Re: IPv6 autoconf

[Sterling Archer]

Hey, glad you got it working :)

On Sat, Jul 29, 2017 at 3:29 AM, Thomas Smith
 wrote:
> On July 28, 2017 at 3:37:18 PM, Hamza Sheikh (fehr...@codeghar.com) wrote:
>
> I went through the process of creating an OpenBSD-based gateway for my
> home network (IPv4 and IPv6). Learned a lot and documented my setup in
> a blog post[0]. Maybe it can help troubleshoot your IPv6 setup. Pay
> special attention to these sections: (a) cnmac0; (b) dhcp6c; (c) The
> "Wrong" Config.
>
> [0] http://codeghar.com/blog/openbsd-network-gateway-on-edgerouter-lite.html
>
>
> I had been trying wide-dhcpv6—even with no firewall rules enabled, it erred
> out—“no route to host” and some other info. I expected that this had to do
> with `rtsol` or `inet6 autoconf` not working properly in hostname.em0—but
> according to your blog post, it was likely a misconfiguration on my part.
>
> After Mr Archer’s post, instead of giving dhcpcd a shot I tried
> isc-dhcp-client—firewall off, it immediately pulled down an ip6 address
> from Cox. After making some adjustments to the firewall, it could pull down
> one with it enabled as well. Still have a few things to work out now, but
> this is a great start!
>
> Thanks for the input guys!
>
> One question…
>
> What would be necessary to bake this functionality into OpenBSD base? IPv6
> is pretty ubiquitous nowadays—most ISPs support it, most cloud providers
> support it—it seems common enough that much of this functionality should
> just work.
>
> I know that “common enough” isn’t a good reason to implement features or
> functionality, it just seems like a core capability that should be present.
>
> When I was researching how to set this up, I found many different ways to
> do so—some of the information was clearly dated, others not so much. It
> would be great to have just configure this via hostname.em0 (or whichever
> interface) and have it work.
>
> I’m fairly new to OpenBSD but if there’s something I can do to help with
> this, I’m happy to do so if it's within my skillset.

Re: IPv6 autoconf

[Thomas Smith]

On July 28, 2017 at 3:37:18 PM, Hamza Sheikh (fehr...@codeghar.com) wrote:

I went through the process of creating an OpenBSD-based gateway for my
home network (IPv4 and IPv6). Learned a lot and documented my setup in
a blog post[0]. Maybe it can help troubleshoot your IPv6 setup. Pay
special attention to these sections: (a) cnmac0; (b) dhcp6c; (c) The
"Wrong" Config.

[0] http://codeghar.com/blog/openbsd-network-gateway-on-edgerouter-lite.html


I had been trying wide-dhcpv6—even with no firewall rules enabled, it erred
out—“no route to host” and some other info. I expected that this had to do
with `rtsol` or `inet6 autoconf` not working properly in hostname.em0—but
according to your blog post, it was likely a misconfiguration on my part.

After Mr Archer’s post, instead of giving dhcpcd a shot I tried
isc-dhcp-client—firewall off, it immediately pulled down an ip6 address
from Cox. After making some adjustments to the firewall, it could pull down
one with it enabled as well. Still have a few things to work out now, but
this is a great start!

Thanks for the input guys!

One question…

What would be necessary to bake this functionality into OpenBSD base? IPv6
is pretty ubiquitous nowadays—most ISPs support it, most cloud providers
support it—it seems common enough that much of this functionality should
just work.

I know that “common enough” isn’t a good reason to implement features or
functionality, it just seems like a core capability that should be present.

When I was researching how to set this up, I found many different ways to
do so—some of the information was clearly dated, others not so much. It
would be great to have just configure this via hostname.em0 (or whichever
interface) and have it work.

I’m fairly new to OpenBSD but if there’s something I can do to help with
this, I’m happy to do so if it's within my skillset.

Re: IPv6 autoconf

[leonardz]

o


Sent from my Samsung Galaxy smartphone.
 Original message From: Sterling Archer  
Date: 2017-07-28  7:05 PM  (GMT-05:00) To: Hamza Sheikh  
Cc: Thomas Smith , OpenBSD Misc  
Subject: Re: IPv6 autoconf 
I switched from wide-dhcp to dhcpcd after reading recommendations
on this mailing list, and I don't regret it. Setup is just as easy, and the
code is more actively maintained.

On Sat, Jul 29, 2017 at 12:37 AM, Hamza Sheikh  wrote:
> I went through the process of creating an OpenBSD-based gateway for my
> home network (IPv4 and IPv6). Learned a lot and documented my setup in
> a blog post[0]. Maybe it can help troubleshoot your IPv6 setup. Pay
> special attention to these sections: (a) cnmac0; (b) dhcp6c; (c) The
> "Wrong" Config.
>
> [0] http://codeghar.com/blog/openbsd-network-gateway-on-edgerouter-lite.html
>

Re: Split zone DNS?

[Steve Williams]

Hi,

Thanks for the feedback everyone!

I'll be looking at unbound and seeing if I need nsd or not.

Have a great weekend!

Cheers,
Steve

On 28/07/2017 7:58 AM, Steve Williams wrote:

Hi,

I recently upgraded to 6.1 and am trying to (finally, after many 
OpenBSD versions over 10 years) fine tune my home network.


