Re: /usr/local/lib/ruby/site_ruby/1.8/i386-openbsd/RRD.so: Cannot load specified object
Hi,

Running the web app, give me in the production.log :

Processing DashboardController#index (for 192.168.0.20 at 2014-07-02 11:58:53) [GET]
  Parameters: {"controller"=>"dashboard", "action"=>"index"}

LoadError (Cannot load specified object - /usr/local/lib/ruby/site_ruby/1.8/i386-openbsd/RRD.so):
    /usr/local/lib/ruby/site_ruby/1.8/i386-openbsd/RRD.so
    lib/rrdmon.rb:4
    app/controllers/dashboard_controller.rb:7:in `index'

Below, a beginning of dashboard_controller.rb file :

class DashboardController < ApplicationController
  def index
    @proc = Mailserver.new.processes
    @updates = Mailserver.new.updates
    # problem to load rrdtools - can not load specified object RRD.so
    Rrdmon.new.daily
  end

The error was away in the install using LD_PRELOAD in the install process.
But i don't know how to correct this app, if you can help me.
Thank you very much.

Rendering /var/mailserv/admin/public/500.html (500 Internal Server Error)

On 01.07.2014 03:14, Stuart Henderson wrote:
On 2014-06-30, Wesley MOUEDINE ASSABY wrote:

dlopen: /usr/local/lib/ruby/site_ruby/1.8/i386-openbsd/RRD.so: done (failed).
/usr/local/lib/ruby/site_ruby/1.8/i386-openbsd/RRD.so: Cannot load specified object - /usr/local/lib/ruby/site_ruby/1.8/i386-openbsd/RRD.so
...
and verify now :
ldconfig -r | grep libpthread.so.18.0
68:-lpthread.18.0 => /usr/lib/libpthread.so.18.0
and the file exists. I don't understand why it is not loaded ...

dlopen() doesn't automatically pull in libpthread. Either the main program must be linked against it, or you need LD_PRELOAD.

On 2014-06-30, Wesley MOUEDINE ASSABY wrote:
On 30.06.2014 18:11, Ted Unangst wrote:

LD_PRELOAD=libpthread.so ruby

I tried this : env LD_PRELOAD=/usr/lib/libpthread.so.18.0 ruby18 path_to_rb
The error go away. But the ruby app doesn't work.

So this fixed one problem, now you have another and need to debug a bit further..
Re: ViewVC
On Wed, July 2, 2014 10:04, Stefan Sperling wrote:
> On Tue, Jul 01, 2014 at 08:36:29PM -0400, Predrag Punosevac wrote:
>> I am trying to run ViewVC in the stand alone server mode on the new svn
>> server (OpenBSD 5.5 amd64). Since ViewVC is not in ports I downloaded
>> 1.1.22 package from CollabNet website. ViewVC keeps crashing when
>> while I browse my SVN repos. They are rather large. I am not using any
>> kind a proxy but rather forcing built in server to listen on the port
>> 80.
>
> IIRC viewvc uses Subversion's python bindings. Did you install them?
> pkg_add py-subversion
>
>> Does anyone have any experience running ViewVC on OpenBSD recently? I am
>> tempted to try to use Nginx as a proxy or install Apache 2 and use CGI
>> mode via ScriptAlias for ViewVC. The latter is running fine in out
>> current setup on Scientific Linux 6.2 which I am trying to migrate to
>> OpenBSD. Unfortunately moving to Trac (which would be my strong
>> preference) or WebSVN will probably cause ruffle feathers, a condition I
>> want to avoid.
>>
>> Predrag
>
> WebSVN is fairly broken with SVN 1.8. Don't bother. (Which reminds me
> I've been meaning to remove it but was still waiting for patches
> promised by someone, which never arrived).

Yes, we decided that it should be updated to 0.63 or killed.
I have no patch yet, sorry...
current/i386 panics on Asus J1800I-C
So I got me this Asus board with an integrated Celeron
http://www.asus.com/Motherboards/J1800IC/specifications/
and put 2G of Crucial RAM in it.

"A PC is a PC is a PC" I can hear you say,
but somehow I can't get current/i386 to run on it.

Using another current/i386 machine as an installer,
I installed current/i386 on a Samsung 250GB SATA disk
(installing onto the external sd1). Then I put this
SATA disk into the Asus board to boot from it.

Firstly, it didn't even _try_ to boot from it.
The POST screen mentioned the disk is there
(with the correct Samsung code and all),
but went straight to BIOS; in the BOOT menu,
the disk was not an option (just PXE).

That was my first encounter with the UEFI "Secure Boot" horror
- and there was no way to "disable" it, the "enabled" setting
was gray'ed out. I set the "OS type" to "Other" (as opposed to
"Windows 8", the only other option), no change. Then I deleted
the database of "keys" - that made the Secure Boot "disabled",
but it still didn't try to boot from the disk, and didn't even
present it as an option in the boot menu.

Only after upgrading to the latest BIOS
http://www.asus.com/Motherboards/J1800IC/HelpDesk_Download/
I am presented with "CMS settings" where I can somehow make
other systems (other boot loaders) allowed.
So now it finally gets to the OpenBSD boot loader.

But /bsd panics during boot, /bsd.sp and /bsd.rd panic too.
I don't know if the previous is relevant to it.

The board has a serial console, but I can't get it to work
(the manual does not specify the baud rate, I tried all
baud rates from 9600 to 115200 that I have met, but
I never get anything after "connected"); so here are
the pictures (sorry):

/bsd
http://stare.cz/dmesg/asus-J1800IC-bsd-panic.jpg
http://stare.cz/dmesg/asus-J1800IC-bsd-trace.jpg
http://stare.cz/dmesg/asus-J1800IC-bsd-ddbcpu.jpg
(the last command just sits there)

/bsd.sp
http://stare.cz/dmesg/asus-J1800IC-bsdsp-panic.jpg
http://stare.cz/dmesg/asus-J1800IC-bsdsp-trace.jpg

/bsd.rd
http://stare.cz/dmesg/asus-J1800IC-bsdrd-panic.jpg

I don't think these newer machines are even supposed to work without ACPI
- indeed, disabling ACPI makes /bsd panic in identifycpu().
What can I do to further debug it?

Jan
Re: current/i386 panics on Asus J1800I-C
On Wed, Jul 02, 2014 at 12:43:58PM +0200, Jan Stary wrote:
> So I got me this Asus board with an integrated Celeron
> http://www.asus.com/Motherboards/J1800IC/specifications/
> and put 2G of Crucial RAM in it.
>
> "A PC is a PC is a PC" I can hear you say,
> but somehow I can't get current/i386 to run on it.
>
> Using another current/i386 machine as an installer,
> I installed current/i386 on a Samsung 250GB SATA disk
> (installing onto the external sd1). Then I put this
> SATA disk into the Asus board to boot from it.
>
> Firstly, it didn't even _try_ to boot from it.
> The POST screen mentioned the disk is there
> (with the correct Samsung code and all),
> but went straight to BIOS; in the BOOT menu,
> the disk was not an option (just PXE).
>
> That was my first encounter with the UEFI "Secure Boot" horror
> - and there was no way to "disable" it, the "enabled" setting
> was gray'ed out. I set the "OS type" to "Other" (as opposed to
> "Windows 8", the only other option), no change. Then I deleted
> the database of "keys" - that made the Secure Boot "disabled",
> but it still didn't try to boot from the disk, and didn't even
> present it as an option in the boot menu.
>
> Only after upgrading to the latest BIOS
> http://www.asus.com/Motherboards/J1800IC/HelpDesk_Download/
> I am presented with "CMS settings" where I can somehow make
> other systems (other boot loaders) allowed.
> So now it finally gets to the OpenBSD boot loader.
>
> But /bsd panics during boot, /bsd.sp and /bsd.rd panic too.
> I don't know if the previous is relevant to it.
>
> The board has a serial console, but I can't get it to work
> (the manual does not specify the baud rate, I tried all
> baud rates from 9600 to 115200 that I have met, but
> I never get anything after "connected"); so here are
> the pictures (sorry):
>
> /bsd
> http://stare.cz/dmesg/asus-J1800IC-bsd-panic.jpg
> http://stare.cz/dmesg/asus-J1800IC-bsd-trace.jpg
> http://stare.cz/dmesg/asus-J1800IC-bsd-ddbcpu.jpg
> (the last command just sits there)
>
> /bsd.sp
> http://stare.cz/dmesg/asus-J1800IC-bsdsp-panic.jpg
> http://stare.cz/dmesg/asus-J1800IC-bsdsp-trace.jpg
>
> /bsd.rd
> http://stare.cz/dmesg/asus-J1800IC-bsdrd-panic.jpg
>
>
> I don't think these newer machines are even supposed to work without ACPI
> - indeed, disabling ACPI makes /bsd panic in identifycpu().
> What can I do to further debug it?
>
> Jan

Use google...

http://archives.neohapsis.com/archives/openbsd/2014-05/1637.html

-Otto
Re: /usr/local/lib/ruby/site_ruby/1.8/i386-openbsd/RRD.so: Cannot load specified object
Now, it works using your advice, the following at startup

export LD_PRELOAD=/usr/lib/libpthread.so.18.0

Thank you very much.

--

On 01.07.2014 03:14, Stuart Henderson wrote:

dlopen() doesn't automatically pull in libpthread. Either the main program must be linked against it, or you need LD_PRELOAD.
Re: openssh
On 07/01/2014 02:20 PM, Nick Holland wrote:
On 07/01/14 07:00, Gregory Edigarov wrote:

Hello,

Just out for curiosity.
what is the fastest and lightest in cpu terms algorithm in ssh?

As someone who has worked with lots of really old and weak processors (and still used the defaults)...I must ask, why? If this matters to you, I'd suggest getting a better computer, not dumbing-down SSH. Yes, using ssh on a 25mhz sparc is annoying, but then, so is almost everything else you do on those machines. A 20% change one way or another won't change the annoying factor enough to worry about.

And maybe more important: why aren't you just testing what YOU care about on YOUR system and answering your own question? I suspect you may see different answers on different processors and different tasks. I.e., what matters? connection time? throughput? On the client or server?

And if you have difficulty answering, maybe the answer is "doesn't really matter, just use the defaults".

Nick.

because I need to scp some 90-100G of data from a VERY busy server over internet on a regular basis and I don't want scp eat any cpu at all, which in case of encryption is unavoidable).

then, in the middle I have a firewall, that is out of my control, only allowing connections to 22 port to that server.

Hope my explanation is enough

--
With best regards,
Gregory Edigarov
Re: openssh
On 07/02/14 09:08, Gregory Edigarov wrote:
> On 07/01/2014 02:20 PM, Nick Holland wrote:
>> On 07/01/14 07:00, Gregory Edigarov wrote:
>>> Hello,
>>>
>>> Just out for curiosity.
>>> what is the fastest and lightest in cpu terms algorithm in ssh?
>> As someone who has worked with lots of really old and weak processors
>> (and still used the defaults)...I must ask, why? If this matters to
>> you, I'd suggest getting a better computer, not dumbing-down SSH. Yes,
>> using ssh on a 25mhz sparc is annoying, but then, so is almost
>> everything else you do on those machines. A 20% change one way or
>> another won't change the annoying factor enough to worry about.
>>
>> And maybe more important: why aren't you just testing what YOU care
>> about on YOUR system and answering your own question? I suspect you may
>> see different answers on different processors and different tasks.
>> I.e., what matters? connection time? throughput? On the client or server?
>>
>> And if you have difficulty answering, maybe the answer is "doesn't
>> really matter, just use the defaults".
>>
>> Nick.
>>
> because I need to scp some 90-100G of data from a VERY busy server over
> internet on a regular basis and I don't
> want scp eat any cpu at all, which in case of encryption is unavoidable).
>
> then, in the middle I have a firewall, that is out of my control, only
> allowing connections to 22 port to that server.
>
> Hope my explanation is enough

not really, but regardless, YOU still need to do experiments on YOUR systems. And I still think fiddling with the encryption knob is the wrong knob. Will it change something? Sure. Not much, however.

What is busy? if "busy" is CPU, nice(1) is your friend. if busy is disk, chewing some CPU or even rate limiting may be your friend. If you are generating that much new data regularly, you may well have more of a disk issue than a CPU issue.

If it isn't all new data, look at rsync -- more cpu for less disk and network I/O.

Try compression on vs. off (the results of this are usually easier to explain after the fact than to predict before. Shouldn't be the case, I know, but I've bet wrong too many times).

Fiddle with the rate limiting of scp. Note that the number you specify is not terribly absolute -- don't take your available bandwidth and claim 80% and think magic will happen, you will have to experiment with values, and leave it sit for a while to let the buffers do their thing.

Then of course, there's the "if you don't like the answers, change the question" strategy -- drop another machine behind the firewall with a lower impact way of transferring data -- NFS? FTP? You are again going to have to experiment -- then SCP off that machine instead of your overloaded box. If the data is logs, you probably want to be syslogging to another box anyway.

Some time back, TedU@ wrote a nifty little programlette he called "disknice" -- google for that, you'll find it. It yanks the program you have it running away from the CPU (and thus, disk, etc.) periodically, letting other tasks have at it. I use it to back up some data from my laptop's disk to a SD card on boot with rsync, before, it killed the system performance until it was done. Now it takes longer, but I don't feel it happening.

Maybe this helps you in some way.

Nick.
Re: openssh
On 07/02/2014 04:40 PM, Nick Holland wrote:
On 07/02/14 09:08, Gregory Edigarov wrote:
On 07/01/2014 02:20 PM, Nick Holland wrote:
On 07/01/14 07:00, Gregory Edigarov wrote:

Hello,

Just out for curiosity.
what is the fastest and lightest in cpu terms algorithm in ssh?

As someone who has worked with lots of really old and weak processors (and still used the defaults)...I must ask, why? If this matters to you, I'd suggest getting a better computer, not dumbing-down SSH. Yes, using ssh on a 25mhz sparc is annoying, but then, so is almost everything else you do on those machines. A 20% change one way or another won't change the annoying factor enough to worry about.

And maybe more important: why aren't you just testing what YOU care about on YOUR system and answering your own question? I suspect you may see different answers on different processors and different tasks. I.e., what matters? connection time? throughput? On the client or server?

And if you have difficulty answering, maybe the answer is "doesn't really matter, just use the defaults".

Nick.

because I need to scp some 90-100G of data from a VERY busy server over internet on a regular basis and I don't want scp eat any cpu at all, which in case of encryption is unavoidable).

then, in the middle I have a firewall, that is out of my control, only allowing connections to 22 port to that server.

Hope my explanation is enough

not really, but regardless, YOU still need to do experiments on YOUR systems. And I still think fiddling with the encryption knob is the wrong knob. Will it change something? Sure. Not much, however.

What is busy? if "busy" is CPU, nice(1) is your friend. if busy is disk, chewing some CPU or even rate limiting may be your friend. If you are generating that much new data regularly, you may well have more of a disk issue than a CPU issue.

If it isn't all new data, look at rsync -- more cpu for less disk and network I/O.

Try compression on vs. off (the results of this are usually easier to explain after the fact than to predict before. Shouldn't be the case, I know, but I've bet wrong too many times).

Fiddle with the rate limiting of scp. Note that the number you specify is not terribly absolute -- don't take your available bandwidth and claim 80% and think magic will happen, you will have to experiment with values, and leave it sit for a while to let the buffers do their thing.

Then of course, there's the "if you don't like the answers, change the question" strategy -- drop another machine behind the firewall with a lower impact way of transferring data -- NFS? FTP? You are again going to have to experiment -- then SCP off that machine instead of your overloaded box. If the data is logs, you probably want to be syslogging to another box anyway.

Some time back, TedU@ wrote a nifty little programlette he called "disknice" -- google for that, you'll find it. It yanks the program you have it running away from the CPU (and thus, disk, etc.) periodically, letting other tasks have at it. I use it to back up some data from my laptop's disk to a SD card on boot with rsync, before, it killed the system performance until it was done. Now it takes longer, but I don't feel it happening.

Maybe this helps you in some way.

Thanks for the insight Nick. I will seriously think about second machine approach. The data I need to copy are in a way something like logs, although they are coming from some technological equipment.
http://www.openbsd.org/anoncvs.html
Hi,

just trying to build 5.5 stable branch and seeing that the FAQ is implicitly saying cvs should be used as root.

"First, start out by `get'-ing an initial tree:

(If you are following current):
# cd /usr
# cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs get -P src

(If you are following the patch branch for 5.5):
# cd /usr
# cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs get # -rOPENBSD_5_5 -P src
"

Wouldn't it be better to tell the user to add the local non-root user to the wsrc group and then just do it without root permissions? (changing # into $ in the examples)

Or is the change of this FAQ, already a FAQ? ;)

best regards
Waldemar
Re: openssh
> because I need to scp some 90-100G of data from a VERY busy server over
> internet on a regular basis and I don't
> want scp eat any cpu at all, which in case of encryption is unavoidable).

Better buy a harddisk, copy your data and mail it abroad. Seriously.
rc script problem with pgrep / pkill
Hi,

I have a problem with a rc script, when I try to check or stop the service. It is very similar to the spamd rc script (with no rc_pre() and rc_start()):

$ grep -C2 pexp /etc/rc.d/{spamd,tarpitd}
/etc/rc.d/spamd-. /etc/rc.d/rc.subr
/etc/rc.d/spamd-
/etc/rc.d/spamd:pexp="spamd: \[priv\]"
/etc/rc.d/spamd-rc_reload=NO
/etc/rc.d/spamd-
--
/etc/rc.d/tarpitd-. /etc/rc.d/rc.subr
/etc/rc.d/tarpitd-
/etc/rc.d/tarpitd:pexp="tarpitd: \[priv\]"
/etc/rc.d/tarpitd-
/etc/rc.d/tarpitd-rc_reload=NO

The start parameter works correctly:

$ sudo /etc/rc.d/tarpitd -d start
doing rc_read_runfile
doing rc_check
tarpitd
doing rc_start
doing rc_write_runfile
(ok)

$ ps aux | grep "tarpitd:"
_tarpitd 22014  0.0  0.1  7176  3964 ??  Ss     10:18AM    0:00.46 tarpitd: [priv] (tarpitd)
root       775  0.0  0.0   472   660 p1  I      10:18AM    0:00.00 tarpitd: (blocker) (tarpitd)
seblec    6474  0.0  0.0   448   268 p1  R+/1   11:01AM    0:00.00 grep tarpitd:

If I try a manual pgrep, with the same syntax as in rc.subr, it works as expected:

$ pgrep -f "^tarpitd: \[priv\]"
22014

But a check or stop doesn't:

$ sudo /etc/rc.d/tarpitd -d check ; echo $?
doing rc_read_runfile
doing rc_check
1

$ sudo /etc/rc.d/tarpitd -d stop
doing rc_read_runfile
doing rc_check

I'm using 5.5-release

What am I doing wrong?

Thank you!

Sebastien Leclerc
Re: ViewVC
Stefan Sperling wrote:

> On Tue, Jul 01, 2014 at 08:36:29PM -0400, Predrag Punosevac wrote:
> > I am trying to run ViewVC in the stand alone server mode on the new svn
> > server (OpenBSD 5.5 amd64). Since ViewVC is not in ports I downloaded
> > 1.1.22 package from CollabNet website. ViewVC keeps crashing when
> > while I browse my SVN repos. They are rather large. I am not using any
> > kind a proxy but rather forcing built in server to listen on the port
> > 80.
>
> IIRC viewvc uses Subversion's python bindings. Did you install them?
> pkg_add py-subversion

Of course :) Built in stand alone server which comes with ViewVC runs fine until I start browsing repositories aggressively. Then it crashes as in

# uname -a
OpenBSD svnhub.int.autonlab.org 5.5 GENERIC.MP#315 amd64
# /usr//local/bin/viewvc-1.1.22/bin/standalone.py -d -p 80 -h \
svnhub.int.autonlab.org

server ready at http://svnhub.int.autonlab.org:80/viewvc
# 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc HTTP/1.1" 200 -
10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc/*docroot*/styles.css HTTP/1.1" 200 -
10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc/*docroot*/images/viewvc-logo.png HTTP/1.1" 200 -
10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc/*docroot*/images/dir.png HTTP/1.1" 200 -
10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc/*docroot*/images/favicon.ico HTTP/1.1" 200 -
10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
10.8.0.6 - - [02/Jul/2014 11:16:49] "GET /viewvc/cvs/ HTTP/1.1" 200 -
10.8.0.6 - - [02/Jul/2014 11:16:49] ViewVC exited ok
10.8.0.6 - - [02/Jul/2014 11:16:49] "GET /viewvc/*docroot*/images/up.png HTTP/1.1" 200 -
10.8.0.6 - - [02/Jul/2014 11:16:49] ViewVC exited ok
10.8.0.6 - - [02/Jul/2014 11:16:57] "GET /viewvc/cvs/trunk/ HTTP/1.1" 200 -
Traceback (most recent call last):
  File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 879, in
    main(sys.argv)
  File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 874, in main
    serve(options.host, options.port, ready)
  File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 421, in serve
    ViewVCHTTPServer(host, port, callback).serve_until_quit()
  File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 356, in serve_until_quit
    self.handle_request()
  File "/usr/local/lib/python2.7/SocketServer.py", line 280, in handle_request
    self._handle_request_noblock()
  File "/usr/local/lib/python2.7/SocketServer.py", line 297, in _handle_request_noblock
    self.handle_error(request, client_address)
  File "/usr/local/lib/python2.7/SocketServer.py", line 350, in handle_error
    print '-'*40
  File "/usr/local/lib/python2.7/socket.py", line 324, in write
    self.flush()
  File "/usr/local/lib/python2.7/socket.py", line 303, in flush
    self._sock.sendall(view[write_offset:write_offset+buffer_size])
AttributeError: 'NoneType' object has no attribute 'sendall'

Any clues Stefan from the kernel hacker point of view?

Most Kind Regards,
Predrag

>
> > Does anyone have any experience running ViewVC on OpenBSD recently? I am
> > tempted to try to use Nginx as a proxy or install Apache 2 and use CGI
> > mode via ScriptAlias for ViewVC. The latter is running fine in out
> > current setup on Scientific Linux 6.2 which I am trying to migrate to
> > OpenBSD. Unfortunately moving to Trac (which would be my strong
> > preference) or WebSVN will probably cause ruffle feathers, a condition I
> > want to avoid.
> >
> > Predrag
>
> WebSVN is fairly broken with SVN 1.8. Don't bother. (Which reminds me
> I've been meaning to remove it but was still waiting for patches
> promised by someone, which never arrived).
Re: LAN vs VLAN interface performance
Hi all,

I am replying to this thread as I see some resemblance between issue I experience and the quickly rising netlivelocks value.

On 24/06/14 3:08 PM, Chris Cappuccio wrote:
>Kapetanakis Giannis [bil...@edu.physics.uoc.gr] wrote:
>> On 23/06/14 21:33, Henning Brauer wrote:
>>>* Chris Cappuccio [2014-06-23 20:24]:

I have a sandy bridge Xeon box with PF NAT that handles a daily 200 to 700Mbps. It has a single myx interface using OpenBSD 5.5 (not current). It does nothing but PF NAT and related routing. No barage of vlans or interfaces. No dynamic routing. Nothing else. 60,000 to 100,000 states.

With an MP kernel, kern.netlivelocks increases by something like 150,000 per day!! I The packet loss was notable.

With an SP kernel, the 'netlivelock' counter barely moves. Maybe 100 per day on average, but for the past week, maybe 5.

>>
>> sysctl -a|grep netlive
>> kern.netlivelocks=50
>>
>> # pfctl -ss|wc -l
>> 73203
>>
>> # pfctl -sr|wc -l
>> 294
>>
>> routing/firewalling/some NAT at ~ 500Mbps

I am routing between 5 and 20 megabit/sec on an OpenBSD 5.5 following mtier stable updates. No NAT, PF is disabled, just plain routing (~ 500k IPv4 routes, 20k IPv6 routes).

DMESG is available here http://instituut.net/~job/dmesg-dcg-2.txt . A mixture of em(4) and bnx(4) NICs in Dell R610 chassis with mfi(4) powered PERC 6/i controller.

> I have some ideas. I'm going to do some troubleshooting when I have a
> chance to think clearly.
>
> I think the disk subsystem could be part of the issue. I see the most
> netlivelocks on a box with a USB key, mfi is in second place.

I am graphing netlivelocks in munin to get a grasp on things: http://sysadmin.coloclue.net/munin/router.nl.coloclue.net/eunetworks-2.router.nl.coloclue.net/index.html#kern (feel free to look at the other system metrics from the BSD routers, filed under "router.nl.coloclue.net" at http://sysadmin.coloclue.net/munin/index.html)

Until yesterday I was running GENERIC.MP, and experienced between 1% and 2% packetloss on packets forwarded by the OpenBSD routers, sthen@ recommended I try the singlecore kernel and magically most of the packetloss disappeared (but not all). With the GENERIC.MP kernel netlivelocks was raising way faster.

During debugging (when I was running MP) i tcpdumped for inbound ICMP traffic on one of our edge interfaces, and initially thought one of our suppliers was to blame as tcpdump didn't show some packets I expected to arrive, now I suspect they got lost on our side because we don't see the behaviour with SP.

I observed similar packetloss for both IPv4 and IPv6. Unsure if that helps in assessing where in the system they get lost.

How can I assist in further debugging?

Kind regards,

Job
Re: ViewVC
It fails to create a socket (_sock is None). This can be an indicator of you hitting fd limits.

On 2 Jul 2014 17:23, "Predrag Punosevac" wrote:
> Stefan Sperling wrote:
>
> > On Tue, Jul 01, 2014 at 08:36:29PM -0400, Predrag Punosevac wrote:
> > > I am trying to run ViewVC in the stand alone server mode on the new svn
> > > server (OpenBSD 5.5 amd64). Since ViewVC is not in ports I downloaded
> > > 1.1.22 package from CollabNet website. ViewVC keeps crashing when
> > > while I browse my SVN repos. They are rather large. I am not using any
> > > kind a proxy but rather forcing built in server to listen on the port
> > > 80.
> >
> > IIRC viewvc uses Subversion's python bindings. Did you install them?
> > pkg_add py-subversion
>
> Of course :) Built in stand alone server which comes with ViewVC runs
> fine until I start browsing repositories aggressively. Then it crashes as
> in
> # uname -a
> OpenBSD svnhub.int.autonlab.org 5.5 GENERIC.MP#315 amd64
> # /usr//local/bin/viewvc-1.1.22/bin/standalone.py -d -p 80 -h \
> svnhub.int.autonlab.org
>
> server ready at http://svnhub.int.autonlab.org:80/viewvc
> # 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc HTTP/1.1" 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc/*docroot*/styles.css
> HTTP/1.1" 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET
> /viewvc/*docroot*/images/viewvc-logo.png HTTP/1.1" 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET
> /viewvc/*docroot*/images/dir.png HTTP/1.1" 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET
> /viewvc/*docroot*/images/favicon.ico HTTP/1.1" 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:49] "GET /viewvc/cvs/ HTTP/1.1" 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:49] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:49] "GET /viewvc/*docroot*/images/up.png
> HTTP/1.1" 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:49] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:57] "GET /viewvc/cvs/trunk/ HTTP/1.1"
> 200 -
> Traceback (most recent call last):
> File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 879, in
> main(sys.argv)
> File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 874, in
> main
> serve(options.host, options.port, ready)
> File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 421, in
> serve
> ViewVCHTTPServer(host, port, callback).serve_until_quit()
> File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 356, in
> serve_until_quit
> self.handle_request()
> File "/usr/local/lib/python2.7/SocketServer.py", line 280, in
> handle_request
> self._handle_request_noblock()
> File "/usr/local/lib/python2.7/SocketServer.py", line 297, in
> _handle_request_noblock
> self.handle_error(request, client_address)
> File "/usr/local/lib/python2.7/SocketServer.py", line 350, in
> handle_error
> print '-'*40
> File "/usr/local/lib/python2.7/socket.py", line 324, in write
> self.flush()
> File "/usr/local/lib/python2.7/socket.py", line 303, in flush
> self._sock.sendall(view[write_offset:write_offset+buffer_size])
> AttributeError: 'NoneType' object has no attribute 'sendall'
>
>
> Any clues Stefan from the kernel hacker point of view?
>
>
> Most Kind Regards,
> Predrag
>
> >
> > > Does anyone have any experience running ViewVC on OpenBSD recently? I am
> > > tempted to try to use Nginx as a proxy or install Apache 2 and use CGI
> > > mode via ScriptAlias for ViewVC. The latter is running fine in out
> > > current setup on Scientific Linux 6.2 which I am trying to migrate to
> > > OpenBSD. Unfortunately moving to Trac (which would be my strong
> > > preference) or WebSVN will probably cause ruffle feathers, a condition I
> > > want to avoid.
> > >
> > > Predrag
> >
> > WebSVN is fairly broken with SVN 1.8. Don't bother. (Which reminds me
> > I've been meaning to remove it but was still waiting for patches
> > promised by someone, which never arrived).
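
Added example (not part of the original message, and not ViewVC code): the reply above attributes the crash to descriptor exhaustion, and the fix reported later in the thread raised kern.maxfiles. This Python 3 program reproduces the condition inside its own process by lowering RLIMIT_NOFILE to a constructed value of 64, and shows how the errno separates a per-process limit (EMFILE) from a full system-wide table (ENFILE). The function names are illustrative.

```python
import errno
import os
import resource
import socket


def open_fd_count(max_fd):
    """Count open descriptors in [0, max_fd) by probing each with fstat()."""
    count = 0
    for fd in range(max_fd):
        try:
            os.fstat(fd)
        except OSError as exc:
            if exc.errno != errno.EBADF:  # EBADF only means "this fd is not open"
                raise
        else:
            count += 1
    return count


def explain(err):
    """Map the errno from socket()/accept()/open() to the limit that was hit."""
    if err == errno.EMFILE:
        return "per-process limit (RLIMIT_NOFILE: ulimit -n, login.conf openfiles)"
    if err == errno.ENFILE:
        return "system-wide file table (kern.maxfiles on OpenBSD)"
    return "not a descriptor limit: " + os.strerror(err)


def reproduce_exhaustion(soft_limit=64):
    """Lower this process's own soft limit, open sockets until refused, restore."""
    old_soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if hard != resource.RLIM_INFINITY:
        soft_limit = min(soft_limit, hard)
    resource.setrlimit(resource.RLIMIT_NOFILE, (soft_limit, hard))
    held, failure, in_use = [], None, None
    try:
        while len(held) <= soft_limit:
            try:
                held.append(socket.socket(socket.AF_INET, socket.SOCK_STREAM))
            except OSError as exc:
                failure = exc.errno
                # Every slot below the limit is taken at this point.
                in_use = open_fd_count(soft_limit)
                break
    finally:
        for s in held:
            s.close()
        resource.setrlimit(resource.RLIMIT_NOFILE, (old_soft, hard))
    return {"limit": soft_limit, "opened": len(held),
            "errno": failure, "in_use_at_failure": in_use}


def headroom(warn_ratio=0.8, scan_cap=4096):
    """Report usage against the soft limit so a monitor can alert before a crash."""
    soft, _ = resource.getrlimit(resource.RLIMIT_NOFILE)
    unlimited = soft == resource.RLIM_INFINITY
    used = open_fd_count(scan_cap if unlimited else min(soft, scan_cap))
    return {"used": used, "soft_limit": soft,
            "warn": (not unlimited) and used >= warn_ratio * soft}


if __name__ == "__main__":
    result = reproduce_exhaustion()
    print(result, "->", explain(result["errno"]))
    print(headroom())
```

A server that sees EMFILE needs a higher per-process limit or fewer leaked descriptors; raising the system-wide table only helps when the error is ENFILE.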
Re: http://www.openbsd.org/anoncvs.html
On 07/02/14 10:54, Waldemar Brodkorb wrote:
> Hi,
>
> just trying to build 5.5 stable branch and seeing that
...[checkout/compile/install as root]...
> Wouldn't it be better to tell the user to add the local non-root
> user to the wsrc group and then just do it without root permissions?
> (changing # into $ in the examples)

why? Answer thoughtfully, not reflexively, please.

You are building code that all system security depends on. If you don't trust the user doing this, you have a problem, doing it as non-root changes this situation not one bit.

You have to be root to install the kernel and the userland anyway. If you wish to build userland without being root, you need sudo configured without a password (or be sitting around to respond when it asks for a pw). Again, not really improving security. Maybe lessening it if that's against your needs.

Good administrative practices? Very possibly. But this comes down to local administrative policies set by people looking at the situation at your site. Minimizing the damage of "rm -rf /" is good. Turning off passwords on sudo if that's otherwise your policy is not good.

There's a philosophy that what you are doing here could totally f*** your system up. Not doing it as root and pretending what you do couldn't hurt things is bad. Maybe seeing the "#" prompt reminds you there are sharp edges here.

me? IF I'm doing this on a "General Purpose" machine, I'd probably check out as me, compile kernel as me, "sudo make install" the kernel, and "sudo make build". I should probably "SUDO=sudo make build", but hey, if there's something wrong in the build scripts that this saves me from, it would probably be best for all of you that I find out, right? :)

If I'm building on a machine dedicated to building...I'm not seeing a lot of benefit to not just doing it all as root.

Nick.
Re: ViewVC
Eugene Yunak wrote:

> It fails to create a socket (_sock is None). This can be an indicator of
> you hitting fd limits.

Right on money!!! I changed sysctl kern.maxfiles=7030 to 17030 and now works like a champ. Any suggestion to what fd limits should be and do you suggest changing per-login/process limits as well?

Most Kind Regards,
Predrag

> On 2 Jul 2014 17:23, "Predrag Punosevac" wrote:
>
> > Stefan Sperling wrote:
> >
> > > On Tue, Jul 01, 2014 at 08:36:29PM -0400, Predrag Punosevac wrote:
> > > > I am trying to run ViewVC in the stand alone server mode on the new svn
> > > > server (OpenBSD 5.5 amd64). Since ViewVC is not in ports I downloaded
> > > > 1.1.22 package from CollabNet website. ViewVC keeps crashing when
> > > > while I browse my SVN repos. They are rather large. I am not using any
> > > > kind a proxy but rather forcing built in server to listen on the port
> > > > 80.
> > >
> > > IIRC viewvc uses Subversion's python bindings. Did you install them?
> > > pkg_add py-subversion
> >
> > Of course :) Built in stand alone server which comes with ViewVC runs
> > fine until I start browsing repositories aggressively. Then it crashes as
> > in
> >
> > # uname -a
> > OpenBSD svnhub.int.autonlab.org 5.5 GENERIC.MP#315 amd64
> > # /usr//local/bin/viewvc-1.1.22/bin/standalone.py -d -p 80 -h \
> > svnhub.int.autonlab.org
> >
> > server ready at http://svnhub.int.autonlab.org:80/viewvc
> > # 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc HTTP/1.1" 200 -
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc/*docroot*/styles.css HTTP/1.1" 200 -
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc/*docroot*/images/viewvc-logo.png HTTP/1.1" 200 -
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc/*docroot*/images/dir.png HTTP/1.1" 200 -
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] "GET /viewvc/*docroot*/images/favicon.ico HTTP/1.1" 200 -
> > 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> > 10.8.0.6 - - [02/Jul/2014 11:16:49] "GET /viewvc/cvs/ HTTP/1.1" 200 -
> > 10.8.0.6 - - [02/Jul/2014 11:16:49] ViewVC exited ok
> > 10.8.0.6 - - [02/Jul/2014 11:16:49] "GET /viewvc/*docroot*/images/up.png HTTP/1.1" 200 -
> > 10.8.0.6 - - [02/Jul/2014 11:16:49] ViewVC exited ok
> > 10.8.0.6 - - [02/Jul/2014 11:16:57] "GET /viewvc/cvs/trunk/ HTTP/1.1" 200 -
> > Traceback (most recent call last):
> >   File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 879, in
> >     main(sys.argv)
> >   File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 874, in main
> >     serve(options.host, options.port, ready)
> >   File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 421, in serve
> >     ViewVCHTTPServer(host, port, callback).serve_until_quit()
> >   File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 356, in serve_until_quit
> >     self.handle_request()
> >   File "/usr/local/lib/python2.7/SocketServer.py", line 280, in handle_request
> >     self._handle_request_noblock()
> >   File "/usr/local/lib/python2.7/SocketServer.py", line 297, in _handle_request_noblock
> >     self.handle_error(request, client_address)
> >   File "/usr/local/lib/python2.7/SocketServer.py", line 350, in handle_error
> >     print '-'*40
> >   File "/usr/local/lib/python2.7/socket.py", line 324, in write
> >     self.flush()
> >   File "/usr/local/lib/python2.7/socket.py", line 303, in flush
> >     self._sock.sendall(view[write_offset:write_offset+buffer_size])
> > AttributeError: 'NoneType' object has no attribute 'sendall'
> >
> > Any clues Stefan from the kernel hacker point of view?
> >
> > Most Kind Regards,
> > Predrag
> >
> > > > Does anyone have any experience running ViewVC on OpenBSD recently? I am
> > > > tempted to try to use Nginx as a proxy or install Apache 2 and use CGI
> > > > mode via ScriptAlias for ViewVC. The latter is running fine in out
> > > > current setup on Scientific Linux 6.2 which I am trying to migrate to
> > > > OpenBSD. Unfortunately moving to Trac (which would be my strong
> > > > preference) or WebSVN will probably cause ruffle feathers, a condition I
> > > > want to avoid.
> > > >
> > > > Predrag
> > >
> > > WebSVN is fairly broken with SVN 1.8. Don't bother. (Which reminds me
> > > I've been meaning to remove it but was still waiting for patches
> > > promised by someone, which never arrived).
Re: http://www.openbsd.org/anoncvs.html
On Wed, 02 Jul 2014 12:47:04 -0400, Nick Holland wrote:
> > Wouldn't it be better to tell the user to add the local non-root
> > user to the wsrc group and then just do it without root permissions?
> > (changing # into $ in the examples)
>
> why?

Because Miod told it? :p
http://marc.info/?l=openbsd-misc&m=140224659303522&w=2

It's been already discussed:
http://marc.info/?l=openbsd-misc&m=140235676510174&w=2

Cheers,
--
Vigdis
Why doesn't GCM HTTPS work with nginx?
Since these two are using GCM:

www.ssllabs.com: ECDHE-RSA-AES256-GCM-SHA384
www.google.com: ECDHE-RSA-AES128-GCM-SHA256

We wanted to make our webserver HTTPS connection more secure (don't look at the self-signed certificate, that doesn't count right now..)

We are using an OpenBSD 5.4 64bit, and the "openssl ciphers" command says that it supports the "ECDHE-RSA-AES256-GCM-SHA384" cipher. On client side there is Firefox 30 at least.

So here is how we setup the HTTPS server:

# generate self signed certificate
openssl genrsa -aes256 -out /etc/ssl/private/server.key 4096
openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
openssl x509 -sha512 -req -days 365 -in /etc/ssl/private/server.csr -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt

The config:

vi /etc/nginx/nginx.conf
...
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
...

But Firefox says (I translated it from my language..):

A connection to the www.foo.com is interrupted

and ssllabs ( https://www.ssllabs.com/ssltest/ ) says:

Assessment failed: Failed to communicate with the secure server

Question: How can we set GCM in nginx? Why couldn't a fresh Firefox connect via HTTPS to foo.com (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2)? It can connect to www.ssllabs.com via HTTPS (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2) so maybe it's not a client side problem..

[user@localhost ~] openssl s_client -connect www.foo.com:443
CONNECTED(0003)
depth=0 C = HU, CN = www.foo.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = HU, CN = www.foo.com
verify return:1
---
Certificate chain
 0 s:/C=HU/CN=www.foo.com
   i:/C=HU/CN=www.foo.com
---
Server certificate
-BEGIN CERTIFICATE-
here goes the cert..
-END CERTIFICATE-
subject=/C=HU/CN=www.foo.com
issuer=/C=HU/CN=www.foo.com
---
No client certificate CA names sent
---
SSL handshake has read 2137 bytes and written 389 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Re: What is the difference between these two SSHD configs?
Match Group GROUPNAME User !root

This does nothing. (but sshd restart doesn't tell it's syntactically incorrect!!!..., values should be delimited by "," comma.. a groupname will never have space in it..)

and:

Match Group GROUPNAME, User *,!root

This excludes the root if it's in the GROUPNAME group.

So they not just differ by "2 Bytes"

On Tue, Jul 1, 2014 at 6:30 PM, Edward M wrote:
> On 07/01/14 09:18, Ez Egy wrote:
>
>> #1
>>
>> Match Group GROUPNAME, User *,!root
>>
>> #2
>>
>> Match Group GROUPNAME User !root
>>
>> What is the difference between #1 and #2 in the SSHD_CONFIG?
>>
>> If someone could help me.. thanks in advance..
>>
>>
> May want to take a look at 'PATTERNS' section of 'ssh_config' manpage.
Re: Why doesn't GCM HTTPS work with nginx?
You could try using the cipher configuration recommended by Ivan Ristić / ssllabs.com, as described here:
http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html

Restart nginx and check what cipher is being offered. The highest cipher supported by both client and server should be negotiated.

You could also try compiling nginx with a newer version of OpenSSL as static libraries (or maybe upgrade and use LibreSSL?) and retry the above procedure.

And also, check the about:config page in Firefox, make sure the maximum supported TLS version is 1.2 by changing security.tls.version.max to value 3.

On Wed, Jul 2, 2014 at 7:52 PM, Ez Egy wrote:
>
> Since these two are using GCM:
>
> www.ssllabs.com: ECDHE-RSA-AES256-GCM-SHA384
> www.google.com: ECDHE-RSA-AES128-GCM-SHA256
>
> We wanted to make our webserver HTTPS connection more secure (don't look at
> the self-signed certificate, that doesn't count right now..)
>
> We are using an OpenBSD 5.4 64bit, and the "openssl ciphers" command says
> that it supports the "ECDHE-RSA-AES256-GCM-SHA384" cipher. On client side
> there is Firefox 30 at least.
>
> So here is how we setup the HTTPS server:
>
> # generate self signed certificate
> openssl genrsa -aes256 -out /etc/ssl/private/server.key 4096
> openssl req -new -key /etc/ssl/private/server.key -out
> /etc/ssl/private/server.csr
> openssl x509 -sha512 -req -days 365 -in /etc/ssl/private/server.csr
> -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
>
> The config:
>
> vi /etc/nginx/nginx.conf
> ...
> ssl_protocols TLSv1.2;
> ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
> ssl_prefer_server_ciphers on;
> ...
>
> But Firefox says (I translated it from my language..):
>
> A connection to the www.foo.com is interrupted
>
> and ssllabs ( https://www.ssllabs.com/ssltest/ ) says:
>
> Assessment failed: Failed to communicate with the secure server
>
> Question: How can we set GCM in nginx? Why couldn't a fresh Firefox connect
> via HTTPS to foo.com (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2)? It can connect
> to www.ssllabs.com via HTTPS (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2) so maybe
> it's not a client side problem..
>
> [user@localhost ~] openssl s_client -connect www.foo.com:443
> CONNECTED(0003)
> depth=0 C = HU, CN = www.foo.com
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = HU, CN = www.foo.com
> verify return:1
> ---
> Certificate chain
>  0 s:/C=HU/CN=www.foo.com
>    i:/C=HU/CN=www.foo.com
> ---
> Server certificate
> -BEGIN CERTIFICATE-
> here goes the cert..
> -END CERTIFICATE-
> subject=/C=HU/CN=www.foo.com
> issuer=/C=HU/CN=www.foo.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2137 bytes and written 389 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
Re: Why doesn't GCM HTTPS work with nginx?
On Thu, 3 Jul 2014, Ez Egy wrote:
> Since these two are using GCM:
>
> www.ssllabs.com: ECDHE-RSA-AES256-GCM-SHA384
> www.google.com: ECDHE-RSA-AES128-GCM-SHA256
>
> We wanted to make our webserver HTTPS connection more secure (don't look at
> the self-signed certificate, that doesn't count right now..)
>
> We are using an OpenBSD 5.4 64bit, and the "openssl ciphers" command says
> that it supports the "ECDHE-RSA-AES256-GCM-SHA384" cipher. On client side
> there is Firefox 30 at least.
>
> So here is how we setup the HTTPS server:
>
> # generate self signed certificate
> openssl genrsa -aes256 -out /etc/ssl/private/server.key 4096
> openssl req -new -key /etc/ssl/private/server.key -out
> /etc/ssl/private/server.csr
> openssl x509 -sha512 -req -days 365 -in /etc/ssl/private/server.csr
> -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
>
> The config:
>
> vi /etc/nginx/nginx.conf
> ...
> ssl_protocols TLSv1.2;
> ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
> ssl_prefer_server_ciphers on;
> ...
>
> But Firefox says (I translated it from my language..):
>
> A connection to the www.foo.com is interrupted
>
> and ssllabs ( https://www.ssllabs.com/ssltest/ ) says:
>
> Assessment failed: Failed to communicate with the secure server
>
> Question: How can we set GCM in nginx? Why couldn't a fresh Firefox connect
> via HTTPS to foo.com (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2)? It can connect
> to www.ssllabs.com via HTTPS (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2) so maybe
> it's not a client side problem..
>
> [user@localhost ~] openssl s_client -connect www.foo.com:443
> CONNECTED(0003)
> depth=0 C = HU, CN = www.foo.com
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = HU, CN = www.foo.com
> verify return:1
> ---
> Certificate chain
>  0 s:/C=HU/CN=www.foo.com
>    i:/C=HU/CN=www.foo.com
> ---
> Server certificate
> -BEGIN CERTIFICATE-
> here goes the cert..
> -END CERTIFICATE-
> subject=/C=HU/CN=www.foo.com
> issuer=/C=HU/CN=www.foo.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2137 bytes and written 389 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384

You've just proven that nginx is working with ECDHE-RSA-AES256-GCM-SHA384 (assuming that www.foo.com is actually your server).

> Server public key is 4096 bit

Compared to ssllabs:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit

I would suspect that your client (Firefox) issues are related to your server certificate/public key, rather than the cipher.

> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2

--
"Action without study is fatal. Study without action is futile."
-- Mary Ritter Beard
Re: Why doesn't GCM HTTPS work with nginx?
On Wed, Jul 2, 2014 at 11:46 AM, Joel Sing wrote:
> On Thu, 3 Jul 2014, Ez Egy wrote:
> > Since these two are using GCM:
> >
> > www.ssllabs.com: ECDHE-RSA-AES256-GCM-SHA384
> > www.google.com: ECDHE-RSA-AES128-GCM-SHA256
> >
> > We wanted to make our webserver HTTPS connection more secure (don't look at
> > the self-signed certificate, that doesn't count right now..)
> >
> > We are using an OpenBSD 5.4 64bit, and the "openssl ciphers" command says
> > that it supports the "ECDHE-RSA-AES256-GCM-SHA384" cipher. On client side
> > there is Firefox 30 at least.
>

Does firefox 30, which uses nss and *NOT* openssl, support that cipher suite? When I go to www.ssllabs.com in firefox, it only shows "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", and it's not listed in the about:config page in firefox. Do you see it in about:config in your firefox? Is it enabled there?

...
> > But Firefox says (I translated it from my language..):
> >
> > A connection to the www.foo.com is interrupted
>

Error message fail. Interrupted by *what*? There isn't a "more information" button or similar with more information about the (handshake?) failure?

Philip Guenther
Re: Why doesn't GCM HTTPS work with nginx?
On 2014-07-02, Ez Egy wrote:

> www.ssllabs.com: ECDHE-RSA-AES256-GCM-SHA384
> www.google.com: ECDHE-RSA-AES128-GCM-SHA256
>
> We wanted to make our webserver HTTPS connection more secure (don't look at
> the self-signed certificate, that doesn't count right now..)
>
> We are using an OpenBSD 5.4 64bit, and the "openssl ciphers" command says
> that it supports the "ECDHE-RSA-AES256-GCM-SHA384" cipher. On client side
> there is Firefox 30 at least.

Firefox doesn't support ECDHE-RSA-AES256-GCM-SHA384.
ECDHE-RSA-AES128-GCM-SHA256, yes.
ECDHE-RSA-AES256-GCM-SHA384, no.

> Question: How can we set GCM in nginx? Why couldn't a fresh Firefox connect
> via HTTPS to foo.com (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2)? It can connect
> to www.ssllabs.com via HTTPS (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2)

No, it doesn't. Not with that cipher suite.

--
Christian "naddy" Weisgerber na...@mips.inka.de
Intel Dual Band Wireless AC 7260 support on the horizon?
While I was shopping around for a new laptop to replace my aging Thinkpad SL500 I noticed that the Thinkpad's /etc/firmware directory had a file called iwn-7260, so when I couldn't get the Atheros AR9485 included in one recent laptop here to work (and seeing it is included in various other laptop models), I bought one Intel 7260 to play with.

However, the card comes up unconfigured:

pci2 at ppb1 bus 2 "Intel Dual Band Wireless AC 7260" rev 0x73 at pci2 dev 0 function 0 not configured

Have I stumbled onto a new variant, or have I made some silly mistake along the way?

dmesg and pcidump -v output follows (yes, I'm using a Netgear urtwn(4) USB dongle to post this), and fully prepared for cluebats:

- Peter
Re: What is the difference between these two SSHD configs?
On Wed, Jul 2, 2014 at 10:59 AM, Ez Egy wrote:
> Match Group GROUPNAME User !root
> This does nothing. (but sshd restart doesn't tell it's syntactically
> incorrect!!!..., values should be delimited by "," comma.. a groupname will
> never have space in it..)
>
> and:
>
> Match Group GROUPNAME, User *,!root
> This excludes the root if it's in the GROUPNAME group.
>

There are *two* differences between those lines:
1) the second has a comma after the group name
2) the second has a different pattern for the User condition

The first change HAS NO EFFECT. The change in behaviors is completely from the second change.

Unlike some other programs' pattern match expressions, in ssh and sshd, starting a pattern match with a negated term does *NOT* implicitly mean "start with everything matching and exclude the negated stuff". A pattern expression in ssh/sshd with only negated items will *NEVER* match.

Philip Guenther
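The pattern-list behaviour described in the reply above, as an added example that is not part of the original message and is not OpenSSH's own code: a simplified C model of the semantics, run against the two Match lines from the thread. The function names are hypothetical, and the model assumes each user belongs to exactly one group.

```c
#include <stdio.h>
#include <string.h>

/* Glob match: '*' matches any run of characters, '?' exactly one. */
static int glob_match(const char *s, const char *p)
{
    for (;;) {
        if (*p == '\0')
            return *s == '\0';
        if (*p == '*') {
            while (*p == '*')
                p++;
            if (*p == '\0')
                return 1;           /* trailing '*' matches the rest */
            for (; *s != '\0'; s++)
                if (glob_match(s, p))
                    return 1;
            return 0;
        }
        if (*s == '\0')
            return 0;
        if (*p != '?' && *p != *s)
            return 0;
        s++;
        p++;
    }
}

/*
 * Evaluate a comma-separated pattern list (hypothetical helper).
 * Returns  1 if a positive pattern matched and no negated one did,
 *         -1 if a negated pattern ("!pat") matched,
 *          0 if nothing matched at all.
 * A list holding only negated patterns can therefore never return 1.
 */
int pattern_list_match(const char *s, const char *list)
{
    char item[128];
    int got_positive = 0;
    const char *p = list;

    while (*p != '\0') {
        size_t n = strcspn(p, ",");
        const char *start = p;
        int negated = 0;

        p += n;
        if (*p == ',')
            p++;
        if (n == 0)
            continue;               /* empty item, e.g. a trailing comma */
        if (*start == '!') {
            negated = 1;
            start++;
            n--;
        }
        if (n >= sizeof(item))
            return 0;               /* over-long pattern: treat as no match */
        memcpy(item, start, n);
        item[n] = '\0';
        if (glob_match(s, item)) {
            if (negated)
                return -1;          /* a negated hit vetoes the whole list */
            got_positive = 1;
        }
    }
    return got_positive;
}

/* A Match block applies only if every criterion matched positively. */
int match_block_applies(const char *user, const char *group,
                        const char *group_list, const char *user_list)
{
    return pattern_list_match(group, group_list) == 1 &&
           pattern_list_match(user, user_list) == 1;
}

int main(void)
{
    const char *users[] = { "alice", "root" };   /* constructed sample users */
    size_t i;

    for (i = 0; i < sizeof(users) / sizeof(users[0]); i++) {
        printf("%-5s  Group GROUPNAME User !root     -> %s\n", users[i],
            match_block_applies(users[i], "GROUPNAME", "GROUPNAME", "!root")
                ? "applies" : "skipped");
        printf("%-5s  Group GROUPNAME, User *,!root  -> %s\n", users[i],
            match_block_applies(users[i], "GROUPNAME", "GROUPNAME,", "*,!root")
                ? "applies" : "skipped");
    }
    return 0;
}
```

The first line is skipped for every user, so any restrictions placed under it are silently not enforced; the second applies to every group member except root.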
Re: [Bulk] Re: openssh
previously on this list Mihai Popescu contributed:

> > because I need to scp some 90-100G of data from a VERY busy server over
> > internet on a regular basis and I don't
> > want scp eat any cpu at all, which in case of encryption is unavoidable).

If you have a fairly new OpenSSH at each end then I would investigate ed25519

--
___

'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
___
Re: iPhones and nginx/slowcgi on OpenBSD <=5.5
On 01-07-2014 20:06, Kristaps Dzonsons wrote:
> Folks,
>
> If anybody's running nginx with slowcgi(8) on or before OpenBSD 5.5
> release, be aware that there's a subtle error (fixed after 5.5) that
> silently discards HTTP headers with some referrers.
>
> Long story: I noticed that cookies POSTed by an iPhone client were
> lost before being passed to a slowcgi(8) script. Several other HTTP
> headers were also lost (Accept-Language, etc.). But they were passed
> through in GET calls (and in POST from other systems). Dumping the
> request via tcpdump(8), I saw that each of the lost headers occurred
> after a monster User-Agent string. In this case,
>
> User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X)
> AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a
> Safari/9537.53
>
> For the GET calls to the CGI via slowcgi(8), this was being invoked
> last, so there was no loss.
>
> I remembered seeing something in plus.html about the following:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/slowcgi/slowcgi.c?rev=1.30;content-type=text%2Fx-cvsweb-markup
>
> florian@ saves the day! The commit message only mentions
> QUERY_STRING, but as it turns out, it's also relevant to other
> headers. And in this case, causes silent loss. So if you're using
> slowcgi(8), you probably want to upgrade...
>
> Best,
>
> Kristaps
>

I've been using the port fcgi-cgi-static meanwhile and it's working ok. Can't afford to upgrade right now.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: Intel Dual Band Wireless AC 7260 support on the horizon?
On 02/07/14 2:59 PM, Peter N. M. Hansteen wrote:
> While I was shopping around for a new laptop to replace my aging Thinkpad SL500 I noticed that the Thinkpad's /etc/firmware directory had a file called iwn-7260, so when I couldn't get the Atheros AR9485 included in one recent laptop here to work (and seeing it is included in various other laptop models), I bought one Intel 7260 to play with.
>
> However, the card comes up unconfigured:
>
> pci2 at ppb1 bus 2 "Intel Dual Band Wireless AC 7260" rev 0x73 at pci2 dev 0 function 0 not configured
>
> Have I stumbled onto a new variant, or have I made some silly mistake along the way?

The firmware was added so it is already included in the package when and if someone adds the relevant code to iwn(4) to support the 7260 / 3160 controllers but to date the driver does not support these controllers.
Re: [Patch] Possible typo in stdio(3) manpage
On Wed, Jul 02, 2014 at 11:47:31AM +0800, Edward wrote: > Hi, > > Caught in a slight confusion about the wordings describing stdio(3) scenario > needing fflush(3). The diff shows my understanding, but please do reply if it > is otherwise. > > # cvs diff > cvs server: Diffing . > Index: stdio.3 > === > RCS file: /cvs/src/lib/libc/stdio/stdio.3,v > retrieving revision 1.30 > diff -u -p -r1.30 stdio.3 > --- stdio.3 25 Mar 2014 15:23:27 - 1.30 > +++ stdio.3 2 Jul 2014 03:00:36 - > @@ -148,7 +148,7 @@ In these cases, > or when a large amount of computation is done after printing > part of a line on an output terminal, it is necessary to > .Xr fflush 3 > -the standard output before going off and computing so that the output > +the standard output before continuing computation so that the output > will appear. > Alternatively, these defaults may be modified via the > .Xr setvbuf 3 > > Regards, > Edward. > i think the phrase "going off and computing" means use fflush before your code goes elsewhere, to do other things. whatever it means, the wording is kind of tragic, i agree. your diff seeks to tweak bad wording, whereas i prefer to kill it. i'll commit the diff below in the morning (relatively speaking, of course) unless my maibox gets jammed with outrage. jmc Index: stdio.3 === RCS file: /cvs/src/lib/libc/stdio/stdio.3,v retrieving revision 1.30 diff -u -r1.30 stdio.3 --- stdio.3 25 Mar 2014 15:23:27 - 1.30 +++ stdio.3 2 Jul 2014 22:11:10 - @@ -148,8 +148,7 @@ or when a large amount of computation is done after printing part of a line on an output terminal, it is necessary to .Xr fflush 3 -the standard output before going off and computing so that the output -will appear. +the standard output so that the output will appear. Alternatively, these defaults may be modified via the .Xr setvbuf 3 function.
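Review bot: in the second diff, the replacement line "+the standard output so that the output will appear." removes "before going off and computing" and with it the only statement of when the flush has to happen, while "will appear" on its own is ambiguous because buffered output does eventually appear at the next automatic flush. Consider stating the timing, for example "so that the output will appear immediately", so the sentence still tells the reader that the point of calling fflush(3) here is to get the partial line onto the terminal before the long computation starts.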
Firefox Pkg Spellchecker
I've googled around looking for why Firefox 26, installed from the Openbsd package underlines every word as misspelled. All I can find is older references to windows/linux installations where they did not have a dictionary installed, had not enabled spellcheck, or had not selected the dictionary. Checked all those things, still no fix. I can see the dictionary in the installation directory, I can (and have) installed at least one more dictionary via Firefox add-ins. Still no joy in getting ONLY the misspelled words underlined. I've added words to my user dictionary (that works). Is this a known problem, and is there a fix? OpenBSD 5.5 i386. XFCE4. -- Jason S. Adams
Re: Firefox Pkg Spellchecker
> I've googled around looking for why Firefox 26, installed from the Openbsd > package underlines > every word as misspelled. I have this issue as well on 5.5-stable on amd64. --Adam
DVD & how to overcome mkisofs
Hi, all.

I try to copy DVD.
but in OpenBSD, mkisofs doesn't exist.

my procedure is next
I use dvd-rw.

1) format
dvd+rw-format -force /dev/rcd0c

2) ripping
dvdbackup -M -n test -i /dev/rcd0c -o /home/DVD/

3) in Linux
mkisofs -udf -dvd-video -o /ISO/test.iso /home/DVD/test

4) burn
growisofs -dvd-compat -speed=16 -Z /dev/rcd0c /ISO/test.iso

5) finalizing (is necessary? i don't understand)
growisofs -dvd-compat -M /dev/rcd0c=/dev/zero

About step 3), is there Alternative means in OpenBSD?
And step 5) is necessary or not?

---
tuyosi
Re: [Patch] Possible typo in stdio(3) manpage
On Wed, Jul 02, 2014 at 11:14:50PM +0059, Jason McIntyre wrote: > i think the phrase "going off and computing" means use fflush before > your code goes elsewhere, to do other things. whatever it means, the > wording is kind of tragic, i agree. > > your diff seeks to tweak bad wording, whereas i prefer to kill it. i'll > commit the diff below in the morning (relatively speaking, of course) > unless my maibox gets jammed with outrage. > > jmc > > Index: stdio.3 > === > RCS file: /cvs/src/lib/libc/stdio/stdio.3,v > retrieving revision 1.30 > diff -u -r1.30 stdio.3 > --- stdio.3 25 Mar 2014 15:23:27 - 1.30 > +++ stdio.3 2 Jul 2014 22:11:10 - > @@ -148,8 +148,7 @@ > or when a large amount of computation is done after printing > part of a line on an output terminal, it is necessary to > .Xr fflush 3 > -the standard output before going off and computing so that the output > -will appear. > +the standard output so that the output will appear. > Alternatively, these defaults may be modified via the > .Xr setvbuf 3 > function. > Hi Jason, Thanks for fix and clarification. Regards, Edward.
Re: DVD & how to overcome mkisofs
Use mkhybrid ??

Tuyosi Takesima [nakajin.fu...@gmail.com] wrote:
> Hi, all.
>
> I try to copy DVD.
> but in OpenBSD, mkisofs doesn't exist.
>
> my procedure is next
> I use dvd-rw.
>
> 1) format
> dvd+rw-format -force /dev/rcd0c
>
> 2) ripping
> dvdbackup -M -n test -i /dev/rcd0c -o /home/DVD/
>
> 3) in Linux
> mkisofs -udf -dvd-video -o /ISO/test.iso /home/DVD/test
>
> 4) burn
> growisofs -dvd-compat -speed=16 -Z /dev/rcd0c /ISO/test.iso
>
> 5) finalizing (is necessary? i don't understand)
> growisofs -dvd-compat -M /dev/rcd0c=/dev/zero
>
> About step 3), is there Alternative means in OpenBSD?
> And step 5) is necessary or not?
>
> ---
> tuyosi

--
"If you see fraud and don't shout fraud, you are a fraud" -- Nassim Taleb
Re: Firefox Pkg Spellchecker
On 07/03/14 11:24, Adam Suhl wrote:
>> I've googled around looking for why Firefox 26, installed from the Openbsd package underlines
>> every word as misspelled.
>
> I have this issue as well on 5.5-stable on amd64.
>
> --Adam

http://marc.info/?l=openbsd-ports&m=140341756711398&w=2

Not sure how to fix in 5.5, but it's been working for a while in current.
Re: DVD & how to overcome mkisofs
On Thu, Jul 03, 2014 at 08:54:35AM +0900, Tuyosi Takesima wrote:
> Hi, all.
>
> I try to copy DVD.
> but in OpenBSD, mkisofs doesn't exist.

Yes, it does. But not in the base. Instead, it's available as a 3rd party package/port.

You may find databases/pkglocatedb helpful. In this example, the versions of these packages are for -current.

$ sudo pkg_add pkglocatedb
Ambiguous: choose package for pkglocatedb
a 0:
  1: pkglocatedb-0.6p1
  2: pkglocatedb-0.6p1-src
Your choice: 1
pkglocatedb-0.6p1: ok
$ pkg_info -L pkglocatedb
Information for inst:pkglocatedb-0.6p1

Files:
/usr/local/bin/pkg_locate
/usr/local/bin/pkglocate
/usr/local/man/man1/pkg_locate.1
/usr/local/share/pkglocatedb

$ pkg_locate /usr/local/bin/mkisofs
cdrtools-3.00p0:sysutils/cdrtools:/usr/local/bin/mkisofs

And there we have located the package that contains mkisofs. :)
Re: DVD & how to overcome mkisofs
thanks for reply.

sorry, mkhybrid doesn't have ' -udf -dvd-video ' suffix.
I guess mkhybrid cannot deal udf file system.

---
tuyosi
Re: [Patch] Possible typo in stdio(3) manpage
On Wed, Jul 2, 2014 at 3:15 PM, Jason McIntyre wrote: > i think the phrase "going off and computing" means use fflush before > your code goes elsewhere, to do other things. whatever it means, the > wording is kind of tragic, i agree. > > your diff seeks to tweak bad wording, whereas i prefer to kill it. i'll > commit the diff below in the morning (relatively speaking, of course) > unless my maibox gets jammed with outrage. > ... > @@ -148,8 +148,7 @@ > or when a large amount of computation is done after printing > part of a line on an output terminal, it is necessary to > .Xr fflush 3 > -the standard output before going off and computing so that the output > -will appear. > +the standard output so that the output will appear. > "...will appear without delay"? "...will appear immediately instead of at the next automatic flush"? Philip
Re: DVD & how to overcome mkisofs
Thanks Josh' s advice , i try it after two days . In debian , no mkisofs , instead genisoimage . Times are changing .
OT: Suggestion for hard wire network care AND wireless supported in OpenBSD
Sorry for the off topic question, but I am looking and researching a PCI network card that would have both the cat5 jack and wireless capability to be used as host into an OpenBSD server to provide access point and the hard wire part to be used as an additional network card. I only have one pci slot free and need to add a third hard wire and want to provide wireless as well from that router.

It appears not as easy as I thought to find.

Anyone know of one that works? Any suggestion as long as it is supported I don't care.

Answer off list is fine as well.

Thanks for your time if you know of one.

Daniel
Re: DVD & how to overcome mkisofs
On Thu, Jul 03, 2014 at 11:14:40AM +0900, Tuyosi Takesima wrote:
> Thanks Josh's advice, I try it after two days.
> In Debian, no mkisofs, instead genisoimage.
> Times are changing.

$ pkg_locate genisoimage
zsh-5.0.5p0:shells/zsh:/usr/local/share/zsh/5.0.5/functions/_genisoimage
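The two pkg_locate results quoted in this thread show that a bare name also matches unrelated files such as a zsh completion function. The filter below is an added example, not part of the original messages: it keeps only lines whose file is an executable with exactly the requested name. The function names `providers` and `sample_output` are hypothetical, and the sample input is constructed from the two result lines shown in the thread.

```shell
# Constructed sample: the two pkg_locate result lines quoted in this thread.
sample_output() {
    cat <<'EOF'
cdrtools-3.00p0:sysutils/cdrtools:/usr/local/bin/mkisofs
zsh-5.0.5p0:shells/zsh:/usr/local/share/zsh/5.0.5/functions/_genisoimage
EOF
}

# providers CMD (hypothetical helper): read pkg_locate-style lines
# (package:port-path:file) on stdin and print "package port-path file"
# only where the file is named exactly CMD and sits in a bin or sbin directory.
providers() {
    awk -F: -v cmd="$1" '
        NF >= 3 {
            # Rejoin the file path in case it contains ":" itself.
            path = $3
            for (i = 4; i <= NF; i++) path = path ":" $i
            n = split(path, parts, "/")
            dir = parts[n - 1]
            if (parts[n] == cmd && (dir == "bin" || dir == "sbin"))
                print $1, $2, path
        }'
}

# Stand-alone run on the constructed sample.
sample_output | providers mkisofs
sample_output | providers genisoimage   # prints nothing: only the zsh helper matched
```

On a system with pkglocatedb installed, the same filter reads real results: `pkg_locate mkisofs | providers mkisofs`.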
Re: crowding out bsd using systemd?
> I intend to produce the four systemd utilities as outlined on the OpenBSD Foundation's web page, ...

This seems unclear to me what you are referring to http://www.openbsdfoundation.org/ does not contain, as far as I could see, any software specs/ideas. And, though this sounds quite pretty, are you intending to follow the unix philosophy?

ian, Will the software that you speak of be portable to Linux or is it BSD only? I've contacted gentoo and they mentioned http://skarnet.org/software/s6/ as an interesting project to help replace systemd. What do you guys think? I'm going to try to port to opensuse.
Re: crowding out bsd using systemd?
> referring to http://www.openbsdfoundation.org/ does not contain, as far as

http://www.openbsdfoundation.org/gsoc2014.html

> software that you speak of be portable to Linux or is it BSD only? I've

i am planning (post-GSOC) on writing an archlinux PKGBUILD and eventually a debian package.
Re: OT: Suggestion for hard wire network care AND wireless supported in OpenBSD
Not aware of such a card, but how about a usb wifi adaptor? Cheap, and slower, but then it's wifi, so it's not that fast anyway. There are also USB cat5 jacks.

On Wed, Jul 2, 2014 at 6:25 PM, Daniel Ouellet wrote:
> Sorry for the off topic question, but I am looking and researching a PCI
> network card that would have both the cat5 jack and wireless capability
> to be used as host into an OpenBSD server to provide access point and the
> hard wire part to be used as an additional network card. I only have one
> pci slot free and need to add a third hard wire and want to provide
> wireless as well from that router.
>
> It appears not as easy as I thought to find.
>
> Anyone know of one that works? Any suggestion as long as it is supported
> I don't care.
>
> Answer off list is fine as well.
>
> Thanks for your time if you know of one.
>
> Daniel
>
>

--
Jason S. Adams
Re: crowding out bsd using systemd?
> referring to http://www.openbsdfoundation.org/ does not contain, as far as
> http://www.openbsdfoundation.org/gsoc2014.html

Umm, there are at least 24 links on that page to various projects that need done, to which are you referring?
Re: crowding out bsd using systemd?
> Umm, there are at least
> 24 links on that page to various projects that need done, to which are

if you don't have the time to look through a list of a couple dozen items for the subject of what you have been criticizing, then i don't have the time to reply to your petty, innocuous emails.

i don't know what to tell you: i regularly publish snapshots which compile with strict compiler settings of my project. i pull a single library (GLib) and have written everything in straight C. i'm valgrinding the shit out of this bitch before i tag a release candidate and will check, line by line, every GLib function i call to guarantee i'm free()'ing everything i'm supposed to and that there are none of the common over/underflow you'd see in a lazy individual's code. i'm integrating checksums to guarantee each daemon is afforded the bare-minimum security policies it can operate under. i host all of this on my domain from money out of my college-student pockets.

would you like to see what i sent to my mentors when requesting this project? it's got UNIX and blind sincerity out the wing-wang. i'm fervently passionate about staying the hell away from systemd and making its existence a non-issue for luckier operating systems.

that's what this whole project is about; if you actually care about the direction it's taking, please feel free to read my code and mail me with whatever issues/bugs you can find -- i'll happily review and patch them in.

ian
Re: [Patch] Possible typo in stdio(3) manpage
On Wed, Jul 02, 2014 at 07:10:06PM -0700, Philip Guenther wrote: > On Wed, Jul 2, 2014 at 3:15 PM, Jason McIntyre wrote: > > > i think the phrase "going off and computing" means use fflush before > > your code goes elsewhere, to do other things. whatever it means, the > > wording is kind of tragic, i agree. > > > > your diff seeks to tweak bad wording, whereas i prefer to kill it. i'll > > commit the diff below in the morning (relatively speaking, of course) > > unless my maibox gets jammed with outrage. > > > ... > > > @@ -148,8 +148,7 @@ > > or when a large amount of computation is done after printing > > part of a line on an output terminal, it is necessary to > > .Xr fflush 3 > > -the standard output before going off and computing so that the output > > -will appear. > > +the standard output so that the output will appear. > > > > "...will appear without delay"? "...will appear immediately instead of at > the next automatic flush"? > > > Philip > thanks, i settled on tim's "immediately" suggestion to keep it brief. jmc