Re: Multiple USB NICs

2020-10-21 Thread Stuart Longland
On 22/10/20 1:08 pm, Lee Nelson wrote:
> The same sort of thing happened to me with my PCI cards, but it was
> another edge case.  I had two identical 2-port NICs representing
> em0-em3. The card with em0 and em1 died and brought the system down with
> a kernel panic.  Upon rebooting the card that had been em2 and em3 was
> now em0 and em1.  The server could have still functioned on half the
> ports but now the configuration was wrong for the surviving ports so the
> server was unreachable.

Yeah, the thing that's in PCI's favour is that it all gets power at the
same time, whereas in USB, the bus gets powered up one hub at a time as
each downstream hub is detected in the tree and powered up.

Also the PCI bus is synchronised to a common clock, whereas USB is
entirely asynchronous.  Thus it's a lot easier to enforce some sort of
order in PCI than USB.

> And Theo's hint was spot on.  I'm experimenting with arm64 on an RPI 4.
> Stability is not one of my expectations.  This is the normally standby
> half of the fw pair of my home network.  Even if it bursts into flames,
> it will still be a learning experience.
Yes well, it was in the back of my mind that this might be some sort of
interface-challenged device.  PCIe devices _can_ be connected to a
Raspberry Pi 4, but it's a rather haphazard process that's not
recommended unless you _really_ like re-working high-speed data links on
printed circuit boards.

Closest you get on a 'Pi is maybe some of the SPI Ethernet ICs that you
might be able to hook to the GPIO header, but then you'd have to hack
the OpenBSD kernel to support it, and it won't support gigabit speeds.

A standard x86 machine and a multi-port network card is looking pretty
good at this point.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.



Re: Multiple USB NICs

2020-10-21 Thread Lee Nelson



The same sort of thing happened to me with my PCI cards, but it was 
another edge case.  I had two identical 2-port NICs representing em0-em3. 
The card with em0 and em1 died and brought the system down with a kernel 
panic.  Upon rebooting the card that had been em2 and em3 was now em0 and 
em1.  The server could have still functioned on half the ports but now the 
configuration was wrong for the surviving ports so the server was 
unreachable.


This would likely happen on most OS's so the real moral of the story is 
don't use multiple, identical NICs in your systems.  There are probably 
other good reasons why this is a bad idea anyway.


And Theo's hint was spot on.  I'm experimenting with arm64 on an RPI 4. 
Stability is not one of my expectations.  This is the normally standby 
half of the fw pair of my home network.  Even if it bursts into flames, it 
will still be a learning experience.


On Tue, 20 Oct 2020, Theo de Raadt wrote:

> Stuart Longland  wrote:
>> On 21/10/20 9:55 am, Lee Nelson wrote:
>>>> Alternatively use a single nic with vlans, and break out to separate
>>>> ports on a managed switch.
>>>
>>> Yes, that could work too, but this is one side of a pfsync/carp
>>> redundant firewall setup, so I want to keep it as simple as possible.
>>
>> Silly question, what hardware are the USB NICs plugging into?
>>
>> USB trades off determinism for hot-pluggability, and it seems a
>> firewall, you absolutely do want an interface to appear in a specific
>> location.  I'd be looking at something that plugs into the system
>> peripheral bus somehow (PCIe, PCI, ISA, … etc).
>
> Oh come on, you know the answer before you ask it.
>
> Using cheap hardware and expecting free software developers to
> pull magic out of their ass to make it solve unsolvable problems, and
> produce a result as too as state of the art expensive hardware --- or
> even cheaper hardware --- with DEDICATED PORTS -- it is madness.  We
> can't do it.  And we said so.
>
> And Lee gets it.  But do the rest of the thread participants?
>
> I think it's fine for us as a community to humour the attempt for a bit,
> but THEN THE DISCUSSION MIGHT AS WELL END, as the consequences of the
> choice ARE WHAT THEY ARE.
>
> You get what you paid for.  And we (OpenBSD) played no part in the
> decision or the consequences, hotplug is what it is.
>
> Can we end this discussion?





/dev/usb0 - NotImplementedError: Operation not supported or unimplemented on this platform

2020-10-21 Thread Mario St-Gelais
I am attempting to get data over USB from an Acurite Weather Sensor, 
model 06006, through a python program called weewx.  I wrote the weewx dist 
list but got no answer so far.  I am in fact not sure it's related to 
weewx itself as I can not connect to the device even through ipython.  
Through ipython I get this output:

===
/usr/local/lib/python3.8/site-packages/usb/backend/libusb1.py in _check(ret)
    583 if ret < 0:
    584 if ret == LIBUSB_ERROR_NOT_SUPPORTED:
--> 585 raise NotImplementedError(_strerror(ret))
    586 elif ret == LIBUSB_ERROR_TIMEOUT:
    587 raise USBTimeoutError(_strerror(ret), ret, 
_libusb_errno[ret])


NotImplementedError: Operation not supported or unimplemented on this 
platform


I of course get similar output if I try the acurite.py driver used by weewx:
===
PYTHONPATH=bin doas python3.8 bin/weewx/drivers/acurite.py


Traceback (most recent call last):
  File "bin/weewx/drivers/acurite.py", line 982, in 
    with Station() as s:
  File "bin/weewx/drivers/acurite.py", line 587, in __enter__
    self.open()
  File "bin/weewx/drivers/acurite.py", line 612, in open
    self.handle.detachKernelDriver(interface)
  File "/usr/local/lib/python3.8/site-packages/usb/legacy.py", line 
294, in detachKernelDriver

    self.dev.detach_kernel_driver(interface)
  File "/usr/local/lib/python3.8/site-packages/usb/core.py", line 1094, 
in detach_kernel_driver

    self._ctx.backend.detach_kernel_driver(
  File "/usr/local/lib/python3.8/site-packages/usb/backend/libusb1.py", 
line 905, in detach_kernel_driver

    _check(self.lib.libusb_detach_kernel_driver(dev_handle.handle, intf))
  File "/usr/local/lib/python3.8/site-packages/usb/backend/libusb1.py", 
line 585, in _check

    raise NotImplementedError(_strerror(ret))

NotImplementedError: Operation not supported or unimplemented on this 
platform



Could someone shed some light on this.  I will provide more info if 
required.  Any other alternative to access this device?


usbdevs output:

doas usbdevs -v -d /dev/usb0
Controller /dev/usb0:
addr 01: 8086: Intel, xHCI root hub
 super speed, self powered, config 1, rev 1.00
 driver: uhub0
addr 02: 24c0:0003 vendor 0x24c0, Chaney Instrument
 low speed, power 100 mA, config 1, rev 0.20
 driver: uhidev0

--
Mario St-Gelais
Gatineau



Re: du man page

2020-10-21 Thread Greg Thomas
had is rad.

On Wed, Oct 21, 2020 at 10:09 AM Ingo Schwarze  wrote:

> Hi,
>
> a...@sdf.org wrote on Wed, Oct 21, 2020 at 11:44:01AM +:
>
> > In du(1) it reads:
> >
> > [...]
> > EXAMPLES
> >  Display a summary of files and folders in the current directory,
> >  sorted by size:
> >
> >$ du -sh * .??* | sort -h
> > [...]
> >
> > This misses file names of the form .a, .1, etc. Better use something like
> >
> > $ du -ahd1 . | sort -h
>
> Committed with three tweaks:
>
>  * The "." is redundant, it is the default for "file",
>as documented in the first paragraph.
>  * POSIX recommends a space between an option and its argument,
>and we usually follow that advice in our manuals.
>  * I like the word "had" better than the word "ahd".
>
> > Where is the best place to report these trivial documentation fixes?
>
> If you include a patch, tech@.  If you don't, misc@ is fine.
>
> Yours,
>   Ingo
>
>
> CVSROOT:    /cvs
> Module name:    src
> Changes by: schwa...@cvs.openbsd.org    2020/10/21 11:00:47
>
> Modified files:
> usr.bin/du : du.1
>
> Log message:
> simplify and improve the example by using the -a and -d options;
> suggested by , tweaked by me
>
>
> Index: du.1
> ===
> RCS file: /cvs/src/usr.bin/du/du.1,v
> retrieving revision 1.37
> diff -u -r1.37 du.1
> --- du.130 Jan 2020 17:54:30 -  1.37
> +++ du.121 Oct 2020 16:56:47 -
> @@ -151,7 +151,7 @@
>  Display a summary of files and folders in the current directory,
>  sorted by size:
>  .Pp
> -.Dl $ du -sh * .??* | sort -h
> +.Dl $ du -had 1 | sort -h
>  .Sh SEE ALSO
>  .Xr df 1 ,
>  .Xr fts_open 3 ,
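Review bot: the replacement line `+.Dl $ du -had 1 | sort -h` drops -s, but the two unchanged context lines above it still say "Display a summary of files and folders in the current directory", wording that was tied to the old -s; with -a and -d 1 the example no longer summarises, it prints one line per file and directory one level down, so the description should be adjusted in the same commit, for instance to "Display the sizes of all files and directories in the current directory, sorted by size".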
>
>


Re: AMDGPU(4) - Question about man page

2020-10-21 Thread Jonathan Gray
On Wed, Oct 21, 2020 at 11:13:59AM -0500, flint pyrite wrote:
> Question: is the amdgpu(4) manual page correct and up to date?
> 
> https://man.openbsd.org/amdgpu

The man page is for the xorg driver.

> 
> I set up an xorg.conf file in /etc/X11/xorg.conf and was trying to get
> AMDgpu working.
> 
> The man page uses "Device" as the section. This worked as root but not
> a normal user. When I changed "Device" to "OutputClass," X loaded
> without error as a normal user.
> 
> Also, the man page does not mention setting
> 
> machdep.allowaperture=1
> 
> in /etc/sysctl.conf

That is to permit non-kms drivers, why are you setting this?

> 
> cat /etc/X11/xorg.conf
> 
> Section "OutputClass"
> Identifier "AMDgpu"
> MatchDriver "amdgpu"
> Driver "amdgpu"
> Option "DRI" "3"
> Option "TearFree" "true"
> EndSection
> #copied from /usr/X11R6/share/X11/xorg.conf.d/10-amdgpu.conf
> 
> 
> #Section "Device"
> #   Identifier "AMDgpu"
> #   Driver "amdgpu"
> #   Option "DRI" "3"
> #   Option "TearFree" "true"
> #EndSection
> 
> Section  "Files"
> FontPath "/usr/local/share/fonts/spleen/"
> FontPath "/usr/local/share/fonts/ghostscript"
> EndSection
> 
> 6.8 GENERIC.MP#98 amd64
> 
> As a normal user, and using "Device" X fails with "No devices
> detected." If I leave out the section completely, X goes through mode
> setting and chooses Radeon.

I suspect you have hardware claimed by radeondrm and not amdgpu.
It is hard to know without seeing a dmesg and /var/log/Xorg.0.log



Re: Multiple USB NICs

2020-10-21 Thread pipus
I thought we were free to worship our totalitarian leader, butt an all, on and 
off list.  This is, after all, not a linux list. :)


‐‐‐ Original Message ‐‐‐
On Wednesday, 21 October 2020 22:08, Stuart Longland 
 wrote:

> On 21/10/20 10:53 pm, pipus wrote:
>
> > but Theo your butt is magical :(
>
> Perhaps you can worship it off list then. ;-)
>
> 
>
> Stuart Longland (aka Redhatter, VK4MSL)
>
> I haven't lost my mind...
> ...it's backed up on a tape somewhere.




Re: Issue updating spidermonkey

2020-10-21 Thread Brennan Vincent



On 10/21/20 4:40 AM, Stuart Henderson wrote:
> On 2020-10-21, Chris Bennett  wrote:
>> On Tue, Oct 20, 2020 at 08:26:05PM -0400, Brennan Vincent wrote:
>>> Updated yesterday from 6.7 to a snapshot, and now:
>>>
>>> $ doas pkg_add -u
>>
>> doas pkg_add -u -Dsnap
>>
>> You need to do some things different once you change to -current
>> snapshots.
>> Might also have to wait for -current packages to match the -current
>> snapshot sometimes.
>
> -Dsnap does nothing for most of the year. The only thing it's useful for is
> pointing to the snapshots directory when you're running a kernel with no
> -beta/-current suffix (i.e. a release, or snapshot in the short period in
> the run-up to release).
>
>>> quirks-3.458 signed on 2020-10-18T13:56:14Z
>
> This shows that it is indeed looking at a snapshot directory not release.
>
>>> Can't update spidermonkey-60.9.0v1->spidermonkey78-78.3.1v1: no update found
>>> for spidermonkey-60.9.0v1
>>> Can't install polkit-0.116p1->0.118: can't resolve spidermonkey78-78.3.1v1
>>>
>>> Is this expected soon after updating? Do I just need to wait for some
>>> inconsistency in the pkg repo to be resolved?
>
> This could either be:
>
> - a bug in some port
>
> - a package source that does not have a consistent set of files from one
> build (can happen when a mirror is updating)
>
> First thing to do if this happens is check file dates in the mirror's
> directory listing and see if they're consistent (no big jump between the
> a* and z* files).

Will the URL to check look something like 
https://cdn.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/ ?

I checked there; all the files were touched within a 10 minute period.

Issue is persisting.




Re: Multiple USB NICs

2020-10-21 Thread Stuart Longland
On 21/10/20 10:53 pm, pipus wrote:
> but Theo your butt is magical :(

Perhaps you can worship it off list then. ;-)
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.



Re: Approved way to update installed ports after system upgrade?

2020-10-21 Thread uuitsprmm

You're not the only one being slapped with this problem,
and the solution is in the man page,
but maybe the FAQ for 'using snapshots' should mention this:

if `pkg -u` doesn't work, try `pkg -u -Dsnap`

I've been using snapshots ever since puffy offered binary pkgs,
and I've never seen this problem before.
I'm wildly guessing it'll go away once the snapshots crank further past 
6.8-release


--
On 10/20/20 at 7:32 PM, Andrew Robertson wrote:
> What's the standard way to upgrade installed ports after a system upgrade?
>
> I've been trying to figure out how to do this properly, and it doesn't
> seem to have any mention in the FAQ. Thanks in advance.





Re: possible relayd.conf(5) documentation mistake regarding session tickets

2020-10-21 Thread Sebastian Benoit
Ashlen(euryd...@riseup.net) on 2020.10.20 16:02:49 -0600:
> In relayd.conf(5), the tls section under PROTOCOLS states the following:
> 
> no session tickets
>  Disable TLS session tickets.  relayd(8) supports stateless TLS
>  session tickets (RFC 5077) to implement TLS session resumption.
>  The default is to enable session tickets.
> 
> However, an SSL Labs test[1] without `tls { session tickets }` specified
> shows no session tickets.

There are two things I believe are happening:

* I'm not sure we wanted session resumption to be enabled by default because
of the security implications regarding perfect forward secrecy. Indeed the
option is off by default at the moment.

* With TLS 1.3, session resumption is called pre-shared key resumption.
I have to check what the issue here is, that is if qualys does not show this
right or if relayd has to do something different.

For now, with the following options you should see session resumption:

tls { session tickets, tlsv1.2, no tlsv1.3 }


I will figure out what to do about the default, the documentation and TLS
1.3.

/Benno
> 
> $ uname -a
> OpenBSD lain.lan 6.8 GENERIC.MP#98 amd64
> 
> [1]: https://www.ssllabs.com/ssltest/
> 
> --
> https://amissing.link
> 

-- 



Re: Inphi CS4223 for 4x 10GbE SFP+

2020-10-21 Thread Mihai Popescu
> Hope this helps

How much did you pay per unit, please?


Re: du man page

2020-10-21 Thread Ingo Schwarze
Hi,

a...@sdf.org wrote on Wed, Oct 21, 2020 at 11:44:01AM +:

> In du(1) it reads:
> 
> [...]
> EXAMPLES
>  Display a summary of files and folders in the current directory,
>  sorted by size:
> 
>$ du -sh * .??* | sort -h
> [...]
> 
> This misses file names of the form .a, .1, etc. Better use something like
> 
> $ du -ahd1 . | sort -h

Committed with three tweaks:

 * The "." is redundant, it is the default for "file",
   as documented in the first paragraph.
 * POSIX recommends a space between an option and its argument,
   and we usually follow that advice in our manuals.
 * I like the word "had" better than the word "ahd".

> Where is the best place to report these trivial documentation fixes?

If you include a patch, tech@.  If you don't, misc@ is fine.

Yours,
  Ingo


CVSROOT:    /cvs
Module name:    src
Changes by: schwa...@cvs.openbsd.org    2020/10/21 11:00:47

Modified files:
usr.bin/du : du.1 

Log message:
simplify and improve the example by using the -a and -d options;
suggested by , tweaked by me


Index: du.1
===
RCS file: /cvs/src/usr.bin/du/du.1,v
retrieving revision 1.37
diff -u -r1.37 du.1
--- du.130 Jan 2020 17:54:30 -  1.37
+++ du.121 Oct 2020 16:56:47 -
@@ -151,7 +151,7 @@
 Display a summary of files and folders in the current directory,
 sorted by size:
 .Pp
-.Dl $ du -sh * .??* | sort -h
+.Dl $ du -had 1 | sort -h
 .Sh SEE ALSO
 .Xr df 1 ,
 .Xr fts_open 3 ,
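Review bot: the descriptive sentence in the context lines, "Display a summary of files and folders in the current directory", no longer matches the new `+.Dl $ du -had 1 | sort -h`, since the -s that made it a "summary" is gone and -a with -d 1 now lists every file and directory one level down; suggest updating that sentence alongside the command (e.g. "Display the sizes of all files and directories in the current directory, sorted by size") so the example and its caption agree.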



Re: Multiple USB NICs

2020-10-21 Thread pipus
but Theo your butt is magical :(
You do it no justice.

I have a microwave that is a bit glitchy .


‐‐‐ Original Message ‐‐‐
On Wednesday, 21 October 2020 07:42, Theo de Raadt  wrote:

> Stuart Longland stua...@longlandclan.id.au wrote:
>
> > On 21/10/20 9:55 am, Lee Nelson wrote:
> >
> > > > Alternatively use a single nic with vlans, and break out to separate
> > > > ports on a managed switch.
> > >
> > > Yes, that could work too, but this is one side of a pfsync/carp
> > > redundant firewall setup, so I want to keep it as simple as possible.
> >
> > Silly question, what hardware are the USB NICs plugging into?
> > USB trades off determinism for hot-pluggability, and it seems a
> > firewall, you absolutely do want an interface to appear in a specific
> > location. I'd be looking at something that plugs into the system
> > peripheral bus somehow (PCIe, PCI, ISA, … etc).
>
> Oh come on, you know the answer before you ask it.
>
> Using cheap hardware and expecting free software developers to
> pull magic out of their ass to make it solve unsolvable problems, and
> produce a result as too as state of the art expensive hardware --- or
> even cheaper hardware --- with DEDICATED PORTS -- it is madness. We
> can't do it. And we said so.
>
> And Lee gets it. But do the rest of the thread participants?
>
> I think it's fine for us as a community to humour the attempt for a bit,
> but THEN THE DISCUSSION MIGHT AS WELL END, as the consequences of the
> choice ARE WHAT THEY ARE.
>
> You get what you paid for. And we (OpenBSD) played no part in the
> decision or the consequences, hotplug is what it is.
>
> Can we end this discussion?




AMDGPU(4) - Question about man page

2020-10-21 Thread flint pyrite
Question: is the amdgpu(4) manual page correct and up to date?

https://man.openbsd.org/amdgpu

I set up an xorg.conf file in /etc/X11/xorg.conf and was trying to get
AMDgpu working.

The man page uses "Device" as the section. This worked as root but not
a normal user. When I changed "Device" to "OutputClass," X loaded
without error as a normal user.

Also, the man page does not mention setting

machdep.allowaperture=1

in /etc/sysctl.conf

cat /etc/X11/xorg.conf

Section "OutputClass"
Identifier "AMDgpu"
MatchDriver "amdgpu"
Driver "amdgpu"
Option "DRI" "3"
Option "TearFree" "true"
EndSection
#copied from /usr/X11R6/share/X11/xorg.conf.d/10-amdgpu.conf


#Section "Device"
#   Identifier "AMDgpu"
#   Driver "amdgpu"
#   Option "DRI" "3"
#   Option "TearFree" "true"
#EndSection

Section  "Files"
FontPath "/usr/local/share/fonts/spleen/"
FontPath "/usr/local/share/fonts/ghostscript"
EndSection

6.8 GENERIC.MP#98 amd64

As a normal user, and using "Device" X fails with "No devices
detected." If I leave out the section completely, X goes through mode
setting and chooses Radeon.



du man page

2020-10-21 Thread adr
Hello,

In du(1) it reads:

[...]
EXAMPLES
 Display a summary of files and folders in the current directory, sorted
 by size:

   $ du -sh * .??* | sort -h
[...]

This misses file names of the form .a, .1, etc. Better use something like

$ du -ahd1 . | sort -h

Where is the best place to report these trivial documentation fixes?

Regards,
adr.
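The gap adr describes, shown as an added shell example that is not from the thread or from the du(1) manual: it builds a throwaway directory and checks which names the old glob-based example and the committed `-a -d 1` form actually report. It assumes a POSIX sh with mktemp(1) and a du(1) that accepts -a and -d (OpenBSD and GNU both do).

```shell
#!/bin/sh
# Added example, not the thread's or du(1)'s own code.  Size formatting (-h)
# and the sort are left out because they do not change which entries appear.

make_fixture() {
    # Constructed sample tree: a regular file, a one-character dotfile
    # (the case adr reported), a two-character dotfile and a dot-directory.
    d=$(mktemp -d) || return 1
    printf 'x' > "$d/plain"
    printf 'x' > "$d/.a"
    printf 'x' > "$d/.ab"
    mkdir "$d/.dir"
    printf 'x' > "$d/.dir/inner"
    printf '%s\n' "$d"
}

# old_lists DIR NAME: exit 0 if the old example (du -s * .??*) reports NAME.
# The shell expands the globs before du runs, so a name neither glob matches
# never reaches du; .??* requires at least two characters after the dot.
old_lists() {
    ( cd "$1" && du -s * .??* 2>/dev/null ) | cut -f2- | grep -qxF -- "$2"
}

# new_lists DIR NAME: exit 0 if the committed example (du -a -d 1) reports NAME.
# du walks the directory itself, so no glob is involved; entries come out
# as ./NAME, which is stripped before comparing.
new_lists() {
    ( cd "$1" && du -a -d 1 ) | cut -f2- | sed 's#^\./##' | grep -qxF -- "$2"
}

# missed_by_old DIR: print every entry the new form reports that the old
# form silently skips (the "." total line is ignored).
missed_by_old() {
    ( cd "$1" && du -a -d 1 ) | cut -f2- | sed 's#^\./##' | while read -r n; do
        [ "$n" = . ] && continue
        old_lists "$1" "$n" || printf '%s\n' "$n"
    done
}
```

Running `missed_by_old` on the fixture prints only `.a`, the one-character dotfile that `.??*` cannot match.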



Re: ssl/libssl certificate validation broken?

2020-10-21 Thread Uwe Werler
On 20 Oct 20:21, Bob Beck wrote:
> On 20 Oct 21:01, Uwe Werler wrote:
> > Hi folks,
> > 
> > before opening a bug report I'll ask here because I want to make sure that I
> > have not missed something.
> 
> You should probably submit a real bug report instead of jumping to 
> conclusions on misc@

Hi Bob, it was in the middle of the night and I got quite kinda stressed
because all services depending on our ldap proxy stopped working after the
upgrade and it took me a while to figure the problem out. But as in 99.9% of
the cases I wanted to be sure that the problem sits not between screen and
keyboard because I missed or misconfigured something.

Will open a proper bug report now.

> 
> > 
> > With the upgrade to 6.8 my cert validation seems to be broken because the
> > hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our
> > L1 and L2 ca certs in /etc/ssl/certs and hashed them with "openssl 
> > certhash".
> > That worked for all my machines until 6.7 but broke with 6.8. Adding the ca
> > certs to /etc/ssl/cert.pem works.
> > 
> > Did I miss something? I guess something changed during k2k20 in "certificate
> > chain validation in libcrypto"?
> > 
> > Thanks and with kind regards.
> > 
> > Uwe
> > 
> ...
> >Mmh, it seems to me that libssl is broken. After the upgrade to 6.8 my
> >openldap proxies were screwed too. I configured explicitly
> >
> >olcTLSCACertificatePath: /etc/ssl/certs
> >
> >But that broke so I had to change to:
> 
> "Broke".. how?

The certificate chain can't be verified anymore so ldap connections (server -
server and client - server) can't be established anymore.

> 
> 
> >olcTLSCACertificateFile: /etc/ssl/cert.pem
> >
> >... and I had to change also /etc/openldap/ldap.conf from:
> >
> >TLS_CACERTDIR /etc/ssl/certs
> >
> >to
> >
> >TLS_CACERT /etc/ssl/cert.pem
> >
> >to keep syncrepl running.
> 
> You are a little bit thin on details here. The changes in the validator
> should not affect the loading of your certificates. 

slapd acts as a ldap client for syncreplication to work and is therefore
configured via /etc/openldap/ldap.conf. But because the validation stopped
working syncrepl also stopped working.

> 
> Are you using openldap from packages or something else?

Yes, always from ports.

> 
> So please pass on some details and perhaps a succinct way to reproduce
> and include the error messages you see. Probably as a real bug report
> instead of misc discussions.
> 

Yes, I will open a bug report now.

mbk Uwe



Re: CARP load balancing problems under KVM

2020-10-21 Thread Uwe Werler
On 21 Oct 07:12, Carlos Lopez wrote:
> Hi all,
> 
> Before upgrading from OpenBSD 6.7 to OpenBSD 6.8, my pair of firewalls was using 
> carp in IP balance mode without problems for several months. These firewalls 
> are installed in a RHEL 8.2 (fully patched) KVM host.
> 
> After upgrading to OpenBSD 6.8, carp ip balance mode doesn't work. I have 
> tested reconfiguring balance mode for ip-stealth and ip-unicast also and the 
> result is always the same: network packets are not processed by firewalls. 
> But if I configure CARP using "the simple configuration" and one node is 
> master and the other is backup all is working without problems.
> 
> Since the configuration is exactly the same for version 6.8 as it was for 
> version 6.7, could there be some kind of problem with the virtio driver on 
> the network interfaces in version 6.8?
> 
> Regards,
> C. L. Martinez

Hi folks,

I ran into exactly the same issue with my ldap proxy. When one node is master
for both carp nodes it responds to packets addressed to the carp ip. In load
balancing mode it sometimes responds depending on the source ip.

Please open a bug report.

-- 
wq: ~uw



Re: Inphi CS4223 for 4x 10GbE SFP+

2020-10-21 Thread Harald Dunkel

On 10/19/20 4:40 PM, Stuart Henderson wrote:
> On 2020-10-19, Harald Dunkel  wrote:
>> Hi folks,
>>
>> I am about to order 2 network appliances, providing an
>> "Inphi CS4223 for 4x 10GbE SFP+".
>
> dmesg would be of interest :)




See attachment. Product web site:

https://www.ibase.com.tw/english/ProductDetail/NetworkAppliance/FWA8506

OpenBSD 6.8 booted from USB cdrom and installed fine. I didn't try
the USB installer image.

The host was preconfigured with serial console enabled. 115200 8N1.
There was no VGA adapter included. There is no bezel for a VGA socket,
either. There is however a bezel for a PCI card included.

Hope this helps


Regards
Harri

Re: UNIX printing demystified

2020-10-21 Thread Antoine Jacoutot
On Tue, Oct 20, 2020 at 10:10:30PM -0400, Predrag Punosevac wrote:
> 
> Every now and then people post a "question" about printing to this
> mailng list which exposes their confusion. I am putting this email
> together so that anybody capable of searching through the mailing list
> can at least have terminology straight before asking for help.
> Information presented here is in the public domain and I make no claims
> of posting anything new.
> 
> 
> Table of Contents:
> 
> 1. Print spooling overview: LPD, LPRng, CUPS
> 2. Common network printing protocols: LPD, IPP, JetDirect
> 3. Printer driver. 
> 4. Input filters
> 5. ASCII and page description language PostScript(PS)
> 6. PostScript Printer Description (PPD) files 
> 7. Printer recommendations
> 8. Code contribution
> 
> 
> 1. What is print spooling? Why is it needed?
> 
> A print spooler is a program/daemon that accepts print jobs from a
> program or network. It typically consists of two programs: a print
> spooler daemon that sends jobs to a printer and a command to submit
> print jobs to the spooler daemon. In general a spooler is not needed on
> an operating system that allows a single user to perform only one task
> at a time as long as that single user doesn't try to send multiple
> documents to the printer at the same time.
> 
> However, UNIX has been designed as a multitasking, multiuser computer
> operating system. Imagine that my wife and I send two documents to a
> printer at the same time. Her document gets there first and gets
> printed. My document loses the race and my job is rejected because the
> device is busy. I wait a few minutes and I send my document again but
> this time my daughter outraces me and her document gets printed and not
> mine. Now imagine an organization with hundreds of users and only a few
> printers. This is exactly why we need a spooler program/daemon which
> will listen for incoming printing requests, store them in a spool
> queue, and then send them to a printer when it becomes available.
> 
> The original Berkeley spooling system is the Line Printer Daemon
> protocol/Line Printer Remote protocol (or LPD) and it is available on
> any default OpenBSD installation. LPD is super simple and writing an lpd
> daemon should not be too difficult for an undergraduate CS student.
> For those of us who are old enough to remember legendary Richard Stevens
> 
> https://www.oreilly.com/library/view/advanced-programming-in/9780321638014/ch21.html
> 
> As computer technology and printing proliferated among common folks
> like me, some system admins felt the need to develop more complex
> queueing policies. People started hitting limitations of LPD and
> eventually Dr. Patrick Powell felt compelled to write a new spooler
> program/daemon which would be more capable of complex printing policies
> and make it easier to incorporate drivers and input filters (please see below),
> so the UNIX world got
> 
> LPRng
> 
> http://web.mit.edu/ops/services/print/Attic/src/doc/LPRng-HOWTO.html#toc2
> 
> as the project grew and never became truly financially viable eventually
> was replaced with newer and super complex spooling system called CUPS
> 
> https://www.cups.org/documentation.html
> 
> Now the true CUPS claim to fame is the support for the new Internet
> printing protocol (IPP).
> 
> 
> 2. What are network printing protocols?
> 
> From its inception UNIX was designed for a distributed computing
> environment. A bunch of developers would use dumb terminals to connect to
> the same computer and do some work. At the same time it became possible
> for printers to be first class citizens on the LAN. LPD is not just a
> spooling system; it is also a network protocol spoken by the daemon
> itself but also spoken by any decent quality printer. The major
> limitation of LPD is that it is primarily a single-direction protocol.
> 
> As printers became more sophisticated and more like computers than
> microcontroller boards, it became obvious that one could ask the printer
> about the level of the toner or the state of key mechanical components
> (drum comes to mind). Thus we got IPP. Actually, we got more than that.
> Most so called workgroup printers come with a built in CUPS server. 
> 
> That is not it. Manufacturers came up with many different network
> protocols. I will mention the one I use, JetDirect. From the Wikipedia page:
> AppSocket, also known as Port 9100, RAW, JetDirect, or Windows TCPmon is
> a protocol that was developed by Tektronix. It is considered as 'the
> simplest, fastest, and generally the most reliable network protocol used
> for printers
> 
> 
> 3. What are the printer drivers? Do I need them?
> 
> In the "good old times" all printers were capable of printing raw ASCII
> code. You don't need any drivers to print raw ASCII text on most
> business grade printers. As printers became more sophisticated, users
> wanted to print more complicated things like pictures as opposed to ASCII
> art. One of the earliest examples of a page description language was 

Re: South American mirrors?

2020-10-21 Thread Eike Lantzsch
On Monday, 19 October 2020 13:50:33 -03 Umgeher Torgersen wrote:
> I've a not full mirror, just for amd64.
>
> http://openbsd.dc.vikingmakt.tech/
>
> br, campos do jordao SP.
>
http://openbsd.c3sl.ufpr.br
seems to be up to date and
offers OpenBSD 6.8 since yesterday




Re: CARP load balancing problems under KVM

2020-10-21 Thread Carlos Lopez
Ok, done. I have already sent the bug report.

On 21/10/2020, 11:11, "Uwe Werler"  wrote:

On 21 Oct 07:12, Carlos Lopez wrote:
> Hi all,
> 
> Before upgrading from OpenBSD 6.7 to OpenBSD 6.8, my pair of firewalls was 
> using carp in IP balance mode without problems for several months. These 
> firewalls are installed on a RHEL 8.2 (fully patched) KVM host.
> 
> After upgrading to OpenBSD 6.8, carp ip balance mode doesn’t work. I 
> have tested reconfiguring balance mode for ip-stealth and ip-unicast also and 
> the result is always the same: network packets are not processed by the firewalls. 
> But if I configure CARP using “the simple configuration” and one node is master 
> and the other is backup, it is all working without problems.
> 
> Since the configuration is exactly the same for version 6.8 as it was for 
> version 6.7, could there be some kind of problem with the virtio driver on the 
> network interfaces in version 6.8?
> 
> Regards,
> C. L. Martinez

Hi folks,

I ran into exactly the same issue with my ldap proxy. When one node is
master for both carp nodes it responds to packets addressed to the carp ip.
In load balancing mode it sometimes responds depending on the source ip.

Please open a bug report.

-- 
wq: ~uw



Re: Issue updating spidermonkey

2020-10-21 Thread Stuart Henderson
On 2020-10-21, Chris Bennett  wrote:
> On Tue, Oct 20, 2020 at 08:26:05PM -0400, Brennan Vincent wrote:
>> Updated yesterday from 6.7 to a snapshot, and now:
>> 
>> $ doas pkg_add -u
>
> doas pkg_add -u -Dsnap
>
> You need to do some things different once you change to -current
> snapshots.
> Might also have to wait for -current packages to match the -current
> snapshot sometimes.

-Dsnap does nothing for most of the year. The only thing it's useful for is
pointing to the snapshots directory when you're running a kernel with no
-beta/-current suffix (i.e. a release, or a snapshot in the short period in
the run-up to release).

>> quirks-3.458 signed on 2020-10-18T13:56:14Z

This shows that it is indeed looking at a snapshot directory not release.

>> Can't update spidermonkey-60.9.0v1->spidermonkey78-78.3.1v1: no update found
>> for spidermonkey-60.9.0v1
>> Can't install polkit-0.116p1->0.118: can't resolve spidermonkey78-78.3.1v1
>> 
>> Is this expected soon after updating? Do I just need to wait for some
>> inconsistency in the pkg repo to be resolved?

This could either be:

- a bug in some port

- a package source that does not have a consistent set of files from one
build (can happen when a mirror is updating)

First thing to do if this happens is check file dates in the mirror's
directory listing and see if they're consistent (no big jump between the
a* and z* files).




Re: Router advertisements for dynamic IPv6 prefix

2020-10-21 Thread Fernando Gont

On 15/10/20 09:44, Harald Dunkel wrote:

On 10/14/20 10:18 AM, Stuart Henderson wrote:

On 2020-10-11, Henrik Friedrichsen  wrote:

Hey,

my ISP provides connectivity via PPPoE. An IPv6 prefix is handed out via
DHCPv6 PD, which my OpenBSD gateway passes on to clients with the help
of router advertisements using rad.

This works fine until the ISP disconnects me after 24h (force disconnect
on ISP side). The gateway receives a new prefix via prefix delegation
and rad advertises it in the local network. So far so good. However, as


The IPv6 protocol does not have the necessary features to reliably cope
with this setup. (Neither does IPv4 for that matter).



I am affected by the same problem, even though my provider (Deutsche
Telekom) resets the IPv6 prefix only once in a while.

Wasn't there some RFC saying that the ISP has to (or should?) route both
prefixes until the old prefix expires and that the forcible disconnect is
allowed only for hardware failures or something similar? Resetting the
prefix every 24h doesn't sound like that.


Renumbering may happen for one reason or another 
(https://tools.ietf.org/html/draft-ietf-v6ops-slaac-renum). Me, I think 
robustness of the network shouldn't depend on prefixes being stable. 
More specifically, hosts should be able to do better. That's the goal of 
https://tools.ietf.org/html/draft-gont-6man-slaac-renum-08


Thanks,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1





Re: Router advertisements for dynamic IPv6 prefix

2020-10-21 Thread Fernando Gont

On 15/10/20 08:02, Christian Weisgerber wrote:

On 2020-10-14, Fernando Gont  wrote:


Set the VL to 30', and the PL to 15'.  You could even set the VL to 15',
and the PL to 7.5', if necessary.


How does this influence the lifetime of privacy addresses?


It shouldn't affect it at all.

Temporary (privacy) addresses enforce an upper limit on the Valid and 
Preferred Lifetimes.


As such, as RAs keep being received, the PL and VL would continue being 
refreshed/extended, until their "cumulative" values hit the VL and PL 
for temporary addresses, at which point they would no longer be 
extended/refreshed, and temporary addresses would be regenerated.


(With the current default values, the lifetimes for the prefixes are 
longer than the PL/VL for temporary addresses... so if you do an 
ifconfig, you'd see the PL/VL of temporary addresses decreasing over 
time, until they expire. However, if you employ the suggested values for 
the PL/VL of RAs, what you see is that VL/PL decrease from say, 30'/15', 
and upon receipt of an RA they are reset to 30'/15', and start decreasing 
again... until the cumulative values reach the VL/PL for temporary 
addresses (as specified in RFC4941), at which point you'll finally see 
them decreasing from 30'/15' until they expire).





Even with rad(8)'s defaults, I already need to specify an originating
non-privacy address for all long-running ssh sessions, otherwise
they die when the privacy address they're using is forcefully expired
after a week or so.


Yep. After all, "privacy addresses" (RFC4941) are temporary. 
Unfortunately, IPv6 lacks an appropriate API for apps to specify the 
semantics of the addresses they intend to use. If such an API were 
available, one might expect that ssh would signal the OS that it should 
use stable addresses as opposed to temporary addresses when 
establishing new ssh sessions.


Thanks,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
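
As an added illustration of the refresh-until-capped behaviour described in the reply above (example code written for this page, not from the thread or from any OpenBSD tool), the following simulation applies the RFC 4941 lifetime rules to a temporary address that receives an RA every 5 minutes. The RFC 4941 caps, the RFC 4861 default prefix lifetimes used for comparison, and the simplified regeneration rule are assumptions and are marked as such in the code.

```python
# Added example (not from the thread): simulate how periodic RAs refresh the
# lifetimes of an RFC 4941 temporary address until the address's own caps,
# counted from its creation time, take over and it finally expires.

# RFC 4941 default caps for temporary addresses, in seconds (assumed defaults).
TEMP_VALID_LIFETIME = 7 * 24 * 3600      # 7 days
TEMP_PREFERRED_LIFETIME = 24 * 3600      # 1 day


class TempAddress:
    """Lifetime state of one temporary address (the address bits are omitted)."""

    def __init__(self, now, adv_valid, adv_preferred):
        self.created = now
        self.apply_ra(now, adv_valid, adv_preferred)

    def apply_ra(self, now, adv_valid, adv_preferred):
        # RFC 4941: each lifetime is the lower of the value advertised for the
        # prefix and the temporary cap measured from when the address was made.
        self.valid_until = min(now + adv_valid,
                               self.created + TEMP_VALID_LIFETIME)
        self.preferred_until = min(now + adv_preferred,
                                   self.created + TEMP_PREFERRED_LIFETIME)


def simulate(ra_interval, adv_valid, adv_preferred, horizon):
    """Deliver an RA every ra_interval seconds from t=0 through t=horizon.

    Returns ({ra_time: (preferred_remaining, valid_remaining)}, n_generated).
    Simplification (assumption): a new address is generated exactly when the
    old one's preferred lifetime runs out; REGEN_ADVANCE/DESYNC_FACTOR ignored.
    """
    addr = TempAddress(0, adv_valid, adv_preferred)
    generated = 1
    samples = {}
    for t in range(0, horizon + 1, ra_interval):
        if t >= addr.preferred_until:
            addr = TempAddress(t, adv_valid, adv_preferred)   # regenerate
            generated += 1
        else:
            addr.apply_ra(t, adv_valid, adv_preferred)        # refresh
        samples[t] = (addr.preferred_until - t, addr.valid_until - t)
    return samples, generated


if __name__ == "__main__":
    # Thread's suggested RA values: PL 15', VL 30', one RA every 5 minutes.
    short, n = simulate(300, 1800, 900, 2 * 86400)
    for t in (3600, 85800, 86100, 86400):
        print(t, short[t])          # stays (900, 1800) until the cap bites
    print("addresses generated over two days:", n)
```

With the short lifetimes the remaining PL sits at 900 s after every RA for almost a day, then shrinks to 600, 300 and the address is regenerated; with the RFC 4861 defaults (2592000/604800) the remaining PL counts down from 86400 s from the very first RA, which is the difference the reply describes.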





Re: Router advertisements for dynamic IPv6 prefix

2020-10-21 Thread Fernando Gont

Hello,

On 15/10/20 07:27, Henrik Friedrichsen wrote:

Hey,

On Wed, Oct 14, 2020 at 02:30:04PM -0300, Fernando Gont wrote:

And you may also look at this other one, which has recommendations for CPEs,
which in your case accounts for your DHCPv6-PD and RA daemons:
https://tools.ietf.org/html/draft-ietf-v6ops-cpe-slaac-renum-05


Looks like it's a problem that's not (easily) solved yet.


Agreed.




Thanks for the suggestions everyone. I'll reduce the lifetimes to the numbers
suggested in the draft and move the reconnect to 5am as suggested by Stuart.

Can this cause problems for connections that exceed these lifetimes? 


No. Because the RAs are expected to refresh the associated timers. 
(i.e., if you set the Preferred Lifetime to 15 minutes and the Valid 
Lifetime to 30, the idea is that hosts might receive one unsolicited RA 
every, say, 5 minutes... and these RAs would refresh the associated 
timers and wouldn't let them expire).




It seems that at least macOS will assign a new IPv6 address with every
advertisement due to privacy extensions.


Could you double-check? That'd be a bug.




I'd hope that existing sockets will remain connected if
the advertised prefix doesn't change, but I'm not sure.


Indeed. As long as the Prefix doesn't become invalid, the sockets would 
remain unaffected.


Thanks,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1





CARP load balancing problems under KVM

2020-10-21 Thread Carlos Lopez
Hi all,

Before upgrading from OpenBSD 6.7 to OpenBSD 6.8, my pair of firewalls was using 
carp in IP balance mode without problems for several months. These firewalls 
are installed on a RHEL 8.2 (fully patched) KVM host.

After upgrading to OpenBSD 6.8, carp ip balance mode doesn’t work. I have 
tested reconfiguring balance mode for ip-stealth and ip-unicast also and the 
result is always the same: network packets are not processed by the firewalls. But 
if I configure CARP using “the simple configuration” and one node is master and 
the other is backup, it is all working without problems.

Since the configuration is exactly the same for version 6.8 as it was for 
version 6.7, could there be some kind of problem with the virtio driver on the 
network interfaces in version 6.8?

Regards,
C. L. Martinez


Re: Issue updating spidermonkey

2020-10-21 Thread Chris Bennett
On Tue, Oct 20, 2020 at 08:26:05PM -0400, Brennan Vincent wrote:
> Updated yesterday from 6.7 to a snapshot, and now:
> 
> $ doas pkg_add -u

doas pkg_add -u -Dsnap

You need to do some things different once you change to -current
snapshots.
Might also have to wait for -current packages to match the -current
snapshot sometimes.

Chris Bennett


> quirks-3.458 signed on 2020-10-18T13:56:14Z
> Can't update spidermonkey-60.9.0v1->spidermonkey78-78.3.1v1: no update found
> for spidermonkey-60.9.0v1
> Can't install polkit-0.116p1->0.118: can't resolve spidermonkey78-78.3.1v1
> 
> Is this expected soon after updating? Do I just need to wait for some
> inconsistency in the pkg repo to be resolved?
> 
> Thanks
> 
>