Re: postinstall fixes failed: gid
Ottavio wrote:

> [...]
> gid fix:
> Error groups (FIX MANUALLY): nvmm (missing)
> Use the following as a template:
> nvmm:*:34:root
> and adjust if necessary
> [...]
> postinstall fixes failed: gid
>
> My questions are:
> 1) Why has this happened? Is this a bug?

It has happened because NetBSD tends to the safe side and doesn't add the group itself. You may have number "34" already used for some other group, and you need to resolve things in that case. It may also make sense to add users to the group, see below.

> 2) Why do I need a nvmm group?

This really depends on the NVMM software kit. I haven't seen that myself and can't help you there (my only post-8 netbsd is a -current on a lowly i386, no nvmm there). The nvmm-related man-pages should tell you the purpose of the group. I would expect virtual disks and machine descriptions will belong to that group and so anybody in the group would be allowed to manipulate/add/use/remove VMs. This is just a guess -- RTFM and check how the group is actually used in the filesystem for files and directories.

> 3) I've manually added:
> nvmm:*:34:root
> to the group file and now I have no errors. Is this enough?

Yes, well done. (Unless you already had another group 34.)

> Do I have to rebuild any databases?

No. /etc/group is just that plain file and you are done. (In contrast, the user file /etc/passwd is just a clone of /etc/master.passwd and changes to both are done using vipw(8).)

Martin Neitzel
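An added example, not from the original post: the "is GID 34 already taken?" check Martin mentions, scripted so the postinstall template is only appended when neither the group name nor the number is in use. The group file path is a parameter (default /etc/group); the constructed sample below never touches the live file.

```shell
#!/bin/sh
# Added example, not from the original post: check that a GID is free and a
# group name is unused before appending the "nvmm:*:34:root" template that
# postinstall suggests. GROUPFILE defaults to /etc/group; the test below uses
# a constructed copy, never the live file.

# gid_owners GID [GROUPFILE]: print the names of groups already using GID.
gid_owners() {
    awk -F: -v gid="$1" '$3 == gid { print $1 }' "${2:-/etc/group}"
}

# group_exists NAME [GROUPFILE]: return 0 if the group name is already present.
group_exists() {
    awk -F: -v g="$1" '$1 == g { found = 1 } END { exit !found }' "${2:-/etc/group}"
}

# duplicate_gids [GROUPFILE]: list GIDs that occur more than once, a collision
# postinstall reports but does not resolve for you.
duplicate_gids() {
    awk -F: '{ print $3 }' "${1:-/etc/group}" | sort -n | uniq -d
}

# add_group NAME GID MEMBERS [GROUPFILE]: append "NAME:*:GID:MEMBERS" only when
# neither the name nor the numeric GID is taken. Returns 0 when the line was
# added, 1 on a GID clash, 2 if the name already exists.
add_group() {
    f=${4:-/etc/group}
    if group_exists "$1" "$f"; then
        echo "group $1 already present in $f" >&2
        return 2
    fi
    owners=$(gid_owners "$2" "$f")
    if [ -n "$owners" ]; then
        echo "gid $2 already used by: $owners -- pick another number" >&2
        return 1
    fi
    printf '%s:*:%s:%s\n' "$1" "$2" "$3" >> "$f"
}
```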
Re: BCM43224 driver
Hi John,

> I want to know if there is any chance to enable Broadcom BCM 43224 in netbsd.
> What driver (even similar driver) i could use for this.

congrats on switching from text/html to text/plain. That makes your mails readable for me (I'm using mail(1) from base) and deserves a reply.

Most chapter 4 man pages for the various drivers explicitly list the chips and product brand names supported by the driver. NetBSD's "man -k" keyword search is now full-text based, and that makes it much easier to search for drivers or the state of support. On NetBSD-8-stable, I get these results:

    man -k 43224    ==> nothing
    man -k bcm      ==> a single false hit ("bcms" in dhcp-options(5))
    man -k broadcom ==> half a dozen broadcom network drivers

Out of the latter, bwi(4) appears to be the closest candidate, but not a really good match for your hardware. It lists:

HARDWARE
     The following cards are among those supported by the bwi driver:

     Card                    Chip      Bus       Standard
     Buffalo WLI-CB-G54      BCM4306   CardBus   b/g
     Buffalo WLI3-CB-G54L    BCM4318   CardBus   b/g
     Buffalo WLI-PCI-G54S    BCM4306   PCI       b/g
     Dell Wireless 1370      BCM4318   Mini PCI  b/g
     Dell Wireless 1470      BCM4318   Mini PCI  b/g
     Dell Truemobile 1400    BCM4309   Mini PCI  b/g
     Dell Latitude D505      BCM4306   PCI       b/g
     Apple AirPort Extreme                       b/g

Alas, the "43224" doesn't appear to be closely related to this 43xy chip family.

That's the general idea to look for a driver. It also makes sense to "man -k" for product or model names. You *might* be luckier with NetBSD-9 or -current, I didn't check these.

Usually, NetBSD will auto-detect all hardware which it supports. So don't expect too much. These "man -k" checks are best done before you invest in new hardware to see whether it would be supported.

Martin Neitzel
pkgs for i386 netbsd-9.0
Hi there! A week ago, the first set of binary pkgs appeared for i386 netbsd-9.0 systems, for example: http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.0_2019Q4/ A zillion thanks, I'm thrilled! Wouldn't it make sense to add the standard "9.0" link to this quarterly release, too? Martin Neitzel
Re: pkgin error
Hi Matthew,

MN> http://cdn.Netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/...
MN> http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/...
MN> yielded different data. Both hostnames resolved to the same IP addresses

MS> I fixed the host header thing when that was pointed out.

Thanks for fixing it (back when), and yes, the URL case didn't make a difference yesterday. Great to know that shouldn't be any worry anymore.

MS> Anyway try it now.

Much better -- perfect! Yesterday's different pkgs per 8.0 8.1 8.2 version

MN> % echo 0 1 2 | xargs -n1 -I XX lynx -head -dump http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/8.XX/All/p5-Authen-SASL-2.16nb7.tgz | grep Length
MN> Content-Length: 24900
MN> Content-Length: 24892
MN> Content-Length: 24900

changed to 24892 for all three 8.x directories, now matching what's advertised in the pkg_summary.bz2 (which was "update"able today, too).

All outstanding pkgs downloaded fine today (07:23 UTC), all 60 pkgs were refreshed/upgraded/installed without a hitch. Thanks!

Martin Neitzel
Re: pkgin error
ill> Same here.
ill>
ill> $ echo "select file_size from remote_pkg where pkgname like
ill> 'xmlcatmgr%'" | sqlite3 pkgin.db
ill> 25004
ill>
ill> $ ftp
ill> https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/8.0/All/xmlcatmgr-2.2nb1.tgz
ill> 24864 bytes retrieved in 00:00 (16.63 MiB/s)

Some observations on this:

% echo 0 1 2 | xargs -n1 -I XX lynx -head -dump http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/8.XX/All/xmlcatmgr-2.2nb1.tgz | grep Length
Content-Length: 24864
Content-Length: 24864
Content-Length: 25004

This actually figures with my(!, see below) long "select" info:

sqlite> select * from remote_pkg where pkgname like 'xmlcat%' ;
          PKG_ID = 21533
     FULLPKGNAME = xmlcatmgr-2.2nb1
         PKGNAME = xmlcatmgr
         PKGVERS = 2.2nb1
      BUILD_DATE = 2020-03-28 20:22:48 +
         COMMENT = XML and SGML catalog manager
         LICENSE = modified-bsd
PKGTOOLS_VERSION = 20091115
        HOMEPAGE = http://xmlcatmgr.sourceforge.net/
      OS_VERSION = 8.0
     DESCRIPTION =
         PKGPATH = textproc/xmlcatmgr
     PKG_OPTIONS =
      CATEGORIES = textproc
        SIZE_PKG = 50583
       FILE_SIZE = 25004
           OPSYS = NetBSD
      REPOSITORY = http://cdn.Netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/8.2/All

Looks like Roland is rather using the 8.0 repo?

I essentially noticed the same problem here, too, after...

- an update on the netbsd-8 branch on May 2nd and
- moving my /usr/pkg/etc/pkgin/repositories.conf from
  http://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/amd64/8.1/All
  to
  http://cdn.Netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/8.2/All
- having nothing at all happen on "pkgin update" until
  May 11 00:52 /var/db/pkgin/pkgin.db

For "pkgin upgrade", this resulted in:

31 packages to refresh: (xmlcatmgr-2.2nb1 ... ... ...)
19 packages to upgrade:
 2 packages to install: heimdal-1.5.3nb24 openssl-1.1.1e

(I was mostly surprised about the "refresh" section. Where does this come from, what is this supposed to mean?)

Since I'm referring to the 8.2 pkg repository, details differ for me; I guess I am seeing the same problem but maybe from the other side.
I can still confirm the problem / the error message seen from my side, albeit with other packages. I get the error message with:

download error: p5-Authen-SASL-2.16nb7 size does not match pkg_summary

and [abridged]:

sqlite> select * from remote_pkg where pkgname like 'p5-Authen-SASL' ;
          PKG_ID = 6173
     FULLPKGNAME = p5-Authen-SASL-2.16nb7
      BUILD_DATE = 2020-04-01 03:57:23 +
      OS_VERSION = 8.0
        SIZE_PKG = 119267
       FILE_SIZE = 24892
      REPOSITORY = http://cdn.Netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/8.2/All

% echo 0 1 2 | xargs -n1 -I XX lynx -head -dump http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/8.XX/All/p5-Authen-SASL-2.16nb7.tgz | grep Length
Content-Length: 24900
Content-Length: 24892
Content-Length: 24900

D'oh! This is not the first time this madness happens. The last time was around last summer and some kind fellow on the ircnet #netbsd pointed out to me that the URLs

http://cdn.Netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/...
http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/...

yielded different data. Both hostnames resolved to the same IP addresses (as they should) but the Fastly CDN servers were apparently treating the requests in different ways depending on the case in the Host: headers.

Martin Neitzel
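An added example, not from the thread: the integrity check behind pkgin's "size does not match pkg_summary" message, redone by hand in sh so a downloaded .tgz can be compared against the FILE_SIZE the (decompressed) pkg_summary advertises before anything is installed. Function names and the sample records are constructed; the summary format is the KEY=VALUE, blank-line-separated layout of pkg_summary(5).

```shell
#!/bin/sh
# Added example, not from the original thread: the same integrity check that
# produces pkgin's "size does not match pkg_summary" error, done by hand. It
# reads FILE_SIZE for a package out of a (decompressed) pkg_summary and
# compares it with the bytes actually fetched, so a stale or mismatched CDN
# copy is rejected before pkg_add(1) ever sees it. Sample data is constructed.

# summary_file_size SUMMARY FULLPKGNAME: print FILE_SIZE of that package's
# record (records are KEY=VALUE lines separated by blank lines), or nothing
# when the summary has no such record.
summary_file_size() {
    awk -F= -v want="$2" '
        $1 == "PKGNAME"   { name = $2 }
        $1 == "FILE_SIZE" { size = $2 }
        /^$/ { if (name == want) { print size; found = 1 }; name = ""; size = "" }
        END  { if (!found && name == want) print size }
    ' "$1"
}

# check_pkg_size SUMMARY FILE: 0 if FILE's size matches the summary, 1 if it
# differs, 2 if the summary carries no record for it.
check_pkg_size() {
    base=$(basename "$2" .tgz)
    want=$(summary_file_size "$1" "$base")
    [ -n "$want" ] || { echo "$base: not in pkg_summary" >&2; return 2; }
    have=$(wc -c < "$2" | tr -d ' ')
    if [ "$have" -ne "$want" ]; then
        echo "download error: $base size does not match pkg_summary ($have != $want)" >&2
        return 1
    fi
    return 0
}

# check_all SUMMARY DIR: check every .tgz in DIR; the return value is the
# number of packages that failed the check (0 = everything matches).
check_all() {
    bad=0
    for f in "$2"/*.tgz; do
        [ -e "$f" ] || continue
        check_pkg_size "$1" "$f" || bad=$((bad + 1))
    done
    return $bad
}
```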
Re: listing "commit comments" in CVS
> Is there a way to tell cvs to print out the list of comments I left > with each/every revision? cvs log (Use cvs -H log to get a help summary about the available options. The long story can be found via "info cvs".) Martin Neitzel
Re: portable file touched during boot
> I'm trying to hack up a Make rule that's only run once after a reboot
> by having it depend on a file touched during boot.

I find plenty of candidates in /var/run:

% ls -lrt /var/run
total 98
drwxrwx---  2 root  operator    512 May  2 16:27 lvm
-rw-r--r--  1 root  wheel     46793 May  2 16:28 dev.cdb
-rw-r--r--  1 root  wheel         0 May  2 16:28 syslogd.sockets
srw-rw-rw-  1 root  wheel         0 May  2 16:28 log
-rw-r--r--  1 root  wheel         4 May  2 16:28 syslogd.pid
drwxr-xr-x  2 root  wheel       512 May  2 16:28 named
-rw-r--r--  1 root  wheel      7664 May  2 16:28 dmesg.boot
-rw-r--r--  1 root  wheel         0 May  2 16:28 blacklistd.sockets
srwxrwxrwx  1 root  wheel         0 May  2 16:28 blacklistd.sock
-rw-r--r--  1 root  wheel         4 May  2 16:28 blacklistd.pid
-rw-r--r--  1 root  wheel         3 May  2 16:28 ntpd.pid
-rw-r--r--  1 root  wheel         4 May  2 16:28 powerd.pid
-rw-r--r--  1 root  wheel         4 May  2 16:28 sshd.pid
-rw-r--r--  1 root  wheel         4 May  2 16:28 cron.pid
-rw-r--r--  1 root  wheel      5429 May  2 16:28 rc.log
-rw-r--r--  1 root  wheel         5 May  7 22:47 inetd.pid
-rw-rw-r--  1 root  utmp       1000 May 19 19:02 utmp
-rw-rw-r--  1 root  utmp      18200 May 21 20:15 utmpx

% last -1 reboot
reboot    ~    Sat May 02 16:28

Martin Neitzel
Re: acpibat0 error message at terminal login
P> I keep getting an error message
P> "acpibat0: failed to evaluate _IF: AE_ERROR".

OC> As this is just a VM, it's mostly a harmless warning. You are not really
OC> using a battery here.

I agree.

OC> Edit /etc/syslog.conf (the line with /dev/console).

I'd rather add

    userconf=disable acpibat*

to the end of /boot.cfg. (Of course, don't use that with a real (non-VM) install.)

Martin Neitzel
Re: blacklistd not reacting to postfix/smtpd AUTH failures
iMil> smtpd is indeed linked over libblacklist:
iMil>
iMil> $ ldd /usr/libexec/postfix/smtpd |grep black
iMil> -lblacklist.0 => /usr/lib/libblacklist.so.0
iMil> Anything I am missing here?

A daemon may well notify blacklistd about a possible attack at some places along the code path but not at others, even when an issue gets logged at the "other" place.

In particular, the blacklist(3) API requires the connection to the client to be still active when registering a misbehavior. This is a bit stupid, IMHO, because it prevents the blacklist registration of any clients which pull out early.

I had noticed this with sshd: it just logged lots of "client closed connection [preauth]" probes without notifying blacklistd. A look into the sshd source showed that this was a case of "fd already closed" and not fixable. In fact, only allowing public key access kept many stupid clients knocking at the door. Allowing password-based access gets rid of them quickly because those attempts *do* trigger blacklistd.

You have to check the smtpd source to see if blacklist{,_r,_sa} could be called at the point where the issue is logged.

Martin Neitzel
Re: possible new feature: unrm ?
> There are scripts which will create and remove a set of snapshots on
> zfs, which would be pretty much what you have in mind.
> [...]
> Traditional Unix filesystems don't support this well, I am afraid.

Well, "traditional" is a vague term, but we in {Net,Free}BSD land have had McKusick's FFS softupdates+snapshots since NetBSD-2.0 and FreeBSD-4 in our default filesystem. That is: two decades now. (Sorry, OpenBSDlers, you didn't bother.)

If you've never used it before, do yourself a favour and give it a spin. fssconfig(8) has an easy-peasy example of how to create a snapshot, use it, and get rid of it again, doable in less than five minutes.

If you are inclined to read more on it, there are several papers available, for example:

https://www.usenix.org/legacy/publications/library/proceedings/bsdcon02/mckusick/mckusick_html/index.html

And while I'm at it:

(1) In *BSD land, we also get nightly RCS revisioning of all our administrative files (/etc and more) out of the box. (Watch your daily mail and /var/backups if you haven't noticed before.)

(2) DragonFlyBSD's "HAMMER" filesystem lets you review and unroll any atrocities against files or directories with "sync update" resolution (30 or 60 seconds) along the entire day. Around 3am, the past day's details get condensed into a summary snapshot -- these will be kept for 180 days. So you get half a year of revisable and undo(1)able history of your files, out of the box.

Martin Neitzel
Re: Use network printer from NetBSD
Hi Rocky,

> TEXT_P1
> Service Name            TEXT_P1
> FilterText              Substitution
> Control Strings         Beginning of Job    1)
>                         End of Job          11)\0C
> Service Options         Bi-Directional
>
> If you think I can make any attempt with `lpr' or even `netcat', I'm
> ready to try. For example, maybe for the `Beginning of Job' no character
> is needed (`1)' is just the first, blank line of a list), but the text
> should be ended with the character `\0C'.

The character hex 0C (decimal 12) is ascii "formfeed". It may well be that these control strings are simply added to the print jobs you supply rather than expected from it. An added formfeed at the end ensures that the last sheet gets ejected.

I just sent you a longer email regarding these printer Service Names and lpr/netcat/cups offlist.

Martin
Re: postfix for 2 domains on 1 vps 1 ip
silas_nbli...@nocafe.net wrote:

> IIUC, it is possible to implement Reverse DNS validation with
> postfix tools in base system with some Postfix option (I've seen
> that, but I don't recall the exact postfix setting)

postfix main.cf:

    smtpd_client_restrictions = ... reject_unknown_client_hostname ...

sendmail.mc:

    FEATURE(`require_rdns')    dnl see also: delayed_checks

Martin Neitzel
Re: Any package to populate image from raw data?
Hi Mayuresh,

> I recently wrote a pyusb based driver to interact with an X ray camera.
> The driver gives me a byte array of a 16 bit grayscale image. I want to
> put this byte array into an image format. No specific format required as I
> can always convert it using ImageMagick.

I always do this kind of stuff with Jeff Poskanzer's PBM tools. The pkgsrc name for the whole toolkit is "netpbm". In this case, rawtopgm(1) would probably be your first step of a command pipeline, finishing with any of the pgmto... or pnmto... tools to create your target format; optionally with some transformations wedged in between.

HNY,
Martin Neitzel

NAME
     rawtopgm - convert raw grayscale bytes into a portable graymap

SYNOPSIS
     rawtopgm [-bpp [1|2]] [-littleendian] [-maxval N] [-headerskip N]
              [-rowskip N] [-tb|-topbottom] [width height] [imagefile]

DESCRIPTION
     Reads raw grayscale values as input. Produces a PGM file as output.

     The input file is just a sequence of pure binary numbers, either one or
     two bytes each, either bigendian or littleendian, representing gray
     values. They may be arranged either top to bottom, left to right or
     bottom to top, left to right. There may be arbitrary header information
     at the start of the file (to which rawtopgm pays no attention at all
     other than the header's size).
Re: USB-HEAD wont talk to USB ports
> FIRST MY DMESG:
> [...]
> It looks like it repeated?

The kernel message ring buffer (that's what dmesg(1) displays) is preserved across reboot(8)s/shutdown -r's and accumulates the messages even if you reboot into different kernel versions. A cold start (after a -p shutdown) will start with an empty message buffer.

> I did dmesg > /umass1/NETBSD-HEAD*

The standard rc setup saves the current set of boot messages in /var/run/dmesg.boot. This becomes helpful when later kernel messages displace the boot msgs in the ring buffer.

> where /umass1 is the mount point for my 4-port USB hub. None of my
> USB-3.0 ports work. My USB-3.1 (web camera) works, and my nVidia
> GTX- 680 works inconsistently. Any ideas?

Nope.

> If I upgrade to a later version of NetBSD-HEAD, will I need to upgrade
> the entire system, or only the kernel sources?

Just upgrading your kernel is fine. A newer kernel will generally have no problem with an older user land version.

Martin Neitzel
Re: Compiling NetBSD-HEAD kernel sources
> I *think* the correct way is to make your _own_, almost empty kernel
> config, and include (say, `GENERIC'.) then override settings in your own
> config. I've done it, but somehow it feels more hazy than plain
> modifying GENERIC

Even easier: the stock GENERIC config contains the conditional include

    # Pull in optional local configuration
    cinclude "arch/amd64/conf/GENERIC.local"

So just create a GENERIC.local file with your tweaks to build an "almost-GENERIC" kernel.

Martin Neitzel
Re: blocklistd: How to keep my dynamic IP from getting blocked
On Sat, Apr 03, 2021 at 06:02:03PM +0530, Mayuresh wrote:
> > BTW does blacklistd.conf accept hostname instead of IP, which I can
> > manipulate in /etc/hosts?
>
> PS: I mean, I tried that way but it didn't work (hostname with /etc/hosts
> entry didn't work, IP did). Wondering whether it's supposed to be that
> way.

Firewalls (and many other security-related configs) in general require you to state everything in terms of fixed addresses and not (DNS-dependent) hostnames, for good reasons:

- There is a chicken and egg problem: the fw system needs working DNS in order to insert rules; the DNS needs a working fw in order to resolve names.

- It would be / is expensive to continuously update rules and re-resolve symbolic hostnames while the firewall is running. Because DNS name resolution is cache-dependent, it also leads to ill-defined behaviour. You usually do not want that with a firewall.

- Where the DNS is under external control, your rules suddenly refer to addresses under external control. Again, you do not want that.

I understand that you are trying to use a hostname in /etc/hosts well under your local control and locally resolvable. I'm not surprised though that bl[oa]cklistd requires strictly numeric addresses, because of the reasons above.

Martin Neitzel
Re: What is a good pkgsrc package to use for file encryption and decryption?
Brian Buhrow wrote (Wed, 10 Mar 2021):

BB> Are there packages in the pkgsrc tree that have similar
BB> functionality but which use newer encryption algorithms?

The openssl command (coming already with base but available as a pkg, too) makes its plethora of crypt algos available to you, independently of any SSL context. To quickly see the list of supported algorithms and learn more:

    % openssl enc -ciphers
    % man openssl-enc

(Decrypting is done via the enc "-d" option.)

Martin Neitzel

SEE ALSO
     caesar(6)
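An added example, not from the original post: openssl enc used for file encryption with the options that matter in practice (PBKDF2 key stretching instead of the legacy one-pass derivation, the passphrase read from a file rather than the command line), plus a round-trip check. It assumes OpenSSL 1.1.1 or newer for the -pbkdf2 option; the plaintext and passphrase are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: file encryption with the base
# openssl(1) "enc" subcommand the way it should be used today. Notes:
#  - without -pbkdf2 (or -iter), enc derives the key with the legacy,
#    single-pass EVP_BytesToKey() and warns about it; -pbkdf2 -iter N
#    stretches the passphrase properly (the same N is needed to decrypt,
#    it is not stored in the file);
#  - -pass file:PATH keeps the passphrase out of the command line, so it does
#    not show up in ps(1) output or shell history;
#  - enc gives confidentiality only: a modified ciphertext is not detected
#    (at best "bad decrypt"), so ship a separate checksum or signature if
#    integrity matters.
# Assumes OpenSSL 1.1.1 or newer (the -pbkdf2 option). Sample data is constructed.

ITER=200000

encrypt_file() {   # encrypt_file PLAIN CIPHER PASSFILE
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" \
        -pass "file:$3" -in "$1" -out "$2"
}

decrypt_file() {   # decrypt_file CIPHER PLAIN PASSFILE
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -pass "file:$3" -in "$1" -out "$2"
}

# round_trip: encrypt a constructed file, decrypt it again, compare the two.
# Returns 0 when the decrypted copy is byte-identical to the original and
# the ciphertext does not leak the plaintext.
round_trip() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample plaintext\n' > "$dir/plain"
    ( umask 077; printf 'correct horse battery staple\n' > "$dir/pass" )
    encrypt_file "$dir/plain" "$dir/plain.enc" "$dir/pass" || { rm -rf "$dir"; return 1; }
    decrypt_file "$dir/plain.enc" "$dir/plain.dec" "$dir/pass" || { rm -rf "$dir"; return 1; }
    cmp -s "$dir/plain" "$dir/plain.dec"
    rc=$?
    if grep -q 'constructed sample' "$dir/plain.enc"; then rc=1; fi
    rm -rf "$dir"
    return $rc
}
```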
Re: OpenGL - browser and WebGL support - failed libGL.so
> > GLXtest process failed (exited with status 1): Unable to load
> > libGL.so.1
>
> This reminds me of e.g., libepoxy hardcoding "libGL.so.1", when
>
> $ ls /usr/X11R7/lib/libGL.*
> /usr/X11R7/lib/libGL.a     /usr/X11R7/lib/libGL.so.3
> /usr/X11R7/lib/libGL.so    /usr/X11R7/lib/libGL.so.3.0
>
> (Why hardcode the major number?)

The convention is that the major number reflects the shared lib's API, while minor numbers are used for bug fixes and internal improvements. *IF* the GL folks have taken care to keep their API downwards-compatible, you can safely

    ln -s libGL.so.3 libGL.so.1

Martin Neitzel
Re: jailbreaking an iPhone
TG> What is "TNF" ? wtf(6) would answer that for you. Martin
Re: ssh and libsqlite.so
> I found that apropos and whatis from the modern mandoc no longer
> depend on libsqlite.so.
> Maybe it's time to switch to it and make the base image less dependent
> on third-party libraries?

Personally, since sqlite *did* get incorporated into base, I started to rely a bit on it. So does our (base) postfix (check postconf -m). Removing sqlite again would appear a bit willy/nilly to me. That's how the fads of the year are treated in Ubuntu but (hopefully) not in NetBSD.

Moreover, Richard Hipp as its author is doing an awesome job keeping sqlite itself trouble-free and DBs upgradable, too. It is probably the SQL db with the least overhead. Is keeping it in base really a big burden?

Note that I am not arguing against the latest and greatest mandb (without sqlite as a requirement).

Martin Neitzel
Re: would anybody use binary packages for NetBSD/i386 10?
> If you have a system that meets the above, please either reply here (the
> first few people :-) or just answer me privately.

Better late than never: I still run NetBSD (along with many other unixens) actively on my four Atom-N270-powered netbooks (2 * ASUS EeePC 1000H, Samsung NC10, Medion Akoya E1212). I just love the form factor for travelling around. Main tasks are: software development, RTFMing til I die, and giving presentations.

I have one machine running -current and another one running the current stable release (9-STABLE at the moment). These systems build themselves from source.

You could put these in category (e): "still working too good to be thrown away". I mostly just pore over man pages or source code anyway -- a new amd64 multi-core machine wouldn't make things any faster for me.

I use binary pkgs, not in huge numbers but I appreciate their availability very much. Most important for me are:

- pkgin
- tcsh
- screen (I *could* live with tmux, but nesting screen in screen is sooo much less headachy than nesting tmux in screen or vice versa.)
- git, tig
- lynx
- gmake, automake, autoconf
- ngrep

with X11 installations:

- cwm
- dillo

If binary pkgs didn't exist anymore, I could build all of these myself. (I'd do that directly from upstream sources, not via pkgsrc.)

Thanks for all your work!

Martin Neitzel
Re: TrueType fonts not showing up
Steve Blinkhorn:
> I would be grateful for a pointer to a description of how to ensure
> TrueType fonts in /usr/X11R7/lib/X11/fonts/TTF are available for use.
> I have some, but they don't show up with xlsfonts, so I imagine
> there's some misconfiguration or lack of configuration. I last
> tangled with X11 fonts a looong time ago.

Scalable fonts get managed with "font-config", for example:

    fc-list
    fc-list :scalable=true:spacing=mono: family
    xterm -fa 'Luxi Mono' -fs 24

HTH,
Martin Neitzel
Re: Expanding email aliases
SB> Is there a simple way of expanding an email alias, [...]

The command

    sendmail -bv some_alias

should help you. With the original sendmail(8) you get the result on stdout, while Postfix' sendmail-compatibility shim sends you an email with a pseudo delivery report, listing all alias expansions as "Final-Recipients".

Martin Neitzel
Re: pop3 server on NetBSD
Mayuresh asked:
> > Which pop server will be advisable for this. (I'd prefer if it's in the
> base, but if not then pkgsrc is ok.)

We have no POP server in base but quite a few in pkgsrc:

$ pkgin se pop3 | grep -Ei 'server|daemon' | ...
cucipop-1.31nb3      The Cubic Circle POP3 mail server
dovecot-2.3.14       Secure IMAP and POP3 server
imap-uw-2007fnb9     University of Washington's IMAP, POP2, and POP3 servers
nopop3d-20201030     POP3 server for when you don't want mail
popa3d-1.0.3         Secure, reliable, performant, and small pop3 server
pulsar-0.1.1nb10     Small, secure POP3 daemon, featuring native SSL support
solid-pop3d-0.15     Flexible POP3 server
teapop-0.3.8nb20     Yet another RFC1939 compliant POP3 server

Personally, I have good experiences with both cucipop and popa3d. They are small, lean, and easy to configure. These days, one would probably also put them behind a TLS wrapper -- there's "stunnel" in pkgsrc, and it's proven to work nicely together. All these tools also give you IPv6 support. Which "pulsar", sadly, does not.

The dovecot / imap-uw / cyrus-imapd are huge and complex because IMAP has so many more demands. Life is so much easier (server-side) if you can avoid IMAP and really just offer POP3. (Out of those 3, I only like dovecot -- YMMV).

Martin
Re: updating direct from 5 to 9?
>> So what goes wrong is not at the file system level, but MBR and disklabel
>> handling. I dimly recall the disklabel moved into the type 169 MBR partition
>> a long time ago - I bet 4.0 was before that change and this is what
>> now causes the broken wedge auto-detection.

There's an interesting

    switch (dp->mbrp_type) {
#ifdef COMPAT_386BSD_MBRPART
    case MBR_PTYPE_386BSD:
        if (ext_base != 0)
            break;
        /* FALLTHROUGH */
#endif
    case MBR_PTYPE_NETBSD:

in /usr/src/sbin/disklabel/main.c which dates from 2005 if I read the "cvs annotate" correctly.

> Yes, I believe this is ancient history. NetBSD 1.0 would install with a 169
> partition. IIRC before 1.0 you might have ended up with a partition ID
> of 165. It needed to be changed for NetBSD 1.2 to work (I think).

That was a bit later (but still rather early): The move from the 165 (FreeBSD, NetBSD, 386BSD) to the 169 (NetBSD) fdisk partition type happened between NetBSD-1.3 and 1.4. (Revs 1.25+26 of /usr/src/sbin/fdisk/fdisk.c:

    date: 1998-02-25 15:19:12 +0100; author: drochner; state: Exp; lines: +3 -3;
    Use the new NetBSD partition ID for first time setup of an MBR.

)

Martin Neitzel
Re: btrsf
> ZFS is already part of NetBSD On some(?) platforms. For example, amd64 yes, i386 no. Martin Neitzel
Re: Blocklistd blocking ssh despite successful public key authentication
> If not, what else might be triggering an increase in the failed
> login tally?
> Is there somewhere else I should be looking?

Just a month ago I was bitten by an sshd+blocklistd combo, and it puzzled me too for a little while. On that specific day,

(1) I was coming from a customer's office place, outside of my whitelisted "home networks", trying to ssh into my home server.

(2) I already had an ssh-agent running with three or four client-specific ssh keys not relevant for my home server in place. (Which I hadn't exercised much before.)

Turns out that sshd registers all the different keys offered to the server which are not yet the proper one as individual events with blocklistd. I.e., for me on that day, three wrong keys from the agent had been "three strikes out" already, triggering the packetfilter before the proper, standard ~/.ssh/rsa_id could even be offered.

Solution 1 (the proper one): add an .ssh/config entry for your server, nailing the proper client "IdentityFile" from the get-go.

Solution 2 (the quick one): first connect to your server, then start/fill your agent with extra keys.

Note that sshd has its MaxAuthTries limit (default: 6) independently of blocklistd. That is, once you are equipped with a decent amount of different keys, typically but not necessarily with an agent, you'll need to give such identity hints anyway. blocklistd just hurts you noticeably earlier, and probably without any immediate way to recover :-)

Martin Neitzel
Re: Which ARM SBC would work well with NetBSD?
> > o can I create a NetBSD bootable micro SD card, or does one have to
> > use Debian or Android on these A-20 Olimex SBCs?
>
> NetBSD runs fine on A20. You can look at
> http://wiki.netbsd.org/ports/evbarm/allwinner/
> for details on creating a bootable SD card

Another thumbs up from me: I'm using an old Olimex a20-olinuxino-micro and, at least 1+ year ago, it booted netbsd just fine.

> > o can I hook up a serial console via a standard RS232 cable?
>
> No, most SBC use a serial port with TTL levels (usually 0 and +3.3V), not
> RS232 levels. You need a USB-UART adapter like FTDI-based one, or this one:
> https://www.olimex.com/Products/Breadboarding/BB-CH340T/open-source-hardware

I'm using

https://www.olimex.com/Products/Components/Cables/USB-Serial-Cable/USB-SERIAL-F/

which directly connects between the board's pins and a laptop.

I also have serial links between my ARM boards at the 3.3V level, using three simple jump wires from, say,

https://www.olimex.com/Products/Breadboarding/JUMPER-WIRES/JW-200x10-FF/

(Their images just feature male ends; make sure you order the correct FF/MM/FM/ ends.)

This is dirt cheap and extremely helpful, in particular with the very early boot stages.

Martin Neitzel
Re: TOTP apps, and WebAuthn recommended devices?
> I wonder if there are good TOTP programs in pkgsrc and what
> people recommend.

I'm a happy user of "oath-toolkit", too. I wrapped that into a small shell script which lets me easily select any of the few TOTP secrets I have collected so far. It also tracks the token changes on the full and half minute.

Have fun,
Martin

    #!/bin/sh

    case "$1" in
    -h*)    secret=YOUR ;;
    -z*)    secret=SECRETS ;;
    -m*)    secret=GO_HERE ;;
    ?*)     secret=$1 ;;
    "")     echo "usage: $0 [ -h | -z | -m | ]"
            exit 1 ;;
    esac

    # https://www.youtube.com/watch?v=Q3mgapAcVdU
    # we gotta get out of this place, but cleanly:
    trap "exit 0" INT

    while true; do
        t=`date +%S`
        date +"%T, current & next token (changes on seconds :00 and :30):"
        oathtool --totp -w1 -b $secret
        # gotcha! SOMETIMES, $t may come in as 08 or 09 which would be
        # illegal octal numbers -- we need to nuke a leading "0":
        sleep $(( 1 + 30 - (${t#0} % 30) ))
    done

    # and if it's the last thing we ever do...
    # 2FA -- 2 Factor Audio, here's the 2nd factor:
    # https://www.youtube.com/watch?v=lsuQO77n9SE
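An added example, not from the post above: what oathtool --totp -w1 -b computes, written out in POSIX sh plus openssl(1) (base32 decoding, HMAC-SHA1, RFC 4226 dynamic truncation, the 30 s step and the "current and next token" window), so the behaviour can be checked against the RFC 6238 test vectors. Function names are constructed; it also sidesteps the leading-zero octal gotcha the script works around by taking the epoch time from date +%s.

```shell
#!/bin/sh
# Added example, not from the original post: a TOTP generator (RFC 6238, the
# scheme oathtool --totp -b implements) in POSIX sh plus openssl(1), so the
# "token for this and the next 30 s step" output of the wrapper script can be
# reproduced and checked against the RFC test vectors. Assumes openssl(1)
# with "dgst -mac HMAC"; awk, tr, cut, printf and date are POSIX.

# b32_to_hex BASE32: decode an RFC 4648 base32 secret (the -b format) to hex.
b32_to_hex() {
    printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '= ' | awk '
        BEGIN { alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" }
        {
            bits = ""
            for (i = 1; i <= length($0); i++) {
                v = index(alpha, substr($0, i, 1)) - 1
                if (v < 0) exit 1            # not a base32 character
                for (j = 4; j >= 0; j--) bits = bits (int(v / 2 ^ j) % 2)
            }
            for (i = 1; i + 7 <= length(bits); i += 8) {   # whole bytes only
                byte = 0
                for (j = 0; j < 8; j++) byte = byte * 2 + substr(bits, i + j, 1)
                printf "%02x", byte
            }
            printf "\n"
        }'
}

# be64 N: write N as 8 big-endian bytes; octal escapes let NUL bytes through.
be64() {
    fmt=""
    for s in 56 48 40 32 24 16 8 0; do
        fmt="$fmt\\$(printf '%03o' $(( ($1 >> s) & 255 )))"
    done
    printf "$fmt"
}

# hotp HEXKEY COUNTER DIGITS: RFC 4226 HMAC-SHA1 plus dynamic truncation.
hotp() {
    mac=$(be64 "$2" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" | awk '{ print $NF }')
    off=$(( 0x$(printf '%s' "$mac" | cut -c40) & 15 ))    # low nibble of last byte
    word=$(printf '%s' "$mac" | cut -c$((2 * off + 1))-$((2 * off + 8)))
    mod=1; i=0
    while [ "$i" -lt "$3" ]; do mod=$((mod * 10)); i=$((i + 1)); done
    printf "%0${3}d\n" $(( (0x$word & 0x7fffffff) % mod ))
}

# totp BASE32SECRET [UNIXTIME] [DIGITS] [STEP]: token for the step containing
# UNIXTIME (default: now, taken from date +%s, which never has a leading zero
# and so never trips the octal problem that date +%S has in $(( ))).
totp() {
    key=$(b32_to_hex "$1") || return 1
    now=${2:-$(date +%s)}
    step=${4:-30}
    hotp "$key" $(( now / step )) "${3:-6}"
}

# totp_window BASE32SECRET [UNIXTIME]: what "oathtool --totp -w1" shows:
# the current token, the next one, and how long the current one stays valid.
totp_window() {
    now=${2:-$(date +%s)}
    printf 'valid for %2d s: %s\n' $(( 30 - now % 30 )) "$(totp "$1" "$now")"
    printf 'next token     : %s\n' "$(totp "$1" $(( now + 30 )))"
}

# Run from the command line with a base32 secret as the only argument.
if [ -n "${1:-}" ]; then
    totp_window "$1"
fi
```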
Re: Blocklistd + postfix
Brook Milligan wrote:
BM> Does it make sense that failed SMTP authentication should trigger
BM> blocklistd events?

Basically yes. I don't know, though, whether the trigger should be implemented at the postfix level, the underlying SASL mechanism used, or even the PAM framework.

And whether or not one makes use of it depends on the actual circumstances, just like Greg already wrote. I'd happily activate it on my personal mail server without any problems. On the mailservers we operate as an ISP for business customers, it's a decision which can be tricky to balance. It will always happen that one user with an incorrect or outdated config will trigger the block for all the colleagues working from behind the same NAT address. This can usually be resolved quickly enough for a small customer with, say, just 5 accounts; with 20 mail accounts, the odds of this happening just rise and the impact becomes much worse. In the best case, the mail customer is using static addresses we can exempt from being blocked.

What irks me about blocklistd(8) is the lack of a way of correcting such mishaps quickly. blocklistctl(8) should not just have the current "dump" sub-command to investigate the blocked entries; having some "release/cleanup" facilities would be a real bonus. Restoring access directly with npfctl (or whatever is used) doesn't feel right to me.

Martin Neitzel
Re: Blocklistd + postfix
> More generally, how does one discover which NetBSD daemons can trigger
> blocklistd events?

The calls to register events with blocklistd are all provided by a library, so ldd(1) on a binary gives you a very strong hint. For example:

    $ ldd /usr/sbin/sshd    # NetBSD 8-stable
    [...]
        -lblacklist.0 => /usr/lib/libblacklist.so.0
    [...]

Being a shared lib, it could also *not* be in such a list but still be dynamically loaded. Which is why I'd rather prefer to have any use of bl[ao]cklistd mentioned in the man page. Which, alas, happens not to be the case for sshd(8).

> Is it possible for the NetBSD postfix to trigger blocklistd events?

For what it's worth, nothing in /usr/libexec/postfix uses the lib.

Martin Neitzel
Re: Blacklistd configuration
Hi Joel,

> I have installed blacklistd on -10.0 and, while the daemon runs fine, it
> doesn't block attacks. I have read several pages and I suppose I have
> done a misconfiguration somewhere.
>
> My configuration is very simple. I only have to block ssh. thus, I have
> written in /etc/blacklistd.conf :

Looks basically good to me, but two ideas to verify things:

(1) It's blAcklistd* in up to NetBSD-9, but blOcklistd* from 10 on.

(2) Make sure that wm2 is your outward interface and not, say, pppoe (over wm2). You could also simply leave off the "wm2:" spec in your config file.

> I suppose something is missing between ssh and blacklistd. And I don't
> understand how 'ruleset "blacklistd"' works. man npf.conf doesn't help.

It's documented in blocklistd(8), see "-C" and:

FILES
     /libexec/blocklistd-helper
             Shell script invoked to interface with the packet filter.

Martin Neitzel
Re: Blacklistd configuration
Hi Joel,

> I have in -10 blAcklistd and blOcklistd. Is blacklistd now unsupported?
> Man pages seem to be very similar.

It's just a renaming, and blocklistd gets continuing support. On a "true" netbsd-10-release (not available yet), there should be just blocklistd. Maybe you have old blAcklistd remnants from upgrading into your release-candidate? I'd just use blOcklistd on anything 10-ish. Make sure you match the proper daemon with the proper config file; without an explicit "-c configfile" option, blocklistd will use blocklistd.conf -- not blacklistd.conf.

> I have checked /libexec/blacklistd-helper. But as blacklistctl dump
> doesn't return anything, I suppose something is broken before call of
> /libexec/blacklistd-helper.

Things which got me when I did the ssh filter setup:

- "blacklistctl dump" without options only shows "embryonic" clients -- clients which have been reported but not yet reached the limit to get blocked. "-a"/"-b" is required to see currently blocked clients (according to bl[ao]cklistd). These should then also show up in npf:

      npfctl rule blacklistd list

- There are certain forms of ssh connects which the client doesn't complete and where sshd never notifies blacklistd. For example, if you only accept key-based logins and the client never gets to the stage where it guesses passwords, this will not make it to blacklistd -- even when the client keeps hammering on with new connects. IIRC, one sees lots of "pre-authorized client disconnects" in the auth.log

Martin Neitzel
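The ssh-only setup the two replies above discuss, as an added example of /etc/blocklistd.conf for NetBSD 10 (not Joel's file, which the archive did not preserve); the line format follows blocklistd.conf(5), the thresholds are assumed values, and wm2 is the interface name from the thread:

```text
# Added example, not from the thread. Fields: location type proto owner name nfail disable
[local]
# Plain form: watch the "ssh" service on every interface/address, block an
# address after 3 reported failures for 24 hours.
ssh          stream  *       *       *       3       24h
# Interface-qualified form as in the original config. Only correct when wm2
# really is the outward interface; with pppoe over wm2 the pppoe interface
# would have to be named here instead. Leave it off if in doubt.
#wm2:ssh     stream  *       *       *       3       24h
```

Until the nfail count is reached an address only shows up in "blocklistctl dump" without "-a"/"-b", which is the "embryonic" state described above.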
Re: Problems with blocklistd: user error?
> Any ideas about what caused blocklistd to decide that my rather normal
> [ssh] activity was not good?

This is what had happened to me: Sshd registers any attempted but non-matching ssh-key presented by the client with blocklistd and these can add up and eventually trip the critical threshold. An eventually successful login doesn't reset the bad marks collected by the prior failed attempts. (You can see failed attempts with "ssh -v".)

The problem is more likely to show up with a client which accumulates both older and newer key types or more keys in a key-agent. The only solution is to use your .ssh/config and an "IdentityFile" directive to present the proper key to the server from the get-go.

Martin Neitzel
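The client-side fix the reply recommends, as an added ~/.ssh/config example (not from the post); host name and key file name are placeholders. It also adds IdentitiesOnly, which the post does not mention, because ssh offers agent keys before the configured IdentityFile and each non-matching offer is one more failed attempt reported to blocklistd:

```text
# Added example, not from the post. Placeholders: mailhost.example.org, id_ed25519_mailhost
Host mailhost.example.org
    # Present this key first ...
    IdentityFile ~/.ssh/id_ed25519_mailhost
    # ... and only this one: without IdentitiesOnly, every key held by the
    # ssh-agent is still tried before the configured file, and each refusal
    # counts against the client.
    IdentitiesOnly yes
```

Check the effect with "ssh -v": there should be exactly one "Offering public key" line before "Authentication succeeded".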
Re: How to render Groff / troff output directly on the terminal
IRI> groff -ms -Tps test.ms > test.ps
IRI> gs test.ps
IRI>
IRI> Is there a way to render groff / troff's output directly to the
IRI> terminal similar to the way man outputs to the terminal?

Depending on your terminal's locale, format for the ascii, latin1, or utf8 backend. That is, instead of -Tps use one of

    -Tascii
    -Tlatin1
    -Tutf8

There is also the grotty(1) frontend (as a replacement for the groff(1) frontend) which may or may not tailor things even more to terminal output. (So far, I never used it myself.)

Martin
Re: Rackmount Server for NetBSD in 2023
>From bounces-netbsd-users-owner-neitzel=hackett.marshlabs.gaertner...@netbsd.org Mon Nov 27 03:53:36 2023
Authentication-Results: marshlabs-mx.gaertner.de; dmarc=fail (p=none dis=none) header.from=ecs.vuw.ac.nz
Authentication-Results: marshlabs-mx.gaertner.de; spf=pass smtp.mailfrom=NetBSD.org
Date: Mon, 27 Nov 2023 15:53:12 +1300
MIME-Version: 1.0
Subject: Re: Rackmount Server for NetBSD in 2023
To: Frank Wille , netbsd-users@NetBSD.org
From: Mark Davies
Content-Type: text/plain; charset=UTF-8; format=flowed

On 15/11/23 04:07, Frank Wille wrote:
> The current server is a HP ProLiant DL360 G5, Xeon 5160 3GHz, supporting the
> HP hardware RAID via ciss(4).

As I just learned trying out 10RC1 on a DL360 G6 with an HP Smart Array P410i RAID controller: Yes, ciss(4) does recognize the controller but as the man page says: there are no RAID config changes possible. You can only view the status of the logical & physical drives using bioctl(1). You cannot redefine logical drives with bioctl(1). Other operations were hit and miss:

+ turning the physical drives ID lights on/off worked
- no info about the BBWC battery (I checked the associated envsys section)
- none of the "bioctl alarm" subcommands worked

Another thing I learned on this DL360 G6: A Xeon 5550 has the VMX and PTE flags but not the UG="Unrestricted Guest" flag/feature. This precludes the use of nvmm(4) virtualization. I wish nvmm(4) would be more transparent on its requirements, both in its man page and in its diagnostic output. I wouldn't have bothered with this box at all if I had known before that it is unsuitable for nvmm(4).

Martin Neitzel
Re: Rackmount Server for NetBSD in 2023
Sorry for the un-removed header!

Martin Neitzel
Re: NetBSD-10.0RC
Todd Gruhn:

> in /etc (on wd0) i screwed up rc.conf ; how do I copy an original-version
> to the hard disk?

By default, a NetBSD system will backup all /etc files every night at 03:15. (This is done from the "security" script, which is invoked from the "daily" script, which in turn is started from cron(8)). Any changes are by default registered in an RCS history:

    # ls -l /var/backups/etc/rc.conf*
    -rw-r--r--  1 root  wheel   869 Aug  6 03:15 /var/backups/etc/rc.conf.current
    -r--r--r--  1 root  wheel  3511 Aug  6 03:15 /var/backups/etc/rc.conf.current,v

The "rc.conf.current" is the most recent version of rc.conf saved (which may already be the hosed one). The rc.conf.current,v is the RCS file with the current and all prior versions. See rcsintro(1), rlog(1), co(1).

Martin Neitzel
Re: bl[ao]cklistd/apache integration
JYM> Does someone know whether there is an "integration" of bl*cklistd with a
JYM> web server?

Your question made me wonder about our (bozo)httpd coming with the base system, so I checked. The first blocklistd support code appeared with:

NetBSD-9.2, 9.3, 9-stable: The man page is promising, read the BLOCKLIST SUPPORT section. However, the netbsd9 is compiled with -DNO_BLOCKLIST_SUPPORT, and that support is *not* active. To compile *with* support, retrofit these four lines in /usr/src/libexec/httpd to the 9's "blacklist" spelling:

    bozohttpd.h:#include
    bozohttpd.c:static struct blocklist *blstate;
    bozohttpd.c:blstate = blocklist_open();
    bozohttpd.c:(void)blocklist_r(blstate, what, 0, http_errors_short(code));

In "Makefile",
- nuke -DNO_BLOCKLIST_SUPPORT from COPTS+=
- add -lblacklist to LDADD

NetBSD-10 (RCs and upcoming), -current: has indeed the support compiled in out of the box; there appear to be no functional changes.

Martin Neitzel
Re: NetBSD Localization
> I can use setxkbmap in X to change the input language. If I am in text
> mode and not in X how can I switch the input language?

See wsconsctl(8), in particular the first example there.

NetBSD's apropos(1) command is full-text and phrase-based and can help you to find the proper commands/man-pages yourself. In this case,

    apropos -1 -8 -5 -7 keyboard layout

works pretty nicely. "man -k ..." does just the same kind of search. The result order is based on "relevance" of the search words as a phrase in the man-page. Be imaginative about the search words.

    apropos -1 -8 -5 -7 input language

would direct you to NLS(7), describing the POSIX "locale" system.

Because apropos(1) standard search/result output is often voluminous, I usually prefer "apropos -l" legacy searches. These just cover the one-line "NAME" entry of any man-page, such as

    NAME
         ls – list directory contents

The phrases here, just single search words. Results in this case:

    % apropos -l -1 -8 -5 -7 keyboard
    x68k/loadkmap(1) - load and set the x68k console keyboard map

    % apropos -l -1 -8 -5 -7 console
    wscons.conf(5) - workstation console config file
    i386/console(4) - i386 console interface
    amiga/console(4) - amiga console interface
    iteconfig(8) - modify console attributes at run time
    x86/boot_console(8) - selection of a console device in the x86 bootloader
    x68k/loadkmap(1) - load and set the x68k console keyboard map
    x68k/loadfont(1) - load and set font for the NetBSD /x68k console

That is, no reference to wsconsctl(1) here, a misleading entry for iteconfig(8) (Amiga/Atari only), but the wscons.conf(5) is a proper hit here.

Martin Neitzel
Re: OAUTH TOTP
PW> Apparently I need to "purchase an inexpensive OATH TOTP compatible
PW> token device."

Here's another "thumbs-up" for the pkg "oath-toolkit". I drive its oathtool(1) with a simple, rwx-- shell wrapper which collects my personal seed secrets and tells me both the current and upcoming TOTP, syncing on the HH:MM:{00,30} switch-overs. (With an intentional off-by-one, cannot remember why I preferred it that way, though. The sample seeds below are not the real thing -- no worries.)

Oh: exit the loop with Ctrl-C.

Martin Neitzel

#!/bin/sh
# Pick the base32 TOTP seed by option letter, or take it literally from $1.
case "$1" in
-h*|-hzi)        secret=LDCKNdVBUJUWMCDBCDOKQSDLC ;;
-g*|-github)     secret=KMSXBBSPVOFBWCKX ;;
-m*|-microsoft)  secret=sxok3dck8skxn9sx ;;
-o*|-oci)        secret="SLODCNCDJNCDJBDCJBDCJBSXNI" ;;
-*)              echo "$1: no such option" 1>&2 ; exit 1 ;;
?*)              secret=$1 ;;
"")              echo "usage: $0 [ -h | -m | -g | -o | ]"
                 exit 1 ;;
esac

# Ctrl-C ends the loop cleanly instead of leaving a non-zero exit status.
trap "exit 0" INT
while true; do
    t=`date +%S`
    date +"%T, current & next token (changes on seconds :00 and :30):"
    # -w1: also print the next window's token; -b: seed is base32.
    oathtool --totp -w1 -b $secret
    # gotcha! $t may come as 08 or 09 which would be illegal octal
    # numbers -- so we need to nuke a leading "0":
    sleep $(( 1 + 30 - (${t#0} % 30) ))
done
Re: efibootmgr
VS> Does NetBSD have efibootmgr or any similar utilities to add/modify
VS> UEFI boot entries?

apropos(1) doesn't turn up "efibootmgr or any similar utilities" as in Free/DragonflyBSD, but gpt(8) may be able to do what you need:

     gpt set -l
     gpt set [-a attribute] [-N] [-i index] [-b startsec]
             The set command sets various partition attributes. The -l flag lists all available attributes. The -a option specifies which attributes to set and may be specified more than once, or the attributes can be comma-separated. If the -N option and no -a option are specified, all attributes are removed. The -i or the -b option specify which entry to update.

             The possible attributes are “biosboot”, “bootme”, “bootonce”, “bootfailed”, “noblockio”, and “required”. The biosboot flag is used to indicate which partition should be booted by legacy BIOS boot code. See the biosboot command for more information. The bootme flag is used to indicate which partition should be booted by UEFI boot code. The other attributes are for compatibility with FreeBSD and are not currently used by NetBSD. They may be used by NetBSD in the future.

[Same for NetBSD-8/9/10/current; caveat: I'm pretty clueless about UEFI myself.]

Martin Neitzel
Re: framebuffer console on old ATI
Another late responder, a happy one, though:

> > The following patch (against -current from about 4 years ago) will
> > enable matching R100/R200 devices:
> >
> > +Index: sys/external/bsd/drm2/radeon/radeon_pci.c
> > [...]
> > + /* Set this to false if you want to match R100/R200 */
> > +-bool radeon_pci_ignore_r100_r200 = true;
> > ++bool radeon_pci_ignore_r100_r200 = false;

A zillion thanks to John Baker for mailing this! I changed this on my old HP Proliant DL360 G6 with its ATI ES1000 (RV100) onboard graphics two weeks ago and --voila-- instant karma! I get now the radeon framebuffer console with proper 1280x1024 resolution and clearly readable text (green, black, and white all as they should be); X11 also improved: 640x480 vga/vesa before, 1280x1024 radeon gfx now.

Thanks again, Martin Neitzel
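Review bot: flipping the initialiser of radeon_pci_ignore_r100_r200 from true to false turns on matching for every R100/R200 device with nothing but the inline comment "Set this to false if you want to match R100/R200" as documentation, and the follow-up in this thread reports ES1000 rev. 0x02 (RN50) boards in several HP, IBM and Dell servers coming up "almost-black-on-black" with exactly this change applied. Before this goes beyond a private kernel, the switch should be reachable without editing radeon_pci.c (a kernel option or a boot-time knob) and the known-bad board revisions noted next to it, so the old default stays in effect where the new one regresses.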
Re: framebuffer console on old ATI
JDB> Interesting that this works for you. I have several machines with the
JDB> ATI ES1000 rev. 0x02 (RN50) video device: HP DL380G5, HP ML310G4, IBM
JDB> x3650, Dell PowerEdge 2850 and they all exhibit the "almost-black-on-black"
JDB> video problem when booting a kernel built with the patch applied and
JDB> radeondrmkms, etc. enabled.

In case it helps, this works for me with netbsd-10-stable and the one-line change. pcictl(1) says

    001:03:0: ATI Technologies ES1000 (VGA display, revision 0x02)

Here is the pertaining dmesg block:

    [drm] initializing kernel modesetting (RV100 0x1002:0x515E 0x103C:0x31FB 0x02).
    [drm] register mmio base: 0xf5ff
    [drm] register mmio size: 65536
    radeon0: VRAM: 128M 0xE800 - 0xEFFF (64M used)
    radeon0: GTT: 512M 0xC800 - 0xE7FF
    [drm] Detected VRAM RAM=80M, BAR=128M
    [drm] RAM width 16bits DDR
    Zone kernel: Available graphics memory: 9007199253233986 KiB
    Zone dma32: Available graphics memory: 2097152 KiB
    [drm] radeon: 64M of VRAM memory ready
    [drm] radeon: 512M of GTT memory ready.
    [drm] GART: num cpu pages 131072, num gpu pages 131072
    [drm] PCI GART of 512M enabled (table at 0x451D2000).
    radeon0: WB disabled
    radeon0: fence driver on ring 0 use gpu addr 0xc800 and cpu addr 0x0xa6bfc272f000
    [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
    [drm] Driver supports precise vblank timestamp query.
    radeon0: interrupting at ioapic0 pin 23 (radeon0)
    [drm] radeon: irq initialized.
    [drm] Loading R100 Microcode
    [drm] radeon: ring at 0xC8001000
    [drm] ring test succeeded in 1 usecs
    [drm] ib test succeeded in 0 usecs
    [drm] No TV DAC info found in BIOS
    [drm] Radeon Display Connectors
    [drm] Connector 0:
    [drm]   VGA-1
    [drm]   DDC: 0x60 0x60 0x60 0x60 0x60 0x60 0x60 0x60
    [drm]   Encoders:
    [drm]     CRT1: INTERNAL_DAC1
    [drm] Connector 1:
    [drm]   VGA-2
    [drm]   DDC: 0x6c 0x6c 0x6c 0x6c 0x6c 0x6c 0x6c 0x6c
    [drm]   Encoders:
    [drm]     CRT2: INTERNAL_DAC2
    radeondrmkmsfb0 at radeon0
    [drm] Initialized radeon 2.50.0 20080528 for radeon0 on minor 0
    radeondrmkmsfb0: framebuffer at 0xe804, size 1280x1024, depth 16, stride 2560
    wsdisplay0 at radeondrmkmsfb0 kbdmux 1: console (default, vt100 emulation), using wskbd0

Monitor is a trusty old "ViewSonic VPS191s". (I like these because they can still sync-on-green and work with old SGI gear.)

Martin Neitzel
Re: NetBSD 10 and framebuffer consoles setup vs 9.3 (font, multiple...)
ST> That of course means being able to read the DPI from somewhere, but isn't
ST> that a thing that EDID does?

RVP> There's no DPI present in the EDID data, as far as I know (DisplayID
RVP> has horiz. and vert. pixel counts which could be used in combination
RVP> with the display size values).

EDID provides both a coarse display size (height & width in cm) as part of the "EDID Basic display parameters" and mm-exact sizes along with every "EDID Detailed Timing Descriptor" (which also specify the size in pixels). So yes: it *is* possible to derive the DPI from the EDID info.

Martin Neitzel

Ref: https://en.wikipedia.org/wiki/Extended_Display_Identification_Data
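The derivation the reply describes, carried out in code as an added example (not part of the post or of any NetBSD driver): read the coarse cm size from the basic display parameters (bytes 21/22 of the 128-byte base block) and the mm-exact size plus pixel counts from each 18-byte detailed timing descriptor, then compute DPI, falling back to the cm figure when no descriptor carries mm sizes. The EDID block is constructed for the example, not a real monitor dump.

```python
def parse_edid_sizes(edid: bytes):
    """Return (coarse_cm, dtds) from a 128-byte EDID base block: coarse_cm is
    (h, v) in cm from the basic display parameters; each dtd entry is
    (hpix, vpix, hmm, vmm) taken from a detailed timing descriptor."""
    if len(edid) < 128 or edid[:8] != b'\x00\xff\xff\xff\xff\xff\xff\x00':
        raise ValueError("not an EDID base block")
    if sum(edid[:128]) % 256 != 0:            # all 128 bytes must sum to 0 mod 256
        raise ValueError("bad EDID checksum")
    coarse_cm = (edid[21], edid[22])          # 0,0 means unknown (e.g. projectors)
    dtds = []
    for off in range(54, 126, 18):            # four 18-byte descriptor slots
        d = edid[off:off + 18]
        if d[0] == 0 and d[1] == 0:           # pixel clock 0: a display descriptor, not a timing
            continue
        hpix = d[2] | ((d[4] & 0xF0) << 4)    # low byte plus upper nibble
        vpix = d[5] | ((d[7] & 0xF0) << 4)
        hmm = d[12] | ((d[14] & 0xF0) << 4)   # image size in mm, same 8+4 bit split
        vmm = d[13] | ((d[14] & 0x0F) << 8)
        dtds.append((hpix, vpix, hmm, vmm))
    return coarse_cm, dtds


def dpi_from_edid(edid: bytes):
    """(horizontal DPI, vertical DPI) from the first DTD with mm sizes, else
    from the coarse cm size; None when the EDID gives no usable size at all."""
    coarse, dtds = parse_edid_sizes(edid)
    for hpix, vpix, hmm, vmm in dtds:
        if hmm and vmm:
            return hpix / (hmm / 25.4), vpix / (vmm / 25.4)
    if coarse[0] and coarse[1] and dtds:      # cm-resolution fallback
        hpix, vpix = dtds[0][:2]
        return hpix / (coarse[0] / 2.54), vpix / (coarse[1] / 2.54)
    return None


def constructed_edid() -> bytes:
    """Made-up EDID 1.3 block for a 1280x1024 panel of 376 x 301 mm; not a real dump."""
    e = bytearray(128)
    e[0:8] = b'\x00\xff\xff\xff\xff\xff\xff\x00'
    e[18], e[19] = 1, 3                        # EDID version 1.3
    e[21], e[22] = 38, 30                      # coarse size in cm
    d = bytearray(18)
    d[0:2] = (10800).to_bytes(2, 'little')     # pixel clock 108.00 MHz (units of 10 kHz)
    d[2], d[4] = 1280 & 0xFF, (1280 >> 8) << 4
    d[5], d[7] = 1024 & 0xFF, (1024 >> 8) << 4
    d[12], d[13] = 376 & 0xFF, 301 & 0xFF
    d[14] = ((376 >> 8) << 4) | (301 >> 8)
    e[54:72] = d
    e[127] = (-sum(e[:127])) % 256             # checksum byte
    return bytes(e)
```

For the constructed panel both axes come out at about 86.4 DPI from the mm sizes; the cm fallback differs by about a dot per inch, which is the precision loss the coarse field implies.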