Re: Override NGROUPS_MAX

[Sébastien Morand]

Hi,

> Congratulations.   You are no longer running OpenBSD.  Your system
> has a significant incompatibility, and now we cannot accept any
> bug reports from you anymore.  Any bug you hit might be due to that
> change you made.  You own the change.

This is true, thanks for the reminder although I was aware of this matter.

I'm not deploying this change widely in my company, all my others
OpenBSD servers still use unmodified 5.9 kernel and packages.

I won't report any bug from this machine nor from related computer
(particularly using NFS protocol even with unmodified kernel and
packages).

Regards,
Sébastien

Re: strange behaviour spamd

[Chris Bennett]

On Fri, Jul 22, 2016 at 10:53:01AM +0200, Markus Rosjat wrote:
> This seems flawed , because when I see a spammer sending a mail to 10
> addresses and I trap the spammer IP the grey entries shouldn't over ride the
> Trap entry at all. I even put the ip on my personal blacklist and called the
> spamd-setup to take effect. At this point the grey entries shouldnt be
> delivered in my opinion.
> 
> 
> 
> Am 22.07.2016 um 09:54 schrieb Peter Hessler:
> >Greytrap addresses only trap the systems when it has not been seen
> >before.  In your case, they arlready have a GREY entry, so they have
> >been seen and the trapping won't take effect.

I have to agree with Markus Rosjat 100%.
I have a script running that picks out evil spam addresses that I have
seen previously and traps them.
Which is worthless, as it runs off the Greytrapped addresses.
Which means that the only way I can block them is with pfctl blocking
the address permanently? Some of these IP addresses are forged, but
would still block that address for the incoming spam.

Seriously, I'm looking at this wrong or is there another answer I'm not
seeing?

Thanks,
Chris Bennett

Re: Driving 4k Display for OpenBSD Workstation

[lists]

Thu, 21 Jul 2016 21:41:23 -0700 Bryan Vyhmeister 
> On Fri, Jul 22, 2016 at 02:05:07PM +1000, Jonathan Gray wrote:
> > There is no kernel support for skylake and it will require firmware.
> > https://01.org/linuxgraphics/intel-linux-graphics-firmwares
> > 
> > The intel code in Mesa does not use gallium or LLVM.
> > 
> > Using efifb with a 4k display would likely be horribly slow due to the
> > high number of pixels to push.  
> 
> I guess I will find out just how slow. I have two 4k monitors on the
> way (the Dell P4317W and also an HP Z27s). Perhaps I will pick up some
> more 30-inch 2560x1600 monitors for now. Thanks for all the info.

27" are less expensive, plus have all the better colour depth numbers, see:

http://www.tftcentral.co.uk/articles/panel_parts_content_files/sheet008.htm

You will see there are much less panels in the database above 27", which is
another hint for you, on top of the ~100 DPI paper / book printing quality.

> Short answer from user level: I'd personally get more 2560x1440 27" IPS
> monitors for now, and use the excess budget for another set of the same.
> You'd probably have to get a slightly older & cheaper video card (6450).
> I know of no justification for a 5K monitor yet, though I want one too..

Re: iwm performance (was: Re: how would you troubleshoot your wifi?)

[David Dahlberg]

Am Freitag, den 22.07.2016, 11:36 +0200 schrieb Stefan Sperling:

> I've already been told about iwm performance regressions compared to
> 5.9,
> so I'd like to make a statement (not just directed at you, Andreas,
> but
> at everyone).

JFYI: A temporary workaround which works for me (on a X1C3) is disabling
802.11n with "ifconfig mode".

Re: Network Interface "Intel I350 Fiber" 8 Port Module shows only 4 Ports

[Marco Prause]

Re,


> So, I've just adjusted my build scripts and jenkins-job and hit the
> build button a few minutes ago to build a 5.9 stable image (yes it's not
> current, but I didn't see any changes in plus.html concerning em
> interfaces or pci stuff, but this will be the next step.

just as a short actual information on this topic. Booted with 5.9, but I
still see just the first 4 interfaces that belong to the first chip on
the card :

 2:0:0: Intel I350 Fiber
 2:0:1: Intel I350 Fiber
 2:0:2: Intel I350 Fiber
 2:0:3: Intel I350 Fiber

em0 at pci2 dev 0 function 0 "Intel I350 Fiber" rev 0x01: msi, address
00:90:0b:4b:54:0e
em1 at pci2 dev 0 function 1 "Intel I350 Fiber" rev 0x01: msi, address
00:90:0b:4b:54:0f
em2 at pci2 dev 0 function 2 "Intel I350 Fiber" rev 0x01: msi, address
00:90:0b:4b:54:10
em3 at pci2 dev 0 function 3 "Intel I350 Fiber" rev 0x01: msi, address
00:90:0b:4b:54:11


Unfortunately I'm just connected to a remote lab, so I neither can't
check the Bios settings or version concerning any PCI stuff nor perform
a "normal" installation.


