Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-22 Thread Boris Goldberg
Hello Chris,

  There is something extremely weird going on lately. People
easily take offense where no offense was intended (and hard to find
anyway). Nick was just telling you that (in his expert opinion) you
shouldn't worry much about "Meltdown, Spectre, insecure motherboard chips",
but concentrate on the real security instead. Unfortunately the real
security takes years of learning and experience, and can't be "advised" in
a couple of emails, but he provided a lot of valuable (and valid)
information (which you were not ready to digest, I guess).
  If you are allowing arbitrary code to run on your server you are
screwed with or without Spectre, otherwise there is nothing to spy on you
on that server (even if it's technically possible).
  If (any) government agency really wants to access your server, you are
writing to the wrong list, otherwise government installed spying chips (if
any) won't really hurt you. On the other hand, crapware (like Superfish)
might.

BTW, your boss doesn't need to be stupid to compromise your password (or
keys), just a "normal" human. Security isn't grokkable by "normal" people.


Tuesday, November 20, 2018, 2:11:52 PM, you wrote:

CB> On Tue, Nov 20, 2018 at 02:24:55PM -0500, Nick Holland wrote:
>> On 11/20/18 11:43, Chris Bennett wrote:
>> > I am almost certainly going to be replacing with a new server for an
>> > organization I am a member of.
>> > With all of this mess with Meltdown, Spectre, insecure motherboard
>> > chips, etc.
>> > I am pretty clueless on exactly what is going to be a secure set of
>> > server hardware.
>> > Intel, well no.
>> > AMD? I have read about problems with non-CPU chips being compromised.
>> > Another architecture? I have never used anything other than Intel/AMD.
>> > 
>> > The server will run httpd, mailserver, PostgreSQL and somehow a good way
>> > for well encrypted messaging at times.
>> 
>> all on one server?
>> 
>> And as someone who has run a number of mail servers for a number of
>> companies ... don't.  Just don't.  Running your own mail server is a
>> good way to accomplish nothing except wasting a lot of time and making
>> people hate you.
>> 

CB> The mail server is ONLY intended for members of the organization.
CB> You would have me use gmail or yahoo?
CB> The organization is suing another group for slander.

>> > It is very likely to run out of Austin, Texas.
>> > I think that having a direct connection would be best, but would a
>> > proper setup make collocation OK?
>> 
>> You are using poorly defined buzzwords.  What you mean by a "direct
>> connection", "proper setup", "collocation" and what I mean are likely
>> very different.
>> 

CB> Well, then tell me some useful information. Correct my idiotic
CB> buzzwords. It was carefully noted in my message that I am facing new
CB> territory and need some advice.


>> > This isn't going to be my server, I will just be in charge. That's
>> > completely new for me.
>> > Any advice is really welcome, everywhere I read anything, hardware seems
>> > broken and insecure.
>> 
>> Pretty much all new HW is optimized in ways that we are now learning
>> (and has been known for a long time) introduce security problems.
>> However, most of the problems boil down to having malicious software
>> running in the control of someone else on the same physical machine YOUR
>> code is running on.
>> 
>> In short: No news.  Really.
>> 
>> If someone that wanted to do you evil lived in the same house as you,
>> you would not be comfortable, right?  What if you put up walls
>> (virtualization) that have proven to be about as robust as paper?
>> That make you feel any better?  Probably not.  Virtualization has been
>> proven -- over and over -- not terribly secure.  Now we got
>> cross-virtualization platforms ways of stealing data from other
>> processes.  Important? yes.  But in the big picture, it's similar to Yet
>> Another buffer overflow.
>> 

CB> To be quite frank, and I don't mean anything negative to others using
CB> virtualization, you couldn't pay me to even consider using something
CB> that idiotic for trying to make a "secure" setup. And using the
CB> "clouds", to me, is getting just a little bit too "high".

>> So...split your tasks on different physical systems as much as possible.
>>  If your webserver is serving static pages, it's probably pretty robust.
>>  If it's running Wordpress or any other "any idiot can manage the web
>> page" apps or dynamic web pages for other reasons, it should be a
>> machine of its own and have no other important data on it.

CB> Yes, using that idiotic Wordpress crap is exactly one of many problems I
CB> am going to immediately fix. Whoever is in charge can't even make that
CB> work!

>> Your primary goal should be to keep the bad guys off your computer in
>> every sense.  And again...nothing new here.
>> 
>> But if security is your concern, you want real hw you control in every
>> sense.
>> 

CB> Which is exactly what my silly buzzwords was 

Re: isakmpd and iked on the same box

2018-08-31 Thread Boris Goldberg
Hello Philipp,

I used to (reliably) run from two to four parallel instances of isakmpd on
the same boxes (for years) - first using different ports, then different IPs.
It seems like they had to (peacefully) share the SADB. Did I just not
have enough tunnels to trigger the problem? If this isn't the case, why
can't iked be as "nice" as isakmpd? Just wondering.


Thursday, August 30, 2018, 10:39:21 AM, you wrote:

PB> Hi,

PB> Am 30.08.2018 10:27 schrieb Sebastian Reitenbach:
>> Hi,
>> 
>> I'm wondering if it would be possible to add iked to my box already
>> running isakmpd.
>> I found this quite old thread:
>> http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html

PB> Why is it "always" my old threads in this area? :-)

PB> I was not following development too closely, but I think that on the
PB> kernel side things have not changed. Which means iked and isakmpd will
PB> happily "toe tap" on each other's SADB in the kernel (even if there is
PB> *some* PID handling).

PB> Would like to hear if kernel side has "improved" lately, but the overall
PB> standpoint looks like: IKEv1 is dead (e.g. see the removal of IKEv1 stubs
PB> in iked some "months ago").

PB> [Still stuck with my ikev2 with strongswan on a different box solution]

PB> HTH... wait, no:
PB> ciao

-- 
Best regards,
 Boris  mailto:psi...@prodigy.net



Re: Installer overwrites partition table

2016-08-24 Thread Boris Goldberg
Hello Kamil,

  Your reply is unreasonably aggressive. Is there something wrong with
OpenBSD in that particular area?
  I used to install OBSD to an unused partition - a pretty straightforward
process. Did something change recently? I've checked the FAQ - didn't find
big changes nor warnings (except the "know what you are doing").

  BTW, I used to run OBSD in VMWare for testing and bug finding - the work
was done, but I didn't like the experience (a lot).


Wednesday, August 24, 2016, 6:41:58 AM, you wrote:

KC> On Wed, 24 Aug 2016, Bertram Scharpf  wrote:
>> Hi,
>>
>> first of all, I am an experienced OS installer and I did a
>> heck of partitioning in my life. Now I had some unused disk
>> space and I found it a good idea to install OpenBSD.
>>
>> The installer's partitioning tool didn't offer me a variant
>> that keeps my existing partitions. Therefore I immediately
>> stopped it. But yet it was too late. The partition table was
>> overwritten.
>>
>> The damage is not hard for me because I tersely do backups.
>> But this behaviour is impudent. This blowfish is not a safe
>> operating system, it rather is a poorly prepared fugu.
>>
>> Bertram
>>
>>
>> -- 
>> Bertram Scharpf
>> Stuttgart, Deutschland/Germany
>> http://www.bertram-scharpf.de

KC> - You have unused disk space. Rather than spinning up a VM to play in,
KC>   you've instead opted for letting a new OS, that you have no experience
KC>   with, access and modify the raw disk bits.

KC> - You've tried installing the aforementioned new and unknown OS, on a
KC>   disk that had other important data, that was already governed by
KC>   another OS.

KC> To me, that doesn't sound like what an experienced user would do.

KC> <3,K.

-- 
Best regards,
 Boris  mailto:psi...@prodigy.net



Re: choosing OpenBSD for fileserver instead of FreeBSD + ZFS

2016-07-21 Thread Boris Goldberg
Hello Miles,

  I did research the matter about 18 months (or maybe 2 years) ago for the
business, even asked the list. Decided in favor of FreeNAS (based on
FreeBSD+ZFS, if someone doesn't know). Can't tell how it went because the
project died for reasons unrelated to the storage.
  If you decide to go with OpenBSD I'd strongly suggest using a good
hardware RAID controller (not relying on softraid). Make sure it's
supported. I've had a good experience with the HP Smart Array Pxx series. You
can buy older models quite cheap on ebay (if you trust ebay). Haven't
checked it on a "generic" PC though. Install the battery and replace it
when the system complains (on boot or otherwise) - also sold on ebay.
  RAID5 might not be enough when dealing with "few terabytes" - there is a
risk of a second disk corruption due to high activity during recovery
(google the subject). Consider RAID6 or RAID10 (1E, 1C, etc.) - both
require a minimum of four disks.
  I was told that fsck requires about 1G of memory per 1T of space. It could
be dealt with by splitting into multiple partitions (labels). The ZFS memory
requirements aren't lower anyway.
  You need some sort of snapshotted (!) backup. Even if the RAID saves you
from disk corruption (the "if" here is bigger than most people think), a
human error (or a virus on someone's computer/phone) can destroy all your
data, and then an rsync can propagate the "changes" to the backup (also
destroying it if you don't have proper snapshots). The snapshots don't need
to be called "snapshots" - any sort of backup with the possibility to restore
to an older date will do.


Wednesday, July 20, 2016, 6:52:04 AM, you wrote:

MK> Got a fileserver with a few terabytes of important personal media, like all
MK> old home movies, baby photos, etc.  Files that I want my family to have
MK> access to when I die.

MK> Really it's more of a file archive.  A backup.  Just rsync + ssh.  Serving
MK> it isn't the point.  Just preserving it forever.

MK> (It's all unencrypted.  It's not that kind of private.  Private and offline
MK> from the outside world, but public within the family.)

MK> For years it's been on a Synology, Linux ext4 filesystem.  Now I'm making a
MK> new clone of it (new PC) to be in a different location.

MK> I assumed I'd use FreeBSD + ZFS because of ZFS's checksum features.  But
MK> really I love and prefer OpenBSD for everything else, and don't want any
MK> other ZFS features : just that checksum.

MK> So I figure if I use OpenBSD + softraid RAID 5 (across 4 disks) and then
MK> write my own little shell script to track the MD5 (find . -type f -exec md5
MK> {} \;) whenever I make changes, that should be enough to see if a file has
MK> been changed due to disk corruption.

MK> (Which makes me realize I don't know a damn thing about disk corruption,
MK> only that it's happened a few times in the past.  The occasional JPG or MP3
MK> from the late 90s that used to work but now doesn't, and who-knows-why.)

MK> Before I embark on this direction for a fileserver, I thought I should
MK> check with the smart people here on misc:

MK> Any tips from anyone who's done something similar?

MK> Or would anyone advise me against OpenBSD or this MD5 log approach for a
MK> fileserver like this?

-- 
Best regards,
 Boris  mailto:psi...@prodigy.net
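The checksum-manifest idea from Miles's question, worked through as an added example that is not from the thread: it uses SHA-256 instead of md5 and records the mtime next to the hash, so a file whose bytes changed while its mtime did not (the pattern silent disk corruption leaves) is reported separately from an ordinary edit, a deletion or a new file, which is the distinction Boris's "snapshot" point turns on. The sample archive it builds in a scratch directory is constructed; it assumes only POSIX sh plus either sha256(1) or sha256sum(1).

```shell
#!/bin/sh
# Added example (not from the thread): a checksum manifest for an archive.
# A manifest line is "sha256 mtime path". Comparing two manifests tells
# apart a file whose bytes changed while its mtime did not (nobody wrote
# to it, so the storage changed it) from an ordinary edit, a deletion or
# a new file. Needs only POSIX sh, find, sort, awk, stat and sha256/sha256sum.

hash_file() {                       # SHA-256 of one file, hex digest only
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | cut -d' ' -f1
    else
        sha256 -q -- "$1"           # OpenBSD sha256(1)
    fi
}

mtime_of() {                        # mtime in seconds since the epoch
    stat -c %Y -- "$1" 2>/dev/null || stat -f %m -- "$1"   # GNU, then BSD
}

build_manifest() {                  # build_manifest DIR  -> manifest on stdout
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(hash_file "$f")" "$(mtime_of "$f")" "$f"
    done
}

compare_manifests() {               # compare_manifests OLD NEW -> report on stdout
    awk '
        # the path is everything after the first two fields (it may hold spaces)
        { path = substr($0, length($1) + length($2) + 3) }
        FILENAME == ARGV[1] { oldhash[path] = $1; oldtime[path] = $2; next }
        {
            seen[path] = 1
            if (!(path in oldhash))         print "NEW      " path
            else if (oldhash[path] != $1) {
                if (oldtime[path] == $2)    print "CORRUPT  " path
                else                        print "MODIFIED " path
            }
        }
        END { for (p in oldhash) if (!(p in seen)) print "MISSING  " p }
    ' "$1" "$2" | LC_ALL=C sort
}

run_demo() {                        # constructed scenario in a scratch directory
    work=$(mktemp -d) || return 1
    mkdir "$work/archive"
    printf 'baby photos\n' > "$work/archive/a.jpg"
    printf 'home movie\n'  > "$work/archive/b.mov"
    printf 'old mp3\n'     > "$work/archive/c.mp3"
    build_manifest "$work/archive" > "$work/manifest.1"

    cp -p "$work/archive/a.jpg" "$work/ref"          # remember a.jpg's mtime
    printf 'baby phXtos\n' > "$work/archive/a.jpg"   # a silent byte change...
    touch -r "$work/ref" "$work/archive/a.jpg"       # ...with the mtime put back
    printf 'home movie, trimmed\n' > "$work/archive/b.mov"
    touch -t 203001010000 "$work/archive/b.mov"      # an ordinary edit moves the mtime
    rm "$work/archive/c.mp3"                         # the human-error case
    printf 'new scan\n' > "$work/archive/d.png"

    build_manifest "$work/archive" > "$work/manifest.2"
    compare_manifests "$work/manifest.1" "$work/manifest.2"
    rm -rf "$work"
}

case "${1:-}" in demo) run_demo ;; esac
```

Run it as `sh manifest.sh demo` to see the four report lines; in real use, keep each manifest with the snapshot it describes and compare the current run against the oldest one you still trust.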



alternative places to buy the CDs in US are needed

2015-06-26 Thread Boris Goldberg
Hello misc,

  I've looked (and registered) at openbsdstore.com (USA site) - don't
like it (a lot). I used to buy OpenBSD stuff from a US book store, but can't
find it (there was a link to it on openbsd.org, but not any more). Are
there alternative (local) options to buy the OpenBSD CDs in the US?

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



what happened to the encap address_family

2015-05-14 Thread Boris Goldberg
Hello misc,

  The encap address_family isn't in the netstat man page anymore (BTW, there
is no 5.7 section at www.openbsd.org/cgi-bin/man.cgi, just current).
netstat -nrf encap gives an error, and netstat -nr doesn't have the
Encap section.
  Don't see anything about netstat nor about encap at
http://www.openbsd.org/57.html, and Google also didn't help.

  How do I check VPN related routing besides ipsecctl -s flow (which
isn't exactly the straight way)?

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: Best filesystem options for large drive

2015-02-13 Thread Boris Goldberg
Hello Nick,

Thursday, February 12, 2015, 9:26:01 AM, you wrote:

NH> On 02/12/15 10:10, Boris Goldberg wrote:
>> Hello Nick,
NH> ...
>>   I was entertaining the idea of making a 100 TB OpenBSD based archive
>> storage, even asked the list. The only answer pointed to that FAQ page, and
>> it stopped me from pursuing that idea. Servers with 128 GB of RAM aren't
>> uncommon, but expensive (comparing to 64/32 GB ones).

NH> I don't care what OS you are using, 100TB single volume archive is
NH> doing it wrong.

NH> Chunk your data, you will thank me; when it comes time to upgrade and
NH> migrate your hardware, you will be kissing my feet.

NH> The numbers have changed a bit (for the bigger) but the idea is as valid
NH> today as it was eight years ago:
NH> http://archives.neohapsis.com/archives/openbsd/2007-04/1572.html

  Thanks. The facts aren't new, but well put together. Will try not to
plan the storage needs more than a (half) year ahead.

  It's too bad we don't have 10 TB disks yet. ;)

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: Best filesystem options for large drive

2015-02-12 Thread Boris Goldberg
Hello Nick,

Wednesday, February 11, 2015, 1:05:20 PM, you wrote:

NH> On 02/11/15 11:58, Jan Stary wrote:
>> On Feb 10 17:48:22, na...@mips.inka.de wrote:
>>> On 2015-02-10, yary not@gmail.com wrote:
>>>
>>>> I know FFS2 can handle that size easily, but I'm worried about fsck
>>>> taking forever. This machine will have 1.5GB RAM, from what I've read
>>>> that's not enough memory to fsck a 4TB volume without painful
>>>> swapping.
>>>
>>> It vastly depends on the number of files you have on there.
>>> Here's an almost full 4TB drive...
>>
>> FAQ4 still says
>>
>>   If you make very large partitions, keep in mind that performing
>>   filesystem checks using fsck(8) requires about 1M of RAM per gigabyte of
>>   filesystem size
>>   ^^^
>>
>> Does that still apply?
>>
>>      Jan


NH> It is probably far less than that currently, but lacking a more precise
NH> number, I don't think this is a bad rule of thumb, and if you wish to
NH> disregard it, I suspect you either read and really understand the code
NH> or do some real world testing on YOUR hardware and file systems.  The
NH> penalties for too much RAM are minimal; the penalties for too little are
NH> ... substantial.

NH> Note that you don't have to leave file systems mounted RW all the time,
NH> especially a backup server.  Mount it RW when you need it, dismount or
NH> RO it when you don't...tripping over the power cords won't
NH> (shouldn't?) corrupt a file system that is mounted RO. You don't get to
NH> ignore the issues, but you can reduce their occurrence.


  I was entertaining the idea of making a 100 TB OpenBSD based archive
storage, even asked the list. The only answer pointed to that FAQ page, and
it stopped me from pursuing that idea. Servers with 128 GB of RAM aren't
uncommon, but expensive (comparing to 64/32 GB ones).

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: OpenBSD 5.5 ISAKMPD

2015-01-17 Thread Boris Goldberg
Hello Motty,

Friday, January 16, 2015, 5:24:33 PM, you wrote:

MC> is actually OpenBSD 4.8 not OpenBSD 5.5, I apologize for the mistake.

>> I'm trying to setup IPSec Tunnel using the following parameters.
>> Phase 1
>> exchange encryption: AES256
>> Data Integrity: SHA256
>> DH: group 20
>> Aggressive Mode
>>
>> phase 2
>> encryption: AESGCM256
>> HASH: SHA384

  Looking at the manual page for isakmpd.conf, OpenBSD-4.8:
  {group} is either GRP1, GRP2, GRP5, GRP14, or GRP15 - seems like group 20
isn't supported (not even in current, according to the man).
  Support of AESGCM starts in 5.0 (again according to man).
  Not sure if you can use just SHA2 (not SHA2-256 or SHA2-384).

  Start with the suite examples from the man page (of your system). Only if
they work - try to adjust them (if really needed).

  Make sure there are no trailing spaces in your isakmpd.conf. I've had a
lot of fun with it in the past. It could have been fixed since, though.

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



disk quotas bug fix [was: quotas grace period none right away]

2014-12-01 Thread Boris Goldberg
Hello misc,

  I've reported a detailed bug two months ago. The short story - the grace
period end time isn't being reset if the over_soft_quota stage is reached
by a chown command. I've confirmed it on i386 5.0 through current (as of a
month ago) and on amd64 5.4.
  Developers seemed not to have time for it, so I've asked our
consultant, Ed Bartosh bart...@gmail.com (not subscribed to the list), to
look into this. It seems like he has fixed it. Here is the patch for 5.4
(tested on i386 only yet):

Index: ufs_vnops.c
===
RCS file: /cvs/src/sys/ufs/ufs/ufs_vnops.c,v
retrieving revision 1.107
diff -u -p -r1.107 ufs_vnops.c
--- ufs_vnops.c 11 Jun 2013 16:42:19 -  1.107
+++ ufs_vnops.c 1 Dec 2014 21:54:44 -
@@ -448,6 +448,8 @@ ufs_chown(struct vnode *vp, uid_t uid, g
int error = 0;
daddr_t change;
enum ufs_quota_flags quota_flags = 0;
+   struct ucred *newcr;
+
 
if (uid == (uid_t)VNOVAL)
uid = DIP(ip, uid);
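Review bot: the `+` blank line added right after `struct ucred *newcr;` lands directly above the blank line that already separates the declarations from `if (uid == (uid_t)VNOVAL)`, so the function ends up with two consecutive blank lines there; drop the added one. Since `newcr` is only assigned further down, initialising it to `NULL` in this declaration would also let any later cleanup path call `crfree()` on it unconditionally without first checking whether `crget()` has run.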
@@ -484,17 +486,26 @@ ufs_chown(struct vnode *vp, uid_t uid, g
if ((error = getinoquota(ip)) != 0)
goto error;
 
-   if ((error = ufs_quota_alloc_blocks2(ip, change, cred, 
-quota_flags)) != 0) 
+   newcr = crget();
+   newcr-cr_uid = uid;
+   newcr-cr_gid = gid;
+
+   if ((error = ufs_quota_alloc_blocks2(ip, change, newcr, 
+quota_flags)) != 0) {
+   crfree(newcr);
goto error;
+   }
 
-   if ((error = ufs_quota_alloc_inode2(ip, cred ,
+   if ((error = ufs_quota_alloc_inode2(ip, newcr,
 quota_flags)) != 0) {
-   (void)ufs_quota_free_blocks2(ip, change, cred, 
+   (void)ufs_quota_free_blocks2(ip, change, newcr, 
quota_flags);   
+   crfree(newcr);
goto error;
}
 
+   crfree(newcr);
+
if (getinoquota(ip))
panic(chown: lost quota);
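Review bot: the hunk swaps the caller's `cred` for a credential that carries only `cr_uid = uid` and `cr_gid = gid` in all three quota calls, and nothing in the code says why; add a comment above `newcr = crget();` stating that the synthetic credential exists solely so the block and inode charges are attributed to the new owner, and that every other field of `newcr` is left as `crget()` returns it, so a reader of `ufs_quota_alloc_blocks2(ip, change, newcr, ...)` does not take it for the calling process's credential. The reference counting itself is right: `newcr` is freed on both `goto error` paths and once on the success path before `getinoquota(ip)`. The replaced lines `ufs_quota_alloc_blocks2(ip, change, newcr, ` and `ufs_quota_free_blocks2(ip, change, newcr, ` keep a trailing space before the line break, which the original lines also had; worth cleaning up while touching them.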


  Please advise if you see problems with that patch (besides the fact that
it's for 5.4).

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



support of really big volumes

2014-11-26 Thread Boris Goldberg
Hello misc,

  Has anyone used OpenBSD with really big arrays - 50 to 200 terabytes?
Are there any issues? Is there a rule about how many gigabytes of RAM per
terabyte mounted are needed?

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: quotas grace period none right away

2014-10-22 Thread Boris Goldberg
Hello Otto,

Monday, October 6, 2014, 10:42:32 AM, you wrote:

OM> Yeah. Have something similar in my tree. If -Wall is happy, so am I.

OM> Does it explain 5.4 problems though.
OM> I did not manage to reproduce those so far.

  It looks like the time_t patch is applicable to 5.5 (and later) only.
Am I wrong?
  Is there going to be any (further) development about that bug in 5.4?

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: Change routing tables when ISP goes down

2014-10-02 Thread Boris Goldberg
Hello Jeff,

Wednesday, October 1, 2014, 12:14:53 PM, you wrote:

J> It sounds like ping -I is what I was looking for, but when I use it, it seems
J> to be sending out the packet with the right source address, but sending it to
J> the wrong interface. Are there any tricks here?

J> Here's some data (edited) to show what I'm seeing:

J> fxp0: inet 10.16.100.1 netmask 0xfff0 broadcast 10.16.100.15

J> fxp1: inet 192.168.243.152 netmask 0xff00 broadcast 192.168.243.255

J> when I try ping -I 192.168.243.152 ucla.edu, I see the following:

J> tcpdump -i fxp0 icmp and host ucla.edu
J> tcpdump: listening on fxp0, link-type EN10MB
J> 13:06:36.478450 192.168.243.152 > 128.97.27.37: icmp: echo request
J> 13:06:37.483393 192.168.243.152 > 128.97.27.37: icmp: echo request
J> 13:06:38.493244 192.168.243.152 > 128.97.27.37: icmp: echo request

J> The routing table shows:

J> 10.16.100.0/28 link#1 UC 40 - 4 fxp0
J> 192.168.243/24 link#2 UC 10 - 4 fpx1


  The output of route -n get ucla.edu would be helpful.
  It seems like you need more knowledge about routing, otherwise there is a
very big chance you'll shoot yourself in the foot messing around with this.
Been there, probably still am.

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: quotas grace period none right away

2014-09-30 Thread Boris Goldberg
Hello Otto,

Wednesday, September 24, 2014, 2:36:58 PM, you wrote:

OM> Try to come up with a reproducable test case, include all relevant
OM> info and then we can investigate.


  Here is what I could reproduce:

root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
 Filesystem  KBytes  quota  limit  grace  files  quota  limit  grace
  /var/mail      28     10    100             8      1     10
root@mail1 ~ # dd if=/dev/random of=w00 bs=1M count=150
150+0 records in
150+0 records out
157286400 bytes transferred in 2.679 secs (58707553 bytes/sec)
root@mail1 ~ # mv w00 ~test_spam/
root@mail1 ~ # chown test_spam /var/mail/test_spam/w00
root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
 Filesystem  KBytes  quota  limit  grace  files  quota  limit  grace
  /var/mail 153660*     10    100  18:10      9      1     10
root@mail1 ~ # edquota -t
Time units may be: days, hours, minutes, or seconds
Grace period before enforcing soft limits for users:
/var/mail: block grace period: 30 days, file grace period: 30 days
root@mail1 ~ # date
Mon Sep 29 14:12:42 CDT 2014
root@mail1 ~ # rm /var/mail/test_spam/w00
root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
 Filesystem  KBytes  quota  limit  grace  files  quota  limit  grace
  /var/mail      28     10    100             8      1     10

root@mail1 ~ # date
Mon Sep 29 18:47:44 CDT 2014
root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
 Filesystem  KBytes  quota  limit  grace  files  quota  limit  grace
  /var/mail      28     10    100             8      1     10
root@mail1 ~ # dd if=/dev/random of=~test_spam/w00 bs=1M count=150
150+0 records in
150+0 records out
157286400 bytes transferred in 2.059 secs (76367302 bytes/sec)
root@mail1 ~ # chown test_spam /var/mail/test_spam/w00
root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
 Filesystem  KBytes  quota  limit  grace  files  quota  limit  grace
  /var/mail 153660*     10    100  13:31      9      1     10
root@mail1 ~ # rm /var/mail/test_spam/w00
root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
 Filesystem  KBytes  quota  limit  grace  files  quota  limit  grace
  /var/mail      28     10    100             8      1     10

root@mail1 ~ # date
Tue Sep 30 08:38:03 CDT 2014
root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
 Filesystem  KBytes  quota  limit  grace  files  quota  limit  grace
  /var/mail      28     10    100             8      1     10
root@mail1 ~ # dd if=/dev/random of=~test_spam/w00 bs=1M count=150
150+0 records in
150+0 records out
157286400 bytes transferred in 2.074 secs (75822855 bytes/sec)
root@mail1 ~ # chown test_spam /var/mail/test_spam/w00
root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
 Filesystem  KBytes  quota  limit  grace  files  quota  limit  grace
  /var/mail 153660*     10    100   none      9      1     10
root@mail1 ~ # rm /var/mail/test_spam/w00
root@mail1 ~ # quota test_spam
Disk quotas for user test_spam (uid 1003):
 Filesystem  KBytes  quota  limit  grace  files  quota  limit  grace
  /var/mail      28     10    100             8      1     10

root@mail1 ~ # dmesg | head
OpenBSD 5.4-stable (GENERIC.MP) #3: Wed Apr  2 16:44:04 CDT 2014
r...@build32.twopoint.com:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU 3060 @ 2.40GHz (GenuineIntel 686-class) 2.41 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,LAHF,PERF
real mem  = 3621744640 (3453MB)
avail mem = 3551121408 (3386MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xee000 (47 entries)
bios0: vendor HP version W04 date 04/06/2007
bios0: HP ProLiant DL320 G5


  I've also started the test case on another computer (turned on user
quotas and created a new user) - everything starts unfolding the same way:

# quota test
Disk quotas for user test (uid 1002):
 Filesystem  KBytes  quota  limit  grace  files  quota  limit  grace
       /wrk       4     10    100             1      1     10
# dd if=/dev/random of=/wrk/test/w00 bs=1M count=150
150+0 records in
150+0 records out
157286400 bytes transferred in 14.572 secs (10793030 bytes/sec)
# chown test /wrk/test/w00
# quota test
Disk quotas for user test (uid 1002):
 Filesystem  KBytes  quota  limit  grace  files  quota  limit  grace
       /wrk 153636*     10    100  7days      2      1     10
# rm /wrk/test/w00
# quota test
Disk quotas for user test (uid 1002):
 Filesystem  KBytes  quota  limit  grace  files  quota  limit  grace
       /wrk       4     10

Re: quotas grace period none right away

2014-09-24 Thread Boris Goldberg
Hello Otto,

Tuesday, September 23, 2014, 10:54:56 AM, you wrote:

OM> Grace moves to none if you go above the hard limit. If mail delivery
OM> is done by root, quotas are not enforced, so you can go over the hard
OM> limit, nulling the grace period.

OM> This is a problem I solved a long time ago by using a patch to do
OM> local mail delivery as a specific user, but that diff was never
OM> committed.

  I've read your post about it, but in my case it doesn't go above the hard
limit, just slightly above the soft one (for a time definitely less than
one day). The quota is 10/100, so there is (should be) a long way
between them.

  Just noticed something else. I was playing with creating and deleting big
files yesterday - it was showing a grace period of 7 days (before I deleted
the files). Created another one today - the grace period is 6 days. Is it
supposed to have that long a memory (over 12 hours)? I don't believe it was
like that before (in 5.0).

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: quotas grace period none right away

2014-09-24 Thread Boris Goldberg
Hello Craig,

Wednesday, September 24, 2014, 3:56:35 AM, you wrote:

CRS> How about Dovecot & sieve ...

  Does this mean you tried and found out (or knew) that disk quotas were
not going to work for you?

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



quotas grace period none right away

2014-09-23 Thread Boris Goldberg
Hello misc,

  I'm using i386 5.4-stable (GENERIC.MP) with user quotas (only) set on one
FS (it's the default FS, nothing special). The grace period is 7 days, edquota
-t confirms it. It works fine if I create/chown files from the shell, but it
changes to none right away with everyday operations (twice already).
  The box has rebooted after the quotas were set, so quotacheck did run.
  This might have something to do with the fact that this is a mail server,
and mail is being delivered by root (by procmail to maildirs, if it makes a
difference). I've found an old message of Otto's about something remotely
related.

  Does someone have a deeper understanding of this situation or has
experienced something similar?

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



dcc port

2014-08-21 Thread Boris Goldberg
Hello misc,

  We needed to install DCC (to work with SpamAssassin), couldn't find an
OpenBSD port, so we've built it ourselves. Does anyone want it?
  It's for 5.4 i386. We probably can compile it for 5.4 amd64. We won't be
able to compile it for 5.5 or 5.6, so we can't maintain the port.
  The package installs fine, but requires a manual transfer of the /var/dcc/
content. That could be improved if someone explains how to put stuff
outside of /usr/local/.

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: IPSEC with redundant remote peer address

2014-08-07 Thread Boris Goldberg
Hello Stuart,

Wednesday, August 6, 2014, 8:01:21 AM, you wrote:

SH> On 2014-08-05, David Dahlberg david.dahlb...@fkie.fraunhofer.de wrote:
>> I do not know enough of Cisco to be able to tell you whether or not
>> one may cluster their routers/VPN gateways. But you have multiple
>> options to emulate the fallback behaviour that you described above.
>>
>> 1) Just configure two tunnels, to both Cisco gateways. Give one route(8)
>>    -priority, or use a dynamic routing protocol.
>>
>> 2) You may use ifstated or similar to monitor the gateways and tunnels
>>    and switch over, when indicated.

SH> Note that for these methods you'll need to use some explicit encapsulation
SH> (for example, gif or gre) rather than using standard ipsec tunnels. On
SH> OpenBSD IPsec is flow-based and there is no option for route-based like
SH> various other vendors support.

  I couldn't directly manipulate IPsec related routing, but there is a way
to do it indirectly. The narrower route takes priority, so you can
slightly adjust one of the tunnels. For example, if it goes from
192.168.1.0/24 to 10.0.0.0/8 you can make the primary one from
192.168.1.0/24 to 10.0.0.0/9 (and maybe a second primary to 10.128.0.0/9
if you really need it). Or you can make the secondary one from
192.168.0.0/23 to 10.0.0.0/8.
  If you make just two tunnels it will be redundant, but not very
responsive to a lost connection, because tunnels don't check themselves
very often (sometimes this is what you need). If you need something more
responsive you can play with phase 2 lifetimes (not sure if this is a good
idea) or have some watchdog process (ifstated?) force phase 2
renegotiation if the connection is lost.

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: reload isakmpd

2014-07-27 Thread Boris Goldberg
Hello Motty,

Friday, July 25, 2014, 10:17:15 AM, you wrote:

mc> Hello, how to reload configuration without restarting isakmpd?

  I assume you start isakmpd directly (configuring isakmpd.conf and
isakmpd.policy). Then you'll see in the process list something like

process_number_1 ... isakmpd
process_number_2 ... isakmpd: monitor [priv] (isakmpd)

  kill -1 process_number_2 will make isakmpd reload its configuration.

  kill -1 `cat /var/run/isakmpd.pid` also works in most cases.

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: nat-to private address

2014-06-26 Thread Boris Goldberg
Hello Tuyosi,

Thursday, June 26, 2014, 5:34:05 AM, you wrote:

TT> according to man pf.conf
TT> 10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8)
TT> 172.16.0.0 - 172.31.255.255 (i.e. 172.16/12)
TT> 192.168.0.0 - 192.168.255.255 (i.e. 192.168/16)
TT> nat-to is usually applied outbound. If applied inbound, nat-to
TT> to a local IP address is not supported.

  It is confusing, but probably means something else. I have a number of
nat-to rules to private IPs, and they work fine. I'm not running the latest
version, but hope the nat-to behavior hasn't changed (the man page hasn't).

  nat-to can be tricky, you need to make sure the packets in question are
going into the interface you want *before* the NAT. Here comes the routing,
which is especially tricky, because in a number of cases running route add
isn't enough (or doesn't help at all).

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: LAN vs VLAN interface performance

2014-06-20 Thread Boris Goldberg
Hello ML,

Thursday, June 19, 2014, 2:21:38 AM, you wrote:

Mm> I have four /24 subnets and currently have one subnet per ethernet
Mm> interface (1Gbit/s) on my openbsd firewall. Now I was wondering if in
Mm> terms of performance (especially latency/pps) it is better to have one
Mm> subnet per ethernet interface like I have now or to have the four
Mm> subnets on one single interface using vlan interfaces?

Mm> The traffic/bandwidth here is not really an issue and the one single
Mm> interface would be a 10 Gbit/s interface anyway so it can accommodate
Mm> the traffic of 4 VLANs without problem.

Mm> Note here that I would also be using the trunk interface to aggregate
Mm> two 10 Gbit/s interfaces for redundancy. So my four VLANs would be inside a
Mm> trunk interface.

  Sorry for the OT, but hadn't you separated them for a reason in the
first place? There is no real security separation between vlans.

  Also OT - is OBSD already handling 10 gigabit interfaces at full
capacity?

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



antiviruses executable on OpenBSD

2014-04-03 Thread Boris Goldberg
Hello misc,

  We are building a new mail server (migrating from Linux). It uses amavis
with f-prot, drweb and clam antiviruses to check emails. The f-prot is ok.
The drweb catches much less, but sometimes catches something f-prot doesn't.
The clam catches pretty much nothing.
  The (almost useless) clam is the only one that has official OpenBSD
support.
  The drweb isn't supporting OpenBSD anymore; its last OBSD version was
built for OBSD 4.1, but is still working on 5.4 (somehow). For sure it won't
work on 5.5. The scan engine and signatures are being updated, but the
situation is not promising.
  The f-prot isn't supporting (any) BSD anymore; the last OBSD version was
built for OBSD 4.8. I had to re-introduce 4.8 compatibility in the 5.4 kernel
to make it work - a risky move, requiring putting back some code from 5.0.
The scan engine isn't being updated. The signatures are being updated and
supported, but the situation is even worse than the one with drweb.

  I did some googling and also checked the sites of antiviruses known for
good virus catching scores (like Kaspersky and Bitdefender) - everyone
seems to drop OpenBSD support.
  Do you know of any reliable antivirus scanners (free or not) that would
run on modern OpenBSD?

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: upgrades no longer allow ftp for sets

2014-03-27 Thread Boris Goldberg
Hello Theo,

Wednesday, March 26, 2014, 3:18:59 PM, you wrote:

TdR> ... placing openssl there is not part of any solution that would work.
TdR> What are other possible solutions?

  Do you think sftp would fit? Can you replace ftp with sftp?
  I'd prefer to maintain a limited access sftp server rather than a http
one.

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: upgrades no longer allow ftp for sets

2014-03-27 Thread Boris Goldberg
Hello misc,

Thursday, March 27, 2014, 9:14:00 AM, Jiri wrote:

JB> Could you please elaborate why not sftp for sets (and/or
JB> for pkg_add)?

  I'll rephrase: can someone besides Theo elaborate? It was an obvious
mistake to reply to his email (to be fair, I've addressed it to misc, not
to him).
  In his long email Theo was talking about openssl. It's my understanding
that openssh is going away from openssl, so I don't see a direct
connection. I also see that psftp (from the putty) is about 300K, and I
don't believe it has any important dependencies (kerberos could be ignored
in this case).
  BTW, what is limiting the bsd.rd size? It's not for a floppy. I've tried
searching and found only a rumor that there might be a size limit.

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



ciss driver status

2014-03-19 Thread Boris Goldberg
Hello guys,

  It says in the man ciss:

CAVEATS
 For purposes of status monitoring, the current code only supports one
 logical volume per controller.


  Is this still true? If I make more than one array with one controller and
type bioctl ciss0 - what will it show me?

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: new queueing subsystem

2013-10-18 Thread Boris Goldberg
Hello Henning,

Friday, October 18, 2013, 5:37:23 AM, you wrote:

>>   I extensively use cbq and am very confused by the current queuing manual. It
>> seems that the actual speed will be somewhere between min and max (and won't
>> be equal to bandwidth), but how to get an idea where?

HB> bandwidth is the target bandwidth, the actual assigned one is
HB> somewhere between min and max indeed.

  You do realize that you haven't answered the question, don't you? Your
previous email and the presentation help a bit, but not really.
  Will the actual queue speed be pushed towards max or bandwidth (and
how close) if other siblings are almost still?
  Will the actual queue speed be pushed towards min or bandwidth (and
how close) if other siblings are extremely busy?
  Other tips to migrate extensive cbq queues (with borrowing) would be
very helpful and appreciated.

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: new queueing subsystem

2013-10-17 Thread Boris Goldberg
Hello Otto,

Wednesday, October 16, 2013, 10:05:04 AM, you wrote:

OM> This will not be in 5.4, it will be in 5.5. If you see shortcomings in
OM> the docs explain in more detail.

  It might be a good idea to return the altq section to the pf.conf man
page for current.
  You probably need to mention that the new queuing uses the hfsc model and
what the hfsc model is.

  I extensively use cbq and am very confused by the current queuing manual. It
seems that the actual speed will be somewhere between min and max (and won't
be equal to bandwidth), but how to get an idea where?
  Does the set prio affect this queuing or does it just create some separate
queues?

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



new queueing subsystem

2013-10-16 Thread Boris Goldberg
Hello misc,

  The changes in the pf queueing subsystem (for some reason not mentioned
in the http://openbsd.org/faq/upgrade54.html) are getting me worried.
  Couldn't find the word altq in the
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html.
Is the old queueing gone? Is an existing pf.conf not going to work with 5.4?
  How does the new queueing work? The manual gives the syntax (quite limited
compared to altq - in my opinion), but doesn't really explain
anything. For example - is there bandwidth borrowing and how is it
prioritizing?

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: softraid: adding volumes, CPU requirements, RAID5

2013-07-05 Thread Boris Goldberg
Hello guys,

Thursday, July 4, 2013, 12:40:50 PM, Nick Holland wrote:

>>   If softraid is still so raw, why was the good old RAIDframe removed
>> starting with 5.2? It works just fine for me. Big volume rebuilds take a
>> long while, but it's something working.

NH> That's quite a leap from "RAID 5 is not ready for use" to "softraid is
NH> so raw".  RAID5 is one discipline of several that isn't complete.  RAID0
NH> is ready for use, RAID1 is ready for use, crypto is ready for use.

  I've tried to use the nicer word. "Not fully functional" and "raw" are
synonyms.

NH> It is also quite a leap to call old RAIDframe "good".
NH> It was horribly old, unmaintained code, which wasn't well loved by
NH> developers when it was fresh and current.

NH> Your assumptions are wrong.

  I am not assuming, I'm talking from experience. It works. I can install
to it (after a small tweak in the script). I boot from it (after a small
tweak in the code to pick up swap on raid). It continues to work if one
disk fails. It repairs (automatically if you replace the disk and boot -
doing a much better job than md from Linux). In other words - it's fully
functional with some flaws. "Fully functional" is the key expression here.

  Is RAIDframe old? Yes, but old isn't necessarily bad if it's working.
  Did it need a replacement? Yes, if no one was willing to maintain it.
  Did you need to kill it *before* the replacement is ready? Definitely no.

  Could you, please, return the RAIDframe support until the softraid is
ready?

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: softraid: adding volumes, CPU requirements, RAID5

2013-07-05 Thread Boris Goldberg
Hello Tony,

Friday, July 5, 2013, 10:09:37 AM, you wrote:

TA> "It works."
TA> Translation:
TA> "It has worked (mostly) for me. (A few times)"

  Don't try to translate from the language you don't understand.
  It's in production on more than a few servers now, and has been for more
than ten years.

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: softraid: adding volumes, CPU requirements, RAID5

2013-07-04 Thread Boris Goldberg
Hello guys,

Tuesday, July 2, 2013, 5:53:04 PM, Nick Holland wrote:

NH> RAID5 rebuild is still not there - there's no RAID5 rebuild.  I'm not
NH> sure how to make it more clear...

NH> Ok, let's try this...
NH> Today, you take four 1TB disks, and make a 3TB RAID5 volume.  You can do
NH> that.  Works great.

NH> Now, a lot of people might call this "Job Done".  Not me.  The point of
NH> RAID isn't to build complicated systems, but to have the system keep
NH> your butt out of the fire when things go wrong.

NH> Next month, one of those drives fails.  That's ok, RAID5 is designed to
NH> keep your data usable with one drive down.  THAT is the point of RAID.

NH> You pat yourself on the back and say, "I'm glad I am using RAID5".
NH> You replace the failed drive and...
NH> ...
NH> um... now what?
NH> You have a three drive degraded RAID5 system with no remaining
NH> redundancy...and a new drive that is currently unused.  You have no
NH> ability to rebuild the function of the failed drive into the new
NH> drive...because the RAID5 rebuild is not there.

NH> Oh, poo.

NH> Your options?  Well,
NH> * you can build a NEW array on other disks (hope you have enough ports
NH> to plug them into), copy the data from the old one to the new one
NH> * you can hope your backup system is perfect, and rebuild the entire
NH> array and reload from backup
NH> * you can hope a second drive doesn't fail in your array... for the life
NH> of the system.

NH> Not much else I can think of.

  If softraid is still so raw, why was the good old RAIDframe removed
starting with 5.2? It works just fine for me. Big volume rebuilds take a
long while, but it's something working.

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: OpenBSD ipsec gateway behind a router

2011-11-14 Thread Boris Goldberg
Hello Mik,

Sunday, November 13, 2011, 8:06:32 AM, you wrote:

MJ> I would like to know if such configuration is possible.

MJ> LAN1 (192.168.10.0/24) -- OpenBSD .99 -- .254 Router IPx -- Internet -- IPy IPSec_GW (Vendor) -- LAN2 (192.168.20.0/24)

MJ> As you can see the OpenBSD 4.9 server sits on the LAN1 and has one
MJ> physical interface. When it wants to access to the internet, its address
MJ> 192.168.10.99 is natted in IPx and that's how the IPSec_GW(Vendor) sees
MJ> the source packets.

MJ> It's not really important now if other machines on LAN1 should ping
MJ> machines on LAN2. I would like for now that the OpenBSD could ping
MJ> machines on LAN2.

MJ> I have search for examples on the internet for this particular case
MJ> because the OpenBSD is behind a nat router. And I haven't found the
MJ> proper way to do this. I don't even know if it's possible. I know some
MJ> kind of nat-t should be used though.

MJ> Does anyone have this configuration in place ?

  There are two problems in that configuration: IPSEC behind a NAT and one
physical interface.

  IPSEC behind a NAT more often works than not. I have a similar working
configuration myself (but with two interfaces). I would recommend using UDP
encapsulation if the other side supports it.

  I would recommend getting a computer with 2 network interfaces. Otherwise
it's going to be very complicated at best. /24 (on the left) is for sure
not going to work.



Re: Routing issue with VPN tunnel

2008-12-16 Thread Boris Goldberg
Hello Danial,

Sunday, December 14, 2008, 6:06:12 PM, you wrote:

D> The remote tunnel endpoint expects traffic originating from
D> a specific ip address - the internal ip of the firewall.

> I have a tunnel successfully set up between my OpenBSD 3.8
> and a Cisco 7200 router.
> ...
> There are ACLs on the $remote_gw which only allow traffic
> NATed with my $int_if ip. Hence this nat in pf.conf:
> nat on enc0 inet from $int_net to $remote_host -> $int_if
> ...
> What I CAN do is ping the $remote_host through the tunnel
> from the $int_if with the following command:
> # ping -I $int_if $remote_host

> This works and replies are received!


> But if I try pinging from the $internal_host:
> c:\> ping $remote_host

> This doesn't work. The packets are not sent through the
> tunnel but to the internet.

  I have a working tunnel like yours. Maybe there is a way to do it
right, but I haven't found one. But here is a workaround:

  Your tunnel is probably host-to-host - don't change it, but add an
additional network-to-host one. That dummy tunnel won't actually transfer
anything, but will route packets from your internal network to enc0, then
your nat rule will change them and everything should work.

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: HP DL180 hangs on boot

2008-11-07 Thread Boris Goldberg
Hello Alexander,

Thursday, November 6, 2008, 7:44:16 AM, you wrote:

AH> OpenBSD 4.4-current (RAMDISK_CD) #203: Sun Nov  2 13:41:35 MST 2008
AH> [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/RAMDISK_CD

  You might want to try i386.

AH> uhid at uhidev1 not configured
AH> ...
AH> uhid at uhidev3 reportid 2 not configured
AH> uhid at uhidev3 reportid 3 not configured
AH> uhid at uhidev3 reportid 4 not configured
AH> uhid at uhidev3 reportid 16 not configured
AH> uhid at uhidev3 reportid 17 not configured

  Try to disable uhid in the kernel.

AH> softraid0 at root

  Is there a way to boot without a softraid (just to make sure it's not
causing the problem)?

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: Can OpenBSD run in 24 MB of RAM?

2008-09-05 Thread Boris Goldberg
Hello Shr,

Wednesday, September 3, 2008, 10:00:22 PM, you wrote:

sdc> I've searched the FAQ and the Web for any guidance on what the minimum RAM
sdc> is for OpenBSD, with and without X.

sdc> I just acquired a Compaq Armada 1125 laptop that maxes out at 24 MB of
sdc> RAM, and I'm wondering whether or not it's feasible to run OpenBSD on it.

$ dmesg
OpenBSD 3.5 (GENERIC) #34: Mon Mar 29 12:24:55 MST 2004
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel 486DX (486-class)
real mem  = 20824064 (20336K)
avail mem = 13275136 (12964K)
using 279 buffers containing 1142784 bytes (1116K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 01/10/94
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0x8000
isa0 at mainbus0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
vga0 at isa0 port 0x3b0/48 iomem 0xa/131072
wsdisplay0 at vga0: console (80x25, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
wdc0 at isa0 port 0x1f0/8 irq 14
wd0 at wdc0 channel 0 drive 0: WDC AC21600H
wd0: 16-sector PIO, LBA, 1549MB, 3173184 sectors
wd1 at wdc0 channel 0 drive 1: QUANTUM FIREBALL EX5.1A
wd1: 16-sector PIO, LBA, 4892MB, 10018890 sectors
wd0(wdc0:0:0): using BIOS timings
wd1(wdc0:0:1): using BIOS timings
ep0 at isa0 port 0x300/16 irq 10: address 00:20:af:27:c1:5d, utp/aui/bnc (default utp)
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16450, no fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16450, no fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask 4040 netmask 4440 ttymask 44c2
pctr: no performance counters in CPU
dkcsum: wd0 matched BIOS disk 80
dkcsum: wd1 matched BIOS disk 81
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

$ swapctl -kl
Device  1K-blocks UsedAvail Capacity  Priority
swap_device102312 442097892 4%0

$ uptime
10:07AM  up 378 days, 16:48, 1 user, load averages: 0.20, 0.21, 0.14

  It's a 486DX4 50MHz with 20 meg of RAM, working as a production (!)
secondary mail/DNS server. It has been used (and occasionally is still used)
as an ftp server (vsftp) - the login process is slow, but transfer(s) at full
T1 speed cause no problem.
  I've installed a GENERIC 3.5 from floppy/ftp very easily. Modern boxes
are giving me much more trouble.
  There is no X, of course.

  Don't know if OBSD 4.4 requires much more resources than 3.5, but the
size of the GENERIC kernel is just a little bigger.

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: OT: Can an SSH alternative to WebDav be use on OpenBSD

2008-01-25 Thread Boris Goldberg
Hello Daniel,

  I believe it should be possible to set up samba-over-ssh. I mean samba
listening on localhost only on the server and putty
(www.chiark.greenend.org.uk/~sgtatham/putty/) with port forwarding on
clients.
  You can also use samba-over-ipsec. IPSec is not less secure than ssh and
gives you more flexibility.

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: HP DL320G5P doesn't boot

2007-12-21 Thread Boris Goldberg
Hello RedShift,

Friday, December 21, 2007, 4:41:53 AM, you wrote:

R> I've got a new DL320G5P to play with for a very short while, while I'm
R> waiting for the SAS controller cable to arrive (it's supposed to have
R> another OS on it, which shall remain nameless). So I have the luxury of
R> testing out this fine machine, but it doesn't boot under OpenBSD. It
R> hangs at the following point:

R> uhid at uhidev4 not configured

  It looks like your box is an upgraded version of the DL320G I have. OpenBSD
works on mine after some kernel tuning - there are a couple of threads about
it in the archive. I think you need to enable acpi and (maybe) disable uhid
(in my case it's uhci) in the kernel. If it doesn't help with the amd64 kernel
you can try i386 (because your cpu is Intel).

  I don't see a reason for all that work in the first place, because you
don't really need OpenBSD on that box (you are saying that it will get
another OS anyway).

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



cant properly set up kernel to have root and swap on a RAIDframe device

2007-11-05 Thread Boris Goldberg
Hello misc,

  I've been booting my system from RAIDframe partitions for a long while.
Small partition for kernel(s), raidctl -A root raid0 - and I have root on
raid0a and swap on raid0b.
  But with 4.2 I'm getting a "swapmount: no device" error from the kernel and
"savecore: no core dump (no dumpdev)" later. However, root is still on
raid0a (but no swap).

  I've tried "config bsd root on raid0a swap on raid0b dumps on wd0b" in a
kernel config, but got:

# config GENERIC.MP.RAID
../../../../arch/i386/conf/GENERIC.RAID:45: bsd: can't make root device from `raid0a'
../../../../arch/i386/conf/GENERIC.RAID:45: bsd: can't make swap device from `raid0b'
GENERIC.MP.RAID has no configurations!
*** Stop.

  I have an idea about a (pretty nasty) workaround, but is there a way to
make it right?

  BTW, "config bsd root on wd0a swap on wd0b dumps on wd0b and wd1b" should
be ok (according to the man page), but config doesn't like "and wd1b".

# dmesg
OpenBSD 4.2-stable (GENERIC.MP.RAID) #0: Thu Oct 18 17:40:50 CDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP.RAID
cpu0: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
real mem  = 1071640576 (1021MB)
avail mem = 1028104192 (980MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xee000 (47 entries)
bios0: vendor HP version W04 date 04/06/2007
bios0: HP ProLiant DL320 G5
pcibios0 at bios0: rev 3.0 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
pcibios0: PCI bus #11 is the last bus
bios0: ROM list: 0xc/0xb000 0xcc400/0x3400! 0xcf800/0x1a00 0xe6000/0x2000!
acpi0 at mainbus0: rev 2
acpi0: tables DSDT FACP SPCR MCFG HPET SPMI APIC SSDT
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200 MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
acpiprt0 at acpi0: bus 11 (IP2P)
acpiprt1 at acpi0: bus 5 (PCXS)
acpiprt2 at acpi0: bus 4 (PCXA)
acpiprt3 at acpi0: bus 3 (ICHE)
acpiprt3: no apic found for irq 47
acpiprt4 at acpi0: bus 6 (IPE4)
acpiprt5 at acpi0: bus 1 (PTA0)
acpiprt6 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpicpu4 at acpi0
acpicpu5 at acpi0
acpicpu6 at acpi0
acpicpu7 at acpi0
acpitz0 at acpi0, critical temperature: 31 degC
ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 spacing 1
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7230 MCH rev 0xc0
ppb0 at pci0 dev 1 function 0 Intel E7230 PCIE rev 0xc0
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 vendor TI, unknown product 0x8231 rev 0x03
pci2 at ppb1 bus 2
puc0 at pci2 dev 0 function 0 Sunix 40XX rev 0x01: ports: 2 com
pccom3 at puc0 port 0 apic 8 int 16 (irq 11): ti16750, 64 byte fifo
pccom4 at puc0 port 1 apic 8 int 16 (irq 11): ti16750, 64 byte fifo
ppb2 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci3 at ppb2 bus 3
ppb3 at pci3 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xb5
pci4 at ppb3 bus 4
bge0 at pci4 dev 4 function 0 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): apic 8 int 16 (irq 11), address 00:1b:78:07:c8:fc
brgphy0 at bge0 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0
bge1 at pci4 dev 4 function 1 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): apic 8 int 17 (irq 10), address 00:1b:78:07:c8:fd
brgphy1 at bge1 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0
ppb4 at pci4 dev 8 function 0 ServerWorks HT-1000 PCIX rev 0xb4
pci5 at ppb4 bus 5
ppb5 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01
pci6 at ppb5 bus 6
ppb6 at pci6 dev 0 function 0 vendor IDT, unknown product 0x8018 rev 0x04
pci7 at ppb6 bus 7
ppb7 at pci7 dev 0 function 0 vendor IDT, unknown product 0x8018 rev 0x04
pci8 at ppb7 bus 8
em0 at pci8 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 8 int 17 (irq 10), address 00:18:fe:2e:27:25
em1 at pci8 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: apic 8 int 16 (irq 11), address 00:18:fe:2e:27:24
ppb8 at pci7 dev 1 function 0 vendor IDT, unknown product 0x8018 rev 0x04
pci9 at ppb8 bus 9
em2 at pci9 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 8 int 18 (irq 5), address 00:18:fe:2e:27:27
em3 at pci9 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: apic 8 int 17 (irq 10), address 00:18:fe:2e:27:26
ppb9 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01

Re: HP ProLiant DL320 v. Sun Fire V125

2007-11-04 Thread Boris Goldberg
Hello Kai,

  Thank you very much for the reply. It's helpful.

Wednesday, October 31, 2007, 8:57:53 AM, you wrote:

KM> We run quite fine here with 4.2-current from today on a DL320G5, after:

KM> enabling write cache in the HP Bios !

  It looks like the BIOS write cache settings don't change anything
(atactl does it).

KM> enabling amd64 bsd.mp

  Your CPU is Xeon, mine is Pentium D. Don't think amd64 will work for me.

KM> enabling acpi

  How exactly do you do it?
  My acpi-related lines are

#option ACPIVERBOSE
#option ACPI_ENABLE

acpi0   at mainbus?
acpitimer*  at acpi?
#acpihpet*  at acpi?
#acpiac*at acpi?
#acpibat*   at acpi?
#acpibtn*   at acpi?
acpicpu*at acpi?
#acpidock*  at acpi?
acpiec* at acpi?
acpiprt*at acpi?
acpitz* at acpi?

  Do I need to uncomment the options or are they active by default anyway? Are
there any documents about it?

KM> enabling write cache for wd0 in the system with:
KM> # atactl wd0 writecacheenable

  Where do you put this command? For now I just ran it manually (and
tested the result). I think it makes sense to activate the write cache
before checking (and possibly recovering) RAIDframe devices, but rc.secure
and rc.local are being called after that. Is it a good idea to put these
atactl commands into /etc/rc right before the "#Configure ccd devices" line?

KM> Before we had horrible 2MByte write speed, now we have 67MByte.

  I'm getting about a 16 times speed increase on copying a 1.2 gig file.
Are there any performance tests for OpenBSD, BTW?

KM> The bge interfaces also seem to run fine.

  Have you tried to boot with a network cable unplugged and then plug it in?
My bge* (on two computers so far) detects a media of 10 megabit in that
case (ifconfig down/up makes it detect the right media - 100 or 1000
megabit). em* devices don't have that (minor?) bug.

KM> Compaq iLO rev 0x03 at pci6 dev 4 function 0 not configured
KM> Compaq iLO rev 0x03 at pci6 dev 4 function 2 not configured
KM> uhci4 at pci6 dev 4 function 4 Hewlett-Packard USB rev 0x00: apic 8 int 23 (irq 11)
KM> Hewlett-Packard IPMI rev 0x00 at pci6 dev 4 function 6 not configured
KM> usb1 at uhci4: USB revision 1.0
KM> uhub1 at usb1 Hewlett-Packard UHCI root hub rev 1.00/1.00 addr 1

  Did you do something special about uhci*? Mine is giving errors on two
computers already. Sometimes it even crashes to ddb:

uhci4 at pci7 dev 4 function 4 Hewlett-Packard USB rev 0x00: irq 11
uhci4: cannot stop
Hewlett-Packard IPMI rev 0x00 at pci7 dev 4 function 6 not configured
Stopped at  uvm_pglistalloc_simple+0xc5:    addl    $0x1000,0xffec(%ebp)
uvm_pglistalloc_simple(1,100,3fe64000,d08c7af0,d07ac860) at uvm_pglistalloc_simple+0xc5
uvm_pglistalloc(1000,100,3fe64000,1000,0,d08c7af0,1,0) at uvm_pglistalloc+0x35c
_bus_dmamem_alloc_range(d075d900,1000,10,0,d18f6b4c) at _bus_dmamem_alloc_range+0x52
_bus_dmamem_alloc(d075d900,1000,10,0,d18f6b4c,1,d18f6b54,1) at _bus_dmamem_alloc+0x30
usb_block_allocmem(d075d900,1000,10,d08c7bd0) at usb_block_allocmem+0xa1
usb_allocmem(d191f000,1000,10,d08c7bd0) at usb_allocmem+0x39
uhci_alloc_sqh(d191f000,1000,1000,d191f274,d18f7234) at uhci_alloc_sqh+0x4a
uhci_init(d191f000,4,d078ebe0,80072000) at uhci_init+0x130
uhci_pci_attach_deferred(d191f000,8007f800,c,0,20) at uhci_pci_attach_deferred+0x24
config_process_deferred_children(d18f7180,0,0,d18f7200,20) at config_process_deferred_children+0x59
ddb> c
usb1 at uhci4: USB revision 1.0
uhub1 at usb1: Hewlett-Packard UHCI root hub, rev 1.00/1.00, addr 1

  Also, does iLO 2 Remote Console (a Java one) work for you?

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-25 Thread Boris Goldberg
Hello Brian,

Wednesday, October 24, 2007, 3:28:36 PM, you wrote:

B> OpenNTPD runs as a 'daemon,' yes, but it does so using privilege
B> separation and other goodies.  The network code runs as a normal user,
B> isolated from other users.  This is superior to running rdate AS ROOT
B> from a cronjob.  OpenNTPD does not open any TCP or UDP ports by default.

B> It is true that rdate has about 63% less lines of code than ntpd and is
B> older, and may have had more code audits performed; However, ntpd is new
B> code, written with security in mind, runs as a normal user (privilege
B> separated for the most part) and has superior time keeping ability.

B> Your advice about not running a daemon if it's possible to do the task
B> otherwise may be true with a (bloated) daemon such as ntp.org ntpd,
B> however, with OpenNTPD the tables are turned.  It is far safer to run
B> the 'daemon' than to perform the task otherwise.

B> That being said, it is up to the individual users to decide what to do.
B> Hopefully this above explanation will help those who don't necessarily
B> understand the risks of running programs as root vice daemons which
B> execute code with proper separation of privileges.

  Thank you very much for that (valuable) reply!
  BTW, this is an argument for making an OpenNTPD ntpdate tool or adding
one_time_synchronization functionality into ntpd. :)

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-25 Thread Boris Goldberg
Hello Mark,

Thursday, October 25, 2007, 4:13:09 PM, you wrote:

MZ> On Thu, Oct 25, 2007 at 11:19:21AM -0500, Boris Goldberg wrote:
MZ>
>>   Thank you very much for that (valuable) reply!
>>   BTW, this is an argument for making an OpenNTPD ntpdate tool or adding
>> one_time_synchronization functionality into ntpd. :)

MZ> From ntpd(8):

MZ>      -s  Set the time immediately at startup if the local clock is off
MZ>          by more than 180 seconds.  Allows for a large time correction,
MZ>          eliminating the need to run rdate(8) before starting
MZ>          ntpd.

MZ> Or is that not what you meant?

MZ> Just put ntpd_flags=-s into /etc/rc.conf.local.

  No, I mean synchronize_and_exit - like rdate -ncav, but more secure (with
a privilege separation, like Brian explained above in a thread).

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Boris Goldberg
Hello Clint,

Tuesday, October 23, 2007, 5:36:15 PM, you wrote:

CP> From what I have read in this thread, it looks like only one guy
CP> prefers the old timed and rdate tools. A few are even telling him he is
CP> giving bad advice when promoting the usage of these tools. Henning
CP> mentioned that rdate and timed are pretty much useless and others have
CP> said that timed is obsolete. So why don't we remove them from the source
CP> tree?

  I've never suggested (or mentioned) timed.
  Of course I was talking about the -n mode of rdate (as a replacement for
ntpdate like Paul de Weerd was suggesting in this thread).
  Maybe it makes sense to set -ncv as the default behavior of rdate, but
there should be a way to synchronize time without running a daemon (don't
understand why people are so aggressive about that) if you don't need
up-to-the-second synchronization (in my case modern hardware goes less than a
second off per day, and really old hardware - less than 10 seconds).

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: HP ProLiant DL320 v. Sun Fire V125

2007-10-24 Thread Boris Goldberg
Hello evo,

Wednesday, October 24, 2007, 12:51:13 AM, you wrote:

e> I'm choosing firewall/proxy/mail-gateway hardware running (of course)
e> OpenBSD for medium office and my shortlist is:
e> (a) HP ProLiant DL320 and (b) Sun Fire V125

  I'm upgrading my servers/firewalls to the HP ProLiant DL320 G5, and the
experience... isn't easy. First of all you need to allow acpi in an MP
kernel, otherwise it's slow and unstable (it's disabled by default and not
really documented).

  Then you have a couple more issues I couldn't resolve yet:

  First - uhci (uhci4 in my case) giving an error during boot and shutdown:

OpenBSD 4.2-stable (GENERIC) #1: Thu Oct 18 12:35:10 CDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
real mem  = 1071640576 (1021MB)
avail mem = 1028595712 (980MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xee000 (47 entries)
bios0: vendor HP version W04 date 04/06/2007
bios0: HP ProLiant DL320 G5
pcibios0 at bios0: rev 3.0 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
pcibios0: PCI bus #7 is the last bus
bios0: ROM list: 0xc/0xb000 0xcc400/0x1000 0xcd400/0x1000 0xce400/0x3400! 0xe6000/0x2000!
acpi at mainbus0 not configured
ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 spacing 1
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7230 MCH rev 0xc0
ppb0 at pci0 dev 1 function 0 Intel E7230 PCIE rev 0xc0
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci2 at ppb1 bus 2
ppb2 at pci2 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xb5
pci3 at ppb2 bus 3
bge0 at pci3 dev 4 function 0 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): 
irq 11, address 00:1b:78:07:c9:9a
brgphy0 at bge0 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0
bge1 at pci3 dev 4 function 1 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): 
irq 10, address 00:1b:78:07:c9:9b
brgphy1 at bge1 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0
ppb3 at pci3 dev 8 function 0 ServerWorks HT-1000 PCIX rev 0xb4
pci4 at ppb3 bus 4
ppb4 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01
pci5 at ppb4 bus 5
em0 at pci5 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: irq 11, 
address 00:1b:78:57:58:e0
em1 at pci5 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: irq 10, 
address 00:1b:78:57:58:e1
ppb5 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01
pci6 at ppb5 bus 6
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: irq 5
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: irq 5
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: irq 5
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: irq 5
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb6 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1
pci7 at ppb6 bus 7
vga1 at pci7 dev 3 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Compaq iLO rev 0x03 at pci7 dev 4 function 0 not configured
Compaq iLO rev 0x03 at pci7 dev 4 function 2 not configured
uhci4 at pci7 dev 4 function 4 Hewlett-Packard USB rev 0x00: irq 11
uhci4: cannot stop
Hewlett-Packard IPMI rev 0x00 at pci7 dev 4 function 6 not configured
usb1 at uhci4: USB revision 1.0
uhub1 at usb1: Hewlett-Packard UHCI root hub, rev 1.00/1.00, addr 1
ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM disabled
pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA, channel 0 
configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 7 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: FB160C4081
wd0: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
usb2 at uhci0: USB revision 1.0
uhub2 at usb2: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5: Intel UHCI root hub, rev 1.00/1.00, addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, 

Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Boris Goldberg
Hello Marc,

Wednesday, October 24, 2007, 1:13:23 PM, you wrote:

   Maybe it makes sense to set -ncv as the default behavior of rdate, but
 there should be a way to synchronize time without running a daemon (I don't
 understand why people are so aggressive about that) if you don't need
 up-to-the-second synchronization (in my case modern hardware goes less than a
 second off per day, and really old hardware less than 10 seconds).

MB You don't understand the implications of changing the time of a computer
MB at runtime.

  I believe I do. :)
  There are pros and cons in the daemon and in the cron scheme. I
decided to use cron and I know why. Every sysadmin/architect should make
that decision for *his* systems (and know why). Home users should
probably stay with the default (ntpd), but they are usually using Windows
and cheap hardware firewalls anyway. ;)

MB If either case is acceptable depends on the software that runs on the
MB computer.

  Exactly. And I believe that the usual case is not a cluster, a monetary
transaction server or a traffic control system.

MB A computer that controls an insulin pump probably should run at
MB constant speed whereas a computer that does a task at a certain time
MB should not skip time units.

  Have you seen an insulin pump run by an OpenBSD system? ;) Give me some
*real* examples (if you want to).

MB If a cronjob runs at 17:10 and at 17:00 your wise cronjob sets the time
MB to 17:20, cron will not start that job.

  First of all, this is not a *real* case again. I was talking about 10
seconds a day, not 20 minutes. If your *production* hardware goes 20
minutes off a day you will probably replace it (I believe, for new hardware
it's a warranty case).
  Second of all, I've seen that behavior (with much smaller time
adjustments) on SCO, but OpenBSD handles it pretty well - my cron doesn't
repeat itself after adjusting the time back.

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Boris Goldberg
Hello Clint,

Tuesday, October 23, 2007, 5:42:47 AM, you wrote:

CP One  system  would  get time from the NTP pool and all other servers on
CP the network would sync to the local server.

  You don't really need ntpd on all systems. One (timeserver) runs ntpd,
and others use rdate, called from cron (once a day is usually enough).

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Boris Goldberg
Hello Rogier,

Tuesday, October 23, 2007, 9:01:32 AM, you wrote:

RK On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:
 You don't really need ntpd on all systems. One (timeserver) runs ntpd,
 and others use rdate, called from cron (once a day is usually enough).

RK While your suggestion would work, it would also entail more work
RK without adding benefit. Upon install, you get the question of whether
RK you want to use ntpd. Starting with 4.2, it even asks for a specific
RK NTP server.

  It's always better not to run a daemon if you don't have to. :)
  Talking about more work - I don't think that someone avoiding small
post-install tuning like this should be taking care of any network
besides his home one. ;) Anyway, for the last five years no version of OBSD
(including 4.2) worked for me without tuning a kernel, so an extra line in
a crontab is nothing. :)

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Boris Goldberg
Hello Pierre-Yves,

Tuesday, October 23, 2007, 11:39:10 AM, you wrote:

 You don't really need ntpd on all systems. One (timeserver)
 runs ntpd, and others use rdate, called from cron (once a day is
 usually enough).

PYR I hope nobody takes what you say seriously. Running rdate instead of
PYR ntpd like you describe is wrong for many reasons which have been stated
PYR over and over in the last few years. Please do not spread wrong
PYR information around, and do your homework before giving others advice
PYR on what you think is good sysadmin practice.

  The ntpd from OBSD is still raw and lame. It takes days (!) to really
synchronize, adjusting time and clock frequency back and forth (even if you
start with -s), so it's too early to say that using it is right. It will
be right after it matures, gets a more useful synchronization algorithm and
its own ntpdate (or a parameter to synchronize and exit).

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Boris Goldberg
Hello Paul,

Tuesday, October 23, 2007, 12:38:43 PM, you wrote:

PdW ... run rdate, it has the -n switch.

  Here we go! :D

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]
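The thread above argues about rdate -n (SNTP) from cron versus a running ntpd, and about how large a correction a cron job should ever apply. The following is an added example, not rdate's or ntpd's code: a minimal SNTP (RFC 4330) client that computes the clock offset the way any "synchronize and exit" tool has to, validates the reply before anything touches the clock, and then decides between slewing, stepping once, and refusing. The SLEW_LIMIT and STEP_LIMIT values, the default server name in the usage line and the packet built by make_reply are assumptions constructed for illustration.

```python
"""Minimal SNTP (RFC 4330) client with the sanity checks and the
step-or-slew decision a cron-driven synchronisation needs.

Added example; this is not OpenBSD's rdate(8) or ntpd(8). The thresholds
and the constructed reply in make_reply() are assumptions for illustration.
"""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800    # seconds from 1900-01-01 to 1970-01-01
PACKET_FORMAT = "!BBBbIIIQQQQ"   # LI/VN/Mode, stratum, poll, precision,
                                 # root delay, root dispersion, ref id,
                                 # reference/originate/receive/transmit (64-bit)
SLEW_LIMIT = 60.0     # assumed: offsets up to this are slewed (adjtime-style)
STEP_LIMIT = 3600.0   # assumed: up to this the clock is stepped once; beyond, refuse


def to_ntp(unix_ts):
    """Unix float seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_ts)
    frac = min(int((unix_ts - whole) * 2 ** 32), 0xFFFFFFFF)
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ntp_ts):
    """64-bit NTP timestamp -> Unix float seconds."""
    return ((ntp_ts >> 32) - NTP_EPOCH_OFFSET) + (ntp_ts & 0xFFFFFFFF) / 2 ** 32


def build_request(t1):
    """Client packet: LI=0, VN=4, Mode=3; our send time goes in Transmit."""
    return struct.pack(PACKET_FORMAT, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1))


def parse_response(data, t1, t4):
    """Validate a server reply and return (offset, round-trip delay) in seconds.

    t1/t4 are the local clock when the request left and when the reply arrived.
    These checks are what keeps a cron job from blindly applying a spoofed,
    replayed or kiss-o'-death reply to the system clock."""
    if len(data) < struct.calcsize(PACKET_FORMAT):
        raise ValueError("short packet")
    (li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp, _refid,
     _ref, originate, receive, transmit) = struct.unpack(PACKET_FORMAT, data[:48])
    if li_vn_mode & 0x07 != 4:
        raise ValueError("not a server reply (mode != 4)")
    if li_vn_mode >> 6 == 3:
        raise ValueError("server reports its clock is unsynchronised (LI=3)")
    if stratum == 0 or stratum > 15:
        raise ValueError("kiss-o'-death or invalid stratum %d" % stratum)
    if originate != to_ntp(t1):
        raise ValueError("originate timestamp does not echo our request (spoof/replay)")
    if receive == 0 or transmit == 0:
        raise ValueError("server returned zero timestamps")
    t2, t3 = from_ntp(receive), from_ntp(transmit)
    offset = ((t2 - t1) + (t3 - t4)) / 2      # RFC 4330 clock offset
    delay = (t4 - t1) - (t3 - t2)             # RFC 4330 round-trip delay
    if delay < 0:
        raise ValueError("negative round-trip delay, reply is inconsistent")
    return offset, delay


def decide(offset, slew_limit=SLEW_LIMIT, step_limit=STEP_LIMIT):
    """Map an offset to an action: slew small ones, step medium ones once,
    refuse large ones (a clock that far off, or a server that claims so,
    deserves a human before cron touches the time)."""
    size = abs(offset)
    if size <= slew_limit:
        return "slew"
    if size <= step_limit:
        return "step"
    return "refuse"


def make_reply(echoed_t1, t2, t3, li_vn_mode=0x24, stratum=2):
    """Constructed server reply for offline testing; no real server involved."""
    return struct.pack(PACKET_FORMAT, li_vn_mode, stratum, 0, -20, 0, 0, 0,
                       to_ntp(t2 - 1.0), to_ntp(echoed_t1), to_ntp(t2), to_ntp(t3))


def query(server, port=123, timeout=2.0):
    """One SNTP exchange against a real server (needs network access)."""
    t1 = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(t1), (server, port))
        data, _ = sock.recvfrom(512)
    t4 = time.time()
    return parse_response(data, t1, t4)


if __name__ == "__main__":
    import sys
    srv = sys.argv[1] if len(sys.argv) > 1 else "pool.ntp.org"   # assumed server
    off, rtt = query(srv)
    print("%s: offset %+.3fs rtt %.3fs -> %s" % (srv, off, rtt, decide(off)))
```

In a cron setup like the one described in the thread, "slew" would map to rdate -a (adjtime(2), no jump for cron to skip or repeat), "step" to a plain rdate -n, and "refuse" to a log line and a page rather than a silent correction. Note that SNTP carries no authentication: the originate check only defeats blind spoofing, and an on-path attacker can still hand you any time they like, which is exactly why a cron job that sets the clock needs an upper bound on what it is willing to apply.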



Re: RaidFrame woes on 4.2 (RAIDFRAME: failed rf_ConfigureDisks with 2)

2007-10-14 Thread Boris Goldberg
Hello knitti,

Saturday, October 13, 2007, 3:43:27 PM, you wrote:

k raidlookup on device: /dev/wd3d  failed !
k ...
k START disks
k /dev/wd3d

  Shouldn't it be /dev/wd0d ?

k /dev/wd1d
k ...
k # disklabel wd0
k ...
k   d:   606244905   18892440   RAID
k ...
k # disklabel wd1
k ...
k   d:   606244905   18892440   RAID

  You've said that you'd tried different configurations, but the one you
are showing here just can't work, because you don't have wd3.

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: TLS/FTP via OpenBSD NAT

2007-10-12 Thread Boris Goldberg
Hello Mikel,

Friday, October 12, 2007, 6:46:20 AM, you wrote:

ML ... the client wants to be able to connect to an FTP server that
ML is using TLS.

ML My first thought of this was you can't.  however, I was quickly
ML disabused of this idea by connecting to their server using the program
ML they use (FileZilla) within a Windows XP instance running inside
ML Parrallels through a Netlink ADSL modem.  That is two sets of
ML translation happening!

ML This got me confused as everything I have read about TLS says this
ML can't be done.  At least not with NAT.

  I'm confused too. :)
  Why won't it work over NAT? You might need to bypass ftp-proxy for that
server (like I did), but only if it's using standard ftp ports (20/21). And
it should be passive, of course.

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]
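The bypass described above, written out as an added pf.conf fragment; this is not from the original post and uses the nat/rdr syntax of the pf shipped around OpenBSD 4.2 (since 4.7 the same thing is written with match rules and rdr-to/nat-to). The reason the proxy has to be bypassed is that ftp-proxy(8) works by reading PASV/PORT on the control channel and inserting data-channel rules into its anchor; once the control channel is TLS it sees only ciphertext, so the passive data range has to be opened statically, and the only way to keep that from becoming a hole is to open it to that one server alone. Interface names, the LAN prefix, the server address 192.0.2.10 and the passive range 50000:50100 are placeholders.

```pf
# Added example, not from the original post. Pre-OpenBSD 4.7 pf.conf syntax;
# all addresses, interfaces and the passive range are placeholders.
int_if     = "em0"
ext_if     = "em1"
lan        = "192.168.1.0/24"
ftps_srv   = "192.0.2.10"        # the FTP-over-TLS server exempted from ftp-proxy
pasv_ports = "50000:50100"       # passive range that server advertises; ask its admin

nat on $ext_if from $lan to any -> ($ext_if)

# Plain FTP goes through ftp-proxy(8): control connections are redirected to the
# local proxy, which inserts the per-session data-channel rules into its anchor.
# The negation excludes the TLS server, whose PASV replies the proxy cannot read.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $lan to ! $ftps_srv port 21 -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
pass out on $ext_if proto tcp from ($ext_if) to any port 21   # proxy's own control connection

# The TLS server: control port plus the passive data range, opened statically but
# only towards this one host. Active mode cannot work here; the client must use PASV.
pass in  on $int_if proto tcp from $lan to $ftps_srv port { 21, $pasv_ports }
pass out on $ext_if proto tcp to $ftps_srv port { 21, $pasv_ports }
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and keep the passive range as narrow as the server's configuration allows: every port in it is reachable from the whole LAN for as long as the rule exists, with none of the per-session tightening ftp-proxy would otherwise give you.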



Re: SMP Support?

2007-09-21 Thread Boris Goldberg
Hello Daniel,

  Just want to make sure that we are on the same page: I'm talking about
i386. It seems from below that your concern is more about amd64, but I
didn't really try it, because my CPU isn't even a Xeon.

Wednesday, September 19, 2007, 6:00:16 PM, you wrote:

   I have pretty much the same picture with an HP ProLiant 320 G5 (Dual Core
 Pentium-D 925). The server is new and passes all tests from the HP
 maintenance CD.

DO I couldn't make out what BIOS version you were actually running there, but 
DO you did check to make sure you have the latest one, right?

DO http://h18023.www1.hp.com/support/files/server/us/revision/9753.html

  Yes, my BIOS is the one from 2007.04.06 that is mentioned there.

DO Le me know how it goes with current...

  We've done boot testing with 4.2 -current generic.mp (with the patch
from http://marc.info/?l=openbsd-techm=118975639013313w=2) turning on/off
APIC in the BIOS (default on) and acpi in the kernel (default off).

APIC off, acpi off - boots with one CPU:

OpenBSD 4.2-current (GENERIC.BUILD.MP) #2: Wed Sep 19 17:11:01 CDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.BUILD.MP
cpu0: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
real mem  = 1071640576 (1021MB)
avail mem = 1028599808 (980MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS 
rev. 2.3 @ 0xee000 (47 entries)
bios0: vendor HP version W04 date 04/06/2007
bios0: HP ProLiant DL320 G5
pcibios0 at bios0: rev 3.0 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
pcibios0: PCI bus #7 is the last bus
bios0: ROM list: 0xc/0xb000 0xcc400/0x1000 0xcd400/0x1000 0xce400/0x3400! 
0xe6000/0x2000!
acpi at mainbus0 not configured
ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 spacing 1
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7230 MCH rev 0xc0
ppb0 at pci0 dev 1 function 0 Intel E7230 PCIE rev 0xc0
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci2 at ppb1 bus 2
ppb2 at pci2 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xb5
pci3 at ppb2 bus 3
bge0 at pci3 dev 4 function 0 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): 
irq 11, address 00:1b:78:07:c9:9a
brgphy0 at bge0 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0
bge1 at pci3 dev 4 function 1 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): 
irq 10, address 00:1b:78:07:c9:9b
brgphy1 at bge1 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0
ppb3 at pci3 dev 8 function 0 ServerWorks HT-1000 PCIX rev 0xb4
pci4 at ppb3 bus 4
ppb4 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01
pci5 at ppb4 bus 5
em0 at pci5 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: irq 11, 
address 00:1b:78:57:58:e0
em1 at pci5 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: irq 10, 
address 00:1b:78:57:58:e1
ppb5 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01
pci6 at ppb5 bus 6
Intel 82801GB USB rev 0x01 at pci0 dev 29 function 0 not configured
Intel 82801GB USB rev 0x01 at pci0 dev 29 function 1 not configured
Intel 82801GB USB rev 0x01 at pci0 dev 29 function 2 not configured
Intel 82801GB USB rev 0x01 at pci0 dev 29 function 3 not configured
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb6 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1
pci7 at ppb6 bus 7
vga1 at pci7 dev 3 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Compaq iLO rev 0x03 at pci7 dev 4 function 0 not configured
Compaq iLO rev 0x03 at pci7 dev 4 function 2 not configured
Hewlett-Packard USB rev 0x00 at pci7 dev 4 function 4 not configured
Hewlett-Packard IPMI rev 0x00 at pci7 dev 4 function 6 not configured
ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM disabled
pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA, channel 0 
configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 7 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: FB160C4081
wd0: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 

Re: SMP Support?

2007-09-19 Thread Boris Goldberg
Hello Daniel,

Monday, September 17, 2007, 3:14:05 PM, you wrote:

DO Now that is working do me a favor and try to compile the userland and
DO kernel with that bsd.mp acpi enable kernel.

DO Also, try if possible to make transfer of huge files between two boxes 
DO well connected to try to at a minimum get close to 100Mb/sec of 
DO transfer, or more if you have Gb access.

DO In my case, it will crash every time still.

DO Then the compile is ok with bsd, but still crash with bsd.mp in some cases.

DO I am curious to know if that specific to my hardware, or if others have 
DO the same problem.

  I have pretty much the same picture with an HP ProLiant 320 G5 (Dual Core
Pentium-D 925). The server is new and passes all tests from the HP
maintenance CD.
  If we enable APIC in the BIOS it's very slow, reboots itself, crashes
with random errors or hangs with bsd.mp, and is not really stable even with
bsd. If we disable APIC, it sees only one CPU with bsd.mp. If we enable ACPI
in bsd.mp (using config -ef) with APIC disabled, it crashes during boot
(with or without that patch you were talking about):

OpenBSD 4.1 (GENERIC.MP) #1225: Sat Mar 10 19:23:18 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
real mem  = 1071640576 (1046524K)
avail mem = 970375168 (947632K)
using 4278 buffers containing 53706752 bytes (52448K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS 
rev. 2.3 @ 0xee000 (47 entries)
bios0: HP ProLiant DL320 G5
pcibios0 at bios0: rev 3.0 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
pcibios0: PCI bus #7 is the last bus
bios0: ROM list: 0xc/0xb000 0xcc400/0x1000 0xcd400/0x1000 0xce400/0x3400! 
0xe6000/0x2000!
acpi0 at mainbus0: rev 2panic: malloc: allocation too large
Stopped at  Debugger+0x4:   leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb{0} trace
Debugger(191f9000,0,d08bbca8,2,7) at Debugger+0x4
panic(d068111a,d08bbcc4,1000,d0760520,) at panic+0x63
malloc(f0009bd8,2,1,d064d1a8) at malloc+0x7a
acpi_load_table(0,f0009bd0,d1a33c3c,0,0) at acpi_load_table+0x19
acpi_loadtables(d1a33c00,e91f7f00,1,11) at acpi_loadtables+0x14d
acpi_attach(d1a31fc0,d1a33c00,d08bbe80,0,e91f7000) at acpi_attach+0xc6
config_attach(d1a31fc0,d073d550,d08bbe80,d048faf4) at config_attach+0xef
mainbus_attach(0,d1a31fc0,0,0,d08ba330) at mainbus_attach+0x2e5
config_attach(0,d073a4cc,0,0,d077fe80) at config_attach+0xef
config_rootfound(d06a1b18,0,d08bbf38,d0463166) at config_rootfound+0x27
cpu_configure(0,1,3,0,2) at cpu_configure+0x29
main(0,0,0,0,0) at main+0x368
ddb{0} c

The operating system has halted.
Please press any key to reboot.

  Played with 4.1 -stable so far. Didn't consider beta for production, but
will try -current. I'm going to combine and post a detailed report later.

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]