Re: groupdel 'command' don't remove group id
On Wed, Mar 16, 2016 at 07:10:09AM +0100, Max Power wrote: | Hi Todd, guys. | | LogOut e reboot has been the first thing I have done, | but nothing... gid is always there! | | The group not exist but gid: yes! | # groups testx: group: can't find group 'testx' | # id testx: uid=1001(testx) gid=1001 groups=1001, 1000(laboratory) The gid id reports here is the group that's configured in your passwd file. The line will look like this: testx:*:1001:1001:Test User:/home/testx:/bin/ksh - That's the GID right there. A user always has a login group that's configed in /etc/passwd. If you don't want this group to be used, don't put users in it (either in /etc/group as additional groups or in /etc/passwd as the login group). Cheers, Paul 'WEiRD' de Weerd | I just can not understand this! | can someone please help me? | Thanks. | | The same situation, with other deleted group, is on another server with | OpenBSD 5.7 amd64. | | > A user's active groups are set at login time. Removing a group | > from the group file does not affect processes that are already | > running. If you logout and login again after removing the group | > you should no longer be a member of the group. | > | > - todd | -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: groupdel 'command' don't remove group id
Hi Todd, guys. LogOut e reboot has been the first thing I have done, but nothing... gid is always there! The group not exist but gid: yes! # groups testx: group: can't find group 'testx' # id testx: uid=1001(testx) gid=1001 groups=1001, 1000(laboratory) I just can not understand this! can someone please help me? Thanks. The same situation, with other deleted group, is on another server with OpenBSD 5.7 amd64. > A user's active groups are set at login time. Removing a group > from the group file does not affect processes that are already > running. If you logout and login again after removing the group > you should no longer be a member of the group. > > - todd
Re: Raspberrypi 3 was released
> On Mar 14, 2016, at 02:42, Karel Gardas wrote: > >> On Mon, Mar 14, 2016 at 10:07 AM, Roderick wrote: >> What about AMD Opteron A-Series? Does OpenBSD run on it? >> >> http://www.amd.com/en-us/products/server/opteron-a-series > > No and unfortunately reference doc is still under NDA. Also no answer > here: https://community.amd.com/thread/196120 > > I'm not sure about broadcom in RPi3, but I've tried to get doc from > AMCC for their X-Gene and from Cavium for their ThunderX but no > success so far. The only meaningful thing (i.e. performance higher > than A53 which is also in RPi3) with doc released is Nvidia's > Tegra-X1. > > If you are a fan of ARMv8 and you'd like to see this moving forward, > perhaps you can give a try to drahn_arm64 branch in bitrig project > git tree... IMHO thing which may be closest to OpenBSD tree... It seems to me that as time passes there will be additional armv8 choices. If I were to devote cycles to it it would seem preferable to work in the context of the real thing instead of something close. Is that poor reasoning? Also, even though the Pi3 has its blob problems it is inexpensive and may not be a bad way to get a v8 foundation in place. Again, is this wrong?