I would like to run a local resolver on my internal network that will 
resolve all my hosts on my local network to IP addresses on my local 
network(s) rather than resolving to their public IP addresses.


I believe it's called a "split zone" DNS, where my domain is resolved 
locally, but everyone else is resolved using normal resolution processes.


I set this up at one of my previous jobs using BIND, but that was 7 
years ago.  I've never gone to the trouble of doing it at home, but I 
would like to exercise my brain a bit as well as having my home 
network set up "better".


What is the best tool to accomplish this these days?  Is NSD the 
"modern" tool to be using on OpenBSD?


Are there any hooks for dhcpd to update records?

I've read the NSD(8), nsd.conf(5) man pages and that seems to be the 
way to go, but I thought I'd check the wisdom here to see if there is 
a better approach.


Thanks,
Steve Williams

Re: permission denied local nfs mount

[Allan Streib]

Nicolas Schmidt  writes:

> Did you try setting an explicit netmask?

I didn't; the exports(5) man page says it's optional:

 If the mask is not specified, it will default to the mask for that
 network class (A, B or C; see inet_addr(3)).

I tried just now with -mask=255.255.255.0 and got the same "permission
denied."

Allan

Re: permission denied local nfs mount

[Nicolas Schmidt]

Did you try setting an explicit netmask?

> Am 29.07.2017 um 01:36 schrieb Allan Streib :
> 
> 6.1 amd64 release
> 
> My goal is to serve files from a directory in my home dir via httpd. As
> I understand it the way to do this is a local NFS mount in the httpd
> chroot.
> 
> Basically following the FAQ for NFS I set up this:
> 
> $ cat /etc/exports
> /home/astreib/work/new-site.org -ro -network=127.0.0.1
> 
> $ showmount -e
> Exports list on localhost:
> /home/astreib/work/new-site.org127.0.0.1
> 
> $ doas mount -t nfs 127.0.0.1:/home/astreib/work/new-site.org 
> /var/www/htdocs/new-site
> mount_nfs: can't access /home/astreib/work/new-site.org: Permission denied
> 
> Everyhing works if I remove the "-network=" from /etc/exports, i.e.:
> 
> /home/astreib/work/new-site.org -ro 127.0.0.1
> 
> I don't really understand why?
> 
> Allan

permission denied local nfs mount

[Allan Streib]

6.1 amd64 release

My goal is to serve files from a directory in my home dir via httpd. As
I understand it the way to do this is a local NFS mount in the httpd
chroot.

Basically following the FAQ for NFS I set up this:

$ cat /etc/exports
/home/astreib/work/new-site.org -ro -network=127.0.0.1

$ showmount -e
Exports list on localhost:
/home/astreib/work/new-site.org127.0.0.1

$ doas mount -t nfs 127.0.0.1:/home/astreib/work/new-site.org 
/var/www/htdocs/new-site
mount_nfs: can't access /home/astreib/work/new-site.org: Permission denied

Everyhing works if I remove the "-network=" from /etc/exports, i.e.:

/home/astreib/work/new-site.org -ro 127.0.0.1

I don't really understand why?

Allan

Re: IPv6 autoconf

[Sterling Archer]

I switched from wide-dhcp to dhcpcd after reading recommendations
on this mailing list, and I don't regret it. Setup is just as easy, and the
code is more actively maintained.

On Sat, Jul 29, 2017 at 12:37 AM, Hamza Sheikh  wrote:
> I went through the process of creating an OpenBSD-based gateway for my
> home network (IPv4 and IPv6). Learned a lot and documented my setup in
> a blog post[0]. Maybe it can help troubleshoot your IPv6 setup. Pay
> special attention to these sections: (a) cnmac0; (b) dhcp6c; (c) The
> "Wrong" Config.
>
> [0] http://codeghar.com/blog/openbsd-network-gateway-on-edgerouter-lite.html
>

Re: IPv6 autoconf

[Hamza Sheikh]

I went through the process of creating an OpenBSD-based gateway for my
home network (IPv4 and IPv6). Learned a lot and documented my setup in
a blog post[0]. Maybe it can help troubleshoot your IPv6 setup. Pay
special attention to these sections: (a) cnmac0; (b) dhcp6c; (c) The
"Wrong" Config.

[0] http://codeghar.com/blog/openbsd-network-gateway-on-edgerouter-lite.html

Re: Getting Dell RAID status via SNMP

[Andrew Daugherity]

On Mon, Jul 24, 2017 at 12:10 AM, FUKAUMI Naoki  wrote:

> Hi,
>
> From: Jibby Jeremiah 
> Subject: Re: Getting Dell RAID status via SNMP
> Date: Wed, 19 Jul 2017 15:03:21 -0400
>
> > Darn.  Well if you need more testers let me know.
>
> It seems your RAID card doesn't have cache,
>
> > mfii0 at pci3 dev 0 function 0 "Symbios Logic MegaRAID SAS3008" rev 0x02:
> > msi
> > mfii0: "PERC H330 Adapter", firmware 25.5.0.0019
>
> then, I guess the "issue" will not happen.
>
> Here is new/WIP patch to support bio(4) for mfii(4). it doesn't fix the
> "issue" yet, but it includes hot swap support from my patch for mfi(4)
>  http://marc.info/?l=openbsd-tech=149872410222552=2
>
> Could you try attached patch?
>

