wheel   4609699 May  6 13:13 bsd.upgrade


So ... it's booting bsd.upgrade and failing, which explains why copying
bsd.upgrade (aka bsd.rd) to /bsd tossed it into a lala-loop.

Unfortunately, this machine doesn't retain dmesg buffer between boots.

so ... booted bsd.rd with a monitor attached, and grabbed the dmesg below.

I'm looking at this:

 efifb0 at mainbus0: 1920x1080, 32bpp

If the system is booted (bsd) without a monitor attached, that says:

 efifb at mainbus0 not configured

Getting to the boot> prompt, typing "boot bsd.rd", unplugging the monitor
and hitting "ENTER" resulted in a successful boot of the bsd.rd kernel (and
efifb is showing the monitor as connected).

I tried bsd.rd renamed "bsd" so it would only boot bsd.rd, and then firing
the machine up and plugged the monitor in AFTER the boot process (probably)
started hoping to see some indication on the screen of the crash.  Result:
no display until the kernel crashes and the system reboots.

Nick.


Got contacted by someone off-list who told me they "fixed" this problem
on their machine by switching to a serial console, which is cool, but my
machine doesn't have a serial console. (set tty com0 resulted in a hang,
as it was probably waiting for the UART to say, "Sent that first character"
and it never does).

Is it possible that bsd.rd *must* have some kind of output device?
efifb fails to configure without a monitor attached, so no console output?

For giggles, I did a "gop" and a "video" at the boot> prompt, and both came
back with no response, just another boot> prompt.

Nick.



Re: HP T430 "Thin Client": Won't sysupgrade without HDMI monitor attached.

2022-05-08 Thread Nick Holland

On 5/7/22 5:40 PM, Mike Larkin wrote:

On Fri, May 06, 2022 at 11:39:51PM -0400, Nick Holland wrote:

...

For giggles, I did a "gop" and a "video" at the boot> prompt, and both came
back with no response, just another boot> prompt.



just 'gop' and 'video'?  These should be "machine gop" and "machine video".


huh. yep.  Just like it says in "man boot", which I did look at, but read
it wrong.  Slightly complicated that "gop" and "video" at the boot> prompt
alone produce no error message and no output.

"machine video" and "machine gop" listed a bunch of valid configs.
Putting "machine gop 1" or "machine video 1" in /etc/boot.conf changed
nothing, still getting a reboot when trying to boot bsd.rd with no
monitor attached, and a successful boot when the monitor is plugged in.

Nick.



Re: OpenBSD ports require xbase set - still true?

2022-05-11 Thread Nick Holland

On 5/9/22 4:56 PM, Steffen Nurpmeso wrote:

Hello.

Just a rant, not for ports@.
I am installing OpenBSD 7.1 right now; this is only a VM, and
i want to create / manage ports there.
Until now whenever i wanted to do this i had to install xbase,
otherwise the port makefile complained some.  (I am afraid i have
forgotten the details.)  Is this still true?


So you want to "create/manage" ports in an unsupported environment.

What is the "problem" you are trying to solve?
This is 2022.  Hard drives are measured in hundreds of gigabytes
for tiny drives.

Current amd64 snapshot, ungzip'd:
 21.9M bsd*
 22.0M bsd.mp*
  4.4M bsd.rd*
592.0M May 11 15:03 base71.tar
265.0M May 11 15:03 comp71.tar
  6.3M May 11 15:03 game71.tar
 30.5M May 11 15:03 man71.tar
176.0M May 11 15:03 xbase71.tar <-- Not a big deal
 35.0M May 11 15:03 xfont71.tar
 57.5M May 11 15:03 xserv71.tar
 26.6M May 11 15:03 xshare71.tar

I think you have a problem with perspective here.
All of X (not just xbase) is about 300MB, and just isn't worth
worrying about today.  What you save by skipping it, you will
more than make up for by trying to fix the problems you will
make for yourself.

Nick.



Re: calling all PFsync users for experience, gotchas, feedback, tips and tricks

2022-05-11 Thread Nick Holland

On 5/11/22 3:32 PM, Tom Smyth wrote:

Hello Folks,

We are updating some course material for an upcoming PF firewall course,
and I would like to put a call out to those who use PFsync in a
redundant firewall cluster
about your user experience, have you come across any edge cases?
have you any tips or tricks about PFSync.
have you come across any edge cases / minor misconfigurations /
suboptimal configurations that caused problems, were there some tweaks
you had to make to make your system scale ?

it is likely that people who are running PFSync have  more complicated
firewall configs.

and I would like to see what tuning other people have done in the field.


It's been a few years since I managed a firewall cluster with pfsync, but
one thing I came up with fairly early on is we needed a way to manage rule
changes between the two devices, and I came up with something that I think
is pretty cool, and yet haven't seen anyone else describe something
similar.

Wrote a little script which, when run:
* Compared this script on "this" FW with "Other" FW
* generated a diff between the /etc/pf.conf file on both systems
  (other box assumed to be "old", "this" box assumed to be new)
* Put the diff into a file along with the user ID of the administrator who
  made the changes, prompted the user to enter a description for the change
  above the diff, who approved it, etc.
* If the administrator enters a change log and saves the file:
  * save that file to disk, with a clear date and time stamp.
  * Copy "this" FW's pf.conf file to the "other" system
  * pfctl -f /etc/pf.conf on both systems
  * scp the change log file to the other system
* Probably should look for changes in hostname.*, and deal with their
  changes, too, but I didn't implement that at the time, so I'd be lying
  if I told you I did.  But I recall wishing I had! :D

This way, you have a log of every change made to the system, plus
administrator comments as to why the change was made.  EITHER FW can push
changes to the other, both boxes have a full history, either box can be
used to rebuild the other.  IF you find a problem, a diff to undo it is
easily found.  It makes change control almost a pleasure.  If someone
made a change and forgets to push it to the other, you can see that the
diff is more complicated than you expected (or you made a typo and blew
something out!).

I've used similar scripts for other fully redundant systems, like DNS
servers.  Yes, I'm sure you can do similar things with system management
applications like puppet, etc., but this is completely self-contained,
no extra hw or packages required.  (and yes, DNS has the master/slave
config with zone transfers, but I'd argue this is a better system.)

Nick.
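
As an added example of the change-control script described in the list above (my own sketch, not Nick's script): it records a dated, unified diff of the peer's pf.conf against the local one, makes the administrator fill in the reason before anything is pushed, refuses a config that does not parse, and then installs the config and the log on both boxes. OTHER (fw2.example.invalid) and LOGDIR are placeholders, and root ssh/scp between the two firewalls is assumed.

```shell
#!/bin/sh
# Added example, not Nick's script: pf.conf change control for a two-node
# pfsync pair.  "this" box holds the new config; OTHER holds the old one.
OTHER=${OTHER:-fw2.example.invalid}        # placeholder peer hostname
LOGDIR=${LOGDIR:-/var/log/pf-changes}      # placeholder log directory
WHY_PLACEHOLDER='Why:   (describe the change, who approved it, ticket id)'

# write_changelog OLD NEW ADMIN OUT: header plus unified diff OLD -> NEW.
# Returns 1 and writes nothing when the files are identical, 2 if diff failed.
write_changelog() {
    old=$1 new=$2 admin=$3 out=$4
    rc=0
    diffout=$(diff -u "$old" "$new") || rc=$?
    [ "$rc" -eq 0 ] && return 1
    [ "$rc" -eq 1 ] || return 2
    {
        printf 'Date:  %s\n' "$(date '+%Y-%m-%d %H:%M:%S %Z')"
        printf 'Admin: %s\n' "$admin"
        printf '%s\n\n%s\n' "$WHY_PLACEHOLDER" "$diffout"
    } > "$out"
}

# changelog_filled LOG: succeed once the admin has replaced the Why: line.
changelog_filled() {
    if grep -qF "$WHY_PLACEHOLDER" "$1"; then return 1; fi
    return 0
}

# push_change [ADMIN]: interactive step, run on the box with the new pf.conf.
push_change() {
    admin=${1:-${SUDO_USER:-$(id -un)}}
    mkdir -p "$LOGDIR"
    log=$LOGDIR/$(date +%Y%m%d-%H%M%S)-$admin.diff
    peer=$(mktemp) || return 1

    # First bullet of the description: both boxes should run the same script.
    ssh "root@$OTHER" cat "$0" | cmp -s - "$0" || echo "warning: $0 differs on $OTHER" >&2

    scp -q "root@$OTHER:/etc/pf.conf" "$peer" || { rm -f "$peer"; return 1; }
    if ! write_changelog "$peer" /etc/pf.conf "$admin" "$log"; then
        echo "pf.conf identical on both boxes (or diff failed); nothing to push"
        rm -f "$peer"; return 1
    fi
    rm -f "$peer"

    # Never push a config that will not load, or one nobody explained.
    pfctl -nf /etc/pf.conf || { echo "pf.conf does not parse; not pushing" >&2; return 1; }
    ${EDITOR:-vi} "$log"
    changelog_filled "$log" || { echo "no change description in $log; not pushing" >&2; return 1; }

    ssh "root@$OTHER" mkdir -p "$LOGDIR" &&
    scp -q /etc/pf.conf "root@$OTHER:/etc/pf.conf" &&
    scp -q "$log" "root@$OTHER:$log" &&
    pfctl -f /etc/pf.conf &&
    ssh "root@$OTHER" pfctl -f /etc/pf.conf
}

if [ "${1-}" = "--push" ]; then push_change "$2"; fi
```

Because the log is written before the push and copied to the peer, each box ends up with the full history either way, and reverting a bad change is `patch -R` with the last log file.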



Re: gpt+uefi boot+openbsd+linux

2022-05-24 Thread Nick Holland

On 5/24/22 6:28 PM, Gustavo Rios wrote:

Can someone here suggest documentation that explains this scenario? I am
in need of this.

Thanks in advance!


I've actually been experimenting with the UEFI OpenBSD and Windows combo,
though I suspect it is applicable to Linux, as well.

Warning: I'm trying to avoid GRUB as my boot selector.  UEFI is supposed
to be able to do this for us.  So I would rather just use it.  I don't
trust grub to do anything other than Windows and Linux (which is just
Windows re-invented badly).

Short version: wow...there's a lot of variety out there on machines.  If you
want one answer for all hardware, that's not gonna happen. :-/
That's about the only certainty I have at this point.  Many UEFI systems
are only designed to boot Windows it seems, the idea of multiple OSs on
one disk didn't occur to some people.

I don't want to use the Windows 10 boot selection process IF I have
another option.  Unlike Windows 7 and before, it seems to boot
95% of Windows, then gives you the menu.  If you pick OpenBSD, it then
totally reboots the machine -- back to the firmware and back up, but
this time to OpenBSD. If you pick Windows, the last 5% loads in a couple
seconds.

IF you install OpenBSD first, you need to puff-out the GPT boot
partition before install.  OpenBSD's default is really tiny, just
enough to boot OpenBSD (as you would expect).  Boot bsd.rd, drop
to shell, MAKEDEV your disk, "fdisk -gb20 sd0" or similar, iirc,
for a 100MB GPT UEFI boot partition.  The default Windows one is
big enough for OpenBSD to share, I'm guessing Linux, as well.

A couple Dell laptops I have with UEFI actually don't suck.  In the BIOS,
there's an option to select various boot targets.  One is "Windows Boot
Manager" or something like that, the others can be loaders pulled out of
the UEFI boot partition.  This ends up working really slickly for dual
booting, and it looks like it would easily extend to multiple OSs.
Basically put each option in your boot list, make the first one your
primary OS (the "no hands" boot).  If you want to boot a different OS,
you hit the boot selection key at the right time (F12? I mark mine with
a bit of paint, so I can't remember what it is).  This brings up a
menu, the menu selections can be readable to humans...  May not be
the ultimate solution for all people, but ... works really well for
me.

I've got a couple older HP systems, not so impressive.  If you hit
the magic key (F9, iirc) at the right moment, you can poke around
in the boot partition.  Otherwise, it wants to boot a particular OS, and
if I recall properly, I got one booting OpenBSD by default, the other
windows by default, and I have NO IDEA how the default was chosen (or
is it just the firmware on this machine prefers ...?).  On one of them,
I found a 16MB (yes, MB, not GB) SD card, came with an old digicam
(flashback to 12 exposure rolls of film!).  I dropped minirootXX.img
on it, created a /etc/boot.conf file that pointed to pulling the
kernel off hd1a:/bsd and called it done.  Want to run OpenBSD, leave
the SD card in place, want to boot windows, eject the card a little, push
it back in when it's booted.  This is cheesy, doesn't scale to a third OS,
but it works for me in this laptop.

I'm working on a better write-up (with fewer "IIRC"s :) ), but this might
be enough to get you started.

Nick.



Re: bsdtar -O | --to-stdout

2022-05-26 Thread Nick Holland

On 5/26/22 4:55 AM, Dirty Dawn wrote:

Hi,

I'm looking for a way to reproduce the -O flag of bsdtar/gtar using tar
or pax but I didn't find one.

Is there a way to do that using standard tar or pax?

Thank you


It generally works better if you tell us what you are wishing
to accomplish, rather than the option some other OS uses.
Sounds like you are trying to send tar output (or input) to
stdin/stdout.

The (a?) common "Unix way" of doing this is specifying the file
name "-".  This trick is portable across many Unixes and many
Unix commands:

  $ tar cf - * |ssh remote "tar xf -"
(tar current directory to stdout, send it via SSH to computer
"remote", and untar in the current directory on the remote
computer)

This works for a lot of commands...

  $ ssh remote "cat /etc/hosts" | diff -u - /etc/hosts

Nick.



Re: Cannot configure wi-fi card

2022-05-28 Thread Nick Holland

On 5/27/22 10:25 PM, Matsuda Kenji wrote:

Hello.

I just installed OpenBSD 7.1 and am having trouble
setting up a wi-fi card.
There is no wi-fi interface in ifconfig output.
Dmesg says that there is some error configuring NIC:
iwm0 at pci1 dev 0 function 0 "Intel Dual Band Wireless-AC 9260"\
 rev 0x29, msix
iwm0: Failed to wake up the nic.



do you have any options in the system setup that might help?  Maybe
even switching between UEFI and "legacy" boot modes, I have a
machine that refuses to see its storage devices if it is booted in
Legacy mode, but works pretty well in UEFI mode, and I could imagine
it going the other way, too.

Oh...a BIOS upgrade might be in order.

No promises.

Nick.



Re: Convert a Linux VPS to OpenBSD

2022-06-20 Thread Nick Holland

On 6/20/22 11:47 AM, Étienne wrote:

Hello there,

This is a bit of a long shot, but I'm trying my luck: There used to be a
community thread on Scaleway's documentation website that explained how
to convert a Linux instance to an OpenBSD instance, because no OpenBSD
ISO image was available in their console. It seems that this doc
disappeared as their documentation section has changed format, and I
can't find it on archive.org either. I would like to try and apply the
same process at another VPS provider. Does anyone remember or know how
this was done, and would they be kind enough to summarise it here, please?

Thanks!



Assuming you have console and can do your own install, perhaps doing
a Linux install and leaving a chunk of the beginning of the "disk"
unallocated, then dd the minirootXX.img over the very beginning of
the "disk", then rebooting.  This should get you into the OpenBSD
installer, assuming you actually overwrote the beginning of the
logical disk and not a Linux partition.

A hard reset or "power cycle" might work better than a reboot, as
you don't want the Linux system updating anything on the disk
partition tables after the dd is complete (if "reboot" even works
at that point).

However, you might want to think long and hard about committing to
a VPS that doesn't actively support the OS you wish to install.  What
works today may faceplant tomorrow and they may not care at all to
fix it for you.

Nick.



Re: Fanless amd64 system recommendations

2022-07-11 Thread Nick Holland

On 7/11/22 1:13 AM, B. Atticus Grobe wrote:

I've been running a Hewlett-Packard HP t620 Quad Core TC for a couple of
years now in that role, with the AMD GX-415GA SOC in it. It's the bigger
brother of that found in the APU systems.

The stock configuration usually has 4GB of RAM in them, with a single re(4)
1GBps NIC, and a 16GB mSATA SSD.

I haven't had any issues out of mine, which I got for I believe $50 on
eBay. They seem to be fairly easy to acquire. Another $25 for a power brick
(which amazingly has had no issues either), and you're good to go.

These boxes have eDPI display outputs, and optionally have either an RS-232
serial port or VGA output, along with USB 2 and USB 3.

They come with an embedded version Windows 10, but I've had no issues
running OpenBSD 6.8-7.0 on it, 9front, or Linux. IIRC, it supports EFI
booting, but I've only used legacy BIOS boot.

If you get one from eBay, I would recommend opening it and verifying that
all the internal screws are tight. I had some loose either from shipping or
carelessness on the mSATA hold-down and a few other places.


few notes on a HP T430 Thin Client...which probably apply to some other HP
thin clients, definitely not others.

HP T430: 16GB "disk", 2G RAM Intel N4000 dual core
1) OpenBSD requires the machine be in UEFI mode, which is a change from the
HP linux which requires it be in legacy mode.  If not in UEFI, you have no
storage (for OpenBSD).

2) bsd.rd doesn't work without a monitor or fake monitor plug attached.
Thus, if running headless, you can't do a "sysupgrade" (but can do a
"remote upgrade" without bsd.rd/sysupgrade).  Standard bsd.mp kernel works
just fine.  Friend of mine reports Linux does the same thing.

3) Rather than using a formal HP power pack, you can "fake it" with just
about anything capable of putting out 12-20v and 0.75A or more.  High value
(100k-300k) resistor added between center pin and +V on the computer
overrides the "Is this an HP power pack?" test.  The higher the voltage, the
lower the current draw.  Hint: the parts are tiny, the workspace is cramped,
not a good way to learn to solder. :)

4) Total power dissipation was 4w while compiling a kernel, which took
25 minutes.  2W when idle (according to a wattmeter that had a 1W
granularity on its readings, so +/-1W on the reading).

5) X seems to just work.  Have not used it extensively, though.

6) wired: re(4).  Wireless (IF so equipped): iwm0

IF you happen to be in the Detroit, MI area and want one, I've got
too many, contact me off-list.  Probably cost less than Ebay "shipping".

Nick.

OpenBSD 7.1-current (GENERIC.MP) #0: Sun Jul  3 16:39:00 EDT 2022
n...@springboard.in.nickh.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1686781952 (1608MB)
avail mem = 1618362368 (1543MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x6a8a7000 (23 entries)
bios0: vendor AMI version "N41 v01.06" date 03/14/2019
bios0: HP HP t430 Thin Client
acpi0 at bios0: ACPI 6.1
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP FPDT FIDT MCFG DBG2 DBGP HPET LPIT APIC NPKT SSDT SSDT 
SSDT SSDT SSDT SSDT SSDT SSDT UEFI DBGP SSDT WDAT NHLT WSMT
acpi0: wakeup devices SIO1(S3) HDAS(S3) XHC_(S4) XDCI(S4) RP01(S4) PXSX(S4) 
RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) 
RP06(S4) PXSX(S4)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpihpet0 at acpi0: 1920 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) N4000 CPU @ 1.10GHz, 1096.97 MHz, 06-7a-01
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,UMIP,MD_CLEAR,IBRS,IBPB,STIBP,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 24KB 64b/line 6-way D-cache, 32KB 64b/line 8-way I-cache, 4MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 19MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2.4.2.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) N4000 CPU @ 1.10GHz, 1096.63 MHz, 06-7a-01
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,UMIP,MD_CLEAR,IBRS,IBPB,STIBP,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN

Re: Installing sets from /

2022-07-13 Thread Nick Holland

On 7/13/22 1:11 PM, Vincent Legoll wrote:

> Hello,
>
> I was trying to autoinstall OpenBSD 7.1 on a VM when I stumbled upon
> something unexpected (to my uneducated eyes) in the installer.
>
> What I'm trying to do may very well fall in the "unsupported" basket,
> just tell me. But still, I think I can at least ask if this is
> actually intended behavior.
>
> When I used the following answers:
>
> [...]
> Location of sets = disk
> Is the disk partition already mounted = yes
> Pathname to the sets = /
> [...]
>
> I expected the setup to look at the / (from the ramdisk), but it
> searched in /mnt2 instead.


As a user, I'd expect the response there to be "As would be seen
on the running system."

As a user, I expect it to go something like this:
"I put the install sets someplace on the running system, say
/home/upgrade or /usr/rel.  I rebooted into bsd.rd, chose
"install" or "upgrade", I expect to answer exactly where I put
the files. How the upgrader or installer does the upgrade or
install, I really don't care."

The installer happens to mount the system hanging off /mnt2,
but I shouldn't have to know that.  I definitely shouldn't have to
include that in my answer (in my opinion).
 ...


> Is this in need of a modification, or is it good as-is?
> I can submit a patch if you think it is useful.


Speaking only for myself, I think it is working exactly as I'd
hope right now.

I would spend some time thinking about why you are stuffing the
install files into the ramdisk rather than from an existing
file system or other more supported option.  I think the "proper"
answers will work better for you all around.

Nick.