ntop on openbsd
Hi, i installed ntop by going to /usr/ports/net/ntop/ (then, make , make install) How to run it on web mode? When I type below command ntop -w 3000 -d it gives below output. -w mode is disabled for security reasons. I want to see traffic via web browser. How can I achieve this ? just a source. http://www.computerglitch.net/blog/attic/ntop-2-0-on-openbsd.html -- cat /etc/motd Thank you Indunil Jayasooriya http://www.theravadanet.net/ http://www.siyabas.lk/sinhala_how_to_install.html - Download Sinhala Fonts
Re: wireshark illegal instruction on older systems
On 2016-03-15, Stuart Henderson wrote: > Looks like Qt autodetects at build time, we probably want to configure > on i386 with no-avx, no-avx2, no-sse4.1, no-sse4.2, maybe no-ssse3. > (SSE2 is probably reasonable to expect for Qt5 apps, it's present on > Netburst, Pentium-M, Atom, C7 etc. which seems a sane cut-off point > for heavy GUI apps). Well, Peter did attempt to run it on Pentium II, which doesn't have SSE2. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: openbsd.org, openssh.com server(s) down
Failing PSU AFAIK from IRC. > On 15 Mar 2016, at 19:56, Gene wrote: > >> On Tue, Mar 15, 2016 at 7:22 AM, Martin Schröder wrote: >> >> 2016-03-15 14:31 GMT+01:00 Rudolf Sykora : >>> is it only I who cannot connect to either >>> of openbsd.org and openssh.com, or >> >> Nope. >> http://www.downforeveryoneorjustme.com/openbsd.org >> >> Best >> Martin > > They're back up. > > Any info on what caused the outage? (Just curious) > > -Gene
Re: groupdel 'command' don't remove group id
A user's active groups are set at login time. Removing a group from the group file does not affect processes that are already running. If you logout and login again after removing the group you should no longer be a member of the group. - todd
Re: /usr/games/hack
On Tue, Mar 15, 2016 at 3:52 PM, Kamil Cholewiński wrote: > setgid is setgid, you give unprivileged users an executable they can > play with. ... and a successful hack means that they can corrupt the score file. > A daemon can open a descriptor to the score file at startup, chroot, > drop privileges, and only then start accepting connections. Which leads to: > I can't think of a way a networked setgid could ever be possible. > Ultimately it means the score server would have to somehow trust the > input from whichever program is sending the score. I can think of ways a networked setgid could be made to work, but each involves significant hassle and annoyance. That said, I can think of another networked approach which should work fine for low volume use (but winds up being vulnerable to spam attacks - and of course is significantly more complicated than setgid). But what's so bad about giving unprivileged users an executable they can play with, in this specific case? Personally, I can think of more important things to worry about... -- Raul
Re: /usr/games/hack
> > You propose to start a score daemon all the time? Yes, you do... > > I didn't suggest it to be enabled by default. Administrator's choice. > Users can spawn private instances. No more dangerous than installing > openarena-server from ports. > > Not a score daemon but a game server. If it's a simple daemon keeping > scores, it couldn't stop users from submitting any score they please and > thus cheating. It gains nothing.
Re: /usr/games/hack
On Tue, 15 Mar 2016, Raul Miller wrote: > On Tue, Mar 15, 2016 at 3:04 PM, Kamil Cholewiński wrote: >> I didn't suggest it to be enabled by default. Administrator's choice. >> Users can spawn private instances. No more dangerous than installing >> openarena-server from ports. >> >> Not a score daemon but a game server. If it's a simple daemon keeping >> scores, it couldn't stop users from submitting any score they please and >> thus cheating. > > How is a game server better security (or better anything) than setgid > for these games? setgid is setgid, you give unprivileged users an executable they can play with. A daemon can open a descriptor to the score file at startup, chroot, drop privileges, and only then start accepting connections. > In my opinion: > > You'd basically have to rewrite everything from scratch to turn them > into game servers. And, ok, that might make a fun project for someone > with an MVC bent and an intense interest in game archeology, but the > development/debugging issues here are daunting (and offer lots of > potential for security holes). Agree. Probably easier to write a couple of new, fun games from scratch. > Meanwhile, if you trim that back to just a score server, you need to > create a networked equivalent of setgid - maybe not a bad project in > itself, but more opportunity for flaws. I can't think of a way a networked setgid could ever be possible. Ultimately it means the score server would have to somehow trust the input from whichever program is sending the score. Perhaps embed a signing key in the executable and chmod 111? Infrastructural mess, keys would have to be different per each install. Also not sure how to keep the user away from inspecting a core dump. Perhaps there could be a way to let an unprivileged process exchange one set of capabilities for another; like pledge, but a trade. "In exchange for this cookie, I promise I will only ever write /var/games/scores". Probably would end up having similar problems as setgid. > But maybe you have some working code which shows otherwise? (Have you > you looked at how these games were implemented?) > > Thanks, > > -- > Raul
