i386 kernel relinking
Question about kernel randomization and relinking... It seems to take a fair amount of RAM, at least for systems that are forced to run i386. And I mean real RAM -- swap doesn't seem to cut it.

I discovered that several machines I was intending on using for minimal purposes just couldn't complete relinking. So I built a VM and started playing with the RAM. Built with 1G RAM, default was a 1.2G swap, worked fine. Reduced to 256MB RAM, Kernel failed to relink. As with my old junk. The magic number seemed to be between 320MB (failed) and 384MB (worked) of RAM.

Ok, fine. Kernel relinking is important, I get that. Probably time to start tossing old junk. I get that, too. I'm not complaining about the forcible retirement of some of my old junk. I'm just curious why swap didn't "fix" this problem. But that VM failed at 320MB RAM, even though it had 1.2G of swap, mostly unused (MOSTLY. Yes, it was going into swap).

Is there a semi-layperson's explanation of this? Or is this a "if you got to ask, you won't understand" kind of thing?

And here's the relink log from my VM, but the ones from my physical boxes looked pretty similar.

$ cat relink.log
(SHA256) /bsd: OK
LD="ld" LDFLAGS="-g" sh makegap.sh 0x gapdummy.o
ld -T ld.script -X --warn-common -nopie -o newbsd ${SYSTEM_HEAD} vers.o ${OBJS}
   text    data     bss     dec     hex
      0       0       0       0       0
mv newbsd newbsd.gdb
ctfstrip -S -o newbsd newbsd.gdb
strip: there are no sections to be copied!
rm -f bsd.gdb
mv -f newbsd bsd
mv: newbsd: No such file or directory
*** Error 1 in /usr/share/relink/kernel/GENERIC.MP (Makefile:1131 'newbsd')

I also found that a 320MB machine could not build the kernel from scratch. Nothing used much memory until the ld step, which started using large amounts of memory and some swap, and errored out the same way:

LD="ld" LDFLAGS="-g" sh makegap.sh 0x gapdummy.o
ld -T ld.script -X --warn-common -nopie -o bsd ${SYSTEM_HEAD} vers.o ${OBJS}
   text    data     bss     dec     hex
      0       0       0       0       0
mv bsd bsd.gdb
ctfstrip -S -o bsd bsd.gdb
strip: there are no sections to be copied!

Thanks!

Nick.
i386/amd64 boot (and pxeboot) compatibility
Hi, For a long time, the /boot and pxeboot of i386 would boot amd64's kernel and amd64's would boot i386's kernel. My tftp server had both amd64 and i386 bsd.rd files named "bsdamd64.rd" and "bsdi386.rd", snapshots downloaded daily. But recently, I discovered I could not PXE boot i386's bsd.rd from the amd64 pxeboot. I then grabbed a spare laptop, and confirmed this problem happened the other way as well -- an amd64 installed machine could not boot i386 from the amd64 /boot file. I also see the i386 and amd64 boot files have different version numbers now. So...I'm kinda inclined to guess this is not an accident, but figured I'd ask just in case it is. Nick.
Re: upgrade i386 kernel to amd64
On 2020-03-02 18:14, Justin Muir wrote:
> Hello all,
>
> Running GENERIC i386 kernel on a 64-bit amd machine. Just wondering
> whether an upgrade amd64 is warranted. Any opinions?

yes.

At this point, most OpenBSD development starts on amd64 systems, then moves to other platforms. Plus, the AMD64 platform offers some magic tricks that help improve security, and I do believe generally better package support. amd64 systems have been around for over 15 years. i386 is really almost a "legacy" platform now. If you gotta use it, ok...but otherwise, no.

The only reason I can think of to run i386 code on an amd64 system is if your i386 system failed and you moved the disk to an amd64 capable system.

> If so, just upgrade system? Re-compile kernel? Other options?

DO NOT UPGRADE. No idea what you are even dreaming of by "recompiling the kernel", that makes the bad idea of an upgrade look good (it isn't).

Reinstall from scratch. Good time to look at how you used disk and partition better this time.

Nick.
Re: openbsd.org - certain https URLs downgraded to http in redirection
Sorry, took a look at this a while back when I didn't have time to fully work through it...and then forgot about it. ;-/

On 2020-02-12 04:34, Aham Brahmasmi wrote:
> Namaste misc,
>
> Overview:
> Certain https URLs on openbsd.org get downgraded to http in redirection.
>
> Steps:
> When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
> browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.
>
> Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/.

I Google for "openbsd man", I end up with a link to httpS://man.openbsd.org. and it takes me to man.openbsd.org via httpS. I duckduckgo.com for "openbsd man", same thing. (yay. I just used a website as a verb.)

Google does seem to show a link for httpS://cvsweb.openbsd.org, but tosses the browser at http://cvsweb.openbsd.org. DuckDuckGo does not and does what you would expect and hope. Looking at the page source for the google return, it DOES appear to be sending the browser to http://, so everything is working as designed.

Is there a problem? Yes -- google is aware https:// those sites exists, but doesn't actually send users to them. Apparently your favorite search engine does as well. Perhaps it isn't as privacy friendly as you are thinking it is. The problem isn't with the websites, it's with where the search engine is sending the user.

You want it changed so that when someone clicks on a link, they go somewhere OTHER than where that link sends them? I understand your goal (everything should be HTTPS!!), but I don't really like the idea of "click here, go elsewhere". Want https? great. use it. There are times when it's handy to NOT be obsessed with https (i.e., clock is hosed on your computer).

So ... unless some developer I really respect (which is just about all of them1) tells me to change this, I'm not planning on changing the behavior of the machines.

Nick.
Re: Server 5 SSD/best practice
On 2020-02-20 11:22, Oliver Marugg wrote:
> Hi
>
> I've got a Supermicro 5028D desktop server with 5 identical SATA SSDs,
> there is no HBA no RAID card in. The purpose of the server is intended
> as web/smtp and some vmm vms (os plus /home & /var storage).
> What are your suggestions or best practices configuring the device
> arrangement (eg. softraid(4), bio(4), bioctl(4) OS 2x on 2x ssd raid1,
> data 3xssd raid5 or 1x single ssd for OS and 4x ssd raid5/10 or better
> ideas)?
>
> many thanks
> -oliver
>

set it up as you need it...

If you think your description is anything close to specific for specific recommendations, you need to get out more. Everything you said could vary in demand by many orders of magnitude, except for the model number of the server...a curious thing to be specific about.

E-mail is one of those things that's really hard to get a good backup of, as it changes minute by minute and is considered fairly important, so I'd consider a three disk RAID1 for the mail store, as a disk system failure invariably means "lost data", even with frequent backups. Three disk RAID1 gives you a simple disk structure that can tolerate a disk failure and still provide redundancy. (some people will tell you that RAID1 is only two disks. These people are wrong, but often include HW RAID controller makers. Three disk RAID1 examples are in the man pages).

As for the rest...it's a matter of how much space you need and how much down time you can tolerate, and how you are set up to deal with that downtime. And I'm assuming you aren't combining external and internal services on one box. I suspect that's a bad assumption.

And even after much careful analysis it's a bit of a guess. Sometimes you guess wrong. So keep your design flexible and be willing and able to say, "Well, this isn't working, let's rebuild it with the knowledge we now have". This idea that you have to have the perfect build the first time out is ... well, just wrong.

Nick.
httpd(8) path stripping and FastCGI mountpoints
I am trying to understand how path stripping works in httpd(8), particularly how FastCGI's SCRIPT_NAME parameter gets filled. The rule about whether it has a trailing slash or not seems inconsistent. I would really appreciate some extra eyes to work through this. I don't know if httpd is at fault, my app, or my understanding of CGI.

I am giving a webapp[1] a mountpoint on my site, using `request strip 3` to hide the mountpoint from the app.

```
# /etc/httpd.conf
server "default" {
	listen on localhost port 80
	directory auto index

	location "/path/to/app" {
		request strip 3
		fastcgi socket :5232
	}
	location "/path/to/app/*" {
		request strip 3
		fastcgi socket :5232
	}

	log syslog
}
```

with this, I see:

http://localhost/path/to/app =>
 'DOCUMENT_URI': '/path/to/app',
 'PATH_INFO': '',
 'REQUEST_URI': '/path/to/app',
 'SCRIPT_NAME': '/path/to/app',

http://localhost/path/to/app/ =>
 'DOCUMENT_URI': '/path/to/app/',
 'PATH_INFO': '',
 'REQUEST_URI': '/path/to/app/',
 'SCRIPT_NAME': '/path/to/app/',

http://localhost/path/to/app/login =>
 'DOCUMENT_URI': '/path/to/app/login',
 'PATH_INFO': '/login',
 'REQUEST_URI': '/path/to/app/login',
 'SCRIPT_NAME': '/path/to/app',

http://localhost/path/to/app/posts/1 =>
 'DOCUMENT_URI': '/path/to/app/posts/1',
 'PATH_INFO': '/posts/1',
 'REQUEST_URI': '/path/to/app/posts/1',
 'SCRIPT_NAME': '/path/to/app',

Up to the strip limit, SCRIPT_NAME doesn't have a trailing slash, after the strip limit it doesn't have a trailing slash, but *at* the strip limit it does.
This is causing me angst because I *want* to use the simpler

```
# /etc/httpd.conf
server "default" {
	listen on localhost port 80
	directory auto index

	location "/path/to/app" {
		request rewrite "$DOCUMENT_URI/"
	}
	location "/path/to/app/*" {
		request strip 3
		fastcgi socket :5232
	}

	log syslog
}
```

but with this

http://localhost/path/to/app =>
 'DOCUMENT_URI': '/path/to/app/',
 'PATH_INFO': '',
 'REQUEST_URI': '/path/to/app',
 'SCRIPT_NAME': '/path/to/app/',

**which gives this warning**

 "WARNING: SCRIPT_NAME does not match REQUEST_URI"

which is complaining that SCRIPT_NAME is not a prefix of REQUEST_URI. SCRIPT_NAME shouldn't have been touched, imo; my goal in `request rewrite "$DOCUMENT_URI/"` was to append to PATH_INFO -- and if I `request rewrite "$DOCUMENT_URI/login"` instead that's exactly what happens, PATH_INFO gets "/login" -- it's only when I add a single "/" that this problem crops up.

Unrelated to the rewrite, the same underlying issue, that /path/to/app/ sets PATH_INFO="", also causes Radicale to mistakenly redirect /path/to/app/ to /path/to/app/app/.web [2], because it thinks that means it's being called as /path/to/app/. I don't know if httpd or Radicale is at fault here.

I suspect this is an off-by-one in httpd [3] but I'd like to know if there's a better explanation for this behaviour. I think the better behaviour is

http://localhost/path/to/app/ =>
 'DOCUMENT_URI': '/path/to/app/',
 'PATH_INFO': '/',
 'REQUEST_URI': '/path/to/app/',
 'SCRIPT_NAME': '/path/to/app',

but I am second-guessing myself a lot.

Thank you for your time, and any clues you can toss my way

-Nick

[1] It's Radicale. But see below for my testing webapp that isolated the issue.
[2] https://github.com/Kozea/Radicale/blob/db7587c59335fa00580ce88d583419ce45594143/radicale/app/get.py#L64-L69
[3] https://github.com/openbsd/src/blob/4564063e97c6de536114caf655a9e16da7a4259f/usr.sbin/httpd/server_fcgi.c#L215

# Appendix: Reproduction (OpenBSD 6.6)

```
$ doas pkg_add py3-flup
$ cat app.fcgi
#!/usr/bin/env python3
"""
Python FastCGI example.

Opens a FastCGI socket on localhost:5232 that just returns "Hello, World!"
but while logging the FastCGI parameters.
"""
from flup.server.fcgi import WSGIServer
from pprint import pprint
import sys

def application(environ, start_response):
    pprint(environ, stream=sys.stderr)
    start_response('200 OK', [('Content-Type', 'text/html')])
    yield 'Hello, World!\r\n'

if __name__ == "__main__":
    WSGIServer(application, bindAddress=("localhost", 5232)).run()
$ chmod +x app.fcgi
```

```
$ cat /etc/httpd.conf
server "default" {
	listen on localhost port 80
	directory auto index

	# Add a trailing slash so the app recognizes /base as its own name
	# as in https://wordpress.org/support/article/htaccess/
	# or https://radicale.org/proxy/
	location "/path/to/app" {
		request rewrite "$DOCUMENT_URI/"
	}
	location "/path/to/app/*" {
		request strip 3
		fastcg
Re: Replace PF rule + inetd Proxy with 2 PF rules
On 2/14/2020 11:21 AM, Fabio Martins wrote:

I am trying now only with the redirect to www.openbsd.org, if it works, I am sure it can be adapted to my case. Unfortunately still no success.

# pf.conf:
ext_if="xnf0"

match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
    rdr-to 129.128.5.194 port 80
match out log on $ext_if proto tcp to 129.128.5.194 port 80 received-on \
    $ext_if nat-to $ext_if
match out log quick on $ext_if inet all tagged RDR \
    nat-to $ext_if

server_open="{ 80,110,443,25,587,465 }"
pass in log on $ext_if inet proto tcp from any port 1024:65535 to $ext_if port $server_open tag n_traffic

#block all to start
block all
pass quick tagged RDR
pass quick tagged n_traffic
pass out on $ext_if

On 2/14/2020 6:30 AM, Fabio Martins wrote:
Hi Nick,

Thanks. I applied both rules below, unfortunately I am still only hitting rule number #1 (rdr-to). nat-to is never reached (added "log" on each to test). I tried inverting the order, too, but no luck.

#1
match in on $ext_if proto tcp from to ($ext_if) port 25 \
    rdr-to 200.200.200.200 port

#2
match out on $ext_if proto tcp to 200.200.200.200 port received-on \
    $ext_if nat-to ($ext_if)

--
Fabio Martins

Odd, are you allowing the traffic with an appropriate pass rule later? I use tagging for rules related to rdr and nat to keep things simple, here is the full working setup I used to bounce port 8099 on the external interface to www.openbsd.org port 80.

#Fun reverse redirection of www.openbsd.org
match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR rdr-to 129.128.5.194 port 80
match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on $ext_if nat-to $ext_if

#block all to start
block log all
pass quick tagged RDR
pass out on $ext_if

Make sure you are testing from an external host of course.

May be a dumb question, but do you have net.inet.ip.forwarding=1 set?

tcpdump of a successful test connection:
c.c.c.c = remote test client on internet
r.r.r.r = firewall external IP

pf# tcpdump -ni vmx1 port 8099 or host 129.128.5.194
tcpdump: listening on vmx1, link-type EN10MB
14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0) win 64240 [tos 0x20]
14:34:09.270303 r.r.r.r.62530 > 129.128.5.194.80: S 3178148684:3178148684(0) win 64240 8,nop,nop,sackOK> [tos 0x20]
14:34:09.342800 129.128.5.194.80 > r.r.r.r.62530: S 3355699325:3355699325(0) ack 3178148685 win 16384 1460,nop,nop,sackOK,nop,wscale 6> (DF) [tos 0x20]
14:34:09.342830 r.r.r.r.8099 > c.c.c.c.63091: S 3355699325:3355699325(0) ack 3178148685 win 16384 [tos 0x20]
14:34:09.372450 c.c.c.c.63091 > r.r.r.r.8099: . ack 1 win 1026 [tos 0x20]
14:34:09.372461 c.c.c.c.63091 > r.r.r.r.8099: P 1:436(435) ack 1 win 1026 [tos 0x20]
14:34:09.372477 r.r.r.r.62530 > 129.128.5.194.80: . ack 1 win 1026 [tos 0x20]
14:34:09.372500 r.r.r.r.62530 > 129.128.5.194.80: P 1:436(435) ack 1 win 1026 [tos 0x20]
14:34:09.450714 129.128.5.194.80 > r.r.r.r.62530: P 1:197(196) ack 436 win 273 (DF) [tos 0x20]
14:34:09.450716 129.128.5.194.80 > r.r.r.r.62530: . 197:1657(1460) ack 436 win 273 (DF) [tos 0x20]
14:34:09.450759 r.r.r.r.8099 > c.c.c.c.63091: P 1:197(196) ack 436 win 273 [tos 0x20]
14:34:09.450774 r.r.r.r.8099 > c.c.c.c.63091: . 197:1657(1460) ack 436 win 273 [tos 0x20]
Re: Replace PF rule + inetd Proxy with 2 PF rules
On 2/14/2020 6:30 AM, Fabio Martins wrote:
Hi Nick,

Thanks. I applied both rules below, unfortunately I am still only hitting rule number #1 (rdr-to). nat-to is never reached (added "log" on each to test). I tried inverting the order, too, but no luck.

#1
match in on $ext_if proto tcp from to ($ext_if) port 25 \
    rdr-to 200.200.200.200 port

#2
match out on $ext_if proto tcp to 200.200.200.200 port received-on \
    $ext_if nat-to ($ext_if)

--
Fabio Martins

Odd, are you allowing the traffic with an appropriate pass rule later? I use tagging for rules related to rdr and nat to keep things simple, here is the full working setup I used to bounce port 8099 on the external interface to www.openbsd.org port 80.

#Fun reverse redirection of www.openbsd.org
match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR rdr-to 129.128.5.194 port 80
match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on $ext_if nat-to $ext_if

#block all to start
block log all
pass quick tagged RDR
pass out on $ext_if

Make sure you are testing from an external host of course.
Re: Replace PF rule + inetd Proxy with 2 PF rules
Hi Fabio,

I believe this will do what you want, seemed to work in quick testing here, adjust to suit your environment.

match in on $ext_if proto tcp from to ($ext_if) port 25 rdr-to 200.200.200.200 port
match out on $ext_if proto tcp to 200.200.200.200 port received-on $ext_if nat-to ($ext_if)

On 2/13/2020 11:56 AM, Fabio Martins wrote:
Hi,

I am trying to redirect + NAT incoming packets without the need of a TCP Proxy. Currently I have the following setup to redirect hosts abusing SMTP to an email trap:

inetd listening in 127.0.0.1:8000 and redirecting to an external host

# inetd.conf
127.0.0.1:8000 stream tcp nowait _inetd_proxy /usr/bin/nc nc -w 20 200.200.200.200

and + pf rule redirecting the hosts:

# pf.conf
table persist file "/etc/pf/tables/spammers.txt
pass in log on egress proto tcp from to any port 25 \
    rdr-to 127.0.0.1 port 8000

I am trying to remove the inetd from the setup. With Linux iptables I would do a DNAT + MASQUERADE, but with PF I already tried:

# pf.conf
#1
pass in log on xnf0 proto tcp from to any port nat-to xnf0
#2
pass in log on egress proto tcp from to any port 25 \
    rdr-to 200.200.200.200 port

Rule #2 is correctly applied and changes the destination address to 200.200.200.200, but rule #1 (NAT) isn't applied. I believe it is possible to NAT an external connection without using a TCP Proxy.

Tried also the example from here: https://www.openbsd.org/faq/pf/rdr.html

pass in on $int_if proto tcp from $int_net to egress port 80 rdr-to $server
pass out on $int_if proto tcp to $server port 80 received-on $int_if nat-to $int_if

Without success.

Thanks!
Re: automounter (amd) local file system issue
On 2020-01-15 11:05, Strahil Nikolov wrote:
> On January 13, 2020 5:40:06 AM GMT+02:00, Nick Holland
> wrote:
>>On 2020-01-12 15:39, Antoine Jacoutot wrote:
>>> Sounds like something is keeping your fs busy. Could be gio-kqueue,
>>do you have glib2 installed?
>>
>>That would be my first guess, too -- it's not unmounting because it
>>shouldn't. But ... this is a VERY single purpose machine (backups
>>via rsync --link-dest), and the only third party package is rsync
>>and my scripts to do the backups. X is installed, but not running.
>>
>>$ pkg_info
>>intel-firmware-20191115p0v0 microcode update binaries for Intel CPUs
>>inteldrm-firmware-20181218 firmware binary images for inteldrm(4)
>>driver
>>quirks-3.216 exceptions to pkg_add rules
>>rsync-3.1.3 mirroring/synchronization over low bandwidth links
>>vmm-firmware-1.11.0p2 firmware binary images for vmm(4) driver
>>
>>I was careful to access the amd mounts by ls , while
>>sitting in my home directory, which is NOT part of the amd, so I
>>didn't have a task under a doas or su camped out on the amd vols.
>>
>>I've tested a lot of ways, but I just did an upgrade to -current and
>>immediately "looked" at the amd mount, so even my backup scripts
>>haven't run.
>>
>>Plus -- as a control, /v/2 has absolutely nothing on it, and it
>>behaves the same way. Not that something couldn't camp out on the
>>empty file system, but not much reason for something to do so.
>>
>>Thanks for looking!
>>
>>Nick.
>>
>>
>>>
>>> Antoine
>>>
>>>> On 13 Jan 2020, at 06:01, Nick Holland
>>wrote:
>>>>
>>>> Hiya.
>>>>
>>>> I'd like to use amd(8) to automatically mount and dismount local
>>file
>>>> systems. The file systems in question are big, lots of complicated
>>>> links, lots of files, and take a while to fsck if the power goes out
>>>> unexpectedly, and are used relatively rarely (maybe an hour a day).
>>>> Sounds like a perfect job for amd(8)!
>>>>
>>>> The file systems in question are mounted to /v/1 and /v/2
>>>>
>>>> I've got the following set up:
>>>>
>>>> $ cat /etc/rc.conf.local
>>
>>>> amd_flags=-l syslog -x all -c 10 -w 10
>>>> lockd_flags=
>>>> portmap_flags=
>>>>
>>>> $ cat /etc/amd/master
>>
>>>> /v amd.v
>>>>
>>>> $ cat /etc/amd/amd.v
>>>> 1 type:=ufs;dev:=/dev/sd2i
>>>> 2 type:=ufs;dev:=/dev/sd2j
>>>>
>>>>
>>>> AND it works!
>>>>
>>>> start the system up, I get this:
>>>>
>>>> $ df
>>>> Filesystem  512-blocks      Used     Avail Capacity  Mounted on
>>>> /dev/sd2a      1011676    203812    757284    21%    /
>>>> /dev/sd2h     10319836        48   9803800     0%    /home
>>>> /dev/sd2f      4136828        20   3929968     0%    /tmp
>>>> /dev/sd2d      8264188   2369920   5481060    30%    /usr
>>>> /dev/sd2e      2065116      2104   1959760     0%    /usr/local
>>>> /dev/sd2g      4136828     64920   3865068     2%    /var
>>>> amd:36583            0         0         0   100%    /v
>>>>
>>>> $ ls /v/1/
>>>> [...expected output from files and directories on that file
>>system...]
>>>>
>>>> $ df
>>>> Filesystem   1K-blocks       Used      Avail Capacity  Mounted on
>>>> /dev/sd2a       505838      83602     396946    17%    /
>>>> /dev/sd2h      5159918         24    4901900     0%    /home
>>>> /dev/sd2f      2068414         10    1964984     0%    /tmp
>>>> /dev/sd2d      4132094    1280264    2645226    33%    /usr
>>>> /dev/sd2e      1032558       1052     979880     0%    /usr/local
>>>> /dev/sd2g      2068414      32572    1932422     2%    /var
>>>> amd:92953            0          0          0   100%    /v
>>>> /dev/sd2i   2106117872  298739480 1702072504    15%    /tmp_mnt/dbu/v/1
>>>>
>>>> Success!!
>>>> well...no. Seems it never umounts the amd file systems. And that
>>is
>>>> basically the point of this exercise -- to increase the odds that a
>>FS
>>>> isn't mounted when the power goes out.
>>>>
>>>> Am I doing something wrong? Do I have inaccurate expectations of
>>>> what amd(8) does with local file systems?
>>>>
>>>> Nick.
>>>> ...
> Hi Nick,
>
> Can you test removing '-w 10' from the daemon's flags in order to test with
> the default 2min timeout.
>
> I have a vague feeling that 10 seconds is way too short...
You are right -- that was something I tried so I quit having to wait 5+ minutes every time I tried something different, so I stuffed absurdly short timeouts in place for testing, but there was no change. I've reverted those changes, and (as I expected), it is still not unmounting.

New:

$ cat /etc/rc.conf.local
amd_flags=-l syslog -x all
lockd_flags=
portmap_flags=

(the -x all was added to see if amd logged any dismount attempts or why they failed...nothing)

So thanks, but ... no change. :-/

Nick.
Re: automounter (amd) local file system issue
On 2020-01-12 15:39, Antoine Jacoutot wrote:
> Sounds like something is keeping your fs busy. Could be gio-kqueue, do you
> have glib2 installed?

That would be my first guess, too -- it's not unmounting because it shouldn't. But ... this is a VERY single purpose machine (backups via rsync --link-dest), and the only third party package is rsync and my scripts to do the backups. X is installed, but not running.

$ pkg_info
intel-firmware-20191115p0v0 microcode update binaries for Intel CPUs
inteldrm-firmware-20181218 firmware binary images for inteldrm(4) driver
quirks-3.216 exceptions to pkg_add rules
rsync-3.1.3 mirroring/synchronization over low bandwidth links
vmm-firmware-1.11.0p2 firmware binary images for vmm(4) driver

I was careful to access the amd mounts by ls , while sitting in my home directory, which is NOT part of the amd, so I didn't have a task under a doas or su camped out on the amd vols.

I've tested a lot of ways, but I just did an upgrade to -current and immediately "looked" at the amd mount, so even my backup scripts haven't run.

Plus -- as a control, /v/2 has absolutely nothing on it, and it behaves the same way. Not that something couldn't camp out on the empty file system, but not much reason for something to do so.

Thanks for looking!

Nick.

> —
> Antoine
>
>> On 13 Jan 2020, at 06:01, Nick Holland wrote:
>>
>> Hiya.
>>
>> I'd like to use amd(8) to automatically mount and dismount local file
>> systems. The file systems in question are big, lots of complicated
>> links, lots of files, and take a while to fsck if the power goes out
>> unexpectedly, and are used relatively rarely (maybe an hour a day).
>> Sounds like a perfect job for amd(8)!
>>
>> The file systems in question are mounted to /v/1 and /v/2
>>
>> I've got the following set up:
>>
>> $ cat /etc/rc.conf.local
>> amd_flags=-l syslog -x all -c 10 -w 10
>> lockd_flags=
>> portmap_flags=
>>
>> $ cat /etc/amd/master
>> /v amd.v
>>
>> $ cat /etc/amd/amd.v
>> 1 type:=ufs;dev:=/dev/sd2i
>> 2 type:=ufs;dev:=/dev/sd2j
>>
>>
>> AND it works!
>>
>> start the system up, I get this:
>>
>> $ df
>> Filesystem  512-blocks      Used     Avail Capacity  Mounted on
>> /dev/sd2a      1011676    203812    757284    21%    /
>> /dev/sd2h     10319836        48   9803800     0%    /home
>> /dev/sd2f      4136828        20   3929968     0%    /tmp
>> /dev/sd2d      8264188   2369920   5481060    30%    /usr
>> /dev/sd2e      2065116      2104   1959760     0%    /usr/local
>> /dev/sd2g      4136828     64920   3865068     2%    /var
>> amd:36583            0         0         0   100%    /v
>>
>> $ ls /v/1/
>> [...expected output from files and directories on that file system...]
>>
>> $ df
>> Filesystem   1K-blocks       Used      Avail Capacity  Mounted on
>> /dev/sd2a       505838      83602     396946    17%    /
>> /dev/sd2h      5159918         24    4901900     0%    /home
>> /dev/sd2f      2068414         10    1964984     0%    /tmp
>> /dev/sd2d      4132094    1280264    2645226    33%    /usr
>> /dev/sd2e      1032558       1052     979880     0%    /usr/local
>> /dev/sd2g      2068414      32572    1932422     2%    /var
>> amd:92953            0          0          0   100%    /v
>> /dev/sd2i   2106117872  298739480 1702072504    15%    /tmp_mnt/dbu/v/1
>>
>> Success!!
>> well...no. Seems it never umounts the amd file systems. And that is
>> basically the point of this exercise -- to increase the odds that a FS
>> isn't mounted when the power goes out.
>>
>> Am I doing something wrong? Do I have inaccurate expectations of
>> what amd(8) does with local file systems?
>>
>> Nick.
>>
>> OpenBSD 6.6-current (GENERIC.MP) #599: Sat Jan 11 18:52:00 MST 2020
>> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
automounter (amd) local file system issue
Hiya.

I'd like to use amd(8) to automatically mount and dismount local file systems. The file systems in question are big, lots of complicated links, lots of files, and take a while to fsck if the power goes out unexpectedly, and are used relatively rarely (maybe an hour a day). Sounds like a perfect job for amd(8)!

The file systems in question are mounted to /v/1 and /v/2

I've got the following set up:

$ cat /etc/rc.conf.local
amd_flags=-l syslog -x all -c 10 -w 10
lockd_flags=
portmap_flags=

$ cat /etc/amd/master
/v amd.v

$ cat /etc/amd/amd.v
1 type:=ufs;dev:=/dev/sd2i
2 type:=ufs;dev:=/dev/sd2j

AND it works!

start the system up, I get this:

$ df
Filesystem  512-blocks      Used     Avail Capacity  Mounted on
/dev/sd2a      1011676    203812    757284    21%    /
/dev/sd2h     10319836        48   9803800     0%    /home
/dev/sd2f      4136828        20   3929968     0%    /tmp
/dev/sd2d      8264188   2369920   5481060    30%    /usr
/dev/sd2e      2065116      2104   1959760     0%    /usr/local
/dev/sd2g      4136828     64920   3865068     2%    /var
amd:36583            0         0         0   100%    /v

$ ls /v/1/
[...expected output from files and directories on that file system...]

$ df
Filesystem   1K-blocks       Used      Avail Capacity  Mounted on
/dev/sd2a       505838      83602     396946    17%    /
/dev/sd2h      5159918         24    4901900     0%    /home
/dev/sd2f      2068414         10    1964984     0%    /tmp
/dev/sd2d      4132094    1280264    2645226    33%    /usr
/dev/sd2e      1032558       1052     979880     0%    /usr/local
/dev/sd2g      2068414      32572    1932422     2%    /var
amd:92953            0          0          0   100%    /v
/dev/sd2i   2106117872  298739480 1702072504    15%    /tmp_mnt/dbu/v/1

Success!!
well...no. Seems it never umounts the amd file systems. And that is basically the point of this exercise -- to increase the odds that a FS isn't mounted when the power goes out.

Am I doing something wrong? Do I have inaccurate expectations of what amd(8) does with local file systems?

Nick.
OpenBSD 6.6-current (GENERIC.MP) #599: Sat Jan 11 18:52:00 MST 2020
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Re: Odd /tmp behavior
On 2020-01-07 14:06, Karel Gardas wrote:
>
>
> On 1/7/20 7:38 PM, Jordan Geoghegan wrote:
>>
> Using softdep on /tmp is a silly idea.
>
> Why? To naive eyes it may look like a natural solution: e.g. before temp
> file is even created (on drive), it may be deleted which means there is
> no meta-data change hence speedup of operation on /tmp. In case of
> classical ffs, you will need to create file (sync meta-data update),
> save some data (async), delete file (sync meta-data update). But
> honestly still need to read the code...
>

I'm not going to go nearly as far as to say it's a silly idea (as I do it myself) but ... be aware softdep is funky. Weird stuff happens when Softdeps are working as designed. When you do things out of order, things happen...well, out of order.

So ...
create file
delete file
create file
delete file
create file
delete file
create file
delete file
create file
delete file

sounds perfectly safe, as long as "file" is smaller than available disk space, right? Softdeps...not so much. This can actually result in running out of disk space, as the deletes may not happen until after the creates.

Another place where softdeps will sometimes bite you is when you unpack tar balls that overwrite existing files -- simple thought process says, "as long as you have enough space to cover the growth, fine". Softdeps might surprise you. You may get an "out of disk space" error, and a minute later, see much more space than you thought you could ever need to accomplish the task, once the deletions have time to take effect.

So ... make sure you have lots of extra disk space...if things are snug, it's a bad place to use softdeps.

Nick.
Re: Boot fail using internal SATA port, success using USB port.
On 2020-01-05 12:29, hkew...@cock.li wrote:
> summary: OpenBSD installs to internal HDD from external USB but fails
> to load after the first reboot. If the HDD is removed from the internal
> port and is connected via a "SATA to USB" cable it boots successfully.
>
> I am a new and inexperienced user, excuse my ignorance.
>
> All the details and things I have tried so far:
>
> -All relevant UEFI options configured to legacy mode.

careful with this. Just because it says it supports legacy mode doesn't
mean the BIOS was extensively tested in legacy mode. I'd try both modes,
just for giggles.

> -minirootXX.fs copied to USB using rufus.
> -USB boot using legacy mode.
> -In install: whole disk mbr-auto config.

see above. :)

> -After reboot DELL logo is displayed 3 times. On the 3rd time it stays
> static.
> --Using gpt format instead results in an infinite boot loop.

oh. you did try GPT. nevermind.

> -Starting UEFI-menu(f2) or diagnostics(f5) or boot-menu(f12) appear to
> initiate but then stay static. The UEFI appears to be completely
> "bricked". There is no way to proceed.
> --Resetting UEFI using CMOS and booting with the HDD in internal port
> still renders UEFI "bricked" although it gives a PXE option because it
> is enabled by default in the now reset UEFI.
> --Merely performing a "clean" on diskpart(win7) to the HDD and plugging
> it back "unbricks" the UEFI.
> --Merely removing the HDD "unbricks" the UEFI.
> -Connecting HDD using "SATA to USB" cable(even without CMOS reset)
> works and OpenBSD boots.
> -Installing Windows 7(in the same manner OpenBSD was) works and boots
> from the internal SATA port.
>
> Deduction: There seems to be something not allowing OpenBSD to boot
> from the internal SATA port, in addition to it rendering the laptop
> unusable until the HDD is removed, cleaned or connected via USB port.
>
> I have taken the time to write all the UEFI configuration I use. Please
> check it if you think the problem stems from there.

ouch. However, the effort is appreciated.

> hardware: DELL Latitude e5440

Pretty sure I've tested one of those, they work.

As I recall, the E5440 is a few years old, and if I recall properly, the
battery wasn't very long-lived in it. And the Dells of that vintage had a
really wacked default -- someone decided it would be best to default to
"RAID" for disk mode. Yes, on a one drive laptop. For safety reasons,
OpenBSD (and many other non-windows OSs) disable disk access if the disk
controller is in RAID mode rather than AHCI or "legacy" mode.

So ... is it possible the CMOS battery is bad on your machine? This would
explain a "Power up, set up machine, install, reboot -- ok". "power off,
power back on later, won't successfully boot" (the kernel would load, but
be unable to access the disks and then panic).

I'm not convinced this is the problem, but might be.

Nick.
Re: Hardware for Access Point on OpenBSD
On 2020-01-01 13:42, Zé Loff wrote:
>
> On Wed, Jan 01, 2020 at 08:54:46AM -0700, List wrote:
>> Hi *,
>> I am currently building a home router based upon OpenBSD.
>> I therefore need some kind of WIFI Hardware. This piece of hardware
>> needs to be connected over usb.
>> Do you have any suggestions or recommendations ? As far as I can see
>> it's pretty hard to find an antenna which is connected via USB an runs
>> on a supported chipset. It is easy to get your hands on a
>> realtek-chipset driven device. But urtw(4) doesn't support Host AP
>> mode. Only ones that do are: athn(4), ral(4), ath(4).
>> Finding those is hard.
>>
>> Maybe you guys know things I couldn't find ?
>>
>> g,
>> Stephan
>>
>
> In all honesty, and I've tried what you are aiming for a couple of times
> in the past, it's just easier to get a dedicated AP (or a cheap wifi
> router with a cable on the ethernet switch, which is usually bridged
> with the wifi interface) and connect to an OpenBSD router which will
> do all the necessary packet filtering (including keeping the AP/router's
> firmware from reaching the internet, if needed be). IMHO this will be
> stabler and faster than trying to find an adequate wifi board. And
> these days you're bound to get nice perks like multiple SSIDs and
> 802.11ac speeds (or whatever the latest 802.11* protocol is), which
> AFAIK aren't available on OpenBSD yet. Also, note that (if I am not
> mistaken) ural(4) are the only USB Wi-Fi interfaces that can handle Host
> AP mode, and they only do 802.11b/g which is kind of slow by today's
> standards.

Agreed. Not only does the SW/HW work better, usually the best place to
put an AP is not the best place to put a router. My AP is in my attic,
my router is in my basement, with one chunk of CAT6 between them.
Putting an important radio receiver next to a bunch of RF-noisy
computers doesn't work so hot. :)

Nick.
Re: Hyperbola Gnu Linux changing to Bsd
On 2019-12-30 14:31, SOUL_OF_ROOT 55 wrote:
...
> What are the opinions of the OpenBSD developers about Hyperbola GNU/Linux?

Just my opinion...

A linux distribution (repacking other people's stuff) that I never heard
of is going to abandon their old work and users in favor of actually
making a new operating system, which will involve actually making code
and making it work "some day". What could go wrong?

Other than their rather twisted definition of "free", which has been
sufficiently hashed and rehashed, I don't see anything there to think
about. There's no product. Just a lot of words. And most of them are
stupid words.

I just spot checked one of the "license problems" they think they spotted
in the OpenBSD tree.
http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/sys/arch/landisk/include/endian.h?rev=1.2
What exactly are they planning on licensing in that?

When they have something to show...let's be real, I'll probably ignore
that, too. There's nothing about their goals and objectives that
interests me at all.

Nick.
Re: cvs checkout of src,ports and xenocara gives duplicate key msg
On 2019-12-15 09:42, putridsou...@gmail.com wrote:
> I recently did a checkout of the src,ports and xenocara
> repositories and was greeted by the following message on
> each checkout. After this the command proceeds smoothly.
> Also doing "echo $?" gives "0" so it's not a error.
>
> cvs server: duplicate key found for 'y'
>
> A quick search online tied this message to file corruption.
> On further testing, the message repeated itself. Can anyone
> indicate if this has something to do with my hard disk or
> anoncvs server.

You left out an incredible amount of information and context here, so
I'm going to say there's a PEBKAC here somewhere.

Now, if you want to tell us in detail what you are doing and what is
actually happening. Otherwise, best I can say is something ain't right.

Nick.
Re: Third server now locked up after reboot due to no keyboard attached
On 2019-12-14 14:28, Alfred Morgan wrote:
> I have now another machine running OpenBSD not recover from a reboot. I
> thought I was having hardware issues with my two other servers (both zbox)
> and now this third one (Dell) with totally different hardware is having the
> same problem getting stuck at the boot> prompt. The problem goes away and
> boots continue normally if I attach a USB keyboard in all three cases. I
> feel like this problem started showing up around OpenBSD 6.4. Is this a
> known issue?

certainly not a universal issue...(i.e., I haven't experienced it)

> When there is no keyboard attached the boot> prompt shows a box with a
> question mark in it looking like an unknown character. Picture showing this
> on bootx64 3.46:
> https://photos.app.goo.gl/7HAqQic6GArLGzaXA

Well...yeah. If the boot loader echoed anything, it's behaving As
Desired -- a char at the command line means "STOP ALL BOOTING, I have
something special I want you to do".

The boot loader is entirely dependent upon the firmware (BIOS), the
kernel isn't loaded, OpenBSD isn't running. There's not a lot that
OpenBSD can do about this -- the boot loader could "eat" all chars
sitting in the buffer, but that would make interrupting the boot process
just a little more difficult when you DO want to stop it.

However, I think there are a few things you might be able to do to solve
your problem...

1) BIOS upgrade. Long shot, but maybe?

2) BIOS config option? Also a long shot, but since I'd call this a boot
firmware bug, maybe some combination of USB related options would fix
this?

3) a boot.conf file should fix -- simply putting "boot" in
/etc/boot.conf should override anything in the keyboard buffer. Need to
"control" the boot? plug in a keyboard and hold down either CTRL key,
and you will be given the boot> prompt.

Nick.
> Here is the dmesg from my latest Dell server: > > OpenBSD 6.6 (GENERIC.MP) #3: Thu Nov 21 03:20:01 MST 2019 > r...@syspatch-66-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/ > GENERIC.MP > real mem = 8487182336 (8094MB) > avail mem = 8217251840 (7836MB) > mpath0 at root > scsibus0 at mpath0: 256 targets > mainbus0 at root > bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe (71 entries) > bios0: vendor Dell Inc. version "A02" date 11/14/2014 > bios0: Dell Inc. OptiPlex 3020M ...
Re: Softdep and noatime
On 2019-11-30 08:12, Raymond, David wrote:
> I am switching to OpenBSD from Linux and I have questions about the
> use of softdep and noatime in mounting disks. I have a variety of
> systems with a mix of SSDs and rotating disks.
>
> Softdep seems to have some advantages in speeding file access, but it
> is not the default. Are there any downsides in using softdep?

it's more complicated, and thus, will have more bugs.

My personal experience: I'd trust softdep more than any modern Linux
filesystem, BUT its still more complicated, and thus will have more bugs
than the default FFS.

> On SSDs in particular, is it worth setting noatime to reduce the
> number of disk writes?

Nothing to do with SSDs, as your quest to minimize writes on SSDs is
demonstrably stupid and pointless. SSDs fail much more often for reasons
other than write fatigue. Optimizing for write fatigue is like protecting
your ship against icebergs hitting the propeller.

VERY VERY few applications use atime, and yet, it requires an update to
the directory for EVERY SINGLE ACCESS. Ouch. So, it's a non-trivial
performance gain if you turn it off. That's a great reason to turn it
off. Not SSDs.

HOWEVER...if you don't need performance and you can't point to a real
benefit, as always, keep it on the default.

Nick.
Re: Installing OpenBSD -current snapshots
On 2019-11-29 02:26, Clay Daniels wrote:
> Nick, thanks for straightening me out about what is actually going on here
> with the install. I see that there is now a fresh snapshot with today's
> date, not the one I downloaded and ran yesterday. This might tend to keep
> one busy. I'm not sure I would not be better off doing what Bruno & Marc
> suggested and run sysupgrade. Thanks to them for the advice.

sysupgrade does upgrades of existing systems. Very slick. However, it
isn't for fresh installs, and if you have convenient console access, it's
not the preferred way of doing it. And based on the questions here, NO
WAY. You need to understand what's going on before you start doing
unattended upgrades. It also (by default) assumes network upgrades, and
if you are wanting everything on local media, there are existing better
solutions.

And yes, following current is a never-ending quest. However, problems
are relatively rare and usually not a big deal, and generally fixed on
the next snapshot.

> If I do decide to put the filesets on the the install thumbdrive, I see a
> total of 26 files in the directory. Obviously some are not necessary like
> the floppy or both the .fs & .iso (just one needed), nor the test
> instructions, etc.
> So which files do I REALLY need on my usb thumbdrive to get a complete
> install, x included?

STOP STOP STOP STOP. You need to re-read what I wrote and the install
part of the FAQ some more times. The install66.fs file is an image with
the *entire install set included*. You do not want to add things. You
COULD do some voodoo to add stuff to the miniroot66.fs, but PLEASE
DON'T...you would just be re-inventing the install66.fs, poorly and with
more difficulty.

>
> Please excuse the "top-posting". That's the only way my darn google mail
> does replies. Kind of irritating, to me and the reader too.

Bottom posting was invented for those who can't write in complete
thoughts with context. You know, like most of the computer world. :-/

Nick.
> Clay > > > > > On Thu, Nov 28, 2019 at 12:34 PM Nick Holland > wrote: > >> On 2019-11-27 21:29, Edgar Pettijohn wrote: >> > On Wed, Nov 27, 2019 at 08:05:30PM -0600, Clay Daniels wrote: >> >> I have successfully installed OpenBSD 6.6 release and would like to give >> >> the Current Snapshots a try. I went to a mirror, and to: >> >> >> >> Index of /pub/OpenBSD/snapshots/amd64/ >> >> >> >> I saw install66.fs (probably for usb memstick) and install66.iso (surely >> >> for a cd/dvd) at ~450Mb. I picked the install66.fs, wrote it to a usb >> >> thumbdrive, and it starts the install. When i get into the install it >> asks >> >> where are the file sets? Humm, maybe it gets these online and it tries >> to >> >> do this but no luck. It was late last night, and I checked to see if it >> had >> >> written anything to my disk, which it had not, and went to bed. This >> >> evening I'm looking a bit deeper at the snapshot directory and I >> suspect I >> >> need to provide the install with base66.tzg at ~239Mb. >> >> NO! >> >> [snip misleading stuff] >> > I noticed this also, but hadn't had time to figure out if I had messed >> up or >> > the installer had. As a general rule I assume its me that messed up. Its >> odd >> > if you mount the install66.fs you can see the pub/amd64 directory, but >> during >> > installation it can't seem to find the directory regardless of what I >> have >> > tried. >> > >> > Edgar >> >> First of all...nothing at all to do about snapshots -- the OpenBSD >> installation process has remained amazingly stable over the last 20 >> years. >> New options here and there, but overall, very similar. Unless something >> changed in the last few days, installing a snapshot is identical to >> installing 6.6. >> >> The installXX.iso and installXX.fs are complete, stand-alone installation >> kits. Everything you need is on them. You can boot from them, and all >> the installation files are right there. Look Ma! No network needed! 
>> ...well...unfortunately there is the issue of firmware files, which are >> legally not feasible to put on the install media, so you will need network >> for most machines eventually. But let's ignore that for now. :) >> >> Once the system has booted on the install kernel, you have three devices >> you are working with: >> 1) the install kernel's internal "RAM disk" that is part of bsd.rd which >> you booted from, >> 2) your target disk >> 3) the USB drive with the install f
Re: Installing OpenBSD -current snapshots
On 2019-11-27 21:29, Edgar Pettijohn wrote: > On Wed, Nov 27, 2019 at 08:05:30PM -0600, Clay Daniels wrote: >> I have successfully installed OpenBSD 6.6 release and would like to give >> the Current Snapshots a try. I went to a mirror, and to: >> >> Index of /pub/OpenBSD/snapshots/amd64/ >> >> I saw install66.fs (probably for usb memstick) and install66.iso (surely >> for a cd/dvd) at ~450Mb. I picked the install66.fs, wrote it to a usb >> thumbdrive, and it starts the install. When i get into the install it asks >> where are the file sets? Humm, maybe it gets these online and it tries to >> do this but no luck. It was late last night, and I checked to see if it had >> written anything to my disk, which it had not, and went to bed. This >> evening I'm looking a bit deeper at the snapshot directory and I suspect I >> need to provide the install with base66.tzg at ~239Mb. NO! [snip misleading stuff] > I noticed this also, but hadn't had time to figure out if I had messed up or > the installer had. As a general rule I assume its me that messed up. Its odd > if you mount the install66.fs you can see the pub/amd64 directory, but during > installation it can't seem to find the directory regardless of what I have > tried. > > Edgar First of all...nothing at all to do about snapshots -- the OpenBSD installation process has remained amazingly stable over the last 20 years. New options here and there, but overall, very similar. Unless something changed in the last few days, installing a snapshot is identical to installing 6.6. The installXX.iso and installXX.fs are complete, stand-alone installation kits. Everything you need is on them. You can boot from them, and all the installation files are right there. Look Ma! No network needed! ...well...unfortunately there is the issue of firmware files, which are legally not feasible to put on the install media, so you will need network for most machines eventually. But let's ignore that for now. 
:)

Once the system has booted on the install kernel, you have three devices
you are working with:
1) the install kernel's internal "RAM disk" that is part of bsd.rd which
you booted from,
2) your target disk
3) the USB drive with the install files on it.

The reason you can't see the install files on the USB stick from the
install kernel is they aren't mounted. You didn't boot from the entire
USB stick, you booted from ONE TINY LITTLE bsd.rd file, that just
happened to be sitting on the big USB stick...but as far as bsd.rd is
concerned, the USB stick isn't part of the booted environment (yet). You
aren't booting from a "Live Media". You are booting from a tiny kernel
with a built in file system that's sitting on the same inert file system
as the install files.

Read that over and over until you understand what I'm saying, not what
you are assuming is going on. It's really important to understand. It's
very different from many Linux installation processes -- you are running
off a file only 10MB in size which is now completely in RAM. That file
JUST HAPPENED to come from a USB stick that's much bigger.

So, when it comes to answering where your install files are, they are on
a disk, but it's NOT a mounted disk. It's on your USB drive that's not
mounted now, and won't be after installation, but could be useful
shortly.

Your next problem is...WHICH disk? On a minimal system, it would be the
next sd device after your install disk -- assuming you are installing to
sd0, your USB stick might be sd1. HOWEVER, if you have a flash media
reader on your system, who knows where it is. One trick would be to
unplug your USB drive and plug it back in and look at the white-on-blue
console messages that come up at you. Yes, you are unplugging your boot
device, sounds bad, but read what I wrote earlier, it's no longer using
that -- the boot has completed, and it's running from RAM now, it's
completely ignoring that USB drive.

So let's say you do this and you see it's sd4.
Tell the installer the files are coming from a file system not currently mounted and when it asks, tell it "sd4" Nick.
Re: Deleting softraid Devices Fujitsu Sparc
On 2019-11-27 11:23, Kihaguru Gathura wrote:
> Hi,
>
> An error while deleting softraid device follows
>
> --
> Available disks are: sd0 sd1 sd2.
> Which disk is the root disk? ('?' for details) [sd0] ?
> sd0: FUJITSU, MAT3073N SUN72G, 0602
> serial.FUJITSU_MAT3073N_SUN72G_000506B00RAR_AAN0P5200RAR (68.4G)
> sd1: FUJITSU, MAT3073N SUN72G, 0602
> serial.FUJITSU_MAT3073N_SUN72G_000506B00SSL_AAN0P5200SSL (68.4G)
> sd2: OPENBSD, SR RAID 1, 006 (68.4G)
> Available disks are: sd0 sd1 sd2.
> Which disk is the root disk? ('?' for details) [sd0] !
> Type 'exit' to return to install.
> www# bioctl -d sd2
> bioctl: Can't locate sd2 device via /dev/bio
>
>
> The aim is to remove the device from the system and then:
>
> # dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> # dd if=/dev/zero of=/dev/rsd1c bs=1m count=1
>
> to reuse the disks.
>
> Thanks,
>
> Kihaguru
>

The install kernels have very minimal disk support. In the case of
amd64/i386, it's one wd device -- wd0, not sure about sparc64, but I'd
bet a cheap lunch that sd2 is not there. :)

After booting your install kernel, do this:

   # cd /dev
   # sh MAKEDEV sd0 sd1 sd2

or whatever you need to accomplish your task at hand. NOW you will be
able to do what you wish.

Yes, the installer script does this for you. And yes, this is a common
issue regardless of platform.

Nick.
Re: Home NAS
On 2019-11-17 11:39, Jean-François Simon wrote: > Hi, > > I found it, there exist glastree which is available from ports. > > Nice small "poor man's" backup as the author qualifies, > though makes incremental backup through hard links: > > # if yesterday does not exist or today is newer, copy the file > # else hard link the file to yesterday rsync --link-dest -- it's been in rsync for well over 10 years at this point. Little wrapper shell script and away you go... Nick.
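The "little wrapper shell script" the reply above has in mind, written out here as an added example (it is not glastree, nor anything from the rsync project). It assumes a layout of one directory per run under the backup root plus a "latest" symlink pointing at the most recent completed snapshot; those names and the timestamp format are this example's choices. Files unchanged since "latest" become hard links to it, so an unchanged tree costs only directory entries, and the snapshot is written to a ".partial" directory and renamed only when rsync finishes, so an interrupted run never becomes "latest".

```sh
#!/bin/sh
# Hard-linked snapshot backups with rsync --link-dest.
#
#   snapshot_backup SRC DESTROOT [STAMP]
#
# Produces DESTROOT/STAMP (STAMP defaults to the current date and time)
# containing a copy of SRC. Files that match the previous snapshot in
# size and mtime are hard-linked to it instead of copied. Prints the
# path of the finished snapshot.
set -eu

snapshot_backup() {
    src=$1
    mkdir -p "$2"
    dest=$(cd "$2" && pwd)            # --link-dest wants an absolute path
    stamp=${3:-$(date +%Y-%m-%d_%H%M%S)}

    link=""
    if [ -d "$dest/latest" ]; then    # first run has nothing to link against
        link="--link-dest=$dest/latest/"
    fi

    # -a keeps permissions/mtimes (needed for the size+mtime match),
    # --delete mirrors removals, the trailing slashes copy contents not dir.
    rsync -a --delete $link "$src/" "$dest/$stamp.partial/"
    mv "$dest/$stamp.partial" "$dest/$stamp"
    ln -sfn "$stamp" "$dest/latest"   # relative link survives moving DESTROOT
    echo "$dest/$stamp"
}

# Stand-alone use: snapshot.sh /home /backup/home
if [ $# -ge 2 ]; then
    snapshot_backup "$1" "$2"
fi
```

Pruning old snapshots is just `rm -rf` of the dated directory: because every snapshot holds its own links, deleting one never affects the others.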
Re: OpenBSD and solid state disks
On 2019-11-02 16:10, Raymond, David wrote:
> I recently installed OpenBSD on a Lenovo X1 Carbon with a solid state
> drive and it works great.

yep.

> My question is whether OpenBSD addresses the special characteristics
> of solid state drives, especially those having to do with longevity
> and reliability.

Just use them, and plan on replacing them when they need to be replaced,
or at least demoting them to "when this fails, I won't cry" uses.

In other words, treat them JUST LIKE EVERY OTHER DRIVE. If I hand you a
five year old magnetic drive, would you put it in a mission critical
application? Probably not. If you have five year old hardware in a
mission critical application, you should be looking at replacement.
Treat your SSDs exactly the same way, you will have no problems.

Used very hard, SSDs last many years. Used like most people use a
laptop, you will be replacing for other reasons (capacity, hw it is in
is uselessly old, etc.) long before the drives wear out.

The obsession with SSD write fatigue is silly. All drives can (and do)
fail, you must have a plan to deal with that, and in my experience with
SSDs, write fatigue is NOT the primary killer, it's just a predictable
one.

Nick.
Re: Will Theo de Raadt and other OpenBSD developer answer this topic (https://marc.info/?l=openbsd-misc=157234932505571=2)?
On 2019-10-29 23:50, Clark Block wrote: > Will Theo de Raadt and other OpenBSD developer answer this topic ( [...link to drivel deleted...] What, are you looking for someone to provide comments on your term paper? Ok, You did cite a reference, not proper bibliography format. It's been a long time, but I thought they did teach proper citing of references in sixth grade. Bonus points for reading a book. Lost points for only one source. But nothing you have said qualifies as profound for anything above primary school level. Nothing indicates you actually KNOW anything about the topics you write. Dude. You post meaningless crap on this list and yet show no evidence of actually being an OpenBSD user. You think you have great ideas about how things should be done? Prove it. DO something. Don't talk about it. If your desire in life is to argue about the number of angels that can dance on the head of a pin or "best programming languages" or "desktop experience", please, go elsewhere. Nick.
Re: Misc i386 questions
On 10/13/19 12:39 AM, Sean Kamath wrote:
> Doh!
>
> set tty com0
>
> Alix is coming along OK now. Still have questions about i386 and
> SCSI. . .
>
> Sean
>
>
>> On Oct 12, 2019, at 23:13, Sean Kamath
>> wrote:
>>
>> Hi.
>>
>> In my odyssey to get larger disks on my Alix machines, I bought
>> some 16G CompactFlash cards. I put install65.fs on a card and tried
>> to boot it on the Alix, but it just reboots after it loads the
>> kernel.
>>
>> Meanwhile, the VM I used to dd the install65.fs file to the CF card
>> is running 6.0, so figured I should update it (with a reinstall,
>> rather than updates). I tried to boot bsd.rd and install 6.5, but
>> it didn't see the SCSI drive on the VM (but 6.0 did with no
>> issue). I even downloaded install65.iso and tried to install on a
>> brand new VM (VMware Fusion 11.5 on a Mac running Mojave) with a
>> SCSI drive, but nope. IDE drives are seen just fine.
>>
>> So. . . did I just miss something about i386 and SCSI support?

What SCSI hw are you emulating in your VM? What happens if you change
that?

And to be clear -- when you say it doesn't see the SCSI drive, how are
you not seeing it (i.e., what did you do to "see it" and what was the
result?).

Nick.
Re: BACK TO BASICS
On 10/9/19 11:19 AM, openbsd.s...@0sg.net wrote: > Here's what I think. ...[bla bla bla]... > Amirite ? ;) I don't know. Let's see your work. I don't care what your theoretical arguments are, I want to see results. Nick.
Re: A sad raid/fsck story
On 10/4/19 8:37 AM, sven falempin wrote:
...
> How [do I] check the state of the MIRROR raid array , to detect large
> amount of failures on one of the two disk ?
>
> Best.
>

fsck has NOTHING to do with the status of your drives. It's a File
System ChecKer. Your disk can be covered with unreadable sectors but if
the file system on that disk is intact, fsck reports no problem.
Conversely, your disks can be fine, but your file system can be
scrambled beyond recognition; bad news from fsck doesn't mean your drive
is bad.

To check the status of the disks, you probably want to slip a call to
bioctl into /etc/daily.local:

   # bioctl softraid0
   Volume      Status               Size Device
   softraid0 0 Online      7945693712896 sd2     RAID1
             0 Online      7945693712896 0:0.0   noencl
             1 Online      7945693712896 0:1.0   noencl

This is a happy array. If you have a bad drive, one of those physical
drives is going to not be online.

Nick.
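A daily.local check that does more than mail the raw bioctl listing, as an added example (not from the thread or from OpenBSD): it parses the volume listing in the layout shown above and complains only when a volume or one of its chunks is not Online, so a degraded mirror stands out in the daily mail instead of hiding in a table that looks the same every day. The two sample listings are constructed for the example; the "Degraded"/"Offline" wording and the chunk names in angle brackets are assumptions about what bioctl prints for a failed member.

```sh
#!/bin/sh
# softraid_check: read a bioctl(8) volume listing on stdin, print every
# row whose Status column is not "Online", exit 0 if all rows are Online
# and 1 otherwise. Copy the function into /etc/daily.local and add:
#
#     bioctl softraid0 | softraid_check || echo "softraid0 NEEDS ATTENTION"
#
# Layout handled (header, then one volume row, then one row per chunk):
#   Volume      Status               Size Device
#   softraid0 0 Online      7945693712896 sd2     RAID1
#             0 Online      7945693712896 0:0.0   noencl <sd0a>
# Volume rows start with the controller name, so Status is field 3 there
# and field 2 on chunk rows; nothing after the Status column is inspected.
softraid_check() {
    awk '
        NR == 1 { next }                          # skip the header
        {
            status = ($1 ~ /^softraid[0-9]+$/) ? $3 : $2
            if (status != "Online") { print; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed sample listings (the second is what a lost mirror member
# is assumed to look like; wording is an assumption, not captured output).
HEALTHY='Volume      Status               Size Device
softraid0 0 Online      7945693712896 sd2     RAID1
          0 Online      7945693712896 0:0.0   noencl <sd0a>
          1 Online      7945693712896 0:1.0   noencl <sd1a>'

DEGRADED='Volume      Status               Size Device
softraid0 0 Degraded    7945693712896 sd2     RAID1
          0 Online      7945693712896 0:0.0   noencl <sd0a>
          1 Offline     7945693712896 0:1.0   noencl <sd1a>'

# Stand-alone demo: report on the sample instead of a real controller.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$DEGRADED" | softraid_check || echo "softraid0 NEEDS ATTENTION"
fi
```

daily(8) mails whatever daily.local prints, so the function's own output (the offending rows) plus the trailing message is all the alert you need; a healthy array prints nothing.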
Re: A sad raid/fsck story
On 10/3/19 10:01 AM, sven falempin wrote:
> Dear readers,
>
> I was running a OpenBSD (6.4) device, with a raid mirror array.
> One of the disk failed, so the system ask me to fsck,

Probably not quite that simple. More likely, the disk failed, that took
the system down hard, and it needed an fsck on reboot. Which is normal,
RAID or otherwise.

> which I did before checking the raid status manually ( :'( ) ,
> THEN I rebooted and softraid told me: one of the hard drive is dead.
>
> But fsck already destroyed a few file on the mirror.

that seems unlikely. that's not what fsck does -- fsck's job is to
repair a file system. If it removes a file, the file is already damaged.

> Probably a user error, nevertheless, In openbsd 'simply work' mindset,
> maybe the /etc/rc could warn or even perform some bioctl check on raid
> array when first fsck / mount
> fails.

I'm not seeing what this has to do with RAID, soft or otherwise. If your
system needed an fsck, it needed it whether it was a simple drive or a
RAID array. If you need an fsck, you are likely to have lost data.

> ( Lost data recovered from backup )

And again...nothing to do with either fsck or RAID -- you have to have
a backup. RAID doesn't change that.

Nick.
Re: How can I contribute code to openbsd
subject fixed, hopefully. :)

On 9/28/19 7:05 PM, cc wrote:
>
> Hello,
>
>
> I recently started to study openbsd. I am a computer major student. How can I
> contribute to openbsd?
>

   # pseudocode: the CamelCase names stand for things you do, not commands
   while ! dead; do
       DoSomething
       submission="sucks"       # Accept this. It's probably true.
       while [[ $submission == "sucks" ]]; do
           SubmitIt
           AcceptCriticism
           learn
           if [[ $criticism == "no way" ]]; then
               break            # not everything is appropriate.
           fi
           reviseBasedOnCriticism
       done
       # Congrats, your submission was accepted!
   done                         # not dead yet.

People usually screw up on accepting that their first submission sucks.
And they really get confused when they are told what to fix and resubmit
it, "why doesn't the committer just do it?" That's where the "learn"
step comes in -- the committer is trying to help you get a point your
submissions DON'T suck initially.

Find something you want to fix or improve...do it, and enter the loop.
:)

Nick.
Re: How can I remove sets installed by sysupgrade?
On 9/17/19 12:23 PM, Marc Espie wrote:
> On Tue, Sep 17, 2019 at 02:31:59PM -, Stuart Henderson wrote:
>> (To be clear, I think installing a restricted subset of the OS for
>> security reasons is pointless here, but can be really helpful when you
>> have to deal with limited space in partitions - and those just saying
>> "storage is cheap" are ignoring the often very real cost of getting
>> to the machine to replace the storage :)
>
> Ditto.
>
> We still run on somewhat cramped machines, and even replacing an SD card
> with a bigger model might sometimes be an issue because of various reasons.
>
> ... or stuff with utterly outdated controler formats, where you may
> get in situations that your SCSI3 disk buys it and that's it, no more
> full installs for you.
>

Ditto followed by a single quote?

We also work great on some really slow storage, like USB flash drives.
Leaving out x*tgz, and compXX.tgz are big time savers when upgrading a
flash based install. On the other hand, KARL and library randomization
are also killing those solutions...so I guess it might be time to move
on?

Nick.
Re: authpf unable to exit ssh without control C
On 9/15/19 7:31 AM, shadrock uhuru wrote:
> hi everyone
> i can login with authpf but unable to exit or control D out of the ssh
> session
> the only way out is to control C which also kills any other ordinary ssh
> user connected to the server
> my authpf user has authpf as its login shell and login class,
> is this normal behaviour ?
> shadrock
>

If I understand your request, you want someone to log into your system,
which brings up authpf, and you want them to be able to do something to
exit to a shell prompt on that server and still leave the authpf rules
in place?

That's not the way authpf was designed. The idea is that when authpf is
invoked, it activates certain rules, presumably regarding the IP address
in question, and when authpf exits, it removes those changes. Connect
to authpf, now you can access the web site, or FTP or whatever it is
you need, terminate authpf, and no one else at your IP can do those
things.

If you are letting these same users access the shell prompt, your usage
is not as paranoid as authpf was designed to deal with, it's probably
not the right tool for the job, or your expectations are wrong.

I run a private IRC server, which is blocked on the 'net by PF, but as
all the users are people I know in real life and friends, I trust them
to be able to activate their own IP addresses, so I just wrote a simple
(and surely insecure) script to add that user's IP address to the PF
table that permits them access to the system. What this doesn't do (and
I'm not sure how you expect to do this) is clear the connections when
they leave. In my case, I don't care -- the odds that after Fred gets a
new IP address that his old IP address will end up in the hands of
someone wanting to have access to my IRC server for malicious reasons
(and they find it!) is pretty small. But that might not be your use
case. If you need to close those openings...you had best think hard
about how you expect that to happen.

Nick.
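The "add the user's IP to a PF table" script described above, plus the part it admittedly lacks: revoking the entry (and the states it created) when the session ends, which is exactly the behaviour authpf(8) provides and the reason a shell prompt and authpf don't mix. This is an added example, not the poster's script and not authpf itself. It assumes pf.conf has a rule like `pass in proto tcp from <irc_users> to port 6667` and that the script runs as the user's login shell over SSH, where sshd exports SSH_CLIENT as "client-ip client-port server-port"; the table name and the sleep loop that holds the session open are this example's choices.

```sh
#!/bin/sh
# Grant the SSH client's address access via a pf table for the life of
# the session, then revoke it on any exit (logout, ^C, hangup).
PFCTL=${PFCTL:-/sbin/pfctl}
TABLE=${TABLE:-irc_users}

# client_ip [ssh_client_string] -> first word of SSH_CLIENT, the address
client_ip() {
    set -- ${1:-$SSH_CLIENT}
    printf '%s\n' "$1"
}

# pf_grant IP -> add IP to the table
pf_grant() {
    "$PFCTL" -t "$TABLE" -T add "$1"
}

# pf_revoke IP -> remove IP from the table AND kill its existing states,
# otherwise an established connection keeps working after the table change
pf_revoke() {
    "$PFCTL" -t "$TABLE" -T delete "$1"
    "$PFCTL" -k "$1"
}

# session: what runs as the login shell. No shell prompt is ever offered;
# the only thing the user can do is hold the session open or end it.
session() {
    ip=$(client_ip)
    case $ip in
        '') echo "no SSH_CLIENT in environment, refusing" >&2; return 1 ;;
    esac
    pf_grant "$ip" || return 1
    # revoke on every exit path; clear the EXIT trap so it runs once
    trap 'pf_revoke "$ip"; trap - EXIT; exit' EXIT INT HUP TERM
    echo "access granted to $ip; close this session to revoke it"
    while :; do sleep 60; done
}

# Install as the user's shell and invoke with the "login" argument, e.g.
# a /usr/local/bin/irc-shell that runs:  exec sh /path/to/this login
case ${1:-} in
    login) session ;;
esac
```

The trap is the important part: authpf does the same cleanup when its process exits, which is why the original poster's users cannot "control D out" to a shell while keeping the rules, and why killing the authpf process is the only way to end it. If a shell is needed after all, the rules have to be removed some other way (expiry, a cron sweep), which is what the reply above warns about.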
Re: handling snapshot installation in production environment
On 9/2/19 6:48 AM, Marcus MERIGHI wrote: > Hello Joerg, > > just passing on my user experience...: > > streckf...@dfn-cert.de (Joerg Streckfuss), 2019.09.02 (Mon) 10:15 (CEST): >> Furthermore I'm not sure which snapshot should I run. Almost every day >> there will be a fresh one. > > you seem to be watching closely, therefore you will notice a time when > there are no new daily snapshots for a couple of days. this is usually > when the next release is tagged/built. additionally you can monitor > ports@ to see when the ports tree gets locked for the next release. Careful with this ... While this is what I used to do (which is kinda odd, since I only run snapshots!), in recent releases, especially since the CD production was cut out of the release process, the time between "tagging" and resumed development and new snapshots has dropped a LOT to the point that it's difficult to catch. I think Ian's tip is a bit safer. Nick.
Re: obsd web server
On 9/1/19 5:49 PM, Gustavo Rios wrote:
> Hi folks,
>
> i would like to configure my obsd server as a web server.
>
> I would like to configure my web server to handle multiple domains
> without having to set each domain one by one.
>
> I mean:
> Every request for www.x.com is mapped into the root directory
> /var/web/www.x.com
>
> Got the idea ? If a new server is required, All i needed to do would
> create a directory inside /var/web with the full access string :
>
> mkdir /var/web/www.newdomain.com
>
> And i should not need to manipulate config files.
>
> Thanks in advance

I don't think that's doable as you request, nor do I think it is a noble goal. Unless you have a really really unusual use case, you will have per-site specific settings -- for example, HTTPS certificates.

HOWEVER, with some trivial scripting, you can easily accomplish something that appears to be what you request. When you have a lot of similar things to manage, think scripts. :)

Here's a primitive and untested concept:

newweb:

    #!/bin/ksh
    # $1 is the new domain name
    mkdir -m755 /var/www/"$1"
    # "whomever" is a placeholder: the user the site's files should belong to
    chown whomever /var/www/"$1"
    # append a server block; \$ext_addr is left for httpd.conf's own macro,
    # not expanded by the shell
    cat >>/etc/httpd.conf <<__ENDSITE
    server "$1" {
        alias "www.$1"
        listen on \$ext_addr port 80
        log style combined
        log access "$1.access"
        log error "$1.error"
        root "/$1"
    }
    __ENDSITE
    /etc/rc.d/httpd reload

Now, in real life, you would want to flesh out that config a bit more, and you would probably want to save a copy of the httpd.conf file, and check if httpd errored, and if so, restore the old copy. Lots of other error checking would be appropriate as well.

You could also just do something more sophisticated, like create an httpd.d directory and create a template domain.conf file in there for each one, and just add an "include" line in your httpd.conf for each new domain. Now when you decide that all your domains are NOT just alike, you can easily rev the ones that are different.

Nick.
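A fleshed-out version of the newweb idea with the error handling Nick mentions, written as an added example and not as his script: it refuses domain names that would land a "..", "/" or quote in a filesystem path or unescaped in httpd.conf, backs up httpd.conf, validates the new config (httpd -n by default) and restores the backup if validation fails. The paths, the check command and the reload command are variables defaulting to the values from the post so the functions can be exercised against a scratch directory; OWNER is an optional assumed placeholder.

```sh
#!/bin/sh
# Added example (not the poster's script): safer "newweb" helper.
# Defaults match the post; override them to run against a scratch directory.
HTTPD_CONF="${HTTPD_CONF:-/etc/httpd.conf}"
WEBROOT="${WEBROOT:-/var/www}"
OWNER="${OWNER:-}"                      # optional owner of the new docroot
# httpd -n parses the config without starting the daemon; overridable so the
# rollback logic can be tested where httpd is not installed.
CHECK_CMD="${CHECK_CMD:-httpd -n -f $HTTPD_CONF}"
RELOAD_CMD="${RELOAD_CMD:-/etc/rc.d/httpd reload}"

# Accept only a plain hostname: labels of [A-Za-z0-9-] joined by single dots.
# Anything else (empty, "..", "/", quotes, braces, spaces) is rejected before
# it can reach mkdir or the config file.
valid_domain() {
    case "$1" in
        ''|*..*|*/*|.*|*.|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Print the server block for one domain. $ext_addr is escaped so it stays a
# macro for httpd.conf to expand rather than being expanded by the shell.
server_block() {
    cat <<__ENDSITE
server "$1" {
    alias "www.$1"
    listen on \$ext_addr port 80
    log style combined
    log access "$1.access"
    log error "$1.error"
    root "/$1"
}
__ENDSITE
}

# Create the docroot, append the block, validate the config, roll back on
# failure. Returns 0 only if the new config passed the check and was reloaded.
add_site() {
    domain="$1"
    if ! valid_domain "$domain"; then
        echo "newweb: bad domain name: $domain" >&2
        return 2
    fi
    if grep -qF "server \"$domain\" {" "$HTTPD_CONF" 2>/dev/null; then
        echo "newweb: $domain already configured" >&2
        return 3
    fi
    mkdir -p -m 755 "$WEBROOT/$domain" || return 1
    if [ -n "$OWNER" ]; then
        chown "$OWNER" "$WEBROOT/$domain" || return 1
    fi
    backup="$HTTPD_CONF.bak.$$"
    cp "$HTTPD_CONF" "$backup" || return 1
    server_block "$domain" >> "$HTTPD_CONF"
    if ! sh -c "$CHECK_CMD"; then
        echo "newweb: config check failed, restoring $HTTPD_CONF" >&2
        mv "$backup" "$HTTPD_CONF"
        return 4
    fi
    rm -f "$backup"
    sh -c "$RELOAD_CMD"
}
```

Run as `add_site example.org` from a wrapper script; the docroot is created before the config is touched, so a rejected config leaves an empty directory but a working httpd.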
Re: Recommended web and database server specification
On 8/14/19 9:20 PM, Aaron Mason wrote:
> Hi Tito
>
> Can you tell us more about the database? How often will its data be
> changed, added to, etc? How much data do you have? How complex are
> your DB queries? These answers will help determine the RAM and
> processor requirements for the database.
>
> As for the web server daemon itself, I think Reyk Floeter would be the
> best placed to answer that question - also paging Nick Holland for
> more hardware expertise.
>
> On Thu, Aug 15, 2019 at 12:57 PM Tito Mari Francis Escano
> wrote:
>>
>> Hi to everyone at misc,
>>
>> I'm recently working on an OpenBSD-based PHP7 web application with
>> PostgreSQL-backend for a local government agency and was wondering what
>> would you recommend as the acceptable server specification. This web
>> application won't reach the Google or Facebook level of visits per day,
>> but I was hoping to prepare this be deployed and run for quite a long
>> time and ready for about 60,000 visits per day at most.
>>
>> Your advise and recommendation would be greatly appreciated. Thanks so much.

Dang, somehow, I've got a bad habit of hitting CTRL-ENTER at the end of lines, and that's "SEND" on some mail clients. Did that twice in the 24 hours on two different mail clients. sigh.

ANYWAY...

60,000 hits per day isn't the question. Rarely does load come in evenly spread out, usual things are spikey -- after school, after work, before work, whatever. So the scaling question is "how many hits per second can you expect peak?" and "how much delay will your users tolerate at that peak moment?"

And really, you need to test your own app in your own environment with your expected peak load.

IF your bosses are insisting on "buy once for five years", you are going to horribly overspend. They are damn fools. But, they are also "The Boss", so you live by 'em. You will save a lot of money by buying something that will PROBABLY work for a year or so, and replace it *IF* it turns out to be undersized.

If you want to do it right, take an old pc with a standard SATA disk, build it out as a web server, and load test it with your peak expected load with your application being used in a realistic way. If it works, get a faster server with more memory and use SSDs, and you will be in great shape.

Nick.
Re: Recommended web and database server specification
On 8/14/19 9:20 PM, Aaron Mason wrote:
> Hi Tito
>
> Can you tell us more about the database? How often will its data be
> changed, added to, etc? How much data do you have? How complex are
> your DB queries? These answers will help determine the RAM and
> processor requirements for the database.
>
> As for the web server daemon itself, I think Reyk Floeter would be the
> best placed to answer that question - also paging Nick Holland for
> more hardware expertise.
>
> On Thu, Aug 15, 2019 at 12:57 PM Tito Mari Francis Escano
> wrote:
>>
>> Hi to everyone at misc,
>>
>> I'm recently working on an OpenBSD-based PHP7 web application with
>> PostgreSQL-backend for a local government agency and was wondering what
>> would you recommend as the acceptable server specification. This web
>> application won't reach the Google or Facebook level of visits per day,
>> but I was hoping to prepare this be deployed and run for quite a long
>> time and ready for about 60,000 visits per day at most.
>>
>> Your advise and recommendation would be greatly appreciated. Thanks so much.

heh. got called out, doesn't take much to make me start talking. :)
Re: Multiple video cards in X?
On 6/28/19 5:01 AM, Joe M wrote:
(yes, over a month ago...)
> Hello,
>
> I have multiple video cards (AMD Radeon) cards working with OpenBSD.
> I have 2 monitors connected to each card (HDMI and DVI ports).
>
> The issues are that I can use only fvwm and I cannot move x windows
> across the video cards. I can move x windows across monitors
> connected to the same video card though.
>
> I tried to hack around the Xenocara codebase to figure out if I can
> fix it. During my adventures, I realized that though Xenocara can be
> modified to support this, the issue is in the radeon driver
> (radeondrm, I think). At that point, I gave up as I did not have the
> bandwidth to figure out how radeondrm works.
>
> It took me quite a lot of time to figure out the correct
> configuration. I was hoping that I could get cwm to work. But, I
> could not. Only fvwm works. I did not bother to dig through why.
>
> joe:10114$ cat /etc/X11/xorg.conf
>
> # get the xorg.conf.firstcard and xorg.conf.secondcard to work
> # startx                                      # uses xorg.conf
> # cd /etc/X11; start -- :1 -config xorg.conf.secondcard   # to get the second card working
> # once both of them work, below is bringing them together to show all monitors at the same time
>
> # leave out the monitor sections as the X fills up the holes
>
> Section "ServerLayout"
>     Identifier "Default Layout"
>     Screen 0 "Screen 0"
>     Screen 1 "Screen 1" RightOf "Screen 0"
> EndSection
>
> Section "Screen"
>     Identifier "Screen 0"
>     Device "Card 0"
> EndSection
>
> Section "Device"
>     Identifier "Card 0"
>     Driver "radeon"
>     BusID "PCI:1:0:0"
>     #Option "Monitor-HDMI-0" "HG281D"
>     Option "Monitor-DVI-0" "AL2223W"
> EndSection
>
> Section "Monitor"
>     Identifier "AL2223W"
>     Option "LeftOf" "HDMI-0"
> EndSection
>
> Section "Screen"
>     Identifier "Screen 1"
>     Device "Card 1"
> EndSection
>
> Section "Device"
>     Identifier "Card 1"
>     Driver "radeon"
>     BusID "PCI:11:0:0"
> EndSection
>
> joe:10131$ tail -5 /home/j/.xsession
>
> # cwm cannot spawn multiple cards
> # exec /usr/X11R6/bin/cwm
> exec fvwm
>
> Hope it helps.

Quite a bit, if nothing else, just gave me hope and a starting place!

Here's what I ended up with as a MINIMAL xorg.conf that seems to work for me, with the same quirks you describe:

==
Section "ServerLayout"
    Identifier "Default Layout"
    Screen 0 "Screen 0"
    Screen 1 "Screen 1" Above "Screen 0"
EndSection

Section "Screen"
    Identifier "Screen 0"
    Device "Card 0"
EndSection

Section "Screen"
    Identifier "Screen 1"
    Device "Card 1"
EndSection

Section "Device"
    Identifier "Card 0"
    Driver "radeon"
    BusID "PCI:3:0:0"
EndSection

Section "Device"
    Identifier "Card 1"
    Driver "radeon"
    BusID "PCI:4:0:0"
EndSection
==

I added some monitor sections and not only did it work exactly as it does with this, I couldn't make it do anything better or different.

Key parts:
* the BusID lines seem critical. Otherwise, just get first card.
* a "Screen" appears to be all monitors attached to one Device.
* My primary video card ("Screen 0") is attached to two monitors on my desk, the secondary video card ("Screen 1") is attached to two monitors above them. Hence, the "Screen 1" Above "Screen 0"

I found Fluxbox seems to work with all four monitors as you described fvwm doing. The mouse can move appropriately between all four monitors, but tasks can only go side-to-side in one "screen" (two monitors). This, I was actually excited about, as I wanted to be able to have multiple INDEPENDENT desktops between monitors. Ok, I got it between PAIRS of monitors. Doesn't suck.

What DOES suck is some of the apps I wanted on both screens...don't. Firefox and Chrome both refuse to start a new instance in the other screen. Not the end of the world, there are more browsers out there, I suspect I can run iridium or something similar in one "screen" and a cousin in the other.

My "screens" are slightly dissimilar -- screen 0 is two 1920x1200 monitors, screen 1 is two 1920x1080 monitors. No issues noted.

The login box and the ssh key box are centered between two monitors. Annoying, but not a show stopper.

In general, while two monitors on one card seemed to keep track of
Re: problem to copy a (possibly large) file over a network device
On 7/31/19 3:45 AM, Rudolf Sykora wrote:
> Dear list,
[probably irrelevant stuff snipped]
> I actually wanted to do a backup of the subtree with rsync over the
> network, but that didn't work, spitting sth. like
>
> rsync error: unexplained error (code 255) at io.c(820) [sender=3.1.3]
> [sender] _exit_cleanup(code=10, file=io.c, line=820): about to call
> exit(255)
...

Well, that looks broke. Not supposed to do that.

> As I have no idea what can cause this behaviour, I am asking for any
> help.

Well, looking at the version of OpenBSD that you are using ... oh.

Well, your dmesg shows ... hmm.

Looking at your rsync command line I see ... well...

Your environment is ... hm. no idea about that either.

Not much to work with you on here other than you got an error message you probably shouldn't have got.

As for your follow up, no, there is no setting deliberately set to, "don't work properly" you need to change to "work correctly" in OpenBSD.

Nick.
Multiple video cards in X?
Hiya.

Before I spend a lot of time on what might be impossible, is it likely I could succeed at getting multiple multi-head video cards working on OpenBSD (amd64, radeon cards)?

I've got this in the machine:

OpenBSD 6.5-current (GENERIC.MP) #2: Sun Jun 2 00:29:17 MDT 2019
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
ppb2 at pci0 dev 3 function 0 "Intel X58 PCIE" rev 0x22: msi
pci3 at ppb2 bus 3
radeondrm0 at pci3 dev 0 function 0 "ATI Radeon HD 5450" rev 0x00
drm0 at radeondrm0
radeondrm0: msi
ppb3 at pci0 dev 7 function 0 "Intel X58 PCIE" rev 0x22: msi
pci4 at ppb3 bus 4
radeondrm1 at pci4 dev 0 function 0 "ATI Radeon HD 3450" rev 0x00
drm1 at radeondrm1
radeondrm1: msi

... so I got a pair of cards recognized. Two monitors on one card Just Work with X with no xorg.conf file. xrandr sees the config and seems to work, driving the monitors at full resolution. But the other card is ... idle.

Is it possible to use my other monitors in X on OpenBSD? Any Broad General Tips in doing so? Man pages to read? Authoritative tips, including "Don't be an idiot, it's easy" to "it's not possible"?

To save 45k per copy of this message, links to dmesg and xorg log:
http://nickh.org/Xorg.0.log.txt
http://nickh.org/dmesg.txt

Nick.
Re: HIPPA supported ciphers
On 6/21/19 12:43 AM, Kihaguru Gathura wrote:
> OpenBSD 6.5 (GENERIC.MP) #84: Wed Apr 17 05:53:43 MDT 2019
>
> Hi,
>
> SSL compliance tests below refers. (htbridge)
>
>
> 2:SUPPORTED CIPHERS
> TLSv1.2
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   Non-compliant with HIPAA guidance
> TLS_RSA_WITH_CAMELL TLS_RSA_WITH_CAMELLIA_128_CBC_SHA   Non-compliant
> with HIPAA guidance
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA   Non-compliant with HIPAA guidance
>
> Under what circumstances could these ciphers be not considered for
> HIPPA compliance?

They could be things that aren't on the list that was compiled ten years ago, they could be sub-optimal options that are still in widespread use today.

You are asking the wrong people. Talk to your compliance people and/or auditors. Do what they tell you to do, it's easier than reasoning with them.

Remember: Security is important for ethical reasons. Compliance is important for legal reasons. The key to workplace contentment is understanding they are unrelated to each other. Both are important, but one does not lead to the other. And audits go better when the auditor finds something to complain about and get you to change.

Nick.
Re: Filesystem corruption on OpenBSD routers after power outage?
On 6/4/19 1:29 PM, Mogens Jensen wrote:
> I'm going to build a router for use in a remote location, and I have
> chosen OpenBSD 6.5 for the task. Unfortunately, it's not possible to
> protect the router with an UPS, so it will have to be resilient enough
> to survive sudden power outages and still boot without manual
> intervention.
>
> In the past I have built a few Linux based routers and they were
> configured to run from RAM. I have made some research to see if this is
> also possible on OpenBSD and found that, while there are solutions to
> have / read-only, none of this is officially supported.
>
> Can anyone with experience running OpenBSD routers without UPS, tell if
> filesystem corruption is going to be a problem after power outages, or
> if there are any officially supported ways to make the system resilient
> enough to not break after a power outage?
>
> I'm using an mSATA disk with MLC flash in the router.

I realized a few decades ago that consumer UPSs are a bad investment. Industrial UPSs are a dubious idea in business unless you have a dual-power supply machine and can hook each PS to a DIFFERENT UPS -- in my area, grid power is more reliable than cheap UPSes (your mileage may vary). And you have to MAINTAIN your UPSs, otherwise after a few years, UPSs turn minor glitches into power outages (thank you very much).

I'm also fond of proving my own claims, so I very often just yank the cord on my systems rather than doing orderly shutdowns.

Yes, if you drop power on an OpenBSD system, you will get an fsck on reboot.

Solution: Make your partitions as small as reasonable. Just because you got a 500G disk for cheap, no reason to allocate all 500G. For a router, 10G is PLENTY, and will fsck quickly. If you have slow media (i.e., flash drives), you might want to aim for 1G.

Every once in a long while, you might catch a really bad time for the power to go out, and have to manually say "Fix it!" to fsck, but for the most part, the system will just come back up after the power comes back on. The less you write to disk, the less risk you have of having to manually intervene in your system's reboot.

IF you want to do some fancy logging, keep the logging partition out of the fstab file, and have a script that brings it up with a "fsck -y" AFTER the system comes up, and start the fancy logging AFTER the big logging partition successfully mounts.

But don't do stupid games to try to improve your chances, just make sure there's a monitor and keyboard available to fix any problems that might happen. Simple systems have simple problems. Complex systems break in complex ways.

You want me to swear you'll never have to manually intervene in boot after an "event"? Nope. But I've walked non-technical people through single-user fsck's over the phone; when your bastardized system breaks, you will be down for a lot longer and you will be going on-site to fix.

Nick.
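The post-boot script Nick describes for the optional logging partition, as an added example (not from the post): the partition is not in /etc/fstab, so a failed fsck cannot stall the boot; the logger is started only after fsck -y and the mount both succeed, and any failure just leaves the system up without the fancy logging. The device, mount point and logger start command are assumed placeholders.

```sh
#!/bin/sh
# Added example, not from the post. Intended to be called from rc.local
# after the base system is up. Values below are assumed placeholders.
LOG_DEV="${LOG_DEV:-/dev/sd0h}"                 # big logging partition
LOG_MNT="${LOG_MNT:-/var/biglog}"               # must exist on the root fs
START_LOGGER="${START_LOGGER:-/etc/rc.d/fancylogger start}"

# Bring the logging partition up in order: repair, mount, then start the
# logger. Returns 0 only when all three succeed; otherwise reports to syslog
# and returns non-zero so the caller can carry on without the logging.
mount_log_partition() {
    # fsck -y answers "yes" to every repair prompt so nobody has to be at
    # the console; a non-zero exit means it could not make the fs clean.
    if ! fsck -y "$LOG_DEV"; then
        logger -t biglog "fsck -y $LOG_DEV failed, leaving it unmounted"
        return 1
    fi
    # noatime and softdep: the mount options the thread recommends for
    # write-heavy FFS partitions.
    if ! mount -o noatime,softdep "$LOG_DEV" "$LOG_MNT"; then
        logger -t biglog "mount of $LOG_DEV on $LOG_MNT failed"
        return 2
    fi
    # Only now is it safe to let the logger write there.
    if ! $START_LOGGER; then
        logger -t biglog "logger start failed after mounting $LOG_MNT"
        return 3
    fi
    logger -t biglog "logging partition $LOG_DEV mounted on $LOG_MNT"
    return 0
}
```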
Re: mounting an existing softraid/crypto partition for install/update
On 6/3/19 8:17 PM, Bryan Stenson wrote:
> Hi all -
>
> I'm running -CURRENT on a SSD with FDE encryption using softraid/crypto
> with a passphrase entered via the keyboard at boot. It worked great.
> Then, I upgraded to a build that had a broken bootloader (reported to be
> fixed now: "Re: amd64 snapshot very broken (Jun 1 02:24:13)"). Per that
> thread, I'm trying to boot from temp boot media to update to the fixed
> image.

ouch. :(

> I've tried booting both snapshots/amd64/install65.fs and
> snapshots/amd64/miniroot65.fs, and while it appears the bootloader
> recognizes my softraid crypto device, it's clearly not mounting the crypto
> device (I'm not prompted for a passphrase), and by the time I get to the
> install script, it shows:
>
> Available disks are: .
> Which disk is the root disk? ('?' for details)
>
> Asking for details, both my SSD (sd0) and temp boot media (sd1) are shown,
> but I'm not able to see the encrypted device.
>
> I've dropped to a shell, and created the device (it wasn't there) via "cd
> /dev && sh MAKEDEV sd0", and can see my RAID partition via "disklabel sd0".

You probably need to make sd1 and sd2, as well (sd1 your install media, will probably be made for you, but as long as you are in the neighborhood... sd2 will hold the actual file systems on the encrypted "disk" that you will be installing to.

> But, now I'm stuck/confused...I'm trying to figure it out by following:
> https://www.openbsd.org/faq/faq14.html#softraidFDE
>
> Do I re-create the softraid/crypto with something like "bioctl -c C sd0a
> softraid0"? Or, will this will wipe out the existing data and give me a
> fresh new partition to install to?

yep.

bioctl -c C -l /dev/sd0a softraid0

should do it. I'm just peeking at a script I use to manually mount an encrypted file system post-boot.

> How can I mount the existing crypto volume for use by the installer?
> (Also, am I asking the right questions here?)

Once you have "unlocked" the encrypted partition and it becomes a new logical drive, make note of that, and answer that drive to the installer if it doesn't figure it out on its own.

Nick.
Re: Upgrade procedure (6.4 -> 6.5)
On 5/7/19 8:32 AM, Dumitru Moldovan wrote:
> On Sun, May 05, 2019 at 05:05:11PM +0200, Ingo Schwarze wrote:
>> Hi,
>>
>> Consus wrote on Fri, May 03, 2019 at 02:24:10PM +0300:
>>
>>> Maybe it's a good idea to note this on the upgrade page? Something like
>>> "the upgrade procedure may leave some files behind; you can manually
>>> clean them up using sysclean package"?
>>
>
> [...]
>
>>
>> For example, it is definitely useful to remove stale Perl libraries.
>> It is also useful for stale header files if you compile software
>> from source. It is useful (but not terribly important) for stale
>> manual pages. It is usually detrimental for old versions of shared
>> libraries, unless you are *really* short on disk space (which is getting
>> less common nowadays) *and* you are very careful.
>>
>> For most use cases, we do not recommend using sysclean.
>
> I think there's a less common scenario not covered in this thread.
> Suppose you have locally-compiled binaries, linked to previous versions
> of libraries, belonging to an older version of the OS. Those libs will
> never get patched after you upgrade, so any vulnerabilities they expose
> will remain exploitable in the binaries linked to them.

Ok, I admire your confidence that the problem in your local binaries are the OpenBSD libraries. :D

This swings both ways. When doing an upgrade, if the upgrade deleted all those libraries BEFORE you had a chance to upgrade that binary, it would quit working. While I'm all for "Fail Closed", it might be premature to call it a failure. Or not. It is very hard to please all, and even harder to cover all possible situations.

Nick.
Re: Upgrade procedure (6.4 -> 6.5)
On 5/3/19 2:32 PM, Strahil Nikolov wrote:
> On May 3, 2019 10:49:55 PM GMT+03:00, Nick Holland
> wrote:
>> On 5/2/19 1:52 AM, Consus wrote:
>>> Hi,
>>>
>>> I've upgraded my systems from 6.4 to 6.5 without a glitch, but I
>>> see that /etc/networks and some other files (like malloc.conf.5)
>>> are still
>>> present, although there is no use for them in the new release.
>>>
>>> Is there a reason why these files are not listed in "Files to
>>> remove"?
>>> Is there a way to track them? It's not like something gonna
>>> break, but
>>> old configuration files (and manual pages) lying around can make
>>> someone's life harder during the debug session.
>>
>> There is no promise that an upgraded machine will be file-for-file
>> identical to a fresh install. Here is the list of problems this
>> might cause you, as you can see, it's a long list and quite
>> horrible:
>>
>> * If you use the same hw for 20 years, you might run out of disk
>> space?
>>
>> Ok, not very long and not very horrible.
>>
>> You are trying to solve a non-problem. And sometimes, 'specially
>> on an upgraded machine, it's great to see how things WERE when the
>> machine was set up. If you really care, go ahead, delete stuff.
>>
>> Nick.
>
> Hi All,
>
> As I linux guy (my experience in openBSD can be easily measured in
> days) I can share the view of less experienced user that was planning
> to upgrade from 6.4 to 6.5 and that ended with a full reinstall.
>
> I tried to update a VM (stock setup) with a 10 GB disk from 6.4 to
> 6.5 and thus it seemed that booting from the 6.5 DVD will do the
> trick. Sadly the installer never checked the available space, but
> just started to do it's stuff until reporting that not enough space
> is available.

The installer didn't check. Neither did you. Let's blame the installer.

Ok, sure, might be nice, but when there are a snootload of different platforms with radically different size binaries, it's not trivial. But feel free to send in a patch. Test on two or three different platforms, first, though, please.

And ... considering the number of times I've seen and heard about Linux systems hose themselves with upgrades, I question your implication. Major Linux upgrade? Most people I know just say "Screw it. Rebuild, reload". Linux might have the edge on incremental upgrades, but eventually, you are going to need to move to the more current release...and then OpenBSD starts looking REALLY GOOD.

10g disk? When I first started working with OpenBSD, that was really big. But then, I had to manually partition the disk. 20 years later, 10G is tiny. The installer auto-partitioner is really intended for bigger disks. Yeah, you are in "Special Case" territory, which isn't a good spot to be as a new user.

> Why did the installer allow installation despite the available space
> is low ( even windows checks available space :) )???

The average windows user doesn't know what the units of storage mean.

> Why should the end-user delete old unnecessary/problematic files ?

That's my question. What's the big deal? On a modern disk, just ignore them. They won't be a problem until long after your rotate out the hw. Problem is, you used a 2001 vintage size disk. You should have rotated that out around 2005.

And I'm curious how a CentOS 6 to Centos 7 upgrade would go on a 10G disk. I have my suspicions, and I suspect it would be entertaining to watch...assuming it wasn't something you were dependent upon.

> Usually we do have package management system to take care of that (or
> at least to rename those files in case we really need them).

Yeah, you need to wait until Linux "package management" screws itself into a knot for you.

> For me, system upgrade is a very complicated and error prone
> procedure.

OpenBSD has what I call a "Learning Curb". You gotta lift your feet. Not a lot, it's not hard, but you can't just shuffle along mindlessly and expect to be carried to the next level without your engaging your brain.

If you used Linux for a little bit and figured that OpenBSD is "just like Linux, but different", yeah, no, you are going to be disappointed. Different beast. From a management perspective, I'd say Linux and Windows are much more alike than Linux and OpenBSD. Linux is written for and by those frustrated with Windows ("Reinventing Windows, poorly"). OpenBSD is Unix. It's probably the simplest Unix out there to use and manage, but it's not Windows (or Linux).

Or... Think of Linux (and windows) as the big cushy luxury car. Easy to drive, assuming you work within the anticipated parameters, but you really have no id
Re: User who invoke doas
On 5/2/19 8:04 AM, Ted Unangst wrote:
> Nick Holland wrote:
>>> In a shell script invoked by doas, is it possible to find which user
>>> invoke the script? my search at the moment has come up empty.
>>
>> most likely place would be an environment variable, right?
>>
>> # echo "I started out as $LOGNAME"
>> I started out as nick
>
> Note that LOGNAME and other variables can be set by the user to indicate a
> different user name.
>
> $ env LOGNAME=somebody doas sh -c 'echo $LOGNAME'
> somebody

And that's important -- I (silently) assumed a semi-friendly environment, not a good idea. Evaluate my suggestion based on your actual needs and risks. But then, if the wrong person has sudo access on your box, this may not be your biggest problem of the day.

Nick.
Re: User who invoke doas
On 5/1/19 10:28 PM, Adam Steen wrote:
> Hi
>
> In a shell script invoked by doas, is it possible to find which user
> invoke the script? my search at the moment has come up empty.

most likely place would be an environment variable, right?

So ...

$ whoami
nick
$ doas -s
# whoami
root
# env | grep nick
LOGNAME=nick
HOME=/home/nick
MAIL=/var/mail/nick
PATH=/home/nick/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
USER=nick
# echo "I started out as $LOGNAME"
I started out as nick

'dar ya go.

Nick.
Re: Upgrade procedure (6.4 -> 6.5)
On 5/2/19 1:52 AM, Consus wrote:
> Hi,
>
> I've upgraded my systems from 6.4 to 6.5 without a glitch, but I see
> that /etc/networks and some other files (like malloc.conf.5) are still
> present, although there is no use for them in the new release.
>
> Is there a reason why these files are not listed in "Files to remove"?
> Is there a way to track them? It's not like something gonna break, but
> old configuration files (and manual pages) lying around can make
> someone's life harder during the debug session.

There is no promise that an upgraded machine will be file-for-file identical to a fresh install. Here is the list of problems this might cause you, as you can see, it's a long list and quite horrible:

* If you use the same hw for 20 years, you might run out of disk space?

Ok, not very long and not very horrible.

You are trying to solve a non-problem. And sometimes, 'specially on an upgraded machine, it's great to see how things WERE when the machine was set up. If you really care, go ahead, delete stuff.

Nick.
Re: 6.5 auto_install fails due to custom /var/tmp?
On 4/29/19 6:09 PM, Lyndon Nerenberg wrote:
> While trying to PXE install a 6.5 machine I was hit with this failure:
>
> Installing bsd          100% |**********| 15163 KB    00:00
> Installing bsd.mp       100% |**********| 15248 KB    00:00
> Installing bsd.rd       100% |**********|  9984 KB    00:00
> Installing base65.tgz    99% |********* |   189 MB    00:00 ETA
> tar: Unable to remove directory ./var/tmp: Device busy
> Installing base65.tgz   100% |**********|   190 MB    00:14
>
> Installation of base65.tgz failed. Continue anyway? [no] no
>
> which I suspect is related to this:
>
> /            1G
> swap         4G-16G   10%
> /tmp         2G
> /usr         4G
> /usr/local   2-6G     10%
> /var         10-20G   20%
> /var/tmp     10-20G   15%
> /var/log     20-40G   30%
> /u           1G-*

yeah.

> I've never run into this until today, when I tried to carve out an explicit
> /var/tmp. Autopartitioning be able to handle /var/tmp, no?

normally, /var/tmp is a symlink to /tmp. It can't make the link. No surprise.

Answer "Yes" to the "Continue anyway?" prompt, and all will be fine, I believe.

Nick.
Re: chromium OpenBSD defaults
On 4/17/19 4:01 PM, Tom Smyth wrote:
> Hello,
>
> I was wondering what people would think of disabling chromium offering
> to save passwords for sites... it is a default in browsers in other operating
> systems that gives me a rash... it is also a likely attack surface...
> I would rather have it disabled and if people need / want it they can
> enable it ?

Personally, no, I don't like that at all.

A couple reasons pop into mind quickly:

1) It doesn't save passwords without asking your permission. So Just Answer No. And unless you disable it completely and irreversibly, people can just turn it back on.

2) It's useful for sites that insist on passwords for idiotic reasons -- i.e., patches and documentation downloads. Makes it much easier to use one-site passwords, and if someone pops my machine, the last thing in the world I care about is someone can read docs on some piece of sh** software. I'm much more concerned /when their/ site gets popped, and they thought "rot13" a good password hash, I had no reason to use a common password on multiple sites.

You are trying for "sounds good, make it painful security", whereas this feature is useful for real security reasons.

You can't fix stupid behavior with technology.

Nick.
Re: How to overrule bioctl "chunk already in use"
On 3/28/19 10:29 AM, Rachel Roch wrote:
> Hi,
>
> I've been following the instructions here
> https://www.openbsd.org/faq/faq14.html
> <https://www.openbsd.org/faq/faq14.html> to setup softraid.
>
> Unfortunately I somehow messed up the original attempt through my own
> stupidity.

it happens. And best that it happen before production than after.

> So I've been trying to go through the steps again. However nothing
> I do can eliminate the "softraid0 sd0a chunk already in use" message
> at the "bioctl -c 1 -l sd0a,sd1a softraid0" step.
>
> I've tried everything ! Rebooting the server, /dev/zero to the
> first 500MB of sd0 and sd1, changing uuid in disklabel, erasing and
> re-writing disk label.
>
> I looked at the man page and thought "ah ha !" ... maybe "-C force",
> but nope !

you were close with the zeroing the head of the components. In fact, I'm not sure what you did wrong, but that's the solution.

I'd suggest starting by zeroing the beginning of each physical disk -- using the r device and the c partition -- i.e.,

# dd if=/dev/zero of=/dev/rsd0c
# dd if=/dev/zero of=/dev/rsd1c

I've had enough problems, I really suggest this unless you are absolutely sure your disk has never even heard of OpenBSD before you install it. :) (I think I had figured out at one point that zeroing the RAID partitions was sufficient, but when it comes to zeroing, a little more is never too much. :)

Now, if you were going to script this, you would put a block size and a count in there...but since you are just typing this at the command line, count to three and hit CTRL-C then do the next. You really only have to clear a megabyte or so, and probably a LOT less...you can't hit CTRL-C fast enough, I suspect. :)

By using the 'r' device and the 'c' partition, you have wiped the very very start of the disk -- sector zero onward.

I'd reboot after that. I don't think it's needed, but either the disklabel or MBR partition can be held in memory and written back out to disk under some circumstance, I don't recall exactly what (probably having to do with mounted partitions), so a reboot, and then verifying that fdisk sd0 shows lots of zeros everywhere including the Signature.

NOW fdisk, create your OpenBSD partition, then your RAID disklabel partitions, and you should be in business.

If that doesn't do it, show us your exact commands and exact output you are seeing.

Nick.
Re: using an USB stick with "openbsd" type partition/slices
On 3/21/19 6:49 AM, Mihai Popescu wrote:
> Hello,
>
> I want to move my usb stick from msdos partition to more specific to
> OpenBSD. I use this stick to keep some configuration files and
> documents on it.
>
> sd1 at scsibus2 targ 1 lun 0: SCSI4
> 0/direct fixed serial.07815571010812120514
> sd1: 30532MB, 512 bytes/sector, 62530624 sectors
>
> Steps I've done to achieve this:
>
> # fdisk -e sd1
>> reinit
> ...
> # disklabel -E sd1
> Label editor (enter '?' for help at any prompt)
> ...[create an a partition, proper starting offset, etc.]
> # newfs sd1a
> ...
>
> For mount I use mount /dev/sd1a /mnt. (no options yet!)
>
> I want to ask if there are some suggestions in creating
> partition(s)/slice(s), types and mount options, please. I don't need
> softupdates. Files used are small and I copy a few at the time.

Well...if you are just moving files around, I wouldn't worry much about partitioning. If you want to actually make it bootable, that's a different discussion.

Only exception I can think of -- if you want to split it between OpenBSD and Windows use, fdisk to make a DOS partition (first) and an OpenBSD fdisk partition (physically after the DOS/FAT partition), disklabel it and format it on Windows, then format it on OpenBSD.

Few small files a few at a time? Just use the defaults.

If performance matters, mounting with "noatime" and "softdep" are HUGE wins. If you aren't waiting, though, you won't get any benefit, so just use the defaults.

Nick.
Re: Support for Nvidia chipsets, never running X
On 3/7/19 7:19 AM, Chris Bennett wrote: > I've avoided anything with Nvidia like the plague. > But it just occurred to me to ask, ignoring X completely and never > running it, are the rest of the Nvidia parts supported or is Nvidia > anything a total no-go? > > Thanks, > Chris Bennett > > it..varies. A couple years ago, I retired an nvidia chipped system I used as a firewall for a few years. Disk I/O was slow, USB support seemed slow (I was booting from a USB flash drive). NICs were some em(4) and dc(4) add-in cards. However, it pumped packets around just fine, but the rest of the machine was "eh". So... If you end up with an nvidia powered machine in your pile, give it a try and see how it works for *your application*. If you are buying, no, I'd just avoid it, the alternatives work better. Nick.
Re: cvsweb.openbsd.org - same as cvsweb in ports?
On 2/21/19 5:52 PM, Nam Nguyen wrote: > Adam Thompson writes: > >> What version of cvsweb does cvsweb.openbsd.org run? And where is that >> software available? It appears to not quite be the same as cvsweb in >> ports, so... ? > > It looks the same to me, other than some customized CSS. > > You can see the log here: > https://cvsweb.openbsd.org/ports/devel/cvsweb/Makefile > customized CSS? You have more faith in my skills than you should. :) It's the stock ports, with a few knobs twisted in the config file. Nick.
Re: ssd drive disappears when booting
On 2/17/19 2:57 AM, Jason McIntyre wrote: > On Sun, Feb 17, 2019 at 01:23:44AM +, tfrohw...@fastmail.com wrote: ... >> This sounds like the problem that I (and others) have seen when the hard >> drive is set to RAID in the Bios/firmware. Try setting it to AHCI if your >> bios lets you. >> > > wow, that was exactly it! i don't understand how it was running one > minute, and then changed, but setting the drive to ahci worked (it was > indeed parked on raid). > > thanks so much - you just saved me a ton of hassle. > > jmc > > OpenBSD 6.4-current (GENERIC.MP) #713: Wed Feb 13 22:35:28 MST 2019 > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP ... > bios0: vendor Dell Inc. version "A15" date 08/15/2012 Your CMOS battery is dying. I've got a Dell a bit newer than yours with the same problem -- under circumstances I haven't quite figured out, the CMOS resets to default, which, oddly, is RAID. Nick.
Re: dell universal d6000 dock
On 2/12/19 3:19 AM, ¯\_(ツ)_/¯ ¯\_(ツ)_/¯ wrote: > try running stable. > Stunningly bad advice for a hardware problem. There's literally nothing in -stable that isn't in -current, and when it comes to hardware support, a most recent snapshot is always the best. Nick.
Re: CPU platform
On 2/10/19 8:41 AM, Mihai Popescu wrote: > Hello all, > > I usually take my computers for OpenBSD from used/refurbished market > since they are much cheaper and I don't need edge hardware. Lately, > AMD processors platforms are not so easy to find ( I prefer a > combination of cpu + video + brand name). > I have a much bigger offer from Intel side. There are many options. > Regarding the Meltdown and Spectre issues, is it still fine to go for > an Intel platform? > How did you folks with Intel based production systems mitigated this? Most likely, you are going to start by panicking about Meltdown and Spectre. Then you are going to go load up your system with poorly written software which is far more likely to be the REAL cause of a breach. OpenBSD Developers are on the problems as well as or better than anyone else. At this point, worry much more about the decisions you make OTHER than HW platform, as they matter far more. Nick.
Re: vultr
On 1/5/19 5:22 PM, ed...@pettijohn-web.com wrote: > I was thinking about spinning up a new instance on vultr to play with. > They have an option to install OBSD 6.3/4. Has anyone tried these? I > attempted the FBSD one in the past, but the default install was all > whacked out and I had to start over with a fresh install. as others have said, they support OpenBSD, that's enough. Don't expect perfection on their install, it sucks actually. But their SW supports OpenBSD. Use their install ONLY to put your own bsd.rd in root (everyone seems to obsess over loading an ISO. Who cares? Just use a -current bsd.rd!), boot off that, reinstall exactly as you want it. The Vultr console works great on OpenBSD chrome and firefox browsers. Use DHCP for network. Done. If you have ever used VMWare's craptastic management clients, you will be amazed how well Vultr works. Nick.
Re: Advice on Security Cameras
On 1/1/19 12:46 PM, Elias M. Mariani wrote: > Hi list, > I'm thinking in installing some cameras in my private home, I have > been looking for solutions, my concern is that I wish to be able to > look the videos from outside the house and I'm a little paranoid about > the quality of the software that the different vendors use. you've seen any sign of quality in those things? :) > I have > seen clusters of camaras that only work over ActiveX... > I know that is a little off-topic but maybe someone knows about a good > brand of cameras. > Of-course one can always set a VPN tunnel trough OpenBSD for the > security matter, OpenVPN works on Android so is easy to access from a > smartphone. But I would prefer to have a single secure service running > that adding a layer of complexity with the VPN. > > I'm looking for: > - Not overpriced cameras. > - They don't need to be "external cameras", they will be covered under a roof. > - I need to set at least 4, so I need them to be accessible from a > single platform. > - Android / Browser friendly (not only IE plz...) > - WiFi is not needed, I have a 12v supply and Ethernet connections for > each camera. > - Good video quality but I'm not looking for anything super great... > - the ability to centralize recording and access to view the cameras is a > must. Bringing it back to OpenBSD, ... just use SSH and port forwarding and an otherwise off-the-shelf solution. No add-on SW needed. Did this with a friend's business. Little OpenBSD box in their office as a gateway, the DVR on one port (don't trust the security of the damn things, so keep it off the business network) and the owner can click on a PuTTY icon on their Windows desktop (or android or ...) to establish the SSH connection (key, no PW to enter, yes I set this up for them, took just a few minutes in their house), and a second click to bring up the bookmarked browser-based app the thing used. 
Neat thing is you don't have to change the default PWs on the DVR now, so that's one less thing to worry about. Very non-computer-person user friendly -- "Click here to connect to your office, then connect here to view the cameras". Yes, I'd suggest an OpenBSD gateway to a commercial DVR security system rather than rolling your own, if it is really to be a security system (as opposed to maybe a, "who's at my front door?" or "what are the local wildlife doing when I'm asleep?" cameras). The police may need to extract the video from it without your assistance if you are unavailable (or worse) as part of whatever they are investigating and maintain a chain of custody; this won't happen if you roll your own. I'll admit I hadn't thought of that until a police officer friend of mine started telling me about the training he was taking on exactly this topic -- *they* need to be able to get the video out of the device in a timely manner, and they have to explain to the judge and jury how it was done. Nick.
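The gateway setup described in the post above, as an added example that is not part of the original message: a small sh script that prints the three config pieces for an OpenBSD box sitting in front of an off-the-shelf DVR. Everything in it is assumed for illustration: the DVR at 10.0.0.2 on the gateway's second NIC (em1), the gateway reachable as gw.example.com, a login called "dvrview", and the web UI on port 80. It relies only on documented OpenSSH authorized_keys options (restrict, port-forwarding, permitopen), ssh_config keywords and pf.conf syntax.

```sh
#!/bin/sh
# Added example, not from the original post.  Prints the config for an
# SSH-only gateway to a DVR on an isolated interface.  Hypothetical names
# throughout: DVR 10.0.0.2 on em1, gateway gw.example.com, user dvrview.

# authorized_keys line for the gateway account.  "restrict" switches off
# pty, agent/X11 forwarding and command execution for this key;
# "port-forwarding" turns forwarding back on, and permitopen pins it to
# one host:port, so a stolen phone key reaches the DVR web UI and nothing
# else (no shell on the gateway, no other hosts behind it).
authorized_keys_line() {   # <dvr ip> <dvr port> <public key>
    printf 'restrict,port-forwarding,permitopen="%s:%s" %s\n' "$1" "$2" "$3"
}

# Client ~/.ssh/config stanza.  "ssh -N dvr" opens the tunnel and the
# browser bookmark is http://127.0.0.1:8080/ .  ExitOnForwardFailure
# makes a busy local port an error instead of a silent no-op.
ssh_config_stanza() {      # <gateway host> <dvr ip> <dvr port> <key file>
    cat <<EOF
Host dvr
    HostName $1
    User dvrview
    IdentityFile $4
    IdentitiesOnly yes
    LocalForward 127.0.0.1:8080 $2:$3
    ExitOnForwardFailure yes
EOF
}

# pf.conf fragment for the gateway.  The DVR's interface only ever sees
# connections the gateway itself starts towards the DVR's web port (pf
# keeps state by default, so the replies come back through that state);
# anything the DVR tries to initiate is dropped.
pf_dvr_rules() {           # <dvr interface> <dvr ip> <dvr port>
    cat <<EOF
dvr_if = "$1"
dvr = "$2"
block in on \$dvr_if all
pass out on \$dvr_if proto tcp to \$dvr port $3
EOF
}

# Usage: ./dvr_gateway.sh em1 10.0.0.2 80 gw.example.com "\$(cat phone.pub)"
if [ "$#" -eq 5 ]; then
    authorized_keys_line "$2" "$3" "$5"
    echo
    ssh_config_stanza "$4" "$2" "$3" '~/.ssh/id_ed25519_dvr'
    echo
    pf_dvr_rules "$1" "$2" "$3"
fi
```

The permitopen restriction is the part worth keeping even if the rest is adapted: with it, the only thing a lost phone key buys an attacker is the DVR's login page, which is the same exposure as the LAN-only install the post starts from.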
Re: ahci error during install of 6.4
On 12/28/18 5:37 PM, Juan Francisco Cantero Hurtado wrote: > On Fri, Dec 28, 2018 at 08:18:38AM +, Paul Swanson wrote: >> Hi, >> >> I'm currently trying to install 6.4 on a Dell Latitude E7470 laptop (Intel >> Skylake). >> >> During the whole disk (G) partitioning process, setup fails with the >> following messages: >> >> newfs: wtfs: write error on block 8352576: Input / output error >> ahci0: attempting to idle devices >> atascsi_disk_sync_done: error >> ahci0: NCQ errored slot 14 is idle (2000 active) >> >> Assuming that perhaps there might be a bad block on the drive (nvme ssd) >> I've run read / write bad block tests on the whole drive, but nothing showed. >> >> The drive has had a working install of Ubuntu up till now, and I've >> subsequently installed Xubuntu on it successfully. >> >> As it stands I can't proceed with the install; very sad. >> >> Any help would be appreciated. > > Install OpenBSD on a usb stick, run OpenBSD from there and use dd to > write zeroes to the disk. If the disk has bad blocks you will see > similar errors in the dmesg. You can do the same with linux. > > Sometimes bad units pass the checks of badblocks programs because these > run read-only tests by default and the flash controller lies. You only > see the bad sectors when you try to write to the disk. Actually...you won't see most SSD style write errors -- they will be silently remapped. After writing zeros with dd, do it again with 0xff (377 octal) -- tr '\0' '\377' < /dev/zero | dd bs=1m if=- of=/dev/rsdXc That will run a lot slower than the zeros, but now you have tested every bit of the disk for one and zero storage and remapped them. Did this recently with some annoying SSDs that have been bugging me for years, and the results have been ... promising (NO problems since). Nick.
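The write-0x00-then-0xff pass from the reply above, as an added example that is not part of the original message, extended with the step the post does not do: reading the device back and comparing it against a freshly generated pattern stream, so a block that accepts the write but returns different data is reported rather than silently remapped. Sizes are given in 64 KiB blocks; on OpenBSD the block count for a real disk comes from the sector count in disklabel(8) (sectors * 512 / 65536). The test runs against a constructed scratch file, not /dev/rsdXc.

```sh
#!/bin/sh
# Added example, not from the original post: fill a device with a byte
# pattern, then read it back and compare.  Destroys whatever is on the
# device.  Sizes are in 64 KiB blocks so the same count works for both
# the write and the read-back.

BS=65536

pattern_stream() {   # <octal byte> <blocks>: emit blocks*64KiB of that byte
    dd if=/dev/zero bs=$BS count="$2" 2>/dev/null | tr '\0' "\\$1"
}

fill_pattern() {     # <device> <octal byte> <blocks>
    pattern_stream "$2" "$3" | dd of="$1" bs=$BS 2>/dev/null
}

# Compare the device against a regenerated stream without staging a copy
# of the disk anywhere: a background dd feeds the device into a FIFO and
# cmp reads the pattern on stdin.  Returns 0 on a full match, 1 at the
# first differing byte (cmp stops there, the dd dies of SIGPIPE).
verify_pattern() {   # <device> <octal byte> <blocks>
    fifo="${TMPDIR:-/tmp}/verify_pattern.$$"
    rm -f "$fifo"
    mkfifo "$fifo" || return 2
    dd if="$1" bs=$BS count="$3" 2>/dev/null > "$fifo" &
    if pattern_stream "$2" "$3" | cmp -s - "$fifo"; then st=0; else st=1; fi
    wait 2>/dev/null || :
    rm -f "$fifo"
    return $st
}

# Full cycle from the post: all zeros, then all ones, each written and
# then verified.  Any mismatch is reported with the pattern that failed.
pattern_test() {     # <device> <blocks>
    for oct in 0 377; do
        fill_pattern "$1" "$oct" "$2" || return 2
        if ! verify_pattern "$1" "$oct" "$2"; then
            echo "pattern \\$oct: read-back mismatch on $1" >&2
            return 1
        fi
    done
    echo "$1: $2 blocks OK for 0x00 and 0xff" >&2
}

# Usage on a real disk (everything on it is gone afterwards):
#   ./pattern_test.sh /dev/rsd1c "$(( sectors * 512 / 65536 ))"
if [ "$#" -eq 2 ]; then
    pattern_test "$1" "$2"
fi
```

The read-back is the point: a drive that remaps on write and then serves the remapped block correctly passes both stages, while one whose controller "lies" (takes the write, returns stale data) fails the compare, which is the case a write-only dd cannot distinguish.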
Re: Best way to change disk layout?
On 12/23/18 3:16 PM, John Long wrote: > I'm running release instead of stable like I did years ago. Syspatch is > a better solution for me than building from source. I want to change my > disk layout because when I set up this box I was thinking of building > from source like the old days. I want to eliminate some filesystems and > move /var and resize it. I can't growfs where /var is right now, the > filesystems I want to get rid of precede it. > > Is it better to do this kind of thing single-user (is it even possible > to run without /var) or is it better to boot the installer disk and do > it from a shell without anything mounted? It depends. If you have to ask the question, the answer is probably you shouldn't. You don't want to run with a /var directory. You can't easily populate a /var directory from a mounted /var. You can't umount /var and have a happy day (guess how I know). IF you have a drive with some free space, there are lots of options, including making or recycling partitions and shuffling things around until you get what you want. For example, you could maybe copy /var to /tmp, change fstab so your old /tmp is /var on reboot, reboot, then you can do what you want with the old /var. When done, copy the data from your tmp var to the goal var, and change fstab again, reboot, ta-da. (note: you want to make sure only you are on the box and no exposed services are running when you do things that hose the OpenBSD security models!) You can't use growfs on a live file system, but if you plan/work things out right, there's a lot you can often do without even having a remote console. This is again why I argue, just because you got a 500g drive on your firewall doesn't mean you need to allocate all of it. Give me 20g spare space and there isn't much I couldn't shuffle on a system, even remotely (I can't move /. I can't necessarily save data without someplace else to put it). Nick.
Re: SSH server immediately closes connection
On 12/14/18 00:27, Максим wrote: > Hello, > I've got a PC running OpenBSD current. > After the latest upgrade I cannot ssh to it. > > When I run "ssh 10.26.5.70" > I get this: > "Connection to 10.26.5.70 closed by remote host. > Connection to 10.26.5.70 closed." > As an SSH client I use another OpenBSD box and a Linux machine > with the same result. > When I run "ssh -vvv 10.26.5.70" > the last messages are: > > "debug3: receive packet: type 52 > debug1: Authentication succeeded (publickey). > Authenticated to 10.26.5.70 ([10.26.5.70]:22). > debug1: channel 0: new [client-session] > debug3: ssh_session2_open: channel_new: 0 > debug2: channel 0: send open > debug3: send packet: type 90 > debug1: Requesting no-more-sessi...@openssh.com > debug3: send packet: type 80 > debug1: Entering interactive session. > debug1: pledge: network > debug3: send packet: type 1 > debug1: channel 0: free: client-session, nchannels 1 > debug3: channel 0: status: The following connections are open: > #0 client-session (t3 nr0 i0/0 o0/0 e[write]/0 fd 4/5/6 sock -1 cc -1) > > debug3: fd 1 is not O_NONBLOCK > Connection to 10.26.5.70 closed by remote host. > Connection to 10.26.5.70 closed. > Transferred: sent 2644, received 1932 bytes, in 0.0 seconds > Bytes per second: sent 1085498.2, received 793185.5 > debug1: Exit status -1" > > > No errors in /var/log/daemon > No errors in /var/log/authlog > > The result doesn't depend on the user which I use to login. I just happened to have upgraded a system last night to the most recent snapshot, I am NOT having any such problem. OpenBSD 6.4-current (GENERIC.MP) #510: Thu Dec 13 06:20:42 MST 2018 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP So ... Doesn't appear to be a systemic problem, most likely either a knob you twisted before the upgrade or something about your upgrade process. 
You need to provide more details about what you did...both before and during the upgrade...and some indication of what platform you are running and the snapshot you upgraded to. Nick.
Re: Core Dev?
On 12/04/18 01:47, Ahmad Bilal wrote: ... > Does anyone has any suggestions for me? Yes. Read your request carefully to yourself... > I want OpenBSD due to reliability and security issues. Good plan. > AWS is the leader in hosting market. but ... not security. By that reasoning, we should all be using Windows XP. > It is only natural to expect at least a FAQ or HOW-TO from openbsd > team on this topic. Sometimes "don't", or "if you do, you get to keep all the pieces" is a good answer. Sometimes "no comment" is even better. Hey, I run OpenBSD on a chunk of rented HW myself, but I don't pretend it is as secure as a real box in my environment that I control. But I picked my hosting provider based on ease and support of getting OpenBSD working, not "leadership". "cloud" hosting is a bit like living in a building with randomly assigned people and sharing a bathroom. You may end up learning things about others you may not want to know. Nick.
Re: Boot reboot issue after upgrade to 6.4 on amd64
On 11/27/18 05:48, Riccardo Mottola wrote: > Hi all, > > I have a strange and blocking issue after upgrade to 6.4 on my x86-64 > laptop, which was running 6.3 just fine. > > I got the bsd.rd kernel, booted it and installed, quick, easy no issue. > Now, if I reboot, the kernel will reboot just after having written the > first line of numbers on the screen. So far, with one or two exceptions, everyone complaining about this has a One Big Partition disk layout. A bad idea, not suggested, and I don't think you will get much sympathy. I know of one machine that behaves as you describe with a very modest (smaller than suggested) root partition, but I'm feeling very alone here. :D Nick.
Re: With all this CPU/hardware mess, any advice on what to use for an organization?
On 11/20/18 11:43, Chris Bennett wrote: > I am almost certainly going to be replacing with a new server for an > organization I am a member of. > With all of this mess with Meltdown, Spectre, insecure motherboard > chips,etc. > I am pretty clueless on exactly what is going to be a secure set of > server hardware. > Intel, well no. > AMD? I have read about problems with non-CPU chips being compromised. > Another architecture? I have never used anything other than Intel/AMD. > > The server will run httpd, mailserver, PostgreSQL and somehow a good way > for well encrypted messaging at times. all on one server? And as someone who has run a number of mail servers for a number of companies ... don't. Just don't. Running your own mail server is a good way to accomplish nothing except wasting a lot of time and making people hate you. > It is very likely to run out of Austin, Texas. > I think that having a direct connection would be best, but would a > proper setup make collocation OK? You are using poorly defined buzzwords. What you mean by a "direct connection", "proper setup", "collocation" and what I mean are likely very different. > This isn't going to be my server, I will just be in charge. That's > completely new for me. > Any advice is really welcome, everywhere I read anything, hardware seems > broken and insecure. Pretty much all new HW is optimized in ways that we are now learning (and has been known for a long time) introduce security problems. However, most of the problems boil down to having malicious software running in the control of someone else on the same physical machine YOUR code is running on. In short: No news. Really. If someone that wanted to do you evil lived in the same house as you, you would not be comfortable, right? What if you put up walls (virtualization) that have proven to be about as robust as paper? That make you feel any better? Probably not. Virtualization has been proven -- over and over -- not terribly secure. 
Now we got cross-virtualization platforms ways of stealing data from other processes. Important? yes. But in the big picture, it's similar to Yet Another buffer overflow. So...split your tasks on different physical systems as much as possible. If your webserver is serving static pages, it's probably pretty robust. If it's running Wordpress or any other "any idiot can manage the web page" apps or dynamic web pages for other reasons, it should be a machine of its own and have no other important data on it. Your primary goal should be to keep the bad guys off your computer in every sense. And again...nothing new here. But if security is your concern, you want real hw you control in every sense. Unfortunately, if you have performance requirements, your choices are AMD and Intel. Older Intel and AMD chips aren't getting any support to deal with these problems, so your choices are incredibly old chips which are probably not in the most reliable hardware, and a whole bunch of other old, unreliable, and slow hardware platforms. But be realistic. Your bosses will probably mandate a VM on someone else's hw, a wordpress website, one box for everything, and that you give him the root password which he'll e-mail to himself to keep it "secure". Your most likely breach points will be an easily guessed password (usually, a manager's), a bug in a web content management system, or someone believing that "secure e-mail" is a thing. In other words, Same Old Shit. It probably won't be breached by a Spectre or Meltdown-like attack. But it MIGHT be. Obsessing about them is generally missing the real day-to-day risks. Nick.
Re: OpenBSD migration
On 11/17/18 15:13, Martin Sukany wrote: > Hi, > > I want to migrate OpenBSD 6.4 (stable) from VM to bare metal. I see, as > usual, two options: > > 1) install everything from scratch > 2) create some flashimage (I did such thing on Solaris few years ago) > and apply the image on new hw. > > I'd be glad for any personal experience / recommendations. > > NOTE: Server is not so important so downtime is not a problem here I'm going to suggest option 3... 3) Restore from backup. You got a backup, right? You think it works, right? Here's /THE/ time to find out. I have done image migrations (dd partition->file, dd file->partition), I've done complete rebuilds, and they all work if done properly. OpenBSD is easier than most other OSs, regardless of how you do it, if you understand all the pieces. But really, this is when you get to test your backup. And, this should be the lowest down-time -- you can fully test the new system (AND FIX YOUR BACKUP PROCESS) before you flip the switch. Nick.
Re: performance of intel multithreading
On 11/07/18 11:34, Kihaguru Gathura wrote: > Hi, > > > On Wednesday, November 7, 2018, Nick Holland > wrote: >> On 11/05/18 23:51, Kihaguru Gathura wrote: >>> Hi, >>> >>> From a security standpoint, >>> which platform will offer better performance >> >> huh? What's your priority, security or performance? >> > > Security is the Priority. > >> If you have one and no budget to buy something ...um... modern, use it. > > I have the PrimePower 250 > >> UltraSPARC will probably give them a bigger surprise. > > Please explain further if possible. Most attackers are what we call script kiddies -- they don't know what they are doing, but they have a script, they throw it at a target and it either works and they move in or it doesn't, and they move on to the next target (or often, their magic cracking kit does it for them). For these people, "computers" are all IBM PC descended and all powered by Intel processors. Something not running Windows or Linux and not running on an Intel chip will be a huge deterrent IF they get into your system and try to run their binary tool kits. Now, someone who knows their mouse from their keyboard...no. And a state sponsored attacker that's after YOU personally? No. But they will have to hand you over to the next tier guys. :) The analogy I've used often is much of computer security logic, if applied to your household security, would involve putting the door to your house on a different side than your neighbors' doors and putting the door knob on the opposite side and maybe painting the door purple. And sure enough, the guy wandering down the street with instructions saying "Door on front of house, color brown, handle on left side" will totally miss the door of your house and your house will be "secure" even if the door is unlocked. And fortunately, 99.9% of the attackers out there are going to be stopped by your oddly placed backwards purple door. 
The problem is...there are tens of thousands of attackers, so quite a few aren't going to be confused by this. > But if you are >> running web services, you are probably running apps written by someone >> without any idea what they are doing in an interpreted language like >> PHP, and the exact same exploits will take out either platform, because >> the exploits will be at a much higher level than the processor. > > Self written services in C language. Now, who do you think is a better programmer, the people who put together OpenBSD or you? Not to show you any disrespect, but honestly, I'm putting my money on the OpenBSD devs. Most likely, OpenBSD won't be the entry point for your attacker. A lot of the brilliant work that the OpenBSD devs have done may HELP your system survive a flaw in your program, but your program is still more likely to be the entry point (or data exfiltration point) than the OS is, so your Plat X vs. Plat Y decision is probably not the big thing to worry about. Nick.
Re: performance of intel multithreading
On 11/05/18 23:51, Kihaguru Gathura wrote: > Hi, > > From a security standpoint, > which platform will offer better performance huh? What's your priority, security or performance? > solution in web and database now that OpenBSD > multithreading is switched off for Intel? > > > (Fujitsu PRIMEPOWER 250 - Version F - 2 X SPARC64 V 1.98 GHz) a very old, SCSI based computer. > or > (Fujitsu PRIMERGY RX300 S6 - 2 X Xeon 6 core 12 thread E5620 2.4 > GHz) A not quite as old SATA/SAS system (but still hardly new). If you have both, do your own benchmarks. If you have one and no budget to buy something ...um... modern, use it. If you have neither, buy something ELSE. My guess is that the Intel powered system will outrun the SPARC system in raw performance in every measure you make. Probably won't even need to use a stopwatch to compare. And a modern laptop will embarrass both of them, multi-threading or not. I'd not put a SCSI system into production as you won't find too many drives less than ten years old, and they are tiny, power hungry, and slow by modern disk standards. At least the SAS based system, you can get new drives for, or even stock it with SSDs and really have fun. Security? Eh. I suspect you aren't getting ROM updates for either. If someone pops your system security and tries to run a binary on it, the UltraSPARC will probably give them a bigger surprise. But if you are running web services, you are probably running apps written by someone without any idea what they are doing in an interpreted language like PHP, and the exact same exploits will take out either platform, because the exploits will be at a much higher level than the processor. Nick.
OpenBSD site
I was wondering how you maintain and update such high quality content in OpenBSD's site. Do you manually edit html files, use a cms, or something else? I am asking to shamelessly copy your best practices. ;-) Thanks, Nick
Re: macppc - Booting with a SATA PCI drive
On 10/25/18 14:51, Katherine Rohl wrote: > I’m trying to run OpenBSD and Tiger on one hard drive on a Mac G4 > tower. I’ve successfully installed 6.4 onto the drive and I can still > boot from Tiger, so that’s good. I then copied ofwboot to the Tiger > partition (since it’s the first HFS+ partition). > > I have an Silicon Image 3112-based PCI SATA controller that’s > recognized by OF. Unfortunately, I can’t remember how to tell Open > Firmware to boot from a SATA drive attached to a PCI controller so I > can specify the OpenBSD boot image! > > Does anyone know how to find out the partition’s location in the > device tree so I can boot to BSD? I’m not good with Open Firmware, > unfortunately. I’m more of a Classic person, with my Mac usually in > OS 9. You have much greater faith in Apple firmware doing things with non-Apple HW than I do. :) Apple built their firmware to boot MacOS from MacHW, and anything beyond that that actually works is more good luck than their intent. I'm not saying it's impossible, it's just not guaranteed. And it might be buggy if it does try to work. I'd suggest just booting off your IDE disk and use your SATA disk as non-boot space. Or perhaps a SATA to IDE adapter and attach it to the factory IDE port. Nick.
Re: migrate users from old system
On 10/16/18 10:39, Markus Rosjat wrote: > hi all, > > > what is the right way to do a migration of users from one system to > another? I did the following but it seems to get some problems with > permissions on the files and directories. > > 1. copy passwd, group, master.passwd to new machine yep. > 2. clean up files (some users doent exist anymore) how did you do this? > > 3. use pwd_mkdb to create a new db IF you use vipw to remove users that no longer exist, when you exit, it will sync everything for you. If not, make a token edit with vipw, then save it. > this gave no errors but after migrating some files with rsync to the new > machine it seems that some directories not read- /writeable (for example > by openLDAP) even all the permissions are set correct. If you rsync through an intermediary machine, i.e., an rsync backup system, make sure you use the --numeric-ids option, otherwise, it will try to sync the names (rather than numeric IDs) of the things it can -- and totally scramble the things it can't. If you are going directly from the old machine to the new machine, make sure you copy over the passwd, master.passwd and group files first. Also -- assuming there was an OS upgrade, copying over the user and group files just broke all new system users, so re-run sysmerge. Nick.
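The "names vs numeric IDs" problem from the reply above, as an added example that is not part of the original message: two awk checks that diff the old and new account databases before anything is rsynced, so every UID or GID that would land on a different name (the openLDAP-style symptom) or on no name at all is listed up front, plus a migration function that wires them in front of the copy. The numeric id is field 3 in passwd(5), master.passwd(5) and group(5), so the same functions serve all three. The hostnames, paths and the sample account files in the test are constructed for illustration; pwd_mkdb -p and rsync --numeric-ids are used as documented.

```sh
#!/bin/sh
# Added example, not from the original post.  Compare account databases
# before migrating files so id/name mismatches are known, then copy the
# files and sync with numeric ids.  Sample inputs are constructed.

# Names present on OLD whose numeric id differs on NEW, or that are
# missing from NEW.  Output lines: "name old_id new_id" or "name MISSING".
# (FILENAME == ARGV[1] rather than NR == FNR so an empty NEW file does
# not silently swap the roles of the two files.)
id_mismatch() {     # <old file> <new file>
    awk -F: 'FILENAME == ARGV[1] { new[$1] = $3; next }
             !($1 in new)        { print $1, "MISSING"; next }
             new[$1] != $3       { print $1, $3, new[$1] }' "$2" "$1"
}

# Numeric ids that exist on both sides but belong to different names.
# These are exactly the files a name-based rsync hands to the wrong
# account.  Output lines: "id old_name new_name".
id_collisions() {   # <old file> <new file>
    awk -F: 'FILENAME == ARGV[1] { name[$3] = $1; next }
             ($3 in name) && name[$3] != $1 { print $3, $1, name[$3] }' "$2" "$1"
}

# Pull master.passwd and group from the old box into a staging dir,
# refuse to proceed while any uid would change meaning here, install
# them, rebuild the db (what vipw does on exit), then sync with ids
# carried over literally.  Hypothetical host and paths.  As the post
# says, run sysmerge afterwards if the OS version changed, since the
# old file just removed any system users added since.
migrate_accounts() {  # <old host> <directory to sync, e.g. /home>
    tmp=$(mktemp -d) || return 1
    for f in master.passwd group; do
        scp -q "root@$1:/etc/$f" "$tmp/$f" || return 1
    done
    if [ -n "$(id_collisions "$tmp/master.passwd" /etc/master.passwd)" ]; then
        echo "uid collisions with this box, resolve first:" >&2
        id_collisions "$tmp/master.passwd" /etc/master.passwd >&2
        return 1
    fi
    install -m 600 "$tmp/master.passwd" /etc/master.passwd &&
    install -m 644 "$tmp/group" /etc/group &&
    pwd_mkdb -p /etc/master.passwd &&
    rsync -aH --numeric-ids "root@$1:$2/" "$2/"
}
```

Run id_mismatch and id_collisions on both master.passwd and group first; an empty result from both is what makes --numeric-ids safe, because only then does every number on the old disk mean the same name on the new one.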
Re: Problems with a quad Realtek NIC
On 10/12/18 21:42, Martin Hanson wrote: >> It is preferable to just include the whole dmesg directly in the mail >> Better still, when it's a "sometimes works" problem, include a "diff -u" >> between the two (the context to show where the lines are added/removed). > > I have pasted a "diff -u" on https://paste FYI... I don't click on links for stuff that should be in-message. I suspect I'm not alone. But yes, I agree with Stuart, sounds like a HW problem. When things come and go without changing, that pretty well screams "hw". Different OSs may work around different hw bugs differently, but it's still a HW bug. In your case, looks like the BIOS isn't initializing the PCI-PCI bridges properly. > +ppb1 at pci1 dev 0 function 0 > vendor "ASMedia", unknown product 0x1184 rev 0x00 > +pci2 at ppb1 bus 2 > +ppb2 at pci2 dev 1 function 0 vendor "ASMedia", unknown product 0x1184 > rev 0x00: not configured by system firmware === > +ppb3 at pci2 dev 3 function 0 vendor "ASMedia", unknown product 0x1184 (man ppb) And yes, while Realteks used to be condemned and insulted, the new network devices on many ARM boards are making Realteks look good. At least their limitations are understood and dealt with well in SW. Most people don't need the absolute best HW. But in your case, you probably want those PCI-PCI bridges configured. :) Nick.
Re: Equipment for OBSD based firewall
On 09/04/18 00:57, Joel Wirāmu Pauling wrote: > But - The thing that isn't mentioned here is basically Power Cost and > Consumption vs PPS(Packet Processing Speed). > > IMNSHO running on anything that doesn't ; > > A) Have passive Cooling > B) Is older than a couple of years (in intel/amd terms anything with a > TDPW above 65W) > > - is probably not a great idea. Mainly because the on-going cost of > supplying power to old junkers isn't worth what you can do with a > 'newish' junker. > > If you have free electricity, feel free to do what you like I guess. TDP is the MAXIMUM power draw. MAXIMUM (and of only the CPU) Your OpenBSD firewall isn't going to be running at the maximum power consumption on a P4 or newer processor very often or very long. For home use, you really care about idle power draw and the ability of the HW to do the job. Every era has its "The Answer Is" system, this year, it's PCengines and ARM/Octeon. Before, it was Soekris. People get stupid with that stuff. What's "greener", keeping something out of a landfill that draws 40w or something brand new that draws 15W? How many years do you have to run the 15W system to pay for the cost of it? How much is your time spent fighting with its quirks worth? Will it pay off before your ISP ups your downlink speed to the point where your barely-does-the-job HW is now "can't do the job"? Some old P3/P4 systems have very modest power consumptions when idle. Get yourself a wattmeter, and see what you have. After install, remove power from the CD/DVD, maybe some of the case fans, and maybe consider a USB flash drive to boot. Slow the clock speed, remove some RAM. Pull out the sound card/modem/whatever. And when things break, unless you just HAPPEN to have a serial terminal infrastructure laying around, an ol' keyboard and monitor used to debug your system will beat the heck out of finding a USB to Serial adapter and a null modem cable when you need it. 
Heck, I have a serial infrastructure in my life, and I'm really wondering if my serial-only firewall is worth the pain. I recently moved from a USB drive to a real hard disk because while it draws more power, it boots and works a LOT faster (kernel and library randomization is horrible on USB flash drives). I get the "I hate Intel" thing, but unfortunately, most of the non-Intel systems show why Intel (and AMD) own the serious computer market. Nick.
Re: Moving a system disk from one server to another
On 07/25/18 15:38, Jay Hart wrote: > Hello all, > > Just bought a new server and wanted to see what the practicality would be of > moving my disk from > one box to the other. Its a stock 6.3 install, fully patched, with a few > packages. The old > processor is a VIA based CPU running generic i386 kernel. The new box is > based on an Intel Celeron > J1900 64-bit CPU. > > My thought is it should move over and boot up on the stock generic i386 > kernel, at which time I > could update to 64-bit or just wait until 6.4 comes out and then update. > > Curious if you think this will work, or should I just do a clean install. Yes. No. Yes, you should be able to move the disk from one machine to the other (with suitable adapters), and after adjusting your network adapters, you should just take off and run. No. Do not try to "update" to 64 bit. Reload from scratch. OpenBSD treats i386 and amd64 as two DIFFERENT platforms. Would you take a SPARC64 or MacPPC disk and put it on a PC and just "update" to the new platform? NO! You would reinstall. And that's what you should do here. At which point...what are you trying to gain by moving a disk from the old system to the new one? Just put a new disk on the new system, load the platform of choice, and copy your key config files from the old one to the new one, and that way, your old system still exists. Nick.
Re: Installed current on top of FAT32 flash, Recover old filesystem??
On 07/14/18 15:16, Chris Bennett wrote:
> I very carefully and surely tested which flash drive to use and then
> pulled out the wrong one.
> I stopped the install with halt and have done nothing else.
> Should I have yanked it, halted it or just said goodbye?
>
> ddrescue or something else or nothing else?

It depends on when you stopped the install. If you had just done the disk layout, you could probably create (using OpenBSD) a FAT32 partition that covered the entire disk (where did your original start? you might have to recreate some history on an identical device here to find out) and see if your data is intact. It very well could be.

If you completed the install...uh...you have got a problem. Still, there are tools around now that will find, with amazing success, particular types of files on "overwritten" media, though of course anything that was actually overwritten is not going to be recovered.

Nick.
Re: Ratgod leadership?
On 07/10/18 12:57, Email wrote:
> [drivel snipped]

Probably about 20 years ago, I had despaired of the "solution of the week!" of Linux, and figured, while it was cool that a bunch of people had put together a free Unix-like OS, the churn was too great to be practical for businesses expecting a low-maintenance solution.

While reading through an on-line forum, I tripped across crap like the OP here posted (and much worse and more literate, of course) being said about this Theo de Raadt character. It wasn't intellectual disagreement on technical issues, it was childish name calling, leading to the "conclusion" that anything Theo did must be wrong. Well...anyone who generates THAT much blind hatred has to be checked out, they are obviously either onto (or into) something.

So I read up on OpenBSD, LOVED the philosophy of "security matters", downloaded it, and never regretted it. Following the fantastic OpenBSD documentation, I accomplished more in three days with OpenBSD than I had in several years of poking at Linux.

So, while obvious trolls like this are annoying...they also serve a purpose. I thank those mindless haters for pointing me in a very interesting direction a couple decades ago, and I'll thank this ass in particular for reminding me that I'm a bit behind in my project donations (I do miss the CDs). That has now been fixed.

Nick.
Re: CVS Download: Timeout Error
On 07/09/18 12:54, MonsieurFugu wrote:
> Hi OpenBSD forum,
>
> I'm new to OpenBSD and I'm running into an issue downloading the CVS
> libraries and I cannot figure out the problem.

source code, not libraries...but whatever.

> I've downloaded the libs before but the vm I was using got corrupted, and
> after following the same steps as before I keep getting this error:
>
> host$ cvs -qd anon...@anoncvs.fr.openbsd.org:/cvs checkout -rOPENBSD_6_3 -P src
> ssh: connect to host anoncvs.fr.openbsd.org port 22: Operation timed out
> cvs [checkout aborted]: end of file from server (consult above messages if any)

pretty clear: something is blocking SSH traffic (port 22) between your computer and the CVS mirrors you tried. No SSH, no CVS over SSH.

> I've gone through all the steps on this tutorial
> (https://www.openbsd.org/anoncvs.html) and tried multiple mirrors but to no
> avail. I've disabled the firewall in case that was the issue but it fixed

"the" firewall. Which "the" firewall? :)

> nothing. I'm able to use the ping command, however traceroute doesn't seem
> to work. I can provide more info if needed.

So...sounds like a lot of things are blocked.

> Does anyone know how I can fix this?

Unblock port 22? Or more likely, move to a non-port 22 blocking network. Lots of businesses block port 22 outbound, which you need.

Nick.
Re: smtpd.conf new grammar
Final update. I've been working with Edgar who has helped no end and I now have a working config. For me the working line is actually:

action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender} %{dest}" virtual

and the corresponding match is:

match tag "SPAM_IN" from any for domain action "lmtp-local"

Hopefully this might help someone in the future.

Regards - Nick

On 28/05/2018 16:48, Nick Ryan wrote:
Hi Mark, viq, did either of you get it to work with the virtual table?

Mine mostly works with:

action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender} %{rcpt}" virtual

but it ignores the virtual table completely. If I miss out the ${rcpt}, I get a no recipient specified and if I have the {user.username} it gives a similar error. Did your virtual work or am I doing something daft?

Regards - Nick

On 27/05/2018 08:51, viq wrote:
On 18-05-27 09:34:10, Mark Patruck wrote:
For me it works with %{user.username} as mail.lmtp(8) user.
See "FORMAT SPECIFIERS" in smtpd.conf(5) for details.

Shows how well I read the man page. With this it works, thank you!

On Sun, May 27, 2018 at 09:04:56AM +0200, viq wrote:
> On 18-05-26 19:18:56, Edgar Pettijohn III wrote:
> >
> > > Sorry, I've read the announcements, looked at man pages and examples,
> > > but still didn't manage to figure out how to translate "deliver via dovecot
> > > lmtp" (to have sieve working) into the new syntax.
> > > So far my config was:
> > >
> > > table vusers ldap:/etc/mail/ldap.conf
> > > table vdomains ldap:/etc/mail/ldap.conf
> > > table passwd ldap:/etc/mail/ldap.conf
> > >
> > > accept from local for local virtual deliver to lmtp "/var/dovecot/lmtp"
> > > accept from any for domain virtual deliver to lmtp "/var/dovecot/lmtp"
> > >
> > > I tried changing those into:
> > >
> > > action "lmtp-local" mda "/usr/libexec/mail.lmtp -d /var/dovecot/lmtp"
> >
> > try:
> > action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender}"
>
> Well, this time I'm getting
> result=TempFail stat=Error ("mail.lmtp: no recipient was specified")
> so there's difference. So I tried
> action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender} %{recipient}" virtual
> but that resulted in
> result=TempFail stat=Error ("smtpd: mda command line could not be expanded: Interrupted system call")
> same with %{rcpt-to}
>
> Where did you get the %{} syntax? I haven't seen it anywhere when
> reading about this.
>
> > However, this does feel odd. I need to switch over as well, but still trying
> > to wrap my brain around the new config.
> >
> > > virtual
> > > action "relay" relay
> > > match from local for local action "lmtp-local"
> > > match from any for domain action "lmtp-local"
> > > match from local for any action "relay"
> > >
> > > but delivery attempts fail with Error ("mail.lmtp: sender must be specified
> > > with -f")
> > >
> > > What would be the proper config for this?
> > > --
> > > viq

--
Mark Patruck ( mark at wrapped.cx )
GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74 F644 0D3C F66F F286 5E51
http://www.wrapped.cx
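The working pieces scattered through this thread, assembled into one smtpd.conf as an added example; it is not any poster's actual configuration. The three ldap tables and the dovecot LMTP socket path come from viq's original config and the "-f %{sender} %{dest}" form from the final update above. The "<vusers>" and "<vdomains>" table references after "virtual" and "for domain" are an assumption (the archived lines show those keywords with no table name following), and the "SPAM_IN" tag match from the final setup is left out because the rest of that tagging config is not on this page.

```conf
# Added example smtpd.conf (OpenBSD 6.4+ grammar), not a poster's own file.
# Tables and socket path as in the thread; the <vusers>/<vdomains>
# references are assumed.
table vusers   ldap:/etc/mail/ldap.conf
table vdomains ldap:/etc/mail/ldap.conf
table passwd   ldap:/etc/mail/ldap.conf

# Hand mail to dovecot over its LMTP socket.  -f passes the envelope
# sender (mail.lmtp refuses to run without it); %{dest} is the recipient
# after the virtual table has been applied.  "virtual <vusers>" is what
# makes smtpd consult the table at all; without a table name the action
# behaves as if no virtual mapping existed.
action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender} %{dest}" virtual <vusers>
action "relay" relay

match from local for local action "lmtp-local"
match from any for domain <vdomains> action "lmtp-local"
match from local for any action "relay"
```

Check it with "smtpd -n" before restarting; that catches a missing table name or a malformed mda line without touching the running daemon.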
Re: smtpd.conf new grammar
Hi Edgar, this is the format:

postmas...@nr.ie n...@nr.ie
webmas...@nr.ie n...@nr.ie
n...@nr.ie vmail

Is this where it's pulling the %{user.username} being vmail from? Dovecot is expecting u...@domain.tld

Regards - Nick

On 28/05/2018 18:28, Edgar Pettijohn III wrote:
On 05/28/18 10:48, Nick Ryan wrote:
Hi Mark, viq, did either of you get it to work with the virtual table?

Mine mostly works with:

action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender} %{rcpt}" virtual

but it ignores the virtual table completely. If I miss out the ${rcpt}, I get a no recipient specified and if I have the {user.username} it gives a similar error. Did your virtual work or am I doing something daft?

Regards - Nick

It really depends on how your dovecot is set up. Is it expecting a `u...@domain.tld' for the username or just the user part? How is your setup? Personally, I think it's easier in the long run to either use a passwd-file from extras or an sql table of some sort. That way smtpd and dovecot can share more easily.

Edgar

On 27/05/2018 08:51, viq wrote:
On 18-05-27 09:34:10, Mark Patruck wrote:
For me it works with %{user.username} as mail.lmtp(8) user.
See "FORMAT SPECIFIERS" in smtpd.conf(5) for details.

Shows how well I read the man page. With this it works, thank you!

On Sun, May 27, 2018 at 09:04:56AM +0200, viq wrote:
> On 18-05-26 19:18:56, Edgar Pettijohn III wrote:
> >
> > > Sorry, I've read the announcements, looked at man pages and examples,
> > > but still didn't manage to figure out how to translate "deliver via dovecot
> > > lmtp" (to have sieve working) into the new syntax.
> > > So far my config was:
> > >
> > > table vusers ldap:/etc/mail/ldap.conf
> > > table vdomains ldap:/etc/mail/ldap.conf
> > > table passwd ldap:/etc/mail/ldap.conf
> > >
> > > accept from local for local virtual deliver to lmtp "/var/dovecot/lmtp"
> > > accept from any for domain virtual deliver to lmtp "/var/dovecot/lmtp"
> > >
> > > I tried changing those into:
> > >
> > > action "lmtp-local" mda "/usr/libexec/mail.lmtp -d /var/dovecot/lmtp"
> >
> > try:
> > action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender}"
>
> Well, this time I'm getting
> result=TempFail stat=Error ("mail.lmtp: no recipient was specified")
> so there's difference. So I tried
> action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender} %{recipient}" virtual
> but that resulted in
> result=TempFail stat=Error ("smtpd: mda command line could not be expanded: Interrupted system call")
> same with %{rcpt-to}
>
> Where did you get the %{} syntax? I haven't seen it anywhere when
> reading about this.
>
> > However, this does feel odd. I need to switch over as well, but still trying
> > to wrap my brain around the new config.
> >
> > > virtual
> > > action "relay" relay
> > > match from local for local action "lmtp-local"
> > > match from any for domain action "lmtp-local"
> > > match from local for any action "relay"
> > >
> > > but delivery attempts fail with Error ("mail.lmtp: sender must be specified
> > > with -f")
> > >
> > > What would be the proper config for this?
> > > --
> > > viq

--
Mark Patruck ( mark at wrapped.cx )
GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74 F644 0D3C F66F F286 5E51
http://www.wrapped.cx
Re: smtpd.conf new grammar
Hi Mark, viq, did either of you get it to work with the virtual table?

Mine mostly works with:

action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender} %{rcpt}" virtual

but it ignores the virtual table completely. If I miss out the ${rcpt}, I get a no recipient specified and if I have the {user.username} it gives a similar error. Did your virtual work or am I doing something daft?

Regards - Nick

On 27/05/2018 08:51, viq wrote:
On 18-05-27 09:34:10, Mark Patruck wrote:
For me it works with %{user.username} as mail.lmtp(8) user.
See "FORMAT SPECIFIERS" in smtpd.conf(5) for details.

Shows how well I read the man page. With this it works, thank you!

On Sun, May 27, 2018 at 09:04:56AM +0200, viq wrote:
> On 18-05-26 19:18:56, Edgar Pettijohn III wrote:
> >
> > > Sorry, I've read the announcements, looked at man pages and examples,
> > > but still didn't manage to figure out how to translate "deliver via dovecot
> > > lmtp" (to have sieve working) into the new syntax.
> > > So far my config was:
> > >
> > > table vusers ldap:/etc/mail/ldap.conf
> > > table vdomains ldap:/etc/mail/ldap.conf
> > > table passwd ldap:/etc/mail/ldap.conf
> > >
> > > accept from local for local virtual deliver to lmtp "/var/dovecot/lmtp"
> > > accept from any for domain virtual deliver to lmtp "/var/dovecot/lmtp"
> > >
> > > I tried changing those into:
> > >
> > > action "lmtp-local" mda "/usr/libexec/mail.lmtp -d /var/dovecot/lmtp"
> >
> > try:
> > action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender}"
>
> Well, this time I'm getting
> result=TempFail stat=Error ("mail.lmtp: no recipient was specified")
> so there's difference. So I tried
> action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender} %{recipient}" virtual
> but that resulted in
> result=TempFail stat=Error ("smtpd: mda command line could not be expanded: Interrupted system call")
> same with %{rcpt-to}
>
> Where did you get the %{} syntax? I haven't seen it anywhere when
> reading about this.
>
> > However, this does feel odd. I need to switch over as well, but still trying
> > to wrap my brain around the new config.
> >
> > > virtual
> > > action "relay" relay
> > > match from local for local action "lmtp-local"
> > > match from any for domain action "lmtp-local"
> > > match from local for any action "relay"
> > >
> > > but delivery attempts fail with Error ("mail.lmtp: sender must be specified
> > > with -f")
> > >
> > > What would be the proper config for this?
> > > --
> > > viq

--
Mark Patruck ( mark at wrapped.cx )
GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74 F644 0D3C F66F F286 5E51
http://www.wrapped.cx
Re: Snapshot upgrade to 6.2 -> 6.2 : kernel relink issue
On 05/20/18 12:32, Rick Ballard wrote:
> I can log to the console and have a functioning router/firewall.
>
> However, most commands fail:
>
> drmons0544w-142-166-18-133# vi test
> 4▒▒: not found/vim[1]:ELF▒
> /usr/local/bin/vim[2]: syntax error: `(' unexpected

third party package error. (/usr/local?)

> SSH exits immediately after I type in my password.

/usr/ problem?

> However, I can use ed, less, etc.

sounds like root (/bin, /sbin) is good.

> Here is what I see on the console during the reboot:
> ...
>
> *em0: bound to 192.168.2.11 from 192.168.2.1 (a8:39:44:8f:68:20)*
>
> *reordering libraries:/usr/sbin/openssl[1]:ELF▒4▒?4: not found*

/usr problems ...

> *starting early daemons: syslogd pflogd unbound ntpd.*

$ which syslogd pflogd unbound ntpd
/usr/sbin/syslogd
/sbin/pflogd
/usr/sbin/unbound
/usr/sbin/ntpd

hm. But not sure how much griping of those /usr apps would make or would get through the rc scripts.

> *starting RPC daemons:.*
>
> *savecore: no core dump*
>
> *acpidump: Can't find ACPI information*
> **
> *drmons0544w-142-166-18-133# dmesg*

$ which dmesg
/sbin/dmesg

> OpenBSD 6.3-current (RAMDISK_CD) #41: Sat May 19 22:45:21 MDT 2018
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
> real mem = 1056833536 (1007MB)
> avail mem = 1021075456 (973MB)
> mainbus0 at root
> bios0 at mainbus0
> acpi at bios0 not configured
> mpbios0 at bios0: Intel MP Specification 1.4
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Genuine Intel(R) CPU @ 1.00GHz, 1000.12 MHz
> cpu0:

So my hunch is you screwed up your /usr partition during the upgrade, which usually means this: What really cool trick did you do that seemed like a great idea at the time that most OpenBSD users would not do and the developers would not have thought worth planning for in the upgrade scripts? I'm thinking symlinks of something to somewhere else, etc.

Nick.
Re: Is -current snapshot only used in current system?
On 05/16/18 05:42, Nan Xiao wrote:
> Hi Peter & Otto,
>
> Thanks very much for your response!
>
> My laptop is very old: Fujitsu LifeBook T5010
> (https://www.pcmag.com/article2/0,2817,2352819,00.asp) .
>
> During booting, it shows:
>
>>>OpenBSD/amd64 BOOT 3.39

"very old" and "amd64" is the first warning sign. (or maybe it just means I need to upgrade my hw :) )

> Then it flashes one line (I can't see that line clearly, and it
> should display load something), and the system will reboot again.
>
> The system will loop the above flow, reboot again and again.

That's close (though not precisely what I recall, but it's been a few years) to what happens if you run amd64 on a 32 bit only proc.

> Now I doubt it is related to partition issue, but not sure.
> I divided the whole disk (MBR) into 2 partitions:
>
>>From offset 64, 4G swap, the left is mounted as '/'.
>
> This method at least works for OpenBSD 6.2.

it's also possible your BIOS doesn't support loading data from "big" disks. Your new kernel might have landed higher than your BIOS can read. There are reasons your One Big Partition isn't recommended.

> On Wed, May 16, 2018 at 5:07 PM, Otto Moerbeek <o...@drijf.net> wrote:
>> On Wed, May 16, 2018 at 04:51:24PM +0800, Nan Xiao wrote:
>>
>>> Hi misc@,
>>>
>>> Greeting from me!
>>>
>>> Maybe a dumb question here. I want to use -current snapshot, and
>>> my current OBSD is 6.3. So I download the newest -current bsd.rd,
>>> and use it to upgrade. It prompts me the upgrade is success, but
>>> the system can't boot. So I think this method only applies to system
>>> is already -current, right? Because I can't find answer from
>>> https://www.openbsd.org/faq/current.html, just want to confirm it.

Nope. As long as you move FORWARD, all is good. -current is just a step along the way to next -release; the next -release is just a spot in the -current continuum.

Nick.
Re: fdisk MBR contains more than one OpenBSD partition!
On 05/09/18 05:06, Rudolf Sykora wrote:
> Hello misc,
>
> I wanted to use a MBR partition for backup purposes,
> so I (almost) created (using fdisk) another OpenBSD MBR (A6)
> partition, but then I got the message
>
> MBR contains more than one OpenBSD partition!
> Write MBR anyway? [n]
>
> So am I doing it wrong?

yep.

In addition to "same disk backups"? [insert template rant here] ...

Think of the fdisk partition as a way to mark off a part of the disk for OpenBSD. It should generally be one contiguous block. The beginning of *the* OpenBSD partition holds the disklabel, which is the important part for marking off OpenBSD disk (sub?)partitions. When you think about that, the reason for ONE OpenBSD partition starts becoming more clear.

IF possible, just enlarge your existing OpenBSD partition to include the new disk space. disklabel, done. If not ... just make the fdisk partition something else, and create an OpenBSD partition in that space using disklabel, format it as normal. And don't ever use an OS on the machine of the type of the fdisk partition you picked. :)

Nick.
Re: Troubleshooting rl instability on OpenBSD 6.1
On 04/30/18 18:04, Stuart Longland wrote:
> On 01/05/18 03:00, Solene Rapenne wrote:
>>
>> Stuart Longland writes:
>>
>>> On 29/04/18 18:08, Solene Rapenne wrote:
>>>>
>>>> Stuart Longland writes:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I've got an Advantech UNO-1150G industrial PC running OpenBSD 6.1 acting
>>>>> as an ADSL router, public NTP server and DNS server. dmesg info:
>>>>>
>>>>>> OpenBSD 6.1 (GENERIC) #291: Sat Apr 1 13:49:08 MDT 2017
>>>>
>>>> OpenBSD 6.1 isn't supported anymore, please upgrade.
>>>>
>>>
>>> Upgrade what? The OS, the router? If I'm 100% certain that moving to
>>> 6.2/6.3 will fix rl, then sure, but this answer is not helpful, as I've
>>> been battling this problem for over a month.
>>
>> Maybe your issue is fixed in 6.2 or 6.3, who knows. 6.1 isn't supported
>> anymore and you use it on a router connecting to the Internet. I can
>> only recommend upgrading.
>>
>
> It might conversely also be made worse by 6.2 or 6.3. In theory, it
> shouldn't, but then again, in theory, I shouldn't have been getting this
> problem either.
>
> An update of the OS will have to wait until I can purchase another CF
> card to load with OpenBSD 6.3 and migrate the configuration.
>
> Alternatively, if the problem is hardware, I can just replace the whole
> box. Updating OpenBSD on the existing one would be a waste of time.
>
> I need a way of ruling out the hardware as being an issue. Until then,
> OpenBSD 6.1 stays, unless the debugging facilities in 6.2/6.3 are
> drastically different that make troubleshooting this problem easier.
>
> I think I've tracked down the driver source here:
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/dev/ic/rtl81x9.c
> The log suggests it has not changed since the release of OpenBSD 6.1.
>

Here's the thing. There are rules to the game with every OS. With OpenBSD, you have to stay up to date -- the support tail is only about a year long, and that is really only security issues.

So, what are you after? A magic, secret sysctl, "sysctl rl.work.properly=1"? Nope, no such thing. Sorry. A patch to fix it? Not going to happen against 6.1, 6.2, or even 6.3, most likely. -current is where development happens; only security issues and maybe some behavior regressions are ever pushed back to old releases...not operational improvements, new features, or new hw support.

Now, rl chips were considered the worst pieces of network junk around until the ARM systems started sprouting networking chips. Don't get me wrong, I've used a lot of them, and had pretty good luck with them, but a lot of people I respect and who know better than me hate the #$%^ things.

You say a couple things that catch my eye --
1) 6.1 is over a year old, and you say you have been battling the problem for a month. So something changed. That's hinting hw, not sw. (typically. Or the load changed. or something).
2) you say you had "similar" problems with another OS. Similar to what, I'm not sure, but that sounds like you have a HW problem.

Keep in mind, when it comes to networks, it's not just the computer -- the wire and the switch are also all suspect.

But it boils down to this: if you want help on OpenBSD, you play by the rules and run either -current or at least a supported release (and if you contend it's an OS issue, you verify it still exists in -current!). If you don't need OpenBSD help...this isn't the place. And if you can say with certainty, "everything is the same", you will have no trouble adding debugging info and figuring out your own problem.

Nick.
Re: Raid offline when newfs
On 04/29/18 20:23, Mimoza wrote:
>
>
> On 30/04/2018 at 00:01, Mimoza wrote:
>> Hi,
>> I have a problem to create a second RAID 1 on my router, a Soekris
>> 6501-70 (http://www.soekris.com/products/net6501-1.html)
> […]
>> I can rebuild the offline device but it is still offline …
>>
>> So, is there any option or configuration to explain/solve that? Something
>> wrong with what I do?
>>
>> Maybe something bad with the expansion card?
>>
>> Thanks for any help.
>>
>
> Well, I respond to myself but I found the guilty one.
> My last question was the good way. I don't know why but the expansion
> card does something wrong. I created the RAID system on another computer
> and went back on the router with the expansion card with the 2 HDDs ready to
> use and it's fine!
>
> Sorry for the noise
>

Did you disable the RAID functionality of this card? If not, the BIOS probably tried to "rebuild" one disk onto the other, causing you all kinds of pain. softraid has to do everything for this to work properly.

Nick.
Re: cloning to smaller hard disk
On 04/22/18 14:46, Tuyosi T wrote:
> hi all .
> i manage to clone bigger HDD(sd1) to smaller HDD(sd0)
>
> this is dangerous , so please test .
> and there may be some errors , then please point them out .

Ok, how do I put this nicely...

PLEASE DON'T DO THIS KIND OF "documentation".

Ok, you accomplished your task. Congrats, I'm proud of you. But your initial config was bad, your final config was bad, and your process was trivial and very specific to your config. Your "documentation" doesn't explain the WHY of what you do, or the VERY special (and wrong) case of your config that allowed this to work. It's not a teaching document.

While I'm a big defender of free speech, this is not helpful in the way you probably intended. If your goal is training people to think before they follow stuff they find on the 'net, great, ok, I guess -- nothing teaches like a bullet in the foot. But I don't think that was your goal.

Your initial system and final system were One Big Partition layouts -- Bad idea. And you copied over just the 'a' partition. Useless for the recommended OpenBSD config. And tar has trouble with really long paths.

And really, your task is simple --

* Boot the system with the new disk attached.
* Stop all processes you can that are changing important data on the disk. Can also be done by booting from bsd.rd.
* If you booted from bsd.rd, you will probably need to /dev/MAKEDEV [sw]d1, as bsd.rd has only one sd and wd device.
* fdisk (if needed) and disklabel your new disk. For simplicity, I'll assume same disklabel setup on the new disk and old.
* newfs all the new partitions
* for each FS,
  * Mount the new one somewhere
  * dump | restore each existing partition to the new partition.
  * umount the new partition.
* Set up the boot code on the new disk.

Interestingly, that's basically the process for any Unix-Like OS (ULOS). The last step (set up the boot code) will vary tremendously from ULOS to ULOS, and SELinux will require some voodoo that few understand to make things work after moving them in the name of security.

Nick.
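The step list above written out as a small sh script, added here as an example; it is not Nick's own script. It assumes OpenBSD's dump(8), restore(8), newfs(8) and installboot(8) command lines, that fdisk and disklabel have already been run on the new disk with the same partition letters as the old one, and that every listed partition is FFS. The scratch mount points under /mnt/clone_<letter> are an arbitrary choice. Swap ('b') is skipped, and 'c' is refused outright because it names the whole disk rather than a filesystem. Setting DRY_RUN=1 prints each command instead of running it, which is how it should be run the first time.

```shell
#!/bin/sh
# Added example, not Nick's script.  Assumes OpenBSD dump/restore/newfs/
# installboot syntax and a new disk that is already fdisk'd and disklabel'd
# with the same partition letters as the old one.  DRY_RUN=1 prints each
# command instead of executing it.

# run COMMAND-STRING: execute via eval (so pipelines work) or just print.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        eval "$*"
    fi
}

# clone_partition OLDDISK NEWDISK LETTER
# newfs the new partition, mount it, then level-0 dump the raw old
# partition straight into restore with the new filesystem as cwd.
clone_partition() {
    old=$1 new=$2 p=$3
    tmp=/mnt/clone_$p                      # assumed scratch mount point
    run "newfs /dev/r${new}${p}" &&
        run "mkdir -p $tmp" &&
        run "mount /dev/${new}${p} $tmp" &&
        run "dump -0af - /dev/r${old}${p} | (cd $tmp && restore -rf -)" &&
        run "umount $tmp"
}

# clone_disk OLDDISK NEWDISK LETTER...
# Walks the listed partitions, then installs boot code on the new disk.
clone_disk() {
    old=$1 new=$2
    shift 2
    if [ "$old" = "$new" ]; then
        echo "refusing: source and destination are the same disk" >&2
        return 1
    fi
    for p in "$@"; do
        case $p in
            b) echo "skipping swap partition $p" >&2; continue ;;
            c) echo "refusing: c is the whole disk, not a filesystem" >&2
               return 1 ;;
        esac
        clone_partition "$old" "$new" "$p" || return 1
    done
    run "installboot $new"
}

# Usage for an old disk sd1 and a new disk sd0 with / /usr /var /home on
# a d e f (uncomment to run; try it with DRY_RUN=1 first):
# clone_disk sd1 sd0 a d e f
```

Run it from bsd.rd or single-user mode so nothing is writing to the source filesystems while dump walks them; dump of a live, busy filesystem is the usual way to get a restore that fsck then has opinions about.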
Re: Virtualbox vs latest snapshot
On 04/12/18 09:47, Consus wrote:
> On 08:28 Thu 12 Apr, Nick Holland wrote:
>> Another "failure mode" of VirtualBox people should be aware of:
>> I understand through good sources, Oracle monitors the IP addresses that
>> it's downloaded from, and if they can trace it back to a commercial IP
>> (i.e., not a home address), and if they see you download (or update) the
>> "not for unrestricted free use" parts, their lawyers will contact you
>> and send you a bill...and they really don't care about "for work" or
>> "not for work related" uses.
>>
>> I'd really recommend removing this product from your computers.
>
> This won't stand in court. Your sources are so high on crack it's not
> even funny.

Think about it a moment. Using my real name, and a public, trackable identity, I just accused a very big company with lots of lawyers (and they know how to use them!) of something. If my facts are not in order, I could be in big trouble. My facts are in order.

It's not about court. It's about threatening lots of companies and hoping a few pay up to avoid the cost of going to court -- which is considerable, win or lose.

What you believe changes nothing. Their licenses are complicated, easy to use wrong, and they seem to care. I recommend against using their products for that reason.

Nick.
Re: Virtualbox vs latest snapshot
Another "failure mode" of VirtualBox people should be aware of: I understand through good sources, Oracle monitors the IP addresses that it's downloaded from, and if they can trace it back to a commercial IP (i.e., not a home address), and if they see you download (or update) the "not for unrestricted free use" parts, their lawyers will contact you and send you a bill...and they really don't care about "for work" or "not for work related" uses. I'd really recommend removing this product from your computers. Nick.
wireless installation
I would like to install OpenBSD wirelessly, but my card requires additional firmware (iwn) that is not included in the installer. Is there a way to overcome this obstacle?
Re: Check if fsck will be run on a partition
On 04/03/18 02:54, Mik J wrote:
> Thank you Nick, I understand
>
> I mount my partition like that
> /sbin/bioctl -s -c C -l /dev/sd0h softraid0
> /sbin/mount -o rw,nodev,nosuid,softdep /dev/sd1c encrypted
>
> And it appears this partition always has 0,1% of fragmentation.
> However the mount doesn't trigger any warning when there's 0,1%
> fragmentation.
>
> From what I understand in your answer is that I should search why I have
> this 0,1% fragmentation rather than something else.
> I don't know if this fragmentation is expected.

Nope. Fragmentation is not your issue. However, using the 'c' partition most likely is -- as I recall, if you do that, all kinds of things go wrong, including having problems determining if your partition was unmounted cleanly or if it needs an fsck.

re-read the docs on softraid -- you are building a "disk", you have to treat it accordingly -- including an fdisk partition table and in that, a disklabel partitioning, and NOT using the 'c' partition.

Nick.
Re: Check if fsck will be run on a partition
On 04/02/18 02:28, Mik J wrote:
> @Theo: The fsck is not superfast, it takes 20s I end with that message
> 39256 files, 5904368 used, 10865841 free (15345 frags, 1356312 blocks, 0.1%
> fragmentation)

you missed his point. If it took 20 seconds to run, you needed to run it. If you didn't need to run it, it would have said the file system was clean. Watch:

# umount /var/www
# time doas fsck /var/www
** /dev/sd2p (30b584a557ce1aea.p)
** File system is clean; not checking
    0m00.07s real     0m00.00s user     0m00.01s system
# doas mount -a

That's a 200G partition, btw. I think less than a tenth of a second is quite good. Superfast, even. The message you got clearly indicates that an fsck was needed.

I use this technique myself on some systems. Just run fsck, it won't slow you down unless needed.

Nick.
Re: Dell Latitude E6540 OpenBSD 6.2 amd64 freezes when adjusting refresh rate using xrandr
On 03/20/18 11:49, Xianwen Chen wrote:
> Dear OpenBSD users,
>
> I run OpenBSD 6.2 amd64 on a Dell Latitude E6540 laptop.
>
> I hook a Dell U2412M monitor to the laptop using VGA port. xrandr
> recognizes the maximum resolution of the external monitor, but the
> refresh rate is slightly below 60:
> VGA-1 connected (normal left inverted right x axis y axis)
>    1920x1200     59.95 +
...
> I can visibly see the flickering of the screen on the external monitor.
> Is this because the refresh rate is below 60?

no. And I'm stopping your message here, as you are barking up the wrong tree.

For 60Hz, 59.95 is more than "close enough". Plus, LCD monitors are NOT like CRTs in refresh. CRTs draw one scan line at a time; that scan line and a few above it are lit up at any moment, so the entire screen flashes at the refresh rate. 60Hz is about the minimum that is tolerable for most people, and many people can "feel" (if not exactly see) the difference for significantly faster refresh rates (and the faster, the better). LCDs have a much more static picture. The screen refresh rate will matter for how smooth motion can appear, but the screen itself does NOT flicker. Prove this to yourself by holding your hand out, fingers spread, and waving it back and forth rapidly in front of a CRT (if you can find one) and an LCD monitor. You will see very different results.

Most likely what you are seeing is your monitor having a bad time with the timing of the computer. I suspect the "Auto-adjust" button will do wonders, but I have also found that some computers just put out garbage to the analog video port. And in one case, I found that having both the VGA and HDMI cable attached to the monitor, even though only the VGA was attached to the computer, caused annoying flicker on the monitor that mostly went away when I happened to need that HDMI cable elsewhere.

Nick.
Re: How recursive copy to clone OS installation (devices, links, owners, privileges etc.)?
On 03/14/18 21:08, Tinker wrote:
> Say you have an OpenBSD installation (with /dev and all) mounted on
> /mnt , and you'd like to clone it to /mnt2 , which is a partition
> of different size, so dd is not an option.

Not necessarily true. If the source is smaller than the destination, you can still image it with "dd", rsdXc partition to rsdXc partition. You can then use "growfs" to expand the last partition -- if you planned it right, your last partition is the one that needs the most space.

You can also dd over individual partitions. Create a new 'a' partition, copy over the 'a' partition (/dev/rsdXa) first, now make a /new/ disklabel (that's stored in the 'a' partition, so copying over 'a' blew your old one away -- order here is kinda important), make all the new partitions the size you want them to be, then dd them over from the source to the dest, then growfs each of them to fluff them out to the size you got.

Not saying it's the best way to do things, but it's educational. :)

Nick.
opensmtpd: limit mta for mx
Hi misc@, long time no see (and please CC me),

In smtpd.conf, the "limit mta" line can be qualified like this:

limit mta for domain gmail.com inet4

which I did because I recently started getting bounces from google saying

550-5.7.1 [2001:19f0:5001:2f5:5400:ff:fe77:861d] Our system has detected that this message does not meet IPv6 sending guidelines regarding PTR records and authentication. Please review https://support.google.com/mail/?p=IPv6AuthError for more information . d63si3145626edc.222 - gsmtp

I think they started prioritizing their (IPv6) records over their A (IPv4) DNS records, so now opensmtpd is preferring to use IPv6. I tried a bit but I don't really know what they're mad about, and whatever, I don't want to fight them, I just want my mail to get through.

That limit line fixed it for gmail.com, but now I have a new problem: the huge number of domains that are actually hosted on smtp.gmail.com. I am wondering if there is some way to express "use IPv4 if the mail *server* is gmail" instead of "if the mail *domain* is gmail". Something like:

limit mta for mx smtp.gmail.com inet4

Right now I'm stuck enumerating all Google Apps for Business accounts I know of and adding a line for each.

= Nick
Re: ffs mount options or tuning to prevent corrupted fs on power-outage
On 03/03/18 14:48, Thomas Huber wrote:
> Hi,
>
> can someone give me recommendations for ffs mount options or further
> tuning to prevent file-system corruption on power-outage?
>
> I run a PC-Engines APU2c3 with -stable in a rural place where power-outage
> takes place approx. once a month. Most of the time everything starts fine
> when power is back, but sometimes (now the third time in one year) I end up
> with a corrupted /var and I've to go to that place and do manual fsck_ffs
> which could always repair the fs.
...

Wrong question focusing on the wrong problem. The bigger issue is, "Why is my machine so difficult to fix when things go wrong?"

Answer: You got the wrong machine for the environment. I know, this week, the answer to all questions is "APU", just as some years ago it was "Soekris", regardless of the question. Just as wrong now as it was then.

You need a computer with a real keyboard and a real monitor attached, so that *WHEN* things go wrong (NOT JUST POWER), you can walk the locals through fixing (or at least diagnosing) the problem. Normal people (you know, with weekends, social lives, significant others, things like that) can't handle serial consoles, nor should they be expected to.

Murphy's law dictates that the harder it is to get console, the more often you need it. I know, it's not true, but I swear the ONLY times an OpenBSD system won't come up after a hard power down is when the keyboard and monitor aren't attached or hard to get attached. Realistically, it's just that when you have keyboard and monitor attached, the fix is just a few minutes away, rather than hours or days, and you can walk just about anyone through it over the phone, and it thus becomes a "non-event".

Nick.
Re: sudoedit for doas?
On 03/01/18 06:50, Solène Rapenne wrote:
> What you said mimics visudo (to edit sudo configuration file), not
> sudoedit which is documented in sudo(8) :
>
> 1. Temporary copies are made of the files to be edited with the owner
>    set to the invoking user.
> 2. The editor specified by the policy is run to edit the temporary
>    files. The sudoers policy uses the SUDO_EDITOR, VISUAL and EDITOR
>    environment variables (in that order). If none of SUDO_EDITOR,
>    VISUAL or EDITOR are set, the first program listed in the editor
>    sudoers(5) option is used.
> 3. If they have been modified, the temporary files are copied back to
>    their original location and the temporary versions are removed.

What is the reason for your obsession with sudoedit or visudo or anything other than just editing the $%&^& file, saving your changes and testing them in another terminal window? Like is done on almost every other config file in a Unix environment? There is no pfconfedit, daily.localedit, virc.conf, dhcpd.confedit, and we do just fine without it.

If you are so obsessed with doing things the sudo way, just use sudo (from packages) as has been already said. Otherwise, just edit doas.conf, test, and have a great day!

Nick.
Re: noip freezes my 6.0
On 02/28/18 02:06, Hess THR wrote:
> Hello,
>
> pkg_add ...pub/OpenBSD/6.0/packages/amd64/no-ip-2.1.9p4.tgz
...
> How can I help the community, how to debug this problem? (before opening a
> low-level bugreport, want to make it a more quality report)

Step 1: upgrade to a 6.2-current snapshot. Nothing is being looked at or thought about in the 6.0 world. 6.3 is coming soonish. That's the only place a fix will happen, if it is an OpenBSD problem. It will not be fixed in 6.2 or 6.1, and certainly not something as old as 6.0.

Step 2: give your hardware a good workout. Building the system from source might be a good way. What you describe could just be marginal hw or a power glitch or a bad disk which fails during the 1:30am daily self-checks, and got lucky once when you also happened to turn off the no-ip app. This really does sound more like a hw issue than an OS or application issue.

Step 3: contact the port maintainer. Maybe they are aware of something. Do not do this before steps 1 and 2 are complete, however.

After that, file a proper bug report.

Nick.
Re: OpenBSD IRQ sharing on ISA
On 02/08/18 04:31, Захаров Анатолий wrote:
> I installed OpenBSD on my Fastwell CPB905 single-board computer. It has
> 4 RS-232 ports on the same IRQ, but at different addresses on the ISA bus.
> When I set up only one port using the configure command, all ports work
> normally. But when I set up 2 of them in one boot configuration I get in
> dmesg: irq already in use. I found the next thing in the OpenBSD 3.8
> documentation:
>
> ISA devices can not share IRQs. If you find ISA devices sharing IRQs, you
> must correct this problem.
>
> But how does it work on Linux & QNX?

REALLY, if you have to ask such questions, you should not be using 35+ year old HW designs like ISA. The world is much simpler now, focused on a less experienced userbase.

The ISA bus was designed for one device, one interrupt. The OS would install code to deal with device X on IRQ Y. When IRQ Y was detected, the code to handle device X was run and -- BY DEFINITION -- it knew it could close out the interrupt and get back to whatever else the computer was doing. The software was written that way, and the HW was designed that way -- devices could apply a logic zero or logic one to an IRQ pin. Start sharing IRQs, you could end up with one card trying to pull the pin high, another pulling it low (so even if you write fancy software that polls multiple devices sharing an IRQ, odds are, the HW won't allow it to work).

Now, there are things that APPEAR to violate this one device, one interrupt rule.

For example, I have a Boca 8 port serial card in a machine that has a total of ten serial ports:

boca0 at isa0 port 0x100/64 irq 10
com4 at boca0 slave 0: ns16550a, 16 byte fifo
com5 at boca0 slave 1: ns16550a, 16 byte fifo
com6 at boca0 slave 2: ns16550a, 16 byte fifo
com7 at boca0 slave 3: ns16550a, 16 byte fifo
com8 at boca0 slave 4: ns16550a, 16 byte fifo
com9 at boca0 slave 5: ns16550a, 16 byte fifo
com10 at boca0 slave 6: ns16550a, 16 byte fifo
com11 at boca0 slave 7: ns16550a, 16 byte fifo
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo

In this case, the ENTIRE Boca board is ONE device sharing an IRQ, there is no violation. The driver for it knows that when it gets called by an IRQ, it has to poll ALL the devices looking for something that needs to be done. It is a Boca driver (which happens to have eight ports), not a generic ISA COM port driver.

Your system is most likely along these lines. Someone wrote the driver for your cluster of serial ports-as-one-device for other OSs, and you are trying to use the ISA com port driver on OpenBSD. Your options are to either write some code (hint: the boca driver might be a good starting point, but notice that it is NOT part of the base system ... for a reason! (that's a custom compiled kernel I showed a snippet of the dmesg of)

Nick.
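The difference between "a generic com port driver per port" and "one board-level driver that polls all its slaves" is easier to see in code. The following is an added example written for this page, not code from the thread and not OpenBSD's com(4) or boca(4) drivers: the hardware is simulated (a "pending" flag stands in for each UART's interrupt-identification register, and a wired-OR line is asserted while any port is pending), and the "late_slave" field is a simulation hook that makes one port raise a condition while the handler is already running. Names and the port numbering are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NSLAVES 8   /* eight ports behind one ISA IRQ, like the Boca board */

/* One simulated UART. "pending" stands in for the interrupt-pending bit
 * of its IIR register; while it is set the port drives the shared line. */
struct uart {
    bool pending;
    int  serviced;
};

/* The whole board is one device on the IRQ line. "late_slave" is a
 * simulation hook (assumption, not hardware): that port raises a new
 * condition while the first polling pass is in progress, -1 for none. */
struct board {
    struct uart port[NSLAVES];
    int late_slave;
};

static struct board new_board(void)
{
    struct board b;
    memset(&b, 0, sizeof b);
    b.late_slave = -1;
    return b;
}

/* Wired-OR interrupt line: asserted while any port has an unserviced
 * condition. An edge-triggered 8259 will not deliver another interrupt
 * until this drops and rises again. */
static bool irq_line_asserted(const struct board *b)
{
    for (int i = 0; i < NSLAVES; i++)
        if (b->port[i].pending)
            return true;
    return false;
}

/* Per-device handler in the com(4) style: it only knows about one port,
 * services that port and returns. Correct when one device owns the IRQ. */
static void com_intr(struct uart *u)
{
    if (u->pending) {
        u->pending = false;
        u->serviced++;
    }
}

/* Board-level handler: on each interrupt poll every slave, and repeat
 * until the line is quiet, so a condition raised mid-pass is not lost.
 * Returns the number of polling passes made. */
static int boca_intr(struct board *b)
{
    int passes = 0;
    do {
        passes++;
        for (int i = 0; i < NSLAVES; i++)
            com_intr(&b->port[i]);
        if (b->late_slave >= 0) {           /* simulated late arrival */
            b->port[b->late_slave].pending = true;
            b->late_slave = -1;
        }
    } while (irq_line_asserted(b));
    return passes;
}

/* Scenario A: slaves 1, 3 and 6 raise conditions at once, but only a
 * generic one-port handler is attached (to slave 1). Returns how many
 * ports are still asserting the line afterwards: nothing will ever
 * service them, and no new edge can arrive while the line stays high. */
static int stuck_after_com_intr(void)
{
    struct board b = new_board();
    b.port[1].pending = b.port[3].pending = b.port[6].pending = true;
    com_intr(&b.port[1]);
    int stuck = 0;
    for (int i = 0; i < NSLAVES; i++)
        stuck += b.port[i].pending;
    return stuck;
}

/* Scenario B: same three conditions, board handler attached. Returns the
 * number of passes needed, or -1 if the line is still asserted. */
static int board_passes(int late_slave)
{
    struct board b = new_board();
    b.port[1].pending = b.port[3].pending = b.port[6].pending = true;
    b.late_slave = late_slave;
    int passes = boca_intr(&b);
    return irq_line_asserted(&b) ? -1 : passes;
}

int main(void)
{
    printf("one-port handler on shared IRQ: %d ports left pending\n",
           stuck_after_com_intr());
    printf("board handler: %d pass(es)\n", board_passes(-1));
    printf("board handler, port 5 fires mid-service: %d pass(es)\n",
           board_passes(5));
    return 0;
}
```

Scenario A is what happens when four ports are attached as four independent com(4) instances on one IRQ: the one handler that runs drains its own port and returns, the other ports keep the line asserted, and on an edge-triggered controller no further interrupt is ever generated for them. Scenario B is the board-level driver's loop: poll every slave, then re-check the line, so a port that raised a condition during the pass is picked up on the next pass rather than being lost.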
Re: History documentation
On 01/24/18 08:12, mazocomp wrote:
> On Wed, Jan 24, 2018 at 12:22:18PM +0100, who one wrote:
>> Hey, strange, there is 5.3 in
>> https://cloudflare.cdn.openbsd.org/pub/OpenBSD/doc/history/
>>
>> is this still maintained?
>>
>> Many thanks.
>>
>> > Sent: Saturday, January 20, 2018 at 1:21 PM
>> > From: mazocomp <mazoc...@disroot.org>
>> > To: misc@openbsd.org
>> > Subject: History documentation
>> >
>> > Hi!
>> > Both obsd-faq.txt and pf-faq.txt in pub/OpenBSD/doc/ are same as
>> > obsd-faq52.txt and pf-faq52.txt in pub/OpenBSD/doc/history/
>> > So I wonder is there a point to keep them out of date?
>> >
>> >
>> >
> Well, it doesn't look like it is maintained.

Correct. Might be of some value to people running old versions of OpenBSD on legacy hw (certainly wouldn't want to put a mac68k in production on old SW, but then, not sure why anyone would use a mac68k in any kind of production in the last 20+ years, and it's sometimes fun to put an OS on old hw), or OSs with legacy versions of PF.

I use it from time to time, because ... well, I slipped notes to myself into the FAQ. And now that I'm not maintaining it, some of my crib notes have been deleted! :) Hopefully, I'm the only user of THAT type...

Nick.
Re: identifying software and licenses used in base install
On 01/17/18 18:11, Kent Watsen wrote:
>
> I'm throwing together a quick proof-of-concept thingy to give to a
> customer and thought it might be fun to use OpenBSD as the OS for the
> VM image.  Unfortunately, the not so fun part of it is that I'm
> required to get permission to use/distribute this open source software,
> which entails needing to identify all the internal software components
> and licenses used. I thought this was going to be easy, but it's
> proving to be anything but...

I'm a little puzzled by this. You have been granted the permission to use/distribute the software. No one is going to give you a personal note of permission, unless you want to chuck a lot of money someone's way.

http://www.openbsd.org/policy.html

This shows the common open source licenses, and the OpenBSD take on them. Have your requestor look at those licenses, have them tell you which are objectionable, and see if the OpenBSD "take" is similar. For example, if your requestor says, "I don't accept GPL3", great, OpenBSD is on the same page. If they don't like GPL2, you lose the compiler tools.

> My system only has the following installed: bsd, bsd.rd, bsd.mp, base62,
> etc62, and man62.
>
> Is there, by chance, such a breakdown available for these already? Since
> OpenBSD is distributed in binary form, is there a copyright attributions
> listing somewhere to satisfy the "must reproduce the above copyright"
> clause, or do you just point to the also-distributed source for all that?
>
> In lieu of that, it seems that a script could analyze the source code -
> everything is contained in sys.tar.gz (the kernel) and src.tar.gz
> (userland), right?

The source tree pretty well shows you how the utilities are licensed. Things that are ISC/BSD compatible. Things that aren't BSD-ish licensed are in /usr/src/gnu. If that's where your problem is, that's what you want to leave out.

...

> I'm beginning to think that this might be more trouble than it's worth,
> and that I might be better off having the customer download/install
> OpenBSD themselves, and then run something like an Ansible script to
> install/configure the demo...

Naw. Better than that, walk them through the install over the phone, configuring the thing and all. Really, I've done it several times with people, it is so stupidly easy to do in person, you can easily guide someone through it over the phone, just having them read to you what is on the screen, and tell them the appropriate response. They will be wowed beyond belief, I suspect.

Nick.
Re: Writing "ones" instead of "zeroes" when wiping disk
On 01/11/18 09:45, Andreas Thulin wrote:
> Hi!
>
> Again, an ignorant question (as usual):
>
> How might I do something similar to
>
> # dd if=/dev/one of=/dev/sd0 bs=1M
>
> as a complement to the usual and well-described
>
> # dd if=/dev/zero of=/dev/sd0 bs=1M
>
> followed by
>
> # dd if=/dev/urandom of=/dev/sd0 bs=1M
>
> in order to achieve paranoid disk-wiping?

Another answer to your question might be to change those zeros to ones. One way to do that:

# tr "\0" "\377"