Re: Problems installing on Dell R830

2017-04-26 Thread Mike Larkin
On Thu, Apr 27, 2017 at 10:20:38AM +1000, adr...@close.wattle.id.au wrote:
> Hi Mike,
> 
> > huh? I thought you said it fails after displaying the copyright message.
> > boot> is shown long before that.
> 
> Sorry, not enough coffee.
> 
> [..snip..]
> >> OpenBSD/amd64 CDBOOT 3.28
> boot> mach mem
> Region 0: type 1 at 0x0 for 624KB
> Region 1: type 2 at 0x9c000 for 16KB
> Region 2: type 3 at 0xe for 128KB
> Region 3: type 1 at 0x100 for 1823020KB
> Region 4: type 2 at 0x6f54b000 for 6148KB
> Region 5: type 1 at 0x6fb4c000 for 171252KB
> Region 6: type 2 at 0x7a289000 for 12808KB
> Region 7: type 4 at 0x7af0b000 for 10432KB
> Region 8: type 3 at 0x7b93b000 for 1500KB
> Region 9: type 1 at 0x7bab2000 for 220KB
> Region 10: type 3 at 0x7bae9000 for 88KB
> Region 11: type 1 at 0x7baff000 for 4KB
> Region 12: type 2 at 0x7bb0 for 5120KB
> Region 13: type 2 at 0x7c00 for 61440KB
> Region 14: type 2 at 0x7fc0 for 4096KB
> Region 15: type 2 at 0x8000 for 262144KB
> Region 16: type 2 at 0cfeda8000 for 16KB
> Region 17: type 2 at 0xff31 for 13248KB
> Region 18: type 1 at 0x1 for 534773760KB
> Low ram: 624KB  High ram: 1823020KB
> Total free memory: 536768880KB
> [..snip..]
> 
> ... with apologies for any typos as I copied that manually from the screen.
> 
> Thanks.
> 
> Adrian Close
> 

try removing some RAM, at least that will tell us if this is the issue or
if it is something else.

-ml



tinc on openBSD?

2017-04-26 Thread Harald Dunkel
Hi folks,

AFAICS tinc is included in the packages for 6.1, but surely
that doesn't mean it's safe to use without looking.

Are there security concerns against running tinc on an OpenBSD
gateway as an alternative to IPsec and openvpn in a +50 road
warriors setup? What is your impression of this tool in daily
usage? Which VPN solution would you prefer?


Every helpful comment is highly appreciated
Harri



Re: Problems installing on Dell R830

2017-04-26 Thread adrian
Hi Job,

>Make a photo to prevent typos.

No problem.  I wasn't sure if the list would like attachments, but here it is 
(attached).

Thanks,

Adrian Close

Re: Problems installing on Dell R830

2017-04-26 Thread Job Snijders
Hi Adrian,

Make a photo to prevent typos.

Kind regards,

Job

On Thu, Apr 27, 2017 at 1:20 AM,   wrote:
> Hi Mike,
>
>> huh? I thought you said it fails after displaying the copyright message.
>> boot> is shown long before that.
>
> Sorry, not enough coffee.
>
> [..snip..]
>>> OpenBSD/amd64 CDBOOT 3.28
> boot> mach mem
> Region 0: type 1 at 0x0 for 624KB
> Region 1: type 2 at 0x9c000 for 16KB
> Region 2: type 3 at 0xe for 128KB
> Region 3: type 1 at 0x100 for 1823020KB
> Region 4: type 2 at 0x6f54b000 for 6148KB
> Region 5: type 1 at 0x6fb4c000 for 171252KB
> Region 6: type 2 at 0x7a289000 for 12808KB
> Region 7: type 4 at 0x7af0b000 for 10432KB
> Region 8: type 3 at 0x7b93b000 for 1500KB
> Region 9: type 1 at 0x7bab2000 for 220KB
> Region 10: type 3 at 0x7bae9000 for 88KB
> Region 11: type 1 at 0x7baff000 for 4KB
> Region 12: type 2 at 0x7bb0 for 5120KB
> Region 13: type 2 at 0x7c00 for 61440KB
> Region 14: type 2 at 0x7fc0 for 4096KB
> Region 15: type 2 at 0x8000 for 262144KB
> Region 16: type 2 at 0cfeda8000 for 16KB
> Region 17: type 2 at 0xff31 for 13248KB
> Region 18: type 1 at 0x1 for 534773760KB
> Low ram: 624KB  High ram: 1823020KB
> Total free memory: 536768880KB
> [..snip..]
>
> ... with apologies for any typos as I copied that manually from the screen.
>
> Thanks.
>
> Adrian Close
>



Stable packages for OpenBSD 6.1 (sparc64, mips64) - thank you

2017-04-26 Thread Jan Vlach
Hello misc, package builders, port maintainers,

I've noticed that the second batch of packages for OpenBSD 6.1 has arrived on the mirrors.

I really appreciate the time and effort you put in and I would like to thank 
you all.

Jan



Re: Problems installing on Dell R830

2017-04-26 Thread adrian
Hi Mike,

> huh? I thought you said it fails after displaying the copyright message.
> boot> is shown long before that.

Sorry, not enough coffee.

[..snip..]
>> OpenBSD/amd64 CDBOOT 3.28
boot> mach mem
Region 0: type 1 at 0x0 for 624KB
Region 1: type 2 at 0x9c000 for 16KB
Region 2: type 3 at 0xe for 128KB
Region 3: type 1 at 0x100 for 1823020KB
Region 4: type 2 at 0x6f54b000 for 6148KB
Region 5: type 1 at 0x6fb4c000 for 171252KB
Region 6: type 2 at 0x7a289000 for 12808KB
Region 7: type 4 at 0x7af0b000 for 10432KB
Region 8: type 3 at 0x7b93b000 for 1500KB
Region 9: type 1 at 0x7bab2000 for 220KB
Region 10: type 3 at 0x7bae9000 for 88KB
Region 11: type 1 at 0x7baff000 for 4KB
Region 12: type 2 at 0x7bb0 for 5120KB
Region 13: type 2 at 0x7c00 for 61440KB
Region 14: type 2 at 0x7fc0 for 4096KB
Region 15: type 2 at 0x8000 for 262144KB
Region 16: type 2 at 0cfeda8000 for 16KB
Region 17: type 2 at 0xff31 for 13248KB
Region 18: type 1 at 0x1 for 534773760KB
Low ram: 624KB  High ram: 1823020KB
Total free memory: 536768880KB
[..snip..]

... with apologies for any typos as I copied that manually from the screen.

Thanks.

Adrian Close



Re: Problems installing on Dell R830

2017-04-26 Thread Mike Larkin
On Thu, Apr 27, 2017 at 09:33:39AM +1000, adr...@close.wattle.id.au wrote:
> Hi Mike,
> 
> On Thu, Apr 27, 2017 at 09:08:18AM +1000, adr...@close.wattle.id.au wrote:
> 
> > Can you show the output of "mach mem" from boot>   ?
> 
> It faults before it displays the "boot>" prompt, so that's tricky.
> Is the result of that still useful if I pull some memory out?
> 
> > 512GB is the limit for physmem in OpenBSD amd64 (I believe, last time I looked,
> > unless someone upped it). It's possible the bios remapped some memory past
> > 512GB and we got confused.
> 
> I'll see if I can find anything obvious in the BIOS settings along those 
> lines.
> 
> Thanks,
> 
> Adrian Close
> 

huh? I thought you said it fails after displaying the copyright message.

boot> is shown long before that.



Re: Problems installing on Dell R830

2017-04-26 Thread adrian
Hi Mike,

On Thu, Apr 27, 2017 at 09:08:18AM +1000, adr...@close.wattle.id.au wrote:

> Can you show the output of "mach mem" from boot>   ?

It faults before it displays the "boot>" prompt, so that's tricky.
Is the result of that still useful if I pull some memory out?

> 512GB is the limit for physmem in OpenBSD amd64 (I believe, last time I looked,
> unless someone upped it). It's possible the bios remapped some memory past
> 512GB and we got confused.

I'll see if I can find anything obvious in the BIOS settings along those lines.

Thanks,

Adrian Close



Re: Problems installing on Dell R830

2017-04-26 Thread Mike Larkin
On Thu, Apr 27, 2017 at 09:08:18AM +1000, adr...@close.wattle.id.au wrote:
> Hi Mike,
> 
> Thanks for your reply.
> 
> > how much memory does the machine have?
> 
> This Dell R830 has 512GB of RAM (which is definitely the biggest machine 
> I've ever tried to install OpenBSD on).  There is a decent delay between the 
> copyright message and the page fault.
> 
> It's destined to go into production as a Linux-based hypervisor (sorry), but 
> I've got some time with it before that needs to happen so I thought I'd try 
> to spin up OpenBSD on it.
> 
> Thanks,
> 
> Adrian Close
> 

Your crash pointed to something in pagezero, and the faulting address
was something really odd.

Can you show the output of "mach mem" from boot>   ?

512GB is the limit for physmem in OpenBSD amd64 (I believe, last time I looked,
unless someone upped it). It's possible the bios remapped some memory past
512GB and we got confused.

-ml



Re: Problems installing on Dell R830

2017-04-26 Thread adrian
Hi Mike,

Thanks for your reply.

> how much memory does the machine have?

This Dell R830 has 512GB of RAM (which is definitely the biggest machine 
I've ever tried to install OpenBSD on).  There is a decent delay between the 
copyright message and the page fault.

It's destined to go into production as a Linux-based hypervisor (sorry), but 
I've got some time with it before that needs to happen so I thought I'd try to 
spin up OpenBSD on it.

Thanks,

Adrian Close



Re: Arch and vmd

2017-04-26 Thread Reyk Floeter
On Wed, Apr 26, 2017 at 11:15:57AM -0700, Mike Larkin wrote:
> On Wed, Apr 26, 2017 at 06:47:17PM +0200, Karl Pettersson wrote:
> > Arch Linux works well as a vmd guest. Some notes about my experiences 
> > installing the system:
> > 
> > * The Arch installation can be started from the serial console, see:
> >   https://wiki.archlinux.org/index.php/Working_with_the_serial_console
> >   #Installing_Arch_Linux_using_the_serial_console
> >   However, the installation still tends to be unstable, due to unreliable
> >   downloads (which has been discussed earlier). Until this is fixed, the 
> >   installation can be run in QEMU, or in a guest under Linux/KVM (as is
> >   currently required by distributions with graphical install).
> > 
> > * Syslinux has to be used as bootloader, and serial console should be
> >   enabled: https://wiki.archlinux.org/index.php/Syslinux#Serial_console
> >   Moreover, the generated config has to be edited to point to the
> >   correct root device, and if Ext4 is used as root file system, it must
> >   not be 64bit (which is enabled by default when the file system is
> >   created): http://www.syslinux.org/wiki/index.php?title=Filesystem
> > 
> 
> Thanks for trying this out and reporting Karl.
> 
> The notes about serial console are welcome. Do note that we are working toward
> an sgabios + seabios payload so that you will be able to install from media
> that uses the regular VGA console (sgabios redirects VGA text mode I/O to
> the serial console). There are a couple of developers working on this, 
> hopefully
> it will make it to the tree soon.
> 

vmd -current is ready to handle sgabios with a different BIOS image.

sthen@ has made an updated sysutils/firmware/vmm port that includes
sgabios, but it is not available yet, you can give it quick try by
replacing the /etc/firmware/vmm-bios file with the following image
that I created manually:

https://bsd.plumbing/vmm-bios-sgabios

Notes and config (to build your own):
https://bsd.plumbing/vmm-bios-sgabios.config.txt

Reyk



Re: acme-client(1) and http_proxy

2017-04-26 Thread Theo de Raadt
> acme.sh does not require root/sudoer access.  For sure I run it as an 
> unprivileged user and hope you do as well!

The concept of privsep isn't about running as an unprivileged user.

It is so much more.

The problem is that unprivileged users still have the full system call
interface available to them.  Ignoring that reality -- in these trying
times -- is like living in a cave.

Don't care where you run such software.  But suggesting it to others
as a quality choice is irresponsible.




Re: acme-client(1) and http_proxy

2017-04-26 Thread Jeff Ross

On 4/26/17 12:41 PM, Theo de Raadt wrote:


I haven't seen anyone mention acme.sh yet--a shell script for
letsencrypt with no external dependencies.

https://github.com/Neilpang/acme.sh

No external dependencies, and no security foundations.

No privsep, no clear separation.

Using pretty much every unsafe pattern tied to security holes in the past.

Using the openssl command *GO READ THAT CODE SOMETIME*, don't go read
the libressl one, go read upstream openssl command source.

No attempt at security.

Just doing the job, and assuming every mistake later can be

It's like constructing jetliners from foundational components, and by
that I mean sticks and stones.

I'm sorry, but I don't get it.  It is crazy to recommend something
that hasn't been STUDIED to ensure it dutifully tries to only perform
the task and creates no new risk.


Always good to hear from you, Theo!

acme.sh does not require root/sudoer access.  For sure I run it as an 
unprivileged user and hope you do as well!


Jeff



Re: acme-client(1) and http_proxy

2017-04-26 Thread Theo de Raadt
> I haven't seen anyone mention acme.sh yet--a shell script for 
> letsencrypt with no external dependencies.
> 
> https://github.com/Neilpang/acme.sh

No external dependencies, and no security foundations.

No privsep, no clear separation.

Using pretty much every unsafe pattern tied to security holes in the past.

Using the openssl command *GO READ THAT CODE SOMETIME*, don't go read
the libressl one, go read upstream openssl command source.

No attempt at security.

Just doing the job, and assuming every mistake later can be  

It's like constructing jetliners from foundational components, and by
that I mean sticks and stones.

I'm sorry, but I don't get it.  It is crazy to recommend something
that hasn't been STUDIED to ensure it dutifully tries to only perform
the task and creates no new risk.



Re: acme-client(1) and http_proxy

2017-04-26 Thread Jeff Ross

On 4/26/17 11:02 AM, Stuart Henderson wrote:


On 2017-04-25, Adam Thompson  wrote:

On 2017-04-25 05:27, Stuart Henderson wrote:


* If you want to do dns-01 challenge with acme-client, you'll need to
use Kristaps' version for now, base acme-client only supports the
standard http challenge type. The UI isn't the simplest; use
'-t dns-01', then it outputs "dns-01 domainname token.key", then
you convert token.key into a suitable format for a DNS TXT record:
   "echo -n token.key | sha256 -b | tr -d = | tr + - | tr / _"
Get the record to the nameserver, then send the whole "dns-01
domainname token.key" line back to acme-client, and cross fingers.
If there are too many errors you'll lock yourself out for a period,
so test with the staging server first.


I haven't seen anyone mention acme.sh yet--a shell script for 
letsencrypt with no external dependencies.


https://github.com/Neilpang/acme.sh

It was trivial for me to write a dns api script for djbdns--very handy 
to have to bootstrap a new domain without previously setting up http in 
apache2 first.


I'd send that out to anyone interested--ask me off list.

Jeff



Re: Arch and vmd

2017-04-26 Thread Mike Larkin
On Wed, Apr 26, 2017 at 06:47:17PM +0200, Karl Pettersson wrote:
> Arch Linux works well as a vmd guest. Some notes about my experiences 
> installing the system:
> 
> * The Arch installation can be started from the serial console, see:
>   https://wiki.archlinux.org/index.php/Working_with_the_serial_console
>   #Installing_Arch_Linux_using_the_serial_console
>   However, the installation still tends to be unstable, due to unreliable
>   downloads (which has been discussed earlier). Until this is fixed, the 
>   installation can be run in QEMU, or in a guest under Linux/KVM (as is
>   currently required by distributions with graphical install).
> 
> * Syslinux has to be used as bootloader, and serial console should be
>   enabled: https://wiki.archlinux.org/index.php/Syslinux#Serial_console
>   Moreover, the generated config has to be edited to point to the
>   correct root device, and if Ext4 is used as root file system, it must
>   not be 64bit (which is enabled by default when the file system is
>   created): http://www.syslinux.org/wiki/index.php?title=Filesystem
> 

Thanks for trying this out and reporting Karl.

The notes about serial console are welcome. Do note that we are working toward
an sgabios + seabios payload so that you will be able to install from media
that uses the regular VGA console (sgabios redirects VGA text mode I/O to
the serial console). There are a couple of developers working on this, hopefully
it will make it to the tree soon.

-ml



Re: pledge for sockets?

2017-04-26 Thread Ted Unangst
Luke Small wrote:
> Would it be a good idea to make a pledge like call that limits a process
> from connecting to ports and/or hosts? Maybe it could be done in way that
> the kernel is made aware of the limitations like in a pledge call and while
> the process is alive, the kernel spawns pf rules based upon the socket
> ports that are created to connect to remote host ports.

The idea doesn't have a lot of traction, but someday I'd like to add a bpf
matcher to connect() calls and let programs manage their own filters.



Re: thank you sthen@ [Was: Re: acme-client(1) and http_proxy]

2017-04-26 Thread Stuart Henderson
On 2017-04-26, Marcus MERIGHI  wrote:
> To keep him going I suggest:
>
> http://spacehopper.org/wishlist
>
> "Exploding the phone" is taken.
> ("Estimated delivery:  23 May 2017 - 16 Jun. 2017")
>
> We all benefit :-)

Thanks!  I haven't updated that list recently so it's a bit random at the 
moment :-)




Re: acme-client(1) and http_proxy

2017-04-26 Thread Stuart Henderson
On 2017-04-25, Adam Thompson  wrote:
> On 2017-04-25 05:27, Stuart Henderson wrote:
>
>> Firstly, with dns-01 challenge you can get a certificate for a server
>> which doesn't allow external access at all (the request and challenge
>> can be done with completely separate machines than the certificate
>> is for).
>> 
>> Secondly, some environments permit inbound connections but require
>> a proxy for outbound access from a DMZ. In a hosting environment,
>> restricting outbound access is often more important than inbound.
>
> While it's possible that this was the case, the fact the OP was even 
> asking the question in the first place strongly suggests that this is 
> not his situation.
>
> I stand by my statement that just buying a cheap SSL cert will, for 
> anything other than the simple case of an online, directly-connected, 
> webserver, be cheaper than the labour required to obtain a LetsEncrypt 
> certificate.
>
>  From what I've read so far, you'd have to be *really* committed to 
> LetsEncrypt to go to the bother of using any of the alternate challenge 
> protocols.

It's not that hard with some clients, especially with DNS hosted at
a provider that has an API that the client already supports (or with
nsupdate).

If it's a one-off, I agree a cheap SSL cert is often easier. But the
work that's involved is manual and needs doing at renewal (generate
key/csr, get payment approval, login to CA's website, order, enter
card details, manually handle CA's DNS/email auth, copy cert into
place, figure out which chain certs are needed if the CA changed
them, fix things if you messed up with the keys). Multiply that by
a few domains, especially when they need renewing at different
times, and it gets to be a real pain. More so when browsers push
harder and the validity of certs gets reduced in length across the
board.

So with LetsEncrypt and especially non-http challenges it's often
more of a faff to set up initially, but that's once only, amortised
across multiple domains, in theory the only thing you're likely to
need to do later is update the agreement URL.

(And you don't have to worry about unscrupulous registrars trying
to rip you off by autorenewing at several times the usual cost,
hi g*d***y).

> In all the situations where one person could complete the 
> process themselves, that person is highly likely to simply be directly 
> connected anyway - so why bother?

I usually only let webservers connect out to specific IPs, which doesn't
work for connecting to letsencrypt's API servers, currently on akamai
and moving around. Punting the requests to a proxy lets you restrict
by domain name on the proxy instead.

> Once the entire CA industry moves towards ACME (if that happens) then I 
> can see a number of situations where those alternate challenge protocols 
> will be useful and/or required, but for a LetsEncrypt certificate?  It 
> just doesn't seem worthwhile.  Especially when the cost of a 
> single-hostname SSL cert (which meets the needs of many users) is now 
> somewhere below US$5/year!
>
> And neither of us addressed the fact that for a server that's "behind a 
> corporate firewall", there's a good chance that it's not even using a 
> legit gTLD/ccTLD, which means getting an external domain-validated SSL 
> cert for it will be (or should be!) impossible in the first place.

It may well be "www.$somecompany.com" on a DMZ behind a corporate
firewall.

And/or it may be run on multiple machines for failover and need the
cert on all of them, here it's often more straightforward to do
the auth from a management host (dns challenge is really needed for
this) and push out the cert and keys across from config management.



* If you want to do dns-01 challenge with acme-client, you'll need to
use Kristaps' version for now, base acme-client only supports the
standard http challenge type. The UI isn't the simplest; use
'-t dns-01', then it outputs "dns-01 domainname token.key", then
you convert token.key into a suitable format for a DNS TXT record:
  "echo -n token.key | sha256 -b | tr -d = | tr + - | tr / _"
Get the record to the nameserver, then send the whole "dns-01
domainname token.key" line back to acme-client, and cross fingers.
If there are too many errors you'll lock yourself out for a period,
so test with the staging server first.
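The token.key conversion Stuart describes (SHA-256, base64, then made DNS-safe) and the check the CA performs against the published record, as an added Python example that is not acme-client's code. Assumptions: the `_acme-challenge` record name comes from the ACME specification, not from this thread, and the `dns-01 domainname token.key` input line is constructed.

```python
"""dns-01 helpers for the flow described in the message above (added example)."""
import base64
import hashlib
from typing import List, Tuple

# ACME dns-01 publishes the value under this label in front of the domain
# (from the ACME spec; the thread itself does not name the record).
CHALLENGE_LABEL = "_acme-challenge"


def dns01_txt_value(key_authorization: str) -> str:
    """TXT record value: unpadded base64url of SHA-256(token.key).

    This is exactly what the quoted pipeline produces:
      echo -n token.key | sha256 -b | tr -d = | tr + - | tr / _
    """
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pipeline_equivalent(key_authorization: str) -> str:
    """Step-by-step mirror of the shell pipeline, kept for comparison."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    b64 = base64.b64encode(digest).decode("ascii")  # sha256 -b (base64 digest)
    b64 = b64.replace("=", "")                      # tr -d =   (strip padding)
    b64 = b64.replace("+", "-")                     # tr + -    (base64url)
    return b64.replace("/", "_")                    # tr / _    (base64url)


def parse_challenge_line(line: str) -> Tuple[str, str, str]:
    """Turn the client's "dns-01 domainname token.key" line into
    (domain, record name, record value)."""
    parts = line.strip().split()
    if len(parts) != 3 or parts[0] != "dns-01":
        raise ValueError("expected 'dns-01 domainname token.key', got %r" % line)
    _, domain, key_authorization = parts
    # key authorization is token.thumbprint: exactly one dot, no padding chars
    if key_authorization.count(".") != 1 or "=" in key_authorization:
        raise ValueError("key authorization must look like token.thumbprint")
    record_name = "%s.%s" % (CHALLENGE_LABEL, domain.rstrip("."))
    return domain, record_name, dns01_txt_value(key_authorization)


def record_is_published(expected: str, txt_answers: List[str]) -> bool:
    """Emulate the CA's validation: the expected value must appear among the
    TXT answers for the record name. Other TXT records at the same name are
    ignored, and the match is exact (no prefix or case folding)."""
    return any(answer.strip('"') == expected for answer in txt_answers)


if __name__ == "__main__":
    # Constructed input; a real token and thumbprint are longer base64url strings.
    line = "dns-01 www.example.org tok3n.thumbpr1nt"
    domain, name, value = parse_challenge_line(line)
    print("publish TXT %s \"%s\"" % (name, value))
    # Simulate what the resolver would return once the record is live.
    answers = ['"v=spf1 -all"', '"%s"' % value]
    print("CA would accept:", record_is_published(value, answers))
```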




Arch and vmd

2017-04-26 Thread Karl Pettersson
Arch Linux works well as a vmd guest. Some notes about my experiences 
installing the system:

* The Arch installation can be started from the serial console, see:
  https://wiki.archlinux.org/index.php/Working_with_the_serial_console
  #Installing_Arch_Linux_using_the_serial_console
  However, the installation still tends to be unstable, due to unreliable
  downloads (which has been discussed earlier). Until this is fixed, the 
  installation can be run in QEMU, or in a guest under Linux/KVM (as is
  currently required by distributions with graphical install).

* Syslinux has to be used as bootloader, and serial console should be
  enabled: https://wiki.archlinux.org/index.php/Syslinux#Serial_console
  Moreover, the generated config has to be edited to point to the
  correct root device, and if Ext4 is used as root file system, it must
  not be 64bit (which is enabled by default when the file system is
  created): http://www.syslinux.org/wiki/index.php?title=Filesystem



Re: OpenBSD 6.1, boot can't find kernel anymore

2017-04-26 Thread Nicolas Vollmar
Thanks for the response Jonathan.
Seems probable, boot output looks something like this:

disk: hd0 hd1 hd2
open(hd0a:/etc/boot.conf): Invalid argument 
booting hd0a:/bsd: open hd0a:/bsd: Invalid argument 
and so on...

It does only check hd0 (which is not a readable disk), while the OpenBSD
partition is under hd2.



--
View this message in context: 
http://openbsd-archive.7691.n7.nabble.com/OpenBSD-6-1-boot-can-t-find-kernel-anymore-tp317055p317199.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: pledge for sockets

2017-04-26 Thread Janne Johansson
I guess that representing something like
"block out user daemon_id" and
"pass out quick from any to specific_host port specific_port user daemon_id"
in terms of pledge() parameters would make it rather unwieldy, if you want
your fooDB to only be able to make outward connections to the designated
fooDB tcp port on a specific destination ip.

But it's rather simple in PF already. And very flexible if you want to have
very advanced exceptions later on.


2017-04-26 13:38 GMT+02:00 Luke Small :

> Pledge will presumably have per process (including fork()ed process)
> **path limitations on rpath rpath and wpath calls, why not limitations on
> inet and unix?
>
> On Wed, Apr 26, 2017 at 6:26 AM Janne Johansson 
> wrote:
>
>> 2017-04-26 13:19 GMT+02:00 Luke Small :
>>
>>> I'm not saying to alter pledge necessarily, maybe make new system call
>>> like pledge. There aren't any per-process pf rules that are applied.
>>
>>
>> If your daemon has a specific user, you can make such rules in PF.
>> The goal you stated can be reached already, why keep on suggesting new
>> syscalls?
>>
>>
>> --
>> May the most significant bit of your life be positive.
>>
>


-- 
May the most significant bit of your life be positive.


Re: pledge for sockets

2017-04-26 Thread Luke Small
Pledge will presumably have per process (including fork()ed process) **path
limitations on rpath rpath and wpath calls, why not limitations on inet and
unix?
On Wed, Apr 26, 2017 at 6:26 AM Janne Johansson  wrote:

> 2017-04-26 13:19 GMT+02:00 Luke Small :
>
>> I'm not saying to alter pledge necessarily, maybe make new system call
>> like pledge. There aren't any per-process pf rules that are applied.
>
>
> If your daemon has a specific user, you can make such rules in PF.
> The goal you stated can be reached already, why keep on suggesting new
> syscalls?
>
>
> --
> May the most significant bit of your life be positive.
>


Re: pledge for sockets

2017-04-26 Thread Janne Johansson
2017-04-26 13:19 GMT+02:00 Luke Small :

> I'm not saying to alter pledge necessarily, maybe make new system call
> like pledge. There aren't any per-process pf rules that are applied.


If your daemon has a specific user, you can make such rules in PF.
The goal you stated can be reached already, why keep on suggesting new
syscalls?


-- 
May the most significant bit of your life be positive.


thank you sthen@ [Was: Re: acme-client(1) and http_proxy]

2017-04-26 Thread Marcus MERIGHI
To keep him going I suggest:

http://spacehopper.org/wishlist

"Exploding the phone" is taken.
("Estimated delivery:  23 May 2017 - 16 Jun. 2017")

We all benefit :-)

Marcus

stefan.wol...@web.de (Stefan Wollny), 2017.04.26 (Wed) 10:04 (CEST):
> Sent: Wednesday, 26 April 2017 at 06:16
> From: "Predrag Punosevac" 
> To: misc@openbsd.org
> Subject: Re: acme-client(1) and http_proxy
> [ ... ]
> > Best,
> > Predrag
> > 
> > P.S. In all my years on this mailing list I have seen nothing but the
> > most insightful, helpful, and polite answers by Mr. Stuart Henderson.
> +1
> 
> > If he had labeled my post as a "Fake news :)" I would reflect on it
> > before posting again in the same thread.
> Words of wisdom here
> 



Re: pledge for sockets

2017-04-26 Thread Luke Small
I'm not saying to alter pledge necessarily, maybe make new system call
like pledge. There aren't any per-process pf rules that are applied.
When a socket connects to a remote or local server and pf makes a
state, it has the originating randomized port. Pf rules can be made
that target those randomized port numbers, but maybe there could be a
more elegant way like intervening in connect() and bind() calls.

>you can have rules to filter by user for both
>incoming and outgoing connections, see
>http://man.openbsd.org/OpenBSD-6.1/pf.conf.5#user

>I don't think there's too much gain in adding
>support for this kinda thing in pledge but
>that's for the devs to decide.


Re: Relayd 2 domains on 2 seperate vm

2017-04-26 Thread Markus Rosjat

Hi denis,

this seems to look like it I will give it a try :)

I'm fairly new to this subject, so sorry if I asked a simple question, but 
as far as searching on the net goes, most of the time I end up with a 
load balancing example :)


regards

Markus

On 26.04.2017 at 11:01, Denis Fondras wrote:

I don't want load balancing here! I need to separate the hosting of the domain
to different machines because of some software that is running on one of the
machines but is not needed on the other one.



Something like that ?

# cat /etc/relayd.conf
ext_addr="185.xxx.xxx.xxx"

table  { 192.168.1.31 }
table  { 192.168.1.21 }

http protocol "httpsproxy" {
  match request quick header "Host" value "app.mydomain.fr" forward to 
  match request quick header "Host" value "app2-0.mydomain.fr" forward to 

  match request quick header "Host" value "www.mydomain.fr" forward to 
  match request quick header "Host" value "app2-1.mydomain.fr" forward to 

}

relay "proxy" {
  listen on $ext_addr port 443 tls
  protocol "httpsproxy"

  forward with tls to  port 443
  forward with tls to  port 443
}



--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT




Re: Relayd 2 domains on 2 seperate vm

2017-04-26 Thread Denis Fondras
> I don't want load balancing here! I need to separate the hosting of the domain
> to different machines because of some software that is running on one of the
> machines but is not needed on the other one.
> 

Something like that ?

# cat /etc/relayd.conf  
ext_addr="185.xxx.xxx.xxx"

table  { 192.168.1.31 }
table  { 192.168.1.21 }

http protocol "httpsproxy" {
  match request quick header "Host" value "app.mydomain.fr" forward to  
  match request quick header "Host" value "app2-0.mydomain.fr" forward to 
 
  match request quick header "Host" value "www.mydomain.fr" forward to  
  match request quick header "Host" value "app2-1.mydomain.fr" forward to 
 
}

relay "proxy" {
  listen on $ext_addr port 443 tls
  protocol "httpsproxy"

  forward with tls to  port 443
  forward with tls to  port 443
}



Re: WARNING: symbol(icudt58_dat) size mismatch, relink your program

2017-04-26 Thread Anthony Campbell
On 25 Apr 2017, Edgar Pettijohn wrote:
> 
> 
> On 04/25/17 10:39, Kim Lidström wrote:
> > I get the same but with Firefox.
> > 
> > > On 25 Apr 2017, at 12:29, Stuart Henderson  wrote:
> > > 
> > > You aren't doing anything wrong to trigger it. Known problem but we
> > > haven't figured out the cause of this yet.
> > Alright. Do you know if you have any leads? Might take a look this week
> I also get the same when starting libreoffice.

Yes, and also firefox 5.30.

-- 
Anthony Campbell    http://www.acampbell.uk



Relayd 2 domains on 2 seperate vm

2017-04-26 Thread Markus Rosjat

Hi there,

since I'm exploring the possibilities for having a few VMs behind one 
external IP, I was wondering if this kind of setup is possible with relayd?


so I was thinking:

 1 gateway with openbsd and relayd and the external IP
 2 vm each with a httpd running hosting a domain behind that gateway

I don't want load balancing here! I need to separate the hosting of the 
domain to different machines because of some software that is running on 
one of the machines but is not needed on the other one.


Is this kind of setup possible, or do I need to look for some other piece 
of software than relayd?


Regards





Re: pledge for sockets?

2017-04-26 Thread Florian Ermisch
Hi Luke,

you can have rules to filter by user for both
incoming and outgoing connections, see
http://man.openbsd.org/OpenBSD-6.1/pf.conf.5#user

I don't think there's too much gain in adding
support for this kinda thing in pledge but
that's for the devs to decide. 

Regards, Florian 

On 26 April 2017 10:09:18 CEST, Luke Small  wrote:
>Would it be a good idea to make a pledge like call that limits a process
>from connecting to ports and/or hosts? Maybe it could be done in way that
>the kernel is made aware of the limitations like in a pledge call and while
>the process is alive, the kernel spawns pf rules based upon the socket
>ports that are created to connect to remote host ports.
>
>You could conceivably do things like limiting ntpd to predetermined hosts
>and port 123 and 53 on the respective processes involved.
>
>It would make processes that need the inet pledge permission merely to use
>libhiredis to connect to a Redis database more safe.



Re: msdosfs filenames encoding

2017-04-26 Thread Manos Pitsidianakis
Sorry for bumping this thread but I got an off-list reply about using 
the -l flag to force long filenames. In fact I tried -l but there wasn't 
any change, because mount_msdos correctly found that there are long 
filenames in the filesystem and assumed -l on its own.


ASCII filenames work correctly:

% \ls Mendelssohn
Mendelssohn - Songs Without Words Op. 19b No. 6 'Venetianisches 
Gondellied' In G Minor.ogg  Mendelssohn - Songs Without Words 
Op.67 No.6 In E Major.ogg


Unicode filenames (Greek, and names with other special Unicode characters) don't:

% \ls __ٯ__\~1 
1994-_~1 1997-_~1 1999-_~1 2003-_~1 2005-_~1 2008-?~1



On Thu, Apr 06, 2017 at 09:26:54PM +0300, Manos Pitsidianakis wrote:

I have some FAT32 devices (Rockbox firmware only supports that,
unfortunately), mounted with `mount -t msdos ...` and in them I have
many files in non-ascii filenames.  While I can see encoding inside the
files (eg: cat-ing a text file), I get mangled filenames:

% \ls _*
___ү_~1:
1985-_~1 1987-_~1 1990-_~1 1993-_~1 1996-_~1 1999-_~1

~1:
2000-_~1 2000-_~2 2003-_~1 2008-_~1

__ٯ__~1:
1994-_~1 1997-_~1 1999-_~1 2003-_~1 2005-_~1 2008-?~1

~1:
1981-_~1 1985-_~1 1988-_~1 1991-_~1 2005-_~1 2007-_~1 2009-2~1

etc.

I get the same behaviour on bash, zsh, ksh. The filesystem and files have
been created on a linux machine.

Is this an msdosfs bug? I see in sys/msdosfs/msdosfs_conv.c that
filenames are converted through an ASCII table instead of passing
the raw bytes (if I am not mistaken). I don't know why 0x5f (underscore)
would be there instead. How should I begin looking to correct this?




Re: pledge for sockets?

2017-04-26 Thread Janne Johansson
That sounds like what pf can do for stuff running on the local machine,
based on userid of the process opening the sockets.
At least if your daemons all run as separate users.


2017-04-26 10:09 GMT+02:00 Luke Small :

> Would it be a good idea to make a pledge-like call that limits a process
> from connecting to ports and/or hosts? Maybe it could be done in a way that
> the kernel is made aware of the limitations like in a pledge call and while
> the process is alive, the kernel spawns pf rules based upon the socket
> ports that are created to connect to remote host ports.
>
> You could conceivably do things like limiting ntpd to predetermined hosts
> and port 123 and 53 on the respective processes involved.
>
> It would make processes that need the inet pledge permission merely to use
> libhiredis to connect to a Redis database more safe.
>



-- 
May the most significant bit of your life be positive.


pledge for sockets?

2017-04-26 Thread Luke Small
Would it be a good idea to make a pledge-like call that limits a process
from connecting to ports and/or hosts? Maybe it could be done in a way that
the kernel is made aware of the limitations like in a pledge call and while
the process is alive, the kernel spawns pf rules based upon the socket
ports that are created to connect to remote host ports.

You could conceivably do things like limiting ntpd to predetermined hosts
and port 123 and 53 on the respective processes involved.

It would make processes that need the inet pledge permission merely to use
libhiredis to connect to a Redis database more safe.


Re: acme-client(1) and http_proxy

2017-04-26 Thread Stefan Wollny
Sent: Wednesday, 26 April 2017 at 06:16
From: "Predrag Punosevac" 
To: misc@openbsd.org
Subject: Re: acme-client(1) and http_proxy
[ ... ]
> Best,
> Predrag
> 
> P.S. In all my years on this mailing list I have seen nothing but the
> most insightful, helpful, and polite answers by Mr. Stuart Henderson.
+1

> If he had labeled my post as a "Fake news :)" I would reflect on it
> before posting again in the same thread.
Words of wisdom here



Re: Problems installing on Dell R830

2017-04-26 Thread Mike Larkin
On Wed, Apr 26, 2017 at 03:55:34PM +1000, adr...@close.wattle.id.au wrote:
> Hi all,
> 
> It's been a long time since I posted here, so apologies if I slip up on the 
> netiquette.
> 
> I'm trying to install on a Dell R830 but I can't get the installer to boot - 
> it crashes with a page fault after displaying the initial copyright message:
> 
> [..snip..]
> fatal page fault in supervisor mode
> trap type 6 code 2 rip 8100195d cs 8 rflags 10246 cr2  f807ffef000
> cpl e rsp 81a05ba8
> panic: trap type 6, code=2, pc=8100195d
> [..snip..]
> 
> I've tried booting 6.0, 6.1 and the current snapshot with similar results.  
> Other Dell hardware I have access to (eg. R630, R620) works OK.  Normally I'd 
> try disabling stuff in UKC, but booting with "-c" has the same result and no 
> UKC> prompt.
> 
> Does anyone have any suggestions on how I might get this going?
> 
> Thanks,
> 
> Adrian Close
> 
> 

how much memory does the machine have?



Re: 6.1: /usr/local/bin/node: W^X binary outside wxallowed mountpoint

2017-04-26 Thread Maxim Bourmistrov

Thanks all for replying.
The key part was 1) in Todd's answer.

Mounted /home with wxallowed already.
Just needed to 'cp' the binary into it.

Br

> On 25 Apr 2017 at 22:43, Todd C. Miller wrote:
> 
> On Tue, 25 Apr 2017 16:49:36 +0200, Maxim Bourmistrov wrote:
> 
>> Any work around for this one?
>> 
>> Mount with wxallowed not working.
> 
> Two things are required:
> 
> 1) The binary must be on a file system mounted with the wxallowed
>   option.
> 
> 2) The binary must have the OPENBSD_WXNEED type in the ELF header.
> 
> You can check for #2 by running "readelf -l /usr/local/bin/node".
> The output should include a section similar to the following.
> If you don't see OPENBSD_WXNEED in there, that is the problem
> and you probably need to update your packages to the 6.1 versions.
> 
> Program Headers:
>  Type   Offset VirtAddr   PhysAddr
> FileSizMemSiz  Flags  Align
>  PHDR   0x0040 0x0040 0x0040
> 0x0348 0x0348  R E8
>  INTERP 0x00af82be 0x00bf82be 0x00bf82be
> 0x0013 0x0013  R  1
>  [Requesting program interpreter: /usr/libexec/ld.so]
>  LOAD   0x 0x 0x
> 0x00af82be 0x00af82be  R E10
>  LOAD   0x00af82be 0x00bf82be 0x00bf82be
> 0x00bfe59a 0x00bfe59a  R  10
>  LOAD   0x016f6910 0x018f6910 0x018f6910
> 0x000a5af0 0x000b6e00  RW 10
>  DYNAMIC0x0177dda8 0x0197dda8 0x0197dda8
> 0x01b0 0x01b0  RW 8
>  NOTE   0x00af82d4 0x00bf82d4 0x00bf82d4
> 0x0018 0x0018  R  4
>  GNU_EH_FRAME   0x01533634 0x01633634 0x01633634
> 0x00049dac 0x00049dac  R  4
>  OPENBSD_WXNEED 0x 0x 0x
> 0x 0xE8
>  OPENBSD_RANDOM 0x016f6910 0x018f6910 0x018f6910
> 0x0008 0x0008  RW 8
>  GNU_RELRO  0x016f6910 0x018f6910 0x018f6910
> 0x0008f6f0 0x0008f6f0  R  1
>
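A scripted version of the two checks Todd describes, added here as an example and not taken from the thread: it reads the ELF64 program headers for an OPENBSD_WXNEED entry (requirement 2) and parses mount(8)-style output to see whether the file system holding the binary carries wxallowed (requirement 1). The ELF image and the mount lines are constructed for the demonstration, and the numeric program header type is taken from OpenBSD's ELF definitions rather than from the thread.

```python
import re
import struct

# Program header type readelf -l prints as OPENBSD_WXNEED (value assumed from OpenBSD's ELF headers).
PT_LOAD = 1
PT_OPENBSD_WXNEED = 0x65A3DBE7
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

def program_headers(elf: bytes):
    """Yield (p_type, p_flags) for each program header of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (phoff,) = struct.unpack_from("<Q", elf, 0x20)           # e_phoff
    phentsize, phnum = struct.unpack_from("<HH", elf, 0x36)  # e_phentsize, e_phnum
    for i in range(phnum):
        yield struct.unpack_from("<II", elf, phoff + i * phentsize)  # p_type, p_flags

def wx_status(elf: bytes) -> dict:
    """Requirement 2: does the binary carry an OPENBSD_WXNEED header? Also report
    whether any LOAD segment is itself mapped writable and executable."""
    hdrs = list(program_headers(elf))
    return {
        "wxneed": any(t == PT_OPENBSD_WXNEED for t, _ in hdrs),
        "wx_segment": any(t == PT_LOAD and f & PF_W and f & PF_X for t, f in hdrs),
    }

def mount_allows_wx(mount_output: str, path: str) -> bool:
    """Requirement 1: is the file system holding `path` mounted with wxallowed?
    Parses mount(8)-style lines '<dev> on <dir> type <fs> (<opts>)' and uses the
    longest mount point that is a prefix of `path`."""
    best, opts = "", ""
    for line in mount_output.splitlines():
        m = re.match(r"\S+ on (\S+) type \S+ \((.*)\)", line)
        if not m:
            continue
        mp = m.group(1)
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best, opts = mp, m.group(2)
    return "wxallowed" in {o.strip() for o in opts.split(",")}

def build_elf(phdrs) -> bytes:
    """Constructed test image: a 64-byte ELF64 header followed only by program headers."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)

# Constructed mount(8) output: /home carries wxallowed, this /usr/local does not.
MOUNTS = """/dev/sd0a on / type ffs (local)
/dev/sd0k on /home type ffs (local, nodev, nosuid, wxallowed)
/dev/sd0g on /usr/local type ffs (local, nodev)"""
NODE_LIKE = build_elf([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W), (PT_OPENBSD_WXNEED, 0)])
```

Both checks must pass for the binary to run: a WXNEED binary on a mount without wxallowed gives exactly the error in the subject line.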