Re: /usr/games/hack
On Tue, Mar 15, 2016 at 3:04 PM, Kamil Cholewiński wrote: > I didn't suggest it to be enabled by default. Administrator's choice. > Users can spawn private instances. No more dangerous than installing > openarena-server from ports. > > Not a score daemon but a game server. If it's a simple daemon keeping > scores, it couldn't stop users from submitting any score they please and > thus cheating. How is a game server better security (or better anything) than setgid for these games? In my opinion: You'd basically have to rewrite everything from scratch to turn them into game servers. And, ok, that might make a fun project for someone with an MVC bent and an intense interest in game archeology, but the development/debugging issues here are daunting (and offer lots of potential for security holes). Meanwhile, if you trim that back to just a score server, you need to create a networked equivalent of setgid - maybe not a bad project in itself, but more opportunity for flaws. But maybe you have some working code which shows otherwise? (Have you you looked at how these games were implemented?) Thanks, -- Raul
Re: /usr/games/hack
/use/games/scored Sent from my iPhone > On Mar 15, 2016, at 2:04 PM, Kamil Cholewiński wrote: > > On Tue, 15 Mar 2016, Theo de Raadt wrote: You obviously cannot make them private, because that destroys inter- terminal games, and you cannot remove the common data because it is the game status data. >>> >>> The rest of the gamedev world seems to handle this situation by >>> splitting the game into a client and a server part. >>> >>> The client handles whatever the player is supposed to witness with their >>> eyes, and communicates with the server using some network protocol. The >>> server accepts client input, executes the game logic, keeps the game >>> state, updates connected clients, and keeps scores. >>> >>> This would probably be a major rewrite for most games. >> >> You propose to start a score daemon all the time? Yes, you do... > > I didn't suggest it to be enabled by default. Administrator's choice. > Users can spawn private instances. No more dangerous than installing > openarena-server from ports. > > Not a score daemon but a game server. If it's a simple daemon keeping > scores, it couldn't stop users from submitting any score they please and > thus cheating.
Re: wireshark illegal instruction on older systems
On Tue, Mar 15, 2016 at 06:33:56PM +, Stuart Henderson wrote: > On 2016-03-15, Peter Kay wrote: > > It's a MOVSD SSE instruction. Tshark is ok. I can cope with that or tcpdump > > if need be, but here's the output : > > I think this variant of MOVSD might be AVX? > > > Starting program: /usr/local/bin/wireshark > > warning: Lowest section in /usr/local/lib/libicudata.so.9.0 is .hash at > > 0154 > > > > Program received signal SIGILL, Illegal instruction. > > 0x06d685fb in _GLOBAL__sub_I_qguiapplication.cpp () from > > /usr/local/lib/qt5/./libQt5Gui.so.1.1 > > Looks like it's in Qt5 then. Wireshark still has the "legacy" gtk GUI > (it's in a subpackage), you could try that instead for now. > > Looks like Qt autodetects at build time, we probably want to configure > on i386 with no-avx, no-avx2, no-sse4.1, no-sse4.2, maybe no-ssse3. > (SSE2 is probably reasonable to expect for Qt5 apps, it's present on > Netburst, Pentium-M, Atom, C7 etc. which seems a sane cut-off point > for heavy GUI apps). "maybe no-ssse3" There are a lot of "recent" AMD cpus which don't support ssse3. cpu0: AMD Athlon(tm) II X4 638 Quad-Core Processor, 2700.26 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,ITSC > > > 0x06d685fb <_GLOBAL__sub_I_qguiapplication.cpp+43>: movsd > > 0x8(%esp),%xmm0 > .. > > 0x06d6860c <_GLOBAL__sub_I_qguiapplication.cpp+60>: movsd > > %xmm0,0x8(%eax) > -- Juan Francisco Cantero Hurtado http://juanfra.info
Re: /usr/games/hack
On Tue, 15 Mar 2016, Theo de Raadt wrote: >> > You obviously cannot make them private, because that destroys inter- >> > terminal games, and you cannot remove the common data because it is the >> > game status data. >> >> The rest of the gamedev world seems to handle this situation by >> splitting the game into a client and a server part. >> >> The client handles whatever the player is supposed to witness with their >> eyes, and communicates with the server using some network protocol. The >> server accepts client input, executes the game logic, keeps the game >> state, updates connected clients, and keeps scores. >> >> This would probably be a major rewrite for most games. > > You propose to start a score daemon all the time? Yes, you do... I didn't suggest it to be enabled by default. Administrator's choice. Users can spawn private instances. No more dangerous than installing openarena-server from ports. Not a score daemon but a game server. If it's a simple daemon keeping scores, it couldn't stop users from submitting any score they please and thus cheating.
