Re: BackupPC

2013-12-11 Thread David Coppa
On Tue, Dec 10, 2013 at 6:42 PM, Stuart Henderson s...@spacehopper.org wrote:
 On 2013-12-09, Dennis Davis dennisdavis+openbsd-m...@fastmail.fm wrote:
 You might find the OpenBSD port/package of openpam:

 /usr/ports/security/openpam

 of use in getting authentication via winbindd working.  I've
 never used openpam myself, just installed it to satisfy the
 build requirement of other software.

 This is not going to help, what you are looking for is nsswitch,
 but OpenBSD does not support that.

 On 2013-12-09, Peter Fraser p...@thinkage.ca wrote:
 In my case, my user community is slowly changing, it is not too much
 work to manually create an OpenBSD account for each BackupPC user.

 You *might* possibly get somewhere by grabbing a snapshot of the
 account database from Windows via ldapsearch, and creating system
 users based on that. You might even get somewhere with ypldap
 though probably not particularly straightforward..

 I think you're looking along the right lines with login_ldap to
 handle password auth.


With Windows Server = 2008R2 you can enable the Identity Management
for UNIX components.
Such setup should work in conjunction with OpenBSD+ypldap+login_ldap.
For a reference, see:
http://www.obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client

Ciao,
David



Re: alix2d3 entry point at 0x200120 after PXE installation

2013-12-11 Thread Aurelien Martin

Hi all,

I succeeded in booting the alix2d3 by fixing the MBR with fdisk -u wd0.

Cheers,
Aurelien



Best way to allow public use of OpenBSD IPSec/L2TP VPN?

2013-12-11 Thread Some Developer
First of all I'd like to say I'm a recent convert from Linux so please 
be kind to the newb :).


I've read through the documentation and got my install of OpenBSD 
working as I would like but there is one thing that I am not sure about.


According to the man page for isakmpd there are 4 types of 
authentication that one can use. Shared passphrase, public keys, X.509 
certificates and keynote authentication.


Both shared passphrase and keynote authentication are not really options 
for security and compatibility reasons. So that leaves public keys and 
X.509 certificates. Of those 2 I think X.509 certificates would be the 
best option for my deployment.


The question is the man page says that you need to create the keys using 
the IP address of the peer or the host name of the peer. The problem is 
that many of my peers have dynamic IP addresses and therefore won't know 
their IP address ahead of time and they also do not have control over 
their host name either (or won't know what it is). So what do I do in 
this instance when it comes to generating the X.509 client certificate? 
Can I use something like their email address in the certificates instead 
of their IP address or host name?


This is probably a really stupid question but I'm reasonably new to the 
whole X.509 certificate thing.




OpenBSD VPS Providers

2013-12-11 Thread Some Developer

Hi,

I'm looking for a VPS provider that supports OpenBSD (preferably the 
latest version). I've obviously found a few but what I really want is 
easy to create and destroy instances in the same way you can on Digital 
Ocean and Linode (which I use for my Linux boxes).


An API for automatic creation and destruction of virtual machines would 
be fantastic and if I was being really picky a European location for the 
servers.


Does anyone have any suggestions and recommendations? I'd rather use a 
provider that has some positive customer reviews from this list. Some of 
the available options from a Google search look a bit shabby (I could be 
completely wrong and they are excellent companies I'm just basing it on 
what I can see).


I'll be using this box as a VPN server.



Re: OpenBSD VPS Providers

2013-12-11 Thread Marko M.
Hi,

You may try: https://www.transip.eu They offer both OpenBSD and FreeBSD. I
have been using their VPS with FreeBSD for a couple of years. They offer
rather cheap and really good service.


On Fri, Dec 6, 2013 at 6:37 PM, Some Developer someukdevelo...@gmail.com wrote:

 Hi,

 I'm looking for a VPS provider that supports OpenBSD (preferably the
 latest version). I've obviously found a few but what I really want is easy
 to create and destroy instances in the same way you can on Digital Ocean
 and Linode (which I use for my Linux boxes).

 An API for automatic creation and destruction of virtual machines would be
 fantastic and if I was being really picky a European location for the
 servers.

 Does anyone have any suggestions and recommendations? I'd rather use a
 provider that has some positive customer reviews from this list. Some of
 the available options from a Google search look a bit shabby (I could be
 completely wrong and they are excellent companies I'm just basing it on
 what I can see).

 I'll be using this box as a VPN server.



Re: Best way to allow public use of OpenBSD IPSec/L2TP VPN?

2013-12-11 Thread Zé Loff
On Wed, Dec 11, 2013 at 09:41:30AM +, Some Developer wrote:
 The problem is that many of my peers have dynamic IP addresses and
 therefore won't know their IP address ahead of time and they also do
 not have control over their host name either (or won't know what it
 is).

Use FQDNs instead. The FQDN in the certificate doesn't have to match the
host's FQDN, just use srcid and/or dstid on ipsec.conf.

Cheers
Zé
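
Added example, not part of the original thread: issuing a client certificate whose identity is an FQDN label in subjectAltName, so that it does not depend on the peer's IP address or real host name. The CA, the host names, the 192.0.2.1 address and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The FQDN is only an identity label:
# it has to match the ID configured on the gateway, not the peer's DNS name.
# On the OpenBSD side the same label is what dstid names in ipsec.conf, e.g.
# (constructed address and names):
#   ike passive esp transport proto udp from 192.0.2.1 to any port 1701 \
#       srcid vpn.example.org dstid client1.vpn.example.org

# issue_fqdn_cert WORKDIR FQDN
# Creates a throwaway CA in WORKDIR (if none exists yet) plus a key and a
# certificate for FQDN, and prints the path of the new certificate.
issue_fqdn_cert() {
    dir=$1
    fqdn=$2
    mkdir -p "$dir" || return 1
    if [ ! -f "$dir/ca.crt" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=Example VPN CA" \
            -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    fi
    # Key and signing request for the roaming peer.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$fqdn" \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null || return 1
    # The identity is carried in subjectAltName, not in an IP address.
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/$fqdn.ext"
    openssl x509 -req -days 365 -in "$dir/$fqdn.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$fqdn.ext" -out "$dir/$fqdn.crt" 2>/dev/null || return 1
    printf '%s\n' "$dir/$fqdn.crt"
}

# cert_fqdn_ids CERT
# Prints the DNS names found in the certificate's subjectAltName, one per line.
cert_fqdn_ids() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_matches_id CERT ID
# Succeeds only if ID is exactly one of the certificate's FQDN identities;
# a pre-deployment check that the certificate and the configured ID agree.
cert_matches_id() {
    cert_fqdn_ids "$1" | grep -Fqx -- "$2"
}
```

Running cert_matches_id against each issued certificate before handing it out catches a mismatch between the certificate and the ID configured on the gateway.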



Re: dhcpd: rejecting bogus offer

2013-12-11 Thread Chris Smith
Yes, that does help it all make sense.

Thanks to all.

On Tue, Dec 10, 2013 at 11:43 PM, Ted Unangst t...@tedunangst.com wrote:
 On Tue, Dec 10, 2013 at 22:16, Chris Smith wrote:
 On Tue, Dec 10, 2013 at 8:04 PM, Chris Smith obsd_m...@chrissmith.org
 wrote:
 Dec 10 16:19:46 firewall dhcpd[29710]: Many bogus options seen in offers.

 In particular the above line: Many bogus options seen in offers.
 Doesn't the server make the offer? If so, why would the OpenBSD
 dhcpd server create bogus options? Or am I misreading the intent of
 the log message?

 The option parsing code was at one time shared between dhclient and
 dhcpd. (ironically, our dhclient no longer contains that message.)

 It's worded strangely for a server warning message, but client
 requests are allowed to specify options to the server. Just replace
 the word offers with requests and it all makes sense.



Issues compiling binkd-1.1 on OpenBSD 5.3 (testing on 5.4 in a bit, as well); ns_msg undeclared

2013-12-11 Thread Damon Getsman
I've got a system that I'm trying to get connected to another fidonet hub
[again], but I'm having issues now that I'm having to connect to a new
coordinator.  Previously I was able to connect via binkd-0.9.4, but I'm
having issues that I can't get resolved between several people very
experienced with binkd; it appears to be an incompatibility between more
recent versions and 0.9.4, not a configuration issue.

Unfortunately, when attempting to get binkd-1.1 to compile on my OpenBSD
5.3 system, there appears to be some issues either locating a library or
finding the correct library to install on my system.  There is a rather
large lack of information for my situation available; as far as anybody
experienced with fidonet or binkd (as far as I know) knows, I'm the only
person that has had binkd running on OpenBSD, let alone run into these
incompatibilities and tried to get binkd-1.1 to compile in this environment.

Here is the problem that I've been getting, starting with the 'configure'
shell script output that seems to be applicable:
-=-=-
checking for ns_initparse... no
checking for ns_msg._msg_ptr... no
checking for ns_msg._ptr... no
-=-=-

and then, compilation seems to go fine until I hit the last few files
before final linkage; 'make' errors follow:
-=-=-
Compiling srv_gai.c...
srv_gai.c: In function 'srv_getaddrinfo':
srv_gai.c:82: error: 'ns_msg' undeclared (first use in this function)
srv_gai.c:82: error: (Each undeclared identifier is reported only once
srv_gai.c:82: error: for each function it appears in.)
srv_gai.c:82: error: expected ';' before 'nsb'
srv_gai.c:83: error: 'ns_rr' undeclared (first use in this function)
srv_gai.c:83: error: expected ';' before 'rrb'
srv_gai.c:137: error: 'ns_c_in' undeclared (first use in this function)
srv_gai.c:137: error: 'ns_t_srv' undeclared (first use in this function)
srv_gai.c:151: warning: implicit declaration of function 'ns_initparse'
srv_gai.c:151: error: 'nsb' undeclared (first use in this function)
srv_gai.c:163: warning: implicit declaration of function 'ns_msg_count'
srv_gai.c:163: error: 'ns_s_an' undeclared (first use in this function)
srv_gai.c:164: warning: implicit declaration of function 'ns_parserr'
srv_gai.c:164: error: 'rrb' undeclared (first use in this function)
srv_gai.c:168: warning: implicit declaration of function 'ns_rr_class'
srv_gai.c:171: warning: implicit declaration of function 'ns_rr_type'
srv_gai.c:173: warning: implicit declaration of function 'ns_rr_rdlen'
srv_gai.c:178: warning: implicit declaration of function 'ns_rr_rdata'
srv_gai.c:178: warning: assignment makes pointer from integer without a cast
*** Error 1 in /usr/src/binkd-1.1 (Makefile:76 'srv_gai.o': @gcc -c
-DPACKAGE_NAME=\\ -DPACKAGE_TARNAME=\\ -DPACKAGE_VERSION=\\ -DPACK...)
-=-=-

Now, I will be the first one to admit that my knowledge of Makefile syntax
and operations is pretty limited.  I can fumble my way through general
modifications, but I'm not sure I'm doing things correctly.  I've gotten
some difficult packages to compile that haven't wanted to on particular
systems, but I find these solutions pretty much by educated guess.  I know
C/C++, but I can't say that I've ever coded anything more than a few
hundred (600) lines long in that language.  So as far as porting to a new
operating system, taking into account SYSV/BSD differences and anything
else, I'm pretty lost.

My web searching for the ns_msg and associated functions seemed to indicate
that this is a part of libspf2, which I then installed via pkg_add to my
system.  Right off the bat I attempted a freshly started 'configure' and
'make'.  The configuration still indicated success, but with the same 'not
found' messages that I indicated in my first cut 'n paste in this message.
 I then made several modifications to the Makefile and even attempted
manual compilation of srv_gai.c with different command lines, trying to
manually specify -lspf2.  No luck.  I even tried switching the order of the
compilation in order to compile unix/ns_parse.c prior to srv_gai.c,
thinking (strictly due to the superficial resemblance of the name of this
file and hints that I saw in the source code) that perhaps an ns_msg may
reside in there.  Yeah, it was desperation time by this point.  No go.

At this point I'm totally out of ideas.  I'd be grateful for anything that
anybody might be able to suggest.  Well, with possible exception of
switching operating systems.  My machine that has ports forwarded to it
from the internet will always be OpenBSD due to my affinity for privacy and
system integrity.

Am I trying to add the wrong library?  Is there any other place I could
somehow insert this ns_msg and other associated code?  Many thanks in
advance for anything you can offer.  I really need to get this system
working as a binkd server and client asap.

Also, if anybody is interested in the BBS scene, I'd be happy to drop the
address for my system just as soon as I've got the ports forwarded at my
new location again.  ;)


Re: NAT64 troubleshooting

2013-12-11 Thread Stuart Henderson
On 2013/12/11 11:35, dikshie wrote:
 On Wed, Dec 11, 2013 at 2:33 AM, Stuart Henderson s...@spacehopper.org 
 wrote:
  There were problems with af-to in some recent versions, but since you
  didn't include the dmesg, I can't say if this applies to you..
  http://www.openbsd.org/report.html
 
 i use openbsd 5.4

There were definitely some fixes for af-to post-5.4, so trying a
snapshot would be worthwhile. (it might be reasonable to backport the
fix to -stable, but I'm not sure which exact commits fixed it..)



5.4 amd64 - Poor disk performance with Smart Array 6404

2013-12-11 Thread Jan Lambertz
I found dd to be a very bad/misleading tool for this case.
Problems are caches in different layers of the system, filesystem
behaviour, sector sizing of drives and arrays, kernel configurations, input
data loading, real world scenarios and driver implementation.
I had the same issues on CentOS.
Not perfect, but a lot better for my purpose, is bonnie++. Even with bonnie++
I would not dare to say that the same tests on the same hardware with CentOS
and OpenBSD will show the real differences in performance.

Maybe that might help to get more comparable results.



Re: Issues compiling binkd-1.1 on OpenBSD 5.3 (testing on 5.4 in a bit, as well); ns_msg undeclared

2013-12-11 Thread Jérémie Courrèges-Anglas
Damon Getsman damo.g...@gmail.com writes:

 I've got a system that I'm trying to get connected to another fidonet hub
 [again], but I'm having issues now that I'm having to connect to a new
 coordinator.  Previously I was able to connect via binkd-0.9.4, but I'm
 having issues that I can't get resolved between several people very
 experienced with binkd; it appears to be an incompatibility between more
 recent versions and 0.9.4, not a configuration issue.

 Unfortunately, when attempting to get binkd-1.1 to compile on my OpenBSD
 5.3 system, there appears to be some issues either locating a library or
 finding the correct library to install on my system.  There is a rather
 large lack of information for my situation available; as far as anybody
 experienced with fidonet or binkd (as far as I know) knows, I'm the only
 person that has had binkd running on OpenBSD, let alone run into these
 incompatibilities and tried to get binkd-1.1 to compile in this environment.

 Here is the problem that I've been getting, starting with the 'configure'
 shell script output that seems to be applicable:
 -=-=-
 checking for ns_initparse... no
 checking for ns_msg._msg_ptr... no
 checking for ns_msg._ptr... no
 -=-=-

 and then, compilation seems to go fine until I hit the last few files
 before final linkage; 'make' errors follow:
 -=-=-
 Compiling srv_gai.c...
 srv_gai.c: In function 'srv_getaddrinfo':
 srv_gai.c:82: error: 'ns_msg' undeclared (first use in this function)
 srv_gai.c:82: error: (Each undeclared identifier is reported only once
 srv_gai.c:82: error: for each function it appears in.)
 srv_gai.c:82: error: expected ';' before 'nsb'
 srv_gai.c:83: error: 'ns_rr' undeclared (first use in this function)
 srv_gai.c:83: error: expected ';' before 'rrb'
 srv_gai.c:137: error: 'ns_c_in' undeclared (first use in this function)
 srv_gai.c:137: error: 'ns_t_srv' undeclared (first use in this function)
 srv_gai.c:151: warning: implicit declaration of function 'ns_initparse'
 srv_gai.c:151: error: 'nsb' undeclared (first use in this function)
 srv_gai.c:163: warning: implicit declaration of function 'ns_msg_count'
 srv_gai.c:163: error: 'ns_s_an' undeclared (first use in this function)
 srv_gai.c:164: warning: implicit declaration of function 'ns_parserr'
 srv_gai.c:164: error: 'rrb' undeclared (first use in this function)
 srv_gai.c:168: warning: implicit declaration of function 'ns_rr_class'
 srv_gai.c:171: warning: implicit declaration of function 'ns_rr_type'
 srv_gai.c:173: warning: implicit declaration of function 'ns_rr_rdlen'
 srv_gai.c:178: warning: implicit declaration of function 'ns_rr_rdata'
 srv_gai.c:178: warning: assignment makes pointer from integer without a cast
 *** Error 1 in /usr/src/binkd-1.1 (Makefile:76 'srv_gai.o': @gcc -c
 -DPACKAGE_NAME=\\ -DPACKAGE_TARNAME=\\ -DPACKAGE_VERSION=\\ -DPACK...)
 -=-=-

You need stuff that was moved from base to the net/libbind package.

 Now, I will be the first one to admit that my knowledge of Makefile syntax
 and operations is pretty limited.  I can fumble my way through general
 modifications, but I'm not sure I'm doing things correctly.  I've gotten
 some difficult packages to compile that haven't wanted to on particular
 systems, but I find these solutions pretty much by educated guess.  I know
 C/C++, but I can't say that I've ever coded anything more than a few
 hundred (600) lines long in that language.  So as far as porting to a new
 operating system, taking into account SYSV/BSD differences and anything
 else, I'm pretty lost.

 My web searching for the ns_msg and associated functions seemed to indicate
 that this is a part of libspf2,

Well, libspf2 depends on libbind.

 which I then installed via pkg_add to my
 system.  Right off the bat I attempted a freshly started 'configure' and
 'make'.  The configuration still indicated success, but with the same 'not
 found' messages that I indicated in my first cut 'n paste in this message.
  I then made several modifications to the Makefile and even attempted
 manual compilation of srv_gai.c with different command lines, trying to
 manually specify -lspf2.  No luck.  I even tried switching the order of the
 compilation in order to compile unix/ns_parse.c prior to srv_gai.c,
 thinking (strictly due to the superficial resemblance of the name of this
 file and hints that I saw in the source code) that perhaps an ns_msg may
 reside in there.  Yeah, it was desperation time by this point.  No go.

So... you need to add /usr/local/include/bind/ to the include search
list, /usr/local/lib/libbind/ to the lib search list (with -L and -R),
you need to link against libbind (-lbind), and you need to patch
srv_gai.c so that it includes arpa/nameser.h.

The provided Makefile.in doesn't honor CPPFLAGS / LDFLAGS.

 At this point I'm totally out of ideas.  I'd be grateful for anything that
 anybody might be able to suggest.  Well, with possible exception of
 switching operating systems.  My machine that has ports forwarded 

Re: Patch to fix /etc/rc.d/identd...

2013-12-11 Thread Jérémie Courrèges-Anglas
Adam Jeanguenat a...@voyager.6v6.org writes:

Below is a patch to fix the identd rc.d script, which currently
 doesn't allow you to stop the daemon because ${pexp} is passed
 incorrectly.

Fixed, thanks.

Note the string identd: resolver is 16 chars long and at the
 limit of what OpenBSD cares about (according to the pgrep/pkill(1) man
 page), but it works fine. I suppose both strings could be shortened if
 desired, but I figured the least amount of ambiguity was the best.

This 16-bytes limitation is not a problem when using -f.

If identd is already running, /var/run/rc.d/identd will need to be
 manually deleted first as it contains the wrong ${pexp}.

--avj


 Index: identd
 ===
 RCS file: /home/cvsync/src/etc/rc.d/identd,v
 retrieving revision 1.6
 diff -u -p -r1.6 identd
 --- identd8 Aug 2013 15:41:28 -   1.6
 +++ identd4 Dec 2013 19:17:26 -
 @@ -7,6 +7,7 @@ daemon_flags=-e
  
  . /etc/rc.d/rc.subr
  
 +pexp=identd: (listen|resolver)
  rc_reload=NO
  
  rc_cmd $1
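
Review bot: the added 'pexp=identd: (listen|resolver)' line is shown without quotes, and a value containing a space and parentheses cannot be assigned that way in sh, so it should be written as one double-quoted string. A short comment above it saying that the processes title themselves 'identd: listen' and 'identd: resolver' would also help, since that reason currently lives only in the mail and not in the script.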


-- 
jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494



Re: OpenBSD VPS Providers

2013-12-11 Thread Francisco Valladolid H.
Hi.

The following ISPs also provide OpenBSD.

http://www.bsdvm.com
http://www.arpnetworks.com

Regards.


On Wed, Dec 11, 2013 at 5:11 AM, Marko M. ma...@bsdserbia.org wrote:
 Hi,

 You may try: https://www.transip.eu They offer both OpenBSD and FreeBSD. I
 have been using their VPS with FreeBSD for a couple of years. They offer
 rather cheap and really good service.


 On Fri, Dec 6, 2013 at 6:37 PM, Some Developer 
 someukdevelo...@gmail.com wrote:

 Hi,

 I'm looking for a VPS provider that supports OpenBSD (preferably the
 latest version). I've obviously found a few but what I really want is easy
 to create and destroy instances in the same way you can on Digital Ocean
 and Linode (which I use for my Linux boxes).

 An API for automatic creation and destruction of virtual machines would be
 fantastic and if I was being really picky a European location for the
 servers.

 Does anyone have any suggestions and recommendations? I'd rather use a
 provider that has some positive customer reviews from this list. Some of
 the available options from a Google search look a bit shabby (I could be
 completely wrong and they are excellent companies I'm just basing it on
 what I can see).

 I'll be using this box as a VPN server.




-- 
Francisco Valladolid H.
 -- http://blog.bsdguy.net - Jesus Christ follower.



Re: Issues compiling binkd-1.1 on OpenBSD 5.3 (testing on 5.4 in a bit, as well); ns_msg undeclared

2013-12-11 Thread Jérémie Courrèges-Anglas
j...@wxcvbn.org (Jérémie Courrèges-Anglas) writes:

[...]

 If building binkd on OpenBSD is so painful then a port could be useful.

Something like that...

[demime 1.01d removed an attachment of type application/octet-stream]
-- 
jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494



Re: OpenBSD VPS Providers

2013-12-11 Thread James Records
Hi,

Take a look at www.hermetek.com  I've used them for OpenBSD hosting, they
were great and very flexible.

Best


On Wed, Dec 11, 2013 at 8:37 AM, Francisco Valladolid H.
fic...@gmail.com wrote:

 Hi.

 The following list of ISP also provide OpenBSD.

 http://www.bsdvm.com
 http://www.arpnetworks.com

 Regards.


 On Wed, Dec 11, 2013 at 5:11 AM, Marko M. ma...@bsdserbia.org wrote:
  Hi,
 
  You may try: https://www.transip.eu They offer both OpenBSD and
 FreeBSD. I
  have been using their VPS with FreeBSD for a couple of years. They offer
  rather cheap and really good service.
 
 
  On Fri, Dec 6, 2013 at 6:37 PM, Some Developer 
 someukdevelo...@gmail.com wrote:
 
  Hi,
 
  I'm looking for a VPS provider that supports OpenBSD (preferably the
  latest version). I've obviously found a few but what I really want is
 easy
  to create and destroy instances in the same way you can on Digital Ocean
  and Linode (which I use for my Linux boxes).
 
  An API for automatic creation and destruction of virtual machines would
 be
  fantastic and if I was being really picky a European location for the
  servers.
 
  Does anyone have any suggestions and recommendations? I'd rather use a
  provider that has some positive customer reviews from this list. Some of
  the available options from a Google search look a bit shabby (I could be
  completely wrong and they are excellent companies I'm just basing it on
  what I can see).
 
  I'll be using this box as a VPN server.
 



 --
 Francisco Valladolid H.
  -- http://blog.bsdguy.net - Jesus Christ follower.



Re: 5.4 amd64 - Poor disk performance with Smart Array 6404

2013-12-11 Thread Adam Jensen

On 12/11/2013 10:27 AM, Jan Lambertz wrote:

I found dd to be a very bad/misleading tool for this case.
Problems are caches in different layers of the system, filesystem
behaviour, sector sizing of drives and arrays, kernel configurations, input
data loading, real world scenarios and driver implementation.
I had same issues on centos.
Not perfect but a lot better for my purpose is bonnie++. Even with bonnie++
i would not dare to say that same tests on same hardware with centos and
openbsd will show the real differences in performance.

Maybe that might help to get more comparable results



Agreed. dd was a quick and dirty way to get some numbers after noticing 
very unusual system performance with OpenBSD. I might have gotten a 
little carried away with it. However, in this case I do think the 
numbers generally correlate to my impression of overall disk performance 
for this machine when running OpenBSD and FreeBSD. For example, when 
unpacking the ports tree or compiling a kernel, FreeBSD seems to drive 
the disks harder than OpenBSD (indicated by the drive activity lights, 
drive noise, and the output scrolling across the screen). Of course, 
this is hardly an objective metric and [for me] a ~15% disk I/O 
performance difference is not terribly important. It is far more 
important [to me] to have an elegant coherent reliable system with clean 
source code and good documentation. If the underlying system is cobbled 
together with zip-ties, duct-tape, and hot-rod hacks, it's not something 
I could trust and I wouldn't invest too much in it. If the 
zombie-apocalypse overruns the remnants of human society, it's the 
OpenBSD source and documentation I want on my machines. ;)




nginx reload no longer working

2013-12-11 Thread Cyrus
I am having a problem with nginx. When I add a config file in a
directory which is included in nginx.conf for a new user, I usually just
do an nginx -s reload and it uses it. Recently that has been failing,
but /etc/rc.d/nginx restart does work, indicating nothing wrong with the
config. I'm not sure why this is happening. Any ideas?

-- 
CYRUSERV Onionland Hosting: http://cyruserv5hlagzhg.onion/
new email address: cyrus_the_gr...@lelantos.org
PGP public key: http://cyruserv5hlagzhg.onion/PGP



Re: spamd in blacklist only modexd

2013-12-11 Thread Alexander Hall

On 12/10/13 14:03, Craig R. Skinner wrote:

On 2013-12-10 Tue 09:26 AM |, Alexander Hall wrote:


The OP is referring to this part of /etc/rc, which has nothing to do
with neither crontab nor /etc/rc.d/*.

if [ X"${spamd_flags}" != X"NO" ]; then
	/usr/libexec/spamd-setup -D
fi

Indeed, please suggest a diff.

Maybe we should just incorporate that into /etc/rc.d/spamd instead?



This has worked OK for me for a few months:


Index: rc
===
RCS file: /cvs/src/etc/rc,v
retrieving revision 1.407
diff -u -u -p -r1.407 rc
--- rc  9 Aug 2013 16:24:54 -   1.407
+++ rc  10 Dec 2013 12:59:49 -
@@ -499,10 +499,6 @@ start_daemon rbootd mopd popa3d spamd sp
  start_daemon ipropd_master ipropd_slave sndiod
  echo '.'

-if [ X${spamd_flags} != XNO ]; then
-   /usr/libexec/spamd-setup -D
-fi
-


yes


  # If rc.firstime exists, run it just once, and make sure it is deleted
  if [ -f /etc/rc.firsttime ]; then
mv /etc/rc.firsttime /etc/rc.firsttime.run
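
Review bot: once the three removed lines are gone, nothing in /etc/rc runs spamd-setup any more, so this hunk is only safe when committed together with the rc.d/spamd change that follows. It also changes behaviour: spamd-setup used to run once from /etc/rc and will now run on every '/etc/rc.d/spamd start', which deserves a line in the commit message.
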
Index: rc.d/spamd
===
RCS file: /cvs/src/etc/rc.d/spamd,v
retrieving revision 1.3
diff -u -u -p -r1.3 spamd
--- rc.d/spamd  13 Sep 2013 14:50:56 -  1.3
+++ rc.d/spamd  10 Dec 2013 12:59:49 -
@@ -1,18 +1,23 @@
  #!/bin/sh
  #
-# $OpenBSD: spamd,v 1.3 2013/09/13 14:50:56 okan Exp $
+# $OpenBSD: spamd,v 1.4 2013/09/05 19:08:22 skinner Exp $

-daemon=/usr/libexec/spamd
+daemon='/usr/libexec/spamd'


noise



  . /etc/rc.d/rc.subr

  pexp=spamd: \[priv\]
  rc_reload=NO

-rc_pre() {
-   [ X${spamd_black} != XNO ]  \
-   daemon_flags=-b ${daemon_flags}
-   return 0
+rc_pre()
+{
+   [[ ${spamd_black} == 'NO' ]] || daemon_flags=-b ${daemon_flags}
+}


noise (and ksh syntax)


+
+rc_start()
+{
+   ${rcexec} ${daemon} ${daemon_flags} ${_bg}
+   rc_do rc_wait start  ${daemon}-setup -D


useful, but IMO in wrong order and misses the -b flag.

/Alexander


  }

  rc_cmd $1
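
Review bot: the '$OpenBSD$' line at the top of this hunk is edited by hand, to a revision 1.4 dated 2013/09/05, which is earlier than the 2013/09/13 of the 1.3 line it replaces; leave that line out of the diff, since CVS rewrites it on commit. Further down, the new rc_pre uses '[[ ... ]]' with '==' under a '#!/bin/sh' header, where the removed '[ X... != XNO ]' test was plain sh.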



Cheers,




Re: spamd in blacklist only modexd

2013-12-11 Thread Alexander Hall

On 12/10/13 21:38, Maurice Janssen wrote:

On 12/10/13 14:03, Craig R. Skinner wrote:

On 2013-12-10 Tue 09:26 AM |, Alexander Hall wrote:

The OP is referring to this part of /etc/rc, which has nothing to do
with neither crontab nor /etc/rc.d/*.

if [ X"${spamd_flags}" != X"NO" ]; then
	/usr/libexec/spamd-setup -D
fi

Indeed, please suggest a diff.

Maybe we should just incorporate that into /etc/rc.d/spamd instead?


This has worked OK for me for a few months:


Index: rc
===
RCS file: /cvs/src/etc/rc,v
retrieving revision 1.407
diff -u -u -p -r1.407 rc
--- rc9 Aug 2013 16:24:54 -1.407
+++ rc10 Dec 2013 12:59:49 -
@@ -499,10 +499,6 @@ start_daemon rbootd mopd popa3d spamd sp
  start_daemon ipropd_master ipropd_slave sndiod
  echo '.'
-if [ X${spamd_flags} != XNO ]; then
-/usr/libexec/spamd-setup -D
-fi
-
  # If rc.firstime exists, run it just once, and make sure it is deleted
  if [ -f /etc/rc.firsttime ]; then
  mv /etc/rc.firsttime /etc/rc.firsttime.run
Index: rc.d/spamd
===
RCS file: /cvs/src/etc/rc.d/spamd,v
retrieving revision 1.3
diff -u -u -p -r1.3 spamd
--- rc.d/spamd13 Sep 2013 14:50:56 -1.3
+++ rc.d/spamd10 Dec 2013 12:59:49 -
@@ -1,18 +1,23 @@
  #!/bin/sh
  #
-# $OpenBSD: spamd,v 1.3 2013/09/13 14:50:56 okan Exp $
+# $OpenBSD: spamd,v 1.4 2013/09/05 19:08:22 skinner Exp $
-daemon=/usr/libexec/spamd
+daemon='/usr/libexec/spamd'
  . /etc/rc.d/rc.subr
  pexp=spamd: \[priv\]
  rc_reload=NO
-rc_pre() {
-[ X${spamd_black} != XNO ]  \
-daemon_flags=-b ${daemon_flags}
-return 0
+rc_pre()
+{
+[[ ${spamd_black} == 'NO' ]] || daemon_flags=-b ${daemon_flags}
+}
+
+rc_start()
+{
+${rcexec} ${daemon} ${daemon_flags} ${_bg}
+rc_do rc_wait start  ${daemon}-setup -D
  }
  rc_cmd $1



Cheers,


Nice, but this also fails to add -b to spamd-setup.  How about this (and
of course remove the spamd-setup bits from /etc/rc):

--- spamd.orig  Tue Dec 10 21:24:48 2013
+++ spamd   Tue Dec 10 21:24:14 2013
@@ -15,4 +15,12 @@
 return 0
  }

+rc_start() {
+   ${rcexec} ${daemon} ${daemon_flags} ${_bg}
+   spamd_setup_flags=-D
+   [ X${spamd_black} != XNO ]  \
+   spamd_setup_flags=-b ${spamd_setup_flags}
+   rc_do rc_wait start  /usr/libexec/spamd-setup
${spamd_setup_flags}
+}
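
Review bot: the 'rc_do rc_wait start  /usr/libexec/spamd-setup' line has been wrapped by the mailer, so '${spamd_setup_flags}' sits on a line of its own with no leading '+' and the hunk will not apply as posted; keep added lines short enough to survive wrapping or send the diff as an attachment. The added rc_start also hardcodes /usr/libexec/spamd-setup and sets spamd_setup_flags as a global in the rc script, where a function-local variable would avoid leaking the name.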


This seems like the wrong order. Currently, we run spamd-setup prior to
starting spamd, which sounds more appropriate to me.

I'd suggest the following, but I leave the decision to people working
in this area. Untested.

rc_start() {
	# pass -b to spamd-setup as well when blacklist-only mode is enabled
	local _setup=-D
	[ X"${spamd_black}" != X"NO" ] && _setup="-b $_setup"
	/usr/libexec/spamd-setup $_setup
	${rcexec} "${daemon} ${daemon_flags} ${_bg}"
}

/Alexander


+
  rc_cmd $1




Re: spamd in blacklist only modexd

2013-12-11 Thread Maurice Janssen

On 12/11/13 21:06, Alexander Hall wrote:

On 12/10/13 21:38, Maurice Janssen wrote:


How about this (and of course remove the spamd-setup bits from /etc/rc):

--- spamd.orig  Tue Dec 10 21:24:48 2013
+++ spamd   Tue Dec 10 21:24:14 2013
@@ -15,4 +15,12 @@
 return 0
  }

+rc_start() {
+   ${rcexec} ${daemon} ${daemon_flags} ${_bg}
+   spamd_setup_flags=-D
+   [ X${spamd_black} != XNO ]  \
+   spamd_setup_flags=-b ${spamd_setup_flags}
+   rc_do rc_wait start  /usr/libexec/spamd-setup
${spamd_setup_flags}
+}


This seems like the wrong order. Currently, we run spamd-setup prior to
starting spamd, which sounds more appropriate to me.



Are you sure?  In /etc/rc, spamd-setup is run after spamd and spamlogd.  
Seems more appropriate to me, as spamd-setup sends blacklist data to spamd.


Maurice



Re: nginx reload no longer working

2013-12-11 Thread Cyrus
On 12/12/2013 06:54 AM, Josh Grosse wrote:
 On 2013-12-11 14:30, Cyrus wrote:
 I am having a problem with nginx. When I add a config file in a
 directory which is included in nginx.conf for a new user, I usually just
 do an nginx -s reload and it uses it. Recently that has been failing,
 but /etc/rc.d/nginx restart does work, indicating nothing wrong with the
 config. I'm not sure why this is happening. Any ideas?
 
 Per the nginx(8) man page, the '-s reload' option sends a SIGHUP to the
 master process, which will "Reload configuration, start the new worker
 process with a new configuration, and gracefully shut down old worker
 processes."  This is different than the SIGTERM used by pkill(8) within
 /etc/rc.d/nginx.
 
 More information on your nginx processes before and after the failed
 reload would be helpful, as would a dmesg as that would tell us your
 architecture/flavor of OS, and your nginx configuration which appears to
 be causing the problem.
 
 The more you provide, the better answers will be.  See
 http://www.openbsd.org/report.html for examples.
 
 

# dmesg
OpenBSD 5.4 (GENERIC.MP) #41: Tue Jul 30 15:30:02 MDT 2013
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2130640896 (2031MB)
avail mem = 2066255872 (1970MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xe1000 (5 entries)
bios0: vendor innotek GmbH version VirtualBox date 12/01/2006
bios0: innotek GmbH VirtualBox
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66GHz, 2665.66 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,SSSE3,NXE,LONG,LAHF
cpu0: 2MB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
cpu0: apic clock running at 999MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66GHz, 2667.18 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,SSSE3,NXE,LONG,LAHF
cpu1: 2MB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibat0 at acpi0: BAT0 not present
acpiac0 at acpi0: AC unit online
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 Intel 82441FX rev 0x02
pcib0 at pci0 dev 1 function 0 Intel 82371SB ISA rev 0x00
pciide0 at pci0 dev 1 function 1 Intel 82371AB IDE rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: VBOX HARDDISK
wd0: 128-sector PIO, LBA48, 204800MB, 419430400 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: VBOX, CD-ROM, 1.0 ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
vga1 at pci0 dev 2 function 0 InnoTek VirtualBox Graphics Adapter rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 Intel 82543GC rev 0x02: apic 2 int 19,
address 08:00:27:85:37:f9
InnoTek VirtualBox Guest Service rev 0x00 at pci0 dev 4 function 0 not
configured
piixpm0 at pci0 dev 7 function 0 Intel 82371AB Power rev 0x08: SMBus
disabled
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
mtrr: CPU supports MTRRs but not enabled
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (784d82c953376542.a) swap on wd0b dump on wd0b

# cat /etc/nginx/nginx.conf
# $OpenBSD: nginx.conf,v 1.14 2013/06/02 14:11:38 florian Exp $

#user  www;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#error_log  syslog:notice|logs/error.log;

#syslog local5  nginx;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    index         index.html index.htm;

    #log_format  main  '$remote_addr - $remote_user [$time_local] $request '
    #                  '$status $body_bytes_sent $http_referer '
    #                  '$http_user_agent $http_x_forwarded_for';

    #access_log  logs/access.log  main;
    #access_log  syslog:notice|logs/access.log main;

    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
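
The "nginx processes before and after the failed reload" comparison requested in this thread can be made mechanical. The following is an added example, not part of the original posts: it classifies two process snapshots as a reload (same master, new workers, as described for SIGHUP), a restart (new master, as after /etc/rc.d/nginx restart), or no change (for instance when the master rejects the new configuration and keeps the old workers). The snapshots and PIDs are constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed `ps -axo pid,command` snapshots (sample data, not from the thread).
BEFORE='  4101 nginx: master process /usr/sbin/nginx
  4102 nginx: worker process'
AFTER_RELOAD='  4101 nginx: master process /usr/sbin/nginx
  4102 nginx: worker process is shutting down
  4188 nginx: worker process'
AFTER_RESTART='  5220 nginx: master process /usr/sbin/nginx
  5221 nginx: worker process'

# PID of the nginx master process in a snapshot (empty if none).
master_pid() {
    printf '%s\n' "$1" | awk '/nginx: master process/ { print $1; exit }'
}

# Active worker PIDs, sorted and space-separated.
# Workers that are draining after a reload are not counted as active.
worker_pids() {
    printf '%s\n' "$1" |
        awk '/nginx: worker process/ && !/shutting down/ { print $1 }' |
        sort -n | paste -sd' ' -
}

# classify BEFORE AFTER -> stopped | restarted | reloaded | unchanged
classify() {
    m_before=$(master_pid "$1")
    m_after=$(master_pid "$2")
    if [ -z "$m_after" ]; then
        echo stopped            # no master left at all
    elif [ "$m_before" != "$m_after" ]; then
        echo restarted          # SIGTERM + fresh start: new master PID
    elif [ "$(worker_pids "$1")" != "$(worker_pids "$2")" ]; then
        echo reloaded           # SIGHUP honoured: same master, new workers
    else
        echo unchanged          # SIGHUP had no visible effect
    fi
}

# Live use (assumption: run as root around the reload attempt):
#   before=$(ps -axo pid,command | grep '[n]ginx:')
#   nginx -s reload; sleep 2
#   classify "$before" "$(ps -axo pid,command | grep '[n]ginx:')"
```

An "unchanged" result is the cue to look at the error log for the reason the master kept the old configuration.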


Re: spamd in blacklist only modexd

2013-12-11 Thread Alexander Hall

On 12/11/13 21:23, Maurice Janssen wrote:

On 12/11/13 21:06, Alexander Hall wrote:

On 12/10/13 21:38, Maurice Janssen wrote:


How about this (and of course remove the spamd-setup bits from /etc/rc):

--- spamd.orig  Tue Dec 10 21:24:48 2013
+++ spamd   Tue Dec 10 21:24:14 2013
@@ -15,4 +15,12 @@
 return 0
  }

+rc_start() {
+   ${rcexec} ${daemon} ${daemon_flags} ${_bg}
+   spamd_setup_flags=-D
+   [ X${spamd_black} != XNO ]  \
+   spamd_setup_flags=-b ${spamd_setup_flags}
+   rc_do rc_wait start  /usr/libexec/spamd-setup
${spamd_setup_flags}
+}
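
Review bot: in rc_start, as the hunk reads here, the test `[ X${spamd_black} != XNO ]` is joined to `spamd_setup_flags=-b ${spamd_setup_flags}` only by a line continuation, so the assignment is passed to `[` as extra arguments instead of being run conditionally, and the unquoted value would split at the space even with an operator in place. Join the two with `&&` and quote the value, for example `spamd_setup_flags="-b ${spamd_setup_flags}"`. The same applies two lines further down, where `rc_do rc_wait start` is followed directly by `/usr/libexec/spamd-setup`: spamd-setup should only run once the wait has succeeded, so that blacklist data is not pushed at a spamd that failed to come up. It is also worth a comment that the exit status of rc_start is then that of spamd-setup rather than of the daemon start.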


This seems like the wrong order. Currently, we run spamd-setup prior to
starting spamd, which sounds more appropriate to me.



Are you sure?  In /etc/rc, spamd-setup is run after spamd and spamlogd.
Seems more appropriate to me, as spamd-setup sends blacklist data to spamd.


Crap, yes. I was thinking of spamd as a package being run through 
$pkg_scripts.


Indeed my suggestion makes less sense.

/Alexander



Maurice




Re: loongson:automatic loading of OpenBSD:YES to 8G ssd No for 500Gdisk

2013-12-11 Thread Miod Vallat
 PMON vers
 PMON: PMON2000 2.1 (Bonito) #14: Tue May 18 10:33:47 CST 2010

The yeeloong here runs the same version, and autoboots correctly, but
its disk is only 160GB.

I am not aware of anyone using >= 500GB disks in a Yeeloong, this could
very well trigger a bug in Lemote's bastardisation of PMON, and prevent
autoboot.

Miod



Re: ipv6 static routing

2013-12-11 Thread Todd T. Fries
Penned by dikshie on 20131208 19:50.21, we have:
| On Mon, Dec 9, 2013 at 7:00 AM, Claudio Jeker cje...@diehard.n-r-g.com wrote:
|  Check with tcpdump if the packets go out and to the right place.
|  Maybe try to figure out if they arrive at the destination to figure out
|  where they get lost.
| 
| sure, i'll check with tcpdump after working/business hour.
| 
| -dikshie-

I've installed a current snapshot on a kvm system and noted that with vio0 I
have the same problem you experience unless I manually program the global
IPv6 addresses via ndp.

If I change to em0 (e1000 in kvm speak) it works like a champ.

Perhaps you could try this change; I also would not be surprised if some
multicast bits that recently changed got twiddled for vio(4) as well.

Thanks,
-- 
Todd Fries .. t...@fries.net

 
|\  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC\  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com\  1.866.792.3418 (FAX)
| PO Box 16169, Oklahoma City, OK 73113-2169 \  sip:freedae...@ekiga.net
| ..in support of free software solutions. \  sip:4052279...@ekiga.net
 \
 
  37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt



Re: OpenBSD VPS Providers

2013-12-11 Thread Brett Mahar
|   I'm looking for a VPS provider that supports OpenBSD (preferably the
|   latest version). I've obviously found a few but what I really want is
|  easy
|   to create and destroy instances in the same way you can on Digital Ocean
|   and Linode (which I use for my Linux boxes).
|  
|   An API for automatic creation and destruction of virtual machines would
|  be
|   fantastic and if I was being really picky a European location for the
|   servers.
|  
|   Does anyone have any suggestions and recommendations? I'd rather use a
|   provider that has some positive customer reviews from this list. Some of
|   the available options from a Google search look a bit shabby (I could be
|   completely wrong and they are excellent companies I'm just basing it on
|   what I can see).
|  
|   I'll be using this box as a VPN server.
|  

Just as a general VPS, I've been using http://www.ransomit.com.au/ for a couple 
of months and they've been great for my openbsd mailserver/webserver. They have 
an openbsd 5.3 iso for install which I used to install a new bsd.rd and then 
install -current.

They respond quickly to questions so may be able to help you with your further 
requirements.

Cheers,
Brett.



Re: OpenBSD VPS Providers

2013-12-11 Thread opendaddy
On 11 December 2013 at 11:03 AM, Some Developer wrote:
Hi,

I'm looking for a VPS provider that supports OpenBSD (preferably the
latest version). I've obviously found a few but what I really want is
easy to create and destroy instances in the same way you can on
Digital Ocean and Linode (which I use for my Linux boxes).

We're all pretty much waiting for Digital Ocean. Unless it's a cloud,
it's a no-go in my book.

https://digitalocean.uservoice.com/forums/136585-digital-ocean/suggestions/3232571-support-bsd-os-

O.D.
An API for automatic creation and destruction of virtual machines
would be fantastic and if I was being really picky a European location
for the servers.

Does anyone have any suggestions and recommendations? I'd rather use a
provider that has some positive customer reviews from this list. Some
of the available options from a Google search look a bit shabby (I could
be completely wrong and they are excellent companies I'm just basing it
on what I can see).

I'll be using this box as a VPN server.



Re: OpenBSD VPS Providers

2013-12-11 Thread Matthew Dempsky
[Disclosure: I work for Google, but not on Compute Engine.]

On Fri, Dec 6, 2013 at 9:37 AM, Some Developer
someukdevelo...@gmail.com wrote:
 I'm looking for a VPS provider that supports OpenBSD (preferably the latest
 version).

I got OpenBSD working on Google Compute Engine, but I haven't
committed the vioscsi(4) driver yet or documented the steps involved.
Once that's done (probably in a week; I'm swamped right now), you
should be able to create an OpenBSD image for Compute Engine from an
official snapshot.

(If you're interested, feel free to start nagging me about this next Monday.)

 An API for automatic creation and destruction of virtual machines would be
 fantastic and if I was being really picky a European location for the
 servers.

Compute Engine has an API for creating/destroying
disks/images/instances/etc
(https://developers.google.com/compute/docs/reference/latest/), and
offers VMs in Europe.



(5.4-amd64) Broadcom BCM95821 Crypto Accelerator

2013-12-11 Thread Adam Jensen
I'm thinking of getting a Broadcom PCI-X crypto accelerator card for my 
Proliant ML370-G4. (I found one for $20). The number on the chip is 
BCM5821A1KTB. The ubsec driver man page seems to suggest that this chip 
will accelerate DES, Triple-DES, MD5-HMAC, and SHA1-HMAC operations for 
ipsec(4) and crypto(4). Unfortunately, I don't think this particular 
chip will accelerate AES-CBC.


Will anyone suggest any before and after performance tests that I might 
do to evaluate this card? Also, which encryption algorithms does the 
softraid CRYPTO discipline support? I didn't find that information in 
the man pages. It might be interesting to see if the Broadcom card will 
enhance encrypted volume disk performance.




Re: (5.4-amd64) Broadcom BCM95821 Crypto Accelerator

2013-12-11 Thread Ted Unangst
On Wed, Dec 11, 2013 at 21:21, Adam Jensen wrote:

 Will anyone suggest any before and after performance tests that I might
 do to evaluate this card? Also, which encryption algorithms does the
 softraid CRYPTO discipline support? I didn't find that information in
 the man pages. It might be interesting to see if the Broadcom card will
 enhance encrypted volume disk performance.

Honestly, I'd save your money.

softraid uses AES in XTS mode, fwiw, which is (only) accelerated by CPUs
with AESNI if you're running amd64.



Re: OpenBSD VPS Providers

2013-12-11 Thread James Shupe
On 12/11/2013 10:45 AM, James Records wrote:
 Hi,
 
 Take a look at www.hermetek.com  I've used them for OpenBSD hosting, they
 were great and very flexible.
 
 Best
 

Thanks for the mention; we always appreciate it.

We don't offer the APIs or host control the op is looking for, and we're
not likely to in the near future. That being said, this is a decision we
made because virtualization and shared hardware already present risks of
their own; no need to add to them with APIs and unmonitored hypervisor
and/or network operations. Anybody wanting to run OpenBSD in the cloud
should remember that a secure OS is not enough; the platform it runs on
must be trustworthy as well. This has been discussed, or at least
virtualization has, many times over the years on this mailing list. We
do our best to mitigate the risks and still have the benefits of
virtualization - it's a fine line that different opinions may draw at
different points.

<plug>If anybody from this list needs a VM, contact me and I'll see what
kind of deal I can make you.</plug>

-- 
James Shupe, HermeTek
developer/ engineer
BSD/ Linux support  hosting
jsh...@hermetek.com | www.hermetek.com
Office 8662351288 | Mobile 9035223425



Re: (5.4-amd64) Broadcom BCM95821 Crypto Accelerator

2013-12-11 Thread Adam Jensen

On 12/11/2013 10:09 PM, Ted Unangst wrote:

On Wed, Dec 11, 2013 at 21:21, Adam Jensen wrote:


Will anyone suggest any before and after performance tests that I might
do to evaluate this card? Also, which encryption algorithms does the
softraid CRYPTO discipline support? I didn't find that information in
the man pages. It might be interesting to see if the Broadcom card will
enhance encrypted volume disk performance.


Honestly, I'd save your money.



You might be right. I can't find any technical specifications for the 
card but the BCM5821 processor product brief says it has a 64-bit 33/66 
MHz PCI 2.2 interface. The card structurally appears to be PCI-X. I 
guess it's probably a 64-bit 66-MHz PCI-X card. I think this would cause 
the entire PCI-X bus to drop to 66MHz. That's something I cannot abide. 
Bummer.




ldapd user password change

2013-12-11 Thread Predrag Punosevac
I just finished the first of several LDAP deployments using LDAP server from
the base. So far works like a charm. One quick question. I know that
LDAP from the base is pretty bare bones but I was wondering if it
supports user password change. My clients are by the way RedHat machines
using SSSD instead of PAM for directory services.

Most Kind Regards,
Predrag Punosevac

P.S. Generating SSL certificates with easy-rsa for TLS works like a
charm.