Intel 82580 Fiber PCIe adapter
Dear openbsd users,

I'm trying to install an Intel 82580 dual port SFP PCIe adapter in obsd 5.3 amd64. The device isn't recognized and I've got errors in dmesg like:

em0 at pci5 dev 0 function 0 Intel 82580 Fiber rev 0x01: msi
em0: Hardware Initialization Failed
em0: Unable to initialize the hardware
em1 at pci5 dev 0 function 0 Intel 82580 Fiber rev 0x01: msi
em1: Hardware Initialization Failed
em1: Unable to initialize the hardware

According to this post (2012) the chipset is only supported with copper and not fiber yet.

http://openbsd.7691.n7.nabble.com/Intel-82580EB-Hardware-Initialization-Failed-td80282.html

I just wanted to know if the provided patch was still relevant for openbsd 5.3 or not and if the fiber support for this chipset was planned for future releases?

Thanks for your time!

Romain Aviolat
Notifies on CARP failover
Hi, Could anyone point me in the right direction on how to have a script be executed whenever a CARP failover or preempt event occurs? Need to write a script to send an event message into our monitoring systems so we can see when a change has occurred. I haven't used ifstated yet, is this the right tool for this? and if so could someone throw me an example if you have one? Thanks, Andy.
Re: Notifies on CARP failover
Hello, Could anyone point me in the right direction on how to have a script be executed whenever a CARP failover or preempt event occurs? Need to write a script to send an event message into our monitoring systems so we can see when a change has occurred. I haven't used ifstated yet, is this the right tool for this? and if so could someone throw me an example if you have one? I know people don't like calomel.org suggestions here, but this example has been working fine for me: https://calomel.org/ifstated.html -- Karlis
Re: During install MacBookAir5,2 screen goes blank, need external monitor
On Wed, Oct 23, 2013 at 10:53:49PM +0400, Sevan / Venture37 wrote: On 23 Oct 2013, at 12:53, Alexey E. Suslikov alexey.susli...@gmail.com wrote: Have you tried to disable [intel|ati]drm via boot config and then proceed with installation? It's not possible as the prompt keeps on jumping back forth between the line which says UKC User Kernel Config. Sevan There are no drm drivers on the install media. So the apple machines with eDP panels can't do vesa modes at all? The bios interface those machines present seems to have many problems, the ideal way of handling them is likely to support booting via uefi and the associated framebuffer interface.
Re: Intel 82580 Fiber PCIe adapter
On Thu, Oct 24, 2013 at 08:01:50AM +, Aviolat Romain wrote:
> Dear openbsd users,
>
> I'm trying to install an Intel 82580 dual port SFP PCIe adapter in obsd 5.3 amd64. The device isn't recognized and I've got errors in dmesg like:
>
> em0 at pci5 dev 0 function 0 Intel 82580 Fiber rev 0x01: msi
> em0: Hardware Initialization Failed
> em0: Unable to initialize the hardware
> em1 at pci5 dev 0 function 0 Intel 82580 Fiber rev 0x01: msi
> em1: Hardware Initialization Failed
> em1: Unable to initialize the hardware
>
> According to this post (2012) the chipset is only supported with copper and not fiber yet.
>
> http://openbsd.7691.n7.nabble.com/Intel-82580EB-Hardware-Initialization-Failed-td80282.html
>
> I just wanted to know if the provided patch was still relevant for openbsd 5.3 or not and if the fiber support for this chipset was planned for future releases?

I suspect the person who asked never tried the patch so it didn't go in. Try it and let us know if it works.
Re: Intel 82580 Fiber PCIe adapter
Hi Jonathan,

I was a bit reluctant to test it as, as you said the person probably never tried it and I didn't know where this patch came from? I'll try again next week against obsd 5.4 and keep you informed

Thanks,
Romain

-Original Message-
From: Jonathan Gray [mailto:j...@jsg.id.au]
Sent: Thursday, 24 October 2013 11:20
To: Aviolat Romain
Cc: misc@openbsd.org; Junod Antoine; Ganguin Michel
Subject: Re: Intel 82580 Fiber PCIe adapter

On Thu, Oct 24, 2013 at 08:01:50AM +, Aviolat Romain wrote:
> Dear openbsd users,
>
> I'm trying to install an Intel 82580 dual port SFP PCIe adapter in obsd 5.3 amd64. The device isn't recognized and I've got errors in dmesg like:
>
> em0 at pci5 dev 0 function 0 Intel 82580 Fiber rev 0x01: msi
> em0: Hardware Initialization Failed
> em0: Unable to initialize the hardware
> em1 at pci5 dev 0 function 0 Intel 82580 Fiber rev 0x01: msi
> em1: Hardware Initialization Failed
> em1: Unable to initialize the hardware
>
> According to this post (2012) the chipset is only supported with copper and not fiber yet.
>
> http://openbsd.7691.n7.nabble.com/Intel-82580EB-Hardware-Initialization-Failed-td80282.html
>
> I just wanted to know if the provided patch was still relevant for openbsd 5.3 or not and if the fiber support for this chipset was planned for future releases?

I suspect the person who asked never tried the patch so it didn't go in. Try it and let us know if it works.
Re: Notifies on CARP failover
On 2013-10-24, Andy a...@brandwatch.com wrote: Hi, Could anyone point me in the right direction on how to have a script be executed whenever a CARP failover or preempt event occurs? Need to write a script to send an event message into our monitoring systems so we can see when a change has occurred. I haven't used ifstated yet, is this the right tool for this? and if so could someone throw me an example if you have one? Lots of options, ifstated is certainly a useful one, as is shipping syslog to a remote machine and monitoring that. Note that a script is going to rely on fork() working, which might not be the case in some failure modes (whereas some other methods will just work with a long-running process). Personally to do this, I'd probably run snmpd and use an snmp probe to watch iso.org.dod.internet.private.enterprises.openBSD.carpMIBObjects.interface_id (though it would be a useful extra feature for snmpd if it could respond to interface link changes and send out traps..)
Full disk encryption and hibernate on amd64
Hi, after I read mlarkin@'s report on Undeadly.org[1] about hibernation, I've got curious question. How does it work with full disk encryption (FDE) which OpenBSD offers? [1] http://undeadly.org/cgi?action=articlesid=20131024092852mode=expandedcount=0 jirib
Re: Full disk encryption and hibernate on amd64
On Thu, Oct 24, 2013 at 2:02 PM, Jiri B ji...@devio.us wrote: Hi, after I read mlarkin@'s report on Undeadly.org[1] about hibernation, I've got curious question. How does it work with full disk encryption (FDE) which OpenBSD offers? [1] http://undeadly.org/cgi?action=articlesid=20131024092852mode=expandedcount=0 jirib It does not work, afaik
Re: Full disk encryption and hibernate on amd64
On Thu, Oct 24, 2013 at 2:14 PM, David Coppa dco...@gmail.com wrote: On Thu, Oct 24, 2013 at 2:02 PM, Jiri B ji...@devio.us wrote: Hi, after I read mlarkin@'s report on Undeadly.org[1] about hibernation, I've got curious question. How does it work with full disk encryption (FDE) which OpenBSD offers? [1] http://undeadly.org/cgi?action=articlesid=20131024092852mode=expandedcount=0 jirib It does not work, afaik mmm yesterday installed my laptop Dell E6320 with -current amd64 including whole disk encrypted with softraid and was able to do zzz either in console or X just fine including resume.
Re: Full disk encryption and hibernate on amd64
On Thu, Oct 24, 2013 at 2:20 PM, Tomas Bodzar tomas.bod...@gmail.com wrote: mmm yesterday installed my laptop Dell E6320 with -current amd64 including whole disk encrypted with softraid and was able to do zzz either in console or X just fine including resume. op asked about ZZZ (hibernation), not zzz (suspend).
Re: Full disk encryption and hibernate on amd64
On Thu, Oct 24, 2013 at 02:20:15PM +0200, Tomas Bodzar wrote:
> On Thu, Oct 24, 2013 at 2:14 PM, David Coppa dco...@gmail.com wrote:
> > On Thu, Oct 24, 2013 at 2:02 PM, Jiri B ji...@devio.us wrote:
> > > Hi, after I read mlarkin@'s report on Undeadly.org[1] about hibernation, I've got curious question. How does it work with full disk encryption (FDE) which OpenBSD offers?
> > > [1] http://undeadly.org/cgi?action=articlesid=20131024092852mode=expandedcount=0
> > > jirib
> > It does not work, afaik
> mmm yesterday installed my laptop Dell E6320 with -current amd64 including whole disk encrypted with softraid and was able to do zzz either in console or X just fine including resume.

zzz does suspend, not hibernate.

-Otto
Re: Full disk encryption and hibernate on amd64
Tomas Bodzar tomas.bod...@gmail.com writes: On Thu, Oct 24, 2013 at 2:14 PM, David Coppa dco...@gmail.com wrote: On Thu, Oct 24, 2013 at 2:02 PM, Jiri B ji...@devio.us wrote: Hi, after I read mlarkin@'s report on Undeadly.org[1] about hibernation, I've got curious question. How does it work with full disk encryption (FDE) which OpenBSD offers? [1] http://undeadly.org/cgi?action=articlesid=20131024092852mode=expandedcount=0 jirib It does not work, afaik mmm yesterday installed my laptop Dell E6320 with -current amd64 including whole disk encrypted with softraid and was able to do zzz either in console or X just fine including resume. This is about ZZZ. -- jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
Re: Full disk encryption and hibernate on amd64
On Thu, Oct 24, 2013 at 2:21 PM, Jérémie Courrèges-Anglas j...@wxcvbn.org wrote:
> Tomas Bodzar tomas.bod...@gmail.com writes:
> > On Thu, Oct 24, 2013 at 2:14 PM, David Coppa dco...@gmail.com wrote:
> > > On Thu, Oct 24, 2013 at 2:02 PM, Jiri B ji...@devio.us wrote:
> > > > Hi, after I read mlarkin@'s report on Undeadly.org[1] about hibernation, I've got curious question. How does it work with full disk encryption (FDE) which OpenBSD offers?
> > > > [1] http://undeadly.org/cgi?action=articlesid=20131024092852mode=expandedcount=0
> > > > jirib
> > > It does not work, afaik
> > mmm yesterday installed my laptop Dell E6320 with -current amd64 including whole disk encrypted with softraid and was able to do zzz either in console or X just fine including resume.
> This is about ZZZ.
> --
> jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494

right. Sry, my fault
Yubikey login: bad file descriptor.
Hi there,

Trying to use my yubikey.

drwxrwx--- 2 root auth 512 Oct 18 15:20 yubikey

# ls -l
total 8
-r--r- 1 root auth 33 Oct 24 14:47 pieter.key
-r--r- 1 root auth 10 Oct 24 14:47 pieter.uid
# /usr/libexec/auth/login_yubikey -d -s login pieter
Password:
reject

authlog:
Oct 24 14:52:51 lilium login_yubikey: user pieter: fdopen: Bad file descriptor
Oct 24 14:53:08 lilium login_yubikey: user pieter: reject

What is this bad file descriptor thing? I'm not so much into c programming :-)

Running OpenBSD 5.3

Cheers!
Re: Notifies on CARP failover
I use ifstated for that. This is my config file:

init-state auto

# all CARP interfaces up / all CARP interfaces down
carp_up = "carp3.link.up && carp10.link.up && carp101.link.up && carp100.link.up && carp254.link.up && carp2.link.up && carp7.link.up && carp4.link.up"
carp_down = "carp3.link.down && carp10.link.down && carp101.link.down && carp100.link.down && carp254.link.down && carp2.link.down && carp7.link.down && carp4.link.down"

state auto {
	if $carp_up {
		set-state primary
	}
	if $carp_down {
		set-state backup
	}
}

state primary {
	init {
		run "/root/scripts/alert_ifstated.sh MASTER"
	}
	if $carp_down {
		set-state backup
	}
}

state backup {
	init {
		run "/root/scripts/alert_ifstated.sh BACKUP"
	}
	if $carp_up {
		set-state primary
	}
}

This is the little script alert_ifstated.sh too:

#!/bin/sh
# $1 is the new role (MASTER or BACKUP) passed in by ifstated
ifconfig carp | mail -s "[RTR Failover] `hostname` is now $1" m...@address.me

Hope this helps...

Morgan

On 24/10/2013 10:59, Andy wrote:
> Hi,
>
> Could anyone point me in the right direction on how to have a script be executed whenever a CARP failover or preempt event occurs? Need to write a script to send an event message into our monitoring systems so we can see when a change has occurred. I haven't used ifstated yet, is this the right tool for this? and if so could someone throw me an example if you have one?
>
> Thanks, Andy.
DNS Hosting Managed DNS
Hi Misc, This is not an OpenBSD specific question but since the list is full of security and network professionals I would like to solicit your opinion. Are there any strong opinions on DNS Hosting Managed DNS providers. We are small Lab currently using ZoneEdit. I believe ZoneEdit was chosen at the time they were free. We are looking to move to something little bit more secure with DNSSEC support out of box. We have one domain name, small web server and a mail server. Thank you, Predrag Punosevac
Re: DNS Hosting Managed DNS
On 10/24/2013 10:35, Predrag Punosevac wrote: Hi Misc, This is not an OpenBSD specific question but since the list is full of security and network professionals I would like to solicit your opinion. Are there any strong opinions on DNS Hosting Managed DNS providers. We are small Lab currently using ZoneEdit. I believe ZoneEdit was chosen at the time they were free. We are looking to move to something little bit more secure with DNSSEC support out of box. We have one domain name, small web server and a mail server. Thank you, Predrag Punosevac Take a look at Dyn: http://dyn.com/managed-dns-express/ -- staticsafe O ascii ribbon campaign - stop html mail - www.asciiribbon.org Please don't top post. It is not logical. Please don't CC me! I'm subscribed to whatever list I just posted on.
Re: DNS Hosting Managed DNS
On 24 October 2013 07:35, Predrag Punosevac punoseva...@gmail.com wrote: Hi Misc, This is not an OpenBSD specific question but since the list is full of security and network professionals I would like to solicit your opinion. Are there any strong opinions on DNS Hosting Managed DNS providers. We are small Lab currently using ZoneEdit. I believe ZoneEdit was chosen at the time they were free. We are looking to move to something little bit more secure with DNSSEC support out of box. We have one domain name, small web server and a mail server. Do you run it all out of a single network? If so, then running a third-party DNS is not recommended: http://cr.yp.to/djbdns/third-party.html OTOH, named and nsd in base work great. BTW, if you start adding DNS servers in far away places around the world, and with bad connectivity from your target audience, then the time it takes to resolve your domain for your target audience will suffer overall, not improve. Yes, these ideas are basically exactly the opposite of what the marketing would lead you to believe. C.
pf.conf: set timeout tcp.tsdiff
Hi, The output of 'pfctl -s timeout' shows ... tcp.tsdiff 30s ... However this feature is not mentioned in the pf.conf man-page (on 5.3) nor did I find anything sufficiently useful on google. Anyone care to explain how this feature works? Thanks, Buzz
Re: Notifies on CARP failover
Andy wrote: Hi, Could anyone point me in the right direction on how to have a script be executed whenever a CARP failover or preempt event occurs? Need to write a script to send an event message into our monitoring systems so we can see when a change has occurred. I haven't used ifstated yet, is this the right tool for this? and if so could someone throw me an example if you have one? Thanks, Andy. read the ifstated man page and the man for ifstated.conf That should get you there. -- IS-IS sleeps. BGP peers are quiet. Something must be wrong.
Re: DNS Hosting Managed DNS
On Thu, Oct 24, 2013 at 10:35:51AM -0400, Predrag Punosevac wrote: We are looking to move to something little bit more secure with DNSSEC support out of box. The security you'd get with DNSSEC would be tiny in comparison to problems in reliability. For realistic security, you'd get far more by choosing 1) a registrar without a history of compromises, and 2) a DNS provider that uses something other than BIND. NSD is in base. Nicolai
Re: Yubikey login: bad file descriptor.
On Thu, Oct 24, 2013 at 03:07:19PM +0200, Pieter Verberne wrote:
> -r--r- 1 root auth 33 Oct 24 14:47 pieter.key
> -r--r- 1 root auth 10 Oct 24 14:47 pieter.uid

Your uid file looks too small, it's usually 13 bytes, with 12 hex digits and a newline (optional).

> # /usr/libexec/auth/login_yubikey -d -s login pieter
> Password:
> reject
> authlog:
> Oct 24 14:52:51 lilium login_yubikey: user pieter: fdopen: Bad file descriptor
> Oct 24 14:53:08 lilium login_yubikey: user pieter: reject

The first error must be from a different invocation. If you get the Password: prompt, that error condition is already passed.

Daniel
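The size check described in the message above can be scripted. This is an added example, not part of the original thread or of OpenBSD: it verifies that a user's .uid file holds 12 hex digits and the .key file 32 hex digits (each optionally followed by one newline), and flags files readable by others. The 32-digit key length (consistent with the 33-byte pieter.key in the listing), the world-readable check, the function names and the sample values are assumptions of this example.

```sh
#!/bin/sh
# Added example: sanity-check the per-user files read by login_yubikey.
# Usage: sh thisfile DIR USER   (DIR is the yubikey directory from the listing)
LC_ALL=C; export LC_ALL

# check_hex_file FILE NDIGITS
# Succeeds only if FILE is exactly NDIGITS hex digits, optionally followed
# by a single newline. Prints the reason on failure.
check_hex_file() {
    _file=$1
    _want=$2
    if [ ! -f "$_file" ] || [ ! -r "$_file" ]; then
        echo "$_file: missing or unreadable"
        return 1
    fi
    _bytes=$(wc -c < "$_file" | tr -d ' ')
    _line=
    # read returns non-zero when the last line has no newline; the data is kept
    IFS= read -r _line < "$_file" || :
    case $_line in
    *[!0-9a-fA-F]*)
        echo "$_file: contains non-hex characters"
        return 1 ;;
    esac
    if [ "${#_line}" -ne "$_want" ]; then
        echo "$_file: ${#_line} hex digits, expected $_want ($_bytes bytes on disk)"
        return 1
    fi
    if [ "$_bytes" -gt $((_want + 1)) ]; then
        echo "$_file: $_bytes bytes, trailing data after the value"
        return 1
    fi
    return 0
}

# is_world_readable FILE: succeeds if "other" has read permission.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# check_yubikey_user DIR USER: run every check, return 1 if any failed.
check_yubikey_user() {
    _dir=$1
    _user=$2
    _rc=0
    check_hex_file "$_dir/$_user.uid" 12 || _rc=1   # 12 hex digits, per the reply
    check_hex_file "$_dir/$_user.key" 32 || _rc=1   # assumed: 32 hex digits
    for _f in "$_dir/$_user.uid" "$_dir/$_user.key"; do
        if [ -f "$_f" ] && is_world_readable "$_f"; then
            echo "$_f: readable by others"
            _rc=1
        fi
    done
    return $_rc
}

# make_sample DIR: constructed files with the sizes from the listing
# (10-byte uid, 33-byte key). The values are dummies, not real secrets.
make_sample() {
    printf '%s\n' 012345678 > "$1/pieter.uid"
    printf '%s\n' 00112233445566778899aabbccddeeff > "$1/pieter.key"
    chmod 440 "$1/pieter.uid" "$1/pieter.key"
}

if [ "$#" -eq 2 ]; then
    check_yubikey_user "$1" "$2"
fi
```

On the constructed sample it reports the 10-byte uid file as holding 9 hex digits where 12 are expected, and accepts the 33-byte key file.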
Re: Yubikey login: bad file descriptor.
Daniel Hartmeier daniel at benzedrine.cx writes: wow! long time no see :)
text-mode console, wscons ignoring keyboard repeat
On the i386 snapshots dated Oct 9 and Oct 23, I am unable to make the text-mode console (no fancy inteldrm here) repeat keyboard input any faster than the default.

$ wsconsctl keyboard
keyboard.type=pc-xt
keyboard.bell.pitch=400
keyboard.bell.period=100
keyboard.bell.volume=0
keyboard.bell.pitch.default=400
keyboard.bell.period.default=100
keyboard.bell.volume.default=50
wsconsctl: Use explicit arg to view keyboard.map.
keyboard.repeat.del1=150
keyboard.repeat.deln=35
keyboard.repeat.del1.default=150
keyboard.repeat.deln.default=35
keyboard.ledstate=0
keyboard.encoding=dk
$ wsconsctl keyboard.repeat.del1=1
keyboard.repeat.del1 -> 1
$ wsconsctl keyboard.repeat.deln=1
keyboard.repeat.deln -> 1
$ echo I can still type just fine.
I can still type just fine.

Changing the del1 and deln fields to 1 or 1000 makes no difference. I would expect typing to be impossible when set to 1ms.

Any clues as to how I troubleshoot this one? One other i386 user on IRC reported that wscons keyboard repeat works fine with inteldrm both enabled or disabled.
Re: text-mode console, wscons ignoring keyboard repeat
> On the i386 snapshots dated Oct 9 and Oct 23, I am unable to make the text-mode console (no fancy inteldrm here) repeat keyboard input any faster than the default.
[...]
> $ wsconsctl keyboard.repeat.del1=1
> keyboard.repeat.del1 -> 1
> $ wsconsctl keyboard.repeat.deln=1
> keyboard.repeat.deln -> 1
> $ echo I can still type just fine.
> I can still type just fine.
>
> Changing the del1 and deln fields to 1 or 1000 makes no difference. I would expect typing to be impossible when set to 1ms.
>
> Any clues as to how I troubleshoot this one?

You are probably using your USB keyboard, wskbd1, not the PS/2 keyboard, wskbd0, which might actually be the PS/2 keyboard emulation performed by the USB controller during boot. Try to use `keyboard1' instead of `keyboard'.

Miod
Re: DNS Hosting Managed DNS
Constantine A. Murenin muren...@gmail.com wrote:
> On 24 October 2013 07:35, Predrag Punosevac punoseva...@gmail.com wrote:
> > Hi Misc, This is not an OpenBSD specific question but since the list is full of security and network professionals I would like to solicit your opinion. Are there any strong opinions on DNS Hosting Managed DNS providers. We are small Lab currently using ZoneEdit. I believe ZoneEdit was chosen at the time they were free. We are looking to move to something little bit more secure with DNSSEC support out of box. We have one domain name, small web server and a mail server.
>
> Do you run it all out of a single network? If so, then running a third-party DNS is not recommended:
> http://cr.yp.to/djbdns/third-party.html

That was an interesting reading.

> OTOH, named and nsd in base work great.

I inherited managed DNS setup for our web site and mailing lists as well as full blown BIND for internal network. I am moving internal network to Unbound, trying to get permission to outsource mailing lists to our university host and trying to avoid running NSD just to have our small web site visible by outside world. I appreciate all knowledge shared with me on and off this list.

@Nicolai I am with you on DNSSEC. One of the reasons I asked about managed DNS on this list was a hope to have non BIND recommendations.

Most Kind Regard,
Predrag

> BTW, if you start adding DNS servers in far away places around the world, and with bad connectivity from your target audience, then the time it takes to resolve your domain for your target audience will suffer overall, not improve. Yes, these ideas are basically exactly the opposite of what the marketing would lead you to believe.
> C.
Re: Yubikey login: bad file descriptor.
On Thu, Oct 24, 2013 at 07:44:27PM +0200, Daniel Hartmeier wrote:
> On Thu, Oct 24, 2013 at 03:07:19PM +0200, Pieter Verberne wrote:
> > -r--r- 1 root auth 33 Oct 24 14:47 pieter.key
> > -r--r- 1 root auth 10 Oct 24 14:47 pieter.uid
> Your uid file looks too small, it's usually 13 bytes, with 12 hex digits and a newline (optional).
> > # /usr/libexec/auth/login_yubikey -d -s login pieter
> > Password:
> > reject
> > authlog:
> > Oct 24 14:52:51 lilium login_yubikey: user pieter: fdopen: Bad file descriptor
> > Oct 24 14:53:08 lilium login_yubikey: user pieter: reject
> The first error must be from a different invocation. If you get the Password: prompt, that error condition is already passed.
> Daniel

iirc bsd auth helpers expect an open fd 3 to read a challenge. They are not meant to be run directly from the command line.

-Otto
Re: DNS Hosting Managed DNS
On Thu, Oct 24, 2013 at 08:06, Constantine A. Murenin wrote: On 24 October 2013 07:35, Predrag Punosevac punoseva...@gmail.com wrote: Are there any strong opinions on DNS Hosting Managed DNS providers. We are small Lab currently using ZoneEdit. I believe ZoneEdit was chosen at the time they were free. We are looking to move to something little bit more secure with DNSSEC support out of box. We have one domain name, small web server and a mail server. Amazon offers route 53, but no DNSSEC at this time. Do you run it all out of a single network? If so, then running a third-party DNS is not recommended: http://cr.yp.to/djbdns/third-party.html Certainly worth considering, but a few counter points. That page appears to have been last updated around 2000. I pay about 57 cents per month for route 53 dns hosting. That's not particularly costly for me. It's reasonably performant, easy to manage, and so forth. Unlike web and mail hosting, for which I (and everyone else these days) am running custom code, DNS is a complete commodity.
Re: Yubikey login: bad file descriptor.
On 10/24/13 21:30, Otto Moerbeek wrote:
> On Thu, Oct 24, 2013 at 07:44:27PM +0200, Daniel Hartmeier wrote:
> > On Thu, Oct 24, 2013 at 03:07:19PM +0200, Pieter Verberne wrote:
> > > -r--r- 1 root auth 33 Oct 24 14:47 pieter.key
> > > -r--r- 1 root auth 10 Oct 24 14:47 pieter.uid
> > Your uid file looks too small, it's usually 13 bytes, with 12 hex digits and a newline (optional).
> > > # /usr/libexec/auth/login_yubikey -d -s login pieter
> > > Password:
> > > reject
> > > authlog:
> > > Oct 24 14:52:51 lilium login_yubikey: user pieter: fdopen: Bad file descriptor
> > > Oct 24 14:53:08 lilium login_yubikey: user pieter: reject
> > The first error must be from a different invocation. If you get the Password: prompt, that error condition is already passed.
> > Daniel
> iirc bsd auth helpers expect an open fd 3 to read a challenge. They are not meant to be run directly from the command line.

That's what -d is for. Without -d, you get the first error message though, as then you expect fd3 to be open. :-)

/Alexander
slow transfers 5.3 Tp-Link TG-3468 1gb nic pci-e
Hello everyone

I'm having very slow transfers on stock 5.3 with the TP-LINK tg-3468 gb pci-e nic. When downloading OpenBSD src.tar.gz with wget from a local server on 100mb lan it will start around 100k/sec and after a few seconds goes to 50-60k.

In the same machine, without any hardware change (not even unplug net cables), I installed Windows 7 and the TG-3468 drivers. Firefox reported 9.5 mb/sec when downloading src.tar.gz from the same server.

Below is some hardware data.

Thank you!
Juan

# ifconfig re0
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr xx:xx:xx:xx:xx:xx
	priority: 0
	groups: egress
	media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
	status: active
	inet6 fe80::fa1a:67ff:fe04:2f48%re0 prefixlen 64 scopeid 0x1
	inet 192.168.1.159 netmask 0xff00 broadcast 192.168.1.255
#
Re: slow transfers 5.3 Tp-Link TG-3468 1gb nic pci-e
A B [damnitiwantm...@gmail.com] wrote:
> Hello everyone I'm having very slow transfers on stock 5.3 with the TP-LINK tg-3468 gb pci-e nic.
>
> re0 at pci3 dev 0 function 0 Realtek 8168 rev 0x06: RTL8168E/8111E (0x2c00), apic 2 int 17, address f8:1a:67:04:2f:48
> rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 4
> re0: watchdog timeout
> re0: watchdog timeout

Newer versions of the realtek driver switch to msi interrupts and disable interrupts during the interrupt handler to avoid confusing the chip. Perhaps this helps you. Try 5.4-current snapshots and see if the behavior is fixed.
Generating a secret: /dev/random vs openssl rand
For years I've been using `openssl rand -base64 N` to generate secrets. However, I recently saw `dd if=/dev/random bs=N count=1 | openssl base64` used. Is one more secure and random than the other? Is openssl rand not secure if the -rand file option is omitted? I'm guessing openssl may suck from /dev/*random in addition to the optional -rand file?
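As an added example, not part of the original post: the two commands from the question wrapped in functions, with a check that the decoded secret has the requested length. `dd bs=N count=1` issues a single read, which can return fewer than N bytes, and `single_read_len` reproduces that with a slow pipe. The function names and the /dev/urandom default are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# single_read_len: shows why `dd bs=N count=1` does not guarantee N bytes.
# Two bytes arrive one second apart on a pipe; dd performs one read(2),
# gets only the first byte, counts it as its single block and stops.
single_read_len() {
    { printf a; sleep 1; printf b; } 2>/dev/null |
        dd bs=2 count=1 2>/dev/null | wc -c | tr -d ' '
}

# read_exact N [DEV]: write exactly N bytes from DEV to stdout.
# With bs=1 every block is one byte, so count=N cannot come up short.
# DEV defaults to /dev/urandom (assumption); pass /dev/random to match the post.
read_exact() {
    dd if="${2:-/dev/urandom}" bs=1 count="$1" 2>/dev/null
}

# secret_dd N [DEV]: the post's dd form, made safe against short reads.
secret_dd() {
    read_exact "$1" "$2" | openssl base64 -A
}

# secret_openssl N: the post's `openssl rand -base64 N`, joined onto one line.
secret_openssl() {
    openssl rand -base64 "$1" | tr -d '\n'
}

# decoded_len B64: number of bytes the base64 string decodes to.
decoded_len() {
    printf '%s' "$1" | openssl base64 -d -A | wc -c | tr -d ' '
}

# check_secret N B64: succeed only if B64 decodes to exactly N bytes.
check_secret() {
    [ "$(decoded_len "$2")" -eq "$1" ]
}
```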
pgrep(1) not matching process pattern from rc script
OpenBSD 5.3 i386

I have an rc.d(8) script to manage a python server that seems to start up fine but doesn't manage to successfully match a running process or stop it because (I think) it's not matching $pexp during script execution. It does seem to match when testing manually from shell.

$ sudo /etc/rc.d/gunicorn start
gunicorn(ok)
$ ps auxwww | grep gun[i]
dspruell 29008 0.0 1.1 5900 8260 ?? S 1:10AM 0:38.75 python2.7: gunicorn: master [mysite.wsgi:application] (python2.7)
dspruell 7589 0.0 1.5 9580 11864 ?? S 1:10AM 0:04.71 python2.7: gunicorn: worker [mysite.wsgi:application] (python2.7)
dspruell 29731 0.0 1.5 9572 11860 ?? S 1:10AM 0:04.12 python2.7: gunicorn: worker [mysite.wsgi:application] (python2.7)

/etc/rc.d/gunicorn:
--
#!/bin/sh

daemon=/usr/local/bin/gunicorn

. /etc/rc.d/rc.subr

pexp="python.* gunicorn: master"

rc_cmd $1
--

/etc/rc.conf.local:
--
gunicorn_flags="-c /etc/gunicorn_django.py.ini mysite.wsgi:application"
gunicorn_user=dspruell
--

$ sudo /etc/rc.d/gunicorn check
$ echo $?
1
$ sudo sh -x /etc/rc.d/gunicorn check
...
+ daemon_user=dspruell
+ printf %s -c /etc/gunicorn_django.py.ini mysite.wsgi:application
+ daemon_flags= -c /etc/gunicorn_django.py.ini mysite.wsgi:application
+ daemon_flags=-c /etc/gunicorn_django.py.ini mysite.wsgi:application
+ readonly daemon_class
+ unset _rcflags _rcuser
+ pexp=/home/dspruell/venv.d/django-home/bin/gunicorn -c /etc/gunicorn_django.py.ini mysite.wsgi:application
+ rcexec=su -l -c daemon -s /bin/sh dspruell -c
+ pexp=python.* gunicorn: master
+ rc_cmd check

$ ## emulate rc_check() in /etc/rc.d/rc.subr:
$ pexp="python.* gunicorn: master"
$ pgrep -fl "^${pexp}"
29008 python2.7: gunicorn: master [mysite.wsgi:application]
$ pkill -f "^${pexp}"
$ pgrep -fl "^${pexp}"
$

There's a comment I didn't understand in pkill(1):

If any pattern operands are specified, they are used as regular expressions to match the command name or, if -f is specified, the full argument list of each process.
However, presently OpenBSD will only keep track of the first 16 characters of the command name for each process. Attempts to match any characters after the first 16 of a command name will silently fail. Not sure if the 16 character limit applies with what I'm seeing but I'm supposing not since the operations work manually from the shell. I think the only modification I should have to make is the setting for pexp to match the nonstandard process name and it shouldn't require overriding any rc_* functions. What am I botching? OpenBSD 5.3-stable (GENERIC) #0: Fri Jul 5 00:27:35 MST 2013 r...@molodetz.sancho2k.net:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD Duron(tm) processor (AuthenticAMD 686-class, 64KB L2 cache) 752 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,MMXX,3DNOW2,3DNOW real mem = 804777984 (767MB) avail mem = 780640256 (744MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 06/24/02, BIOS32 rev. 0 @ 0xfb470, SMBIOS rev. 2.2 @ 0xf0800 (44 entries) bios0: vendor Award Software International, Inc. version 6.00 PG date 06/24/2002 bios0: VIA Technologies, Inc. 
VT8363 apm0 at bios0: Power Management spec V1.2 (slowidle) acpi at bios0 function 0x0 not configured pcibios0 at bios0: rev 2.1 @ 0xf/0xb8f8 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde30/160 (8 entries) pcibios0: PCI Exclusive IRQs: 5 10 11 12 pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0xa000 0xcc000/0x800 cpu0 at mainbus0: (uniprocessor) pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 VIA VT8363 Host rev 0x02 viaagp0 at pchb0: v2 agp0 at viaagp0: aperture at 0xd000, size 0x1000 ppb0 at pci0 dev 1 function 0 VIA VT8363 AGP rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 3DFX Voodoo3 rev 0x01 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x22 pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x10: ATA66, channel 0 configured to compatibility, channel 1 configured to compatibility atapiscsi0 at pciide0 channel 0 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: PIONEER, DVD-ROM DVD-120, 1.22 ATAPI 5/cdrom removable atapiscsi1 at pciide0 channel 0 drive 1 scsibus1 at atapiscsi1: 2 targets cd1 at scsibus1 targ 0 lun 0: ATAPI, CD-RW 48X16, A.UZ ATAPI 5/cdrom removable cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 cd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2 wd0 at pciide0 channel 1 drive 0: ST380021A wd0: 16-sector PIO, LBA, 76319MB, 156301488 sectors wd1 at pciide0 channel 1 drive 1: WDC WD200BB-75AUA1 wd1: 16-sector PIO, LBA, 19092MB, 39102336 sectors wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4 wd1(pciide0:1:1): using PIO mode 4,