Re: /usr/games/hack
> > You obviously cannot make them private, because that destroys inter- > > terminal games, and you cannot remove the common data because it is the > > game status data. > > The rest of the gamedev world seems to handle this situation by > splitting the game into a client and a server part. > > The client handles whatever the player is supposed to witness with their > eyes, and communicates with the server using some network protocol. The > server accepts client input, executes the game logic, keeps the game > state, updates connected clients, and keeps scores. > > This would probably be a major rewrite for most games. You propose to start a score daemon all the time? Yes, you do...
Re: wireshark illegal instruction on older systems
On 2016-03-15, Peter Kay wrote: > It's a MOVSD SSE instruction. Tshark is ok. I can cope with that or tcpdump > if need be, but here's the output : I think this variant of MOVSD might be AVX? > Starting program: /usr/local/bin/wireshark > warning: Lowest section in /usr/local/lib/libicudata.so.9.0 is .hash at > 0154 > > Program received signal SIGILL, Illegal instruction. > 0x06d685fb in _GLOBAL__sub_I_qguiapplication.cpp () from > /usr/local/lib/qt5/./libQt5Gui.so.1.1 Looks like it's in Qt5 then. Wireshark still has the "legacy" gtk GUI (it's in a subpackage), you could try that instead for now. Looks like Qt autodetects at build time, we probably want to configure on i386 with no-avx, no-avx2, no-sse4.1, no-sse4.2, maybe no-ssse3. (SSE2 is probably reasonable to expect for Qt5 apps, it's present on Netburst, Pentium-M, Atom, C7 etc. which seems a sane cut-off point for heavy GUI apps). > 0x06d685fb <_GLOBAL__sub_I_qguiapplication.cpp+43>: movsd > 0x8(%esp),%xmm0 .. > 0x06d6860c <_GLOBAL__sub_I_qguiapplication.cpp+60>: movsd > %xmm0,0x8(%eax)
Re: openbsd.org, openssh.com server(s) down
On Tue, Mar 15, 2016 at 7:22 AM, Martin Schröder wrote: > 2016-03-15 14:31 GMT+01:00 Rudolf Sykora : > > is it only I who cannot connect to either > > of openbsd.org and openssh.com, or > > Nope. > http://www.downforeveryoneorjustme.com/openbsd.org > > Best >Martin > They're back up. Any info on what caused the outage? (Just curious) -Gene
Re: relayd - SSL acceleration / loadbalacing performance
With the following settings - e.g. by optimizing and simplifying pf.conf rules and relayd.conf we were able to push 24400 req/s through with HTTPS. :) Maybe this helps someone else. # ### # OpenBSD sysctl.conf net.inet.carp.preempt=1 kern.bufcachepercent=90 kern.maxfiles=20 kern.maxproc=5 kern.maxclusters=32768 net.inet.ip.forwarding=1 net.inet6.ip6.forwarding=1 net.inet.ip.ifq.maxlen=8192 net.inet.ip.mtudisc=0 net.inet.tcp.rfc3390=1 net.inet.tcp.mssdflt=1440 # ### # OpenBSD relayd.conf ip4_244 = "xx.xx.xx.244" ip4_245 = "xx.xx.xx.245" tracker5 = "10.5.3.34" tracker6 = "10.5.3.42" tracker7 = "10.5.3.50" interval 10 table { $tracker5, $tracker6, $tracker7 } prefork 12 http protocol https { ### TCP performance options tcp { nodelay, sack, socket buffer 65536, backlog 128 } match request header append "X-Forwarded-For" value "$REMOTE_ADDR" match request header append "X-Forwarded-By" \ value "$SERVER_ADDR:$SERVER_PORT" match header set "Keep-Alive" value "$TIMEOUT" pass tls { no tlsv1.0, ciphers "HIGH:!aNULL" } tls session cache disable } relay wwwssl { listen on $ip4_244 port 443 tls listen on $ip4_245 port 443 tls protocol "https" forward to port 8083 mode roundrobin check tcp session timeout 60 } relay www { listen on $ip4_244 port 80 listen on $ip4_245 port 80 forward to port 8083 mode roundrobin check tcp } # ### # OpenBSD: pf.conf tcp_services = "{ domain }" udp_services = "{ domain }" tcp_public_services = "{ www, https }" pfsync_int = trunk2 # Pfsync