Re: /usr/local/lib/ruby/site_ruby/1.8/i386-openbsd/RRD.so: Cannot load specified object

2014-07-02 Thread Wesley MOUEDINE ASSABY

Hi,

Running the web app gives me this in production.log:

Processing DashboardController#index (for 192.168.0.20 at 2014-07-02 
11:58:53) [GET]

  Parameters: {"controller"=>"dashboard", "action"=>"index"}
LoadError (Cannot load specified object - 
/usr/local/lib/ruby/site_ruby/1.8/i386-openbsd/RRD.so):

  /usr/local/lib/ruby/site_ruby/1.8/i386-openbsd/RRD.so
  lib/rrdmon.rb:4
  app/controllers/dashboard_controller.rb:7:in `index'

Below is the beginning of the dashboard_controller.rb file:
class DashboardController < ApplicationController
  def index
    @proc = Mailserver.new.processes
    @updates = Mailserver.new.updates
    # problem to load rrdtools - can not load specified object RRD.so
    Rrdmon.new.daily
  end


The error went away during the install process when using LD_PRELOAD.

But I don't know how to correct this app, if you can help me.

Thank you very much.







Rendering /var/mailserv/admin/public/500.html (500 Internal Server 
Error)


On 01.07.2014 03:14, Stuart Henderson wrote:

On 2014-06-30, Wesley MOUEDINE ASSABY  wrote:

dlopen: /usr/local/lib/ruby/site_ruby/1.8/i386-openbsd/RRD.so: done
(failed).
/usr/local/lib/ruby/site_ruby/1.8/i386-openbsd/RRD.so: Cannot load
specified object - 
/usr/local/lib/ruby/site_ruby/1.8/i386-openbsd/RRD.so

...


and verify now : ldconfig -r | grep libpthread.so.18.0
68:-lpthread.18.0 => /usr/lib/libpthread.so.18.0

and the file exists.

I don't understand why it is not loaded ...


dlopen() doesn't automatically pull in libpthread. Either the main
program must be linked against it, or you need LD_PRELOAD.


On 2014-06-30, Wesley MOUEDINE ASSABY  wrote:

On 30.06.2014 18:11, Ted Unangst wrote:


LD_PRELOAD=libpthread.so ruby 


I tried this : env LD_PRELOAD=/usr/lib/libpthread.so.18.0 ruby18
path_to_rb
The error go away. But the ruby app doesn't work.


So this fixed one problem, now you have another and need to debug a
bit further..




Re: ViewVC

2014-07-02 Thread Kirill Bychkov
On Wed, July 2, 2014 10:04, Stefan Sperling wrote:
> On Tue, Jul 01, 2014 at 08:36:29PM -0400, Predrag Punosevac wrote:
>> I am trying to run ViewVC in the stand alone server mode on the new svn
>> server (OpenBSD 5.5 amd64).  Since ViewVC is not in ports I downloaded
>> 1.1.22 package from CollabNet website. ViewVC keeps crashing
>> while I browse my SVN repos. They are rather large. I am not using any
>> kind of proxy but rather forcing built in server to listen on the port
>> 80.
>
> IIRC viewvc uses Subversion's python bindings. Did you install them?
> pkg_add py-subversion
>
>> Does anyone have any experience running ViewVC on OpenBSD recently? I am
>> tempted to try to use Nginx as a proxy or install Apache 2 and use CGI
>> mode via ScriptAlias for ViewVC. The latter is running fine in our
>> current setup on Scientific Linux 6.2 which I am trying to migrate to
>> OpenBSD. Unfortunately moving to Trac (which would be my strong
>> preference) or WebSVN will probably cause ruffle feathers, a condition I
>> want to avoid.
>>
>> Predrag
>
> WebSVN is fairly broken with SVN 1.8. Don't bother. (Which reminds me
> I've been meaning to remove it but was still waiting for patches
> promised by someone, which never arrived).

Yes, we decided that it should be updated to 0.63 or killed. I have no patch
yet, sorry...



current/i386 panics on Asus J1800I-C

2014-07-02 Thread Jan Stary
So I got me this Asus board with an integrated Celeron
http://www.asus.com/Motherboards/J1800IC/specifications/
and put 2G of Crucial RAM in it.

"A PC is a PC is a PC" I can hear you say,
but somehow I can't get current/i386 to run on it.

Using another current/i386 machine as an installer,
I installed current/i386 on a Samsung 250GB SATA disk
(installing onto the external sd1). Then I put this
SATA disk into the Asus board to boot from it.

Firstly, it didn't even _try_ to boot from it.
The POST screen mentioned the disk is there
(with the correct Samsung code and all),
but went straight to BIOS; in the BOOT menu,
the disk was not an option (just PXE).

That was my first encounter with the UEFI "Secure Boot" horror
- and there was no way to "disable" it, the "enabled" setting
was gray'ed out. I set the "OS type" to "Other" (as opposed to
"Windows 8", the only other option), no change. Then I deleted
the database of "keys" - that made the Secure Boot "disabled",
but it still didn't try to boot from the disk, and didn't even
present it as an option in the boot menu.

Only after upgrading to the latest BIOS
http://www.asus.com/Motherboards/J1800IC/HelpDesk_Download/
I am presented with "CMS settings" where I can somehow make
other systems (other boot loaders) allowed.
So now it finally gets to the OpenBSD boot loader.

But /bsd panics during boot, /bsd.sp and /bsd.rd panic too.
I don't know if the previous is relevant to it.

The board has a serial console, but I can't get it to work
(the manual does not specify the baud rate, I tried all
baud rates from 9600 to 115200 that I have met, but 
I never get anything after "connected"); so here are
the pictures (sorry):

/bsd
http://stare.cz/dmesg/asus-J1800IC-bsd-panic.jpg
http://stare.cz/dmesg/asus-J1800IC-bsd-trace.jpg
http://stare.cz/dmesg/asus-J1800IC-bsd-ddbcpu.jpg
(the last command just sits there)

/bsd.sp
http://stare.cz/dmesg/asus-J1800IC-bsdsp-panic.jpg
http://stare.cz/dmesg/asus-J1800IC-bsdsp-trace.jpg

/bsd.rd
http://stare.cz/dmesg/asus-J1800IC-bsdrd-panic.jpg


I don't think these newer machines are even supposed to work without ACPI
- indeed, disabling ACPI makes /bsd panic in identifycpu().
What can I do to further debug it?

Jan



Re: current/i386 panics on Asus J1800I-C

2014-07-02 Thread Otto Moerbeek
On Wed, Jul 02, 2014 at 12:43:58PM +0200, Jan Stary wrote:

> So I got me this Asus board with an integrated Celeron
> http://www.asus.com/Motherboards/J1800IC/specifications/
> and put 2G of Crucial RAM in it.
> 
> "A PC is a PC is a PC" I can hear you say,
> but somehow I can't get current/i386 to run on it.
> 
> Using another current/i386 machine as an installer,
> I installed current/i386 on a Samsung 250GB SATA disk
> (installing onto the external sd1). Then I put this
> SATA disk into the Asus board to boot from it.
> 
> Firstly, it didn't even _try_ to boot from it.
> The POST screen mentioned the disk is there
> (with the correct Samsung code and all),
> but went straight to BIOS; in the BOOT menu,
> the disk was not an option (just PXE).
> 
> That was my first encounter with the UEFI "Secure Boot" horror
> - and there was no way to "disable" it, the "enabled" setting
> was gray'ed out. I set the "OS type" to "Other" (as opposed to
> "Windows 8", the only other option), no change. Then I deleted
> the database of "keys" - that made the Secure Boot "disabled",
> but it still didn't try to boot from the disk, and didn't even
> present it as an option in the boot menu.
> 
> Only after upgrading to the latest BIOS
> http://www.asus.com/Motherboards/J1800IC/HelpDesk_Download/
> I am presented with "CMS settings" where I can somehow make
> other systems (other boot loaders) allowed.
> So now it finally gets to the OpenBSD boot loader.
> 
> But /bsd panics during boot, /bsd.sp and /bsd.rd panic too.
> I don't know if the previous is relevant to it.
> 
> The board has a serial console, but I can't get it to work
> (the manual does not specify the baud rate, I tried all
> baud rates from 9600 to 115200 that I have met, but 
> I never get anything after "connected"); so here are
> the pictures (sorry):
> 
> /bsd
> http://stare.cz/dmesg/asus-J1800IC-bsd-panic.jpg
> http://stare.cz/dmesg/asus-J1800IC-bsd-trace.jpg
> http://stare.cz/dmesg/asus-J1800IC-bsd-ddbcpu.jpg
> (the last command just sits there)
> 
> /bsd.sp
> http://stare.cz/dmesg/asus-J1800IC-bsdsp-panic.jpg
> http://stare.cz/dmesg/asus-J1800IC-bsdsp-trace.jpg
> 
> /bsd.rd
> http://stare.cz/dmesg/asus-J1800IC-bsdrd-panic.jpg
> 
> 
> I don't think these newer machines are even supposed to work without ACPI
> - indeed, disabling ACPI makes /bsd panic in identifycpu().
> What can I do to further debug it?
> 
>   Jan

Use google...

http://archives.neohapsis.com/archives/openbsd/2014-05/1637.html

-Otto



Re: /usr/local/lib/ruby/site_ruby/1.8/i386-openbsd/RRD.so: Cannot load specified object

2014-07-02 Thread Wesley MOUEDINE ASSABY

Now, it works using your advice, the following at startup
export LD_PRELOAD=/usr/lib/libpthread.so.18.0


Thank you very much.

--

On 01.07.2014 03:14, Stuart Henderson wrote:


dlopen() doesn't automatically pull in libpthread. Either the main
program must be linked against it, or you need LD_PRELOAD.




Re: openssh

2014-07-02 Thread Gregory Edigarov

On 07/01/2014 02:20 PM, Nick Holland wrote:

On 07/01/14 07:00, Gregory Edigarov wrote:

Hello,

Just out for curiosity.
what is the fastest and lightest in cpu terms algorithm in ssh?

As someone who has worked with lots of really old and weak processors
(and still used the defaults)...I must ask, why?  If this matters to
you, I'd suggest getting a better computer, not dumbing-down SSH.  Yes,
using ssh on a 25mhz sparc is annoying, but then, so is almost
everything else you do on those machines.  A 20% change one way or
another won't change the annoying factor enough to worry about.

And maybe more important: why aren't you just testing what YOU care
about on YOUR system and answering your own question?  I suspect you may
see different answers on different processors and different tasks.
I.e., what matters? connection time?  throughput?  On the client or server?

And if you have difficulty answering, maybe the answer is "doesn't
really matter, just use the defaults".

Nick.

because I need to scp some 90-100G  of data from a VERY busy server over 
internet on a regular basis and I don't
want scp eat any cpu at all, which in case of encryption is unavoidable).

then, in the middle I have a firewall, that is out of my control, only 
allowing connections to 22 port to that server.


Hope my explanation is enough

--
With best regards,
 Gregory Edigarov



Re: openssh

2014-07-02 Thread Nick Holland
On 07/02/14 09:08, Gregory Edigarov wrote:
> On 07/01/2014 02:20 PM, Nick Holland wrote:
>> On 07/01/14 07:00, Gregory Edigarov wrote:
>>> Hello,
>>>
>>> Just out for curiosity.
>>> what is the fastest and lightest in cpu terms algorithm in ssh?
>> As someone who has worked with lots of really old and weak processors
>> (and still used the defaults)...I must ask, why?  If this matters to
>> you, I'd suggest getting a better computer, not dumbing-down SSH.  Yes,
>> using ssh on a 25mhz sparc is annoying, but then, so is almost
>> everything else you do on those machines.  A 20% change one way or
>> another won't change the annoying factor enough to worry about.
>>
>> And maybe more important: why aren't you just testing what YOU care
>> about on YOUR system and answering your own question?  I suspect you may
>> see different answers on different processors and different tasks.
>> I.e., what matters? connection time?  throughput?  On the client or server?
>>
>> And if you have difficulty answering, maybe the answer is "doesn't
>> really matter, just use the defaults".
>>
>> Nick.
>>
> because I need to scp some 90-100G  of data from a VERY busy server over 
> internet on a regular basis and I don't
> want scp eat any cpu at all, which in case of encryption is unavoidable).
> 
> then, in the middle I have a firewall, that is out of my control, only 
> allowing connections to 22 port to that server.
> 
> Hope my explanation is enough

not really, but regardless, YOU still need to do experiments on YOUR
systems.  And I still think fiddling with the encryption knob is the
wrong knob.  Will it change something?  Sure.  Not much, however.

What is busy?  if "busy" is CPU, nice(1) is your friend.  if busy is
disk, chewing some CPU or even rate limiting may be your friend.  If you
are generating that much new data regularly, you may well have more of a
disk issue than a CPU issue.  If it isn't all new data, look at rsync --
more cpu for less disk and network I/O.

Try compression on vs. off (the results of this are usually easier to
explain after the fact than to predict before.  Shouldn't be the case, I
know, but I've bet wrong too many times).

Fiddle with the rate limiting of scp.  Note that the number you specify
is not terribly absolute -- don't take your available bandwidth and
claim 80% and think magic will happen, you will have to experiment with
values, and leave it sit for a while to let the buffers do their thing.

Then of course, there's the "if you don't like the answers, change the
question" strategy -- drop another machine behind the firewall with a
lower impact way of transferring data -- NFS? FTP?  You are again going
to have to experiment -- then SCP off that machine instead of your
overloaded box.  If the data is logs, you probably want to be syslogging
to another box anyway.

Some time back, TedU@ wrote a nifty little programlette he called
"disknice" -- google for that, you'll find it.  It yanks the program you
have it running away from the CPU (and thus, disk, etc.) periodically,
letting other tasks have at it.  I use it to back up some data from my
laptop's disk to a SD card on boot with rsync, before, it killed the
system performance until it was done.  Now it takes longer, but I don't
feel it happening.  Maybe this helps you in some way.


Nick.



Re: openssh

2014-07-02 Thread Gregory Edigarov

On 07/02/2014 04:40 PM, Nick Holland wrote:

On 07/02/14 09:08, Gregory Edigarov wrote:

On 07/01/2014 02:20 PM, Nick Holland wrote:

On 07/01/14 07:00, Gregory Edigarov wrote:

Hello,

Just out for curiosity.
what is the fastest and lightest in cpu terms algorithm in ssh?

As someone who has worked with lots of really old and weak processors
(and still used the defaults)...I must ask, why?  If this matters to
you, I'd suggest getting a better computer, not dumbing-down SSH.  Yes,
using ssh on a 25mhz sparc is annoying, but then, so is almost
everything else you do on those machines.  A 20% change one way or
another won't change the annoying factor enough to worry about.

And maybe more important: why aren't you just testing what YOU care
about on YOUR system and answering your own question?  I suspect you may
see different answers on different processors and different tasks.
I.e., what matters? connection time?  throughput?  On the client or server?

And if you have difficulty answering, maybe the answer is "doesn't
really matter, just use the defaults".

Nick.


because I need to scp some 90-100G  of data from a VERY busy server over
internet on a regular basis and I don't
want scp eat any cpu at all, which in case of encryption is unavoidable).

then, in the middle I have a firewall, that is out of my control, only
allowing connections to 22 port to that server.

Hope my explanation is enough

not really, but regardless, YOU still need to do experiments on YOUR
systems.  And I still think fiddling with the encryption knob is the
wrong knob.  Will it change something?  Sure.  Not much, however.

What is busy?  if "busy" is CPU, nice(1) is your friend.  if busy is
disk, chewing some CPU or even rate limiting may be your friend.  If you
are generating that much new data regularly, you may well have more of a
disk issue than a CPU issue.  If it isn't all new data, look at rsync --
more cpu for less disk and network I/O.

Try compression on vs. off (the results of this are usually easier to
explain after the fact than to predict before.  Shouldn't be the case, I
know, but I've bet wrong too many times).

Fiddle with the rate limiting of scp.  Note that the number you specify
is not terribly absolute -- don't take your available bandwidth and
claim 80% and think magic will happen, you will have to experiment with
values, and leave it sit for a while to let the buffers do their thing.

Then of course, there's the "if you don't like the answers, change the
question" strategy -- drop another machine behind the firewall with a
lower impact way of transferring data -- NFS? FTP?  You are again going
to have to experiment -- then SCP off that machine instead of your
overloaded box.  If the data is logs, you probably want to be syslogging
to another box anyway.

Some time back, TedU@ wrote a nifty little programlette he called
"disknice" -- google for that, you'll find it.  It yanks the program you
have it running away from the CPU (and thus, disk, etc.) periodically,
letting other tasks have at it.  I use it to back up some data from my
laptop's disk to a SD card on boot with rsync, before, it killed the
system performance until it was done.  Now it takes longer, but I don't
feel it happening.  Maybe this helps you in some way.

Thanks for the insight Nick. I will seriously think about second machine 
approach.
The data I need to copy are in a way something like logs, although they 
are coming from some technological equipment.



http://www.openbsd.org/anoncvs.html

2014-07-02 Thread Waldemar Brodkorb
Hi,

just trying to build 5.5 stable branch and seeing that
the FAQ is implicitly saying cvs should be used as root.
"First, start out by `get'-ing an initial tree:

(If you are following current):

# cd /usr
# cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs get -P src

(If you are following the patch branch for 5.5):

# cd /usr
# cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs get
# -rOPENBSD_5_5 -P src
"

Wouldn't it be better to tell the user to add the local non-root
user to the wsrc group and then just do it without root permissions?
(changing # into $ in the examples)

Or is the change of this FAQ, already a FAQ? ;)

best regards
 Waldemar



Re: openssh

2014-07-02 Thread Mihai Popescu
> because I need to scp some 90-100G  of data from a VERY busy server over
> internet on a regular basis and I don't
> want scp eat any cpu at all, which in case of encryption is unavoidable).

Better buy a hard disk, copy your data and mail it abroad. Seriously.



rc script problem with pgrep / pkill

2014-07-02 Thread Leclerc, Sebastien
Hi,

I have a problem with a rc script, when I try to check or stop the service.

It is very similar to the spamd rc script (with no rc_pre() and rc_start()):

$ grep -C2 pexp /etc/rc.d/{spamd,tarpitd}
/etc/rc.d/spamd-. /etc/rc.d/rc.subr
/etc/rc.d/spamd-
/etc/rc.d/spamd:pexp="spamd: \[priv\]"
/etc/rc.d/spamd-rc_reload=NO
/etc/rc.d/spamd-
--
/etc/rc.d/tarpitd-. /etc/rc.d/rc.subr
/etc/rc.d/tarpitd-
/etc/rc.d/tarpitd:pexp="tarpitd: \[priv\]"
/etc/rc.d/tarpitd-
/etc/rc.d/tarpitd-rc_reload=NO

The start parameter works correctly:

$ sudo /etc/rc.d/tarpitd -d start
doing rc_read_runfile
doing rc_check
tarpitd
doing rc_start
doing rc_write_runfile
(ok)

$ ps aux | grep "tarpitd:"
_tarpitd 22014  0.0  0.1  7176  3964 ??  Ss     10:18AM    0:00.46 tarpitd: [priv] (tarpitd)
root       775  0.0  0.0   472   660 p1  I      10:18AM    0:00.00 tarpitd: (blocker) (tarpitd)
seblec    6474  0.0  0.0   448   268 p1  R+/1   11:01AM    0:00.00 grep tarpitd:

If I try a manual pgrep, with the same syntax as in rc.subr, it works as 
expected:

$ pgrep -f "^tarpitd: \[priv\]"
22014

But a check or stop doesn't:

$ sudo /etc/rc.d/tarpitd -d check ; echo $?
doing rc_read_runfile
doing rc_check
1

$ sudo /etc/rc.d/tarpitd -d stop
doing rc_read_runfile
doing rc_check


I'm using 5.5-release

What am I doing wrong?
Thank you!


Sebastien Leclerc



Re: ViewVC

2014-07-02 Thread Predrag Punosevac
Stefan Sperling  wrote:

> On Tue, Jul 01, 2014 at 08:36:29PM -0400, Predrag Punosevac wrote:
> > I am trying to run ViewVC in the stand alone server mode on the new svn
> > server (OpenBSD 5.5 amd64).  Since ViewVC is not in ports I downloaded
> > 1.1.22 package from CollabNet website. ViewVC keeps crashing
> > while I browse my SVN repos. They are rather large. I am not using any
> > kind of proxy but rather forcing built in server to listen on the port
> > 80.
> 
> IIRC viewvc uses Subversion's python bindings. Did you install them?
> pkg_add py-subversion

Of course :) Built in stand alone server which comes with ViewVC runs
fine until I start browsing repositories aggressively. Then it crashes as
in 
# uname -a
OpenBSD svnhub.int.autonlab.org 5.5 GENERIC.MP#315 amd64
# /usr//local/bin/viewvc-1.1.22/bin/standalone.py -d -p 80 -h \
svnhub.int.autonlab.org

server ready at http://svnhub.int.autonlab.org:80/viewvc
# 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc HTTP/1.1" 200 -
10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc/*docroot*/styles.css
HTTP/1.1" 200 -
10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
10.8.0.6 - - [02/Jul/2014 11:16:47] "GET
/viewvc/*docroot*/images/viewvc-logo.png HTTP/1.1" 200 -
10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
10.8.0.6 - - [02/Jul/2014 11:16:47] "GET
/viewvc/*docroot*/images/dir.png HTTP/1.1" 200 -
10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
10.8.0.6 - - [02/Jul/2014 11:16:47] "GET
/viewvc/*docroot*/images/favicon.ico HTTP/1.1" 200 -
10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
10.8.0.6 - - [02/Jul/2014 11:16:49] "GET /viewvc/cvs/ HTTP/1.1" 200 -
10.8.0.6 - - [02/Jul/2014 11:16:49] ViewVC exited ok
10.8.0.6 - - [02/Jul/2014 11:16:49] "GET /viewvc/*docroot*/images/up.png
HTTP/1.1" 200 -
10.8.0.6 - - [02/Jul/2014 11:16:49] ViewVC exited ok
10.8.0.6 - - [02/Jul/2014 11:16:57] "GET /viewvc/cvs/trunk/ HTTP/1.1"
200 -
Traceback (most recent call last):
  File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 879, in

main(sys.argv)
  File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 874, in
main
serve(options.host, options.port, ready)
  File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 421, in
serve
ViewVCHTTPServer(host, port, callback).serve_until_quit()
  File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 356, in
serve_until_quit
self.handle_request()
  File "/usr/local/lib/python2.7/SocketServer.py", line 280, in
handle_request
self._handle_request_noblock()
  File "/usr/local/lib/python2.7/SocketServer.py", line 297, in
_handle_request_noblock
self.handle_error(request, client_address)
  File "/usr/local/lib/python2.7/SocketServer.py", line 350, in
handle_error
print '-'*40
  File "/usr/local/lib/python2.7/socket.py", line 324, in write
self.flush()
  File "/usr/local/lib/python2.7/socket.py", line 303, in flush
self._sock.sendall(view[write_offset:write_offset+buffer_size])
AttributeError: 'NoneType' object has no attribute 'sendall'


Any clues Stefan from the kernel hacker point of view?


Most Kind Regards,
Predrag


> 
> > Does anyone have any experience running ViewVC on OpenBSD recently? I am
> > tempted to try to use Nginx as a proxy or install Apache 2 and use CGI
> > mode via ScriptAlias for ViewVC. The latter is running fine in our
> > current setup on Scientific Linux 6.2 which I am trying to migrate to
> > OpenBSD. Unfortunately moving to Trac (which would be my strong
> > preference) or WebSVN will probably cause ruffle feathers, a condition I
> > want to avoid.
> > 
> > Predrag
> 
> WebSVN is fairly broken with SVN 1.8. Don't bother. (Which reminds me
> I've been meaning to remove it but was still waiting for patches
> promised by someone, which never arrived).



Re: LAN vs VLAN interface performance

2014-07-02 Thread Job Snijders
Hi all,

I am replying to this thread as I see some resemblance between issue I
experience and the quickly rising netlivelocks value.

On 24/06/14 3:08 PM, Chris Cappuccio wrote:
>Kapetanakis Giannis [bil...@edu.physics.uoc.gr] wrote:
>> On 23/06/14 21:33, Henning Brauer wrote:
>>>* Chris Cappuccio  [2014-06-23 20:24]:
>>>> I have a sandy bridge Xeon box with PF NAT that handles a daily 200
>>>> to 700Mbps. It has a single myx interface using OpenBSD 5.5 (not
>>>> current). It does nothing but PF NAT and related routing. No barage
>>>> of vlans or interfaces. No dynamic routing. Nothing else. 60,000 to
>>>> 100,000 states.
>>>>
>>>> With an MP kernel, kern.netlivelocks increases by something like
>>>> 150,000 per day!! I The packet loss was notable.
>>>>
>>>> With an SP kernel, the 'netlivelock' counter barely moves. Maybe
>>>> 100 per day on average, but for the past week, maybe 5.
>>
>> sysctl -a|grep netlive
>> kern.netlivelocks=50
>> 
>> # pfctl -ss|wc -l
>> 73203
>> 
>> # pfctl -sr|wc -l
>>  294
>>
>> routing/firewalling/some NAT at ~ 500Mbps

I am routing between 5 and 20 megabit/sec on an OpenBSD 5.5 following
mtier stable updates. No NAT, PF is disabled, just plain routing (~ 500k
IPv4 routes, 20k IPv6 routes).

DMESG is available here http://instituut.net/~job/dmesg-dcg-2.txt . A
mixture of em(4) and bnx(4) NICs in Dell R610 chassis with mfi(4)
powered PERC 6/i controller.

> I have some ideas. I'm going to do some troubleshooting when I have a
> chance to think clearly.
>
> I think the disk subsystem could be part of the issue. I see the most
> netlivelocks on a box with a USB key, mfi is in second place.

I am graphing netlivelocks in munin to get a grasp on things:


http://sysadmin.coloclue.net/munin/router.nl.coloclue.net/eunetworks-2.router.nl.coloclue.net/index.html#kern
(feel free to look at the other system metrics from the BSD routers,
filed under "router.nl.coloclue.net" at 
http://sysadmin.coloclue.net/munin/index.html)

Until yesterday I was running GENERIC.MP, and experienced between 1% and
2% packetloss on packets forwarded by the OpenBSD routers, sthen@
recommended I try the singlecore kernel and magically most of the
packetloss disappeared (but not all). With the GENERIC.MP kernel
netlivelocks was raising way faster.

During debugging (when I was running MP) I tcpdumped for inbound ICMP
traffic on one of our edge interfaces, and initially thought one of our
suppliers was to blame as tcpdump didn't show some packets I expected to
arrive, now I suspect they got lost on our side because we don't see the
behaviour with SP. I observed similar packetloss for both IPv4 and
IPv6. Unsure if that helps in assessing where in the system they get
lost.

How can I assist in further debugging? 

Kind regards,

Job



Re: ViewVC

2014-07-02 Thread Eugene Yunak
It fails to create a socket (_sock is None). This can be an indicator of
you hitting fd limits.
On 2 Jul 2014 17:23, "Predrag Punosevac"  wrote:

> Stefan Sperling  wrote:
>
> > On Tue, Jul 01, 2014 at 08:36:29PM -0400, Predrag Punosevac wrote:
> > > I am trying to run ViewVC in the stand alone server mode on the new svn
> > > server (OpenBSD 5.5 amd64).  Since ViewVC is not in ports I downloaded
> > > 1.1.22 package from CollabNet website. ViewVC keeps crashing
> > > while I browse my SVN repos. They are rather large. I am not using any
> > > kind of proxy but rather forcing built in server to listen on the port
> > > 80.
> >
> > IIRC viewvc uses Subversion's python bindings. Did you install them?
> > pkg_add py-subversion
>
> Of course :) Built in stand alone server which comes with ViewVC runs
> fine until I start browsing repositories aggressively. Then it crashes as
> in
> # uname -a
> OpenBSD svnhub.int.autonlab.org 5.5 GENERIC.MP#315 amd64
> # /usr//local/bin/viewvc-1.1.22/bin/standalone.py -d -p 80 -h \
> svnhub.int.autonlab.org
>
> server ready at http://svnhub.int.autonlab.org:80/viewvc
> # 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc HTTP/1.1" 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc/*docroot*/styles.css
> HTTP/1.1" 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET
> /viewvc/*docroot*/images/viewvc-logo.png HTTP/1.1" 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET
> /viewvc/*docroot*/images/dir.png HTTP/1.1" 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET
> /viewvc/*docroot*/images/favicon.ico HTTP/1.1" 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:49] "GET /viewvc/cvs/ HTTP/1.1" 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:49] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:49] "GET /viewvc/*docroot*/images/up.png
> HTTP/1.1" 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:49] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:57] "GET /viewvc/cvs/trunk/ HTTP/1.1"
> 200 -
> Traceback (most recent call last):
>   File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 879, in
> 
> main(sys.argv)
>   File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 874, in
> main
> serve(options.host, options.port, ready)
>   File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 421, in
> serve
> ViewVCHTTPServer(host, port, callback).serve_until_quit()
>   File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 356, in
> serve_until_quit
> self.handle_request()
>   File "/usr/local/lib/python2.7/SocketServer.py", line 280, in
> handle_request
> self._handle_request_noblock()
>   File "/usr/local/lib/python2.7/SocketServer.py", line 297, in
> _handle_request_noblock
> self.handle_error(request, client_address)
>   File "/usr/local/lib/python2.7/SocketServer.py", line 350, in
> handle_error
> print '-'*40
>   File "/usr/local/lib/python2.7/socket.py", line 324, in write
> self.flush()
>   File "/usr/local/lib/python2.7/socket.py", line 303, in flush
> self._sock.sendall(view[write_offset:write_offset+buffer_size])
> AttributeError: 'NoneType' object has no attribute 'sendall'
>
>
> Any clues Stefan from the kernel hacker point of view?
>
>
> Most Kind Regards,
> Predrag
>
>
> >
> > > Does anyone have any experience running ViewVC on OpenBSD recently? I
> am
> > > tempted to try to use Nginx as a proxy or install Apache 2 and use CGI
> > > mode via ScriptAlias for ViewVC. The latter is running fine in our
> > > current setup on Scientific Linux 6.2 which I am trying to migrate to
> > > OpenBSD. Unfortunately moving to Trac (which would be my strong
> > > preference) or WebSVN will probably cause ruffle feathers, a condition
> I
> > > want to avoid.
> > >
> > > Predrag
> >
> > WebSVN is fairly broken with SVN 1.8. Don't bother. (Which reminds me
> > I've been meaning to remove it but was still waiting for patches
> > promised by someone, which never arrived).
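
Added example (not part of the original thread or of ViewVC): the errno of a failed descriptor allocation tells which limit was hit, EMFILE for the per-process limit and ENFILE for the system-wide file table that kern.maxfiles sizes. The sketch lowers its own soft RLIMIT_NOFILE, opens /dev/null until the kernel refuses, and classifies the error; the function names and advice strings are this example's own, and /dev/null stands in for the sockets a server would accept().

```python
import errno
import os
import resource

# Advice strings are this example's wording, not the output of any tool.
ADVICE = {
    errno.EMFILE: "per-process limit (ulimit -n; openfiles in login.conf(5))",
    errno.ENFILE: "system-wide file table (sysctl kern.maxfiles)",
}


def classify(err):
    """Map an OSError from open()/socket()/accept() to the limit that caused it."""
    return ADVICE.get(err.errno,
                      "not a descriptor limit: " + os.strerror(err.errno))


def current_limits():
    """Return the (soft, hard) per-process descriptor limits of this process."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def probe_process_limit(soft=64):
    """Lower the soft limit to `soft`, open descriptors until the kernel
    refuses, then restore the limit.

    Returns (descriptors_opened, errno_value, advice_string).
    """
    old_soft, hard = current_limits()
    if hard != resource.RLIM_INFINITY:
        soft = min(soft, hard)
    resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard))
    held = []
    try:
        while True:
            # Every open file, pipe and socket draws from the same table,
            # so /dev/null exhausts it exactly as accepted connections would.
            held.append(os.open(os.devnull, os.O_RDONLY))
    except OSError as err:
        return len(held), err.errno, classify(err)
    finally:
        for fd in held:
            os.close(fd)
        resource.setrlimit(resource.RLIMIT_NOFILE, (old_soft, hard))


if __name__ == "__main__":
    print("soft/hard RLIMIT_NOFILE: %s/%s" % current_limits())
    opened, code, advice = probe_process_limit(64)
    print("opened %d descriptors, then %s: %s"
          % (opened, errno.errorcode[code], advice))
```

A server that logs the errno of the failing call shows directly whether raising kern.maxfiles or the login class limit is the relevant change.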



Re: http://www.openbsd.org/anoncvs.html

2014-07-02 Thread Nick Holland
On 07/02/14 10:54, Waldemar Brodkorb wrote:
> Hi,
> 
> just trying to build 5.5 stable branch and seeing that

...[checkout/compile/install as root]...

> Wouldn't it be better to tell the user to add the local non-root
> user to the wsrc group and then just do it without root permissions?
> (changing # into $ in the examples)

why?
Answer thoughtfully, not reflexively, please.

You are building code that all system security depends on.  If you don't
trust the user doing this, you have a problem, doing it as non-root
changes this situation not one bit.

You have to be root to install the kernel and the userland anyway. If
you wish to build userland without being root, you need sudo configured
without a password (or be sitting around to respond when it asks for a
pw).  Again, not really improving security.  Maybe lessening it if
that's against your needs.

Good administrative practices?  Very possibly.  But this comes down to
local administrative policies set by people looking at the situation at
your site.  Minimizing the damage of "rm -rf /" is good.  Turning off
passwords on sudo if that's otherwise your policy is not good.

There's a philosophy that what you are doing here could totally f***
your system up.  Not doing it as root and pretending what you do
couldn't hurt things is bad.  Maybe seeing the "#" prompt reminds you
there are sharp edges here.

me?  IF I'm doing this on a "General Purpose" machine, I'd probably
check out as me, compile kernel as me, "sudo make install" the kernel,
and "sudo make build".  I should probably "SUDO=sudo make build", but
hey, if there's something wrong in the build scripts that this saves me
from, it would probably be best for all of you that I find out, right?
:)  If I'm building on a machine dedicated to building...I'm not seeing
a lot of benefit to not just doing it all as root.

Nick.



Re: ViewVC

2014-07-02 Thread Predrag Punosevac
Eugene Yunak  wrote:

> It fails to create a socket (_sock is None). This can be an indicator of
> you hitting fd limits.

Right on money!!!

I changed sysctl kern.maxfiles=7030 to 17030 and now works like a champ.
Any suggestion to what fd limits should be and do you suggest changing 
per-login/process limits as well? 


Most Kind Regards,
Predrag


> On 2 Jul 2014 17:23, "Predrag Punosevac"  wrote:
> 
> > Stefan Sperling  wrote:
> >
> > > On Tue, Jul 01, 2014 at 08:36:29PM -0400, Predrag Punosevac wrote:
> > > > I am trying to run ViewVC in the stand alone server mode on the new svn
> > > > server (OpenBSD 5.5 amd64).  Since ViewVC is not in ports I downloaded
> > > > 1.1.22 package from CollabNet website. ViewVC keeps crashing
> > > > while I browse my SVN repos. They are rather large. I am not using any
> > > > kind a proxy but rather forcing built in server to listen on the port
> > > > 80.
> > >
> > > IIRC viewvc uses Subversion's python bindings. Did you install them?
> > > pkg_add py-subversion
> >
> > Of course :) Built in stand alone server which comes with ViewVC runs
> > fine until I start browsing repositories aggressively. Then it crashes as
> > in
> > # uname -a
> > OpenBSD svnhub.int.autonlab.org 5.5 GENERIC.MP#315 amd64
> > # /usr//local/bin/viewvc-1.1.22/bin/standalone.py -d -p 80 -h \
> > svnhub.int.autonlab.org
> >
> > server ready at http://svnhub.int.autonlab.org:80/viewvc
> > # 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc HTTP/1.1" 200 -
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc/*docroot*/styles.css HTTP/1.1" 200 -
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc/*docroot*/images/viewvc-logo.png HTTP/1.1" 200 -
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc/*docroot*/images/dir.png HTTP/1.1" 200 -
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc/*docroot*/images/favicon.ico HTTP/1.1" 200 -
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> > 10.8.0.6 - - [02/Jul/2014 11:16:49] "GET /viewvc/cvs/ HTTP/1.1" 200 -
> > 10.8.0.6 - - [02/Jul/2014 11:16:49] ViewVC exited ok
> > 10.8.0.6 - - [02/Jul/2014 11:16:49] "GET /viewvc/*docroot*/images/up.png HTTP/1.1" 200 -
> > 10.8.0.6 - - [02/Jul/2014 11:16:49] ViewVC exited ok
> > 10.8.0.6 - - [02/Jul/2014 11:16:57] "GET /viewvc/cvs/trunk/ HTTP/1.1" 200 -
> > Traceback (most recent call last):
> >   File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 879, in <module>
> >     main(sys.argv)
> >   File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 874, in main
> >     serve(options.host, options.port, ready)
> >   File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 421, in serve
> >     ViewVCHTTPServer(host, port, callback).serve_until_quit()
> >   File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 356, in serve_until_quit
> >     self.handle_request()
> >   File "/usr/local/lib/python2.7/SocketServer.py", line 280, in handle_request
> >     self._handle_request_noblock()
> >   File "/usr/local/lib/python2.7/SocketServer.py", line 297, in _handle_request_noblock
> >     self.handle_error(request, client_address)
> >   File "/usr/local/lib/python2.7/SocketServer.py", line 350, in handle_error
> >     print '-'*40
> >   File "/usr/local/lib/python2.7/socket.py", line 324, in write
> >     self.flush()
> >   File "/usr/local/lib/python2.7/socket.py", line 303, in flush
> >     self._sock.sendall(view[write_offset:write_offset+buffer_size])
> > AttributeError: 'NoneType' object has no attribute 'sendall'
> >
> >
> > Any clues Stefan from the kernel hacker point of view?
> >
> >
> > Most Kind Regards,
> > Predrag
> >
> >
> > >
> > > > Does anyone have any experience running ViewVC on OpenBSD recently? I am
> > > > tempted to try to use Nginx as a proxy or install Apache 2 and use CGI
> > > > mode via ScriptAlias for ViewVC. The latter is running fine in our
> > > > current setup on Scientific Linux 6.2 which I am trying to migrate to
> > > > OpenBSD. Unfortunately moving to Trac (which would be my strong
> > > > preference) or WebSVN will probably cause ruffle feathers, a condition I
> > > > want to avoid.
> > > >
> > > > Predrag
> > >
> > > WebSVN is fairly broken with SVN 1.8. Don't bother. (Which reminds me
> > > I've been meaning to remove it but was still waiting for patches
> > > promised by someone, which never arrived).



Re: http://www.openbsd.org/anoncvs.html

2014-07-02 Thread Vigdis
On Wed, 02 Jul 2014 12:47:04 -0400, Nick Holland wrote:

> > Wouldn't it be better to tell the user to add the local non-root
> > user to the wsrc group and then just do it without root permissions?
> > (changing # into $ in the examples)  
> 
> why?

Because Miod told it? :p

http://marc.info/?l=openbsd-misc&m=140224659303522&w=2

It's been already discussed:
http://marc.info/?l=openbsd-misc&m=140235676510174&w=2

Cheers,
-- 
Vigdis



Why doesn't GCM HTTPS work with nginx?

2014-07-02 Thread Ez Egy
Since these two are using GCM:

www.ssllabs.com: ECDHE-RSA-AES256-GCM-SHA384
www.google.com: ECDHE-RSA-AES128-GCM-SHA256

We wanted to make our webserver HTTPS connection more secure (don't look at
the self-signed certificate, that doesn't count right now..)

We are using an OpenBSD 5.4 64bit, and the "openssl ciphers" command says
that it supports the "ECDHE-RSA-AES256-GCM-SHA384" cipher. On client side
there is Firefox 30 at least.

So here is how we setup the HTTPS server:

# generate self signed certificate
openssl genrsa -aes256 -out /etc/ssl/private/server.key 4096
openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
openssl x509 -sha512 -req -days 365 -in /etc/ssl/private/server.csr -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt

The config:

vi /etc/nginx/nginx.conf
...
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers   on;
...

But Firefox says (I translated it from my language..):

A connection to the www.foo.com is interrupted

and ssllabs ( https://www.ssllabs.com/ssltest/ ) says:

Assessment failed: Failed to communicate with the secure server

Question: How can we set GCM in nginx? Why couldn't a fresh Firefox connect
via HTTPS to foo.com (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2)? It can connect
to www.ssllabs.com via HTTPS (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2) so maybe
it's not a client side problem..

[user@localhost ~] openssl s_client -connect www.foo.com:443
CONNECTED(0003)
depth=0 C = HU, CN = www.foo.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = HU, CN = www.foo.com
verify return:1
---
Certificate chain
 0 s:/C=HU/CN=www.foo.com
   i:/C=HU/CN=www.foo.com
---
Server certificate
-BEGIN CERTIFICATE-
 here goes the cert..
-END CERTIFICATE-
subject=/C=HU/CN=www.foo.com
issuer=/C=HU/CN=www.foo.com
---
No client certificate CA names sent
---
SSL handshake has read 2137 bytes and written 389 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2



Re: What is the difference between these two SSHD configs?

2014-07-02 Thread Ez Egy
Match Group GROUPNAME User !root
This does nothing. (but sshd restart doesn't tell it's syntactically
incorrect!!!..., values should be delimited by "," comma.. a groupname will
never have space in it..)

and:

Match Group GROUPNAME, User *,!root
This excludes the root if it's in the GROUPNAME group.


So they don't just differ by "2 Bytes"


On Tue, Jul 1, 2014 at 6:30 PM, Edward M  wrote:

> On 07/01/14 09:18, Ez Egy wrote:
>
>> #1
>>
>>  Match Group GROUPNAME, User *,!root
>>
>> #2
>>
>>  Match Group GROUPNAME User !root
>>
>> What is the difference between #1 and #2 in the SSHD_CONFIG?
>>
>> If someone could help me.. thanks in advance..
>>
>>
>  May want to take a look at 'PATTERNS' section of 'ssh_config' manpage.



Re: Why doesn't GCM HTTPS work with nginx?

2014-07-02 Thread Dorian H.
You could try using the cipher configuration recommended by Ivan
Ristić / ssllabs.com, as described here:
http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html

Restart nginx and check what cipher is being offered.
The highest cipher supported by both client and server should be negotiated.

You could also try compiling nginx with a newer version of OpenSSL as
static libraries (or maybe upgrade and use LibreSSL?) and retry the
above procedure.

And also, check the about:config page in Firefox, make sure the
maximum supported TLS version is 1.2 by changing
security.tls.version.max to value 3.


On Wed, Jul 2, 2014 at 7:52 PM, Ez Egy  wrote:
>
> Since these two are using GCM:
>
> www.ssllabs.com: ECDHE-RSA-AES256-GCM-SHA384
> www.google.com: ECDHE-RSA-AES128-GCM-SHA256
>
> We wanted to make our webserver HTTPS connection more secure (don't look at
> the self-signed certificate, that doesn't count right now..)
>
> We are using an OpenBSD 5.4 64bit, and the "openssl ciphers" command says
> that it supports the "ECDHE-RSA-AES256-GCM-SHA384" cipher. On client side
> there is Firefox 30 at least.
>
> So here is how we setup the HTTPS server:
>
> # generate self signed certificate
> openssl genrsa -aes256 -out /etc/ssl/private/server.key 4096
> openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
> openssl x509 -sha512 -req -days 365 -in /etc/ssl/private/server.csr -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
>
> The config:
>
> vi /etc/nginx/nginx.conf
> ...
> ssl_protocols TLSv1.2;
> ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
> ssl_prefer_server_ciphers   on;
> ...
>
> But Firefox says (I translated it from my language..):
>
> A connection to the www.foo.com is interrupted
>
> and ssllabs ( https://www.ssllabs.com/ssltest/ ) says:
>
> Assessment failed: Failed to communicate with the secure server
>
> Question: How can we set GCM in nginx? Why couldn't a fresh Firefox connect
> via HTTPS to foo.com (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2)? It can connect
> to www.ssllabs.com via HTTPS (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2) so maybe
> it's not a client side problem..
>
> [user@localhost ~] openssl s_client -connect www.foo.com:443
> CONNECTED(0003)
> depth=0 C = HU, CN = www.foo.com
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = HU, CN = www.foo.com
> verify return:1
> ---
> Certificate chain
>  0 s:/C=HU/CN=www.foo.com
>    i:/C=HU/CN=www.foo.com
> ---
> Server certificate
> -BEGIN CERTIFICATE-
>  here goes the cert..
> -END CERTIFICATE-
> subject=/C=HU/CN=www.foo.com
> issuer=/C=HU/CN=www.foo.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2137 bytes and written 389 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol  : TLSv1.2



Re: Why doesn't GCM HTTPS work with nginx?

2014-07-02 Thread Joel Sing
On Thu, 3 Jul 2014, Ez Egy wrote:
> Since these two are using GCM:
>
> www.ssllabs.com: ECDHE-RSA-AES256-GCM-SHA384
> www.google.com: ECDHE-RSA-AES128-GCM-SHA256
>
> We wanted to make our webserver HTTPS connection more secure (don't look at
> the self-signed certificate, that doesn't count right now..)
>
> We are using an OpenBSD 5.4 64bit, and the "openssl ciphers" command says
> that it supports the "ECDHE-RSA-AES256-GCM-SHA384" cipher. On client side
> there is Firefox 30 at least.
>
> So here is how we setup the HTTPS server:
>
> # generate self signed certificate
> openssl genrsa -aes256 -out /etc/ssl/private/server.key 4096
> openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
> openssl x509 -sha512 -req -days 365 -in /etc/ssl/private/server.csr -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
>
> The config:
>
> vi /etc/nginx/nginx.conf
> ...
> ssl_protocols TLSv1.2;
> ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
> ssl_prefer_server_ciphers   on;
> ...
>
> But Firefox says (I translated it from my language..):
>
> A connection to the www.foo.com is interrupted
>
> and ssllabs ( https://www.ssllabs.com/ssltest/ ) says:
>
> Assessment failed: Failed to communicate with the secure server
>
> Question: How can we set GCM in nginx? Why couldn't a fresh Firefox connect
> via HTTPS to foo.com (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2)? It can connect
> to www.ssllabs.com via HTTPS (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2) so maybe
> it's not a client side problem..
>
> [user@localhost ~] openssl s_client -connect www.foo.com:443
> CONNECTED(0003)
> depth=0 C = HU, CN = www.foo.com
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = HU, CN = www.foo.com
> verify return:1
> ---
> Certificate chain
>  0 s:/C=HU/CN=www.foo.com
>    i:/C=HU/CN=www.foo.com
> ---
> Server certificate
> -BEGIN CERTIFICATE-
>  here goes the cert..
> -END CERTIFICATE-
> subject=/C=HU/CN=www.foo.com
> issuer=/C=HU/CN=www.foo.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2137 bytes and written 389 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384

You've just proven that nginx is working with ECDHE-RSA-AES256-GCM-SHA384 
(assuming that www.foo.com is actually your server).

> Server public key is 4096 bit

Compared to ssllabs:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit

I would suspect that your client (Firefox) issues are related to your server 
certificate/public key, rather than the cipher.

> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol  : TLSv1.2
-- 

"Action without study is fatal. Study without action is futile."
-- Mary Ritter Beard



Re: Why doesn't GCM HTTPS work with nginx?

2014-07-02 Thread Philip Guenther
On Wed, Jul 2, 2014 at 11:46 AM, Joel Sing  wrote:

> On Thu, 3 Jul 2014, Ez Egy wrote:
> > Since these two are using GCM:
> >
> > www.ssllabs.com: ECDHE-RSA-AES256-GCM-SHA384
> > www.google.com: ECDHE-RSA-AES128-GCM-SHA256
> >
> > We wanted to make our webserver HTTPS connection more secure (don't look at
> > the self-signed certificate, that doesn't count right now..)
> >
> > We are using an OpenBSD 5.4 64bit, and the "openssl ciphers" command says
> > that it supports the "ECDHE-RSA-AES256-GCM-SHA384" cipher. On client side
> > there is Firefox 30 at least.
>

Does firefox 30, which uses nss and *NOT* openssl, support that cipher
suite?  When I go to www.ssllabs.com in firefox, it only shows
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", and it's not listed in the
about:config page in firefox.  Do you see it in about:config in your
firefox?  Is it enabled there?

 ...

> > But Firefox says (I translated it from my language..):
> >
> > A connection to the www.foo.com is interrupted
>

Error message fail.  Interrupted by *what*?  There isn't a "more
information" button or similar with more information about the (handshake?)
failure?


Philip Guenther



Re: Why doesn't GCM HTTPS work with nginx?

2014-07-02 Thread Christian Weisgerber
On 2014-07-02, Ez Egy  wrote:

> www.ssllabs.com: ECDHE-RSA-AES256-GCM-SHA384
> www.google.com: ECDHE-RSA-AES128-GCM-SHA256
>
> We wanted to make our webserver HTTPS connection more secure (don't look at
> the self-signed certificate, that doesn't count right now..)
>
> We are using an OpenBSD 5.4 64bit, and the "openssl ciphers" command says
> that it supports the "ECDHE-RSA-AES256-GCM-SHA384" cipher. On client side
> there is Firefox 30 at least.

Firefox doesn't support ECDHE-RSA-AES256-GCM-SHA384.

ECDHE-RSA-AES128-GCM-SHA256, yes.

ECDHE-RSA-AES256-GCM-SHA384, no.

> Question: How can we set GCM in nginx? Why couldn't a fresh Firefox connect
> via HTTPS to foo.com (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2)? It can connect
> to www.ssllabs.com via HTTPS (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2)

No, it doesn't.  Not with that cipher suite.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
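
The mismatch described in the replies above, as an added model that is not part of any post: the server's ssl_ciphers list is intersected with what each client offers, and an empty intersection means the handshake fails. The two client offers are constructed and encode only what the thread states (one client lacks the AES256-GCM suite, openssl s_client has it); the widened cipher list is an assumption of this example, and only explicit cipher names are handled, not OpenSSL's full cipher-string syntax.

```python
# OpenSSL cipher names (as written in nginx ssl_ciphers) mapped to the IANA
# suite names that browsers display. Only the suites this example needs.
OPENSSL_TO_IANA = {
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-SHA": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

# ssl_ciphers value from the original post.
PAGE_SSL_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA384"
# Assumption of this example: the same list with the AES128-GCM suite appended.
WIDENED_SSL_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"

# Constructed client offers, in client preference order.
CLIENTS = {
    # Offers AES128-GCM but not AES256-GCM, as the replies say of Firefox.
    "nss_like": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    ],
    # Offers both GCM suites, like the openssl s_client run in the post.
    "openssl_like": [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    ],
}


def server_suites(ssl_ciphers):
    """Translate a colon-separated list of OpenSSL names to IANA names."""
    suites = []
    for name in ssl_ciphers.split(":"):
        if name not in OPENSSL_TO_IANA:
            raise ValueError("cipher not known to this example: %r" % name)
        suites.append(OPENSSL_TO_IANA[name])
    return suites


def negotiate(ssl_ciphers, client_offer, prefer_server=True):
    """Return the suite both sides share, or None when the handshake fails.

    prefer_server mirrors ssl_prefer_server_ciphers: the preferring side's
    order decides which shared suite wins.
    """
    server = server_suites(ssl_ciphers)
    first, second = (server, client_offer) if prefer_server else (client_offer, server)
    for suite in first:
        if suite in second:
            return suite
    return None


def audit(ssl_ciphers, clients):
    """Map each client name to the suite it would get, or None if locked out."""
    return {name: negotiate(ssl_ciphers, offer) for name, offer in clients.items()}


if __name__ == "__main__":
    for label, config in (("page", PAGE_SSL_CIPHERS), ("widened", WIDENED_SSL_CIPHERS)):
        for client, suite in audit(config, CLIENTS).items():
            print("%-8s %-13s %s" % (label, client, suite or "handshake failure"))
```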



Intel Dual Band Wireless AC 7260 support on the horizon?

2014-07-02 Thread Peter N. M. Hansteen
While I was shopping around for a new laptop to replace my aging
Thinkpad SL500 I noticed that the Thinkpad's /etc/firmware directory had
a file called iwn-7260, so when I couldn't get the Atheros AR9485
included in one recent laptop here to work (and seeing it is included in
various other laptop models), I bought one Intel 7260 to play with.

However, the card comes up unconfigured:

pci2 at ppb1 bus 2
"Intel Dual Band Wireless AC 7260" rev 0x73 at pci2 dev 0 function 0 not configured

Have I stumbled onto a new variant, or have I made some silly mistake
along the way?

dmesg and pcidump -v output follows (yes, I'm using a Netgear urtwn(4)
USB dongle to post this), and fully prepared for cluebats:

- Peter


Re: What is the difference between these two SSHD configs?

2014-07-02 Thread Philip Guenther
On Wed, Jul 2, 2014 at 10:59 AM, Ez Egy  wrote:

> Match Group GROUPNAME User !root
> This does nothing. (but sshd restart doesn't tell it's syntactically
> incorrect!!!..., values should be delimited by "," comma.. a groupname will
> never have space in it..)
>

> and:
>
> Match Group GROUPNAME, User *,!root
> This excludes the root if it's in the GROUPNAME group.
>

There are *two* differences between those lines:
1) the second has a comma after the group name
2) the second has a different pattern for the User condition

The first change HAS NO EFFECT.

The change in behaviors is completely from the second change.  Unlike some
other programs' pattern match expressions, in ssh and sshd, starting a
pattern match with a negated term does *NOT* implicitly mean "start with
everything matching and exclude the negated stuff".  A pattern expression
in ssh/sshd with only negated items will *NEVER* match.


Philip Guenther
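
The pattern-list rule explained in the reply above, as an added simplified model that is not OpenSSH's code and not part of any post: a negated item that matches vetoes the list, and a list counts as matching only when some positive item matched. Function names are this example's own, the accounts are constructed, and only the User and Group criteria are handled.

```python
import re

# The two lines from the thread.
LINE_ONLY_NEGATED = "Match Group GROUPNAME User !root"
LINE_WITH_WILDCARD = "Match Group GROUPNAME, User *,!root"


def match_pattern(value, pattern):
    """One ssh-style pattern: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def match_pattern_list(value, pattern_list):
    """Return 1 for a positive match, -1 if a negated item matched, else 0."""
    got_positive = False
    for item in pattern_list.split(","):
        if not item:  # a trailing comma contributes no pattern
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:]
        if match_pattern(value, item):
            if negated:
                return -1  # a negated hit vetoes the whole list
            got_positive = True
    # With only negated items nothing ever sets got_positive, so the result
    # is 0 or -1 and the list can never match.
    return 1 if got_positive else 0


def group_matches(groups, pattern_list):
    """True if some group matches positively and no group hits a negated item."""
    found = False
    for group in groups:
        result = match_pattern_list(group, pattern_list)
        if result == -1:
            return False
        if result == 1:
            found = True
    return found


def match_applies(match_line, user, groups):
    """Evaluate a 'Match' line (User and Group criteria only) for one account."""
    tokens = match_line.split()
    if not tokens or tokens[0] != "Match" or len(tokens) % 2 == 0:
        raise ValueError("expected 'Match <criterion> <patterns> ...'")
    for keyword, patterns in zip(tokens[1::2], tokens[2::2]):
        if keyword.lower() == "user":
            ok = match_pattern_list(user, patterns) == 1
        elif keyword.lower() == "group":
            ok = group_matches(groups, patterns)
        else:
            raise ValueError("criterion not modelled here: %s" % keyword)
        if not ok:  # all criteria on the line must match
            return False
    return True


if __name__ == "__main__":
    # Constructed accounts: (user, groups).
    accounts = [("alice", ["GROUPNAME"]), ("root", ["GROUPNAME", "wheel"]),
                ("bob", ["users"])]
    for line in (LINE_ONLY_NEGATED, LINE_WITH_WILDCARD):
        for user, groups in accounts:
            print("%-38s %-6s %s" % (line, user, match_applies(line, user, groups)))
```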



Re: [Bulk] Re: openssh

2014-07-02 Thread Kevin Chadwick
previously on this list Mihai Popescu contributed:

> > because I need to scp some 90-100G  of data from a VERY busy server over
> > internet on a regular basis and I don't
> > want scp eat any cpu at all, which in case of encryption is unavoidable).

If you have a fairly new OpenSSH at each end then I would investigate
ed25519

-- 
___

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
___



Re: iPhones and nginx/slowcgi on OpenBSD <=5.5

2014-07-02 Thread Giancarlo Razzolini
On 01-07-2014 20:06, Kristaps Dzonsons wrote:
> Folks,
>
> If anybody's running nginx with slowcgi(8) on or before OpenBSD 5.5
> release, be aware that there's a subtle error (fixed after 5.5) that
> silently discards HTTP headers with some referrers.
>
> Long story: I noticed that cookies POSTed by an iPhone client were
> lost before being passed to a slowcgi(8) script.  Several other HTTP
> headers were also lost (Accept-Language, etc.).  But they were passed
> through in GET calls (and in POST from other systems).  Dumping the
> request via tcpdump(8), I saw that each of the lost headers occurred
> after a monster User-Agent string.  In this case,
>
> User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X)
> AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a
> Safari/9537.53
>
> For the GET calls to the CGI via slowcgi(8), this was being invoked
> last, so there was no loss.
>
> I remembered seeing something in plus.html about the following:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/slowcgi/slowcgi.c?rev=1.30;content-type=text%2Fx-cvsweb-markup
>
>
> florian@ saves the day!  The commit message only mentions
> QUERY_STRING, but as it turns out, it's also relevant to other
> headers.  And in this case, causes silent loss.  So if you're using
> slowcgi(8), you probably want to upgrade...
>
> Best,
>
> Kristaps
>
I've been using the port fcgi-cgi-static meanwhile and it's working ok.
Can't afford to upgrade right now.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



Re: Intel Dual Band Wireless AC 7260 support on the horizon?

2014-07-02 Thread Brad Smith

On 02/07/14 2:59 PM, Peter N. M. Hansteen wrote:

> While I was shopping around for a new laptop to replace my aging
> Thinkpad SL500 I noticed that the Thinkpad's /etc/firmware directory had
> a file called iwn-7260, so when I couldn't get the Atheros AR9485
> included in one recent laptop here to work (and seeing it is included in
> various other laptop models), I bought one Intel 7260 to play with.
>
> However, the card comes up unconfigured:
>
> pci2 at ppb1 bus 2
> "Intel Dual Band Wireless AC 7260" rev 0x73 at pci2 dev 0 function 0 not configured
>
> Have I stumbled onto a new variant, or have I made some silly mistake
> along the way?


The firmware was added so it is already included in the package
when and if someone adds the relevant code to iwn(4) to support
the 7260 / 3160 controllers but to date the driver does not
support these controllers.




Re: [Patch] Possible typo in stdio(3) manpage

2014-07-02 Thread Jason McIntyre
On Wed, Jul 02, 2014 at 11:47:31AM +0800, Edward wrote:
> Hi,
> 
> Caught in a slight confusion about the wordings describing stdio(3) scenario
> needing fflush(3). The diff shows my understanding, but please do reply if it
> is otherwise.
> 
> # cvs diff
> cvs server: Diffing .
> Index: stdio.3
> ===
> RCS file: /cvs/src/lib/libc/stdio/stdio.3,v
> retrieving revision 1.30
> diff -u -p -r1.30 stdio.3
> --- stdio.3 25 Mar 2014 15:23:27 -  1.30
> +++ stdio.3 2 Jul 2014 03:00:36 -
> @@ -148,7 +148,7 @@ In these cases,
>  or when a large amount of computation is done after printing
>  part of a line on an output terminal, it is necessary to
>  .Xr fflush 3
> -the standard output before going off and computing so that the output
> +the standard output before continuing computation so that the output
>  will appear.
>  Alternatively, these defaults may be modified via the
>  .Xr setvbuf 3
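Review bot: on the added line, "before continuing computation" implies the computation is already under way, but the context line three above it ("a large amount of computation is done after printing part of a line") describes computation that begins once the output has been written. "before starting the computation" would agree with that context line.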
> 
> Regards,
> Edward.
> 

i think the phrase "going off and computing" means use fflush before
your code goes elsewhere, to do other things. whatever it means, the
wording is kind of tragic, i agree.

your diff seeks to tweak bad wording, whereas i prefer to kill it. i'll
commit the diff below in the morning (relatively speaking, of course)
unless my mailbox gets jammed with outrage.

jmc

Index: stdio.3
===
RCS file: /cvs/src/lib/libc/stdio/stdio.3,v
retrieving revision 1.30
diff -u -r1.30 stdio.3
--- stdio.3 25 Mar 2014 15:23:27 -  1.30
+++ stdio.3 2 Jul 2014 22:11:10 -
@@ -148,8 +148,7 @@
 or when a large amount of computation is done after printing
 part of a line on an output terminal, it is necessary to
 .Xr fflush 3
-the standard output before going off and computing so that the output
-will appear.
+the standard output so that the output will appear.
 Alternatively, these defaults may be modified via the
 .Xr setvbuf 3
 function.
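
Review bot: the new line "the standard output so that the output will appear." removes the only wording that tied the flush to a point in time, so the sentence now reads as if unflushed output never appears, while the case set up in the context lines above it is output that shows up late, after the computation. A short qualifier would keep that meaning, for example "so that the output will appear before the computation starts".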



Firefox Pkg Spellchecker

2014-07-02 Thread Jason Adams
I've googled around looking for why Firefox 26, installed from the OpenBSD
package underlines every word as misspelled.

All I can find is older references to windows/linux installations where
they did not have a dictionary installed, had not enabled spellcheck, or
had not selected the dictionary.

Checked all those things, still no fix.  I can see the dictionary in the
installation directory, I can (and have) installed at least one more
dictionary via Firefox add-ins.
Still no joy in getting ONLY the misspelled words underlined.

I've added words to my user dictionary (that works).

Is this a known problem, and is there a fix?

OpenBSD 5.5 i386. XFCE4.

-- 
Jason S. Adams




Re: Firefox Pkg Spellchecker

2014-07-02 Thread Adam Suhl
> I've googled around looking for why Firefox 26, installed from the OpenBSD
> package underlines every word as misspelled.

I have this issue as well on 5.5-stable on amd64.
--Adam



DVD & how to overcome mkisofs

2014-07-02 Thread Tuyosi Takesima
Hi , all .

I try to copy DVD.
but in OpenBSD, mkisofs doesn't exist.


my procedure is next
I use dvd-rw.

1)format
dvd+rw-format   -force   /dev/rcd0c

2)ripping
dvdbackup -M -n test  -i /dev/rcd0c   -o  /home/DVD/


3) in Linux
mkisofs -udf -dvd-video -o  /ISO/test.iso   /home/DVD/test


4)burn
growisofs   -dvd-compat -speed=16  -Z /dev/rcd0c   /ISO/test.iso


5)finalizing (is necessary?  i don't understand)
growisofs -dvd-compat -M /dev/rcd0c=/dev/zero


About step 3), is there Alternative means in OpenBSD?
And step 5) is necessary or not?

---
tuyosi



Re: [Patch] Possible typo in stdio(3) manpage

2014-07-02 Thread Edward
On Wed, Jul 02, 2014 at 11:14:50PM +0059, Jason McIntyre wrote:
> i think the phrase "going off and computing" means use fflush before
> your code goes elsewhere, to do other things. whatever it means, the
> wording is kind of tragic, i agree.
> 
> your diff seeks to tweak bad wording, whereas i prefer to kill it. i'll
> commit the diff below in the morning (relatively speaking, of course)
> unless my mailbox gets jammed with outrage.
> 
> jmc
> 
> Index: stdio.3
> ===
> RCS file: /cvs/src/lib/libc/stdio/stdio.3,v
> retrieving revision 1.30
> diff -u -r1.30 stdio.3
> --- stdio.3   25 Mar 2014 15:23:27 -  1.30
> +++ stdio.3   2 Jul 2014 22:11:10 -
> @@ -148,8 +148,7 @@
>  or when a large amount of computation is done after printing
>  part of a line on an output terminal, it is necessary to
>  .Xr fflush 3
> -the standard output before going off and computing so that the output
> -will appear.
> +the standard output so that the output will appear.
>  Alternatively, these defaults may be modified via the
>  .Xr setvbuf 3
>  function.
> 

Hi Jason,

Thanks for fix and clarification.

Regards,
Edward.



Re: DVD & how to overcome mkisofs

2014-07-02 Thread Chris Cappuccio
Use mkhybrid ??

Tuyosi Takesima [nakajin.fu...@gmail.com] wrote:
> Hi , all .
> 
> I try to copy DVD.
> but in OpenBSD, mkisofs doesn't exist.
> 
> 
> my procedure is next
> I use dvd-rw.
> 
> 1)format
> dvd+rw-format   -force   /dev/rcd0c
> 
> 2)ripping
> dvdbackup -M -n test  -i /dev/rcd0c   -o  /home/DVD/
> 
> 
> 3) in Linux
> mkisofs -udf -dvd-video -o  /ISO/test.iso   /home/DVD/test
> 
> 
> 4)burn
> growisofs   -dvd-compat -speed=16  -Z /dev/rcd0c   /ISO/test.iso
> 
> 
> 5)finalizing (is necessary?  i don't understand)
> growisofs -dvd-compat -M /dev/rcd0c=/dev/zero
> 
> 
> About step 3), is there Alternative means in OpenBSD?
> And step 5) is necessary or not?
> 
> ---
> tuyosi

-- 
"If you see fraud and don't shout fraud, you are a fraud" -- Nassim Taleb



Re: Firefox Pkg Spellchecker

2014-07-02 Thread Richard Toohey

On 07/03/14 11:24, Adam Suhl wrote:

> > I've googled around looking for why Firefox 26, installed from the OpenBSD
> > package underlines every word as misspelled.
>
> I have this issue as well on 5.5-stable on amd64.
> --Adam



http://marc.info/?l=openbsd-ports&m=140341756711398&w=2

Not sure how to fix in 5.5, but it's been working for a while in current.



Re: DVD & how to overcome mkisofs

2014-07-02 Thread Josh Grosse
On Thu, Jul 03, 2014 at 08:54:35AM +0900, Tuyosi Takesima wrote:
> Hi, all.
> 
> I try to copy DVD.
> but in OpenBSD, mkisofs doesn't exist.

Yes, it does.  But not in the base.  Instead, it's available as a 3rd 
party package/port.  

You may find databases/pkglocatedb helpful.  In this example, the versions
of these packages are for -current.  

   $ sudo pkg_add pkglocatedb
   Ambiguous: choose package for pkglocatedb
   a   0: 
       1: pkglocatedb-0.6p1
       2: pkglocatedb-0.6p1-src
   Your choice: 1
   pkglocatedb-0.6p1: ok


   $ pkg_info -L pkglocatedb
   Information for inst:pkglocatedb-0.6p1

   Files:
   /usr/local/bin/pkg_locate
   /usr/local/bin/pkglocate
   /usr/local/man/man1/pkg_locate.1
   /usr/local/share/pkglocatedb


   $ pkg_locate /usr/local/bin/mkisofs
   cdrtools-3.00p0:sysutils/cdrtools:/usr/local/bin/mkisofs

And there we have located the package that contains mkisofs.  :)  



Re: DVD & how to overcome mkisofs

2014-07-02 Thread Tuyosi Takesima
Thanks for the reply.
Sorry, mkhybrid doesn't have the '-udf -dvd-video' suffix.
I guess mkhybrid cannot deal with the UDF file system.
---
tuyosi



Re: [Patch] Possible typo in stdio(3) manpage

2014-07-02 Thread Philip Guenther
On Wed, Jul 2, 2014 at 3:15 PM, Jason McIntyre  wrote:

> i think the phrase "going off and computing" means use fflush before
> your code goes elsewhere, to do other things. whatever it means, the
> wording is kind of tragic, i agree.
>
> your diff seeks to tweak bad wording, whereas i prefer to kill it. i'll
> commit the diff below in the morning (relatively speaking, of course)
> unless my mailbox gets jammed with outrage.
>
...

> @@ -148,8 +148,7 @@
>  or when a large amount of computation is done after printing
>  part of a line on an output terminal, it is necessary to
>  .Xr fflush 3
> -the standard output before going off and computing so that the output
> -will appear.
> +the standard output so that the output will appear.
>

"...will appear without delay"?  "...will appear immediately instead of at
the next automatic flush"?


Philip



Re: DVD & how to overcome mkisofs

2014-07-02 Thread Tuyosi Takesima
Thanks for Josh's advice, I will try it after two days.
In Debian, no mkisofs, instead genisoimage.
Times are changing.



OT: Suggestion for hard wire network card AND wireless supported in OpenBSD

2014-07-02 Thread Daniel Ouellet
Sorry for the off topic question, but I am looking and researching a PCI
network card that would have both the cat5 jack and wireless capability
to be used as host into an OpenBSD server to provide access point and the
hard wire part to be used as an additional network card. I only have one
pci slot free and need to add a third hard wire and want to provide
wireless as well from that router.

It appears not as easy as I thought to find.

Anyone know of one that works? Any suggestion as long as it is supported
I don't care.

Answer off list is fine as well.

Thanks for your time if you know of one.

Daniel



Re: DVD & how to overcome mkisofs

2014-07-02 Thread Josh Grosse
On Thu, Jul 03, 2014 at 11:14:40AM +0900, Tuyosi Takesima wrote:
> Thanks for Josh's advice, I will try it after two days.
> In Debian, no mkisofs, instead genisoimage.
> Times are changing.

$ pkg_locate genisoimage
zsh-5.0.5p0:shells/zsh:/usr/local/share/zsh/5.0.5/functions/_genisoimage



Re: crowding out bsd using systemd?

2014-07-02 Thread frank ernest
> I intend to produce the four systemd utilities as outlined on the
> OpenBSD Foundation's web page, ...

This seems unclear to me what you are referring to;
http://www.openbsdfoundation.org/ does not contain, as far as I could see,
any software specs/ideas. And, though this sounds quite pretty, are you
intending to follow the unix philosophy?

ian, will the software that you speak of be portable to Linux or is it BSD
only? I've contacted gentoo and they mentioned
http://skarnet.org/software/s6/ as an interesting project to help replace
systemd. What do you guys think? I'm going to try to port to opensuse.



Re: crowding out bsd using systemd?

2014-07-02 Thread ian kremlin
> referring to http://www.openbsdfoundation.org/ does not contain, as far as

http://www.openbsdfoundation.org/gsoc2014.html

> software that you speak of be portable to Linux or is it BSD only? I've

i am planning (post-GSOC) on writing an archlinux PKGBUILD and
eventually a debian package.



Re: OT: Suggestion for hard wire network card AND wireless supported in OpenBSD

2014-07-02 Thread Jason Adams
Not aware of such a card, but how about a usb wifi adaptor?
Cheap, and slower, but then it's wifi, so it's not that fast anyway.

There are also USB cat5 jacks.


On Wed, Jul 2, 2014 at 6:25 PM, Daniel Ouellet  wrote:

> Sorry for the off topic question, but I am looking and researching a PCI
> network card that would have both the cat5 jack and wireless capability
> to be used as host into an OpenBSD server to provide access point and the
> hard wire part to be used as an additional network card. I only have one
> pci slot free and need to add a third hard wire and want to provide
> wireless as well from that router.
>
> It appears not as easy as I thought to find.
>
> Anyone know of one that works? Any suggestion as long as it is supported
> I don't care.
>
> Answer off list is fine as well.
>
> Thanks for your time if you know of one.
>
> Daniel
>
>


-- 
Jason S. Adams




Re: crowding out bsd using systemd?

2014-07-02 Thread frank ernest
> referring to http://www.openbsdfoundation.org/ does not contain, as far as
> http://www.openbsdfoundation.org/gsoc2014.html

Umm, there are at least 24 links on that page to various projects that need
done, to which are you referring?



Re: crowding out bsd using systemd?

2014-07-02 Thread ian kremlin
> Umm, there are at least
> 24 links on that page to various projects that need done, to which are

if you don't have the time to look through a list of a couple dozen
items for the subject of what you have been criticizing, then i don't
have the time to reply to your petty, innocuous emails. i don't know
what to tell you: i regularly publish snapshots which compile with
strict compiler settings of my project. i pull a single library (GLib)
and have written everything in straight C. i'm valgrinding the shit
out of this bitch before i tag a release candidate and will check,
line by line, every GLib function i call to guarantee i'm free()'ing
everything i'm supposed to and that there are none of the common
over/underflow you'd see in a lazy individual's code. i'm integrating
checksums to guarantee each daemon is afforded the bare-minimum
security policies it can operate under. i host all of this on my
domain from money out of my college-student pockets. would you like to
see what i sent to my mentors when requesting this project? it's got
UNIX and blind sincerity out the wing-wang. i'm fervently passionate
about staying the hell away from systemd and making its existence a
non-issue for luckier operating systems. that's what this whole
project is about; if you actually care about the direction it's
taking, please feel free to read my code and mail me with whatever
issues/bugs you can find -- i'll happily review and patch them in.

ian



Re: [Patch] Possible typo in stdio(3) manpage

2014-07-02 Thread Jason McIntyre
On Wed, Jul 02, 2014 at 07:10:06PM -0700, Philip Guenther wrote:
> On Wed, Jul 2, 2014 at 3:15 PM, Jason McIntyre  wrote:
> 
> > i think the phrase "going off and computing" means use fflush before
> > your code goes elsewhere, to do other things. whatever it means, the
> > wording is kind of tragic, i agree.
> >
> > your diff seeks to tweak bad wording, whereas i prefer to kill it. i'll
> > commit the diff below in the morning (relatively speaking, of course)
> > unless my mailbox gets jammed with outrage.
> >
> ...
> 
> > @@ -148,8 +148,7 @@
> >  or when a large amount of computation is done after printing
> >  part of a line on an output terminal, it is necessary to
> >  .Xr fflush 3
> > -the standard output before going off and computing so that the output
> > -will appear.
> > +the standard output so that the output will appear.
> >
> 
> "...will appear without delay"?  "...will appear immediately instead of at
> the next automatic flush"?
> 
> 
> Philip
> 

thanks, i settled on tim's "immediately" suggestion to keep it brief.
jmc