Hi,

Thanks for the patch, but it fails to build (also, I had to use 'patch -l'
to get it to apply at all, due to ^M line endings, etc.):

/usr/src/sys/dev/pci/mfii.c: In function 'mfii_makegood':
/usr/src/sys/dev/pci/mfii.c:3068: error: 'MR_DCMD_CFG_FOREIGN_SCAN'
undeclared (first use in this function)
/usr/src/sys/dev/pci/mfii.c:3068: error: (Each undeclared identifier is
reported only once
/usr/src/sys/dev/pci/mfii.c:3068: error: for each function it appears in.)
/usr/src/sys/dev/pci/mfii.c:3073: error: 'MR_DCMD_CFG_FOREIGN_CLEAR'
undeclared (first use in this function)
/usr/src/sys/dev/pci/mfii.c: In function 'mfii_makespare':
/usr/src/sys/dev/pci/mfii.c:3125: error: 'MR_DCMD_CFG_MAKE_SPARE'
undeclared (first use in this function)
*** Error 1 in /usr/src/sys/arch/amd64/compile/GENERIC.MP (Makefile:947
'mfii.o')


I got around that by copying those definitions from the FreeBSD mfi driver
(patch is also attached, in case gmail decides to munge inline tabs):

Add MR_DCMD_CFG definitions for *_SPARE and FOREIGN_* (taken from
FreeBSD sys/dev/mfi/mfireg.h).
--- sys/dev/ic/mfireg.h.bak Fri Jul 28 12:43:41 2017
+++ sys/dev/ic/mfireg.h Fri Jul 28 12:47:19 2017
@@ -139,6 +139,13 @@
 #define MR_DCMD_CONF_GET 0x0401
 #define MR_DCMD_CFG_ADD 0x0402
 #define MR_DCMD_CFG_CLEAR 0x0403
+#define MR_DCMD_CFG_MAKE_SPARE 0x0404
+#define MR_DCMD_CFG_REMOVE_SPARE 0x0405
+#define MR_DCMD_CFG_FOREIGN_SCAN 0x04060100
+#define MR_DCMD_CFG_FOREIGN_DISPLAY 0x04060200
+#define MR_DCMD_CFG_FOREIGN_PREVIEW 0x04060300
+#define MR_DCMD_CFG_FOREIGN_IMPORT 0x04060400
+#define MR_DCMD_CFG_FOREIGN_CLEAR 0x04060500
 #define MR_DCMD_BBU_GET_STATUS 0x0501
 #define MR_DCMD_BBU_GET_CAPACITY_INFO 0x0502
 #define MR_DCMD_BBU_GET_DESIGN_INFO 0x0503

I'll leave it to the experts to determine whether the numbers for
MR_DCMD_CFG_MAKE_SPARE, etc. are in fact correct.

I have the same PERC H330 HBA, and temporarily have a rather unique disk
configuration in this server -- it has two disks, initially set up as
RAID-1.  For testing UEFI support, I broke the mirror, and configured the
second disk as a passthrough disk, so as to have one disk with MBR and one
with GPT.  (Unfortunately, OpenBSD still doesn't boot in EFI mode on this
server, only BIOS mode [1].  FreeBSD and Linux do work fine with EFI.)
 Right now it shows a degraded RAID-1 volume plus the passthrough disk.
Obviously I plan to make a normal healthy RAID-1 before going live with it.

After building a new kernel with the patch, I now have a new 'mfii0' entry
in hw.sensors:

hw.sensors.cpu0.temp0=26.00 degC
hw.sensors.mfii0.drive0=degraded (sd0), WARNING
hw.sensors.pchtemp0.temp0=26.50 degC
hw.sensors.sdtemp0.temp0=25.62 degC
hw.sensors.sdtemp1.temp0=26.25 degC

(sdtemp was already working previously)

Also bioctl works too, at least for reading status (haven't tried modifying
the array):
=== bioctl sd0 output 
BEFORE
sd0: , serial 007bbdf6cecf3d461e5c56708741

AFTER (bioctl -v)
Volume  Status   Size Device
mfii0 0 Degraded 499558383616 sd0 RAID1 WT
  0 Failed  0 0:0.0   noencl <>
 'unknown serial'
  1 Online   500107862016 0:1.0   noencl 
 'unknown serial'

Not sure about the 'unknown serial', but otherwise looks correct.


Nice work!  Sorry I don't have a card with cache (e.g. H730) to test on,
but I haven't hit any problems with my H330 yet.


-Andrew


[1] https://marc.info/?l=openbsd-misc=146343624320665=2
With more recent kernels, the numbers on the "entry point" line are
different, but the UEFI boot problem otherwise remains the same -- video
corruption, followed by a reboot 10-15 seconds later.  I just discovered
that serial console support has recently been added to the UEFI bootloader,
so I hopefully I'll be able to see boot messages from after the video goes
wonky, and submit a more useful bug report.


dmesg:
OpenBSD 6.1 (GENERIC.MP) #1: Fri Jul 28 12:51:53 CDT 2017
andrew@obsd-r230:/usr/src/sys/arch/amd64/compile/GENERIC.MP
RTC BIOS diagnostic error 80
real mem = 8395776000 

Re: OpenBSD 6.1 installation, on dedicated server, using qemu not working.