Another question arised while looking at the supported media-types:

# ifconfig em1 media
em1: flags=18802 mtu 1500
lladdr 00:90:0b:4b:54:0f
priority: 0
media: Ethernet autoselect (none)
status: no carrier
supported media:
media 1000baseSX mediaopt full-duplex
media 1000baseSX
media autoselect
#

Having a look at the specification and em(4) I thought, it would be
possible to connect e.g. 1000baseLX transceiver too.
Does anybody know, if it is just because there's no 1000baseLX plugged
in at the moment, or are there any limitations I should be aware of ?



So long,
Marco

Re: Unable to open UPS device. [apcupsd]

[Radek]

Thanks a lot!
I followed /usr/local/share/doc/pkg-readmes/apcupsd-3.14.1* and after 
recompiling my kernel my USB UPS works with apcupsd. 

#dmesg | grep UPS
ugen0 at uhub1 port 1 "American Power Conversion Smart-UPS 2200 FW:UPS 09.3 / 
ID=18" rev 2.00/1.06 addr 2

On Thu, 14 Jul 2016 17:10:45 +0300
"Kirill Bychkov"  wrote:

> On Thu, July 14, 2016 15:56, Radek wrote:
> > Hi,
> > I can not set up apcupsd to work with USB. Any help appreciated.
> >
> [...]
> >
> > #dmesg
> [...]
> > uhidev0 at uhub2 port 1 configuration 1 interface 0 "American Power 
> > Conversion
> > Smart-UPS 2200 FW:UPS 09.3 / ID=18" rev 2.00/1.06 addr 2
> > uhidev0: iclass 3/0, 146 report ids
> > upd0 at uhidev0
> 
> Hi!
> If you want your USB UPS to work with apcupsd you should disable upd and
> uhidev drivers in your kernel. When UPS attach like ugen* then it wil work
> with apcupsd.
> Take a look at /usr/local/share/doc/pkg-readmes/apcupsd-3.14.1*
> 


-- 
radek

Re: Install OpenBSD on disks larger than 2TB

[Leo Unglaub]

Hey,

On 07/22/16 10:29, Alexander Hall wrote:

How did you install the system? If you didn't already, use the installer and 
point it at the softraid disk (likely sd2). If that doesn't help, please show 
what happens.

"i am unable to boot" tells us nothing.


i used the installer for installing OpenBSD. I selected sd2 during the 
install process and created a GPT layout on that disc. Then it continues 
by installing it normally. But in the last step i get the following 
error message:


installboot: no OpenBSD partition
Failed to install bootblocks.
You will not be able to boot OpenBSD from sd2

I asume thats because OpenBSD cannot boot from GPT? Only from MBR?
Thanks and greetings
Leo

iwm performance (was: Re: how would you troubleshoot your wifi?)

[Stefan Sperling]

On Thu, Jul 21, 2016 at 08:25:11PM +0200, Andreas Bartelt wrote:
> sorry, my response was not precise - the "fatal" error is gone now but the
> observed performance problems are still there.

I've already been told about iwm performance regressions compared to 5.9,
so I'd like to make a statement (not just directed at you, Andreas, but
at everyone).

Recently, I've been focusing on improving wireless stability after many
reports of lag, dropped links, and similar problems ever since 11n support
was introduced. This effort is still on-going, since I am still unable to
reproduce some of the reported issues. If such fixes end up decreasing
performance in some use cases then I'm entirely fine with that.

One possibility is that perceived performance drops are a side effect of
frame protection we've enabled. This may show up as a performance drop for
users which are alone with their AP and never see interference (so frame
protection doesn't buy them anything, it just adds overhead).
Many users are not alone with their AP but share a channel with a dozen
other APs or so and frame protection _really_ helps them. In the most
extreme cases (which I've reproduced with help from phessler@) these
users cannot use wifi at all without frame protection (TCP stalls).
To get an idea about the overhead added by RTS/CTS, see
http://www.testequipmentdepot.com/flukenetworks/pdf/802.11n-compatibility.pdf
(When reading this, keep in mind we send at MCS 7 max, without aggregation.)

