Re: Problems installing on Dell R830
On Thu, Apr 27, 2017 at 10:20:38AM +1000, adr...@close.wattle.id.au wrote:
> Hi Mike,
>
> > huh? I thought you said it fails after displaying the copyright message.
> > boot> is shown long before that.
>
> Sorry, not enough coffee.
>
> [..snip..]
> >> OpenBSD/amd64 CDBOOT 3.28
> boot> mach mem
> Region 0: type 1 at 0x0 for 624KB
> Region 1: type 2 at 0x9c000 for 16KB
> Region 2: type 3 at 0xe for 128KB
> Region 3: type 1 at 0x100 for 1823020KB
> Region 4: type 2 at 0x6f54b000 for 6148KB
> Region 5: type 1 at 0x6fb4c000 for 171252KB
> Region 6: type 2 at 0x7a289000 for 12808KB
> Region 7: type 4 at 0x7af0b000 for 10432KB
> Region 8: type 3 at 0x7b93b000 for 1500KB
> Region 9: type 1 at 0x7bab2000 for 220KB
> Region 10: type 3 at 0x7bae9000 for 88KB
> Region 11: type 1 at 0x7baff000 for 4KB
> Region 12: type 2 at 0x7bb0 for 5120KB
> Region 13: type 2 at 0x7c00 for 61440KB
> Region 14: type 2 at 0x7fc0 for 4096KB
> Region 15: type 2 at 0x8000 for 262144KB
> Region 16: type 2 at 0cfeda8000 for 16KB
> Region 17: type 2 at 0xff31 for 13248KB
> Region 18: type 1 at 0x1 for 534773760KB
> Low ram: 624KB High ram: 1823020KB
> Total free memory: 536768880KB
> [..snip..]
>
> ... with apologies for any typos as I copied that manually from the screen.
>
> Thanks.
>
> Adrian Close

Try removing some RAM, at least that will tell us if this is the issue or if it is something else.

-ml
tinc on openBSD?
Hi folks,

AFAICS tinc is included in the packages for 6.1, but surely that doesn't mean it's safe to use without looking.

Are there security concerns against running tinc on an OpenBSD gateway as an alternative to IPsec and openvpn in a +50 road warriors setup? What is your impression of this tool in daily usage? Which VPN solution would you prefer?

Every helpful comment is highly appreciated

Harri
Re: Problems installing on Dell R830
Hi Job,

> Make a photo to prevent typos.

No problem. I wasn't sure if the list would like attachments, but here it is (attached).

Thanks,

Adrian Close
Re: Problems installing on Dell R830
Hi Adrian,

Make a photo to prevent typos.

Kind regards,
Job

On Thu, Apr 27, 2017 at 1:20 AM, wrote:
> Hi Mike,
>
> > huh? I thought you said it fails after displaying the copyright message.
> > boot> is shown long before that.
>
> Sorry, not enough coffee.
>
> [..snip..]
> >> OpenBSD/amd64 CDBOOT 3.28
> boot> mach mem
> Region 0: type 1 at 0x0 for 624KB
> Region 1: type 2 at 0x9c000 for 16KB
> Region 2: type 3 at 0xe for 128KB
> Region 3: type 1 at 0x100 for 1823020KB
> Region 4: type 2 at 0x6f54b000 for 6148KB
> Region 5: type 1 at 0x6fb4c000 for 171252KB
> Region 6: type 2 at 0x7a289000 for 12808KB
> Region 7: type 4 at 0x7af0b000 for 10432KB
> Region 8: type 3 at 0x7b93b000 for 1500KB
> Region 9: type 1 at 0x7bab2000 for 220KB
> Region 10: type 3 at 0x7bae9000 for 88KB
> Region 11: type 1 at 0x7baff000 for 4KB
> Region 12: type 2 at 0x7bb0 for 5120KB
> Region 13: type 2 at 0x7c00 for 61440KB
> Region 14: type 2 at 0x7fc0 for 4096KB
> Region 15: type 2 at 0x8000 for 262144KB
> Region 16: type 2 at 0cfeda8000 for 16KB
> Region 17: type 2 at 0xff31 for 13248KB
> Region 18: type 1 at 0x1 for 534773760KB
> Low ram: 624KB High ram: 1823020KB
> Total free memory: 536768880KB
> [..snip..]
>
> ... with apologies for any typos as I copied that manually from the screen.
>
> Thanks.
>
> Adrian Close
Stable packages for OpenBSD 6.1 (sparc64, mips64) - thank you
Hello misc, package builders, port maintainers,

I've noticed that the second batch of packages for OpenBSD 6.1 has arrived on the mirrors. I really appreciate the time and effort you put in and I would like to thank you all.

Jan
Re: Problems installing on Dell R830
Hi Mike,

> huh? I thought you said it fails after displaying the copyright message.
> boot> is shown long before that.

Sorry, not enough coffee.

[..snip..]
>> OpenBSD/amd64 CDBOOT 3.28
boot> mach mem
Region 0: type 1 at 0x0 for 624KB
Region 1: type 2 at 0x9c000 for 16KB
Region 2: type 3 at 0xe for 128KB
Region 3: type 1 at 0x100 for 1823020KB
Region 4: type 2 at 0x6f54b000 for 6148KB
Region 5: type 1 at 0x6fb4c000 for 171252KB
Region 6: type 2 at 0x7a289000 for 12808KB
Region 7: type 4 at 0x7af0b000 for 10432KB
Region 8: type 3 at 0x7b93b000 for 1500KB
Region 9: type 1 at 0x7bab2000 for 220KB
Region 10: type 3 at 0x7bae9000 for 88KB
Region 11: type 1 at 0x7baff000 for 4KB
Region 12: type 2 at 0x7bb0 for 5120KB
Region 13: type 2 at 0x7c00 for 61440KB
Region 14: type 2 at 0x7fc0 for 4096KB
Region 15: type 2 at 0x8000 for 262144KB
Region 16: type 2 at 0cfeda8000 for 16KB
Region 17: type 2 at 0xff31 for 13248KB
Region 18: type 1 at 0x1 for 534773760KB
Low ram: 624KB High ram: 1823020KB
Total free memory: 536768880KB
[..snip..]

... with apologies for any typos as I copied that manually from the screen.

Thanks.

Adrian Close
Re: Problems installing on Dell R830
On Thu, Apr 27, 2017 at 09:33:39AM +1000, adr...@close.wattle.id.au wrote:
> Hi Mike,
>
> On Thu, Apr 27, 2017 at 09:08:18AM +1000, adr...@close.wattle.id.au wrote:
> > Can you show the output of "mach mem" from boot> ?
>
> It faults before it displays the "boot>" prompt, so that's tricky.
> Is the result of that still useful if I pull some memory out?
>
> > 512GB is the limit for physmem in OpenBSD amd64 (I believe, last time I
> > looked, unless someone upped it). It's possible the bios remapped some
> > memory past 512GB and we got confused.
>
> I'll see if I can find anything obvious in the BIOS settings along those
> lines.
>
> Thanks,
>
> Adrian Close

huh? I thought you said it fails after displaying the copyright message.
boot> is shown long before that.
Re: Problems installing on Dell R830
Hi Mike,

On Thu, Apr 27, 2017 at 09:08:18AM +1000, adr...@close.wattle.id.au wrote:
> Can you show the output of "mach mem" from boot> ?

It faults before it displays the "boot>" prompt, so that's tricky.
Is the result of that still useful if I pull some memory out?

> 512GB is the limit for physmem in OpenBSD amd64 (I believe, last time I
> looked, unless someone upped it). It's possible the bios remapped some
> memory past 512GB and we got confused.

I'll see if I can find anything obvious in the BIOS settings along those lines.

Thanks,

Adrian Close
Re: Problems installing on Dell R830
On Thu, Apr 27, 2017 at 09:08:18AM +1000, adr...@close.wattle.id.au wrote:
> Hi Mike,
>
> Thanks for your reply.
>
> > how much memory does the machine have?
>
> This Dell R830 has 512GB of RAM (which is definitely the biggest machine
> I've ever tried to install OpenBSD on). There is a decent delay between the
> copyright message and the page fault.
>
> It's destined to go into production as a Linux-based hypervisor (sorry), but
> I've got some time with it before that needs to happen so I thought I'd try
> to spin up OpenBSD on it.
>
> Thanks,
>
> Adrian Close

Your crash pointed to something in pagezero, and the faulting address was something really odd.

Can you show the output of "mach mem" from boot> ?

512GB is the limit for physmem in OpenBSD amd64 (I believe, last time I looked, unless someone upped it). It's possible the bios remapped some memory past 512GB and we got confused.

-ml
Re: Problems installing on Dell R830
Hi Mike,

Thanks for your reply.

> how much memory does the machine have?

This Dell R830 has 512GB of RAM (which is definitely the biggest machine I've ever tried to install OpenBSD on). There is a decent delay between the copyright message and the page fault.

It's destined to go into production as a Linux-based hypervisor (sorry), but I've got some time with it before that needs to happen so I thought I'd try to spin up OpenBSD on it.

Thanks,

Adrian Close
Re: Arch and vmd
On Wed, Apr 26, 2017 at 11:15:57AM -0700, Mike Larkin wrote:
> On Wed, Apr 26, 2017 at 06:47:17PM +0200, Karl Pettersson wrote:
> > Arch Linux works well as a vmd guest. Some notes about my experiences
> > installing the system:
> >
> > * The Arch installation can be started from the serial console, see:
> > https://wiki.archlinux.org/index.php/Working_with_the_serial_console#Installing_Arch_Linux_using_the_serial_console
> > However, the installation still tends to be unstable, due to unreliable
> > downloads (which has been discussed earlier). Until this is fixed, the
> > installation can be run in QEMU, or in a guest under Linux/KVM (as is
> > currently required by distributions with graphical install).
> >
> > * Syslinux has to be used as bootloader, and serial console should be
> > enabled: https://wiki.archlinux.org/index.php/Syslinux#Serial_console
> > Moreover, the generated config has to be edited to point to the
> > correct root device, and if Ext4 is used as root file system, it must
> > not be 64bit (which is enabled by default when the file system is
> > created): http://www.syslinux.org/wiki/index.php?title=Filesystem
>
> Thanks for trying this out and reporting Karl.
>
> The notes about serial console are welcome. Do note that we are working toward
> an sgabios + seabios payload so that you will be able to install from media
> that uses the regular VGA console (sgabios redirects VGA text mode I/O to
> the serial console). There are a couple of developers working on this,
> hopefully it will make it to the tree soon.

vmd -current is ready to handle sgabios with a different BIOS image. sthen@ has made an updated sysutils/firmware/vmm port that includes sgabios, but it is not available yet, you can give it a quick try by replacing the /etc/firmware/vmm-bios file with the following image that I created manually:

https://bsd.plumbing/vmm-bios-sgabios

Notes and config (to build your own):

https://bsd.plumbing/vmm-bios-sgabios.config.txt

Reyk
Re: acme-client(1) and http_proxy
> acme.sh does not require root/sudoer access. For sure I run it as an
> unprivileged user and hope you do as well!

The concept of privsep isn't about running as an unprivileged user. It is so much more. The problem is that unprivileged users still have the full system call interface available to them. Ignoring that reality -- in these trying times -- is like living in a cave.

Don't care where you run such software. But suggesting it to others as a quality choice is irresponsible.
Re: acme-client(1) and http_proxy
On 4/26/17 12:41 PM, Theo de Raadt wrote:
> > I haven't seen anyone mention acme.sh yet--a shell script for
> > letsencrypt with no external dependencies.
> >
> > https://github.com/Neilpang/acme.sh
>
> No external dependencies, and no security foundations.
>
> No privsep, no clear separation. Using pretty much every unsafe pattern
> tied to security holes in the past. Using the openssl command *GO READ
> THAT CODE SOMETIME*, don't go read the libressl one, go read upstream
> openssl command source. No attempt at security. Just doing the job, and
> assuming every mistake later can be
>
> It's like constructing jetliners from foundational components, and by
> that I mean sticks and stones.
>
> I'm sorry, but I don't get it. It is crazy to recommend something that
> hasn't been STUDIED to ensure it dutifully tries to only perform the task
> and creates no new risk.

Always good to hear from you, Theo!

acme.sh does not require root/sudoer access. For sure I run it as an unprivileged user and hope you do as well!

Jeff
Re: acme-client(1) and http_proxy
> I haven't seen anyone mention acme.sh yet--a shell script for
> letsencrypt with no external dependencies.
>
> https://github.com/Neilpang/acme.sh

No external dependencies, and no security foundations.

No privsep, no clear separation. Using pretty much every unsafe pattern tied to security holes in the past. Using the openssl command *GO READ THAT CODE SOMETIME*, don't go read the libressl one, go read upstream openssl command source. No attempt at security. Just doing the job, and assuming every mistake later can be

It's like constructing jetliners from foundational components, and by that I mean sticks and stones.

I'm sorry, but I don't get it. It is crazy to recommend something that hasn't been STUDIED to ensure it dutifully tries to only perform the task and creates no new risk.
Re: acme-client(1) and http_proxy
On 4/26/17 11:02 AM, Stuart Henderson wrote:
> On 2017-04-25, Adam Thompson wrote:
> > On 2017-04-25 05:27, Stuart Henderson wrote:
>
> * If you want to do dns-01 challenge with acme-client, you'll need to use
> Kristaps' version for now, base acme-client only supports the standard http
> challenge type. The UI isn't the simplest; use '-t dns-01', then it outputs
> "dns-01 domainname token.key", then you convert token.key into a suitable
> format for a DNS TXT record:
>
> "echo -n token.key | sha256 -b | tr -d = | tr + - | tr / _"
>
> Get the record to the nameserver, then send the whole "dns-01 domainname
> token.key" line back to acme-client, and cross fingers. If there are too
> many errors you'll lock yourself out for a period, so test with the staging
> server first.

I haven't seen anyone mention acme.sh yet--a shell script for letsencrypt with no external dependencies.

https://github.com/Neilpang/acme.sh

It was trivial for me to write a dns api script for djbdns--very handy to have to bootstrap a new domain without previously setting up http in apache2 first. I'd send that out to anyone interested--ask me off list.

Jeff
Re: Arch and vmd
On Wed, Apr 26, 2017 at 06:47:17PM +0200, Karl Pettersson wrote:
> Arch Linux works well as a vmd guest. Some notes about my experiences
> installing the system:
>
> * The Arch installation can be started from the serial console, see:
> https://wiki.archlinux.org/index.php/Working_with_the_serial_console#Installing_Arch_Linux_using_the_serial_console
> However, the installation still tends to be unstable, due to unreliable
> downloads (which has been discussed earlier). Until this is fixed, the
> installation can be run in QEMU, or in a guest under Linux/KVM (as is
> currently required by distributions with graphical install).
>
> * Syslinux has to be used as bootloader, and serial console should be
> enabled: https://wiki.archlinux.org/index.php/Syslinux#Serial_console
> Moreover, the generated config has to be edited to point to the
> correct root device, and if Ext4 is used as root file system, it must
> not be 64bit (which is enabled by default when the file system is
> created): http://www.syslinux.org/wiki/index.php?title=Filesystem

Thanks for trying this out and reporting Karl.

The notes about serial console are welcome. Do note that we are working toward an sgabios + seabios payload so that you will be able to install from media that uses the regular VGA console (sgabios redirects VGA text mode I/O to the serial console). There are a couple of developers working on this, hopefully it will make it to the tree soon.

-ml
Re: pledge for sockets?
Luke Small wrote:
> Would it be a good idea to make a pledge like call that limits a process
> from connecting to ports and/or hosts? Maybe it could be done in way that
> the kernel is made aware of the limitations like in a pledge call and while
> the process is alive, the kernel spawns pf rules based upon the socket
> ports that are created to connect to remote host ports.

The idea doesn't have a lot of traction, but someday I'd like to add a bpf matcher to connect() calls and let programs manage their own filters.
Re: thank you sthen@ [Was: Re: acme-client(1) and http_proxy]
On 2017-04-26, Marcus MERIGHI wrote:
> To keep him going I suggest:
>
> http://spacehopper.org/wishlist
>
> "Exploding the phone" is taken.
> ("Estimated delivery: 23 May 2017 - 16 Jun. 2017")
>
> We all benefit :-)

Thanks! I haven't updated that list recently so it's a bit random at the moment :-)
Re: acme-client(1) and http_proxy
On 2017-04-25, Adam Thompson wrote:
> On 2017-04-25 05:27, Stuart Henderson wrote:
>
> > Firstly, with dns-01 challenge you can get a certificate for a server
> > which doesn't allow external access at all (the request and challenge
> > can be done with completely separate machines than the certificate
> > is for).
> >
> > Secondly, some environments permit inbound connections but require
> > a proxy for outbound access from a DMZ. In a hosting environment,
> > restricting outbound access is often more important than inbound.
>
> While it's possible that this was the case, the fact the OP was even
> asking the question in the first place strongly suggests that this is
> not his situation.
>
> I stand by my statement that just buying a cheap SSL cert will, for
> anything other than the simple case of an online, directly-connected,
> webserver, be cheaper than the labour required to obtain a LetsEncrypt
> certificate.
>
> From what I've read so far, you'd have to be *really* committed to
> LetsEncrypt to go to the bother of using any of the alternate challenge
> protocols.

It's not that hard with some clients, especially with DNS hosted at a provider that has an API that the client already supports (or with nsupdate).

If it's a one-off, I agree a cheap SSL cert is often easier. But the work that's involved is manual and needs doing at renewal (generate key/csr, get payment approval, login to CA's website, order, enter card details, manually handle CA's DNS/email auth, copy cert into place, figure out which chain certs are needed if the CA changed them, fix things if you messed up with the keys). Multiply that by a few domains, especially when they need renewing at different times, and it gets to be a real pain. More so when browsers push harder and the validity of certs gets reduced in length across the board.

So with LetsEncrypt and especially non-http challenges it's often more of a faff to set up initially, but that's once only, amortised across multiple domains, in theory the only thing you're likely to need to do later is update the agreement URL. (And you don't have to worry about unscrupulous registrars trying to rip you off by autorenewing at several times the usual cost, hi g*d***y).

> In all the situations where one person could complete the
> process themselves, that person is highly likely to simply be directly
> connected anyway - so why bother?

I usually only let webservers connect out to specific IPs, which doesn't work for connecting to letsencrypt's API servers, currently on akamai and moving around. Punting the requests to a proxy lets you restrict by domain name on the proxy instead.

> Once the entire CA industry moves towards ACME (if that happens) then I
> can see a number of situations where those alternate challenge protocols
> will be useful and/or required, but for a LetsEncrypt certificate? It
> just doesn't seem worthwhile. Especially when the cost of a
> single-hostname SSL cert (which meets the needs of many users) is now
> somewhere below US$5/year!
>
> And neither of us addressed the fact that for a server that's "behind a
> corporate firewall", there's a good chance that it's not even using a
> legit gTLD/ccTLD, which means getting an external domain-validated SSL
> cert for it will be (or should be!) impossible in the first place.

It may well be "www.$somecompany.com" on a DMZ behind a corporate firewall. And/or it may be run on multiple machines for failover and need the cert on all of them, here it's often more straightforward to do the auth from a management host (dns challenge is really needed for this) and push out the cert and keys across from config management.

* If you want to do dns-01 challenge with acme-client, you'll need to use Kristaps' version for now, base acme-client only supports the standard http challenge type.

The UI isn't the simplest; use '-t dns-01', then it outputs "dns-01 domainname token.key", then you convert token.key into a suitable format for a DNS TXT record:

"echo -n token.key | sha256 -b | tr -d = | tr + - | tr / _"

Get the record to the nameserver, then send the whole "dns-01 domainname token.key" line back to acme-client, and cross fingers. If there are too many errors you'll lock yourself out for a period, so test with the staging server first.
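The pipeline in Stuart's message does real ACME arithmetic: "token.key" is the RFC 8555 key authorization (challenge token, a dot, the RFC 7638 thumbprint of the account key), and the TXT record holds base64url(SHA-256(key authorization)) without padding, which is what `sha256 -b` plus the three `tr` calls produce. The script below is an added example, not code from the thread or from acme-client, that computes the same value in Python so each step can be checked; it also shows why the `-n` on `echo` matters. The account JWK, token and domain are constructed placeholders, and the account key is not a usable key.

```python
"""Added example: the dns-01 TXT value behind acme-client's "dns-01 domainname
token.key" line. Nothing here talks to a CA; all inputs are constructed."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_from_std(std_b64: str) -> str:
    """What 'tr -d = | tr + - | tr / _' does to ordinary base64 output."""
    return std_b64.replace("=", "").replace("+", "-").replace("/", "_")


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 thumbprint input: required members only, sorted, no whitespace.
    Any other serialisation yields a different thumbprint and a failed challenge."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True,
                      separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """The '.key' half of the 'token.key' string acme-client prints."""
    digest = hashlib.sha256(canonical_jwk_json(jwk).encode("ascii")).digest()
    return b64url(digest)


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 key authorization: token || '.' || thumbprint(account key)."""
    return token + "." + jwk_thumbprint(jwk)


def dns01_txt_value(key_auth: str) -> str:
    """TXT data for _acme-challenge.<domain>: base64url(SHA-256(key_auth)).
    The hash covers exactly the key authorization, so no newline may be
    appended; that is the reason for 'echo -n' in the shell pipeline."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def dns01_txt_value_via_tr(key_auth: str) -> str:
    """Same value the way the pipeline gets it: standard base64 (what
    'sha256 -b' prints), then the three tr substitutions."""
    std = base64.b64encode(hashlib.sha256(key_auth.encode("ascii")).digest())
    return b64url_from_std(std.decode("ascii"))


def dns01_record(domain: str, key_auth: str) -> tuple:
    """(owner name, TXT data) to hand to the nameserver."""
    return ("_acme-challenge." + domain + ".", dns01_txt_value(key_auth))


# Constructed sample inputs: placeholder JWK (not a real key), placeholder token.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
DOMAIN = "example.com"
KEY_AUTH = key_authorization(TOKEN, ACCOUNT_JWK)


if __name__ == "__main__":
    name, data = dns01_record(DOMAIN, KEY_AUTH)
    print("acme-client line:", "dns-01", DOMAIN, KEY_AUTH)
    print("TXT record      :", name, 'IN TXT "' + data + '"')
    # The shell pipeline and the direct computation must agree.
    assert data == dns01_txt_value_via_tr(KEY_AUTH)
```

Before pointing a client at the production endpoint, compare the value the script prints for a real "token.key" against `dig +short TXT _acme-challenge.domain` once the record has propagated; a mismatch there is the usual cause of the repeated failures that trip the rate limit Stuart mentions.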
Arch and vmd
Arch Linux works well as a vmd guest. Some notes about my experiences installing the system:

* The Arch installation can be started from the serial console, see:
  https://wiki.archlinux.org/index.php/Working_with_the_serial_console#Installing_Arch_Linux_using_the_serial_console
  However, the installation still tends to be unstable, due to unreliable downloads (which has been discussed earlier). Until this is fixed, the installation can be run in QEMU, or in a guest under Linux/KVM (as is currently required by distributions with graphical install).

* Syslinux has to be used as bootloader, and serial console should be enabled: https://wiki.archlinux.org/index.php/Syslinux#Serial_console
  Moreover, the generated config has to be edited to point to the correct root device, and if Ext4 is used as root file system, it must not be 64bit (which is enabled by default when the file system is created): http://www.syslinux.org/wiki/index.php?title=Filesystem
Re: OpenBSD 6.1, boot can't find kernel anymore
Thanks for the response Jonathan. Seems probable, boot output looks something like this:

disk: hd0 hd1 hd2
open(hd0a:/etc/boot.conf): Invalid argument
booting hd0a:/bsd: open hd0a:/bsd: Invalid argument

and so on... It does only check hd0 (which is not a readable disk), while the OpenBSD partition is under hd2.
Re: pledge for sockets
I guess that representing something like "block out user daemon_id" and "pass out quick from any to specific_host port specific_port user daemon_id" in terms of pledge() parameters would make it rather unwieldy, if you want your fooDB to only be able to make outward connections to the designated fooDB tcp port on a specific destination ip.

But it's rather simple in PF already. And very flexible if you want to have very advanced exceptions later on.

2017-04-26 13:38 GMT+02:00 Luke Small:
> Pledge will presumably have per process (including fork()ed process)
> **path limitations on rpath and wpath calls, why not limitations on
> inet and unix?
>
> On Wed, Apr 26, 2017 at 6:26 AM Janne Johansson wrote:
>
> > 2017-04-26 13:19 GMT+02:00 Luke Small:
> >
> > > I'm not saying to alter pledge necessarily, maybe make new system call
> > > like pledge. There aren't any per-process pf rules that are applied.
> >
> > If your daemon has a specific user, you can make such rules in PF.
> > The goal you stated can be reached already, why keep on suggesting new
> > syscalls?
> >
> > --
> > May the most significant bit of your life be positive.

--
May the most significant bit of your life be positive.
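The two rules Janne sketches, written out as a pf.conf fragment so the ordering and the scope of the "user" match are visible. This is an added example, not from the thread; the daemon user _foodb, the server address 192.0.2.10 and the port 5432 are assumed names standing in for "daemon_id", "specific_host" and "specific_port".

```pf
# Added example (assumed names): confine everything the _foodb user opens
# to one destination. pf's "user" option matches the owner of the local
# socket, so it only governs connections that originate on this host, and
# only does anything if the daemon really runs as that user.
db_srv = "192.0.2.10"

# Default deny for that user. "return" makes a blocked connect() fail fast
# instead of hanging, and "log" records what the daemon tried to reach.
block return out log proto { tcp udp } from self user _foodb

# The single permitted destination; "quick" stops evaluation at this match.
pass out quick proto tcp from self to $db_srv port 5432 user _foodb
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` while the daemon starts: anything the block rule logs is a connection the daemon needed that the rule set does not yet allow, which is exactly the inventory one would otherwise want pledge to enforce.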
Re: pledge for sockets
Pledge will presumably have per process (including fork()ed process) **path limitations on rpath and wpath calls, why not limitations on inet and unix?

On Wed, Apr 26, 2017 at 6:26 AM Janne Johansson wrote:
> 2017-04-26 13:19 GMT+02:00 Luke Small:
>
> > I'm not saying to alter pledge necessarily, maybe make new system call
> > like pledge. There aren't any per-process pf rules that are applied.
>
> If your daemon has a specific user, you can make such rules in PF.
> The goal you stated can be reached already, why keep on suggesting new
> syscalls?
>
> --
> May the most significant bit of your life be positive.
Re: pledge for sockets
2017-04-26 13:19 GMT+02:00 Luke Small:
> I'm not saying to alter pledge necessarily, maybe make new system call
> like pledge. There aren't any per-process pf rules that are applied.

If your daemon has a specific user, you can make such rules in PF.
The goal you stated can be reached already, why keep on suggesting new syscalls?

--
May the most significant bit of your life be positive.
thank you sthen@ [Was: Re: acme-client(1) and http_proxy]
To keep him going I suggest:

http://spacehopper.org/wishlist

"Exploding the phone" is taken.
("Estimated delivery: 23 May 2017 - 16 Jun. 2017")

We all benefit :-)

Marcus

stefan.wol...@web.de (Stefan Wollny), 2017.04.26 (Wed) 10:04 (CEST):
> Sent: Wednesday, 26 April 2017 06:16
> From: "Predrag Punosevac"
> To: misc@openbsd.org
> Subject: Re: acme-client(1) and http_proxy
> [ ... ]
> > Best,
> > Predrag
> >
> > P.S. In all my years on this mailing list I have seen nothing but the
> > most insightful, helpful, and polite answers by Mr. Stuart Henderson.
> +1
> > If he had labeled my post as a "Fake news :)" I would reflect on it
> > before posting again in the same thread.
> Words of wisdom here
Re: pledge for sockets
I'm not saying to alter pledge necessarily, maybe make new system call like pledge. There aren't any per-process pf rules that are applied. When a socket connects to a remote or local server and pf makes a state, it has the originating randomized port. Pf rules can be made that target those randomized port numbers, but maybe there could be a more elegant way like intervening in connect() and bind() calls.

> you can have rules to filter by user for both incoming and outgoing
> connections, see http://man.openbsd.org/OpenBSD-6.1/pf.conf.5#user
> I don't think there's too much gain in adding support for this kinda thing
> in pledge but that's for the devs to decide.
Re: Relayd 2 domains on 2 seperate vm
Hi denis,

this seems to look like it, I will give it a try :)

I'm fairly new to this subject so sorry if I asked a simple question but as far as searching on the net goes most of the time I end up with a load balancing example :)

regards

Markus

On 26.04.2017 at 11:01, Denis Fondras wrote:
> > I don't want loadbalancing here! I need to separate the hosting of the domain
> > to different machines because of some software that is running on one of the
> > machines but is not needed on the other one.
>
> Something like that ?
>
> # cat /etc/relayd.conf
> ext_addr="185.xxx.xxx.xxx"
>
> table { 192.168.1.31 }
> table { 192.168.1.21 }
>
> http protocol "httpsproxy" {
>         match request quick header "Host" value "app.mydomain.fr" forward to
>         match request quick header "Host" value "app2-0.mydomain.fr" forward to
>         match request quick header "Host" value "www.mydomain.fr" forward to
>         match request quick header "Host" value "app2-1.mydomain.fr" forward to
> }
>
> relay "proxy" {
>         listen on $ext_addr port 443 tls
>         protocol "httpsproxy"
>         forward with tls to port 443
>         forward with tls to port 443
> }

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227

Please check whether this mail really needs to be printed!
Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: Relayd 2 domains on 2 seperate vm
> I don't want loadbalancing here! I need to separate the hosting of the domain
> to different machines because of some software that is running on one of the
> machines but is not needed on the other one.
>

Something like that ?

# cat /etc/relayd.conf
ext_addr="185.xxx.xxx.xxx"

table { 192.168.1.31 }
table { 192.168.1.21 }

http protocol "httpsproxy" {
        match request quick header "Host" value "app.mydomain.fr" forward to
        match request quick header "Host" value "app2-0.mydomain.fr" forward to
        match request quick header "Host" value "www.mydomain.fr" forward to
        match request quick header "Host" value "app2-1.mydomain.fr" forward to
}

relay "proxy" {
        listen on $ext_addr port 443 tls
        protocol "httpsproxy"
        forward with tls to port 443
        forward with tls to port 443
}
Re: WARNING: symbol(icudt58_dat) size mismatch, relink your program
On 25 Apr 2017, Edgar Pettijohn wrote:
> On 04/25/17 10:39, Kim Lidström wrote:
> > I get the same but with Firefox.
> >
> > > On 25 Apr 2017, at 12:29, Stuart Henderson wrote:
> > >
> > > You aren't doing anything wrong to trigger it. Known problem but we
> > > haven't figured out the cause of this yet.
> > Alright. Do you know if you have any leads? Might take a look this week
> I also get the same when starting libreoffice.

Yes, and also firefox 5.30.

--
Anthony Campbell
http://www.acampbell.uk
Relayd 2 domains on 2 seperate vm
Hi there,

since I'm discovering the possibilities for having a few vm behind 1 external ip I was wondering if this kind of setup is possible with relayd?

so I was thinking:

1 gateway with openbsd and relayd and the external IP
2 vm each with a httpd running hosting a domain behind that gateway

I don't want loadbalancing here! I need to separate the hosting of the domain to different machines because of some software that is running on one of the machines but is not needed on the other one.

Is this kind of setup possible or do I need to look for some other piece of software than relayd?

Regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227
Re: pledge for sockets?
Hi Luke,

you can have rules to filter by user for both incoming and outgoing connections, see http://man.openbsd.org/OpenBSD-6.1/pf.conf.5#user

I don't think there's too much gain in adding support for this kinda thing in pledge but that's for the devs to decide.

Regards,
Florian

On 26 April 2017 10:09:18 CEST, Luke Small wrote:
> Would it be a good idea to make a pledge like call that limits a process
> from connecting to ports and/or hosts? Maybe it could be done in way that
> the kernel is made aware of the limitations like in a pledge call and while
> the process is alive, the kernel spawns pf rules based upon the socket
> ports that are created to connect to remote host ports.
>
> You could conceivably do things like limiting ntpd to predetermined hosts
> and port 123 and 53 on the respective processes involved.
>
> It would make processes that need the inet pledge permission merely to use
> libhiredis to connect to a Redis database more safe.
Re: msdosfs filenames encoding
Sorry for bumping this thread but I got an off-list reply about using the -l flag to force long filenames. In fact I tried -l but there wasn't any change, because mount_msdos correctly found that there are long filenames in the filesystem and assumed -l on its own.

Ascii filenames work correctly:

% \ls Mendelssohn
Mendelssohn - Songs Without Words Op. 19b No. 6 'Venetianisches Gondellied' In G Minor.ogg
Mendelssohn - Songs Without Words Op.67 No.6 In E Major.ogg

Unicode (Greek and names with other special unicode characters) don't:

% \ls __ٯ__\~1
1994-_~1 1997-_~1 1999-_~1 2003-_~1 2005-_~1 2008-?~1

On Thu, Apr 06, 2017 at 09:26:54PM +0300, Manos Pitsidianakis wrote:
> I have some FAT32 devices (Rockbox firmware only supports that,
> unfortunately), mounted with `mount -t msdos ...` and in them I have many
> files in non-ascii filenames. While I can see encoding inside the files
> (eg: cat-ing a text file), I get mangled filenames:
>
> % \ls _*
> ___ү_~1:
> 1985-_~1 1987-_~1 1990-_~1 1993-_~1 1996-_~1 1999-_~1
> ~1:
> 2000-_~1 2000-_~2 2003-_~1 2008-_~1
> __ٯ__~1:
> 1994-_~1 1997-_~1 1999-_~1 2003-_~1 2005-_~1 2008-?~1
> ~1:
> 1981-_~1 1985-_~1 1988-_~1 1991-_~1 2005-_~1 2007-_~1 2009-2~1
>
> etc. I get the same behaviour on bash, zsh, ksh. The filesystem and files
> have been created on a linux machine. Is this a msdosfs bug? I see in
> sys/msdosfs/msdosfs_conv.c that filenames are converted in through an
> ascii table, instead of passing the raw bytes (If I am not mistaken). I
> don't know why 0x5f (underscore) would be there instead. How should I
> begin looking to correct this?
Re: pledge for sockets?
That sounds like what pf can do for stuff running on the local machine, based on userid of the process opening the sockets. At least if your daemons all run as separate users.

2017-04-26 10:09 GMT+02:00 Luke Small:
> Would it be a good idea to make a pledge like call that limits a process
> from connecting to ports and/or hosts? Maybe it could be done in way that
> the kernel is made aware of the limitations like in a pledge call and while
> the process is alive, the kernel spawns pf rules based upon the socket
> ports that are created to connect to remote host ports.
>
> You could conceivably do things like limiting ntpd to predetermined hosts
> and port 123 and 53 on the respective processes involved.
>
> It would make processes that need the inet pledge permission merely to use
> libhiredis to connect to a Redis database more safe.

--
May the most significant bit of your life be positive.
pledge for sockets?
Would it be a good idea to make a pledge like call that limits a process from connecting to ports and/or hosts? Maybe it could be done in way that the kernel is made aware of the limitations like in a pledge call and while the process is alive, the kernel spawns pf rules based upon the socket ports that are created to connect to remote host ports. You could conceivably do things like limiting ntpd to predetermined hosts and port 123 and 53 on the respective processes involved. It would make processes that need the inet pledge permission merely to use libhiredis to connect to a Redis database more safe.
Re: acme-client(1) and http_proxy
Sent: Wednesday, 26 April 2017 at 06:16
From: "Predrag Punosevac"
To: misc@openbsd.org
Subject: Re: acme-client(1) and http_proxy

[ ... ]
> Best,
> Predrag
>
> P.S. In all my years on this mailing list I have seen nothing but the
> most insightful, helpful, and polite answers by Mr. Stuart Henderson.

+1

> If he had labeled my post as a "Fake news :)" I would reflect on it
> before posting again in the same thread.

Words of wisdom here
Re: Problems installing on Dell R830
On Wed, Apr 26, 2017 at 03:55:34PM +1000, adr...@close.wattle.id.au wrote:
> Hi all,
>
> It's been a long time since I posted here, so apologies if I slip up on the
> netiquette.
>
> I'm trying to install on a Dell R830 but I can't get the installer to boot -
> it crashes with a page fault after displaying the initial copyright message:
>
> [..snip..]
> fatal page fault in supervisor mode
> trap type 6 code 2 rip 8100195d cs 8 rflags 10246 cr2 f807ffef000
> cpl e rsp 81a05ba8
> panic: trap type 6, code=2, pc=8100195d
> [..snip..]
>
> I've tried booting 6.0, 6.1 and the current snapshot with similar results.
> Other Dell hardware I have access to (eg. R630, R620) works OK. Normally I'd
> try disabling stuff in UKC, but booting with "-c" has the same result and no
> UKC> prompt.
>
> Does anyone have any suggestions on how I might get this going?
>
> Thanks,
>
> Adrian Close
>

how much memory does the machine have?
Re: 6.1: /usr/local/bin/node: W^X binary outside wxallowed mountpoint
Thanks all for replying. The key part was 1) in Todd's answer. Mounted /home with wxallowed already. Just needed to 'cp' binary into it.

Br

> On 25 Apr 2017 at 22:43, Todd C. Miller wrote:
>
> On Tue, 25 Apr 2017 16:49:36 +0200, Maxim Bourmistrov wrote:
>
>> Any work around for this one?
>>
>> Mount with wxallowed not working.
>
> Two things are required:
>
> 1) The binary must be on a file system mounted with the wxallowed
> option.
>
> 2) The binary must have the OPENBSD_WXNEED type in the ELF header.
>
> You can check for #2 by running "readelf -l /usr/local/bin/node".
> The output should include a section similar to the following.
> If you don't see OPENBSD_WXNEED in there, that is the problem
> and you probably need to update your packages to the 6.1 versions.
>
> Program Headers:
> Type Offset VirtAddr PhysAddr
> FileSizMemSiz Flags Align
> PHDR 0x0040 0x0040 0x0040
> 0x0348 0x0348 R E8
> INTERP 0x00af82be 0x00bf82be 0x00bf82be
> 0x0013 0x0013 R 1
> [Requesting program interpreter: /usr/libexec/ld.so]
> LOAD 0x 0x 0x
> 0x00af82be 0x00af82be R E10
> LOAD 0x00af82be 0x00bf82be 0x00bf82be
> 0x00bfe59a 0x00bfe59a R 10
> LOAD 0x016f6910 0x018f6910 0x018f6910
> 0x000a5af0 0x000b6e00 RW 10
> DYNAMIC0x0177dda8 0x0197dda8 0x0197dda8
> 0x01b0 0x01b0 RW 8
> NOTE 0x00af82d4 0x00bf82d4 0x00bf82d4
> 0x0018 0x0018 R 4
> GNU_EH_FRAME 0x01533634 0x01633634 0x01633634
> 0x00049dac 0x00049dac R 4
> OPENBSD_WXNEED 0x 0x 0x
> 0x 0xE8
> OPENBSD_RANDOM 0x016f6910 0x018f6910 0x018f6910
> 0x0008 0x0008 RW 8
> GNU_RELRO 0x016f6910 0x018f6910 0x018f6910
> 0x0008f6f0 0x0008f6f0 R 1
>
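As an added example (not code from the thread), a small sh script that checks both of the requirements Todd lists for a given binary. It assumes OpenBSD's `mount` output looks like "/dev/sd0k on /home type ffs (local, nodev, wxallowed)" and that `readelf -l` prints one program header type per line, as in the output quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: check the two requirements for a
# W^X binary such as /usr/local/bin/node. Assumes OpenBSD `mount` output
# of the form "/dev/sd0k on /home type ffs (local, nodev, wxallowed)" and
# `readelf -l` output with one program header type per line.

# Requirement 1: is the file system holding $1 mounted with wxallowed?
# Reads `mount` output on stdin and picks the longest mount point that is
# a prefix of the path, so /home/bin/node matches /home rather than /.
fs_allows_wx() {
    awk -v p="$1" '
        $2 == "on" {
            mp = $3
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) >= length(best)) { best = mp; line = $0 }
        }
        END { exit !(line ~ /[(, ]wxallowed[,)]/) }'
}

# Requirement 2: does the ELF carry an OPENBSD_WXNEED program header?
# Reads `readelf -l` output on stdin.
phdr_has_wxneed() {
    awk '$1 == "OPENBSD_WXNEED" { found = 1 } END { exit !found }'
}

# Run both checks against a real binary; exit status 0 only if both pass.
check_wx_binary() {
    bin=$1
    rc=0
    if mount | fs_allows_wx "$bin"; then
        echo "1) wxallowed mount: ok"
    else
        echo "1) wxallowed mount: MISSING (mount the file system with wxallowed)"; rc=1
    fi
    if readelf -l "$bin" | phdr_has_wxneed; then
        echo "2) OPENBSD_WXNEED header: ok"
    else
        echo "2) OPENBSD_WXNEED header: MISSING (update to the 6.1 package)"; rc=1
    fi
    return $rc
}

# usage: sh check_wx.sh /usr/local/bin/node
if [ "$#" -eq 1 ]; then check_wx_binary "$1"; fi
```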