[Stefan Fritsch]

On Tuesday, 25 July 2017 21:30:08 CEST Mxher wrote:
> I'm renting a dedicated server from a web host that unfortunately does
> not propose OpenBSD installation.
> 
> So I'm installing OpenBSD using qemu from my host rescue mode (which use
> FreeBSD).
> 
> 
> Usually it works like a charm but this time, on this server/hardware, it
> does not work: OpenBSD does not seem to start at all.
> Indeed when I boot with qemu I do not see any logs of the "normal" boot
> of the server (I only see qemu's boots in the logs).

Maybe I misunderstand what you are trying to do, but: There is sgabios for 
redirecting vga text output to serial console in qemu. Maybe that could help 
somehow? Or try using VNC console in qemu. Are you seeing the openbsd 
bootloader prompt? Are you then setting the console correctly in the openbsd 
bootloader?

Re: Some questions about vmm and xorg

[Mike Larkin]

On Thu, Jul 27, 2017 at 12:14:58PM -0400, Josh Grosse wrote:
> On 2017-07-27 11:30, G wrote:
> > Hello.
> > 
> > Some questions about vmm
> > Does vmm (on openbsd current) support running xorg?
> 
> I'll restate this question, because the X11 Windows System uses a
> client/server model,
> and X.Org software includes both clients and servers.
> 
>* X11 Clients are the graphical applications.
>* X11 Servers are the X display devices.
> 
> So, "What part of the X11 Windows System is available for vmm(4) guests" is
> a better question,
> and one that I can answer.
> 
> X client applications works fine from within a vmm(4) guest, as they do from
> any server that
> does not have a graphics display.  The typical communication path between
> the application
> and a workstation display (the X Server) is with ssh(1) X11 Forwarding.  See
> sshd_config(5),
> ssh_config(5), and ssh(1) man pages for details.
> 
> If a user wanted to operate a window manager for the vmm() guest and its
> various X clients,
> Xephyr(1) or Xnest(1) are both available.
>

Yes, this sums it up best. Thanks Josh.

-ml 

Re: WARNING: SPL NOT LOWERED ON SYSCALL 247 4 EXIT

[Mark Patruck]

Missing ddb output


login: WARNING: SPL NOT LOWERED ON SYSCALL 247 4 EXIT cac955c0 7
Stopped at  Xsyscall+0x1d5: movl$0,%gs:0x4e0

ddb{1}> trace
Xsyscall(10,39c19950,8bdd17c2b1f,0,0,7f7ea290) at Xsyscall+0x1d5
(null)(4838907c6d12efb3,0,0,39c19950,7,14) at 0x8badb32c2e1
(null)(8bdacaff560,e00,8bcef368000,,8bd10d5df00,4838907c6d12efb3) at 0x
8badb319ff1
(null)(8bcef368000,8bdacaff560,0,7f7ec898,8bdacf0a400,4838907c6d12efb3) at 0
x8badb31428b
(null)(8bdacf0a400,7f7ec898,0,0,0,4838907c6d12efb3) at 0x8badb30d332
(null)(7f7ec9a8,20,7f7ea890,7f7ec8a8,de,8bdacaff560) at 0x8badb30ca
0c
(null)(8bdacb08008,8bdc38f6048,8bdbed7d800,0,8bdacb02680,4838907c6d12efb3) at 0
x8badb3199df
(null)(8bdacaffaf8,0,8badb32b0d0,8badb5542e0,8bdacaffed0,a3470c94a0c437c8) at 0
x8bdc36f00c5
(null)(1,8bd24511a00,8bdacaffaf8,1,8badb5542e0,8badb30bd20) at 0x8badb32b470
(null)(0,8bdacaffaf8,7f7ece68,8badb443ce8,8bdacaff560,3fffecdc0) at 0x8badb
32a649
(null)(8bd23e12000,1,0,7f7ece60,7f7ece68,7f7f) at 0x8badb30b390

(null)(0,0,0,8badb3016d0,8badb301724,7f7ece50) at 0x8badb301724
end trace frame: 0x0, count: -12