interface int_if = trunk1 # DMZ (internal) interface ext_if = trunk0 # External CARP interface # Increase limits set limit { states 25000, src-nodes 25000, table-entries 30 } # Aggressive settings set optimization aggressive set timeout { adaptive.end 12, interval 2, tcp.tsdiff 5, tcp.first 5, tcp.closing 5, tcp.closed 5, tcp.finwait 5, tcp.established 4200} # See pf.conf(5) and /etc/examples/pf.conf anchor "relayd/*" set block-policy drop set loginterface $ext_if set skip on lo set skip on $int_if set skip on $pfsync_int match in all scrub (no-df max-mss 1440) # Block everything by default block all # Allow main service of this host pass quick proto tcp to port $tcp_public_services keep state pass out quick proto tcp to port $tcp_services keep state pass proto udp to port $udp_services keep state # Pass CARP pass quick proto carp keep state (no-sync) # SSH backup channel from Wooga office pass in on trunk0 inet proto tcp from xx.xx.xx.xx/xx to any port 22 keep state (no-sync) # Allow pings for Pingdom status checks pass on trunk0 inet proto icmp keep state (no-sync) pass on trunk0 inet6 proto icmp6 keep state (no-sync) On Tue, Mar 15, 2016 at 11:49 AM, Tobias Feldhaus wrote: > We have 3x Supermicro Intel Dual Xeon E5-2620v3 powered systems with 32GB > ECC > memory, 4x 10 Gigabit Ethernet NICs (Intel X520-DA2), and 2x Gigabit > Ethernet > onboard NICs connected towards a Virtual Chassis of a Juniper EX 4550 > Ethernet > Switch, running OpenBSD 5.8 with all (11) patches. > > We want to use these 3 systems as loadbalancers, 2x 10GE (trunk0, LACP) > inbound, > 2x 10GE (trunk1, LACP) outbound, 2x 1GE (trunk2, LACP) for Pfsync. > > LB-1 shares a public IP with LB-2, and LB-2 and LB-3 do the same (via > CARP). We > use relayd for Loadbalancing the traffic towards 3 backend servers, all > they > currently do is serving a HTTP 200 OK response. > > When we load tested one LB's HTTP performance alone with wrk - we get > about 40k > req/s when testing with one machine in the same network as a client, and > more > than 100k req/s when testing with 3 client machines. Doing the test with > HTTPS > brings the performance down to 1400 req/s, and it does not matter if using > more > or less clients, the total number of req/s stays almost the same. > > The overall load of the systems is low (below 2-3), memory utilization is > low as well. > > As we don't have experience with OpenBSD and relayd we can only compare > these > numbers to FreeBSD and HAproxy, which we used in our previous setup. Our > configuration files are listed below - we would be happy about any comment > how > to improve the HTTPS performance. > > > # ### > # OpenBSD sysctl.conf > > net.inet.carp.preempt=1 > > ### Tried with and without the following settings - with some effect > kern.bufcachepercent=90 > > kern.maxfiles=20 > kern.maxproc=5 > > kern.maxclusters=32768 > machdep.allowaperture=2 > net.inet.ip.forwarding=1 > net.inet.ip.ifq.maxlen=8192 > net.inet.ip.mtudisc=0 > net.inet.tcp.rfc3390=1 > net.inet.tcp.mssdflt=1440 > > > > # #
groupdel 'command' don't remove group id
Hi peoples! Operating System: OpenBSD 5.8 amd64. I removed a group with 'groupdel' command, When I run the 'groups' command the result is: 'group: can't find group 'testx' ...but when the I run 'id' command or look for the user that was associated with it, the group exist: id testx = uid=1001(testx) gid=1001 groups=1001, 1000(laboratory) # groups testx [user in this case associated with other group]: 1001 laboratory The same scenario, with OpenBSD 5.7 amd64 with 'groups' command, gid non appears: # groups testx laboratory but for the rest is the same, although the group is removed his gid exist. Why this happens? Can I remove gid? Thanks for Your replies.