In the best iwm performance regression report I've received so far, the
reporter tracked the regression down to a particular commit (r1.86 if_iwm.c).
Backing out that commit restores performance to 5.9 levels for this user.
But this commit fixed an unrelated problem, which was that IPv6 autoconf and
ARP briefly stopped working in -current after we upgraded iwm's firmware.
I don't understand how this relates. It may involve invisible details handled
within the magic firmware, or it may be a driver bug, or prior performance
levels may have been a side effect of a real stability problem. In any case,
I won't back out this commit to restore performance for one user if backing
out that commit means that other known bugs will come back.

More generally speaking, given that our 11n implementation is still in its
infancy, and doesn't yet use any of the new features which are supposed to
vastly increase throughput, it is premature to complain about performance.
For now, stability gets priority.

Re: strange behaviour spamd

[Markus Rosjat]

This seems flawed , because when I see a spammer sending a mail to 10 
addresses and I trap the spammer IP the grey entries shouldn't over ride 
the Trap entry at all. I even put the ip on my personal blacklist and 
called the spamd-setup to take effect. At this point the grey entries 
shouldnt be delivered in my opinion.




Am 22.07.2016 um 09:54 schrieb Peter Hessler:

Greytrap addresses only trap the systems when it has not been seen
before.  In your case, they arlready have a GREY entry, so they have
been seen and the trapping won't take effect.


On 2016 Jul 21 (Thu) at 17:34:37 +0200 (+0200), Markus Rosjat wrote:
:Hi there,
:
:I noticed that a trapped ip gets whitelisted when there are still greylisted
:messages. this shouldn't happen when I use the -a -t switches to trap the ip
:or do I miss something here ?
:
:Regards
:
:--
:Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de
:
:G+H Webservice GbR Gorzolla, Herrmann
:K??nigsbr??cker Str. 70, 01099 Dresden
:
:http://www.ghweb.de
:fon: +49 351 8107220   fax: +49 351 8107227
:
:Bitte pr??fen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before you
:print it, think about your responsibility and commitment to the ENVIRONMENT
:



--
Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT

Re: Install OpenBSD on disks larger than 2TB

[Alexander Hall]

On July 21, 2016 7:56:57 PM GMT+02:00, Leo Unglaub  wrote:
>Hey,
>i am using OpenBSD with two harddrives. Both of them are 2 TB and i put
>
>them in a Raid 1 (mirroring) using softraid0. It works perfect, the 
>system boots from the raid 1 and runs perfectly.
>
>Sadly now 2 TB is not enought disc space anymore and i got some new 4TB
>
>drives. I suceeded in crating a raid 1 on them, but i am unable to boot
>
>of those drives. Do you have any ideas what i could try next?
>
>Here is what i did so far:
>
>fdisk -igy sd0
>fdisk -igy sd1
>disklabel -E sd0 (created a partition of type RAID)
>disklabel -E sd1 (created the same disklayout)
>bioctl -c1 -l sd0a,sd1a softraid0 (resulted in sd2 beeing created)
>
>
>I can install OpenBSD on the new sd2 but i cannot boot from it. I used 
>the latest snapshot to try this.

How did you install the system? If you didn't already, use the installer and 
point it at the softraid disk (likely sd2). If that doesn't help, please show 
what happens. 

"i am unable to boot" tells us nothing.

/Alexander 

>
>Any ideas?
>Thanks and greetings
>Leo

Re: strange behaviour spamd

[Peter Hessler]

Greytrap addresses only trap the systems when it has not been seen
before.  In your case, they arlready have a GREY entry, so they have
been seen and the trapping won't take effect.


On 2016 Jul 21 (Thu) at 17:34:37 +0200 (+0200), Markus Rosjat wrote:
:Hi there,
:
:I noticed that a trapped ip gets whitelisted when there are still greylisted
:messages. this shouldn't happen when I use the -a -t switches to trap the ip
:or do I miss something here ?
:
:Regards
:
:--
:Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de
:
:G+H Webservice GbR Gorzolla, Herrmann
:K??nigsbr??cker Str. 70, 01099 Dresden
:
:http://www.ghweb.de
:fon: +49 351 8107220   fax: +49 351 8107227
:
:Bitte pr??fen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before
you
:print it, think about your responsibility and commitment to the ENVIRONMENT
:

--
We don't understand the software, and sometimes we don't understand the
hardware, but we can *___see* the blinking lights!

Re: Question on Theo's dotSecurity paper

[patrick keshishian]

On 7/21/16, Ted Unangst  wrote:
> patrick keshishian wrote:
>> Hi,
>>
>> Quick question about Theo de Raadt's "Presentations: dotSecurity
>> 2016"[1]. Slide 11 says "Most violations result in process being killed",
>> not all violations?
>>
>> Just wanted clarification here.
>
> If you look at kern_pledge.c, you'll see a couple instances where EPERM is
> returned instead of killing the process.

Thank you