Re: Watch out for bad options in /var/run/rc.d/$daemon

2017-01-03 Thread Antoine Jacoutot
On Tue, Jan 03, 2017 at 11:01:18PM -0700, Andy Bradford wrote:
> Hello,
> 
> Since I couldn't find any reference  to this anywhere, I thought I would
> put out a description of the problem in the event that someone else runs
> into it with other daemons.
> 
> At one  point in time,  identd -l had a  different meaning than  it does
> now. After upgrading,  I noticed that identd was not  running, thanks to
> the following section in the daily output email:
> 
> Services that should be running but aren't:
> identd
> 
> So I began investigating why it wasn't running and found the following 
> in /var/log/messages:
> 
> Jan  3 22:46:56 obsd identd[80696]: h/auth: no address associated with name
> Jan  3 22:46:56 obsd identd[84721]: child has gone
> 
> Looking at the output, it seemed  clear that something had changed, so I
> looked at the man page for identd, and sure enough, -l is now different.
> Previously, in /etc/rc.conf.local, I had:
> 
> identd_flags="-elh"
> 
> Which coincided  with the error message.  Clearly -lh meant that  it was
> trying to look  up a host named h, which  doesn't exist, whereas before,
> -l meant to log  to syslog. So, I removed the  -l from identd_flags, and
> tried to  restart the daemon. Much  to my dismay, it  failed to restart,
> even though I had corrected the problem in rc.conf.local.
> 
> As  it turns  out, after  further investigation,  I discovered  that the
> flags get cached in /var/run/rc.d/identd:
> 
> $ cat /var/run/rc.d/identd 
> daemon_class=daemon
> daemon_flags=-elh
> daemon_rtable=0
> daemon_timeout=30
> daemon_user=root
> pexp=identd: (listen|resolver)
> 
> There's the offending -l that I thought I had removed!
> 
> I can see why now:
> 
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/rc.d/rc.subr?annotate=1.116
> 
> On line 109, the options that are cached in the _RC_RUNFILE override any
> that were provided before rc_cmd() was called.
> 
> Not sure  if this is  a bug.  How often does  a command line  option get
> repurposed for something else?
> 
> At any rate, I wanted to give a heads up to anyone else who might end up
> with a daemon which refuses to restart, even after the options have been
> corrected.

Nice catch, but the real issue comes from identd(8).

# /usr/sbin/identd -elh
# echo $?
0
# pgrep identd
#

See, it's not running but the return code was 0, which made rc.d(8) believe the
daemon was properly started, in which case the variables are cached (so that we
can still match the daemon in the process list if the flags are changed in
rc.conf.local).

Someone fix identd please :-)

-- 
Antoine
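
The situation described in this thread (a runfile left in /var/run/rc.d after a daemon returned 0 without actually running, with cached flags that no longer match rc.conf.local) can be checked for with a short script. This is an added example, not code from the thread or from OpenBSD's rc.subr; the function names, the status strings and the process-list file are assumptions, and the sample files are constructed from the values quoted above.

```shell
#!/bin/sh
# Added illustration; not OpenBSD's rc.subr code. All function names and
# status strings here are hypothetical.

# Print the daemon_flags value recorded in an rc.d runfile.
runfile_flags() {
    sed -n 's/^daemon_flags=//p' "$1"
}

# Print <daemon>_flags from an rc.conf.local-style file ($1), for daemon $2.
# The last assignment wins; surrounding double quotes are removed.
conf_flags() {
    sed -n "s/^${2}_flags=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# audit_runfile RUNFILE CONF DAEMON PSLIST
# PSLIST is a file with one process title per line; how it is collected on a
# live system is left to the caller. Prints one status line:
#   no-runfile | ok | not-running cached=.. configured=.. |
#   flags-differ cached=.. configured=..
audit_runfile() {
    runfile=$1 conf=$2 daemon=$3 pslist=$4
    [ -f "$runfile" ] || { echo no-runfile; return 0; }
    pexp=$(sed -n 's/^pexp=//p' "$runfile")
    cached=$(runfile_flags "$runfile")
    wanted=$(conf_flags "$conf" "$daemon")
    if ! grep -Eqx -- "$pexp" "$pslist"; then
        # Runfile present but nothing matches pexp: the daemon was recorded
        # as started and is not there (the identd case in this thread).
        echo "not-running cached=$cached configured=$wanted"
    elif [ "$cached" != "$wanted" ]; then
        # Running, but with flags other than the configured ones.
        echo "flags-differ cached=$cached configured=$wanted"
    else
        echo ok
    fi
}

# Build constructed sample files under directory $1.
make_sample() {
    mkdir -p "$1/run"
    # Runfile contents as quoted in the thread.
    cat > "$1/run/identd" <<'EOF'
daemon_class=daemon
daemon_flags=-elh
daemon_rtable=0
daemon_timeout=30
daemon_user=root
pexp=identd: (listen|resolver)
EOF
    # rc.conf.local after the -l was removed from identd_flags.
    printf 'identd_flags="-eh"\n' > "$1/rc.conf.local"
    # Constructed process lists: one empty, one with identd present.
    : > "$1/ps.empty"
    printf 'identd: listen\nidentd: resolver\n' > "$1/ps.running"
}

# Stand-alone demonstration on the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_runfile "$demo_dir/run/identd" "$demo_dir/rc.conf.local" identd \
    "$demo_dir/ps.empty"
rm -rf "$demo_dir"
```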



Watch out for bad options in /var/run/rc.d/$daemon

2017-01-03 Thread Andy Bradford
Hello,

Since I couldn't find any reference  to this anywhere, I thought I would
put out a description of the problem in the event that someone else runs
into it with other daemons.

At one  point in time,  identd -l had a  different meaning than  it does
now. After upgrading,  I noticed that identd was not  running, thanks to
the following section in the daily output email:

Services that should be running but aren't:
identd

So I began investigating why it wasn't running and found the following 
in /var/log/messages:

Jan  3 22:46:56 obsd identd[80696]: h/auth: no address associated with name
Jan  3 22:46:56 obsd identd[84721]: child has gone

Looking at the output, it seemed  clear that something had changed, so I
looked at the man page for identd, and sure enough, -l is now different.
Previously, in /etc/rc.conf.local, I had:

identd_flags="-elh"

Which coincided  with the error message.  Clearly -lh meant that  it was
trying to look  up a host named h, which  doesn't exist, whereas before,
-l meant to log  to syslog. So, I removed the  -l from identd_flags, and
tried to  restart the daemon. Much  to my dismay, it  failed to restart,
even though I had corrected the problem in rc.conf.local.

As  it turns  out, after  further investigation,  I discovered  that the
flags get cached in /var/run/rc.d/identd:

$ cat /var/run/rc.d/identd 
daemon_class=daemon
daemon_flags=-elh
daemon_rtable=0
daemon_timeout=30
daemon_user=root
pexp=identd: (listen|resolver)

There's the offending -l that I thought I had removed!

I can see why now:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/rc.d/rc.subr?annotate=1.116

On line 109, the options that are cached in the _RC_RUNFILE override any
that were provided before rc_cmd() was called.

Not sure  if this is  a bug.  How often does  a command line  option get
repurposed for something else?

At any rate, I wanted to give a heads up to anyone else who might end up
with a daemon which refuses to restart, even after the options have been
corrected.

Andy
-- 
TAI64 timestamp: 4000586c8fd2



Re: Android device detach/attach loop

2017-01-03 Thread RD Thrush
On 01/03/17 11:16, Adam Van Ymeren wrote:
> On 01/03/17 02:15, Anthony J. Bentley wrote:
>> Adam Van Ymeren writes:
>>> I was attempting to use android's adb tool but when I enable usb
>>> debugging on my phone it appears to repeatedly detach/reattach the device.
>>>
>>> Anyone experience this before or have any advice on how to debug this?
>>>
>>> Jan  2 15:12:30 adam-laptop /bsd: ugen2 at uhub0 port 5 "Samsung Galaxy
>>> Nexus" rev 2.00/2.16 addr 2
>> This seems to be a problem with the Galaxy Nexus, and I've seen it on
>> mine. I did buy another Galaxy Nexus to pass on to any dev with
>> potential interest but couldn't reproduce the problem on the new phone;
>> maybe I forgot to enable USB debugging.
> 
> Interesting, it doesn't happen plugging my Galaxy Nexus into a Linux or macOS 
> machine, also doesn't happen on OpenBSD using different android phones.  
> Definitely something specific with the combination of OpenBSD and the Galaxy 
> Nexus.
> 
> I did some more digging, if I'm reading this right, shortly after the device 
> connects, ehci.c reads the "Connect Status Change" register, triggers another 
> uhub_explore, which calls uhub_port_connect, which detaches the existing 
> device.
> 
> 
> I'm reading the linux usb drivers to try to figure out what it's doing 
> different, but this isn't my area of expertise :).
> 
> 
> Follows is some more debugging information if anyone is interested
> 
> Here's the lsusb -v output from a linux machine:
> 
> [ ... snip ...]
> 
> Also some dmesg output with usbdebug = 0xff; of the device re-attaching a few 
> times.
> 
> [ ... snip ...]

I have a similar galaxy nexus and noticed the same degradation when usb 
debugging is enabled.

I built a USB_DEBUG kernel and collected some additional information from the 
usb of a pc engines apu2c4.  The -current dmesg is appended. The details are at 
http://arp.thrush.com/obsd/galaxy_nexus/:

[1] Briefly annotated transcript of console log from debug kernel (grep '#' 
messages.annotated)
[2] Another copy of the -current dmesg
[3] directory w/ linux info about the nexus device including excerpt from 
/var/log/messages and a few lsusb -v results.




Re: isakmpd set up

2017-01-03 Thread Damian McGuckin
I apologise if it has already been said but we have heaps of clients with 
Office 365 where Microsoft do not control the DNS. The client does but you 
need special TXT records. Then again, none are charities with that special
$1/month/user deal.

Regards - Damian

Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of any past or present employer



Re: Custom installation iso

2017-01-03 Thread Thuban
* Stuart Henderson  on [31-12-2016 21:08:13 +]:
> On 2016-12-31, Thuban  wrote:
> > Hello,
> > I currently use customized install60.iso images with site60.tgz set. It
> > works quite well, but I need to include in site60.tgz set some packages.
> >
> > For now, I used pkg_add in a rc.firsttime script, but it requires an
> > internet access at first boot, and it's not handy.
> >
> > Do you have any advice to include packages with dependencies in an
> > install cd ?
>
> You can use siteXX.tgz to create a directory containing the tgz files
> for the packages you need (include the "quirks" package too). You probably
> still want to do the installation from rc.firsttime, you can do something
> like "PKG_PATH=/path/to/pkgs/ pkg_add [...]".
>

This last solution is great. I just had to write a script to find every
dependency of each package, but once it's done, everything works as
expected.

Thanks.

Regards

--
/Thuban/




Re: relayd[66834]: relayd: socketpair: Too many open files

2017-01-03 Thread Kevin
Tiny detail omitted previously (mea culpa): this is on a vultr.com machine.


OpenBSD 6.0-stable (GENERIC.MP) #0: Wed Dec 28 14:13:24 PST 2016
ksmith@template:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 788381696 (751MB)
avail mem = 760070144 (724MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf6a10 (9 entries)
bios0: vendor SeaBIOS version "
rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org" date 04/01/2014
bios0: QEMU Standard PC (i440FX + PIIX, 1996)
acpi0 at bios0: rev 0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP APIC HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Virtual CPU 714389bda930, 2400.36 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOV
BE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,LONG,LAHF,ABM,FSGSBASE,BM
I1,AVX2,SMEP,BMI2,ERMS,INVPCID,ARAT
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 1000MHz
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 11, 24 pins
acpihpet0 at acpi0: 1 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
"ACPI0006" at acpi0 not configured
"PNP0303" at acpi0 not configured
"PNP0F13" at acpi0 not configured
"PNP0700" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"QEMU0002" at acpi0 not configured
"ACPI0010" at acpi0 not configured
pvbus0 at mainbus0: KVM
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel
0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom
removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 0 int 11
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int
9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio0: address 56:00:00:4b:41:f3
virtio0: msix shared
virtio1 at pci0 dev 4 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio1
scsibus2 at vioblk0: 2 targets
sd0 at scsibus2 targ 0 lun 0:  SCSI3 0/direct fixed
sd0: 15360MB, 512 bytes/sector, 31457280 sectors
virtio1: msix shared
virtio2 at pci0 dev 5 function 0 "Qumranet Virtio Memory" rev 0x00
viomb0 at virtio2
virtio2: apic 0 int 10
virtio3 at pci0 dev 6 function 0 "Qumranet Virtio RNG" rev 0x00
viornd0 at virtio3
virtio3: apic 0 int 10
virtio4 at pci0 dev 7 function 0 "Qumranet Virtio Network" rev 0x00
vio1 at virtio4: address 5a:00:00:4b:41:f3
virtio4: msix shared
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 1: density unknown
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
nvram: invalid checksum
uhidev0 at uhub0 port 1 configuration 1 interface 0 "QEMU QEMU USB Tablet"
rev 2.00/0.00 addr 2
uhidev0: iclass 3/0
ums0 at uhidev0: 3 buttons, Z dir
wsmouse1 at ums0 mux 0
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (02fdd533b920e06e.a) swap on sd0b dump on sd0b
clock: unknown CMOS layout

On Tue, Jan 3, 2017 at 1:21 PM, Reyk Floeter  wrote:

> dmesg please
>
> > On 03.01.2017 at 22:16, Kevin wrote:
> >
> > Hey gang,
> >
> > So I'm putting a new firewall in place and have run into issues with
> > getting relayd to start using:
> >
> > # /etc/rc.d/relayd start
> >
> > When I try starting it like that inevitably I get:
> >
> >relayd(failed)
> >
> > checking the log files tells me:
> >
> >relayd: socketpair: Too many open files
> >
> > Having trolled through pages of SERPs, I can't find an answer; however, in
> > the interest of science, if I do this:
> >
> > # ulimit -n 512
> > # /usr/sbin/relayd
> >
> > it starts perfectly.
> >
> > Anyone care to give me a quick strike wit

Re: Is it possible to follow -current after missing several versions?

2017-01-03 Thread Kevin
On Tue, Jan 3, 2017 at 12:45 PM, Theo de Raadt  wrote:

> > > Upgrade with a snapshot.
> > >
> > > You don't stand a chance figuring out what we changed and making your way
> > > through it.
> >
> > Do you mean that I can simply boot with a fresh bsd.rd and upgrade my system?
> >
> > Thank you both for your answers.
>
> Yes.  Follow the advice someone else provided, to upgrade step by step over
> sequential releases.

I had a test machine that was on 5.5 that I just did this exact process
on; it worked exactly as advertised.

Updating the ports took some time since the machine had a truckload of
stuff running on it and was so far out of patch, but for me it was worth it
vs installing clean and restoring data from backup.



Re: relayd[66834]: relayd: socketpair: Too many open files

2017-01-03 Thread Reyk Floeter
dmesg please

> On 03.01.2017 at 22:16, Kevin wrote:
> 
> Hey gang,
> 
> So I'm putting a new firewall in place and have run into issues with
> getting relayd to start using:
> 
> # /etc/rc.d/relayd start
> 
> When I try starting it like that inevitably I get:
> 
>relayd(failed)
> 
> checking the log files tells me:
> 
>relayd: socketpair: Too many open files
> 
> Having trolled through pages of SERPs, I can't find an answer; however, in
> the interest of science, if I do this:
> 
> # ulimit -n 512
> # /usr/sbin/relayd
> 
> it starts perfectly.
> 
> Anyone care to give me a quick strike with the clue stick, please?
> 
> Oh yah, here's my relayd.conf
> 
> # Example.com
> # 145.176.20.136
> exm_chi01="192.168.2.0"
> exm_chi02="192.168.2.1"
> 
> table{ $exm_chi01, $exm_chi02 }
> 
> #=#
> # Servers #
> #=#
> redirect "Example.com" {
>listen on 145.176.20.162 port 80 interface vio0
>pftag RELAYD-Example.com
>forward to  check tcp
> }
> 
> 
> For what it's worth, I'm using a hosts file to point example.com to my IP
> for the time being, as I can't pull the real sites down and move them 'til
> this is working.
> 
> Also of interest: pf seems to be working as advertised, as does relayd when
> it's started with the ulimit cranked up.
> 
> 
> Thanks,
> Kevin



relayd[66834]: relayd: socketpair: Too many open files

2017-01-03 Thread Kevin
Hey gang,

So I'm putting a new firewall in place and have run into issues with
getting relayd to start using:

# /etc/rc.d/relayd start

When I try starting it like that inevitably I get:

relayd(failed)

checking the log files tells me:

relayd: socketpair: Too many open files

Having trolled through pages of SERPs, I can't find an answer; however, in
the interest of science, if I do this:

# ulimit -n 512
# /usr/sbin/relayd

it starts perfectly.

Anyone care to give me a quick strike with the clue stick, please?

Oh yah, here's my relayd.conf

# Example.com
# 145.176.20.136
exm_chi01="192.168.2.0"
exm_chi02="192.168.2.1"

table{ $exm_chi01, $exm_chi02 }

#=#
# Servers #
#=#
redirect "Example.com" {
listen on 145.176.20.162 port 80 interface vio0
pftag RELAYD-Example.com
forward to  check tcp
}


For what it's worth, I'm using a hosts file to point example.com to my IP
for the time being, as I can't pull the real sites down and move them 'til
this is working.

Also of interest: pf seems to be working as advertised, as does relayd when
it's started with the ulimit cranked up.


Thanks,
Kevin



Re: Is it possible to follow -current after missing several versions?

2017-01-03 Thread Theo de Raadt
> > Upgrade with a snapshot.
> >
> > You don't stand a chance figuring out what we changed and making your way
> > through it.
> 
> Do you mean that I can simply boot with a fresh bsd.rd and upgrade my system?
> 
> Thank you both for your answers.

Yes.  Follow the advice someone else provided, to upgrade step by step over
sequential releases.



Re: Is it possible to follow -current after missing several versions?

2017-01-03 Thread Panagiotis Liakos
2017-01-03 19:07 GMT+02:00 Theo de Raadt :
>
> Upgrade with a snapshot.
>
> You don't stand a chance figuring out what we changed and making your way
> through it.

Do you mean that I can simply boot with a fresh bsd.rd and upgrade my system?

Thank you both for your answers.



Re: isakmpd set up

2017-01-03 Thread Armin Tüting
On Mon, 2017-01-02 at 22:05 +, Peter Fraser wrote:

[...]

> any hint as to what I am doing wrong?
Your config looks strange for sure!
Please read http://www.kernel-panic.it/openbsd/vpn/vpn3.html and
http://stuffresearch.tor.hu/?p=64
In addition I recommend reading
http://undeadly.org/cgi?action=article&sid=20131125041429

Regards,
Armin.



Re: Android device detach/attach loop

2017-01-03 Thread Adam Van Ymeren

On 01/03/17 02:15, Anthony J. Bentley wrote:
> Adam Van Ymeren writes:
>> I was attempting to use android's adb tool but when I enable usb
>> debugging on my phone it appears to repeatedly detach/reattach the device.
>>
>> Anyone experience this before or have any advice on how to debug this?
>>
>> Jan  2 15:12:30 adam-laptop /bsd: ugen2 at uhub0 port 5 "Samsung Galaxy
>> Nexus" rev 2.00/2.16 addr 2
> This seems to be a problem with the Galaxy Nexus, and I've seen it on
> mine. I did buy another Galaxy Nexus to pass on to any dev with
> potential interest but couldn't reproduce the problem on the new phone;
> maybe I forgot to enable USB debugging.

Interesting, it doesn't happen plugging my Galaxy Nexus into a Linux or
macOS machine, also doesn't happen on OpenBSD using different android
phones.  Definitely something specific with the combination of OpenBSD
and the Galaxy Nexus.

I did some more digging, if I'm reading this right, shortly after the
device connects, ehci.c reads the "Connect Status Change" register,
triggers another uhub_explore, which calls uhub_port_connect, which
detaches the existing device.

I'm reading the linux usb drivers to try to figure out what it's doing
different, but this isn't my area of expertise :).



Follows is some more debugging information if anyone is interested

Here's the lsusb -v output from a linux machine:

Bus 002 Device 003: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy (MTP)
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x04e8 Samsung Electronics Co., Ltd
  idProduct          0x6860 Galaxy (MTP)
  bcdDevice            2.16
  iManufacturer           2 Samsung
  iProduct                3 Galaxy Nexus
  iSerial                 4 01498FC00901A01C
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           62
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol      0
      iInterface              5 MTP
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x001c  1x 28 bytes
        bInterval               6
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass     66
      bInterfaceProtocol      1
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x03  EP 3 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass            0
  bDeviceSubClass         0
  bDeviceProtocol

Re: Is it possible to follow -current after missing several versions?

2017-01-03 Thread ludovic coues
Your best bet is to upgrade to 5.6-stable, then 5.7, 5.8, 5.9, 6.0 then -current

As far as I know, OpenBSD only supports upgrades from one version to the
next one. 5.5-current to 6.0-current is skipping a lot of versions.

2017-01-03 16:31 GMT+01:00 Panagiotis Liakos :
> Hello all,
>
> I have an old installation of OpenBSD that is following -current and I
> had successfully done so going from 5.5 to 5.6 a long time ago. Today
> I tried to follow -current again and I stepped into several issues.
>
> At first, kernel build failed and I found out that as of 2015-09-11 I
> have to update config(8) before building. Therefore, I tried to update
> config(8) with:
>
> cd /usr/src/usr.sbin/config
> make obj && make cleandir && make depend && make && make install
>
> which also fails because it tries to use pledge(2) which was introduced in 
> 5.9.
>
> So now I am wondering what options do I have? Is it possible to follow
> -current at this stage? Can I (or should I) go to a stable release
> instead?
>
> Thanks a lot,
> Panagiotis
>



-- 

Cordialement, Coues Ludovic
+336 148 743 42



Re: Is it possible to follow -current after missing several versions?

2017-01-03 Thread Theo de Raadt
> I have an old installation of OpenBSD that is following -current and I
> had successfully done so going from 5.5 to 5.6 a long time ago. Today
> I tried to follow -current again and I stepped into several issues.
> 
> At first, kernel build failed and I found out that as of 2015-09-11 I
> have to update config(8) before building. Therefore, I tried to update
> config(8) with:
> 
> cd /usr/src/usr.sbin/config
> make obj && make cleandir && make depend && make && make install
> 
> which also fails because it tries to use pledge(2) which was introduced in 
> 5.9.
> 
> So now I am wondering what options do I have? Is it possible to follow
> -current at this stage? Can I (or should I) go to a stable release
> instead?

Upgrade with a snapshot.

You don't stand a chance figuring out what we changed and making your way
through it.



Is it possible to follow -current after missing several versions?

2017-01-03 Thread Panagiotis Liakos
Hello all,

I have an old installation of OpenBSD that is following -current and I
had successfully done so going from 5.5 to 5.6 a long time ago. Today
I tried to follow -current again and I stepped into several issues.

At first, kernel build failed and I found out that as of 2015-09-11 I
have to update config(8) before building. Therefore, I tried to update
config(8) with:

cd /usr/src/usr.sbin/config
make obj && make cleandir && make depend && make && make install

which also fails because it tries to use pledge(2) which was introduced in 5.9.

So now I am wondering what options do I have? Is it possible to follow
-current at this stage? Can I (or should I) go to a stable release
instead?

Thanks a lot,
Panagiotis



Re: isakmpd set up

2017-01-03 Thread Steve Williams
Hi,

You should see if the client can operate as a Microsoft Office "partial 
redelegation".  One client where I work uses Office 365 and still 
retains control of their own DNS.

I did a quick google...

https://support.office.com/en-us/article/How-Office-365-manages-DNS-records-5980474a-097f-4f21-a864-21245314957f

If you can't get to a "partial redelegation" situation, then you are 
really limited on what you can do, and it's likely that a dynamic IP 
address just won't work with Office 365 either.

Good luck!

Cheers,
Steve W.
On 03/01/2017 8:49 AM, Peter Fraser wrote:
> The charity uses Office 365, which for charities is a great deal, Microsoft 
> charges them $1US per user per month
> up to 75 users, but as a result, Microsoft control their DNS.
>
> I also expect that they will be NATed and given a 10/8 address.
>
>
>
>
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
> Steve Williams
> Sent: Monday, January 2, 2017 6:57 PM
> To: Peter Fraser ; 'misc@openbsd.org' 
> Subject: Re: isakmpd set up
>
> Hi,
>
> I have been using OpenBSD on a dynamic IP address for 10+ years.
>
> I have an account with dynamic dns provider Zoneedit and use the ddclient 
> package.
>
> I run a SMTP daemon, HTTP, SSH and in those 10+ years, I have never had a 
> situation where I could not reach my server.  I access it from all over the 
> world using putty (ssh), imap (dovecot), webmail
> (roundcubemail) and access my web server for various purposes.
>
> When I first got my server going, I was paranoid & had a modem connected to 
> the serial port of my server so I could get to my server in the case of 
> losing Internet access.  I used the modem exactly 0 times and finally got 
> rid of the landline.
>
> Since I am paranoid, I had a backup to the backup & received an email every 2 
> hours (initially) that had the IP address of the interface.  I had a filter 
> so the email just went into a folder.  I never had to use it...
>
> If you feel tied to an ISP because of static IP, I would not hesitate to go 
> the dynamic route.
>
> Cheers,
> Steve Williams
>
> On 02/01/2017 3:05 PM, Peter Fraser wrote:
>> A charity that I support has been having trouble with its internet
>> provider (Rogers).
>> The problem I have is that Rogers is the only supplier that is
>> available that will give a fixed IP address.
>>
>> I want the fixed IP address so I don't have to drive there to fix problems.
>>
>> It occurred to me that if I could get a VPN set up automatically when
>> their OpenBSD  firewall boots.
>> I could then use the VPN to reach back into their computer.
>>
>> Having never set up a VPN using OpenBSD I started by reading, and I
>> was left very confused.
>>
>> I came up with:
>>
>> On my firewall I have /etc/ipsec.conf
>>
>> ike passive from egress to 192.168.254/24 peer 192.168.254.1 srcid
>> thinkage.ca dstid kwaccessability.ca tag ipsec-kwa ike passive from
>> 192.102.11.0/24 to 192.168.254.0/24 peer 192.168.254.1 srcid
>> thinkage.ca  dstid kwaccessability.ca tag ipsec-kwa
>>
>> on their firewall
>>
>> ike  from egress to 192.102.11/24 peer 192.102.11.1 srcid
>> kwaccessability.ca dstid thinkage.ca tag ipsec-kwa ike  from
>> 192.168.254/24 to 192.102.11/24 peer 192.102.11.1 srcid
>> kwaccessability.ca dstid thinkage.ca tag ipsec-kwa
>>
>> I also  opened up the firewall to allow packets in from both networks
>> without restrictions, something I will have to clean up later
>>
>> On both systems I have isakmpd_flags=-K -v -D A=10
>>
>> because of some of the readings I also put on both systems into
>> /etc/hostname.enc0
>> up
>>
>> when I try to start isakmpd on the remote system I get only a message
>> about privilege dropping.
>>
>> on my local system I get
>>
>> Jan  2 16:23:55 gateway isakmpd[71980]: timer_add_event: event
>> ui_conn_reinit(0x0) added last, expiration in 5s Jan  2 16:23:55
>> gateway isakmpd[71980]: timer_remove_event: removing event
>> ui_conn_reinit(0x0)
>> Jan  2 16:23:55 gateway isakmpd[71980]: timer_add_event: event
>> ui_conn_reinit(0x0) added last, expiration in 5s gateway:/etc # Jan  2
>> 16:24:00 gateway isakmpd[71980]:
>> timer_handle_expirations: event ui_conn_reinit(0x0) Jan  2 16:24:00
>> gateway isakmpd[71980]: ipsec_get_id: invalid section
>> to-192.168.254/24 network 192.168.254
>> Jan  2 16:24:00 gateway isakmpd[71980]: connection_init: could not
>> record passive connection "from-ste0-to-192.168.254/24"
>> Jan  2 16:24:00 gateway isakmpd[71980]: ipsec_get_id: invalid section
>> from-192.102.11/24 network 192.102.11
>> Jan  2 16:24:00 gateway isakmpd[71980]: connection_init: could not
>> record passive connection "from-192.102.11/24-to-192.168.254/24"
>> JaJan  2 16:23:55 gateway isakmpd[71980]: timer_add_event: event
>> ui_conn_reinit(0x0) added last, expiration in 5s Jan  2 16:23:55
>> gateway isakmpd[71980]: timer_remove_event: removing event
>> ui_conn_reinit(0x0)
>> Jan  2 16:23:55 gateway isakmpd[71980]: timer_add_event: event
>> ui

Re: isakmpd set up

2017-01-03 Thread Peter Fraser
Yes I did try with the extra .0 it made no difference

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Denis Fondras
Sent: Tuesday, January 3, 2017 1:56 AM
To: Peter Fraser 
Cc: 'misc@openbsd.org' 
Subject: Re: isakmpd set up

> ike  from egress to 192.102.11/24 peer 192.102.11.1 srcid
> kwaccessability.ca dstid thinkage.ca tag ipsec-kwa ike  from
> 192.168.254/24 to 192.102.11/24 peer 192.102.11.1 srcid
> kwaccessability.ca dstid thinkage.ca tag ipsec-kwa
>

Have you tried to replace 192.102.11/24 with 192.102.11.0/24 and
192.168.254/24 with 192.168.254.0/24 ?



Re: isakmpd set up

2017-01-03 Thread Peter Fraser
The charity uses Office 365, which for charities is a great deal, Microsoft
charges them $1US per user per month
up to 75 users, but as a result, Microsoft control their DNS.

I also expect that they will be NATed and given a 10/8 address.




-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Steve Williams
Sent: Monday, January 2, 2017 6:57 PM
To: Peter Fraser ; 'misc@openbsd.org' 
Subject: Re: isakmpd set up

Hi,

I have been using OpenBSD on a dynamic IP address for 10+ years.

I have an account with dynamic dns provider Zoneedit and use the ddclient
package.

I run a SMTP daemon, HTTP, SSH and in those 10+ years, I have never had a
situation where I could not reach my server.  I access it from all over the
world using putty (ssh), imap (dovecot), webmail
(roundcubemail) and access my web server for various purposes.

When I first got my server going, I was paranoid & had a modem connected to
the serial port of my server so I could get to my server in the case of
losing Internet access.  I used the modem exactly 0 times and finally got rid
of the landline.

Since I am paranoid, I had a backup to the backup & received an email every 2
hours (initially) that had the IP address of the interface.  I had a filter so
the email just went into a folder.  I never had to use it...

If you feel tied to an ISP because of static IP, I would not hesitate to go
the dynamic route.

Cheers,
Steve Williams

On 02/01/2017 3:05 PM, Peter Fraser wrote:
> A charity that I support has been having trouble with its internet
> provider (Rogers).
> The problem I have is that Rogers is the only supplier that is
> available that will give a fixed IP address.
>
> I want the fixed IP address so I don't have to drive there to fix problems.
>
> It occurred to me that if I could get a VPN set up automatically when
> their OpenBSD firewall boots, I could then use the VPN to reach back
> into their computer.
>
> Having never set up a VPN using OpenBSD I started by reading, and I
> was left very confused.
>
> I came up with:
>
> On my firewall I have /etc/ipsec.conf
>
> ike passive from egress to 192.168.254/24 peer 192.168.254.1 srcid thinkage.ca dstid kwaccessability.ca tag ipsec-kwa
> ike passive from 192.102.11.0/24 to 192.168.254.0/24 peer 192.168.254.1 srcid thinkage.ca dstid kwaccessability.ca tag ipsec-kwa
>
> on their firewall
>
> ike from egress to 192.102.11/24 peer 192.102.11.1 srcid kwaccessability.ca dstid thinkage.ca tag ipsec-kwa
> ike from 192.168.254/24 to 192.102.11/24 peer 192.102.11.1 srcid kwaccessability.ca dstid thinkage.ca tag ipsec-kwa
>
> I also opened up the firewall to allow packets in from both networks
> without restrictions, something I will have to clean up later.
>
> On both systems I have isakmpd_flags=-K -v -D A=10
>
> because of some of the readings I also put on both systems into
> /etc/hostname.enc0
> up
>
> When I try to start isakmpd on the remote system I get only a message
> about privilege dropping.
>
> on my local system I get
>
> Jan  2 16:23:55 gateway isakmpd[71980]: timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
> Jan  2 16:23:55 gateway isakmpd[71980]: timer_remove_event: removing event ui_conn_reinit(0x0)
> Jan  2 16:23:55 gateway isakmpd[71980]: timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
> gateway:/etc # Jan  2 16:24:00 gateway isakmpd[71980]: timer_handle_expirations: event ui_conn_reinit(0x0)
> Jan  2 16:24:00 gateway isakmpd[71980]: ipsec_get_id: invalid section to-192.168.254/24 network 192.168.254
> Jan  2 16:24:00 gateway isakmpd[71980]: connection_init: could not record passive connection "from-ste0-to-192.168.254/24"
> Jan  2 16:24:00 gateway isakmpd[71980]: ipsec_get_id: invalid section from-192.102.11/24 network 192.102.11
> Jan  2 16:24:00 gateway isakmpd[71980]: connection_init: could not record passive connection "from-192.102.11/24-to-192.168.254/24"
>
>
> any hint as to what I am doing wrong?
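
Added example (not part of the thread, and not OpenBSD code): a small Python check that flags addresses in ike rules written with fewer than four octets, the form Denis asks about elsewhere in this thread, and matches them against the networks named in isakmpd's "invalid section" log lines. It assumes one rule per line; the function names are hypothetical and the sample strings are constructed from the text quoted above.

```python
import ipaddress
import re

# Constructed inputs: rules and log lines assembled from the text quoted in this thread.
SAMPLE_CONF = """\
ike passive from egress to 192.168.254/24 peer 192.168.254.1 srcid thinkage.ca dstid kwaccessability.ca tag ipsec-kwa
ike passive from 192.102.11.0/24 to 192.168.254.0/24 peer 192.168.254.1 srcid thinkage.ca dstid kwaccessability.ca tag ipsec-kwa
"""
SAMPLE_LOG = """\
Jan  2 16:24:00 gateway isakmpd[71980]: ipsec_get_id: invalid section to-192.168.254/24 network 192.168.254
Jan  2 16:24:00 gateway isakmpd[71980]: connection_init: could not record passive connection "from-ste0-to-192.168.254/24"
Jan  2 16:24:00 gateway isakmpd[71980]: ipsec_get_id: invalid section from-192.102.11/24 network 192.102.11
"""

ADDR_RE = re.compile(r"\b(from|to|peer)\s+(\d[\d.]*(?:/\d+)?)(?=\s|$)")
LOG_RE = re.compile(r"isakmpd\[\d+\]: ipsec_get_id: invalid section (\S+) network (\S+)")

def lint_conf(text):
    """Return (line, keyword, address, suggestion) for each IPv4 value without four octets."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        rule = line.split("#", 1)[0].strip()      # drop comments
        if not rule.startswith("ike"):
            continue
        for keyword, addr in ADDR_RE.findall(rule):
            host, _, plen = addr.partition("/")
            octets = host.split(".")
            if len(octets) == 4:
                continue
            suggestion = None
            if plen:  # zero-padding is only unambiguous for a network with a prefix length
                padded = ".".join(octets + ["0"] * (4 - len(octets)))
                try:
                    suggestion = str(ipaddress.ip_network(f"{padded}/{plen}"))
                except ValueError:  # bad octet, bad prefix, or host bits set
                    pass
            findings.append((no, keyword, addr, suggestion))
    return findings

def rejected_networks(log):
    """Return sorted (section, network) pairs from isakmpd 'invalid section' log lines."""
    return sorted(set(LOG_RE.findall(log)))

def correlate(conf, log):
    """Return the lint findings whose address matches a network named in the log."""
    rejected = {net for _, net in rejected_networks(log)}
    return [f for f in lint_conf(conf) if f[2].partition("/")[0] in rejected]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_CONF, SAMPLE_LOG):
        print(finding)
```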



httpd conf

2017-01-03 Thread Asbel Kiprop
Hi there!
Installing dokuwiki
server "wiki.local" {
    listen on $ext_addr port 80

    root "/dokuwiki"
    location "/*.php*" {
        fastcgi socket "/run/php-fpm.sock"
    }
}

Why doesn't this work for me? I can access static files in http://wiki.local,
but http://wiki.local/index.php causes the file to be downloaded.

But this
server "wiki.local" {
    listen on $ext_addr port 80

    location "/dokuwiki/*.php*" {
        root { "/dokuwiki", strip 1 }
        fastcgi socket "/run/php-fpm.sock"
    }
    location "/dokuwiki/*" {
        directory index index.php
        root { "/dokuwiki", strip 1 }
    }
}

works fine and I can access the wiki via http://wiki.local/dokwiki/ .
But I don't want to use the extra "dokuwiki" URL part. How should I configure my
httpd.conf to access the wiki via http://wiki.local/docu.php ?

OpenBSD current