Re: pkgconfig errors

2024-09-17 Thread Stuart Henderson
On 2024-09-17, Jesse Lawton  wrote:
> What I ended up doing is just using pkgconf (another pkg-config
> package).

That doesn't get anything fixed in openbsd's pkg-config.


-- 
Please keep replies on the mailing list.



Re: pkgconfig errors

2024-09-17 Thread Stuart Henderson
On 2024-09-16, Jesse Lawton  wrote:
> Hi, I am running OpenBSD 7.5 and when I try to compile stuff this
> happens:
> jesse@openbsd ~/source/suckless/st % make
> st build options:
> Deep recursion on subroutine "main::handle_config" at /usr/bin/pkg-config line 331.
> Deep recursion on subroutine "main::handle_config" at /usr/bin/pkg-config line 331.

You can try figuring out what command line it uses to run pkg-config
(make -n might help) and run that yourself with --debug added to see if
that gives any clues.


-- 
Please keep replies on the mailing list.



Re: OpenBSD httpd configuration for cgit with lua support

2024-09-17 Thread Stuart Henderson
On 2024-09-16, Biswakalyan Bhuyan  wrote:
> Hello there, 
>
> I've been trying to setup cgit on my OpenBSD server and encountered an
> issue with running my own compiled version of `cgit.cgi`. Here's some
> context:
>
> I followed the official instructions from the cgit README
> [https://git.zx2c4.com/cgit/tree/README] and compiled cgit with lua
> support using:
>
> `gmake LUA_PKGCONFIG=luajit CFLAGS="-I/usr/local/include/luajit-2.0" install`
>
> However, when I try to run the `cgit.cgi` with the following OpenBSD
> `httpd` configuration, it doesn't work as expected:
...
> The interesting part is that the official package cgit.cgi works
> perfectly fine with this configuration, but as soon as i switch to my
> compiled version with Lua support, it fails to load.

slowcgi(8) chroots to /var/www by default.

The package version of cgit is statically linked to make it easier to
run in chroot (and sets the config path to /conf/cgitrc, which when run
inside this chroot ends up as /var/www/conf/cgitrc).

> NOTE - I wanna use all the filters in the cgit projects that they have
> provided

If running in chroot, the chroot environment will need to include
any executables/libraries/data files etc that are need to run filters.


-- 
Please keep replies on the mailing list.
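As an added example (not code from the thread, cgit or OpenBSD), here is a check for the point above: parse OpenBSD ldd(1)-style output for a dynamically linked binary and report which shared objects and data files are absent under the chroot. The ldd output, the cgit.cgi path and the library names and versions are a constructed sample.

```python
"""Check whether a chroot (slowcgi's default /var/www) contains the shared
objects and data files a dynamically linked binary such as a Lua-enabled
cgit.cgi needs. Added example, not from the mailing-list thread. The ldd(1)
output below is a constructed sample in OpenBSD's ldd format; the binary
path, library names and version numbers are assumptions."""
import os
import tempfile

# Constructed sample of OpenBSD ldd(1) output for a hypothetical cgit.cgi
# built against luajit. Column order: Start End Type Open Ref GrpRef Name.
SAMPLE_LDD = """\
/var/www/cgi-bin/cgit/cgit.cgi:
\tStart            End              Type  Open Ref GrpRef Name
\t0000000000000000 0000000000000000 exe   1    0   0      /var/www/cgi-bin/cgit/cgit.cgi
\t0000000000000000 0000000000000000 rlib  0    1   0      /usr/local/lib/libluajit-5.1.so.1.0
\t0000000000000000 0000000000000000 rlib  0    1   0      /usr/lib/libz.so.7.1
\t0000000000000000 0000000000000000 rlib  0    1   0      /usr/lib/libc.so.100.0
\t0000000000000000 0000000000000000 ld.so 0    1   0      /usr/libexec/ld.so
"""

# Data files the binary opens at run time; the config path is the one the
# thread describes for the package build (/conf/cgitrc inside the chroot).
EXTRA_FILES = ["/conf/cgitrc"]


def parse_ldd(text):
    """Return (type, path) pairs from ldd-style output, skipping the header
    line and the binary's own 'exe' entry."""
    deps = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "Start":
            continue
        kind, path = fields[2], fields[6]
        if kind == "exe":
            continue
        deps.append((kind, path))
    return deps


def missing_in_chroot(chroot, paths):
    """Return the absolute paths that do not exist once the process is
    chrooted: each path is looked up relative to the chroot root."""
    missing = []
    for path in paths:
        inside = os.path.join(chroot, path.lstrip("/"))
        if not os.path.isfile(inside):
            missing.append(path)
    return missing


def populate_chroot(chroot, paths):
    """Create empty placeholder files for the given absolute paths under the
    chroot (stand-in for copying the real files in with cp -p)."""
    for path in paths:
        inside = os.path.join(chroot, path.lstrip("/"))
        os.makedirs(os.path.dirname(inside), exist_ok=True)
        with open(inside, "wb"):
            pass


def demo():
    """Run the check against a throwaway chroot that only contains libc and
    ld.so, returning the list of objects still missing."""
    wanted = [path for _, path in parse_ldd(SAMPLE_LDD)] + EXTRA_FILES
    with tempfile.TemporaryDirectory() as chroot:
        populate_chroot(chroot, ["/usr/lib/libc.so.100.0", "/usr/libexec/ld.so"])
        return missing_in_chroot(chroot, wanted)


if __name__ == "__main__":
    for path in demo():
        print("missing under chroot:", path)
```

Filter scripts and their interpreters can be appended to the same path list; on a real system the input comes from running ldd against the binary and, for each filter, against its interpreter.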



Re: elf syspatch on 7.5 stable. Unclear if properly installing. I reverted it.

2024-09-17 Thread Stuart Henderson
On 2024-09-17, Chris Bennett  wrote:
> On Mon, Sep 16, 2024 at 11:09:05PM -0400, Allan Streib wrote:
>> I have installed the latest syspatches on 4 different 7.5stable amd64
>> machines and had no issues with relinking.
>> 
>> On Mon, Sep 16, 2024, at 22:59, Chris Bennett wrote:
>> 
>> > *** Parse error in /usr/share/relink/kernel/GENERIC.MP: Could not find 
>> > /usr/ports/infrastructure/templates/mk.conf.template (/etc/mk.conf:9)
>> 
>> /usr/ports should not be involved in relinking a kernel AFAIK. I don't
>> have an /etc/mk.conf on any of my machines, maybe move it somewhere else
>> and try again?
>> 
>
> Yes. That did the trick. But why?
> I will look at the reorder_kernel carefully. Oh, I got it, for porting,
> I have:
>
>
> PORTS_PRIVSEP=Yes
> SUDO=sudo -E
> .include "/usr/ports/infrastructure/templates/mk.conf.template"

Those ones are all normally safe to include in /etc/mk.conf, including
for base/xenocara builds, *but* the .include will fail unless you have
the ports tree on that machine.

> I won't be doing any porting on stable or syspatches on current. That
> must interfere with the build after booting but not at the reorder during
> booting.
>
> As far as the dmesg's, I'll look back in the archives.
> Wow do I feel better now. Panic averted.
>


-- 
Please keep replies on the mailing list.



Re: checksums to detect/correct bit-rot

2024-09-15 Thread Stuart Henderson
On 2024-09-15, Jonathan Thornburg  wrote:
> Does OpenBSD support any file systems with built-in checksums to
> (try to) ensure metadata and/or data integrity in the face of "bit rot"
> disk (or memory/cpu/USB) errors?  

No.

On 2024-09-15, Kirill A  Korinsky  wrote:
> On Sun, 15 Sep 2024 09:12:08 +0200,
> Jonathan Thornburg  wrote:
>> 
>> But before I reinvent the wheel, can anyone point me to software
>> which already does this?  Bonus points if the software is already
>> in ports.
>>
>
> yabitrot?

yabitrot and bitrot are in ports, I think they're "build a database and
check the files" and don't have anything special to identify a good copy
on a separate disk (though hopefully there will be few enough damaged
files that it's not too much hassle to do that separately).




Re: The relationship between pf and yubkey(FIDO2) (About OpenSSH)

2024-09-11 Thread Stuart Henderson
On 2024-09-11, WATANABE Takeo  wrote:
> on Tue, 10 Sep 2024 20:22:40 +0200
> Mike Fischer  wrote: 
>
>> The easiest way to test whether pf(4) is interfering with your YubiKey is to 
>> temporarily turn off pf(4) (`doas pfctl -d`) and test. If the problem 
>> persists then pf(4) is not the cause.
>> Turn pf(4) back on again after your test (`doas pfctl -e` or `doas reboot`).
>
> When pf was disabled, the problem no longer occurred.
>
> I also discovered, through trial and error, that
> if I change the SSH port back to the default 22, the problem goes away;
> it no longer occurs, even with pf enabled.

It doesn't make sense that either changing the port or disabling/enabling
PF would make any difference as to whether SSH accepts Fido2 authentication.

Perhaps something else is happening and it's a coincidence that it happens
at the same time as you adjust configuration? Is there anything relevant
in /var/log/authlog?

-- 
Please keep replies on the mailing list.



Re: IPv6 static host address inside dynamic network

2024-09-03 Thread Stuart Henderson
On 2024-09-02, Chris Ross  wrote:
> I’m trying to move from a static IPv6 network to a dynamic allocation from an
> ISP.  The hard part is that some of my hosts have secondary addresses for
> specific services to use.  I need to find a way to listen to router adverts
> but then manually add an alias with a static lower 64 bits.  Looking for
> suggestions.

Are those services internal-only? If so you could just manually configure
ULA addresses, plus run SLAAC for the routable addresses. Unlike v4 with
DHCP, this is easy to do with v6.




-- 
Please keep replies on the mailing list.



Re: clang-format symlink

2024-09-03 Thread Stuart Henderson
On 2024-09-03, Christer Solskogen  wrote:
> On Tue, Sep 3, 2024 at 9:29 AM  wrote:
>
>> I tried to install 'clang-tools-extra' package on a fresh system,
>> but unfortunately it does not have 'clang-format' program. Instead,
>> it installs 'llvm-16.0.6p24' package, which has 'clang-format-16'.
>> Perhaps I miss something here?
>>
>> Regarding the script, do you mean to make changes in ports/devel/llvm,
>> then prepare diff and send to the tech mailing list?
>>
>
> Ah, that might be because I run current, not stable. The package
> clang-tools-extra-16.0.6 contains /usr/local/bin/clang-format.
> Do you really need llvm-17?

If you do need 17 (or some other specific version), add
/usr/local/llvm17/bin to PATH, there is a clang-format binary there.

("pkg_add pkglocatedb" for the very useful pkglocate command).

-- 
Please keep replies on the mailing list.



Re: WAS: MariaDB install any different for OpenBSD 7.5 than 6.4? NOW: 0.0.0.0 Exploit Impact OpenBSD?

2024-09-02 Thread Stuart Henderson
> On Sun, Sep 01, 2024 at 05:09:14PM -0400, David Colburn wrote:
>> > > 
>> > > 3. That's the addresses where the server daemon will listen to for
>> > > connections from clients.  It has to be the address of one of the
>> > > machine's interfaces.  See previous messages on the thread, to decide
>> > > whether you want it to listen on a loopback interface, or on an
>> > > egress interface.  Set this option to 0.0.0.0 to listen on all
>> > > available interfaces.

That is talking about the address that mariadb server is listening on.
0.0.0.0 is "listen for requests to any v4 address on the machine".

>> I was searching to learn about using a specific machine interface vs 0.0.0.0
>> 
>> and came upon this from August 7, 2024 ...
>> 
>> https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser

That is talking about browsers allowing client connections *to*
0.0.0.0 which may allow javascript/html to trigger making a connection
to a service that is only listening to 127.0.0.1. Now you could still
connect to that service by connecting to 127.0.0.1, but newer browsers
specifically treat connections to localhost or private network
addresses as more highly privileged, and don't allow random websites to
do that (only trigger connections to internet servers).

That (or the v6 equivalent) doesn't work on OpenBSD anyway.

$ telnet 0.0.0.0 22
Trying 0.0.0.0...
telnet: connect to address 0.0.0.0: Invalid argument

$ telnet :: 22
Trying ::...
telnet: connect to address ::: Invalid argument


>> Although they don't specifically mention OpenBSD is it correct that:
>> 
>> A. Using 0.0.0.0 in my server settings may be less-secure?
>> 
>> B. That in the near future it won't work at all?
>> 
>> C. I'm misunderstanding the article and it's not relevant to my server
>> setup?

C.



Re: Unable to access ~/Downloads folder

2024-09-02 Thread Stuart Henderson
On 2024-09-01, Marcus MERIGHI  wrote:
> Hello, 
>
> stu.li...@spacehopper.org (Stuart Henderson), 2024.09.01 (Sun) 18:00 (CEST):
>> On 2024-09-01, aalin...@riseup.net  wrote:
>> > When I try to download anything using either Firefox or
>> > Ungoogled-Chromium I get:
>> >
>> > The folder contents could not be displayed
>> > You do not have access to the specified folder
>> >
>> > Does anyone have any suggestions as to the cause or a fix?
>> 
>> There was a diff relating to unveil which was tested in snapshots
>> recently, I suspect it may be triggering this. I think it's now been
>> removed from snaps so try updating base again.
>
> nothing has changed with:
>
> -OpenBSD 7.6-beta (GENERIC.MP) #300: Sat Aug 31 12:25:16 MDT 2024
> +OpenBSD 7.6-beta (GENERIC.MP) #301: Sat Aug 31 15:04:17 MDT 2024
>
> that's the latest I got a couple of minutes ago from
> http://ftp.hostserver.de/pub/OpenBSD

Try a newer one. There's one dated Sun 1 Sep.


-- 
Please keep replies on the mailing list.



Re: Discrepancies between i386 port list and package list

2024-09-01 Thread Stuart Henderson
On 2024-09-01, Elie Le Vaillant  wrote:
> On Fri Aug 30, 2024 at 11:56 AM CEST, Stuart Henderson wrote:
>> imho you should really be looking for a 64 bit machine if you want to
>> run a web browser.
>
> I am aware that this machine is simply insufficient for web usage. My
> personal computer needs are quite small. Base, RSS, groff, mpv, and
> links in graphical mode are enough to fulfill my needs.
>
> Still, it works surprisingly well considering that it is a kinda old
> beast.
>
>> pandoc depends on ghc, which is amd64 only.
>
> My bad, I operated based on the lists on posts.to but it is
> apparently outdated.
>
>> When attempting to build chromium and friends on i386, it usually fails
>> for various reasons.
>>
>> In the most recent attempt, iridium and ungoogled-chromium fail with this
>>
>> In file included from ../../v8/src/compiler/turboshaft/int64-lowering-phase.cc:9:
>> ../../v8/src/compiler/turboshaft/int64-lowering-reducer.h:295:24: error: call to member function 'Word32Constant' is ambiguous
>>   295 | new_index = __ Word32Constant(sizeof(int32_t));
>>   | ~~~^~
>
> How did you get these log messages? I was kinda searching for more

I tried to build those ports on i386 and that was the result.

> specific infos on the package building process, but I found nothing in
> the FAQ nor the man pages (maybe I simply searched badly).

Various developers run package builds for various archs, using dpb to
do a full build from scratch each time.

>> Many projects are simply not interested in resource requirements during
>> compilation.
>
> Yes, that's understandable.
>
> Is there a reason why packages are not built on one powerful amd64 server,
> besides the hell of cross-compilation?

OpenBSD policy is to do native builds. It's a good way to make sure that
the OS is exercised on each arch. (And there's no infrastructure in ports
to handle cross compiles).

> Thanks for the valuable information! Are i386 computers more
> power-hungry than amd64 ones? I'd be interested if there's an
> explanation beyond "old hardware was less efficient with power".
> Is it the HDD, the motherboard, the CPU, everything?

Old hw was less efficient, it's everything really.

> Semi-related, but:
>
> I actually have an amd64 laptop, an HP-db. I can install OpenBSD on
> it, but when I boot with bsd.mp, it crashes because of a
> malformed/unknown ACPI command. I'll try to look at it more closely and
> send mails with the full information, but I just have one question: how
> does one dump kernel crashes in files, so I can actually send emails?
>
> Thank you for your quite thorough answer!

If you can boot with the non-mp kernel, use sendbug (run as root) to
generate a report which includes the acpi tables (often done by using
sendbug -P and copy to another machine to include in an email if you
don't have email setup on the first machine). If not, if linux runs you
can run acpidump -b from there and those files should still be useful.
Copying down the text from the crash and including that too would be
useful (if there's working serial console you can copy and paste,
otherwise it can just be copied down and retyped).

You can also try looking for firmware updates to see if the manufacturer
fixed anything on their side. IIRC HP fairly often has ACPI tables which
are a bit difficult to support though.

-- 
Please keep replies on the mailing list.



Re: Unable to access ~/Downloads folder

2024-09-01 Thread Stuart Henderson
On 2024/09/01 18:11, Lorenz (xha) wrote:
> On Sun, Sep 01, 2024 at 04:00:11PM -0000, Stuart Henderson wrote:
> > On 2024-09-01, aalin...@riseup.net  wrote:
> > > Other than upgrading to the latest snapshot, I have changed nothing on
> > > my Lenovo X1 Carbon 6th Gen.
> > >
> > > When I try to download anything using either Firefox or
> > > Ungoogled-Chromium I get:
> > >
> > > The folder contents could not be displayed
> > > You do not have access to the specified folder
> > >
> > > Does anyone have any suggestions as to the cause or a fix?
> > 
> > There was a diff relating to unveil which was tested in snapshots
> > recently, I suspect it may be triggering this. I think it's now been
> > removed from snaps so try updating base again.
> 
> out of curiosity, is there any way to know what patches are being
> tested in snapshots? it would be nice to know that, cuz if I'd
> encounter such issues, I'd probably spend hours debugging before
> reaching out to misc@ or something.

no, there isn't a way.



Re: Unable to access ~/Downloads folder

2024-09-01 Thread Stuart Henderson
On 2024-09-01, aalin...@riseup.net  wrote:
> Other than upgrading to the latest snapshot, I have changed nothing on
> my Lenovo X1 Carbon 6th Gen.
>
> When I try to download anything using either Firefox or
> Ungoogled-Chromium I get:
>
> The folder contents could not be displayed
> You do not have access to the specified folder
>
> Does anyone have any suggestions as to the cause or a fix?

There was a diff relating to unveil which was tested in snapshots
recently, I suspect it may be triggering this. I think it's now been
removed from snaps so try updating base again.

-- 
Please keep replies on the mailing list.



Re: Can't load install75.img

2024-08-31 Thread Stuart Henderson
On 2024-08-30, Lukáš Fiala  wrote:
>
> Hello, I'm new to openBSD. I wanted to install it on my pc (CPU: AMD ryzen 5
> 7600x, MB: Asus tuf gaming B650-plus wifi, NVME: kingston NV2 1T, GPU: asus
> dual radeon rx 6700XT 12gb, RAM: 32gb, dual boot with arch using refind).

I'm not sure what the problem you're seeing is (suspect some kind
of hardware incompatibility) but I would advise against dual boot
until you're more familiar with OpenBSD (at least if you have anything
precious on the existing OS install).


-- 
Please keep replies on the mailing list.



Re: E-mail address openly visible in the WWW

2024-08-30 Thread Stuart Henderson
On 2024-08-30, Florian Obser  wrote:
>> Do you recommend using a separate, dedicated e-mail address for
>> posting in the misc@ list?
>
> I would recommend not reading misc. But that might just be me.

I fear you may be right. If people would stop replying to stupid messages
on-list it would help those of us who have already set up scorefiles to
make the misc list semi-readable.


-- 
Please keep replies on the mailing list.



Re: Discrepancies between i386 port list and package list

2024-08-30 Thread Stuart Henderson
On 2024-08-29, Elie Le Vaillant  wrote:
> Hello,
>
> I'm currently daily-driving a 2008 i386 machine on
> -current. Earlier this month, I tried out ungoogled-chromium,
> which was available as a package at the time. I've
> tried again today, and though the ports tree still
> lists i386 as a valid platform, the different mirrors
> I've tried do not provide ungoogled-chromium as a
> package. The same appears to be true for pandoc,
> and chromium: listed in ports as a valid target, but
> not available as a package.

imho you should really be looking for a 64 bit machine if you want to
run a web browser.

> Is this due to a change of policy on i386 packages
> which I've missed? Is this a known issue?

No change of policy - those simply aren't getting built.

pandoc depends on ghc, which is amd64 only.

When attempting to build chromium and friends on i386, it usually fails
for various reasons.

In the most recent attempt, iridium and ungoogled-chromium fail with this

In file included from ../../v8/src/compiler/turboshaft/int64-lowering-phase.cc:9:
../../v8/src/compiler/turboshaft/int64-lowering-reducer.h:295:24: error: call to member function 'Word32Constant' is ambiguous
  295 | new_index = __ Word32Constant(sizeof(int32_t));
  | ~~~^~

and chromium fails earlier (I suspect typescript probably runs out of
memory).

FAILED: gen/third_party/devtools-frontend/src/front_end/panels/screencast/screencast-tsconfig.json gen/third_party/devtools-frontend/src/front_end/panels/screencast/InputModel.js gen/third_party/devtools-frontend/src/front_end/panels/screencast/InputModel.js.map gen/third_party/devtools-frontend/src/front_end/panels/screencast/InputModel.d.ts gen/third_party/devtools-frontend/src/front_end/panels/screencast/ScreencastApp.js gen/third_party/devtools-frontend/src/front_end/panels/screencast/ScreencastApp.js.map gen/third_party/devtools-frontend/src/front_end/panels/screencast/ScreencastApp.d.ts gen/third_party/devtools-frontend/src/front_end/panels/screencast/ScreencastView.js gen/third_party/devtools-frontend/src/front_end/panels/screencast/ScreencastView.js.map gen/third_party/devtools-frontend/src/front_end/panels/screencast/ScreencastView.d.ts
python3 ../../third_party/devtools-frontend/src/third_party/typescript/ts_library.py --tsconfig_output_location gen/third_party/devtools-frontend/src/front_end/panels/screencast/screencast-tsconfig.json --deps ../../core/common/bundle-tsconfig.json ../../core/host/bundle-tsconfig.json ../../core/i18n/bundle-tsconfig.json ../../core/sdk/bundle-tsconfig.json ../../generated/protocol-tsconfig.json ../../ui/components/icon_button/bundle-tsconfig.json ../../ui/legacy/bundle-tsconfig.json --front_end_directory ../../third_party/devtools-frontend/src/front_end/panels/screencast --reset_timestamps --sources ../../third_party/devtools-frontend/src/front_end/panels/screencast/InputModel.ts ../../third_party/devtools-frontend/src/front_end/panels/screencast/ScreencastApp.ts ../../third_party/devtools-frontend/src/front_end/panels/screencast/ScreencastView.ts

TypeScript compilation failed. Used tsconfig gen/third_party/devtools-frontend/src/front_end/panels/screencast/screencast-tsconfig.json

...

Last time the chromium code was actually compilable on i386, linking
failed about 80% of the time due to running into memory limits on a
32-bit platform (we do native builds on i386, not cross compiles from
amd64).

Browsers still built on i386:

(w3m, lynx, links, links+, elinks)
netsurf
dillo
seamonkey
webkitgtk-based ones (epiphany, luakit, vimb, surf, badwolf)
qtwebengine-based ones (qutebrowser, otter-browser) - though there's
a fairly good chance that future updates will break i386

We are also having problems with programs written in rust: the
compiler started using more memory in some more recent release, and
we are seeing quite a few random build failures there, so some of those
will drop in and out of package snapshots depending on whether they
worked in any particular build.

Many projects are simply not interested in resource requirements during
compilation.

Taking amd64 as 100%, here's how other archs compare in number of
packages in the latest snapshots:

arm 65
powerpc64 68
mips64 69
sparc64 70
powerpc 81
riscv64 84
i386 85
aarch64 98
amd64 100

I'm all for running hardware for a long time to get as much use out
of it as possible. But a new machine costing around GBP/EUR/USD
175 (mini desktop, with 16GB ram / 500GB SSD included in that
price) will run rings round a 2008 i386, use significantly less
electricity, and if it's an intel >= 11th gen (e.g. intel n100
which is common in this class of machines - look for "Control-
Flow Enforcement Technology" in the cpu specs) have a feature
https://en.wikipedia.org/wiki/Indirect_branch_tracking which is well
supported by OpenBSD/amd64 (used in the majority of packages) that
makes some classes of attack very much more difficult. (Though

Re: rspamd service thinks localhost is localhost.town?

2024-08-28 Thread Stuart Henderson
On 2024-08-28, Kasak  wrote:
>
>
>> On 28 Aug 2024, at 18:28, Jag Talon wrote:
>> 
>> On Wed, 2024-08-28 at 16:45 +0300, kasak wrote:
>>> Check your /etc/hosts
>> 
>> Ah right I forgot to add the hosts file. Here's the full content:
>> 
>> 127.0.0.1   twentytwo.town
>> ::1 twentytwo.town
> localhost should be added to both strings

That is a workaround - modern resolvers ought to follow the "should"
in RFC 6761 about treating "localhost" as local. Not doing so could be
argued as being a security bug.
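As an added example (not code from rspamd, Go, OpenBSD libc or anyone in the thread), a small model of the RFC 6761 rule referred to above: a resolver that special-cases "localhost" before applying the search list, beside one that does not. The hosts table, the search domain "town", the zone contents and the address 203.0.113.5 are constructed sample data.

```python
"""Model the RFC 6761 rule the reply refers to: a resolver must answer
"localhost" (and any name under .localhost) with loopback addresses itself,
before the search list or any DNS server is consulted. Added example, not
code from rspamd, Go or OpenBSD libc; the hosts table, the search domain
"town" and the zone contents are constructed sample data (203.0.113.0/24
and 192.0.2.0/24 are documentation address ranges)."""
import ipaddress

# Constructed stand-in for what a DNS zone could return for the
# search-list expanded name "localhost.town.".
SAMPLE_ZONE = {
    "localhost.town.": ["203.0.113.5"],
    "twentytwo.town.": ["192.0.2.10"],
}
SAMPLE_SEARCH = ["town"]
# Constructed /etc/hosts-style table with no "localhost" entry, mirroring
# the hosts file quoted in the thread.
SAMPLE_HOSTS = {
    "twentytwo.town": ["127.0.0.1", "::1"],
}


def lookup_naive(name, hosts, search, zone):
    """A resolver that does not special-case localhost: hosts table first,
    then each search domain is appended to an unqualified name and the
    result is looked up in the zone."""
    if name in hosts:
        return list(hosts[name])
    if "." not in name:
        for domain in search:
            fqdn = f"{name}.{domain}."
            if fqdn in zone:
                return list(zone[fqdn])
    return []


def lookup_rfc6761(name, hosts, search, zone):
    """Same resolver with the RFC 6761 section 6.3 rule applied first:
    'localhost' and '*.localhost' are answered locally and never sent out,
    so the search list cannot turn them into someone else's name."""
    label = name.rstrip(".").lower()
    if label == "localhost" or label.endswith(".localhost"):
        return ["127.0.0.1", "::1"]
    return lookup_naive(name, hosts, search, zone)


def is_local_only(addrs):
    """True when every returned address is loopback (127/8 or ::1), so a
    connection to it cannot leave the machine; an empty answer is False."""
    if not addrs:
        return False
    return all(ipaddress.ip_address(a).is_loopback for a in addrs)


def demo():
    """Return (naive_answer, rfc6761_answer) for the name 'localhost'."""
    naive = lookup_naive("localhost", SAMPLE_HOSTS, SAMPLE_SEARCH, SAMPLE_ZONE)
    fixed = lookup_rfc6761("localhost", SAMPLE_HOSTS, SAMPLE_SEARCH, SAMPLE_ZONE)
    return naive, fixed


if __name__ == "__main__":
    naive, fixed = demo()
    print("naive resolver:", naive, "local only:", is_local_only(naive))
    print("RFC 6761 resolver:", fixed, "local only:", is_local_only(fixed))
```

The is_local_only check is the kind of guard a daemon that trusts "localhost" peers can apply to a resolver answer, whichever resolver (libc or a language runtime's own) produced it.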




Re: opensmtpd-filter-rspamd service thinks localhost is localhost.town?

2024-08-28 Thread Stuart Henderson
On 2024-08-28, Jag Talon  wrote:
> Omar pointed out that this issue should've been patched with this
> commit:
>
> https://codeberg.org/OpenBSD/src/commit/373da8abb60949de81b32d3c8eaecdaabf17bdaa

That's in libc. Go does use that in some cases but not all, and it's
rather complicated to figure out which resolver will be used in any
particular case (unless forced):

https://pkg.go.dev/net#LookupHost
https://github.com/golang/go/blob/master/src/net/conf.go#L19

By setting environment variables you can force one or the other to
identify where the problem lies.




Re: Lenovo ThinkPad E14 Gen6 -- installation freezes

2024-08-27 Thread Stuart Henderson
On 2024-08-27, Johannes Thyssen Tishman  wrote:
> 2024-08-27T14:19:02Z Tomas Rippl :
>> Laptop configuration:
>> Intel Core Ultra 7 155H Meteor Lake
>> 32768 MB RAM
>> Intel Arc grahics
>> Installation process of 7.5 (and also 7.6 snapshot) stops before completion.
>>
>> The last six rows I see on the screen:
>> isa0 at mainbus0
>> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
>> pckbd0 at pckbc0 (kbd slot)
>> efifb0 at mainbus0: 1920x1200, 32 bpp
>> wsdisplay0 at efifb0 mux1: console (std, vt100 emulation), using wskbd0
>>
>> Can you please advise me how to complete the installation?
>
> I have the same model but different CPU (AMD). I experienced a delay as
> well when the display drivers are loading, but it eventually starts.
> Also, the keyboard doesn't work on mine[1].

The basic model number doesn't mean much here - AMD and Intel versions
of ThinkPads have very different hardware.


-- 
Please keep replies on the mailing list.



Re: postgresql-16.4 error on initdb

2024-08-27 Thread Stuart Henderson
On 2024/08/27 09:05, David Hill wrote:
> initdb from postgresql-previous (15.4) works with -current...

postgresql-previous doesn't use icu4c, so it will take some different
codepaths relating to i18n, which may change this result.



Re: lighttpd in openbsd - cant find devnull

2024-08-24 Thread Stuart Henderson
On 2024/08/23 22:04, David Colburn wrote:
> On 8/21/24 14:25, Stuart Henderson wrote:
> > On 2024/08/21 14:02, David Colburn wrote:
> > > "$ cat /var/www/dev/null"
> > > 
> > > Returns to the prompt.
> > > 
> > > Here's this ...
> > > 
> > > b7# rcctl -d start lighttpd
> > > doing _rc_parse_conf
> > > lighttpd_flags empty, using default >-f /etc/lighttpd.conf<
> > > doing rc_check
> > > lighttpd
> > > doing rc_start
> > > doing _rc_wait_for_start
> > > doing rc_check
> > > 2024-08-21 13:59:01:
> > > (/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1840)
> > > opening errorlog 'logs/error.log' failed: Permission denied
> > Well that is failing on writing /var/www/logs/error.log
> 
> 
> I just checked and the permissions for
> 
> /var/www/logs/error.log
> 
> are 644 converted from "-rw-r--r--" (if I'm reading things correctly).
> 
> Is that correct?
> 
> Owner and Group are "www www" - is that correct?
> 

That depends on what user you have got lighttpd running as.
If it's the default, _lighttpd, then that user needs to be able
to write to the log file that lighttpd is configured to use.

Seems the port docs, or perhaps defaults, could do with some
tweaks as there are definitely some things which are not obvious
(/dev/null and not mounting nodev) and are a bit hard to figure
out unless you know OpenBSD. But you might want to pick a
different web server if you're needing help with file
permissions etc as there's a lot more documentation you can
find online for e.g. nginx or apache httpd than lighttpd.



Re: lighttpd in openbsd - cant find devnull

2024-08-22 Thread Stuart Henderson

Lighttpd is running as the _lighttpd user, not as root.

--
 Sent from a phone, apologies for poor formatting.

On 21 August 2024 21:19:20 David Colburn  wrote:


What do I do about the error.log problem?

I'm running as root - so a permissions problem would seem impossible.

Unless lighttpd is changing the User from root to something else ...

NOTE: I did observe that the new User I added, dmc1, wasn't in Wheel
(just added it).

I'm not sure how lighttpd knows dmc1 is even there - I believe that
lighttpd was installed as root -

before I added the dmc1 user.


On 8/21/24 14:37, David Colburn wrote:

Sorry about the old error.log - I didn't even look at the date or
time. My bad.

Keeping locals updated about an escaped inmate atm ...

I did notice in /etc/group "_lighttpd:*585:" - is that correct and in
any way relevant?


On 8/21/24 14:25, Stuart Henderson wrote:

On 2024/08/21 14:02, David Colburn wrote:

"$ cat /var/www/dev/null"

Returns to the prompt.

Here's this ...

b7# rcctl -d start lighttpd
doing _rc_parse_conf
lighttpd_flags empty, using default >-f /etc/lighttpd.conf<
doing rc_check
lighttpd
doing rc_start
doing _rc_wait_for_start
doing rc_check
2024-08-21 13:59:01:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1840)

opening errorlog 'logs/error.log' failed: Permission denied

Well that is failing on writing /var/www/logs/error.log



2024-08-21 13:59:01:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/server.c.1935)

Opening errorlog failed. Going down.
daemonized server failed to start; check error log for details
doing _rc_rm_runfile
(failed)

And ...

2024-08-13 22:29:37:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1891)

opening /dev/null failed: No such file or directory
2024-08-13 22:29:37:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/server.c.1935)

Opening errorlog failed. Going down.

And that is old


On 8/21/24 12:46, Stuart Henderson wrote:

On 2024/08/21 12:11, David Colburn wrote:

On 2024/08/21 10:21, David Colburn wrote:

Notes:

1. I've read the manual entry, and multiple threads related to
this, more than once.

2. The “chroot location” as defined in /etc/lighttpd.conf. is
unchanged - /var/www

3. Someone suggested, and I also tried "/var/www/" - same error.

4. As previously noted - Stuart's answer was tested on a clean,
unmodified, lighttpd.conf.

5. As previously noted I also tried removing "nodev" from
/etc/fstab on line "/var ffs
rw,nosuid 1 2"

Did you either reboot or remount /var after changing this?

Yes. Reboot.

Try this:

$ cat /var/www/dev/null

It should just return to the prompt (same as "cat /dev/null").

If it says "Device not configured" then for some reason it still
seems to be mounted with nodev. (Or check "mount | grep /var")..

If that test works, what's the output from

# rcctl -d start lighttpd

and what, if any, new entries in lighttpd's error log do you have?






Re: postgresql-16.4 error on initdb

2024-08-22 Thread Stuart Henderson
On 2024/08/22 14:14, Jeremy Evans wrote:
> On 08/22 11:53, Markus Hennecke wrote:
> > Hello Jeremy,
> > 
> > when trying to create a new postgresql 16.4 instance on -current I run into
> > this error:
> > 
> > fixing permissions on existing directory /var/postgresql/data ... ok
> > creating subdirectories ... ok
> > selecting dynamic shared memory implementation ... posix
> > selecting default max_connections ... 100
> > selecting default shared_buffers ... 128MB
> > selecting default time zone ... Europe/Berlin
> > creating configuration files ... ok
> > running bootstrap script ... ok
> > performing post-bootstrap initialization ... 2024-08-22 11:29:47.157 CEST
> > [54316] FATAL:  syntax error at or near "FOR" at character 5
> > 2024-08-22 11:29:47.157 CEST [54316] STATEMENT:  FOR asciiword,
> > hword_asciipart, asciihword
> > WITH french_stem;
> > 
> > child process exited with exit code 1
> > initdb: removing contents of data directory "/var/postgresql/data"
> > 
> > Existing databases from previous 16.x versions are working, it is only the
> > initdb step that is failing.
> > 
> > I am pretty much lost how to proceed. The statement seems to be somewhere in
> > the middle of snoball_create.sql and I didn't see any obvious problems.
> 
> I've had two separate reports with the same error when using initdb,
> part of PostgreSQL.  These don't occur on an older snapshot when using
> PostgreSQL 16.4 (the version in -current), so something outside of
> PostgreSQL in -current in the last few days seems likely to be the
> cause.  I will be doing some testing, but my guess is, the older
> version of PostgreSQL (16.3) also has the same issues on -current.

Confirmed, 16.3 does the same on -current.

> Does anyone have an idea of what could have caused this?

There were some libc changes, it may be a bit fiddly to test with
this as there was a bump, easiest way is probably to start with
say ftp.hostserver.de:/archive/2024-08-01-0105 on a scratch machine
(it has packages too), and move forwards between snapshots, testing
initdb each time.



Re: diskless boot openbsd using debian server: issues with nfs UDP vs. TCP connection

2024-08-22 Thread Stuart Henderson
On 2024-08-21, Sandeep Gupta  wrote:
>
> I got this fixed. There is a way to turn on udp connection for nfs on
> debian via /etc/nfs.conf:
> https://groups.google.com/g/linux.debian.user/c/Da_aYR2c7qk?pli=1

They probably changed the default because of the fragment problem
mentioned in "Using NFS over UDP on high-speed links" on
https://www.man7.org/linux/man-pages/man5/nfs.5.html

(This has been a problem with some commercial NAS devices too)

>>  However I am not able to pass this option to
>>  clients boot process (no option in /etc/bootparams) to specify this.

afaik that's an old Sun protocol and I don't think it's possible to
signal use of TCP.


-- 
Please keep replies on the mailing list.



Re: lighttpd in openbsd - cant find devnull

2024-08-21 Thread Stuart Henderson
On 2024/08/21 14:02, David Colburn wrote:
> "$ cat /var/www/dev/null"
> 
> Returns to the prompt.
> 
> Here's this ...
> 
> b7# rcctl -d start lighttpd
> doing _rc_parse_conf
> lighttpd_flags empty, using default >-f /etc/lighttpd.conf<
> doing rc_check
> lighttpd
> doing rc_start
> doing _rc_wait_for_start
> doing rc_check
> 2024-08-21 13:59:01:
> (/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1840)
> opening errorlog 'logs/error.log' failed: Permission denied

Well that is failing on writing /var/www/logs/error.log


> 2024-08-21 13:59:01:
> (/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/server.c.1935)
> Opening errorlog failed. Going down.
> daemonized server failed to start; check error log for details
> doing _rc_rm_runfile
> (failed)
> 
> And ...
> 
> 2024-08-13 22:29:37:
> (/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1891)
> opening /dev/null failed: No such file or directory
> 2024-08-13 22:29:37:
> (/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/server.c.1935)
> Opening errorlog failed. Going down.

And that is old

> 
> On 8/21/24 12:46, Stuart Henderson wrote:
> > On 2024/08/21 12:11, David Colburn wrote:
> > > > On 2024/08/21 10:21, David Colburn wrote:
> > > > > Notes:
> > > > > 
> > > > > 1. I've read the manual entry, and multiple threads related to this, 
> > > > > more than once.
> > > > > 
> > > > > 2. The “chroot location” as defined in /etc/lighttpd.conf. is 
> > > > > unchanged - /var/www
> > > > > 
> > > > > 3. Someone suggested, and I also tried "/var/www/" - same error.
> > > > > 
> > > > > 4. As previously noted - Stuart's answer was tested on a clean, 
> > > > > unmodified, lighttpd.conf.
> > > > > 
> > > > > 5. As previously noted I also tried removing "nodev" from /etc/fstab 
> > > > > on line "/var ffs
> > > > > rw,nosuid 1 2"
> > > > Did you either reboot or remount /var after changing this?
> > > Yes. Reboot.
> > Try this:
> > 
> > $ cat /var/www/dev/null
> > 
> > It should just return to the prompt (same as "cat /dev/null").
> > 
> > If it says "Device not configured" then for some reason it still
> > seems to be mounted with nodev. (Or check "mount | grep /var")..
> > 
> > If that test works, what's the output from
> > 
> > # rcctl -d start lighttpd
> > 
> > and what, if any, new entries in lighttpd's error log do you have?
> > 
> > 



Re: lighttpd in openbsd - cant find devnull

2024-08-21 Thread Stuart Henderson
(oops, sent to David but I forgot to CC the list back)


On 2024/08/21 12:11, David Colburn wrote:
> 
> > On 2024/08/21 10:21, David Colburn wrote:
> > > Notes:
> > > 
> > > 1. I've read the manual entry, and multiple threads related to this, more 
> > > than once.
> > > 
> > > 2. The “chroot location” as defined in /etc/lighttpd.conf. is unchanged - 
> > > /var/www
> > > 
> > > 3. Someone suggested, and I also tried "/var/www/" - same error.
> > > 
> > > 4. As previously noted - Stuart's answer was tested on a clean, 
> > > unmodified, lighttpd.conf.
> > > 
> > > 5. As previously noted I also tried removing "nodev" from /etc/fstab on 
> > > line "/var ffs
> > > rw,nosuid 1 2"
> > Did you either reboot or remount /var after changing this?
> Yes. Reboot.

Try this:

$ cat /var/www/dev/null

It should just return to the prompt (same as "cat /dev/null").

If it says "Device not configured" then for some reason it still
seems to be mounted with nodev. (Or check "mount | grep /var")..

If that test works, what's the output from

# rcctl -d start lighttpd

and what, if any, new entries in lighttpd's error log do you have?



- End forwarded message -



Re: lighttpd in openbsd - cant find devnull

2024-08-21 Thread Stuart Henderson
t/html")
> 
>  proxy module
> ## read proxy.txt for more info
> #proxy.server   = ( ".php" =>
> #   ( "localhost" =>
> # (
> #   "host" => "192.168.0.101",
> #   "port" => 80
> # )
> #   )
> # )
> 
>  fastcgi module
> ## read fastcgi.txt for more info
> ## for PHP don't forget to set cgi.fix_pathinfo = 1 in the php.ini
> #fastcgi.server = ( ".php" =>
> #   ( "localhost" =>
> # (
> #   "socket" => 
> "/var/run/lighttpd/php-fastcgi.socket",
> #   "bin-path" => "/usr/local/bin/php-cgi"
> # )
> #   )
> #    )
> 
>  CGI module
> #cgi.assign = ( ".pl"  => "/usr/bin/perl",
> #   ".cgi" => "/usr/bin/perl" )
> #
> 
>  SSL engine
> #ssl.engine = "enable"
> #ssl.pemfile    = "/etc/ssl/private/lighttpd.pem"
> 
>  status module
> #status.status-url  = "/server-status"
> #status.config-url  = "/server-config"
> 
>  auth module
> ## read authentication.txt for more info
> #auth.backend   = "plain"
> #auth.backend.plain.userfile = "lighttpd.user"
> #auth.backend.plain.groupfile = "lighttpd.group"
> 
> #auth.backend.ldap.hostname = "localhost"
> #auth.backend.ldap.base-dn  = "dc=my-domain,dc=com"
> #auth.backend.ldap.filter   = "(uid=$)"
> 
> #auth.require   = ( "/server-status" =>
> #   (
> # "method"  => "digest",
> # "realm"   => "download archiv",
> # "require" => "user=jan"
> #   ),
> #   "/server-config" =>
> #   (
> # "method"  => "digest",
> # "realm"   => "download archiv",
> # "require" => "valid-user"
> #   )
> # )
> 
>  url handling modules (rewrite, redirect, access)
> #url.rewrite    = ( "^/$" => "/server-status" )
> #url.redirect   = ( "^/wishlist/(.+)" => "http://www.123.org/$1" )
>  both rewrite/redirect support back reference to regex conditional using 
> %n
> #$HTTP["host"] =~ "^www\.(.*)" {
> #  url.redirect    = ( "^/(.*)" => "http://%1/$1" )
> #}
> 
> #
> # define a pattern for the host url finding
> # %% => % sign
> # %0 => domain name + tld
> # %1 => tld
> # %2 => domain name without tld
> # %3 => subdomain 1 name
> # %4 => subdomain 2 name
> #
> #evhost.path-pattern    = "/srv/www/vhosts/%3/htdocs/"
> 
>  expire module
> #expire.url = ( "/buggy/" => "access 2 hours", "/asdhas/" => 
> "access plus 1
> seconds>
> 
>  ssi
> #ssi.extension  = ( ".shtml" )
> 
>  rrdtool
> #rrdtool.binary     = "/usr/local/bin/rrdtool"
> #rrdtool.db-name    = "/var/lib/lighttpd/lighttpd.rrd"
> 
>  setenv
> #setenv.add-request-header  = ( "TRAV_ENV" => "mysql://user@host/db" )
> #setenv.add-response-header = ( "X-Secret-Message" => "42" )
> 
> ## for mod_trigger_b4_dl
> # trigger-before-download.gdbm-filename = "/var/lib/lighttpd/trigger.db"
> # trigger-before-download.memcache-hosts = ( "127.0.0.1:11211" )
> # trigger-before-download.trigger-url = "^/trigger/"
> # trigger-before-download.download-url = "^/download/"
> # trigger-before-download.deny-url = "http://127.0.0.1/index.html"
> # trigger-before-download.trigger-timeout = 10
> 
>  variabl

Re: lighttpd in openbsd - cant find devnull

2024-08-18 Thread Stuart Henderson

Hmm. That should be ok...

--
 Sent from a phone, apologies for poor formatting.

On 18 August 2024 21:19:25 David Colburn  wrote:

total 0
crw-rw-rw- 1 root  wheel  2, 2 Aug 18 10:07 null


On 8/18/24 16:00, Stuart Henderson wrote:

Did you do the mkdir etc? What does ls -l /var/www/dev show?

--
Sent from a phone, apologies for poor formatting.


On 18 August 2024 17:01:52 David Colburn  wrote:


I removed "nodev" from the /var line and rebooted.

Same error:

2024-08-13 22:29:37:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1891)
opening /dev/null failed. No such file or directory.
2024-08-13 22:29:37:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/server.c.1935)
Opening errorlog failed.


On 8/18/24 11:19, David Colburn wrote:

/etc/fstab currently looks like this:

none swap sw
/ ffs rw 1 1
/home ffs rw,nodev,nosuid 1 2
/tmp ffs rw,nodev,nosuid 1 2
/usr ffs rw,nodev 1 2
/usr/X11R6 ffs rw,nodev 1 2
/usr/local ffs rw,wxallowed,nodev 1 2
/usr/obj ffs rw,nodev,nosuid 1 2
/usr/src ffs rw,nodev,nosuid 1 2
/var ffs rw,nodev,nosuid 1 2


On 8/18/24 10:28, David Colburn wrote:

That's very helpful, thanks!

/var is mounted "ffs rw,nodev,nosuid, 1 2"

/var/www isn't specifically mentioned.

Would it be affected by the /var mount settings?

Thanks again.

On 8/18/24 07:50, Stuart Henderson wrote:

On 2024-08-15, David Colburn  wrote:


Dell OptiPlex 7050

OpenBSD 7.5

php 8.3.10

lighttpd-1.4.74-mysql

I'm using root.

"*rcctl -df start lighttpd*" errors

"/daemonized server failed to start; check error log for details doing
_rc_rm_runfile (failed)/"

error.log says:

"...
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1981)

opening /dev/null failed: No such file or directory"

"...
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1935)

Opening errorlog failed: No such file or directory"

According to this:

https://www.reddit.com/r/openbsd/comments/nygjdm/lighttpd_cant_find_devnull_on_69/


there's supposed to be a directory here: /usr/sbin/chroot/ but
chroot is
actually a file.

I'm not sure how to proceed to fix the dev/null problem ...

Assuming /var/www/dev does not already exist, this should do it:

# mkdir /var/www/dev
# cd /var/www/dev
# sh /dev/MAKEDEV std
# rm !(null)

If it already exists then you may need to adapt the rm command to
preserve existing entries, or use mknod(8) manually to just create
the "null" node.

You'll also need to make sure that /var/www is _not_ mounted with
the "nodev" option (/etc/fstab).

If this is a hard requirement for lighttpd then the port could
probably do with explaining it somewhere .. (maintainer cc'd)




Re: lighttpd in openbsd - cant find devnull

2024-08-18 Thread Stuart Henderson

Did you do the mkdir etc? What does ls -l /var/www/dev show?

--
 Sent from a phone, apologies for poor formatting.

On 18 August 2024 17:01:52 David Colburn  wrote:


I removed "nodev" from the /var line and rebooted.

Same error:

2024-08-13 22:29:37:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1891)
opening /dev/null failed. No such file or directory.
2024-08-13 22:29:37:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/server.c.1935)
Opening errorlog failed.


On 8/18/24 11:19, David Colburn wrote:

/etc/fstab currently looks like this:

none swap sw
/ ffs rw 1 1
/home ffs rw,nodev,nosuid 1 2
/tmp ffs rw,nodev,nosuid 1 2
/usr ffs rw,nodev 1 2
/usr/X11R6 ffs rw,nodev 1 2
/usr/local ffs rw,wxallowed,nodev 1 2
/usr/obj ffs rw,nodev,nosuid 1 2
/usr/src ffs rw,nodev,nosuid 1 2
/var ffs rw,nodev,nosuid 1 2


On 8/18/24 10:28, David Colburn wrote:

That's very helpful, thanks!

/var is mounted "ffs rw,nodev,nosuid, 1 2"

/var/www isn't specifically mentioned.

Would it be affected by the /var mount settings?

Thanks again.

On 8/18/24 07:50, Stuart Henderson wrote:

On 2024-08-15, David Colburn  wrote:


Dell OptiPlex 7050

OpenBSD 7.5

php 8.3.10

lighttpd-1.4.74-mysql

I'm using root.

"*rcctl -df start lighttpd*" errors

"/daemonized server failed to start; check error log for details doing
_rc_rm_runfile (failed)/"

error.log says:

"...
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1981)

opening /dev/null failed: No such file or directory"

"...
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1935)

Opening errorlog failed: No such file or directory"

According to this:

https://www.reddit.com/r/openbsd/comments/nygjdm/lighttpd_cant_find_devnull_on_69/


there's supposed to be a directory here: /usr/sbin/chroot/ but
chroot is
actually a file.

I'm not sure how to proceed to fix the dev/null problem ...

Assuming /var/www/dev does not already exist, this should do it:

# mkdir /var/www/dev
# cd /var/www/dev
# sh /dev/MAKEDEV std
# rm !(null)

If it already exists then you may need to adapt the rm command to
preserve existing entries, or use mknod(8) manually to just create
the "null" node.

You'll also need to make sure that /var/www is _not_ mounted with
the "nodev" option (/etc/fstab).

If this is a hard requirement for lighttpd then the port could
probably do with explaining it somewhere .. (maintainer cc'd)




Re: lighttpd in openbsd - cant find devnull

2024-08-18 Thread Stuart Henderson

Yes

--
 Sent from a phone, apologies for poor formatting.

On 18 August 2024 15:29:07 David Colburn  wrote:


That's very helpful, thanks!

/var is mounted "ffs rw,nodev,nosuid, 1 2"

/var/www isn't specifically mentioned.

Would it be affected by the /var mount settings?

Thanks again.

On 8/18/24 07:50, Stuart Henderson wrote:

On 2024-08-15, David Colburn  wrote:


Dell OptiPlex 7050

OpenBSD 7.5

php 8.3.10

lighttpd-1.4.74-mysql

I'm using root.

"*rcctl -df start lighttpd*" errors

"/daemonized server failed to start; check error log for details doing
_rc_rm_runfile (failed)/"

error.log says:

"...
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1981)
opening /dev/null failed: No such file or directory"

"...
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1935)
Opening errorlog failed: No such file or directory"

According to this:

https://www.reddit.com/r/openbsd/comments/nygjdm/lighttpd_cant_find_devnull_on_69/

there's supposed to be a directory here: /usr/sbin/chroot/ but chroot is
actually a file.

I'm not sure how to proceed to fix the dev/null problem ...

Assuming /var/www/dev does not already exist, this should do it:

# mkdir /var/www/dev
# cd /var/www/dev
# sh /dev/MAKEDEV std
# rm !(null)

If it already exists then you may need to adapt the rm command to
preserve existing entries, or use mknod(8) manually to just create
the "null" node.

You'll also need to make sure that /var/www is _not_ mounted with
the "nodev" option (/etc/fstab).

If this is a hard requirement for lighttpd then the port could
probably do with explaining it somewhere .. (maintainer cc'd)




Re: lighttpd in openbsd - cant find devnull

2024-08-18 Thread Stuart Henderson
On 2024-08-15, David Colburn  wrote:
>
> Dell OptiPlex 7050
>
> OpenBSD 7.5
>
> php 8.3.10
>
> lighttpd-1.4.74-mysql
>
> I'm using root.
>
> "*rcctl -df start lighttpd*" errors
>
> "/daemonized server failed to start; check error log for details doing 
> _rc_rm_runfile (failed)/"
>
> error.log says:
>
> "... 
> (/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1981) 
> opening /dev/null failed: No such file or directory"
>
> "... 
> (/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1935) 
> Opening errorlog failed: No such file or directory"
>
> According to this:
>
> https://www.reddit.com/r/openbsd/comments/nygjdm/lighttpd_cant_find_devnull_on_69/
>
> there's supposed to be a directory here: /usr/sbin/chroot/ but chroot is 
> actually a file.
>
> I'm not sure how to proceed to fix the dev/null problem ...

Assuming /var/www/dev does not already exist, this should do it:

# mkdir /var/www/dev
# cd /var/www/dev
# sh /dev/MAKEDEV std
# rm !(null)

If it already exists then you may need to adapt the rm command to
preserve existing entries, or use mknod(8) manually to just create
the "null" node.

You'll also need to make sure that /var/www is _not_ mounted with
the "nodev" option (/etc/fstab).

If this is a hard requirement for lighttpd then the port could
probably do with explaining it somewhere .. (maintainer cc'd)
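The two conditions this thread keeps circling back to (a character-device "null" node inside the chroot, and the chroot not sitting on a "nodev" mount) can be checked from a script rather than by eye. This is an added example, not code from the thread or from the lighttpd port; the mount(8)-style output it parses is constructed from the fstab quoted above.

```python
"""Check a chroot's dev/null the way the thread does by hand (added example).

Two checks: (1) is <chroot>/dev/null really a character device, and
(2) does the filesystem holding <chroot> carry the "nodev" mount option?
The second is decided by finding the longest mount point that is a prefix
of the path, which is why a nodev /var also covers /var/www.
"""
import os
import stat

# Constructed sample in OpenBSD mount(8) output format, matching the quoted
# /etc/fstab: /var is nodev and there is no separate /var/www mount.
SAMPLE_MOUNT_OUTPUT = """\
/dev/sd0a on / type ffs (local)
/dev/sd0d on /tmp type ffs (local, nodev, nosuid)
/dev/sd0f on /usr type ffs (local, nodev)
/dev/sd0g on /home type ffs (local, nodev, nosuid)
/dev/sd0e on /var type ffs (local, nodev, nosuid)
"""


def parse_mounts(text):
    """Return {mount_point: set(options)} from mount(8)-style lines."""
    mounts = {}
    for line in text.splitlines():
        line = line.strip()
        if " on " not in line or " type " not in line:
            continue
        after_on = line.split(" on ", 1)[1]
        mount_point, rest = after_on.split(" type ", 1)
        opts = set()
        if "(" in rest and rest.endswith(")"):
            inner = rest[rest.index("(") + 1:-1]
            opts = {o.strip() for o in inner.split(",") if o.strip()}
        mounts[mount_point] = opts
    return mounts


def mount_point_for(path, mounts):
    """Longest mount point that is a prefix of path (e.g. /var for /var/www)."""
    path = os.path.normpath(path)
    best = "/"
    for mp in mounts:
        if mp == "/":
            continue
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def is_nodev(path, mount_text):
    """True when the filesystem holding `path` is mounted with nodev."""
    mounts = parse_mounts(mount_text)
    return "nodev" in mounts.get(mount_point_for(path, mounts), set())


def is_char_device(path):
    """True for a character special file such as /dev/null (follows symlinks)."""
    try:
        return stat.S_ISCHR(os.stat(path).st_mode)
    except OSError:
        return False


def check_chroot_null(chroot, mount_text):
    """Report both conditions lighttpd needs for <chroot>/dev/null."""
    null = os.path.join(chroot, "dev", "null")
    return {"null_is_chardev": is_char_device(null),
            "chroot_is_nodev": is_nodev(chroot, mount_text)}


if __name__ == "__main__":
    # On a real system replace SAMPLE_MOUNT_OUTPUT with the output of `mount`.
    print(check_chroot_null("/var/www", SAMPLE_MOUNT_OUTPUT))
```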



Re: OpenBSD equivalent to FreeBSD hw.uart.console boot setting

2024-08-16 Thread Stuart Henderson
On 2024-08-16, Laura Smith  wrote:
> On Friday, 16 August 2024 at 09:52, Peter N. M. Hansteen  
> wrote:
>
>> On Fri, Aug 16, 2024 at 08:31:50AM +, Laura Smith wrote:
>> 
>> > Is there an OpenBSD equivalent to the below flag which is set in 
>> > /boot/loader.conf.local on FreeBSD ?
>> > 
>> > hw.uart.console="mm:0xfedc9000,rs:2"
>> 
>> 
>> In order to get useful responses it is always a good idea to give some 
>> context on
>> what it is you are trying to do.
>> 
>
> I am trying to get console output during boot.
>
> This is on Deciso hardware, specifically the newer models.
>
> On the *older* models, getting OpenBSD working was simple:
> echo "stty com0 115200" >> /etc/boot.conf
> echo "set tty com0" >> /etc/boot.conf
>
> But this does not work on the newer models.
>
> After experimenting with FreeBSD (on which OPNsense that is bundled with 
> Decisio hardware) is based, I achieved a "known-good" config of:
>
> echo hw.uart.console="mm:0xfedc9000,rs:2" > /boot/loader.conf.local
>
> Therefore all I am looking to replicate that on OpenBSD.
>
>
>
>
>

No idea about the rs: and I couldn't find any FreeBSD docs about
what that does.

mm: looks like an address to use for memory-mapped io.

You might get somewhere with 'machine comaddr '.

Details from 'sendbug -P' run as root might give enough information
to figure out a bit more about what to do with the machine.

-- 
Please keep replies on the mailing list.



Re: Lastest snapshot - all application got a speed increase

2024-08-07 Thread Stuart Henderson
On 2024-08-07, Mihai Popescu  wrote:
> Is it some change in graphics? Some changes in kernel?

There's a reasonable chance it's Claudio's "Stop using KERNEL_LOCK to
protect the per process kqueue list" commit. select() and poll()
are implemented using kqueue these days and are very common.




Re: Regarding 802.1x support in OpenBSD 7.3

2024-08-06 Thread Stuart Henderson
On 2024-08-06, Y C  wrote:
> I'm seeking assistance with 802.1x security support using OpenBSD 7.3 as a
> firewall/router.
>
> Here's a depiction of my setup: I am attempting to use 802.1x security on a
> client VM.
>
> **RADIUS Server VM (Ubuntu OS)** -- connected  **Authenticator
> VM (Ubuntu OS)** --connected - **(vic0) OpenBSD Router
> (vic1)** --- **Client VM (Ubuntu)**
>
> When the OpenBSD Router is not present, everything functions correctly.
>
> With OpenBSD router, when 802.1x security is disabled, pinging between all
> VMs works, and the interface is able to connect.
>
> On OpenBSD:
>
> - I have created a bridge.
> - Added two interfaces, vic0 and vic1, into bridge0.
> - Allowed `net.ip.inet.forwarding=1`.
> - In pf.conf added 'pass all' one rule only.
>
> The RADIUS Server authenticates the client request. The Authenticator VM
> passes the packets to the server using the hostapd utility. On the client,
> I am using a UI-based method to set up the 802.1x security.
>
> My question is: Why are EAPOL packets not being forwarded by the OpenBSD
> Router?

EAPoL frames wouldn't be forwarded by a _router_ anyway as they are not IP.

The MAC address used, 01:80:C2:00:00:03, is part of the 01:80:C2:00:00:0x
set of "MAC Bridge Filtered MAC Group Addresses" (802.1d) that a switch
is not supposed to forward.

There is a special purpose "mini switch" in OpenBSD, tpmr(4), that only
handles two ports. That one _can_ be configured to permit these protocols
(see the manual, it only talks about LACP/STP but EAPoL should be handled
the same) which might let you do what you want.

-- 
Please keep replies on the mailing list.
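The two points in the reply (a router never forwards EAPoL because it is not IP, and a bridge must not forward 01:80:C2:00:00:0x group addresses) worked through on raw frames, as an added example not taken from the thread or from OpenBSD; the frame bytes are constructed, and `allow_filtered` stands in for a tpmr(4)-style device configured to pass these protocols.

```python
"""Why EAPoL does not cross an 802.1D bridge or a router (added example)."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_EAPOL = 0x888E
# 802.1D "MAC Bridge Filtered MAC Group Addresses": 01:80:C2:00:00:00 .. :0F
FILTERED_GROUP_PREFIX = bytes.fromhex("0180c20000")


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_ethernet(frame):
    """Return (dst, src, ethertype, payload); handles one optional 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETHERTYPE_VLAN:  # tag = TCI (2 bytes) then the real EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        ethertype = struct.unpack("!H", frame[16:18])[0]
        payload = frame[18:]
    return dst, src, ethertype, payload


def is_bridge_filtered(dst):
    """Destination falls in the reserved range a conforming bridge drops."""
    return dst[:5] == FILTERED_GROUP_PREFIX and dst[5] <= 0x0F


def bridge_decision(frame, allow_filtered=False):
    """('forward'|'drop', reason) for one frame arriving on a bridge port."""
    dst, _, ethertype, _ = parse_ethernet(frame)
    if is_bridge_filtered(dst):
        if not allow_filtered:
            return "drop", "dst %s is an 802.1D bridge-filtered group" % mac_str(dst)
        return "forward", "filtered group passed by explicit configuration"
    return "forward", "ethertype 0x%04x" % ethertype


def router_forwards(frame):
    """A router only routes IP; EAPoL (0x888E) is not IP, so it is never routed."""
    _, _, ethertype, _ = parse_ethernet(frame)
    return ethertype in (ETHERTYPE_IPV4, ETHERTYPE_IPV6)


def build_frame(dst, src, ethertype, payload=b""):
    """Assemble an untagged Ethernet frame from colon-separated MACs."""
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)


# Constructed sample frames: an EAPOL-Start (version 2, type 1, length 0)
# to the PAE group address, and an ordinary unicast IPv4 frame.
EAPOL_START = build_frame("01:80:c2:00:00:03", "52:54:00:12:34:56",
                          ETHERTYPE_EAPOL, bytes([2, 1, 0, 0]))
IPV4_FRAME = build_frame("52:54:00:aa:bb:cc", "52:54:00:12:34:56",
                         ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for name, frame in (("EAPOL_START", EAPOL_START), ("IPV4_FRAME", IPV4_FRAME)):
        print(name, "bridge:", bridge_decision(frame),
              "tpmr-style:", bridge_decision(frame, allow_filtered=True),
              "router:", router_forwards(frame))
```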



Re: curious about where system is spinning

2024-08-05 Thread Stuart Henderson
On 2024-08-05, Geoff Steckel  wrote:
> This is not a complaint.
> I'm very happy with 400MB/sec through a cheap power efficient system.
> I'm trying to deduplicate some of my 10,000,000+ files.
>
> Top reports spin (mostly on CPU0) up to 10%.
> I'm curious which resource is being competed for.

My wild guess would be filesystem access.

> If a waterfall graph would answer my question
> any pointers to instructions would be gratefully taken.

I can probably dig out more details if needed, but you might have
enough in /usr/src/share/btrace/kprofile.bt to get started.




Re: radiusd

2024-08-05 Thread Stuart Henderson
On 2024-08-04, Mike  wrote:
>
> authentication method was not PAP
>  (radiusd_bsdauth(8) supports only PAP)
>
> OK, that's the likely problem.  My WiFi access point is an old Linksys,
> an LAPN600.  When I go to the "Wireless Security" screen on the access
> point, I see nothing to choose a protocol to use.

For WPA-Enterprise, wifi access points typically tunnel EAP
authentication (coming from the *client*, not the AP) to the RADIUS
server. As well as handling auth, the RADIUS server also generates
keying material for the session. OpenBSD radiusd doesn't support EAP or
this key material generation. (The EAP method used is as chosen between
client and RADIUS server).

> So, it seems I have to stick with freeradiusd (and OpenBSD's insecure
> version of it) for the nonce.

I presume you're talking about "BlastRADIUS". This affects PAP, CHAP, or
MS-CHAP over RADIUS/UDP, not EAP, so a typical WPA-Enterprise config
is unaffected. It also requires that an attacker can view and modify
RADIUS packets in transit, clearly a big issue where somebody runs
the protocol over open internet connections (though this is something
that has never really been OK with RADIUS anyway), but much less of
a problem where it's run on a private network.

While it is a serious issue, it certainly doesn't affect all
configurations, and I can't help feeling that it's slightly overblown -
there was a lot of publicity from inkbridge (recently rebranded from
"network radius") who I note sell verification tools, upgrade guide and
Excel worksheet. Certainly useful in some situations but people should
read to see if they're actually vulnerable.

The version of FreeRADIUS with fixes requires an additional function
from libssl that libressl doesn't support yet. It's been added but
not exposed until we're ready for a library bump. Once that's done
I have an update ready to go. It won't be committed to -stable due to
the need for that libssl change and another change to libcrypto that
already went in.

See https://www.inkbridgenetworks.com/blastradius/faq and
https://www.freeradius.org/security/ for more info and mitigations that
can be done via config until the software is updated.




-- 
Please keep replies on the mailing list.
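The distinction drawn above (PAP/CHAP/MS-CHAP over RADIUS/UDP exposed, EAP not) can be checked on a captured Access-Request, and the configuration-level mitigation the FreeRADIUS advisory describes is requiring the Message-Authenticator attribute (RFC 2869 section 5.14: HMAC-MD5 over the whole packet with that attribute's value zeroed, keyed by the shared secret). This is an added example, not code from the thread or from FreeRADIUS; the packets and shared secret are constructed.

```python
"""Classify a RADIUS Access-Request for BlastRADIUS exposure and verify or
add Message-Authenticator (added example, not FreeRADIUS code)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2          # PAP
ATTR_CHAP_PASSWORD = 3          # CHAP
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def parse_attributes(packet):
    """Return [(type, value, offset)] for each TLV after the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[off + 2:off + alen], off))
        off += alen
    return attrs


def message_authenticator(packet, secret, ma_offset):
    """HMAC-MD5 of the packet with Message-Authenticator's 16 value bytes zeroed."""
    zeroed = packet[:ma_offset + 2] + b"\x00" * 16 + packet[ma_offset + 18:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def assess(packet, secret):
    """Exposure report: password-style auth over UDP with no valid Message-Authenticator."""
    attrs = parse_attributes(packet)
    types = [a[0] for a in attrs]
    ma = [a for a in attrs if a[0] == ATTR_MESSAGE_AUTHENTICATOR]
    result = {
        "code": packet[0],
        "uses_eap": ATTR_EAP_MESSAGE in types,
        "legacy_auth": ATTR_USER_PASSWORD in types or ATTR_CHAP_PASSWORD in types,
        "has_message_authenticator": bool(ma),
        "message_authenticator_valid": None,
    }
    if ma:
        _, value, off = ma[0]
        if len(value) != 16:
            raise ValueError("Message-Authenticator must be 16 bytes")
        expected = message_authenticator(packet, secret, off)
        result["message_authenticator_valid"] = hmac.compare_digest(value, expected)
    result["exposed"] = (result["code"] == ACCESS_REQUEST and result["legacy_auth"]
                         and not result["uses_eap"]
                         and not result["message_authenticator_valid"])
    return result


def build_access_request(identifier, request_authenticator, attrs, secret=None):
    """Build an Access-Request; with a secret, append a valid Message-Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if secret is not None:
        body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    length = 20 + len(body)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator + body
    if secret is not None:
        off = length - 18  # the attribute we just appended
        packet = packet[:off + 2] + message_authenticator(packet, secret, off) + packet[off + 18:]
    return packet


# Constructed samples (fixed secret and authenticator only so the example is
# reproducible; the User-Password value is a placeholder, not real ciphertext).
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))
PAP_ATTRS = [(ATTR_USER_NAME, b"bob"), (ATTR_USER_PASSWORD, b"\x00" * 16)]
PAP_PLAIN = build_access_request(7, REQUEST_AUTHENTICATOR, PAP_ATTRS)
PAP_PROTECTED = build_access_request(7, REQUEST_AUTHENTICATOR, PAP_ATTRS, SECRET)
EAP_PROTECTED = build_access_request(8, REQUEST_AUTHENTICATOR,
                                     [(ATTR_USER_NAME, b"bob"),
                                      (ATTR_EAP_MESSAGE, b"\x02\x01\x00\x08\x01bob")], SECRET)

if __name__ == "__main__":
    for name, pkt in (("PAP, no MA", PAP_PLAIN), ("PAP + MA", PAP_PROTECTED),
                      ("EAP + MA", EAP_PROTECTED)):
        print(name, assess(pkt, SECRET))
```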



Re: xfreerdp / remmina won't connect to Win11 RDP with NLA

2024-07-31 Thread Stuart Henderson
On 2024-07-31, Lévai  Dániel  wrote:
>
>> Have you tried the same freerdp version on e.g. Linux to see how that
>> works?
>
> I haven't, admittedly. 2.11.7 fails to build here on arch, there's an
> issue reported for the compilation error but upstream treats 2.x as
> oldstable and would only provide security fixes.
>
> What I also wanted to try was building 2.11.7 linked with OpenSSL on OpenBSD
> but couldn't figure out the magic build option combination, yet. There's a
> -DWITH_LIBRESSL flag in 3.x, but it's 3.x and I'm afraid it works the other
> way around (i.e. forcing LibreSSL instead of disregarding it).

I've not tried it with freerdp - in general you'll need something like

-I/usr/local/include/eopensslXX in CPPFLAGS or CFLAGS/CXXFLAGS

-Wl,-rpath /usr/local/lib/eopensslXX -L/usr/local/lib/eopensslXX in LDFLAGS

Also need to make sure that it find /usr/local/include/eopensslXX
_before_ /usr/include/openssl which often needs patches. I suggest
temporarily adding #error in some strategic file like
/usr/include/openssl/opensslconf.h to make sure that it doesn't get
included by mistake - mismatching headers and libraries is guaranteed
to cause trouble.

You'll also need to disable linking to any libraries that pull in
libressl - this includes at least cups-libs.

(btw https://junkpile.org/freerdp320.diff is the latest I have if anyone
is interested in trying to do something with timer_*.)



Re: iked authentication logging ?

2024-07-30 Thread Stuart Henderson
On 2024/07/30 20:19, J Doe wrote:
> On 2024-07-30 19:39, Stuart Henderson wrote:
> 
> > On 2024-07-30, J Doe  wrote:
> > > As a result with continuing to experiment with my configuration, I ran
> > > into a new issue.  I followed the instructions in the OpenBSD FAQ[0] for
> > > an X.509 configuration - in particular the following (with hostnames for
> > > my server and Mac):
> > > 
> > >   server1# ikectl ca vpn certificate client1.domain create
> > >   server1# cp /etc/ssl/vpn/client1.domain.crt /etc/iked/certs/
> > >   server1# ikectl ca vpn certificate client1.domain export
> > 
> > BTW this is a shortcut that ikectl implements to make things easy,
> > although it does mean that the client's "private" key actually ends
> > up on the server.
> > 
> > The traditional way of doing this is exactly like an X509 cert for a
> > web server, i.e. the client generates a private key and cert signing
> > request, the key is never transferred off the machine, only the CSR
> > which is taken to the CA. The CA then uses that to produce a cert
> > which is signed by the CA and sent back.
> > 
> > See the X.509 AUTHENTICATION section in isakmpd(8) for some gory
> > details which are mostly hidden if you use "ikectl ca".
> > 
> > >   server1# tar -C /tmp -xzf client1.domain.tgz *pfx
> > >   server1# cp /tmp/export/client1.domain.pfx \
> > >   /var/www/htdocs/client1.domain.pfx
> > > 
> > > ...so on my OpenBSD server I have the client's X.509 certificate and the
> > > CA certificate at: /etc/iked/certs.
> > > 
> > > I then removed the _client_ certificate from this location on the server
> > > and attempted connecting from the Mac and it authenticated.
> > > 
> > > My new question is - shouldn't the server reject a X.509 authentication
> > > attempt if the _client_ certificate is not on the server ?
> > 
> > No, that's not how it is expected to work, you don't need the client cert
> > on the server, just a way to validate that it's correct (by checking the
> > CA's signature and, IIUC, checking the subjectAltName against srcid).
> 
> 
> Hi Stuart,
> 
> Thanks for your reply.
> 
> Ok, I will make a note to read through the X.509 AUTHENTICATION section
> in: man 8 isakmpd.
> 
> In regards to your last paragraph, where you state:
> 
> "... just a way to validate that it's correct (by checking the CA's
> signature ..."
> 
> ... does that mean if I remove my: ca.crt file from: /etc/iked/ca on the
> _server_ that the client should _not_ be able to authenticate, or is
> validating the CA's signature not dependent on that ?

As far as I know that's correct, I don't think there's anywhere else
that it should be picking up the CA cert from.



Re: iked authentication logging ?

2024-07-30 Thread Stuart Henderson
On 2024-07-30, J Doe  wrote:
> As a result with continuing to experiment with my configuration, I ran
> into a new issue.  I followed the instructions in the OpenBSD FAQ[0] for
> an X.509 configuration - in particular the following (with hostnames for
> my server and Mac):
>
>  server1# ikectl ca vpn certificate client1.domain create
>  server1# cp /etc/ssl/vpn/client1.domain.crt /etc/iked/certs/
>  server1# ikectl ca vpn certificate client1.domain export

BTW this is a shortcut that ikectl implements to make things easy,
although it does mean that the client's "private" key actually ends
up on the server.

The traditional way of doing this is exactly like an X509 cert for a
web server, i.e. the client generates a private key and cert signing
request, the key is never transferred off the machine, only the CSR
which is taken to the CA. The CA then uses that to produce a cert
which is signed by the CA and sent back.

See the X.509 AUTHENTICATION section in isakmpd(8) for some gory
details which are mostly hidden if you use "ikectl ca".

>  server1# tar -C /tmp -xzf client1.domain.tgz *pfx
>  server1# cp /tmp/export/client1.domain.pfx \
>  /var/www/htdocs/client1.domain.pfx
>
> ...so on my OpenBSD server I have the client's X.509 certificate and the
> CA certificate at: /etc/iked/certs.
>
> I then removed the _client_ certificate from this location on the server
> and attempted connecting from the Mac and it authenticated.
>
> My new question is - shouldn't the server reject a X.509 authentication
> attempt if the _client_ certificate is not on the server ?

No, that's not how it is expected to work, you don't need the client cert
on the server, just a way to validate that it's correct (by checking the
CA's signature and, IIUC, checking the subjectAltName against srcid).




Re: xfreerdp / remmina won't connect to Win11 RDP with NLA

2024-07-30 Thread Stuart Henderson
On 2024-07-30, Lévai  Dániel  wrote:
> Hi all,
>
> I'm noticing that xfreerdp and remmina fails to connect to a Windows 11 
> machine while using NLA:
>
> $ xfreerdp /v:host /u:u...@example.com /d:MicrosoftAccount /sec:nla
> [17:04:04:954] [26344:92f3b640] [WARN][com.freerdp.crypto] - Certificate 
> verification failure 'unable to get local issuer certificate (20)' at stack 
> position 0
> [17:04:04:954] [26344:92f3b640] [WARN][com.freerdp.crypto] - CN = 
> daniell-kvm-windows11
> Password:
> [17:04:08:675] [26344:92f3b640] [ERROR][com.freerdp.core.transport] - 
> BIO_read returned an error: error:1404C438:SSL routines:ST_OK:tlsv1 alert 
> internal error
> [17:04:08:675] [26344:92f3b640] [ERROR][com.freerdp.core] - 
> transport_read_layer:freerdp_set_last_error_ex 
> ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
> [17:04:08:823] [26344:92f3b640] [ERROR][com.freerdp.core.transport] - 
> BIO_read returned an error: error:1404C438:SSL routines:ST_OK:tlsv1 alert 
> internal error
> [17:04:08:823] [26344:92f3b640] [ERROR][com.freerdp.core] - 
> transport_read_layer:freerdp_set_last_error_ex 
> ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
> [17:04:08:823] [26344:92f3b640] [ERROR][com.freerdp.core] - 
> freerdp_post_connect failed
>
> Remmina just says "Cannot connect to the RDP server" after a couple of 
> seconds.
>
> Funny thing is, every attempt results in a successful logon event on Windows.
>
> Switching off NLA on the Windows machine and trying /sec:tls with xfreerdp 
> (or switching to TLS security in Remmina) shows the usual graphical logon 
> screen where I can login without a problem. Same clients on other OSes also 
> work (Android, Linux, etc...).
>
> Is this something to do with LibreSSL, maybe? Has this ever worked on OpenBSD?

I'm able to connect to a W2022 DC using "xfreerdp /u:username
/d:somedomain /v:xx.xx.xx.xx:3389 /sec:nla" and typing the password at
the Password: prompt. I'm not sure how to tell if it's really using NLA
but I suspect that non-NLA logins are probably disabled on the Windows
side.

Have you tried the same freerdp version on e.g. Linux to see how that
works?

(Better to compare the same version if possible otherwise there is an
extra complication - the old workaround for lack of posix timers is
no longer enough, we cannot update to freerdp 3.x, so maybe missing
upstream fixes - it's possible they may have fixed something for newer
versions of Windows).




Re: doas tab completion

2024-07-29 Thread Stuart Henderson
On 2024-07-29, Robert Palm  wrote:
>
> Hi,
>
> wonder how I can get TAB completion in the shell when using doas ...
>
> Do I need to add something to .profile ?

pkg_add dmenu, then you can add this:

set -A complete_doas `dmenu_path`

(note it will not update automatically if a new program is installed;
either restart the shell, or re-run the 'set' command)




Re: Startup script for Netbox: can't start with a user and can't stop

2024-07-25 Thread Stuart Henderson
here you tell it to run it as www:

> daemon_flags="--name netbox --pid /var/run/netbox.pid --user=www --group=www 
> --config=${_BASEDIR}/gunicorn.py"
> daemon_flags="${daemon_flags} --log-level=info --log-file=- netbox.wsgi"

but you start as _netbox:

> daemon_user="_netbox"

that won't work, it needs root to change uid (to www).

> pexp="${_BASEDIR}/env/bin/python3.10 ${daemon}${daemon_flags:+ ${daemon_flags}}"

> echo "pkill -f ${daemon}"

?

> rc_pre() {
>     cat <<EOF > /var/run/netbox_start
> APPDIR=${_BASEDIR}/netbox
> cd ${_BASEDIR}/netbox
> . ${_BASEDIR}/env/bin/activate
> export PYTHONPATH=${_BASEDIR}/env/lib/python3.10/site-packages:${APPDIR}${PYTHONPATH:+:${PYTHONPATH}}
> exec gunicorn ${daemon_flags}
> EOF
>     chmod u+x /var/run/netbox_start
>     chmod o+x /var/run/netbox_start
> }

this doesn't make a lot of sense, why not either start it from the
rc script itself, or save a separate script to disk, rather than
writing to /var/run?

also if you run commands from the venv bin directory, they set
things up for you so you don't need to source "activate".

> rc_stop() {
>     pkill -f "${_BASEDIR}/env/bin/gunicorn"
> }

if pexp was set correctly then you wouldn't need to override rc_stop.

> doing rc_check
> [2024-07-25 00:52:55 +0200] [61573] [INFO] Starting gunicorn 22.0.0
> ...
> PermissionError: [Errno 13] Permission denied: '/var/run/tmp5jrbni2l'
> doing _rc_rm_runfile
> (failed)
>
> I don't know why it's trying to create /var/run/tmp5jrbni2l

must be something in gunicorn or netbox.

> If I remove daemon_user="_netbox", everything works

in that case, it starts as root, so it can write there (at least until
it drops privs).

> ii) When I try to stop the process, it doesn't work
> # ps ax | grep /var/www/htdocs/applications/netbox-4.0.7/env/bin/gunicorn
> 61611 p1  S    0:00.75 /var/www/htdocs/applications/netbox-4.0.7/env/bin/python /var/www/htdocs/applications/netbox-4.0.7/env/bin/gunicorn --name netbox --pid /var/run/netbox.pid --user=www --group=www --config=/var/www/htdocs/appli
...
> # /etc/rc.d/netbox -d stop
> doing _rc_parse_conf
> netbox_flags empty, using default >--name netbox --pid /var/run/netbox.pid --user=www --group=www --config=/var/www/htdocs/applications/netbox-4.0.7/gunicorn.py --log-level=info --log-file=- netbox.wsgi<
> pkill -f /var/www/htdocs/applications/netbox-4.0.7/env/bin/gunicorn
> doing _rc_parse_conf /var/run/rc.d/netbox
> doing rc_check

I didn't check carefully but I guess pexp doesn't match this process,
so rc_check doesn't find it running.

You could try

pexp="/var/www/htdocs/applications/netbox-4.0.7/env/bin/python /var/www/htdocs/applications/netbox-4.0.7/env/bin/gunicorn --name netbox.*"



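As an added example (not code from the thread or from the netbox rc script), the following POSIX sh script reproduces why rc_check in rc.subr(8) cannot find the gunicorn process with the posted pexp and why the suggested one matches. It stands in grep -Ex for rc.subr's pgrep -xf and constructs the full command line, since the ps output in the post is truncated.

```shell
#!/bin/sh
# Added example, not from the thread: why rc_check fails to find the
# gunicorn process. OpenBSD's rc.subr(8) locates the daemon with roughly
#     pgrep -q -xf "${pexp}"
# so the extended regex in pexp must match the process's ENTIRE argument
# list. Here grep -Ex stands in for pgrep -xf, run against a constructed
# ps(1) line, so this runs anywhere without touching /etc/rc.d.

_BASEDIR=/var/www/htdocs/applications/netbox-4.0.7
daemon="${_BASEDIR}/env/bin/gunicorn"
daemon_flags="--name netbox --pid /var/run/netbox.pid --user=www --group=www"
daemon_flags="${daemon_flags} --config=${_BASEDIR}/gunicorn.py"
daemon_flags="${daemon_flags} --log-level=info --log-file=- netbox.wsgi"

# Constructed: the full command line of the running process. The thread's
# ps output is truncated, but it shows the interpreter runs as "python",
# not "python3.10", with gunicorn's flags following.
cmdline="${_BASEDIR}/env/bin/python ${daemon} ${daemon_flags}"

# pexp_matches CMDLINE PEXP: returns 0 if PEXP matches the whole CMDLINE
# as an ERE (the same whole-argument-list semantics as pgrep -xf).
pexp_matches() {
	printf '%s\n' "$1" | grep -Eqx -- "$2"
}

# pexp as written in the posted rc script: it names python3.10, which is
# not what the process reports, so rc_check never sees it running and
# "stop" ends with (failed) even after pkill -f has killed the process.
old_pexp="${_BASEDIR}/env/bin/python3.10 ${daemon}${daemon_flags:+ ${daemon_flags}}"

# pexp as suggested in the reply: the interpreter name actually in use,
# and a trailing ".*" so later changes to the flags do not break the match.
new_pexp="${_BASEDIR}/env/bin/python ${daemon} --name netbox.*"

# report PEXP: prints whether PEXP would let rc_check find the process.
report() {
	if pexp_matches "$cmdline" "$1"; then
		echo "match:    $1"
	else
		echo "no match: $1"
	fi
}

report "$old_pexp"   # no match
report "$new_pexp"   # match
```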



Re: avoid single-user mode boot

2024-07-24 Thread Stuart Henderson
On 2024-07-24, 04-psyche.tot...@icloud.com <04-psyche.tot...@icloud.com> wrote:
> Hi all,
>
> I have a machine that will be placed in a remote location, and have no
> physical access to. The connection will be made through ssh only.
>
> I'd like to make it as resilient to failure as possible.
>
> A big concern to me is for a disk failure to happen (say a power
> outage), and the machine to be rebooted in single user mode. At that
> point, the machine has no network access, and so I lose contact to it.

If there's an actual disk failure, you're going to have to visit.
I guess you mean "dirty filesystem that requires changes before it
can be marked clean".

> Is there any way to disable going to single user mode when fsck is not
> happy?

No.

You can reduce the chance of fsck failing by:

- reduce writes to mounted filesystems: noatime, use memory buffers
or network for syslog, use mfs for things like /tmp /var/run
- mounting filesystems read-only where possible

Sometimes people modify /etc/rc to use "do_fsck -y" instead of just
"do_fsck" on systems like this. (imho: if the only thing you'd do when
running fsck manually is hit 'F' or keep hitting 'y' then this change
is no worse, though some people don't like it).

> Is it reasonable to change the /etc/fstab to modify the fsck flag from
> 1 and 2 to 0, to bypass the fsck checks ?

If a filesystem is marked "dirty" you can't mount it read-write.

> Alternatively, is there a way to have ssh access in single user mode?

Sure, start network and run sshd. You may be able to do this from
/etc/profile. You just need someone/something to press enter to the
question about running the shell...


On 2024-07-24, Crystal Kolipe  wrote:
> The normal way to handle this and other boot-related problems is with a serial
> connection from another machine that is still accessible via the network.
>
> Depending on your budget, what this system is being used for, and the
> connectivity that is available at the remote location, there are various ways
> of making that happen.

Exactly. (Note that some consumer/small business-ish routers can handle
running as a serial console server over a USB/RS232 interface - e.g.
picocom and USB serial port drivers can often be installed on openwrt -
routeros has /system serial-terminal or /system special-login).




Re: trying to boot on HP EliteBook 820 G1

2024-07-23 Thread Stuart Henderson
On 2024/07/22 21:04, Jan Stary wrote:
> On Jul 22 15:08:15, stu.li...@spacehopper.org wrote:
> > On 2024-07-22, Jan Stary  wrote:
> > > I am trying to boot current/amd64 on this HP laptop from  USB stick.
> > >
> > > Disabling the "secure boot" in BIOS, so that something else
> > > than the preinstalled windows is even allowed to boot,
> > > and choosing USB Flash Disk as the boot source,
> > > I see the usual
> > >
> > >   Using drive 0, partition 3
> > >
> > > etc, up to
> > >
> > >   boot>
> > >
> > > There, the rotating slash either stops and nothing else happens,
> > > or the machine reboots after the first number in
> > >
> > >   booting hd0a:/bsd 12345678 + [reboot]
> > >
> > > This happens with both bsd and bsd.rd.
> > >
> > > The USB stick holds a full current/amd64 installation
> > > which I regularly boot on various amd64 machines,
> > > so I don't suppose that is the problem.
> > >
> > > Any clues please?
> > 
> > Some things you could perhaps try -
> 
> Thanks for the hints.
> 
> > - does a 7.5 kernel boot? 7.4? (7.3, [..]?)
> 
> No. The same happens with 7.5, 7.4 and 7.3;
> also, the current/amd64 I was trying was about two weeks old,
> but the same happens with the currently current current.
> 
> > - "machine mem" output might be useful to someone looking at this
> 
> Sorry for the jpeg (attached), no cereal here.

so that's approx 19GB of mail sending to all misc subscribers, plus
the people who you want to see this might well be reading mail somewhere
that image attachments are at least a slight pain.

typing is not so hard, so we can at least do something about the
second part of that:

Region 0: type 1 at 0x0 for 631KB
Region 1: type 2 at 0x9dc00 for 9KB
Region 2: type 2 at 0xe for 128KB
Region 3: type 1 at 0x10 for 3058172KB
Region 4: type 2 at 0xbab7f000 for 19456KB
Region 5: type 4 at 0xbbe7f000 for 1024KB
Region 6: type 3 at 0xbbf7f000 for 512KB
Region 7: type 1 at 0xbbfff000 for 4KB
Region 8: type 2 at 0xbc00 for 16384KB
Region 9: type 2 at 0xbd00 for 34816KB
Region 10: type 2 at 0xe000 for 262144KB
Region 11: type 2 at 0xfec0 for 4KB
Region 12: type 2 at 0xfed1 for 16KB
Region 13: type 2 at 0xfed18000 for 4KB
Region 14: type 2 at 0xfed19000 for 4KB
Region 15: type 2 at 0xfed1c000 for 16KB
Region 16: type 2 at 0xfee0 for 4KB
Region 17: type 2 at 0xff80 for 8192KB
Region 18: type 1 at 0x1 for 1030144KB
Low ram: 631KB  High ram: 3058172KB
Total free memory: 4088951KB



Re: trying to boot on HP EliteBook 820 G1

2024-07-22 Thread Stuart Henderson
On 2024-07-22, Jan Stary  wrote:
> I am trying to boot current/amd64 on this HP laptop from  USB stick.
>
> Disabling the "secure boot" in BIOS, so that something else
> than the preinstalled windows is even allowed to boot,
> and choosing USB Flash Disk as the boot source,
> I see the usual
>
>   Using drive 0, partition 3
>
> etc, up to
>
>   boot>
>
> There, the rotating slash either stops and nothing else happens,
> or the machine reboots after the first number in
>
>   booting hd0a:/bsd 12345678 + [reboot]
>
> This happens with both bsd and bsd.rd.
>
> The USB stick holds a full current/amd64 installation
> which I regularly boot on various amd64 machines,
> so I don't suppose that is the problem.
>
> Any clues please?

Some things you could perhaps try -

- does a 7.5 kernel boot? 7.4? (7.3, [..]?)
- how about trying an older bootloader (extract usr/share/mdec
files from old baseXX.tgz and installboot)
- "machine mem" output might be useful to someone looking at this

HP machines are often a bit awkward, have been for many years.





Re: Frustrating feature in Evolution mail

2024-07-18 Thread Stuart Henderson
On 2024-07-17, Crystal Kolipe  wrote:
> On Wed, Jul 17, 2024 at 09:59:01AM +0100, Mark Gary wrote:
>> /etc/login.conf - yes I did run cap_mkdb.
>
> Don't.
>
> On a small personal system there is no point in using the db format for
> login.conf.

Nor on a big server either, really. Pretty much any time saved in
parsing the file is going to be lost in one instance of forgetting to
rebuild the db and having to debug.

>  Remove the db version and stick to the plain text file.

+1.



Re: Frustrating feature in Evolution mail

2024-07-18 Thread Stuart Henderson
On 2024-07-18, Mark Gary  wrote:
> On Wed, 2024-07-17 at 13:13 +0200, Rob Schmersel wrote:
>> On Wed, 17 Jul 2024 09:59:01 +0100
>> Mark Gary  wrote:
>> 
>> > Hi All,
>> > 
>> > I'm trying to resolve a trivial, but annoying problem with using
>> > Evolution mail on my OpenBSD setup. The style of date used in the
>> > list
>> > of mail in my inbox is in US format, i.e month first, day second,
>> > and
>> > I want it in UK format, day first, then month.  I know how to fix
>> > this in FreeBSD by  including LANG=en_GB.UTF-8 etc in a number of
>> > text files. However on OpenBSD, this hasn't worked in exactly the
>> > same way.  As an aside, I was getting a similar problem with
>> > Libreoffice defaulting to USA dictionaries, but that has been fixed
>> > and is picking up its locale properly from one of the text files I
>> > amended.
>> > 
>> > Text files where I have the correct variable are:
>> > 
>> > .bashrc
>> > .bash_profile
>> > .xinitrc
>> > .xsession
>> > .profile
>> > /etc/login.conf - yes I did run cap_mkdb.
>> > 
>> > when I issue the locale command from the terminal, it shows all the
>> > correct en_GB.UTF-8 variables. So everything looks OK, but I'm
>> > obviously missing something.  So if there is another text file to
>> > amend I would appreciate any suggestion.
>> > 
>> Don't use evolution, but what about following the advice in the
>> manual:
>
> Well yes, but I like evolution, I've used it for years (on other
> systems).  However I don't like mysteries, even if they are very
> trivial. 
>
>> https://gnome.pages.gitlab.gnome.org/evolution/help/mail-change-time-format.html
>> 
>
> I did already change that.  However it only changes the header view, on
> the email. Not the column view on list of emails.  This is picked up
> from the machine locale settings.

OpenBSD's standard library functions don't support different national
formats, so if Evolution is relying on this (e.g. strftime), it's
expected that it won't work.

Some info in setlocale(3).




Re: default route for a subset of addresses

2024-07-16 Thread Stuart Henderson
Your route-to should specify the IP to send packets to, not an interface 
(which would expand to the _local_ address on that interface)


--
 Sent from a phone, apologies for poor formatting.

On 16 July 2024 20:17:08 Sonic  wrote:
> On Mon, Jul 15, 2024 at 6:17 PM Stuart Henderson
>  wrote:
>> Your main options are to use PF route-to (config for this is reasonably
>> obvious, but make sure that wgaip is set to allow the relevant addresses),
>>
>> route-to is reasonably obvious.
>
> The problem I'm having with route-to is the packets go out the wg
> interface but replies are lost.
> For instance either:
> pass in quick on $int_if from  to !$int_if:0 route-to wg4
> or
> pass in quick on $int_if from  to !$int_if:0 route-to wg4 nat-to wg4
>
> work to get the packets to the wg interface but they don't get back to
> the host on the vlan
>
> a tcpdump on the wg interface while pinging yahoo.com from the host gives:
> 15:05:23.348778 192.168.77.182 > 74.6.143.25: icmp: echo request (DF)
> 15:05:23.397312 74.6.143.25 > 10.2.0.2: icmp: echo reply (DF)
> 15:05:24.348037 192.168.77.182 > 74.6.143.25: icmp: echo request (DF)
> 15:05:24.395843 74.6.143.25 > 10.2.0.2: icmp: echo reply (DF)
>
> the wg interface address is 10.2.0.2 and the wgaip is 0.0.0.0/0
>
> I also do not see the reply hitting the $int_if which it would need to
> do to get to the switch so the switch can route it to the vlan
>
> I must be missing something.




Re: Apache chroot ?

2024-07-16 Thread Stuart Henderson
On 2024-07-15, J Doe  wrote:
> I know in the past (before OpenBSD's httpd), the Apache package on
> OpenBSD was packaged to run in a chroot.  Does this still hold for
> Apache 2.4.61 on OpenBSD 7.5 ?

The version of Apache httpd (1.x) that used to be in the base OS (before
it was replaced by nginx) included a patch to chroot by default. That's
never (IIRC) been the case for the 2.x versions in ports/packages.

The mod_unixd module is included in the port though - that has a way to
chroot (see https://httpd.apache.org/docs/2.4/mod/mod_unixd.html) but
isn't done by default.





Re: default route for a subset of addresses

2024-07-15 Thread Stuart Henderson
On 2024-07-15, Sonic  wrote:
> Hello,
>
> I'm trying to find the best way (although I haven't been successful at
> finding any way currently) to have a default route for a subset of
> addresses.
>
> I have several vlans, but no vlan interfaces on the OpenBSD router as
> the routing between vlans is handled by a layer 3 switch. I also have
> several wireguard vpn interfaces on the router.
> All works quite well but I would like to change the default route for
> several addresses from one of the vlans to use a particular wg
> interface for its route to the outside world instead of the default
> route.
>
> Ideas?

Your main options are to use PF route-to (config for this is reasonably
obvious, but make sure that wgaip is set to allow the relevant addresses),
or use multiple rtables and use PF to adjust the rtable used for packets
coming from those addresses on the vlan.

route-to is reasonably obvious.

For the multiple rtables method you'd probably put the wg interface
in some other rdomain, adding an rtable with the same number as that
rdomain with a default route pointing over wg, and using PF as a
selector to select traffic from those specific addresses on the vlan and
rewrite the rtable ("pass in on XX from YY rtable 2" or similar)




Re: pf.conf issue.

2024-07-15 Thread Stuart Henderson
On 2024-07-15, Irreverent Monk  wrote:
> Question 1:  What's causing inbound ssh to only work with IP address and
> not DNS name?

No idea about that, there's no reason for this to affect anything unless
the DNS is broken or returning an incorrect address etc (or returning
a v6 address if you have broken v6 connectivity).

> Question 2:  Why is it that the iphone 15 can login from *anywhere* whereas
> the iphone 13 can only login from *somewhere*??
> Question 3:  What's stopping ubuntu server from connecting at all?

Not sure, but I would try without this (or at least without the
random-id and no-df) first:

> match in all scrub (no-df random-id max-mss 1440)






Re: Filesystem corruption on OpenBSD routers after power outage?

2024-07-10 Thread Stuart Henderson
On 2024-07-10, Tom Smyth  wrote:
> I don't include a swap partition on the routers  in the field as I
> don't want them swapping to disk, we over specify the hardware so that
> memory exhaustion is (should be anyway)  not a concern.

fwiw I don't know if they're (still? ever?) valid, but I've heard
comments in the past that not having any swap can sometimes cause
problems.




Re: Filesystem corruption on OpenBSD routers after power outage?

2024-07-10 Thread Stuart Henderson
On 2024-07-10, Marcus MERIGHI  wrote:
> Hello Tom, 
>
> tom.sm...@wirelessconnect.eu (Tom Smyth), 2024.07.10 (Wed) 18:40 (CEST):
>> swap /var/log mfs rw,nosuid,noexec,nodev,-s=524288,-P=/persist-fs/var/log 0 0
>> mfs:97883 on /var/log type mfs (asynchronous, local, nodev, noexec,
>>   nosuid, size=524288 512-blocks)
>
> as you do not save the logs, why not syslog "to an in-memory buffer that may 
> be
> read using syslogc(8)" (text taken from syslog.conf(5)?
>
> I have everything commented out in syslog.conf(5), except for: 
> *.* :256:full
>
> And in rc.conf.local(8):
> syslogd_flags=-s /var/run/syslogd.sock
>
> You can then read the logs with 
> $ syslogc -f full

That can be useful, but there are some gotchas. For example you can't
use syslogc twice at the same time.



Re: Building Rust program with libreSSL on a --current machine

2024-07-10 Thread Stuart Henderson
On 2024-07-10, Rob Schmersel  wrote:
> Hi,
>
> Looking for advice on how one can build rust programs that require
> openSSL support on OpenBSD -current
>
> No matter what I try I keep coming back to errors like:
>
>  cargo:libressl_version_number=309f
>
>   --- stderr
>   thread 'main' panicked at
>   
> /home/lobo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/openssl-sys-0.9.96/build/main.rs:334:5:
>
>
>   This crate is only compatible with OpenSSL (version 1.0.1 through
>   1.1.1, or 3), or LibreSSL 2.5 through 3.8.1, but a different version
>   of OpenSSL was found. The build is now aborting due to this version
>   mismatch.
>
> Or is it better to ask this on ports@?
>
> BR/Rob


This is handled automatically for things in ports using the framework
you get with MODULES=devel/cargo.

Otherwise you will need to patch openssl-sys-*/build/main.rs to
loosen the version check.





Re: "intel(0): switch to mode 640x400" on Thinkpad T410

2024-07-09 Thread Stuart Henderson
On 2024-07-08, Jan Stary  wrote:
> This is current/amd64 on a Thinkpad T410 (full dmesg below).
> Strangely, upon booting, xenodm sets the resolution to 640x480:
>
> [   974.100] (II) intel(0): Modeline "1440x900"x0.0   96.10  1440 1488 1552 
> 1728  900 903 909 926 -hsync -vsync (55.6 kHz eP)
> [   974.100] (II) intel(0): Modeline "1440x900"x0.0   80.30  1440 1488 1552 
> 1728  900 903 909 926 -hsync -vsync (46.5 kHz e)
> [   994.984] (II) intel(0): switch to mode 640x400@60.0 on LVDS1 using pipe 
> 0, position (0, 0), rotation normal, reflection none

shouldn't that be using modesetting rather than intel? or is the machine too 
old?

> If I ctrl-alt-del the running X, it restarts with 1440x900;
> both X logs below, the point is that the restarted xenodm
> no longer chooses the 640x400 mode:
>
> [  1022.036] (II) intel(0): Modeline "1440x900"x0.0   96.10  1440 1488 1552 
> 1728  900 903 909 926 -hsync -vsync (55.6 kHz eP)
> [  1022.036] (II) intel(0): Modeline "1440x900"x0.0   80.30  1440 1488 1552 
> 1728  900 903 909 926 -hsync -vsync (46.5 kHz e)
>
> So I have a simple workaround, but why is that happening?
> How can I debug that?
>
>   Jan
>
>
>
> dmesg:
>
> OpenBSD 7.5-current (GENERIC.MP) #173: Mon Jul  8 03:04:31 MDT 2024
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 8357658624 (7970MB)
> avail mem = 8081145856 (7706MB)
> random: good seed from bootblocks
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xe0010 (78 entries)
> bios0: vendor LENOVO version "6IET75WW (1.35 )" date 02/01/2011
> bios0: LENOVO 2537BN8
> acpi0 at bios0: ACPI 4.0
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP SSDT ECDT APIC MCFG HPET ASF! SLIC BOOT SSDT TCPA 
> DMAR SSDT SSDT SSDT
> acpi0: wakeup devices LID_(S3) SLPB(S3) IGBE(S4) EXP1(S4) EXP2(S4) EXP3(S4) 
> EXP4(S4) EXP5(S4) EHC1(S3) EHC2(S3) HDEF(S4)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpiec0 at acpi0
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i5 CPU M 560 @ 2.67GHz, 2926.14 MHz, 06-25-05, patch 
> 0007
> cpu0: cpuid 1 
> edx=bfebfbff
>  
> ecx=29ae3ff
> cpu0: cpuid 6 eax=7 ecx=1
> cpu0: cpuid 7.0 edx=9c00
> cpu0: cpuid a vers=3, gp=4, gpwidth=48, ff=3, ffwidth=48
> cpu0: cpuid 8001 edx=28100800 ecx=1
> cpu0: cpuid 8007 edx=100
> cpu0: MELTDOWN
> cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 4-way I-cache, 256KB 
> 64b/line 8-way L2 cache, 3MB 64b/line 12-way L3 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 133MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Core(TM) i5 CPU M 560 @ 2.67GHz, 2926.23 MHz, 06-25-05, patch 
> 0007
> cpu1: smt 1, core 0, package 0
> cpu2 at mainbus0: apid 4 (application processor)
> cpu2: Intel(R) Core(TM) i5 CPU M 560 @ 2.67GHz, 2926.39 MHz, 06-25-05, patch 
> 0007
> cpu2: smt 0, core 2, package 0
> cpu3 at mainbus0: apid 5 (application processor)
> cpu3: Intel(R) Core(TM) i5 CPU M 560 @ 2.67GHz, 2926.42 MHz, 06-25-05, patch 
> 0007
> cpu3: smt 1, core 2, package 0
> ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins, remapped
> acpimcfg0 at acpi0
> acpimcfg0: addr 0xe000, bus 0-255
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus -1 (PEG_)
> acpiprt2 at acpi0: bus 2 (EXP1)
> acpiprt3 at acpi0: bus 3 (EXP2)
> acpiprt4 at acpi0: bus -1 (EXP3)
> acpiprt5 at acpi0: bus 5 (EXP4)
> acpiprt6 at acpi0: bus 13 (EXP5)
> acpibtn0 at acpi0: LID_(wakeup)
> acpibtn1 at acpi0: SLPB(wakeup)
> acpipci0 at acpi0 UNCR
> acpipci1 at acpi0 PCI0: 0x 0x0011 0x0001
> acpicmos0 at acpi0
> tpm0 at acpi0 TPM_ 1.2 (TIS) addr 0xfed4/0x5000, device 0x104a rev 
> 0x4e
> acpibat0 at acpi0: BAT0 model "42T4751" serial  1780 type LION oem "SANYO"
> acpiac0 at acpi0: AC unit online
> acpithinkpad0 at acpi0: version 1.0
> "*pnp0c14" at acpi0 not configured
> "PNP0C14" at acpi0 not configured
> acpicpu0 at acpi0: C3(350@245 mwait.3@0x20), C2(500@205 mwait.3@0x10), 
> C1(1000@3 mwait.1), PSS
> acpicpu1 at acpi0: C3(350@245 mwait.3@0x20), C2(500@205 mwait.3@0x10), 
> C1(1000@3 mwait.1), PSS
> acpicpu2 at acpi0: C3(350@245 mwait.3@0x20), C2(500@205 mwait.3@0x10), 
> C1(1000@3 mwait.1), PSS
> acpicpu3 at acpi0: C3(350@245 mwait.3@0x20), C2(500@205 mwait.3@0x10), 
> C1(1000@3 mwait.1), PSS
> acpipwrres0 at acpi0: PUBS, resource for EHC1, EHC2
> acpitz0 at acpi0: critical temperature is 100 degC
> acpivideo0 at acpi0: VID_
> acpivout0 at acpivideo0: LCD0
> acpivideo1 at acpi0: VID_
> cpu0: using IvyBridge MDS workaround
> cpu0: Enhanced SpeedStep 2926 MHz: speeds: 2667, 2666, 2533, 2399, 2266, 
> 2133, 1999, 1866, 1733, 1599, 1466, 1333, 1199 MHz
> pci0 at mainbus0 bus 255
> pchb0 at pci0 dev 0 function

Re: smtpd warn: not enough disk space

2024-07-09 Thread Stuart Henderson
On 2024-07-09, Christian Schulte  wrote:
>
>
> On 07.07.24 03:51, Jeremy Evans wrote:
>> On Fri, Jul 5, 2024 at 9:16 PM Christian Schulte > > wrote:
>> 
>> Just wondering how the postgresql
>> port is configured. Really should setup quotas automatically when
>> pkg_adding in a way, just to ensure, that no one ever runs into a
>> situation, that there is no way out of a disk full situation.

The port can't sanely do that, because it doesn't know how the admin
has configured their system.

Also, openbsd doesn't enable filesystem quotas by default.

> I did not criticize the postgresql port in any way. I am just 
> suggesting, that when you want to setup a postgresql server in a 
> fire-and-forget way of things, it would be cool to restrict it from 
> eating up all available storage.

That is simple, use a separate filesystem for /var/postgresql.




Re: smtpd warn: not enough disk space

2024-07-09 Thread Stuart Henderson
On 2024-07-09, Christian Schulte  wrote:
>For example: Just 
> remove the patches in this directory - well a lot of them - and see how 
> those GNU folks have turned into complete idiots. I don't get it.
>
> https://github.com/openbsd/ports/tree/master/devel/gettext/patches

A lot of those patches are to avoid triggering warnings from ld when
linking other programs which use the gettext library due to the
api warnings openbsd has for some libc functions.





Re: Hard freeze during `pkg_add -u` on -current

2024-07-09 Thread Stuart Henderson
Only thing I can really suggest at that point is uninstalling packages
and reinstalling them. The steps would be similar to those in faq 15
"Duplicating Installed Packages on Another Machine" but rather than
transferring "list" to another machine, pkg_delete /var/db/pkg/* and
install them locally.

If the pkg database in too bad a state to pkg_delete, you could produce
a list, move /var/db/pkg out of the way, and pkg_add using that list
over the top - there will be "missing package registration, do you want
to fix?" questions which you can answer yes to.



On 2024/07/05 15:01, Ronald Dahlgren wrote:
> Thank you for the reply, Stuart.
> 
> Running pkg_check started out fine and then went off the rails. The output 
> is captured here ->
> https://sw.gy/files/pkg_check.html
> 
> The control characters passed through xterm and a clipboard so they may not 
> be accurate. Here
> are some screenshots of the original:
> 
> https://sw.gy/files/pkg_check-1.png
> https://sw.gy/files/pkg_check-2.png
> 
> Thankfully this behavior did not crash the system :)
> 
> Ron
> 
> On Fri, Jul 5, 2024 at 12:33 PM Stuart Henderson  
> wrote:
> 
> On 2024-07-05, Ronald Dahlgren  wrote:
> > Hello,
> >
> > On July 2nd, I updated a machine to the latest snapshot and rebooted. It
> > came back without issue. I then issued `pkg_add -U`. This machine was 
> last
> > updated on June 6th, so not terribly long ago. Partway during the 
> process,
> > the disk indicated it was full (not true) and no commands were available
> > (ls, cd, etc). Unable to do anything, I terminated my SSH session and
> > attempted to reconnect. The machine failed to respond to pings. I had
> > someone onsite reboot the machine. It then came back up. I did not try 
> the
> > `pkg_add -u` command again. Inspection showed that partitions had 
> plenty of
> > available space and inodes.
> >
> > The daily insecurity output that ran the following day, on Wednesday the
> > 3rd, had this unusual snippet:
> >
> > ```
> > vmm-firmware-1.16.3p0 firmware binary images for vmm(4) driver
> > -xz-5.4.5            library and tools for XZ and LZMA compressed files
> > +xz-5.6.2
> > /??^L???.???/?..??/??$???+DESC???/?
> >  
> +CONTENTS0^L+REQUIRED_BY??=
> > 
> ???=
> > 
> ???=
> > 
> ???=
> > 
> ???=
> > ??
> >  zsh-5.9p0           Z shell, Bourne shell-compatible
> > ```
> 
> The filesystem holding /var/db/pkg has some corruption.
> I'd try running pkg_check and allow it to repair, reinstall xz
> "pkg_add -r -D installed xz", and see how you get on.
> 
> > Given the package with the wacky description is `xz`, I'm more concerned
> > than I would be otherwise.
> 
> The same could have happened to any package, there's nothing special
> about xz there.
> 
> > I can see in `/var/log/messages` the snapshot update occurred without
> > issue. Logs after the physical reboot show no core dump and only have
> > complaints about filesystems not being properly unmounted - expected 
> when
> > the plug is pulled.
> >
> > Are there any other logs I can check and share to help get to the 
> bottom of
> > this? The impacted computer has been running current and humming along
> > happily in a network closet for over a year.
> 
> Not sure about the disk full message (spurious seems unlikely - if space
> is ok, is some filesystem tight on inodes? df -hi) or the hang.
> 
> 
> 



Re: Hard freeze during `pkg_add -u` on -current

2024-07-05 Thread Stuart Henderson
On 2024-07-05, Ronald Dahlgren  wrote:
> Hello,
>
> On July 2nd, I updated a machine to the latest snapshot and rebooted. It
> came back without issue. I then issued `pkg_add -U`. This machine was last
> updated on June 6th, so not terribly long ago. Partway during the process,
> the disk indicated it was full (not true) and no commands were available
> (ls, cd, etc). Unable to do anything, I terminated my SSH session and
> attempted to reconnect. The machine failed to respond to pings. I had
> someone onsite reboot the machine. It then came back up. I did not try the
> `pkg_add -u` command again. Inspection showed that partitions had plenty of
> available space and inodes.
>
> The daily insecurity output that ran the following day, on Wednesday the
> 3rd, had this unusual snippet:
>
> ```
> vmm-firmware-1.16.3p0 firmware binary images for vmm(4) driver
> -xz-5.4.5library and tools for XZ and LZMA compressed files
> +xz-5.6.2
> /??^L???.???/?..??/??$???+DESC???/?
>  +CONTENTS0^L+REQUIRED_BY??=
> ???=
> ???=
> ???=
> ???=
> ??
>  zsh-5.9p0   Z shell, Bourne shell-compatible
> ```

The filesystem holding /var/db/pkg has some corruption.
I'd try running pkg_check and allow it to repair, reinstall xz
"pkg_add -r -D installed xz", and see how you get on.

> Given the package with the wacky description is `xz`, I'm more concerned
> than I would be otherwise.

The same could have happened to any package, there's nothing special
about xz there.

> I can see in `/var/log/messages` the snapshot update occurred without
> issue. Logs after the physical reboot show no core dump and only have
> complaints about filesystems not being properly unmounted - expected when
> the plug is pulled.
>
> Are there any other logs I can check and share to help get to the bottom of
> this? The impacted computer has been running current and humming along
> happily in a network closet for over a year.

Not sure about the disk full message (spurious seems unlikely - if space
is ok, is some filesystem tight on inodes? df -hi) or the hang.




Re: Packet filter can't NAT devices 2 hops away?

2024-07-04 Thread Stuart Henderson
On 2024-07-03, jrmu  wrote:
>
> When I run $ ping 1.1.1.1 from R2, packets are successfully NAT'd to the
> public IP address, and ping works.
>
> However, when I run $ ping 1.1.1.1 from any other node (R3, R4, or R5), the
> packets are sent to R1 but not properly NAT'd. Here is what I see when I run
> tcpdump on the egress interface:
>
> host# tcpdump -ne -i em1 'host 1.1.1.1'
> tcpdump: listening on em1, link-type EN10MB
> 14:34:25.531207 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > 
> 1.1.1.1: icmp: echo request
> 14:34:26.549336 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > 
> 1.1.1.1: icmp: echo request
> 14:34:27.549307 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > 
> 1.1.1.1: icmp: echo request
> 14:34:28.549275 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > 
> 1.1.1.1: icmp: echo request
>
> The ping from node R5 is properly routed to R1, and is being sent out the
> egress interface, but for some reason, R1 is not properly performing NAT. NAT
> seems only to work for devices directly connected to R1.

NAT certainly works on packets coming from multiple hops away.

Check your pf rules carefully. And check your routing/bridging config
carefully, this setup with loads of veb and whatever vports certainly
makes things more complicated. Do you actually need it, what are you
trying to achieve with it? Simplify if you can. As far as I'm concerned
bridging on pf boxes would be a special case that I'd try to avoid unless
there's no alternative.

Standard PF diagnosis tools are to add "log" to various rules, or add
"match log(matches)" to the top of the ruleset, and tcpdump -nei pflog0,
but N.B. due to a bug in (iirc) 7.3 to 7.5 the rule numbers printed by
tcpdump will be wrong if you have any anchors in the ruleset - that's
fixed in -current.

> At R1, I have this packet filter rule to perform NAT on packets going to the
> Internet:
>
> match out on egress from !(egress:network) to any nat-to (egress:0)

This line by itself doesn't help much, the position of the match rule
(and of course any "set skip") can make a difference.

For simplicity and performance I'd also suggest:

- avoid "from !(egress:network)", there aren't many places where this
is really useful. listing the specific prefix or prefixes that you want
to nat (10.0.0.0/8 might work for you) is simpler to debug and avoids an
extra couple of lookups for each newly created state.

- avoid "nat-to (egress:0)" if possible (only needed for a dynamic
address) and use a specific address instead.


-- 
Please keep replies on the mailing list.
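As an added illustration of the ruleset shape suggested in the reply above (constructed example, not from the thread or from OpenBSD itself): the original dynamic-lookup match rule is shown commented out beside a version that NATs an explicit internal prefix to a fixed address, with the "match log(matches)" debugging rule at the top. em1 is the egress interface from the question; the internal interface list, the 10.0.0.0/8 prefix and the 203.0.113.10 public address are placeholders.

```pf
# Constructed example, not from the thread. em1 is the uplink from the
# question; int_if, int_net and pub_ip are placeholders to adapt.
ext_if  = "em1"
int_if  = "{ em0 }"
int_net = "10.0.0.0/8"
pub_ip  = "203.0.113.10"

# Keep "set skip" minimal: an interface skipped here is never seen by
# any rule below, including the NAT match rule.
set skip on lo

# Debugging aid from the reply: log every rule a packet matches to pflog0,
# then inspect with:  tcpdump -nei pflog0
# (rule numbers printed by tcpdump may be wrong with anchors on 7.3-7.5)
match log(matches)

# Original rule from the question. "from !(egress:network)" and
# "nat-to (egress:0)" are re-resolved from the egress group for each new
# state, which costs extra lookups and makes the rule harder to debug.
#match out on egress from !(egress:network) to any nat-to (egress:0)

# Suggested form: an explicit source prefix and a fixed NAT address.
# A match rule only sets options for the pass rule that later creates
# the state, so it has to come before that pass rule.
match out on $ext_if inet from $int_net to any nat-to $pub_ip

# Baseline policy: log what is blocked so pflog0 shows drops as well.
block log all

# Traffic from the internal prefix arriving on the inside interface(s).
pass in on $int_if inet from $int_net to any

# Outbound on egress: this pass rule creates the state, and the match
# rule above applies nat-to to it, regardless of how many hops away the
# original sender is.
pass out on $ext_if inet from $int_net to any

# Allow the firewall's own outbound traffic from the public address.
pass out on $ext_if inet from $pub_ip to any
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then watch pflog0 while pinging from a multi-hop host to confirm the nat-to rule is among the matches.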



Re: how to verify OpenBSD CVS repositories from mirrors?

2024-07-04 Thread Stuart Henderson
On 2024-07-03, Anon Loli  wrote:
> How do you verify the CVS repository that you got from the available Anonymous
> CVS Servers?
> All that I see in manual pages and FAQ is(summarized):
> 1. CVS CHECKOUT, CVS CHECKOUT, CVS CHECKOUT
> 3. compile
> 4. boom, you now became awesome
>
> but what about step 2?
> Like when you fetch binary images of OpenBSD, you are instructed to use 
> signify(1)
> in order to verify the integrity/maliciousness of the fetched data.
> Now how in the bug do you do that for CVS repositories?

Best you can do is checkout from a couple of mirrors (verifying ssh key
fingerprints against the set on https://www.openbsd.org/anoncvs.html
to guard against mitm) and compare the checkouts (being aware that they
may have been updated at different times so might not all have the most
recent commits).

-- 
Please keep replies on the mailing list.



Re: Copying files from an Android phone

2024-07-02 Thread Stuart Henderson
On 2024-07-02, Sadeep Madurange  wrote:
> Hello,
>
> I'm trying to backup some files (~1000 photos and two short videos, in
> total about 3GB) from an Android phone to OpenBSD. In the past I used
> Android file transfer (MTP) client. I couldn't find it on OpenBSD.
> What's the best way to achieve this?

Probably an Android sftp client, or termux + rsync. You'll be lucky if
you can get USB between OpenBSD and Android working well enough for the
various client programs in the libmtp package.


-- 
Please keep replies on the mailing list.



Re: OpenBSD runs hotter than Linux with same laptop, draws more electricity?

2024-07-02 Thread Stuart Henderson
On 2024-07-01, A B  wrote:
> I just wonder why OpenBSD requires more CPU load for the same kind of 
> activity (web browsing), and also appears to draw more electricity from the 
> power supply when measured, compared to Linux, when using the same laptop?

This is not unexpected.

> Perhaps more Assembly instructions to complete the same task? But why? Memory 
> protection kinds of checks?
>
> Note this is also when using the integrated (Intel) GPU.

A lot of this is down to Linux having spent more time on optimising
things for power consumption. Things like choices made in the scheduler
(deciding which cpu to run a process on) have an effect, especially on
certain cpu types, as well as code selecting cpu frequencies etc.


-- 
Please keep replies on the mailing list.



Re: /tmp on mfs is blocked

2024-06-28 Thread Stuart Henderson
On 2024-06-27, Vitaliy Makkoveev  wrote:
>> On 28 Jun 2024, at 02:07, Kirill A. Korinsky  wrote:
>> 
>> misc@,
>> 
>> I just encountered a weird case when my /tmp was blocked, and nothing had
>> worked.
>> 
>> via ps I saw:
>> 
>>  root 59095  0.0  1.1 1049488 174152 ??  D  Wed10PM0:40.02 
>> /sbin/mount_mfs -o rw -o nodev -o nosuid -s 1024m swap /tmp
>> 
>> and fstat -p 59095 points nothing abnormal:
>> 
>>  USER CMD  PID   FD MOUNTINUM  MODE R/WSZ|DV
>>  root mount_mfs  59095 text /   53639  -r-xr-xr-x r   240160
>>  root mount_mfs  59095   wd /   2  drwxr-xr-x r  512
>> 
>> htop reports that some swap was used and df points that ~200mb were used and
>> /tmp had plenty of free space.
>> 
>> Have you seen that before? How can I dig it further?
>> 
>
> This could be deadlock. You can enter ddb(1) and share 'show locks' output.

Only on a kernel with WITNESS.


-- 
Please keep replies on the mailing list.



Re: u-blox GPS card in Dell Latitude

2024-06-28 Thread Stuart Henderson
On 2024-06-28, Geoff Steckel  wrote:
> On 6/27/24 22:23, Bryan Vyhmeister wrote:
>> I'm looking at purchasing a Dell Latitude rugged laptop that has an
>> option for a u-blox GPS card. It is a fairly expensive option and I am
>> wondering if anyone has been able to get one of these cards to work with
>> ntpd in OpenBSD. I have searched the archives and have not been able to
>> find reports of a device that works fine but hopefully that is a good
>> sign. Anyone use one of these u-blox GPS cards?
>>
>> Bryan
>>
> I have a precision GPS-disciplined oscillator which contains
> a u-blox gps module. It connects to one machine via a serial port and 
> works well
> as a time reference. The NMEA data comes through perfectly.
>
> You'd have to figure out what device the OS will see - serial? usb? ??
> The only interface I've -seen- for them is serial but that doesn't mean
> something else hasn't been made.
>
> Then, perhaps harder, is finding a program to use the data.

The kernel can read NMEA sentences - see nmea(4), ldattach(8).
It populates sensors; openntpd can read the time from there.



-- 
Please keep replies on the mailing list.



Re: accidentally overwritten wrong drive with DD, please help

2024-06-27 Thread Stuart Henderson
On 2024-06-27, Anon Loli  wrote:
> On Thu, Jun 27, 2024 at 01:12:05PM +0100, Kirill A. Korinsky wrote:
>> On Thu, 27 Jun 2024 05:12:57 +0100,
>> Anon Loli  wrote:
>> 
>> Right now we have some commercial and open-source software which may support
>> OpenBSD FS, or may simply make a search in data to get some files.
>
> I'm not using anything commercial OR proprietary

You'd best get familiar with fs(5), fsdb(8) and all the documentation
you can get your hands on about UFS/FFS implementation then.

> No one is getting any image or file or anything from me, and I'm not sending
> my drives to anyone. This might sound rude or stupid to you, I'm sorry, but
> that's not debatable..

Levels of paranoia make me wonder about this email username you're using.

> Can't I just need to somehow fix the 1st 74M, and then somehow magically the

"just" and "somehow" are doing *heavy* lifting there.

Anyway I have no more I can add so I'm ducking out of this thread.



Re: route -n show blackhole routes

2024-06-25 Thread Stuart Henderson
On 2024-06-24, Tom Smyth  wrote:
> Folks,
> while reviewing nsh I was wondering how to improve show route commands...
> reviewing the route man page,
>
> there doesn't seem to be a straightforward way of displaying
> blackhole routes without using
>
> route show |grep B for blackhole
>
> route show |grep R for Reject
>
> is there something I'm missing,
>
> would I be better off improving route(8) rather than stringing
> commands together for NSH ?

It's not an efficient operation in the first place; kernel lookup is
done with the address/prefix as a key and the flags (B/R etc) are only
found once you've fetched a route (similar if you wanted to e.g. find
routes with a specific destination router).

In order to find all routes with a certain flag you do need to dump
the whole route table and check it.

It could be done slightly more efficiently with a check for the
relevant flag rather than going via a text processing tool like grep,
but I bet the actual overall time isn't going to be very different...





Re: accidentally overwritten wrong drive with DD, please help

2024-06-25 Thread Stuart Henderson
On 2024-06-25, Steve Litt  wrote:
> Stuart Henderson said on Mon, 24 Jun 2024 22:35:59 - (UTC)
>
>>Turning it directly into a working filesystem is probably not going to
>>happen.
>
> If I read and understood him correctly, right now he has the encrypted
> drive open as unencrypted, giving him a chance to just rsync that data
> off the computer. Now those files might be compromised, but it's an
> excellent start. If I understood correctly.

The softraid device is attached but IIUC the filesystem on that device
is broken and not mountable.




Re: accidentally overwritten wrong drive with DD, please help

2024-06-24 Thread Stuart Henderson
On 2024-06-24, Anon Loli  wrote:
> On Mon, Jun 24, 2024 at 07:36:57AM -0400, Steve Litt wrote:
>> Anon Loli said on Sun, 23 Jun 2024 12:19:15 +
>> 
>> 
>> >Okay, I've enabled the drive now, how do I approach this?
>> >I want the drive that's receiving the data copy to be encrypted, and
>> 
>> Encrypted? Man, you're getting too complicated for the situation.
>> Priorities. Task 1 is to copy over the borked drive to a USB drive so
>> you have a stable "go back to" point. Task 2 is to have a second drive
>> to experiment on, safe in the knowledge that you can always restore
>> from the copy from task 1. Encryption just makes it more likely you'll
>> bork things again.
>> 
>> >it'll have to be over ssh, so I'm assuming some combination of DD and
>> >SCP?
>> 
>> SSH and SCP? Say what? How bout a USB3 rotating drive? And NOT a
>> Seagate.
>> 
>> >
>> >I've looked on the internet now, and it seems like dump/restore are
>> >perfect for this (and even faster than dd?)
>> >So maybe something like
>> >`dump af /dev/sd3i | ssh receiving-computer "restore xf -"`
>> >But where would the sd3i end up then and how? would it turn in a file,
>> >or become a /dev/sd3i copy on the receiving computer?
>> >If you don't respond, I'll search the internet and try to do it on my
>> >own (for the 1st time) and possibly overwrite something again lol
>> >
>> >Would be great if I could find some great read about this
>> >
>> 
>> Personally, I think you're making this much harder than it has to be.
>> If you care about those old photos, spend the money for enough USB hard
>> drives, and don't get fancy until you have a copy of your files AND a
>> backup of the copy of those files. Then you can treat the copy like a
>> backup and copy them back.
>> 
>> Seriously, priorities. Prioritize getting those files back, and don't
>> let anything complicate that task. Don't skip steps.
>> 
>> SteveT
>> 
>> Steve Litt 
>> 
>> http://444domains.com
>> 
>
> I don't understand what's so complicated about DD, ssh/scp or encryption?
> I'll have to find my USB adapter, this is going too slow over the network,
> that being said, I think that I mentioned the source drive being over 200GB in
> size, so why mention USB sticks? lol

USB drive != "USB stick" (not that 200GB is much for a USB stick these
days).

(use bs=1m on the writing side to write in larger chunks if you're
dd'ing to flash media or SMR HDD).

> Encryption is a must, it's not just family photos, but even if it was, I'm
> still not putting them on clear disk

If you don't trust the machine you're attaching it to, you're screwed
anyway.

And some of the tools that might be able to help with recovery won't be
much help with a softraid-encrypted disk.

> I need to make a filesystem out of the backed-up copy if I understand
> correctly,

Turning it directly into a working filesystem is probably not going to
happen.

You need to try to extract what bits of data are still recoverable.
Think more in terms of trying to find what valid files you can and
copying them elsewhere.

> Like what use is backing it up now and then making the filesystem on the same
> drive and fucking up that entire drive?

Yeah, you want to treat that copy as read-only, the same way you'd treat
any drive you're trying to recover data from as read-only.

If you're going to try and write anything to it, you'll then want
_another_ copy to work on.

-- 
Please keep replies on the mailing list.



Re: accidentally overwritten wrong drive with DD, please help

2024-06-22 Thread Stuart Henderson
On 2024-06-22, Anon Loli  wrote:
> On Sat, Jun 22, 2024 at 12:35:56PM -0300, Crystal Kolipe wrote:
>> 
>> In theory most of your data would be recoverable from that image, but it
>> would require a lot of work and knowledge of ffs filesystem layout.

At one point I had access to R-Studio for something else (Windows RAID
recovery) and tried pointing it at slightly broken OpenBSD FFS while
I was there to see how it went - much better than I thought it would -
though it was pre FFS2 and I don't have access any more to check if
it's still useful. Might possibly be worth a try (obviously with
a copy not a live drive).

> So what you're saying is that I need a new disk that's at least the size of
> the overwritten SSD, and then make an image of sd3 and copy it over to the new
> disk?
> I don't think that I have as you said enough knowledge about FFS...
>
> I can use the other computer that has enough storage space, but I can't
> install OpenBSD well, it's the other recent mail with "Installer" in name, if
> we solve that, then I can install OpenBSD on there and gain access to a drive
> where I can then copy over the image of sd3 over ssh then..

If this is really important, I suggest going to buy another drive to
plug in and dd to rather than trying to do anything complicated.

-- 
Please keep replies on the mailing list.



Re: installing packages mentioned as dependency in ports package

2024-06-22 Thread Stuart Henderson
On 2024-06-22, Sandeep Gupta  wrote:
>
> This is working but only partially.  The OS is on the snapshot branch
> (sysupgrade -s) .  I checked out the current branch for ports, configured
> the prerequisites, then make prepare FETCH_PACKAGES=-Dsnap
> ```
> make prepare FETCH_PACKAGES=-Dsnap
>===> libreoffice-24.2.3.2v0 depends on: kio-* - not found
>===>  Verifying install for kio-* in devel/kf5/kio
>===>  Looking for kio-5.116.0.tgz in $PKG_PATH - Can't install
> gstreamer1-plugins-bad-1.24.4 because of libraries
>|library nettle.7.3 not found
>| /usr/local/lib/libnettle.so.7.2 (libnettle-3.9.1): minor is too small
> Direct dependencies for gstreamer1-plugins-bad-1.24.4 resolve to
> soundtouch-2.3.3 libbs2b-3.1.0p5 opus-1.5.2 lcms2-2.16p0 librsvg-2.58.1
> gstreamer1-plugins-base-1.24.4 json-glib-1.8.0 libnettle-3.9.1
> libass-0.17.1p0
> ```
> I am not sure which branch of ports CVS to use or redo sysupgrade -s?

Wait until a new package snapshot with libnettle-3.10 is built,
update to it, and retry.

-- 
Please keep replies on the mailing list.



Re: installing packages mentioned as dependency in ports package

2024-06-21 Thread Stuart Henderson
On 2024-06-21, Sandeep Gupta  wrote:
>
> I am trying to compile and build a branch of libreoffice (for collabra
> online tools).
> The dependencies are numerous  to list out manually. I am using the
> dependencies listed in the ports folder : /usr/ports/editors/libreoffice
> (downloaded from ftp https://cdn.openbsd.org/pub/OpenBSD/$(uname
> -r)/{ports.tar.gz,SHA256.sig}).
> Using the command: `make print-build-depends`.
>
> However when I use the output from there to install using pkg_add : `doas
> pkg_add jbigkit-2.1p0 javaPathHelper-2.3 metaauto-1.0p4 autoconf-2.52p6
> cdparanoia-3.a9.8p5 libdaemon-0.14p1` I get several  can't find messages:
> Can't find p5-URI-5.27
> Can't find libsodium-1.0.19
> Can't find xz-5.4.5
>
> My query is how to install build dependency of a package listed in ports?

make sure that your ports tree is up to date for whichever version of
OpenBSD that you're using (cvs head for -current, OPENBSD_7_5 for
7.5, etc - you can use a downloaded ports.tar.gz to start from if
you must, but then do the relevant cvs update), then:

make prepare FETCH_PACKAGES=



Re: epub reader

2024-06-20 Thread Stuart Henderson
Plain ordinary mupdf can open them too. (And also msoffice xml files in
the 1.24 versions; formatting for msoffice is not brilliant, but it's
often good enough to quickly read text).

On 2024-06-19, Mizsei Zoltán  wrote:
> AFAIK Zathura ( zathura-pdf-mupdf ) can open EPUBs. Feel free to try that.
>
> Regards,
> -ext
>
> Dan wrote on 2024 June 19, Wed at 18:18:
>> Hello,
>>
>> I'm here asking for an epub ebook reader port as Foliate (almost under my
>> XFCE) appears broken for a while and Calibre is not exactly a light ebook reader.
>>
>> Thanks!
>>
>> -Dan
>


-- 
Please keep replies on the mailing list.



Re: booting and RAID-5

2024-06-17 Thread Stuart Henderson
On 2024-06-17, Stuart Henderson  wrote:
> On 2024-06-15, Marco van Hulten  wrote:
>> Hello,
>>
>> I got a new amd64 system with 3 NVMe disks of each 2 TB, with the idea
>> to put them in RAID-5.  I did not realise until now that one cannot
>> boot from RAID-5.
>
> Why do you want to run three drives in softraid RAID5?
>
> You'll get the same capacity with three drives in RAID1, and it will
> be simpler and much easier to recover in a failure situation.

hmm, think I need coffee before doing such complicated calculations. oops.

-- 
Please keep replies on the mailing list.



Re: booting and RAID-5

2024-06-17 Thread Stuart Henderson
On 2024-06-15, Marco van Hulten  wrote:
> Hello,
>
> I got a new amd64 system with 3 NVMe disks of each 2 TB, with the idea
> to put them in RAID-5.  I did not realise until now that one cannot
> boot from RAID-5.

Why do you want to run three drives in softraid RAID5?

You'll get the same capacity with three drives in RAID1, and it will
be simpler and much easier to recover in a failure situation.




Re: mouse cursor no longer changes over hyperlinks in Firefox on OpenBSD 7.5

2024-06-11 Thread Stuart Henderson
On 2024-06-11, Stuart Henderson  wrote:
>> On Mon, Jun 10, 2024 at 03:07:24PM -0600, Andy Bradford wrote:
>>> Hello,
>>> 
>>> I'm not sure if this is expected behavior or not, but it seems that
>>> after upgrading to OpenBSD 7.5 the mouse cursor no longer changes from
>>> an arrow pointer to a hand when I hover over links in Firefox. It does
>>> work for some other programs though. Also, moving the mouse over other
>>> elements (like text entry) does work. It's just moving over links that
>>> no longer visibly changes the mouse cursor.
>>> 
>>> Is this a problem isolated to Firefox? Is anyone aware of a change
>>> that would cause this and more to the point, how to recover the
>>> functionality?
>
> It's isolated to firefox, afaik most likely (maybe only likely?)
> to occur if you don't use a "desktop environment", it's due to
> https://bugzilla.mozilla.org/show_bug.cgi?id=1871863
> (see also https://bugzilla.mozilla.org/show_bug.cgi?id=1876366#c15)
> and it's a flipping nuisance.
>
> On 2024-06-10, Hiltjo Posthuma  wrote:
>> iirc it can be worked around by setting in about:config:
>>
>> widget.gtk.legacy-cursors.enabled to true
>
> That is the hack they added that is supposed to undo this change.
> It doesn't do anything for me though.

Oh, huh, it didn't help after just restarting firefox, but did after
a reboot? Very odd.


>
> If you're not using a desktop environment, you can run xsettingsd
> with this in .xsettingsd to set a cursor theme:
>
> Gtk/CursorThemeName "Adwaita"
>
> However then in some setups you'll get stupidly large pointers in
> Gtk based software.
>
>
>


-- 
Please keep replies on the mailing list.



Re: mouse cursor no longer changes over hyperlinks in Firefox on OpenBSD 7.5

2024-06-11 Thread Stuart Henderson
> On Mon, Jun 10, 2024 at 03:07:24PM -0600, Andy Bradford wrote:
>> Hello,
>> 
>> I'm not sure if this is expected behavior or not, but it seems that
>> after upgrading to OpenBSD 7.5 the mouse cursor no longer changes from
>> an arrow pointer to a hand when I hover over links in Firefox. It does
>> work for some other programs though. Also, moving the mouse over other
>> elements (like text entry) does work. It's just moving over links that
>> no longer visibly changes the mouse cursor.
>> 
>> Is this a problem isolated to Firefox? Is anyone aware of a change
>> that would cause this and more to the point, how to recover the
>> functionality?

It's isolated to firefox, afaik most likely (maybe only likely?)
to occur if you don't use a "desktop environment", it's due to
https://bugzilla.mozilla.org/show_bug.cgi?id=1871863
(see also https://bugzilla.mozilla.org/show_bug.cgi?id=1876366#c15)
and it's a flipping nuisance.

On 2024-06-10, Hiltjo Posthuma  wrote:
> iirc it can be worked around by setting in about:config:
>
> widget.gtk.legacy-cursors.enabled to true

That is the hack they added that is supposed to undo this change.
It doesn't do anything for me though.

If you're not using a desktop environment, you can run xsettingsd
with this in .xsettingsd to set a cursor theme:

Gtk/CursorThemeName "Adwaita"

However then in some setups you'll get stupidly large pointers in
Gtk based software.




Re: [Solved] Edit: Installation amd64 7.5: How to access the distribution sets on the USB stick?

2024-06-09 Thread Stuart Henderson
On 2024-06-08, Jan Stary  wrote:
> On Jun 08 15:33:15, rfab...@mhsmail.ch wrote:
>> The issue was the USB stick did not appear in the disk selection dialog.
>
> That's hard to believe. If the installer booted from it,
> it must have been recognized as one of the sd? disks
> during the bsd.rd boot.

If the installer booted from it, that means BIOS/UEFI was able to
read from it. That's quite different to having a working driver for
the storage device/controller.


-- 
Please keep replies on the mailing list.



Re: Share one of machines IP via WireGuard

2024-06-08 Thread Stuart Henderson
On 2024-06-08, Kirill A  Korinsky  wrote:
> On Fri, 07 Jun 2024 16:25:48 +0100,
> Stuart Henderson  wrote:
>>
>> I think you'll need proxy ARP then.
>>
>
> After a few attempts to make it works, I think I need help.
>
> My setup.
>
> Server: where em0 is uplink with routed 1.2.3.4/24 and 1.2.4.5/24 with
> expected gateway 1.2.3.1 and 1.2.4.1, em0 is included into bridge0 and
> 1.2.3.4/24 is configured as input point at route domain 0.
>
> To make things simpler each IP is associated with its own MAC address and
> switch expects that 1.2.4.5 with 00:50:56:01:1d:40. So, I have:
>
>   $ cat /etc/hostname.vether1 
>  
>   lladdr 00:50:56:01:1d:40
>   rdomain 2
>   up
>   !arp -s 1.2.4.5 00:50:56:01:1d:40 pub
>
>   $ cat /etc/hostname.wg0 
>   rdomain 2
>   wgkey ...
>   wgpeer ... \
>   wgaip 1.2.4.5/32 \
>   wgpka 25
>   wgport 51820
>   wgrtable 0
>   up
>   $ 

rdomains will at least complicate things as you then need a way to
"leak" routes between rdomains, plus I don't think you need them.

I don't think the vether is doing anything useful either, and I think
the separate MAC is working against you.




> when I run ping from client to 1.2.4.1 I see traffic on wg0 on the server,
> but I can't figure out how to redirect it to vether1 and send to the switch.
>
> I feel that I miss some piece. I see route-to in pf.conf which is probably the
> missing piece but I can't figure out how to use it.

I think this should be possible with the standard route table, without
route-to. Essentially you need:

1. your machine to answer arp for the wg ip so other hosts will send
ethernet packets to it

2. your machine to not be configured with the wg ip itself

3. route entries such that those packets end up sent out the wg interface
(you may possibly need a route command with -ifp wg0)




> --
> wbr, Kirill
>
>


-- 
Please keep replies on the mailing list.



Re: cpu cores

2024-06-08 Thread Stuart Henderson
On 2024-06-08, Otto Moerbeek  wrote:
> On Sat, Jun 08, 2024 at 03:58:30PM +0200, Andreas Kähäri wrote:
>
>> Not knowing too much about these things, I think it looks a bit strange
>> that *two* out of eight CPUs are disabled due to hyperthreading.  I would
>> have expected every second one be disabled, i.e., four out of eight.
>
> This simple rule does not apply to more modern CPUs, which can have
> different types of cores, some with hyperthreading and some without.

Exactly. dmesg | grep smt will make it obvious. The cache information
for each attached cpu will probably also show differences between the
P and E cores.

-- 
Please keep replies on the mailing list.



Re: Daily insecurity email: Setuid changes: /usr/bin/ssh-agent

2024-06-07 Thread Stuart Henderson
On 2024-06-07, Why 42? The lists account.  wrote:
>
> I noticed this email message this morning:
>> Subject: mjoelnir.fritz.box daily insecurity output
>> From: "Charlie Root @ mjoelnir_aa1667" ...
>> To: ...
>> Date: Fri, 07 Jun 2024 01:32:17 +0200 (CEST)
>> 
>> 
>> Running security(8):
>> 
>> Setuid changes:
>> -r-x--s--x 1 root _sshagnt 435040 May 20 14:18:15 2024 /usr/bin/ssh-agent
>> -r-x--s--x 1 root _sshagnt 435040 Jun 6  12:07:27 2024 /usr/bin/ssh-agent
>
> It's true:
> mjoelnir:2024 7.06 14:00:57 % stat -x /usr/bin/ssh-agent
>   File: "/usr/bin/ssh-agent"
>   Size: 435040   FileType: Regular File
>   Mode: (2511/-r-x--s--x) Uid: (0/root)  Gid: (   34/_sshagnt)
> Device: 4,21   Inode: 156169Links: 1
> Access: Fri Jun  7 01:30:01 2024
> Modify: Thu Jun  6 12:07:27 2024
> Change: Thu Jun  6 12:07:27 2024
>
> mjoelnir:2024 7.06 16:10:01 % ls -ltra /usr/bin | tail
> -r-xr-xr-x   1 root  bin  191200 May 19 23:41 info*
> -r-xr-xr-x   1 root  bin   24000 May 19 23:41 infokey*
> -r-xr-xr-x   1 root  bin  281960 May 19 23:41 makeinfo*
> -r-xr-xr-x   1 root  bin   31568 May 19 23:41 install-info*
> -r-xr-xr-x   1 root  bin   30560 May 19 23:41 texindex*
> -r-xr-xr-x   1 root  bin   28070 May 19 23:41 texi2dvi*
> -r-xr-xr-x   1 root  bin 665 May 19 23:41 texi2pdf*
> drwxr-xr-x  16 root  wheel   512 May 20 00:31 ../
> -r-x--s--x   1 root  _sshagnt 435040 Jun  6 12:07 ssh-agent*
> drwxr-xr-x   2 root  wheel  6144 Jun  6 12:07 ./
>
> Is that not a bit weird? Why would ssh-agent have changed / been
> "touched"? Maybe that's when I booted the system ... Does it make sense
> that starting an executable would cause its mtime to be set?

grep ssh-agent /etc/rc

> Just wondering ...
>
> Cheers,
> Robb.
>
>


-- 
Please keep replies on the mailing list.



Re: Share one of machines IP via WireGuard

2024-06-07 Thread Stuart Henderson

I think you'll need proxy ARP then.

--
 Sent from a phone, apologies for poor formatting.

On 7 June 2024 16:23:56 Kirill A. Korinsky  wrote:


On Fri, 07 Jun 2024 12:36:20 +0100,
Stuart Henderson  wrote:


Configure the IP address on the wg interface with some subnet of 1.2.4.0/24
that includes 1.2.4.5, and use wgaip 1.2.4.5/32 (or a larger block if you wish
to route multiple addresses over wg) for the relevant peer.



Here is the catch on which I am blocked: I only have two IPs from two different
networks on em0 and that's all.

The switch on the ISP side I assume simply routes to my port traffic for both IPs
and I struggle with how to redirect traffic from the wg interface to em, I can't
use bridge and I can't expect that traffic is routed via em's IP.

--
wbr, Kirill




Re: Share one of machines IP via WireGuard

2024-06-07 Thread Stuart Henderson
On 2024-06-07, Kirill A  Korinsky  wrote:
> misc@,
>
> I wonder if it is possible to share an IP associated with a machine through
> a WireGuard connection?
>
> Suppose I have a machine that has two IPs on different networks:
>  - 1.2.3.4/24 gw 1.2.3.1
>  - 1.2.4.5/24 gw 1.2.5.1
>
> I'd like to allow incoming connections via WG to 1.2.3.4 and forward 1.2.4.5
> to the WG client.
>
> The best I can do now is create rdomain with wg and vether interfaces, and
> use PF nat to vether.
>
> But maybe it is possible to avoid NAT somehow?

Definitely is. I run externally accessible machines on my home network this way
(I have a /29 from my ISP anyway but changed to this after a line outage, and
have left it that way since).

Configure the IP address on the wg interface with some subnet of 1.2.4.0/24 that
includes 1.2.4.5, and use wgaip 1.2.4.5/32 (or a larger block if you wish to
route multiple addresses over wg) for the relevant peer.

Set net.inet.ip.forwarding as usual.

-- 
Please keep replies on the mailing list.



Re: Open Source / BSD License Copyright infringements

2024-06-07 Thread Stuart Henderson
On 2024-06-06, Peter J. Philipp  wrote:
>  if the outcome may be that the Copyright does not protect my works 
> and its license then there is no need to retain a license at the top of every 
> source file at all.

Without a license the default position in many jurisdictions is "this is
copyright and you can't reproduce it".

Putting the license and warranty disclaimer on every file is to make
sure that it's clear that people *can* do with it what they want, with
the limited exceptions stated.



-- 
Please keep replies on the mailing list.



Re: VLAN-tagging - follow-up

2024-06-07 Thread Stuart Henderson
On 2024-06-07, Martin  wrote:
> Are you supposed to "bridge" the vlan with the physical interface?

No.

Bridging a vlan with the physical interface used as parent for that vlan
makes no sense at all.

In some cases you might want to bridge a vlan with a *different* physical
interface.

> I have:
>
> $ cat /etc/hostname.em0
> up
>
> $ cat /etc/hostname.vlan101
> vnetid 101 parent em0
> inet autoconf
> up
>
> In /etc/pf.conf I have replaced em0 with vlan101 for ext_if.
>
> I get "No route to host" if I try to ping something, etc.
>
> But if add:
>
> $ cat /etc/hostname.bridge0
> add vlan101
> add em0
> up
>
> Then it works.
>
> Was the bridge part missed in the previous emails about how to use
> VLAN-tagging or am I missing something?

Seems like whatever you're connecting to is either not sending you vlan
tagged packets, or not dealing with vlan tagged packets sent by you.


-- 
Please keep replies on the mailing list.



Re: Open Source / BSD License Copyright infringements

2024-06-05 Thread Stuart Henderson
On 2024-06-05, Peter J. Philipp  wrote:
> I have been made aware of hearsay that someone took my open source code
> protected under the same license as OpenBSD and sold it for a lot of money.

There is nothing in either the ISC license used in OpenBSD (or in the
GNU public license for that matter) to prevent people from doing that.
People who receive the code under that license are of course allowed
to pass it on though.

The ethos of the license typically used for OpenBSD code is basically
"do what you want with this code" (but expressed in a way that tries to
cover all the bases). If you want to restrict commercial use then it's
the wrong license to use.

> I have no proof of this personally but I ask you to help me find evidence of
> this.  There is not much I can do about this, except if the person or persons
> were stupid enough to change the license to their names.

If they've removed or changed the license, that isn't allowed (though they
can add an additional license for changes). Actual enforcement might well
be difficult/expensive though.




Re: IPv6 routing problems with vether and vmm

2024-06-04 Thread Stuart Henderson
On 2024-06-04, Kapetanakis Giannis  wrote:
> On 04/06/2024 08:50, jrmu wrote:
>>> When you manage a hypervisor, using only 1x/64 is less than ideal. It's just
>>> not enough because you can have more than 1 'type of usage'. I always
>>> request at least 1x/56.
>> Thanks. I spoke with the ISP and he gave me a larger subnet,
>>
>> 2602:fccf:4::/48, I've been experimenting it by manually adding the
>> route and it seems to have worked.
>
>
>::/48 is probably the provider's network, not yours.

Unlikely. If the provider has their own assignment from an RIR it's
probably at least a /32. /48 is common for a single user running
multiple networks, many providers (even just end-user DSL/FTTP ISPs)
give their users a /48 that they can subnet as they wish.

-- 
Please keep replies on the mailing list.



Re: amd64 bsd.rd for 7.0, 7.1, 7.2

2024-06-04 Thread Stuart Henderson
On 2024-06-04, Jan Stary  wrote:
>> > I want to upgrade an amd64 system running 6.9.
>
> Backup, reinstall current from scratch,
> restore from backup.
>
>> > wget https://cdn.openbsd.org/pub/OpenBSD/7.{0,1,2}/amd64/bsd.rd
>> > returns 404 for all three queries.
>> > Where can I find the bsd.rd images for these versions?
>
> For example
> https://ftp.eu.openbsd.org/pub/OpenBSD/7.0/amd64/bsd.rd
>
> But don't do it, reinstall.

As long as there's enough free space, upgrading is fine; there's no need
to reinstall.






Re: Using nopass on a single user machine

2024-06-03 Thread Stuart Henderson
On 2024-06-03, 04-psyche.tot...@icloud.com <04-psyche.tot...@icloud.com> wrote:
> Hi all,
>
> Is there any downside in using the nopass option of doas, for a single user 
> machine?
>
> It's a machine that I access to only via ssh, with an identity file.
>
> In what way would it increase the attack surface to do so?

It makes your account equivalent to root.




Re: vim editor with TERM

2024-05-31 Thread Stuart Henderson
On 2024-05-31, 04-psyche.tot...@icloud.com <04-psyche.tot...@icloud.com> wrote:
> Hi all,
>
> I use the following terminal:
>
> echo $TERM
> xterm-256color
>
> when in my ~/.profile I do:
>
> export EDITOR=nano
>
> everything works well.
>
> However, if I do 
>
> export EDITOR=vim
>
> then when I ssh into the machine, up and down arrow in the terminal do not 
> work anymore (it does not give me access to previous commands entered).

It's an extremely annoying misfeature in ksh.

If $EDITOR starts with the letters "vi" then it defaults to vi-style
command line editing. You can use "set -o emacs" to override that, but
then if you sudo/doas to root it will reset to vi-style editing because
of the exported EDITOR variable.

On some machines I got fed up enough with this to symlink
"emacs-notreally" to vim and set EDITOR=emacs-notreally...




Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-31 Thread Stuart Henderson
On 2024-05-30, Radek  wrote:
> Thank you all for your replies. 
>
> Actually, I did not know that providing seamless switching VPN solutions is 
> so problematic. If it can't be done in a simple way, then it doesn't have to 
> be seamless at any cost. Users will manually reconnect to this VPN when CARP 
> does switchover and there will be no drama. 
>
> I am currently using IPSEC/L2TP, but I do not insist on switching to 
> wireguard. IPSEC/L2TP simply works smoothly on win10/11/mac. About 2020 I 
> switched IKEv2 to IPSEC/L2TP when my CA certificate expired and I couldn't 
> cope with updating it to get a VPN back to work. It was a pandemic, and 
> everybody worked remotely. Then I quickly switched IKEv2 to IPSEC/L2TP to 
> allow users to work remotely again, and so it remains to this day. Maybe it's 
> time to replace IPSEC/L2TP with other/newer VPN solution - on the occasion of 
> CARP deployment.

IKEv2 with certs signed by a publicly trusted CA is fairly easy
to work with on the client side. The server side is a bit fiddly on
OpenBSD; iked can send the necessary intermediate certs now but it's not
obvious which file they need to go in (and I forgot the details..)

> I also need to assign to users static IP addresses per user - if I remember 
> that IKEv2 assigned to users random addresses from the entire VPN pool and I 
> couldn't cope with IP/user assignment. 

IKEv2 certainly can, it depends on the software. The in-tree
version of iked doesn't have a way to do it yet, but the patches at
https://marc.info/?l=openbsd-tech&m=170895540813042&w=2 allow doing that
via RADIUS config.




Re: Call sysctl before sysctl.conf

2024-05-30 Thread Stuart Henderson
On 2024-05-30, 04-psyche.tot...@icloud.com <04-psyche.tot...@icloud.com> wrote:
> Hi all,
>
> When OpenBSD runs my processor at 100%, it makes a noise. Interestingly, when 
> in bios, this noise does not appear.
>
> To get rid of the noise I call sysctl with this:
>
> sysctl hw.perfpolicy=manual
> sysctl hw.setperf=99
>
> The problem is, at the beginning of boot, OpenBSD runs the processor with 
> hw.setperf=100, so the noise is present.
>
> Using a /etc/sysctl.conf with:
>
> hw.perfpolicy=manual
> hw.setperf=99
>
> does not help, as this happens too late.
>
> I also tried to use a /etc/rc.securelevel with:
> sysctl hw.perfpolicy=manual
> sysctl hw.setperf=99
>
> but it also happens too late, and the noise is present (if brief).
>
> Is there a way to make hw.setperf=99 really permanent, or happen even earlier 
> during boot?

Yes, modify /etc/rc (or the kernel) and you can make it happen earlier.




Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-30 Thread Stuart Henderson
On 2024-05-29, Vitaliy Makkoveev  wrote:
> He wants replication. This means both wireguard "servers" know the client
> state. No client reconnection at failure, no delay, seamless migration
> from failed node to the backup. Something like sasyncd(8), but for
> npppd(8) or wg(4).

wireguard doesn't have a "reconnection" in the way IKEv2+MSCHAP or
IKE+L2TP do, the user doesn't have to do anything, so as long as peers
are configured on all carp members it should be fairly seamless.

It doesn't care about IP addresses as long as one end can get packets
through to the other's last known address.

(Reason for ifstated would be to stop any carp backup machines from
trying to send wireguard packets and confusing things.)




Re: binding on privileged ports as user

2024-05-29 Thread Stuart Henderson
On 2024-05-29, Gregory Edigarov  wrote:
> Hello, everybody
>
> I remember exactly, that I was able to do that with systrace. 
> Can I do that now? Is there any workaround for that?

You could listen on another port and rdr-to.

> If for example I need to run some potentially exploitable service,
> and cannot change the port it listens on, and therefore want to chroot
> -u and allow  it to grab the port.





Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-29 Thread Stuart Henderson
On 2024/05/29 18:08, Vitaliy Makkoveev wrote:
> On Wed, May 29, 2024 at 01:23:47PM -0000, Stuart Henderson wrote:
> > On 2024-05-29, Vitaliy Makkoveev  wrote:
> > > On Wed, May 29, 2024 at 12:48:41PM +0200, Radek wrote:
> > >> Thank you, that explains everything. 
> > >> Does wireguard support replication? Will it work properly in my CARP 
> > >> setup?
> > >> 
> > >
> > > No for both questions. However, wireguard allows creating complicated
> > > connections where one wg(4) interface could have multiple associated
> > > peers on "client" side too.
> > 
> > It may be worth seeing whether wg combined with ifstated might
> > do the trick (bring wg down when carp is down, and vice-versa).
> > 
> 
> ifstated can't help, he wants seamless switch between "servers".

Depends on the exact use case, I can think of some situations
where it could help.



Re: OpenBSD bgpd / rad "Permission denied" messages ?

2024-05-29 Thread Stuart Henderson
On 2024-05-28, Claudio Jeker  wrote:
> On Tue, May 28, 2024 at 06:28:27PM +0200, Rachel Roch wrote:
>> Hi
>> 
>> I'm struggling to understand what is going on here.
>> 
>> I have an OpenBSD 7.2 box which has been working beautifully for about 3 
>> years.
>> 
>> Now it seemingly suddenly refuses to do anything involving the outside 
>> world, posting weird messages such as the following to the logs:
>> 
>> May 28 17:18:04 foo bgpd[7529]: neighbor : connect: Permission 
>> denied 
>> May 28 17:19:05 foo rad[74960]: sendmsg on vlan2008: Permission denied
>> 
>> What on earth does "permission denied" mean ? 
>> 
>> I can still ping the bgpd neighbours. There have been zero pf rule 
>> changes, so it can't be that either.
>> 
>> Ideas ?
>
> Packet is blocked by pf(4) most probably or since it is such an old machine
> it may also be the stupid iked / ipsec default of blocking ALL IPv6
> traffic if there is any flow loaded.

ktrace might give clues as to exactly what it's asking the kernel
to do, which might allow working out where the EACCES comes from.




Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-29 Thread Stuart Henderson
On 2024-05-29, Vitaliy Makkoveev  wrote:
> On Wed, May 29, 2024 at 12:48:41PM +0200, Radek wrote:
>> Thank you, that explains everything. 
>> Does wireguard support replication? Will it work properly in my CARP setup?
>> 
>
> No for both questions. However, wireguard allows creating complicated
> connections where one wg(4) interface could have multiple associated
> peers on "client" side too.

It may be worth seeing whether wg combined with ifstated might
do the trick (bring wg down when carp is down, and vice-versa).




Re: x64

2024-05-29 Thread Stuart Henderson
On 2024-05-29, Gustavo Rios  wrote:
> I have installed obsd 7.5 amd64. I wrote a small function and apparently,
> obsd is not generating x64 bit code. I am very confused by the output of
> file and nm on my ANSI C code.
>
> Here you have them:
>
> etosha# file xdr_vopq.o
> xdr_vopq.o: ELF 64-bit LSB relocatable, x86-64, version 1
> etosha#
>
> That's ok, the output above reports 64-bit, but when I run nm:
>
> etosha# nm xdr_vopq.o
>  W __retguard_1176
>  W __retguard_3137
>  U __xdri32
>  U __xdropq
>  T __xdrvopq
> 0070 T xdr_vopq
>  F xdr_vopq.c
> etosha#
>
> Why are the addresses shown 32-bit? I simply cannot understand this.

That's just nm(1)'s display format using %08lx. Install one of the package
versions of llvm and use llvm-nm-$version and you'll see it printed with
a wider column.




Re: httpd & pixelfed

2024-05-27 Thread Stuart Henderson
On 2024-05-27, Am Jam  wrote:
>
> Most of what makes pixelfed work is located in /var/www/pixelfed/public,
> and hence pixelfed requires that the root directory be
> /var/www/pixelfed/public.
> So in /etc/httpd.conf I have the following lines:
> -   root "/pixelfed/public"
> -   directory index "index.php"
>
> However, for some bizarre reason, all the images are stored in
> /var/www/pixelfed/storage (note: *not* /var/www/pixelfed/public/storage).

Probably not bizarre. I expect they arrange things so that everything
under /var/www/pixelfed/public can be read-only (or at least not writable
by the user running the web server).

> And part of the pixelfed installation process includes creating the
> following symlink in /var/www/pixelfed:
> -   lrwxr-xr-x  1 root  www  37B May 27 12:15 storage@ ->
> /var/www/pixelfed/storage/app/public/
>
> That, unfortunately, is "outside" of the root directory specified in
> /etc/httpd.conf.

httpd is in a chroot jail so the absolute symlink won't work.

Either use a relative symlink for the above link, or set things up so
that /var/www still works inside the chroot -

mkdir /var/www/var; ln -s .. /var/www/var/www
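
The chroot behaviour described above, as an added example that is not part of the thread: it emulates chroot(2) path lookup on a temporary copy of the layout (no real chroot needed) and shows that the installer's absolute symlink dangles inside /var/www, while both the /var/www/var/www alias and a relative link resolve. The file names, and the assumption that the installer's link lives in pixelfed/public, are constructed here.

```python
import os
import tempfile
def resolve_in_chroot(root, path, max_links=32):
    """Emulate chroot path lookup: absolute link targets restart at root, '..' stops at root."""
    root = os.path.abspath(root)
    cur, nlinks = root, 0
    parts = [p for p in path.split("/") if p and p != "."]
    while parts:
        name = parts.pop(0)
        if name == "..":
            cur = os.path.dirname(cur) if cur != root else root
            continue
        nxt = os.path.join(cur, name)
        if os.path.islink(nxt):
            nlinks += 1
            if nlinks > max_links:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(nxt)
            if target.startswith("/"):
                cur = root  # absolute target is re-rooted at the chroot, not host /
            parts = [p for p in target.split("/") if p and p != "."] + parts
        else:
            cur = nxt  # may not exist; serves_file() checks that
    return cur  # host-side path of the resolved name
def serves_file(root, path):
    try:
        return os.path.isfile(resolve_in_chroot(root, path))
    except OSError:
        return False
def demo():
    """Constructed layout from the thread; the installer's link is assumed to sit in pixelfed/public."""
    results, req = {}, "/pixelfed/public/storage/x.jpg"
    with tempfile.TemporaryDirectory() as host:
        root = os.path.join(host, "var", "www")  # httpd's chroot
        pub = os.path.join(root, "pixelfed", "public")
        store = os.path.join(root, "pixelfed", "storage", "app", "public")
        os.makedirs(pub)
        os.makedirs(store)
        open(os.path.join(store, "x.jpg"), "w").close()  # constructed sample image
        link = os.path.join(pub, "storage")
        os.symlink("/var/www/pixelfed/storage/app/public/", link)  # installer's absolute link
        results["absolute"] = serves_file(root, req)
        os.makedirs(os.path.join(root, "var"))  # mkdir /var/www/var
        os.symlink("..", os.path.join(root, "var", "www"))  # ln -s .. /var/www/var/www
        results["var_www_alias"] = serves_file(root, req)
        os.remove(link)
        os.symlink("../storage/app/public", link)  # relative link instead
        results["relative"] = serves_file(root, req)
    return results
```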




Re: wifi

2024-05-25 Thread Stuart Henderson
On 2024-05-24, Gustavo Rios  wrote:
> Is there a plan to add support?

Can't say for sure what somebody might like to work on, but from reading
posts from people using these on other OS (which aren't very positive)
I wouldn't think this is worth the trouble. I'd suggest looking for an
iwm or iwx card in the same form factor (which shouldn't be expensive)
and try swapping it.


