Re: 4GB RAM too little for Firefox?

2019-07-05 Thread Otto Moerbeek
On Fri, Jul 05, 2019 at 09:21:48PM +0200, maillists.rul...@mailbox.org wrote:

> > OpenBSD derives some security by confining processes and web browsing
> > with firefox is notorious for memory leaks.
> >
> > If you mobo supports it, more ram will also improve performance with
> > firefox and other memory intensive tasks.
> Firefox is pretty much my only memory intensive task. Thanks for sharing
> your opinion, though! One more incentive to buy the new ram stick.
> 
> > Other options:
> >
> > Adding the Firefox "forget" widget to your panel
> > https://support.mozilla.org/en-US/kb/forget-button-quickly-delete-your-browsing-history
> > and using it frequently.
> That seems more like a workaround to me.
> 
> > Consider www/iridium as an alternative browser.  You can export your
> > firefox bookmarks.html and import it into iridium.  Although I do not
> > have solid numbers, I thought it was better in this regard than firefox.
> I wrote two little scripts [1] that open five reddit.com threads in each
> browser and print memory usage. The result was (besides my amazement
> about how much RAM the browsers ate), that Firefox used up ca. 1.4G and
> Iridium ca. 0.9G. I obviously haven't set up the same extensions, but it
> seems like Iridium would be able to help me. I'm going to try it some
> more. Thanks for the tip!
> 
> Best regards,
> Richard Ulmer
> 
> 
> [1]
> ```
> printf 'Before starting Firefox:\n\t'
> top | grep Memory
> firefox --private-window 2>&1 > /dev/null &
> sleep 5  # Wait for firefox to open
> for i in c48qg7 c916tf c5n06b c0yvsz c2sco0; do
> firefox --private-window \
> "https://www.reddit.com/r/openbsd/comments/$i";
> done
> sleep 30  # Wait for all tabs to load
> printf 'After starting Firefox:\n\t'
> top | grep Memory
> ```
> 
> ```
> printf 'Before starting Iridium:\n\t'
> top | grep Memory
> iridium --incognito 2>&1 > /dev/null &
> sleep 5  # Wait for Iridium to open
> for i in c48qg7 c916tf c5n06b c0yvsz c2sco0; do
> iridium --incognito \
> "https://www.reddit.com/r/openbsd/comments/$i";
> done
> sleep 30  # Wait for all tabs to load
> printf 'After starting Iridium:\n\t'
> top | grep Memory
> ```
> 

You still did not tell which platform you are running. It matters.

-Otto




Re: OT: hardware war with manufacturers (espionage claims)

2019-07-05 Thread Theo de Raadt
Stuart Longland  wrote:

> On 2/7/19 5:43 pm, John Long wrote:
> >> What do you think and do when using OpenBSD on this kind of hardware?
> > Lemote boxes are kinda neat but they're not the fastest in the world.
> > It beats the hell out of the alternatives if you can live with the
> > limitations.
> 
> Gentoo was donated two Lemote Fulong 2Es back when I used to maintain
> their MIPS port.  Compared to the other machines we supported at the
> time (aging SGI boxes and Cobalt Qube), they were a breath of fresh air.
> 
> Fast enough to actually do useful things on, even play Quake II (with 3D
> acceleration … for about 10 seconds until X crapped itself).
> 
> The Loongson netbook was a backward step in terms of graphics hardware
> though, and a lot of software has problems with MIPS regardless of ABI
> (I've tried o32, n32 and n64).
> 
> Shame, because it is a nice enough platform.
> 
> As for espionage… unless you're going to sit there with sand you've
> mined yourself, refine it, and make your own semiconductors, there's
> always going to be an element of risk in terms of espionage from your
> supply chain.
 
And meanwhile, Intel added undocumented strong speculation to their
cpus, which are now easily CVE-identifiable as verifiable giant security
problems to a majority platform.  And the more we dig, more we realize
they did this as market force, ignoring the risks they identified at
conferences a decade earlier.

> Basically your best bet: don't rely on a single vendor.  It's harder for
> them to hide their espionage then as one vendor won't know how to hide
> another vendor's dirty deeds.

Precisely.  Most of the risks are in the bugs, and if you hit a problem
you'll be Dennis Muilenburg saying you didn't know (that phrase works
one way today, but if in the next few days he leaves his position, it
will work a different way).  The unknown risk factors are first unknown
and potentially accidental, and secondly unknown and now we are supposed
to guess it wasn't accidental.  Vendors are wired to increase
performance and no one judges security aspects; that's the process where
the "accident" arises.  Maybe we should suddenly accuse absolutely
everyone of malpractice!  As if that will change anything...

So this is misc, which is full of lots of talk about nothing, by people
who can't change the ecosystem.  Having worried vocally about this
before, I know I can't change it.  Pretty sad to see people who are even
less capable find the energy to moan about it.  Especially Americans.
Know what I mean?



Re: 4GB RAM too little for Firefox?

2019-07-05 Thread maillists . rulmer
> OpenBSD derives some security by confining processes and web browsing
> with firefox is notorious for memory leaks.
>
> If you mobo supports it, more ram will also improve performance with
> firefox and other memory intensive tasks.
Firefox is pretty much my only memory intensive task. Thanks for sharing
your opinion, though! One more incentive to buy the new ram stick.

> Other options:
>
> Adding the Firefox "forget" widget to your panel
> https://support.mozilla.org/en-US/kb/forget-button-quickly-delete-your-browsing-history
> and using it frequently.
That seems more like a workaround to me.

> Consider www/iridium as an alternative browser.  You can export your
> firefox bookmarks.html and import it into iridium.  Although I do not
> have solid numbers, I thought it was better in this regard than firefox.
I wrote two little scripts [1] that open five reddit.com threads in each
browser and print memory usage. The result was (besides my amazement
about how much RAM the browsers ate), that Firefox used up ca. 1.4G and
Iridium ca. 0.9G. I obviously haven't set up the same extensions, but it
seems like Iridium would be able to help me. I'm going to try it some
more. Thanks for the tip!

Best regards,
Richard Ulmer


[1]
```
printf 'Before starting Firefox:\n\t'
top | grep Memory
firefox --private-window 2>&1 > /dev/null &
sleep 5  # Wait for firefox to open
for i in c48qg7 c916tf c5n06b c0yvsz c2sco0; do
firefox --private-window \
"https://www.reddit.com/r/openbsd/comments/$i";
done
sleep 30  # Wait for all tabs to load
printf 'After starting Firefox:\n\t'
top | grep Memory
```

```
printf 'Before starting Iridium:\n\t'
top | grep Memory
iridium --incognito 2>&1 > /dev/null &
sleep 5  # Wait for Iridium to open
for i in c48qg7 c916tf c5n06b c0yvsz c2sco0; do
iridium --incognito \
"https://www.reddit.com/r/openbsd/comments/$i";
done
sleep 30  # Wait for all tabs to load
printf 'After starting Iridium:\n\t'
top | grep Memory
```
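As an added example, not part of Richard's scripts: the `top | grep Memory` line reports system-wide memory, so anything else allocating during the 30 second wait is counted against the browser. The script below sums the resident set size of every process belonging to one browser instead, assuming OpenBSD's ps(1) with `-axo rss,command` and binaries whose basename starts with `firefox` or `iridium`; the parsing is kept in a function so it can be run on captured ps output.

```shell
#!/bin/sh
# Added example (not from the thread): measure one browser's own footprint
# by summing the RSS of all its processes rather than reading the
# system-wide "Memory" line from top(1).
set -e

# Sum the RSS column (kilobytes) for every line whose command basename
# starts with $1. Reads "rss command" lines on stdin so it can be run on
# captured ps output; the ps header line and unrelated commands (e.g.
# "grep firefox") do not match because only the basename is compared.
sum_rss_kb() {
    awk -v pat="^$1" '
        { n = split($2, p, "/"); if (p[n] ~ pat) total += $1 }
        END { printf "%d\n", total + 0 }'
}

# Convert kilobytes to megabytes, rounded to the nearest whole MB.
kb_to_mb() {
    echo $(( ($1 + 512) / 1024 ))
}

# Resident size in MB of a running browser: $1 = binary name.
browser_rss_mb() {
    kb_to_mb "$(ps -axo rss,command | sum_rss_kb "$1")"
}

# Same experiment as the thread's scripts, but reporting the browser's own
# total: $1 = browser binary, $2 = private-window flag, rest = URLs.
measure() {
    browser=$1; flag=$2; shift 2
    "$browser" "$flag" > /dev/null 2>&1 &
    sleep 5            # let the first window come up
    for url in "$@"; do "$browser" "$flag" "$url"; done
    sleep 30           # let all tabs load
    printf '%s: %s MB resident across all processes\n' \
        "$browser" "$(browser_rss_mb "$browser")"
}

# Only run the measurement when invoked with a browser, a flag and URLs,
# e.g.: ./rss.sh firefox --private-window https://www.openbsd.org/
[ $# -lt 3 ] || measure "$@"
```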




Re: OT: hardware war with manufacturers (espionage claims)

2019-07-05 Thread Stuart Longland
On 2/7/19 5:43 pm, John Long wrote:
>> What do you think and do when using OpenBSD on this kind of hardware?
> Lemote boxes are kinda neat but they're not the fastest in the world.
> It beats the hell out of the alternatives if you can live with the
> limitations.

Gentoo was donated two Lemote Fulong 2Es back when I used to maintain
their MIPS port.  Compared to the other machines we supported at the
time (aging SGI boxes and Cobalt Qube), they were a breath of fresh air.

Fast enough to actually do useful things on, even play Quake II (with 3D
acceleration … for about 10 seconds until X crapped itself).

The Loongson netbook was a backward step in terms of graphics hardware
though, and a lot of software has problems with MIPS regardless of ABI
(I've tried o32, n32 and n64).

Shame, because it is a nice enough platform.

As for espionage… unless you're going to sit there with sand you've
mined yourself, refine it, and make your own semiconductors, there's
always going to be an element of risk in terms of espionage from your
supply chain.

Basically your best bet: don't rely on a single vendor.  It's harder for
them to hide their espionage then as one vendor won't know how to hide
another vendor's dirty deeds.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.



intel ixl driver running Proxmox(kvm) Guest SR-IOV unable to map interrupt

2019-07-05 Thread Tom Smyth
Hello all,
I'm running SR-IOV on Proxmox and I'm trying to present 40G Intel PCI-E NICs
(XL710 QSFP+) directly to the guest using SR-IOV.


In OpenBSD during boot we get an "unable to map interrupt" as shown
below:

virtio1: msix shared
ixl0 at pci0 dev 16 function 0 "Intel XL710 QSFP+" rev 0x02: port 0, FW
6.0.48442 API 1.7, unable to map interrupt
ixl1 at pci0 dev 17 function 0 "Intel XL710 QSFP+" rev 0x02: port 1, FW
6.0.48442 API 1.7, unable to map interrupt
ixl2 at pci0 dev 27 function 0 "Intel XL710 QSFP+" rev 0x02: port 0, FW
6.0.48442 API 1.7, unable to map interrupt
ixl3 at pci0 dev 28 function 0 "Intel XL710 QSFP+" rev 0x02: port 1, FW
6.0.48442 API 1.7, unable to map interrupt
ppb0 at pci0 dev 30 function 0 "Red Hat Qemu PCI-PCI" rev 0x00
pci1 at ppb0 bus 1
ppb1 at pci0 dev 31 function 0 "Red Hat Qemu PCI-PCI" rev 0x00
pci2 at ppb1 bus 2

I'm running OpenBSD 6.5-current as of 05/07/2019 (5th of July).
I have tested the same configuration with a Debian Linux guest and the
network cards are recognised and connect to the network fine ...

Does anyone have any suggestions on that "unable to map interrupt" error ...

Thanks,
Tom Smyth


Full DMESG Below


IKEv2 Multiple NAT'd Clients

2019-07-05 Thread David Anthony
Hello,

I have an IKEv2 VPN server setup with OpenBSD + IKED + PF. Everything is 
working properly - a single client device will properly route all traffic 
through the VPN and exit from the VPN server via PF + NAT.

However, I experience errors with two clients simultaneously connecting. Both 
clients appear to successfully connect, but I believe NAT issues are preventing 
traffic from leaving the box, or confusing the two clients' traffic streams 
during NAT. I’m looking for any clues / suggestions which may help achieve my 
use case.

The internet suggests using unique “from CLIENTIPADDR” clauses for each 
potential client in /etc/iked.conf - but I can’t tell ahead of time which CIDR 
ranges my devices will be connecting from (Especially roaming cell phones). 
Also, in some cases I may have two devices connecting from the same CIDR range. 
I’m not even sure it’s an IKED issue, rather NAT.

Respectfully,
David Anthony

/etc/pf.conf
set skip on lo
block return
match out on vio0 from 10.0.0.0/24 to any nat-to vio0
pass
block return in on ! lo0 proto tcp to port 6000:6010
block return out log proto {tcp udp} user _pbuild

/etc/iked.conf
ikev2 "inet" esp \
from 0.0.0.0/0 to 10.0.0.0/24 \
peer any \
psk "foobar" \
config address 10.0.0.64/27 \
config name-server 10.0.0.1 \
config protected-subnet 0.0.0.0/0

/etc/hostname.enc0
inet 10.0.0.1 255.255.255.0 10.0.0.255
up

/etc/rc.conf.local
iked_flags=
unbound_flags=

/etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.esp.enable=1
net.inet.ah.enable=1
net.inet.ipcomp.enable=1


Re: ed(1) man page doesn't mention use of single / and ?

2019-07-05 Thread Vincent Waciuk
Wonderful is perhaps too strong, but I chuckled many times while reading it.



Re: ed(1) man page doesn't mention use of single / and ?

2019-07-05 Thread Mohamed Fouad
I wouldn't say it is particularly wonderful but it is what's out there!
However, Michael W. Lucas (the author) does have awesome books.

On Fri, Jul 5, 2019 at 8:26 PM Vincent Waciuk 
wrote:

> Ed Mastery is a wonderful read. Highly recommended.
>


Re: ed(1) man page doesn't mention use of single / and ?

2019-07-05 Thread Vincent Waciuk
Ed Mastery is a wonderful read. Highly recommended.



Re: Autostart of ssh-agent in root's .profile prevents startup

2019-07-05 Thread Antoine Jacoutot
On Fri, Jul 05, 2019 at 08:52:55AM +0200, Rosselur Rossen wrote:
> Hi!
> 
> I have the following added to root's .profile:
> 
> --snip--
>   env=~/.ssh/agent.env
>   agent_load_env () { test -f "$env" && . "$env" >| /dev/null ; }
>   agent_start () {
>   (umask 077; ssh-agent >| "$env")
>   . "$env" >| /dev/null ; }
>   agent_load_env
>   # agent_run_state: 0=agent running w/ key; 1=agent w/o key; 2= agent
> not running
>   agent_run_state=$(ssh-add -l >| /dev/null 2>&1; echo $?)
>   if [ ! "$SSH_AUTH_SOCK" ] || [ $agent_run_state = 2 ]; then
>   agent_start
>   ssh-add
>   elif [ "$SSH_AUTH_SOCK" ] && [ $agent_run_state = 1 ]; then
>   ssh-add
>   fi
>   unset env
> --snip--
> 
> OpenBSD 6.4 amd64.
> When I reboot the machine, it asks for my id_rsa password during
> system startup, which prevents most services from starting. Eventually
> all the password prompts time out and I am able to log in on the
> console, but most services including sshd have failed to start.
> The desired behaviour would be for the id_rsa password prompt to
> appear only when I am actually interactively logging in, and not
> during system boot.
> Is there any way I could achieve this for the root account? What am I
> doing wrong (apart from interactively logging in as root, I am well
> aware)?

Hi.

Does this help?

Index: rc.subr
===
RCS file: /cvs/src/etc/rc.d/rc.subr,v
retrieving revision 1.131
diff -u -p -r1.131 rc.subr
--- rc.subr 21 Mar 2019 15:10:27 -  1.131
+++ rc.subr 5 Jul 2019 18:10:34 -
@@ -319,6 +319,6 @@ unset _rcflags _rcrtable _rcuser _rctime
 # the shell will strip the quotes from daemon_flags when starting a daemon;
 # make sure pexp matches the process (i.e. doesn't include the quotes)
 pexp="$(eval echo ${daemon}${daemon_flags:+ ${daemon_flags}})"
-rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c"
+rcexec="env -i HOME=/tmp su -m -c ${daemon_class} -s /bin/sh ${daemon_user} -c"
 [ "${daemon_rtable}" -eq "$(id -R)" ] ||
rcexec="route -T ${daemon_rtable} exec ${rcexec}"
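Review bot: the new rcexec line sets HOME=/tmp for every daemon rc.d starts, which puts each daemon's home in a world-writable directory; a daemon (or a library it links) that creates a dotfile, cache or socket under $HOME would then do so in /tmp, where any local user can pre-create the path. Prefer the daemon user's own home directory from passwd, or a dedicated directory, over /tmp. Replacing `su -l` with `env -i HOME=/tmp su -m` also changes what daemons inherit: with the environment left unmodified by -m, check that PATH and the other login.conf(5) class variables are still applied through `-c ${daemon_class}`, and add a comment above the line recording why the target user's login profile is deliberately skipped (an interactive ssh-add in root's .profile blocking boot, as in the report), so the next reader does not "fix" it back to `su -l`. Minor: the new line exceeds the 80-column width of the surrounding rc.subr lines.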



-- 
Antoine



Re: ed(1) man page doesn't mention use of single / and ?

2019-07-05 Thread Jason McIntyre
On Thu, Jul 04, 2019 at 11:47:50PM +0200, ropers wrote:
> Do I understand correctly that this is in reference to these parts of man 1 
> ed:
> 
> > /re/
> >The next line containing the regular expression re. The search wraps to 
> > the beginning of the buffer and continues down to the current line, if 
> > necessary. "//" repeats the last search.
> 
> > ?re?
> >The previous line containing the regular expression re. The search wraps 
> > to the end of the buffer and continues up to the current line, if 
> > necessary. "??" repeats the last search.
> 
> and:
> 
> > (1,$)g/re/command-list
> >Applies command-list to each of the addressed lines matching a regular 
> > expression re. The current address is set to the line currently matched 
> > before command-list is executed. At the end of the g command, the current 
> > address is set to the last line affected by command-list. If no lines were 
> > matched, the current line number remains unchanged.
> >
> >Each command in command-list must be on a separate line, and every line 
> > except for the last must be terminated by a backslash ("\"). Any 
> > commands are allowed, except for g, G, v, and V. A newline alone in 
> > command-list is equivalent to a p command.
> 
> 
> If yes, then the corresponding parts of ed.1 are:
> 
> .It / Ns Ar re Ns /
> The next line containing the regular expression
> .Ar re .
> The search wraps to the beginning of the buffer and continues down to the
> current line, if necessary.
> .Qq //
> repeats the last search.
> .It Pf ? Ar re ?
> The previous line containing the regular expression
> .Ar re .
> The search wraps to the end of the buffer and continues up to the
> current line, if necessary.
> .Qq ??
> repeats the last search.
> 
> and:
> 
> .It Xo
> .Pf (1,$) Ic g No /
> .Ar re No / Ar command-list
> .Xc
> .Sm on
> Applies
> .Ar command-list
> to each of the addressed lines matching a regular expression
> .Ar re .
> The current address is set to the line currently matched before
> command-list is executed.
> At the end of the
> .Ic g
> command, the current address is set to the last line affected by command-list.
> If no lines were matched,
> the current line number remains unchanged.
> .Pp
> Each command in
> .Ar command-list
> must be on a separate line,
> and every line except for the last must be terminated by a backslash
> .Pq Sq \e .
> Any commands are allowed, except for
> .Ic g ,
> .Ic G ,
> .Ic v ,
> and
> .Ic V .
> A newline alone in command-list is equivalent to a
> .Ic p
> command.
> .Sm off
> 
> I'm not actually sure how to rewrite that. Would this call for
> separate /re, ?re and (1,$)g/re entries, or would it suffice to say
> that the second question mark or slash can be omitted if immediately
> followed by a newline?
> 
> Does anyone else have any ideas?
> 
> NB: In case people haven't seen it, here's an excellent ed(1)
> tutorial: https://sanctum.geek.nz/arabesque/actually-using-ed/
> I just thought I'd mention that.
> 
> Ian
> 

hi.

if we were going to document it, i'd say it definitely wouldn't warrant
adding separate entries. it would be enough to describe when the / or ?
were optional.

neither freebsd nor netbsd seemingly document this.

posix documents it for /re/ and ?re?, but not g/RE/command-list, like
this:

In addition, the second  can be omitted at the end of a
command line.

without having tested any of this, i guess we'd want to add such a note
to /re/ and ?re?, but not g/RE/command-list. something along the lines
of:

The second slash is optional when followed by a newline.

you could ping a diff to tech, and see if anyone has any input that
could help. if no one does, i'll take it.

jmc



Re: 4GB RAM too little for Firefox?

2019-07-05 Thread lists
Fri, 5 Jul 2019 08:09:26 -0700 "Heppler, J. Scott"

> Richard Ulmer wrote:
> > Hi all,
> > after having Firefox running for some time (ca. 30min to 2h) my
> > system seems to become slow. I get frequent freezes for several
> > seconds, mpv instances start crashing and things like switching tabs
> > in Firefox become a pain.
> > 
> > I've got 4GB of RAM installed and when I look at htop after my system
> > became slow, I can see that OpenBSD started swapping. When I close
> > Firefox it takes several seconds and I can watch how my memory becomes
> > free again in htop. My system is then again responsive.
> > 
> > RAM prices seem to be low right now, but I don't want to spend money
> > unneedingly and I didn't have this problem under Linux. Has anyone had
> > similar experiences and noticed an improvement after a RAM upgrade?  
> 
> OpenBSD derives some security by confining processes and web browsing
> with firefox is notorious for memory leaks.
> 
> If you mobo supports it, more ram will also improve performance with
> firefox and other memory intensive tasks.
> 
> Other options:
> 
> Adding the Firefox "forget" widget to your panel
> https://support.mozilla.org/en-US/kb/forget-button-quickly-delete-your-browsing-history
> and using it frequently.
> 
> Under preference disable access to webcams, microphone etc.
> 
> Consider www/iridium as an alternative browser.  You can export your
> firefox bookmarks.html and import it into iridium.  Although I do not
> have solid numbers, I thought it was better in this regard than firefox.
> 

Since you did not attach a single digit, number or figure, as measures of
comparison, consider the above information opinion only and nothing more.
In fact, if you switch the names of the programs, you cannot even notice.
Try to be more specific, at least compare the memory usage: show numbers.
Such fine advice, wasted over the simplest lack of information objection.



Re: 4GB RAM too little for Firefox?

2019-07-05 Thread Heppler, J. Scott

Richard Ulmer wrote:

> Hi all,
> after having Firefox running for some time (ca. 30min to 2h) my
> system seems to become slow. I get frequent freezes for several
> seconds, mpv instances start crashing and things like switching tabs
> in Firefox become a pain.
> 
> I've got 4GB of RAM installed and when I look at htop after my system
> became slow, I can see that OpenBSD started swapping. When I close
> Firefox it takes several seconds and I can watch how my memory becomes
> free again in htop. My system is then again responsive.
> 
> RAM prices seem to be low right now, but I don't want to spend money
> unneedingly and I didn't have this problem under Linux. Has anyone had
> similar experiences and noticed an improvement after a RAM upgrade?


OpenBSD derives some security by confining processes and web browsing
with firefox is notorious for memory leaks.

If you mobo supports it, more ram will also improve performance with
firefox and other memory intensive tasks.

Other options:

Adding the Firefox "forget" widget to your panel
https://support.mozilla.org/en-US/kb/forget-button-quickly-delete-your-browsing-history
and using it frequently.

Under preference disable access to webcams, microphone etc.

Consider www/iridium as an alternative browser.  You can export your
firefox bookmarks.html and import it into iridium.  Although I do not
have solid numbers, I thought it was better in this regard than firefox.

--
J. Scott Heppler



Re: how to update remote bind zone from pppoe client?

2019-07-05 Thread Stuart Henderson
On 2019-07-05, Paco Esteban  wrote:
> On Fri, 05 Jul 2019, Marko Cupać wrote:
>
>> Hi,
>> 
>> I have a bunch of branch offices whose gateways (OpenBSD on APU) connect
>> to 'net via PPPoE and obtain their dynamic public IP addresses from
>> ISPs. Is there a way for them to update remote bind zone every time IP
>> changes so I have their current public IP in DNS?
>
> I've used bind's nsupdate in the past to do something like this (not on
> dynamic ip change, but on provisioning vms but quite similar).
>
> It was some time ago but, iirc the provisioning scripts uploaded some
> file like this:
>
> update add $FULL_DNS_NAME. 300 A $INT_IP
> send
>
> and then executed nsupdate. I guess you can do something similar with
> cron jobs.
>
> But there's probably an easier/more reliable option.

nsupdate is expected to be reliable.

The easy option is to outsource to an external service (there are plenty of
clients in /usr/ports/net). But if you want to run it yourself BIND+nsupdate
is probably about the easiest way, search for e.g. "nsupdate own dynamic dns",
you will find multiple examples. You will want to reserve a zone (separate
file) for the nsupdate-managed names rather than having it as part of your
main domain.




Re: AESGCM supported in IKEv1 phase 2 but not in phase 1

2019-07-05 Thread Stuart Henderson
On 2019-07-05, Daniel Polak  wrote:
> Stuart Henderson wrote on 4-7-2019 17:14:
>> On 2019-07-04, Daniel Polak  wrote:
>>> Just tried to configure an IKEv1 VPN connection with AESGCM but isakmpd
>>> only supports that in phase 2 but not in phase 1.
>>> See https://marc.info/?l=openbsd-cvs&m=128516335103833&w=2 for the commit.
>>>
>>> Is there any special reason why AESGCM has not been implemented for
>>> phase 1 as well?
>> AFAIK AES-GCM isn't in the spec for IKEv1 phase 1. See e.g.
>> https://tools.ietf.org/html/rfc4543#section-5.1
> I had a look (https://tools.ietf.org/html/rfc4106#section-8.2 is 
> slightly better) and you are right AES-GCM is phase 2 only!
>
> How does one supply the 32-bit nonce the man page mentions? Or is this 
> handled automatically by isakmpd?
>
>

I believe that is for manual SAs. It's handled automatically with
standard ike. My usual setup for IKEv1 with AES-GCM looks like

ike passive esp \
from {xxx/nn, yyy/nn} to zzz/nn peer aaa local bbb \
main auth hmac-sha2-256 enc aes group modp3072 \
quick enc aes-128-gcm group modp3072 \
tag ipsec-$id




Re: how to update remote bind zone from pppoe client?

2019-07-05 Thread Paco Esteban
On Fri, 05 Jul 2019, Marko Cupać wrote:

> Hi,
> 
> I have a bunch of branch offices whose gateways (OpenBSD on APU) connect
> to 'net via PPPoE and obtain their dynamic public IP addresses from
> ISPs. Is there a way for them to update remote bind zone every time IP
> changes so I have their current public IP in DNS?

I've used bind's nsupdate in the past to do something like this (not on
dynamic ip change, but on provisioning vms but quite similar).

It was some time ago but, iirc the provisioning scripts uploaded some
file like this:

update add $FULL_DNS_NAME. 300 A $INT_IP
send

and then executed nsupdate. I guess you can do something similar with
cron jobs.

But there's probably an easier/more reliable option.
Hope it helps.

Cheers,

-- 
Paco Esteban.
https://onna.be/gpgkey.asc
9A6B 6083 AD9E FDC2 0EAF  5CB3 5818 130B 8A6D BC03
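An added example, not from Paco's or Stuart's reply, of the cron-driven nsupdate approach they describe, written for the PPPoE gateway: it reads the address off pppoe0, only contacts the nameserver when the address has changed, and signs the update with a TSIG key so that key can be restricted in BIND's update-policy to the separate dynamic zone Stuart recommends. The zone dyn.example.net, the key file /etc/dyndns.key, the cache path under /var/db and the TTL of 300 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): push a PPPoE gateway's current
# public IPv4 address into a BIND zone with nsupdate(1), authenticated
# with a TSIG key. Assumed (hypothetical) setup: the dynamic names live in
# their own zone dyn.example.net, and /etc/dyndns.key holds a TSIG key that
# the nameserver's update-policy allows to change only that zone.
# Usage (from cron, e.g. every 5 minutes):
#   /usr/local/sbin/dyndns.sh gw1.dyn.example.net /etc/dyndns.key
set -e

# Pull the IPv4 address out of ifconfig(8) output for one interface.
# Takes the text on stdin so the parser can be tested on captured output.
# OpenBSD prints "inet A.B.C.D --> peer netmask ..." for a pppoe interface;
# the inet6 line is skipped because its first field is "inet6".
extract_inet_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# Build the nsupdate(1) script: drop any old A record, add the new one.
# $1 = zone, $2 = fqdn, $3 = address, $4 = TTL
build_update() {
    printf 'zone %s\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$1" "$2" "$2" "$4" "$3"
}

# Compare the current address with the cached one and only talk to the
# nameserver when it changed. $1 = fqdn, $2 = TSIG key file,
# $3 = zone (default dyn.example.net), $4 = interface (default pppoe0)
main() {
    fqdn=$1; keyfile=$2
    zone=${3:-dyn.example.net}
    iface=${4:-pppoe0}
    cache=/var/db/dyndns.$iface
    addr=$(ifconfig "$iface" | extract_inet_addr)
    [ -n "$addr" ] || { echo "$iface has no IPv4 address" >&2; return 1; }
    if [ -f "$cache" ] && [ "$(cat "$cache")" = "$addr" ]; then
        return 0                      # unchanged, nothing to send
    fi
    # -k signs the update with the TSIG key; nsupdate finds the primary
    # nameserver from the zone's SOA unless a "server" line is added.
    build_update "$zone" "$fqdn" "$addr" 300 | nsupdate -k "$keyfile"
    printf '%s\n' "$addr" > "$cache"
}

# Only run when invoked with at least the fqdn and key file.
[ $# -lt 2 ] || main "$@"
```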



4GB RAM too little for Firefox?

2019-07-05 Thread Richard Ulmer
Hi all,
after having Firefox running for some time (ca. 30min to 2h) my
system seems to become slow. I get frequent freezes for several
seconds, mpv instances start crashing and things like switching tabs
in Firefox become a pain.

I've got 4GB of RAM installed and when I look at htop after my system
became slow, I can see that OpenBSD started swapping. When I close
Firefox it takes several seconds and I can watch how my memory becomes
free again in htop. My system is then again responsive.

RAM prices seem to be low right now, but I don't want to spend money
unneedingly and I didn't have this problem under Linux. Has anyone had
similar experiences and noticed an improvement after a RAM upgrade?

Greetings
Richard Ulmer



how to update remote bind zone from pppoe client?

2019-07-05 Thread Marko Cupać
Hi,

I have a bunch of branch offices whose gateways (OpenBSD on APU) connect
to 'net via PPPoE and obtain their dynamic public IP addresses from
ISPs. Is there a way for them to update remote bind zone every time IP
changes so I have their current public IP in DNS?

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Autostart of ssh-agent in root's .profile prevents startup

2019-07-05 Thread Raf Czlonka
On Fri, Jul 05, 2019 at 07:52:55AM BST, Rosselur Rossen wrote:
> Hi!
> 
> I have the following added to root's .profile:
> 
> --snip--
>   env=~/.ssh/agent.env
>   agent_load_env () { test -f "$env" && . "$env" >| /dev/null ; }
>   agent_start () {
>   (umask 077; ssh-agent >| "$env")
>   . "$env" >| /dev/null ; }
>   agent_load_env
>   # agent_run_state: 0=agent running w/ key; 1=agent w/o key; 2= agent
> not running
>   agent_run_state=$(ssh-add -l >| /dev/null 2>&1; echo $?)
>   if [ ! "$SSH_AUTH_SOCK" ] || [ $agent_run_state = 2 ]; then
>   agent_start
>   ssh-add
>   elif [ "$SSH_AUTH_SOCK" ] && [ $agent_run_state = 1 ]; then
>   ssh-add
>   fi
>   unset env
> --snip--
> 
> OpenBSD 6.4 amd64.
> When I reboot the machine, it asks for my id_rsa password during
> system startup, which prevents most services from starting. Eventually
> all the password prompts time out and I am able to log in on the
> console, but most services including sshd have failed to start.
> The desired behaviour would be for the id_rsa password prompt to
> appear only when I am actually interactively logging in, and not
> during system boot.
> Is there any way I could achieve this for the root account? What am I
> doing wrong (apart from interactively logging in as root, I am well
> aware)?
> 

Hi Rosselur,

$ man 1 ksh

[...] In order to have an interactive (as opposed to login)
shell process a startup file, ENV may be set and exported
(see below) in $HOME/.profile [...]

I won't quote all of it here - search for ENV.

Regards,

Raf



Re: Autostart of ssh-agent in root's .profile prevents startup

2019-07-05 Thread Robert Klein
Hi,

On Fri, 5 Jul 2019 08:52:55 +0200
Rosselur Rossen  wrote:

> Hi!
> 
> I have the following added to root's .profile:
> 
> --snip--
>   env=~/.ssh/agent.env
>   agent_load_env () { test -f "$env" && . "$env" >| /dev/null ; }
>   agent_start () {
>   (umask 077; ssh-agent >| "$env")
>   . "$env" >| /dev/null ; }
>   agent_load_env
>   # agent_run_state: 0=agent running w/ key; 1=agent w/o key; 2= agent
> not running
>   agent_run_state=$(ssh-add -l >| /dev/null 2>&1; echo $?)
>   if [ ! "$SSH_AUTH_SOCK" ] || [ $agent_run_state = 2 ]; then
>   agent_start
>   ssh-add
>   elif [ "$SSH_AUTH_SOCK" ] && [ $agent_run_state = 1 ]; then
>   ssh-add
>   fi
>   unset env
> --snip--
> 
> OpenBSD 6.4 amd64.
> When I reboot the machine, it asks for my id_rsa password during
> system startup, which prevents most services from starting. Eventually
> all the password prompts time out and I am able to log in on the
> console, but most services including sshd have failed to start.
> The desired behaviour would be for the id_rsa password prompt to
> appear only when I am actually interactively logging in, and not
> during system boot.
> Is there any way I could achieve this for the root account? What am I
> doing wrong (apart from interactively logging in as root, I am well
> aware)?
> 

you could check for the option flags l (login shell) and i (interactive
shell), e.g. 

if [ ${-#*i} != $- ]  && [ ${-#*l} != $- ]; then
...



Best regards,
Robert
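An added example, not from Raf's or Robert's reply, that applies both suggestions to the snippet in the question: the agent is only started when the shell is interactive on a terminal, so the `su -l root -s /bin/sh` that rc.d uses at boot reads .profile without ever reaching ssh-add. The path ~/.ssh/agent.env is taken from the question; the decision logic is split into a function that takes the ssh-add exit status, so it can be checked without a running agent.

```shell
# Added example (not from the thread): a .profile fragment that gates the
# ssh-agent startup from the question behind an interactive-terminal check.
# Assumed path: ~/.ssh/agent.env for the saved agent variables.

# True only when the shell is interactive ($- contains "i") and stdin is a
# terminal. Robert's "l" (login) flag test is ksh-specific, and not every
# sh exposes a login flag in $-, so the tty test stands in for it here.
interactive_on_tty() {
    case $- in
        *i*) [ -t 0 ] ;;
        *)   return 1 ;;
    esac
}

# Decide what to do from the agent state, as the original snippet does:
# ssh-add -l exits 0 (keys loaded), 1 (agent but no keys), 2 (no agent).
# $1 = SSH_AUTH_SOCK value (may be empty), $2 = exit status of ssh-add -l
agent_action() {
    if [ -z "$1" ] || [ "$2" -eq 2 ]; then
        echo start-and-add
    elif [ "$2" -eq 1 ]; then
        echo add
    else
        echo none
    fi
}

# Start a fresh agent, saving its variables with mode 0600 (umask 077).
start_agent() {
    agent_env=$1
    (umask 077; ssh-agent > "$agent_env")
    . "$agent_env" > /dev/null
}

# Only the interactive login path ever prompts for a passphrase; at boot,
# rc.d's non-interactive shell returns from the first line.
setup_agent() {
    interactive_on_tty || return 0
    agent_env=$HOME/.ssh/agent.env
    [ -f "$agent_env" ] && . "$agent_env" > /dev/null
    state=0
    ssh-add -l > /dev/null 2>&1 || state=$?
    case $(agent_action "${SSH_AUTH_SOCK:-}" "$state") in
        start-and-add) start_agent "$agent_env"; ssh-add ;;
        add)           ssh-add ;;
    esac
}

setup_agent
```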



Re: AESGCM supported in IKEv1 phase 2 but not in phase 1

2019-07-05 Thread Daniel Polak

Stuart Henderson wrote on 4-7-2019 17:14:
> On 2019-07-04, Daniel Polak  wrote:
>> Just tried to configure an IKEv1 VPN connection with AESGCM but isakmpd
>> only supports that in phase 2 but not in phase 1.
>> See https://marc.info/?l=openbsd-cvs&m=128516335103833&w=2 for the commit.
>>
>> Is there any special reason why AESGCM has not been implemented for
>> phase 1 as well?
> AFAIK AES-GCM isn't in the spec for IKEv1 phase 1. See e.g.
> https://tools.ietf.org/html/rfc4543#section-5.1
I had a look (https://tools.ietf.org/html/rfc4106#section-8.2 is 
slightly better) and you are right AES-GCM is phase 2 only!

How does one supply the 32-bit nonce the man page mentions? Or is this 
handled automatically by isakmpd?