Re: socket core
On Tue, Jan 16, 2024 at 09:07:17AM -, Stuart Henderson wrote:
| On 2024-01-16, Otto Moerbeek wrote:
| > On Tue, Jan 16, 2024 at 08:16:38AM +0100, Janne Johansson wrote:
| >
| >> On Tue 16 Jan 2024 at 01:16, Gustavo Rios wrote:
| >> > Hi folks.
| >> > I have a simple question : How many cores does OBSD support ?
| >>
| >> amd64 says
| >>
| >> #define MAXCPUS 64 /* bitmask */
| >>
| >> but different arches have different limits.
| >
| > But do note that OpenBSD is not great in using many cores, expect it
| > to not scale in a linear way. It's best to make decisions on actual
| > measurements.
|
| It can vary a lot depending on what you're actually doing on the
| machine; pure computation will scale better than file access, for
| example. Keep an eye on "spin" in top(1) while testing. If you're seeing
| significant numbers for this, adding cores is not all that likely to
| help.

What Stuart said is very true - here's what I saw on my 16-core machine with SMT enabled while encoding a Blu-Ray movie:

37135 weerd 2 20 1467M 1342M onproc/2 kqread 51.5H 2481.54% ghb

With SMT disabled (hw.smt=0), it got to well over 1500% CPU time, so for this job it helped to enable SMT. Network traffic did not scale that well when I last tried.

So indeed, very much depends on your workload.

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: shmmax
On Thu, Nov 09, 2023 at 08:04:34PM +0100, Daniele B. wrote:
| I'm guessing that for my usage profile I can go with an optimization
| like this:
| > sysctl kern.shminfo.shmmax=524288
|
| Any more feedback?

Yes: don't twist knobs when you don't understand what they do.

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: Cannot boot neither use boot -c in computer with Ryzen 9
On Sun, Aug 27, 2023 at 06:50:07AM -0500, vtamara wrote:
| You're right,
|
| The problem is with the time that it takes for certain operations
| with disk. After long time the installation process continued and
| the keyboard worked for that.

So .. if you have SATA disks or optical drives (that are not part of the boot disk), you could try disconnecting those from the motherboard. Since you were able to install without problems, I think you may be in this situation (e.g. if you have NVME(4) storage).

| I still cannot use the keyboard in UKC and although I bought a
| converter from USB to serial to try remote debugging with "boot> set
| tty com0" it didn't work. The BIOS and the booting process of
| OpenBSD detect that the board has a com0 port but I don't see a
| physical connection for it.
|
|
| I will try to apply your patch and install and hopefully after I
| will send a dmesg.

Note that it's not a fix in any shape or form. The change only reduces the time you have to wait for the system to complete booting. And you normally wouldn't have to wait for so long if it wasn't for some problem with the AHCI(4) subsystem on your computer (whether it's a bug in OpenBSD or a problem with the board is still unclear - but in my case, devices behind ahci(4) work after a suspend/resume cycle, so I'm guessing there's some (power management) issue with the ahci device on these ASUS boards, but I'm mostly just guessing).

Paul

| Thanks a lot for your help Paul.
|
| Blessings.
|
| On 2023-08-26 01:42, Paul de Weerd wrote:
| > Hi,
| >
| > Pretty sure it doesn't really stop, give it a couple of hours (really)
| > and see if it makes progress then.
| >
| > My guess is, your system has SATA devices (disks or CD/DVD/BD)
| > connected to it. If you're not booting from them, one thing you can
| > try in UKC is to `disable ahci` and see if that helps.
| >
| > If it does, this patch will significantly speed up the boot process.
| > You will find your SATA devices don't work until such a time that you | > suspend and resume. | > | > Of course, I cannot be certain .. but at least that's the case on my | > AMD Ryzen 7950X in an ASUS motherboard (different board though). Very | > curious if you see the same. If you can arrange serial console, a | > dmesg would be very useful. | > | > Cheers, | > | > Paul 'WEiRD' de Weerd | > | > -- | > Index: sd.c | > === | > RCS file: /cvs/src/sys/scsi/sd.c,v | > retrieving revision 1.333 | > diff -u -p -r1.333 sd.c | > --- sd.c23 Oct 2022 14:39:19 - 1.333 | > +++ sd.c26 Mar 2023 19:24:28 - | 
> @@ -674,7 +674,7 @@ sdstart(struct scsi_xfer *xs) | > read = ISSET(bp->b_flags, B_READ); | > | > SET(xs->flags, (read ? SCSI_DATA_IN : SCSI_DATA_OUT)); | > - xs->timeout = 6; | > + xs->timeout = 600; | > xs->data = bp->b_data; | > xs->datalen = bp->b_bcount; | > xs->done = sd_buf_done; | > -- | > | > On Fri, Aug 25, 2023 at 04:10:12AM -0500, vtamara wrote: | > | | > | | > | Hi, | > | | > | I'm having issues booting 7.3 and current in a amd64computer with | > | processor AMD Ryzen 9 7950X ( | > | https://www.amd.com/en/products/cpu/amd-ryzen-9-7950x ) and board | > | ASUS ROG STRIX B650-A | > (https://rog.asus.com/us/motherboards/rog-strix/rog-strix-b650-a-gaming-wifi-model/). | > | | > | The kernel detects the hardware but stops after the lines | > | | > | softraid0 at root | > | | > | scsibus3 at sofraid0: 256 targets | > | | > | (I'm attaching picture). | > | | > | If I try with "boot> boot -c" it presents the error message | > | | > | kbc: cmd word write error | > | | > | and in the prompt UKC> it doesn't allow to write. | > | | > | (Attaching picture) | > | | > | I'm considering booting with a serial console to try to disable some | > | devices and diagnose why the normal boot process stops, however the | > | board of this computer doesn't have serial ports. Any suggestions | > | on a USB to Serial adapter to use? Or how to debug under these | > | circumstances? | > | | > | Blessings. | > | | > | -- | > | Dios, gracias por tu amor infinito. | > | -- | > | Vladimir Támara Patiño. http://vtamara.pasosdeJesus.org/ | > | http://www.pasosdejesus.org/dominio_publico_colombia.html | > | | > | -- | > | Dios, gracias por tu amor infinito. | > | -- | > | Vladimir Támara Patiño. http://vtamara.pasosdeJesus.org/ | > | http://www.pasosdejesus.org/dominio_publico_colombia.html | |
Re: Cannot boot neither use boot -c in computer with Ryzen 9
Hi, Pretty sure it doesn't really stop, give it a couple of hours (really) and see if it makes progress then. My guess is, your system has SATA devices (disks or CD/DVD/BD) connected to it. If you're not booting from them, one thing you can try in UKC is to `disable ahci` and see if that helps. If it does, this patch will significantly speed up the boot process. You will find your SATA devices don't work until such a time that you suspend and resume. Of course, I cannot be certain .. but at least that's the case on my AMD Ryzen 7950X in an ASUS motherboard (different board though). Very curious if you see the same. If you can arrange serial console, a dmesg would be very useful. Cheers, Paul 'WEiRD' de Weerd -- Index: sd.c === RCS file: /cvs/src/sys/scsi/sd.c,v retrieving revision 1.333 diff -u -p -r1.333 sd.c --- sd.c23 Oct 2022 14:39:19 - 1.333 +++ sd.c26 Mar 2023 19:24:28 - 
@@ -674,7 +674,7 @@ sdstart(struct scsi_xfer *xs) read = ISSET(bp->b_flags, B_READ); SET(xs->flags, (read ? SCSI_DATA_IN : SCSI_DATA_OUT)); - xs->timeout = 6; + xs->timeout = 600; xs->data = bp->b_data; xs->datalen = bp->b_bcount; xs->done = sd_buf_done; -- On Fri, Aug 25, 2023 at 04:10:12AM -0500, vtamara wrote: | | | Hi, | | I'm having issues booting 7.3 and current in a amd64computer with | processor AMD Ryzen 9 7950X ( | https://www.amd.com/en/products/cpu/amd-ryzen-9-7950x ) and board | ASUS ROG STRIX B650-A (https://rog.asus.com/us/motherboards/rog-strix/rog-strix-b650-a-gaming-wifi-model/). | | The kernel detects the hardware but stops after the lines | | softraid0 at root | | scsibus3 at sofraid0: 256 targets | | (I'm attaching picture). | | If I try with "boot> boot -c" it presents the error message | | kbc: cmd word write error | | and in the prompt UKC> it doesn't allow to write. | | (Attaching picture) | | I'm considering booting with a serial console to try to disable some | devices and diagnose why the normal boot process stops, however the | board of this computer doesn't have serial ports. Any suggestions | on a USB to Serial adapter to use? Or how to debug under these | circumstances? | | Blessings. | | -- | Dios, gracias por tu amor infinito. | -- | Vladimir Támara Patiño. http://vtamara.pasosdeJesus.org/ | http://www.pasosdejesus.org/dominio_publico_colombia.html | | -- | Dios, gracias por tu amor infinito. | -- | Vladimir Támara Patiño. http://vtamara.pasosdeJesus.org/ | http://www.pasosdejesus.org/dominio_publico_colombia.html -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
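Review bot: in sdstart() the removed line is shown as `xs->timeout = 6;` and the added one as `xs->timeout = 600;`, which as displayed raises the value, while the message says the change shortens the wait at boot; the removed value looks truncated in this copy, so compare it against sd.c r1.333 before applying. The new value is also a bare literal set on every transfer that goes through sdstart(), not only on disks behind the misbehaving ahci(4) controller, so a slow but healthy device could start timing out. If this is kept as a local workaround, a comment on the line stating the unit and why it was lowered would help whoever touches it next.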
Re: nsd listening on localhost is zone transfer possible transfer ?
On Fri, Aug 04, 2023 at 06:23:48PM +0100, Shadrock Uhuru wrote:
| hi everyone
| i have unbound setup on port 53
| and nsd listening on localhost port 53530
| i have set up another dns server as a secondary
| am i correct to assume that i can't zone transfer because
| as the nsd's are listening on localhost
| the primary can't reach the secondary ?
|
| i have these errors on the primary
| error: xfrd: zone 1.10.10.in-addr.arpa: max notify send count reached, 10.10.1.5 unreachable
| error: xfrd: zone forwardzone: max notify send count reached, 10.10.1.5 unreachable

Your question isn't quite clear .. where is this other dns server located? Is it on the same network? If you have NSD only listening on localhost, I'm not sure by which logic you concluded that a secondary nameserver would be able to talk to it at all, let alone do zone transfers?

At any rate, IP addresses in the 10/8 range are free - you can use more than one without incurring a cost. Then configure your NSD to listen to the additional address and transfer from there. If you have IPv6, this will probably even apply to globally routable addresses.

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: libvirtd on openbsd
On Fri, Jul 28, 2023 at 03:22:48AM +, All wrote:
| For some reason I didn't get reply from Stuart to my inbox.
| It's on the mailing lists though.

Looks like Stuart only replied to the list. He's helpful like that, preventing you from getting the same mail twice. Thanks, Stuart.

| Thank you for your reply. I guess there are no solutions to run
| VMs with a graphical interface yet. Unless, I run qemu and vnc
| to a VM.

You can run X on a vmd VM too if you're using vnc. There was some discussion about it recently.

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: Upgrade: Unbound constraint let fw_update always fail
I don't understand - if you configure your system to not have working DNS resolution, then you will not have working DNS resolution. fw_update needs working DNS resolution, so yeah .. if you break the latter, you break the former.

Don't break DNS resolution. You really get what you pay for.

Having said all that... If you really want to go without DNS resolution, I invite you to travel back a few decades and learn about /etc/hosts. Maybe you can FTP a hosts file from somewhere, for that true historic experience .. but alternatively you can also

echo 2a02:898:28:500::3 firmware.openbsd.org | doas tee -a /etc/hosts

Good luck with that.

Paul 'WEiRD' de Weerd

NB: full disclosure, the IP address I gave is the firmware mirror hosted by me; I didn't want to point people to someone else's .. but I also kinda hope no one (else) is foolish enough to break their DNS resolution in such a way to need this kind of tomfoolery.

On Tue, Jul 25, 2023 at 09:58:35AM +0200, Daniele B. wrote:
|
| Hello,
|
| Just coming from my fresh upgrade to OpenBSD 7.3 and thanks again for
| it.. ;)
|
| No particular problem except my realization that with my settings
| (unbound started manually) fw_update goes to fail (all the three
| attempts) on each (unattended) upgrade. If fw_update happens to be a
| constraint for a successful upgrade, and luckily was not the case this
| time, bad times for sure..
|
| Any suggestion about it? Thanks!
|
|
|
| -- Daniele Bonini
|
|

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: Ryzen 9 (7x000) users: do you experience hangs?
(Apologies for the late reply, I've been off for a few days and have spent very little time behind a keyboard)

I have such issues.

CPU model:
hw.model=AMD Ryzen 9 7950X 16-Core Processor

Motherboard:
hw.vendor=ASUS
hw.product=ProArt X670E-CREATOR WIFI

Have you experienced crashes:
Yes, after approximately 17 hours of uptime. Could be 16, could be 18, but that ballpark. I've been trying for months to identify what causes this, but no luck so far.

dmesg
(at the end)

So far, BIOS updates haven't helped but I see there's a newer BIOS available again. Will try to update soon, but am not holding my breath that this will fix things.

Note that (at least for me) it's not really a full crash. There's no response on the glass console or over the network but since I have serial console access, when I'm logged in there as root (before the system gets in this weird state) I can still `reboot -q` (just `reboot` gets stuck, but the (advised against) use of '-q' allows the reboot to succeed and the machine reboots cleanly).

I'd be interested if anyone else who has these issues could set up serial console and see if they get the same behaviour. Alternatively, start a tmux session as root and do a `sleep ${WAIT_FOR_CRASH}; reboot -q` (with appropriate values for WAIT_FOR_CRASH, obviously)

Paul
Re: tmux only possible as root and not as normal user in 7.3?
I just did a new install in a vm with the latest snapshot and could start tmux as a regular user just fine. I have no clue what you've done to get to this state, but perhaps show permissions of all path entries leading up to /tmp/tmux-1000/default, i.e. show the output of:

ls -ld /{,tmp/{,tmux-1000/{,default}}}

Cheers,

Paul 'WEiRD' de Weerd

On Fri, Jun 09, 2023 at 02:18:56AM +0200, Thomas Schnell wrote:
| Hi there,
|
| I have three new installed machines, that show the same strange behaviour: tmux is only startable as root, if I want to start it with command "tmux" as normal user (which is in wheel group, btw), I get the error "no sessions", if I try to start it with command "tmux start-server", the error is "no server running on /tmp/tmux-1000/default".
| On another machine, where OpenBSD has been installed and upgraded since version 6.7, tmux starts without problems as said user.
| I searched FAQ, manpages, www up and down and can not figure out, what goes wrong.
| Is there anything I missed in manual or release notes? Was there any change in tmux startup?
| Any hints would be highly appreciated!
|
| thanks in advance
| sarag
|
|

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: sysctl ddb.trigger
Thank you, Stuart, Sebastien and Aaron (and others, off-list). Indeed, `sysctl kern.securelevel=-1` allows entering DDB with `sysctl ddb.trigger=1`. (Yes, I am logged in over serial, and that works well). That was not clear from the ddb manpage, nor from the securelevel manpage (admittedly, I didn't read that until after the replies to my mail, since I didn't think securelevel played into this). I suggest the below diffs to document this requirement. Paul PS: sending BREAK over uplcom still doesn't work, but if I'm reading Stuart correctly, I think this is because my serial getty runs on tty00, not on console: [weerd@pom] $ grep -e console -e tty00 /etc/ttys console "/usr/libexec/getty std.9600" vt220 off secure tty00 "/usr/libexec/getty std.115200" vt220on secure On this machine, I often switch between `set tty pc0` and `set tty com0` for debugging purposes, but I always want a getty running on the serial port. Index: ddb.4 === RCS file: /cvs/src/share/man/man4/ddb.4,v retrieving revision 1.105 diff -u -p -r1.105 ddb.4 --- ddb.4 22 Dec 2022 19:53:22 - 1.105 +++ ddb.4 30 May 2023 06:34:19 - @@ -46,7 +46,9 @@ is invoked upon a kernel panic when the is set to 1. It may be invoked from the console when the sysctl .Va ddb.console -is set to 1, using any of the following methods: +is set to 1 and +.Va kern.securelevel +is set to 0 or -1, using any of the following methods: .Bl -dash -offset 3n .It Using the key sequence Index: securelevel.7 === RCS file: /cvs/src/share/man/man7/securelevel.7,v retrieving revision 1.31 diff -u -p -r1.31 securelevel.7 --- securelevel.7 21 Aug 2019 20:44:09 - 1.31 +++ securelevel.7 30 May 2023 06:36:30 - 
@@ -73,6 +73,7 @@ raw disk devices of mounted file systems system immutable and append-only file flags may not be removed .It the +.Va ddb.trigger , .Va fs.posix.setuid , .Va hw.allowpowerdown , .Va kern.allowkmem , On Mon, May 29, 2023 at 07:56:51AM -, Stuart Henderson wrote: | On 2023-05-29, Sebastien Marie wrote: | > On Mon, May 29, 2023 at 02:41:00PM +1000, Aaron Mason wrote: | >> On Mon, May 29, 2023 at 4:08 AM Paul de Weerd wrote: | >> > | >> > (for the record, BREAK doesn't work either to enter ddb, I | >> > guessed it was due to the USB-to-serial dongle I'm using (uplcom(4) | >> > lacking support for sending a proper BREAK .. but this may be the same | >> > issue?) | | fwiw BREAK does usually work in uplcom. It's uark that is known not to work. | (but since a BREAK is just holding the line at 0 for longer than a normal | character transmission time, if the console port speed is fairly high, | it's easy to send something that will be interpreted as break by setting | a low speed on the transmitting port and sending a char with enough 0 bits | in it). | | > From the code, to use ddb.trigger (aka DBCTL_TRIGGER), you need: | > | > - kern.securelevel < 1 (on a running system, kern.securelevel = -1) | > OR | > - something related to the console (I suppose "having the tty of the current | > process being the same than the console") | > | > If you are connected to serial, but your console is on VGA, it might be related. | | If that's the case, 1) it would also prevent BREAK on the serial port | from working, and 2) it probably wouldn't help to be able to trigger | ddb anyway, because ddb output will go to the system console, not the | console where ddb.trigger=1 was used. | | > So you might need to set kern.securelevel to lower value ("sysctl kern.securelevel=-1" | > in /etc/rc.securelevel), or make your console on serial (with "set tty com0" on | > bootloader). | | If 'set tty comX' isn't already used, the answer is almost certainly to | set that. 
| -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
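Review bot: the ddb.4 hunk joins the new kern.securelevel condition to ddb.console with "and", so the sentence now reads as a requirement for every console method in the list that follows it, while the thread only established it for `sysctl ddb.trigger=1`, and Sebastien's reading of the code was securelevel < 1 or a condition on the console tty. Suggest moving the wording to where ddb.trigger is described and stating it as the either/or it appears to be, rather than as a second requirement on ddb.console.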
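Review bot: the securelevel.7 hunk adds `.Va ddb.trigger ,` to the list as an unconditional entry, but per the code reading quoted in this thread the trigger may still be accepted at a raised securelevel when the request comes from the console tty. A short qualifier on the entry, or a pointer to ddb(4), would keep the two pages consistent with each other; the alphabetical placement ahead of fs.posix.setuid is fine.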
sysctl ddb.trigger
Hi folks,

I'm trying to debug an issue where my machine partially locks up after some hours (somewhere between 12 and 48, is my current window). The extent of the locking is still unclear, that's part of what I'm trying to figure out.

While debugging, I thought I'd try to enter ddb, so I set ddb.console to 1 in /etc/sysctl.conf and tried to write to ddb.trigger:

pom# sysctl ddb.{console,panic}
ddb.console=1
ddb.panic=1
pom# sysctl ddb.trigger=1
sysctl: ddb.trigger: Operation not supported by device

Am I holding this thing wrong? According to ddb(4), the above should be sufficient, no?

One thing to note is that I'm running this from a chroot into a mfs system (as part of the debugging of the locking up), could that affect things? Even if it's from a chroot, I can still change sysctl MIBs - is ddb.trigger special?

I'm doing all this through the serial console (glass console and network both are unresponsive in the locked up state), could that be related? (for the record, BREAK doesn't work either to enter ddb, I guessed it was due to the USB-to-serial dongle I'm using (uplcom(4) lacking support for sending a proper BREAK .. but this may be the same issue?)

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: DHCP and apm suspend/resume
On Wed, May 17, 2023 at 06:02:58PM +, l...@fuji.kuistio.me wrote:
| Hi
|
| I have a desktop machine I recently installed OpenBSD 7.3 on. Everything
| seems to be working fine except that it doesn't obtain a DHCP lease when
| waking up from suspend. I haven't found any docs saying if it even should
| do this. However, I also have a laptop running 7.3 and it does automatically
| connect to a network when waking up from suspend. So I'm a bit confused
| about why this works on the laptop but not on the desktop.
|
| On both machines I have created a hostname.if file under /etc. The desktop
| machine does obtain a dhcp lease after the system has booted up, but it
| doesn't do this after waking up from suspend as explained earlier. The
| laptop is using wifi and the desktop is using a usb-ethernet adapter.
|
| Is this kind of behaviour expected? It's not a huge issue, since suspending
| the desktop machine is not that necessary. I'm just quite puzzled because
| these two machines behave differently even though the configuration should
| be almost identical. I tried to resolve the issue by creating a script in
| /etc/apm/resume that should run /etc/netstart, but for whatever reason this
| script does not seem to run at all when the machine wakes up.

Did you make this script executable? It should have these permissions:

[weerd@pom] $ ls -l /etc/apm/resume
-rwxr--r-- 1 root wheel 586 Apr 29 16:33 /etc/apm/resume

(at least readable and executable by root)

Running `sh /etc/netstart ${IF}` from /etc/apm/resume should work; but if the device hasn't attached yet, you may need to put a `sleep 5` in (play with the delay to match your hardware).

Cheers,

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: hw RNG on APUs
I wanted to see how this would behave on my APUs. One gave 000, another consistently. But then I had this diff in my tree and I rebuilt for my workstation. That has cpu0: AMD Ryzen 9 7950X 16-Core Processor, 4500.00 MHz, 19-61-02 ... ccp0 at pci21 dev 0 function 2 "AMD 17h/90h Crypto" rev 0x00 and it too gives: ccp: rng ccp: rng ccp: rng ccp: rng Is anyone else seeing non-random output from ccp(4) on non-APU systems? Paul On Wed, Apr 19, 2023 at 05:18:11PM +0200, Christian Weisgerber wrote: | Christian Weisgerber: | | > ccp(4) attaches, so presumably it is used as a source of entropy. | > Whether the hardware actually provides random output, I don't know. | | I built a kernel with an instrumented driver. Unfortunately, no | entropy is provided: | | ccp: rng | ccp: rng | ccp: rng | ccp: rng | ccp: rng | | This is with the lastest firmware: | bios0: vendor coreboot version "v4.19.0.1" date 01/31/2023 | | | Index: dev/ic/ccp.c | === | RCS file: /cvs/src/sys/dev/ic/ccp.c,v | retrieving revision 1.3 | diff -u -p -r1.3 ccp.c | --- dev/ic/ccp.c 29 May 2020 04:42:25 - 1.3 | +++ dev/ic/ccp.c 19 Apr 2023 15:12:17 - | @@ -56,6 +56,7 @@ ccp_rng(void *arg) | trng = bus_space_read_4(sc->sc_iot, sc->sc_ioh, CCP_REG_TRNG); | if (trng != 0) | enqueue_randomness(trng); | + printf("ccp: rng %08x\n", trng); | | - timeout_add_msec(>sc_tick, 100); | + timeout_add_msec(>sc_tick, 5000); | } | -- | Christian "naddy" Weisgerber na...@mips.inka.de | -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
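Review bot: in ccp_rng() the added `printf("ccp: rng %08x\n", trng);` follows the `if (trng != 0) enqueue_randomness(trng);` pair, so every word that is fed to the entropy pool is also written to the console and the kernel message buffer. That is acceptable for a throwaway test kernel, but the diff should not stay in a tree that gets booted for real work; printing only when trng is 0 would give the same diagnosis without logging pool input. The tick change from 100 to 5000 ms is in the same debug-only category, and the `timeout_add_msec(>sc_tick, ...)` lines appear to have lost characters in this copy.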
Re: Feature Request: watch(1) utility
All you really need is a simple shell script. You can copy this to your ~/bin/ directory:

--- cat ~/bin/watch --
#!/bin/sh
# watch: repeatedly run a command to watch its output change
##
WAIT=1
while :
do
	C=$((`stty -a | awk '/columns/ {print $6}'` - 34))
	L=$((`stty -a | awk '/rows/ {print $4}'` - 3))
	clear
	printf "%s %${C}.${C}s\n\n" "`date`" "${*}"
	eval "${*}" | cut -b1-$((C+34)) | head -n${L}
	sleep ${WAIT}
done
--

I've also attached it for convenience. It's trivial, and you can adjust to your preferences rather easily.

Paul 'WEiRD' de Weerd

On Mon, May 15, 2023 at 07:26:58PM +, Simon Ryabinkov wrote:
| Dear OpenBSD Team,
|
| I am excited to submit a feature request for OpenBSD!
|
| Feature: watch(1) utility
|
| Feature Description: watch(1) runs command repeatedly, displaying
| its output and errors (the first screenfull). This allows you to
| watch the program output change over time. By default, command is
| run every 2 seconds and watch will run until interrupted.
|
| Sample Code: my naive implementation
| https://github.com/ssleert/watch/blob/master/watch.c
| if you need it I can add a man page and fix the style guide
| and try to add to sources and send the diff file.
|
| If there are any problems with the code,
| let me know and I will try to fix them.
|
| Thanks for your consideration,
| Simon

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: Booting OpenBSD 7.3's i386 bsd.rd
Are you sure you're using i386 and not amd64?

Paul 'WEiRD' de Weerd

On Mon, May 01, 2023 at 12:26:41PM +1000, Damian McGuckin wrote:
|
| What is required please?
|
| I am trying to boot this bsd.rd (which is a file 4Mb big) on an old
| NET5500 which has 512MBytes of RAM. On a running system,
|
| From the
|
| boot>
|
| prompt, doing
|
| boot> boot bsd.rd
|
| it appears to loads bsd.rd, but then drops straight back into the BIOS
| and starts the BIOS boot.
|
| Any suggestions.
|
| Thanks - Damian
|
| Pacific Engineering Systems International . 20D Grose St, Glebe NSW 2037
| Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
| Views & opinions here are mine and not those of any past or present employer
|

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: syslog.conf syntax to specify several clients
On Thu, Mar 09, 2023 at 04:00:24AM +, All wrote:
| Right.
| That is what I was suspecting. I did use wildcard, but some hosts
| use completely different fqdns, so...
| Anyway, thank you and blocks per host it is then.
|
| One question.
| What is the difference between ++host and +host?

Same effect as !prog vs !!prog, as mentioned in the documentation: "work the same way as their prog counterparts". Again, from the same syslog.conf(5) manpage:

> !!prog causes the subsequent block to abort evaluation when a message
> matches, ensuring that only a single set of actions is taken. !* can be
> used to ensure that any ensuing blocks are further evaluated (i.e.
> cancelling the effect of a !prog or !!prog).

Please carefully read that page, it has all the information you need.

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: syslog.conf syntax to specify several clients
On Wed, Mar 08, 2023 at 03:39:07PM +0100, Noth wrote:
| On 07/03/2023 06:35, All wrote:
|
| > Hi all,
| >
| > I have a server that acts as a syslog aggregator
| > for several other servers. I was trying to see whether
| > clients can be specified on one line but I can't see anything
| > regarding syntax for such cases in man pages.
| >
| > Do we need to specify each client on the separate line?
| > Like:
| >
| Hi, yes you do.
| > I tried several kinds of semicolon, comma and plus syntax
| > but have not been able to make it work.
| > I can only see the very first host (eg. server1) in the log, not others.
|
| From the man page for syslog.conf:
|
| # Log everything coming from host bastion to a separate file.
| ++bastion
| *.* /var/log/bastion
| +*

If you look closely at the manpage[1], it says:

> Blocks starting with +host or ++host or +* work the same way as their
> prog counterparts, but they match on the hostname instead of the program
> name.

And for the 'prog counterparts' there's this bit:

> Each block of lines is separated from the previous block by a tag. The
> tag is a line beginning with !prog and each block will be associated with
> calls to syslog from that specific program (matched using glob(7) rules).

Note the '(matched using glob(7) rules)' bit. I have this in my /etc/syslog.conf:

--- syslog.conf snippet --
# - send logs from ubiquiti wifi access points to their own logfiles
++ubiquiti-*.alm.weirdnet.nl
*.* /var/log/ubi
+*
--

Which sends the logs from ubiquiti-1, ubiquiti-2, ubiquiti-3 and so on and so forth to /var/log/ubi.

So, no, you do NOT need to specify each client on a separate line, but you may have to do so if you can't glob(7) the systems together.

Cheers,

Paul 'WEiRD' de Weerd

[1]: https://man.openbsd.org/syslog.conf.5

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
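The host-block behaviour described in the two syslog.conf messages above, as an added example that is not part of the thread and is not syslogd's own code: a small shell model that walks a configuration and prints where a given sender's messages end up. It assumes a simplification (selectors are ignored, every rule is treated as `*.*`), the function name `route_host` is made up for the example, and the sample configuration is constructed from the two snippets quoted in the thread.

```shell
#!/bin/sh
# Simplified model of +host / ++host / +* blocks in syslog.conf(5).
# Assumption: selectors are not evaluated; only the host tags are.

# Constructed sample: the ubiquiti block and the bastion block from the
# thread, plus catch-all rules before and after them.
SAMPLE_CONF='# rules ahead of the first tag apply to every sender
*.* /var/log/messages
++ubiquiti-*.alm.weirdnet.nl
*.* /var/log/ubi
+*
++bastion
*.* /var/log/bastion
+*
*.* /var/log/daemon'

# route_host HOSTNAME CONF_TEXT
# Prints the action of every rule that applies to a message from HOSTNAME.
route_host() {
    host=$1
    active=1    # 1 while the current block applies to this host
    abort=0     # 1 while inside a ++host block that matched
    printf '%s\n' "$2" | while read -r sel action; do
        case $sel in
        ''|'#'*)
            ;;                          # blank line or comment
        '+*')
            # End of a host block. After a matching ++host block,
            # evaluation stops here instead of falling through.
            if [ "$abort" -eq 1 ]; then break; fi
            active=1
            ;;
        +*)
            if [ "$abort" -eq 1 ]; then break; fi
            pat=${sel#+}; dbl=0
            case $pat in
            +*) pat=${pat#+}; dbl=1 ;;  # ++host: abort after this block
            esac
            # Unquoted $pat is matched as a glob, like glob(7) in the tag.
            case $host in
            $pat) active=1; abort=$dbl ;;
            *)    active=0 ;;
            esac
            ;;
        *)
            if [ "$active" -eq 1 ]; then printf '%s\n' "$action"; fi
            ;;
        esac
    done
}

for h in ubiquiti-1.alm.weirdnet.nl bastion mail.example.org; do
    echo "$h -> $(route_host "$h" "$SAMPLE_CONF" | tr '\n' ' ')"
done
```

A sender whose name does not fit the glob, such as a host with an unrelated FQDN, falls through to the rules after `+*`, which is why such hosts need their own block.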
Re: Safely remove USB drive
On Wed, Feb 08, 2023 at 04:50:32PM +0100, Jan Stary wrote:
| On Feb 08 13:56:18, pe...@bsdly.net wrote:
| > 1) close any open files stored there
| > 2) make sure no process has the media as $PWD (as in, cd away from there,
| >    and really a variation on the first)
| > 3) issue at least one sync command (some folklore will insist on three)
| > 4) umount the media from wherever it was mounted
|
| 4 takes care of 1,2,3, right?

Not if the kernel has a file open on it (e.g. a swap file [1]) or if
there's another mount somewhere in the filesystem you're trying to
unmount (a special case of the first condition, I guess).

[weerd@kale] $ doas mount /dev/sd3a /mnt
[weerd@kale] $ doas mkdir /mnt/deeper
[weerd@kale] $ doas mount /dev/sd3d /mnt/deeper
[weerd@kale] $ doas dd if=/dev/zero of=/mnt/swap bs=1M count=4096
[weerd@kale] $ doas swapon /mnt/swap

The kernel is not going to let you `umount /mnt`, and forcibly
removing the device is very likely going to lead to amazing new
learning opportunities.

So, yeah, as people have stated .. the way to safely remove a USB
drive from your system depends on what you were using the USB drive
for. For the generic case, where we have no clue what OP was doing:
shut down your machine first and remove the device then.

Paul

[1]: Putting swap on removable media is a tremendously bad idea -
don't do it, unless you're keen on those learning opportunities.

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/

Re: AMD EPYC
Hi Kapetanakis,

On Wed, Sep 28, 2022 at 11:05:35AM +0300, Kapetanakis Giannis wrote:
| Hi,
|
| Looking for upgrading our firewall/router and thinking about switching from Xeon to EPYC (73F3 - 16C @ 3.5 GHz).
|
| Anyone running on EPYC? Any problems?

I'm running on an AMD EPYC without any issues. Couple of vmm(4) VMs,
various internet services (mail, dns, web, etc). Rock solid with
OpenBSD.

[weerd@despair] $ sysctl hw.model
hw.model=AMD EPYC 3201 8-Core Processor

Cheers,

Paul 'WEiRD' de Weerd

Re: necessity to specify CVSROOT each time cvs is run?
On Thu, Jul 28, 2022 at 02:01:54PM +0200, rsyk...@disroot.org wrote:
| Ok. Now I perhaps gained some of the missing understanding, but
| still not full.
|
| So if I obtain the tree by downloading a .tar, it is not enough
| to just supply -d to cvs once and next time run cvs without the -d;
| I must set up the CVSROOT env variable or use the cvschroot command.
|
| If you get the original tree by cvs (with some -d), the next
| time you can run cvs without the -d (and without the need to set up
| the environmental CVSROOT).
|
| But then, one last thing: if I obtain a tree with a certain cvs -d
| CVSROOT1, then run cvs -d CVSROOT2, and finally run cvs without -d,
| what CVSROOT will be used in the last case? I hope it will be
| CVSROOT1, won't it? (Otherwise I would not understand why starting
| with a .tar and running subsequently cvs -d is not enough to then
| run cvs without the -d...)

Basically, yes.

What you could do is update all the CVS/Root files to point at a new
CVSROOT. For example .. on my machine I have the following:

[weerd@pom] $ cat /usr/src/CVS/Root
/home/OpenBSD/cvs/

(note that this file is duplicated throughout the tree with the exact
same contents; check `md5 -r $(find /usr/src -name Root | head -n 20)`
output)

Let's say I have /home/weerd/CVSROOT with the new CVSROOT. Now I can

for X in `find /usr/src -name Root`
do
        cp /home/weerd/CVSROOT ${X}
done

(NB: this is safe for a /usr/src checkout, be wary of other
repositories that may have files named Root elsewhere than under CVS/
or with paths with spaces)

Cheers,

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/

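[Added example, not part of the message above: one way to do the same CVS/Root rewrite while covering the two caveats named in the NB, files called Root outside a CVS/ directory and paths containing spaces. The function names, the sample tree and the anoncvs@cvs.example.org:/cvs value are made up for the illustration.]

```sh
#!/bin/sh
# Added example: rewrite CVS/Root files only, coping with odd path names.

# set_cvsroot TREE NEWROOT
# Replace the contents of every CVS/Root file below TREE with NEWROOT.
set_cvsroot() {
    tree=$1
    newroot=$2
    tmp=$(mktemp) || return 1
    printf '%s\n' "$newroot" > "$tmp"
    # -path limits the match to files called Root directly inside a CVS
    # directory; -exec hands each path over as one argument, so spaces
    # in directory names are harmless.
    find "$tree" -type f -path '*/CVS/Root' -exec cp "$tmp" {} \;
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# list_cvsroots TREE
# Print the distinct repository locations recorded in the tree. More than
# one line of output means the checkout points at several repositories.
list_cvsroots() {
    find "$1" -type f -path '*/CVS/Root' -exec cat {} + | sort -u
}

# build_sample_tree
# Constructed checkout-like layout: two CVS/Root files (one below a
# directory with a space in its name) and an unrelated file named Root.
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/CVS" "$t/sub dir/CVS" "$t/doc"
    printf '%s\n' '/home/OpenBSD/cvs/' > "$t/CVS/Root"
    printf '%s\n' '/home/OpenBSD/cvs/' > "$t/sub dir/CVS/Root"
    printf '%s\n' 'not a CVS control file' > "$t/doc/Root"
    printf '%s\n' "$t"
}

# Demonstration on the constructed tree.
tree=$(build_sample_tree)
echo "before: $(list_cvsroots "$tree")"
set_cvsroot "$tree" 'anoncvs@cvs.example.org:/cvs'
echo "after:  $(list_cvsroots "$tree")"
echo "doc/Root still reads: $(cat "$tree/doc/Root")"
rm -rf "$tree"
```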
Re: snapshots on artfiles.org mirror currently out of sync
On Fri, Jun 03, 2022 at 10:11:24AM +0200, Andreas Bartelt wrote: | Hi, | | I've just noticed that at least the snapshots on the artfiles.org | mirror haven't been updated since May, 15th. The mirror is still | listed at PKG_PATH=https://mirror.hs-esslingen.de/pub/OpenBSD/snapshots/packages/amd64/ They probably mirror from ftp.eu.openbsd.org which is currently unreachable. See this thread from ~2 weeks ago: https://marc.info/?l=openbsd-misc=165271664310306=2 Work around this by selecting a different mirror. Cheers, Paul -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
login.conf daemon datasize limit effects on VMs with 4GB+ RAM
Hi all,

In commit Eg1WuG7hzCoCPdcz, robert@ changed the ulimit for the daemon
class in /etc/login.conf for amd64 from 'infinity' to 4096M (see [0]
and [1]). This change broke my vmd setup, and I had to dig around to
understand what happened. Sharing here in hopes of preventing others
from wasting their time like I did.

I have a VM that is configured with 4GB of RAM:

[weerd@pom] $ grep -B2 4G /etc/vm.conf
vm "builder" {
        owner weerd
        memory 4G

After upgrading to a newer snapshot (and sysmerge'ing login.conf), vmd
crashes when this VM gets started:

pom vmd[98555]: builder: could not allocate guest memory - exiting: Cannot allocate memory
pom vmd[71874]: vmm: read vcp id
pom vmd[10670]: priv exiting, pid 10670
pom vmd[73889]: control exiting, pid 73889

(resource limits doing exactly what they're supposed to do here!)

It took me longer than I care to admit to realize that this would be
caused by the newly reduced datasize limit imposed by Robert's change.
I fixed this by adding a dedicated login.conf stanza for vmd:

[weerd@pom] $ tail -n7 /etc/login.conf
##
# Local changes
#
# vmd runs VMs with 4GB, so it needs an increased datasize limit:
vmd:\
        :datasize=5120M:\
        :tc=daemon:

Alternatively, I could've stuck that bit in /etc/login.conf.d/vmd
which would've had the same effect. But with that change everything
is working just fine again.

When you run into a similar issue, make sure not to just revert back
to "infinite" - find a suitable limit for whatever piece of software
you have and adjust accordingly.

Cheers,

Paul

[0]: https://marc.info/?l=openbsd-cvs=164542553811748=2
[1]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/etc.amd64/login.conf.diff?r1=1.21=1.22

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/

Re: disk space issue
On Wed, Feb 16, 2022 at 12:34:28PM +0100, Kacper Wilgus wrote:
| Can someone please explain to me how is it possible to have negative
| available space? Wouldn't it be impossible to be able to take up 105% of
| your disk capacity, and how is it that df(1) reports such when it also
| reports 985M of 986M used?

Read up on filesystems, specifically the FFS as used in BSD. There
are some very good papers out there. Also, read the manpages of
tunefs(8) and newfs(8) for info: http://man.openbsd.org/tunefs#m and
http://man.openbsd.org/newfs#m specifically will be enlightening.

Cheers,

Paul

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/

Re: Passage about licensing from OpenBSD documentation
On Tue, Feb 08, 2022 at 08:54:08AM -0700, deich...@placebonol.com wrote: | Try archive.org for older versions of openbsd.org. Or just the CVS repository. The openbsd.org website is under revision control, there's 26 years of history available over at http://cvsweb.openbsd.org/www/ You may specifically be interested in the history of the goals and policy pages that were mentioned in this thread: http://cvsweb.openbsd.org/www/goals.html http://cvsweb.openbsd.org/www/policy.html Cheers, Paul -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: NSD: Could not tcp connect to X Operation timed out
On Wed, Jan 19, 2022 at 11:31:07AM +, Laura Smith wrote: | Hi | | OpenBSD NSD slave is driving me nuts with the following message in the logs "Could not tcp connect to X Operation timed out". | | The answer sounds obvious, but I can: | | - Ping the IP | - Do a "dig @$auth_server_ip $auth_domain" Try "-t AXFR" and/or "+tcp" Ping uses icmp and dig defaults to udp. You can force tcp with "+tcp" and you can do the transfer manually with "-t AXFR". If both work, you may have multiple IPs configured, try with all of them. Cheers, Paul 'WEiRD' de Weerd -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: IPv6 autoconf with static IID?
On Tue, Dec 28, 2021 at 12:35:07PM +0100, Mike Fischer wrote: | So I guess the only way to get a stable IID with dynamic prefixes is | to use the eui64 method? (Which is based on the MAC-address and | leaks information.) What information leak are you afraid of? Someone else knowing the MAC-address of your system? You can fix that by changing the MAC address of your interface (see the lladdr option in the ifconfig(8) manpage at http://man.openbsd.org/ifconfig#lladdr for details) Then you leak your "self chosen" MAC address - up to you to decide if that's still a concern (but note that it's not really different from "leaking" your IPv6 address in that case). | My options for running an OpenBSD server using IPv6 thus seem to be: | - Find a provider with static public IPv6 addresses (prefixes) That would work, but means you have to change providers - is that really what you want? Could be a good message to your current ISP to step up their IPv6 game. | - Use dynamic IPv6 addresses (prefixes) and eui64 IIDs Seems like the simplest way, especially using the lladdr option. | - Use an IPv6 tunnel broker like tunnelbroker.net to tunnel a static | IPv6 address (prefix) through IPv4 (6in4 tunnel) Seems less useful / efficient, if your provider offers native IPv6. Paul -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
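[Added example, not part of the thread: how an eui64 interface identifier is built from a MAC address (flip the universal/local bit of the first octet, insert ff:fe in the middle) and how the MAC is read back out of it, which is the information leak discussed above and the reason a self-chosen lladdr changes what is exposed. The function names and the MAC addresses are made up for the illustration.]

```sh
#!/bin/sh
# Added example: modified EUI-64 interface identifiers and the MAC address.

# mac_to_iid MAC
# Print the interface identifier (low 64 bits of the IPv6 address)
# derived from a 48-bit MAC written as aa:bb:cc:dd:ee:ff.
mac_to_iid() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    hex='[0-9a-f][0-9a-f]'
    case $mac in
        $hex:$hex:$hex:$hex:$hex:$hex) ;;
        *) return 1 ;;
    esac
    oldifs=$IFS; IFS=:; set -- $mac; IFS=$oldifs
    # Flip the universal/local bit (0x02) of the first octet and insert
    # ff:fe between the third and fourth octets.
    first=$(( 0x$1 ^ 0x02 ))
    printf '%02x%s:%sff:fe%s:%s%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# iid_to_mac IID
# Recover the MAC from an identifier given as four hex groups (leading
# zeros may be omitted, as in printed addresses). Fails when the ff:fe
# marker is absent, i.e. the identifier was not built this way.
iid_to_mac() {
    iid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $iid in
        ''|*[!0-9a-f:]*) return 1 ;;
    esac
    oldifs=$IFS; IFS=:; set -- $iid; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    # Restore the leading zeros that address notation drops per group.
    h=$(printf '%04x%04x%04x%04x' "0x$1" "0x$2" "0x$3" "0x$4" 2>/dev/null) ||
        return 1
    [ ${#h} -eq 16 ] || return 1
    [ "$(printf '%s' "$h" | cut -c7-10)" = fffe ] || return 1
    first=$(( 0x$(printf '%s' "$h" | cut -c1-2) ^ 0x02 ))
    printf '%02x:%s:%s:%s:%s:%s\n' "$first" \
        "$(printf '%s' "$h" | cut -c3-4)" \
        "$(printf '%s' "$h" | cut -c5-6)" \
        "$(printf '%s' "$h" | cut -c11-12)" \
        "$(printf '%s' "$h" | cut -c13-14)" \
        "$(printf '%s' "$h" | cut -c15-16)"
}

# Constructed addresses: a burned-in style MAC and a locally chosen one.
for m in 00:11:22:33:44:55 fe:e1:ba:d0:12:34; do
    iid=$(mac_to_iid "$m")
    echo "MAC $m -> IID $iid -> MAC $(iid_to_mac "$iid")"
done
```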
Re: /etc/bsd.re-config - change a device?
On Tue, Nov 30, 2021 at 08:46:34AM -, Stuart Henderson wrote: | On 2021-11-29, Paul B. Henson wrote: | > I'm upgrading to OpenBSD 7 and I was happy to see the new support for | > /etc/bsd.re-config to allow modified kernels to be automatically | > rebuilt. However, one of the changes I need to make is updating the IRQ | > on com2, as my bios assigns it a non-standard value 8-/. | > | > I can't figure out how to do that? Is it supported? When I put "change | > com2" in /etc/bsd.re-config, config interactively asks me: | > | > change [n] | > | > I tried "change com2 y" and "change com2", then "y" on the next line, | > but the first gave an error and the second still prompted interactively. | > | > Are the only changes supported by /etc/bsd.re-config those that don't | > need further input? | | Currently yes. jcs@ has a diff to change this but it needs review. I believe this has been committed on November 20: https://marc.info/?l=openbsd-cvs=163737802014911=2 However, that means that it won't work in OpenBSD 7.0, you will need to run something newer (which, at the moment, means -current / snapshots). Cheers, Paul -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: type checking/signalling shell and utilities?
On Thu, Nov 18, 2021 at 01:38:14AM +1100, Reuben ua Bríġ wrote:
| > Date: Thu, 18 Nov 2021 01:30:25 +1100
| > From: Reuben ua Bríġ
| >
| > Does anyone know of any shell and utilities where, for example, if
| >
| > -rf
| >
| > is a file name, the rm utility will understand so, and not think it is
| > a controlling flag (ugh! in-band signalling)? One where an array of
| > strings can be passed as a single argument? Etc? etc?
|
| correction: is a file name expanded from a pattern, ...

Fix your pattern. From "*" or "??f" to "./*" or "/path/to/??f".

Also, look at $* versus $@ in the ksh manpage. First paragraph of
http://man.openbsd.org/ksh.1#Parameters

Cheers,

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/

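[Added example, not part of the thread: the two fixes suggested above, shown on a constructed scratch directory that holds a file literally named -rf. It compares a bare * pattern with ./* and counts the words that "$*" and "$@" hand to a command. All function and file names are made up for the illustration.]

```sh
#!/bin/sh
# Added example: "-rf" as a file name, bare glob versus ./ glob, and
# "$*" versus "$@". Everything happens in a constructed scratch directory.

# make_scratch: directory with a file named "-rf", an ordinary file and
# a non-empty subdirectory; prints the directory's path.
make_scratch() {
    dir=$(mktemp -d) || return 1
    : > "$dir/-rf"
    : > "$dir/notes.txt"
    mkdir "$dir/keep"
    : > "$dir/keep/data"
    printf '%s\n' "$dir"
}

# Bare pattern: the shell expands * to the words -rf, keep and notes.txt,
# and rm parses -rf as options. The subdirectory is removed recursively,
# while the file named -rf is the one thing that survives.
remove_bare_glob() {
    ( cd "$1" && LC_ALL=C && export LC_ALL && rm * )
}

# Anchored pattern: every word starts with "./", so none can be taken
# for an option. rm deletes the two files and refuses the directory,
# which is what a plain rm is supposed to do (hence the ignored status).
remove_anchored_glob() {
    ( cd "$1" && rm ./* 2>/dev/null ) || true
}

# count_args prints how many arguments it received.
count_args() { printf '%s\n' "$#"; }

# "$*" joins all parameters into a single word; "$@" keeps each
# parameter as its own word, including embedded spaces.
as_one_word() { count_args "$*"; }
as_separate_words() { count_args "$@"; }

# Demonstration.
d=$(make_scratch); remove_bare_glob "$d"
echo "bare glob leaves:     $(ls -A "$d" | tr '\n' ' ')"
rm -rf "$d"
d=$(make_scratch); remove_anchored_glob "$d"
echo "anchored glob leaves: $(ls -A "$d" | tr '\n' ' ')"
rm -rf "$d"
echo "\"\$*\" passes $(as_one_word 'a b' -rf c) word(s)"
echo "\"\$@\" passes $(as_separate_words 'a b' -rf c) word(s)"
```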
Re: Kind of OT - camera/ software to run a long term timelapse camera
Hi Steve, On Mon, Nov 15, 2021 at 10:21:51AM -0800, Steve Williams wrote: | Does anyone have recommendations to accomplish this? It's just a | hobby so I don't want to spend a huge amount of money on it. One thing I've done in the past is to open up my laptop and point its camera in the direction of the object of interest. With fswebcam from the portstree, I then took simple pictures from cron or using the fswebcam option to do so (see the -l option) which I combined into a timelapse video (the rise and fall of my sourdough starter - very exciting). I don't think there's a tool in base that takes pictures; there's only video(1) which has the ability to record videos, as far as I know, but I'm happy to be proven wrong here. This should work equally well with any supported USB webcam. Plug in a camera, `pkg_add fswebcam; sysctl kern.video.record=1` as root and check the fswebcam manpage. Cheers, Paul -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
copying id_ed25519_sk from USB-A yubikey to USB-C yubikey
Hi all, I've been happily using a yubikey together with an id_ed25519 SSH key when logging in over SSH: uhidev7 at uhub3 port 2 configuration 1 interface 1 "Yubico YubiKey OTP+FIDO+CCID" rev 2.00/5.27 addr 9 I would now like to migrate over to a new yubikey with a USB-C connector, as my new personal laptop has no USB-A ports. Digging through the ssh-keygen manpage, I don't see an option to do this; it seems you can only create new keys. Is this indeed impossible, or am I looking at the wrong manpage? Thanks, Paul -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: nvme boot
Hi Jan,

On Fri, Oct 15, 2021 at 05:05:01PM +0200, Jan Stary wrote:
| Does any of the OpenBSD-supported platforms boot off nvme storage?
| So far, I have been able to use nvme storage as a disk,
| but not boot from it; but my HW is far from recent.

Sure, I boot from nvme (actually, softraid crypto on nvme) on this AMD
EPYC system (see below for full dmesg):

despair# df -h /
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd3a      989M   81.1M    858M     9%    /
despair# bioctl softraid0
Volume      Status               Size Device
softraid0 0 Online       429499175424 sd3     CRYPTO
          0 Online       429499175424 0:0.0   noencl
despair# dmesg | grep -e ^nvme0 -e ^scsibus1 -e ^sd0
nvme0 at pci1 dev 0 function 0 "Intel NVMe" rev 0x03: msix, NVMe 1.3
nvme0: INTEL SSDPEKNW512G8, firmware 004C, serial BTNH10651Y7T512A
scsibus1 at nvme0: 2 targets, initiator 0
sd0 at scsibus1 targ 1 lun 0:
sd0: 488386MB, 512 bytes/sector, 1000215216 sectors

Just works (tm)

Cheers,

Paul

Re: Run a command on "last day of month"
On Wed, Sep 01, 2021 at 04:39:54PM +0200, Adam Paulukanis wrote:
| On Wed, 1 Sept 2021 at 16:32, Christian Weisgerber wrote:
| >
| > Goetz Schultz:
| >
| > > I would go the other way and check tomorrows date. If it is "01", then I
| > > know today is the last of this month:
| > >
| > > date --date="tomorrow" +%d
| > > 02
| >
| > That's not OpenBSD.
| >
| > $ date --date="tomorrow" +%d
| > date: unknown option -- -
| > usage: date [-aju] [-f pformat] [-r seconds]
| > [-z output_zone] [+format] [[cc]yy]mm]dd]HH]MM[.SS]]
| >
|
|
| Not sure if it is OpenBSD. I am on Darwin right now
|
| $ date -v+1d +%d # if today is the last day of the month, tomorrow will be 1st.

This will work on OpenBSD:

[ $(date -r $(($(date +%s) + 86400)) +%e) -eq 1 ] || exit 0

Although you'll have to be cautious with tricks like these to run this
only between 01:00 and 23:00 if your system runs with a timezone that
has daylight savings time.

Cheers,

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/

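[Added example, not part of the thread: a different technique from the one-liner above. It decides "last day of the month" from calendar rules instead of adding 86400 seconds, so it needs no date(1) extensions and is not affected by the daylight saving caveat. The function names and sample dates are made up for the illustration.]

```sh
#!/bin/sh
# Added example: decide "is this the last day of the month?" from calendar
# rules instead of adding 86400 seconds, so DST shifts cannot skew it.

# days_in_month YEAR MONTH: print 28, 29, 30 or 31 (Gregorian calendar).
days_in_month() {
    y=$1
    m=${2#0}                     # "09" -> "9"
    case $m in
        1|3|5|7|8|10|12) echo 31 ;;
        4|6|9|11)        echo 30 ;;
        2)
            if [ $((y % 4)) -eq 0 ] &&
               { [ $((y % 100)) -ne 0 ] || [ $((y % 400)) -eq 0 ]; }; then
                echo 29
            else
                echo 28
            fi ;;
        *) return 1 ;;
    esac
}

# is_last_day YEAR MONTH DAY: exit status 0 only on the month's final day.
is_last_day() {
    last=$(days_in_month "$1" "$2") || return 2
    [ "${3#0}" -eq "$last" ]
}

# today_is_last_day: the same check for the current local date. A single
# date(1) call supplies all three fields so they cannot straddle midnight.
today_is_last_day() {
    set -- $(date '+%Y %m %d')
    is_last_day "$1" "$2" "$3"
}

# Constructed dates covering leap years and century rules.
for d in 2021-08-31 2021-09-01 2024-02-28 2024-02-29 2023-03-31 1900-02-28; do
    oldifs=$IFS; IFS=-; set -- $d; IFS=$oldifs
    if is_last_day "$1" "$2" "$3"; then
        echo "$d: last day of the month"
    else
        echo "$d: not the last day"
    fi
done
```

A job scheduled daily from cron can then start with `today_is_last_day || exit 0`, mirroring the guard in the message above.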
Re: resolvd recongizing unbound
On Tue, Aug 31, 2021 at 03:31:18PM +0200, Jan Stary wrote:
| The running resolvd recognizes if unwind is running,
| and places 127.0.0.1 at the top of resolv.conf accordingly.
|
| Could we have the same for unbound please?
| I run unbound instead of unwind to also serve some
| local names the machines around the office (beside resolution).
|
| But resolvd only recognizes unwind, not unbound;
| so resolv.conf lists just the external (dhcp) nameservers
| who don't know my local names of course.
|
| Or is there a reason resolvd only honors unwind
| but not unbound?

In this case, why would you not simply disable resolvd and put ::1 in
/etc/resolv.conf yourself? resolvd is great for when the contents of
resolv.conf change as you move from network to network and you may
want to use different resolvers as you do. But if you're using
unbound on the local system, why would you still run resolvd?

1. rcctl disable resolvd
2. echo nameserver ::1 > /etc/resolv.conf
3. ...
4. profit

Just because there's a shiny new tool, doesn't mean you MUST use it.

Cheers,

Paul

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/

Re: Can't figure out what's taking up space on /
On Wed, Aug 04, 2021 at 12:56:57AM -0700, Greg Thomas wrote:
| I take it I'm dealing with filesystem corruption as Ali mentioned earlier?

Could be. Boot the system in single user mode or the bsd.rd
installation kernel (at the boot prompt type either 'boot -s' or 'boot
bsd.rd'). Enter the shell and run `fsck /`.

However, my next guess is that you have some data stored "under" a
mountpoint somewhere. Here's what I mean:

# mkdir /mnt/test
# du -sh install69.iso
544M    install69.iso
# cp install69.iso /mnt/test
# du -xsh /mnt
545M    /mnt
# vnconfig vnd0 /mnt/test/install69.iso
# mount /dev/vnd0c /mnt/test/
# du -xsh /mnt
8.0K    /mnt

Since du can't traverse the hierarchy that the install69.iso image has
been mounted over, it also cannot report on the diskspace used by
files in that hierarchy.

Again, boot into single user mode (or from bsd.rd) and figure this
out.

Cheers,

Paul 'WEiRD' de Weerd

| On Tue, Aug 3, 2021 at 11:10 PM Otto Moerbeek wrote:
|
| > On Tue, Aug 03, 2021 at 10:57:42PM -0700, Greg Thomas wrote:
| >
| > > I thought Paul's advice only applies if I was trying to figure it out
| > > before rebooting? I'd already rebooted before sending my first email.
| >
| > OK, did the free space come back in df after reboot? If so, then it's
| > programs having open files that are unlinked for sure.
| >
| > -Otto
| >
| > >
| > >
| > >
| > > On Tue, Aug 3, 2021 at 10:40 PM Otto Moerbeek wrote:
| > >
| > > > On Tue, Aug 03, 2021 at 12:39:54PM -0700, Greg Thomas wrote:
| > > >
| > > > > I'm definitely suffering from filesystem corruption on root. I had
| > > > > rebooted last night with no change.
| > > > >
| > > > > I have no options for mounting root.
| > > > >
| > > > > grits# cat /etc/fstab
| > > > > 16a27b4b4549ce04.b none swap sw
| > > > > 16a27b4b4549ce04.a / ffs rw 1 1
| > > > > 16a27b4b4549ce04.k /home ffs rw,nodev,nosuid 1 2
| > > > > 16a27b4b4549ce04.d /tmp ffs rw,nodev,nosuid 1 2
| > > > > 16a27b4b4549ce04.f /usr ffs rw,nodev 1 2
| > > > > 16a27b4b4549ce04.g /usr/X11R6 ffs rw,nodev 1 2
| > > > > 16a27b4b4549ce04.h /usr/local ffs rw,wxallowed,nodev 1 2
| > > > > 16a27b4b4549ce04.j /usr/obj ffs rw,nodev,nosuid 1 2
| > > > > 16a27b4b4549ce04.i /usr/src ffs rw,nodev,nosuid 1 2
| > > > > 16a27b4b4549ce04.e /var ffs rw,nodev,nosuid 1 2
| > > > > /dev/sd1c /backup ffs rw,nodev,nosuid 1 2
| > > > >
| > > > > I need to upgrade so I can do that from scratch. This is my backup
| > > server
| > > > > so the configuration is pretty simple.
| > > > >
| > > > > Not sure fsck output helps here?
| > > > >
| > > > > grits# fsck /dev/sd0a
| > > > > ** /dev/rsd0a (NO WRITE)
| > > > > ** Last Mounted on /
| > > > > ** Root file system
| > > > > ** Phase 1 - Check Blocks and Sizes
| > > > > ** Phase 2 - Check Pathnames
| > > > > ** Phase 3 - Check Connectivity
| > > > > ** Phase 4 - Check Reference Counts
| > > > > ** Phase 5 - Check Cyl groups
| > > > > 12852 files, 469195 used, 35516 free (44 frags, 4434 blocks, 0.0%
| > > > > fragmentation)
| > > > >
| > > > > Anyway, I'll reinstall unless someone has more learning experiences
| > for
| > > > me.
| > > > >
| > > > > And thank you to Paul for giving a quick explanation of the
| > difference
| > > > > between df and du.
| > > > >
| > > > > Thanks all!
| > > >
| > > > fsck looks normal for a mounted filesystem.
| > > >
| > > > but did you try following Paul's advice to find an open file that has
| > > > no directory entry? That is not corruption, but explains why more
| > > > storage is in use than du shows.
| > > >
| > > > -Otto
| > > >
| > > > >
| > > > >
| > > > >
| > > > > On Tue, Aug 3, 2021 at 11:39 AM Ali Farzanrad <
| > ali_farzan...@riseup.net>
| > > > > wrote:
| > > > >
| > > > > > I also suspected that it is a filesystem corruption.
| > > > > > Do you have `async` mount option on your root?
| > > > > >
| > > > > > Sebastien Marie wrote:
| > > > > > > On Tue, Aug 03, 2021 at 10:03:44AM +0200, Paul de Weerd wrote:
| > > > > > > > df shows you how much data you can write to an fs, while du
| > shows
| > > > the
| > > > > > > > disk usage

Re: Can't figure out what's taking up space on /
df shows you how much data you can write to an fs, while du shows the
disk usage of files it can find. If it can't find a file (because
it's been deleted), it won't account for it. But if it's been deleted
and still held open by some process, it would still consume disk
space.

So it looks like a process has a file open on the root filesystem that
has been deleted. You're looking for a root-owned process that is
(probably) long-running. My guess is the file is in /dev/ (that's my
crystal ball talking though).

Easiest way out is generally to reboot - this stops all processes
(d0h), thus freeing up all the resources they had tied up, including
files that had been deleted from the filesystem. But going through
your process list to see if you can spot something that may have done
this can be a good learning experience. In general, base OpenBSD
daemons don't behave this way.

Cheers,

Paul 'WEiRD' de Weerd

On Tue, Aug 03, 2021 at 12:48:42AM -0700, Greg Thomas wrote:
| grits# df -h
| Filesystem     Size    Used   Avail Capacity  Mounted on
| /dev/sd0a      986M    936M    162K   100%    /
| /dev/sd0k     57.7G   23.7G   31.1G    43%    /home
| /dev/sd0d      3.9G   10.0K    3.7G     0%    /tmp
| /dev/sd0f      5.8G    1.1G    4.4G    21%    /usr
| /dev/sd0g      986M    234M    702M    25%    /usr/X11R6
| /dev/sd0h     16.8G   35.5M   15.9G     0%    /usr/local
| /dev/sd0j      5.8G    2.0K    5.5G     0%    /usr/obj
| /dev/sd0i      1.9G    2.0K    1.8G     0%    /usr/src
| /dev/sd0e     13.8G   18.8M   13.1G     0%    /var
| /dev/sd1c      440G    305G    113G    73%    /backup
|
| grits# du -xsh /
| 186M    /
|
| I just removed /bsd.sp to free up a little bit of space but I don't
| understand the discrepancy between df and du. How do I troubleshoot
| further?
|
| Thanks,
| Greg

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/

Re: Where to sleep to wait for lease
Hi Leon,

On Wed, Jul 28, 2021 at 08:18:41PM +0200, Leon Fischer wrote:
| > no IP address found for vlan34:0
| > /etc/pf.conf:56: could not parse host specification
| > pfctl: Syntax error in config file: pf rules not loaded
|
| Sleeping isn't needed if the address in pf.conf(5) is parenthesized:
|
| pass out to (vlan34:0)

You are right - that solves my issue, thanks for the reminder.
Interestingly enough, most other rules in my pf.conf use the
parenthesized interface name, can't recall why I didn't use that in
this instance.

I now have:

pass in on $extIF inet proto udp from to ($extAddr) port $wgport

Where $extIF is 'vlan34' and $extAddr is 'vlan34:0'. This is better
than additional delays during boot.

Thanks again!

Paul

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/

Where to sleep to wait for lease
Hi all, I just upgraded my home gateway to the latest snapshot and had a few issues due to dhcpleased not configuring a lease before things progressed. This is due to my v6 setup: I have tunneled IPv6 from elsewhere that I statically configure over a wg(4) tunnel. Of course, that sets a default route (for v6) over the tunnel interface, so a default route is present at boot. Because of that, the sleep that was recently added to /etc/rc doesn't trigger, so when pf loads it fails because my rules reference a non-existing address: no IP address found for vlan34:0 /etc/pf.conf:56: could not parse host specification pfctl: Syntax error in config file: pf rules not loaded (vlan34 is the autoconf interface) Realizing this is a fringe case, I thought I should probably just solve this locally with a more specific sleep (waiting for a v4 address on my upstream interface). What is the recommended place to add this sleep routing? /etc/hostname.vlan34 seems obvious, but perhaps there's a better place for it? Thanks, Paul -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: DHCP non-issues
On Mon, Jul 19, 2021 at 01:59:18PM +0200, Paul de Weerd wrote:
| So far, I've found NFS and syslogd to need configuration changes or
| /etc/hosts entries to ensure they start properly.

As I was asked about this off-list, I went back and re-read my
message.  Apologies for not being more clear:

syslog:
If you configure a remote syslog server to receive messages from your
OpenBSD machine, there are two separate issues.  First, a hostname
will not resolve to an IP address if the network is not up yet
(because dhcpleased/slaacd are still waiting for a response from the
local dhcpd(8) or rad(8)).  This shows up as

    syslogd[73481]: bad hostname "@udp4://tuna"

if your configuration has '@udp4://tuna' as a target.  The solution is
to create an entry in /etc/hosts.

However, now when the system boots, syslog will have a target IP
address to communicate with, but it still doesn't have an IP address
for itself.  So any traffic sent to the target is lost, until
dhcpleased configures an address on the autoconf interface.  This
results in, for example, the dmesg from the freshly booting machine
not ending up on the remote syslog host.

nfs client:
If your /etc/fstab contains NFS mounts to a remote host, the fact that
dhcpleased doesn't wait for a lease will mean that NFS mounts cannot
happen until a lease has been configured.  This shows up as "NFS
Portmap: RPC: Port mapper failure - RPC: Unable to send", and a delay
during boot that's significantly longer than the timeout from
dhclient.

For the record, my clients here are all vmm(4) VMs running OpenBSD.
The NFS server and syslog target also run OpenBSD.

Cheers,

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: DHCP non-issues
On Mon, Jul 19, 2021 at 01:42:41PM +0200, Christian Weisgerber wrote:
| Look guys, it's simple.
|
| If you want IPv6 (SLAAC) autoconfiguration, you set "inet6 autoconf"
| for that interface.  slaacd(8) will then automatically handle things.
|
| If you want IPv4 (DHCP) autoconfiguration, you set "inet autoconf"
| for that interface.  dhcpleased(8) will then automatically handle
| things.  If you require special DHCP options that dhcpleased(8)
| doesn't include, then you don't enable autoconfiguration and run
| dhclient(8) instead, which can be extensively configured.
|
| Both slaacd(8) and dhcpleased(8) pass nameserver information to
| resolvd(8), which adds those nameservers to /etc/resolv.conf unless
| unwind(8) is running.  If you don't want that to happen for some
| other reason, you turn off resolvd(8).

One thing of note though, is the fact that dhcpleased does its work in
the background.  This means that other services will start before you
get a lease.  In the past, dhclient(8) ran in the foreground, trying
to get a lease until some timeout expired.  *Usually*, that timeout
didn't trigger (at least, in my use cases).

So far, I've found NFS and syslogd to need configuration changes or
/etc/hosts entries to ensure they start properly.  One could argue
that in these cases, one shouldn't use DHCP and just use statically
configured addresses (especially in the case of syslog, where you lose
messages when the service starts before an address is configured, even
with your remote syslog host added to /etc/hosts)

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: Adding Password Protection to Single User Mode
Hi Valdrin,

On Wed, Jul 07, 2021 at 06:44:46AM +, Valdrin MUJA wrote:
| Thanks for suggestions,
| I removed the "secure" from /etc/ttys but I can still use "boot -s"
| without password. Is this about console connection?

Please carefully read https://man.openbsd.org/ttys.5:

> secure  If on is also specified, allows users with a UID of 0 to
>         log in on this line.  If set for the console entry, then
>         init(8) will start a single-user shell without asking for
>         the superuser password.

That second sentence is very explicit.  You need to take the 'secure'
keyword out of the line for the 'console' entry.  The default is this:

    [weerd@pom] $ grep ^console /etc/ttys
    console "/usr/libexec/getty std.9600"   vt220   off secure

Cheers,

Paul 'WEiRD' de Weerd

| Updated ttys file;
|
| # cat /etc/ttys | grep 115200
| tty00 "/usr/libexec/getty std.115200" vt220 off
| ____
| From: Paul de Weerd
| Sent: Tuesday, July 6, 2021 17:36
| To: Valdrin MUJA
| Cc: misc@openbsd.org
| Subject: Re: Adding Password Protection to Single User Mode
|
| On Tue, Jul 06, 2021 at 12:27:03PM +, Valdrin MUJA wrote:
| | Hi Folks,
| |
| | I want to add a small password protection mechanism to
| | "boot -s" (single-user mode).
| |
| | Therefore, I'm working on /sys/stand/boot/boot.c, I've written
| | some code in boot.c, and run "make", "make obj", "make install"
| | in /sys/. However, I couldn't enable my update "boot" binary on startup.
| | On startup, the default boot program is working.
| |
| | How can I replace my updated boot program with the default one?
| |
| | P.S.: I've tried compile and install kernel and the result didn't change.
|
| After building a new boot loader, you will need to use installboot(8)
| to actually install said code into the system.  Your `make install`
| merely placed the bootloader into the spot in the filesystem where
| installboot expects to find it, but won't do the special editing of
| the disk that installboot does.
|
| (but also see the replies from others about ttys(5) to deal with your
| situation without potentially screwing up your entire system with a
| faulty bootloader)
|
| Cheers,
|
| Paul 'WEiRD' de Weerd
|
| --
| >[<++>-]<+++.>+++[<-->-]<.>+++[<+
| +++>-]<.>++[<>-]<+.--.[-]
| http://www.weirdnet.nl/

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
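One way to check which line actually decides the single-user behaviour discussed in this reply, as an added example that is not part of the original message. The function name `console_single_user_check` and its exit codes are assumptions for the illustration, and the sample file is constructed from the two ttys lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the "console"
# entry of a ttys(5) file carries the "secure" flag.
# Exit status of console_single_user_check (hypothetical helper):
#   0  console lacks "secure": init(8) asks for the superuser password
#   1  console has "secure": single-user shell starts without a password
#   2  no console entry found
console_single_user_check() {
    awk '
        {
            if (found)
                next                         # first console entry wins
            line = $0
            gsub(/"[^"]*"/, "QUOTED", line)  # a quoted command is one field
            sub(/#.*/, "", line)             # drop comments
            n = split(line, f)               # name, command, type, flags...
            if (n == 0 || f[1] != "console")
                next
            found = 1
            for (i = 4; i <= n; i++)
                if (f[i] == "secure")
                    secure = 1
        }
        END {
            if (!found) {
                print "no console entry"
                exit 2
            }
            if (secure) {
                print "console is secure: boot -s gives a root shell without a password"
                exit 1
            }
            print "console is not secure: single-user mode asks for the root password"
            exit 0
        }
    ' "$1"
}

# Constructed sample: the default console line quoted in the thread, plus
# the serial line that was edited instead of it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name  getty                            type   status
console "/usr/libexec/getty std.9600"    vt220  off secure
tty00   "/usr/libexec/getty std.115200"  vt220  off
EOF
console_single_user_check "$sample" || true
rm -f "$sample"
```

Run against the real file with `console_single_user_check /etc/ttys`; removing `secure` from a serial line such as tty00 does not change the result, only the console entry does.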
Re: Adding Password Protection to Single User Mode
On Tue, Jul 06, 2021 at 12:27:03PM +, Valdrin MUJA wrote:
| Hi Folks,
|
| I want to add a small password protection mechanism to
| "boot -s" (single-user mode).
|
| Therefore, I'm working on /sys/stand/boot/boot.c, I've written
| some code in boot.c, and run "make", "make obj", "make install"
| in /sys/. However, I couldn't enable my update "boot" binary on startup.
| On startup, the default boot program is working.
|
| How can I replace my updated boot program with the default one?
|
| P.S.: I've tried compile and install kernel and the result didn't change.

After building a new boot loader, you will need to use installboot(8)
to actually install said code into the system.  Your `make install`
merely placed the bootloader into the spot in the filesystem where
installboot expects to find it, but won't do the special editing of
the disk that installboot does.

(but also see the replies from others about ttys(5) to deal with your
situation without potentially screwing up your entire system with a
faulty bootloader)

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Automatically enable port forwarding on ssh session to ProxyJump target
Hi all,

I'm using ProxyJump with SSH to connect to a bunch of systems behind a
jumphost:

    Host jump
        HostName            bastion.example.tld
        ProxyJump           none
        ControlPersist      3600
        DynamicForward      localhost:1080

    Host *
        ForwardAgent        yes
        ProxyJump           jump
        AddKeysToAgent      confirm 43200
        CanonicalDomains    example.tld
        CanonicalizeHostname yes
        ServerAliveInterval 5
        ServerAliveCountMax 12
        ControlPath         ~/.ssh/master-%r@%h:%p
        ControlMaster       auto

This works well: when I `ssh machine`, I get prompted for the
passphrase on my key which then gets loaded into my ssh-agent as SSH
first connects to the jump host.  Subsequently, I get asked to confirm
usage of the key when ssh connects to the target `machine` behind the
jump host, and I get logged in.

However, I would also like to use the DynamicForward to `jump` to
proxy HTTP(S) traffic.  To that end I do `ssh -O forward jump`, and
the DynamicForward is enabled.

Is there a way to tell SSH to automatically enable forwarding to the
jump host, so I don't have to `ssh -O forward jump` before using the
forwarded port?

Thanks,

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: [Ver3.6/3.9] Old version need help
You really should move to a more recent version of the OS; OpenBSD 3.6
was released in 2004, almost 17 years ago.

However, the public mirror at ftp.eu.openbsd.org has older versions
available for download:

    http://ftp.eu.openbsd.org/pub/OpenBSD/

And, once you've downloaded a release that you plan to run for all
eternity, you should probably make (several) copies of the
installation media that you used.

Alternatively, I could sell you original versions of the 3.6 and 3.9
media (at least 3.9 is still in shrink-wrap) for a collectors edition
price (proceeds to be donated to the OpenBSD foundation).

Cheers,

Paul 'WEiRD' de Weerd

On Tue, Mar 30, 2021 at 02:28:59PM +0800, cclai wrote:
| Hello,
|
| I'm Hachi,
| Our company’s server uses the 3.6 and 3.9 version of the system,
| Used for more than ten years,
| and there is a need to reinstall at present.
|
| I have tried the file installation on FTP and failed.
| > Russia (Moscow) ftp://mirror.yandex.ru/pub/OpenBSD/
| > cd39.iso
|
| So I hope that your organization can provide
| an installation package "3.6 and 3.9 version" to solve the problem.
|
| It would be of great help to us.
| Thank you very much.
|
| Hachi

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: route -iface doesn't work
Florian helped me off-list:

    # route add 10.1.1.13 -iface -cloning 10.2.2.13

does the trick (if you do the same on the other end, of course).  I'm
not really sure how this works, or what RTF_CLONING means other than
this comment from the manpage:

    -cloning    RTF_CLONING    generates a new route on use

So .. uhm .. magic! :-)

Anyway, thanks to Florian!

Paul

On Mon, Mar 08, 2021 at 05:10:16PM +0100, Paul de Weerd wrote:
| Hi all,
|
| I'm probably missing something rather obvious, but I can't get route
| -iface to work.  According to the manpage:
|
|     If the destination is directly reachable via an
|     interface requiring no intermediary system to act
|     as a gateway, the -iface modifier should be
|     specified; the gateway given is the address of this
|     host on the common network, indicating the
|     interface to be used for transmission.
|
| I'm trying to get this to work on some 'real' system, but reproduced
| on a couple of VMs to rule out other factors.  I have two VMs on the
| same host, connected by the same veb(4).  Connectivity works if I use
| IP addresses in the same subnet (i.e. I can ping from 10.0.0.1/24 to
| 10.0.0.2/24 if that's what I configure).
|
| On one side I have:
|
| test1# ifconfig vio0 10.1.1.13/24
| test1# route add -iface 10.2.2.13 10.1.1.13
| add host 10.2.2.13: gateway 10.1.1.13
|
| On the other side, I have:
|
| test2# ifconfig vio0 10.2.2.13/24
| test2# route add -iface 10.1.1.13 10.2.2.13
| add host 10.1.1.13: gateway 10.2.2.13
|
| However, pinging from test1 to test2 gives:
|
| test1# ping -c 1 10.2.2.13
| PING 10.2.2.13 (10.2.2.13): 56 data bytes
| ping: sendmsg: Invalid argument
| ping: wrote 10.2.2.13 64 chars, ret=-1
|
| --- 10.2.2.13 ping statistics ---
| 1 packets transmitted, 0 packets received, 100.0% packet loss
|
|
| Yet the route is there:
|
| test1# route get 10.2.2.13
|    route to: 10.2.2.13
| destination: 10.2.2.13
|        mask: 255.255.255.255
|   interface: vio0
|  if address: 10.1.1.13
|    priority: 8 (static)
|       flags:
|      use       mtu    expire
|        5         0         0
|
|
| What am I doing wrong here?  The destination *is* directly reachable
| via an interface and the gateway given is the IP address of "this
| host" on the common network, just as required by the manpage.  At
| least, my read of it .. since it doesn't work, I'm probably
| misunderstanding something here.
|
| I've enabled forwarding (net.inet.ip.forwarding=1) and disabled pf to
| test if they were causing grief, but neither helped.  Anyone have a
| cluebat for me?
|
| Thanks,
|
| Paul 'WEiRD' de Weerd
|
| --
| >[<++>-]<+++.>+++[<-->-]<.>+++[<+
| +++>-]<.>++[<>-]<+.--.[-]
| http://www.weirdnet.nl/
|

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
route -iface doesn't work
Hi all,

I'm probably missing something rather obvious, but I can't get route
-iface to work.  According to the manpage:

    If the destination is directly reachable via an
    interface requiring no intermediary system to act
    as a gateway, the -iface modifier should be
    specified; the gateway given is the address of this
    host on the common network, indicating the
    interface to be used for transmission.

I'm trying to get this to work on some 'real' system, but reproduced
on a couple of VMs to rule out other factors.  I have two VMs on the
same host, connected by the same veb(4).  Connectivity works if I use
IP addresses in the same subnet (i.e. I can ping from 10.0.0.1/24 to
10.0.0.2/24 if that's what I configure).

On one side I have:

test1# ifconfig vio0 10.1.1.13/24
test1# route add -iface 10.2.2.13 10.1.1.13
add host 10.2.2.13: gateway 10.1.1.13

On the other side, I have:

test2# ifconfig vio0 10.2.2.13/24
test2# route add -iface 10.1.1.13 10.2.2.13
add host 10.1.1.13: gateway 10.2.2.13

However, pinging from test1 to test2 gives:

test1# ping -c 1 10.2.2.13
PING 10.2.2.13 (10.2.2.13): 56 data bytes
ping: sendmsg: Invalid argument
ping: wrote 10.2.2.13 64 chars, ret=-1

--- 10.2.2.13 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

Yet the route is there:

test1# route get 10.2.2.13
   route to: 10.2.2.13
destination: 10.2.2.13
       mask: 255.255.255.255
  interface: vio0
 if address: 10.1.1.13
   priority: 8 (static)
      flags:
     use       mtu    expire
       5         0         0

What am I doing wrong here?  The destination *is* directly reachable
via an interface and the gateway given is the IP address of "this
host" on the common network, just as required by the manpage.  At
least, my read of it .. since it doesn't work, I'm probably
misunderstanding something here.

I've enabled forwarding (net.inet.ip.forwarding=1) and disabled pf to
test if they were causing grief, but neither helped.  Anyone have a
cluebat for me?

Thanks,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: umount at boot possible?
On Tue, Feb 02, 2021 at 01:30:28PM +0100, misc nick wrote:
| Hello
|
| I have a separate disk that i was mounting as a nfs partition. That disk crashed (it was very old). Now that OpenBSD 6.7/i386 release system cannot boot because it can't mount the disk.
| Is it possible to umount the partition or somehow skip mounting it at boot time and continue booting from the disk that contains the OS?

Before loading the OpenBSD kernel, at the bootloader type `boot -s`.
This boots the system in single user mode.  Now you can manually mount
the root filesystem (`mount -u -w /`), and you can then fix your
/etc/fstab to exclude the broken disk.

Note that in single user mode, many userland tools are not available
if /usr is on a separate partition (which is a sane default).  You'll
have to fix /etc/fstab with tools like cat and ed, or mount /usr.

Once things are fixed, unmount everything that you manually mounted,
and remount the root filesystem read-only again (`mount -u -r /`).
Then exit the single user shell, the system should continue booting
from there.

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: rm: fts_read: No such file or directory
Hi Otto,

Thanks for your reply.

On Thu, Jan 14, 2021 at 08:22:33AM +0100, Otto Moerbeek wrote:
| > Could there be some TOCTOU issue here somewhere?  Or some cache
| > misbehaviour?  Or is it really dying hardware?
|
| My first bet would be some form of corruption. Flipped bits in e.g.
| directories while operating normally cannot be seen by the
| clean/unclean flag in the superblock. That one only records if the
| filesystem was unmounted before reboot, shutdown or crash.

I understand that - but then why would the error clear on subsequent
runs of rm?

| The forced fsck might reveal more.

It did find some issues, and then was waiting for my input over night
(when the backup run mounted the filesystem and changed things).

** /dev/sd2a (ebb54a869d056df3.a)
** File system is already clean
** Last Mounted on /backup
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
ZERO LENGTH DIR I=57604332  OWNER=root MODE=40755
SIZE=0 MTIME=Jan 13 13:56 2021
CLEAR? [Fyn?] y

** Phase 5 - Check Cyl groups
FREE BLK COUNT(S) WRONG IN SUPERBLK
SALVAGE? [Fyn?] y

SUMMARY INFORMATION BAD
SALVAGE? [Fyn?] y

BLK(S) MISSING IN BIT MAPS
SALVAGE? [Fyn?] y

27766624 files, 396630326 used, 267754002 free (2016066 frags, 33217242 blocks, 0.3% fragmentation)

* FILE SYSTEM WAS MODIFIED *

I ran it once more after that, more issues were found:

** /dev/sd2a (ebb54a869d056df3.a)
** File system is already clean
** Last Mounted on /backup
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
FREE BLK COUNT(S) WRONG IN SUPERBLK
SALVAGE? [Fyn?] y

SUMMARY INFORMATION BAD
SALVAGE? [Fyn?] y

BLK(S) MISSING IN BIT MAPS
SALVAGE? [Fyn?] y

27884252 files, 397169471 used, 267214857 free (1944825 frags, 33158754 blocks, 0.3% fragmentation)

* FILE SYSTEM WAS MODIFIED *

Until the third fsck came back clean:

** /dev/sd2a (ebb54a869d056df3.a)
** File system is already clean
** Last Mounted on /backup
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
27884252 files, 397169471 used, 267214857 free (1944825 frags, 33158754 blocks, 0.3% fragmentation)
  136m19.01s real     4m00.56s user    20m33.85s system

I'll write it off to those errors, but I still don't understand why
re-trying would fix these kinds of issues.

Thanks again, Otto!

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
rm: fts_read: No such file or directory
Hi all,

While doing some clean-up on my backup filesystem (which extensively
uses hardlinks), I came across the error in Subject:

    rm: fts_read: No such file or directory

Traversing the hierarchy I was trying to remove, I get similar
fts_read errors when I `ls` in certain places, but a repeated rm runs
to completion fine (the tree is gone afterwards).

There's nothing in dmesg suggesting filesystem corruption, the
filesystem unmounts and remounts cleanly, I'm running a forced fsck
now which says "** File system is already clean".  It's a rather large
filesystem with many inodes in use, so it'll take some time to
complete.  Also, it's on a softraid crypto device, if that matters:

    sd2: 5231654MB, 512 bytes/sector, 10714427745 sectors

Reading fts_read(3) wasn't really enlightening as to why a directory
that's supposedly there, wouldn't be there anymore.  (note that I
wasn't running another rm in the same tree in parallel when I got
these errors - I did try to force the error by doing just that, but
that went through without a single error).

Could there be some TOCTOU issue here somewhere?  Or some cache
misbehaviour?  Or is it really dying hardware?

Paul 'WEiRD' de Weerd
Re: -current amd64 packages not updated? Impatient or broken?
On Thu, Jan 07, 2021 at 09:30:13PM +0100, Christian Weisgerber wrote:
| Steve Williams:
|
| > I hesitate to send this because perhaps I'm just too impatient, but then
| > again, perhaps not.  This is not critical/time sensitive.
| >
| > I just thought I'd check if there a problem with the current packages folder
| > from the mirrors?
|
| No, the amd64 package builds have been slightly delayed.

A good reminder that you are building these package snaps very often,
thanks to you (and all the other pkg builders and Theo and other base
snap builders) for providing us with these very regular updates.

Cheers,

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: OpenBSD Monitor Sleep No Response
On Mon, Dec 21, 2020 at 09:46:34AM -0500, ben wrote:
| Hello;
|
| >You could try typing your password to see if it wakes up.
|
| For whatever reason my keyboard shuts off as well, as in I can't type anything.
| I've tried entering my password, trying caps and num lock, and yet nothing
| seems to work.
|
| >Last thought, maybe there's a relevant BIOS setting?
|
| I've disabled everything that could be problematic in the BIOS, such as secure
| boot, and a bunch of other built in features which could cause problems.
|
| Is there a way to just shut off the screensaver in OpenBSD? I've tried taking a
| look at the output of sysctl(8) and I couldn't find any relevant information.

You may want to have a look at https://man.openbsd.org/xset.1#s

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: openssl s_client gives "called a function you should not call"
Hi Claus,

On Fri, Nov 13, 2020 at 06:42:28AM +0100, Claus Assmann wrote:
| On Thu, Nov 12, 2020, Paul de Weerd wrote:
|
| > $ openssl s_client -starttls smtp -connect localhost:587
|
| > RCPT TO:
|   ^ = RENEGOTIATING
|
| and the syntax is wrong too: NO space after colon, see the fine RFCs.

Ah, good one.  Fortunately, most (all?) MTAs I've come across while
doing manual SMTP (admittedly, this is not my biggest hobby, so not
that many) are lenient enough to allow for the space.  But I'll keep
that in mind.

| openssl(1):
|      When used interactively (which means neither -quiet nor -ign_eof have
|      been given), the session will be renegotiated if the line begins with an
|      R; if the line begins with a Q or if end of file is reached, the
|      connection will be closed down.

It's actually documented!  Would not have thought to look for this in
the manpage .. thank you for the pointer!

Cheers,

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: openssl s_client gives "called a function you should not call"
Hi Janne,

On Fri, Nov 13, 2020 at 07:59:22AM +0100, Janne Johansson wrote:
| I think anything starting with capital R in that case (s_client) gets
| parsed as RENEGOTIATING.
| As for why openssl complains about it is unknown to me, but that gotcha is
| old at least.

Wow .. unexpected.  But thanks for the clue-by-4, using 'rcpt to:'
instead of 'RCPT TO:' allows me to deliver mail without a problem
using openssl s_client.

Cheers,

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
openssl s_client gives "called a function you should not call"
While trying to debug my smtpd setup, I got the error "called a
function you should not call" from openssl s_client:

$ openssl s_client -starttls smtp -connect localhost:587
EHLO
250- Hello [127.0.0.1], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250-AUTH PLAIN LOGIN
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
Tm9wZSE=
334 UGFzc3dvcmQ6
cmVkYWN0ZWQ=
235 2.0.0 Authentication succeeded
MAIL FROM:
250 2.0.0 Ok
RCPT TO:
RENEGOTIATING
9754412775936:error:1404C042:SSL routines:ST_OK:called a function you should not call:/usr/src/lib/libssl/ssl_lib.c:2415:

Is this something openssl s_client doesn't support?  I notice that
"RENEGOTIATING" only comes after sending the RCPT TO: command to the
server.  Futzing around with other commands before sending RCPT TO:
didn't get to RENEGOTIATING.

Am I doing something wrong?  Should I be using some other tool?

Thanks for any insights!

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: uvn_flush: WARNING: changes to page may be lost
On Thu, Nov 12, 2020 at 07:34:41PM +0100, Jurjen Oskam wrote:
| On Wed, Nov 11, 2020 at 05:54:36AM -0700, Todd C. Miller wrote:
|
| > On Wed, 11 Nov 2020 10:20:41 +0100, Jan Stary wrote:
|
| > > uvn_flush: obj=0x0, offset=0x7c2. error during pageout.
| > > uvn_flush: WARNING: changes to page may be lost!
|
| > This happens when /usr/libexec/reorder_kernel runs and your /usr
| > is full.  If you have upgraded the system multiple times there is
|
| I ran into this earlier this year, and tried to figure out how a filesystem becoming
| full could result in kernel messages such as this. As there are no softupdates
| involved, I would have expected the kernel only to return a message about /usr
| being 100% full, and the (user space) kernel relinking to simply fail.
|
| I wasn't able to figure out what was going on. Is the relinking special in some
| way? Or is it possible that other situations where a filesystem fills up can
| result in messages like this? (Not counting situations where softupdates are
| enabled)

From the reply Mark sent me on June 9th[1]:

> What you're seeing is what happens when a program writes to a file by
> using mmap(2) and there is no disk space available when the kernel
> finally decides to write out the modified memory to disk.

There's plenty of space available in RAM, so you can create a file
that's bigger than the amount of space available on disk.  Then trying
to write it to disk will fail with the error you got.

Cheers,

Paul

[1]: https://marc.info/?l=openbsd-bugs=159170985316978=2

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: uvn_flush: WARNING: changes to page may be lost
Hi Jan,

On Wed, Nov 11, 2020 at 10:20:41AM +0100, Jan Stary wrote:
| uvn_flush: obj=0x0, offset=0x7c2. error during pageout.
| uvn_flush: WARNING: changes to page may be lost!
| uid 0 on /usr: file system full

| Are the uvn and klog errors simply artifacts of the full /usr ?

Having experienced this myself, yes, this is /usr being full.  Kernel
relinking isn't working out.  Make sure /usr is bigger to prevent
issues like these.

https://marc.info/?l=openbsd-bugs=159171382418585=2

If you want to use sysupgrade, you'll have X sets installed every time
so increasing /usr's size (or adding a dedicated partition for
/usr/X11R6) can help.

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: Impact of 002_icmp6.patch
On Fri, Oct 30, 2020 at 11:15:31AM +0100, js-openbsd-m...@webkeks.org wrote:
| What about link-local IPv6? That's active by default, isn't it?

It is not.  You need to enable IPv6 on an interface to get a
link-local address on it, only the loopback interface is special in
this sense that it gets ::1 (localhost) and fe80::1%lo0 (link-local
for the loopback interface) by just bringing it up.

This has been the case since 23 June 2014 (5.6 was the first release
with this change):

http://cvsweb.openbsd.org/src/sys/net/if.c?rev=1.291=text/x-cvsweb-markup

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: USB to 3.5mm jack audio adapter
On Wed, Sep 09, 2020 at 09:36:01PM +0200, Alexandre Ratchov wrote:
| Try searching for "TRRS to USB adapter" then check in the detailed
| description that:
|  - it's an "external sound card" for computers (Windows/macOS supported)
|  - it requires no device driver (means it's USB class-compliant)
|  - supports 3.5mm "TRRS" headset jacks (what most phones use)

Thanks Alexandre, I did that and found one that looks like the thing
you are talking about.  Will give it a shot ;)

On Thu, Sep 10, 2020 at 09:47:43AM +1000, Stuart Longland wrote:
| On 9/9/20 11:49 pm, Paul de Weerd wrote:
| > I mean, I have a USB audio device that
| > has a 3.5mm jack, but that's output only (TRS, so no microphone).
|
| Does that adaptor also have a separate microphone input?
|
| You can buy adaptors that split the microphone and earpiece contacts out
| to separate 3.5mm jacks which would allow you to then connect your
| single 4-pole jack headset to a conventional USB audio dongle.

And thank you, Stuart; my uaudio(4) indeed has a separate mic-in.
I'll see if I can find one of these adapters too.

Cheers,

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
USB to 3.5mm jack audio adapter
Hi all,

As I don't have a microphone to use with my azalia(4) sound card, and
my webcam only has audio input (no output), I can't use my current
hardware in firefox to do videoconferencing.  So I purchased (what I
thought was) a USB to audio adapter[1].  This one simply offers a
3.5mm jack connector that I would then plug my existing headphones
into for full duplex audio.

Unfortunately, it doesn't seem to be an actual uaudio(4) device:

uhidev0 at uhub0 port 1 configuration 1 interface 0 "Samsung Electronics Samsung Type-C to 3.5pi gender adapter" rev 2.01/1.33 addr 2
uhidev0: iclass 3/0, 2 report ids
uhid0 at uhidev0 reportid 1: input=0, output=63, feature=0
uhid1 at uhidev0 reportid 2: input=63, output=0, feature=0

Are there uaudio(4) devices that do provide full duplex (TRRS i.e. mic
plus speakers) behind a 3.5mm jack?  Anyone have experience with one
of these they can recommend?  I mean, I have a USB audio device that
has a 3.5mm jack, but that's output only (TRS, so no microphone).

Thanks,

Paul

[1]: https://www.samsung.com/us/mobile/mobile-accessories/phones/usb-c-headphone-jack-adapter-ee-uc10juwegus/

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: Running out of pty's
On Thu, Aug 27, 2020 at 02:52:04PM +0200, Mischa wrote:
| Hi All,
|
| I am managing an OpenBSD instance for a customer of mine who uploads camera images via sftp to be used in a single location.
| It looks like there are quite a number of camera’s uploading at once.
| I am seeing a lot of messages like:
|
| Aug 27 13:53:28 images sshd[68494]: error: do_exec_no_pty: fork: Resource temporarily unavailable
| Aug 27 13:53:43 images sshd[53989]: error: do_exec_no_pty: fork: Resource temporarily unavailable

For the archives .. you're not running out of pty's but ... you can't fork. That's another resource that's limited. There's a kernel limit (sysctl kern.maxproc), but there's also ulimits (those you are more likely to hit, especially if it's all the same user).

| I have tried adding a bunch of pty’s and increased them,
| inadvertently from 62 to 620, but I guess I missed something. :/

You missed the 'fork' part. Oh, and the "no_pty" part of the function that was complaining: sftp can work without a pty (see https://man.openbsd.org/ssh#T - sftp doesn't need a pseudo terminal IIRC).

| Any insights someone can share?

Cheers,

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
sensor value last change time not updated?
Hi all,

I'm trying to read temperature sensor values from my ugold(4) device. Seems to work alright (I get the same temperature reading as sysctl(8) returns for the sensor), but the 'sensor value last change time' doesn't seem to be updated.

[weerd@pom] $ cat sensor_last_change.c
#include <sys/types.h>
#include <sys/time.h>
#include <sys/sysctl.h>
#include <sys/sensors.h>
#include <stdio.h>

int
main()
{
	int mib[5];
	size_t sensorlen;
	struct sensor sensor;

	mib[0] = CTL_HW;
	mib[1] = HW_SENSORS;
	mib[2] = 3;		/* ugold0 on my machine */
	mib[3] = SENSOR_TEMP;
	mib[4] = 0;

	sensorlen = sizeof(sensor);
	/* fetch the struct sensor for hw.sensors.<dev 3>.temp0 */
	sysctl(mib, 5, &sensor, &sensorlen, NULL, 0);

	/* sensor.value is in microkelvin; print it as degrees Celsius */
	printf("%lld.%06ld: %.2f\n", sensor.tv.tv_sec, sensor.tv.tv_usec,
	    ((sensor.value-273150000)/1000000.0));
	return 0;
}
[weerd@pom] $ make sensor_last_change
cc -O2 -pipe -MD -MP -o sensor_last_change sensor_last_change.c
[weerd@pom] $ ./sensor_last_change
0.000000: 32.32
[weerd@pom] $ sysctl -n hw.sensors.ugold0.temp0
32.32 degC (inner)

The 'tv' member of struct sensor seems to always be 0.0. Am I doing something wrong? Cluesticks very welcome...

Thanks,

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: ssh X forwarding and google-chrome
Hi Gregory, On Thu, Jul 02, 2020 at 05:33:20PM +0300, Gregory Edigarov wrote: | Hello, everybody | | does anybody know if there is any tricks? | | In my office pc (currently linux) I have google-chrome installed, | and I absolutely need to access it from home. | | "ssh -Y google-chrome" just shows an empty and blank | window, no menu, no address bar. | May be there is some command line flags I am not aware of? If you absolutely must access something on one machine and ssh forwarding doesn't work, you could look at VNC-solutions such as x11vnc (available as a package on OpenBSD, probably also on your linux distro of choice). Cheers, Paul 'WEiRD' de Weerd -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: Filling a 4TB Disk with Random Data
Hi Justin,

On Thu, Jun 04, 2020 at 08:39:24PM -0700, Justin Noor wrote:
| Thank you @misc.
|
| Using dd with a large block size will likely be the course of action.
|
| I really need to refresh my memory on this stuff. This is not something we
| do, or need to do, everyday.
|
| Paul your example shows:
|
| bs=1048576
|
| How did you choose that number? Could you have gone even bigger? Obviously
| it is a multiple of 512.

It's just 1m. Yes, I could've gone bigger, but that wouldn't add much. 1m is just my default so I can more easily tell how much has been done upon SIGINFO, as the records are then 1m large. So in my sample output 30111 MB had been written.

| The disks in point are 4TB Western Digital Blues. They have 4096 sector
| sizes.

1m is of course a multiple of 4k :)

| I used a 16G USB stick as a sacrificial lamb to experiment with dd.
| Interestingly, there is no difference in time between 1m, 1k, and 1g. How
| is that possible? Obviously this will not be an accurate comparison of the
| WD disks, but it was still a good practice exercise.
|
| Also Paul, to clarify a point you made, did you mean forget the random data
| step, and just encrypt the disks with softraid0 crypto? I think I like that
| idea because this is actually a traditional pre-encryption step. I don't
| agree with it, but I respect the decision. For our purposes, encryption
| only helps if the disks are off the machine, and someone is trying to
| access them. This automatically implies that they were stolen. The chances
| of disk theft around here are slim to none. We have no reason to worry
| about forensics either - we're not storing nuclear secrets.

Well, you didn't mention the why: what are you trying to accomplish by overwriting your 4TB disk with random data? If it is to prevent others from accessing the data after you dispose of the disk then you should be aware of the caveat I mentioned.

I get rid of old computers by overwriting the disk(s) and installing the latest snapshot. That's why I do this .. but it's not clear why you want to do it.

Cheers,

Paul

| Thanks for your time
|
|
| On Mon, Jun 1, 2020 at 7:28 AM Paul de Weerd wrote:
|
| > On Mon, Jun 01, 2020 at 06:58:01AM -0700, Justin Noor wrote:
| > | Hi Misc,
| > |
| > | Has anyone ever filled a 4TB disk with random data and/or zeros with
| > | OpenBSD?
| >
| > I do this before disposing of old disks. Have written random data to
| > several sizes of disk, not sure if I ever wiped a 4TB disk.
| >
| > | How long did it take? What did you use (dd, openssl)? Can you share the
| > | command that you used?
| >
| > It takes quite some time, but OpenBSD (at least on modern hardware)
| > can generate random numbers faster than you can write them to spinning
| > disks (may be different with those fast nvme(4) disks).
| >
| > I simply used dd, with a large block size:
| >
| > dd if=/dev/random of=/dev/sdXc bs=1048576
| >
| > And then you wait. The time it takes really depends on two factors:
| > the size of the disk and the speed at which you write (whatever the
| > bottleneck). If you start, you can send dd the 'INFO' signal (`pkill
| > -INFO dd` (or press Ctrl-T if your shell is set up for it with `stty
| > status ^T`)) This will give you output a bit like:
| >
| > 30111+0 records in
| > 30111+0 records out
| > 31573671936 bytes transferred in 178.307 secs (177074202 bytes/sec)
| >
| > Now take the size of the disk in bytes, divide it by that last number
| > and subtract the second number. This is a reasonable ball-park
| > indication of time remaining.
| >
| > Note that if you're doing this because you want to prevent others from
| > reading back even small parts of your data, you are better off never
| > writing your data in plain text (e.g. using softraid(4)'s CRYPTO
| > discipline), or (if it's too late for that), to physically destroy the
| > storage medium. Due to smart disks remapping your data in case of
| > 'broken' sectors, some old data can never be properly overwritten.
| >
| > Cheers,
| >
| > Paul 'WEiRD' de Weerd
| >
| > --
| > >[<++>-]<+++.>+++[<-->-]<.>+++[<+
| > +++>-]<.>++[<>-]<+.--.[-]
| > http://www.weirdnet.nl/
| >

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: Filling a 4TB Disk with Random Data
On Mon, Jun 01, 2020 at 06:58:01AM -0700, Justin Noor wrote:
| Hi Misc,
|
| Has anyone ever filled a 4TB disk with random data and/or zeros with
| OpenBSD?

I do this before disposing of old disks. Have written random data to several sizes of disk, not sure if I ever wiped a 4TB disk.

| How long did it take? What did you use (dd, openssl)? Can you share the
| command that you used?

It takes quite some time, but OpenBSD (at least on modern hardware) can generate random numbers faster than you can write them to spinning disks (may be different with those fast nvme(4) disks).

I simply used dd, with a large block size:

    dd if=/dev/random of=/dev/sdXc bs=1048576

And then you wait. The time it takes really depends on two factors: the size of the disk and the speed at which you write (whatever the bottleneck). If you start, you can send dd the 'INFO' signal (`pkill -INFO dd` (or press Ctrl-T if your shell is set up for it with `stty status ^T`)) This will give you output a bit like:

    30111+0 records in
    30111+0 records out
    31573671936 bytes transferred in 178.307 secs (177074202 bytes/sec)

Now take the size of the disk in bytes, divide it by that last number and subtract the second number. This is a reasonable ball-park indication of time remaining.

Note that if you're doing this because you want to prevent others from reading back even small parts of your data, you are better off never writing your data in plain text (e.g. using softraid(4)'s CRYPTO discipline), or (if it's too late for that), to physically destroy the storage medium. Due to smart disks remapping your data in case of 'broken' sectors, some old data can never be properly overwritten.

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
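The time-remaining rule from the message above, as an added example that is not part of the original thread. The function names are hypothetical, and the disk size used in the sample run is an assumed value for a "4TB" drive, not one given in the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Estimates the time remaining for a
# dd disk overwrite from the status report dd prints on SIGINFO.

# dd_eta_seconds DISK_BYTES
# Reads a dd status report on stdin and prints whole seconds remaining,
# using the rule from the message:
#   disk size in bytes / bytes-per-second - seconds elapsed
# If several reports are fed in, the last one wins. Fails (exit 1) when
# no "bytes transferred" line is found or the rate is not positive.
dd_eta_seconds() {
    awk -v total="$1" '
    /bytes transferred in/ {
        # "31573671936 bytes transferred in 178.307 secs (177074202 bytes/sec)"
        secs = $5 + 0
        rate = $7; sub(/^\(/, "", rate); rate += 0
        found = 1
    }
    END {
        if (!found || rate <= 0 || total + 0 <= 0) exit 1
        left = (total + 0) / rate - secs
        if (left < 0) left = 0      # report taken after the run finished
        printf "%d\n", int(left)
    }'
}

# dd_eta_hms DISK_BYTES
# Same input, formatted as hours, minutes and seconds.
dd_eta_hms() {
    s=$(dd_eta_seconds "$1") || return 1
    printf '%dh%02dm%02ds\n' $((s / 3600)) $((s % 3600 / 60)) $((s % 60))
}

# Status report as quoted in the message. The disk size is an assumption:
# 7814037168 sectors of 512 bytes, a common capacity for a "4TB" disk.
DD_STATUS='30111+0 records in
30111+0 records out
31573671936 bytes transferred in 178.307 secs (177074202 bytes/sec)'
DISK_BYTES=4000787030016

printf '%s\n' "$DD_STATUS" | dd_eta_hms "$DISK_BYTES"
```

The estimate assumes the write rate stays constant; spinning disks usually slow down toward the inner tracks, so treat it as a lower bound.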
Re: booting from a SD card on APU2: ERR R
On Wed, Apr 22, 2020 at 11:54:22PM +0200, Jan Stary wrote:
| Booting from Hard Disk...
| Using drive 0, partition 3.
| Loading
| ERR R

These "ERR x" error codes are documented in biosboot(8)[1]. They're brief because the biosboot program is quite space constrained. In this particular case, "ERR R", the documentation says:

>ERR R   Read error. The BIOS returned an error indication when biosboot
>        attempted to read a disk sector. This might be any media error,
>        including bad sectors (common on floppy disks), and invalid
>        sectors (can occur with bad geometry translations).
>
>        If this error occurs during an LBA boot (no ‘;’ after
>        “Loading”), then a CHS boot may succeed. To do this, you should
>        reboot, then hold down either Shift key before biosboot starts.
>        You should see a ‘!’ before “Loading” as confirmation that your
>        override was accepted.

So that's also something you may want to try. Although the suggestion to try more recent firmware from Leslie is generally a good first step.

Cheers,

Paul 'WEiRD' de Weerd

[1]: http://man.openbsd.org/biosboot#DIAGNOSTICS

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: ssh-agent confirmation for use by default
On Tue, Apr 07, 2020 at 12:48:34PM -, Stuart Henderson wrote: | > After a discussion at work, I started looking at enabling confirmation | > before authentication through ssh-agent by default. When logging in | > through xdm, the default Xsession runs `ssh-add < /dev/null` (see line | > 36 in /etc/X11/xdm/Xsession). My keys are loaded and I can log in to | > remote hosts. On some machines, I skip loading the keys or unload | > them after logging in and then load or re-add them using ssh-add -c, | > so I am asked for confirmation every time the agent is used. | | ITYM /etc/X11/xenodm/Xsession :-) Yeah, was pointed out to me offline as well; finger memory, sorry! | I had a similar problem (I wanted some extra keys added by default). | Xsession is in the xetc set, so it can be modified without being | overwritten in a standard upgrade, you just need to sysmerge it | sometimes. Hmm, that's an excellent point; I'll do that. | I have a different related problem as well, I would like to add *some* | keys with -c and others without (i.e. confirm for connecting to more | important hosts), but don't really want to have to run ssh-add twice | (i.e. ask for the passphrase twice). Actually, that would be even nicer. I guess that would mean an option on the actual key file (the *private* part). Anyway, your suggestion of "sucking it up" during sysmerge time (which, in the case of the system Xsession file, doesn't change often anyway), works for my most prominent use cases .. thank you for the clue-by-four. Cheers, Paul -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
ssh-agent confirmation for use by default
Hi all, After a discussion at work, I started looking at enabling confirmation before authentication through ssh-agent by default. When logging in through xdm, the default Xsession runs `ssh-add < /dev/null` (see line 36 in /etc/X11/xdm/Xsession). My keys are loaded and I can log in to remote hosts. On some machines, I skip loading the keys or unload them after logging in and then load or re-add them using ssh-add -c, so I am asked for confirmation every time the agent is used. However, I would like this to be the default on my machines. Is there an easy way to achieve this without carrying a local diff? I checked the ssh-keygen manpage to see if there are any key-options that force this, but couldn't find anything (the options are generally to limit what happens on the remote end). ssh-add allows for it (obviously), but then you need a change to the command line, and that's in a system file: I don't want to propose that as a diff, as I don't think this makes sense in all cases (I have other machines where I wouldn't want this to happen by default). How are others doing this? Thanks, Paul -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: pkg_outdated binary?
Hi Luke, On Mon, Mar 09, 2020 at 01:55:18PM -0600, Luke A. Call wrote: | Hi. I see a manual page for pkg_outdated, online and on my 6.6 stable | machine, but no binary, or result from "type pkg_outdated", even with, | as root: | cd / | find . -iname "*outdated*" 2>&1 | less | ...though that did find some perl things. | Check out the ports tree and try again. More specifically, look in /usr/ports/infrastructure/bin There's a number of tools there that are of use when porting, pkg_outdated is one such tool. It requires the ports tree to operate (it compares installed packages with versions found in the ports tree) and as such is only available in the ports tree itself. Cheers, Paul 'WEiRD' de Weerd -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: heads up: amd64 snap
On Mon, Mar 09, 2020 at 07:28:10PM +0100, Paul de Weerd wrote: | Indeed it did :) My machine would not POST anymore (Dell Optiplex | 9020; dmesg at the end) I meant: dmesg in the follow-up e-mail...
Re: heads up: amd64 snap
On Mon, Mar 09, 2020 at 06:47:10PM +0100, Sebastien Marie wrote:
| On Mon, Mar 09, 2020 at 04:51:00PM +0000, Anthony Campbell wrote:
| > On 09 Mar 2020, Otto Moerbeek wrote:
| > > On Mon, Mar 09, 2020 at 03:56:53PM +0000, Anthony Campbell wrote:
| > >
| > > > This discussion is very interesting. The same thing happened to me
| > > > on 6 March, when after completing the upgrade my Dell Optiplex 3020
| > > > refused to boot. I assumed it was a hardware failure and spent the
| > > > next three days bringing up an older Acer n460 which the Dell had
| > > > replaced.
|
| yes, it looks like a hardware failure.

Indeed it did :) My machine would not POST anymore (Dell Optiplex 9020; dmesg at the end)

| in my case, 4 hosts with the same motherboard model failed at the same time (I
| ran sysupgrade via ansible), so hardware failure was a bit excluded.

I only have this one machine that showed the behaviour. Several VMs, my gateway and my laptop worked fine so I didn't really tie it to the bootloader changes (especially since the machine didn't POST). I couldn't boot from any other medium as long as the boot disk (an SSD) was connected; my conclusion was that a failed SSD prevented the system from POSTing (something I've seen in the past with failed HDDs).

| > > > I don't have the facility at present to put the disk in another
| > > > machine so it looks like I'm stuck.
|
| I agree it could be difficult. If the disk is plugged, bios stuck. If the disk
| is unplugged, bios is fine, but you can't modify the disk data.
|
| As sthen@ said, you could try to change bios setting to make the bios not
| look at the disk. I dunno if it would work or not.

I played around with that a little bit, but didn't get to a working machine.

| Alternatively, if your disk supports hotplugging (sata disk should), trying to
| connect the disk after the bios started could help. If so, I would try to plug
| it as soon as possible after bios init.

That was a bit of a scary option for me :)

| Depending on your configuration, you could also try to use USB/SATA or USB/IDE
| adapter (depending on your disk), in order to plug the disk after bios init. For
| me, I had problem with this method too: when my sata disk is plugged in sata
| connector it is shown with 512 bytes/sector, whereas with USB/SATA connector it
| showed with 4096 bytes/sector and so disklabel is incoherent.

In the end, after reading Otto's mail about reverting his changes, I connected the SSD from my not-booting machine to my laptop and upgraded the snapshot on it. That allowed my desktop machine to boot properly again.

I've seen Otto's commit message from earlier today, so I will test out the next snap on my machine tomorrow. At least now I know not to jump to conclusions about failing hardware :)

Thanks to Otto for his work on this area; looking forward to running my machine on all-ffs2.

Cheers,

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: Full disk encryption including /boot, excluding bootloader?
On Tue, Feb 18, 2020 at 05:12:25AM +, Frank Beuth wrote: | Yes, it's a cool way to combine things to get unexpected functionality. | I haven't dug into the bootloader much... is there a reasonably easy way | to get the USB-stick-bootloader to boot the hard drive partition by | default? Best way to dig into the bootloader is by starting at its fine manpage which you can read online at http://man.openbsd.org/man8/amd64/boot.8 The quick answer is `echo 'boot sr0a:/bsd' > /etc/boot.conf` (on the USB-stick's root filesystem). Cheers, Paul 'WEiRD' de Weerd -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: Detecting DoH using PF
Hi Erik,

On Mon, Feb 17, 2020 at 06:07:59PM +0000, Erik Lauritsen wrote:
| Hi,
|
| Is a DNS over HTTPS recognizable somehow so that it can be fingerprinted
| and redirected or blocked using pf?

I haven't studied this in close detail, but since it's just a "normal" (albeit generally small) HTTPS request, I doubt they can be easily fingerprinted.

But I wonder: what is your interest? My concern is not users using safe (encrypted) transports for their DNS lookups, but users unwittingly sending their data to certain large companies. To that end I've populated a table in pf with IP addresses from https://en.wikipedia.org/wiki/Public_recursive_name_server and simply have

    block out log from any to <openrecursor>

to prevent anyone on the local network from accessing them. Some of them are more popular than others but it works well enough:

    # pfctl -vvt openrecursor -T show | awk '/\[/ {p+=$4; b+=$6} END {print p, b}'
    14672 1100046

so 14672 packets / 1100046 bytes blocked to these open recursors. Note that the rule blocks both DoH as well as 'normal' DNS or DoT requests.

| I am thinking about the ability of PF to detect when requests are coming from
| a windows machine for example.

OS fingerprinting looks at TCP characteristics; DoH requests are inside an encrypted transport and (probably) hard to discern from 'normal' HTTPS traffic.

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
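An added example, not part of the original thread: the message above sums every counter in the table into one total, and this goes one step further by breaking the outbound-block counters down per address, so you can see which blocked resolvers clients on the network keep trying. The function names, the sample output and its documentation addresses are constructed; it assumes the table keeps per-address statistics (declared with the `counters` option in pf.conf).

```sh
#!/bin/sh
# Added example (not from the thread). Per-address report of packets and
# bytes that the "block out ... to <openrecursor>" rule has dropped.

# Constructed sample of `pfctl -vvt openrecursor -T show` output. It follows
# the field layout the one-liner in the message relies on: on each counter
# line field 4 is the packet count and field 6 the byte count.
sample_pfctl_output() {
    cat <<'EOF'
   192.0.2.53
    Cleared:     Mon Feb 17 09:00:00 2020
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:     [ Packets: 0                  Bytes: 0                  ]
    Out/Block:   [ Packets: 120                Bytes: 9000               ]
    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   198.51.100.53
    Cleared:     Mon Feb 17 09:00:00 2020
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:     [ Packets: 0                  Bytes: 0                  ]
    Out/Block:   [ Packets: 45                 Bytes: 3375               ]
    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   2001:db8::53
    Cleared:     Mon Feb 17 09:00:00 2020
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:     [ Packets: 0                  Bytes: 0                  ]
    Out/Block:   [ Packets: 0                  Bytes: 0                  ]
    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
EOF
}

# resolver_block_report
# Reads the pfctl output on stdin; prints "packets bytes address" for every
# address with at least one blocked outbound packet, busiest first.
resolver_block_report() {
    awk '
    NF == 1 { addr = $1; next }     # a line holding only an address
    $1 == "Out/Block:" { pk[addr] += $4; by[addr] += $6 }
    END {
        for (a in pk)
            if (pk[a] > 0)
                printf "%d %d %s\n", pk[a], by[a], a
    }' | sort -k1,1nr
}

# resolver_block_totals
# Same input; prints the total "packets bytes" blocked outbound.
resolver_block_totals() {
    resolver_block_report |
        awk '{ p += $1; b += $2 } END { printf "%d %d\n", p, b }'
}

# On a live firewall (as root):
#   pfctl -vvt openrecursor -T show | resolver_block_report
sample_pfctl_output | resolver_block_report
```

Because the rule in the message also carries `log`, the clients behind those counters can be identified from pflog(4).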
Re: Full disk encryption including /boot, excluding bootloader?
On Mon, Feb 17, 2020 at 01:35:38PM +, Frank Beuth wrote: | > | This way the evil maid would have nothing to tamper with. | > | > Note that with this approach, a default OpenBSD install to your | > machine will still install a bootloader on the physical disk inside | > your machine. It's then on you to NOT use that. | | That's a heck of a hack! Not sure how you mean that - I don't think it's that much of a hack, mostly an interesting side-effect of how the bootloader works in general. Taken in combination with a "normal" install to removable media, you get basically exactly what you want at no additional cost. Note that you don't have to do a full (or even minimal) install, if all you really want is use the bootloader on the removable media. It's just the easiest way to prepare it that I know of. Besides, if you do a 'normal' install, you have a convenient 'live' or 'rescue' system to carry around with you whenever you go: I've got one of these on my keychain :) Cheers, Paul 'WEiRD' de Weerd -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: Full disk encryption including /boot, excluding bootloader?
On Mon, Feb 17, 2020 at 08:50:14AM +0000, Frank Beuth wrote:
| > > How do you do this on OpenBSD?
| > @frank: https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk
|
| That's telling me how to use a keydisk -- how to put the softraid FDE
| encryption key material on a USB disk.
|
| If an evil maid came by and got access to my machine, they would still
| be able to tamper with the bootloader code to harvest the FDE password
| when I returned.
|
| I want to put the whole bootloader (including the code used to decrypt
| the softraid-FDE-encrypted root-partition-containing media) on a USB
| disk.

But you can already do this. If your machine supports booting from USB, you can do a minimal install to a USB stick (using FDE, if you want). Now you have a portable OpenBSD environment you can boot on any system capable of booting from USB (and supporting the same kernel architecture).

What you can also do with this USB stick is use its bootloader to boot the OS stored on the disk inside your machine (FDE encrypted or not). I've used this to fix up installs gone sour on my machines in the past. Works a treat. I don't use it to prevent the evil maid case you describe though, but I think it would work just fine.

| This way the evil maid would have nothing to tamper with.

Note that with this approach, a default OpenBSD install to your machine will still install a bootloader on the physical disk inside your machine. It's then on you to NOT use that.

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: using first alias as masquerading ip on pf.conf
On Wed, Feb 12, 2020 at 12:09:12PM +0100, Federico Donati wrote:
| Hi all,
|
| I have a couple of firewalls with carp configured and I need them to
| reach the Internet even when they are in BACKUP state.
| I'm managing pf via Ansible/GIT, so I'd like to keep the
| configuration of pf.conf standard and simple as much as possible.
|
| Usually, I use the notation "nat-to ($interface)" to let pf use the
| correct ip, but in this case I've BGP configured and the provider
| forces me to use a complex configuration with an alias on the
| external interface, like this:
|
| # ifconfig vlan835
| vlan835: flags=8943 mtu 1500
| lladdr b0:26:28:1e:e6:6e
| index 13 priority 0 llprio 3
| encap: vnetid 835 parent trunk0 txprio packet rxprio outer
| groups: vlan egress
| media: Ethernet autoselect
| status: active
| inet 1.1.1.1 netmask 0xfff0 broadcast 1.1.1.255
| inet 2.2.2.2 netmask 0xfff0 broadcast 2.2.2.255

Surely the provider doesn't force 1.1.1.1 to be the "primary" and 2.2.2.2 to be the alias? How could they tell the difference?

| So, 1.1.1.1 is the "transit ip" for the BGP, the one we must use to
| talk with the provider's router and that I can't use as masquerading
| ip.
|
| The ip 2.2.2.2 is the one that I should use to mask my traffic to
| the Internet, and is different on each firewall.
|
| Is there a way to tell pf to use the first alias of interface to
| mask the traffic? Something like "nat-to (vlan835:1)"...

Could you make 1.1.1.1 the alias and 2.2.2.2 the primary address? Then your NAT rule could simply use (vlan835:0). Alternatively, you could refer to a hostname that you then specify in /etc/hosts (with a different address on each host).

As far as I know, there's no way to refer to the 'first alias'. What is the 'first alias' anyway? The first one you configured? Or the last one? Since you're using the '(interface)' specification (with the parentheses), you're using dynamically changing addresses .. what does that mean in the context of 'first alias'?
| I would like to keep things simple and avoid to use the include | directive, if possible. I tend to dislike the whole IP address "aliases" thing more and more recently... :) Cheers, Paul 'WEiRD' de Weerd -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: IPsec and MTU / fragmentation
On Mon, Feb 10, 2020 at 12:15:37PM +0100, Simen Stavdal wrote:
| True, but issue was related to downloading over http, which is over tcp.
| So, if http is your only concern I would go for this option.
|
| Most clients are configured with an MTU of their physical NIC capabilities,
| and sometimes even with jumbo support.
| MTU is a property of the OS in both ends, while MSS is a property of the
| packets that can be adjusted in-flight.
|
| So, if you want to fix the MTU, you will have to configure that on the
| conversation partners and not in pf.
| So, while we agree on the principles, how do you suggest MTU is changed?

One interesting option that I recently discovered thanks to florian@ is the 'mtu'[1] setting in /etc/rad.conf on your IPv6 router. By lowering the MTU, packets had a smaller MSS, which aligned with the MTU of the IPv6 tunnel I was using in that situation. This, in turn, allowed me to use software my bank has provided for my mobile device over IPv6 without a problem.

Admittedly, after learning that this worked, I switched back to scrubbing the MSS in pf.conf for this particular bank, and I've told them to either stop filtering ICMPv6 Packet Too Large errors or restrict the MSS to a lower value on their end (as they said they were doing) to fix this for all their users.

The effect of using 'mtu' in rad(8) is a lower configured MTU on your SLAAC enabled clients, affecting also IPv4 (and local IPv6) traffic.

Cheers,

Paul 'WEiRD' de Weerd

[1]: http://man.openbsd.org/rad.conf#mtu

| Statically configured on each host? DHCP option?
|
| Cheers,
| Simon.
|
| On Mon, 10 Feb 2020 at 12:06, Janne Johansson wrote:
|
| > On Mon, 10 Feb 2020 at 11:58, Simen Stavdal wrote:
| >
| >> Hi Lucas,
| >> Have you tried to manipulate the mss during conversation setup?
| >> This is done with the max-mss directive in pf.conf.
| >> Basically, it takes the three way handshake, and overrides the MSS value
| >> in
| >> the handshake to something lower than the default.
| >>
| >
| > This might fix the http/ssh issues one might see, because both of those
| > run over TCP, but MSS fixups will not correct large UDP or icmp packets, or
| > any other non-TCP protocol one might run over that ipsec, so making sure
| > the traffic is below the MTU should be the end goal, not fixing 90% with
| > pf.
| >
| > --
| > May the most significant bit of your life be positive.
| >

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: FreeBSD daemon(8)-like command for OpenBSD
Hi Patrick,

On Tue, Jan 28, 2020 at 09:29:20AM +0100, Patrick Kristiansen wrote:
| Hi Ingo
|
| Thank you for your reply.
|
| I can't say I disagree with your and the OpenBSD team's attitude about
| bug-free daemons. But I am just a lowly application programmer, and
| sometimes I introduce horrible bugs that make our systems crash. In many
| cases it will be preferable to just start the process again (and, of
| course, fix the bug) for the purposes of keeping our business running.
|
| But another use for daemon(8) is for its ability to detach the child
| process from the controlling terminal and furthermore redirect its
| stdout/stderr to syslog. Is there some mechanism to do that from the
| shell? Perhaps a combination of nohup and starting a background job?

What I do to run a "normal" (non-daemon) program like a daemon, is to start it in tmux. To have this start during system startup, I have an @reboot cronjob:

--
[weerd@cube] $ cat ~/bin/conlog
#!/bin/sh
# conlog: start a tmux session with cu logging to a file
##
# Can be used with the following @reboot cron line to start at boot:
#
# @reboot /home/weerd/bin/conlog

PATH=/bin:/usr/bin
LOG="/home/weerd/data/conlog/log.`date +%s`"
mkdir -p `dirname ${LOG}`
tmux new -d "script -c 'cu -l cuaU0 -s 115200' ${LOG}"
--

At reboot, this will start a new (detached) tmux session that launches cu (under script) to log the serial console output from another OpenBSD machine. I can attach the tmux session and interact with the console of that machine if necessary.

For the purpose of restarting crashing programs, you could do something similar: run your program in a tmux session (convenient to attach to when you want to look at its stdout/stderr output) and script something to restart when it errors out. You could then also send yourself e-mail to alert you to the restart.

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: interface modifiers :network and :0 picking different subnets for IPv6
Hi Richard, On Tue, Jan 28, 2020 at 04:42:02PM +1300, richard.n.proc...@gmail.com wrote: | Does the patch below help? It does! Great, thank you! (tested on my test vm as that has a source tree checked out) [weerd@test1] $ echo 'block in on vio0 proto { tcp, udp } from vio0:network to ! vio0:0 port domain' | pfctl -nvf - block drop in on vio0 inet proto tcp from 192.168.34.0/24 to ! 192.168.34.157 port = 53 block drop in on vio0 inet proto udp from 192.168.34.0/24 to ! 192.168.34.157 port = 53 block drop in on vio0 inet6 proto tcp from 2a02:898:28:200::/64 to ! fe80::fce1:bbff:fed1:c6d9 port = 53 block drop in on vio0 inet6 proto udp from 2a02:898:28:200::/64 to ! fe80::fce1:bbff:fed1:c6d9 port = 53 [weerd@test1] $ echo 'block in on vio0 proto { tcp, udp } from vio0:network to ! vio0:0 port domain' | obj/pfctl -nvf - block drop in on vio0 inet proto tcp from 192.168.34.0/24 to ! 192.168.34.157 port = 53 block drop in on vio0 inet proto udp from 192.168.34.0/24 to ! 192.168.34.157 port = 53 block drop in on vio0 inet6 proto tcp from 2a02:898:28:200::/64 to ! 2a02:898:28:200:4706:3e7a:afb9:5137 port = 53 block drop in on vio0 inet6 proto udp from 2a02:898:28:200::/64 to ! 2a02:898:28:200:4706:3e7a:afb9:5137 port = 53 Looks great and would be perfect to have in I think. One rule to concisely describe the behaviour I want :) Thanks again! Paul | I think you have found an oversight in the original implementation of | ':0', which defines a non-alias as the first defined address (of the given | address family) [0]. The patch makes ':0' skip link-local addresses, | matching the behaviour of ':network'. | | best, | Richard. | | [0] sbin/pfctl/pfctl_parser.c 1.186 ifa_lookup() | | Index: sbin/pfctl/pfctl_parser.c | === | RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v | retrieving revision 1.342 | diff -u -p -u -p -r1.342 pfctl_parser.c | --- sbin/pfctl/pfctl_parser.c 17 Oct 2019 21:54:28 - 1.342 | +++ sbin/pfctl/pfctl_parser.c 28 Jan 2020 03:11:27 - | 
@@ -1546,6 +1546,8 @@ ifa_lookup(const char *ifa_name, int fla | continue; | if ((flags & PFI_AFLAG_NETWORK) && p->ifindex > 0) | continue; | + if ((flags & PFI_AFLAG_NOALIAS) && p->ifindex > 0) | + continue; | if (last_if == NULL || strcmp(last_if, p->ifname)) | got4 = got6 = 0; | last_if = p->ifname; -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
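Review bot: the added `PFI_AFLAG_NOALIAS` test in ifa_lookup() is a copy of the `PFI_AFLAG_NETWORK` test directly above it, so the two can be one condition, `if ((flags & (PFI_AFLAG_NETWORK | PFI_AFLAG_NOALIAS)) && p->ifindex > 0)`, which keeps ':0' and ':network' from drifting apart again. Neither line says why `p->ifindex > 0` is the right test for the link-local addresses the description wants skipped; a one-line comment would help. Two things to settle before commit: with this check an interface that carries only a link-local inet6 address no longer yields any inet6 address for ':0', and existing rulesets change meaning (the test output above goes from fe80::fce1:bbff:fed1:c6d9 to the global address), so pf.conf(5) should document that ':0' skips link-local addresses.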
interface modifiers :network and :0 picking different subnets for IPv6
Hi all,

Following up from my previous (PEBKAC) issue[1], I kept working on my
ruleset. I found, what I believe to be, another issue. Here's the
reduced ruleset that reproduces the problem:

[root@ferrari] # cat pf.tmp
IntIF=em1

# only allow DNS to the unbound instance listening on em1 (v4 and v6)
block in on $IntIF proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain

[root@ferrari] # pfctl -nvf pf.tmp
IntIF = "em1"
block drop in on em1 inet6 proto tcp from 2a02:898:28:300::/64 to ! fe80::2e0:67ff:fe15:cc6d port = 53
block drop in on em1 inet6 proto udp from 2a02:898:28:300::/64 to ! fe80::2e0:67ff:fe15:cc6d port = 53
block drop in on em1 inet proto tcp from 192.168.150.0/24 to ! 192.168.150.1 port = 53
block drop in on em1 inet proto udp from 192.168.150.0/24 to ! 192.168.150.1 port = 53

The problem is in the IPv6 rules. Here "em1:network" expands to the
global unicast network configured on the interface but "em1:0" expands
to the link-local address. This doesn't really make sense to me. If
both would expand to the link-local version, that would be unfortunate
but understandable. I'm hoping to have both expand to the global
unicast version ("from 2a02:898:28:300::/64 to ! 2a02:898:28:300::1").

Why is pfctl picking different addresses for these two modifiers?

This is the interface configuration:

[root@ferrari] # ifconfig em1
em1: flags=808843 mtu 1500
        lladdr 00:e0:67:15:cc:6d
        description: LAN
        index 2 priority 0 llprio 3
        groups: lan
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::2e0:67ff:fe15:cc6d%em1 prefixlen 64 scopeid 0x2
        inet6 2a02:898:28:300::1 prefixlen 64
        inet6 2a02:898:28:300::2 prefixlen 128
        inet 192.168.150.1 netmask 0xff00 broadcast 192.168.150.255
        inet 192.168.150.2 netmask 0x

Is there a way to tell pf to use the global unicast address for em1:0
other than hardcoding the address in the ruleset?

Cheers,

Paul 'WEiRD' de Weerd

[1]: https://marc.info/?l=openbsd-misc=157994923220390=2
Re: combining macro with interface modifiers in pf.conf
Hi Philipp,

On Sat, Jan 25, 2020 at 12:06:49PM +0100, Philipp Buehler wrote:
|
| Hey Paul,
|
| On 25.01.2020 11:43, Paul de Weerd wrote:
| > block in on $IntIF inet proto { tcp, udp } from $IntIF:network to !
| > $IntIF:0 port domain
| > block in on $IntIF inet6 proto { tcp, udp } from $IntIF:network to !
| > $IntIF:0 port domain
|
| I just tested this with "IntIF=vio0" and works on 6.6-stable.
|
| Is there more in the story, like concat macros, quotes in quotes or
| others along that?

Thanks for your reply, you helped me find the answer. I obviously
should've published my full ruleset.

[weerd@pom] $ printf "IntIF=\"em0\"\nblock inet from \$IntIF:network to \$IntIF:0\n" | pfctl -nvf -
IntIF = "em0"
block drop inet from 192.168.0.0/24 to 192.168.0.149
[weerd@pom] $ printf "IntIF=\" em0 \"\nblock inet from \$IntIF:network to \$IntIF:0\n" | pfctl -nvf -
IntIF = " em0 "
stdin:2: syntax error

I have (by now 'had') spaces in my macros, so IntIF gets expanded
quite literally to the value I gave it with spaces (as it should).

As usual, PEBKAC. Again, thank you for the clue-by-4. Everything
works as it should and I have been properly educated.

Paul
combining macro with interface modifiers in pf.conf
Hi all,

I'm rewriting some pf.conf rulesets and thought to use interface
modifiers to make them more generic. Here's an example of what I came
up with:

block in on $IntIF inet proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain
block in on $IntIF inet6 proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain

These rules force users to use the local recursor for DNS lookups.
However, pfctl complains about syntax errors on both lines. Replacing
the $IntIF:network and $IntIF:0 with em1:network and em1:0 solves the
syntax errors.

From pf.conf(5), it's not quite clear to me that it isn't allowed to
combine macros with interface modifiers. On macros it says:

> Macros can be defined that will later be expanded in context. Macro
> names must start with a letter, digit, or underscore, and may
> contain any of those characters. Macro names may not be reserved
> words (for example pass, in, out). Macros are not expanded inside
> quotes.

and on modifiers:

> Interface names, interface group names, and self can have modifiers
> appended:

To me that suggests you can combine a macro with a modifier. Am I
missing something obvious? Is there a way to achieve this?

Thanks,

Paul 'WEiRD' de Weerd
Re: dig -p 5353 foo.bar core dumped
On Tue, Jan 21, 2020 at 11:25:33AM -0800, Jordan Geoghegan wrote:
| dig doesn't core dump for me, it just prints this warning: ";; Error,
| only port 53 supported". I wonder why the error isn't being printed
| for OP.

Interesting. Are you on -current? I updated to the latest snapshot
yesterday and get this:

[weerd@pom] $ dig -p 1234 foo.bar @127.0.0.1
Abort trap
[weerd@pom] $ dmesg | tail -n1
dig[69548]: pledge "dns", syscall 28

You may be doing something similar yet different?

Cheers,

Paul 'WEiRD' de Weerd
Re: dig -p 5353 foo.bar core dumped
On Tue, Jan 21, 2020 at 06:58:02PM +0100, Dieter Rauschenberger wrote:
| Hi misc,
|
| on my intranet i have unbound and nsd running, both on the same
| machine. unbound is listening on port 53, nsd is listening on port
| 5353 on 127.0.0.1. If i run
|
| dig @127.0.0.1 -p 53 foo.bar
|
| everything is fine. But if I want to query nsd direct with
|
| dig @127.0.0.1 -p 5353 foo.bar
|
| dig core dumps and I can read the following line in /var/log/messages:

That's pledge, as the below kernel message explains.

| Jan 21 18:42:44 ws /bsd: dig[59239]: pledge "dns", syscall 28

Dig is only allowed to do port 53. This can be worked around by using
dig from the bind port, or with a patch to dig that allows you to use
other ports when -p is given on the command line.

However, I'd recommend running nsd on port 53 on 127.0.0.1; there it
doesn't interfere with unbound (assuming that's not listening on
127.0.0.1). Alternatively, you can easily add a second IP address on
your loopback interface (::2) and have nsd listen there.

| The issue can be easily reproduced with any other port. No need to
| have a nsd running.

That's because it has nothing to do with nsd but with dig. Dig has
promised not to use ports other than 53, and then when you do use
ports other than 53, the kernel terminates the process.

Cheers,

Paul 'WEiRD' de Weerd
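The kernel line quoted in the two dig messages above is the record a pledge kill leaves behind, so it is worth collecting. The following is an added example, not code from the thread: it pulls those records out of dmesg or /var/log/messages text in both forms shown above and counts them per program. The function names are hypothetical, the default header path in syscall_name is an assumption about a stock OpenBSD install, and the sample log is constructed around the two lines quoted on this page.

```sh
#!/bin/sh
# Summarise pledge(2) violations from dmesg or /var/log/messages text.

# pledge_violations [FILE...]: print "program pid promise syscall" per hit.
# Accepts both 'host /bsd: prog[pid]: pledge "x", syscall N' (syslog)
# and 'prog[pid]: pledge "x", syscall N' (dmesg).
pledge_violations() {
    awk '
    {
        for (i = 2; i + 3 <= NF; i++) {
            if ($i != "pledge" || $(i + 2) != "syscall") continue
            proc = $(i - 1); lb = index(proc, "["); rb = index(proc, "]:")
            if (lb < 2 || rb < lb + 2 || rb != length(proc) - 1) continue
            pid = substr(proc, lb + 1, rb - lb - 1)
            sc = $(i + 3)
            if (pid !~ /^[0-9]+$/ || sc !~ /^[0-9]+$/) continue
            promise = $(i + 1)
            gsub(/[",]/, "", promise)
            if (promise == "") promise = "-"
            print substr(proc, 1, lb - 1), pid, promise, sc
        }
    }' "$@"
}

# pledge_summary [FILE...]: print "count program promise syscall".
pledge_summary() {
    pledge_violations "$@" |
        awk '{ c[$1 " " $3 " " $4]++ } END { for (k in c) print c[k], k }' |
        sort -k2
}

# syscall_name NUMBER [HEADER]: resolve a syscall number through the
# "#define SYS_name number" lines of the system header.
# Assumed default location: /usr/include/sys/syscall.h
syscall_name() {
    awk -v n="$1" '
        $1 == "#define" && $2 ~ /^SYS_/ && $3 == n { print substr($2, 5); exit }
    ' "${2:-/usr/include/sys/syscall.h}"
}

# Constructed sample: lines 1 and 4 are the ones quoted in the thread,
# the rest is made-up surrounding noise.
sample_log() {
    cat <<'EOF'
Jan 21 18:42:44 ws /bsd: dig[59239]: pledge "dns", syscall 28
Jan 21 18:43:02 ws sshd[1201]: Accepted publickey for user from 192.0.2.10 port 50122 ssh2
Jan 21 18:44:10 ws /bsd: dig[61877]: pledge "dns", syscall 28
dig[69548]: pledge "dns", syscall 28
Jan 21 18:45:00 ws cron[880]: (user) CMD (grep pledge /var/log/messages)
EOF
}
```

On the affected host, `pledge_summary /var/log/messages` gives the per-program counts and `syscall_name 28` names the call that was refused.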
Re: dhcpd and unbound on a small LAN
On Mon, Jan 06, 2020 at 09:33:44AM -0500, Steve Litt wrote:
| On Mon, 06 Jan 2020 14:03:20 +0100
| "Boudewijn Dijkstra" wrote:
|
|
| > Another way is to configure the DHCP server to give alice the same
| > address every time.
| >
| > host alice {
| >     hardware ethernet 00:19:b9:e0:2f:de;
| >     fixed-address 192.168.0.68;
| > }
|
| I need something like that for my situation. Two questions:
|
| 1) Does the preceding setup prevent anyone with a different mac address
| from getting 192.168.0.68?

That specific snippet of DHCP configuration does not prevent dhcpd
from handing it out to other machines (with different macs). It
depends on the rest of your configuration and on whether this machine
is currently alive with that address on your network.

If you have configured a range for dynamic allocation that covers the
assigned fixed-address, then that fixed-address may be assigned to
another machine. This may result in problems for host alice when it
boots. The easy solution is to not do that: don't have your
statically assigned addresses overlap with the dynamic range.

| 2) Is there a way I can set it up so ONLY specific mac addresses can
| get a dhcp lease from my server?*** I'd like to keep the man on the
| street from getting a lease: If I don't know the person and machine
| ahead of time, I don't want them getting a lease.

If you want to only allow specific MACs, then you'll need to specify
the MAC addresses in the configuration file, and assign each one an
address, so you'll need to pre-assign IPs to MACs.

| *** I presume one way is to set aside just enough IP addresses to cover
| known mac addresses. I was wondering if there's a way that involves
| less arithmetic.

Not sure what arithmetic you're referring to specifically: simply
enumerate all machines by MAC and give each one a static lease
('fixed-address') in your /etc/dhcpd.conf, much like the host 'alice'
in the sample Boudewijn showed you. Leave out a dynamic 'range' for
unknown clients, and you're done.

This is what I have done in the past on my private home network.

Cheers,

Paul 'WEiRD' de Weerd
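Both conditions from the reply above can be checked mechanically: a fixed-address that also sits inside a dynamic range, and whether any dynamic range exists at all. This is an added example, not part of the thread; the function names are hypothetical and the sample configuration is constructed around the host 'alice' entry quoted above. It handles IPv4 literals only.

```sh
#!/bin/sh
# Audit a dhcpd.conf for:
#   1. a host fixed-address that also lies inside a dynamic "range"
#   2. any dynamic "range" at all (unknown clients can get a lease)
# A fixed-address given as a hostname is skipped.

# dhcpd_scan MODE FILE, where MODE is "overlaps" or "ranges"
dhcpd_scan() {
    awk -v mode="$1" '
    function ip2n(ip,   o) {
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return -1
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    {
        sub(/#.*/, "")                  # drop comments
        gsub(/[{};,]/, " & ")           # make punctuation its own token
        for (i = 1; i <= NF; i++) tok[++nt] = $i
    }
    END {
        # Statements may span lines, so walk the whole token stream.
        for (i = 1; i <= nt; i++) {
            if (tok[i] == "host") {
                host = tok[i + 1]
            } else if (tok[i] == "range") {
                j = i + 1
                if (tok[j] == "dynamic-bootp") j++
                lo[++nr] = tok[j]
                hi[nr] = (tok[j + 1] == ";") ? tok[j] : tok[j + 1]
            } else if (tok[i] == "fixed-address") {
                fh[++nh] = host
                fa[nh] = tok[i + 1]
            }
        }
        for (r = 1; r <= nr; r++) {
            if (mode == "ranges") print lo[r], hi[r]
            for (k = 1; mode == "overlaps" && k <= nh; k++) {
                n = ip2n(fa[k])
                if (n >= 0 && n >= ip2n(lo[r]) && n <= ip2n(hi[r]))
                    printf "%s %s inside range %s-%s\n", fh[k], fa[k], lo[r], hi[r]
            }
        }
    }' "$2"
}

dhcpd_overlaps() { dhcpd_scan overlaps "$1"; }   # one line per conflict
dhcpd_ranges()   { dhcpd_scan ranges "$1"; }     # empty output: static leases only

# Constructed sample; only the "alice" host block comes from the thread.
dhcpd_sample_conf() {
    cat <<'EOF'
subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    range 192.168.0.32 192.168.0.127;

    host alice {
        hardware ethernet 00:19:b9:e0:2f:de;
        fixed-address 192.168.0.68;
    }
    host bob {
        hardware ethernet 00:00:5e:00:53:01;
        fixed-address 192.168.0.10;
    }
}
EOF
}
```

Run `dhcpd_overlaps /etc/dhcpd.conf` before restarting dhcpd; for a known-clients-only network `dhcpd_ranges /etc/dhcpd.conf` should print nothing.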
Re: How to setup date on startup with ntpd on OpenBSD 6.6
On Thu, Nov 21, 2019 at 03:48:44PM +0500, dmitry.sensei wrote:
| Hi!
|
| Since "-s" key had been deleted how I can setup time on startup?

From ntpd(8):

> ntpd makes efforts to verify and correct the time at boot if
> constraints are configured and satisfied or if trusted servers or
> sensors return results, and if the clock is not being moved backwards.

So you should configure a constraint[1] or a trusted[2] server or
sensor. Then, at boot, ntpd will take care of correcting the clock if
it's off by too much. See ntpd.conf(5) for details.

This was documented in an e-mail to tech@ by Theo two weeks ago,
there's an undeadly.org article[3] with his post and references to the
various commits that play a part here.

Cheers,

Paul 'WEiRD' de Weerd

[1]: http://man.openbsd.org/ntpd.conf#CONSTRAINTS
[2]: http://man.openbsd.org/ntpd.conf#sensor
[3]: http://undeadly.org/cgi?action=article;sid=2019075815
Re: wrong pkg_add url after sysupgrade
On Wed, Oct 09, 2019 at 01:40:42PM +, shadrock uhuru wrote:
| after trying sysupgrade for the first time on my laptop running snapshots
| running the following command returns no such dir.
|
| doas pkg_add -u
| https://ftp.OpenBSD.org/pub/OpenBSD/6.6/packages/amd64/: no such dir
| pkg_info p5-finance
| https://ftp.OpenBSD.org/pub/OpenBSD/6.6/packages/amd64/: no such dir
|
| my /etc/installurl has
| cat /etc/installurl
| https://ftp.OpenBSD.org/pub/OpenBSD
|
| does this need editing
| if so what url should i use ?

Same url, different command:

    pkg_add -u -Dsnap

Twice a year there's a brief window where snapshots have the name of
the upcoming release. During that time, you must add -Dsnap to
pkg_add. It doesn't hurt to have -Dsnap when you're running something
-current or -beta, so if you always run snaps, best to train your
muscle memory to do -Dsnap always :)

Cheers,

Paul 'WEiRD' de Weerd
Re: How can I remove sets installed by sysupgrade?
On Tue, Sep 17, 2019 at 03:14:22PM +0200, Marc Espie wrote:
| On Tue, Sep 17, 2019 at 01:48:19PM +0200, Paul de Weerd wrote:
| > On Tue, Sep 17, 2019 at 01:27:23PM +0200, Marc Espie wrote:
| > | > By having each set install a specific file in a well-known location.
| > | > Before sysupgrade I wrote my own script to upgrade machines, this uses
| > | > /var/db/sets/{base,comp,game,man,xbase,xfont,xserve,xshare} to
| > | > determine what has been installed and upgrade only those sets.
| > |
| > | We actually know what file belongs to which set.
| > | see /usr/lib/locate/src.db
| >
| > This doesn't list files from x-sets.
|
| ... there's obviously the corresponding database for x in xbase, duh

Right. Wasn't aware of that one, but doesn't really make it easier:

So, if /usr/lib/locate/src.db exists, we can see if the files that it
knows about can be found on the local filesystem and then per set pick
a file to check for existence. And if /usr/X11R6/lib/locate/xorg.db
exists, we can do the same for the x-sets.

What if I chose to only install xfont, to use the TTF fonts with my
webserver? Then I don't have the xorg.db locate database but would
still have a working system, but now you're not upgrading xfont?

The "file to set"-mapping isn't very convenient to determine which
sets were installed and have to be upgraded. Having each set contain
one small (empty?) file in a known location would make this trivial at
a very small cost.

But I repeat: the argument that not installing all sets gives you a
'non standard' system suggests that this approach isn't viable.

Cheers,

Paul
Re: How can I remove sets installed by sysupgrade?
On Tue, Sep 17, 2019 at 01:27:23PM +0200, Marc Espie wrote:
| > By having each set install a specific file in a well-known location.
| > Before sysupgrade I wrote my own script to upgrade machines, this uses
| > /var/db/sets/{base,comp,game,man,xbase,xfont,xserve,xshare} to
| > determine what has been installed and upgrade only those sets.
|
| We actually know what file belongs to which set.
| see /usr/lib/locate/src.db

This doesn't list files from x-sets.

Cheers,

Paul
Re: How can I remove sets installed by sysupgrade?
On Tue, Sep 17, 2019 at 09:39:00AM +0100, cho...@jtan.com wrote:
| Marc Espie writes:
| > On Tue, Sep 17, 2019 at 09:01:47AM +0100, cho...@jtan.com wrote:
| > > Marc Espie writes:
| > > > I'm a bit surprised nobody looked at instrumenting what sets are actually
| > > > installed on a machine during install/manual upgrade and cloning that
| > > > into sysupgrade to avoid this kind of surprise...
| > >
| > > I mentioned the possibility wrt. syspatch but it was rejected in favour
| > > of expecting users to run a default system or, in effect, become
| > > developers. Not a stance I entirely agree with but which nevertheless
| > > has its merits.
| >
| > But sysupgrade is a much "simpler" mechanism than syspatch.
| >
| > More importantly,
| > - sysupgrade is definitely about the sets
| > - if you have a non default installation, syspatch happens *at user level*
| > so you have every opportunity to figure out what's going on.
| > Where sysupgrade ? reboot the machine, see your disks overflow. Boom machine
| > kaput.
|
| The problem boils down to: how does sysupgrade, or any other tool, know
| which sets have been installed?

By having each set install a specific file in a well-known location.
Before sysupgrade I wrote my own script to upgrade machines, this uses
/var/db/sets/{base,comp,game,man,xbase,xfont,xserve,xshare} to
determine what has been installed and upgrade only those sets.

However, the argument that not installing all sets gives you a 'non
standard' system suggests that this approach isn't viable.

Cheers,

Paul 'WEiRD' de Weerd
Re: vmd eating lots of memory
Just confirmed I can reproduce this on the latest snapshot (both on
host and VMs) on my home workstation:

OpenBSD 6.5-current (GENERIC.MP) #143: Fri Jul 26 00:37:38 MDT 2019

If I use the host to send traffic with tcpbench, traffic rate peaks
around 1Gbit/s (1055.923 Mbps, according to tcpbench), and memory
consumption is growing at a rate that seems to correlate to the
bandwidth used by the tcpbench traffic.

The test is simply `tcpbench -s -p X` on the VM and `tcpbench -p X vm`
on the host.

Paul

On Thu, Jul 25, 2019 at 09:54:22PM +0200, Paul de Weerd wrote:
| A little more follow-up on this vmd-memory-leak issue.
|
| Comparing the two VMs I have running, I started to stress parts where
| these two hosts differ. The testvm hardly does any traffic, while the
| undeadly vm sees quite a few visitors on a daily basis, so networking
| may be part of the leak.
|
| Running tcpbench against this machine (averaging at ~250Mbit/s)
| results in vmd growing by about 80MB to 100MB per minute. Running
| tcpbench against the testvm has similar results.
|
| The undeadly VM also has a second disk configured (on slower storage),
| but putting load on that didn't significantly change the memory
| consumption (above the 'expected' growth that I've been seeing).
|
| The growth during daily(8) runs still confuses me, as that doesn't do
| anything network-related...
|
| Paul
Re: vmd eating lots of memory
Hi Bryan,

On Fri, Jul 26, 2019 at 04:02:10PM +0900, Bryan Linton wrote:
| On 2019-07-25 13:01:28, Mike Larkin wrote:
| > On Thu, Jul 25, 2019 at 09:54:22PM +0200, Paul de Weerd wrote:
| > > A little more follow-up on this vmd-memory-leak issue.
| > >
| > > Comparing the two VMs I have running, I started to stress parts where
| > > these two hosts differ. The testvm hardly does any traffic, while the
| > > undeadly vm sees quite a few visitors on a daily basis, so networking
| > > may be part of the leak.
| > >
| > > Running tcpbench against this machine (averaging at ~250Mbit/s)
| > > results in vmd growing by about 80MB to 100MB per minute. Running
| > > tcpbench against the testvm has similar results.
| > >
| > > The undeadly VM also has a second disk configured (on slower storage),
| > > but putting load on that didn't significantly change the memory
| > > consumption (above the 'expected' growth that I've been seeing).
| > >
| > > The growth during daily(8) runs still confuses me, as that doesn't do
| > > anything network-related...
| > >
| > > Paul
| > >
| >
| > I'll try to look for leaks in that area then. Thanks for the report.
| >
| > -ml
| >
|
| To Paul, is it related to disk activity on the VM? I.e. Does
| doing lots of I/O on the system cause memory usage to increase?

It does not, I specifically tried that (also because the VM with this
issue has two disks, one of them on slower media) but I didn't notice
a difference.

| Can you test it with a snapshot/kernel dated May 7th or earlier?

Not easily on the undeadly production environment. But I'm building a
test environment at home that I may be able to use for this.

| I CCed both of you into a bug report I just submitted to bugs@
| because I thought it may possibly be related.
|
| https://marc.info/?l=openbsd-bugs=156412299418191=2

Yep, saw that. I can definitely try reverting that diff on my test
environment later today.

| In brief, I'm seeing large amounts of memory being consumed
| followed by a system hang when files are copied to a vnd(4)
| device.
|
| I don't see it with regular disk I/O, only with vnds.
|
| If the VMs are using/accessing memory in a similar way to the
| method that vnd(4) does, it might explain why the daily(8) runs
| are causing the memory usage to increase.

I can't really comment on that as I'm not familiar with the
implementation of these parts of the kernel.

| If this is an unrelated issue, then I apologize for the noise. I
| figured it better to CC both of you in so you could evaluate it on
| your own rather than for me to do nothing.

Cheers,

Paul
Re: vmd eating lots of memory
A little more follow-up on this vmd-memory-leak issue.

Comparing the two VMs I have running, I started to stress parts where
these two hosts differ. The testvm hardly does any traffic, while the
undeadly vm sees quite a few visitors on a daily basis, so networking
may be part of the leak.

Running tcpbench against this machine (averaging at ~250Mbit/s)
results in vmd growing by about 80MB to 100MB per minute. Running
tcpbench against the testvm has similar results.

The undeadly VM also has a second disk configured (on slower storage),
but putting load on that didn't significantly change the memory
consumption (above the 'expected' growth that I've been seeing).

The growth during daily(8) runs still confuses me, as that doesn't do
anything network-related...

Paul

On Sat, Jul 20, 2019 at 04:23:27PM +0200, Paul de Weerd wrote:
| Hi all,
|
| I'm running two vmd(8) VMs:
|
| [weerd@despair] $ cat /etc/vm.conf
| vm "undeadly" {
|     owner root
|     memory 2G
|     disk /home/vmm/undeadly.dsk
|     disk /storage/vmm/undeadly.dsk
|     interface switch "vmmswitch" lladdr "fe:e1:bb:02:6b:bf"
| }
|
| vm "testvm" {
|     owner root
|     memory 2G
|     disk /home/vmm/testvm.dsk
|     interface switch "vmmswitch" lladdr "fe:e1:bb:02:6b:be"
| }
|
| switch "vmmswitch" {
|     enable
|     interface bridge0
| }
|
| Both machines have been up since boot of the host machine:
|
| [weerd@despair] $ vmctl status
|    ID   PID VCPUS  MAXMEM  CURMEM     TTY  OWNER   STATE NAME
|     2 23133     1    2.0G    1.1G   ttyp1   root running testvm
|     1 42094     1    2.0G    1.5G   ttyp0   root running undeadly
| [weerd@despair] $ uptime
|  4:11PM up 43 days, 57 mins, 12 users, load averages: 0.02, 0.07, 0.07
| [weerd@despair] $ ssh undeadly uptime
|  4:11PM up 43 days, 57 mins, 2 users, load averages: 0.28, 0.12, 0.10
| [weerd@despair] $ ssh testvm uptime
|  4:11PM up 43 days, 57 mins, 0 users, load averages: 0.00, 0.00, 0.00
|
| However, the undeadly VM consumes significantly more memory than the
| other VM:
|
| [weerd@despair] $ ps wwwaux | grep -e vm[d] -e [P]ID
| USER    PID %CPU %MEM      VSZ      RSS TT STAT STARTED       TIME COMMAND
| _vmd  42094  3.7 57.9 28769236 19398792 ?? Ip    7Jun19 4741:37.66 vmd: undeadly (vmd)
| _vmd   4567  0.0  0.0     1384     1384 ?? Isp   7Jun19    0:00.01 vmd: vmm (vmd)
| root  84392  0.0  0.0     1564     1436 ?? Isp   7Jun19    0:00.02 /usr/sbin/vmd
| _vmd  55269  0.0  0.0     1304     1468 ?? Isp   7Jun19    0:00.01 vmd: control (vmd)
| root  51181  0.0  0.0     1236      928 ?? Is    7Jun19    0:00.01 vmd: priv (vmd)
| _vmd  23133  0.0  0.2  2100100    70272 ?? Ip    7Jun19 1886:16.18 vmd: testvm (vmd)
|
| All systems run snaps from around the same time:
|
| [weerd@despair] $ sysctl kern.version
| kern.version=OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun 4 15:05:10 MDT 2019
|     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
|
| [weerd@despair] $ ssh undeadly sysctl kern.version
| kern.version=OpenBSD 6.5-current (GENERIC) #7: Fri Jun 7 00:45:34 MDT 2019
|     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
|
| [weerd@despair] $ ssh testvm sysctl kern.version
| kern.version=OpenBSD 6.5-current (GENERIC) #6: Tue Jun 4 14:57:43 MDT 2019
|     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
|
| So it looks like there's a memory leak, either only for busy VMs or it
| shows more for busier VMs. Has anyone seen anything similar on their
| vmm VMs?
|
| I'll reboot the undeadly VM for now, as other processes are getting
| killed for out of memory reasons (bgpd, in my case; see end of below
| dmesg of host machine 'despair').
|
| Paul
Re: vmd eating lots of memory
On Sun, Jul 21, 2019 at 10:46:06AM +0200, Paul de Weerd wrote:
| on both VMs and host. If the problem was there too, it didn't affect
| anything else on the system until I upgraded.

Forgot to make explicit: the other vm remains at a constant memory
footprint; also while running /etc/daily

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: vmd eating lots of memory
Hi Mike,

On Sat, Jul 20, 2019 at 10:23:02AM -0700, Mike Larkin wrote:
| Did this just start happening? Nothing relevant has changed in vmd(8) recently
| that would cause this, from what I remember.

Prior to this kernel version, I was running

    OpenBSD 6.5 (GENERIC.MP) #847: Tue Apr 9 09:12:46 MDT 2019

on both VMs and host. If the problem was there too, it didn't affect
anything else on the system until I upgraded.

Now that I've found this, I started measuring a bit more. It looks
like the vmd for undeadly consumes about 8 to 10 MB per hour
(approximately 2MB per 15 minutes, my sample interval). It varies
quite a bit, and there's a big spike around when /etc/daily runs of
340 MB and 74 MB.

I'm attaching my samples so far, they're epoch + the VSZ column from
ps for the vmd process per line.

Is there anything else I can collect that can help debug this?

Thanks,

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/

1563659689 2207536
1563659712 2207568
1563660312 2210584
1563660912 2213136
1563661512 2215732
1563662112 2218504
1563662713 2220980
1563663313 2223704
1563663913 2226748
1563664513 2228976
1563665113 2231824
1563665713 2572920
1563666313 2647712
1563666913 2650232
1563667514 2653052
1563668114 2655504
1563668714 2658308
1563669314 2661260
1563669914 2663836
1563670514 2666324
1563671114 2668944
1563671714 2671452
1563672314 2673780
1563672914 2676392
1563673514 2678700
1563674114 2680980
1563674714 2683788
1563675314 2685924
1563675914 2688648
1563676514 2691404
1563677114 2693676
1563677715 2695844
1563678315 2697920
1563678915 2699868
1563679515 2701944
1563680115 2703868
1563680715 2705668
1563681315 2707488
1563681915 2709712
1563682515 2711472
1563683115 2713196
1563683715 2715432
1563684315 2717280
1563684915 2719156
1563685515 2721528
1563686115 2723672
1563686715 2725828
1563687315 2727812
1563687915 2729848
1563688515 2731488
1563689116 2735600
1563689716 2737380
1563690316 2739648
1563690916 2742280
1563691516 2744240
1563692116 2746120
1563692716 2748192
1563693316 2750148
1563693916 2752156
1563694516 2754424
1563695116 2757576
1563695716 2760144
1563696316 2762860
1563696916 2764992
1563697516 2767408
1563698116 2769756
1563698716 2771680
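A series of "epoch VSZ" samples like the attachment above can be reduced to a steady growth rate and a list of outlier intervals with sh and awk. This is an added example, not part of the original mail: the function names and the 10x-median spike threshold are assumptions, and the embedded data is the first 15 lines of the attachment.

```shell
#!/bin/sh
# Samples are "<epoch seconds> <VSZ in KB>" per line, e.g. collected with:
#   echo "$(date +%s) $(ps -o vsz= -p "$pid")"
# First 15 lines of the attachment above, copied verbatim.
SAMPLES='1563659689 2207536
1563659712 2207568
1563660312 2210584
1563660912 2213136
1563661512 2215732
1563662112 2218504
1563662713 2220980
1563663313 2223704
1563663913 2226748
1563664513 2228976
1563665113 2231824
1563665713 2572920
1563666313 2647712
1563666913 2650232
1563667514 2653052'

# vsz_rates: read samples on stdin, print one row per interval:
#   <end epoch> <seconds> <KB grown> <KB per hour>
# Rates are normalised per hour because the sample spacing is not constant.
# Malformed lines are ignored; an interval in which VSZ shrinks is treated
# as a process restart and skipped.
vsz_rates() {
    awk '
    NF == 2 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
        if (seen && $1 > t && $2 >= v)
            printf "%s %d %d %d\n", $1, $1 - t, $2 - v, ($2 - v) * 3600 / ($1 - t)
        t = $1; v = $2; seen = 1
    }'
}

# median_rate: median KB/hour over all intervals (lower middle for even counts).
median_rate() {
    vsz_rates | awk '{ print $4 }' | sort -n |
        awk '{ r[NR] = $1 } END { if (NR) print r[int((NR + 1) / 2)] }'
}

# with_limit FACTOR: rate rows with the spike limit (FACTOR x median) appended.
# FACTOR must be an integer; prints nothing when there are no usable intervals.
with_limit() {
    factor=$1
    input=$(cat)
    med=$(printf '%s\n' "$input" | median_rate)
    [ -n "$med" ] || return 0
    printf '%s\n' "$input" | vsz_rates |
        awk -v lim="$((med * factor))" '{ print $0, lim }'
}

# vsz_spikes FACTOR: "<end epoch> <KB grown>" for intervals above the limit.
vsz_spikes() {
    with_limit "$1" | awk '$4 > $5 { print $1, $3 }'
}

# baseline_rate FACTOR: KB/hour over the remaining (non-spike) intervals.
baseline_rate() {
    with_limit "$1" |
        awk '$4 <= $5 { kb += $3; s += $2 }
             END { if (s) printf "%d\n", kb * 3600 / s }'
}

printf '%s\n' "$SAMPLES" | vsz_spikes 10      # intervals to examine separately
printf '%s\n' "$SAMPLES" | baseline_rate 10   # steady growth in KB per hour
```

The epochs printed by `vsz_spikes` can be turned back into wall-clock time with `date -r` on OpenBSD to line them up with cron jobs such as daily(8).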
vmd eating lots of memory
Hi all,

I'm running two vmd(8) VMs:

[weerd@despair] $ cat /etc/vm.conf
vm "undeadly" {
        owner root
        memory 2G
        disk /home/vmm/undeadly.dsk
        disk /storage/vmm/undeadly.dsk
        interface switch "vmmswitch" lladdr "fe:e1:bb:02:6b:bf"
}

vm "testvm" {
        owner root
        memory 2G
        disk /home/vmm/testvm.dsk
        interface switch "vmmswitch" lladdr "fe:e1:bb:02:6b:be"
}

switch "vmmswitch" {
        enable
        interface bridge0
}

Both machines have been up since boot of the host machine:

[weerd@despair] $ vmctl status
   ID   PID VCPUS  MAXMEM  CURMEM     TTY        OWNER    STATE NAME
    2 23133     1    2.0G    1.1G   ttyp1         root  running testvm
    1 42094     1    2.0G    1.5G   ttyp0         root  running undeadly
[weerd@despair] $ uptime
 4:11PM up 43 days, 57 mins, 12 users, load averages: 0.02, 0.07, 0.07
[weerd@despair] $ ssh undeadly uptime
 4:11PM up 43 days, 57 mins, 2 users, load averages: 0.28, 0.12, 0.10
[weerd@despair] $ ssh testvm uptime
 4:11PM up 43 days, 57 mins, 0 users, load averages: 0.00, 0.00, 0.00

However, the undeadly VM consumes significantly more memory than the
other VM:

[weerd@despair] $ ps wwwaux | grep -e vm[d] -e [P]ID
USER       PID %CPU %MEM      VSZ      RSS TT  STAT STARTED       TIME COMMAND
_vmd     42094  3.7 57.9 28769236 19398792 ??  Ip    7Jun19 4741:37.66 vmd: undeadly (vmd)
_vmd      4567  0.0  0.0     1384     1384 ??  Isp   7Jun19    0:00.01 vmd: vmm (vmd)
root     84392  0.0  0.0     1564     1436 ??  Isp   7Jun19    0:00.02 /usr/sbin/vmd
_vmd     55269  0.0  0.0     1304     1468 ??  Isp   7Jun19    0:00.01 vmd: control (vmd)
root     51181  0.0  0.0     1236      928 ??  Is    7Jun19    0:00.01 vmd: priv (vmd)
_vmd     23133  0.0  0.2  2100100    70272 ??  Ip    7Jun19 1886:16.18 vmd: testvm (vmd)

All systems run snaps from around the same time:

[weerd@despair] $ sysctl kern.version
kern.version=OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun 4 15:05:10 MDT 2019
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

[weerd@despair] $ ssh undeadly sysctl kern.version
kern.version=OpenBSD 6.5-current (GENERIC) #7: Fri Jun 7 00:45:34 MDT 2019
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

[weerd@despair] $ ssh testvm sysctl kern.version
kern.version=OpenBSD 6.5-current (GENERIC) #6: Tue Jun 4 14:57:43 MDT 2019
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

So it looks like there's a memory leak, either only for busy VMs or it
shows more for busier VMs. Has anyone seen anything similar on their
vmm VMs?

I'll reboot the undeadly VM for now, as other processes are getting
killed for out of memory reasons (bgpd, in my case; see end of below
dmesg of host machine 'despair').

Paul

--- despair dmesg
OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun 4 15:05:10 MDT 2019
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34332733440 (32742MB)
avail mem = 33282105344 (31740MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe66d0 (57 entries)
bios0: vendor Dell Inc. version "1.2.3" date 07/21/2011
bios0: Dell Inc. PowerEdge R210 II
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP SPMI ASF! HPET APIC MCFG BOOT SSDT ASPT SSDT SSDT SPCR DMAR HEST ERST BERT EINJ
acpi0: wakeup devices P0P1(S4) GLAN(S0) EHC1(S4) EHC2(S4) PXSX(S4) RP01(S5) PXSX(S4) RP02(S5) PXSX(S4) RP03(S5) PXSX(S4) RP04(S5) PXSX(S4) RP05(S5) PXSX(S4) RP06(S5) [...]
Re: Newer snapshots on ALIX
Hi Claudio, others,

First off, let me apologize for the severe lack of details in my
previous post. I thought to quickly check if anyone else had seen
what I'm seeing.

I've gone to my archive of snapshots and extracted all the pxeboot's
from every snapshot I have, a total of 1972 snapshots over the last 4+
years. I found 91 different pxe bootloaders, so at most 7 attempts to
find the breaking one :)

As I only have an archive of amd64 installers, I used the amd64
pxeboot (even though ALIX is an i386 platform, the bootloader from
amd64 has worked fine - and I did verify the i386 pxeboot from 6.5 and
the latest snapshot have the same behaviour).

My method was using the pxeboot loader to boot bsd.rd from the local
storage. The only change I made between reboots was installing a
different version of pxeboot on my tftp server.

With a reasonable starting guess, I brought it down to 5 attempts.
First to fail is the pxeboot from the snapshot dated 2019-04-10 at
18:10:42, kernel build number 817. This shows some extra information
during boot though:

>> OpenBSD/amd64 PXEBOOT 3.43
boot> boot hd0a:/bsd.rd
booting hd0a:/bsd.rd: 3107327+1352704+3362824+0+458752 [363419+98+289008+28303]=0x8cc8a0
64 bit entry point at 0x2000d4
entry = 0x2000d4
kern_pml4 = 0
kern_pml3 = 0
kern_pml2 = 1
kern_pml1 = 0
end of bootstrap page tables = 0xa

The pxeboot from the snapshot before that (kernel build time
2019-04-10 at 11:52:59, with kernel build number 816) shows:

>> OpenBSD/amd64 PXEBOOT 3.42
boot> boot hd0a:/bsd.rd
booting hd0a:/bsd.rd: 3107327+1352704+3362824+0+458752 [363419+98+289008+28303]=0x8cc8a0
entry point at 0x2000d4
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California. All rights reserved.
Copyright (c) 1995-2018 OpenBSD. All rights reserved. https://www.OpenBSD.org

The next (different) pxeboot from the snapshot with the kernel built
on 2019-04-12 at 20:40:53 (kernel build number 0) gets stuck at the
`entry point at 0x2000d4` again:

>> OpenBSD/amd64 PXEBOOT 3.43
boot> boot hd0a:/bsd.rd
booting hd0a:/bsd.rd: 3107327+1352704+3362824+0+458752 [363419+98+289008+28303]=0x8cc8a0
entry point at 0x2000d4

So, I was looking at commits to the boot code at or shortly after
April 10. The only one I see is this one, where Florian brings
sys/stand/boot/boot.c to version 1.48:

--
Modified files:
        sys/stand/boot : boot.c

Log message:
Unbreak "boot bsd.up" line in /etc/boot.conf
Found the hard way by Raf Czlonka (rczlonka AT gmail), thanks!
OK deraadt
--

But I don't see how Florian's change could break things this way.
I'll try a revert, but it's going to take a bit of time to configure
my build environment and to figure out how to make the pxe bootloader.
If anyone has any suggestions in the meantime, I'm eager to hear
them.

Thanks,

Paul

On Wed, Jun 19, 2019 at 08:55:06AM +0200, Claudio Jeker wrote:
| On Wed, Jun 19, 2019 at 08:37:28AM +0200, Paul de Weerd wrote:
| > Morning folks,
| >
| > I ran into a problem after upgrading my ALIX to a more recent snapshot
| > in that it won't boot anymore. It gets to "entry point 0x2d0" and
| > then stops. I tried using the PXE bootloader to load the local kernel
| > from disk (both bsd and bsd.rd) and to load kernels from tftp, but all
| > fails in similar ways with the entry point being the last output.
| >
| > I grabbed another ALIX to test, but I'm afraid I screwed that one up
| > and now that one doesn't boot either anymore. This is probably user
| > error, but now I'd like to confirm: has anyone successfully upgraded
| > their ALIX to a recent snapshot?
| >
| > It could be that my hardware is dying on me (I should find my piggy
| > bank for some nickels), so confirmation that this still works for
| > others is appreciated.
| >
|
| There were some boot(8) changes so try some older pxeboot from 6.4, 6.5 or
| the snapshot archive to see when the breakage was introduced.

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Newer snapshots on ALIX
Morning folks,

I ran into a problem after upgrading my ALIX to a more recent snapshot
in that it won't boot anymore. It gets to "entry point 0x2d0" and
then stops. I tried using the PXE bootloader to load the local kernel
from disk (both bsd and bsd.rd) and to load kernels from tftp, but all
fails in similar ways with the entry point being the last output.

I grabbed another ALIX to test, but I'm afraid I screwed that one up
and now that one doesn't boot either anymore. This is probably user
error, but now I'd like to confirm: has anyone successfully upgraded
their ALIX to a recent snapshot?

It could be that my hardware is dying on me (I should find my piggy
bank for some nickels), so confirmation that this still works for
others is appreciated.

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: "ucode too large"
Hi Claudio, Jonathan,

Thank you both for the diff - it has fixed the 'ucode too large'
problem (this machine uses biosboot, not UEFI), and has made a
difference in dmesg:

cpu[01] both gained flags MD_CLEAR,TSXFA,L1DF,SSBD

And further down this changed:

-cpu0: using Skylake AVX MDS workaround
+cpu0: using VERW MDS workaround (except on vmm entry)

-vmm0 at mainbus0: VMX/EPT (using slow L1TF mitigation)
+vmm0 at mainbus0: VMX/EPT

Full dmesg below.

Thanks!

Paul

OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun 4 15:05:10 MDT 2019
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34263703552 (32676MB)
avail mem = 33215160320 (31676MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x8d717000 (86 entries)
bios0: vendor American Megatrends Inc. version "5.12" date 05/28/2018
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC FPDT MCFG SSDT FIDT SSDT HPET SSDT SSDT UEFI SSDT LPIT WSMT SSDT SSDT SSDT SSDT DBGP DBG2 SPCR DMAR ASF!
acpi0: wakeup devices PS2K(S0) PS2M(S0) PXSX(S0) RP09(S0) PXSX(S0) RP10(S0) PXSX(S0) RP11(S0) PXSX(S0) RP12(S0) PXSX(S0) RP13(S0) PXSX(S0) RP01(S0) PXSX(S0) RP02(S0) [...]
"ucode too large"
I've just replaced my home gateway with a brandless machine with an
i5-7200U. While preparing, I noticed the message "ucode too large"
scrolling by on the serial console, just before the kernel starts.

The dmesg shows cpu0 as model 06-8e-09:

cpu0: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2395.19 MHz, 06-8e-09

While /etc/firmware/intel/06-8e-09 is the biggest file in that
directory (at 193kB), so this probably has something to do with that
and the MDS "fun".

Machine works fine as far as I can tell (typing this mail over an SSH
session through it).

Cheers,

Paul 'WEiRD' de Weerd

OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun 4 15:05:10 MDT 2019
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34263703552 (32676MB)
avail mem = 33215164416 (31676MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x8d717000 (86 entries)
bios0: vendor American Megatrends Inc. version "5.12" date 05/28/2018
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC FPDT MCFG SSDT FIDT SSDT HPET SSDT SSDT UEFI SSDT LPIT WSMT SSDT SSDT SSDT SSDT DBGP DBG2 SPCR DMAR ASF!
acpi0: wakeup devices PS2K(S0) PS2M(S0) PXSX(S0) RP09(S0) PXSX(S0) RP10(S0) PXSX(S0) RP11(S0) PXSX(S0) RP12(S0) PXSX(S0) RP13(S0) PXSX(S0) RP01(S0) PXSX(S0) RP02(S0) [...]
Re: Activating second crypted (or other raid) device
On Sun, May 05, 2019 at 05:41:38PM -0400, trondd wrote:
| It's really not that big of a deal to call 'fsck' and 'mount' yourself in
| rc.local.

It's not, but it would be nice if this could be done automatically
somehow, for services that start at boot (e.g. httpd) that need data
on other softraid crypto devices. Doing an `rcctl restart httpd` in
/etc/rc.local right after the fsck and mount seems a bit silly.

| Unless you have system data on /srv (which would be its own inconsistency
| with a standard system) needed during rc.

How about a huge /var/www or /var/ that's not on your primary softraid
crypto device?

| In fstab, I set the RAID partition to noauto and disable automatic fsck.
| Then in rc.local call 'bioctl blah && fsck UUID.partition && mount /srv'
|
| I use a password so it's interactive for me and I see if anything goes
| wrong. Log a message with 'logger' or send an email or whatever if
| something fails for your situation. Then you're done dealing with this.

I use the -p option to bioctl in a hotplugd(8) attach script to
automatically mount partitions on hot-plugged (USB) disks that use
softraid crypto. Having a way to do this for extra disks at boot is
something I've briefly looked at in the past but didn't find a nice
solution for. Maybe Matthew finds something interesting :)

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: 6.5 auto_install fails due to custom /var/tmp?
On Tue, Apr 30, 2019 at 01:29:47PM -0700, Lyndon Nerenberg wrote:
| > Sadly, no :-(
| >
| > But I should be able to accomplish what I need using rc.firsttime and
| > a tiny bit of hackery.
|
| Sadly, no :-(
|
| What I was aiming for was to have the newly installed machines come
| up with a 2GB MFS /tmp and a ~20GB /var/tmp. But MFS /tmp really
| needs help in the system boot scripts.

Why? I've been running with MFS /tmp for *years* on several machines.
This indeed required some changes when /var/tmp was changed into a
symlink to /tmp, but that was really no issue at all.

There's very little difference between a /tmp on disk and a /tmp in
RAM (through mfs): both get mounted during boot at the same time.

[weerd@pom] $ grep /tmp /etc/fstab
swap /tmp mfs rw,nodev,noatime,async,nosuid,-s=8388608
[weerd@pom] $ df -h /tmp
Filesystem     Size    Used   Avail Capacity  Mounted on
mfs:12547      3.9G    227M    3.5G     6%    /tmp

| The critical part for us is that /var/tmp not overwhelm /var, and
| we can get that with the current scheme by sizing /tmp accordingly.

Having /var/tmp not overwhelm /var is accomplished by having /var/tmp
symlink to /tmp (assuming /var and /tmp are on separate filesystems).
If you need more room in /var/tmp than you want to assign to your MFS
/tmp, then you need a different solution - but that's probably
something that can also be solved in a different way (don't use
/var/tmp for temporary storage, but another (dedicated) location for
whatever needs to write so much there).

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/