Understanding of keydisk backup for FDE

2020-08-27 Thread Andreas Menge
Hi folks,

I try to wrap my head around why the FAQ 
(https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk) says that one 
should create a backup of the keydisk with bs=8192 and skip=1.

From the FAQ:

# dd bs=8192 skip=1 if=/dev/rsd1a of=backup-keydisk.img
# dd bs=8192 seek=1 if=backup-keydisk.img of=/dev/rsd1a

My personal inclination was to just dd the whole disk (like dd if=/dev/rsd1c) 
...

Is there anyone who spares the time to give me an explanation?

Thanks in advance!
Andreas
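
What skip=1 and seek=1 do in the two FAQ commands quoted above, shown as an added example that is not part of the original post or of the FAQ. Regular files stand in for /dev/rsd1a (an assumption; no device is touched), and the function names are made up for this illustration.

```shell
#!/bin/sh
set -eu

BS=8192   # block size used by the FAQ commands

# Build a constructed stand-in for the keydisk partition: one BS-sized
# leading block filled with a marker byte, then N blocks of random data.
make_fake_partition() {   # usage: make_fake_partition FILE MARKER NBLOCKS
    { head -c "$BS" /dev/zero | tr '\0' "$2"
      head -c $(( BS * $3 )) /dev/urandom; } > "$1"
}

# Same as the FAQ backup command, with the device replaced by a file:
# skip=1 leaves the first BS bytes of the source out of the image.
backup_keydisk() {        # usage: backup_keydisk SRC IMG
    dd bs="$BS" skip=1 if="$1" of="$2" 2>/dev/null
}

# Same as the FAQ restore command: seek=1 starts writing after the first
# BS bytes of the target. conv=notrunc is only needed because the target
# here is a regular file, which dd would otherwise truncate.
restore_keydisk() {       # usage: restore_keydisk IMG DST
    dd bs="$BS" seek=1 conv=notrunc if="$1" of="$2" 2>/dev/null
}

# Succeeds when IMG is byte-identical to everything in DEV after block 0.
verify_backup() {         # usage: verify_backup DEV IMG
    dd bs="$BS" skip=1 if="$1" 2>/dev/null | cmp -s - "$2"
}

# Succeeds when the first block of FILE consists only of MARKER bytes.
first_block_is() {        # usage: first_block_is FILE MARKER
    [ -z "$(head -c "$BS" "$1" | tr -d "$2")" ]
}

demo() {
    d=$(mktemp -d)
    make_fake_partition "$d/old" A 3
    make_fake_partition "$d/new" B 3   # replacement disk with its own block 0
    backup_keydisk "$d/old" "$d/img"
    verify_backup "$d/old" "$d/img"    # image matches source past block 0
    restore_keydisk "$d/img" "$d/new"
    verify_backup "$d/new" "$d/img"    # payload arrived on the new disk
    first_block_is "$d/new" B          # new disk's first block was not touched
    rm -rf "$d"
}

demo
echo "round trip ok"
```

The verify_backup comparison is the useful part to carry over to a real keydisk: run it against the device right after taking the image, before relying on the backup.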



Re: pf, send(2) and EACCES

2020-08-27 Thread Daniel Jakots
On Thu, 27 Aug 2020 16:16:17 -0400, "Sven F." wrote:

> pflog0 will tell you what is block if you log it, and can tell you if it is

I would have been surprised otherwise (since normally packets pass) but
I looked and there was no log about blocked packet at that time.



Re: Microsoft's war on plain text email in open source

2020-08-27 Thread Sean Kamath



> On Aug 27, 2020, at 01:16, Janne Johansson  wrote:
> It doesn't matter if it was "change spaces to tabs", "html made carriage
> returns where a space was found" or if it was "make two - - chars into one
> single utf-8 -- token" or "spell check/correction edited fnd_trgl_dsk() to
> find_triangle_disk()" in your C function. You did not ship what you had
> produced in that diff.

I just realized uuencode/uudecode is still shipped on macos, even if emacs 
isn’t anymore.  And it’s in base, of course.

Remembering the old days. . .

Sean



Re: pf, send(2) and EACCES

2020-08-27 Thread Sven F.
On Thu, Aug 27, 2020 at 3:30 PM Daniel Jakots  wrote:
>
> Hi,
>
> I'm chasing a weird behavior with postgresql. Sometimes (it's very
> infrequent) a sql request fails with "could not send data to client:
> Permission denied". I reported the problem on pgsql-general@ [0] and if
> I understood correctly, this happens when pgsql uses send(2) and gets
> EACCES.
>
> According to send(2) this happens when "The connection was blocked by
> pf(4)". I have a cron that modifies a table with
> `pfctl -t TABLE_NAME -Tr -f TABLE_FILE_PATH`
>
> The file is large so it's not exactly immediate. Could pf temporarily
> block new connections while it loads the file? Or am I looking at the
> wrong thing?
>
>
> [0]: https://www.postgresql.org/message-id/20200827111031.5ee46257%40anegada
>
>
> Cheers,
> Daniel
>

pflog0 will tell you what is block if you log it, and can tell you if it is

-- 
--
-
Knowing is not enough; we must apply. Willing is not enough; we must do



pf, send(2) and EACCES

2020-08-27 Thread Daniel Jakots
Hi,

I'm chasing a weird behavior with postgresql. Sometimes (it's very
infrequent) a sql request fails with "could not send data to client:
Permission denied". I reported the problem on pgsql-general@ [0] and if
I understood correctly, this happens when pgsql uses send(2) and gets
EACCES.

According to send(2) this happens when "The connection was blocked by
pf(4)". I have a cron that modifies a table with 
`pfctl -t TABLE_NAME -Tr -f TABLE_FILE_PATH`

The file is large so it's not exactly immediate. Could pf temporarily
block new connections while it loads the file? Or am I looking at the
wrong thing?


[0]: https://www.postgresql.org/message-id/20200827111031.5ee46257%40anegada


Cheers,
Daniel



Re: clover and nvme

2020-08-27 Thread T T
continued

I succeeded in booting Manjaro Linux, but failed to boot OpenBSD.

Details are here:

yenkou-yosinasi.blogspot.com/2020/08/cloverbios.html


Re: Running out of pty's

2020-08-27 Thread Mischa Peters



--

> On 27 Aug 2020, at 16:25, Paul de Weerd  wrote:
> 
> On Thu, Aug 27, 2020 at 02:52:04PM +0200, Mischa wrote:
> | Hi All,
> | 
> | I am managing an OpenBSD instance for a customer of mine who uploads camera images via sftp to be used in a single location.
> | It looks like there are quite a number of cameras uploading at once.
> | I am seeing a lot of messages like:
> | 
> | Aug 27 13:53:28 images sshd[68494]: error: do_exec_no_pty: fork: Resource temporarily unavailable
> | Aug 27 13:53:43 images sshd[53989]: error: do_exec_no_pty: fork: Resource temporarily unavailable
> 
> For the archives .. you're not running out of pty's but. 
> 
> you can't fork.  That's another resource that's limited.  There's
> a kernel limit (sysctl kern.maxproc), but there's also ulimits (those
> you are more likely to hit, especially if it's all the same user).

Thanx Paul! That was indeed it.
Increasing the maxproc in /etc/login.conf made it work.

Mischa

> | I have tried adding a bunch of pty’s and increased them,
> | inadvertently from 62 to 620, but I guess I missed something. :/
> 
> You missed the 'fork' part.  Oh, and the "no_pty" part of the function
> that was complaining: sftp can work without a pty (see
> https://man.openbsd.org/ssh#T - sftp doesn't need a pseudo terminal
> IIRC).
> 
> | Any insights someone can share?
> 
> Cheers,
> 
> Paul
> 
> -- 
>> [<++>-]<+++.>+++[<-->-]<.>+++[<+
> +++>-]<.>++[<>-]<+.--.[-]
> http://www.weirdnet.nl/ 



Re: routing ipv6 over wireguard

2020-08-27 Thread Aisha Tammy
On 8/27/20 7:07 AM, Simon Fryer wrote:
> All,
> 
> On Thu, 27 Aug 2020 at 08:17, Alarig Le Lay  wrote:
> 
>> Hi,
>>
>> On Tue 25 Aug 2020 15:27:27 GMT, Aisha Tammy wrote:
>>> (peer A)$ tcpdump -inet6 -i vio0 icmp6
>>> 15:23:04.918459 fe80::fc00:2ff:feee:5248 > ff02::1:ff42:6: icmp6:
>>> neighbor sol: who has 2001:19f0:5:5cd5::6942:6
>>>
>>> (a lot of such lines)
>>
>> It seems that you have been provided a *connected* /64, so the router
>> tried to do NDP for your peer, which isn’t possible because the peer
>> isn’t on the same L2.
>>
>> You have to ask your provider to *route* you a range. Then, it will be your
>> VM that will manage it.
>>
> 
> Thank you very much. I have been struggling with exactly the same problem
> but with an Iked created IPSec tunnel. Off to raise a query with my
> provider.
> 
> Thanks again.
> 
> Simon.
> 

I found this out too when talking with ncon@ on irc.
He has sent a patch which should allow us to use ndp with wg, am not sure if ndp
works with (or is even designed to work with) ipsec ipv6.

My knowledge of network layers is on demand wikipedia/google, which I assume is
also most people attempting to set up tunnels XD
So these behaviours put me in a twist.

Should get solved soon though.

Aisha.



Re: Running out of pty's

2020-08-27 Thread Paul de Weerd
On Thu, Aug 27, 2020 at 02:52:04PM +0200, Mischa wrote:
| Hi All,
| 
| I am managing an OpenBSD instance for a customer of mine who uploads camera images via sftp to be used in a single location.
| It looks like there are quite a number of cameras uploading at once.
| I am seeing a lot of messages like:
| 
| Aug 27 13:53:28 images sshd[68494]: error: do_exec_no_pty: fork: Resource temporarily unavailable
| Aug 27 13:53:43 images sshd[53989]: error: do_exec_no_pty: fork: Resource temporarily unavailable

For the archives .. you're not running out of pty's but. 

you can't fork.  That's another resource that's limited.  There's
a kernel limit (sysctl kern.maxproc), but there's also ulimits (those
you are more likely to hit, especially if it's all the same user).

| I have tried adding a bunch of pty’s and increased them,
| inadvertently from 62 to 620, but I guess I missed something. :/

You missed the 'fork' part.  Oh, and the "no_pty" part of the function
that was complaining: sftp can work without a pty (see
https://man.openbsd.org/ssh#T - sftp doesn't need a pseudo terminal
IIRC).

| Any insights someone can share?

Cheers,

Paul

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



Running out of pty's

2020-08-27 Thread Mischa
Hi All,

I am managing an OpenBSD instance for a customer of mine who uploads camera images via sftp to be used in a single location.
It looks like there are quite a number of cameras uploading at once.
I am seeing a lot of messages like:

Aug 27 13:53:28 images sshd[68494]: error: do_exec_no_pty: fork: Resource temporarily unavailable
Aug 27 13:53:43 images sshd[53989]: error: do_exec_no_pty: fork: Resource temporarily unavailable
...etc…

I have tried adding a bunch of pty’s and increased them, inadvertently from 62 
to 620, but I guess I missed something. :/

Any insights someone can share?

Mischa




SM X9DRi-F vs. SM X9SRA

2020-08-27 Thread Jens A. Griepentrog

Dear Listeners,

I have experienced different behaviour after the installation
of OpenBSD 6.7 stable on two machines with SM mainboards
X9DRi-F and X9SRA, respectively (both with default BIOS settings):

1. The first machine with the X9DRi-F mainboard and two E5 CPUs
works fine with onboard graphics. (With OpenBSD 6.7 stable nearly
all the keyboard hickups and runaways are gone, many thanks!)

2. After taking the system disks out of the first machine and
putting them into the second machine with the X9SRA mainboard
and E5 v2 CPU (or freshly installing the same release onto
these disks) booting the /bsd.rd kernel works, too.

3. Trying to boot the /bsd kernel on the second machine fails,
it hangs after the line "savecore: no core dump" ...

Comparing the files in the /var trees of both the machines
I found a regular list of ACPI tables in /var/db/acpi/headers
in the case of the first machine but an empty file in the case
of the second machine. Let me know, please, if I can help to
solve the problem by supplying the contents of other files.

In the following you find the contents of /var/log/messages
for all the three scenarios mentioned above:

1. X9DRi-F booting /bsd:

Aug 26 18:00:34 sm syslogd[35399]: start
Aug 26 18:00:34 sm /bsd: OpenBSD 6.7 (GENERIC.MP) #5: Tue Jul 21 13:50:07 MDT 2020
Aug 26 18:00:34 sm /bsd: r...@syspatch-67-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Aug 26 18:00:34 sm /bsd: real mem = 274826579968 (262095MB)
Aug 26 18:00:34 sm /bsd: avail mem = 266484858880 (254139MB)
Aug 26 18:00:34 sm /bsd: User Kernel Config
Aug 26 18:00:34 sm /bsd: UKC> enable ipmi
Aug 26 18:00:34 sm /bsd: 447 ipmi0 enabled
Aug 26 18:00:34 sm /bsd: 448 ipmi0 enabled
Aug 26 18:00:34 sm /bsd: UKC> quit
Aug 26 18:00:34 sm /bsd: Continuing...
Aug 26 18:00:34 sm /bsd: mpath0 at root
Aug 26 18:00:34 sm /bsd: scsibus0 at mpath0: 256 targets
Aug 26 18:00:34 sm /bsd: mainbus0 at root
Aug 26 18:00:34 sm /bsd: bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xec0c0 (136 entries)
Aug 26 18:00:34 sm /bsd: bios0: vendor American Megatrends Inc. version "3.3" date 07/12/2018
Aug 26 18:00:34 sm /bsd: bios0: Supermicro X9DR3-F
Aug 26 18:00:34 sm /bsd: acpi0 at bios0: ACPI 5.0
Aug 26 18:00:34 sm /bsd: acpi0: sleep states S0 S1 S4 S5
Aug 26 18:00:34 sm /bsd: acpi0: tables DSDT FACP APIC FPDT MCFG SRAT SLIT HPET PRAD SPMI SSDT EINJ ERST HEST BERT DMAR
Aug 26 18:00:34 sm /bsd: acpi0: wakeup devices P0P9(S1) EUSB(S4) USBE(S4) PEX0(S4) PEX1(S1) PEX2(S1) PEX3(S1) PEX4(S1) PEX5(S1) PEX6(S1) PEX7(S1) NPE1(S1) NPE2(S1) GBE_(S4) I350(S4) NPE3(S1) [...]
Aug 26 18:00:34 sm /bsd: acpitimer0 at acpi0: 3579545 Hz, 24 bits
Aug 26 18:00:34 sm /bsd: acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
Aug 26 18:00:34 sm /bsd: cpu0 at mainbus0: apid 0 (boot processor)
Aug 26 18:00:34 sm /bsd: cpu0: Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz, 2200.38 MHz, 06-2d-07
Aug 26 18:00:34 sm /bsd: cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
Aug 26 18:00:34 sm /bsd: cpu0: 256KB 64b/line 8-way L2 cache
Aug 26 18:00:34 sm /bsd: cpu0: smt 0, core 0, package 0
Aug 26 18:00:34 sm /bsd: mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
Aug 26 18:00:34 sm /bsd: cpu0: apic clock running at 100MHz
Aug 26 18:00:34 sm /bsd: cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
Aug 26 18:00:34 sm /bsd: cpu1 at mainbus0: apid 2 (application processor)
Aug 26 18:00:34 sm /bsd: cpu1: Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz, 2200.02 MHz, 06-2d-07
Aug 26 18:00:34 sm /bsd: cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
Aug 26 18:00:34 sm /bsd: cpu1: 256KB 64b/line 8-way L2 cache
Aug 26 18:00:34 sm /bsd: cpu1: smt 0, core 1, package 0
Aug 26 18:00:34 sm /bsd: cpu2 at mainbus0: apid 4 (application processor)
Aug 26 18:00:34 sm /bsd: cpu2: Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz, 2200.02 MHz, 06-2d-07
Aug 26 18:00:34 sm /bsd: cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
Aug 26 18:00:34 sm /bsd: cpu2: 256KB 64b/line 8-way L2 cache
Aug 26 18:00:34 sm /bsd: cpu2: smt 0, core 2, package 0
Aug 26 18:00:34 sm /bsd: cpu3 at 

Re: routing ipv6 over wireguard

2020-08-27 Thread Simon Fryer
All,

On Thu, 27 Aug 2020 at 08:17, Alarig Le Lay  wrote:

> Hi,
>
> On Tue 25 Aug 2020 15:27:27 GMT, Aisha Tammy wrote:
> > (peer A)$ tcpdump -inet6 -i vio0 icmp6
> > 15:23:04.918459 fe80::fc00:2ff:feee:5248 > ff02::1:ff42:6: icmp6:
> > neighbor sol: who has 2001:19f0:5:5cd5::6942:6
> >
> > (a lot of such lines)
>
> It seems that you have been provided a *connected* /64, so the router
> tried to do NDP for your peer, which isn’t possible because the peer
> isn’t on the same L2.
>
> You have to ask your provider to *route* you a range. Then, it will be your
> VM that will manage it.
>

Thank you very much. I have been struggling with exactly the same problem
but with an Iked created IPSec tunnel. Off to raise a query with my
provider.

Thanks again.

Simon.

-- 

"Well, an engineer is not concerned with the truth; that is left to
philosophers and theologians: the prime concern of an engineer is
the utility of the final product."
Lectures on the Electrical Properties of Materials, L.Solymar, D.Walsh


Re: Microsoft's war on plain text email in open source

2020-08-27 Thread Frank Beuth

On Wed, Aug 26, 2020 at 05:44:12PM -0700, Constantine A. Murenin wrote:
> Why OpenBSD is to blame when Gmail -- after so many years -- still 
> doesn't have proper support for sending text-based attachments the 
> right way?


Because large corporations are always right, and the idea is to bend the 
world to suit the needs of the Microsofts and Googles.




Re: m4 counting arguments

2020-08-27 Thread Jan Stary
On Aug 21 21:16:40, h...@stare.cz wrote:
> On Aug 21 21:04:53, h...@stare.cz wrote:
> > I came across some m4 problems when trying to compile sox
> > (a future version of the audio/sox port), which uses the
> > horrendous autotools to create its ./configure script.
> > These tools in turn use m4 to define their macros.
> > 
> > What should the following print?
> > (Please excuse my m4 ignorance.)
> > 
> > divert(-1)dnl
> > changequote([, ])
> > define([dquote],  [[$@]])
> > define([argn], [pushdef([_$0], [popdef([_$0])]dquote([$]incr([$1])))_$0($@)])
> 
> Could it be this?
> 
>  The built-ins pushdef and popdef handle macro definitions as a stack.
>  However, define interacts with the stack in an undefined way.  In this
>  implementation, define replaces the top-most definition only.  Other
>  implementations may erase all definitions on the stack instead.
> 
> 
> > define([foo], [argn([10], $@)])
> > define([bar], [argn([9], shift($@))])
> > define([baz], [argn([8], shift(shift($@)))])
> > define([numbers], [[1], [2], [3], [4], [5], [6], [7], [8], [9], [10]])
> > divert(0)dnl
> > foo(numbers)
> > bar(numbers)
> > baz(numbers)
> > 
> > According to upstream, it should be
> > 
> > 10
> > 10
> > 10
> > 
> > On current, it's
> > 
> > 101
> > 90
> > 10

No really, should these all be 10,
or is that undefined because of the stack interaction?

Jan

> > 
> > https://marc.info/?l=sox-devel&m=159803236823541&w=2
> > https://sourceforge.net/p/sox/code/ci/affc279d142f843f3f50d4718798303396ee24b4/
> > 
> > 
> 
> 



Re: Microsoft's war on plain text email in open source

2020-08-27 Thread Janne Johansson
On Wed, 26 Aug 2020 at 21:17, Mike Hammett wrote:

> Text-only was great in 1985.
> Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
>

Being able to publish and/or send a really small file from computer A to
computer B unchanged in this day and age is still a required feat if you
want to appear as an internet professional.
It doesn't matter if it was "change spaces to tabs", "html made carriage
returns where a space was found" or if it was "make two - - chars into one
single utf-8 -- token" or "spell check/correction edited fnd_trgl_dsk() to
find_triangle_disk()" in your C function. You did not ship what you had
produced in that diff.

If you can't send data 100% with the tools of your choice, the blame is on
you, not on the recipient who did the checking FOR YOU and notified you
about mangled transmissions.

So when your file integrity check or vpn software says "we dropped the
incoming data due to broken checksums", the correct answer is not for the
receiving end to disable checksums. Really.
To even have to tell this to people...

-- 
May the most significant bit of your life be positive.


Re: Installing sets from install67.fs on USB stick

2020-08-27 Thread Duncan Patton a Campbell


In my experience the key to an easy OBSD install is to start with a 
bootable fs, on a disk, a usbkey, a cd, floppy ... whatever.  Copy
the mfs boot (eg https://ftp.openbsd.org/pub/OpenBSD/?.?/amd64/bsd.rd)
for your target rev into, say /bsd.XX.rd and reboot.  When prompted 
enter "boot bsd.XX.rd" and away you go.  If you're using obscure 
network hardware/connex that needs firmware or such to work, a 
USB ethernet dongle (or just a common card) can get you around lots
of grief.

Dhu

On Wed, 26 Aug 2020 19:03:27 +0100
Julian Smith  wrote:

> I've just run into a slightly confusing situation during an install
> using install67.fs on a USB stick, and wondered whether it might be
> worth adding something to http://www.openbsd.org/faq/faq4.html
> "Installation Guide " to clarify what to do.
> 
> I was installing onto a second 32 GB USB stick on a Lenovo x220.
> 
> At the "Let's install the sets!" stage, the installer asks:
> 
> Location of sets? (disk http nfs or 'done') [http]
> 
> At this stage networking was not working due to missing firmware, so I
> entered "disk" to use the sets from install67.fs on the install USB
> stick.
> 
> Then it asks:
> 
> Is the disk partition already mounted? [yes]
> 
> I wasn't sure about the correct answer here. It turns out that you need
> to say "no".
> 
> But it then lists the disk on which it is installing OpenBSD
> (containing the partitions that were created by the installer earlier):
> 
> Available disks are: sd0.
> 
> I eventually got things to work by unplugging and re-plugging the USB
> install stick before answering "no" to "Is the disk partition already
> mounted? [yes]". This feels slightly unsafe of course, but presumably
> the installer has copied everything into the ramdisk kernel in memory by
> this point?
> 
> Thereafter, things worked fine:
> 
> Available disks are: sd0 sd1.
> Which disk contains the install media? (or 'done') [sd1]
> a: 928768 [...]
> i: 960 [...]
> Available sd1 partitions are: a i
> Which sd1 partition has the install sets? (or 'done') [a]
> Pathname to the sets? (or 'done') [6.7/amd64]
> 
> And the sets were found and installed with no further problems.
> 
> 
> Would it be worth me coming up with some text to add to
> http://www.openbsd.org/faq/faq4.html explaining this? Or maybe my
> installing onto a second USB stick is unusual and might have caused the
> issue?
> 
> 
> Thanks,
> 
> - Jules
> 
> -- 
> http://op59.net
> 
> 
> 


-- 
I am Canadian. That is not French or English.
 It is a kind of savage: ne obliviscaris, vix ea nostra voco;-)