ddb{1}> ps
   PID TID   PPIDUID  S   FLAGS  WAIT  COMMAND
* 6690  113501  57458101  70x100010iked
 33909  217600  57458101  30x100090  kqreadiked
 98657  464368  57458101  30x100090  kqreadiked
 57458   23862  1  0  30x100080  kqreadiked
 80374  433789  1  0  30x100083  ttyin getty
 41088  461912  1  0  30x100083  ttyin getty
 12954  103774  1  0  30x100083  ttyin getty
 66593  116200  1  0  30x100083  ttyin getty
 30307  450950  1  0  30x100083  ttyin getty
 56065  390750  1  0  30x100083  ttyin ksh
 58110  518795  1  0  30x100098  poll  cron
 16087  148757  10438623  30x90  selectzabbix_agentd
 68780  499447  10438623  30x90  selectzabbix_agentd
 46506  252538  10438623  30x90  netconzabbix_agentd
 46996  341834  10438623  30x90  nanosleep zabbix_agentd
 10438  368812  1623  30x90  wait  zabbix_agentd
 31606  309210  32726 73  20x100090syslogd
 32726  475499  1  0  30x100082  netio syslogd
 23137  451822  16538 95  30x100092  kqreadsmtpd
 31341  310118  16538103  30x100092  kqreadsmtpd
 27554   52977  16538 95  30x100092  kqreadsmtpd
 66593  116200  1  0  30x100083  ttyin getty
 30307  450950  1  0  30x100083  ttyin getty
 56065  390750  1  0  30x100083  ttyin ksh
 58110  518795  1  0  30x100098  poll  cron
 16087  148757  10438623  30x90  selectzabbix_agentd
 68780  499447  10438623  30x90  selectzabbix_agentd
 46506  252538  10438623  30x90  netconzabbix_agentd
 46996  341834  10438623  30x90  nanosleep zabbix_agentd
 10438  368812  1623  30x90  wait  zabbix_agentd
 31606  309210  32726 73  20x100090syslogd
 32726  475499  1  0  30x100082  netio syslogd
 23137  451822  16538 95  30x100092  kqreadsmtpd
 31341  310118  16538103  30x100092  kqreadsmtpd
 27554   52977  16538 95  30x100092  kqreadsmtpd
 61151   42742  16538 95  30x100092  kqreadsmtpd
 76837  514289  16538 95  30x100092  kqreadsmtpd
 56326  422664  16538 95  30x100092  kqreadsmtpd
 16538  451980  1  0  30x100080  kqreadsmtpd
 59776   96117  1  0  30x80  selectsshd
 29235  301319  1  0  30x80  selectsshd
 23862  252384  1  0  30x80  selectsshd
 41181   72471  54129 83  30x100092  poll  ntpd
 54129  184540  57820 83  30x100092  poll  ntpd
 57820  171617  1  0  30x100080  poll  ntpd
 96702  170303  1 99  30x100090  poll  sndiod
 95618  262535  1110  30x100090  poll  sndiod
 89364  141746  18299 74  30x100090  bpf   pflogd
 18299  473190  1  0  30x80  netio pflogd
 66234  425338  14436115  30x100092  kqreadslaacd
  1704  241666  14436115  30x100092  kqreadslaacd
 14436  390336  1  0  30x80  kqreadslaacd
 36268  413023  1  0  30x80  mfsidlmount_mfs
 71953  316048  0  0  3 0x14200  pgzerozerothread
 29281  385683  0  0  3 0x14200  aiodoned  aiodoned
 36988   92261  0  0  3 0x14200  syncerupdate
 10232   81380  0  0  

Re: IPv6 autoconf

[Mike Coddington]

On Thu, Jul 27, 2017 at 05:41:48PM -0700, Thomas Smith wrote:
> Hi,
> 
> My ISP (Cox) supports IPv6 and I have this working on a MikroTik
> router--it pulls an address and prefix, creates a default route,
> creates an address pool for internal clients, etc.
> 
> I've been working to configure a similar setup in OpenBSD 6.1 but I've
> been unable to even get the outside interface to pull an IPv6 address
> from Cox (IPv4 is working properly).
> 
> I???ve tried both `inet6 autoconf` and `rtsol` in
> /etc/hostname.em0--both have worked in other IPv6 environments I???ve
> run OpenBSD in, but neither are working in this context.
> 
> Can anyone advise on this please?

Make sure that you're allowing the correct ICMP packets through pf. I've
banged my head on that part of IPv6 too many times. Here's what I've
found I have had to add in /etc/pf.conf:

icmp6_types = "{ echoreq, routersol, routeradv, neighbrsol, \
neighbradv, redir }"


# allow multicast ICMP so IPv6 works right
pass in quick on egress inet6 proto ipv6-icmp from any to \
   { ( egress ), ff02::1/16 } icmp6-type $icmp6_types



There's a bunch of neighbor-finding chatter that occurs on IPv6, so my
typical iron-fisted traffic blocking was causing IPv6 to not work at
all. Also, I know that when I used to have Comcast I had to specifically
request a /60  and tell Comcast that I wanted to be a router instead of
a client. I believe DHCPD accomplished this, although someone with a
less foggy memory should double-check that.

-- 
To find a friend one must close one eye; to keep him -- two.
-- Norman Douglas

Re: Split zone DNS?

[Liviu Daia]

On 28 July 2017, Steve Williams  wrote:
> Hi,
> 
> I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD
> versions over 10 years) fine tune my home network.
> 
> I would like to run a local resolver on my internal network that will
> resolve all my hosts on my local network to IP addresses on my local
> network(s) rather than resolving to their public IP addresses.
> 
> I believe it's called a "split zone" DNS, where my domain is resolved
> locally, but everyone else is resolved using normal resolution processes.
> 
> I set this up at one of my previous jobs using BIND, but that was 7 years
> ago.  I've never gone to the trouble of doing it at home, but I would like
> to exercise my brain a bit as well as having my home network set up
> "better".
> 
> What is the best tool to accomplish this these days?  Is NSD the "modern"
> tool to be using on OpenBSD?
> 
> Are there any hooks for dhcpd to update records?
> 
> I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way to
> go, but I thought I'd check the wisdom here to see if there is a better
> approach.

unbound(8) probably does exactly what you want.  It's mainly a
recursive resoler, but it can also answer authoritatively for "local"
zones, or simply override addresses for given hosts (think anti-spam).
Unless you also want to answer queries for your domain comming from the
Internet, you don't need a separate authoritative server.

