Re: help debug NFS

2021-04-12 Thread Родин Максим

Hi, James
Thank you for the link.
Since the problem really exists, the only option is to
periodically query the mount point, like you recommend, or like
I did using a while loop.

11.04.2021 21:11, James Stark wrote:

Hi Maxim,

I ran into the problem with the nfs mounts on linux hanging a few
months ago, when the Linux distro that I'm running (Void) on the NFS
client dropped UDP NFS mounts.  At the time I found this post that
explains the situation:

http://openbsd-archive.7691.n7.nabble.com/nfsd-hangs-Linux-tcp-clients-after-5-minutes-idle-td402844.html

As a work around, I've set up a cron script that stat's the mount
point every four minutes.  That stops the mount from hanging.

I hope that helps.

James

On Sun, Apr 11, 2021 at 2:04 AM Родин Максим  wrote:


Hello
I have an NFS server on OpenBSD 6.8 stable
which exports a folder with default settings.
I have a linux mint client which mounts a share from this NFS server
with these settings:
sudo mount -o wsize=8192,rsize=8192 192.168.1.65:/big
/home/user/store
   which gives a decent speed of about 50-60MB/s both ways, which seems OK
to me.
The problem is: when the mount point is not used for a while (5 minutes
and more) the share becomes unresponsive and the only way to unmount the
share is to do
sudo umount -lf /home/user/store
After that I can mount the share once again.
When I imitate using the share on client using
while :; do ls /home/user/store/ && echo "OK" && sleep 3 ; done;
the share remains responsive all the time and shows no problems.

What tweaks(settings) on the client(server) am I missing in my setup
to keep the mount point responsive?
--
Best regards
Maksim Rodin



--
Best regards,
Родин Максим
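A keepalive probe in the spirit of the cron script James describes, added here as an example; it is not code from the thread. It assumes a POSIX sh on the Linux client and uses the mount point /home/user/store from the original post; the script name, the crontab line and the 10-second bound are my choices. The one thing a bare stat in cron does not handle is the very failure mode the thread is about: once the mount has hung, stat blocks in D state and every later cron run piles up behind it, so the probe bounds its own wait and reports a hang instead of joining it.

```sh
#!/bin/sh
# nfs_keepalive.sh (hypothetical name): run from cron every 4 minutes so the
# OpenBSD nfsd never sees the Linux client's TCP mount idle for 5 minutes.
# Example code added to this thread, not the cron script James described.
#
# Crontab line (assumption, not from the thread):
#   */4 * * * * /usr/local/sbin/nfs_keepalive.sh /home/user/store

# Command used to touch the mount. Overridable so the timeout path can be
# exercised without a real NFS server (e.g. NFS_PROBE_CMD=sleep).
NFS_PROBE_CMD=${NFS_PROBE_CMD:-stat}

# probe_mount DIR [LIMIT]
#   0    the probe completed: the mount answers
#   124  the probe did not return within LIMIT seconds: the mount is hung
#        (same exit code GNU timeout uses)
#   any other non-zero: the probe ran and failed (path missing, EACCES, ...)
# A process blocked in an NFS RPC sits in D state and ignores signals, so the
# probe is started in the background and polled instead of waited on
# directly; otherwise a hung mount would also hang this script and every cron
# run after it.
probe_mount() {
    dir=$1
    limit=${2:-10}
    "$NFS_PROBE_CMD" "$dir" >/dev/null 2>&1 &
    pid=$!
    waited=0
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$waited" -ge "$limit" ]; then
            kill "$pid" 2>/dev/null   # best effort; a D-state process will not die
            return 124
        fi
        sleep 1
        waited=$((waited + 1))
    done
    wait "$pid"                      # exit status of the probe itself
}

main() {
    mnt=$1
    [ -n "$mnt" ] || { echo "usage: $0 MOUNTPOINT" >&2; return 64; }
    probe_mount "$mnt" 10
    rc=$?
    case $rc in
        0)   ;;   # silent on success: cron mails anything that is printed
        124) echo "nfs_keepalive: stat on $mnt hung for 10s; mount is already dead" >&2 ;;
        *)   echo "nfs_keepalive: stat on $mnt failed, exit $rc" >&2 ;;
    esac
    return $rc
}

# Only act when given a mount point, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

When the probe reports 124 the mount is already in the state the thread describes and the only recovery is the `umount -lf` from the original post; the point of the bounded wait is that cron keeps telling you so instead of silently accumulating stuck stat processes.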



help debug NFS

2021-04-11 Thread Родин Максим

Hello
I have an NFS server on OpenBSD 6.8 stable
which exports a folder with default settings.
I have a linux mint client which mounts a share from this NFS server 
with these settings:

sudo mount -o wsize=8192,rsize=8192 192.168.1.65:/big
/home/user/store
 which gives a decent speed of about 50-60MB/s both ways, which seems OK 
to me.
The problem is: when the mount point is not used for a while (5 minutes 
and more) the share becomes unresponsive and the only way to unmount the 
share is to do

sudo umount -lf /home/user/store
After that I can mount the share once again.
When I imitate using the share on client using
while :; do ls /home/user/store/ && echo "OK" && sleep 3 ; done;
the share remains responsive all the time and shows no problems.

What tweaks(settings) on the client(server) am I missing in my setup
to keep the mount point responsive?
--
Best regards
Maksim Rodin



Split-horizon dns

2021-03-26 Thread Родин Максим

Hello,
Is there a way to do split horizon dns using NSD?
I did not find anything similar in man nsd.conf
--
Best regards
Maksim Rodin



Re: blacklistd analogue

2021-03-25 Thread Родин Максим

Hello,
Why not just use a script that reads auth logs and adds abusive hosts to 
a pf table using some patterns?

And you then decide what to do with addresses in that table and how long
should they stay in that table.

user~$ pfctl -t bad_ips -T show | wc -l
   69079

24.03.2021 21:33, jeanpierre wrote:

Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?

For the sake of completeness: blacklistd is a daemon that, using pf
anchors, blocks connections from abusive hosts to particular services
(e.g. sshd) until they start behaving themselves again.

I find it very useful for trimming down log files.

Regards,
Jean-Pierre



--
Best regards,
Родин Максим
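The pattern-matching script Maksim describes, written out as an added example; his own script is not in the thread and this is not it. It assumes the default OpenBSD /var/log/authlog format for sshd(8) messages and takes the table name bad_ips from his pfctl output; the threshold of three failures and the sample log lines are constructed. The collector only prints addresses, so the caller decides, as he says, what to do with them; the pfctl wrapper below is the obvious follow-up, and it assumes pf.conf already declares the table persist and references it in a block rule, otherwise additions have no effect and are lost on reload.

```sh
#!/bin/sh
# Minimal blacklistd-style collector for OpenBSD: count sshd authentication
# failures per source address in authlog and feed repeat offenders into a pf
# table. Added example, not the script from the thread.
#
# Assumed pf.conf (not from the thread):
#   table <bad_ips> persist file "/etc/pf/bad_ip"
#   block in quick on egress from <bad_ips>

# abusive_hosts THRESHOLD
#   Reads authlog lines on stdin and prints one address per line for every
#   host with at least THRESHOLD failures. Only the two sshd(8) messages that
#   carry a source address are counted; "Accepted" lines are ignored.
abusive_hosts() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            # the address is the field after the literal word "from"
            for (i = 1; i < NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip }
    ' | sort
}

# block_abusive THRESHOLD TABLE [LOGFILE]
#   Adds the offenders to the pf table. PFCTL defaults to pfctl so the same
#   function can be dry-run with PFCTL=echo. "-T add" is idempotent, so
#   re-running from cron is safe; pair it with "pfctl -t TABLE -T expire 86400"
#   so entries age out instead of growing forever.
block_abusive() {
    threshold=$1
    table=$2
    logfile=${3:-/var/log/authlog}
    abusive_hosts "$threshold" < "$logfile" | while read -r ip; do
        "${PFCTL:-pfctl}" -t "$table" -T add "$ip"
    done
}

# Constructed sample in OpenBSD authlog format (RFC 5737 addresses, not real hosts).
sample_authlog() {
    cat <<'EOF'
Mar 25 10:00:01 gw sshd[4242]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 25 10:00:03 gw sshd[4242]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 25 10:00:05 gw sshd[4243]: Invalid user admin from 203.0.113.7 port 51250
Mar 25 10:00:09 gw sshd[4244]: Failed password for maksim from 198.51.100.20 port 40000 ssh2
Mar 25 10:00:10 gw sshd[4245]: Accepted publickey for maksim from 198.51.100.20 port 40002 ssh2
EOF
}

# Demo: three failures from 203.0.113.7 cross the threshold; the single failed
# login from 198.51.100.20 does not, so a user who typos a password once is
# not locked out.
if [ "${1:-}" = "demo" ]; then
    sample_authlog | abusive_hosts 3
fi
```

Run it as `sh script.sh demo` to see the collector alone, or `PFCTL=echo; block_abusive 3 bad_ips /var/log/authlog` to see the pfctl commands it would issue before letting it touch the live table. Because newsyslog rotates authlog, a cron job should process the current file only; the table, not the log, is the memory of past offenders.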



Aspeed AST2400 integrated video supported?

2021-02-18 Thread Родин Максим

Hello
Is that type of video chip on server motherboard (Supermicro X11SSL) 
supported?



--
Maksim Rodin



Cisco AnyConnect Secure Mobility Client Alternatives with MFA?

2021-01-31 Thread Родин Максим

Hello,
Our employer decided that AnyConnect Secure Mobility Client with 
multifactor Azure authentication is the only secure option to connect to 
work. No alternatives, no discussions.

There are packages for Windows and Linux only.
Did anybody succeed in running vpn clients compatible with all that 
funny stuff?


--
Best regards
Maksim Rodin



Re: httpd fastcgi socket option not working as expected

2020-12-21 Thread Родин Максим

Hello once again!
I figured it out.
The right syntax is now:

fastcgi socket tcp 127.0.0.1 3031

Thank you Adriano!


21.12.2020 14:53, Adriano Barbosa wrote:
Hi, I’m not able to read the details of your email right now. Are you on 
6.8? httpd(8) changed syntax for fastcgi socket.



On Mon, Dec 21, 2020 at 06:48, Родин Максим wrote:


Hello.
I have a working Django project
which can be run by its own http-server
using

"./manage.py runserver 0.0.0.0:8000"

One of the apps is available then on

"http://192.168.1.102:8000/it"

The same project can be run using uwsgi's own
http server by adding the option
"http-socket = :8000"
to the uwsgi.ini file:
The whole file is:

[uwsgi]
fastcgi-socket = 127.0.0.1:3031
http-socket = :8000
chdir = /home/someuser/DJANGO/main_site/
wsgi-file = main_site/wsgi.py
master = True
max-requests = 5000
processes = 2
threads = 2
stats = 127.0.0.1:9191
venv = /home/someuser/work_env
touch-reload = /home/someuser/DJANGO/main_site/reload
safe-pidfile2 = /home/someuser/DJANGO/main_site/uwsgi.pid
logto2 = /tmp/uwsgi.log
vacuum = True
# daemonize = yes

I was able to set up OpenBSD httpd to serve
Django applications two years ago.
I lost httpd.conf file which was working for me
but it did not seem too much complicated.
Now I try to reproduce my setup by using the
simplest httpd.conf:

server "192.168.1.102" {
          listen on * port 8000
          fastcgi socket ":3031"


fastcgi socket tcp 127.0.0.1 3031


}

Now I start uwsgi after commenting out the option "http-socket = :8000"
and it is ready to serve on 127.0.0.1:3031:

someuser$ uwsgi uwsgi.ini
[uWSGI] getting INI configuration from uwsgi.ini
*** Starting uWSGI 2.0.19.1 (64bit) on [Mon Dec 21 13:25:29 2020] ***
compiled with version: OpenBSD Clang 10.0.1  on 21 December 2020
07:54:16
os: OpenBSD-6.8 GENERIC#1
nodename: somewebserver
machine: amd64
clock source: unix
pcre jit disabled
detected number of CPU cores: 1
current working directory: /home/someuser/DJANGO/main_site
detected binary path: uwsgi

and its log:

chdir() to /home/someuser/DJANGO/main_site/
your processes number limit is 256
your memory page size is 4096 bytes
detected max file descriptor number: 512
lock engine: ipcsem
thunder lock: disabled (you can enable it with --thunder-lock)
uwsgi socket 0 bound to TCP address 127.0.0.1:3031 fd 3
Python version: 3.8.6 (default, Oct 13 2020, 09:04:17)  [Clang 10.0.1 ]
PEP 405 virtualenv detected: /home/someuser/work_env
Set PythonHome to /home/someuser/work_env
Python main interpreter initialized at 0xa81c55ec00
python threads support enabled
your server socket listen backlog is limited to 100 connections
your mercy for graceful operations on workers is 60 seconds
mapped 250080 bytes (244 KB) for 4 cores
*** Operational MODE: preforking+threaded ***
WSGI app 0 (mountpoint='') ready in 1 seconds on interpreter
0xa81c55ec00 pid: 89605 (default app)
*** uWSGI is running in multiple interpreter mode ***
spawned uWSGI master process (pid: 89605)
spawned uWSGI worker 1 (pid: 70095, cores: 2)
writing pidfile to /home/someuser/DJANGO/main_site/uwsgi.pid
spawned uWSGI worker 2 (pid: 17757, cores: 2)
writing pidfile to /home/someuser/DJANGO/main_site/uwsgi.pid
writing pidfile to /home/someuser/DJANGO/main_site/uwsgi.pid
*** Stats server enabled on 127.0.0.1:9191 fd: 11 ***

And this is what httpd shows:

user$ httpd -d
startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server 192.168.1.102
server_privinit: adding server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: running server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: running server 192.168.1.102
server_launch: running server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: running server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: running server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: running server 192.168.1.102

Then I try to access http://192.168.1.102:8000/it/

And then httpd shows:

192.168.1.102 192.168.1.57 - - [21/Dec/2020:13:33:21 +0300] "GET /it/
HTTP/1.1&qu

httpd fastcgi socket option not working as expected

2020-12-21 Thread Родин Максим

Hello.
I have a working Django project
which can be run by its own http-server
using

"./manage.py runserver 0.0.0.0:8000"

One of the apps is available then on

"http://192.168.1.102:8000/it"

The same project can be run using uwsgi's own
http server by adding the option
"http-socket = :8000"
to the uwsgi.ini file:
The whole file is:

[uwsgi]
fastcgi-socket = 127.0.0.1:3031
http-socket = :8000
chdir = /home/someuser/DJANGO/main_site/
wsgi-file = main_site/wsgi.py
master = True
max-requests = 5000
processes = 2
threads = 2
stats = 127.0.0.1:9191
venv = /home/someuser/work_env
touch-reload = /home/someuser/DJANGO/main_site/reload
safe-pidfile2 = /home/someuser/DJANGO/main_site/uwsgi.pid
logto2 = /tmp/uwsgi.log
vacuum = True
# daemonize = yes

I was able to set up OpenBSD httpd to serve
Django applications two years ago.
I lost httpd.conf file which was working for me
but it did not seem too much complicated.
Now I try to reproduce my setup by using the
simplest httpd.conf:

server "192.168.1.102" {
listen on * port 8000
fastcgi socket ":3031"
}

Now I start uwsgi after commenting out the option "http-socket = :8000"
and it is ready to serve on 127.0.0.1:3031:

someuser$ uwsgi uwsgi.ini
[uWSGI] getting INI configuration from uwsgi.ini
*** Starting uWSGI 2.0.19.1 (64bit) on [Mon Dec 21 13:25:29 2020] ***
compiled with version: OpenBSD Clang 10.0.1  on 21 December 2020 07:54:16
os: OpenBSD-6.8 GENERIC#1
nodename: somewebserver
machine: amd64
clock source: unix
pcre jit disabled
detected number of CPU cores: 1
current working directory: /home/someuser/DJANGO/main_site
detected binary path: uwsgi

and its log:

chdir() to /home/someuser/DJANGO/main_site/
your processes number limit is 256
your memory page size is 4096 bytes
detected max file descriptor number: 512
lock engine: ipcsem
thunder lock: disabled (you can enable it with --thunder-lock)
uwsgi socket 0 bound to TCP address 127.0.0.1:3031 fd 3
Python version: 3.8.6 (default, Oct 13 2020, 09:04:17)  [Clang 10.0.1 ]
PEP 405 virtualenv detected: /home/someuser/work_env
Set PythonHome to /home/someuser/work_env
Python main interpreter initialized at 0xa81c55ec00
python threads support enabled
your server socket listen backlog is limited to 100 connections
your mercy for graceful operations on workers is 60 seconds
mapped 250080 bytes (244 KB) for 4 cores
*** Operational MODE: preforking+threaded ***
WSGI app 0 (mountpoint='') ready in 1 seconds on interpreter 
0xa81c55ec00 pid: 89605 (default app)

*** uWSGI is running in multiple interpreter mode ***
spawned uWSGI master process (pid: 89605)
spawned uWSGI worker 1 (pid: 70095, cores: 2)
writing pidfile to /home/someuser/DJANGO/main_site/uwsgi.pid
spawned uWSGI worker 2 (pid: 17757, cores: 2)
writing pidfile to /home/someuser/DJANGO/main_site/uwsgi.pid
writing pidfile to /home/someuser/DJANGO/main_site/uwsgi.pid
*** Stats server enabled on 127.0.0.1:9191 fd: 11 ***

And this is what httpd shows:

user$ httpd -d
startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server 192.168.1.102
server_privinit: adding server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: running server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: running server 192.168.1.102
server_launch: running server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: running server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: running server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: running server 192.168.1.102

Then I try to access http://192.168.1.102:8000/it/

And then httpd shows:

192.168.1.102 192.168.1.57 - - [21/Dec/2020:13:33:21 +0300] "GET /it/ 
HTTP/1.1"

500 0
server 192.168.1.102, client 1 (1 active), 192.168.1.57:34196 -> 
192.168.1.102:8

000, No such file or directory (500 Internal Server Error)

No change on uwsgi.log
No change on uwsgi stdout

netstat -naf inet
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address  Foreign Address(state)
tcp  0  0  127.0.0.1.3031 *.*LISTEN
tcp  0  0  *.8000 *.*LISTEN

httpd does not seem to use the fastcgi socket it is pointed to
or is it my annoying mistake?

--
Best regards
Maksim Rodin



Re: OpenSMTPD-extras manual

2020-12-20 Thread Родин Максим

man table-socketmap is interesting but confusing:
__
"""DESCRIPTION
     This manual page documents the file format of "socketmap" tables used
     by the smtpd(8) mail daemon.

     The format described here applies to tables as defined in smtpd.conf(5).

SOCKETMAP TABLE
     A "socketmap" table uses a simple protocol.  The client sends a
     single-line request and the server sends a single-line reply.

     The table may be used for any kind of key-based lookup and replies are
     expected to follow the formats described in table(5).
"""
__

This table type could be just an experimental,
useless table type like ldap tables, or
a universal key to any user data (password) storage, if
one manages to write a middleware which
is able to make requests to any user data storage
and return the needed value in the proper format
to the smtpd server through socketmap.

But again, no clear manual entry makes it useless.
There is no hint in the manual on how to configure this type
of table access.


20.12.2020 01:34, Ingo Schwarze wrote:

Hi Maksim & Edgar,

Edgar Pettijohn wrote on Sat, Dec 19, 2020 at 03:37:22PM -0600:

On Sat, Dec 19, 2020 at 08:02:19PM +0300, ??  wrote:



Where can I find any manuals and examples regarding OpenSMTPD-extras?


Try:

$ man -k ^table-
$ man table-passwd table-socketmap table-sqlite table-redis


Which table types are supported and do not have status "experimental"
like ldap tables?
E.g. what is opensmtpd-extras-python and how can I use it?


Not sure about these questions.


Your best bet is to git clone the repository and search for the tables,
etc you are interested in.


That would be unusual with OpenBSD; when possible, we try to include
documentation in user-installable packages and not only in source
distributions.

Strangely, in this case, there are files

   table-postgres.5 table-mysql.5

in the source tarballs but not in the respective packing lists.

Strangely, the tarball also contains three empty README files.


If there is a manual simply `mandoc file | less`.


Not the best advice ever...  :-/

Manually piping mandoc(1) output to less(1) is never needed.

If you have a manual page in the current directory - say, table-sqlite.5 -
then just

$ man -l table-sqlite.5

is sufficient, and if it's properly installed, as the opensmtpd-extras
package does it, then just

$ man table-sqlite

does the job without even needing to worry about the current directory.


Unfortunately there aren't manuals for all of the `extras`.


Hmm, you may be right about that one, for example a table-python(5)
manual page doesn't appear to exist.

Yours,
   Ingo



--
Best regards,
Родин Максим



OpenSMTPD-extras manual

2020-12-19 Thread Родин Максим

Hello.
Where can I find any manuals and examples regarding OpenSMTPD-extras?
Which table types are supported and do not have status "experimental"
like ldap tables?
E.g. what is opensmtpd-extras-python and how can I use it?
--
Best regards
Maksim Rodin



OpenSMTPD and ldap+tls

2020-11-30 Thread Родин Максим

Hello
Is there a way to make opensmtpd work
with ldap aliases over a secure connection?

I do not know where to find working examples of this
My current /etc/mail/ldap.conf looks like this:

url                     ldap://ldap1.mydomain.ru
basedn                  dc=mydomain,dc=ru
username                cn=service,dc=mydomain,dc=ru
password                passpasspass

domain_filter           (&(objectClass=domain)(dc=%s))
domain_attributes       dc

credentials_filter      (&(objectClass=posixAccount)(uid=%s))
credentials_attributes  uid,userPassword

userinfo_filter         (&(objectClass=posixAccount)(uid=%s))
userinfo_attributes     uid,uidNumber,gidNumber,homeDirectory

alias_filter            (&(objectClass=nisMailAlias)(cn=%s))
alias_attributes        rfc822MailMember

The ldapd daemon is set up on another host to work over TLS and SSL and is
working correctly.

If I change url to ldaps://ldap1.mydomain.ru
or to ldap+tls://ldap1.mydomain.ru
then smtpd -dv shows:
"""
_
vdomains[50952]: warn: ldap_parse_url fail
vdomains[50952]: warn: ldap_connect error
vdomains[50952]: fatal: failed to connect
"""
_

--
Best Regards
Maksim Rodin



Re: incorrect pf rule?

2020-11-29 Thread Родин Максим

It turns out that my caring ISP really has a free firewall service
which is enabled by default.
I asked my ISP to disable it completely and now everything is OK.
Thank you!

29.11.2020 13:08, Stuart Henderson wrote:

On 2020-11-29, Родин Максим  wrote:

The problem is that only port 80 seems to be open from the outside.
I used several online port scanners to check this.
All of them tell:
port 80 OPEN
port 443 CLOSED


Could it be blocked by your ISP? Do you receive packets on your external
interface at all when you test port 443?




--
Best regards,
Родин Максим



Re: incorrect pf rule?

2020-11-29 Thread Родин Максим

It turns out that my caring ISP really has a free firewall service
which is enabled by default.
I asked my ISP to disable it completely and now everything is OK.
Thank you!

29.11.2020 14:30, Stuart Henderson wrote:

On 2020-11-29, Stuart Henderson  wrote:

On 2020-11-29, Родин Максим  wrote:

The problem is that only port 80 seems to be open from the outside.
I used several online port scanners to check this.
All of them tell:
port 80 OPEN
port 443 CLOSED


Could it be blocked by your ISP? Do you receive packets on your external
interface at all when you test port 443?





Or...if this is behind nat, do you need to add a port-forwarding on your ISP 
router?



--
Best regards,
Родин Максим



incorrect pf rule?

2020-11-28 Thread Родин Максим

Hello
I have a small 5 year old home router (upgraded to OpenBSD 6.8 stable) 
with a static public IP from my internet provider (obtained by DHCP) and a 
simple http/https server (OpenBSD httpd) in my network running in a VirtualBox 
VM (OpenBSD 6.8) which has the static IP 192.168.1.102.
The http server is available from the internal network on http and https 
ports when 192.168.1.102 is used.
To make the http server work from outside I'm trying to use the 
following PF rule on my router:

...
web_server = "192.168.1.102"
web_ports = "{ http https }"...
...
# Web-server
pass in log on egress inet proto tcp \
from ! to (egress) port $web_ports \
rdr-to $web_server

The problem is that only port 80 seems to be open from the outside.
I used several online port scanners to check this.
All of them tell:
port 80 OPEN
port 443 CLOSED

The whole ruleset is below:
__
"""
router root ~ # grep -v '^#' /etc/pf.conf 




int_if = "{ vether1 em1 em3 athn0 }"
beeline_tv = "{ em0 em2 }"
table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
   172.16.0.0/12 192.0.2.0/24 \
   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
   }
table  persist file "/etc/pf/bad_ip"
asterisk_server = "192.168.1.101"
web_server = "192.168.1.102"
web_ports = "{ http https }"

block log all

set block-policy drop
set skip on lo

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from (vether1:network) to any nat-to (egress:0)

pass out quick inet
pass in on $int_if inet

pass on $beeline_tv allow-opts

pass in on egress inet proto tcp from ! \
to (egress) port 22 keep state \
(max-src-conn 2, max-src-conn-rate 2/300, \
overload  flush global)

pass in on egress inet proto udp from ! \
to (egress) port 5060 keep state \
(max-src-states 1) rdr-to $asterisk_server
pass in on $int_if inet proto udp from (vether1:network) \
to (egress) port 5060 \
rdr-to $asterisk_server


pass in on egress inet proto udp from ! \
to (egress) port 1:2 keep state \
(max-src-states 1) rdr-to $asterisk_server

pass in on $int_if inet proto udp from (vether1:network) \
to (egress) port 1:2 \
rdr-to $asterisk_server


pass in on egress inet proto { tcp udp } from ! \
to (egress) port { 5 }  rdr-to 192.168.1.65

pass in log on egress inet proto tcp from ! \
to (egress) port $web_ports \
rdr-to $web_server
"""



I added some log options to try to understand which rule can be blocking 
access to https port from the outside but the log shows the following:



"""
router root ~ # tcpdump -n -e -ttt -i pflog0 port 80 or port 443

tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Nov 29 08:28:44.602109 rule 23/(match) pass in on vether0: 
5.101.123.139.40470 > 89.179.243.222.80: S 2282440086:2282440086(0) win 
29200  (DF) [tos 0x28]

"""


Access to port http is logged successfully but access to port https is 
nowhere
There are other rdr-to rules in my ruleset and all of them work as 
expected e.g.:
port 5060 udp and port range 1:2 udp are redirected to 
VirtualBox VM (Asterisk) as expected.




--
Best regards
Maksim Rodin



ldapd.conf certificate directive not working?

2020-11-28 Thread Родин Максим

Hello
When I use the following directive in ldapd.conf:
1)
...
listen on em0 ldaps
...
or
...
listen on em0 tls
...
and the certificate (em0.crt) and key (em0.key) files are in 
/etc/ldap/certs,

then "ldapd -n" shows OK.

When I use:
2)
...
listen on em0 ldaps certificate "/etc/ldap/certs/em0.crt"
or
listen on em0 ldaps certificate "/etc/ldap/certs/em0"
...
or
...
listen on em0 tls certificate "/etc/ldap/certs/em0.crt"
or
listen on em0 tls certificate "/etc/ldap/certs/em0"
...
then "ldapd -n" shows the following:
"/etc/ldapd.conf:10: cannot load certificate: /etc/ldap/certs/em0.crt
/etc/ldapd.conf:11: cannot load certificate: /etc/ldap/certs/em0.crt"
or
"/etc/ldapd.conf:10: cannot load certificate: /etc/ldap/certs/em0
/etc/ldapd.conf:11: cannot load certificate: /etc/ldap/certs/em0"

man ldapd.conf says:
"If no certificate name is specified, the /etc/ldap/certs directory is
searched for a file named by joining the interface name with a
.crt extension, e.g. /etc/ldap/certs/fxp0.crt."

This works OK
But the following:

"If the certificate name is an absolute path, a .crt and .key
extension are appended to form the certificate path and key path
respectively."
This part does not seem to work at all.
Neither it tries to search certificates using the absolute path nor
it tries to append .crt or .key extension to the absolute path when no 
extension is used in config.


Or I do it completely wrong?

--
Maksim Rodin



Re: Help debugging slow nfs (40kB/s); linux client

2020-04-18 Thread Родин Максим

Hello,
Try these options:

sudo mount.nfs -o wsize=8192,rsize=8192 IPADDRESS:/shara /home/myuser/shara/

Play with wsize and rsize to achieve better speed.
These are mine.

18.04.2020 02:31, Nathan Clement wrote:

Hello,

I am trying to get an Intel atom mini itx board running as an OpenBSD 6.6
NAS.
I've got the necessary daemons running on the mini itx board:


doas rcctl ls started

cron
httpd
mountd
nfsd
ntpd
pflogd
portmap
slaacd
smtpd
sndiod
sshd
syslogd

and exports is set up:


cat /etc/exports

/home/nathan/shared -alldirs -ro

I am mounting this from my laptop which runs on arch linux at the moment.
On the linux client machine, this is the relevant line from mount:

192.168.1.4:/home/nathan/shared on /home/nathan/mnt type nfs
(rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.1.4,mountvers=3,mountport=997,mountproto=udp,local_lock=none,addr=192.168.1.4)

I can copy small files over nfs, but anything large takes way too long.
I've read rsync isn't necessarily the best way to gauge transfer speed, but
rsync shows I'm getting about 38kB/s transfer speed. For comparison, I
tried using sshfs to mount the same directory on the itx to the same
location on the linux system and I get ~1.1MB/s, wow! Even that isn't
great, but the laptop is on wifi and I figure I can get to more tuning
later.

It seems clear I'm not (just) dealing with hardware limitations in this nfs
mount. What else can I do to debug this?

Thanks,
Nathan



--
Best regards,
Родин Максим



Re: Does Intel driver supports Intel g31?

2020-04-12 Thread Родин Максим

Clearly Russia is guilty of everything in this world.
But Kazakhstan is not Russia.
And your post shows that stupid people live not only in Kazakhstan.

11.04.2020 18:24, m brandenberg wrote:

On Sat, 11 Apr 2020, Nikita Stepanov wrote:


Does Intel driver supports Intel g31?


Clearly, Russia's GRU has been tasked with killing Theo by aneurism.

--
Monty Brandenberg



--

Maksim Rodin



IPTV handling on OpenBSD soft router

2019-06-16 Thread Родин Максим

Hello,
I am trying to set up an IPTV-box behind a soft router.

When my internet (iptv) provider installed the IPTV box he said that
I need a switch before my soft router to let IPTV stream successfully 
pass to the IPTV box.

I thought that a virtual bridge interface would be enough for this purpose.
I created a bridge0 interface and added three interfaces to it:
em0 - a physical one which delivers internet and iptv from my provider.
em2 - a physical one to which the IPTV-box is connected and which 
receives a MAC-bound IP address from the local network of my provider

(100.65.129.0/24).
vether0 - a virtual one which receives an external ip address from dhcp 
server of my provider (it therefore belongs to egress group) and through 
which my home computers access the internet using NAT ({ vether1 em1 em3 
athn0 }).


When PF is disabled the IPTV-box is working.
When PF is enabled the IPTV box works for several seconds and then the 
picture freezes. When I change to another TV channel it works again for 
several seconds and then it freezes again.
My pf settings are listed below (I used some of the config in PF user's 
guide)

I do no filtering on the ports needed (em0, em2)

When I do:
tcpdump -n -e -i pflog0 not ifname vether0
It shows no blocked packets

What am I missing?


"""
router root ~ # cat /etc/pf.conf
#   $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

int_if = "{ vether1 em1 em3 athn0 }"
table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
   172.16.0.0/12 192.0.2.0/24 224.0.0.0/3 \
   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
   203.0.113.0/24 }
table  persist file "/etc/pf/bad_ip"

block log all

set block-policy drop
set loginterface egress
set skip on lo

match out on egress inet from (vether1:network) to any nat-to (egress:0)

block in quick on egress from  to any
block return out quick on egress from any to 
pass out quick inet
pass in on $int_if inet

#  IPTV
pass on em2
pass on em0

#
pass in on egress inet proto tcp from ! to (egress) port 22
pass in on egress inet proto tcp from ! to (egress) port 80
pass in on egress inet proto { tcp udp } from any to (egress) port { 
51413 22034 6890:6999 6881 }  rdr-to 192.168.1.4
pass in on egress inet proto { tcp udp } from any to (egress) port { 
5 }  rdr-to 192.168.1.65


#block return   # block stateless traffic
#pass   # establish keep-state

# By default, do not permit remote connections to X11
#block return in on ! lo0 proto tcp to port 6000:6010
"""


--
Best regards
Maksim Rodin



Re: Django + httpd + relayd

2019-03-31 Thread Родин Максим

Django + httpd is explained here:
https://uwsgi.readthedocs.io/en/latest/OpenBSDhttpd.html?highlight=openbsd

30.03.2019 17:22, Michael Joy wrote:

Apologies in advance for the noobish question.
Does anyone have a tutorial or example of a working configuration for a
Django app being served with httpd and relayd? Beating my head off the wall
with it at this point.



--
Best regards,
Родин Максим



Re: SSH server immediately closes connection

2018-12-15 Thread Родин Максим

Hello,
That was my fault. I misconfigured my login.conf last time.

14.12.2018 16:14, Nick Holland wrote:

On 12/14/18 00:27, Максим wrote:

Hello,
I've got a PC running OpenBSD current.
After the latest upgrade I cannot ssh to it.

When I run "ssh 10.26.5.70"
I get this:
"Connection to 10.26.5.70 closed by remote host.
  Connection to 10.26.5.70 closed."
As an SSH client I use another OpenBSD box and a Linux machine
with the same result.
When I run "ssh -vvv 10.26.5.70"
the last messages are:

"debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to 10.26.5.70 ([10.26.5.70]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessi...@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: send packet: type 1
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
   #0 client-session (t3 nr0 i0/0 o0/0 e[write]/0 fd 4/5/6 sock -1 cc -1)

debug3: fd 1 is not O_NONBLOCK
Connection to 10.26.5.70 closed by remote host.
Connection to 10.26.5.70 closed.
Transferred: sent 2644, received 1932 bytes, in 0.0 seconds
Bytes per second: sent 1085498.2, received 793185.5
debug1: Exit status -1"


No errors in /var/log/daemon
No errors in /var/log/authlog

The result doesn't depend on the user which I use to login.


I just happened to have upgraded a system last night to the most recent
snapshot, I am NOT having any such problem.
OpenBSD 6.4-current (GENERIC.MP) #510: Thu Dec 13 06:20:42 MST 2018
 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

So ... Doesn't appear to be a systemic problem, most likely either a
knob you twisted before the upgrade or something about your upgrade process.

You need to provide more details about what you did...both before and
during the upgrade...and some indication of what platform you are
running and the snapshot you upgraded to.

Nick.



--
Best regards,
Родин Максим



Re: How to make the cwm window manager reread new config

2018-09-16 Thread Родин Максим

Thank you very much, it works.
I always thought this would restart my whole session and I would lose
all my open windows.

15.09.2018 21:38, Antoine Jacoutot wrote:

On Sat, Sep 15, 2018 at 08:41:52PM +0300, Родин Максим wrote:

Hello,
Maybe a silly question,
how can I make the cwm window manager reread its config file
without losing my working session?


 From cwmrc(5):
BIND FUNCTION LIST
  restart  Restart the running cwm(1).

And from cwm(1):
  cwm rereads its configuration file when it receives a hangup signal,
  SIGHUP, by executing itself with the name and arguments with which it was
  started.  This is equivalent to the restart function.



--
Maksim



Re: Deploy Django app - strategy?

2018-09-16 Thread Родин Максим

I deploy my django app using uwsgi and venv in my home dir
uWSGi starts on its default port and httpd server uses this port
to handle my app requests. Everything just like in the official manual 
of uwsgi.


26.08.2018 23:41, Chris Narkiewicz wrote:

On 26/08/2018 21:01, Paul de Weerd wrote:

Use python3 -m venv /path/to/venv to create a virtualenv using python3
and be done with it.


Yeah, it did the trick. I'm going to deprecate use of virtualenv,
since it's no longer needed with Python 3.6.

That will use a symlink to the actual python3
binary in /usr/local, so no issues with the lack of wxallowed on /var.
However, you'll have to deal with the chroot implications there...


I guess it's a non-starter with Django... I guess it'd be easier to
simply run it in Docker.


What webserver are you using?


It's a pretty standard stack:

* postgresql on localhost
* uwsgi on localhost with http/fastcgi protocol
* httpd on egress

Best regards,
Chris



--
Best regards,
Родин Максим



How to make the cwm window manager reread new config

2018-09-15 Thread Родин Максим

Hello,
Maybe a silly question,
how can I make the cwm window manager reread its config file
without losing my working session?
--
Maksim



Re: Different sound sources interfere with each other

2018-06-18 Thread Родин Максим
Maybe the system becomes ... too busy to serve these actions
simultaneously?
It seemed to me that any task which made decent use of computer
resources was able to cause that behavior.


18.06.2018 18:22, Maxim Tarasov wrote:

Hi,

I was able to find another trigger for this sound glitch:

dd if=/dev/zero of=/tmp/test bs=1m count=256
rm /tmp/test

Sound sometimes interrupts in the middle of dd(1) call, and always
interrupts at the time of rm(1) call on files larger than 200 Mb. It
looks like in case of dd/rm not only sound is affected, but mouse
cursor controlled by USB mouse also stops responding.

The unlink(2) call seems to take a long time:

$ dd if=/dev/zero of=test bs=1m count=1024 && ktrace rm test && kdump -R | grep unlink
1024+0 records in
1024+0 records out
1073741824 bytes transferred in 2.265 secs (473858546 bytes/sec)
24666 rm   0.01 CALL  unlink(0x7f7bb91b)
24666 rm   0.431070 RET   unlink 0

Can anybody provide any pointers on how to debug this further or
suggestions on what the problem might be?



--
Best regards,
Родин Максим



Re: 4-ports router under $150

2018-04-09 Thread Родин Максим

https://ru.aliexpress.com/item/QOTOM-310G4-3215U-Barebone-mini-pc-Dual-core-4-nics-Mini-pc-Ubuntu-Industrial-desktop-Computer/32769767156.html

This is what I bought for similar purposes.

It has 4 Intel Gigabit ports and their efficiency is 99%.


08.04.2018 00:59, Anatoli wrote:

Hi All!

I'm looking for a modest 4-5 port router under $150 that works well
with OpenBSD. I don't need WiFi, USB or console port, and the
throughput doesn't need to exceed 100Mbps. The ideal device would be
EdgeRouter X (compact, 5 ports, $50) but I know it's not supported at
this moment and probably never will be.


EdgeRouter (ER) Lite only has 3 ports and the switch ports (eth2-4) of 
ERPOE-5 are not yet supported.


ER-4 would be great, but the 4th port is SFP, I'd need to buy an SFP
NIC for one of my devices and I'm not sure it's supported as the
octeon page says ER PRO SFP ports are not supported yet. Also it's a
bit expensive ($190).


Banana Pi R2 would be great too, but I couldn't find if it's supported 
by OpenBSD (it has MediaTek MT7623N, Quad-core ARM Cortex-A7).


Are there 4-5 port devices that are known to work well with OpenBSD?

Thanks,
Anatoli



--
Best regards,
Родин Максим




webcam in browser not seen

2018-04-07 Thread Родин Максим

Hello,
I have a laptop with OpenBSD 6.3 64bit installed.
There is a webcam on the laptop which is detected in dmesg as uvideo0 
device.
The problem is that the webcam is not seen in the browser. I tried to set up
a Google Meet session.
Audio and mic seem to have been detected (after I installed 
gstreamer1-plugins-good and gstreamer1-plugins-libav).

The webcam section shows that there is no webcam in the system.


--
Best regards
Maxim Rodin