proper way to terminate bgpd (removing routes from RIB upon termination of bgpd)
Hi, I'm wondering what a good way of terminating bgpd would be. Context: OpenBSD box (5.8 GENERIC.MP#1236 amd64) running ospfd, bgpd, ... When terminating bgpd (pkill bgpd), routes installed by bgpd are not being removed from the routing table (this server is getting 4 full views and a lot of peering sessions (see bgpctl show rib mem below)). How to have the routes removed from the rib when the bgpd daemon is killed ? Thanks :bgpctl show rib mem: RDE memory statistics 583225 IPv4 unicast network entries using 22.2M of memory 95527 IPv6 unicast network entries using 5.1M of memory 1355164 rib entries using 82.7M of memory 6696529 prefix entries using 409M of memory 1150903 BGP path attribute entries using 132M of memory 402714 BGP AS-PATH attribute entries using 21.8M of memory, and holding 1150903 references 32147 BGP attributes entries using 1.2M of memory and holding 3629437 references 32146 BGP attributes using 805K of memory RIB using 674M of memory
Re: openbsd.org, openssh.com server(s) down
On Tue, Mar 15, 2016 at 09:36:33AM -0400, Matt Schwartz wrote: > Seems like there might be an outage. I cannot reach either openbsd.org or > openssh.com. > > On Mar 15, 2016 9:32 AM, "Rudolf Sykora" wrote: > > > > Hello, > > > > is it only I who cannot connect to either > > of openbsd.org and openssh.com, or > > is the server down? Not just for you nor me: http://www.isup.me/www.openbsd.org > > > > Thanks > > Ruda -- / Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: openbsd.org, openssh.com server(s) down
2016-03-15 14:31 GMT+01:00 Rudolf Sykora : > is it only I who cannot connect to either > of openbsd.org and openssh.com, or Nope. http://www.downforeveryoneorjustme.com/openbsd.org Best Martin
Re: openbsd.org, openssh.com server(s) down
Seems like there might be an outage. I cannot reach either openbsd.org or openssh.com. On Mar 15, 2016 9:32 AM, "Rudolf Sykora" wrote: > > Hello, > > is it only I who cannot connect to either > of openbsd.org and openssh.com, or > is the server down? > > Thanks > Ruda
Re: Silly typo in docs
Mon, 14 Mar 2016 22:12:12 +0100 Murk Fletcher > I see what you mean and you're right, it can go both ways. Does not change a thing. Maybe concentrate on improving incomplete, missing or required sections rather than churn on wording and style.
openbsd.org, openssh.com server(s) down
Hello, is it only I who cannot connect to either of openbsd.org and openssh.com, or is the server down? Thanks Ruda
Re: /usr/games/hack
On Tue, 15 Mar 2016, Black Rider wrote: > El Sun, 13 Mar 2016 20:17:00 +0100, Theo Buehler escribió: > >> On Sun, Mar 13, 2016 at 02:06:54PM -0500, Edgar Pettijohn wrote: >>> On current I get the following when starting 'hack' >>> >>> "Cannot get status of hack" >>> >>> It worked on 5.8 release. Just wanted to see if anyone else had the >>> same problem. >> >> hack, hunt, phantasia and sail are either completely broken or mostly >> broken since they had their setgid bits removed almost 4 months ago: >> >> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/games/hack/Makefile >> >> so far, nobody has stepped up to fix them and I think you're the first >> to mention it on the list. > > From the link: > > "score file features must be removed, or > rewritten to use private files" > > That can be ok for some games, but Phantasia stores the game status in > common files that must be accesible/writeable by the players, I think. > You obviously cannot make them private, because that destroys inter- > terminal games, and you cannot remove the common data because it is the > game status data. The rest of the gamedev world seems to handle this situation by splitting the game into a client and a server part. The client handles whatever the player is supposed to witness with their eyes, and communicates with the server using some network protocol. The server accepts client input, executes the game logic, keeps the game state, updates connected clients, and keeps scores. This would probably be a major rewrite for most games. K.
