Re: With all this CPU/hardware mess, any advice on what to use for an organization?
Hello Chris,

There is something extremely weird going on around lately. People easily take offense where no offense was intended (and hard to find anyway). Nick was just telling you that (in his expert opinion) you shouldn't worry much about "Meltdown, Spectre, insecure motherboard chips", but concentrate on the real security instead. Unfortunately the real security takes years of learning and experience, and can't be "advised" in a couple of emails, but he provided a lot of valuable (and valid) information (which you were not ready to digest, I guess).

If you are allowing arbitrary code to run on your server you are screwed with or without Spectre, otherwise there is nothing to spy on you on that server (even if it's technically possible). If (any) government agency really wants to access your server, you are writing to the wrong list, otherwise government installed spying chips (if any) won't really hurt you. On the other hand, crapware (like Superfish) might.

BTW, your boss doesn't need to be stupid to compromise your password (or keys), just a "normal" human. Security isn't grokkable by "normal" people.

Tuesday, November 20, 2018, 2:11:52 PM, you wrote:

CB> On Tue, Nov 20, 2018 at 02:24:55PM -0500, Nick Holland wrote:
>> On 11/20/18 11:43, Chris Bennett wrote:
>> > I am almost certainly going to be replacing with a new server for an
>> > organization I am a member of.
>> > With all of this mess with Meltdown, Spectre, insecure motherboard
>> > chips, etc.
>> > I am pretty clueless on exactly what is going to be a secure set of
>> > server hardware.
>> > Intel, well no.
>> > AMD? I have read about problems with non-CPU chips being compromised.
>> > Another architecture? I have never used anything other than Intel/AMD.
>> >
>> > The server will run httpd, mailserver, PostgreSQL and somehow a good way
>> > for well encrypted messaging at times.
>>
>> all on one server?
>>
>> And as someone who has run a number of mail servers for a number of
>> companies ... don't. Just don't. Running your own mail server is a
>> good way to accomplish nothing except wasting a lot of time and making
>> people hate you.
>>
CB> The mail server is ONLY intended for members of the organization.
CB> You would have me use gmail or yahoo?
CB> The organization is suing another group for slander.
>> > It is very likely to run out of Austin, Texas.
>> > I think that having a direct connection would be best, but would a
>> > proper setup make collocation OK?
>>
>> You are using poorly defined buzzwords. What you mean by a "direct
>> connection", "proper setup", "collocation" and what I mean are likely
>> very different.
>>
CB> Well, then tell me some useful information. Correct my idiotic
CB> buzzwords. There was carefully noted in my message that I am facing new
CB> territory and need some advice.
>> > This isn't going to be my server, I will just be in charge. That's
>> > completely new for me.
>> > Any advice is really welcome, everywhere I read anything, hardware seems
>> > broken and insecure.
>>
>> Pretty much all new HW is optimized in ways that we are now learning
>> (and has been known for a long time) introduce security problems.
>> However, most of the problems boil down to having malicious software
>> running in the control of someone else on the same physical machine YOUR
>> code is running on.
>>
>> In short: No news. Really.
>>
>> If someone that wanted to do you evil lived in the same house as you,
>> you would not be comfortable, right? What if you put up walls
>> (virtualization) that have proven to be about as robust as paper?
>> That make you feel any better? Probably not. Virtualization has been
>> proven -- over and over -- not terribly secure. Now we got
>> cross-virtualization platforms ways of stealing data from other
>> processes. Important? yes. But in the big picture, it's similar to Yet
>> Another buffer overflow.
>>
CB> To be quite frank, and I don't mean anything negative to others using
CB> virtualization, you couldn't pay me to even consider using something
CB> that idiotic for trying to make a "secure" setup. And using the "clouds"
CB> , to me, is getting just a little bit too "high".
>> So...split your tasks on different physical systems as much as possible.
>> If your webserver is serving static pages, it's probably pretty robust.
>> If it's running Wordpress or any other "any idiot can manage the web
>> page" apps or dynamic web pages for other reasons, it should be a
>> machine of its own and have no other important data on it.
CB> Yes, using that idiotic Wordpress crap is exactly one of many problems I
CB> am going to immediately fix. Whoever is in charge can't even make that
CB> work!
>> Your primary goal should be to keep the bad guys off your computer in
>> every sense. And again...nothing new here.
>>
>> But if security is your concern, you want real hw you control in every
>> sense.
>>
CB> Which is exactly what my silly buzzwords was
Re: isakmpd and iked on the same box
Hello Philipp,

I used to (reliably) run from two to four parallel instances of isakmpd on same boxes (for years) - first using different ports, then different IPs. It seems like they've had to (peacefully) share the SADB. Did I just not have enough tunnels to trigger the problem? If this isn't the case, why can't iked be as "nice" as isakmpd? Just wondering.

Thursday, August 30, 2018, 10:39:21 AM, you wrote:

PB> Hi,
PB> On 30.08.2018 10:27, Sebastian Reitenbach wrote:
>> Hi,
>>
>> I'm wondering if it would be possible to add iked to my box already
>> running isakmpd.
>> I found this quite old thread:
>> http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html
PB> Why is it "always" my old threads in this area? :-)
PB> I was not following development too closely, but I think that on the
PB> kernel side
PB> things have not changed. Which means iked and isakmpd will happily "toe
PB> tap"
PB> on each other's SADB in the kernel (even if there is *some* PID
PB> handling).
PB> Would like to hear if kernel side has "improved" lately, but the overall
PB> standpoint
PB> looks like: IKEv1 is dead (e.g. see the removal of IKEv1 stubs in iked
PB> some "months ago").
PB> [Still stuck with my ikev2 with strongswan on a different box solution]
PB> HTH... wait, no:
PB> ciao

--
Best regards,
Boris mailto:psi...@prodigy.net
Re: Installer overwrites partition table
Hello Kamil,

Your reply is unreasonably aggressive. Is there something wrong with the OpenBSD in that particular area? I used to install the OBSD to an unused partition - pretty straightforward process. Did something change recently? I've checked the FAQ - didn't find big changes nor warnings (except the "know what you are doing").

BTW, I used to run OBSD in VMWare for testing and bug finding - the work was done, but didn't like the experience (a lot).

Wednesday, August 24, 2016, 6:41:58 AM, you wrote:

KC> On Wed, 24 Aug 2016, Bertram Scharpf wrote:
>> Hi,
>>
>> first of all, I am an experienced OS installer and I did a
>> heck of partitioning in my life. Now I had some unused disk
>> space and I found it a good idea to install OpenBSD.
>>
>> The installer's partitioning tool didn't offer me a variant
>> that keeps my existing partitions. Therefore I immediately
>> stopped it. But yet it was too late. The partition table was
>> overwritten.
>>
>> The damage is not hard for me because I tersely do backups.
>> But this behaviour is impudent. This blowfish is not a safe
>> operating system, it rather is a poorly prepared fugu.
>>
>> Bertram
>>
>>
>> --
>> Bertram Scharpf
>> Stuttgart, Deutschland/Germany
>> http://www.bertram-scharpf.de
KC> - You have unused disk space. Rather than spinning up a VM to play in,
KC> you've instead opted for letting a new OS, that you have no experience
KC> with, access and modify the raw disk bits.
KC> - You've tried installing the aforementioned new and unknown OS, on a
KC> disk that had other important data, that was already governed by
KC> another OS.
KC> To me, that doesn't sound like what an experienced user would do.
KC> <3,K.

--
Best regards,
Boris mailto:psi...@prodigy.net
Re: choosing OpenBSD for fileserver instead of FreeBSD + ZFS
Hello Miles,

I did research the matter about 18 months (or maybe 2 years) ago for the business, even asked the list. Decided in favor of FreeNAS (based on FreeBSD+ZFS if someone doesn't know). Can't tell how it went because the project died for reasons unrelated to the storage.

If you decide to go with OpenBSD I'd strongly suggest to use a good hardware RAID controller (not relying on the softraid). Make sure it's supported. I've had a good experience with HP Smart Array Pxx series. You can buy older models quite cheap on ebay (if you trust ebay). Haven't checked it on a "generic" PC though. Install the battery and replace it when the system complains (on boot or otherwise) - also sold on ebay.

RAID5 might not be enough when dealing with "few terabytes" - there is a risk of a second disk corruption due to high activity during recovery (google the subject). Consider RAID6 or RAID10 (1E, 1C, etc.) - both require a minimum of four disks.

I was told that fsck requires about 1G of memory per 1T of space. Could be dealt with by splitting to multiple partitions (labels). The ZFS memory requirements aren't lower anyway.

You need some sort of snapshotted (!) backup. Even if the RAID saves you from the disk corruption (the "if" here bigger than most people think), a human error (or a virus on someone's computer/phone) can destroy all your data, and then an rsync can propagate the "changes" to the backup (also destroying it if you don't have proper snapshots). The snapshots don't need to be called "snapshots" - any sort of backup with possibility to restore to an older date will do.

Wednesday, July 20, 2016, 6:52:04 AM, you wrote:

MK> Got a fileserver with a few terabytes of important personal media, like all
MK> old home movies, baby photos, etc. Files that I want my family to have
MK> access to when I die.
MK> Really it's more of a file archive. A backup. Just rsync + ssh. Serving
MK> it isn't the point. Just preserving it forever.
MK> (It's all unencrypted. It's not that kind of private. Private and offline
MK> from the outside world, but public within the family.)
MK> For years it's been on a Synology, Linux ext4 filesystem. Now I'm making a
MK> new clone of it (new PC) to be in a different location.
MK> I assumed I'd use FreeBSD + ZFS because of ZFS's checksum features. But
MK> really I love and prefer OpenBSD for everything else, and don't want any
MK> other ZFS features : just that checksum.
MK> So I figure if I use OpenBSD + softraid RAID 5 (across 4 disks) and then
MK> write my own little shell script to track the MD5 (find . -type f -exec md5
MK> {} \;) whenever I make changes, that should be enough to see if a file has
MK> been changed due to disk corruption.
MK> (Which makes me realize I don't know a damn thing about disk corruption,
MK> only that it's happened a few times in the past. The occasional JPG or MP3
MK> from the late 90s that used to work but now doesn't, and who-knows-why.)
MK> Before I embark on this direction for a fileserver, I thought I should
MK> check with the smart people here on misc:
MK> Any tips from anyone who's done something similar?
MK> Or would anyone advise me against OpenBSD or this MD5 log approach for a
MK> fileserver like this?

--
Best regards,
Boris mailto:psi...@prodigy.net
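An added example, not part of the original messages: the checksum-log idea from the quoted question combined with the point in the reply about rsync propagating damage. It records digest, size and mtime per file and, on re-check, separates content that changed with unchanged metadata (likely silent corruption) from ordinary edits, additions and deletions. SHA-256 is used in place of the MD5 from the question; the function names, the manifest layout and the sample files are assumptions made for this sketch.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so large media files are never loaded whole


def file_digest(path):
    """SHA-256 of a file's content (used here in place of the MD5 from the question)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root to its digest, size and mtime."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return manifest


def compare(old, new):
    """Classify differences: 'corrupt' means the content differs while size and
    mtime are unchanged (bit rot, or a tool that restored the timestamp);
    'modified' means the metadata moved with the content (an ordinary edit)."""
    report = {"corrupt": [], "modified": [], "added": [], "removed": []}
    for rel, rec in new.items():
        prev = old.get(rel)
        if prev is None:
            report["added"].append(rel)
        elif prev["sha256"] != rec["sha256"]:
            same_meta = (prev["size"], prev["mtime_ns"]) == (rec["size"], rec["mtime_ns"])
            report["corrupt" if same_meta else "modified"].append(rel)
    report["removed"] = [rel for rel in old if rel not in new]
    for key in report:
        report[key].sort()
    return report


def safe_to_sync(report):
    """Gate for the rsync step: corrupt or vanished files need a human decision
    first, otherwise the damage is copied over the only good copy."""
    return not report["corrupt"] and not report["removed"]


def demo():
    """Constructed sample tree: one silent bit flip, one edit, one add, one delete."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "photos"))
        samples = {"photos/baby.jpg": b"\xff\xd8" + b"A" * 4096,
                   "notes.txt": b"first version\n",
                   "old.avi": b"RIFF" + b"\0" * 512}
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)

        # The manifest belongs on separate media; the JSON round trip shows
        # that it survives being stored and reloaded.
        baseline = json.loads(json.dumps(build_manifest(root)))

        # Silent corruption: flip one bit, then restore the original mtime.
        victim = os.path.join(root, "photos/baby.jpg")
        st = os.stat(victim)
        with open(victim, "r+b") as f:
            f.seek(100)
            byte = f.read(1)
            f.seek(100)
            f.write(bytes([byte[0] ^ 0x01]))
        os.utime(victim, ns=(st.st_atime_ns, st.st_mtime_ns))

        with open(os.path.join(root, "notes.txt"), "ab") as f:
            f.write(b"second version\n")          # ordinary edit, size changes
        os.remove(os.path.join(root, "old.avi"))  # human error
        with open(os.path.join(root, "new.mp3"), "wb") as f:
            f.write(b"ID3")

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A manifest only detects damage; restoring the flagged file still depends on a dated backup made before the change.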
alternative places to buy the CDs in US are needed
Hello misc,

I've looked (and registered) at openbsdstore.com (USA site) - don't like it (a lot). Used to buy OpenBSD stuff from a US book store, but can't find it (there was a link to it on the openbsd.org, but not any more). Are there alternative (local) options to buy the OpenBSD CDs in the US?

--
Best regards,
Boris mailto:bo...@twopoint.com
what happened to the encap address_family
Hello misc,

The encap address_family isn't in the netstat man page anymore (BTW, there is no 5.7 section at www.openbsd.org/cgi-bin/man.cgi, just current). The netstat -nrf encap gives an error, the netstat -nr doesn't have the Encap section. Don't see anything about netstat nor about encap at http://www.openbsd.org/57.html, the google also didn't help.

How do I check VPN related routing besides ipsecctl -s flow (which isn't exactly the straight way)?

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: Best filesystem options for large drive
Hello Nick,

Thursday, February 12, 2015, 9:26:01 AM, you wrote:

NH> On 02/12/15 10:10, Boris Goldberg wrote:
>> Hello Nick,
NH> ...
>> I was entertaining the idea of making a 100 TB OpenBSD based archive
>> storage, even asked the list. The only answer pointed to that FAQ page,
>> and it stopped me from pursuing that idea. Servers with 128 GB of RAM
>> aren't uncommon, but expensive (comparing to 64/32 GB ones).
NH> I don't care what OS you are using, 100TB single volume archive is
NH> doing it wrong.
NH> Chunk your data, you will thank me; when it comes time to upgrade and
NH> migrate your hardware, you will be kissing my feet.
NH> The numbers have changed a bit (for the bigger) but the idea is as valid
NH> today as it was eight years ago:
NH> http://archives.neohapsis.com/archives/openbsd/2007-04/1572.html

Thanks. The facts aren't new, but well put together. Will try not to plan the storage needs more than a (half) year ahead. It's too bad we don't have 10 TB disks yet. ;)

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: Best filesystem options for large drive
Hello Nick,

Wednesday, February 11, 2015, 1:05:20 PM, you wrote:

NH> On 02/11/15 11:58, Jan Stary wrote:
>> On Feb 10 17:48:22, na...@mips.inka.de wrote:
>>> On 2015-02-10, yary not@gmail.com wrote:
>>>> I know FFS2 can handle that size easily, but I'm worried about fsck
>>>> taking forever. This machine will have 1.5GB RAM, from what I've read
>>>> that's not enough memory to fsck a 4TB volume without painful swapping.
>>> It vastly depends on the number of files you have on there.
>>> Here's an almost full 4TB drive...
>> FAQ4 still says
>> If you make very large partitions, keep in mind that performing
>> filesystem checks using fsck(8) requires about 1M of RAM per gigabyte
>> of filesystem size
>> ^^^
>> Does that still apply?
>> Jan
NH> It is probably far less than that currently, but lacking a more precise
NH> number, I don't think this is a bad rule of thumb, and if you wish to
NH> disregard it, I suspect you either read and really understand the code
NH> or do some real world testing on YOUR hardware and file systems. The
NH> penalties for too much RAM are minimal; the penalties for too little are
NH> ... substantial.
NH> Note that you don't have to leave file systems mounted RW all the time,
NH> especially a backup server. Mount it RW when you need it, dismount or
NH> RO it when you don't...tripping over the power cords won't
NH> (shouldn't?) corrupt a file system that is mounted RO. You don't get to
NH> ignore the issues, but you can reduce their occurrence.

I was entertaining the idea of making a 100 TB OpenBSD based archive storage, even asked the list. The only answer pointed to that FAQ page, and it stopped me from pursuing that idea. Servers with 128 GB of RAM aren't uncommon, but expensive (comparing to 64/32 GB ones).

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: OpenBSD 5.5 ISAKMPD
Hello Motty,

Friday, January 16, 2015, 5:24:33 PM, you wrote:

MC> is actually OpenBSD 4.8 not OpenBSD 5.5, I apologize for the mistake.
MC> I'm trying to setup IPSec Tunnel using the following parameters.
MC> Phase 1 exchange
MC> encryption: AES256
MC> Data Integrity: SHA256
MC> DH: group 20
MC> Aggressive Mode
MC> phase 2
MC> encryption: AESGCM256
MC> HASH: SHA384

Looking at the manual page for isakmpd.conf, OpenBSD-4.8: {group} is either GRP1, GRP2, GRP5, GRP14, or GRP15 - seems like group 20 isn't supported (not even in current, according to the man). Support of AESGCM starts in 5.0 (again according to man). Not sure if you can use just SHA2 (not SHA2-256 or SHA2-384).

Start with suite examples from the man page (of your system). Only if they work - try to adjust them (if really needed).

Make sure there are no trailing spaces in your isakmpd.conf. I've had a lot of fun with it in the past. Could be fixed since though.

--
Best regards,
Boris mailto:bo...@twopoint.com
disk quotas bug fix [was: quotas grace period none right away]
Hello misc, I've reported a detailed bug two months ago. The short story - grace period end time isn't being reset if the over_soft_quota stage is reached by chown command. I've confirmed it on i386 5.0 through current (as of month ago) and on amd64 5.4. Developers seemed to don't have time for it, so I've asked our consultant, Ed Bartosh bart...@gmail.com (not subscribed to the list), to look into this. It seems like he has fixed it. Here is the patch for 5.4 (tested on i386 only yet): Index: ufs_vnops.c === RCS file: /cvs/src/sys/ufs/ufs/ufs_vnops.c,v retrieving revision 1.107 diff -u -p -r1.107 ufs_vnops.c --- ufs_vnops.c 11 Jun 2013 16:42:19 - 1.107 +++ ufs_vnops.c 1 Dec 2014 21:54:44 - @@ -448,6 +448,8 @@ ufs_chown(struct vnode *vp, uid_t uid, g int error = 0; daddr_t change; enum ufs_quota_flags quota_flags = 0; + struct ucred *newcr; + if (uid == (uid_t)VNOVAL) uid = DIP(ip, uid); @@ -484,17 +486,26 @@ ufs_chown(struct vnode *vp, uid_t uid, g if ((error = getinoquota(ip)) != 0) goto error; - if ((error = ufs_quota_alloc_blocks2(ip, change, cred, -quota_flags)) != 0) + newcr = crget(); + newcr-cr_uid = uid; + newcr-cr_gid = gid; + + if ((error = ufs_quota_alloc_blocks2(ip, change, newcr, +quota_flags)) != 0) { + crfree(newcr); goto error; + } - if ((error = ufs_quota_alloc_inode2(ip, cred , + if ((error = ufs_quota_alloc_inode2(ip, newcr, quota_flags)) != 0) { - (void)ufs_quota_free_blocks2(ip, change, cred, + (void)ufs_quota_free_blocks2(ip, change, newcr, quota_flags); + crfree(newcr); goto error; } + crfree(newcr); + if (getinoquota(ip)) panic(chown: lost quota); Please advise if you see problems with that patch (besides the fact that it's for 5.4). -- Best regards, Boris mailto:bo...@twopoint.com
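Review bot: In the second hunk (@@ -484,17 +486,26 @@), ufs_quota_alloc_blocks2() and ufs_quota_alloc_inode2() no longer receive the caller's cred but newcr, a fresh crget() credential in which only cr_uid and cr_gid are set, both to the new owner. If either quota routine uses its credential argument to decide whether limits are enforced for the caller (a superuser exemption, for example), a chown issued by root would now be judged as the target user and could start failing where it previously succeeded; please confirm how those routines use the argument and record the reasoning in a comment above newcr = crget(). The three crfree(newcr) calls could also be reduced to one by initialising newcr to NULL and releasing it once on the way out.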
support of really big volumes
Hello misc, Has anyone used the OpenBSD with really big arrays - 50 to 200 terabytes? Are there any issues? Is there a rule about how many gigabytes of RAM per terabyte mounted is needed? -- Best regards, Boris mailto:bo...@twopoint.com
Re: quotas grace period none right away
Hello Otto,

Monday, October 6, 2014, 10:42:32 AM, you wrote:

OM> Yeah. Have something similar in my tree. If -Wall is happy, so am I.
OM> Does it explain 5.4 problems though.
OM> I did not manage to reproduce those so far.

It looks like the time_t patch is applicable to 5.5 (and later) only. Am I wrong? Is there going to be any (further) development about that bug in 5.4?

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: Change routing tables when ISP goes down
Hello Jeff,

Wednesday, October 1, 2014, 12:14:53 PM, you wrote:

J> It sounds like ping -I is what I was looking for, but when I use it, it seems
J> to be sending out the packet with the right source address, but sending it to
J> the wrong interface. Are there any tricks here?
J> Here's some data (edited) to show what I'm seeing:
J> fxp0: inet 10.16.100.1 netmask 0xfff0 broadcast 10.16.100.15
J> fxp1: inet 192.168.243.152 netmask 0xff00 broadcast 192.168.243.255
J> when I try ping -I 192.168.243.152 ucla.edu, I see the following:
J> tcpdump -i fxp0 icmp and host ucla.edu
J> tcpdump: listening on fxp0, link-type EN10MB
J> 13:06:36.478450 192.168.243.152 > 128.97.27.37: icmp: echo request
J> 13:06:37.483393 192.168.243.152 > 128.97.27.37: icmp: echo request
J> 13:06:38.493244 192.168.243.152 > 128.97.27.37: icmp: echo request
J> The routing table shows:
J> 10.16.100.0/28 link#1 UC 40 - 4 fxp0
J> 192.168.243/24 link#2 UC 10 - 4 fpx1

The output of route -n get ucla.edu would be helpful.

It seems like you need more knowledge about routing, otherwise there is a very big chance you shoot yourself in the foot messing around this. Been there, probably still is.

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: quotas grace period none right away
Hello Otto,

Wednesday, September 24, 2014, 2:36:58 PM, you wrote:

OM> Try to come up with a reproducible test case, include all relevant
OM> info and then we can investigate.

Here is what I could reproduce:

root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
Filesystem KBytesquota limit gracefiles quota limit grace
/var/mail 28 10 100 81 10
root@mail1 ~ # dd if=/dev/random of=w00 bs=1M count=150
150+0 records in
150+0 records out
157286400 bytes transferred in 2.679 secs (58707553 bytes/sec)
root@mail1 ~ # mv w00 ~test_spam/
root@mail1 ~ # chown test_spam /var/mail/test_spam/w00
root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
Filesystem KBytesquota limit gracefiles quota limit grace
/var/mail 153660* 10 100 18:10 91 10
root@mail1 ~ # edquota -t
Time units may be: days, hours, minutes, or seconds
Grace period before enforcing soft limits for users:
/var/mail: block grace period: 30 days, file grace period: 30 days
root@mail1 ~ # date
Mon Sep 29 14:12:42 CDT 2014
root@mail1 ~ # rm /var/mail/test_spam/w00
root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
Filesystem KBytesquota limit gracefiles quota limit grace
/var/mail 28 10 100 81 10
root@mail1 ~ # date
Mon Sep 29 18:47:44 CDT 2014
root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
Filesystem KBytesquota limit gracefiles quota limit grace
/var/mail 28 10 100 81 10
root@mail1 ~ # dd if=/dev/random of=~test_spam/w00 bs=1M count=150
150+0 records in
150+0 records out
157286400 bytes transferred in 2.059 secs (76367302 bytes/sec)
root@mail1 ~ # chown test_spam /var/mail/test_spam/w00
root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
Filesystem KBytesquota limit gracefiles quota limit grace
/var/mail 153660* 10 100 13:31 91 10
root@mail1 ~ # rm /var/mail/test_spam/w00
root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
Filesystem KBytesquota limit gracefiles quota limit grace
/var/mail 28 10 100 81 10
root@mail1 ~ # date
Tue Sep 30 08:38:03 CDT 2014
root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
Filesystem KBytesquota limit gracefiles quota limit grace
/var/mail 28 10 100 81 10
root@mail1 ~ # dd if=/dev/random of=~test_spam/w00 bs=1M count=150
150+0 records in
150+0 records out
157286400 bytes transferred in 2.074 secs (75822855 bytes/sec)
root@mail1 ~ # chown test_spam /var/mail/test_spam/w00
root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
Filesystem KBytesquota limit gracefiles quota limit grace
/var/mail 153660* 10 100none 91 10
root@mail1 ~ # rm /var/mail/test_spam/w00
root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
Filesystem KBytesquota limit gracefiles quota limit grace
/var/mail 28 10 100 81 10
root@mail1 ~ # dmesg | head
OpenBSD 5.4-stable (GENERIC.MP) #3: Wed Apr 2 16:44:04 CDT 2014
r...@build32.twopoint.com:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU 3060 @ 2.40GHz (GenuineIntel 686-class) 2.41 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,LAHF,PERF
real mem = 3621744640 (3453MB)
avail mem = 3551121408 (3386MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xee000 (47 entries)
bios0: vendor HP version W04 date 04/06/2007
bios0: HP ProLiant DL320 G5

I've also started the test case on another computer (turned on user quotas and created a new user) - everything starts unfolding the same way:

# quota test
Disk quotas for user test (uid 1002):
Filesystem KBytesquota limit gracefiles quota limit grace
/wrk 4 10 100 11 10
# dd if=/dev/random of=/wrk/test/w00 bs=1M count=150
150+0 records in
150+0 records out
157286400 bytes transferred in 14.572 secs (10793030 bytes/sec)
# chown test /wrk/test/w00
# quota test
Disk quotas for user test (uid 1002):
Filesystem KBytesquota limit gracefiles quota limit grace
/wrk 153636* 10 100 7days 21 10
# rm /wrk/test/w00
# quota test
Disk quotas for user test (uid 1002):
Filesystem KBytesquota limit gracefiles quota limit grace
/wrk 4 10
Re: quotas grace period none right away
Hello Otto,

Tuesday, September 23, 2014, 10:54:56 AM, you wrote:

OM> Grace moves to none if you go above the hard limit. If mail delivery
OM> is done by root, quotas are not enforced, so you can go over the hard
OM> limit, nulling the grace period.
OM> This is a problem I solved a long time ago by using a patch to do
OM> local mail delivery as a specific user, but that diff was never
OM> committed.

I've read your post about it, but in my case it doesn't go above hard limit, just slightly above the soft one (for a time definitely less than one day). The quota is 10/100, so there is (should be) a long way between them.

Just noticed something else. Was playing creating and deleting big files yesterday - it was showing grace period 7 days (before I deleted the files). Created another one today - the grace period is 6 days. Is it supposed to have that long memory (over 12 hours)? Don't believe it was like that before (in 5.0).

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: quotas grace period none right away
Hello Craig,

Wednesday, September 24, 2014, 3:56:35 AM, you wrote:

CRS> How about Dovecot sieve ...

Does this mean you tried and found out (or knew) that disk quotas were not going to work for you?

--
Best regards,
Boris mailto:bo...@twopoint.com
quotas grace period none right away
Hello misc,

I'm using i386 5.4-stable (GENERIC.MP) with user quotas (only) set on one FS (it's default FS, nothing special). The grace period is 7 days, edquota -t confirms it. It works fine if I create/chown files from shell, but changes to none right away with everyday operations (twice already). The box has rebooted after quotas were set, so the quotacheck did run.

This might have something to do with the fact that this is a mail server, and mail is being delivered by root (by procmail to maildirs if it makes a difference). I've found an old Otto's message about something remotely related.

Does someone have deeper understanding of this situation or experienced something similar?

--
Best regards,
Boris mailto:bo...@twopoint.com
dcc port
Hello misc,

We needed to install DCC (to work with SpamAssassin), couldn't find an OpenBSD port, so we've built it ourselves. Does anyone want it? It's for 5.4 i386. We probably can compile it for 5.4 amd64. Won't be able to compile for 5.5 or 5.6, so can't maintain the port.

The package installs fine, but requires manual transfer of /var/dcc/ content. That could be improved if someone explains how to put stuff outside of /usr/local/.

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: IPSEC with redundant remote peer address
Hello Stuart,

Wednesday, August 6, 2014, 8:01:21 AM, you wrote:

SH> On 2014-08-05, David Dahlberg david.dahlb...@fkie.fraunhofer.de wrote:
>> I do not know enough of Cisco to be able to tell you whether or not one
>> may cluster their routers/VPN gateways. But you have multiple options to
>> emulate the fallback behaviour that you described above.
>> 1) Just configure two tunnels, to both Cisco gateways. Give one route(8)
>> -priority, or use a dynamic routing protocol.
>> 2) You may use ifstated or similar to monitor the gateways and tunnels
>> and switch over, when indicated.
SH> Note that for these methods you'll need to use some explicit encapsulation
SH> (for example, gif or gre) rather than using standard ipsec tunnels. On
SH> OpenBSD IPsec is flow-based and there is no option for route-based like
SH> various other vendors support.

I couldn't directly manipulate IPSec related routing, but there is a way to do it indirectly. The narrower route takes priority, so you can slightly adjust one of the tunnels. For example, if it goes from 192.168.1.0/24 to 10.0.0.0/8 you can make the primary one from 192.168.1.0/24 to 10.0.0.0/9 (and maybe the second primary to 10.128.0.0/9 if you really need it). Or you can make the secondary one from 192.168.0.0/23 to 10.0.0.0/8.

If you make just two tunnels it will be redundant, but not very responsive to a lost connection, because tunnels don't check themselves very often (sometimes this is what you need). If you need something more responsive you can play with phase 2 lifetimes (not sure if this is a good idea) or have some watchdog process (ifstated?) to force phase 2 renegotiation if the connection is lost.

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: reload isakmpd
Hello Motty,

Friday, July 25, 2014, 10:17:15 AM, you wrote:

mc> Hello, how to reload configuration without restarting isakmpd?

I assume you start isakmpd directly (configuring isakmpd.conf and isakmpd.policy). Then you'll see in the process list something like

process_number_1 ... isakmpd
process_number_2 ... isakmpd: monitor [priv] (isakmpd)

kill -1 process_number_2 will make isakmpd reload configuration.

kill -1 `cat /var/run/isakmpd.pid` also works in most cases.

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: nat-to private address
Hello Tuyosi,

Thursday, June 26, 2014, 5:34:05 AM, you wrote:

TT> according to man pf.conf
TT> 10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8)
TT> 172.16.0.0 - 172.31.255.255 (i.e. 172.16/12)
TT> 192.168.0.0 - 192.168.255.255 (i.e. 192.168/16)
TT> nat-to is usually applied outbound. If applied inbound, nat-to
TT> to a local IP address is not supported.

It is confusing, but probably means something else. I have a number of nat-to to private IPs, and they work fine. I'm not running the latest version, but hope the nat-to behavior hasn't changed (the man hasn't).

The nat-to could be tricky, you need to make sure packets in question are going into the interface you want *before* the NAT. Here comes the routing, which is especially tricky, because in a number of cases running route add isn't enough (or doesn't help at all).

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: LAN vs VLAN interface performance
Hello ML,

Thursday, June 19, 2014, 2:21:38 AM, you wrote:

Mm> I have four /24 subnets and currently have one subnet per ethernet
Mm> interface (1Gbit/s) on my openbsd firewall. Now I was wondering if in
Mm> terms of performance (especially latency/pps) it is better to have one
Mm> subnet per ethernet interface like I have now or to have the four
Mm> subnets on one single interface using vlan interfaces?
Mm> The traffic/bandwidth here is not really an issue and the one single
Mm> interface would be a 10 Gbit/s interface anyway so it can accommodate
Mm> the traffic of 4 VLANs without problem.
Mm> Note here that I would also be using the trunk interface to aggregate
Mm> two 10 Gbit/s interfaces for redundancy. So my four VLANs would be inside a trunk interface.

Sorry for the OT, but haven't you separated them for a reason in the first place? There is no real security separation between vlans.

Also OT - is OBSD handling 10 gigabit interfaces at full capacity already?

--
Best regards,
Boris mailto:bo...@twopoint.com
antiviruses executable on OpenBSD
Hello misc,

We are building a new mail server (migrating from Linux). It uses amavis with f-prot, drweb and clam antiviruses to check emails. The f-prot is ok. The drweb catches much less, but sometimes catches something f-prot doesn't. The clam catches pretty much nothing.

The (almost useless) clam is the only one that has an official OpenBSD support.

The drweb isn't supporting OpenBSD anymore, its last OBSD version was built for OBSD 4.1, but is still working on 5.4 (somehow). For sure won't work on 5.5. The scan engine and signatures are being updated, but the situation is not promising.

The f-prot isn't supporting (any) BSD anymore, the last OBSD version was built for OBSD 4.8. Had to re-introduce 4.8 compatibility in 5.4 kernel to make it work - a risky move, requiring putting back some code from the 5.0. The scan engine isn't being updated. The signatures are being updated and supported, but the situation is even worse than the one with drweb.

I did some googling and also checked sites of antiviruses known for good virus catching score (like Kaspersky and Bitdefender) - everyone seems to drop OpenBSD support.

Do you know of any reliable antivirus scanners (free or not) that would run on modern OpenBSD?

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: upgrades no longer allow ftp for sets
Hello Theo,

Wednesday, March 26, 2014, 3:18:59 PM, you wrote:

TdR> ... placing openssl there is not part of any solution that would work.
TdR> What are other possible solutions?

Do you think sftp would fit? Can you replace ftp with sftp? I'd prefer to maintain a limited access sftp server rather than a http one.

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: upgrades no longer allow ftp for sets
Hello misc,

Thursday, March 27, 2014, 9:14:00 AM, Jiri wrote:

JB> Could you please elaborate why not sftp for sets (and/or
JB> for pkg_add)?

I'll rephrase: can someone besides Theo elaborate? It was an obvious mistake to reply to his email (to be fair, I've addressed it to misc, not to him).

In his long email Theo was talking about openssl. It's my understanding that openssh is going away from openssl, so I don't see a direct connection. I also see that psftp (from the putty) is about 300K, and I don't believe it has any important dependencies (kerberos could be ignored in this case).

BTW, what is limiting the bsd.rd size? It's not for a floppy. I've tried searching and found only a rumor that there might be the size limit.

--
Best regards,
Boris mailto:bo...@twopoint.com
ciss driver status
Hello guys,

It says in the man ciss:

CAVEATS
     For purposes of status monitoring, the current code only supports one
     logical volume per controller.

Is this still true? If I make more than one array with one controller and type bioctl ciss0 - what will it show me?

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: new queueing subsystem
Hello Henning,

Friday, October 18, 2013, 5:37:23 AM, you wrote:

>> I extensively use cbq and very confused by the current queuing manual.
>> It seems that actual speed will be somewhere between min and max (and
>> won't be equal to bandwidth), but how to get an idea where?

HB> bandwidth is the target bandwidth, the actual assigned one is
HB> somewhere between min and max indeed.

You do realize that you haven't answered the question, don't you? Your previous email and the presentation help a bit, but not really.

Will the actual queue speed be pushed towards max or bandwidth (and how close) if other siblings are almost still?

Will the actual queue speed be pushed towards min or bandwidth (and how close) if other siblings are extremely busy?

Other tips to migrate extensive cbq queues (with borrowing) would be very helpful and appreciated.

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: new queueing subsystem
Hello Otto,

Wednesday, October 16, 2013, 10:05:04 AM, you wrote:

OM> This will not be in 5.4, it will be in 5.5. If you see shortcomings in
OM> the docs explain in more detail.

It might be a good idea to return the altq section to the pf.conf man page for current.

You probably need to mention that the new queuing is using hfsc model and what hfsc model is.

I extensively use cbq and very confused by the current queuing manual. It seems that actual speed will be somewhere between min and max (and won't be equal to bandwidth), but how to get an idea where?

Does the set prio affect this queuing or just creates some separate queues?

--
Best regards,
Boris mailto:bo...@twopoint.com
new queueing subsystem
Hello misc,

The changes in the pf queueing subsystem (for some reason not mentioned in the http://openbsd.org/faq/upgrade54.html) are getting me worried. Couldn't find the word altq in the http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html.

Is the old queueing gone? Is existing pf.conf not going to work with 5.4?

How does the new queueing work? The manual gives the syntax (quite limited compared to the altq - in my opinion), but doesn't really explain anything. For example - is there a bandwidth borrowing and how is it prioritizing?

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: softraid: adding volumes, CPU requirements, RAID5
Hello guys,

Thursday, July 4, 2013, 12:40:50 PM, Nick Holland wrote:

>> If the softraid is so raw yet, why the old good RAIDFrame was removed
>> starting the 5.2? It works just fine for me. Big volumes rebuilds take a
>> long while, but it's something working.

NH> That's quite a leap from RAID 5 is not ready for use to softraid is
NH> so raw. RAID5 is one discipline of several that isn't complete. RAID0
NH> is ready for use, RAID1 is ready for use, crypto is ready for use.

I've tried to use the nicer word. Not fully functional and raw are synonyms.

NH> It is also quite a leap to call old RAIDframe good.
NH> It was horribly old, unmaintained code, which wasn't well loved by
NH> developers when it was fresh and current.
NH> Your assumptions are wrong.

I am not assuming, I'm talking from experience. It works. I can install to it (after a small tweak in the script). I boot from it (after a small tweak in the code to pick up swap on raid). It continues to work if one disk fails. It repairs (automatically if you replace the disk and boot - doing much better job than md from Linux). In other words - it's fully functional with some flaws. Fully functional is the key expression here.

Is the RAIDFrame old? Yes, but old isn't necessarily bad if it's working.

Did it need a replacement? Yes if no one was willing to maintain it.

Did you need to kill it *before* the replacement is ready? Definitely no.

Could you, please, return the RAIDframe support until the softraid is ready?

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: softraid: adding volumes, CPU requirements, RAID5
Hello Tony,

Friday, July 5, 2013, 10:09:37 AM, you wrote:

TA> It works.
TA> Translation:
TA> It has worked (mostly) for me. (A few times)

Don't try to translate from the language you don't understand. It's in production on more than a few servers now, and has been for more than ten years.

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: softraid: adding volumes, CPU requirements, RAID5
Hello guys,

Tuesday, July 2, 2013, 5:53:04 PM, Nick Holland wrote:

NH> RAID5 rebuild is still not there - there's no RAID5 rebuild. I'm not
NH> sure how to make it more clear...
NH> Ok, let's try this...
NH> Today, you take four 1TB disks, and make a 3TB RAID5 volume. You can do
NH> that. Works great.
NH> Now, a lot of people might call this Job Done. Not me. The point of
NH> RAID isn't to build complicated systems, but to have the system keep
NH> your butt out of the fire when things go wrong.
NH> Next month, one of those drives fail. That's ok, RAID5 is designed to
NH> keep your data usable with one drive down. THAT is the point of RAID.
NH> You pat yourself on the back and say, I'm glad I am using RAID5.
NH> You replace the failed drive and...
NH> ...
NH> um... now what?
NH> You have a three drive degraded RAID5 system with no remaining
NH> redundancy...and a new drive that is currently unused. You have no
NH> ability to rebuild the function of the failed drive into the new
NH> drive...because the RAID5 rebuild is not there.
NH> Oh, poo.
NH> Your options? Well,
NH> * you can build a NEW array on other disks (hope you have enough ports
NH> to plug them into), copy the data from the old one to the new one
NH> * you can hope your backup system is perfect, and rebuild the entire
NH> array and reload from backup
NH> * you can hope a second drive doesn't fail in your array... for the life
NH> of the system.
NH> Not much else I can think of.

If the softraid is so raw yet, why the old good RAIDFrame was removed starting the 5.2? It works just fine for me. Big volumes rebuilds take a long while, but it's something working.

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: OpenBSD ipsec gateway behind a router
Hello Mik,

Sunday, November 13, 2011, 8:06:32 AM, you wrote:

MJ> I would like to know if such configuration is possible.
MJ> LAN1
MJ> (192.168.10.0/24) -- OpenBSD .99 -- .254 Router IPx -- Internet -- IPy
MJ> IPSec_GW (Vendor) -- LAN2 (192.168.20.0/24)
MJ> As you can see the OpenBSD 4.9
MJ> server sits on the LAN1 and has one physical interface.
MJ> When it wants to
MJ> access to the internet, its address 192.168.10.99 is natted in IPx and that's
MJ> how the IPSec_GW(Vendor) sees the source packets.
MJ> It's not really important
MJ> now if other machines on LAN1 should ping machines on LAN2. I would like for
MJ> now that the OpenBSD could ping machines on LAN2.
MJ> I have searched for examples
MJ> on the internet for this particular case because the OpenBSD is behind a nat
MJ> router. And I haven't found the proper way to do this. I don't even know if
MJ> it's possible. I know some kind of nat-t should be used though.
MJ> Does anyone
MJ> have this configuration in place ?

There are two problems in that configuration: IPSEC behind a NAT and one physical interface.

IPSEC behind a NAT more often works than not. I have similar working configuration myself (but with two interfaces). Would recommend to use UDP encapsulation if the other side supports it.

I would recommend to get a computer with 2 network interfaces. Otherwise it's going to be very complicated at best. /24 (on the left) is for sure not going to work.
Re: Routing issue with VPN tunnel
Hello Danial,

Sunday, December 14, 2008, 6:06:12 PM, you wrote:

D> The remote tunnel endpoint expects traffic originating from
D> a specific ip address - the internal ip of the firewall.

>> I have a tunnel successfully set up between my OpenBSD 3.8 and a Cisco 7200 router.
>> ...
>> There are ACLs on the $remote_gw which only allow traffic NATed with my
>> $int_if ip. Hence this nat in pf.conf:
>>
>> nat on enc0 inet from $int_net to $remote_host -> $int_if
>> ...
>> What I CAN do is ping the $remote_host through the tunnel from the $int_if
>> with the following command:
>>
>> # ping -I $int_if $remote_host
>>
>> This works and replies are received! But if I try pinging from the
>> $internal_host:
>>
>> c:\> ping $remote_host
>>
>> This doesn't work. The packets are not sent through the tunnel but to the
>> internet.

I have a working tunnel like yours. Maybe there is a way to do it right, but I haven't found one. But here is a workaround:

Your tunnel is probably host-to-host - don't change it, but add an additional network-to-host one. That dummy tunnel won't actually transfer anything, but will route packets from your internal network to enc0, then your nat rule will change it and everything should work.

--
Best regards,
Boris mailto:bo...@twopoint.com
Re: HP DL180 hangs on boot
Hello Alexander,

Thursday, November 6, 2008, 7:44:16 AM, you wrote:

AH> OpenBSD 4.4-current (RAMDISK_CD) #203: Sun Nov 2 13:41:35 MST 2008
AH> [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/RAMDISK_CD

You might want to try i386.

AH> uhid at uhidev1 not configured
AH> ...
AH> uhid at uhidev3 reportid 2 not configured
AH> uhid at uhidev3 reportid 3 not configured
AH> uhid at uhidev3 reportid 4 not configured
AH> uhid at uhidev3 reportid 16 not configured
AH> uhid at uhidev3 reportid 17 not configured

Try to disable uhid in the kernel.

AH> softraid0 at root

Is there a way to boot without a softraid (just to make sure it's not causing the problem)?

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: Can OpenBSD run in 24 MB of RAM?
Hello Shr, Wednesday, September 3, 2008, 10:00:22 PM, you wrote: sdc I've searched the FAQ and the Web for any guidance on what the minimum RAM sdc is for OpenBSD, with and without X. sdc I just acquired a Compaq Armada 1125 laptop that maxes out at 24 MB of sdc RAM, and I'm wondering whether or not it's feasible to run OpenBSD on it. $ dmesg OpenBSD 3.5 (GENERIC) #34: Mon Mar 29 12:24:55 MST 2004 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel 486DX (486-class) real mem = 20824064 (20336K) avail mem = 13275136 (12964K) using 279 buffers containing 1142784 bytes (1116K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(00) BIOS, date 01/10/94 pcibios at bios0 function 0x1a not configured bios0: ROM list: 0xc/0x8000 isa0 at mainbus0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard vga0 at isa0 port 0x3b0/48 iomem 0xa/131072 wsdisplay0 at vga0: console (80x25, vt100 emulation), using wskbd0 wsdisplay0: screen 1-5 added (80x25, vt100 emulation) wdc0 at isa0 port 0x1f0/8 irq 14 wd0 at wdc0 channel 0 drive 0: WDC AC21600H wd0: 16-sector PIO, LBA, 1549MB, 3173184 sectors wd1 at wdc0 channel 0 drive 1: QUANTUM FIREBALL EX5.1A wd1: 16-sector PIO, LBA, 4892MB, 10018890 sectors wd0(wdc0:0:0): using BIOS timings wd1(wdc0:0:1): using BIOS timings ep0 at isa0 port 0x300/16 irq 10: address 00:20:af:27:c1:5d, utp/aui/bnc (default utp) pcppi0 at isa0 port 0x61 midi0 at pcppi0: PC speaker sysbeep0 at pcppi0 lpt0 at isa0 port 0x378/4 irq 7 npx0 at isa0 port 0xf0/16: using exception 16 pccom0 at isa0 port 0x3f8/8 irq 4: ns16450, no fifo pccom1 at isa0 port 0x2f8/8 irq 3: ns16450, no fifo fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec biomask 4040 netmask 4440 ttymask 44c2 pctr: no performance counters in CPU dkcsum: wd0 matched BIOS disk 80 dkcsum: wd1 matched BIOS disk 81 root on wd0a rootdev=0x0 rrootdev=0x300 rawdev=0x302 $ 
swapctl -kl Device 1K-blocks UsedAvail Capacity Priority swap_device102312 442097892 4%0 $ uptime 10:07AM up 378 days, 16:48, 1 user, load averages: 0.20, 0.21, 0.14 It's 486DX4 50MHz with 20 meg of RAM, working as a production (!) secondary mail/DNS server. Has been used (and occasionally being used) as an ftp server (vsftp) - login process is slow, but transfer(s) at full T1 speed causing no problem. I've installed a GENERIC 3.5 from floppy/ftp very easily. Modern boxes are giving me much more troubles. There is no X, of course. Don't know if OBSD 4.4 require much more resources than 3.5, but the size of GENERIC kernel is just a little bigger. -- Best regards, Borismailto:[EMAIL PROTECTED]
Re: OT: Can an SSH alternative to WebDav be use on OpenBSD
Hello Daniel,

I believe it should be possible to set up samba-over-ssh. I mean samba listening localhost only on the server and putty (www.chiark.greenend.org.uk/~sgtatham/putty/) with port forwarding on clients.

You can also use samba-over-ipsec. IPSec is not less secure than ssh and gives you more flexibility.

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: HP DL320G5P doesn't boot
Hello RedShift,

Friday, December 21, 2007, 4:41:53 AM, you wrote:

R> I've got a new DL320G5P to play with for a very short while, while I'm
R> waiting for the SAS controller cable to arrive (it's supposed to have
R> another OS on it, which shall remain nameless). So I have the luxury of
R> testing out this fine machine, but it doesn't boot under OpenBSD. It
R> hangs at the following point:
R> uhid at uhidev4 not configured

It looks like your box is an upgraded version of DL320G I have. OpenBSD works on mine after some kernel tuning - there are couple threads about it in the archive. I think you need to enable acpi and (maybe) disable uhid (in my case it's uhci) in a kernel. If it doesn't help with amd64 kernel you can try i386 (because your cpu is Intel).

I don't see a reason for all that work in the first place, because you don't really need an OpenBSD on that box (you are saying that it will get another OS anyway).

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
can't properly set up kernel to have root and swap on a RAIDframe device
Hello misc, I've been booting my system from RAIDframe partitions for a long while. Small partition for kernel(s), raidctl -A root raid0 - and I have root on raid0a and swap on raid0b. But with 4.2 I'm getting swapmount: no device error from the kernel and savecore: no core dump (no dumpdev) later. However, root is still on raid0a (but no swap). I've tried config bsd root on raid0a swap on raid0b dumps on wd0b in a kernel config, but got: # config GENERIC.MP.RAID ../../../../arch/i386/conf/GENERIC.RAID:45: bsd: can't make root device from `raid0a' ../../../../arch/i386/conf/GENERIC.RAID:45: bsd: can't make swap device from `raid0b' GENERIC.MP.RAID has no configurations! *** Stop. I have an idea about a (pretty nasty) workaround, but is there a way to make it right? BTW, config bsd root on wd0a swap on wd0b dumps on wd0b and wd1b should be ok (according to the main page), but config doesn't like and wd1b. # dmesg OpenBSD 4.2-stable (GENERIC.MP.RAID) #0: Thu Oct 18 17:40:50 CDT 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP.RAID cpu0: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR real mem = 1071640576 (1021MB) avail mem = 1028104192 (980MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xee000 (47 entries) bios0: vendor HP version W04 date 04/06/2007 bios0: HP ProLiant DL320 G5 pcibios0 at bios0: rev 3.0 @ 0xf/0x2000 pcibios0: PCI BIOS has 7 Interrupt Routing table entries pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00) pcibios0: PCI bus #11 is the last bus bios0: ROM list: 0xc/0xb000 0xcc400/0x3400! 0xcf800/0x1a00 0xe6000/0x2000! 
acpi0 at mainbus0: rev 2 acpi0: tables DSDT FACP SPCR MCFG HPET SPMI APIC SSDT acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 200 MHz cpu1 at mainbus0: apid 1 (application processor) cpu1: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins acpiprt0 at acpi0: bus 11 (IP2P) acpiprt1 at acpi0: bus 5 (PCXS) acpiprt2 at acpi0: bus 4 (PCXA) acpiprt3 at acpi0: bus 3 (ICHE) acpiprt3: no apic found for irq 47 acpiprt4 at acpi0: bus 6 (IPE4) acpiprt5 at acpi0: bus 1 (PTA0) acpiprt6 at acpi0: bus 0 (PCI0) acpicpu0 at acpi0 acpicpu1 at acpi0 acpicpu2 at acpi0 acpicpu3 at acpi0 acpicpu4 at acpi0 acpicpu5 at acpi0 acpicpu6 at acpi0 acpicpu7 at acpi0 acpitz0 at acpi0, critical temperature: 31 degC ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 spacing 1 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel E7230 MCH rev 0xc0 ppb0 at pci0 dev 1 function 0 Intel E7230 PCIE rev 0xc0 pci1 at ppb0 bus 1 ppb1 at pci1 dev 0 function 0 vendor TI, unknown product 0x8231 rev 0x03 pci2 at ppb1 bus 2 puc0 at pci2 dev 0 function 0 Sunix 40XX rev 0x01: ports: 2 com pccom3 at puc0 port 0 apic 8 int 16 (irq 11): ti16750, 64 byte fifo pccom4 at puc0 port 1 apic 8 int 16 (irq 11): ti16750, 64 byte fifo ppb2 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01 pci3 at ppb2 bus 3 ppb3 at pci3 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xb5 pci4 at ppb3 bus 4 bge0 at pci4 dev 4 function 0 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): apic 8 int 16 (irq 11), address 00:1b:78:07:c8:fc brgphy0 at bge0 phy 1: BCM5714 10/100/1000baseT PHY, rev. 
0 bge1 at pci4 dev 4 function 1 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): apic 8 int 17 (irq 10), address 00:1b:78:07:c8:fd brgphy1 at bge1 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0 ppb4 at pci4 dev 8 function 0 ServerWorks HT-1000 PCIX rev 0xb4 pci5 at ppb4 bus 5 ppb5 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01 pci6 at ppb5 bus 6 ppb6 at pci6 dev 0 function 0 vendor IDT, unknown product 0x8018 rev 0x04 pci7 at ppb6 bus 7 ppb7 at pci7 dev 0 function 0 vendor IDT, unknown product 0x8018 rev 0x04 pci8 at ppb7 bus 8 em0 at pci8 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 8 int 17 (irq 10), address 00:18:fe:2e:27:25 em1 at pci8 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: apic 8 int 16 (irq 11), address 00:18:fe:2e:27:24 ppb8 at pci7 dev 1 function 0 vendor IDT, unknown product 0x8018 rev 0x04 pci9 at ppb8 bus 9 em2 at pci9 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 8 int 18 (irq 5), address 00:18:fe:2e:27:27 em3 at pci9 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: apic 8 int 17 (irq 10), address 00:18:fe:2e:27:26 ppb9 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01
Re: HP ProLiant DL320 v. Sun Fire V125
Hello Kai,

Thank you very much for the reply. It's helpful.

Wednesday, October 31, 2007, 8:57:53 AM, you wrote:

KM> We run quite fine here with 4.2-current from today on a DL320G5, after:
KM> enabling write cache in the HP Bios !

It looks like that BIOS write cache settings don't change anything (atactl does it).

KM> enabling amd64 bsd.mp

Your CPU is Xeon, mine is Pentium D. Don't think amd64 will work for me.

KM> enabling acpi

How exactly do you do it? Mine acpi-related lines are

#option ACPIVERBOSE
#option ACPI_ENABLE
acpi0 at mainbus?
acpitimer* at acpi?
#acpihpet* at acpi?
#acpiac* at acpi?
#acpibat* at acpi?
#acpibtn* at acpi?
acpicpu* at acpi?
#acpidock* at acpi?
acpiec* at acpi?
acpiprt* at acpi?
acpitz* at acpi?

Do I need to uncomment options or they are active by default anyway? Are there any documents about it?

KM> enabling write cache for wd0 in the system with:
KM> # atactl wd0 writecacheenable

Where do you put these commands? For now I just ran it manually (and tested the result). I think it makes sense to activate the write cache before checking (and possibly recovering) RAIDframe devices, but rc.secure and rc.local are being called after that. Is it a good idea to put these atactl commands to /etc/rc right before #Configure ccd devices line?

KM> Before we had horrible 2MByte write speed, now we have 67MByte.

I'm getting an about 16 times speed increase on copying a 1.2 gig file. Are there any performance tests for the OpenBSD, BTW?

KM> The bge interfaces also seem to run fine.

Have you tried to boot with a network cable unplugged and then plug it? My bge* (on two computers so far) detects a media of 10 megabit in that case (ifconfig down/up makes it to detect the right media - 100 or 1000 megabit). em* devices don't have that (minor?) bug.
KM Compaq iLO rev 0x03 at pci6 dev 4 function 0 not configured KM Compaq iLO rev 0x03 at pci6 dev 4 function 2 not configured KM uhci4 at pci6 dev 4 function 4 Hewlett-Packard USB rev 0x00: apic 8 int 23 (irq 11) KM Hewlett-Packard IPMI rev 0x00 at pci6 dev 4 function 6 not configured KM usb1 at uhci4: USB revision 1.0 KM uhub1 at usb1 Hewlett-Packard UHCI root hub rev 1.00/1.00 addr 1 Did you do something special about uhci*? Mine is giving errors on two computers already. Sometimes it even crashes to ddb: uhci4 at pci7 dev 4 function 4 Hewlett-Packard USB rev 0x00: irq 11 uhci4: cannot stop Hewlett-Packard IPMI rev 0x00 at pci7 dev 4 function 6 not configured Stopped at uvm_pglistalloc_simple+0xc5:addl$0x1000,0xffec(%ebp) uvm_pglistalloc_simple(1,100,3fe64000,d08c7af0,d07ac860) at uvm_pglistalloc_simple+0xc5 uvm_pglistalloc(1000,100,3fe64000,1000,0,d08c7af0,1,0) at uvm_pglistalloc+0x35c _bus_dmamem_alloc_range(d075d900,1000,10,0,d18f6b4c) at _bus_dmamem_alloc_range+0x52 _bus_dmamem_alloc(d075d900,1000,10,0,d18f6b4c,1,d18f6b54,1) at _bus_dmamem_alloc+0x30 usb_block_allocmem(d075d900,1000,10,d08c7bd0) at usb_block_allocmem+0xa1 usb_allocmem(d191f000,1000,10,d08c7bd0) at usb_allocmem+0x39 uhci_alloc_sqh(d191f000,1000,1000,d191f274,d18f7234) at uhci_alloc_sqh+0x4a uhci_init(d191f000,4,d078ebe0,80072000) at uhci_init+0x130 uhci_pci_attach_deferred(d191f000,8007f800,c,0,20) at uhci_pci_attach_deferred+0x24 config_process_deferred_children(d18f7180,0,0,d18f7200,20) at config_process_deferred_children+0x59 ddb c usb1 at uhci4: USB revision 1.0 uhub1 at usb1: Hewlett-Packard UHCI root hub, rev 1.00/1.00, addr 1 Also, does iLO 2 Remote Console (a Java one) work for you? -- Best regards, Borismailto:[EMAIL PROTECTED]
Re: Network Time Synchronization using timed or ntpd or a Combination?
Hello Brian,

Wednesday, October 24, 2007, 3:28:36 PM, you wrote:

B> OpenNTPD runs as a 'daemon,' yes, but it does so using privilege
B> separation and other goodies. The network code runs as a normal user,
B> isolated from other users. This is superior to running rdate AS ROOT
B> from a cronjob. OpenNTPD does not open any TCP or UDP ports by default.
B> It is true that rdate has about 63% less lines of code than ntpd and is
B> older, and may have had more code audits performed; However, ntpd is new
B> code, written with security in mind, runs as a normal user (privilege
B> separated for the most part) and has superior time keeping ability.
B> Your advice about not running a daemon if it's possible to do the task
B> otherwise may be true with a (bloated) daemon such as ntp.org ntpd,
B> however, with OpenNTPD the tables are turned. It is far safer to run
B> the 'daemon' than to perform the task otherwise.
B> That being said, it is up to the individual users to decide what to do.
B> Hopefully this above explanation will help those who don't necessarily
B> understand the risks of running programs as root vice daemons which
B> execute code with proper separation of privileges.

Thank you very much for that (valuable) reply! BTW, this is an argument for making an OpenNTPD ntpdate tool or adding one_time_synchronization functionality into ntpd. :)

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
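
The privilege separation described in the quoted reply above, shown as an added C example (not part of the thread and not OpenNTPD's code): an unprivileged child parses the untrusted server reply, and the privileged parent re-validates the child's report before it would touch the clock. The function names, the uid/gid 65534, the one-day offset limit and the sample packet are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE             /* for setgroups(2) on glibc */
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#define NTP_PKT_LEN    48
#define NTP_UNIX_DELTA 2208988800LL /* seconds from the 1900 epoch to the 1970 epoch */
#define MAX_OFFSET_S   86400LL      /* assumed policy: refuse corrections over one day */
#define UNPRIV_ID      65534        /* assumed unprivileged uid/gid, e.g. "nobody" */

/* Child only: parse an untrusted reply (mode 4, synchronised, stratum 1..15). */
static int parse_reply(const unsigned char *p, size_t len, int64_t local, int64_t *off)
{
    uint32_t tx;
    if (len != NTP_PKT_LEN || (p[0] & 0x07) != 4 || (p[0] >> 6) == 3 ||
        p[1] == 0 || p[1] > 15)
        return -1;
    tx = ((uint32_t)p[40] << 24) | ((uint32_t)p[41] << 16) | ((uint32_t)p[42] << 8) | p[43];
    *off = ((int64_t)tx - NTP_UNIX_DELTA) - local;
    return 0;
}

/* Parent only: the child's report is untrusted input as well. */
static int validate_report(const void *buf, ssize_t n, int64_t *off)
{
    int64_t v;
    if (n != (ssize_t)sizeof(v))
        return -1;
    memcpy(&v, buf, sizeof(v));
    if (v > MAX_OFFSET_S || v < -MAX_OFFSET_S)
        return -1;
    *off = v;
    return 0;
}

/* Give up root for good before touching network data; never fail open. */
static int drop_privileges(void)
{
    gid_t gid = UNPRIV_ID;
    if (geteuid() != 0)
        return 0;                   /* nothing to drop */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(UNPRIV_ID) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0; /* regaining root must fail */
}

/* One-shot sync: returns 0 and sets *off only if the parent accepts the report. */
static int sync_once(const unsigned char *pkt, size_t len, int64_t local, int64_t *off)
{
    unsigned char buf[64];
    int sv[2], status;
    ssize_t n;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    if (pid == 0) {                 /* unprivileged side; a real tool does its network I/O here */
        int64_t v;
        close(sv[0]);
        if (drop_privileges() != 0 || parse_reply(pkt, len, local, &v) != 0)
            _exit(1);
        _exit(write(sv[1], &v, sizeof(v)) == (ssize_t)sizeof(v) ? 0 : 1);
    }
    close(sv[1]);
    n = read(sv[0], buf, sizeof(buf));
    close(sv[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    /* A real tool would call adjtime(2) or settimeofday(2) here, in the parent only. */
    return validate_report(buf, n, off);
}

/* Constructed sample reply: LI 0, version 4, mode 4, stratum 2, transmit time unix_secs. */
static void make_sample(unsigned char *p, int64_t unix_secs)
{
    uint32_t tx = (uint32_t)(unix_secs + NTP_UNIX_DELTA);
    int i;
    memset(p, 0, NTP_PKT_LEN);
    p[0] = (4 << 3) | 4;
    p[1] = 2;
    for (i = 0; i < 4; i++)
        p[40 + i] = (unsigned char)(tx >> (24 - 8 * i));
}

int main(void)
{
    unsigned char pkt[NTP_PKT_LEN];
    int64_t local = 1193256000, off = 0;    /* constructed local clock value */
    make_sample(pkt, local + 7);            /* server 7 s ahead */
    printf("7 s skew: %s\n", sync_once(pkt, sizeof(pkt), local, &off) == 0 ? "accepted" : "rejected");
    make_sample(pkt, local + 2 * 86400);    /* two days ahead: parent refuses */
    printf("2 day skew: %s\n", sync_once(pkt, sizeof(pkt), local, &off) == 0 ? "accepted" : "rejected");
    return 0;
}
```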
Re: Network Time Synchronization using timed or ntpd or a Combination?
Hello Mark,

Thursday, October 25, 2007, 4:13:09 PM, you wrote:

MZ> On Thu, Oct 25, 2007 at 11:19:21AM -0500, Boris Goldberg wrote:

>> Thank you very much for that (valuable) reply! BTW, this is an argument
>> for making an OpenNTPD ntpdate tool or adding one_time_synchronization
>> functionality into ntpd. :)

MZ> From ntpd(8):
MZ> -s Set the time immediately at startup if the local clock is off
MZ> by more than 180 seconds. Allows for a large time correc-
MZ> tion, eliminating the need to run rdate(8) before starting
MZ> ntpd.
MZ> Or is that not what you meant?
MZ> Just put ntpd_flags=-s into /etc/rc.conf.local.

No, I mean synchronize_and_exit - like rdate -ncav, but more secure (with a privilege separation, like Brian explained above in a thread).

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: Network Time Synchronization using timed or ntpd or a Combination?
Hello Clint,

Tuesday, October 23, 2007, 5:36:15 PM, you wrote:

CP> From what I have read in this thread, it looks like only one guy
CP> prefers the old timed and rdate tools. A few are even telling him he is
CP> giving bad advice when promoting the usage of these tools. Henning
CP> mentioned that rdate and timed are pretty much useless and others have
CP> said that timed is obsolete. So why don't we remove them from the source
CP> tree?

I've never suggested (or mentioned) the timed. Of course I was talking about the -n mode of rdate (as a replacement to ntpdate like Paul de Weerd was suggesting in this thread).

Maybe it makes sense to set -ncv as a default behavior of rdate, but there should be a way to synchronize time without running a daemon (don't understand why are people so aggressive about that) if you don't need up-to-second synchronization (in my case modern hardware goes less than a second off per day, and really old hardware - less than 10 seconds).

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: HP ProLiant DL320 v. Sun Fire V125
Hello evo,

Wednesday, October 24, 2007, 12:51:13 AM, you wrote:

e> I'm choosing firewall/proxy/mail-gateway hardware running (of course)
e> OpenBSD for medium office and my shortlist is:
e> (a) HP ProLiant DL320 and (b) Sun Fire V125

I'm upgrading my servers/firewalls to HP ProLiant DL320 G5, and the experience... isn't easy. First of all you need to allow acpi in an MP kernel, otherwise it's slow and unstable (it's disabled by default and not really documented). Then you have couple more issues I couldn't resolve yet:

First - uhci (uhci4 in my case) giving an error during boot and shutdown:

OpenBSD 4.2-stable (GENERIC) #1: Thu Oct 18 12:35:10 CDT 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR real mem = 1071640576 (1021MB) avail mem = 1028595712 (980MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xee000 (47 entries) bios0: vendor HP version W04 date 04/06/2007 bios0: HP ProLiant DL320 G5 pcibios0 at bios0: rev 3.0 @ 0xf/0x2000 pcibios0: PCI BIOS has 7 Interrupt Routing table entries pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00) pcibios0: PCI bus #7 is the last bus bios0: ROM list: 0xc/0xb000 0xcc400/0x1000 0xcd400/0x1000 0xce400/0x3400! 0xe6000/0x2000! 
acpi at mainbus0 not configured ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 spacing 1 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel E7230 MCH rev 0xc0 ppb0 at pci0 dev 1 function 0 Intel E7230 PCIE rev 0xc0 pci1 at ppb0 bus 1 ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01 pci2 at ppb1 bus 2 ppb2 at pci2 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xb5 pci3 at ppb2 bus 3 bge0 at pci3 dev 4 function 0 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): irq 11, address 00:1b:78:07:c9:9a brgphy0 at bge0 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0 bge1 at pci3 dev 4 function 1 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): irq 10, address 00:1b:78:07:c9:9b brgphy1 at bge1 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0 ppb3 at pci3 dev 8 function 0 ServerWorks HT-1000 PCIX rev 0xb4 pci4 at ppb3 bus 4 ppb4 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01 pci5 at ppb4 bus 5 em0 at pci5 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: irq 11, address 00:1b:78:57:58:e0 em1 at pci5 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: irq 10, address 00:1b:78:57:58:e1 ppb5 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01 pci6 at ppb5 bus 6 uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: irq 5 uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: irq 5 uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: irq 5 uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: irq 5 ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: irq 5 usb0 at ehci0: USB revision 2.0 uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1 ppb6 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1 pci7 at ppb6 bus 7 vga1 at pci7 dev 3 function 0 ATI ES1000 rev 0x02 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) Compaq iLO rev 0x03 at pci7 dev 4 function 0 not configured Compaq iLO rev 0x03 at pci7 dev 4 
function 2 not configured uhci4 at pci7 dev 4 function 4 Hewlett-Packard USB rev 0x00: irq 11 uhci4: cannot stop Hewlett-Packard IPMI rev 0x00 at pci7 dev 4 function 6 not configured usb1 at uhci4: USB revision 1.0 uhub1 at usb1: Hewlett-Packard UHCI root hub, rev 1.00/1.00, addr 1 ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM disabled pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility pciide0: channel 0 disabled (no drives) pciide0: channel 1 disabled (no drives) pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI pciide1: using irq 7 for native-PCI interrupt wd0 at pciide1 channel 0 drive 0: FB160C4081 wd0: 16-sector PIO, LBA48, 152627MB, 312581808 sectors wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5 usb2 at uhci0: USB revision 1.0 uhub2 at usb2: Intel UHCI root hub, rev 1.00/1.00, addr 1 usb3 at uhci1: USB revision 1.0 uhub3 at usb3: Intel UHCI root hub, rev 1.00/1.00, addr 1 usb4 at uhci2: USB revision 1.0 uhub4 at usb4: Intel UHCI root hub, rev 1.00/1.00, addr 1 usb5 at uhci3: USB revision 1.0 uhub5 at usb5: Intel UHCI root hub, rev 1.00/1.00, addr 1 isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard,
Re: Network Time Synchronization using timed or ntpd or a Combination?
Hello Marc,

Wednesday, October 24, 2007, 1:13:23 PM, you wrote:

>> Maybe it makes sense to set -ncv as a default behavior of rdate, but there should be a way to synchronize time without running a daemon (don't understand why people are so aggressive about that) if you don't need up-to-second synchronization (in my case modern hardware goes less than a second off per day, and really old hardware - less than 10 seconds).

MB> You don't understand the implications of changing the time of a computer
MB> at runtime.

I believe I do. :) There are pros and cons in the daemon and in the cron schema. I decided to use cron and I know why. Every sysadmin/architect should make that decision for *his* systems (and know why). Home users should probably stay with the default (ntpd), but they are usually using Windows and cheap hardware firewalls anyway. ;)

MB> If either case is acceptable depends on the software that runs on the
MB> computer.

Exactly. And I believe that the usual case is not a cluster, monetary transaction server or traffic control system.

MB> A computer that controls an insulin pump probably should run at
MB> constant speed whereas a computer that does a task at a certain time
MB> should not skip time units.

Have you seen an insulin pump run by an OpenBSD system? ;) Give me some *real* examples (if you want to).

MB> If a cronjob runs at 17:10 and at 17:00 your wise cronjob sets the time
MB> to 17:20, cron will not start that job.

First of all, this is not a *real* case again. I was talking about 10 seconds a day, not 20 minutes. If your *production* hardware goes 20 minutes off a day you will probably replace it (I believe, for new hardware it's a warranty case). Second of all, I've seen that behavior (with much smaller time adjustments) on SCO, but OpenBSD handles it pretty well - my cron doesn't repeat itself after adjusting time back.

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: Network Time Synchronization using timed or ntpd or a Combination?
Hello Clint,

Tuesday, October 23, 2007, 5:42:47 AM, you wrote:

CP> One system would get time from the NTP pool and all other servers on
CP> the network would sync to the local server.

You don't really need ntpd on all systems. One (timeserver) runs ntpd, and others use rdate, called from cron (once a day is usually enough).

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: Network Time Synchronization using timed or ntpd or a Combination?
Hello Rogier,

Tuesday, October 23, 2007, 9:01:32 AM, you wrote:

RK> On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:
>> You don't really need ntpd on all systems. One (timeserver) runs ntpd, and others use rdate, called from cron (once a day is usually enough).

RK> While your suggestion would work, it would also entail more work
RK> without adding benefit. Upon install, you get the question of whether
RK> you want to use ntpd. Starting with 4.2, it even asks for a specific
RK> NTP server.

It's always better not to run a daemon if you don't have to. :) Talking about more work - I don't think that someone avoiding small after-install tuning like this should be taking care of any network besides his home one. ;) Anyway, for the last five years no version of OBSD (including 4.2) worked for me without tuning a kernel, so an extra line in a crontab is nothing. :)

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: Network Time Synchronization using timed or ntpd or a Combination?
Hello Pierre-Yves,

Tuesday, October 23, 2007, 11:39:10 AM, you wrote:

>> You don't really need ntpd on all systems. One (timeserver) runs ntpd, and others use rdate, called from cron (once a day is usually enough).

PYR> I hope nobody takes what you say seriously. Running rdate instead of
PYR> ntpd like you describe is wrong for many reasons which have been stated
PYR> over and over in the last few years. Please do not spread wrong
PYR> information around, and do your homework before giving others advice
PYR> on what you think is good sysadmin practice.

The ntpd from OBSD is raw and lame yet. It takes days (!) to really synchronize, adjusting time and clock frequency back and forth (even if you start with -s) so it's too early to say that using it is right. It will be right after it matures, gets a more useful synchronization algorithm and its own ntpdate (or a parameter to synchronize and exit).

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: Network Time Synchronization using timed or ntpd or a Combination?
Hello Paul,

Tuesday, October 23, 2007, 12:38:43 PM, you wrote:

PdW> ... run rdate, it has the -n switch.

Here we go! :D

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: RaidFrame woes on 4.2 (RAIDFRAME: failed rf_ConfigureDisks with 2)
Hello knitti,

Saturday, October 13, 2007, 3:43:27 PM, you wrote:

k> raidlookup on device: /dev/wd3d failed !
k> ...
k> START disks
k> /dev/wd3d

Shouldn't it be /dev/wd0d ?

k> /dev/wd1d
k> ...
k> # disklabel wd0
k> ...
k> d: 606244905 18892440 RAID
k> ...
k> # disklabel wd1
k> ...
k> d: 606244905 18892440 RAID

You've said that you'd tried different configurations, but the one you are showing here just can't work, because you don't have wd3.

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: TLS/FTP via OpenBSD NAT
Hello Mikel,

Friday, October 12, 2007, 6:46:20 AM, you wrote:

ML> ... the client wants to be able to connect to an FTP server that
ML> is using TLS.

ML> My first thought of this was you can't. However, I was quickly
ML> disabused of this idea by connecting to their server using the program
ML> they use (FileZilla) within a Windows XP instance running inside
ML> Parallels through a Netlink ADSL modem. That is two sets of
ML> translation happening!

ML> This got me confused as everything I have read about TLS says this
ML> can't be done. At least not with NAT.

I'm confused too. :) Why won't it work over a NAT? You might need to bypass ftp-proxy for that server (like I did), but only if it's using standard ftp ports (20/21). And it should be passive, of course.

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
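Why passive FTP over TLS gets through plain NAT while a control-channel helper such as ftp-proxy has to be bypassed, as an added example that is not part of the original message: a helper works by reading the server's plaintext 227 (PASV) reply, and after AUTH TLS that reply travels inside TLS records it can neither read nor rewrite. The function names and the sample traffic are constructed for illustration; the reply format is the one from RFC 959.

```python
import ipaddress
import re

# Server reply to PASV (RFC 959): "227 ... (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    rb"^227 [^\r\n]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(line):
    """Return (ip, port) from a plaintext 227 reply, else None."""
    m = PASV_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def is_tls_record(chunk):
    """True if chunk starts like a TLS record: content type 20-23, major version 3."""
    return len(chunk) >= 5 and 20 <= chunk[0] <= 23 and chunk[1] == 3


def helper_view(server_to_client):
    """What an in-path FTP helper can read from the server's control replies.

    Returns (endpoints, opaque): the data endpoints it could parse, and
    whether the channel turned into TLS records it cannot inspect or rewrite.
    """
    endpoints, opaque = [], False
    for chunk in server_to_client:
        if is_tls_record(chunk):
            opaque = True
        elif not opaque:
            endpoint = parse_pasv(chunk)
            if endpoint:
                endpoints.append(endpoint)
    return endpoints, opaque


def client_can_connect(ip):
    """Passive mode behind client-side NAT: the client dials out to the
    advertised address, which works unrewritten only if it is not RFC 1918."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


# Constructed server-to-client control traffic (not captured from a real server).
PLAIN = [b"220 ready\r\n", b"227 Entering Passive Mode (203,0,113,10,195,80)\r\n"]
# After AUTH TLS the 227 reply is carried inside application-data records (type 23).
TLS = [b"220 ready\r\n", b"234 AUTH TLS OK\r\n",
       bytes([22, 3, 1, 0, 4]) + b"\x00" * 4, bytes([23, 3, 1, 0, 8]) + b"\xa5" * 8]
```

With the plaintext session the helper sees the data endpoint; with the TLS session it sees nothing, so the connection only works when the client can reach the advertised address directly, which is the passive-mode case with a publicly addressed server.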
Re: SMP Support?
Hello Daniel,

Just want to make sure that we are on the same page: I'm talking about i386. It seems from below that your concern is more about amd64, but I didn't really try it, because my CPU isn't even a Xeon.

Wednesday, September 19, 2007, 6:00:16 PM, you wrote:

>> I have pretty much the same picture with HP ProLiant 320 G5 (Dual Core Pentium-D 925). The server is new and passes all tests from the HP maintenance CD.

DO> I couldn't make out what BIOS version you were actually running there, but
DO> you did check to make sure you have the latest one right?
DO> http://h18023.www1.hp.com/support/files/server/us/revision/9753.html

Yes, my BIOS is from 2007.04.06 that is mentioned there.

DO> Let me know how it goes with current...

We've done boot testing with 4.2 -current generic.mp (with the path from http://marc.info/?l=openbsd-tech&m=118975639013313&w=2) turning on/off APIC in the BIOS (default on) and acpi in the kernel (default off).

APIC off, acpi off - boots with one CPU:

OpenBSD 4.2-current (GENERIC.BUILD.MP) #2: Wed Sep 19 17:11:01 CDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.BUILD.MP
cpu0: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
real mem = 1071640576 (1021MB)
avail mem = 1028599808 (980MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xee000 (47 entries)
bios0: vendor HP version W04 date 04/06/2007
bios0: HP ProLiant DL320 G5
pcibios0 at bios0: rev 3.0 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
pcibios0: PCI bus #7 is the last bus
bios0: ROM list: 0xc/0xb000 0xcc400/0x1000 0xcd400/0x1000 0xce400/0x3400! 0xe6000/0x2000!
acpi at mainbus0 not configured
ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 spacing 1
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7230 MCH rev 0xc0
ppb0 at pci0 dev 1 function 0 Intel E7230 PCIE rev 0xc0
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci2 at ppb1 bus 2
ppb2 at pci2 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xb5
pci3 at ppb2 bus 3
bge0 at pci3 dev 4 function 0 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): irq 11, address 00:1b:78:07:c9:9a
brgphy0 at bge0 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0
bge1 at pci3 dev 4 function 1 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): irq 10, address 00:1b:78:07:c9:9b
brgphy1 at bge1 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0
ppb3 at pci3 dev 8 function 0 ServerWorks HT-1000 PCIX rev 0xb4
pci4 at ppb3 bus 4
ppb4 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01
pci5 at ppb4 bus 5
em0 at pci5 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: irq 11, address 00:1b:78:57:58:e0
em1 at pci5 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: irq 10, address 00:1b:78:57:58:e1
ppb5 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01
pci6 at ppb5 bus 6
Intel 82801GB USB rev 0x01 at pci0 dev 29 function 0 not configured
Intel 82801GB USB rev 0x01 at pci0 dev 29 function 1 not configured
Intel 82801GB USB rev 0x01 at pci0 dev 29 function 2 not configured
Intel 82801GB USB rev 0x01 at pci0 dev 29 function 3 not configured
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb6 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1
pci7 at ppb6 bus 7
vga1 at pci7 dev 3 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Compaq iLO rev 0x03 at pci7 dev 4 function 0 not configured
Compaq iLO rev 0x03 at pci7 dev 4 function 2 not configured
Hewlett-Packard USB rev 0x00 at pci7 dev 4 function 4 not configured
Hewlett-Packard IPMI rev 0x00 at pci7 dev 4 function 6 not configured
ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM disabled
pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 7 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: FB160C4081
wd0: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0
Re: SMP Support?
Hello Daniel,

Monday, September 17, 2007, 3:14:05 PM, you wrote:

DO> Now that is working do me a favor and try to compile the userland and
DO> kernel with that bsd.mp acpi enable kernel.

DO> Also, try if possible to make transfer of huge files between two boxes
DO> well connected to try to at a minimum get close to 100Mb/sec of
DO> transfer, or more if you have Gb access.

DO> In my case, it will crash every time still.

DO> Then the compile is ok with bsd, but still crash with bsd.mp in some cases.

DO> I am curious to know if that specific to my hardware, or if others have
DO> the same problem.

I have pretty much the same picture with HP ProLiant 320 G5 (Dual Core Pentium-D 925). The server is new and passes all tests from the HP maintenance CD.

If we enable APIC in the BIOS it's very slow, reboots itself, crashes with random error or hangs with bsd.mp, and not really stable even with bsd. If disable APIC - then sees only one CPU with bsd.mp. If enable ACPI in the bsd.mp (using config -ef) having APIC disabled - crashes during boot (with that path you were talking about or without it):

OpenBSD 4.1 (GENERIC.MP) #1225: Sat Mar 10 19:23:18 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
real mem = 1071640576 (1046524K)
avail mem = 970375168 (947632K)
using 4278 buffers containing 53706752 bytes (52448K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xee000 (47 entries)
bios0: HP ProLiant DL320 G5
pcibios0 at bios0: rev 3.0 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
pcibios0: PCI bus #7 is the last bus
bios0: ROM list: 0xc/0xb000 0xcc400/0x1000 0xcd400/0x1000 0xce400/0x3400! 0xe6000/0x2000!
acpi0 at mainbus0: rev 2panic: malloc: allocation too large
Stopped at Debugger+0x4: leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb{0} trace
Debugger(191f9000,0,d08bbca8,2,7) at Debugger+0x4
panic(d068111a,d08bbcc4,1000,d0760520,) at panic+0x63
malloc(f0009bd8,2,1,d064d1a8) at malloc+0x7a
acpi_load_table(0,f0009bd0,d1a33c3c,0,0) at acpi_load_table+0x19
acpi_loadtables(d1a33c00,e91f7f00,1,11) at acpi_loadtables+0x14d
acpi_attach(d1a31fc0,d1a33c00,d08bbe80,0,e91f7000) at acpi_attach+0xc6
config_attach(d1a31fc0,d073d550,d08bbe80,d048faf4) at config_attach+0xef
mainbus_attach(0,d1a31fc0,0,0,d08ba330) at mainbus_attach+0x2e5
config_attach(0,d073a4cc,0,0,d077fe80) at config_attach+0xef
config_rootfound(d06a1b18,0,d08bbf38,d0463166) at config_rootfound+0x27
cpu_configure(0,1,3,0,2) at cpu_configure+0x29
main(0,0,0,0,0) at main+0x368
ddb{0} c
The operating system has halted.
Please press any key to reboot.

Played with 4.1 -stable so far. Didn't consider beta for production, but will try -current. I'm going to combine and post a detailed report later.

--
Best regards,
Boris mailto:[EMAIL PROTECTED]