Re: amd and 2GB limit

2021-07-03 Thread Janne Johansson
Could be amd(8) and nfsv2 limits too..

On Sat 3 Jul 2021 at 11:23, Stuart Longland wrote:

> On Sat, 3 Jul 2021 01:28:17 -0300
> Gustavo Rios  wrote:
>
> > Is there this limit yet in amd ?
>
> … on AMD64?
> … on RAM?
> … on disk?
> Maximum or minimum?
>
> I've got an AMD64 machine here that's got more than 2GB of both RAM and
> disk… so no if there's a maximum limit, it's a lot bigger than that.
> Limiting RAM or disk to 2GB in 2021 would be ludicrous, so I'm a bit
> confused by your question.
>
> Please be less vague.
> --
> Stuart Longland (aka Redhatter, VK4MSL)
>
> I haven't lost my mind...
>   ...it's backed up on a tape somewhere.
>
>


Re: OpenBSD 6.9 ports upgrade failures

2021-05-12 Thread Janne Johansson
On Wed 12 May 2021 at 11:29, Артём Мазуров wrote:
> Hello.
> I'm trying to upgrade ports after upgrading os to 6.9, but I get a lot
> >|library ssl.48.2 not found
> >| /usr/lib/libssl.so.48.1 (system): minor is too small
> >| /usr/lib/libssl.so.49.0 (system): bad major

This usually means the pkg_add URL is wrong, perhaps because you have
something version-specific in PKG_PATH or /etc/installurl that points
to the wrong place, compared to your OS version.

-- 
May the most significant bit of your life be positive.



Re: Remote wipe software

2021-04-27 Thread Janne Johansson
On Tue 27 Apr 2021 at 11:44, Oliver Leaver-Smith wrote:
> Hello misc@
> I wonder if anyone could recommend remote wipe software for OpenBSD, should 
> someone want to start using it in an enterprise setting where such features 
> are a requirement?
> Thanks in advance,

Regardless of OS, the "easiest" setup is where you encrypt the drives
and wipe by "forgetting" the keys. Then you can dd the disks if it
makes someone else happy but having FDE and changing the key to
something random that you don't store, and then doing a normal wipe in
the simplest of terms would cover a lot of the practical attacks.

For the ones concerned with theoretical and imaginary enemies,
PXE-booting into a DBAN.iso or similar wiping solutions is probably
the next step. Also OS-independent.

-- 
May the most significant bit of your life be positive.



Re: Technical Documentation - CARP

2021-04-13 Thread Janne Johansson
On Tue 13 Apr 2021 at 10:29, jannick Weiss wrote:
> Hello,my name is Jannick Weiss and i am currently in the process of taking
> my education as a datatechnician. As part of my education i have to do a
> presentation on a self-elected subject and i have chosen to talk about CARP.
>
> It is my understanding that it is you (OpenBSD) that have developed CARP.
> I am having trouble finding information about CARP, such as the different
> states the protocol goes through or how the election of the master node
> works specifically.
> If you can provide any documentation on CARP it would be greatly
> appreciated.

https://www.openbsd.org/events.html lists a few talks some 15 years
ago which focused on PF and Carp, those might help.

Googling "openbsd carp design" turned this PDF up,
https://core.ac.uk/download/pdf/17210042.pdf from 2006 which perhaps
dives a bit deeper.



--
May the most significant bit of your life be positive.



Re: Default partitions allocate only 1GB to /

2021-02-28 Thread Janne Johansson
On Sun 28 Feb 2021 at 14:51,  wrote:
> I deleted the file and `pkg_add libreoffice` worked as expected.
> Post-install I still have 746MB free in /, according to `df -h`.
>
> This makes little sense to me. Why should deleting a 20MB file on a
> filesystem with >700MB free space be sufficient for the install to go
> through? Especially when the install obviously doesn't need that much
> space on the filesystem in question?
>
> (space available in /usr/local went from 11.4G, pre-install, to 10.8G,
> post-install... was `pkg_add` trying to stage files in /, even though
> /tmp is a separate filesystem?)

Is /var a filesystem of its own? Otherwise it could be /var/tmp or
some other place under /var which is used for unpacking packages.

-- 
May the most significant bit of your life be positive.



Re: Bootable USB stick using dd on OpenBSD

2021-01-26 Thread Janne Johansson
On Tue 26 Jan 2021 at 14:11, Ivan wrote:
> I wonder why I have to make of=... being equal to some partition instead of 
> the whole memstick?
> Why does man page example tells to use of=/dev/rsd1c but not of=/dev/rsd1? 
> And why does it use exactly 'c' partition but not 'a', does that matter?

http://www.openbsd.org/faq/faq14.html#intro

-- 
May the most significant bit of your life be positive.



Re: www.openbsd.org unreachable for a few days

2020-12-15 Thread Janne Johansson
On Tue 15 Dec 2020 at 13:00, Ottavio Caruso <ottavio2006-usenet2...@yahoo.com> wrote:

> Hi,
> I asked on Freenode#OpenBSD and apparently it's only me, but I haven't
> been able to access www.openbsd.org for a few days.
>
> $ traceroute 129.128.5.194
> traceroute to 129.128.5.194 (129.128.5.194), 30 hops max, 60 byte packets
>
>
...


> 11  40ge1-3.core1.lon2.he.net (195.66.224.21)  35.068 ms
> 100ge4-1.core1.nyc4.he.net (72.52.92.166)  101.075 ms  86.105 ms


I heard a similar complaint elsewhere and that was going over he.net also,
whereas I could reach it in the meantime, going over shawn to ualbert.ca
and onwards, so I guess he.net is presently bad at routing to the correct
places.

-- 
May the most significant bit of your life be positive.


Re: support new

2020-12-14 Thread Janne Johansson
Hint to Ingo, the "vpn" section.

;)


On Mon 14 Dec 2020 at 15:15, porte, su wrote:

> 0
> C Brazil
> P Ceará
> T FORTALEZA
> Z 60410442
> O MDFSoftware
> I Oliveira Filho, D. A.
> A Av. Eduardo Girão 355
> M supo...@mdfsoftware.com.br
> U http://www.mdfsoftware.com.br/
> B +55-85-9-89739017
> X +55-85-9-96110010
> N Auditing, development, commercial support for FreeBSD and
> OpenBSD, Internet gateways, clustered firewalls, intrusion detection
> systems and VPNs.
>
>

-- 
May the most significant bit of your life be positive.


Re: support new

2020-12-09 Thread Janne Johansson
There is some,

"We offer the server management service. We work on the deployment and
management of servers with open source technologies such as CentOS, Debian,
FreeBSD, OpenBSD and Ubuntu Server."

On Wed 9 Dec 2020 at 13:03, Ingo Schwarze wrote:

> Hi,
>
> AMG Labs wrote on Tue, Dec 08, 2020 at 03:55:52PM -0300:
>
> > 0
> > C Brazil
> > P RS
> > T Santo Antonio da Patrulha
> > Z 95500-000
> > O AMG Labs
> > I Angelito Monteiro Goulart
> > A Av. Cel Victor Villa Verde 126/301
> > M cont...@amglabs.net
> > U https://www.amglabs.net/
> > B +55 51 92000 7613
> > X
> > N We are a software development and server management company
> > operating in the market since 2014. We work with the development of
> > customized web systems and the deployment and management of servers
> > based on open source technologies such as CentOS, Debian, FreeBSD,
> > OpenBSD and Ubuntu Server.
>
> Unless i'm mistaken, there is no mention of OpenBSD on your website.
>
> The web hosting offers appear to be for Linux and Windows only, and
> dedicated servers seem to be offered with Linux, Windows, and MacOS X.
>
> Yours,
>   Ingo
>
>

-- 
May the most significant bit of your life be positive.


Re: PayPal pool for developer M1 Mac mini for OpenBSD port

2020-12-03 Thread Janne Johansson
On Thu 3 Dec 2020 at 02:21, Mihai Popescu wrote:

> I have only good wishes for the project, but I still don't get one thing:
> why do some people start to behave oddly whenever Apple comes into
> discussion.
>

It could also be that if it becomes operable, it is quite a useful machine,
whereas sticking to Pine64 experiment boards and FruityPi clones does quite
limit the usefulness even if they are all aarch64s.

-- 
May the most significant bit of your life be positive.


Re: pf filtering on bridge totally blown my mind

2020-11-27 Thread Janne Johansson
On Fri 27 Nov 2020 at 10:08, kasak wrote:

> Mine configuration requires to use a brigde:
> I have files:
>


> gater:~$ doas pfctl -sr
> block return all
> pass all flags S/SA
> block drop in on em0 all
> pass out on em0 inet from 172.16.0.0/12 to any flags S/SA nat-to
> 212.233.112.10
> pass in log on bridge0 inet proto tcp from ! 172.16.0.5 to any port =
> 123 flags S/SA rdr-to 127.0.0.1
> pass in log on bridge0 inet proto udp from ! 172.16.0.5 to any port =
> 123 rdr-to 127.0.0.1
>
> pflog doesn't log anything too
>

> Is there some secret, I've failed to found in man?
>
>
Put the "log" keyword on all pass and block rules; the missing packets will
be hitting some rule, and perhaps not the one you did not expect.

-- 
May the most significant bit of your life be positive.


Re: gcc: error trying to exec 'cc1': execvp: no such file or directory

2020-11-20 Thread Janne Johansson
On Fri 20 Nov 2020 at 15:09, Roderick wrote:

> > obsolete even on your 6.7 install.. i386 has been a default clang arch
> > since OpenBSD /6.2/.
>
> Clang was default, gcc may be obsolete, but /usr/bin/gcc is till now
> there, broken. In the upgrade instructions is not mentioned to delete
> it:
>

Regardless of when and how defaults changed, the OpenBSD system compiler is
and was always "cc".

It used to be gcc 2, then 3, then 4, then clang, and no one had to change
anything as long as they used cc and did not call gcc/clang directly.

The system makes sure the correct stuff is called if you use cc at all
times.

-- 
May the most significant bit of your life be positive.


Re: openssl s_client gives "called a function you should not call"

2020-11-12 Thread Janne Johansson
On Thu 12 Nov 2020 at 22:15, Paul de Weerd wrote:

> While trying to debug my smtpd setup, I got the error "called a
> function you should not call" from openssl s_client:
>
> $ openssl s_client -starttls smtp -connect localhost:587
> 
> EHLO 
>


> RCPT TO: 
> RENEGOTIATING
>



> Is this something openssl s_client doesn't support?  I notice that
> "RENEGOTIATING" only comes after sending the RCPT TO: command to the
> server.  Futzing around with other commands before sending RCPT TO:
> didn't get to RENEGOTIATING.  Am I doing something wrong?  Should I be
> using some other tool?
>

I think anything starting with a capital R in that case (s_client) gets
parsed as RENEGOTIATING.
Why openssl complains about it is unknown to me, but that gotcha is
old at least.

from 2012:
https://serverfault.com/questions/336617/postfix-tls-over-smtp-rcpt-to-prompts-renegotiation-then-554-5-5-1-error-no-v

-- 
May the most significant bit of your life be positive.


Re: Set environment variable for non-interactive shell

2020-11-06 Thread Janne Johansson
Check init files in /etc, and not only those for csh, since that is not
default for all users.
The manpage for the shell would be a good place to learn which global
configuration files are run.


On Fri 6 Nov 2020 at 12:27, Kirill Peskov wrote:

> Hi All,
>
> I'm currently trying to figure out, how to set global environment
> variable, valid for multiple users including root, so Ansible will be
> able to accept it as "fact" for both root and non-root users. I've
> already tried to play with .cshrc files and /etc/rc.local, nothing
> worked so far, looks like I'm missing something important.
>
> Thanx in advance,
>
> Kirill
>
>
>

-- 
May the most significant bit of your life be positive.


Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Janne Johansson
On Thu 3 Sep 2020 at 17:01, Ernest Stewart <erneststewar...@hotmail.com> wrote:

> I forgot to say, in every computer I have /etc/sysctl.conf with
> "net.inet.ip.forwarding=1".
>
> And I insist, what shocks me the most is that tcpdump shows in both
> computers the right icmp packets but ping says 100% packets lost.
>

This part has far too little detail to be relevant. Sorry.
We can not divine from remote which of the interfaces you listened to, and
what you saw.

-- 
May the most significant bit of your life be positive.


Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Janne Johansson
On Thu 3 Sep 2020 at 14:55, Ernest Stewart <erneststewar...@hotmail.com> wrote:

> I was actually wondering about using netmask 0x for the external
> interface. As you noted, they are different networks, I just wanted to be
> able to use any 192.168/16 ip address in the internal network and use
> nat-to and rdr-to in Computer1 so every packet going to or from the ISP
> router comes from or goes to 192.168.1.10 (and block everything else).
>
> But still, that (external connections) is the last thing I am going to
> test. At the moment not even a ping from two directly connected computers
> that are actually sending and receiving the packets (according to tcpdump
> in both computers) seems to work...
>

The setup for computer01 is still weird: it thinks it has 4 interfaces on
the same identical network, because all the nets overlap, except it
doesn't overlap physically because they are on separate cards. Just grab
any "how to build networks" guide and start using separate network
numbering for separate networks and things will work out better. The fifth
network card which points to your ISP device is smaller, but still inside
those 4 others, which also is a bad choice.

The way comp01 is set up on your first mail makes it equally valid for it
to send out a packet on any of the 5 network cards to try to reach
192.168.1.254 for instance. This is of course not how you set up a box with
5 networks (even if "the network" is just a cable from comp1-re1 to
comp2-re0).

-- 
May the most significant bit of your life be positive.
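As an added illustration of the overlap problem described above (not code from the thread), the check can be done mechanically with Python's ipaddress module. The archived mail truncates the real netmasks, so the addresses below are constructed to match the description: three internal cards on one /16 and a smaller ISP-facing /24 lying inside it, beside a hypothetical corrected layout with one network per cable.

```python
from ipaddress import IPv4Address, IPv4Interface
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed sample (hypothetical masks; the archived mail truncates the real ones):
# the "computer1" layout from the thread, with the three internal cards on one /16
# and the ISP-facing card on a /24 that lies inside that /16.
OVERLAPPING = {
    "re0": "192.168.1.10/24",   # -> ISP router
    "re1": "192.168.2.11/16",   # -> computer2
    "re2": "192.168.2.12/16",   # -> computer3
    "re3": "192.168.2.13/16",   # -> computer4
}

# Same machine with a distinct network per cable (hypothetical fix, not the poster's).
SEPARATED = {
    "re0": "192.168.1.10/24",
    "re1": "192.168.2.1/24",
    "re2": "192.168.3.1/24",
    "re3": "192.168.4.1/24",
}


def overlapping_pairs(ifaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every pair of interfaces whose connected networks overlap.
    Identical networks count as overlapping, as does one inside the other."""
    nets = {name: IPv4Interface(cfg).network for name, cfg in ifaces.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def candidate_interfaces(ifaces: Dict[str, str], dest: str) -> List[str]:
    """Interfaces that claim to be directly connected to `dest`."""
    d = IPv4Address(dest)
    return [name for name, cfg in sorted(ifaces.items())
            if d in IPv4Interface(cfg).network]


def best_match(ifaces: Dict[str, str], dest: str) -> List[str]:
    """Longest-prefix match among the candidates.
    More than one name here means the choice of outgoing card is ambiguous."""
    cands = candidate_interfaces(ifaces, dest)
    if not cands:
        return []
    longest = max(IPv4Interface(ifaces[n]).network.prefixlen for n in cands)
    return [n for n in cands
            if IPv4Interface(ifaces[n]).network.prefixlen == longest]


if __name__ == "__main__":
    for label, cfg in (("overlapping", OVERLAPPING), ("separated", SEPARATED)):
        print(label, "overlaps:", overlapping_pairs(cfg))
        for dest in ("192.168.1.254", "192.168.2.14"):
            print(f"  {dest}: candidates={candidate_interfaces(cfg, dest)}"
                  f" best={best_match(cfg, dest)}")
```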


Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Janne Johansson
On Thu 3 Sep 2020 at 11:39, Ernest Stewart <erneststewar...@hotmail.com> wrote:

> I have a local network with 5 computers:
>
> computer1)
> /etc/hostname.re0: 192.168.1.10 0xff00
>

Different netmask here?


> /etc/hostname.re1: 192.168.2.11 0x
> /etc/hostname.re2: 192.168.2.12 0x
> /etc/hostname.re3: 192.168.2.13 0x
> /etc/mygate:
> 192.168.1.1
>
>
> computer2)
> /etc/hostname.re0: 192.168.1.11 0x
>

..compared to here.


> /etc/hostname.re1: 192.168.2.14 0x
> /etc/mygate:
> 192.168.2.11
>
> computer3)
> /etc/hostname.re0: 192.168.1.12 0x
> /etc/mygate:
> 192.168.2.12
>
> computer4)
> /etc/hostname.re0: 192.168.1.13 0x
> /etc/mygate:
> 192.168.2.13
>
>
> computer5)
> /etc/hostname.re0: 192.168.1.14 0x
> /etc/mygate:
> 192.168.2.14
>
>
> Computer1's physical connections are like this:
> re0->ISP router(192.168.1.1)
>

Seems like you chose overlapping networks for your "internal" things and
the ISP router network. Don't do that.


> re1->Computer2 re0
> re2->Computer3 re0
> re3->Computer4 re0
>
> Computer2's re1 is connected to Computer5's re0.
>
>
-- 
May the most significant bit of your life be positive.


Re: Microsoft's war on plain text email in open source

2020-08-27 Thread Janne Johansson
On Wed 26 Aug 2020 at 21:17, Mike Hammett wrote:

> Text-only was great in 1985.
> Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
>

Being able to publish and/or send a really small file from computer A to
computer B unchanged in this day and age is still a required feat if you
want to appear as an internet professional.
It doesn't matter if it was "change spaces to tabs", "html made carriage
returns where a space was found" or if it was "make two - - chars into one
single utf-8 -- token" or "spell check/correction edited fnd_trgl_dsk() to
find_triangle_disk()" in your C function. You did not ship what you had
produced in that diff.

If you can't send data 100% with the tools of your choice, the blame is on
you, not on the recipient who did the checking FOR YOU and notified you
about mangled transmissions.

So when your file integrity check or vpn software says "we dropped the
incoming data due to broken checksums", the correct answer is not for the
receiving end to disable checksums. Really.
To even have to tell this to people...

-- 
May the most significant bit of your life be positive.


Re: Adding more syspatch platform.

2020-08-13 Thread Janne Johansson
On Wed 12 Aug 2020 at 00:50, Predrag Punosevac wrote:

> Theo de Raadt  wrote:
> > No, it is a question of which additional platform, you avoided that
> > didn't you
>
> octeon is the only one I can think of.
>

I would volunteer doing the work and dedicating two octeons of mine for
building syspatches for the supported releases, I have enough of them for
it.

-- 
May the most significant bit of your life be positive.


Re: Should/will OpenBSD support ODROID-C4 board? (ARM A55)

2020-08-06 Thread Janne Johansson
On Thu 6 Aug 2020 at 18:40,  wrote:

> Hardkernel, a Korean company, make an alternative to the Raspberry Pi, the
> latest being the 'Odroid C4', CPU manufactured by Amlogic (American).
> I owned an ODROID board in the past and was impressed with the hardware.
> However, the software support for Linux is majorly lacking, and so quite
> buggy
> (basic things like USB, ethernet) unless using their self-released
> old-patched-up kernels.
>
> But perhaps this is an opportunity for OpenBSD? I don't know how much work
> it is
> to port OpenBSD to an ARM board, or if Hardkernel do a good job of making
> this
> task easy. I noticed the ODROID-N2 is supported by OpenBSD, which would
> give
> an indication (but the N2 has an A73 and so Spectre bugs).
>

Well, it is somewhat sad if they can't even get decent code in mainline for
linux, which I assume was their intended target OS; the chances of getting
support (or code, ha!) for OpenBSD seem very slim, or getting decent docs
(which if they existed would have allowed linux to run fine on them too?)
for the stuff around the cpu.

So it might get to work, but I would probably not have my hopes up too much
if it already did not make it on linux.

-- 
May the most significant bit of your life be positive.


Re: static IPv6 setup is not working stable

2020-08-06 Thread Janne Johansson
No, I think in my case it is Juniper multichassis LAG (link aggregation
groups) getting confused by identical fe80::x for multiple local v6
networks, or something to that effect.

How do the traceroute6s look when it "works"? If you get a "real" v6
there you might (ab)use that as the gw ip?


On Thu 6 Aug 2020 at 16:04, kug1977 wrote:

> Unfortuanatly, the Provider netcup doesn’t give out IPv6 gw address
> configuration other than fe80::1, so I cannot check these. But all
> virtualization there is based on KVM, too. So I guess the issue is with KVM?
>
>
> > On 06 Aug 2020, at 15:51, Janne Johansson  wrote:
> >
> > I have a setup where the virtualization (KVM) combined with the
> networking does present a IPv6 def-gw as both an fe80:: here> and the more normal 2001:a:b:c:d::1/64 and where the 2001-v6 ip works
> far better on virtual machines due to redundancy mac sync things on the
> network side, and since the ndp list showed the fe80::1 had a
> VRRP/CARP-lookalike mac, it could be the same.
> >
> > In my case both bsd and linux IPv6-using VMs suffer from ndp "drops"
> where it can take seconds for the discovery to figure the mac address out
> again after a drop.
> >
> > So if you can divine what the "real" v6 ip is of the default-gw, try
> setting this hard in the conf or /etc/mygate and retry v6.
> >
> >
> > On Thu 6 Aug 2020 at 14:46, Matthias Schmidt wrote:
> > Hi,
> >
> > * kug1977 wrote:
> > >
> > > Is this something wrong configured on OpenBSD server or is this
> something
> > > the provider has to check on the gateway side?
> >
> > I also have a VM at the exact same provider (netcup) and face
> > the same problem.  Since all of my VMs at different providers are
> > identical (base install + conf via ansible) and I don't see the issue at
> > other providers (IONOS, Hetzner) I suspect it has nothing to do with
> > OpenBSD...
> >
> > --
> > May the most significant bit of your life be positive.
>
>

-- 
May the most significant bit of your life be positive.


Re: static IPv6 setup is not working stable

2020-08-06 Thread Janne Johansson
I have a setup where the virtualization (KVM) combined with the networking
does present an IPv6 def-gw as both an fe80:: and
the more normal 2001:a:b:c:d::1/64 and where the 2001-v6 ip works far
better on virtual machines due to redundancy mac sync things on the network
side, and since the ndp list showed the fe80::1 had a VRRP/CARP-lookalike
mac, it could be the same.

In my case both bsd and linux IPv6-using VMs suffer from ndp "drops" where
it can take seconds for the discovery to figure the mac address out again
after a drop.

So if you can divine what the "real" v6 ip is of the default-gw, try
setting this hard in the conf or /etc/mygate and retry v6.


On Thu 6 Aug 2020 at 14:46, Matthias Schmidt wrote:

> Hi,
>
> * kug1977 wrote:
> >
> > Is this something wrong configured on OpenBSD server or is this something
> > the provider has to check on the gateway side?
>
> I also have a VM at the exact same provider (netcup) and face
> the same problem.  Since all of my VMs at different providers are
> identical (base install + conf via ansible) and I don't see the issue at
> other providers (IONOS, Hetzner) I suspect it has nothing to do with
> OpenBSD...
>

-- 
May the most significant bit of your life be positive.


Re: dhcpd synchronization: leases recovery after downtime

2020-07-19 Thread Janne Johansson
On Sat 18 Jul 2020 at 23:28, Guy Godfroy wrote:

> Hello,
>
> I am using two routers on OpenBSD (called mulder and scully), and I wish
> to make dhcpd listen on a carp interface between both of them. I am
> using the synchronization mechanism:
>

I noticed the same issue a long time ago, but settled for just running two
unconnected dhcpds and made sure that
1) all fixed replies exist on both (and clients don't mind getting two
answers, they pick the first and stop listening for any extra replies)
and
2) dhcpd checks that IPs don't reply to ping (or exist in arp?) before
handing out an IP from a dynamic range

and this seems to cover most of my concerns: no client would get a
different offer from both dhcpds and ack both, and putting as many fixed
entries as possible on important hosts makes sure they would work in any
case.

-- 
May the most significant bit of your life be positive.
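Point 1 above (every fixed reply present and identical on both servers) is easy to get wrong by hand, so here is an added consistency check (not from the thread) that compares the host blocks of two dhcpd.conf files and flags fixed addresses that also fall inside a dynamic range. The two configs are constructed samples for the routers named in the post, with hypothetical MACs and addresses.

```python
import re
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

# Constructed dhcpd.conf fragments for the two routers named in the thread.
# Hypothetical MACs and addresses; not the poster's real configuration.
MULDER_CONF = """
subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    range 10.0.0.100 10.0.0.200;
}
host printer { hardware ethernet 00:11:22:33:44:01; fixed-address 10.0.0.20; }
host nas     { hardware ethernet 00:11:22:33:44:02; fixed-address 10.0.0.21; }
host laptop  { hardware ethernet 00:11:22:33:44:03; fixed-address 10.0.0.150; }
"""

SCULLY_CONF = """
subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    range 10.0.0.100 10.0.0.200;
}
host printer { hardware ethernet 00:11:22:33:44:01; fixed-address 10.0.0.20; }
host nas     { hardware ethernet 00:11:22:33:44:99; fixed-address 10.0.0.21; }
host camera  { hardware ethernet 00:11:22:33:44:04; fixed-address 10.0.0.22; }
"""

# host blocks have no nested braces, so a simple non-greedy body match is enough
HOST_RE = re.compile(r"\bhost\s+(?P<name>[\w.-]+)\s*\{(?P<body>[^}]*)\}", re.S)
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;")
ADDR_RE = re.compile(r"fixed-address\s+([0-9.]+)\s*;")
RANGE_RE = re.compile(r"\brange\s+([0-9.]+)\s+([0-9.]+)\s*;")


def parse_fixed_hosts(conf: str) -> Dict[str, Tuple[str, str]]:
    """name -> (mac, fixed-address) for each host block that carries both."""
    hosts: Dict[str, Tuple[str, str]] = {}
    for m in HOST_RE.finditer(conf):
        mac = MAC_RE.search(m.group("body"))
        addr = ADDR_RE.search(m.group("body"))
        if mac and addr:
            hosts[m.group("name")] = (mac.group(1).lower(), addr.group(1))
    return hosts


def compare_fixed_hosts(conf_a: str, conf_b: str) -> Dict[str, List[str]]:
    """Point 1 of the post: every fixed reply must exist, identically, on both."""
    a, b = parse_fixed_hosts(conf_a), parse_fixed_hosts(conf_b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "differing": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def fixed_inside_dynamic_range(conf: str) -> List[str]:
    """Hosts whose fixed address also sits in a dynamic range. With two servers
    that share no lease state, the other server may hand that address to a
    different client (the ping check is the only thing standing in the way)."""
    ranges = [(IPv4Address(lo), IPv4Address(hi))
              for lo, hi in RANGE_RE.findall(conf)]
    return sorted(name for name, (_, addr) in parse_fixed_hosts(conf).items()
                  if any(lo <= IPv4Address(addr) <= hi for lo, hi in ranges))


if __name__ == "__main__":
    print("mismatches:", compare_fixed_hosts(MULDER_CONF, SCULLY_CONF))
    print("mulder fixed-in-range:", fixed_inside_dynamic_range(MULDER_CONF))
    print("scully fixed-in-range:", fixed_inside_dynamic_range(SCULLY_CONF))
```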


Re: New tool to (quickly) check for available package upgrades

2020-06-17 Thread Janne Johansson
On Wed 17 Jun 2020 at 17:04, Marc Espie wrote:

>
> > > > > The concept you need to understand is snapshot shearing.
> > > > > A full package snapshot is large enough that it's hard to
> guarantee that
> > > > > you will have a full snapshot on a mirror at any point in time.
> > > > > In fact, you will sometimes encounter a mix of two snapshots (not
> that often,
> > > > > recently, but still)
> > > > > Hence, the decision to not have a central index for all packages,
> but to
> > > > > keep (and trust) the actual meta-info within the packages proper.
> > > >
> > > > Sorry, I guess I should've responded to this as well. Isn't snapshot
> shearing going to be a problem regardless of the existence of a single
> central-index? For instance, pkg_add notices a chromium update, which
> requires a newer version of a dependency that hasn't been propagated to the
> mirror yet.
>
> > Even with snapshot shearing though, having this index file could provide
> a substantial speed upgrade. Instead of having to check *all* installed
> package's header for updates, you could use the index to know the subset of
> packages that you expect to have actually changed, and only download
> *those* packages' headers. If the expected "combined" sha of a given
> package doesn't match the index's version, then the mirror is clearly out
> of sync and we could abort an update as usual.
>
>
Do think of what you call "the index file" in terms of "I check/replace
some 100+G of snapshots and packages every 24h": at which point do you
replace that single file, before, during or after none, most or all packages
for your arch are replaced? Will it be synced when the copying passes "i" for
"index.txt" in that packages folder?

What happens if a sync gets cut off, restarted and/or if two syncs suddenly
run into each other and replace files as they go?

What if a new batch of amd64/i386 files appears while one of the ongoing
syncs run, do you restart over and hope yet another new one doesn't appear
while that one is running?

This is the reality of snapshot package today:

du -sh snapshots/packages/*
34.5G snapshots/packages/aarch64
52.4G snapshots/packages/amd64
18.4G snapshots/packages/arm
44.1G snapshots/packages/i386
24.1G snapshots/packages/mips64
10.2G snapshots/packages/mips64el
26.7G snapshots/packages/powerpc
25.4G snapshots/packages/sparc64

Whatever limitations Marc's design has, it makes it possible for us
mirror admins to sync with some kind of best-effort while still giving most
openbsd users the ability to have pkg_add -u leave you with a working
package eco-system on a daily basis. If the cost is that it takes 40
minutes at night from crontab, then I would not trade a greppable file for
losing some or a lot of the above-mentioned gotchas that the current system
somehow actually handles.

Now if someone invents a decent piece of code to use http connection
pooling, quic/http3/rsync or whatever to speed up getting the required
info, I'm sure we mirror admins would be happy to add/edit our server
programs to serve it.

-- 
May the most significant bit of your life be positive.


Re: Filling a 4TB Disk with Random Data

2020-06-05 Thread Janne Johansson
On Fri 5 Jun 2020 at 09:23, Roderick wrote:

> Is not there a SCSI command "sanitize" for that?
> Can be issued with OpenBSD?
> Perhaps his disc supports it.
>

Then again, if you count how many hours it will take to securely erase a
disk, one might doubt the option of "just run this command and it will do
the same in 10 seconds". Might work, might not work. Both will result in a
drive that is hard to read out old data from, but which option gives
confidence?

-- 
May the most significant bit of your life be positive.


Re: Filling a 4TB Disk with Random Data

2020-06-01 Thread Janne Johansson
On Mon 1 Jun 2020 at 16:01, Justin Noor wrote:

> Hi Misc,
> Has anyone ever filled a 4TB disk with random data and/or zeros with
> OpenBSD?
> How long did it take? What did you use (dd, openssl)? Can you share the
> command that you used?
>

My /dev/random on a decent x86_64 gives out more or less the same amount of
data (around 200MB/s) as spinning drives will accept, so you might as well
just dd random to the raw device for it. At this speed, you are looking at
~5 hours of fun.

https://www.wolframalpha.com/input/?i=4+terabyte+at+200MB%2Fs

-- 
May the most significant bit of your life be positive.


Re: OpenBSD 6.7 and ffs2 FAQs

2020-05-27 Thread Janne Johansson
On Thu 28 May 2020 at 07:51, Matthias wrote:

> On a fresh 6.7 installation, mount(8) shows 'type ffs'. Is there any way
> to figure out the version number?
>
>
https://undeadly.org/cgi?action=article;sid=20200326083657

-- 
May the most significant bit of your life be positive.


Re: fw_update verify firmware?

2020-05-14 Thread Janne Johansson
On Thu 14 May 2020 at 06:27, Mogens Jensen <mogens-jen...@protonmail.com> wrote:

> Normally I would just assume that fetched files are verified, but maybe
> in the case with fw_update, the rationale is that firmware files are
> binary blobs so we can't know if they are malicious anyway, therefore
> no reason to bother with verification.
>

It would be sad to mixup the fact that something is signed with a sort of
guarantee that it is without faults or without malice.
The signature proves it didn't change in transport since it was published,
nothing more.

-- 
May the most significant bit of your life be positive.


Re: socket I/O on openbsd

2020-04-22 Thread Janne Johansson
You're still not telling what it is, where it came from, what it does.
No one here can read your mind. We will not admit we can see what is on your
monitor, so .. step up to the challenge and show your work.

https://i.imgur.com/ArfmbAf.gif


On Wed 22 Apr 2020 at 08:09, Gustavo Rios wrote:

> apx_connect is an wrapper for connect.
> apx_shutdown is an wrapper for shutdown
>
> On Wed 22 Apr 2020 at 02:09, Stuart Longland wrote:
> >
> > On 22/4/20 11:48 am, Gustavo Rios wrote:
> > > Dear gentleman,
> > >
> > > i have the an ANSI C code that do the following:
> > >
> > > 0. open a socket
> > > 1. write data to the socket
> > > 2. close the writing end of the socket
> > > 3. read data from the socket
> > > 4. close the read end of the socket
> > >
> > > The the step number 4 returns an error, why ?
> > >
> > > Here it is (Only the relevant part of the code )
> > >
> > > if (!r) r = apx_connect(s, );
> > > if (!r) r = pmp_set(, 1ul, );
> > > if (!r) r = pmpsend(s, );
> > > if (!r) r = apx_shutdown(s, shut_wr);
> > > if (!r) r = pmprecv(, s, );
> > > if (!r) r = apx_shutdown(s, shut_rd);
> > >
> >
> > Dumb question this way…
> >
> > > vk4msl-gap$ man apx_connect
> > > man: No entry for apx_connect in the manual.
> > > vk4msl-gap$ man apx_shutdown
> > > man: No entry for apx_shutdown in the manual.
> >
> > what's `apx_connect` and `apx_shutdown`?  There's some library here you
> > are not telling us about.
> > --
> > Stuart Longland (aka Redhatter, VK4MSL)
> >
> > I haven't lost my mind...
> >   ...it's backed up on a tape somewhere.
>
>

-- 
May the most significant bit of your life be positive.


Re: List a package's dependencies

2020-04-20 Thread Janne Johansson
On Mon 20 Apr 2020 at 15:08, Marc Espie wrote:

> On Sun, Apr 19, 2020 at 04:36:48PM +0200, Ingo Schwarze wrote:
> > Part of that is due to the unavoidable complexity
> > of the system.  Other parts may be influenced by the fact that
> > espie@ is not tedu@.
>
> I don't think tedu would do much better... or we would have a ports tree
> with only the 100 ports he's using, and nothing more.
>

My guess is i stuck running 6.3 on his SH machine:
https://ftp.eu.openbsd.org/pub/OpenBSD/6.3/packages/sh/

-- 
May the most significant bit of your life be positive.


Re: Regarding randomized times in crontab

2020-04-17 Thread Janne Johansson
On Thu 16 Apr 2020 at 20:22, Andreas Kusalananda Kähäri <andreas.kah...@abc.se> wrote:

> On Thu, Apr 16, 2020 at 11:14:59AM -0600, Theo de Raadt wrote:
> > That is a lot of words to cover a simple concept:
> >
> > The specific random values are selected when cron(5) loads
> > the crontab file. New numbers are chosen when crontab -e is used.
> > If you understand that, the conclusions are obvious.
>
> Ah. Good. Then I know the restrictions.  The random times are random,
> but fixed for the lifetime of the cron daemon (or until the crontab is
> reloaded due to being edited).
>

It would be very weird otherwise: if the 24h random example was used and it
chose 00:01, ran your "bin/true" command and then re-randomized, it would
most certainly end up wanting to run again, perhaps twice or more. So if it
re-randomized after each execution it would have to keep a 24h timer going
(in your example, a per-week and a per-month timer also) to make sure the
newly randomized 11:12 time is actually tomorrow's 11:12 and not the
upcoming one in this day. Also, re-randomization would mean it could start
your one hour backup at 23:59 and once more at 00:01 the next day, which
would cause lots of unexpected chaos for anyone expecting a daily one-hour
job to not collide with itself.

-- 
May the most significant bit of your life be positive.
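The two policies contrasted above can be simulated to see the difference concretely; this is an added example, not code from the thread or from OpenBSD's cron. The minute chosen at load time is reused every day, while the hypothetical re-randomizing cron picks a new minute-of-day after each run and fires at its next occurrence, which may still be the same day. The `pick` callback is injectable so the 23:59 / 00:01 case from the post can be reproduced deterministically.

```python
import random
from typing import Callable, List, Tuple

MINUTES_PER_DAY = 24 * 60


def fixed_at_load_schedule(chosen_minute: int, days: int) -> List[int]:
    """Behaviour described in the thread: the random minute-of-day is picked
    once, when the crontab is loaded, and reused every day until a reload.
    Returns absolute minutes counted from the start of day 0."""
    return [day * MINUTES_PER_DAY + chosen_minute for day in range(days)]


def rerandomize_after_run_schedule(pick: Callable[[], int], days: int) -> List[int]:
    """Hypothetical alternative: after every execution a fresh minute-of-day is
    picked and the job fires at the NEXT occurrence of it, possibly later today.
    `pick` returns a minute-of-day in 0..1439; it is a parameter so tests can
    feed fixed values instead of random ones."""
    runs: List[int] = []
    horizon = days * MINUTES_PER_DAY
    now = 0
    target = pick()
    while True:
        day_start = (now // MINUTES_PER_DAY) * MINUTES_PER_DAY
        nxt = day_start + target
        if nxt < now:              # that wall-clock time already passed today
            nxt += MINUTES_PER_DAY
        if nxt >= horizon:
            return runs
        runs.append(nxt)
        now = nxt + 1              # the job ran; choose the next time afresh
        target = pick()


def runs_per_day(runs: List[int], days: int) -> List[int]:
    """How many times the job fired on each calendar day."""
    counts = [0] * days
    for r in runs:
        counts[r // MINUTES_PER_DAY] += 1
    return counts


def colliding_runs(runs: List[int], job_minutes: int = 60) -> List[Tuple[int, int]]:
    """Consecutive runs closer together than the job's duration, i.e. a one-hour
    backup that would overlap its own previous instance."""
    return [(a, b) for a, b in zip(runs, runs[1:]) if b - a < job_minutes]


def describe(minute: int) -> str:
    day, m = divmod(minute, MINUTES_PER_DAY)
    return f"day {day} {m // 60:02d}:{m % 60:02d}"


if __name__ == "__main__":
    rng = random.Random(1)
    days = 7
    fixed = fixed_at_load_schedule(rng.randrange(MINUTES_PER_DAY), days)
    print("fixed at load :", runs_per_day(fixed, days), colliding_runs(fixed))
    rerand = rerandomize_after_run_schedule(
        lambda: rng.randrange(MINUTES_PER_DAY), days)
    print("re-randomized :", runs_per_day(rerand, days),
          [(describe(a), describe(b)) for a, b in colliding_runs(rerand)])
```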


Re: S3 Virge support on IBM T23 for 6.6

2020-04-17 Thread Janne Johansson
On Thu 16 Apr 2020 at 18:24, Paolo Aglialoro wrote:

> Thanks Janne for the tech insight.
> So, but for routerboards/CLI boxen, considering that this recent move
> hinders GUI for most P3s, the really viable ones remain P3s/K7s with
> different graphics boards (mostly desktop/tower) and early P4s without
> em64t.


If there was a huge userbase with tons of GUI i386s needing life support,
then perhaps they can form a group and do the heavy lifting, since many
hands make work light. If there is one box in a corner with an S3 Virge,
then it can just stop updating and have a $25 box firewall it off the
internet so you can get away with having it unpatched where it runs with
its GUI.

-- 
May the most significant bit of your life be positive.


Re: S3 Virge support on IBM T23 for 6.6

2020-04-16 Thread Janne Johansson
On Wed 15 Apr 2020 at 23:29, Paolo Aglialoro wrote:

> Is this a hint that soon i386 architecture will be deprecated?
> Considering that supported hw (at least graphics) is going more and more to
> overlap with amd64, at the very end i386 would remain only for some
> routerboards.
>

i386 has seen a fair share of deprecations, from the actual 386 CPUs and
486s without FPU, to machines with 8,16,32,64M ram for which reordering libs
and kernel isn't really doable with recent OpenBSD releases.

-- 
May the most significant bit of your life be positive.


Re: Compiler warning in ctype.h

2020-03-09 Thread Janne Johansson
On Fri 6 Mar 2020 at 12:29, Thomas de Grivel wrote:

> Hello,
>
> I was using base gcc but switching to base clang fixes the warnings on
> -current at least.
> Is base gcc not supported anymore ?
>

I think you are supposed to use whatever gets used when you call "cc" on
the OpenBSD platform you are on, and if need be, get gcc from ports for an
up-to-date version of it.
Since arches are moving from gcc into clang (at various speeds), it's not
unthinkable for some of them to have both over the transition, but the
"supported" one is always the binary that gets run if you use "cc" for
compiler and nothing else.

-- 
May the most significant bit of your life be positive.


Re: IPsec and MTU / fragmentation

2020-02-11 Thread Janne Johansson
On Tue 11 Feb 2020 at 10:25, Simen Stavdal wrote:

>  tunnel will be able to fragment all incoming ip before sending it into the
> ipsec, which will not fragment for you.
> The clients will not have to change, nor any other protocol that sends ip
> via the double-tunnel.
>
> If a client and a server set up a new conversation over tcp.
> They both have an MTU of 1500 and DF=1
> How will you fragment this, even being a L3 tunnel?
>

You don't fragment DF=1 packets, you send "Fragmentation Needed and Don't
Fragment was Set" back if they don't fit, like any L3 box would do
regardless, and they adapt or fail.
That is what you should get for setting DF=1.

-- 
May the most significant bit of your life be positive.


Re: IPsec and MTU / fragmentation

2020-02-10 Thread Janne Johansson
On Mon 10 Feb 2020 at 20:53, Simen Stavdal wrote:

> I think the more complete solution is to run some gif/gre inside ipsec and
>> set low-enough MTU on that one, so it can correctly fragment incoming
>> packets, and optionally rebuild the packets at the remote end, while also
>> giving you an idea of "state" on the link so you optionally can run things
>> like routing daemons or something that cares about and acts on tunnel
>> state. This would cause even lower MTU, but still allow all kinds of
>> traffic and not just the "popular" one.
>>
>
> So, how will your client/server know about this lower mtu? And df bit is
> set more often than not, so fragmentation is now allowed in a lot of cases.
> This is exactly the problem that started this thread...
>
>>
>>
If the inner gif/gre tunnel has a lower mtu, then it being a layer-3 tunnel
will be able to fragment all incoming ip before sending it into the ipsec,
which will not fragment for you.
The clients will not have to change, nor any other protocol that sends ip
via the double-tunnel.

-- 
May the most significant bit of your life be positive.


Re: IPsec and MTU / fragmentation

2020-02-10 Thread Janne Johansson
On Mon 10 Feb 2020 at 18:18, Peter Müller wrote:

> Hello Lucas,
> as far as I understood, setting MTU on encN interfaces is not supported
> since it is not mentioned by enc(4) and setting it manually fails:
>
> > machine# ifconfig enc0 mtu 1500
> > ifconfig: SIOCSIFMTU: Inappropriate ioctl for device
>

enc(4) interfaces are not to ipsec what tun(4) is for OpenVPN.
It is not a config device per tunnel.

-- 
May the most significant bit of your life be positive.


Re: IPsec and MTU / fragmentation

2020-02-10 Thread Janne Johansson
On Mon 10 Feb 2020 at 16:27, Simen Stavdal wrote:

> This is more a discussion about scalability and practical implementation.
> We both know that PMTU will work partly at best, your entire path back
> must support this, and also, the "offending" client must allow inbound
> control messages on their host firewall for this to work.
> And even if the packets are received by the client, will it support and
> adjust MSS? I have seen a lot of clients not adhering to standards.
>
> Modifying thousands of clients (via dhcp options for instance) to use a
> fixed MTU will affect other applications too (if you choose to go that
> route), not just the ones that need to traverse a tight ipsec tunnel.
> Would you adjust all your clients just because you had a single path using
> SLIP in your network?
>

I would want for no one to ever have to know the complete path, slip or no
slip.


> Point is, there is no perfect solution to this issue, there are just
> different ways of solving bits and bobs on the way.
> Adjust mss will work just fine for all tcp protocols, and no, not for UDP
> because it does not use a three way handshake (no MSS to adjust).
> In my opinion, max-mss works very well in most cases, especially when you
> have full control of the tunnel you are using (as is the case of Lucas'
> original question).
> We use it extensively in many of our applications in my workplace, and as
> of yet has not represented any big issues, so it is a practically good way
> to solve this issue.
>

I think the more complete solution is to run some gif/gre inside ipsec and
set low-enough MTU on that one, so it can correctly fragment incoming
packets, and optionally rebuild the packets at the remote end, while also
giving you an idea of "state" on the link so you optionally can run things
like routing daemons or something that cares about and acts on tunnel
state. This would cause even lower MTU, but still allow all kinds of
traffic and not just the "popular" one.

I am somewhat trying to care for the ones that make a site-2-site ipsec
which may work for the initial setup, and later find out that more than one
non-tcp kind of traffic doesn't work without understanding why ssh,http
works but not list-of-things-like
mosh,wireguard,quic,yet-another-layer-of-ipsec,hosting-udp-game doesn't.

As for UDP, there are options here too in pf.conf (like no-df), but
> personally I have not tested this, but it would be fun to try. It says it
> supports IPv4 (which would include TCP, UDP and ICMP).
> Would be interesting to find if UDP enforces DF in most cases.
>

no-df in PF more or less controls if it will silently drop fragments that
arrive which have DF set. Linux used/uses to send such udp, for much
enjoyment. "no one else should fragment, but I just did and you as the
packet checker can't know who did"

-- 
May the most significant bit of your life be positive.


Re: IPsec and MTU / fragmentation

2020-02-10 Thread Janne Johansson
On Mon 10 Feb 2020 at 12:15, Simen Stavdal wrote:

> True, but issue was related to downloading over http, which is over tcp.
> So, if http is your only concern I would go for this option.
>

To me, it sounds just a bit like "let this person notice the other errors
later".


> Most clients are configured with an MTU of their physical NIC
> capabilities, and sometimes even with jumbo support.
> MTU is a property of the OS in both ends, while MSS is a property of the
> packets that can be adjusted in-flight.
>
>
MTU is strictly a property of each and every interface in all the hops
between you and your endpoint and equally strictly is mss a property of
_tcp_ packets that can be adjusted. If you run another ipsec inside this
first ipsec tunnel-with-mss-fixed that second one would break, since ESP/AH
is not tcp and will not do the 3way handshake where PF can fix mss for it.
Or mosh, wireguard, or http/3 since they run over UDP.

Not trying to nitpick everything, but internet wasn't built on 1500 MTU
ethernet everywhere, in the old bad days you might go over PPP (576) or
SLIP (296) links at times and it still worked, so if your setups today
break if someone in your path limits you to 1476 or so, then we have
regressed quite a bit since the crap internet days.


> So, if you want to fix the MTU, you will have to configure that on the
> conversation partners and not in pf.
> So, while we agree on the principles, how do you suggest MTU is changed?
>

PMTU discovery would be one method, yes. Middle boxes that will not drop
icmp is part of this of course.


> Statically configured on each host? DHCP option?
>

This depends a bit on where you place your ipsec gw of course, but if you
can't set it on the tunnel (since ipsec on obsd isn't like openvpn or
gif/gre) you might need to set it on the interface where you take in the
traffic, if you can't set it on all clients going via the gw, which is a
believable scenario.


> This might fix the http/ssh issues one might see, because both of those
>> run over TCP, but MSS fixups will not correct large UDP or icmp packets, or
>> any other non-TCP protocol one might run over that ipsec, so making sure
>> the traffic is below the MTU should be the end goal, not fixing 90% with
>> pf.
>>
>

-- 
May the most significant bit of your life be positive.


Re: IPsec and MTU / fragmentation

2020-02-10 Thread Janne Johansson
On Mon 10 Feb 2020 at 11:58, Simen Stavdal wrote:

> Hi Lucas,
> Have you tried to manipulate the mss during conversation setup?
> This is done with the max-mss directive in pf.conf.
> Basically, it takes the three way handshake, and overrides the MSS value in
> the handshake to something lower than the default.
>

This might fix the http/ssh issues one might see, because both of those run
over TCP, but MSS fixups will not correct large UDP or icmp packets, or any
other non-TCP protocol one might run over that ipsec, so making sure the
traffic is below the MTU should be the end goal, not fixing 90% with pf.

-- 
May the most significant bit of your life be positive.
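An added illustration for the MTU/MSS posts in this thread, from the gif/gre-with-lower-MTU suggestion to the max-mss discussion (example code written for this archive, not from the thread, from pf or from OpenBSD): a Python model of a layer-3 hop in front of an ipsec tunnel, showing why a max-mss fixup helps TCP only, what DF=1 packets get back, and how a tunnel with a lower MTU can fragment non-DF traffic. The tunnel MTU of 1400 and all packets are constructed values; the no-df handling follows pf.conf(5).

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Union

# Added example, not code from the thread or from OpenBSD. It models what a
# layer-3 hop (or pf) does with packets larger than the tunnel MTU, to
# show why "scrub (max-mss N)" only helps TCP. The tunnel MTU of 1400 and
# every packet below are constructed values; real ESP overhead depends on
# the cipher and mode in use.

IPV4_HDR = 20
TCP_HDR = 20
TCP, UDP, ESP = 6, 17, 50
TUNNEL_MTU = 1400  # constructed; e.g. a gif/gre inside ipsec set to this


@dataclass(frozen=True)
class Packet:
    proto: int
    length: int             # total IPv4 length, header included
    df: bool = False        # Don't Fragment bit
    is_fragment: bool = False
    syn_mss: int = 0        # MSS option carried by a TCP SYN, else 0


def clamp_mss(pkt: Packet, tunnel_mtu: int) -> Packet:
    """Model of pf.conf(5) 'scrub (max-mss N)': rewrite the MSS option in a
    TCP SYN so the peer never builds a segment larger than tunnel_mtu.
    Only TCP carries an MSS, so UDP, ICMP and ESP/AH pass unchanged."""
    limit = tunnel_mtu - IPV4_HDR - TCP_HDR
    if pkt.proto == TCP and pkt.syn_mss > limit:
        return replace(pkt, syn_mss=limit)
    return pkt


def fragment(pkt: Packet, mtu: int) -> List[Packet]:
    """RFC 791 IPv4 fragmentation: every fragment but the last carries a
    payload that is a multiple of 8 bytes and fits in the MTU."""
    payload = pkt.length - IPV4_HDR
    chunk = (mtu - IPV4_HDR) // 8 * 8
    out: List[Packet] = []
    while payload > 0:
        take = min(chunk, payload)
        out.append(replace(pkt, length=IPV4_HDR + take, is_fragment=True))
        payload -= take
    return out


def forward(pkt: Packet, tunnel_mtu: int, no_df: bool = False) -> Union[List[Packet], str]:
    """What the layer-3 hop in front of the tunnel does with one packet.
    Returns the packets sent on, or a string naming the error/drop."""
    if pkt.is_fragment and pkt.df:
        if not no_df:
            # pf scrub drops fragments that still carry DF unless no-df is set
            return "drop: fragment with DF set (no-df not configured)"
        pkt = replace(pkt, df=False)
    if pkt.length <= tunnel_mtu:
        return [pkt]
    if pkt.df:
        # RFC 1191: the sender must learn the path MTU and adapt, or fail
        return f"icmp type 3 code 4: fragmentation needed, next-hop MTU {tunnel_mtu}"
    return fragment(pkt, tunnel_mtu)


def outcome(result: Union[List[Packet], str]) -> Union[List[int], str]:
    """Reduce a forward() result to something easy to compare: the lengths
    of the packets sent on, or the error string."""
    return result if isinstance(result, str) else [p.length for p in result]


def demo(tunnel_mtu: int = TUNNEL_MTU) -> Dict[str, object]:
    syn = Packet(TCP, 60, df=True, syn_mss=1460)     # client SYN on a 1500 MTU LAN
    return {
        # TCP: pf rewrites the MSS in the handshake, later segments fit.
        "tcp_syn_mss_after_clamp": clamp_mss(syn, tunnel_mtu).syn_mss,
        "tcp_segment_sized_to_mss": outcome(
            forward(Packet(TCP, tunnel_mtu, df=True), tunnel_mtu)),
        # UDP with DF (mosh, wireguard, quic...): no MSS exists to clamp.
        "udp_1500_df": outcome(forward(Packet(UDP, 1500, df=True), tunnel_mtu)),
        # UDP without DF: a layer-3 tunnel can fragment it before the ipsec.
        "udp_1500_nodf": outcome(forward(Packet(UDP, 1500), tunnel_mtu)),
        # A second ipsec inside the first: ESP is not TCP either.
        "esp_1500_df": outcome(forward(Packet(ESP, 1500, df=True), tunnel_mtu)),
        # An already fragmented packet that still has DF set, with/without no-df.
        "frag_with_df": outcome(
            forward(Packet(UDP, 1000, df=True, is_fragment=True), tunnel_mtu)),
        "frag_with_df_no_df": outcome(
            forward(Packet(UDP, 1000, df=True, is_fragment=True), tunnel_mtu, no_df=True)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28s} {value}")
```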


Re: strange dmesg

2020-02-10 Thread Janne Johansson
On Sat 8 Feb 2020 at 11:31, wrote:

> Hi,
> I have some strange output from dmesg, what could be ?
> At the following link I've posted some screenshots:
> https://postimg.cc/gallery/1o4wsaw74/
>

dmesg is contained in a memory buffer with (hopefully) room for more than
one dmesg, so you can get previous versions listed when you run it. If the
memory gets slightly corrupted during reboots, I guess the "other" dmesgs
can come out as garbage, based on how memory gets reused or reallocated in
the time between reboot and next boot when the OS isn't in control of the
RAM.

-- 
May the most significant bit of your life be positive.


Re: Process Isolation

2020-02-06 Thread Janne Johansson
On Thu 6 Feb 2020 at 10:22, Charlie Burnett wrote:

> Sorry if this has been answered before but I couldn't find a satisfactory
> answer searching for it, and this is more of an academic question. So
> security focused Linux distros like Qubes go to extremes to
> compartmentalize/isolate any and all programs it can. FreeBSD has its jail
> program which is seemingly the gold standard for process isolation when you
> can't be bothered to go to the extent Qubes does. I've been trying to read
> as much OpenBSD source as I can as I find some of the security tricks
> y'all've come up with damn interesting. I know that once upon a time we had
> sysjail, but nowadays we just have chroot which most systems do. What
> is OpenBSD's solution to this? I'm sure I've read through it I just didn't
> realize the purpose.
>
> I apologize if this was a question I've somehow missed the answer to!
>

Almost looks like you missed the question while posting the answer.
You list some-linux does X, fbsd does Y, obsd does Z (which you find damn
interesting!) and then ask "what is OpenBSD's solution to this?".

As of now, Z is the list of mitigations openbsd does, and that is.. the
solution to "this".

-- 
May the most significant bit of your life be positive.


Re: bad ip cksum 0! -> in enc interface

2020-02-06 Thread Janne Johansson
On Wed 5 Feb 2020 at 21:01, Riccardo Giuntoli wrote:

> I'm setting up a roadwarrior type ikev2 secure connection from .es to .uk.
> root@ganesha:/etc# cat hostname.enc0
>
> root@smigol:/etc# cat hostname.enc0
> inet 172.16.44.2/32
> up
>

Why are you setting up hostname.enc0?
What guide is recommending you to do that?


> I cannot find solution in Internet and the real thing is that in many
> others post people copy and paste packets and this error is visible but no
> one thinks that is in effect an error or do not speak about.
>

Please set a vpn up like the openbsd faq on IPSec VPNs shows, and take it
from there.
It never mentions adding ip to enc0 (and that is not the purpose of enc0)
so I don't see why you should.

enc(4) is a debug and filtering tool not a config part of vpns.

-- 
May the most significant bit of your life be positive.


Re: bad ip cksum 0! -> in enc interface

2020-02-05 Thread Janne Johansson
On Wed 5 Feb 2020 at 21:01, Riccardo Giuntoli wrote:

> If i sniff traffic over enc0 interface I found a strange error about ip
> chksum:
>
>  (DF) (ttl 63, id 43164, len 52) (DF) (ttl 64, id 18753, len 72, bad ip
> cksum 0! -> c48a)
> This is the error as you can review.
>
> I cannot find solution in Internet and the real thing is that in many
> others post people copy and paste packets and this error is visible but no
> one thinks that is in effect an error or do not speak about.
>

You often see 0 in packet checksum fields if the packet is heading out on a
device which claims to do ipv4 checksum offloading in hardware. In such
cases, the OS will not spend time doing software checksums, but the
hardware will do it just before the packet leaves for the network, so that
is why the software sniffer will see 0 there, but the remote end (you do
look for errors from both ends, right?) will see something else there.

-- 
May the most significant bit of your life be positive.
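An added illustration of the checksum-offload explanation above (example code written for this archive, not from the thread or from tcpdump): the IPv4 header checksum computed the way a sniffer recomputes it, classifying a captured header whose checksum field is still 0. The header bytes are constructed (ttl, id and length taken from the quoted tcpdump line, addresses made up), so the expected value differs from the c48a in the original capture.

```python
import struct
from typing import Tuple

# Added example, not from the thread. Implements the IPv4 header checksum
# (RFC 791 / RFC 1071 one's complement sum) the way a sniffer such as
# tcpdump recomputes it, to show how an outgoing header looks on the
# sending host before hardware checksum offload fills the field in.


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum over data (odd trailing byte padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    """Checksum of the header with its checksum field (bytes 10-11) zeroed."""
    ihl = (header[0] & 0x0F) * 4
    zeroed = header[:10] + b"\x00\x00" + header[12:ihl]
    return 0xFFFF ^ ones_complement_sum(zeroed)


def check_header(header: bytes) -> Tuple[str, int, int]:
    """Classify a captured header the way a sniffer would: returns
    (verdict, stored checksum, expected checksum)."""
    stored = struct.unpack("!H", header[10:12])[0]
    expected = ipv4_checksum(header)
    if stored == expected:
        return ("ok", stored, expected)
    if stored == 0:
        # The field is empty: the NIC has not filled it in yet, so a capture
        # on the sending host sees 0 while the wire carries the real value.
        # Look at the receiving side before calling this a bug.
        return ("not yet computed (checksum offload pending)", stored, expected)
    return ("bad checksum", stored, expected)


def build_header(src: str, dst: str, total_len: int, ident: int, ttl: int,
                 proto: int, df: bool, checksum: int) -> bytes:
    """Constructed IPv4 header without options, for the demonstration."""
    flags_frag = 0x4000 if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       ttl, proto, checksum,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


# Constructed sample: ttl 64, id 18753, len 72, DF, UDP, as in the tcpdump
# line quoted above; the two addresses are made up for this example.
SAMPLE_NO_CKSUM = build_header("172.16.44.2", "172.16.44.1", 72, 18753, 64, 17, True, 0)


def demo() -> dict:
    verdict, stored, expected = check_header(SAMPLE_NO_CKSUM)
    # What the wire (and the remote end's sniffer) sees after offload.
    on_wire = build_header("172.16.44.2", "172.16.44.1", 72, 18753, 64, 17, True, expected)
    return {
        "host_capture": (verdict, f"0x{stored:04x}", f"0x{expected:04x}"),
        "remote_capture": check_header(on_wire)[0],
        # Verifying a correct header: summing all words gives 0xFFFF.
        "full_sum_valid": ones_complement_sum(on_wire) == 0xFFFF,
    }


if __name__ == "__main__":
    print(demo())
```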


Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network

2020-02-05 Thread Janne Johansson
On Wed 5 Feb 2020 at 13:07, Denis wrote:

> I've made two VLANs to automatically assign random IPs from a pool by
> dhcpd:
>

[...]


> # /etc/hostname.vlan101
> description 'WLAN attached untrusted hosts'
> inet 192.168.156.0/24 255.255.255.0 vlandev run0
>

VLANs and wifi sounds like a non-starter.

-- 
May the most significant bit of your life be positive.


Re: How to hide my server's IP?

2020-02-03 Thread Janne Johansson
>
> Not sure I understand the whole hierarchy and flatness analogy, I'm very
> new to all of this, but what do I tell those who claim that this leaking of
> the IP poses a security risk and that they therefore should go with FreeBSD
> jails instead?
>

Use a VM if you need to win over "checkboxing security".

And refine the risk strategies, since the above conversation seems to be
centered around the concept of a hacker that

1. Someone successfully attacks your site over the internet, using your
outward facing IP A.A.A.A
2. Manages to run code on your webserver
3. May or may not divinate your internal IP B.B.B.B from that code.
4. Then communicates information back to a server of their choice, perhaps
using a third (external) ip C.C.C.C or not

If you think #3 is the only important part, in a scenario where points 1, 2
and 4 allow for full communication using the circuit created using
A.A.A.A and C.C.C.C and full code execution inside your environment,
then you are not doing a very good job at risk assessment.

-- 
May the most significant bit of your life be positive.


Re: How to hide my server's IP?

2020-02-03 Thread Janne Johansson
On Mon 3 Feb 2020 at 07:18, Frank Beuth wrote:

> Otherwise it would be possible for an attacker to, for example, hack
> your webapp to have it phone home to some external server controlled by
> the attacker.


..and in the request logs see where the request comes from so this
information is available here, combined with the ip used for the actual
hack. But the existence of "ifconfig" means nothing to this scenario, you
can blindly send an icmp, udp or tcp packet to packet-collectors-R-us.com
and see the ip there. There is exactly zero need to first figure out the
local ip and only then send out blind packets to your collector.


> The attacker would thereby be able to find your IP
> address.
>

By the time your opponent is running code on your server, this piece of
information is probably the least interesting part of the whole puzzle.

-- 
May the most significant bit of your life be positive.


Re: FreeBSD daemon(8)-like command for OpenBSD

2020-01-31 Thread Janne Johansson
On Fri 31 Jan 2020 at 11:48, Andrew Easton wrote:

> On Fri, Jan 31, 2020 at 10:47:17AM +0100, Patrick Kristiansen wrote:
> > On Fri, Jan 31, 2020, at 09:29, Janne Johansson wrote:
> > > On Thu 30 Jan 2020 at 21:08, Patrick Kristiansen <patr...@tamstrup.dk> wrote:
> > > >  > Properly starting up a daemon process requires several steps,
> > > >  > often involving unveil(2), pledge(2), chroot(2), privilege
> > > >  > dropping, sometimes fork+exec for privilege separation, and so on
> > > >
> > > >  The process I need to run is written in Clojure and thus runs on the
> > > >  Java Virtual Machine. Do you have any suggestions on how to best go
> > > >  about making it "daemon-like"? I am not sure that I can call
> unveil(2),
> > > >  pledge(2) and chroot(2) from Clojure without some strange sorcery.
>
>
> For the record, I am also interested in information on how pledge(2) and
> unveil(2) would interact with a "higher level language".


man OpenBSD::Pledge will show how you call pledge from perl (if you accept
that as a higher level language in this case), and it works mostly because
perl will not silently have tons of secret underlying operations, so that
when you ask perl to concatenate two strings, it will not open sockets and
pipe them to itself in order to do that, or write them to $TEMPDIR or some
other possible construct in order to make a simple operation suddenly
require file system access or socket binding capacity. The more weird (or
generic) your runtime is, the fewer chances you will get to be able to say
"from now on, I will not open any more files, sockets or call reboot()"
because the runtime may just do one of those, when garbage collecting or
something.



> I would also
> be happy to learn more about how they interact with assembly.
>

I'm sure they interact equally well as with C, given that the C program that
calls pledge/unveil at that time is assembler.


> Concretely:
> Just to start off easy, how can I find conceptual documentation on
> what an operating system "process" is in OpenBSD and how deeply a libc
> is tied into that by design? As far as I am aware a process has the
>

libc isn't all that tied to a process, it's just that libc contains some
very neat and useful functions (like wrapping calloc() over malloc()/mmap()
so the kernel only exposes one single way for a process to allocate memory,
but libc can still implement realloc(), calloc() and so on for you, using
normal code and the give-me-some-pages-of-RAM syscall).


> "current working directory" associated with it, in order to be able to
> resolve relative paths and is also where "environment variables" are
> stored.


Well, you can still reach the environment without libc, but libc makes it
easier for you, just like with the something*alloc() routines.


>
> (I am also still fuzzy on how intertwined an operating system and a CPU
> are. From my superficial understanding, e.g.  the operating system has
> to be aware of the MMU.


I think that is a completely separate dimension, but yes, given that the OS
controls and commands the MMU to do various things, it most certainly
is "aware" of it.

-- 
May the most significant bit of your life be positive.


Re: FreeBSD daemon(8)-like command for OpenBSD

2020-01-31 Thread Janne Johansson
On Thu 30 Jan 2020 at 21:08, Patrick Kristiansen <patr...@tamstrup.dk> wrote:

> > Properly starting up a daemon process requires several steps, often
> > involving unveil(2), pledge(2), chroot(2), privilege dropping,
> > sometimes fork+exec for privilege separation, and so on
>
> The process I need to run is written in Clojure and thus runs on the
> Java Virtual Machine. Do you have any suggestions on how to best go
> about making it "daemon-like"? I am not sure that I can call unveil(2),
> pledge(2) and chroot(2) from Clojure without some strange sorcery.


So not related to only Clojure but rather to runtimes that are large and
unwieldy, this seems to be exactly why pledge() and unveil() came into
being in the first place, after seeing things that need to do certain
privileged operations at some early point, but because of
design/runtime/hard-to-pledge or whatever have to run with the sum of all
privileges, all capabilities at all times and at the same time being
exposed to potentially hostile data.

I can fully see why Ingo would say "I would not run things like that
exposed", partly because I figure he actually has a choice to not do it,
but regardless of what electric fences you like (Selinux, capsicum,
pledge/unveil, chroots) if you create a huge monolith running in an
environment which actively prevents you from activating any kinds of
protections, then I can see how you would see some friction.

-- 
May the most significant bit of your life be positive.


Re: Awaiting a diff [was: Re: File systems...]

2020-01-10 Thread Janne Johansson
On Fri 10 Jan 2020 at 10:55, Consus wrote:

> On 20:06 Thu 09 Jan, Marc Espie wrote:
> > It's been that way for ages. But no-one volunteered
> > to work on this.
>
> Anyone even knows about this? Aside from OpenBSD developers (who have
> their plates full already) how an average person can find out that there
> is rusty piece of code that should be taken care of?
>

By using the parts that OpenBSD is made up of, and not automatically moving
to other OSes as soon as you leave the comfort zone.
Guess that is how many ports get added. $prg exists for $other_os but not
OpenBSD, someone does the work to make it run on OpenBSD and there you go.

-- 
May the most significant bit of your life be positive.


Re: Awaiting a diff [was: Re: File systems...]

2020-01-09 Thread Janne Johansson
On Thu 9 Jan 2020 at 02:11, Ingo Schwarze wrote:

>
> Are you aware that even Bob Beck@ is seriously scared of some
> parts of our file system code, and of touching some parts of it?
> Yes, this Bob Beck, who isn't really all that easily scared:
>
>   https://www.youtube.com/watch?v=GnBbhXBDmwU
>
> One of our most senior developers, regularly and continuously
> contributing since 1997, and among those who understand our
> file system code best.
>

And here I thought you would post thib@'s talk literally named
"Things that makes Bob scream" from the f2k9/Slackathon conf:

https://www.youtube.com/watch?v=HTD9Gow1wTU

-- 
May the most significant bit of your life be positive.


Re: Following patch or stable branch on Octeon

2019-12-22 Thread Janne Johansson
>
>  I was under impression that original octeon
> (mips64) packages were built on SGI hardware which is no longer
> supported so I was curios about new build machines. I am fully aware
> that mips64 packages are available for 6.6 even though I try to stick
> for most part with tools from the base.
>

Mips64 is the cpu arch, octeon is just one of the implementations of a
mips64 machine, so a package from any mips64 box would work (except
little-endian mips64le ones from loongson).
As for the original question, I do collect a bunch of octeons and go with
-current/snaps on them. The very far-apart breaks I experience are less a
problem than the joy of getting improvements quickly.
Almost all crashes get fixes (or reverts) in a day or so. Also, the more
often you upgrade your snaps, the easier it gets to back a few days worth
of kernel, as opposed to only updating once per year and then finding some
issue (like the sppp stack frame bug in 6.6 for octeons).

-- 
May the most significant bit of your life be positive.


Re: SIGBUS on octeon for my program

2019-11-27 Thread Janne Johansson
There was a fix for the stack getting unaligned committed just recently, do
you have that?
If not, test on current.


On Wed 27 Nov 2019 at 14:48, Peter J. Philipp wrote:

> Hi,
>
> My DNS program gets a SIGBUS when I execute it.  I have ktraced it, upped
> limits and searched in the mips64 source for answers, could this be a
> compiler
> problem?
>
> ktrace->
>  41651 dddctl   CALL  connect(6,0xfcacb0,16)
>  41651 dddctl   STRU  struct sockaddr { AF_INET, 192.168.177.2:10053 }
>  41651 dddctl   RET   connect 0
>  41651 dddctl   CALL  kbind(0xfc9b48,24,0x801d30cbade359aa)
>  41651 dddctl   RET   kbind 0
>  41651 dddctl   PSIG  SIGBUS SIG_DFL code BUS_ADRALN<1> addr=0xfca17d
> trapno=0
>  82637 dddctl   RET   wait4 41651/0xa2b3
> <---
>
> The SIGBUS code ADRALN I have found in /sys/arch/mips64/mips64/trap.c
> around
> line 463 on OpenBSD 6.6:
>
> >
> case T_ADDR_ERR_LD+T_USER:  /* misaligned or kseg access */
> case T_ADDR_ERR_ST+T_USER:  /* misaligned or kseg access */
> ucode = 0;  /* XXX should be PROT_something */
> signal = SIGBUS;
> sicode = BUS_ADRALN;
> break;
> <---
>
> I have also set the stack ulimit to 32K but no relief.  I'm stuck,
> wondering
> if you guys can help with interpreting this.
>
> My program can be downloaded with
>
> ftp https://delphinusdns.org/download/snapshot/delphinusdnsd-snapshot.tgz
>
> Where it's remade at midnight CET every day.
>
> As far as I know it should work on macppc although this particular function
> wasn't tested on macppc.  And it works on amd64 as I run this delphinusdnsd
> in production on my personal nameservers.  Getting this working on octeon
> would broaden my test network.
>
> Best Regards,
> -peter
>
>

-- 
May the most significant bit of your life be positive.


Re: Home NAS

2019-11-17 Thread Janne Johansson
On Sat 16 Nov 2019 at 22:49, Karel Gardas wrote:

> > I tried a home NAS with ZFS, then BTRFS. Those filesystems needs tons of
> RAM (~1 GB of RAM by TB of disk), preferably ECC.
>
> For NAS you prefer ECC anyway and 1 GB RAM consumption per 1 TB of drive
> is urban legend probably passed by folks using deduplication.


Or people who do not want to swap while doing an extensive fsck of huge
partitions with lots of small files in them.
Most recommendations are based on all corner cases and not just the
happy case when you stash a single movie on a NAS over the home network.

Yes, dedup uses ram most of the time if it can, but other things do too.
Also, "excess" ram in these cases turns into read caches so it's not lost on
you either.

-- 
May the most significant bit of your life be positive.


Re: build error on octeon, 6.6

2019-11-08 Thread Janne Johansson
I wonder if this part is relevant:
c++: error: unable to execute command

Are there any permissions on /net that prevent execution?

It seems it wants to run stuff from here:

...
*** Error 254 in
/net/sirius/temp/routie-build/6.6/src/gnu/usr.bin/clang/libLLVM
(:67 'AMDGPUTargetMachine.o': @c++ -O2 -pipe -...)
*** Error 1 in /net/sirius/temp/routie-build/6.6/src/gnu/usr.bin/clang


> I've noticed that my /tmp partition might be too small (64M). I'm going
> to reinstall with bigger /tmp (1GB) and try again...
>


-- 
May the most significant bit of your life be positive.


Re: build error on octeon, 6.6

2019-11-07 Thread Janne Johansson
On Wed 6 Nov 2019 at 23:36, Christian Groessler wrote:

> Hi,
> I've installed OpenBSD 6.6 on an EdgeRouter Lite. I wanted to rebuild
> the system.
>
> Maybe the machine has too little memory?
>
> routie$ swapctl -lk
> Device  1K-blocks UsedAvail Capacity  Priority
> /dev/sd0b  22077035824   18494616%0
> routie$
> routie$ sysctl -a | grep physmem
> hw.physmem=536870912
>

A while back when I needed/wanted to build ports-llvm on ERL, I added some
8G of swap over NFS (to an ssd-x86_64 server) which helps with large builds.
Takes ages, but works.

-- 
May the most significant bit of your life be positive.


Re: How can I remove sets installed by sysupgrade?

2019-09-16 Thread Janne Johansson
>
>  My reasoning behind NOT installing the X, Comp and Game sets have
> little
> to do with saving space, although I am using an 8GB SSD. I learned in my
> research that one of the most fundamental ways to improve network/system
> security is to minimize the attack surface by not installing unneeded
> software. If it isn't installed, any potential vulnerabilities, known or
> not, are irrelevant.
>

What is not irrelevant is the person/program that somehow has a shell on
your box can paste the required 500 bytes of hex data into "openssl base64
-d" to get a binary on your system, so removing the Comp set is one of
those "it would be super hard for me to imagine what I need to run a local
privilege escalation so it must require all these tools" whereas the
hackers that do own other boxes will already have the short_ASM_sequence*
tested locally and only need to get those over the same path the exploit
took in order to get a better foothold on your machine.

So removing comp sets just means you can't patch locally when a scary
advisory comes out, it also means you need to special-case your sysupgrades
and those two choices will probably mean you will stay vulnerable for a
longer time just because you hoped leaving cc(1), as(1) and battlestar(6)
out of the box will "save" you.

Yes, I can imagine some few scenarios where it might, but as the other
reply you already got says, when you make your own box a surprise to
administer and reason about, you are making it worse already so the
comparisons about what choice is safer doesn't even start from the same
level.

*) SEE ALSO: https://en.wikipedia.org/wiki/SQL_Slammer

-- 
May the most significant bit of your life be positive.


Re: SAD ( pkg_add does linux like stuff ie: not working, no explanation )

2019-08-28 Thread Janne Johansson
On Wed 28 Aug 2019 at 16:06, sven falempin wrote:

> Maybe obvious ? if so why no message from the software ?
> # pkg_add php_curl
> [URLHERE] php-curl-7.2.17.tgz
>
> 
> LIKE WHY PLEASE ?
>

Given that the difference probably is - versus _ and that last sentence in
all caps, I'd say your problem is that the keyboard gives you shift or
CAPSLOCK at the wrong moments.

-- 
May the most significant bit of your life be positive.


Re: SCM

2019-07-23 Thread Janne Johansson
On Mon 22 Jul 2019 at 17:05, Австин Ким wrote:

> Hi,
>
> As someone completely new to OpenBSD the one immediate first impression
> that most peculiarly sticks out like a sore thumb to me is the Project’s
> use of CVS for source code management.   I am curious why the Project
> continues to use CVS and/or if developers have in the past considered
> migrating the codebase to a distributed SCM system like Mercurial which
> IMHO might make branching and merging easier on developers, especially more
> recent developers coming out of universities.  Is it because the Project
> prefers using a centralized versus distributed SCM system?  Or is it just
> because that’s just the way it has always been done and why change that?
> And would migration to something like hg be a possibility in the future
> that might possibly lower the psychological barrier of entry for newer
> developers?  (And btw this is meant as a sincere question with no intention
> to start a contentious debate; really just asking out of curiosity because
> seeing CVS diffs in the mailing lists was what visually jumped out most
> prominently to me for the first time; I’m sure after spending more time
> with OpenBSD it could be something I could just get used to.)
> Thanks for all the wonderful responses to my previous post which really
> helped me gain a better understanding of the Project!
>


As Nick Holland wrote here on the same topic:
https://marc.info/?l=openbsd-misc=136724343006024=2
the last quote is kind of telling it all:
---
Want to sell OpenBSD on an alternative?  Find a product that was really
crappy, switched development tools, and suddenly started rivaling
OpenBSD for quality for no reason other than the switch of development
tools.
---

-- 
May the most significant bit of your life be positive.


Re: Did I install correctly the openbsd?

2019-07-10 Thread Janne Johansson
Den ons 10 juli 2019 kl 02:16 skrev SOUL_OF_ROOT 55 :

> I installed openbsd 6.5 in Virtualbox for Windows 7, the following
> screenshots show it:
> I tried to install openbsd according to the following video:
> Did I install correctly the openbsd?
>

Good tip on reporting when things didn't go as planned:
"What did you do, what did you expect would happen, and what happened
instead"
Try that next time.

-- 
May the most significant bit of your life be positive.


Re: cd command, chdir syscall, shell behavour

2019-06-30 Thread Janne Johansson
Den lör 29 juni 2019 kl 22:42 skrev ropers :

> Anyway, in an ideal world, typing man  would always show the man
> page
> actually relevant to what the box would do if the user typed  at
> the
> prompt. I don't know how this could be solved though;


and how would
$ unset PATH ; man cc
behave? By showing nothing now that you can no longer find a c compiler?
or
$ PATH=$HOME/bin  man cc
should not show manpage for system compiler but dig out that local cc you
built in your home dir long time ago?
There is a rabbit hole to fall into if you want docs to change depending on
your definition of "relevant" in the sentence above.

-- 
May the most significant bit of your life be positive.


Re: bwfm bcm43569

2019-06-29 Thread Janne Johansson
Den fre 28 juni 2019 kl 06:45 skrev Joseph Mayer <
joseph.ma...@protonmail.com>:

> point today (due to not using block device multiqueueing and I get the
> impression that the disk/IO subsystem is mostly not parallellized, for
> some usecases also the 3GB buffer cap limit matters).
>

That last point is solved in -current.
My box now says:

Memory: Real: 361M/15G act/tot Free: 899M Cache: 14G Swap: 0K/81M

and some go even further:
https://twitter.com/mlarkin2012/status/1136821764959350784

-- 
May the most significant bit of your life be positive.


Re: PF firewall for desktop

2019-05-28 Thread Janne Johansson
Den sön 26 maj 2019 kl 10:03 skrev Walt :

> I like having a firewall that would pretty much require someone physically
> entering the computer room in order to attack the firewall.  With OpenBSD,
> your firewall can control your network traffic without having an IP address
> at all.
> One thing that you could try is to use the OpenBSD VM as the firewall, but
> don't assign any IP address to the firewall.  The Win7 VM would have the
> actual IP address, but the OpenBSD VM would control the network.
> I am curious if there is any way to attack the firewall if it has no IP
> addresses.
>

If you build it like the emails before listed, you still have the attack
surface of the whole OS that runs VirtualBox, then the whole codebase of
Virtualbox on top of that before you reach your obsd ip-less
un-maintainable VM to "protect you" from evil packets.

-- 
May the most significant bit of your life be positive.


Re: OpenBSD on VMware ESXi

2019-05-22 Thread Janne Johansson
Den ons 22 maj 2019 kl 12:52 skrev Roderick :

> Hallo!
> As far as I read in WWW, OpenBSD do run on VMware ESXi out of the box.
> What does run better on amd64 virtual machine? i386 or amd64?
> Are there reasons to preffer one to the other?
>

The ESX template for 64-bit comes with more recent "hardware" in the
environment IIRC, so it will be less tweaking the supplied virtualized
hardware if you select 64bit guest instead of 32bit.
Apart from that, 64bit is better on both virtual and real hw.

-- 
May the most significant bit of your life be positive.


Re: 6.5 PowerPC Packages

2019-05-09 Thread Janne Johansson
Den tors 9 maj 2019 kl 16:49 skrev Andrew Luke Nesbit <
em...@andrewnesbit.org>:

> > Unless https://www.openbsd.org/plat.html is out of date, it doesn't look
> > like OpenBSD is currently supporting POWER8 or POWER9 plaftorms.
>
> I wonder what is the best way to determine interest in getting OpenBSD
> to work on POWER8/9?
>

Look for amount of diffs published in the direction of getting it to work.
If that is zero or very close to zero, then interest is probably at the
same level.

-- 
May the most significant bit of your life be positive.


Re: OpenBSD httpd: PCI - DSS Compliance

2019-04-10 Thread Janne Johansson
I think that point was badly made by the site, they don't list what they
did look at or how they deduced it, only that "it may" even though that
same report later says no version string was sent as if that was a good
thing. I guess this means "because you did as expected and did not send a
version, we think it may be super old and could be bad but we can't tell".

I did not sign up to get a more detailed report, but from what I could see
it was kind of a blunt report sweeping in broad terms, as presented.

I'm sure PCI auditors would be glad to spend a lot of your money to look at
the version and file a report taking days to write about how it actually
seems ok, for now. 8-(


Den ons 10 apr. 2019 kl 09:20 skrev Kihaguru Gathura :

> Hi,
>
> The message below refers. Has httpd met the particular requirement
> 6.5.1 - 6.5.10 as shown? or is it a matter of further configuration.
>
> "Requirement 6.5
> Fingerprinted versions of web software used on the website may contain
> publicly known vulnerabilities (cf. PCI DSS 6.5.1-6.5.10). Investigate
> as soon as possible.
> Misconfiguration or weakness"
>
> actual report here:
>
> https://www.htbridge.com/websec/?id=cGZfIatq
>
> Thanks,
>
> Kihaguru.
>
>

-- 
May the most significant bit of your life be positive.
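The report quoted above flags "fingerprinted versions" and then admits no version string was sent. The check that scanner is presumably doing is cheap to reproduce yourself: look at the response headers that normally leak product versions (Server, X-Powered-By and friends) and see whether any of them carry a product/version token. The following is an added example, not code from the thread, from OpenBSD or from the scanner vendor; the two HTTP responses are constructed for the example (the second one is a deliberately chatty stack, not a real host), and in practice you would feed it the bytes you got back from the server (e.g. from `curl -sI` or `nc`).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample responses for the example (not captured from any real host).
RESPONSES = {
    "quiet": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: OpenBSD httpd\r\n"           # product name only, no version
        b"Content-Type: text/html\r\n\r\n"
    ),
    "chatty": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: Apache/2.4.29 (Unix) OpenSSL/1.0.2n\r\n"
        b"X-Powered-By: PHP/7.2.17\r\n\r\n"
    ),
}

# product/version tokens such as "Apache/2.4.29" or "OpenSSL/1.0.2n"
VERSION = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+[a-z]?")
# headers that scanners use to fingerprint a web stack
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Split the header block of a raw HTTP response into a lower-cased dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def leaked_versions(raw: bytes) -> List[Tuple[str, str]]:
    """Return (header, product/version) pairs a scanner could fingerprint."""
    found: List[Tuple[str, str]] = []
    for name, value in parse_headers(raw).items():
        if name in FINGERPRINT_HEADERS:
            found.extend((name, m.group(0)) for m in VERSION.finditer(value))
    return found


if __name__ == "__main__":
    for label, raw in RESPONSES.items():
        print(label, leaked_versions(raw) or "no version strings")
```

A server that answers like the "quiet" sample gives the scanner nothing to match against a CVE list, which is the behaviour the report complains about and then grudgingly accepts. The "chatty" sample shows what the check is actually meant to catch.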


Re: Is it worth considering compling a generic MPPF kernel for user convenience

2019-04-02 Thread Janne Johansson
With MPPF it can go away almost ~5x as fast on a 6-core machine.


Den tis 2 apr. 2019 kl 13:35 skrev Theo de Raadt :

> No, this is not our style, it very much doesn't fit the development
> process to have users running prototype code for 6 months.
>
> And anyways why do you want this, since pf is going away.
>
> Tom Smyth  wrote:
>
> > I was wondering what devs / more experienced users think about
> > having BSDMPPF kernel as an option in the upcoming release
> > so that users could opt to test that  by selecting alternate BSDMPPF
> kernel
> > (without having to re-compile the kernel)
> >
> > the tested benefits on a  PC engines  apuc2 is at least 2x performance
> > from my lab testing here
> >
> > I think having a higher install base of consistently complied generic
> > kernels with
> > pf enabled would be beneficial
> >
> > what do the more experienced users of OpenBSD think about this?
> >
> > are there any down sides with this approach ?
> >
> > Thanks,
> >
> > Tom Smyth
> >
>
>

-- 
May the most significant bit of your life be positive.


Re: Golang under Arm or Octeon

2019-03-22 Thread Janne Johansson
I gave it a low-effort check for octeon, and Go needs/wants to build from a
super-old implementation in C which is actively trying to tell you it's not
supported, then from that you are supposed to build tons of versions on top
of each other to get to a modern version.

Doesn't really help when 99.9% of all "port go to new platform" pages and
guides boil down to "oh, type this to get prebuilt linux binaries for that
already-ported-to-platform".

This may or may not help:

https://groups.google.com/d/msg/golang-dev/SRUK7yJVA0c/JeoCRMwzBwAJ


Den tors 21 mars 2019 kl 21:53 skrev Valdrin MUJA :

> Hi Misc,
>
>
>
> I want to learn if there is any work-in-progress port for Golang under Arm
> or Octeon cpu architectures?
>
> Thanks.
>
>
>
> --
>
> Best wishes
>
> Valdrin Muja
>


-- 
May the most significant bit of your life be positive.


Re: TLS suddenly not working over IKED site-to-site - SOLVED?

2019-03-15 Thread Janne Johansson
Den tors 14 mars 2019 kl 21:51 skrev Zhi-Qiang Lei :

> Mine is resolved by applying a smaller max-mss in pf and disabling ipcomp.
> Only disabling ipcomp didn’t work.
>
> > On Thu, Dec 20, 2018 at 6:54 PM Theodore Wynnychenko 
> wrote:
> >> Then, I took the advice above, and disable ipcomp on the tunnel, and,
> BAHM, https (and imaps) were working without an issue from openbsd, Windows
> 7, and Macs!
>

I ran into something similar a while ago, and even if "fixing" https/imaps
works with mss clamping, it will still cause issues with fragmented UDP and
large icmp, since those will not care about mss, only TCP does.

The problem is still there, it's just a tcp-only workaround to lower mss
in-flight for a problem that is mostly visible when doing *s services since
they ship long lists of preferred algorithms which causes large packets to
be sent, whereas simple ldap lookups or ntp/dns/http get by with less info
sent and hence send smaller packets.

Still, large non-tcp ip will see unexpected drops in such scenarios where
you only lower mss and not the MTU on some in-between L3 interface so it
correctly fragments when needed.

-- 
May the most significant bit of your life be positive.


Re: Running stuff when a network becomes available

2019-03-11 Thread Janne Johansson
Den mån 11 mars 2019 kl 14:11 skrev Ipsen S Ripsbusker
:
>
> I want a few things to happen as soon as I get an internet connection
> after not having had one.
> It would suffice to add a crontab entry that runs the attachment
> periodically.

ifstated(8) can be taught to watch over an interface and run whatever
scripts you like when some interface comes up, so as long as you can run
all mail sending operations and the like from a script, you should be done
real quickly.

-- 
May the most significant bit of your life be positive.



Re: Puffy Security smtpd out of date ( closed )

2019-03-11 Thread Janne Johansson
Den fre 8 mars 2019 kl 20:59 skrev Sean Kamath :
> > It's a shame good work like this is
> > of no use anymore. According to my opinion, it's well written and easy to 
> > follow.
> >
>
> So, I’ll take issue with the “well written” part of that.  It doesn’t do much 
> in the way of explaining anything, just a lot of “put this here”, “put that 
> there”.

The intro to The Book of PF has a REALLY good mantra here on the "This
is not a HOWTO"
https://home.nuug.no/~peter/pf/en/preface.html

I feel it applies equally well to running your own mail server as
building your own firewall.

-- 
May the most significant bit of your life be positive.



Re: Missing libraries.

2019-02-11 Thread Janne Johansson
Den mån 11 feb. 2019 kl 06:15 skrev Kihaguru Gathura :

> Hi,
> Any ideas on how to fix the missing libraries,
> www# pkg_add -v mini_sendmail-chroot
> Can't install mini_sendmail-chroot-1.3.9 because of libraries
> |library c.95.0 not found
> | /usr/lib/libc.so.92.6 (system): bad major
>

It really DOES try to tell you what it wants, and what you have.
It looks for libc of version 95.0, and your system seems to be three
major versions lower, which implies you have not upgraded the system (from
bsd.rd, snapshots, source) in a long while, but the people that build
snapshot packages have, because that is what the requirement for running
snapshot packages is. Keep the base, x11 and ports/packages in sync.

Now there was a week recently where libc.94 was quite short-lived so if you
didn't upgrade every week from snapshots
you could end up with something similar to this, but here, I think the age
of the existing libc says it is close to three months
old:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/shlib_version.diff?r1=1.201=1.202=h

If this happened to me, I'd run a
ls /usr/lib/libc.so.*
and see what the output of that is, compared to what the snapshot port
wanted (.95.0) and then either wait until arm snaps show base6x.tgz comes
with such a libc, or grab current sources and compile the base system
yourself to get up to date (the FAQ has good guides on how this is done)

-- 
May the most significant bit of your life be positive.


Re: is pfsync loosing data on reboot?

2019-02-01 Thread Janne Johansson
Den fre 1 feb. 2019 kl 07:17 skrev Harald Dunkel :

> Hi folks,
> I have a question about pfsync protocol in a master-backup firewall
> configuration (OpenBSD 6.3 and 6.4):
> If I reboot (let's say) the backup host, will it receive the whole
> set of state information again, when it gets back online?
> Hopefully I am not too blind to see, but pfsync(4) doesn't tell.
>

Yes, it will get a full dump since it has zero pre-existing knowledge of
the current situation regarding states.

I think carp will delay itself until the sync is done, so it will not try
to take over even if it has lower advskew than the other, until the sync is
complete.

-- 
May the most significant bit of your life be positive.


Re: boot problems, nvme?

2019-01-31 Thread Janne Johansson
I think I saw something similar on a box, until I disabled X-APIC in BIOS
setup.
If you have that option, do try disabling it.


Den tors 31 jan. 2019 kl 14:37 skrev Kapetanakis Giannis <
bil...@edu.physics.uoc.gr>:

> Hi,
>
> I've just installed current as well 6.4 on a new pc and I have problems
> booting it.
>
> Although I can boot bsd.rd and install system fine I cannot boot the
> normal kernel.
> Boot hungs after
> wskbd0 at pckbd0: console keyboard, using wsdisplay1
>
> In bsd.rd next line is
> softraid0 at root
>
> I couldn't transfer the dmesg from bsd.rd so I took pictures of it.
> Maybe someone can have a look?
> https://nefeli.cc.uoc.gr/index.php/s/ce6hAZzTWPcNOLu
>
> thanks
>
> G
>
>

-- 
May the most significant bit of your life be positive.


Re: article : undefined behavior and the purpose of C

2019-01-17 Thread Janne Johansson
Den tors 17 jan. 2019 kl 14:05 skrev Mayuresh Kathe :
>
> Don't know if this has been discussed here before, but I found the
> following excerpt from the article at
> http://www.yodaiken.com/2018/12/31/undefined-behavior-and-the-purpose-of-c/
> unnerving;
> ... often the writers of the ISO C Standard have thrown up their hands
> and labeled the effects of non-portable and potentially non-portable
> operations "undefined behavior" for which they provided only a fuzzy
> guideline.  Unfortunately, the managers of the gcc and clang C compilers
> have increasingly ignored the guideline and ignored well-established
> well-understood practice, producing  often bizarre and dangerous results
> ...
>

This came up before clang replaced gcc on certain arches:

https://marc.info/?l=openbsd-misc=137530560232232


-- 
May the most significant bit of your life be positive.



Re: mirror download speed variation

2019-01-08 Thread Janne Johansson
Den tis 8 jan. 2019 kl 14:26 skrev Mihai Popescu :

> So, I still have two questions about mirrors:
> Can a mirror limit your download speed ?

Sure they could, I don't think many do though.

> Do a CDN url point to an existing mirror, or is it a diffeent server?

Different servers, spread around the world, and you get a dns response
that is trying to be close to you.

-- 
May the most significant bit of your life be positive.



Re: USB stick recovery after dd with miniroot64.fs

2019-01-03 Thread Janne Johansson
Den tors 3 jan. 2019 kl 17:21 skrev Mihai Popescu :
> I used a storage USB stick to dd the miniroot64.fs on it. It was the
> wrong one with some useful files saved on it and I did the dd
> if=miniroot64.fs of=/dev/rsd1c bs=1m and let it write. The USB size is
> almost 32Gb, it was configured as one msdos partition, sd1i.
>
> Is there any chance to recover even some files from this USB stick?
> I read some disaster recipes, but I want to ask for the best one, to
> avoid even more damage.


http://ports.su/sysutils/ddrescue
or
http://ports.su/sysutils/testdisk

perhaps?


-- 
May the most significant bit of your life be positive.



Re: Automated remote install

2018-12-17 Thread Janne Johansson
Den mån 17 dec. 2018 kl 11:19 skrev :
>
> Has anyone successfully automated (i.e with Ansible/etc) the process of
> installing OpenBSD on a remote server?
>

> jcs indicates that his QEMU-based method demands knowing what kind of network
> card is in the server. This seems hard to automate.

I think you can prepopulate a ton of /etc/hostname.0 configs all
saying "dhcp" and cover a wide range of emulated network hardware in order
to get a reachable machine for which later configs (like more ifs and so
forth) can be set.

-- 
May the most significant bit of your life be positive.



Re: netstat *:* udp sockets

2018-12-14 Thread Janne Johansson
Den fre 14 dec. 2018 kl 03:58 skrev Philip Guenther :
> On Thu, Dec 13, 2018 at 10:40 AM Ted Unangst  wrote:
> > netstat -an tells me I am listening to all the udp.
> >
> > Active Internet connections (including servers)
> > Proto   Recv-Q Send-Q  Local Address  Foreign Address
> > (state)
> > udp  0  0  *.**.*
> > udp  0  0  127.0.0.1.53   *.*
> > udp  0  0  *.**.*
> > udp  0  0  *.5353 *.*
> > udp  0  0  *.**.*
> >
> > What are those *.* sockets doing? How can you listen to all the ports?
>
> Those are just UDP sockets on which connect() hasn't been called and that
> aren't in the middle of a recvfrom()  or recvmsg(), no?

Isn't there something inherently weird in listing a lot of things
which "sort -u" would remove?

The streams at the bottom of netstat output are at least unique in some sense:
0x81e50880 stream  0  00x0
0x81e509000x00x0
..even if they might not tell me much more than udp *.*

-- 
May the most significant bit of your life be positive.



Re: Fetching full CVS tree (-current -stable) by /usr/bin/cvs

2018-12-05 Thread Janne Johansson
Den ons 5 dec. 2018 kl 14:07 skrev Denis :
> I'm using cvsync currently, but it is not so secure as SSH wrapped
> /usr/bin/cvs fetching.
>
> According to OpenBSD FAQ: https://www.openbsd.org/anoncvs.html
> I can follow -stable -or current by executing separate commands and it
> seems I should have to separate directories for -current and -stable.

cvsync gets you a clone of the repo, "cvs co" gets you a checkout, which for
cvs (and svn, but not git) is not the same, which is why you would have two
separate dirs, one where you checked out -current and one where you track
the -stable branch.

> May I fetch from public available anonymous CVS servers full cvs repo
> with -current and -stable branches to have them locally by single
> /usr/bin/cvs command like: cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs
> checkout

.. which makes this part moot, since the cvs command will not collect all
branches but only the one you specify, or -current if you don't.

-- 
May the most significant bit of your life be positive.



Re: Core Dev?

2018-12-04 Thread Janne Johansson
> Does anyone has any suggestions for me? I want OpenBSD due to reliability and 
> security issues. AWS is the leader in hosting market. It is only natural to 
> expect at least a FAQ or HOW-TO from openbsd team on this topic.

One possibility is to read up on how you create AMIs (obsd ones at
that) and make one for yourself. You are not forced to consume someone
elses AMI.

-- 
May the most significant bit of your life be positive.



Re: [OT?] I have 4 IPs. How is outbound IP selected, say run lynx URL on server?

2018-11-30 Thread Janne Johansson
Den fre 30 nov. 2018 kl 21:32 skrev Chris Bennett
:
> I'm just curious. Is there a default method to select on this? Random?
> Can I control this somehow?
> It's clear how everything else selects IP, but I just wanted to know in
> case that ever mattered, say one of my IPs were blocked.
> And I wanted to be sure which IP outbound is or is not used for running
> something like lynx, etc.
>
> Not terribly important, but at least interesting question for me.

Normally, the IP on the interface which the route table says leads to the
destination gets chosen, unless the program deliberately chooses (or allows
you to choose) one of the other IPs you have.

-- 
May the most significant bit of your life be positive.
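Both this thread and the netstat one further down the page (the `udp *.* *.*` lines) come down to what the kernel fills into a UDP socket's local address, and when: nothing until bind(), the wildcard address plus a port after a bind() to 0.0.0.0, and the route-table-selected source IP only once connect() is called or a datagram is sent. The following is an added example, not code from either thread; it walks one socket through those states with getsockname() and shows the two ways a program ends up with a source address, the kernel's choice versus an explicit bind(). It only talks to 127.0.0.1 so it runs offline; for a box with four addresses you would pass one of them as bind_ip.

```python
import socket
from typing import List, Optional, Tuple


def udp_socket_states(dst: str = "127.0.0.1", dport: int = 9) -> List[Tuple[str, str, int]]:
    """Walk one UDP socket through the states netstat shows as *.*, *.N and a.b.c.d.N."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        states: List[Tuple[str, str, int]] = []
        ip, port = s.getsockname()          # unbound: ('0.0.0.0', 0), netstat prints "*.*"
        states.append(("created", ip, port))
        s.bind(("0.0.0.0", 0))              # wildcard address, kernel-chosen port: "*.N"
        ip, port = s.getsockname()
        states.append(("bound", ip, port))
        s.connect((dst, dport))             # UDP connect() sends nothing, it only fixes the peer
        ip, port = s.getsockname()          # and the route table now picks the source IP
        states.append(("connected", ip, port))
        return states
    finally:
        s.close()


def source_address_for(dst: str, dport: int = 9, bind_ip: Optional[str] = None) -> str:
    """Local IP the kernel would use to reach dst, unless bind_ip overrides the choice."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if bind_ip is not None:
            s.bind((bind_ip, 0))            # the "program deliberately chooses" case
        s.connect((dst, dport))             # otherwise the route to dst decides
        return s.getsockname()[0]
    finally:
        s.close()


if __name__ == "__main__":
    for state in udp_socket_states():
        print("%-9s local %s.%s" % state)
    print("source for 127.0.0.1:", source_address_for("127.0.0.1"))
```

The "created" state is exactly the `*.*` line Ted asked about: a socket that exists but has neither a local nor a remote address yet, so netstat has nothing to print in either column.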



Re: Untable ssl connections over ikev2 VPN

2018-11-30 Thread Janne Johansson
Den fre 30 nov. 2018 kl 04:21 skrev Theodore Wynnychenko :
>
> > -Original Message-
> > Hello
> >
> > I have been having trouble getting an openBSD laptop to connect to ssl
> > connections when communicating over ikev2.
> >

Check if the MTU is causing issues, sometimes VPNs (which lower the MTU of
the link) cause the effect that pings and "small" traffic works, but when
you do SSH or SSL and it sends large pubkeys or large lists of possible
crypto algs, the packets suddenly get too large to work, and then it
freezes.


-- 
May the most significant bit of your life be positive.



Re: Using /32 resp. /128 netmask for carp ips

2018-11-23 Thread Janne Johansson
Den fre 23 nov. 2018 kl 18:50 skrev Joerg Streckfuss :
>
> Dear list,
>
> i want to know why it is good practice to use /32 netmask for ipv4
> respectively /128 netmask for ipv6 addresses on carp interfaces, while using 
> the
> "real" netmask for example /24 for a dedicated address on an interface.

So that the real interface gets used for outgoing traffic generated on the
boxes, like ntp, syslog, mails and so forth, even if the carp currently is
not up (i.e. not master).

-- 
May the most significant bit of your life be positive.



Re: CURRENT userland does not compile due to games/glorkz

2018-11-12 Thread Janne Johansson
Den mån 12 nov. 2018 kl 09:00 skrev Jyri Hovila [Turvamies.fi]
:
> Theo: > Upgrade to from a snap.
> Thanks, but: NO! XD
> Seriously: As crazy as it may sound, I'm very stubborn about following the 
> CURRENT without taking shortcuts.

It's not a shortcut, it is how it's done. It is not cheating, or
dodging or anything, the docs are very clear on that for any
non-trivial situation where you want to go to -current, you start with
upgrading into as recent snapshot as possible, then build from there.
Period. It's fine if you want to waste your own time, but this is the
one single method of getting out of many holes, like yours.

-- 
May the most significant bit of your life be positive.



Re: vmm(4) direct device resources access from guests

2018-11-01 Thread Janne Johansson
Den tors 1 nov. 2018 kl 08:53 skrev Denis :
>
> Is it possible to have full I/O access to PCI-express devices from guest
> OSes like Penguin?
>

https://www.openbsd.org/faq/faq16.html

-- 
May the most significant bit of your life be positive.



Re: OpenBSD site

2018-10-27 Thread Janne Johansson
Manual edits, no hurry to jump on this weeks fashionable web
framework, testing with lynx goes a long way to keep it simple and
readable.

Den lör 27 okt. 2018 kl 11:14 skrev misc nick :
>
> I was wondering how you maintain and update such high quality content in 
> OpenBSD's site.
> Do you manually edit html files, use a cms, or something else? I am asking to 
> shamelessly
> copy your best practices. ;-)
>
> Thanks,
> Nick
>


-- 
May the most significant bit of your life be positive.



Re: set owner/group: operation not permitted

2018-10-25 Thread Janne Johansson
Den ons 24 okt. 2018 kl 20:48 skrev Carlos Aguilar :
> Then, when I execute the following command as unprivileged user sg:
> sg:/home/sg$mv /var/www/cgi-bin/my-site/posts/messages/*.txt /tmp
> I got the following error message:
>
> mv:  /tmp/OneFile.txt:  set owner/group: Operation not permitted
>
> However, it does actually move the file and change the permissions
> accordingly:
>
> Under /tmp
>
> -rw-r--r--  1 sgwheel  6163795 Oct XX XX:XX OneFile.txt

What is your idea of "accordingly"?
If you only ask it to move, it would not change user/group, but since you
are not allowed to make files owned by someone else than you there, it gets
your id, and complains it can't make it www:www.

Since you are probably moving across filesystems, the mv becomes a "cp + rm",
and the cp part is redoing the file from scratch there.

-- 
May the most significant bit of your life be positive.



Re: iked(8) bad-ip-version 7 (encap) error after 6.4 upgrade

2018-10-19 Thread Janne Johansson
Den 19 okt. 2018 kl 00:44 skrev Jason Tubnor :

> 09:14:42.281631 (authentic,confidential): SPI 0x03096f78: bad-ip-version 7
> (encap)

IPv7? I thought me using v6 was hipster enough, but the cool kids have
surpassed me by far.

(sorry for not helping with your actual issue though)
-- 
May the most significant bit of your life be positive.



Re: _writes_to_HOME directories in /

2018-10-18 Thread Janne Johansson
Den tors 18 okt. 2018 kl 19:55 skrev schwack :
>
> Was prepping for 6.4 upgrade and noticed a bunch of *_writes_to_HOME 
> directories in my root file systyem. (as shown below)
> All created on Sept 16th. Not sure what I might have been doing on the system 
> that day.

"building ports" most likely.

> Any thoughts on what these directories are, how they got there, and if safe 
> to delete?
>

yes.

Googling for openbsd writes_to_home points to bsd.port.mk, and the env
PORTHOME for which the manpage of bsd.port.mk
says:
PORTHOME
 Setting of env variable HOME for most shell invocations.  Default
 will trip ports that try to write into $HOME while building.

-- 
May the most significant bit of your life be positive.



Re: 6.4 available but sources incorrect

2018-10-18 Thread Janne Johansson
Den tors 18 okt. 2018 kl 15:37 skrev Peter J. Philipp :
>
> Hi,
>
> I know the announcement hasn't made it out yet afaik.  But I want to give
> notice that on ftp.eu as well as cdn mirrors the sources don't check out.
> For one the key is the old 6.3 key and then it fails to signify.
>
> pub -x SHA256.sig-tgz ports.tar.gz
> <
> Signature Verified
> ports.tar.gz: FAIL
> upsilon$ rm *gz
> upsilon$ ls
> SHA256.sig  install64.iso
>
> I'm holding off on installing until this is fixed.  Thanks!  The amd64 
> binaries
> at least in the .iso from ftp.eu checked out fine on the 64 key.

New SHA256.sig out on ftp.eu. mirror now.

-- 
May the most significant bit of your life be positive.



Re: Routing stops after ipsec/gre tunnel activates

2018-10-01 Thread Janne Johansson
Den mån 1 okt. 2018 kl 16:56 skrev Kaya Saman :

> Hi,
> I've got an issue where something strange is happening with the routing
> table after establishing an ipsec connection it's quite hard to
> describe but what happens is that the tunnel establishes then routing
> goes down completely. The netstat -r command when run on the router just
> hangs and doesn't complete (show any routes).
>

Perhaps you can't reach your resolver, try running "netstat -rn" to prevent
netstat from trying to resolve all ips and networks it lists.

-- 
May the most significant bit of your life be positive.


Re: IPv6 router advertisement rdns not working?

2018-09-14 Thread Janne Johansson
Den tors 13 sep. 2018 kl 18:49 skrev Mike Coddington :

> On Thu, Sep 13, 2018 at 06:15:28AM +0200, Sebastien Marie wrote:
> > On Wed, Sep 12, 2018 at 10:26:40PM -0500, Mike Coddington wrote:
> > >  However, if I decide to go with just IPv6 by
> > > simplifying my /etc/hostname.if file and using "inet6 autoconf" by
> > > itself, I cannot do any DNS lookups.
> > >
> > rad(8) has support for sending rdns information, but currently nothing
> > in base has support to get resolv.conf configured with such information.
>
> Good to know. I'll stop spinning my wheels. That might be a nice project
> for me to start tinkering with. Thank you!
>

Do mind that it is somewhat non-trivial to figure out a method of having
0, 1, 2 or more sources of resolver information that all want to update
/etc/resolv.conf when adding or removing resolvers as your interfaces go up
and down without stomping on each other's toes. But having code that gets
the info from rad(8) would still be a part of that, so it would be
interesting to have anyhow.

-- 
May the most significant bit of your life be positive.


Re: Can't open /dev/bio on arm

2018-08-05 Thread Janne Johansson
Are there MAKEDEV things to add also?

Den sön 5 aug. 2018 09:15Jonathan Gray  skrev:

> On Sat, Aug 04, 2018 at 06:38:20PM +1000, Jonathan Gray wrote:
> > On Sat, Aug 04, 2018 at 05:37:11PM +1000, Jonathan Gray wrote:
> > > On Sat, Aug 04, 2018 at 09:33:45AM +0300, Kihaguru Gathura wrote:
> > > > Hi,
> > > >
> > > > I am getting message:  bioctl: Can't open /dev/bio: Device not
> configured
> > > >
> > > > No clue whatsoever on how to go about this. Please assist.
> > > >
> > > > Instructions
> > > > --
> > > > almandine# fdisk -iy sd0
> > > > Writing MBR at offset 0.
> > > > almandine# fdisk -iy sd1
> > > > Writing MBR at offset 0.
> > > > almandine# disklabel -E sd0
> > > > Label editor (enter '?' for help at any prompt)
> > > > > a
> > > > partition: [a]
> > > > offset: [64]
> > > > size: [15727571] *
> > > > FS type: [4.2BSD] RAID
> > > > > w
> > > > > q
> > > > No label changes.
> > > > almandine# disklabel sd0 > layout
> > > > almandine# disklabel -R sd1 layout
> > > > almandine# rm layout
> > > > almandine# bioctl -c 1 -l sd0a,sd1a softraid0
> > > > bioctl: Can't open /dev/bio: Device not configured
> > > > --
> > >
> > > softraid is not currently built as part of the ramdisk kernel on arm*
> > > also the case for landisk, loongson, luna88k, octeon, sgi, socppc
> >
> > bio as well
>
> And then someone needs to add support to armv7/arm64 efiboot to be able
> to boot from it like amd64, i386 and sparc64 can.
>
>


Re: autri(4) disabled by default

2018-07-31 Thread Janne Johansson
Den tis 31 juli 2018 kl 12:47 skrev Peter Kay :

> I see autri(4) is disabled by default in an amd64 kernel, probably
> others too, and has been for a very long time.
>
> I can't see any notice of why this is so, anyone know?
>
>
>
Seems like it came over with the initial amd64 port from i386, and no one
tested it on amd64, so it never got enabled but remained commented out.

-- 
May the most significant bit of your life be positive.


Re: Julia on OpenBSD?

2018-07-13 Thread Janne Johansson
Den fre 13 juli 2018 kl 10:46 skrev Rudolf Sykora :

> Hello,
>
> has anyone any experience with running Julia (language)
> on OpenBSD? How difficult was it to set it up? (It isn't
> in the Ports.)
>
>
http://daemonforums.org/showthread.php?p=63134
the internet seems to point to bcallah@


-- 
May the most significant bit of your life be positive.


Re: arm64 recommendation Pine64 or Rock64

2018-07-08 Thread Janne Johansson
Den sön 8 juli 2018 kl 07:04 skrev Predrag Punosevac :

>  I am in particularly keen on building an
> embedded computer which will use  Arduino UNO a microcontroller
> motherboard(s) to pool DHT22 AM2302 Digital Temperature And Humidity
> Measurement Sensor as well as HC-SR501 Human Sensor Module Pyroelectric
> Infrared. I see arduino-1.0.2p6v0.tgz among aarch64 packages so I am
> guessing somebody has already tried this. Any feed back on developing
> Arduino sketches from arm64 board?
>
>
I haven't tried it, but it should be doable.

Still, nothing prevents one from compiling the arduino hexes on another
machine and using avrdude on the arm64 to upload and later talk to the
Arduino if need be.
As for using openbsd (in my case on amd64) in general to develop arduino
stuff, it works great if you skip the IDE and use Makefiles to compile and
upload the code.

-- 
May the most significant bit of your life be positive.


Re: clearing the disk cache

2018-07-03 Thread Janne Johansson
Den tis 3 juli 2018 kl 10:59 skrev Maximilian Pichler <
maxim.pich...@gmail.com>:

>
> > The buffer cache is implemented as two 2-queue and therefor a simple cat
> > bigfile will not fill the cache.
>
> What sort of data structure or algorithm is this? Any reference would
> be much appreciated.
>
>
>
2Q

https://www.tedunangst.com/flak/post/2Q-buffer-cache-algorithm


-- 
May the most significant bit of your life be positive.
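As an added illustration of the point quoted above (not OpenBSD's buffer cache code, and simplified: no ghost list, and a block pushed out of the hot queue is simply dropped), the constructed model below runs a hot working set and then a one-pass stream of a "big file" through a two-queue cache and through a plain LRU cache of the same total size. The block numbers and queue sizes are made up for the demonstration.

```python
from collections import OrderedDict


class TwoQueueCache:
    """Simplified 2Q: a FIFO 'cold' queue for blocks touched once and an
    LRU 'hot' queue for blocks touched at least twice. Constructed model."""

    def __init__(self, cold_size, hot_size):
        self.cold_size, self.hot_size = cold_size, hot_size
        self.cold = OrderedDict()  # insertion order == FIFO order
        self.hot = OrderedDict()   # most recently used block at the end

    def access(self, block):
        if block in self.hot:                 # hit in hot: refresh LRU position
            self.hot.move_to_end(block)
            return True
        if block in self.cold:                # second touch: promote to hot
            del self.cold[block]
            self.hot[block] = None
            if len(self.hot) > self.hot_size:
                self.hot.popitem(last=False)  # drop least recently used
            return True
        self.cold[block] = None               # first touch: cold FIFO only
        if len(self.cold) > self.cold_size:
            self.cold.popitem(last=False)     # stream evicts only cold blocks
        return False

    def contains(self, block):
        return block in self.hot or block in self.cold


class LRUCache:
    """Single LRU queue of the same total size, for comparison."""

    def __init__(self, size):
        self.size, self.q = size, OrderedDict()

    def access(self, block):
        hit = block in self.q
        self.q[block] = None
        self.q.move_to_end(block)
        if len(self.q) > self.size:
            self.q.popitem(last=False)
        return hit

    def contains(self, block):
        return block in self.q


def retained_after_stream(cache, working_set, stream):
    """Touch the working set twice, stream a big file once, then count how
    many working-set blocks survived."""
    for _ in range(2):
        for b in working_set:
            cache.access(b)
    for b in stream:
        cache.access(b)
    return sum(1 for b in working_set if cache.contains(b))
```

With an 8-block working set and a 1000-block stream, the two-queue cache (8 cold + 8 hot) keeps all 8 working-set blocks while a 16-block LRU keeps none.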


Re: 20% package loss on CARP after upgrade to 6.3

2018-06-21 Thread Janne Johansson
On Thu, 21 Jun 2018 at 10:31, Stefan Sperling wrote:

> On Thu, Jun 21, 2018 at 10:07:06AM +0200, Janne Johansson wrote:
> > On Wed, 20 Jun 2018 at 19:59, Henrik Dige Semark wrote:
> >
> > > Hey everybody,
> > >
> > > # Server 1
> > > My /etc/hostname.* for CARP's and pfsync + host adaptor:
> > > https://pastebin.com/vrtuPqnQ
> > > My /etc/pf.conf: https://pastebin.com/yhVkG4x4
> > >
> > > # Server 2
> > > My /etc/hostname.* for CARP's and pfsync + host adaptor:
> > > https://pastebin.com/a7fuM923
> > > My /etc/pf.conf: https://pastebin.com/xNr1TtZ7
> > >
> > > Any help or pointers would be fantastic.
> > > I have struggled with this for a week now and I'm running out of
> > > ideas -
> > > the only solution I have right now is turning off the backup server.
> > >
> >
> > You should have different advskew on expected master and slave carps,
> no?
>
> Looks to me like that is already the case (Server 1 has advskew 0,
> Server 2 has advskew 100).
>

Oh damned, I might have looked at the same url twice. My bad.

-- 
May the most significant bit of your life be positive.


Re: FTP login delay

2018-06-21 Thread Janne Johansson
On Wed, 20 Jun 2018 at 23:28, Maximilian Pichler <maxim.pich...@gmail.com> wrote:

> I've enabled ftpd and am experiencing very long delays (consistently
> 75 seconds) when logging in from localhost.
>
> Running nc reveals that the connection is accepted immediately, but
> the server waits before spitting out the 'ready' line:
>
> $ nc -4v localhost 21
> Connection to localhost 21 port [tcp/ftp] succeeded!
> <<...75 seconds go by...>>
> 220 zen-thought.my.domain FTP server ready.
>
> This smelled a lot like https://www.openbsd.org/faq/faq8.html#RevDNS,
> but of course localhost is in /etc/hosts (and /etc/resolv.conf has
> 'lookup file bind').
>

Try running the ftpd under a ktrace and then use kdump to see what it does
just before those 75 seconds?
RevDNS was a good guess though. ;)


-- 
May the most significant bit of your life be positive.