Regards,

Liviu Daia

Re: Split zone DNS?

[Rui Ribeiro]

Hi,

In large scenarios, they might have an advantage in having the same domain
inside and outside, which is when accessing services behind NAT addresses,
you can serve the private address internally. In that way, you do not need
to go to firewall and back to the private network to translate that NAT.

Regards

On 28 July 2017 at 15:23, Claer  wrote:

> On Fri, Jul 28 2017 at 58:07, Steve Williams wrote:
> > Hi,
> Hello,
>
> > I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD
> > versions over 10 years) fine tune my home network.
> >
> > I would like to run a local resolver on my internal network that will
> > resolve all my hosts on my local network to IP addresses on my local
> > network(s) rather than resolving to their public IP addresses.
> >
> > I believe it's called a "split zone" DNS, where my domain is resolved
> > locally, but everyone else is resolved using normal resolution processes.
> >
> > I set this up at one of my previous jobs using BIND, but that was 7 years
> > ago.  I've never gone to the trouble of doing it at home, but I would
> like
> > to exercise my brain a bit as well as having my home network set up
> > "better".
> >
> > What is the best tool to accomplish this these days?  Is NSD the "modern"
> > tool to be using on OpenBSD?
> I went for nsd for external domain informations and Unbound for local
> cache and local resolutions override.
>
> bind was a DNS resolver and a forwarder at the same time. If you want
> both options, you need to setup NSD and Unbound.
>
> Unbound alone can do the trick for few records, but I found it easier to
> have a dedicated resolver in case I wanted to sync zones with a slave.
>
> > Are there any hooks for dhcpd to update records?
> Dunno, I use static MAC - IP mapping.
>
> > I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way
> to
> > go, but I thought I'd check the wisdom here to see if there is a better
> > approach.
> As said, just pay attention that nsd is a resolver only.
>
> > Thanks,
> > Steve Williams
>
> Nowadays, I try to avoid using the same domain for internal and
> external. From my ops point of view, having a domain.local and a
> domain.ext is easier to maintain.
>
>
> Regards,
>
> Claer
>
>


-- 
Regards,

--
Rui Ribeiro
Senior Linux Architect and Network Administrator
ISCTE-IUL
https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434

Re: Split zone DNS?

[Claer]

On Fri, Jul 28 2017 at 58:07, Steve Williams wrote:
> Hi,
Hello,

> I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD
> versions over 10 years) fine tune my home network.
> 
> I would like to run a local resolver on my internal network that will
> resolve all my hosts on my local network to IP addresses on my local
> network(s) rather than resolving to their public IP addresses.
> 
> I believe it's called a "split zone" DNS, where my domain is resolved
> locally, but everyone else is resolved using normal resolution processes.
> 
> I set this up at one of my previous jobs using BIND, but that was 7 years
> ago.  I've never gone to the trouble of doing it at home, but I would like
> to exercise my brain a bit as well as having my home network set up
> "better".
> 
> What is the best tool to accomplish this these days?  Is NSD the "modern"
> tool to be using on OpenBSD?
I went for nsd for external domain informations and Unbound for local
cache and local resolutions override.

bind was a DNS resolver and a forwarder at the same time. If you want
both options, you need to setup NSD and Unbound.

Unbound alone can do the trick for few records, but I found it easier to
have a dedicated resolver in case I wanted to sync zones with a slave.

> Are there any hooks for dhcpd to update records?
Dunno, I use static MAC - IP mapping.

> I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way to
> go, but I thought I'd check the wisdom here to see if there is a better
> approach.
As said, just pay attention that nsd is a resolver only.

> Thanks,
> Steve Williams

Nowadays, I try to avoid using the same domain for internal and
external. From my ops point of view, having a domain.local and a
domain.ext is easier to maintain.


Regards,

Claer

Re: reordering libs failed - cannot find -lcompiler_rt

[Mark Patruck]