Re: /usr/games/hack
El Sun, 13 Mar 2016 20:17:00 +0100, Theo Buehler escribió: > On Sun, Mar 13, 2016 at 02:06:54PM -0500, Edgar Pettijohn wrote: >> On current I get the following when starting 'hack' >> >> "Cannot get status of hack" >> >> It worked on 5.8 release. Just wanted to see if anyone else had the >> same problem. > > hack, hunt, phantasia and sail are either completely broken or mostly > broken since they had their setgid bits removed almost 4 months ago: > > http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/games/hack/Makefile > > so far, nobody has stepped up to fix them and I think you're the first > to mention it on the list. >From the link: "score file features must be removed, or rewritten to use private files" That can be ok for some games, but Phantasia stores the game status in common files that must be accesible/writeable by the players, I think. You obviously cannot make them private, because that destroys inter- terminal games, and you cannot remove the common data because it is the game status data.
Relayd relay http persistent connection to different destination (filter by url)
Hi all, I'm trying to relay an http connection to differents destination based on url filtering. It works great but since url used for filtering are on the same domain, browser tends to use a persistent connection: "Connection: keep-alive". Relayd seems to keep using the first match destination even when http request match the second one. Here is my relayd configuration: table { 127.0.0.1 } table { 127.0.0.1 } http protocol "httpfilter" { return error match url "www.example.org/" forward to match url "www.example.org/api/" forward to } relay www { listen on 127.0.0.1 port 80 protocol httpfilter forward to port 8080 check tcp forward to port 8181 check tcp } Here is how I test with persistent connection: curl http://www.example.org http://www.example.org/api/ and here is the log I get: relay www, session 1 (1 active), 0, 127.0.0.1 -> 127.0.0.1:8080, done, GET GET Giving a look at relayd source code I suppose that this scenario is known. In relay_http.c, int relay_match_actions(); relayd is changing the destination table with the one from the matched rule. Am I doing something wrong ? something not supported ? I'm more than willing to help on this. Regards, -- Paul Fariello
relayd - SSL acceleration / loadbalacing performance
We have 3x Supermicro Intel Dual Xeon E5-2620v3 powered systems with 32GB ECC memory, 4x 10 Gigabit Ethernet NICs (Intel X520-DA2), and 2x Gigabit Ethernet onboard NICs connected towards a Virtual Chassis of a Juniper EX 4550 Ethernet Switch, running OpenBSD 5.8 with all (11) patches. We want to use these 3 systems as loadbalancers, 2x 10GE (trunk0, LACP) inbound, 2x 10GE (trunk1, LACP) outbound, 2x 1GE (trunk2, LACP) for Pfsync. LB-1 shares a public IP with LB-2, and LB-2 and LB-3 do the same (via CARP). We use relayd for Loadbalancing the traffic towards 3 backend servers, all they currently do is serving a HTTP 200 OK response. When we load tested one LB's HTTP performance alone with wrk - we get about 40k req/s when testing with one machine in the same network as a client, and more than 100k req/s when testing with 3 client machines. Doing the test with HTTPS brings the performance down to 1400 req/s, and it does not matter if using more or less clients, the total number of req/s stays almost the same. The overall load of the systems is low (below 2-3), memory utilization is low as well. As we don't have experience with OpenBSD and relayd we can only compare these numbers to FreeBSD and HAproxy, which we used in our previous