Re: Automatically restarting services/daemons after crash

2017-10-13 Thread Philip Guenther
On Fri, Oct 13, 2017 at 9:51 PM, Luke Small  wrote:

> Maybe more things should be randomized like the stack canaries. Is that a
> new idea?


OpenBSD randomizes perhaps more than any other OS.  Randomization comes up
often in discussions.  If something isn't randomized that could be, it's
probably because it's really hard or would break stuff that people really
need to work.

If you think you know of something that could be randomized with no costs
or downsides, you should research it (who else has tried it?), or implement
it yourself, or at least work through the consequences enough to
demonstrate that it won't make people hate you afterwards.

If you have to ask "What about ?", then you're still unsure of the
costs and consequences, so stop, go back, and figure them out!  Or are you
expecting OpenBSD developers to field, implement, and test every random
(heh) suggestion about randomization?


Philip Guenther


Re: A stupid question, re: xargs(1)

2017-10-13 Thread Philip Guenther
On Fri, Oct 13, 2017 at 5:14 PM, Raul Miller  wrote:

> On Fri, Oct 13, 2017 at 6:14 PM, Theo de Raadt 
> wrote:
> > If you want to add things to standardized utilities you need to
> > convince a large volume of people in the greater community
> >
> > Not me.
>
> Ok,
>
> Would you be open to a re-implementation of the gnu xargs -d option?
>

You want a version of xargs that, instead of requiring special handling for
5 characters legal in filenames (quote, double-quote, backslash, space,
tab, newline), will be completely unable to handle exactly one of those
characters (newline)?  Easy: create this two line shell script under some
convenient name and use it instead:

#!/bin/sh
sed 's!\(.\)!\\\1!g' | xargs "$@"


My personal preference is to pick either of the following options:
a) don't use any of those characters in filenames and just use xargs bare
b) go directly into perl or C once I reach the limit of -0 option handling

IMO, (a) makes sense for stuff you control the name of, (b) for stuff where
you don't.  The set of people I trust to create filenames containing space,
tabs, or quotes, but not newlines is *empty*.


Philip Guenther
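
Added example (not part of the original message): the two-line wrapper above, exercised against awkward file names to show what it fixes and the one case it cannot handle. The function name lxargs and all sample names are constructed for illustration; -0 is the option mentioned in the message.

```sh
#!/bin/sh
# Added example, not code from the thread. "lxargs" and every sample
# file name below are constructed for illustration.

# The two-line script from the message, as a function: backslash-escape
# every character on each line, so newline is the only separator left.
lxargs() {
    sed 's!\(.\)!\\\1!g' | xargs "$@"
}

# Constructed names covering quote, double-quote, backslash, space, tab.
sample_names() {
    printf '%s\n' 'plain.txt' 'two words.txt' "it's.txt" \
        'say "hi".txt' 'back\slash.txt'
    printf 'tab\there.txt\n'
}

# Number of arguments the command started by xargs actually receives.
count_wrapped() {
    sample_names | lxargs sh -c 'echo $#' sh
}

# Bare xargs splits on the space: one name turns into two arguments.
count_bare_space() {
    printf 'two words.txt\n' | xargs sh -c 'echo $#' sh
}

# Arguments as the command receives them, one per line. This should be
# byte-for-byte the same as the input list.
roundtrip() {
    sample_names | lxargs printf '%s\n'
}

# The character the wrapper cannot handle: a newline inside one name
# is still read as two names.
count_newline_wrapped() {
    printf 'evil\nname.txt\n' | lxargs sh -c 'echo $#' sh
}

# NUL-terminated input with -0 keeps that same name as one argument.
count_newline_nul() {
    printf 'evil\nname.txt\000' | xargs -0 sh -c 'echo $#' sh
}

echo "six awkward names through the wrapper: $(count_wrapped) arguments"
echo "'two words.txt' through bare xargs:     $(count_bare_space) arguments"
echo "name with newline through the wrapper:  $(count_newline_wrapped) arguments"
echo "name with newline through xargs -0:     $(count_newline_nul) argument"
```
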


Re: Automatically restarting services/daemons after crash

2017-10-13 Thread Theo de Raadt
> Maybe more things should be randomized like the stack canaries. Is that a
> new idea?

Time to orer a new keyboar.



Re: Automatically restarting services/daemons after crash

2017-10-13 Thread Luke Small
Maybe more things should be randomized like the stack canaries. Is that a
new idea?
On Fri, Oct 13, 2017 at 11:34 PM Theo de Raadt  wrote:

> > I read "hacking blind." Can you restart a daemon with another forked
> > process whose only job is to monitor a pipe or a waitpid()-like operation
> > and if the parent dies, it exec's to restart it, or even execs "rcctl
> > restart ntpd"
> >
> > If the mitigations are successful at limiting execution to let's say,
> > overwriting a canary that gets completely rerandomized with a fork-exec,
> > instead of just a fork, it would stop a meaningful search for the correct
> > canary to just blind luck instead of byte by byte discovery.
>
> your position is very roughly: that paper lays out the absolute limit
> of what someone could learn from broken software, so as long as we run
> a new copy of the broken software we'll be safe
>
> obviously, no downside.
>
> you say "completely rerandomized" -- uhm no, only a tiny fraction of
> the program execution environment and runtime are randomized, in
> particular same registers used everywhere, same instruction sequences,
> same frame layouts, same register and stack leave-behinds, same
> relative offsets inside each DSO
>
> nothing learned from re-running buggy software?  sorry, that is BS.
>


Re: Automatically restarting services/daemons after crash

2017-10-13 Thread Theo de Raadt
> I read "hacking blind." Can you restart a daemon with another forked
> process whose only job is to monitor a pipe or a waitpid()-like operation
> and if the parent dies, it exec's to restart it, or even execs "rcctl
> restart ntpd"
> 
> If the mitigations are successful at limiting execution to let's say,
> overwriting a canary that gets completely rerandomized with a fork-exec,
> instead of just a fork, it would stop a meaningful search for the correct
> canary to just blind luck instead of byte by byte discovery.

your position is very roughly: that paper lays out the absolute limit
of what someone could learn from broken software, so as long as we run
a new copy of the broken software we'll be safe

obviously, no downside.

you say "completely rerandomized" -- uhm no, only a tiny fraction of
the program execution environment and runtime are randomized, in
particular same registers used everywhere, same instruction sequences,
same frame layouts, same register and stack leave-behinds, same
relative offsets inside each DSO

nothing learned from re-running buggy software?  sorry, that is BS.



Re: Automatically restarting services/daemons after crash

2017-10-13 Thread Luke Small
I read "hacking blind." Can you restart a daemon with another forked
process whose only job is to monitor a pipe or a waitpid()-like operation
and if the parent dies, it exec's to restart it, or even execs "rcctl
restart ntpd"

If the mitigations are successful at limiting execution to let's say,
overwriting a canary that gets completely rerandomized with a fork-exec,
instead of just a fork, it would stop a meaningful search for the correct
canary to just blind luck instead of byte by byte discovery.


Re: How make X rotation work via xrandr or xorg.conf? Did not get it to work on wsfb at least

2017-10-13 Thread tinkr
>> On Fri, Oct 06, 2017 at 05:11:05PM -, ti...@openmailbox.org wrote:
>>> [...]
>>> Any ideas how I get screen rotation in X going?
>> 
>> $ xrandr -o right
>> $ xrandr -o left
>> $ xrandr -o normal
> 
> Hi John,
> 
> "xrandr -o left" (both as root and user, from xterm) gives me:
> 
> X Error of failed request:  BadMatch (invalid parameter attributes)
[..]

The following xorg.conf produces the desired rotation:

Section "Device"
    Identifier "Card0"
    Driver     "wsfb"
    Option     "Rotate" "CW"
EndSection

Many thanks to the one who made me realize.

(Also, I have been given the hint that the WSFB driver does not have XRandr
support; however, this has not been evident from xrandr's output itself.)

Tinker

Re: CoDel Flows

2017-10-13 Thread Glenn Faustino
Hi Mike,

I'm using HFSC with two root queues (1 for uplink and 1 for downlink), can
you please share your config for FQ-CoDel with HFSC with two queues if you
don't mind?

Regards,
Glenn



On Sat, Oct 14, 2017 at 9:47 AM, Mike Belopuhov  wrote:

> On Fri, Oct 13, 2017 at 05:33 +, Daniel Melameth wrote:
> > In playing around with the new CoDel/fair traffic sharing, it's not
> > clear to me the best way to work with this when also using the
> > previous queuing.
>
> It's not clear to me either at least not in the generic case :-)
> I guess it depends on what you're trying to achieve.
>
> > pfctl balks when I specify a flow on the root queue
> > with child queues present, so I only specify flows on child queues.
>
> Only leaf queues can be used to assign traffic, so if your root queue
> isn't a leaf queue, then its actual packet queue (sorry for overusing
> the term) is not being used and therefore it doesn't make sense for
> codel to be specified there at all.
>
> > Will CoDel still work as expected if all my child queues have flows,
> > but my root queue is using "fifo" (revealed with systat queues)?
>
> Depends on what you expect CoDel to do.  Normally the idea here is
> to set an upper bound on latency that all outgoing packets experience.
> For example if you have 10 connections and 2 are uploading data and
> other 8 are a mix of ACKs and SSH keystrokes, with FIFO you'd normally
> see bulk connections saturating the link and not leaving other 8
> connections a chance to send a packet.
>
> So you go and create those HFSC queues and try to reserve the bandwidth
> for your ACKs, SSH and whatnot.  The approach that FQ-CoDel takes is
> different.  You no longer need to reserve bandwidth as FQ-CoDel attempts
> to make the bandwidth "available" when needed -- this is what is fair
> sharing essentially.  Which in practice means that those 8 connections
> are able to send their small packets "practically" whenever they want
> without disrupting your uploads.
>
> This means that if all you want is to be able for your outgoing
> connections to fair share the bandwidth you don't need to reserve the
> bandwidth at all.
>
> > Assuming it does, if one of my child queues is just for TCP ACKs, does
> > it make sense to have a small quantum for this queue, but a larger
> > quantum for a child queue that focuses on bulk file transfers?
>
> Quantum of service just tilts the balance at the expense of extra CPU
> cycles and potentially extra overall latency.  I think you need to
> figure out the big picture first and then fine tune.
>
> > Or is
> > CoDel orthogonal of child queues and it only really works well with a
> > single root flow queue (and requires me to give up bandwidth control
> > with child queues)?
> >
>
> "Works well this way or that way" would imply that we have enough data
> to make such a judgement.  At the moment we don't.  Last week we had it
> running with 8192 flows feeding into an LTE connection with a rather
> flaky 50Mbit/s downlink (150Mbit/s up) for about a hundred of users.
> With a few HFSC tweaks we had almost no observable SSH latency with
> ping times to 8.8.8.8 of about 25ms with fairly low variation.  This
> setup used two root queues: one on the uplink, one on the downlink.
>
> > Also, the pf.conf man page says the default qlimit is 1024, but, if I
> > don't specify a qlimit, pfctl -vsq shows a qlength of 50 when I was
> > expecting it to be 1024.  What am I missing?
> >
>
> I've updated the man page today to address some of the concerns since
> the same question was also brought up on reddit yesterday:
>
> https://www.reddit.com/r/openbsd/comments/75ps6h/fqcodel_and_pf/
>
> The gist of it is that 1024 is not the HFSC default.  When you're
> specifying both "flows" and "bandwidth" thus requesting an FQ-CoDel
> queue manager for your HFSC queue, the HFSC default qlimit (50) is
> still applied.  It's a bit counter-intuitive I guess, so I've removed
> mention of this from the man page.
>
> > Thank you!
> >
>
>


Re: A stupid question, re: xargs(1)

2017-10-13 Thread Raul Miller
I think the "an exact problem" thing tends to be misleading for open
ended issues like this.

The while loop works (and I have used it), but can be tremendously
slow, depending on the command in question (and if you need xargs to
break up the command line, there tends to be a lot of work that needs
doing).

And, generally speaking, this is solvable - but it's also a problem
that should have been solved once and for all a long time ago. (And,
by "solved" I mean that it should be straightforward to use the xargs
with the unix "standard" where one line is one record - here, a record
being a file name.)

Anyways, the -d option looks like it might be as good as it can get?

Thanks,

-- 
Raul





On Fri, Oct 13, 2017 at 9:26 PM, Andre Smagin  wrote:
> On Fri, 13 Oct 2017 18:03:59 -0400
> Raul Miller  wrote:
>
>> "Because then you don't need xargs, normal tooling separates each line
>> into a separate argv entry regardless of other spacing."
>>
>> If there's some existing way (portable or not) to build this kind of
>> argv in a shell script - using newline separation and nothing else - I
>> would really appreciate another hint.
>
> I wish you would have given an exact problem you are having
> difficulties with...
>
> I've been using
>
> ls | while read i; do echo "$i"; done
> or
> cat /tmp/tmp_file | while read i; do echo "$i"; done
>
> type of constructs for years and have never even needed xargs...
>
> --
> Andre
>



Re: CoDel Flows

2017-10-13 Thread Mike Belopuhov
On Fri, Oct 13, 2017 at 05:33 +, Daniel Melameth wrote:
> In playing around with the new CoDel/fair traffic sharing, it's not
> clear to me the best way to work with this when also using the
> previous queuing.

It's not clear to me either at least not in the generic case :-)
I guess it depends on what you're trying to achieve.

> pfctl balks when I specify a flow on the root queue
> with child queues present, so I only specify flows on child queues.

Only leaf queues can be used to assign traffic, so if your root queue
isn't a leaf queue, then its actual packet queue (sorry for overusing
the term) is not being used and therefore it doesn't make sense for
codel to be specified there at all.

> Will CoDel still work as expected if all my child queues have flows,
> but my root queue is using "fifo" (revealed with systat queues)?

Depends on what you expect CoDel to do.  Normally the idea here is
to set an upper bound on latency that all outgoing packets experience.
For example if you have 10 connections and 2 are uploading data and
other 8 are a mix of ACKs and SSH keystrokes, with FIFO you'd normally
see bulk connections saturating the link and not leaving other 8
connections a chance to send a packet.

So you go and create those HFSC queues and try to reserve the bandwidth
for your ACKs, SSH and whatnot.  The approach that FQ-CoDel takes is
different.  You no longer need to reserve bandwidth as FQ-CoDel attempts
to make the bandwidth "available" when needed -- this is what is fair
sharing essentially.  Which in practice means that those 8 connections
are able to send their small packets "practically" whenever they want
without disrupting your uploads.

This means that if all you want is to be able for your outgoing
connections to fair share the bandwidth you don't need to reserve the
bandwidth at all.

> Assuming it does, if one of my child queues is just for TCP ACKs, does
> it make sense to have a small quantum for this queue, but a larger
> quantum for a child queue that focuses on bulk file transfers?

Quantum of service just tilts the balance at the expense of extra CPU
cycles and potentially extra overall latency.  I think you need to
figure out the big picture first and then fine tune.

> Or is
> CoDel orthogonal of child queues and it only really works well with a
> single root flow queue (and requires me to give up bandwidth control
> with child queues)?
>

"Works well this way or that way" would imply that we have enough data
to make such a judgement.  At the moment we don't.  Last week we had it
running with 8192 flows feeding into an LTE connection with a rather
flaky 50Mbit/s downlink (150Mbit/s up) for about a hundred of users.
With a few HFSC tweaks we had almost no observable SSH latency with
ping times to 8.8.8.8 of about 25ms with fairly low variation.  This
setup used two root queues: one on the uplink, one on the downlink.

> Also, the pf.conf man page says the default qlimit is 1024, but, if I
> don't specify a qlimit, pfctl -vsq shows a qlength of 50 when I was
> expecting it to be 1024.  What am I missing?
>

I've updated the man page today to address some of the concerns since
the same question was also brought up on reddit yesterday:

https://www.reddit.com/r/openbsd/comments/75ps6h/fqcodel_and_pf/

The gist of it is that 1024 is not the HFSC default.  When you're
specifying both "flows" and "bandwidth" thus requesting an FQ-CoDel
queue manager for your HFSC queue, the HFSC default qlimit (50) is
still applied.  It's a bit counter-intuitive I guess, so I've removed
mention of this from the man page.

> Thank you!
> 



Re: A stupid question, re: xargs(1)

2017-10-13 Thread Andre Smagin
On Fri, 13 Oct 2017 18:03:59 -0400
Raul Miller  wrote:

> "Because then you don't need xargs, normal tooling separates each line
> into a separate argv entry regardless of other spacing."
> 
> If there's some existing way (portable or not) to build this kind of
> argv in a shell script - using newline separation and nothing else - I
> would really appreciate another hint.

I wish you would have given an exact problem you are having
difficulties with...

I've been using

ls | while read i; do echo "$i"; done
or
cat /tmp/tmp_file | while read i; do echo "$i"; done

type of constructs for years and have never even needed xargs...

--
Andre



Re: Looking for libraries

2017-10-13 Thread Nigel Taylor
On 10/13/17 22:09, Per-Olov Sjöholm wrote:
> Hi
> 
> I just upgraded to 6.2…
> 
> Anyone that knows what packages I can find the following libs in:
> libpthread.so.22.0
> libc.so.88.0
> libm.so.9.0
> 
> I used this https://beta1.bredbandskollen.se/download/bbk_cli_openbsd
> on 6.0, but don’t have a copy of the “pkg_info” output from 6.0 that I used.
> 
> 
> 
> Tnx in advance
> /Peo
> 

Any references to those libraries means the packages 
haven't been upgraded to 6.2

Those libraries are not packages but part of the base install for OpenBSD,

From my snapshots

$ tar -tzvf 6.2/amd64/base62.tgz ./usr/lib/lib{c,pthread,m}.so.*
-r--r--r--  1 root bin 3429941 Oct  7 13:42 ./usr/lib/libc.so.90.0
-r--r--r--  1 root bin 7917716 Oct  7 13:42 ./usr/lib/libc.so.90.0.a
-r--r--r--  1 root bin  589974 Oct  7 13:42 ./usr/lib/libm.so.10.0
-r--r--r--  1 root bin  119192 Oct  7 13:42 ./usr/lib/libpthread.so.24.0

$ tar -tzvf 5.9/amd64/base59.tgz ./usr/lib/lib{c,pthread,m}.so.*
-r--r--r--  1 root bin 3342333 May 10  2016 ./usr/lib/libc.so.87.0
-r--r--r--  1 root bin 7851102 May 10  2016 ./usr/lib/libc.so.87.0.a
-r--r--r--  1 root bin  586370 May 10  2016 ./usr/lib/libm.so.9.0
-r--r--r--  1 root bin  168849 May 10  2016 ./usr/lib/libpthread.so.22.0

$ tar -tzvf 6.0/amd64/base60.tgz ./usr/lib/lib{c,pthread,m}.so.*
-r--r--r--  1 root bin 3355741 Mar  4  2017 ./usr/lib/libc.so.89.2
-r--r--r--  1 root bin 7852606 Mar  4  2017 ./usr/lib/libc.so.89.2.a
-r--r--r--  1 root bin  588752 Mar  4  2017 ./usr/lib/libm.so.10.0
-r--r--r--  1 root bin  171878 Mar  4  2017 ./usr/lib/libpthread.so.23.0



Re: A stupid question, re: xargs(1)

2017-10-13 Thread Raul Miller
On Fri, Oct 13, 2017 at 6:14 PM, Theo de Raadt  wrote:
> If you want to add things to standardized utilities you need to
> convince a large volume of people in the greater community
>
> Not me.

Ok,

Would you be open to a re-implementation of the gnu xargs -d option?

Quoting 
https://www.gnu.org/software/findutils/manual/html_node/find_html/xargs-options.html

---

-d delim

Input file names are terminated by the specified character delim
instead of by whitespace, and any quotes and backslash characters are
not considered special (every character is taken literally). Disables
the end of file string, which is treated like any other argument.

The specified delimiter may be a single character, a C-style character
escape such as ‘\n’, or an octal or hexadecimal escape code. Octal and
hexadecimal escape codes are understood as for the printf command.
Multibyte characters are not supported.

---

That's considerably more elaborate than what I was thinking, but would
at least accomplish what I think needs to be done.

And, that way you've got at least some buy-in already...

Thanks,

-- 
Raul



Re: A stupid question, re: xargs(1)

2017-10-13 Thread Raul Miller
On Fri, Oct 13, 2017 at 7:37 PM, edgar  wrote:
> Perhaps a real life example of what you have been doing with xargs before
> and after your change would be helpful.

That's tough, since when I was working on this issue I didn't have
time to think about xargs and now that I have time to think about
xargs the examples are distant memories.

That said, something on the order of this:

find . -type f -mtime -1 -print0 | xargs -0 egrep -l pattern1 | xargs shasum

Anyways, I think I fixed it that time by removing all the files with
problematic names, and another time by using a while loop instead of
the second xargs, and a third time by writing a perl program, and the
fourth time using grep -v ' ' in the pipeline, and probably a few
dozen other hacks over the years...

And if I search, I can find a tremendous variety of other elaborate
approaches, including replacements for xargs. So it's not like this is
not a real issue, nor is it like this isn't something that grows new
handlings on an ongoing basis.

What I'm trying to understand is why there's no simple fix. And maybe
this really is just one of those things that will never get fixed.

Thanks,

-- 
Raul



Re: A stupid question, re: xargs(1)

2017-10-13 Thread edgar
 
 
Perhaps a real life example of what you have been doing with xargs before and
after your change would be helpful.

> On Oct 13, 2017 at 5:03 PM, wrote:
>
> Portability?
>
> It does seem to me that the implementation should be portable. Then if
> someone needs it elsewhere they can have it elsewhere. But I think
> that that's more about pledge than anything else (strnsubst and
> strtonum maybe deserving honorable mention).
>
> Meanwhile, I guess this would also need a man page update with a
> portability caution until enough other implementations deploy this
> (probably 10 years or longer). I could supply that if this was the
> only remaining issue.
>
> And, ok, I do not expect this to be an immediately useful fix for any
> of my problems. I've lived with this problem for a very long time...
>
> But maybe there are other people issues also? I know any choice has
> its haters.
>
> However, in that first message you had said:
>
> "Because then you don't need xargs, normal tooling separates each line
> into a separate argv entry regardless of other spacing."
>
> If there's some existing way (portable or not) to build this kind of
> argv in a shell script - using newline separation and nothing else - I
> would really appreciate another hint. The only approaches I know of
> are order of magnitude worse (heavy, inefficient and/or risky). On the
> other hand if you just meant "xargs already splits on newlines and a
> bunch of other stuff" then that gets back into standards
> interpretation and history land.
>
> Thanks,
>
> --
> Raul
>
> On Fri, Oct 13, 2017 at 5:29 PM, Theo de Raadt wrote:
> >> Ok, I am curious - what new problems would this create?
> >
> > I explained in the first mail.


Re: Boot installation problem on laptop with Intel N3350 CPU

2017-10-13 Thread YASUOKA Masahiko
On Fri, 13 Oct 2017 14:50:50 +0900 (JST)
YASUOKA Masahiko  wrote:
> On Thu, 12 Oct 2017 00:46:20 -0400
> Ken Withee  wrote:
>> I had something similar and had to change to legacy in bios or something 
>> like that.
>> 
>> Sent from ProtonMail Mobile
>> 
>> On Wed, Oct 11, 2017 at 4:51 PM, Pedro Ramos  wrote:
>> 
>>> Hello, I am having troubles installing OpenBSD 6.2 on a white label laptop 
>>> with an Intel N3350 CPU and AMI UEFI BIOS. When the kernel start booting, 
>>> the system hangs with a blank screen. I also tried the installation with 
>>> OpenBSD 6.1 and the same behaviour happens. Any idea how to find and fix 
>>> this issue? Thanks. Best regards, Pedro Ramos
> 
> Similar problem happens on bhyve + uefi.  The diff below fixes the
> problem on bhyve.  Can you try this?

Also HP DL20 Gen9 with "UEFI optimized mode"=ON has another similar
problem.  The diff below fixes that problem.  I'd like you to try the
diff separately.

diff --git a/sys/arch/amd64/amd64/wscons_machdep.c 
b/sys/arch/amd64/amd64/wscons_machdep.c
index 461441c4d43..90f1f4fcc37 100644
--- a/sys/arch/amd64/amd64/wscons_machdep.c
+++ b/sys/arch/amd64/amd64/wscons_machdep.c
@@ -192,10 +192,12 @@ wscn_input_init(int pass)
}
 
 #if (NPCKBC > 0)
+#if 0
if (pass == 0 &&
pckbc_cnattach(X86_BUS_SPACE_IO, IO_KBD, KBCMDP, 0) == 0)
return;
 #endif
+#endif
 #if (NUKBD > 0)
if (ukbd_cnattach() == 0)
return;
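
Review bot: The "#if 0" placed around the "pass == 0" pckbc_cnattach() call in wscn_input_init() compiles the PC keyboard controller console attach out of every amd64 kernel built with this diff, not only the UEFI machines the message is about, and it carries no comment saying why. That is fine for a test diff, but before this goes further the call should be skipped by a runtime condition that identifies the affected firmware rather than by "#if 0", with a comment explaining what hangs. The two consecutive "#endif" lines would also be easier to read with a trailing comment naming the condition each one closes. It is worth stating in the mail what console input is expected on a machine with only a PS/2 keyboard once this path is gone, since the code now falls straight through to ukbd_cnattach().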



Re: kernel panic i386

2017-10-13 Thread Mike Larkin
On Fri, Oct 13, 2017 at 09:21:37PM +0200, Krzysztof Strzeszewski wrote:
> Hi,
> When I upgrade 6.1 to 6.2 in my futro s400 I have kernel panic.
> 

Try 6.1 stock kernel and see if that works. Then at least we know if we
introduced a regression.

Nobody knows (or cares) what NROOT is.

-ml

> 
> 
> http://wklej.org/hash/e590382de31/
> 
> boot>
> booting hd0a:/bsd: 8154312+2282500+166852+0+1097728
> [680614+82+489520+501323]=0xcc233c
> entry point at 0x2000d4
> 
> [ using 1671996 bytes of bsd ELF symbol table ]
> Copyright (c) 1982, 1986, 1989, 1991, 1993
> The Regents of the University of California.  All rights reserved.
> Copyright (c) 1995-2017 OpenBSD. All rights reserved.
> https://www.OpenBSD.org
> 
> OpenBSD 6.2 (GENERIC) #163: Tue Oct  3 19:51:20 MDT 2017
> dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: AMD Athlon(tm) Processor ("AuthenticAMD" 686-class, 256KB L2
> cache) 1.01 GHz
> cpu0:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,MPC,MMXX,3DNOW2,3DNOW
> real mem  = 1039613952 (991MB)
> avail mem = 1005654016 (959MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: date 02/14/07, BIOS32 rev. 0 @ 0xfaa30, SMBIOS rev.
> 2.2 @ 0xf (31 entries)
> bios0: vendor Phoenix Technologies, LTD version "6.00PG Rev. 4.00.0H"
> date 02/14/2007
> bios0: FUJITSU SIEMENS FUTRO S400
> acpi0 at bios0: rev 0
> acpi0: sleep states S0 S1 S4 S5
> acpi0: tables DSDT FACP SSDT
> acpi0: wakeup devices USB0(S5) USB1(S5) USB2(S5) USB3(S5) AMR0(S4)
> UAR1(S5) PCI0(S5)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpicpu0 at acpi0: C1(@1 halt!), PSS
> acpitz0 at acpi0: critical temperature is 100 degC
> acpibtn0 at acpi0: PWRB
> "PNP0401" at acpi0 not configured
> "PNP0C0B" at acpi0 not configured
> bios0: ROM list: 0xc/0xc000 0xcc000/0x4000! 0xd/0x1000
> cpu0 at mainbus0: (uniprocessor)
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> uvm_fault(0xd0c589b0, 0xd0f32000, 0, 1) -> e
> kernel: page fault trap, code=0
> Stopped at  memcmp+0x11:repe cmpsl  (%esi),%es:(%edi)
> ddb>
> 
> 
> 
> 
> 
> 
> 
> http://wklej.org/hash/e590382de31/
> 
> # dmesg
> OpenBSD 6.1-stable (NROOT) #12: Fri Oct 13 17:15:13 CEST 2017
> krz...@nroot.pl:/usr/src/sys/arch/i386/compile/NROOT
> cpu0: AMD Athlon(tm) Processor ("AuthenticAMD" 686-class, 256KB L2
> cache) 1.01 GHz
> cpu0:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,MPC,MMXX,3DNOW2,3DNOW
> real mem  = 1039613952 (991MB)
> avail mem = 1006993408 (960MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: date 05/14/08, BIOS32 rev. 0 @ 0xfaa30, SMBIOS rev.
> 2.2 @ 0xf (31 entries)
> bios0: vendor Phoenix Technologies, LTD version "6.00PG Rev. 4.00.0Q"
> date 05/14/2008
> bios0: FUJITSU SIEMENS FUTRO S400
> acpi0 at bios0: rev 0
> acpi0: sleep states S0 S1 S4 S5
> acpi0: tables DSDT FACP SSDT
> acpi0: wakeup devices USB0(S5) USB1(S5) USB2(S5) USB3(S5) AMR0(S4) PCI0(S5)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpicpu0 at acpi0: C1(@1 halt!), PSS
> acpitz0 at acpi0: critical temperature is 100 degC
> acpibtn0 at acpi0: PWRB
> "PNP0C0B" at acpi0 not configured
> bios0: ROM list: 0xc/0xc000 0xcc000/0x4000! 0xd/0x1800
> 0xd2000/0x1000
> cpu0 at mainbus0: (uniprocessor)
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: PowerNow! K7 1001 MHz: speeds: 1000 800 667 MHz
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 "SiS 741 PCI" rev 0x03
> sisagp0 at pchb0
> agp0 at sisagp0: aperture at 0xe800, size 0x400
> ppb0 at pci0 dev 1 function 0 "SiS 86C202 AGP" rev 0x00
> pci1 at ppb0 bus 1
> vga1 at pci1 dev 0 function 0 "SiS 6330 VGA" rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> pcib0 at pci0 dev 2 function 0 "SiS 85C503 System" rev 0x25
> pciide0 at pci0 dev 2 function 5 "SiS 5513 EIDE" rev 0x00: 741: DMA,
> channel 0 configured to compatibility, channel 1 configured to compatibility
> wd0 at pciide0 channel 0 drive 0: 
> wd0: 16-sector PIO, LBA48, 57231MB, 117210240 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> pciide0: channel 1 ignored (disabled)
> ohci0 at pci0 dev 3 function 0 "SiS 5597/5598 USB" rev 0x0f: irq 4,
> version 1.0, legacy support
> ohci1 at pci0 dev 3 function 1 "SiS 5597/5598 USB" rev 0x0f: irq 3,
> version 1.0, legacy support
> ehci0 at pci0 dev 3 function 3 "SiS 7002 USB" rev 0x00: irq 7
> ehci0: timed out waiting for BIOS
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 configuration 1 interface 0 "SiS EHCI root hub" rev
> 2.00/1.00 addr 1
> em0 at 

Re: Adding root CA

2017-10-13 Thread Stuart Henderson
On 2017-10-13, Allan Streib  wrote:
> "Bryan C. Everly"  writes:
>
>> Where I work, we are required to install a self-signed root CA into
>> our machines in order to access https sites on the Internet.  It
>> basically allows our security appliances to do a MITM attack on the
>> traffic and look into it to examine the payload for viruses, data
>> exfiltration, etc.  I know, creepy.
>>
>> Regardless, I'd like to be able to set up my OpenBSD laptop with this
>> certificate; however, I have searched mailing lists, Google, etc. and
>> have come up dry.  It basically looks like I need to somehow hook it
>> into the certificate store in /etc/ssl but if someone could point me
>> to a resource that would help me figure out how to do this, I'd really
>> appreciate it.
>
> I think what you will find is that browsers like chromium and firefox
> don't use the OpenBSD-provided /etc/ssl/cert.pem CA file.
>
> They instead have their own internal list of trusted CAs so you will need
> to add your local CA root to the browser's trusted CAs.
> 
> I stand to be corrected, but I do know that I've tried just tacking on a
> local CA root at the end of /etc/ssl/cert.pem and firefox still sounded
> alarms when I tried to connect to one of our local websites.

Yes, that's correct for the usual graphical browsers. cert.pem is
still used for things like ftp (and thus pkg_add/syspatch), lynx,
curl, svn, etc.

Remember that browsers will disable some things like cert pinning
for sites signed with these manually-added certificates. Basically
you are putting full trust in the middleware vendor/operator to 
verify certificates correctly as well as to not leak your data.



Re: A stupid question, re: xargs(1)

2017-10-13 Thread Theo de Raadt
> It does seem to me that the implementation should be portable.

Wow, you don't get it.

You want to add a feature.

Then someone will use the feature.

In a script intended to be portable.

But other systems won't have this feature

Therefore the script won't work.

That sucks.

If you want to add things to standardized utilities you need to
convince a large volume of people in the greater community

Not me.

An alternative solution for your problem already exists on all the
operating systems, which is to use programmatic tools _such as perl
or awk_.

Every utility doesn't need to grow handling for every case, differently
on every operating system.



Looking for libraries

2017-10-13 Thread Per-Olov Sjöholm
Hi

I just upgraded to 6.2…

Anyone that knows what packages I can find the following libs in:
libpthread.so.22.0
libc.so.88.0
libm.so.9.0

I used this https://beta1.bredbandskollen.se/download/bbk_cli_openbsd
on 6.0, but don’t have a copy of the “pkg_info” output from 6.0 that I used.



Tnx in advance
/Peo

Re: A stupid question, re: xargs(1)

2017-10-13 Thread Raul Miller
Portability?

It does seem to me that the implementation should be portable. Then if
someone needs it elsewhere they can have it elsewhere. But I think
that that's more about pledge than anything else (strnsubst and
strtonum maybe deserving honorable mention).

Meanwhile, I guess this would also need a man page update with a
portability caution until enough other implementations deploy this
(probably 10 years or longer). I could supply that if this was the
only remaining issue.

And, ok, I do not expect this to be an immediately useful fix for any
of my problems. I've lived with this problem for a very long time...

But maybe there are other people issues also? I know any choice has its haters.

However, in that first message you had said:

"Because then you don't need xargs, normal tooling separates each line
into a separate argv entry regardless of other spacing."

If there's some existing way (portable or not) to build this kind of
argv in a shell script - using newline separation and nothing else - I
would really appreciate another hint. The only approaches I know of
are order of magnitude worse (heavy, inefficient and/or risky). On the
other hand if you just meant "xargs already splits on newlines and a
bunch of other stuff" then that gets back into standards
interpretation and history land.

Thanks,

-- 
Raul

On Fri, Oct 13, 2017 at 5:29 PM, Theo de Raadt  wrote:
>> Ok, I am curious - what new problems would this create?
>
> I explained in the first mail.
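
An added example (not part of any message in the thread) of building an argument list from newline-separated records and nothing else, as asked about above: it contrasts default xargs parsing with `tr` plus `xargs -0` and with a plain `sh` read loop. The function names and the sample records are made up for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. All sample data is constructed.

# Three newline-separated records. The second contains a space, the third
# double quotes and a backslash: everything default xargs treats specially.
sample_records() {
    printf '%s\n' 'plain.txt' 'two words.txt' '"q" back\slash.txt'
}

# Stand-in for the real utility: prints every argument it received as <arg>.
SHOW='for a in "$@"; do printf "<%s>" "$a"; done'

# 1. Default xargs parsing: blanks split records, quotes and backslashes
#    are interpreted instead of being passed through.
via_xargs_default() {
    sample_records | xargs sh -c "$SHOW" sh
}

# Number of arguments the utility sees with default xargs parsing.
count_xargs_default() {
    sample_records | xargs sh -c 'echo "$#"' sh
}

# 2. Newline-only splitting with existing tools: do any line-based filtering
#    first, then turn each newline into NUL and let xargs -0 (an extension,
#    though a widespread one) do the batching.
via_tr_xargs0() {
    sample_records | tr '\n' '\0' | xargs -0 sh -c "$SHOW" sh
}

# 3. Plain sh, no xargs: append each input line verbatim to the command's
#    argument list, then run the command once. Unlike xargs there is no
#    batching, so very large inputs can exceed the kernel's argument limit.
run_per_line() {
    while IFS= read -r line || [ -n "$line" ]; do
        set -- "$@" "$line"
    done
    "$@"
}

via_read_loop() {
    sample_records | run_per_line sh -c "$SHOW" sh
}

# A line-based filter (grep) placed in front of the argv builder.
via_filtered() {
    sample_records | grep ' ' | run_per_line sh -c "$SHOW" sh
}

printf 'default xargs : %s\n' "$(via_xargs_default)"
printf 'tr | xargs -0 : %s\n' "$(via_tr_xargs0)"
printf 'sh read loop  : %s\n' "$(via_read_loop)"
printf 'grep + loop   : %s\n' "$(via_filtered)"
```

When the records are file names from an untrusted source, put `--` before them in the command so a name starting with `-` is not parsed as an option.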



Re: A stupid question, re: xargs(1)

2017-10-13 Thread Theo de Raadt
> Ok, I am curious - what new problems would this create?

I explained in the first mail.



Re: vmm issues - vioblk_notifyq: unsupported command 0x8

2017-10-13 Thread Andrew Daugherity
On Thu, Oct 12, 2017 at 6:42 PM, Mike Larkin  wrote:
>> oh. I didn't know that is how it was finding things.
>>
>
> When booting it this way in qemu, qemu just reports the ID as "".
>
> So are you sure this is the way it is supposed to work?

Yes... with some caveats.

The Linux device manager (udev, I think?  They've gone through
several.) creates symlinks under /dev/disk/by-{id,label,path,uuid}/,
so that you can use more permanent names in case the disk order (sda,
sdb, etc.) changes; there are also library calls to open a
device/partition by ID, UUID, etc., (via libblkid I believe, which
lets you use things like LABEL=foo or UUID=abcd... as the block device
passed to mount(8) or listed in fstab).  The SUSE installer is
"helpfully" attempting to use these IDs; e.g. with a SATA disk under
VirtualBox, it uses a repo URL of
'hd:///?device=/dev/disk/by-id/ata-VBOX_HARDDISK_VB40007e3d-cdaea0a1-part2'.

However, you are correct that qemu virtio disks do not report IDs (or
report blank ones) -- at least by default (apparently with recent
qemu, there is an option to set a drive's serial number, but it
doesn't seem to be commonly used).  I did a test installation of
openSUSE under Proxmox VE (qemu/KVM) using virtio disks, and the only
thing under /dev/disk/by-id is the emulated IDE CD-ROM -- nothing
for /dev/vda or vdb.  Notably, the installer configured its repo as
'hd:///?device=/dev/vda2' without me having to tell it that, as I had
to under vmm.

By comparison, the opensuse VM I installed under OpenBSD vmm *does*
show some 'by-id' devices:
/dev/disk/by-id:
total 0
lrwxrwxrwx 1 root root  9 Oct 13 13:21 virtio-__LI_U_ -> ../../vdb
lrwxrwxrwx 1 root root 10 Oct 13 13:21 virtio-__LI_U_-part1 -> ../../vdb1
lrwxrwxrwx 1 root root 10 Oct 13 13:21 virtio-__LI_U_-part2 -> ../../vdb2
(Currently /dev/vda is the VM's hard disk and vdb is the ISO...
strange that there are only links for vdb, but not vda.  Of course
accessing via these symlinks works, since they point at the real
device, but doing whatever library call to open
'virtio-__LI_U_-part2' would most likely fail, and obviously
the correct symlinks did not exist during installation.)

My best guess is that when udev gets a blank ID, it skips the by-id
stuff, and thus the installer uses the real disk device, but since vmm
doesn't implement that call, instead of marking the disk as not having
an ID, invalid disk IDs somehow get used.


-Andrew



Re: Openbsd 6.1 and Current Console Freezes and lockup Proxmox PVE5.0

2017-10-13 Thread Michał Koc



On Thu, Oct 12, 2017 at 03:11:31PM -0700, Mike Larkin wrote:

On Thu, Oct 12, 2017 at 10:36:42PM +0200, Michał Koc wrote:

On Thu, Oct 12, 2017 at 01:23:36PM +0200, Michał Koc wrote:

On Sun, Oct 08, 2017 at 11:59:52PM +0200, Oliver Marugg wrote:

On 7 Oct 2017, at 22:01, Mike Larkin wrote:


On Sat, Oct 07, 2017 at 02:19:58PM +0200, Oliver Marugg wrote:

Just to add a 4th situation of hangs: Login via proxmox (pve)/kvm
serial
console (via noVNC), login successful: Vm guest in pve hangs, cpu
usage at
above 102%. Only way is to hard stop the Vm guest. -oliver


sounds like a kvm bug. Ask your provider to investigate the host side
when this
happens.

Thanks Mike, will do so. The proxmox guys have also the idea that it could
be a bug in kvm hypervisor (which is the hypervisor part for proxmox) and
will affect OpenBSD since 4.9, they wrote me in their public forum. As far
as I understood they do not know what OpenBSD needs in kvm or what/where
should be fixed in kvm to run OpenBSD without those freezes.

-oliver

From what I read, the cpu spins to 100%, which means somewhere on the host it's
likely spinning also. Start with systrace/ptrace/ktrace/whatever on the host
qemu-kvm and go from there...

-ml




Hi,

it looks like the cpu process of kvm (CPU 0/KVM) is issuing 1500+ of
ioctl(15, KVM_RUN, 0)  per second while running OpenBSD 6.2 guest.


What CPU profile is being presented to the OpenBSD guest?

I've seen things like this happen when a vCPU is claimed to have monitor/mwait
support, but the hypervisor implements those as NOPs, which just results in
spinning like this.

In short - try changing the type of CPU presented to the guest and see if that
changes behaviour. At least then you'll have more data points to work with.

-ml

Okay,
How would you disable monitor/mwait support in KVM to be presented to guest?


Well, monitor/mwait was just what I recall contributing to something *like*
this.


PS, IIRC qemu -cpu ? will show you a list of recognized cpuid flags, from
which you can subtract off things you don't want.

Hi Mike,

Guest OpenBSD has those flags presented:
cpu0: FPU,VME,DE,PSE,TSC,MSR,MCE,CX8,APIC,MMX,HV,PERF

What else should I switch off to get desired effect ?

Best regards
M.K.

-ml


If you can determine the guest %rip during each ioctl(vm_run) and give me a
kernel or disassembly I may be able to see if it's something obvious.

That, or describe a way I can repro this locally. I have a machine I could
put linux on for an evening to test.

-ml


changing CPU to pentium or setting  does not actually change anything in scope of host cpu
utilization

BR
M.K.



In case of linux guest the process issues about 15 of those ioctls per
second.

In any case I cannot make openbsd to starve KVM host cpu. OpenBSD uses at
most(when idle) 7% of cpu.

My versions:
- OpenBSD 6.2 amd64
- KVM 2.8.1

BR
M.K.











Re: A stupid question, re: xargs(1)

2017-10-13 Thread Raul Miller
I do use xargs -0 almost habitually. That handles quoting issues and
space issues, but:

xargs -0 fails when I want to pipe the result of xargs through a
filter on the way to another xargs.

Meanwhile, tr fails when I do not know the relevant set of unused
characters (when just looking for them takes a long time and a
specialized routine).

Meanwhile, I am trying to understand what would fail if we had an
option similar to -0 where xargs would split on (always and only)
newlines rather than newlines plus other stuff.

And, yes, I have been able to survive without this - but I still am
wanting to understand the issue.

Thanks,

-- 
Raul



On Fri, Oct 13, 2017 at 3:22 PM, Allan Streib  wrote:
> Raul Miller  writes:
>
>> The problem here is that you currently can't get xargs to use newline
>> as a separator without also getting spaces as a separator. This
>> creates a variety of problems.
>
> I see. I've always used -0 in this case, can't recall any times where
> this didn't solve the problem. Your use case sounds unusual. Without
> knowing the details, I'd suggest using additional filters e.g. maybe
> tr(1), before/after xargs.
>
> Allan



Re: Adding root CA

2017-10-13 Thread Allan Streib
"Bryan C. Everly"  writes:

> Where I work, we are required to install a self-signed root CA into
> our machines in order to access https sites on the Internet.  It
> basically allows our security appliances to do a MITM attack on the
> traffic and look into it to examine the payload for viruses, data
> exfiltration, etc.  I know, creepy.
>
> Regardless, I'd like to be able to set up my OpenBSD laptop with this
> certificate; however, I have searched mailing lists, Google, etc. and
> have come up dry.  It basically looks like I need to somehow hook it
> into the certificate store in /etc/ssl but if someone could point me
> to a resource that would help me figure out how to do this, I'd really
> appreciate it.

I think what you will find is that browsers like chromium and firefox
don't use the OpenBSD-provided /etc/ssl/cert.pem CA file.

They instead have their own internal list of trusted CAs so you will need
to add your local CA root to the browser's trusted CAs.

I stand to be corrected, but I do know that I've tried just tacking on a
local CA root at the end of /etc/ssl/cert.pem and firefox still sounded
alarms when I tried to connect to one of our local websites.

Allan



Adding root CA

2017-10-13 Thread Bryan C. Everly
Hi misc@,

Where I work, we are required to install a self-signed root CA into
our machines in order to access https sites on the Internet.  It
basically allows our security appliances to do a MITM attack on the
traffic and look into it to examine the payload for viruses, data
exfiltration, etc.  I know, creepy.

Regardless, I'd like to be able to set up my OpenBSD laptop with this
certificate; however, I have searched mailing lists, Google, etc. and
have come up dry.  It basically looks like I need to somehow hook it
into the certificate store in /etc/ssl but if someone could point me
to a resource that would help me figure out how to do this, I'd really
appreciate it.

Thanks,
Bryan



Re: A stupid question, re: xargs(1)

2017-10-13 Thread Allan Streib
Raul Miller  writes:

> The problem here is that you currently can't get xargs to use newline
> as a separator without also getting spaces as a separator. This
> creates a variety of problems.

I see. I've always used -0 in this case, can't recall any times where
this didn't solve the problem. Your use case sounds unusual. Without
knowing the details, I'd suggest using additional filters e.g. maybe
tr(1), before/after xargs.

Allan



Re: I'm stuck with pf - can someone with some experience check my rules please? Thanks

2017-10-13 Thread Kenneth Gober
On Thu, Oct 12, 2017 at 7:48 AM, tec...@protonmail.com
 wrote:
> I have been reading through the Book of PF (3rd edition) and other resources 
> on the web (FAQ), so far so good but I'm hitting some roadblocks.  This 
> router I have built is also acting as a client to an external VPN server, it 
> works and my client is getting a connection just fine.  The problem is that 
> whenever OpenVPN is active I cannot SSH in from a specific subnet - my pf 
> rules aren't right.  Is there some obvious issue with my rules standing out 
> to you?  I appreciate you looking, thanks.
>
> Topology:
> [pfSense  Router: 192.168.1.1] (wifi lan subnet 192.168.2.0/24 / ethernet lan 
> subnet 192.168.1.0/24) -- Unmanaged Switch -- [OpenBSD router : 
> 192.168.1.100] (ethernet lan subnet 10.0.0.0/24)
>
> What doesn't work:
> pfSense clients on the wifi lan subnet SSH'ing in to the OpenBSD router
> (when OpenVPN is active on the OpenBSD router)

I suspect that you have an address conflict between your WiFi network
and the networks that are reachable via OpenVPN.  I'm guessing your
VPN service is either giving you a 192.168.2.x address for your
OpenVPN client, or they are pushing a route to their own 192.168.2.0
network that takes precedence over your own.

The output of "netstat -nrf inet" (while OpenVPN is active) will help
to identify the problem.

-ken



kernel panic i386

2017-10-13 Thread Krzysztof Strzeszewski

Hi,
When I upgrade 6.1 to 6.2 on my Futro S400, I have a kernel panic.



http://wklej.org/hash/e590382de31/

boot>
booting hd0a:/bsd: 8154312+2282500+166852+0+1097728
[680614+82+489520+501323]=0xcc233c
entry point at 0x2000d4

[ using 1671996 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2017 OpenBSD. All rights reserved.
https://www.OpenBSD.org

OpenBSD 6.2 (GENERIC) #163: Tue Oct  3 19:51:20 MDT 2017
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) Processor ("AuthenticAMD" 686-class, 256KB L2
cache) 1.01 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,MPC,MMXX,3DNOW2,3DNOW
real mem  = 1039613952 (991MB)
avail mem = 1005654016 (959MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 02/14/07, BIOS32 rev. 0 @ 0xfaa30, SMBIOS rev.
2.2 @ 0xf (31 entries)
bios0: vendor Phoenix Technologies, LTD version "6.00PG Rev. 4.00.0H"
date 02/14/2007
bios0: FUJITSU SIEMENS FUTRO S400
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP SSDT
acpi0: wakeup devices USB0(S5) USB1(S5) USB2(S5) USB3(S5) AMR0(S4)
UAR1(S5) PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!), PSS
acpitz0 at acpi0: critical temperature is 100 degC
acpibtn0 at acpi0: PWRB
"PNP0401" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
bios0: ROM list: 0xc/0xc000 0xcc000/0x4000! 0xd/0x1000
cpu0 at mainbus0: (uniprocessor)
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
uvm_fault(0xd0c589b0, 0xd0f32000, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at  memcmp+0x11:repe cmpsl  (%esi),%es:(%edi)
ddb>







http://wklej.org/hash/e590382de31/

# dmesg
OpenBSD 6.1-stable (NROOT) #12: Fri Oct 13 17:15:13 CEST 2017
krz...@nroot.pl:/usr/src/sys/arch/i386/compile/NROOT
cpu0: AMD Athlon(tm) Processor ("AuthenticAMD" 686-class, 256KB L2
cache) 1.01 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,MPC,MMXX,3DNOW2,3DNOW
real mem  = 1039613952 (991MB)
avail mem = 1006993408 (960MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 05/14/08, BIOS32 rev. 0 @ 0xfaa30, SMBIOS rev.
2.2 @ 0xf (31 entries)
bios0: vendor Phoenix Technologies, LTD version "6.00PG Rev. 4.00.0Q"
date 05/14/2008
bios0: FUJITSU SIEMENS FUTRO S400
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP SSDT
acpi0: wakeup devices USB0(S5) USB1(S5) USB2(S5) USB3(S5) AMR0(S4) PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!), PSS
acpitz0 at acpi0: critical temperature is 100 degC
acpibtn0 at acpi0: PWRB
"PNP0C0B" at acpi0 not configured
bios0: ROM list: 0xc/0xc000 0xcc000/0x4000! 0xd/0x1800
0xd2000/0x1000
cpu0 at mainbus0: (uniprocessor)
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: PowerNow! K7 1001 MHz: speeds: 1000 800 667 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "SiS 741 PCI" rev 0x03
sisagp0 at pchb0
agp0 at sisagp0: aperture at 0xe800, size 0x400
ppb0 at pci0 dev 1 function 0 "SiS 86C202 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "SiS 6330 VGA" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 2 function 0 "SiS 85C503 System" rev 0x25
pciide0 at pci0 dev 2 function 5 "SiS 5513 EIDE" rev 0x00: 741: DMA,
channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 57231MB, 117210240 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 3 function 0 "SiS 5597/5598 USB" rev 0x0f: irq 4,
version 1.0, legacy support
ohci1 at pci0 dev 3 function 1 "SiS 5597/5598 USB" rev 0x0f: irq 3,
version 1.0, legacy support
ehci0 at pci0 dev 3 function 3 "SiS 7002 USB" rev 0x00: irq 7
ehci0: timed out waiting for BIOS
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "SiS EHCI root hub" rev
2.00/1.00 addr 1
em0 at pci0 dev 7 function 0 "Intel 82546EB" rev 0x01: irq 10, address
00:11:0a:5b:69:e8
em1 at pci0 dev 7 function 1 "Intel 82546EB" rev 0x01: irq 11, address
00:11:0a:5b:69:e9
re0 at pci0 dev 9 function 0 "Realtek 8169" rev 0x10: RTL8169/8110SB
(0x1000), irq 15, address 00:90:dc:06:37:7d
rgephy0 at re0 phy 7: RTL8169S/8110S/8211 PHY, rev. 3
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: 

Re: A stupid question, re: xargs(1)

2017-10-13 Thread Raul Miller
Er... aside from the broken patch problems, I mean.

:(

Once again, sorry about that.

-- 
Raul

--- xargs.c.orig2017-10-13 14:13:16.0 -0400
+++ xargs.c2017-10-13 15:16:16.0 -0400
@@ -65,7 +65,7 @@
 static char **av, **bxp, **ep, **endxp, **xp;
 static char *argp, *bbp, *ebp, *inpline, *p, *replstr;
 static const char *eofstr;
-static int count, insingle, indouble, oflag, pflag, tflag, Rflag, rval, zflag;
+static int count, insingle, indouble, oflag, pflag, tflag, Rflag,
rval, zflag, lflag;
 static int cnt, Iflag, jfound, Lflag, wasquoted, xflag, runeof = 1;
 static int curprocs, maxprocs;
 static size_t inpsize;
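
Review bot: the new `lflag` in the `static int count, ...` declaration differs only by case from the `Lflag` declared on the next line, which is easy to misread or mistype in the parser's flag tests. A more distinct name, for example `nlflag`, would avoid that.
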
@@ -114,7 +114,7 @@
 nline -= strlen(*ep++) + 1 + sizeof(*ep);
 }
 maxprocs = 1;
-while ((ch = getopt(argc, argv, "0E:I:J:L:n:oP:pR:rs:tx")) != -1)
+while ((ch = getopt(argc, argv, "0E:I:J:L:n:oP:pR:rs:tx/")) != -1)
 switch (ch) {
 case 'E':
 eofstr = optarg;
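
Review bot: the getopt string gains `/`, an unusual option character, and nothing in this patch updates usage() or the manual page to mention it. The thread itself lists the choice of option letter as an open question, so settle that first and document the flag in the same diff.
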
@@ -174,6 +174,9 @@
 case '0':
 zflag = 1;
 break;
+case '/':
+lflag = 1;
+break;
 case '?':
 default:
 usage();
@@ -262,7 +265,7 @@
 if (insingle || indouble)
 goto addch;
 hasblank = 1;
-if (zflag)
+if (zflag || (lflag  && '\n'!=ch))
 goto addch;
 goto arg2;
 }
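
Review bot: in `if (zflag || (lflag  && '\n'!=ch))` the `'\n'!=ch` guard is only needed if this branch can ever see a newline. If it cannot, `if (zflag || lflag)` says the same thing and matches the quote and backslash cases further down. If the guard is intentional, add a short comment saying why, and bring the doubled space and the reversed comparison in line with the surrounding style.
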
@@ -282,6 +285,8 @@
 goto arg2;
 goto addch;
 case '\n':
+if (lflag)
+goto arg2;
 hasblank = 1;
 if (hadblank == 0)
 count++;
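
Review bot: the early `if (lflag) goto arg2;` under `case '\n':` skips the `hasblank = 1` and `count++` bookkeeping that the default newline path performs just below it. If `count` feeds the `Lflag` or `Iflag` handling, input lines will not be counted in this mode. Either increment `count` before the jump or state that the new flag is not meant to be combined with those options.
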
@@ -360,19 +365,19 @@
 wasquoted = 0;
 break;
 case '\'':
-if (indouble || zflag)
+if (indouble || zflag || lflag)
 goto addch;
 insingle = !insingle;
 wasquoted = 1;
 break;
 case '"':
-if (insingle || zflag)
+if (insingle || zflag || lflag)
 goto addch;
 indouble = !indouble;
 wasquoted = 1;
 break;
 case '\\':
-if (zflag)
+if (zflag || lflag)
 goto addch;
 /* Backslash escapes anything, is escaped by quotes. */
 if (!insingle && !indouble && (ch = getchar()) == EOF)
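
Review bot: with `lflag` added to all three tests in this hunk, quotes and backslash become literal, so in this mode an argument can never contain a newline and there is no escape mechanism at all. That mirrors what `zflag` does here, but it needs to be stated in the manual page, and the behaviour when both flags are given on the same command line should be defined or rejected.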

On Fri, Oct 13, 2017 at 3:07 PM, Raul Miller  wrote:
> Ok, I am curious - what new problems would this create?
>
> Thanks,
>
> --
> Raul
>
>
> On Fri, Oct 13, 2017 at 2:52 PM, Theo de Raadt  wrote:
>>> The problem here is that you currently can't get xargs to use newline
>>> as a separator without also getting spaces as a separator. This
>>> creates a variety of problems.
>>
>> But it creates lots of other problems when you propose an extension to
>> only one operating system's version of a utility.
>>
>> I think you've written a diff and now you are handwaving...
>>



Re: A stupid question, re: xargs(1)

2017-10-13 Thread Raul Miller
Ok, I am curious - what new problems would this create?

Thanks,

-- 
Raul


On Fri, Oct 13, 2017 at 2:52 PM, Theo de Raadt  wrote:
>> The problem here is that you currently can't get xargs to use newline
>> as a separator without also getting spaces as a separator. This
>> creates a variety of problems.
>
> But it creates lots of other problems when you propose an extension to
> only one operating system's version of a utility.
>
> I think you've written a diff and now you are handwaving...
>



Re: A stupid question, re: xargs(1)

2017-10-13 Thread Raul Miller
That deals with some but not all problems.

It does deal with the spaces in file names problem.

Thanks,

-- 
Raul


On Fri, Oct 13, 2017 at 2:57 PM, Stefan Johnson
 wrote:
> I'm at work at the moment, so I can't test this on my OpenBSD machine at
> home.  However, have you tried setting IFS to a new line prior to feeding
> newline separated output to xargs?
>
> IFS="
> "
> some_command_that_generates_multiple_lines | xargs -n 1 some_other_command
>
> Understand that "xargs -0" from linux-land doesn't delimit on new lines.  It
> delimits on a zero marker "null" separator often generated by linux-land
> find.
>
>
>
> On Fri, Oct 13, 2017 at 1:49 PM, Raul Miller  wrote:
>>
>> The problem here is that you currently can't get xargs to use newline
>> as a separator without also getting spaces as a separator. This
>> creates a variety of problems.
>>
>> Thanks,
>>
>> --
>> Raul
>>
>>
>> On Fri, Oct 13, 2017 at 2:40 PM, Allan Streib  wrote:
>> > Raul Miller  writes:
>> >
>> >> Can someone explain to me why xargs(1) does not support using newline
>> >> as a separator, when that is one of the most common unix separators?
>> >
>> > Which xargs(1) are you talking about? From my 6.1 machine, man xargs
>> > says:
>> >
>> >  The xargs utility reads space, tab, newline, and end-of-file
>> >  delimited strings from the standard input and executes the
>> >  specified utility with the strings as arguments.
>> >
>> > Allan
>> >
>>
>



Re: A stupid question, re: xargs(1)

2017-10-13 Thread Stefan Johnson
I'm at work at the moment, so I can't test this on my OpenBSD machine at
home.  However, have you tried setting IFS to a new line prior to feeding
newline separated output to xargs?

IFS="
"
some_command_that_generates_multiple_lines | xargs -n 1 some_other_command

Understand that "xargs -0" from linux-land doesn't delimit on new lines.
It delimits on a zero marker "null" separator often generated by linux-land
find.



On Fri, Oct 13, 2017 at 1:49 PM, Raul Miller  wrote:

> The problem here is that you currently can't get xargs to use newline
> as a separator without also getting spaces as a separator. This
> creates a variety of problems.
>
> Thanks,
>
> --
> Raul
>
>
> On Fri, Oct 13, 2017 at 2:40 PM, Allan Streib  wrote:
> > Raul Miller  writes:
> >
> >> Can someone explain to me why xargs(1) does not support using newline
> >> as a separator, when that is one of the most common unix separators?
> >
> > Which xargs(1) are you talking about? From my 6.1 machine, man xargs
> > says:
> >
> >  The xargs utility reads space, tab, newline, and end-of-file
> >  delimited strings from the standard input and executes the
> >  specified utility with the strings as arguments.
> >
> > Allan
> >
>
>


Re: A stupid question, re: xargs(1)

2017-10-13 Thread Theo de Raadt
> The problem here is that you currently can't get xargs to use newline
> as a separator without also getting spaces as a separator. This
> creates a variety of problems.

But it creates lots of other problems when you propose an extension to
only one operating system's version of a utility.

I think you've written a diff and now you are handwaving...



Re: A stupid question, re: xargs(1)

2017-10-13 Thread Raul Miller
The problem here is that you currently can't get xargs to use newline
as a separator without also getting spaces as a separator. This
creates a variety of problems.

Thanks,

-- 
Raul


On Fri, Oct 13, 2017 at 2:40 PM, Allan Streib  wrote:
> Raul Miller  writes:
>
>> Can someone explain to me why xargs(1) does not support using newline
>> as a separator, when that is one of the most common unix separators?
>
> Which xargs(1) are you talking about? From my 6.1 machine, man xargs
> says:
>
>  The xargs utility reads space, tab, newline, and end-of-file
>  delimited strings from the standard input and executes the
>  specified utility with the strings as arguments.
>
> Allan
>



Re: A stupid question, re: xargs(1)

2017-10-13 Thread Raul Miller
When our interpretation of the specification creates orders of
magnitude more problems than it solves, yes.

This should not in any way be construed as meaning that anything goes.

Thanks,

-- 
Raul



On Fri, Oct 13, 2017 at 2:45 PM, Theo de Raadt  wrote:
>> (2) Given that POSIX is an incomplete specification, why is POSIX the
>> issue here?
>
> What does 'incomplete specification' mean?
>
> You mean incompatible extensions should be added, quite similar to the
> damage bash creates in the ecosystem with its incompatible extensions?
>



Re: A stupid question, re: xargs(1)

2017-10-13 Thread Theo de Raadt
> (2) Given that POSIX is an incomplete specification, why is POSIX the
> issue here?

What does 'incomplete specification' mean?

You mean incompatible extensions should be added, quite similar to the
damage bash creates in the ecosystem with its incompatible extensions?



Re: A stupid question, re: xargs(1)

2017-10-13 Thread Allan Streib
Raul Miller  writes:

> Can someone explain to me why xargs(1) does not support using newline
> as a separator, when that is one of the most common unix separators?

Which xargs(1) are you talking about? From my 6.1 machine, man xargs
says:

 The xargs utility reads space, tab, newline, and end-of-file
 delimited strings from the standard input and executes the
 specified utility with the strings as arguments.

Allan



Re: A stupid question, re: xargs(1)

2017-10-13 Thread Raul Miller
Ok, first off, I appreciate your having taken time to respond.
Especially given the bug I had in my suggested patch.

That said... two things I am missing here:

(1) How do I get access to that normal tooling from the shell command
line without xargs?

(2) Given that POSIX is an incomplete specification, why is POSIX the
issue here?

That said, note also that I am partially motivated by having seen a
lot of xargs -0 deprecated warnings over the years, but I am also
motivated by my desire to use grep or other filters in front of xargs.

Thanks,

-- 
Raul

On Fri, Oct 13, 2017 at 2:34 PM, Theo de Raadt  wrote:
>> Can someone explain to me why xargs(1) does not support using newline
>> as a separator, when that is one of the most common unix separators?
>
> Because then you don't need xargs, normal tooling separates each line
> into a separate argv entry regardless of other spacing.
>
> You are proposing an incompatible extension to a POSIX defined
> utility.  Meaning if someone uses this in a script, it won't work on
> other systems.
>
> Not everything in unix is perfect.
>
>> I'm pasting one potential approach to the end of this message. There's
>> a few issues that might be stalling points:
>>
>> (*) which command line option to be used (this gets into potential
>> conflicts with other versions).
>>
>> (*) how to handle (or not handle) escape characters (my feeling is
>> that escaping newline characters would be a bad thing when using
>> newline as a separator).
>>
>> (*) code neatness and style issues.
>>
>> But, anyways, given the problems that arise from xargs space handling
>> being "too smart", and given how often spaces get included in file and
>> directory names, it seems like newline separated records should have
>> been a no-brainer back like 20 years ago, if not earlier. So
>> presumably someone has at some point squashed efforts to fix this.
>>
>> So, I guess I might be looking for the reasons. Does anyone know?
>>
>> Thanks,
>>
>> --
>> Raul
>>
>> --- xargs.c.orig2017-10-13 14:13:16.0 -0400
>> +++ xargs.c2017-10-13 14:13:17.0 -0400
>> @@ -65,7 +65,7 @@
>>  static char **av, **bxp, **ep, **endxp, **xp;
>>  static char *argp, *bbp, *ebp, *inpline, *p, *replstr;
>>  static const char *eofstr;
>> -static int count, insingle, indouble, oflag, pflag, tflag, Rflag, rval, 
>> zflag;
>> +static int count, insingle, indouble, oflag, pflag, tflag, Rflag,
>> rval, zflag, lflag;
>>  static int cnt, Iflag, jfound, Lflag, wasquoted, xflag, runeof = 1;
>>  static int curprocs, maxprocs;
>>  static size_t inpsize;
>> @@ -174,6 +174,9 @@
>>  case '0':
>>  zflag = 1;
>>  break;
>> +case '/':
>> +lflag = 1;
>> +break;
>>  case '?':
>>  default:
>>  usage();
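
Review bot: this hunk adds `case '/':` to the option switch, but no hunk in this version of the patch adds `/` to the getopt option string, so getopt will never return it and `lflag` can never be set. The option string has to gain the new character as well.
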
>> @@ -262,7 +265,7 @@
>>  if (insingle || indouble)
>>  goto addch;
>>  hasblank = 1;
>> -if (zflag)
>> +if (zflag || (lflag  && '\n'==ch))
>>  goto addch;
>>  goto arg2;
>>  }
>> @@ -282,6 +285,8 @@
>>  goto arg2;
>>  goto addch;
>>  case '\n':
>> +if (lflag)
>> +goto arg2;
>>  hasblank = 1;
>>  if (hadblank == 0)
>>  count++;
>> @@ -360,19 +365,19 @@
>>  wasquoted = 0;
>>  break;
>>  case '\'':
>> -if (indouble || zflag)
>> +if (indouble || zflag || lflag)
>>  goto addch;
>>  insingle = !insingle;
>>  wasquoted = 1;
>>  break;
>>  case '"':
>> -if (insingle || zflag)
>> +if (insingle || zflag || lflag)
>>  goto addch;
>>  indouble = !indouble;
>>  wasquoted = 1;
>>  break;
>>  case '\\':
>> -if (zflag)
>> +if (zflag || lflag)
>>  goto addch;
>>  /* Backslash escapes anything, is escaped by quotes. */
>>  if (!insingle && !indouble && (ch = getchar()) == EOF)
>>
>



Re: A stupid question, re: xargs(1)

2017-10-13 Thread Raul Miller
Actually, that had a bug, which is maybe why I should have waited
before posting that question.


if (zflag || (lflag  && '\n'==ch))

The && bit should not be there. Probably best to go if (zflag ||
lflag) though changing == to != would guard against the possibility
that isblank would recognize linefeed as a blank.

Sorry about that,

-- 
Raul


On Fri, Oct 13, 2017 at 2:23 PM, Raul Miller  wrote:
> Can someone explain to me why xargs(1) does not support using newline
> as a separator, when that is one of the most common unix separators?
>
> I'm pasting one potential approach to the end of this message. There's
> a few issues that might be stalling points:
>
> (*) which command line option to be used (this gets into potential
> conflicts with other versions).
>
> (*) how to handle (or not handle) escape characters (my feeling is
> that escaping newline characters would be a bad thing when using
> newline as a separator).
>
> (*) code neatness and style issues.
>
> But, anyways, given the problems that arise from xargs space handling
> being "too smart", and given how often spaces get included in file and
> directory names, it seems like newline separated records should have
> been a no-brainer back like 20 years ago, if not earlier. So
> presumably someone has at some point squashed efforts to fix this.
>
> So, I guess I might be looking for the reasons. Does anyone know?
>
> Thanks,
>
> --
> Raul
>
> --- xargs.c.orig2017-10-13 14:13:16.0 -0400
> +++ xargs.c2017-10-13 14:13:17.0 -0400
> @@ -65,7 +65,7 @@
>  static char **av, **bxp, **ep, **endxp, **xp;
>  static char *argp, *bbp, *ebp, *inpline, *p, *replstr;
>  static const char *eofstr;
> -static int count, insingle, indouble, oflag, pflag, tflag, Rflag, rval, 
> zflag;
> +static int count, insingle, indouble, oflag, pflag, tflag, Rflag,
> rval, zflag, lflag;
>  static int cnt, Iflag, jfound, Lflag, wasquoted, xflag, runeof = 1;
>  static int curprocs, maxprocs;
>  static size_t inpsize;
> @@ -174,6 +174,9 @@
>  case '0':
>  zflag = 1;
>  break;
> +case '/':
> +lflag = 1;
> +break;
>  case '?':
>  default:
>  usage();
> @@ -262,7 +265,7 @@
>  if (insingle || indouble)
>  goto addch;
>  hasblank = 1;
> -if (zflag)
> +if (zflag || (lflag  && '\n'==ch))
>  goto addch;
>  goto arg2;
>  }
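
Review bot: `(lflag  && '\n'==ch)` is the wrong way round for the stated goal. As written, a character only goes to `addch` under `lflag` when it is a newline, so spaces and tabs still reach `goto arg2` and keep splitting arguments. The test should be `zflag || lflag`, or use `!=` if the newline guard is wanted.
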
> @@ -282,6 +285,8 @@
>  goto arg2;
>  goto addch;
>  case '\n':
> +if (lflag)
> +goto arg2;
>  hasblank = 1;
>  if (hadblank == 0)
>  count++;
> @@ -360,19 +365,19 @@
>  wasquoted = 0;
>  break;
>  case '\'':
> -if (indouble || zflag)
> +if (indouble || zflag || lflag)
>  goto addch;
>  insingle = !insingle;
>  wasquoted = 1;
>  break;
>  case '"':
> -if (insingle || zflag)
> +if (insingle || zflag || lflag)
>  goto addch;
>  indouble = !indouble;
>  wasquoted = 1;
>  break;
>  case '\\':
> -if (zflag)
> +if (zflag || lflag)
>  goto addch;
>  /* Backslash escapes anything, is escaped by quotes. */
>  if (!insingle && !indouble && (ch = getchar()) == EOF)



Re: A stupid question, re: xargs(1)

2017-10-13 Thread Theo de Raadt
> Can someone explain to me why xargs(1) does not support using newline
> as a separator, when that is one of the most common unix separators?

Because then you don't need xargs, normal tooling separates each line
into a separate argv entry regardless of other spacing.

You are proposing an incompatible extension to a POSIX defined
utility.  Meaning if someone uses this in a script, it won't work on
other systems.  

Not everything in unix is perfect.

> I'm pasting one potential approach to the end of this message. There's
> a few issues that might be stalling points:
> 
> (*) which command line option to be used (this gets into potential
> conflicts with other versions).
> 
> (*) how to handle (or not handle) escape characters (my feeling is
> that escaping newline characters would be a bad thing when using
> newline as a separator).
> 
> (*) code neatness and style issues.
> 
> But, anyways, given the problems that arise from xargs space handling
> being "too smart", and given how often spaces get included in file and
> directory names, it seems like newline separated records should have
> been a no-brainer back like 20 years ago, if not earlier. So
> presumably someone has at some point squashed efforts to fix this.
> 
> So, I guess I might be looking for the reasons. Does anyone know?
> 
> Thanks,
> 
> -- 
> Raul
> 
> --- xargs.c.orig2017-10-13 14:13:16.0 -0400
> +++ xargs.c2017-10-13 14:13:17.0 -0400
> @@ -65,7 +65,7 @@
>  static char **av, **bxp, **ep, **endxp, **xp;
>  static char *argp, *bbp, *ebp, *inpline, *p, *replstr;
>  static const char *eofstr;
> -static int count, insingle, indouble, oflag, pflag, tflag, Rflag, rval, 
> zflag;
> +static int count, insingle, indouble, oflag, pflag, tflag, Rflag,
> rval, zflag, lflag;
>  static int cnt, Iflag, jfound, Lflag, wasquoted, xflag, runeof = 1;
>  static int curprocs, maxprocs;
>  static size_t inpsize;
> @@ -174,6 +174,9 @@
>  case '0':
>  zflag = 1;
>  break;
> +case '/':
> +lflag = 1;
> +break;
>  case '?':
>  default:
>  usage();
> @@ -262,7 +265,7 @@
>  if (insingle || indouble)
>  goto addch;
>  hasblank = 1;
> -if (zflag)
> +if (zflag || (lflag  && '\n'==ch))
>  goto addch;
>  goto arg2;
>  }
> @@ -282,6 +285,8 @@
>  goto arg2;
>  goto addch;
>  case '\n':
> +if (lflag)
> +goto arg2;
>  hasblank = 1;
>  if (hadblank == 0)
>  count++;
> @@ -360,19 +365,19 @@
>  wasquoted = 0;
>  break;
>  case '\'':
> -if (indouble || zflag)
> +if (indouble || zflag || lflag)
>  goto addch;
>  insingle = !insingle;
>  wasquoted = 1;
>  break;
>  case '"':
> -if (insingle || zflag)
> +if (insingle || zflag || lflag)
>  goto addch;
>  indouble = !indouble;
>  wasquoted = 1;
>  break;
>  case '\\':
> -if (zflag)
> +if (zflag || lflag)
>  goto addch;
>  /* Backslash escapes anything, is escaped by quotes. */
>  if (!insingle && !indouble && (ch = getchar()) == EOF)
> 



A stupid question, re: xargs(1)

2017-10-13 Thread Raul Miller
Can someone explain to me why xargs(1) does not support using newline
as a separator, when that is one of the most common unix separators?

I'm pasting one potential approach to the end of this message. There's
a few issues that might be stalling points:

(*) which command line option to be used (this gets into potential
conflicts with other versions).

(*) how to handle (or not handle) escape characters (my feeling is
that escaping newline characters would be a bad thing when using
newline as a separator).

(*) code neatness and style issues.

But, anyways, given the problems that arise from xargs space handling
being "too smart", and given how often spaces get included in file and
directory names, it seems like newline separated records should have
been a no-brainer back like 20 years ago, if not earlier. So
presumably someone has at some point squashed efforts to fix this.

So, I guess I might be looking for the reasons. Does anyone know?

Thanks,

-- 
Raul

--- xargs.c.orig2017-10-13 14:13:16.0 -0400
+++ xargs.c2017-10-13 14:13:17.0 -0400
@@ -65,7 +65,7 @@
 static char **av, **bxp, **ep, **endxp, **xp;
 static char *argp, *bbp, *ebp, *inpline, *p, *replstr;
 static const char *eofstr;
-static int count, insingle, indouble, oflag, pflag, tflag, Rflag, rval, zflag;
+static int count, insingle, indouble, oflag, pflag, tflag, Rflag,
rval, zflag, lflag;
 static int cnt, Iflag, jfound, Lflag, wasquoted, xflag, runeof = 1;
 static int curprocs, maxprocs;
 static size_t inpsize;
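Review bot: the added declaration is split over two lines and its second line, `rval, zflag, lflag;`, has no leading `+`, so this hunk will not apply as posted (the header promises 7 lines on each side); regenerate the diff and send it so the mailer cannot wrap it. The new `lflag` also sits one line above the existing `Lflag` and differs from it only in case, which is easy to misread in the parser, so a more distinct name would be safer.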
@@ -174,6 +174,9 @@
 case '0':
 zflag = 1;
 break;
+case '/':
+lflag = 1;
+break;
 case '?':
 default:
 usage();
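Review bot: `case '/':` is added to the option switch, but no hunk in this patch touches the option string, so if the switch is driven by getopt(), as the `case '?':` arm suggests, '/' is reported as an unknown option and ends in `usage()` without ever setting `lflag`. Add the character to the option string, extend the usage text and manual page in the same diff, and decide what happens when this option and `-0` are given together, since both now set independent flags.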
@@ -262,7 +265,7 @@
 if (insingle || indouble)
 goto addch;
 hasblank = 1;
-if (zflag)
+if (zflag || (lflag  && '\n'==ch))
 goto addch;
 goto arg2;
 }
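Review bot: in `if (zflag || (lflag  && '\n'==ch))` the `'\n'==ch` term looks like it can never be true, since newline has its own `case '\n':` in the next hunk and this block sets `hasblank`, which suggests it handles space and tab. With `lflag` set a blank would then still reach `goto arg2` and split the argument, which is the behaviour the flag is meant to remove; if that reading is right, test `lflag` alone here. Style: drop the double space and write the comparison variable first with spaces around `==`, as the neighbouring code does (`hadblank == 0`).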
@@ -282,6 +285,8 @@
 goto arg2;
 goto addch;
 case '\n':
+if (lflag)
+goto arg2;
 hasblank = 1;
 if (hadblank == 0)
 count++;
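Review bot: the early `if (lflag) goto arg2;` at the top of `case '\n':` jumps past `hasblank = 1` and the `count++` under `hadblank == 0`, so with the new flag a newline no longer updates the line bookkeeping this case otherwise maintains. If `count` feeds a line-based limit (the file also declares `Lflag`), either move the jump below the `count++` or state in a comment that the new flag is meant to bypass it.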
@@ -360,19 +365,19 @@
 wasquoted = 0;
 break;
 case '\'':
-if (indouble || zflag)
+if (indouble || zflag || lflag)
 goto addch;
 insingle = !insingle;
 wasquoted = 1;
 break;
 case '"':
-if (insingle || zflag)
+if (insingle || zflag || lflag)
 goto addch;
 indouble = !indouble;
 wasquoted = 1;
 break;
 case '\\':
-if (zflag)
+if (zflag || lflag)
 goto addch;
 /* Backslash escapes anything, is escaped by quotes. */
 if (!insingle && !indouble && (ch = getchar()) == EOF)
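Review bot: the comment `/* Backslash escapes anything, is escaped by quotes. */` is no longer accurate once `lflag` makes backslash and both quote characters literal; update it, and document that in this mode a newline can never be part of an argument, because nothing is left to escape it. `zflag || lflag` is now repeated in all three cases of this hunk, so a single "take input literally" flag set by either option would keep the cases from drifting apart.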


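A simplified model of the two tokenising rules at issue in this thread, added here as an example (it is not xargs.c and not the patch author's code): the default rules, where blanks, quotes and backslashes are special, and newline-only splitting as the proposed flag intends. `split_args`, `MODE_DEFAULT` and `MODE_LINES` are names assumed for the example, the input is constructed, and -L, -I and end-of-file string handling are left out.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8
#define MAX_LEN  64

/* MODE_DEFAULT: blanks and newlines separate, quotes and backslash are special.
 * MODE_LINES (hypothetical name): only newline separates and every other
 * character is literal, which is what the proposed flag is after. */
enum split_mode { MODE_DEFAULT, MODE_LINES };

/* Split `in` into out[]; returns the argument count, -1 when a quote is still
 * open at a newline or at end of input, -2 when the result does not fit. */
int split_args(const char *in, enum split_mode mode, char out[][MAX_LEN])
{
    int n = 0, insingle = 0, indouble = 0, wasquoted = 0;
    size_t len = 0;

    for (;; in++) {
        char ch = *in;
        int literal = 0;

        if (mode == MODE_DEFAULT && ch != '\0') {
            if (ch == '\'' && !indouble) {
                insingle = !insingle; wasquoted = 1;
                continue;
            }
            if (ch == '"' && !insingle) {
                indouble = !indouble; wasquoted = 1;
                continue;
            }
            if (ch == '\\' && !insingle && !indouble && in[1] != '\0') {
                ch = *++in;             /* backslash escapes the next char */
                literal = 1;
            } else if ((insingle || indouble) && ch != '\n') {
                literal = 1;            /* in quotes all but newline is literal */
            }
        }

        if (!literal && (ch == '\0' || ch == '\n' ||
            (mode == MODE_DEFAULT && (ch == ' ' || ch == '\t')))) {
            if (insingle || indouble)
                return -1;              /* quote left open */
            if (len > 0 || wasquoted) { /* skip empty unquoted arguments */
                if (n == MAX_ARGS)
                    return -2;
                out[n++][len] = '\0';
            }
            len = 0;
            wasquoted = 0;
            if (ch == '\0')
                return n;
            continue;
        }
        if (n == MAX_ARGS || len + 1 >= MAX_LEN)
            return -2;
        out[n][len++] = ch;
    }
}

int main(void)
{
    /* Constructed sample input: three file names, one per line. */
    const char *names = "my report.txt\nit's here.log\nplain\n";
    char out[MAX_ARGS][MAX_LEN];
    int i, n;

    /* The apostrophe opens a quote that the newline leaves unterminated. */
    printf("default mode: %d\n", split_args(names, MODE_DEFAULT, out));

    n = split_args(names, MODE_LINES, out);
    for (i = 0; i < n; i++)
        printf("line mode arg %d: [%s]\n", i, out[i]);
    return 0;
}
```

In line mode a file name that itself contains a newline still splits in two, which is the one case only NUL separation (`-0`) covers.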

Re: Automatically restarting services/daemons after crash

2017-10-13 Thread Theo de Raadt
> OpenBSD also has plenty of redundancy service failover (CARP, relayd
> etc.) as do service providers. So one/more can take over whilst the
> failed are audited.

Uhm, in your dreams.

This is a conversation about simply restarting such failing services.



Re: Openbsd 6.1 and Current Console Freezes and lockup Proxmox PVE5.0

2017-10-13 Thread Mike Larkin
On Thu, Oct 12, 2017 at 03:11:31PM -0700, Mike Larkin wrote:
> On Thu, Oct 12, 2017 at 10:36:42PM +0200, Michał Koc wrote:
> > 
> > > On Thu, Oct 12, 2017 at 01:23:36PM +0200, Michał Koc wrote:
> > > > On Sun, Oct 08, 2017 at 11:59:52PM +0200, Oliver Marugg wrote:
> > > > > > On 7 Oct 2017, at 22:01, Mike Larkin wrote:
> > > > > > 
> > > > > > > On Sat, Oct 07, 2017 at 02:19:58PM +0200, Oliver Marugg wrote:
> > > > > > > > Just to add a 4th situation of hangs: Login via proxmox
> > > > > > > > (pve)/kvm serial console (via noVNC), login successful: Vm
> > > > > > > > guest in pve hangs, cpu usage at above 102%. Only way is to
> > > > > > > > hard stop the Vm guest. -oliver
> > > > > > > > 
> > > > > > > sounds like a kvm bug. Ask your provider to investigate the host
> > > > > > > side when this happens.
> > > > > > Thanks Mike, will do so. The proxmox guys have also the idea that it
> > > > > > could be a bug in kvm hypervisor (which is the hypervisor part for
> > > > > > proxmox) and will affect OpenBSD since 4.9, they wrote me in their
> > > > > > public forum. As far as I understood they do not know what OpenBSD
> > > > > > needs in kvm or what/where should be fixed in kvm run OpenBSD without
> > > > > > that freezes.
> > > > > > 
> > > > > > -oliver
> > > > > From what I read, the cpu spins to 100%, which means somewhere on the
> > > > > host it's likely spinning also. Start with
> > > > > systrace/ptrace/ktrace/whatever on the host qemu-kvm and go from
> > > > > there...
> > > > > 
> > > > > -ml
> > > > > 
> > > > > 
> > > > > 
> > > > Hi,
> > > > 
> > > > it looks like the cpu process of kvm (CPU 0/KVM) is issuing 1500+ of
> > > > ioctl(15, KVM_RUN, 0)  per second while running OpenBSD 6.2 guest.
> > > > 
> > > What CPU profile is being presented to the OpenBSD guest?
> > > 
> > > I've seen things like this happen when a vCPU is claimed to have
> > > monitor/mwait support, but the hypervisor implements those as NOPs, which
> > > just results in spinning like this.
> > > 
> > > In short - try changing the type of CPU presented to the guest and see if
> > > that changes behaviour. At least then you'll have more data points to
> > > work with.
> > > 
> > > -ml
> > 
> > Okay,
> > How would You disable monitor/mwait support in KVM to be presented to guest?
> > 
> 
> Well, monitor/mwait was just what I recall contributing to something *like*
> this.
> 

PS, IIRC qemu -cpu ? will show you a list of recognized cpuid flags, from
which you can subtract off things you don't want.

-ml

> If you can determine the guest %rip during each ioctl(vm_run) and give me a
> kernel or disassembly I may be able to see if it's something obvious.
> 
> That, or describe a way I can repro this locally. I have a machine I could
> put linux on for an evening to test.
> 
> -ml
> 
> > changing CPU to pentium or setting  > name='monitor'/> does not actually change anything in scope of host cpu
> > utilization
> > 
> > BR
> > M.K.
> > 
> > 
> > > 
> > > > In case of linux guest the process issues about 15 of those ioctls per
> > > > second.
> > > > 
> > > > In any case I cannot make openbsd to starve KVM host cpu. OpenBSD uses
> > > > at most(when idle) 7% of cpu.
> > > > 
> > > > My versions:
> > > > - OpenBSD 6.2 amd64
> > > > - KVM 2.8.1
> > > > 
> > > > BR
> > > > M.K.
> > > > 



Re: x problem after upgrading

2017-10-13 Thread Martin Smith

On 13/10/2017 15:28, Karel Gardas wrote:
> Please add dmesg to your report at all. Also just before 6.2 there was
> an update to Intel graphics going in to support KabyLake CPUs. It was
> tested quite well and nobody complained. Perhaps you are victim of
> this update?
>
> On Fri, Oct 13, 2017 at 3:23 PM, Martin Smith wrote:
> > I upgraded from 6.1 to 6.2 and I am sure I carried out all the necessary
> > things that were printed out after it ran, but on attempting to start x I
> > get the following
> >
> > uvm_fault(0xd0c544dc, 0xd3a2d000,  0, 1)->e
> >
> > kernel: page fault trap, code=0
> >
> > stopped at I915_gem_pwrite_ioctl+0x621:  mov1  0x34(%eax), %eax
> >
> > ddb>
> >
> > (all copied out by hand)
> >
> > and it's locked solid, no response to keyboard at all
> >
> > I must have missed something, can anyone point me in the right direction,
> > thanks

sorry about that, dmesg below
I don't think I have been bitten by the Kabylake thing, it's quite an old
machine


OpenBSD 6.2 (GENERIC.MP) #166: Tue Oct  3 19:58:05 MDT 2017
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
RTC BIOS diagnostic error 11
cpu0: Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66GHz ("GenuineIntel" 686-class) 2.67 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,LAHF,PERF,SENSOR
real mem  = 3180867584 (3033MB)
avail mem = 3105812480 (2961MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 08/21/12, BIOS32 rev. 0 @ 0xffea0, SMBIOS rev. 2.5 @ 0xf0450 (82 entries)
bios0: vendor Dell Inc. version "A14" date 08/21/2012
bios0: Dell Inc. OptiPlex 780
acpi0 at bios0: rev 2
acpi0: TCPA checksum error
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC BOOT ASF! MCFG HPET TCPA DMAR SLIC
acpi0: wakeup devices VBTN(S4) PCI0(S5) PCI4(S5) PCI3(S5) PCI1(S5) PCI5(S5) PCI6(S5) USB0(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
mtrr: Pentium Pro MTRR support, 7 var ranges, 88 fixed ranges
cpu0: apic clock running at 332MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66GHz ("GenuineIntel" 686-class) 2.67 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,LAHF,PERF,SENSOR
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66GHz ("GenuineIntel" 686-class) 2.67 GHz
cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,LAHF,PERF,SENSOR
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66GHz ("GenuineIntel" 686-class) 2.67 GHz
cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,LAHF,PERF,SENSOR
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
, remapped to apid 8
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 4 (PCI4)
acpiprt1 at acpi0: bus 2 (PCI2)
acpiprt2 at acpi0: bus 3 (PCI3)
acpiprt3 at acpi0: bus 1 (PCI1)
acpiprt4 at acpi0: bus -1 (PCI5)
acpiprt5 at acpi0: bus -1 (PCI6)
acpiprt6 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(1000@1 mwait.1)
acpicpu1 at acpi0: C1(1000@1 mwait.1)
acpicpu2 at acpi0: C1(1000@1 mwait.1)
acpicpu3 at acpi0: C1(1000@1 mwait.1)
acpibtn0 at acpi0: VBTN
"*pnp0c14" at acpi0 not configured
"PNP0401" at acpi0 not configured
"SMO1200" at acpi0 not configured
bios0: ROM list: 0xc/0xc800! 0xcc800/0x2000! 0xce800/0x1000 0xcf800/0x800
cpu0: unknown Enhanced SpeedStep CPU, msr 0x0616082206000822
cpu0: using only highest and lowest power states
cpu0: Enhanced SpeedStep 2661 MHz: speeds: 2667, 2000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel Q45 Host" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel Q45 PCIE" rev 0x03: apic 8 int 16
pci1 at ppb0 bus 1
inteldrm0 at pci0 dev 2 function 0 "Intel Q45 Video" rev 0x03
drm0 at inteldrm0
intagp0 at inteldrm0
agp0 at intagp0: aperture at 0xe000, size 0x1000
inteldrm0: msi
inteldrm0: 1280x1024, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel Q45 Video" rev 0x03 at pci0 dev 2 function 1 not configured
"Intel Q45 HECI" rev 0x03 at pci0 dev 3 function 0 not configured
pciide0 at pci0 dev 3 function 2 "Intel Q45 PT IDER" rev 0x03: 

new OpenBSD support submission

2017-10-13 Thread ThisHosting.Rocks!

0
C USA
P Florida
T Tampa
Z 33606
O ThisHosting.Rocks
I Nick Reiner
A 3140 W Cypress St
M support@thishosting.rocks
U https://www.thishosting.rocks/support/openbsd/
N We have been using OpenBSD personally and professionally for more than 
5 years.
We support clients with their OpenBSD installation, configuration and 
troubleshooting.




Re: Automatically restarting services/daemons after crash

2017-10-13 Thread Kevin Chadwick
On Thu, 12 Oct 2017 20:38:42 -0600


> > Perhaps I'm mistaken, but it doesn't seem like there's a facility
> > for automatically restarting daemons after a crash or similar. Is
> > the idea just that daemons should be designed to not crash?  
> 
> Yes.  Fail closed.  It is the only secure thing to do.

I agree. There is monit in ports which can notify you to investigate or
work offline but I configured it not to restart the daemons after
past commentary on this list. A script or cron job can do similar very
easily too. Although monit does provide some nice checks I rarely look
at it these days. I use external tcp/html etc. functionality tests. I
don't use ping as that is really an alive test. There are plenty of
hosting companies that can do external monitoring if you only have a
single server too.

OpenBSD also has plenty of redundancy service failover (CARP, relayd
etc.) as do service providers. So one/more can take over whilst the
failed are audited.



Re: Automatically restarting services/daemons after crash

2017-10-13 Thread Kamil Cholewiński
Hi Aaron & misc@,

My take:

I favor a tool that gives me (the end-user) more power. OpenBSD folks
are 100% right to maintain a particular policy (no automatic restarts),
but I see no reason to enforce it by taking away options from the end
users.

(Furthermore, I see no reason to attack a tool or concept that makes it
easier to run crappy software; it makes running excellent software and
crappy software equally easy.)

So this is entirely possible, you can swap OpenBSD's init & rc
mechanisms with runit, S6, or nosh (which, unlike daemontools, were all
designed to fit that particular role), and you can configure each of
them to do "one-shot" starts (no automatic restarts). So you can get
both the powerful supervision mechanism AND a policy that favors
security. Last time I checked, separation of mechanism and policy was
considered Good.

But from there on, the sad reality is you're mostly on your own. You can
run a FrankenBSD or Frankenbuntu, nobody can stop you. But no mainstream
OS uses runit, S6 nor nosh. Warranty is void.

The author of nosh (JDeBP) is very active and maintains ports and
integrations for Debian, OpenBSD, FreeBSD, so if you're not up for
maintaining a fork of your OS, that might be your best chance.

On the other hand... I run my Debian box with runit as PID 1 (an
ENTIRELY unsupported setup), because the default thing is a horrible
abomination, and even though I'm on my own making sure all the pieces
fit together, I still find it nicer to work with.

However I consider OpenBSD's rc(8) suite the second best thing in the
world, and I'm entirely happy just not touching it.

(Hint: you can also run daemontools/runit/etc alongside the default
init.)

<3,K.



Re: reordering libraries:/etc/rc[443]: ./test-ld.so: Permission denied

2017-10-13 Thread Kevin Chadwick
On Thu, 12 Oct 2017 18:16:02 +


> See https://marc.info/?l=openbsd-cvs=150783205404965

Nice, Thank you



x problem after upgrading

2017-10-13 Thread Martin Smith
I upgraded from 6.1 to 6.2 and I am sure I carried out all the necessary 
things that were printed out after it ran, but on attempting to start x 
I get the following


uvm_fault(0xd0c544dc, 0xd3a2d000,  0, 1)->e

kernel: page fault trap, code=0

stopped at I915_gem_pwrite_ioctl+0x621:  mov1  0x34(%eax), %eax

ddb>

(all copied out by hand)

and it's locked solid, no response to keyboard at all

I must have missed something, can anyone point me in the right 
direction, thanks


--

Martin




Re: CoDel Flows

2017-10-13 Thread Daniel Melameth
On Thu, Oct 12, 2017 at 11:48 PM, Daniel Ouellet  wrote:
>> Also, the pf.conf man page says the default qlimit is 1024, but, if I
>> don't specify a qlimit, pfctl -vsq shows a qlength of 50 when I was
>> expecting it to be 1024.  What am I missing?
>
> Why would you want to have a pool of 1024 as opposed to the default of 50
> slots for your queue?

Because CoDel works differently.

> You will increase latency when you have congestion. It's not because you
> can have a 1024 limit that it makes sense to use it by default.
>
> The default is 50 and that's plenty good for most usage.
>
> As Peter Hansteen would write, Quote
>
> "Cranking up queue sizes here means we’re a little less likely to drop
> packets when the traffic approaches the set limits, but it also means
> that when the traffic shaping kicks in, we’ll see increased latency for
> connections that end up in these larger than default pools."
>
> It's a trade off, just know the impact of your choice.

While I agree with you (and Peter!), this is no longer the case with
CoDel--see the author's guidance at
https://www.reddit.com/r/openbsd/comments/6ttuhn/fq_codel_scheduling/
and send him beer to convince him to write the article he mentions.



Re: Automatically restarting services/daemons after crash

2017-10-13 Thread Nick Holland
On 10/13/17 05:01, Mihai Popescu wrote:
>> That's sensible, but if money or lives were on the line, I think It'd
>> be better to have a running but potentially vulnerable service.
> 
> Not OpenBSD related, but I was truly amazed people like you still
> exist and still set up computers for others!
> For your curiosity about user case, I prefer such a service not to be
> started at all.
> 
> Money(online bank accounts) should not be managed by broken software.
> If they can't do this in a proper way, they should not start such a
> service at all.
> Life(medical, work) should not be risked behind this kind of services.
> 
> I wonder, was it a joke what you've asked?

I wish it was.  I wish this really was a rarely seen attitude.
While quite out of place in this community, the rest of the world is
much more about "security last".  Oh sure, if you ask, "security is
important!" will be stated, but when you start asking questions, it will
truly be the last priority.  Absolutely f'in' last.

Just this week, someone told me that OpenSSL was better than OpenSSH
because OpenSSH is too difficult to Man-in-the-middle, "obviously not
designed for Enterprise use".  What do you say to things like that?  (I
said, "It was designed for security first").

Ah, the stories I could tell if it wasn't for the need to make a living.

["Enterprise grade"???  What's so good about that?  That damn ship was
broke almost every week!  And broke twice a year in exactly the same way!]

Nick.



Re: Automatically restarting services/daemons after crash

2017-10-13 Thread Ed Ahlsen-Girard
On Fri, 13 Oct 2017 12:01:58 +0300
Mihai Popescu  wrote:

>  [...]  
> 
> Not OpenBSD related, but I was truly amazed people like you still
> exist and still set up computers for others!
> For your curiosity about user case, I prefer such a service not to be
> started at all.
> 
> Money(online bank accounts) should not be managed by broken software.
> If they can't do this in a proper way, they should not start such a
> service at all.
> Life(medical, work) should not be risked behind this kind of services.
> 
> I wonder, was it a joke what you've asked?
> 

There is a reason that software legal statements usually include
passages like this:

"...must not be used in medical devices with life support functions,
safety equipment (or similar applications where component failure would
result in loss of life or physical harm), aerospace equipment,
telecommunication equipment (trunk lines) or nuclear power control
equipment."


-- 

Edward Ahlsen-Girard
Ft Walton Beach, FL



Re: Automatically restarting services/daemons after crash

2017-10-13 Thread Mihai Popescu
> That's sensible, but if money or lives were on the line, I think It'd
> be better to have a running but potentially vulnerable service.

Not OpenBSD related, but I was truly amazed people like you still
exist and still set up computers for others!
For your curiosity about user case, I prefer such a service not to be
started at all.

Money(online bank accounts) should not be managed by broken software.
If they can't do this in a proper way, they should not start such a
service at all.
Life(medical, work) should not be risked behind this kind of services.

I wonder, was it a joke what you've asked?



Re: Need help setting http headers using relayd (and httpd)

2017-10-13 Thread Andreas Thulin
Thank you, I just bought the Kindle version. :-)

BR, Andreas

On Fri, 13 Oct 2017 at 02:16, Bryan Harris wrote:

> There is a book called relayd and httpd. I think it has what you need.
>
> V/r,
> Bryan
>
>
>
> > On Oct 12, 2017, at 1:33 PM, Andreas Thulin wrote:
> >
> > Hi!
> >
> > Before anything, thanks for yet another awesome OpenBSD release! I’ll
> > extend my gratitude into the pockets of the Foundation and finally donate
> > this time.
> >
> > Then:
> >
> > I’m a relayd virgin. Consider all the following a lab exercise, I want to
> > learn and understand more.
> >
> > My target:
> > Understanding how to score an A+ on the htbridge web server security test.
> > https://www.htbridge.com/websec/?id=BT1UmswV
> >
> > First objective:
> > Set HTTP headers, such as
> >
> > CONTENT-SECURITY-POLICY
> > X-CONTENT-TYPE-OPTIONS
> > X-XSS-PROTECTION
> >
> > using relayd (since httpd can’t help out here).
> >
> > Assumptions etc:
> > - I suppose only https traffic is in scope, since all http traffic is
> > redirected to https.
> > - Both httpd and relayd are (will be) run on the same 6.2 machine.
> > - httpd runs just fine and scores an A+ on the htbridge TLS Server Test
> > more or less out of the box. The web server test, however, was a
> > disappointing F. :-)
> >
> > I’m only a mortal, so simply reading the relayd.conf man page and do some
> > trial-and-error has so far only made me go all CAPS. I seek examples (of
> > something similar to the above use-case), a guide, tutorial, or even a
> > how-to to make this happen. I can learn all the config options and
> > settings afterwards, and keep tweaking and understanding.
> >
> > Anyone?
> >
> > Humbly,
> > Andreas
>