missed dmesg

OpenBSD 6.1-current (GENERIC.MP) #0: Fri Jul 28 10:10:38 CEST 2017
m...@aquila.paccotec.de:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4236161024 (4039MB)
avail mem = 4101410816 (3911MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xec170 (79 entries)
bios0: vendor American Megatrends Inc. version "3.0" date 04/24/2015
bios0: Supermicro X10SLM-F
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT SSDT SSDT SSDT SSDT SSDT MCFG PRAD HPET 
SSDT SSDT SPMI EINJ ERST HEST BERT
acpi0: wakeup devices PEGP(S4) PEG0(S4) PEGP(S4) PEG1(S4) PEGP(S4) PEG2(S4) 
PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP05(S4) 
GLAN(S4) EHC1(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU G1840 @ 2.80GHz, 2800.42 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG
,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,ERMS,INVPCID,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 2800424720 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) CPU G1840 @ 2.80GHz, 2800.00 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG
,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,ERMS,INVPCID,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEG0)
acpiprt2 at acpi0: bus 2 (PEG1)
acpiprt3 at acpi0: bus -1 (PEG2)
acpiprt4 at acpi0: bus 3 (RP01)
acpiprt5 at acpi0: bus 5 (RP02)
acpiprt6 at acpi0: bus -1 (RP03)
acpiprt7 at acpi0: bus 6 (RP05)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C2(350@117 mwait.1@0x20), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C2(350@117 mwait.1@0x20), C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: PG00, resource for PEG0
acpipwrres1 at acpi0: PG01, resource for PEG1
acpipwrres2 at acpi0: PG02, resource for PEG2
acpipwrres3 at acpi0: FN00, resource for FAN0
acpipwrres4 at acpi0: FN01, resource for FAN1
acpipwrres5 at acpi0: FN02, resource for FAN2
acpipwrres6 at acpi0: FN03, resource for FAN3
acpipwrres7 at acpi0: FN04, resource for FAN4
acpitz0 at acpi0: critical temperature is 105 degC
acpitz1 at acpi0: critical temperature is 105 degC
"INT3F0D" at acpi0 not configured
"IPI0001" at acpi0 not configured
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
ipmi at mainbus0 not configured
cpu0: Enhanced SpeedStep 2800 MHz: speeds: 2800, 2700, 2500, 2400, 2300, 2100, 
2000, 1900, 1700, 1600, 1500, 1300, 1200, 1100, 900, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 4G Host" rev 0x06
ppb0 at pci0 dev 1 function 0 "Intel Core 4G PCIE" rev 0x06: msi
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 "Intel I350" rev 0x01: msi, address 
a0:36:9f:78:11:ac
em1 at pci1 dev 0 function 1 "Intel I350" rev 0x01: msi, address 
a0:36:9f:78:11:ad
ppb1 at pci0 dev 1 function 1 "Intel Core 4G PCIE" rev 0x06: msi
pci2 at ppb1 bus 2
em2 at pci2 dev 0 function 0 "Intel I350" rev 0x01: msi, address 
a0:36:9f:d2:cf:10
em3 at pci2 dev 0 function 1 "Intel I350" rev 0x01: msi, address 
a0:36:9f:d2:cf:11
xhci0 at pci0 dev 20 function 0 "Intel 8 Series xHCI" rev 0x05: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 
addr 1
"Intel 8 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
"Intel 8 Series MEI" rev 0x04 at pci0 dev 22 function 1 not configured
em4 at pci0 dev 25 function 0 "Intel I217-LM" rev 0x05: msi, address 
0c:c4:7a:74:63:47
ehci0 at pci0 dev 26 function 0 "Intel 8 Series USB" rev 0x05: apic 8 int 16
usb1 at ehci0: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
ppb2 at pci0 dev 28 function 0 "Intel 8 Series PCIE" rev 0xd5: msi
pci3 at ppb2 bus 3
ppb3 at pci3 dev 0 function 0 "ASPEED Technology AST1150 PCI" rev 0x03
pci4 at ppb3 bus 4
vga1 at pci4 dev 0 

reordering libs failed - cannot find -lcompiler_rt

[Mark Patruck]

Hi,

after updating a two month old amd64 to -current today
(base61, bsd.mp, bsd.rd only), i get the following warning while
reordering libraries on boot.

-

starting network
reordering libraries:/usr/bin/ld: cannot find -lcompiler_rt
cc: error: linker command failed with exit code 1 (use -v to see invocation)
install: libc.so.89.6: No such file or directory
 failed.
starting early daemons: pflogdpflogd[15990]: [priv]: msg PRIV_OPEN_LOG received
.

-

Also, right after starting "iked" the systems jumps into ddb:

login: WARNING: SPL NOT LOWERED ON SYSCALL 247 4 EXIT 832a3900 7
Stopped at  Xsyscall+0x1d5: movl$0,%gs:0x4e0
ddb{1}> _

I'll try to get trace and ps and report back.


-- 
Mark Patruck ( mark at wrapped.cx )
GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74  F644 0D3C F66F F286 5E51

http://www.wrapped.cx

Re: Need help securing SMTP (thunderbird says it's not encrypted)

[Gregory Edigarov]

On 27.07.17 15:56, Paul Covello wrote:

I have an OpenBSD 6.1 box set up with OpenSMTPD and Dovecot on Vultr (a 
VPS provider).

This machine is intended for use as my primary mail server.  I have a Let’s 
Encrypt certificate installed and declared in the smtpd.conf file like so:

I can send and receive mail ok using Apple Mail on my mac.  Thunderbird is 
another story…  I am warned when I set up the account that SMTP is NOT 
encrypted.

This has driven me batty all week.  My Google-Foo fails me and reading through 
my Dovecot book and smtpd man pages have not enlightened me as to why this is 
not using TLS.

When I telnet to the machine on port 587 and issue the EHLO command, STARTTLS 
does appear in the response.  Also, OpenSMTPD shows when I type the help 
command.

issuing a Mail command comes back with the response that STARTTLS must be done 
first.