setup. Our configuration files are listed below - we would be happy about any comment how to improve the HTTPS performance. # OpenBSD sysctl.conf net.inet.carp.preempt=1 ### Tried with and without the following settings - with some effect kern.bufcachepercent=90 kern.maxfiles=20 kern.maxproc=5 kern.maxclusters=32768 machdep.allowaperture=2 net.inet.ip.forwarding=1 net.inet.ip.ifq.maxlen=8192 net.inet.ip.mtudisc=0 net.inet.tcp.rfc3390=1 net.inet.tcp.mssdflt=1440 # OpenBSD relayd.conf ip4_244 = "xx.xx.xx.244" ip4_245 = "xx.xx.xx.245" tracker5 = "10.5.3.34" tracker6 = "10.5.3.42" tracker7 = "10.5.3.50" interval 10 table { $tracker5, $tracker6, $tracker7 } prefork 12 http protocol https { ### TCP performance options tcp { nodelay, sack, socket buffer 65536, backlog 128 } match request header append "X-Forwarded-For" value "$REMOTE_ADDR" match request header append "X-Forwarded-By" \ value "$SERVER_ADDR:$SERVER_PORT" match request header set "Connection" value "close" tls { no tlsv1.0, ciphers HIGH } tls session cache disable # tried enabling/disabling -> no effect } relay wwwssl { listen on $ip4_244 port 443 tls listen on $ip4_245 port 443 tls protocol "https" forward to port 8083 mode loadbalance check tcp } relay www { listen on $ip4_244 port 80 listen on $ip4_245 port 80 forward to port 8083 mode loadbalance check tcp } # OpenBSD: pf.conf tcp_services = "{ domain, www, https }" udp_services = "{ domain }" tcp_public_services = "{ www, https }" icmp_types = "{ echorep, echoreq, unreach}" icmp6_types = "{ echorep, echoreq, unreach, timex, paramprob, routersol, routeradv, neighbrsol, neighbradv, redir }" pfsync_int = trunk2 # Pfsync interface int_if = trunk1 # DMZ (internal) interface ext_if = trunk0 # External CARP interface # Increase limits set limit { states 10, src-nodes 10, table-entries 200 } # Optimizations set optimization aggressive set timeout { adaptive.end 12, interval 2, tcp.tsdiff 5, tcp.first 5, tcp.closing 5, tcp.closed 5, tcp.finwait 5, tcp.established 4200} # tried with # and without - very small effect # See pf.conf(5) and /etc/examples/pf.conf anchor "relayd/*" set reassemble yes set block-policy drop set loginterface $ext_if set skip on lo set skip on $int_if set skip on $pfsync_int # Scrub incoming match in all scrub (no-df max-mss 1440) # Block everything by default block all # Activate spoofing protection block in quick from urpf-failed # Allow main service of this host pass out proto tcp to port $tcp_services keep state pass in proto tcp to port $tcp_public_services keep state pass proto udp to port $udp_services keep state # Pass CARP and pfsync pass proto carp keep state (no-sync) pass quick proto pfsync keep state (no-sync) # SSH backup channel from Wooga office pass in on trunk0 inet proto tcp from 185.74.12.0/22 to any port 22 keep state (no-sync) # Allow pings for Pingdom status checks pass on trunk0 inet proto icmp icmp-type $icmp_types keep state (no-sync) pass on trunk0 inet6 proto icmp6 icmp6-type $icmp6_types keep state (no-sync)
zdump - nonexistent zone
It seems zdump(8) just displays GMT for zones which do not exist. Is that intended? Jan $ zdump Canada/* Canada/Toronto Canada/Atlantic Tue Mar 15 05:22:21 2016 ADT Canada/CentralTue Mar 15 03:22:21 2016 CDT Canada/East-Saskatchewan Tue Mar 15 02:22:21 2016 CST Canada/EasternTue Mar 15 04:22:21 2016 EDT Canada/Mountain Tue Mar 15 02:22:21 2016 MDT Canada/Newfoundland Tue Mar 15 05:52:21 2016 NDT Canada/PacificTue Mar 15 01:22:21 2016 PDT Canada/Saskatchewan Tue Mar 15 02:22:21 2016 CST Canada/Yukon Tue Mar 15 01:22:21 2016 PDT Canada/TorontoTue Mar 15 08:22:21 2016 GMT