Re: Missing security announcements
2008/11/13 Theo de Raadt [EMAIL PROTECTED]: I think that would work better. I am not here saying this because I have answers. I don't. I think that people running old software quite frankly cannot rely on a mailing list run by people who don't run -stable. So how can any of you hope we will solve your problems? Why do you maintain stable by issuing security patches for it if you don't care if anybody installs them (by not telling them about the patches through one of the designated channels)? Don't you want people installing them? Is it so hard to write a mail to the list once every few months? The content is already there... Frankly: We have this discussion about once a year. Please either remove the list and spare us the discussions (and write a short notice on the page why you don't have the list) or use it. Either way will probably spare you more work than the status quo. Finally: If you don't bother about changing the status quo, may I (or someone else) use the list to send out mails about the erratas? Best Martin
cvs, cvsup and xenocara advice
Let me first say that I looked over all the man pages, the official faqs and I searched over the archived mailing lists before sending out these questions ... and I'm still a little confused. So: 1. What are the main differences between cvs and cvsup when updating sources to stable? 2. I'm just the typical home user of obsd, so which should I use, cvs or cvsup? 3. As of Nov 13th of 2008 why do only 4 of the 17 cvsup servers have the xenocara repository? ( according to this list: http://www.openbsd.org/cvsup.html ) Any advice or words of wisdom pertaining to the above questions would be greatly appreciated. Thanks in advance, Ansen
Re: Can't SSH into CARP'd system from the outside
On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote: i don't think I understand. Clarify. you mean carpdev is like your physical interface..eth0, re0, etc.?

say you have a carp configured like:

    carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:5e:00:01:04
            carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 0
            groups: carp
            inet 1.2.3.4 netmask 0xff000000 broadcast 1.255.255.255

As you can see, carp0 is using em0 as its carpdev. A pf rule to pass ssh to the carp address would be:

    pass in on em0 inet proto tcp to (carp0) port 22

and NOT:

    pass in on carp0 inet proto tcp to (carp0) port 22

HTH, Marco
Re: cvs, cvsup and xenocara advice
On 2008-11-13, Ansen Lloyd [EMAIL PROTECTED] wrote: Let me first say that I looked over all the man pages, the official faqs and I searched over the archived mailing lists before sending out these questions ... and I'm still a little confused. So: 1. What are the main differences between cvs and cvsup when updating sources to stable? using cvs you can view the commit log, diffs between random versions, etc. all while working from a remote repository with just the source tree on your machine. you can also do these operations if you use CVSup, but you have to mirror the whole repository, not just take a single working checkout. 2. I'm just the typical home user of obsd, so which should I use, cvs or cvsup? probably cvs, very easy setup, it's all in base and the instructions (anoncvs.html) are straightforward. if you need a local mirror of the full repository, cvsync is another option, it's fairly straightforward. I prefer this over CVSup. there are one or two mirrors which also make the repository available by rsync but this is uncommon. (quite possibly due to the enormous memory load of serving a large tree via rsync to pre-v3 clients). 3. As of Nov 13th of 2008 why do only 4 of the 17 cvsup servers have the xenocara repository? ( according to this list: http://www.openbsd.org/cvsup.html ) the list is probably out-of-date, it's difficult to check CVSup mirrors (partly because it's i386-only, partly because there's no easy way to list the files on the server as there is with most other protocols). diffs to update it are very welcome :-)
Re: cvs, cvsup and xenocara advice
On 01:28:57 Nov 13, Ansen Lloyd wrote: 1. What are the main differences between cvs and cvsup when updating sources to stable? cvs is the revision control technology. You can use cvs to check out the main OpenBSD repository to your local machine by which you only get the files pertaining to the revision you ask. Whereas cvsup and cvsync are tools that fetch the entire cvs repository to your local machine. So you have to necessarily run a cvs checkout on your local repository to obtain the sources. 2. I'm just the typical home user of obsd, so which should I use, cvs or cvsup? I use cvsync. cvsup is not written in C. ;) You can use cvs if you have copious bandwidth. If you are like me you have to either use cvsup or cvsync. 3. As of Nov 13th of 2008 why do only 4 of the 17 cvsup servers have the xenocara repository? ( according to this list: http://www.openbsd.org/cvsup.html ) Some mirrors may be out of date. -Girish
Re: Missing security announcements
I too have of course subscribed myself to the list, and i think since it's there, it should work and be updated regularly. If we don't need such a list, then let's delete it. But since it's there, and people are subscribing to it in hope to get a quick mail notifying them of new patches or other security issues, someone should take the task to send a mail via it once something arrives on the errata page. Martin Schröder wrote: 2008/11/13 Theo de Raadt [EMAIL PROTECTED]: I think that would work better. I am not here saying this because I have answers. I don't. I think that people running old software quite frankly cannot rely on a mailing list run by people who don't run -stable. So how can any of you hope we will solve your problems? Why do you maintain stable by issuing security patches for it if you don't care if anybody installs them (by not telling them about the patches through one of the designated channels)? Don't you want people installing them? Is it so hard to write a mail to the list once every few months? The content is already there... Frankly: We have this discussion about once a year. Please either remove the list and spare us the discussions (and write a short notice on the page why you don't have the list) or use it. Either way will probably spare you more work than the status quo. Finally: If you don't bother about changing the status quo, may I (or someone else) use the list to send out mails about the erratas? Best Martin
Re: IPSec to Checkpoint
On Wed, Nov 12, 2008 at 07:13:05PM +0100, Hans-Joerg Hoexer wrote: Support for specifying aes key sizes was added February 2008, thus 4.2 does not provide this. Ah, thought so. Well, I got it working by reverting back to using the old isakmpd.conf method. Thanks for your time. -- joe. Fishing doesn't count as a sport.
Re: Missing security announcements
additionally, i care very much about those patches, and apply each and every one where needed every time. Martin Schröder wrote: 2008/11/13 Theo de Raadt [EMAIL PROTECTED]: I think that would work better. I am not here saying this because I have answers. I don't. I think that people running old software quite frankly cannot rely on a mailing list run by people who don't run -stable. So how can any of you hope we will solve your problems? Why do you maintain stable by issuing security patches for it if you don't care if anybody installs them (by not telling them about the patches through one of the designated channels)? Don't you want people installing them? Is it so hard to write a mail to the list once every few months? The content is already there... Frankly: We have this discussion about once a year. Please either remove the list and spare us the discussions (and write a short notice on the page why you don't have the list) or use it. Either way will probably spare you more work than the status quo. Finally: If you don't bother about changing the status quo, may I (or someone else) use the list to send out mails about the erratas? Best Martin
Re: HP DL180 hangs on boot
Status: As a last resort I tried installing Windows XP pro, but it BSOD on me while probing the hw... Not sure if XP pro is a certified OS for the DL180 but it certainly seems bad. Browsing some HP forums, it seems I'm certainly not the only person having issues with the HP DL180's. Seems like allover crappy and unreliable HW to me. I'll start bugging the retailer now. Thanks for all suggestions, on-list and off-list. /Alexander Alexander Hall wrote: Hi! I have issues booting a HP ProLiant DL180 G5 (456830-421) [1] which I hope someone can shed some light on. [ While writing this email I've done some more testing and realized that the behaviour is not really consistent, but what I describe below is a typical case ] 1. The machine takes loong pauses (usually two; sometimes more) while loading the kernel. - The first long pause is after entry point at ... line, and is about 90s. [noticed now that pressing any key on the keyboard makes it go on... interrupt issues?] - Second pause is after pckbd0 at isa0... and lasts approximately 3 to 5 minutes. Dunno if it means anything, but somewhere in between the pauses described first above, the machine beeps once. I get similar beeps when adding or removing a USB stick, so it might be related to usb. 2. Sometimes the machine shuts down and restarts slightly after the kernel is loaded (might have time to show the (I)nstall... prompt). I don't have serial console for now so I cannot tell exactly. A few times I have seen the capital letter F being printed out (gray on blue) prior to the reboot. disabling isa and pci seems to make it not hang but makes it rather unusable... :-d If the machine gets past loading and initializing the kernel without rebooting, it seems fine but all I've done so far is installing 4.4. The HP product id is 456830-421 with 1G RAM replaced by 4G (2+2) and a 250GB SATA drive. The machine has no proper raid AFAICT (ie no E200 or P400) but some (likely crappy) built-in semi-raid.
Reinserting the original memory stick did not improve anything, nor did removing the harddrive. The diagnostics test showed no errors, but i'm running it now over the weekend. I'm going to try a firmware upgrade too. Any clues are appreciated. dmesg from after the successful install (bsd.rd) follows. Thanks, Alexander [1] http://h10010.www1.hp.com/wwpc/uk/en/sm/WF06b/15351-15351-3328412-3328421-3328421-3580698-3673202.html
Re: How to research the cause of a warning message?
Hi, On Sun, 02.11.2008 at 15:28:06 +0100, Johannes Krampf [EMAIL PROTECTED] wrote: My problem: Every couple of seconds, I get 5 messages WARN: not buffer in the console, even when using an editor or viewing man pages. 0brad0 told me That WARN .. not buffer message appears to be coming from the ACPI stack. How can I research this and help to find the reason of the messages? in such cases where I have no idea about where a message comes from, I tend to take a big 'grep' run through all the source, using variations of the error message (ie, slices that I suspect to appear somewhere in the code). Kind regards, --Toni++
Re: Virtual Consoles in OpenBSD/macppc
From: Pedro de Oliveira [EMAIL PROTECTED] Hi, Anyone here using OpenBSD/macppc knows if it's possible to enable more than one virtual console? I can't seem to find any info about that in the FAQ. http://www.openbsd.org/faq/faq7.html It's not supported. Use 'screen' from packages instead. PK
usb hsdpa modem not working
hi list, i have a t-mobile usb web'n'walk stuff for testing. i attached it to a 4.4 GENERIC and realized that first it attaches umsm0 and then immediately detaches it. then umsm0 and umsm1 attached along with ucom0 and ucom1. i can open the /dev/ttyU[01] but they don't respond to any AT commands. from umsm(4) man page: The Option GlobeTrotter HSDPA modem has three serial ports, but only the last port can be used to make PPP connections. i guess i am missing the third serial port (maybe related to the first attach/detach?) to be able to open the ppp connection. any idea? bdz
Re: cvs, cvsup and xenocara advice
Girish Venkatachalam [EMAIL PROTECTED] wrote: cvs is the revision control technology. You can use cvs to check out the main OpenBSD repository to your local machine by which you only get the files pertaining to the revision you ask. Whereas cvsup and cvsync are tools that fetch the entire cvs repository to your local machine. Actually, cvsup can fetch both the repository or check out a particular branch/date. I use cvsync. cvsup is not written in C. ;) The csup client for CVSup _is_ written in C and only supports checkout mode (so far). That said, I expect CVSup to slowly wither away. -- Christian naddy Weisgerber [EMAIL PROTECTED]
Re: cvs, cvsup and xenocara advice
cvsup is not written in C. ;) net/csup is a cvsup client written in C. 2008/11/13, Girish Venkatachalam [EMAIL PROTECTED]: On 01:28:57 Nov 13, Ansen Lloyd wrote: 1. What are the main differences between cvs and cvsup when updating sources to stable? cvs is the revision control technology. You can use cvs to check out the main OpenBSD repository to your local machine by which you only get the files pertaining to the revision you ask. Whereas cvsup and cvsync are tools that fetch the entire cvs repository to your local machine. So you have to necessarily run a cvs checkout on your local repository to obtain the sources. 2. I'm just the typical home user of obsd, so which should I use, cvs or cvsup? I use cvsync. cvsup is not written in C. ;) You can use cvs if you have copious bandwidth. If you are like me you have to either use cvsup or cvsync. 3. As of Nov 13th of 2008 why do only 4 of the 17 cvsup servers have the xenocara repository? ( according to this list: http://www.openbsd.org/cvsup.html ) Some mirrors may be out of date. -Girish
Re: Virtual Consoles in OpenBSD/macppc
'tmux' (misc/tmux) is a nice alternative to 'screen'. Well worth trying out. Andreas 2008/11/13 Peter Kay - Syllopsium [EMAIL PROTECTED]: From: Pedro de Oliveira [EMAIL PROTECTED] Hi, Anyone here using OpenBSD/macppc knows if it's possible to enable more than one virtual console? I can't seem to find any info about that in the FAQ. http://www.openbsd.org/faq/faq7.html It's not supported. Use 'screen' from packages instead. PK -- Andreas Kahari Somewhere in the general Cambridge area, UK
Re: Virtual Consoles in OpenBSD/macppc
macppc console sucks, it is slower than dog poo. Besides this has been asked, oh maybe 329849384293473284784728347328 times by now? On Thu, Nov 13, 2008 at 12:57:58PM -0000, Pedro de Oliveira wrote: Is it possible to implement it, is it something that may be available in the future? Or is it really impossible to have multiple consoles? From what i understand, the console in macppc just works in Framebuffer, is FB limited to just one console, it just doesn't support yet multiple? -----Original Message----- From: Peter Kay - Syllopsium [mailto:[EMAIL PROTECTED] Sent: Thursday, November 13, 2008 12:44 To: Pedro de Oliveira; misc@openbsd.org Subject: Re: Virtual Consoles in OpenBSD/macppc From: Pedro de Oliveira [EMAIL PROTECTED] Hi, Anyone here using OpenBSD/macppc knows if it's possible to enable more than one virtual console? I can't seem to find any info about that in the FAQ. http://www.openbsd.org/faq/faq7.html It's not supported. Use 'screen' from packages instead. PK
Re: Missing security announcements
On Thu, Nov 13, 2008 at 5:59 AM, David Schulz [EMAIL PROTECTED] wrote: I too have of course subscribed myself to the list, and i think since it's there, it should work and be updated regularly. If we don't need such a list, then let's delete it. But since it's there, and people are subscribing to it in hope to get a quick mail notifying them of new patches or other security issues, someone should take the task to send a mail via it once something arrives on the errata page. So get on the developer's case when they don't send out notifications. All this chatter now isn't going to change anything when the next errata comes out. You want security announcement? Do something to make it happen!
Virtual Consoles in OpenBSD/macppc
Hi, Anyone here using OpenBSD/macppc knows if it's possible to enable more than one virtual console? I can't seem to find any info about that in the FAQ. Thanks in advance, Pedro de Oliveira
Re: cvs, cvsup and xenocara advice
On Thu, Nov 13, 2008 at 01:28:57AM -0800, Ansen Lloyd wrote: Let me first say that I looked over all the man pages, the official faqs and I searched over the archived mailing lists before sending out these questions ... and I'm still a little confused. So: 1. What are the main differences between cvs and cvsup when updating sources to stable? opencvs and gnu cvs are in base 2. I'm just the typical home user of obsd, so which should I use, cvs or cvsup? opencvs 3. As of Nov 13th of 2008 why do only 4 of the 17 cvsup servers have the xenocara repository? ( according to this list: http://www.openbsd.org/cvsup.html ) for 4.4-stable: cvs -qd [EMAIL PROTECTED]:/cvs get -rOPENBSD_4_4 xenocara m
Re: Virtual Consoles in OpenBSD/macppc
Is it possible to implement it, is it something that may be available in the future? Or is it really impossible to have multiple consoles? From what i understand, the console in macppc just works in Framebuffer, is FB limited to just one console, it just doesn't support yet multiple? -----Original Message----- From: Peter Kay - Syllopsium [mailto:[EMAIL PROTECTED] Sent: Thursday, November 13, 2008 12:44 To: Pedro de Oliveira; misc@openbsd.org Subject: Re: Virtual Consoles in OpenBSD/macppc From: Pedro de Oliveira [EMAIL PROTECTED] Hi, Anyone here using OpenBSD/macppc knows if it's possible to enable more than one virtual console? I can't seem to find any info about that in the FAQ. http://www.openbsd.org/faq/faq7.html It's not supported. Use 'screen' from packages instead. PK
Re: Missing security announcements
Ted, everybody knows that's not going to happen. Why not scrap the security announcement list if it's not being used or just whenever someone feels like it? The mere existence of this list implies to users that new errata are being announced to that list which is not the case. Get rid of the list and the problem is solved. The website is updated with new errata. Everybody should be able to follow the CVS. The list is flawed and obsolete. Just my 2 cents, as I remember having asked the same question YEARS AGO and nothing has changed since then. cheers, Tobias On Thu, Nov 13, 2008 at 2:55 PM, Ted Unangst [EMAIL PROTECTED] wrote: So get on the developer's case when they don't send out notifications. All this chatter now isn't going to change anything when the next errata comes out. You want security announcement? Do something to make it happen!
Re: Experiences running named and rndc on 4.4 vs 4.3
-- Best Regards My Chaos: https://n23.appspot.com

vi /etc/rc:

    ...
    if [ X"${named_flags}" != X"NO" ]; then
        # regenerate the shared secret when the two copies differ
        if ! cmp -s /etc/rndc.key /var/named/etc/rndc.key ; then
            echo -n "rndc-confgen: generating new shared secret... "
            if /usr/sbin/rndc-confgen -a -t /var/named >/dev/null 2>&1; then
                chmod 0640 /var/named/etc/rndc.key >/dev/null 2>&1
                echo done.
            else
                echo failed.
            fi
        fi
        echo 'starting named'; named $named_flags
    fi
    ...

On Thu, Nov 13, 2008 at 14:08, 23号 [EMAIL PROTECTED] wrote:

vi /etc/rc:

    ..
    if [ X"${named_flags}" != X"NO" ]; then
        # regenerate the shared secret when the two copies differ
        if ! cmp -s /etc/rndc.key /var/named/etc/rndc.key ; then
            echo -n "rndc-confgen: generating new shared secret... "
            if /usr/sbin/rndc-confgen -a -t /var/named >/dev/null 2>&1; then
                chmod 0640 /var/named/etc/rndc.key >/dev/null 2>&1
                echo done.
            else
                echo failed.
            fi
        fi
        echo 'starting named'; named $named_flags
    fi
    ...

-- Best Regards My Chaos: https://n23.appspot.com

On Wed, Nov 12, 2008 at 14:17, Woodchuck [EMAIL PROTECTED] wrote: On Tue, 11 Nov 2008, Don Jackson wrote:

Today I began testing named on a freshly installed OpenBSD 4.4 amd64 machine, using my old named.conf file from 4.3 (which was still running named version 9.4.2) When the machine first boots after the install, /etc/rc determines there is no rndc.key, and generates one:

    rndc-confgen: generating new shared secret... done.
    starting named

Here are the owner, group, and file modes of the two different copies of rndc.key that are generated:

    # ls -lAF /etc/rndc.key /var/named/etc/rndc.key
    -rw-------  1 root  wheel  77 Nov 11 12:24 /etc/rndc.key
    -rw-r-----  1 root  wheel  77 Nov 11 12:24 /var/named/etc/rndc.key

named only cares about the rndc.key in /var/named/etc

Right. But later, rndc will use the /etc version. So you need both, and the permissions you show are sane ones.

Looking at the logs: /var/log/daemon, one can see:

    Nov 11 12:24:10 svn01 named[142]: none:0: open: /etc/rndc.key: permission denied
    Nov 11 12:24:10 svn01 named[142]: couldn't add command channel 127.0.0.1#953: permission denied

Here is my workaround:

    # chown root:named /var/named/etc/rndc.key
    # ls -lAF /var/named/etc/rndc.key
    -rw-r-----  1 root  named  77 Nov 11 12:24 /var/named/etc/rndc.key

Should /etc/rc set the group ownership of /var/named/etc/rndc.key? Comments?

I think rndc.key should pick up the named group from the ownerships and permissions on /var/named/etc. /var/named/etc should be owned by root.named and have permissions 750. I bet your /var/named/etc is owned by root.wheel.

Dave
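An added example, not written by anyone in this thread and not OpenBSD's own code: a POSIX sh audit of the rndc.key layout the messages above describe (root:wheel 0600 for /etc/rndc.key, root:named 0640 for the chroot copy, root:named 750 for /var/named/etc, both copies identical). The function names, the PREFIX argument and the FAIL output format are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit owner, group and mode of the rndc.key copies.
# Expected values are the ones stated in the thread; everything else
# (function names, FAIL message format, PREFIX argument) is hypothetical.

# Print "MODE OWNER GROUP" for a path using only POSIX ls output.
# The mode is cut to 10 characters so an ACL/SELinux suffix (+ or .) is ignored.
file_meta() {
    ls -ld -- "$1" 2>/dev/null | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# audit_path PATH OWNER GROUP MODE
# Prints one FAIL line per finding; returns 0 only when nothing was found.
audit_path() {
    a_path=$1; a_owner=$2; a_group=$3; a_mode=$4
    a_meta=$(file_meta "$a_path")
    if [ -z "$a_meta" ]; then
        echo "FAIL $a_path: missing or not accessible"
        return 1
    fi
    set -- $a_meta            # $1=mode string, $2=owner, $3=group
    a_rc=0
    if [ "$1" != "$a_mode" ]; then
        echo "FAIL $a_path: mode $1, expected $a_mode"; a_rc=1
    fi
    case $1 in
        ???????---) ;;        # no read/write/execute bits for "other"
        *) echo "FAIL $a_path: accessible to other users"; a_rc=1 ;;
    esac
    if [ "$2" != "$a_owner" ]; then
        echo "FAIL $a_path: owner $2, expected $a_owner"; a_rc=1
    fi
    # The failure reported in the thread: the chroot copy was group wheel,
    # so the unprivileged named process could not open it.
    if [ "$3" != "$a_group" ]; then
        echo "FAIL $a_path: group $3, expected $a_group"; a_rc=1
    fi
    return $a_rc
}

# audit_rndc_layout PREFIX OWNER ETC_GROUP NAMED_GROUP
# PREFIX is "" on a live system; a scratch directory when testing.
audit_rndc_layout() {
    l_prefix=$1; l_owner=$2; l_etc_group=$3; l_named_group=$4
    l_rc=0
    audit_path "$l_prefix/etc/rndc.key" \
        "$l_owner" "$l_etc_group" "-rw-------" || l_rc=1
    audit_path "$l_prefix/var/named/etc" \
        "$l_owner" "$l_named_group" "drwxr-x---" || l_rc=1
    audit_path "$l_prefix/var/named/etc/rndc.key" \
        "$l_owner" "$l_named_group" "-rw-r-----" || l_rc=1
    # /etc/rc regenerates the key when the copies differ; report that state too.
    if ! cmp -s "$l_prefix/etc/rndc.key" "$l_prefix/var/named/etc/rndc.key"; then
        echo "FAIL rndc.key copies differ or cannot be read"; l_rc=1
    fi
    return $l_rc
}

# Run the audit only when called with the four arguments, for example
# (as root, so both key files can be read):  sh audit.sh "" root wheel named
if [ "$#" -eq 4 ]; then
    audit_rndc_layout "$@" || exit 1
fi
```

A symlink in place of either key file is reported as a mode mismatch, because its mode string starts with `l`.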
Re: Missing security announcements
On Thu, Nov 13, 2008 at 9:12 AM, Tobias Weisserth [EMAIL PROTECTED] wrote: everybody knows that's not going to happen. Why not scrap the security announcement list if it's not being used or just whenever someone feels like it? The mere existence of this list implies to users that new errata are being announced to that list which is not the case. Get rid of the list and the problem is solved. Because new errata should be announced on the list.
Re: Missing security announcements
All this chatter now isn't going to change anything when the next errata comes out. You want security announcement? Do something to make it happen! Ted, everybody knows that's not going to happen. I remember having asked the same question YEARS AGO and nothing has changed since then. Reading those two next to each other says everything.
Re: Missing security announcements
there is also the errata rss feed from undeadly If anyone cares enough, someone could write a perl/ksh/whatever script that can mail updates to that list. Apparently nobody cares and the list is useless ATM, so IMHO it should be deleted. -- Aram Havarneanu
Re: Missing security announcements
Janne, On Thu, Nov 13, 2008 at 4:14 PM, Janne Johansson [EMAIL PROTECTED] wrote: everybody knows that's not going to happen. I remember having asked the same question YEARS AGO and nothing has changed since then. Reading those two next to each other says everything. Why ain't you a bit more explicit? Should /I/ have managed that list? Why didn't you if you care to post messages in this thread? This kind of answer is so redundant and hypocritical at the same time.
Re: Missing security announcements
On 13 Nov 2008, at 15:56, Tobias Weisserth wrote: Janne, On Thu, Nov 13, 2008 at 4:14 PM, Janne Johansson [EMAIL PROTECTED] wrote: everybody knows that's not going to happen. I remember having asked the same question YEARS AGO and nothing has changed since then. Reading those two next to each other says everything. Why ain't you a bit more explicit? Should /I/ have managed that list? Why didn't you if you care to post messages in this thread? This kind of answer is so redundant and hypocritical at the same time. Seems perfectly simple. If you want them announced and nobody is doing it, then do it yourself. If you don't care then stop posting about it. Simon.
Re: Missing security announcements
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Janne Johansson Sent: Thursday, November 13, 2008 10:14 AM To: Misc OpenBSD Subject: Re: Missing security announcements why not just get it yourself if you're worried about it? just fire a crontab entry and move on.

lynx -dump openbsd.org/errata44.html | mail -s "Daily Security" [EMAIL PROTECTED]
Re: Missing security announcements
someone should take the task to send a mail via it once something arrives on the errata page. It is really easy to use that word "should" when it isn't you.
Re: Missing security announcements
On Thu, 13 Nov 2008 11:22:09 -0500 Morris, Roy [EMAIL PROTECTED] wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Janne Johansson Sent: Thursday, November 13, 2008 10:14 AM To: Misc OpenBSD Subject: Re: Missing security announcements why not just get it yourself if you're worried about it? just fire a crontab entry and move on. lynx -dump openbsd.org/errata44.html |mail -s Daily Security [EMAIL PROTECTED] I agree. Keeping yourself informed about security updates is easy, at least once you realise security-announce is dead. From http://www.openbsd.org/mail.html security-announce Security announcements. This low volume list receives OpenBSD security advisories and pointers to security patches as they become available. Apparently not, so just remove the damn thing and avoid confusion. Here: Index: mail.html === RCS file: /cvs/www/mail.html,v retrieving revision 1.110 diff -u -p -r1.110 mail.html --- mail.html 4 Sep 2008 09:55:21 - 1.110 +++ mail.html 13 Nov 2008 16:45:27 - @@ -19,12 +19,10 @@ hr Mailing lists are an important means of communication among users and -developers of OpenBSD. With the exceptions of bannounce/b and -bsecurity-announce/b, the lists are not moderated. We deliberately -restrict the number of different mailing lists. -This helps reduce the amount of cross-posting and makes sure that the +developers of OpenBSD. With the exception of bannounce/b, the lists +are not moderated. We deliberately restrict the number of different mailing +lists. This helps reduce the amount of cross-posting and makes sure that the information gets distributed to a wide audience. - p a name=Netiquette/a h2font color=#e0Netiquette/font/h2 
@@ -149,11 +147,6 @@ Problem/a before posting. dtbannounce/b ddImportant announcements. This low volume list is excellent for people who just want occasional news about the project. - -dtbsecurity-announce/b -ddSecurity announcements. This low volume list receives OpenBSD -security advisories and pointers to security patches as they become -available. dtbports/b ddDiscussions about using and contributing to the 'ports' source tree. If people continually complain about the lack of a security-announce list, there's always the option of updating the FAQ. Thomas
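Review bot: the first hunk (@@ -19,12 +19,10 @@) re-wraps the whole introductory paragraph and also drops the blank line before the Netiquette anchor, although the only intended change is removing "and security-announce" from the moderation sentence. Keep the existing line breaks and the blank line and edit just the "With the exceptions of ..." sentence, so the diff shows one changed line and is easy to audit.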
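Review bot: the second hunk (@@ -149,11 +147,6 @@) deletes the security-announce entry without putting anything in its place, so after this change mail.html no longer tells readers where security advisories and patch pointers are published. Since the patch only edits mail.html, the list itself and its existing subscribers are untouched and will simply keep receiving nothing. Consider replacing the entry with a one-line pointer to the errata page (the thread cites http://www.openbsd.org/errata44.html) instead of removing it silently, and keep the blank separator line so the ports entry does not run straight on from announce.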
active partition not booting
I installed NetBSD 4.01 (amd64) and then installed OpenBSD 4.4 (amd64) onto the same hard disk. I used the OpenBSD fdisk on the install CD to set it up OpenBSD like this: Offset: 0 Signature : 0xAA55 C H S C H S 0: A9 0 1 1 8885 254 63 *1: A6 8896 0 1 15000 254 63 where *1 is the active OpenBSD partition. Yet, when I reboot I am greeted with the NetBSD boot loader, not the Open BSD boot loader as I hoped. I am very new to BSD and UNIX. Any suggestions? Thank you!
smtpd - developer blog on undeadly
Hello, For those of you who were asking for information about (open ?)smtpd: Gilles Chehade writes a long and clear text about it on undeadly.org: http://undeadly.org/cgi?action=article&sid=20081112084647 Thank you Gilles for this work. This is a very exciting project. -- Rimi Bougard
Re: Missing security announcements
As someone new to OpenBSD and UNIX in general (reading a lot and trying to learn) I signed up for the security list due to the description of the list thinking I would be covered if something serious were to come up. I only check errata about every week or so and as of right now I'm not even sure how to apply the reliability patches, but I am trying to learn without causing too much noise, only generally skimming to find some golden nuggets that will help me with learning (admittedly, most is over my head and I don't attempt much of what I read, but it does help me). By having the list seemingly available, it's possible new people such as myself are missing announcements and after checking the errata for 4.4 (which I purchased as soon as it was avail along with 3 or 4 prior versions which I only installed to test but gladly support this effort albeit in a small way) lets me know that I am indeed missing things. So I am curious, what IS the best way to stay up to date? Is manually checking the errata page every day really correct (seems like there would be an automated solution such as the lynx dump aforementioned)? It seems to me that even if there is a security flaw in OpenBSD most of them (from reading prior patches) would be exceedingly hard to exploit anyway so maybe it's not as big of a deal as, say, Windows B.S. (which is exactly the reason I am learning something else). If people really DO want the list, I would have no problem checking it once a day and posting any relevant updates as they appear on errata. Cheers, Brian From http://www.openbsd.org/mail.html security-announce Security announcements. This low volume list receives OpenBSD security advisories and pointers to security patches as they become available.
Re: Missing security announcements
To everyone who wants security-announce to work: On Thu, 13 Nov 2008 09:29:09 -0700 Theo de Raadt [EMAIL PROTECTED] wrote: someone should take the task to send a mail via it once something arrives on the errata page. It is really easy to use that word "should" when it isn't you. I'll do it. I care about having security announcements sent out in a way that makes it easy for us to track without having to write our own scripts. I happen to think a mailing list is a very good way of doing this. I'm willing to put in the time to do this, since I *do* use -stable. Is security-announce an open list? If not, give me access and I'll keep it reasonably up to date, give or take a day or so of release of the Security Errata on the website, unless there is an even faster way of checking it out, such as CVS. -- Aaron W. Hsu [EMAIL PROTECTED] | http://www.sacrideo.us Government is the great fiction, through which everybody endeavors to live at the expense of everybody else. -- Frederic Bastiat +++ ((lambda (x) (x x)) (lambda (x) (x x))) ++
Re: Missing security announcements
just fire a crontab entry and move on

actually, that's a great idea, I just scheduled the following script. This mails the diff of errata.html, but only if something changed.

#!/bin/sh
rel=44 # OpenBSD version

# fetch the current errata page into the working directory
ftp http://www.openbsd.org/errata$rel.html >/dev/null 2>&1
if [ $? != 0 ]; then
    echo "Unable to fetch errata page!"
    exit 1
fi

# first run: start from an empty baseline
if [ ! -f .errata$rel.old ]; then
    touch .errata$rel.old
fi

mv errata$rel.html .errata$rel.new
diff -u .errata$rel.old .errata$rel.new > .errata$rel.diff

# diff exits 1 when the files differ
if [ $? = 1 ]; then
    cat .errata$rel.diff | mail -s "OpenBSD$rel errata changed" root
    rm .errata$rel.old >/dev/null 2>&1
    mv .errata$rel.new .errata$rel.old
fi
exit 0
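Added example (not part of the original post, and not OpenBSD project code): instead of mailing a raw diff of the page, this variant reports each errata entry once, keyed by its anchor name, and refuses to trust a page that suddenly parses to nothing, which is how a failed fetch or a layout change shows up in a scraper. The page layout (one `<li>` per entry holding `<a name="ID">` and `<strong>NNN: TYPE: DATE</strong>`), the function names and the sample entries are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example. Assumed layout: one <li> per erratum containing
#   <a name="ID"></a> ... <strong>NNN: TYPE: DATE</strong>

# list_errata FILE -> one line per entry: ID|NNN: TYPE: DATE
list_errata() {
    awk '
    /<li>/ { id = "" }                      # a new entry starts
    match($0, /<a name="[^"]+"/) {          # remember the entry anchor
        id = substr($0, RSTART + 9, RLENGTH - 10)
    }
    match($0, /<strong>[0-9]+: [^<]+<\/strong>/) {
        title = substr($0, RSTART + 8, RLENGTH - 17)
        if (id != "") { print id "|" title; id = "" }
    }' "$1"
}

# new_errata PAGE STATE -> prints entries whose ID is not yet in STATE and
# appends them to STATE. Exit status:
#   0  page parsed (possibly nothing new)
#   2  page yielded no entries although STATE already has some: treat as a
#      broken fetch or changed layout; STATE is left untouched
new_errata() {
    page=$1
    state=$2
    [ -f "$state" ] || : > "$state"
    tmp=$(mktemp) || return 1
    list_errata "$page" > "$tmp"
    if [ ! -s "$tmp" ] && [ -s "$state" ]; then
        rm -f "$tmp"
        return 2
    fi
    while IFS='|' read -r id rest; do
        grep -qxF -- "$id" "$state" && continue   # already announced
        printf '%s %s\n' "$id" "$rest"
        printf '%s\n' "$id" >> "$state"
    done < "$tmp"
    rm -f "$tmp"
}

# Constructed sample page (not the real errata page).
sample_page() {
    cat <<'EOF'
<html><body><ul>
<li><a name="001_example"></a>
<font color="#009000"><strong>001: SECURITY FIX: January 1, 2000</strong></font> <i>All architectures</i><br>
Constructed description of the first entry.
<li><a name="002_example"></a>
<strong>002: RELIABILITY FIX: January 2, 2000</strong> <i>i386</i><br>
Constructed description of the second entry.
</ul></body></html>
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    sample_page > "$dir/errata.html"
    new_errata "$dir/errata.html" "$dir/seen"   # first run: both entries
    new_errata "$dir/errata.html" "$dir/seen"   # second run: nothing new
    rm -rf "$dir"
}
demo
```

From cron, the output of `new_errata` would be piped to `mail` only when it is non-empty, and exit status 2 is worth its own alert because it means the watcher itself has stopped seeing errata.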
Re: Missing security announcements
On Thu, Nov 13, 2008 at 12:35 PM, Aaron W. Hsu [EMAIL PROTECTED] wrote: Is security-announce an open list? If not, give me access and I'll keep it reasonably up to date, give or take a day or so of release of the Security Errata on the website, unless there is an even faster way of checking it out, such as CVS. It is moderated, and really, outsiders should not be posting to it because then it appears that they have some position of authority. The only person who should be posting to the list is the person who made the fix, because they are the security contact. When people reply, it is important they are talking to the right person. What you can do is monitor the list. If an erratum comes out and nothing happens for a day, email the person responsible and remind them. The person responsible is not necessarily the person who happened to commit to stable, though, it's the person who made the original fix. There's no announcements on the list because probably half the developers don't know they are supposed to make such announcements.
Re: active partition not booting
Steven wrote: I installed NetBSD 4.01 (amd64) and then installed OpenBSD 4.4 (amd64) onto the same hard disk. I used the OpenBSD fdisk on the install CD to set it up OpenBSD like this: Offset: 0 Signature : 0xAA55 C H S C H S 0: A9 0 1 1 8885 254 63 *1: A6 8896 0 1 15000 254 63 that didn't come through as desired. :) where *1 is the active OpenBSD partition. Yet, when I reboot I am greeted with the NetBSD boot loader, not the Open BSD boot loader as I hoped. I am very new to BSD and UNIX. ah, so dive in and hurt yourself as much as you can with a complicated setup. :) See the first paragraph in FAQ4 about multibooting. You really should understand a lot about how your systems work before attempting multibooting. Any suggestions? Thank you! Just ran into that problem myself on an Acer Aspire One, apparently the MBR they shipped on the thing doesn't actually respect the partition flagged as active. Flagging the partition is supposed to work, of course, but that assumes the MBR code actually decides to play by the rules. Sounds like your MBR (like mine) doesn't. You can probably fix the problem by installing the OpenBSD MBR code on the system (fdisk's -u command line option or update in the interactive editor). This should get OpenBSD booting. Not sure what it will do to your NetBSD setup, however (it may be just fine, it may not, never tried to multi-boot NetBSD and OpenBSD, you may find some quirks). It looks like your disk is pretty big, and you split in half. Might want to make sure NetBSD's boot loader can load an OS over 8G. I have no idea if they can. OpenBSD can..assuming the MBR hands control over to the PBR and /boot properly. For that matter, you might want to make sure your BIOS supports large disks properly, otherwise you may have boot issues (just realized I may not be the only one sticking big disks on old computers!) Nick.
Re: Missing security announcements
Ted == Ted Unangst [EMAIL PROTECTED] writes: Ted What you can do is monitor the list. If an erratum comes out and Ted nothing happens for a day, email the person responsible and remind Ted them. The person responsible is not necessarily the person who Ted happened to commit to stable, though, it's the person who made the Ted original fix. There's no announcements on the list because probably Ted half the developers don't know they are supposed to make such Ted announcements. Who handles the errata page, assigning the sequential numbers and deciding whether it's a security fix or not? Surely, it would be easier to teach that small set of people (one?) to cc the mailing list on a security announcement, rather than expect that everyone with a core commit bit be reminded to watch errata to notice when their particular contribution has been accepted as a security patch. What am I missing here? -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 [EMAIL PROTECTED] URL:http://www.stonehenge.com/merlyn/ Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc. See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
Re: Missing security announcements
On Thu, 13 Nov 2008 12:55:36 -0500 Ted Unangst [EMAIL PROTECTED] wrote: [...] There's no announcements on the list because probably half the developers don't know they are supposed to make such announcements. Excuse my ignorance, but who keeps http://openbsd.org/errata44.html updated, then? Apparently the errata page is kept up-to-date, so why not automate the process of sending mail to security-announce? Thomas
3.8 stable to 4.4 snapshot and the system is about 95% in interrupts with tcpdump on em(82541GI)
Hi, upgraded a box from 3.8 stable to 4.4 snapshot and am wondering now, why it is hogged with interrupts when i run tcpdump on em0. According to vmstat interrupt rate is more or less the following: $ vmstat -i interrupt total rate irq10/em0 399560 330 irq11/em1 50 irq14/pciide012691 irq15/pciide0 1360 irq5/vr0 16591 irq0/clock 120799 99 irq8/rtc 154617 127 Total 678045 561 $ The traffic going to em0 is (taken from the cisco here): 30 second output rate 569104000 bits/sec, 125107 packets/sec that must be a lot, but 3.8 stable has been handling 960 Mbps on the same link. Yes 3.8 stable was losing frames but interrupt load was under 30% and the system was pretty responsive. Now the box nearly freezes, other processes get delayed seriously, load goes up to 20. It does not matter whether tcpdump writes to disk or just to /dev/null, so it more seems to be related to em driver. What could be the cause? It would be real pity to go back to 3.8, since there are nice features and fixes that came in during the three years... I don't know if ifconfig output gives anything useful and dmesg is traditionally at the end. Thanks in advance.
$ ifconfig lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 33204 groups: lo inet 127.0.0.1 netmask 0xff00 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 em0: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST mtu 1500 lladdr 00:0e:0c:05:0c:3f media: Ethernet autoselect (1000baseT full-duplex,rxpause) status: active inet6 fe80::20e:cff:fe05:c3f%em0 prefixlen 64 scopeid 0x1 em1: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 lladdr 00:0e:0c:05:0c:9c media: Ethernet autoselect (100baseTX full-duplex) status: active inet6 fe80::20e:cff:fe05:c9c%em1 prefixlen 64 scopeid 0x2 vr0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 lladdr 00:0a:e6:22:2e:a5 groups: egress media: Ethernet autoselect (100baseTX full-duplex) status: active inet 10.110.16.245 netmask 0xff00 broadcast 10.110.16.255 inet6 fe80::20a:e6ff:fe22:2ea5%vr0 prefixlen 64 scopeid 0x3 enc0: flags=0 mtu 1536 pflog0: flags=141UP,RUNNING,PROMISC mtu 33204 groups: pflog $ OpenBSD 4.4-current (GENERIC) #1480: Tue Nov 11 19:56:54 MST 2008 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Celeron(R) CPU 1.70GHz (GenuineIntel 686-class) 1.71 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM real mem = 251162624 (239MB) avail mem = 234262528 (223MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 06/27/02, BIOS32 rev. 0 @ 0xfdad0, SMBIOS rev. 2.3 @ 0xf0630 (19 entries) bios0: vendor American Megatrends Inc. version 07.00T date 04/02/01 bios0: ECS P4VMM2 apm at bios0 function 0x15 not configured acpi0 at bios0: rev 0 acpi0: tables DSDT FACP acpi0: wakeup devices UAR1(S4) USB_(S4) USB1(S4) USB2(S4) AC9_(S4) MC9_(S4) ILAN(S4) PCI0(S4) SLPB(S4) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpiprt0 at acpi0: bus 0 (PCI0) acpicpu0 at acpi0 acpibtn0 at acpi0: PWRB acpibtn1 at acpi0: SLPB bios0: ROM list: 0xc/0xc000 0xcc000/0x4000! 
cpu0 at mainbus0: (uniprocessor) pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 VIA VT8751 PCI rev 0x00 viaagp0 at pchb0v2, agp0 at viaagp0: aperture at 0xe800, size 0xe40 ppb0 at pci0 dev 1 function 0 VIA VT8633 AGP rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 S3 ProSavage DDR rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) em0 at pci0 dev 9 function 0 Intel PRO/1000MT (82541GI) rev 0x00: irq 10, address 00:0e:0c:05:0c:3f em1 at pci0 dev 11 function 0 Intel PRO/1000MT (82541GI) rev 0x00: irq 11, address 00:0e:0c:05:0c:9c viapm0 at pci0 dev 17 function 0 VIA VT8233 ISA rev 0x00 iic0 at viapm0 spdmem0 at iic0 addr 0x50: 256MB SDRAM non-parity PC133CL2 pciide0 at pci0 dev 17 function 1 VIA VT82C571 IDE rev 0x06: ATA100, channel 0 configured to compatibility, channel 1 config ured to compatibility wd0 at pciide0 channel 0 drive 0: MAXTOR 6L040J2 wd0: 16-sector PIO, LBA, 38172MB, 78177792 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 wd1 at pciide0 channel 1 drive 0: Maxtor 7L300R0 wd1: 16-sector PIO, LBA48, 286188MB, 586114704 sectors wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5 vr0 at pci0 dev 18 function 0 VIA RhineII-2 rev 0x70: irq 5, address 00:0a:e6:22:2e:a5 ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 5: OUI 0x004063, model 0x0032 isa0 at mainbus0 isadma0 at isa0 com0 at isa0
Re: Missing security announcements
On Thu, Nov 13, 2008 at 1:38 PM, Randal L. Schwartz [EMAIL PROTECTED] wrote: Who handles the errata page, assigning the sequential numbers and deciding whether it's a security fix or not? Surely, it would be easier to teach that small set of people (one?) to cc the mailing list on a security announcement, rather than expect that everyone with a core commit bit be reminded to watch errata to notice when their particular contribution has been accepted as a security patch. What am I missing here? There's no real good reason why it can't be the same person, but maintaining stable already sucks enough without having more work. I won't ask that. And I strongly believe that the person making a security fix needs to take responsibility for seeing it through to the end. If they can't handle that, I don't think they should be making security fixes. Of course, everything I've said so far is more my opinion than project rules. By now, it should be pretty clear that the rules are not clear.
Re: Missing security announcements
On Thu, Nov 13, 2008 at 11:19:45AM -0600, Brian Drain wrote: So I am curious, what IS the best way to stay up to date? Is manually checking the errata page every day really correct (seems like there would be an automated solution such as the lynx dump aforementioned)? It seems to me that even if there is a security flaw in OpenBSD most of them (from reading prior patches) would be exceedingly hard to exploit anyway so maybe it's not as big of a deal as, say, Windows B.S. (which is exactly the reason I am learning something else). I'm not sure this is the best way, but what I do to keep up with -stable is to have a cronjob do a cvs (or csup) update every day. Most days there is nothing updated, so it's quite noticeable when there's a change. These are the two changes since 4.4 release: - Forwarded message from Cron Daemon [EMAIL PROTECTED] - Date: 2 Nov 2008 11:00:02 - From: Cron Daemon [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Cron [EMAIL PROTECTED] /home/eperea/Bin/updsrc Starting /home/eperea/Bin/updsrc: Sun Nov 2 05:00:02 CST 2008 P sys/conf/newvers.sh P sys/dev/pci/if_vr.c P sys/netinet6/in6.c P sys/netinet6/in6_var.h P sys/netinet6/nd6_nbr.c Finished updating source: Sun Nov 2 05:15:24 CST 2008 *==* Date: 6 Nov 2008 11:00:02 - From: Cron Daemon [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Cron [EMAIL PROTECTED] /home/eperea/Bin/updsrc Starting /home/eperea/Bin/updsrc: Thu Nov 6 05:00:02 CST 2008 P sys/netinet/tcp_input.c P usr.sbin/httpd/src/ap/ap_hook.c P usr.sbin/httpd/src/modules/proxy/proxy_http.c Finished updating source: Thu Nov 6 05:14:56 CST 2008 - End forwarded message - When I see these, I check to see if it's something that requires patching immediately (but haven't seen any of those yet). Otherwise, I build a release and install it after hours on the remote sites.
Re: Missing security announcements
On Thu, Nov 13, 2008 at 1:55 PM, Thomas Pfaff [EMAIL PROTECTED] wrote: On Thu, 13 Nov 2008 12:55:36 -0500 Ted Unangst [EMAIL PROTECTED] wrote: [...] There's no announcements on the list because probably half the developers don't know they are supposed to make such announcements. Excuse my ignorance, but who keeps http://openbsd.org/errata44.html updated, then? Apparently the errata page is kept up-to-date, so why not automate the process of sending mail to security-announce?

Because it hasn't happened in 10 years of whining about it. There are two ways to fix the problem. One is the developers change their process. As should be damn clear by now, you're not making much progress in that regard. The other option is to step up and remind the developers when they are not doing what they should. That doesn't mean throwing a pity party on misc every 6 months, it means actively watching what's happening as errata come out. This is the one thing that *ANYONE* who cares can do, yet nobody does it. All we get is more chatter about changing things that obviously aren't changing.

Of course, this is how things always work on misc. There's the "developers do it" option and the "community does it" option. The community is full of ideas about the first option, and full of shit when it comes to the second. It doesn't matter which way is better, it only matters which way something will get done.
Re: Missing security announcements
Of course, this is how things always work on misc. There's the "developers do it" option and the "community does it" option. The community is full of ideas about the first option, and full of shit when it comes to the second. That is exactly what happens. Now what happens next? You guys out there on misc have more ideas that we can ignore? Because that is exactly what I will do. I'm just so sick and tired of the whining, and over the last year or so I have adjusted my attitude and started getting pleasure out of watching the futility.
Re: Missing security announcements
On Thu, 13 Nov 2008 14:12:21 -0500 Ted Unangst [EMAIL PROTECTED] wrote: On Thu, Nov 13, 2008 at 1:55 PM, Thomas Pfaff [EMAIL PROTECTED] wrote: On Thu, 13 Nov 2008 12:55:36 -0500 Ted Unangst [EMAIL PROTECTED] wrote: [...] There's no announcements on the list because probably half the developers don't know they are supposed to make such announcements. [...] It doesn't matter which way is better, it only matters which way something will get done. Applying my diff will get something done. Thanks for your time. Thomas
Re: 3.8 stable to 4.4 snapshot and the system is about 95% in interrupts with tcpdump on em(82541GI)
On Thu, Nov 13, 2008 at 1:54 PM, Denis Doroshenko [EMAIL PROTECTED] wrote: Hi, upgraded a box from 3.8 stable to 4.4 snapshot and am wondering now, why it is hogged with interrupts when i run tcpdump on em0. According to vmstat interrupt rate is more or less the following: snip re upgraded from 3.8 to 4.4 snapshot: how (explicitly) did you do this? is this a fresh install? or an actual upgrade? if it was an upgrade, did you go from 3.8-3.9---4.4, or did you fudge from 3.8 -- 4.4 with a snapshot? cheers, ~Jason
Re: Can't SSH into CARP'd system from the outside
Oh ok. That kind of makes sense. Thanks On Thu, Nov 13, 2008 at 2:11 AM, Marco Pfatschbacher [EMAIL PROTECTED] wrote: On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote: i don't think I understand. Clarify. you mean carpdev is like your physical interface..eth0, re0, etc.? say you have a carp configured like: carp0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 lladdr 00:00:5e:00:01:04 carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 0 groups: carp inet 1.2.3.4 netmask 0xff00 broadcast 1.255.255.255 As you can see, carp0 is using em0 as its carpdev. A pf rule to pass ssh to the carp address would be: pass in on em0 inet proto tcp to (carp0) port 22 and NOT: pass in on carp0 inet proto tcp to (carp0) port 22 HTH, Marco
Re: 3.8 stable to 4.4 snapshot and the system is about 95% in interrupts with tcpdump on em(82541GI)
On Thu, Nov 13, 2008 at 10:12 PM, Jason Beaudoin [EMAIL PROTECTED] wrote: On Thu, Nov 13, 2008 at 1:54 PM, Denis Doroshenko [EMAIL PROTECTED] wrote: Hi, upgraded a box from 3.8 stable to 4.4 snapshot and am wondering now, why it is hogged with interrupts when i run tcpdump on em0. According to vmstat interrupt rate is more or less the following: snip re upgraded from 3.8 to 4.4 snapshot: how (explicitly) did you do this? is this a fresh install? or an actual upgrade? if it was an upgrade, did you go from 3.8-3.9---4.4, or did you fudge from 3.8 -- 4.4 with a snapshot? ugh, sorry, the upgrade was actually a clean install of the Nov 11 snapshot
Re: Missing security announcements
On Thu, 13 Nov 2008 12:55:36 -0500 Ted Unangst [EMAIL PROTECTED] wrote: On Thu, Nov 13, 2008 at 12:35 PM, Aaron W. Hsu [EMAIL PROTECTED] wrote: Is security-announce an open list? If not, give me access and I'll keep it reasonably up to date, give or take a day or so of release of the Security Errata on the website, unless there is an even faster way of checking it out, such as CVS. It is moderated, and really, outsiders should not be posting to it because then it appears that they have some position of authority. The only person who should be posting to the list is the person who made the fix, because they are the security contact. When people reply, it is important they are talking to the right person.

Okay, I can see why everyone would prefer to see the developers sending their own fixes -- this is convenient to the users, though not to the developers. However, it is obvious that the developers do not wish to do this, have no time to bother with it, and aren't concerned at all. I don't blame them, that's perfectly legitimate. So we should get someone else to do it, because some people do care about having semi-timely security announcements on a mailing list. I also see no reason why someone announcing a security announcement that is detailed elsewhere should be required to be a developer heavily involved in the development process. The very nature of this suggests that people who meet this requirement will not have the motivation or time to do this. There is nothing wrong with having someone else assigned to the task.

What you can do is monitor the list. If an erratum comes out and nothing happens for a day, email the person responsible and remind them. The person responsible is not necessarily the person who happened to commit to stable, though, it's the person who made the original fix. There's no announcements on the list because probably half the developers don't know they are supposed to make such announcements.

You're implying ignorance of the developers, which I doubt. They don't care about it, and we shouldn't be nagging them about it. Instead, we should do something, rather than just being on the outside bugging them like annoying gnats. I'm offering to do the work. OpenBSD as a whole may not want me to do anything, but that's not my fault. At least I'm trying to *do* something; I don't consider nagging people who don't have time or motivation or reason to bother with such things to be a useful thing to do. -- Aaron W. Hsu [EMAIL PROTECTED] | http://www.sacrideo.us Government is the great fiction, through which everybody endeavors to live at the expense of everybody else. -- Frederic Bastiat +++ ((lambda (x) (x x)) (lambda (x) (x x))) ++
Layer 7 relaying still needs pf?
Hi, Why does layer 7 relaying require pf still? Thanks -- Best Regards Edd http://students.dec.bournemouth.ac.uk/ebarrett
Re: Missing security announcements
On Thu, 13 Nov 2008 10:38:06 -0800 [EMAIL PROTECTED] (Randal L. Schwartz) wrote: Surely, it would be easier to teach that small set of people (one?) to cc the mailing list on a security announcement, rather than expect that everyone with a core commit bit be reminded to watch errata to notice when their particular contribution has been accepted as a security patch. What am I missing here? Why should developers listen to people who are just consuming resources that they are giving out for free? We don't need to teach them, we can just do the work they don't want to do to free them up for doing the work they should be doing. Why bug them? They have work to do. -- Aaron W. Hsu [EMAIL PROTECTED] | http://www.sacrideo.us Government is the great fiction, through which everybody endeavors to live at the expense of everybody else. -- Frederic Bastiat +++ ((lambda (x) (x x)) (lambda (x) (x x))) ++
Re: Missing security announcements
2008/11/13 Theo de Raadt [EMAIL PROTECTED]: You guys out there on misc have more ideas that we can ignore?

<quote src="http://www.openbsd.org/goals.html">Do not let serious problems sit unsolved.</quote>

Best Martin
Re: Missing security announcements
On Thu, Nov 13, 2008 at 12:55:36PM -0500, Ted Unangst wrote:
> On Thu, Nov 13, 2008 at 12:35 PM, Aaron W. Hsu [EMAIL PROTECTED] wrote:
>> Is security-announce an open list? If not, give me access and I'll keep it reasonably up to date, give or take a day or so of release of the Security Errata on the website, unless there is an even faster way of checking it out, such as CVS.
>
> It is moderated, and really, outsiders should not be posting to it because then it appears that they have some position of authority. The only person who should be posting to the list is the person who made the fix, because they are the security contact. When people reply, it is important they are talking to the right person.

I just wrote something quick in perl that scrapes the errata pages of the two most recent releases and sends a nicely formatted email for any that have changed since the last check.

It does require a couple of packages be installed (p5-libwww and p5-HTML-Tree) but if there were enough interest from someone who could do something with it, I could probably make it work with just what is available in the base system.

There are lots of ways to break something that scrapes html, but it is at least automated.

l8rZ,
--
andrew - ICQ# 253198 - Jabber: [EMAIL PROTECTED]

#!/usr/bin/perl -T
use strict;
use warnings;

%ENV = ();

#Additional modules needed
use LWP::Simple;          # pkg_add p5-libwww
use HTML::TreeBuilder;    # pkg_add p5-HTML-Tree

# Core modules
use Text::Wrap;
use Fcntl ':flock';       # import LOCK_* constants

# should end with a /
my $base_url   = 'http://www.OpenBSD.org/';
my $start_page = 'errata.html';

my $sender    = '[EMAIL PROTECTED]';
my $recipient = '[EMAIL PROTECTED]';

# should end with a /
my $base_dir = '/home/andrew/.openbsd_errata_notifier/';

my $max_versions_to_process = 2;

#*#*# Nothing to change beyond this point #*#*#

# Fetch the errata index and collect the per-release errata pages
my $tree = HTML::TreeBuilder->new();

my $content = get( $base_url . $start_page )
    or die "Couldn't get [$start_page]: $!";
$tree->parse($content)->eof;

my @errata_urls;
foreach my $link ( @{ $tree->extract_links('a') } ) {
    my ( $url, $element, $attr, $tag ) = @{$link};
    if ( $url =~ /^errata\d+\.html\Z/xms ) {
        push @errata_urls, $base_url . $url;
    }
}
$tree->delete;

# Walk the most recent releases first
my $processed = 0;
URL: foreach my $url ( reverse @errata_urls ) {
    $processed++;
    last URL if $processed > $max_versions_to_process;

    my $tree = HTML::TreeBuilder->new();

    my $content = get($url) or die "Couldn't get [$url]: $!";
    $tree->parse($content)->eof;

    my $title = $tree->find('title')->as_trimmed_text;
    my ($version) = $title =~ /\b ( \d+ \. \d ) \b/xms;

    foreach my $entry ( reverse $tree->find('ul')->find('li') ) {
        my $errata = process_errata_entry($entry);
        $errata->{version} = $version;
        $errata->{url}     = $url;

        my $message = format_errata_message($errata);
        my $file    = make_errata_dir($errata);

        if ( should_send( $message, $file ) ) {
            mail($message);
        }
    }

    $tree->delete;
}

# Turn one <li> errata entry into a hash of its fields
sub process_errata_entry {
    my ($errata) = @_;

    my $id = $errata->find('a')->attr('name');
    my ( $num, $type, $date ) = split /:\s*/xms,
        $errata->find('strong')->as_trimmed_text;
    my $arch = $errata->find('i')->as_trimmed_text;

    my %errata = (
        id     => $id,
        number => $num,
        type   => $type,
        date   => $date,
        arch   => $arch,
    );

    # Pull the patch and CVE links out of the entry
    foreach my $content ( $errata->content_list ) {
        if ( ref $content eq 'HTML::Element' ) {
            if ( my $href = $content->attr('href') ) {
                if ( $href =~ m{ftp\.openbsd\.org.*patch\Z}ixms ) {
                    $errata{patch} = {
                        href => $href,
                        text => $content->as_trimmed_text,
                    };
                    $content->delete;
                }
                elsif ( $href =~ m{CVE-} ) {
                    push @{ $errata{cve} },
                        {
                        href => $href,
                        text => $content->as_trimmed_text,
                        };
                    $content->delete;
                }
            }
        }
    }

    foreach my $br ( $errata->find('br') ) {
        $br->replace_with("\n");
    }

    my @descr = split /\n/, $errata->as_text;
    shift @descr;
    pop @descr;
    foreach my $m (@descr) {
        $m =~ s/^\s+//xms;
        $m =~ s/\.\W+\Z/\./xms;
    }
    $errata{description} = \@descr;

    return \%errata;
}

# Queue the message through the local sendmail
sub mail {
    my ($message) = @_;

    open( my $sendmail, "|/usr/sbin/sendmail -oi -t -odq" )
        or die "Can't fork for sendmail: $!\n";
    print $sendmail $message;
    close $sendmail or warn "sendmail didn't close nicely";
}

sub format_errata_message {
    my ($errata) = @_;

    my $message = <<"EOL";
From: $sender
To: $recipient
EOL

    $message .= 'Subject: OpenBSD ' . $errata->{version} . ' Errata ' .
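The script above calls should_send() and make_errata_dir(), but the archived copy is cut off before either is defined. The following is an added example, not Andrew's code, of one way to do the "changed since the last check" test in Python: the name should_send is reused from the script, while state_path, the state-directory layout, the id allowlist and the sample values in the test are assumptions.

```python
import fcntl
import hashlib
import os
import re
import tempfile

# Version and errata id are scraped from HTML and end up in a file path,
# so they are checked against allowlists first (the Perl script runs under
# -T, which forces the same kind of untainting).
VERSION_RE = re.compile(r"\A\d+\.\d\Z")               # e.g. "4.4"
ERRATA_ID_RE = re.compile(r"\A[A-Za-z0-9_]{1,64}\Z")  # assumed shape of the anchor name


def state_path(state_dir, version, errata_id):
    """Build the per-entry state file path, rejecting unexpected input."""
    if not VERSION_RE.match(version):
        raise ValueError("unexpected version: %r" % (version,))
    if not ERRATA_ID_RE.match(errata_id):
        raise ValueError("unexpected errata id: %r" % (errata_id,))
    return os.path.join(state_dir, version, errata_id)


def should_send(state_dir, version, errata_id, message):
    """Return True if the entry is new or its text changed since the last run.

    The new digest is recorded before returning, so a second call with the
    same message returns False.
    """
    path = state_path(state_dir, version, errata_id)
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    digest = hashlib.sha256(message.encode("utf-8")).hexdigest()

    # One exclusive lock per state directory serialises overlapping cron runs.
    lock_fd = os.open(os.path.join(state_dir, ".lock"),
                      os.O_CREAT | os.O_RDWR, 0o600)
    try:
        fcntl.flock(lock_fd, fcntl.LOCK_EX)
        try:
            with open(path, "r", encoding="ascii") as fh:
                previous = fh.read().strip()
        except FileNotFoundError:
            previous = None
        if previous == digest:
            return False
        # Write to a temp file and rename it into place, so a crash never
        # leaves a half-written digest behind.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
        with os.fdopen(fd, "w", encoding="ascii") as fh:
            fh.write(digest + "\n")
        os.replace(tmp, path)
        return True
    finally:
        os.close(lock_fd)  # closing the descriptor releases the flock
```

Because the digest is stored before the mail goes out, a failed delivery is not retried on the next run; a caller that needs retries would record the digest only after sendmail accepts the message.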
OpenBSD 4.4 panics when using AICCU
Hi misc, Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take AICCU down, then up, after a while the system panics. I can reproduce this reliably, although the timing is not always the same: sometimes the system panics in a few seconds, sometimes it takes longer. Have you experienced this? Thanks in advance. PS: I have crash dumps for each panic. -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: OpenBSD 4.4 panics when using AICCU
On Fri, Nov 14, 2008 at 12:00 AM, Felipe Alfaro Solana [EMAIL PROTECTED] wrote: Hi misc, Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take AICCU down, then up, after a while the system panics. I can reproduce this reliably, although the timing is not always the same: sometimes the system panics in a few seconds, sometimes it takes longer. Have you experienced this? I've been trying to chase down what is causing the panic. Apparently, it's related to IPSec/IPv6: when I reboot the system with no IPSec/IPv6 tunnels enabled (no sasync, no isakmpd) the system doesn't panic when I take aiccu down and then up. The system panics here: uvm_fault(0xd623f758, 0x0, 0, 1) - e kernel: page fault trap, code=0 Stopped at in6_selecthlim+0x29:movzbl 0x1c(%eax),%eax Thanks in advance. PS: I have crash dumps for each panic. -- http://www.felipe-alfaro.org/blog/disclaimer/ -- http://www.felipe-alfaro.org/blog/disclaimer/
opencvs weird problem 4.3
Hi list, using stable 4.3.

I have a weird behaviour with opencvs and wish to know if it's a known thing. My usual steps to have an up to date OpenBSD source tree are to download the src.tar.gz and sys.tar.gz files from a well known ftp server, and then launch an opencvs checkout. I found that opencvs seems to get stuck when the source tree it's checking is already up to date.

To reproduce this behaviour from clean /usr/obj/ and /usr/src/ dirs I do:

- download the src.tar.gz and sys.tar.gz from an ftp.
- untar them on /usr/src (tar zxvf file.tar.gz in /usr/src)
- cd /usr
- opencvs checkout -P -r OPENBSD_4_3 src

Then opencvs updates a few files for me in about 10-12 minutes. Well, from this point let's say I have a nice source tree, then I use the exact same opencvs again and the process takes several minutes (about 2 hours) without any response, it seems it loops or something similar.

Has anyone experienced something similar? Google didn't help me, and neither did the cvs manual.

-Jesus
Re: OpenBSD 4.4 panics when using AICCU
On Fri, Nov 14, 2008 at 12:58 AM, Felipe Alfaro Solana [EMAIL PROTECTED] wrote: On Fri, Nov 14, 2008 at 12:00 AM, Felipe Alfaro Solana [EMAIL PROTECTED] wrote: Hi misc, Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take AICCU down, then up, after a while the system panics. I can reproduce this reliably, although the timing is not always the same: sometimes the system panics in a few seconds, sometimes it takes longer. Have you experienced this? I've been trying to chase down what is causing the panic. Apparently, it's related to IPSec/IPv6: when I reboot the system with no IPSec/IPv6 tunnels enabled (no sasync, no isakmpd) the system doesn't panic when I take aiccu down and then up. The system panics here: uvm_fault(0xd623f758, 0x0, 0, 1) - e kernel: page fault trap, code=0 Stopped at in6_selecthlim+0x29:movzbl 0x1c(%eax),%eax Looks to me that the IPSec/IPv6 code is holding a reference to a in6pcb structure (that represents or is associated the aiccu tun0 interface) that gets destroyed when I take aiccu down. When I start aiccu again, the in6_selecthlim ends up being called with an old reference to tun0 interface that does not exist anymore (was freed) and that causes the trap. Thanks in advance. PS: I have crash dumps for each panic. -- http://www.felipe-alfaro.org/blog/disclaimer/ -- http://www.felipe-alfaro.org/blog/disclaimer/ -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: 4.3 Freeze
Hello,

I had the time to test a snapshot. I downloaded the bsd.mp i386 of 11 Nov 2008 23h25. I installed only the bsd.mp because I want to keep the box in 4.4 stable if something goes wrong. If that is not enough, next week I will have a better environment to test it (with serial console, apc, etc).

I have a heavy apache with mod_perl that was crashing the box due to (I suppose) heavy memory fragmentation under 4.3. I upgraded to 4.4, and that was only a little better. With the 44.2008-2325 snapshot, it is really better.

What looks strange to me is that I limit the heavy perl to 10 MaxRequestPerChild in httpd.conf as a test. And when the child exits, sometimes the swap used grows even if the memory is not exhausted. When there are many heavy httpd processes running, if I do apachectl stop the machine often starts to swap to death. But if I do pkill -9 httpd, no problem.

The second thing: I use watchdogd but it never reboots the server.

I see some messages in /var/log/messages:

Nov 14 01:00:07 root /bsd: uvm_mapent_alloc: out of static map entries
Nov 14 01:01:58 root /bsd: uvm_mapent_alloc: out of static map entries
Nov 14 01:03:44 root last message repeated 9 times
Nov 14 01:08:25 root last message repeated 4 times

When I test the box with http_load -parallel 200 -seconds 60 url.txt the server sometimes freezes.
Here the last output of some tools at freeze times: 6 usersLoad 112.80 53.61 29.18 Fri Nov 14 01:22:02 2008 memory totals (in KB)PAGING SWAPPING Interrupts real virtual free in out in out 453 total Active 1553940 2068016 133424 ops110 116100 clock All 3212464 3726540 133424 pages *326 mpi0 27 bge1 Proc:r d s wCsw Trp Sys Int Sof Flt forks ehci0 119 3 20 188 1013 421 353 141 1004 fkppw com0 fksvm 0.4%Int 96.9%Sys 2.8%Usr 0.0%Nic 0.0%Idle pwait ||||||||||| 116 relck =116 rlkok noram Namei Sys-cacheProc-cacheNo-cache 398 ndcpy Calls hits%hits %miss % fltcp 112 112 100 5 zfod 254 cow Disks sd0 cd0 27882 fmin seeks 37176 ftarg xfers 327194244 itarg Kbyte 1314 1 wired sec 0.8 116 pdfre oad averages: 115.35, 56.10, 30.35 01:22:07 225 processes: 115 running, 109 idle, 1 on processor CPU states: 3.6% user, 0.0% nice, 96.4% system, 0.0% interrupt, 0.0% idle Memory: Real: 1519M/3137M act/tot Free: 131M Swap: 502M/502M used/tot PIDUID PRI NICE SIZE RES STATEWAIT TIMECPU COMMAND 12 0 -1800K 465M sleeppgdaemo 1:52 91.21% pagedaemon 28486997280 212M 46M run - 0:02 0.05% httpd 16277 67280 47M 28M run - 0:00 0.05% httpd 26147 67280 47M 35M run - 0:00 0.05% httpd 20969997280 227M 14M run - 0:00 0.05% httpd 19676 67280 68M 3404K run - 0:07 0.00% httpd 31033 67280 79M 3292K run - 0:06 0.00% httpd 15570 67280 67M 3188K run - 0:03 0.00% httpd 30920 67280 73M 6588K run - 0:02 0.00% httpd 4906 67280 72M 6184K run - 0:02 0.00% httpd 6291997280 189M 57M run - 0:02 0.00% httpd 19720 67280 67M 7148K run - 0:02 0.00% httpd 6337997280 232M 17M run - 0:02 0.00% httpd 1030997280 193M 55M run - 0:02 0.00% httpd 29512997280 204M 61M run - 0:02 0.00% httpd 17457997280 189M 30M run - 0:02 0.00% httpd 19779997280 189M 31M run - 0:02 0.00% httpd 17380997280 189M 17M run - 0:01 0.00% httpd netstat -m 2157 mbufs in use: 501 mbufs allocated to data 1648 mbufs allocated to packet headers 8 mbufs allocated to socket names and addresses 431/898/6144 mbuf clusters in use (current/peak/max) 2356 Kbytes 
allocated to network (59% in use) 0 requests for memory denied 0 requests for memory delayed 0 calls to protocol drain routines OpenBSD 4.4-current (GENERIC) #1480: Tue Nov 11
In a bit of a pickle with ral0
I'm providing wireless internet access for a small building with OpenBSD 4.3 (some snapshot) as access point. I'm using the ral driver. I regularly need to bring down and then back up the interface with ifconfig. Is this normal? Is there anything I can do short of replacing the card? As an aside, I'm pondering going wired but plugging into a wireless bridge. Any recommendations on models? ral0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 lladdr 00:18:f8:28:b9:f4 groups: wlan media: IEEE802.11 DS11 mode 11b hostap (autoselect mode 11b hostap) status: active ieee80211: nwid MYNETWORK chan 11 bssid 00:18:f8:28:b9:f4 100dBm inet6 fe80::218:f8ff:fe28:b9f4%ral0 prefixlen 64 scopeid 0x1 inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255 Thanks for listening, /juan
Re: Virtual Consoles in OpenBSD/macppc
It's not possible (at this time?) and probably won't be for quite a long time. I use OpenBSD on macppc, I too recommend using screen or tmux, although I have no experience with the latter. It's enough to get by.

On Thu, Nov 13, 2008 at 5:29 AM, Marco Peereboom [EMAIL PROTECTED] wrote:
> macppc console sucks, it is slower than dog poo. Besides this has been asked, oh maybe 329849384293473284784728347328 times by now?
>
> On Thu, Nov 13, 2008 at 12:57:58PM -, Pedro de Oliveira wrote:
>> Is it possible to implement it, is it something that may be available in the future? Or is it really impossible to have multiple consoles? From what I understand, the console in macppc just works in framebuffer; is FB limited to just one console, or does it just not support multiple yet?
>>
>> -----Original Message-----
>> From: Peter Kay - Syllopsium [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, 13 November 2008 12:44
>> To: Pedro de Oliveira; misc@openbsd.org
>> Subject: Re: Virtual Consoles in OpenBSD/macppc
>>
>> From: Pedro de Oliveira [EMAIL PROTECTED]
>>> Hi, Anyone here using OpenBSD/macppc knows if it's possible to enable more than one virtual console? I can't seem to find any info about that in the FAQ. http://www.openbsd.org/faq/faq7.html
>>
>> It's not supported. Use 'screen' from packages instead.
>>
>> PK
Re: Can't SSH into CARP'd system from the outside
Yay! I got ssh and http to work on the CARP interface. Thanks.

However, the httpd redirect is not working just yet on the CARP interface for one of the computers. Does IP balancing mess up redirect? When I only have one router up doing the redirect, the CARP interface works, but when I have both routers on, the CARP interface defaults to the one that doesn't apparently do redirection. I'm going to troubleshoot and turn off the one that works and turn on the computer that doesn't redirect.

Any other suggestions for troubleshooting this weird setup I have? Has anyone ever done this before having CARP'd web servers behind CARP'd routers?

Here's my current pf.conf:

# $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macros
ext_if = "re0" # External Interface (169.229.158.0/24)
int_if = "xl0" # Internal Interface (192.168.1.0/24)
localnet = $int_if:network
webserver = "192.168.1.50" # Redundant Sun Servers
nameserver = "192.168.1.101" # Dell L400 Celeron
webports = "{ http , https }"
domainport = "{ domain }"
tcp_services = "{ ssh }"
icmp_types = "echoreq"
carpdevs = "{ carp0 , carp1 }"
syncdev = "{ re1 }"
carp_mcast = "224.0.0.18"

# extra tweaks
set skip on lo
set block-policy return
set loginterface $ext_if
scrub in all

# nat
nat on $ext_if from $localnet to any -> ($ext_if)
no nat on $int_if proto tcp from $int_if to $localnet
nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if

# rdr for http
rdr on $ext_if proto tcp from any to any port $webports -> $webserver
rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
rdr on $int_if proto tcp from $localnet to $int_if port $webports -> $webserver

# rdr for domain (tcp)
rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
rdr on $int_if proto tcp from $localnet to $int_if port $domainport -> $nameserver

# rdr for domain (udp)
rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
rdr on $int_if proto udp from $localnet to $int_if port $domainport -> $nameserver

# pass rules
block in # Default Deny
pass out keep state
antispoof quick for { lo }
pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In
pass in quick on $int_if
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
pass in on $ext_if inet proto tcp from any to $webserver port $webports \
    flags S/SA synproxy state
pass in on $ext_if inet proto udp from any to $nameserver port $domainport
pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
    flags S/SA synproxy state

# Basic CARP/pfsync pass rules
pass on $carpdevs proto carp keep state
pass quick on $ext_if proto carp \
    from $ext_if:network to $carp_mcast keep state
pass on $syncdev proto pfsync

# Internet-Facing CARP rules
pass in on $ext_if inet proto tcp from any to (carp0) \
    port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
pass in on $ext_if inet proto tcp from any to (carp0) \
    port $webports flags S/SA synproxy state
pass in on $ext_if inet proto udp from any to (carp0) \
    port $domainport
pass in on $ext_if inet proto tcp from any to (carp0) \
    port $domainport flags S/SA synproxy state

# LAN-Facing CARP rules
pass in on $int_if inet proto tcp from $localnet to (carp1) \
    port $tcp_services flags S/SA keep state # Allow SSH Access from Inside
pass in on $int_if inet proto tcp from $localnet to (carp1) \
    port $webports flags S/SA synproxy state
pass in on $int_if inet proto udp from $localnet to (carp1) \
    port $domainport
pass in on $int_if inet proto tcp from $localnet to (carp1) \
    port $domainport flags S/SA synproxy state

Thanks

On Thu, Nov 13, 2008 at 12:27 PM, Vivek Ayer [EMAIL PROTECTED] wrote:
> Oh ok. That kind of makes sense. Thanks
>
> On Thu, Nov 13, 2008 at 2:11 AM, Marco Pfatschbacher [EMAIL PROTECTED] wrote:
>> On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote:
>>> i don't think I understand. Clarify. you mean carpdev is like your physical interface..eth0, re0, etc.?
>>
>> say you have a carp configured like:
>>
>> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>         lladdr 00:00:5e:00:01:04
>>         carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 0
>>         groups: carp
>>         inet 1.2.3.4 netmask 0xff00 broadcast 1.255.255.255
>>
>> As you can see, carp0 is using em0 as its carpdev.
>> A pf rule to pass ssh to the carp address would be:
>>
>> pass in on em0 inet proto tcp to (carp0) port 22
>>
>> and NOT:
>>
>> pass in on carp0 inet proto tcp to (carp0) port 22
>>
>> HTH,
>> Marco
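Marco's advice quoted above (bind the rule to the carpdev, not to carp0) can be checked mechanically. This added example, which is not part of the thread, reads ifconfig output for the carpdev mapping and flags pass/block rules bound to a carp interface for anything other than the CARP protocol itself; the function names and both sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs, modelled on the ifconfig output and rules in the thread.
SAMPLE_IFCONFIG = """\
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 0
"""

SAMPLE_PF_CONF = r"""
ext_if = "em0"
carpdevs = "{ carp0, carp1 }"
tcp_services = "{ ssh }"
block in
pass on $carpdevs proto carp keep state
pass in on $ext_if inet proto tcp to (carp0) port 22
pass in on carp0 inet proto tcp to (carp0) \
    port $tcp_services   # bound to the virtual interface
"""


def carpdevs_from_ifconfig(text):
    """Map each carp interface to its carpdev, from ifconfig output."""
    mapping, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        if head:
            current = head.group(1)
        dev = re.search(r"\bcarpdev (\w+)", line)
        if dev and current and current.startswith("carp"):
            mapping[current] = dev.group(1)
    return mapping


def logical_lines(conf):
    """Join backslash continuations, drop comments, normalise whitespace."""
    joined = re.sub(r"\\\n", " ", conf)
    for raw in joined.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())
        if line:
            yield line


def expand(text, macros, depth=0):
    """Substitute $name macros; macros may themselves reference macros."""
    out = re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), text)
    if out == text or depth > 10:
        return out
    return expand(out, macros, depth + 1)


def find_carp_bound_rules(conf, carpdev):
    """Return (rule, carp_if, suggested_carpdev) for each suspect rule."""
    macros, findings = {}, []
    for line in logical_lines(conf):
        macro = re.match(r'^(\w+)\s*=\s*"?(.*?)"?$', line)
        if macro:
            macros[macro.group(1)] = macro.group(2)
            continue
        if not re.match(r"^(pass|block)\b", line):
            continue
        rule = expand(line, macros)
        on = re.search(r"\bon\s+(\{[^}]*\}|\S+)", rule)
        # Rules for the CARP protocol itself are left alone.
        if not on or re.search(r"\bproto\s+carp\b", rule):
            continue
        for iface in re.findall(r"[\w.]+", on.group(1)):
            if re.fullmatch(r"carp\d+", iface):
                findings.append((line, iface, carpdev.get(iface)))
    return findings


if __name__ == "__main__":
    devs = carpdevs_from_ifconfig(SAMPLE_IFCONFIG)
    for rule, iface, dev in find_carp_bound_rules(SAMPLE_PF_CONF, devs):
        print("rule on %s (use %s instead): %s" % (iface, dev or "its carpdev", rule))
```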
Re: OpenBSD 4.4 panics when using AICCU
On Fri, Nov 14, 2008 at 12:58 AM, Felipe Alfaro Solana [EMAIL PROTECTED] wrote: On Fri, Nov 14, 2008 at 12:00 AM, Felipe Alfaro Solana [EMAIL PROTECTED] wrote: Hi misc, Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take AICCU down, then up, after a while the system panics. I can reproduce this reliably, although the timing is not always the same: sometimes the system panics in a few seconds, sometimes it takes longer. Have you experienced this? I've been trying to chase down what is causing the panic. Apparently, it's related to IPSec/IPv6: when I reboot the system with no IPSec/IPv6 tunnels enabled (no sasync, no isakmpd) the system doesn't panic when I take aiccu down and then up. The system panics here: uvm_fault(0xd623f758, 0x0, 0, 1) - e kernel: page fault trap, code=0 Stopped at in6_selecthlim+0x29:movzbl 0x1c(%eax),%eax Another datapoint: When bringing aiccu down, the kernel logs the following message: in6_purgeaddr: failed to remove a route to the p2p destination: 2001::::2 on tun0, errno=3. This looks very suspicious to me, and wrong, by the way, since tun0 interface is using 2001::::2 as the local IPv6 address, while 2001::::1 is the remote end point. Hence, there is no route in the routing table that is bound to tun0 and has 2001::::2 as the destination (there is one but is bound to lo0). It leads me to think that some data structures are not properly freed/referenced counted which leads eventually to the panic. Any ideas? Thanks in advance. PS: I have crash dumps for each panic. -- http://www.felipe-alfaro.org/blog/disclaimer/ -- http://www.felipe-alfaro.org/blog/disclaimer/ -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: Can't SSH into CARP'd system from the outside
Confirmed. If I have both routers on, the http redirection on the CARP interface doesn't work. But when I only have one on, then the redirection works just fine. Is CARP getting confused with the packets? On Thu, Nov 13, 2008 at 5:51 PM, Vivek Ayer [EMAIL PROTECTED] wrote: Yay! I got ssh and http to work on the CARP interface. Thanks. However, the httpd redirect is not working just yet on the CARP interface for one of the computers. Does IP balancing mess up redirect? When I only have one router up doing the redirect, the CARP interface works, but when I have both routers on, the CARP interface defaults to the one that doesn't apparently do redirection. I'm going to troubleshoot and turn off the one that works and turn on the computer that doesn't redirect. Any other suggestions for troubleshooting this weird setup I have? Has anyone ever done this before having CARP'd web servers behind CARP'd routers? Here's my current pf.conf: # $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $ # # See pf.conf(5) and /usr/share/pf for syntax and examples. # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 # in /etc/sysctl.conf if packets are to be forwarded between interfaces. 
# macros ext_if = re0 # External Interface (169.229.158.0/24) int_if = xl0 # Internal Interface (192.168.1.0/24) localnet = $int_if:network webserver = 192.168.1.50 # Redundant Sun Servers nameserver = 192.168.1.101 # Dell L400 Celeron webports = { http , https } domainport = { domain } tcp_services = { ssh } icmp_types = echoreq carpdevs = { carp0 , carp1 } syncdev = { re1 } carp_mcast = 224.0.0.18 # extra tweaks set skip on lo set block-policy return set loginterface $ext_if scrub in all # nat nat on $ext_if from $localnet to any - ($ext_if) no nat on $int_if proto tcp from $int_if to $localnet nat on $int_if proto tcp from $localnet to $webserver port $webports - $int_if # rdr for http rdr on $ext_if proto tcp from any to any port $webports - $webserver rdr on $int_if proto tcp from $localnet to $ext_if port $webports - $webserver rdr on $int_if proto tcp from $localnet to $int_if port $webports - $webserver # rdr for domain (tcp) rdr on $ext_if proto tcp from any to any port $domainport - $nameserver rdr on $int_if proto tcp from $localnet to $ext_if port $domainport - $nameserver rdr on $int_if proto tcp from $localnet to $int_if port $domainport - $nameserver # rdr for domain (udp) rdr on $ext_if proto udp from any to any port $domainport - $nameserver rdr on $int_if proto udp from $localnet to $ext_if port $domainport - $nameserver rdr on $int_if proto udp from $localnet to $int_if port $domainport - $nameserver # pass rules block in # Default Deny pass out keep state antispoof quick for { lo } pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In pass in quick on $int_if pass in on $ext_if inet proto tcp from any to ($ext_if) \ port $tcp_services flags S/SA keep state # Allow SSH Access from Outside pass in on $ext_if inet proto tcp from any to $webserver port $webports \ flags S/SA synproxy state pass in on $ext_if inet proto udp from any to $nameserver port $domainport pass in on $ext_if inet proto tcp from any to $nameserver port 
$domainport \ flags S/SA synproxy state # Basic CARP/pfsync pass rules pass on $carpdevs proto carp keep state pass quick on $ext_if proto carp \ from $ext_if:network to $carp_mcast keep state pass on $syncdev proto pfsync # Internet-Facing CARP rules pass in on $ext_if inet proto tcp from any to (carp0) \ port $tcp_services flags S/SA keep state # Allow SSH Access from Outside pass in on $ext_if inet proto tcp from any to (carp0) \ port $webports flags S/SA synproxy state pass in on $ext_if inet proto udp from any to (carp0) \ port $domainport pass in on $ext_if inet proto tcp from any to (carp0) \ port $domainport flags S/SA synproxy state # LAN-Facing CARP rules pass in on $int_if inet proto tcp from $localnet to (carp1) \ port $tcp_services flags S/SA keep state # Allow SSH Access from Inside pass in on $int_if inet proto tcp from $localnet to (carp1) \ port $webports flags S/SA synproxy state pass in on $int_if inet proto udp from $localnet to (carp1) \ port $domainport pass in on $int_if inet proto tcp from $localnet to (carp1) \ port $domainport flags S/SA synproxy state Thanks On Thu, Nov 13, 2008 at 12:27 PM, Vivek Ayer [EMAIL PROTECTED] wrote: Oh ok. That kind of makes sense. Thanks On Thu, Nov 13, 2008 at 2:11 AM, Marco Pfatschbacher [EMAIL PROTECTED] wrote: On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote: i don't think I understand. Clarify. you mean carpdev is like your physical interface..eth0, re0, etc.? say you have a carp configured like: carp0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 lladdr 00:00:5e:00:01:04 carp: MASTER carpdev em0 vhid
Re: opencvs weird problem 4.3
On Fri, 14 Nov 2008 01:15:19 +0100 Jesus Sanchez [EMAIL PROTECTED] wrote: Hi list, using stable 4.3. I have a weird behaviour with opencvs and wish to know if it's a known thing. My usual steps to have an up to date OpenBSD source tree is to download the src.tar.gz and sys.tar.gz files from a well known ftp server, and then launch a opencvs checkout. I found that opencvs seems to get stuck when the source tree it's checking is already up to date. To reproduce this behaviour from a clean /usr/obj/ and /usr/src/ dirs I do: - download de src.tar.gz and sys.tar.gz from a ftp. - untar them on /usr/src (tar zxvf file.tar.gz in /usr/src) - cd /usr - opencvs checkout -P -r OPENBSD_4_3 src Then opencvs updates a few files for me in about 10-12 minutes. Well, from this point lets say I have a nice source tree, then I use the exactly same opencvs again and the process takes several minutes (about 2 hours) without any response, it seems it loops or something similar. Have anyone experienced something similar? google didn't helped me, but also the cvs manual. -Jesus You are doing it wrong. Check out the up command for cvs. - Robert
Re: Layer 7 relaying still needs pf?
On 21:45:56 Nov 13, Edd Barrett wrote: Hi, Why does layer 7 relaying require pf still? There are cases where relaying works in tandem with redirection. pf never looks into the packet payloads. -Girish
Re: OpenBSD 4.4 panics when using AICCU
On Thu, Nov 13, 2008 at 7:18 PM, Felipe Alfaro Solana [EMAIL PROTECTED] wrote: On Fri, Nov 14, 2008 at 12:58 AM, Felipe Alfaro Solana [EMAIL PROTECTED] wrote: On Fri, Nov 14, 2008 at 12:00 AM, Felipe Alfaro Solana [EMAIL PROTECTED] wrote: Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take AICCU down, then up, after a while the system panics. I can reproduce this reliably, although the timing is not always the same: sometimes the system panics in a few seconds, sometimes it takes longer. Have you experienced this? I've been trying to chase down what is causing the panic. Apparently, it's related to IPSec/IPv6: when I reboot the system with no IPSec/IPv6 tunnels enabled (no sasync, no isakmpd) the system doesn't panic when I take aiccu down and then up. The system panics here: uvm_fault(0xd623f758, 0x0, 0, 1) - e kernel: page fault trap, code=0 Stopped at in6_selecthlim+0x29:movzbl 0x1c(%eax),%eax Another datapoint: When bringing aiccu down, the kernel logs the following message: in6_purgeaddr: failed to remove a route to the p2p destination: 2001::::2 on tun0, errno=3. This looks very suspicious to me, and wrong, by the way, since tun0 interface is using 2001::::2 as the local IPv6 address, while 2001::::1 is the remote end point. Hence, there is no route in the routing table that is bound to tun0 and has 2001::::2 as the destination (there is one but is bound to lo0). It leads me to think that some data structures are not properly freed/referenced counted which leads eventually to the panic. Any ideas? Haven't looked at it in detail, but brad@ just updated 4.4 stable's if.c to address an apparently similar IPv6-related panic that might help.
trouble installing ports (No packages available in the PKG_PATH)
I'm scripting a reinstall routine for my ports on 4.3. When I come to 'make reinstall' the thing is trying to download from the $PKG_PATH that I have set earlier in my script and, of course, does not find the files it needs. After removing that variable I get No packages available in the PKG_PATH.

Relevant snippet:

export SUBDIR=$(pkg_info -Pq postfix)
cd /usr/ports
make reinstall

Any ideas?

~juan
Re: In a bit of a pickle with ral0
On Thursday 13 November 2008 19:54:55 Juan Miscaro wrote: I'm providing wireless internet access for a small building with OpenBSD 4.3 (some snapshot) as access point. I'm using the ral driver. I regularly need to bring down and then back up the interface with ifconfig. Is this normal? Is there anything I can do short of replacing the card? As an aside, I'm pondering going wired but plugging into a wireless bridge. Any recommendations on models? ral0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 lladdr 00:18:f8:28:b9:f4 groups: wlan media: IEEE802.11 DS11 mode 11b hostap (autoselect mode 11b hostap) status: active ieee80211: nwid MYNETWORK chan 11 bssid 00:18:f8:28:b9:f4 100dBm inet6 fe80::218:f8ff:fe28:b9f4%ral0 prefixlen 64 scopeid 0x1 inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255 Thanks for listening, /juan I had a random ral USB device on a T60p ThinkPad, which was rock stable, so if you're having to reset things, I'd try another card. I'd also try another newer snapshot. --STeve Andre'