Can someone clue me in on what I might be missing?

in thunderbird set Connection security to STARTTLS



Thanks in advance for your help!

— Paul.

Split zone DNS?

[Steve Williams]

Hi,

I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD 
versions over 10 years) fine tune my home network.


I would like to run a local resolver on my internal network that will 
resolve all my hosts on my local network to IP addresses on my local 
network(s) rather than resolving to their public IP addresses.


I believe it's called a "split zone" DNS, where my domain is resolved 
locally, but everyone else is resolved using normal resolution processes.


I set this up at one of my previous jobs using BIND, but that was 7 
years ago.  I've never gone to the trouble of doing it at home, but I 
would like to exercise my brain a bit as well as having my home network 
set up "better".


What is the best tool to accomplish this these days?  Is NSD the 
"modern" tool to be using on OpenBSD?


Are there any hooks for dhcpd to update records?

I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way 
to go, but I thought I'd check the wisdom here to see if there is a 
better approach.


Thanks,
Steve Williams

Re: vmd on Proliant DL360p Gen8: panic

[Joaquín Herrero Pintado]

Hi,

I was using i386 just because the CPU is Intel and I supposed i386 was the
best option.

Following your advice I reinstalled using amd64 and now I can start a
virtual machine without errors!

# vmctl status
   ID   PID VCPUS  MAXMEM  CURMEM TTYOWNER NAME
1 22679 12.0G328M   ttyp1 root host-vm

# sysctl hw
hw.machine=amd64
hw.model=Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz
hw.ncpu=32
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=sd0:108f8ec8aca76ac8
hw.diskcount=1
hw.sensors.cpu0.temp0=31.00 degC
hw.sensors.acpitz0.temp0=8.30 degC (zone temperature)
hw.sensors.ciss0.drive0=online (sd0), OK
hw.cpuspeed=2594
hw.setperf=100
hw.vendor=HP
hw.product=ProLiant DL360p Gen8
hw.serialno=CZJ448063M
hw.uuid=36353430-3831-435a-4a34-34383036334d
hw.physmem=17127092224
hw.usermem=17126952960
hw.ncpufound=32
hw.allowpowerdown=1
hw.perfpolicy=manual


The rest of the problems remain. I tried to tweak PCI parameters from BIOS
but there are not very much to change there. I have same timeouts
on pciide0:0:0 device so cd0 device is not available. I guess it should be
detected on atapiscsi0, but

atapiscsi0 at pciide0 channel 0 drive 0
scsibus2 at atapiscsi0: 2 targets
pciide0:0:0: device timeout, c_bcount=0, c_skip=0,
status=0x58, ireason=0x1
[...repeated...]
atapiscsi0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5

Also same memory conflicts on pci15-bus32

32:4:0: mem address conflict 0xfbff/0x4000
32:4:1: mem address conflict 0xfbfe/0x4000
32:4:2: mem address conflict 0xfbfd/0x4000
32:4:3: mem address conflict 0xfbfc/0x4000
32:4:4: mem address conflict 0xfbfb/0x4000
32:4:5: mem address conflict 0xfbfa/0x4000
32:4:6: mem address conflict 0xfbf9/0x4000
32:4:7: mem address conflict 0xfbf8/0x4000
32:5:4: mem address conflict 0xfbf7/0x1000

According to pcidump these mem conflicts correspond to this not-configured
devices:

# pcidump
Domain /dev/pci0:
 [...]
 32:4:0: Intel E5 v2 I/OAT
 32:4:1: Intel E5 v2 I/OAT
 32:4:2: Intel E5 v2 I/OAT
 32:4:3: Intel E5 v2 I/OAT
 32:4:4: Intel E5 v2 I/OAT
 32:4:5: Intel E5 v2 I/OAT
 32:4:6: Intel E5 v2 I/OAT
 32:4:7: Intel E5 v2 I/OAT
 32:5:0: Intel E5 v2 Address Map
 32:5:2: Intel E5 v2 IIO RAS
 32:5:4: Intel E5 v2 I/O APIC

The good news is that at least dmesg now shows complete:

OpenBSD 6.1 (GENERIC.MP) #20: Sat Apr  1 13:45:56 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17127092224 (16333MB)
avail mem = 16603348992 (15834MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xbfbdb000 (180 entries)
bios0: vendor HP version "P71" date 08/02/2014
bios0: HP ProLiant DL360p Gen8
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP SPCR MCFG HPET  SPMI ERST APIC SRAT  BERT
HEST DMAR  PCCT SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices PCI0(S5) IPT1(S5) IPT2(S5) IPT3(S5) IPT4(S5) IPT5(S5)
IPT6(S5) IPT7(S5) IPT8(S5) PCI1(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xc000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz, 2594.16 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 2594161500 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz, 2593.75 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz, 2593.75 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU 

A survey of BSD kernel vulnerabilities (DEF CON) [pdf]

[Ilya Abimael]

Hello, 

just a FYI: 

-
https://news.ycombinator.com/item?id=14870124

https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf

PDF  Creation Date: 2017. 07. 16., 13:58:56 

The maintainers of various BSDs should talk more among each other  
•Several bugs in one were fixed in the other  
•OpenBSD expired proc pointer in midiioctl() fixed in NetBSD  
-