Re: DMARC/DKIM and OpenBSD Mailinglists

2024-03-13 Thread Josh Grosse via misc
On March 13, 2024 1:54:14 PM EDT, "Todd C. Miller"  wrote:
>I've just added support to our majordomo for rewriting the From:
>header when the sender's domain has a DMARC policy.  Messages from
>domains using DMARC will now have a From: header like:
>
>From: "John Connor via misc" 
>
>and the original From: address is preserved in the X-Original-From:
>header if one is not already present.
>
>This seems like the only reliable way to address the problem given
>that the mailing list server often reformats or otherwise modifies
>the message body.
>
>The rewriting currently happens even for a DMARC policy of "none"
>since some large senders (for example gmail.com) use a policy of
>"none" but receivers may still enforce SPF.  I could relax this but
>I worry that doing so will lower the IP or domain "reputation" in
>Google's eyes (something that is already a black box).
>
> - todd
>

Thank you! 

  -Josh-
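
The From: rewriting Todd describes above, as an added Python illustration; this is not majordomo's code and not anything posted in the thread. The DNS lookup for the `_dmarc.<domain>` TXT record is replaced by a constructed table so it runs offline, `LIST_ADDRESS`/`LIST_NAME` and the sample message are assumptions, and the `p=none` decision the post discusses is exposed as a switch so both behaviours can be compared.

```python
"""Rewrite From: on list traffic from DMARC-publishing domains.

Added illustration, not majordomo's code.  The DNS lookup for the
_dmarc.<domain> TXT record is replaced by a constructed table so the
example runs offline; LIST_ADDRESS/LIST_NAME are assumptions."""
from email import message_from_string
from email.message import Message
from email.utils import formataddr, parseaddr
from typing import Optional

LIST_ADDRESS = "misc@example.org"   # assumed list address, not from the post
LIST_NAME = "misc"

# Constructed stand-in for DNS: domain -> value of the p= tag in its DMARC
# record.  A production version would query TXT _dmarc.<domain>.
DMARC_POLICIES = {
    "gmail.com": "none",
    "skynet.example": "reject",
}


def dmarc_policy(domain: str) -> Optional[str]:
    """Return the DMARC p= value for a domain, or None if it publishes none."""
    return DMARC_POLICIES.get(domain.lower())


def rewrite_from(msg: Message, rewrite_none: bool = True) -> bool:
    """Rewrite From: when the sender's domain has a DMARC policy.

    The original address is preserved in X-Original-From unless that header
    is already present.  With rewrite_none=True even p=none triggers the
    rewrite, which is the behaviour the post describes; rewrite_none=False
    is the relaxed variant.  Returns True when the header was rewritten."""
    name, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return False                       # nothing usable to look up
    domain = addr.rsplit("@", 1)[1]
    policy = dmarc_policy(domain)
    if policy is None or (policy == "none" and not rewrite_none):
        return False
    if "X-Original-From" not in msg:
        msg["X-Original-From"] = msg["From"]
    display = name or addr.split("@", 1)[0]
    del msg["From"]                        # Message.__setitem__ appends
    msg["From"] = formataddr((f"{display} via {LIST_NAME}", LIST_ADDRESS))
    return True


# Constructed sample message.
SAMPLE = """\
From: John Connor <john@skynet.example>
To: misc@example.org
Subject: test

hello
"""


def process(raw: str = SAMPLE, rewrite_none: bool = True) -> dict:
    """Parse a raw message, apply the rewrite and report the resulting headers."""
    msg = message_from_string(raw)
    changed = rewrite_from(msg, rewrite_none)
    return {
        "changed": changed,
        "from": msg["From"],
        "x_original_from": msg.get("X-Original-From"),
    }


if __name__ == "__main__":
    print(process())
```

Running it prints the rewritten headers for the sample; an existing X-Original-From is never overwritten, so a message that already passed through another rewriting list keeps its first original sender.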


Re: Weird VMD behaviour

2024-02-22 Thread Josh Grosse
On Thu, Feb 22, 2024 at 09:16:20AM -0300, pela0 wrote:
> on dmesg: 
> vmd[30546]: can't open /etc/firmware/vmm-bios: No such file or directory

Per the FAQ: "In some cases, virtualization capabilities must be
manually enabled in the system's BIOS. Be sure to run the
fw_update(8) command after doing so to get the required vmm-firmware package."



Re: DNS resolution when 1st nameserver does not know

2024-02-15 Thread Josh Grosse
On Thu, Feb 15, 2024 at 02:15:07PM +0100, rsyk...@disroot.org wrote:
> my computer is connected to a LAN, from which it obtains its
> IP and also local-DNS-server IP via DHCP. The latter is then
> inserted into /etc/resolv.conf by, I believe, resolvd. The
> computer is furthermore connected via wireguard VPN to
> another network with its own DNS server, serving the local
> IPs there. The DNS server in my LAN, of course, does not
> know the (non-public) IPs in the remote network. However, as
> it comes 1st in /etc/resolv.conf, the nameserver that comes
> next (I manually added it to the file) --- and which would
> know the answer --- is never asked. I can stop resolvd and
> use the DNS server within the VPN for all the traffic. But
> I'd still prefer to have most of the work done by the local
> DNS server, and only if it doesn't know I would ask the
> server in the VPN. Is there anything simple I can do?

Take a look at unwind(8) and unwind.conf(5).



Re: Problem with WireGuard on OpenBSD 7.3

2023-05-04 Thread Josh Grosse
On Thu, May 04, 2023 at 03:06:13PM +0200, Odd Martin Baanrud wrote:
> Hello,
> 
> I'm configuring a WireGuard server on an OpenBSD 7.3 machine, using this 
> howto:
> https://ianix.com/wireguard/openbsd-howto.html
> 
> I don't get the wg0 interface up.
> The hostname.wg0 contains:
> inet 10.0.6.1 0xfgffgf00 NONE up !/usrlocal/bin/wg setconf wg0 
> /etc/wireguard/wg0.conf

0xfgffgf00 is an invalid netmask, as it is not hexadecimal (0-f).  Your netmask 
should be one of:

a. address/subnet CIDR notation
b. decimal notation
c. hexadecimal notation

https://en.wikipedia.org/wiki/IP_address#Subnetworks
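
To show the three netmask notations listed in the reply in one place, here is an added Python checker; it is an illustration written for this page, not from the post and not an OpenBSD tool. It accepts CIDR, dotted-decimal and hexadecimal masks, rejects anything that is not a contiguous run of one bits (including the quoted `0xfgffgf00`), and validates an `inet` line in the two forms hostname.if(5) accepts; the function names are my own.

```python
"""Validate the netmask in a hostname.if(5) inet line.

Added illustration, not an OpenBSD tool.  Accepts the three notations the
reply lists (CIDR, dotted decimal, hexadecimal) and rejects anything else."""
import ipaddress
import re


def netmask_prefix(spec: str) -> int:
    """Return the prefix length for a netmask written as '/24',
    '255.255.255.0' or '0xffffff00'.  Raises ValueError otherwise."""
    s = spec.strip()
    if s.startswith("/"):                              # CIDR
        bits = int(s[1:])
        if not 0 <= bits <= 32:
            raise ValueError(f"prefix length out of range: {spec!r}")
        return bits
    if re.fullmatch(r"0[xX][0-9a-fA-F]{8}", s):        # hexadecimal
        value = int(s, 16)
    elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", s):    # dotted decimal
        value = int(ipaddress.IPv4Address(s))
    else:
        # e.g. '0xfgffgf00': 'g' is not a hex digit
        raise ValueError(f"not a recognised netmask: {spec!r}")
    bits = bin(value).count("1")
    # A mask must be a contiguous run of ones followed by zeros.
    if value != (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {spec!r}")
    return bits


def check_inet_line(line: str) -> str:
    """Check an 'inet ADDR NETMASK ...' (or 'inet ADDR/PREFIX ...') line and
    return the address in ADDR/PREFIX form."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "inet":
        raise ValueError("expected: inet ADDR NETMASK [options]")
    if "/" in fields[1]:
        iface = ipaddress.IPv4Interface(fields[1])
        return f"{iface.ip}/{iface.network.prefixlen}"
    if len(fields) < 3:
        raise ValueError("netmask missing")
    addr = ipaddress.IPv4Address(fields[1])
    return f"{addr}/{netmask_prefix(fields[2])}"


if __name__ == "__main__":
    # The line quoted in the thread, followed by a corrected one.
    for cfg in ("inet 10.0.6.1 0xfgffgf00 NONE up",
                "inet 10.0.6.1 0xffffff00 NONE up"):
        try:
            print(cfg, "->", check_inet_line(cfg))
        except ValueError as err:
            print(cfg, "-> rejected:", err)
```

The contiguity check matters because `0xff00ff00` is perfectly valid hexadecimal but is not a netmask; a parser that only checks the digits would accept it.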



Re: vlan autoconf fails to conf at boot

2022-04-29 Thread Josh Grosse
On Fri, Apr 29, 2022 at 09:33:50PM -0700, George Morgan wrote:
> I created a hostname.vlan10 file which has a single line:
> 
> inet autoconf parent vge0 vnetid 10 lladdr ...
> 
> At boot the interface fails to configure but after boot I can login to the 
> console and run "doas sh /etc/netstart" and the interface will configure.
> 
> What am I doing wrong?  Do I need to add something to rc.conf.local to force 
> the parent to configure first?  The parent (vge0) has a static IPv4 address.

The vlan has to be created and assigned parentage before autoconfiguration.
Craft your hostname.vlan10 file in two lines:

vnetid 10 parent vge0 lladdr ...
inet autoconf

This information brought to my attention via Reddit:

https://www.reddit.com/r/openbsd/comments/ua0wqd/no_longer_able_to_connect_to_the_internet_after/i5z24fj/



Re: Sysctl settings for transmission bittorrent (udp receive buffer size)

2022-04-26 Thread Josh Grosse
On Mon, Apr 25, 2022 at 07:47:37PM -, Stuart Henderson wrote:
> On 2022-04-25, Daniel Schuermann  wrote:
> > I can't get transmission (bittorrent client) to work properly.  
> >
> > From the logs: 
> > transmission-daemon: UDP Failed to set receive buffer: 
> > requested 4194304, got 41600
> >
> > On Linux I would do: 
> > sysctl net.core.rmem_max=4194304
> > I couldn't figure out the correct settings for OpenBSD. 
> >
> > net.inet.udp.recvspace sets the default, not the max buffer size, 
> > e.g. sysctl net.inet.udp.recvspace=4194304 causes errors:
> > nslookup openbsd.org
> > nslookup: isc_socket_create: not enough free resources
> 
> That is the right sysctl, the alternative is to set per-socket with
> setsockopt() (SO_SNDBUF, SO_RCVBUF).
> 
> The max is 256K (262144).

Looking through upstream's problem tracker, I see that this is a design
requirement of uTP and that the message, while appearing to be an error,
is informational; uTP will still operate.

https://trac.transmissionbt.com/ticket/4321

https://trac.transmissionbt.com/ticket/5317



Re: Unwind in rdomain1 returning NXDOMAIN for local queries

2022-03-25 Thread Josh Grosse
On Fri, Mar 25, 2022 at 11:41:08AM +0100, Francisco Gaitan wrote:
> I have setup a WireGuard VPN so I run two instances of unwind, one for
> rdomain 0 (unwind) and another for rdomain 1 (unwind1) this way:
> lrwxr-xr-x  1 root  wheel  16 Mar 23 13:44 unwind1 -> /etc/rc.d/unwind
> 
> $ cat /etc/rc.conf.local
> unwind1_flags=-vvv -f /etc/unwind1.conf
> unwind1_rtable=1

Here is where we differ.  Both of my unwind(8) instances use the same
configuration file, but they use different sockets:

 unwind1_flags=-s /dev/unwind1.sock
 unwind1_rtable=1
 unwind_flags=

> 
> After some time and without any output to /var/log/daemon, unwind1 just
> stops replying to queries for the local network until I restart, then it
> works again during some time. 
> 
> This happens since days ago where I did this setup.
> 
> $ cat /etc/resolv.conf
> nameserver 127.0.0.1 # resolvd: unwind
> search home.arpa
> lookup file bind
> 
> $ cat /etc/unwind1.conf
> forwarder 192.168.10.1
> 
> $ route -T 1 exec dig @127.0.0.1 iron.home.arpa
> 
> ; <<>> dig 9.10.8-P1 <<>> @127.0.0.1 iron.home.arpa
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31081
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;iron.home.arpa.               IN      A
> 
> ;; AUTHORITY SECTION:
> home.arpa.              3600    IN      SOA     localhost. nobody.invalid. 1 3600 1200 604800 10800
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Mar 25 11:25:43 CET 2022
> ;; MSG SIZE  rcvd: 91
> 
> $ route -T 1 exec dig @127.0.0.1 +short iron.home.arpa
> $ route -T 1 exec dig @192.168.10.1 +short iron.home.arpa
> 192.168.10.10
> $ route -T 1 exec dig +short example.com
> 93.184.216.34
> 
> $ doas rcctl restart unwind1
> unwind1(ok)
> unwind1(ok)
> 
> $ route -T 1 exec dig @127.0.0.1 +short iron.home.arpa
> 192.168.10.10
> $ route -T 1 exec dig @192.168.10.1 +short iron.home.arpa
> 192.168.10.10
> 
> $ ifconfig lo1
> lo1: flags=8049 rdomain 1 mtu 32768
> description: rdomain 1 loopback address
> index 5 priority 0 llprio 3
> groups: lo
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo1 prefixlen 64 scopeid 0x5
> inet 127.0.0.1 netmask 0xff00
> 
> $ route -T 1 exec netstat -lnf inet
> Active Internet connections (only servers)
> Proto   Recv-Q Send-Q  Local Address  Foreign Address
> TCP-State
> tcp  0  0  127.0.0.1.53   *.*
> LISTEN
> Active Internet connections (only servers)
> Proto   Recv-Q Send-Q  Local Address  Foreign Address
> udp  0  0  192.168.10.10.68   *.*
> udp  0  0  127.0.0.1.53   *.*
> udp  0  0  *.17233*.*
> 

> OpenBSD 7.1-beta (GENERIC.MP) #439: Thu Mar 24 20:01:15 MDT 2022
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 17087004672 (16295MB)
> avail mem = 16551866368 (15785MB)
> random: good seed from bootblocks
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe838b (83 entries)
> bios0: vendor Hewlett-Packard version "K51 v01.87" date 06/10/2019
> bios0: Hewlett-Packard HP Z220 CMT Workstation
> acpi0 at bios0: ACPI 5.0
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP APIC FPDT MCFG HPET SSDT SSDT SLIC SSDT SSDT TCPA ASF!
> acpi0: wakeup devices PS2K(S3) PS2M(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) 
> USB5(S3) USB6(S3) USB7(S3) HUB_(S4) RP01(S4) PXSX(S4) RP05(S4) PXSX(S4) 
> RP07(S4) PXSX(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Xeon(R) CPU E3-1245 V2 @ 3.40GHz, 3392.75 MHz, 06-3a-09
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 99MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Xeon(R) CPU E3-1245 V2 @ 3.40GHz, 3392.31 MHz, 06-3a-09
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu1: 256KB 64b/line 

Re: No sound on ThinkPad X220 using current snapshot

2022-02-14 Thread Josh Grosse
On Mon, Feb 14, 2022 at 05:58:37PM +0100, Dirk-Wilhelm Peters wrote:
> "Theo de Raadt"  wrote:
> 
> > > OpenBSD 7.0-current (GENERIC.MP) #325: Thu Feb 10 12:26:12 MST 2022
> > 
> > Your subject says "current snapshot".  But then you show a 4-day old
> > kernel.
> > 
> > You can do better.
> 
> Yes. Kernel #334 is also silent after returning from suspend mode.
 
I have the same X220 hardware.  Bisecting the kernel indicates this
commit caused the regression.  Tested on the X220 with GENERIC.MP.

commit ad814436a071b6401bfaf527a709138b9bf992e2 (refs/bisect/bad)
Author: deraadt 
Date:   Tue Feb 8 17:25:10 2022 +

The suspend/resume code is a sticky mess of MI, MD, and ACPI sequencing.
This splits out the MI sequencing, backing it with per-architecture helper
functions.  Further steps will be necessary because ACPI and MD are too
tightly coupled, but soon we'll be able to use this code for more architectures
(which depends on figuring out the lowest-level cpu sleeping method)
ok kettenis



Re: i386 kernel relinking

2020-05-19 Thread Josh Grosse
On Tue, May 19, 2020 at 05:21:59PM +0200, Stefan Sperling wrote:
> On Fri, Apr 10, 2020 at 10:25:14AM -0400, Nick Holland wrote:
> > On 2020-04-10 10:10, Stefan Sperling wrote:
> > > On Fri, Apr 10, 2020 at 09:35:16AM -0400, Nick Holland wrote:
> > > FWIW, my soekris net5501 with 256MB of RAM and 512MB swap does manage
> > > to relink a kernel (on 6.6 + syspatches).
> > 
> > Whoops.  Guess I should have mentioned, that was -current, as of
> > yesterday 
> > OpenBSD 6.7-beta (GENERIC.MP) #110: Thu Apr  9 01:20:52 MDT 2020
> > dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
> > real mem  = 334970880 (319MB)
> > avail mem = 313077760 (298MB)
> > 
> > and probably a couple weeks ago for the real (old) hw.
> > 
> > I'm curious if your Soekris can handle 6.7-beta.
> > 
> > Nick.
> 
> It's been fixed in 6.7 release!

Thank you!!!  Awesome!!!



Re: i386 kernel relinking

2020-04-12 Thread Josh Grosse
FWIW, the GNU linker can reorder the kernel on i386-current
with 256MB RAM:

   # env LD=ld.bfd /usr/libexec/reorder_kernel

---

relink.log:

(SHA256) /bsd: OK
LD="ld.bfd" LDFLAGS="-g" sh makegap.sh 0x gapdummy.o
ld.bfd -T ld.script -X --warn-common -nopie -o newbsd ${SYSTEM_HEAD} vers.o 
${OBJS}
    text     data      bss      dec     hex
11916299   262796  1101824 13280919  caa697
mv newbsd newbsd.gdb
ctfstrip -S -o newbsd newbsd.gdb
rm -f bsd.gdb
mv -f newbsd bsd
install -F -m 700 bsd /bsd && sha256 -h /var/db/kernel.SHA256 /bsd

Kernel has been relinked and is active on next reboot.

SHA256 (/bsd) = 3c9cca9da06acdc92270f6f0e68b57447881a01e3e2584a0086291efb5033ba7

---

On Fri, Apr 10, 2020 at 10:52:37AM -0600, Theo de Raadt wrote:
> I am successfully relinking kernels on a landisk with 128MB of ram.
> 
> I think this conversation is ridiculous:
> 
> If a machine is too small, then it is too small.  Do I have to paypal
> a $0.05 to some users?
> 
> Nick Holland  wrote:
> 
> > 
> > 
> > 
> > On 2020-04-10 10:10, Stefan Sperling wrote:
> > > On Fri, Apr 10, 2020 at 09:35:16AM -0400, Nick Holland wrote:
> > >> Question about kernel randomization and relinking...
> > >> 
> > >> It seems to take a fair amount of RAM, at least for systems that
> > >> are forced to run i386.  And I mean real RAM -- swap doesn't seem
> > >> to cut it.  
> > >> 
> > >> I discovered that several machines I was intending on using for
> > >> minimal purposes just couldn't complete relinking.  So I built a
> > >> VM and started playing with the RAM.
> > >> 
> > >> Built with 1G RAM, default was a 1.2G swap, worked fine.
> > >> Reduced to 256MB RAM, Kernel failed to relink.  As with my old
> > >> junk.
> > >>
> > >> The magic number seemed to be between 320MB (failed) and 384MB 
> > >> (worked) of RAM.  Ok, fine.  
> > > 
> > > FWIW, my soekris net5501 with 256MB of RAM and 512MB swap does manage
> > > to relink a kernel (on 6.6 + syspatches).
> > 
> > Whoops.  Guess I should have mentioned, that was -current, as of
> > yesterday 
> > OpenBSD 6.7-beta (GENERIC.MP) #110: Thu Apr  9 01:20:52 MDT 2020
> > dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
> > real mem  = 334970880 (319MB)
> > avail mem = 313077760 (298MB)
> > 
> > and probably a couple weeks ago for the real (old) hw.
> > 
> > I'm curious if your Soekris can handle 6.7-beta.
> > 
> > Nick.
> > 
> > 
> > > 
> > > # ls -l relink.log
> > > -rw-r--r--  1 root  wheel  -  507B Apr 10 13:33 relink.log
> > > # cat relink.log   
> > > (SHA256) /bsd: OK
> > > LD="ld" LDFLAGS="-g" sh makegap.sh 0x gapdummy.o
> > > ld -T ld.script -X --warn-common -nopie -o newbsd ${SYSTEM_HEAD} vers.o 
> > > ${OBJS}
> > >     text     data      bss      dec     hex
> > > 11815507   267748  1101824 13185079  c93037
> > > mv newbsd newbsd.gdb
> > > ctfstrip -S -o newbsd newbsd.gdb
> > > rm -f bsd.gdb
> > > mv -f newbsd bsd
> > > install -F -m 700 bsd /bsd && sha256 -h /var/db/kernel.SHA256 /bsd
> > > 
> > > Kernel has been relinked and is active on next reboot.
> > > 
> > > SHA256 (/bsd) = 
> > > a940ce989d708e5b87a1186ee81bd624066baeabe67b8405b52e4fa2988b565
> > > 
> > > 
> > > # dislabel -pm wd0
> > > #            size           offset  fstype [fsize bsize   cpg]
> > >   a:       353.0M               64  4.2BSD   2048 16384  5624 # /
> > >   b:       511.1M           722944    swap                    # none
> > >   c:     15280.0M                0  unused
> > >   d:       444.8M          1769728  4.2BSD   2048 16384  7116 # /tmp
> > >   e:       607.7M          2680576  4.2BSD   2048 16384  9685 # /var
> > >   f:      1703.0M          3925216  4.2BSD   2048 16384 12958 # /usr
> > >   g:       505.8M          7412896  4.2BSD   2048 16384  8060 # /usr/X11R6
> > >   h:      1632.9M          8448736  4.2BSD   2048 16384 12958 # /usr/local
> > >   i:      1381.2M         11792960  4.2BSD   2048 16384 12958 # /usr/src
> > >   j:      5282.4M         14621632  4.2BSD   2048 16384 12958 # /usr/obj
> > >   k:      2850.9M         25439936  4.2BSD   2048 16384 12958 # /home
> > > 
> > 



Re: Openssh over a mobile network

2019-12-01 Thread Josh Grosse
On Sun, Dec 01, 2019 at 07:13:18PM +0530, putridsou...@gmail.com wrote:
> I am not able to ssh into my home computer connected to
> router,  the client device (termux on android) is on a
> mobile network. Is there something I am supposed to 
> know?. Because I can ssh into my computer easily when
> when both devices are on the same router network. 

I assume your router uses Network Address Translation (NAT). You must instruct
it to *forward* the incoming SSH traffic.  NAT is commonly used to separate
a private network from the Internet, particularly with small business or  
home networks.  

See your router's documentation for port forwarding.  The standard destination
port number for SSH is 22.



Re: Raid0 max volume size

2019-11-09 Thread Josh Grosse
On Sat, Nov 09, 2019 at 07:01:02AM -0700, Raymond, David wrote:
> Does raid0 allow the creation of file systems bigger than the 2 TB limit of 
> ffs?

RAID 0 stripe sizes may be as large as the smallest physical extent.  

FFS2 -- see newfs(8) -- supports a filesystem size up to 64 PB.



Re: Virtual Web Server

2019-03-08 Thread Josh Grosse
On Fri, Mar 08, 2019 at 12:09:22PM +, daffodil...@protonmail.ch wrote:
> I installed OpenBSD on my home server with the intention of running Wordpress 
> and some other things (maybe a TOR relay, I don't know). After installing, I 
> used some online guides to get PHP and MySQL as well as httpd (not apache) 
> set up. But after setting up Wordpress, I was getting some errors I was 
> unable to debug (unable to post content, unable to crop images, etc.)
> 
> Now I'm thinking instead to run Linux in a VM to host Wordpress but keeping 
> OpenBSD on the machine as the base operating system. What settings do I need 
> to alter in order to serve http and https from a VM? And is this a normal 
> kind of setup or should I work harder at just debugging what is wrong with 
> Wordpress on the OpenBSD setup?

I'm going to guess you are using either httpd(8) or the nginx package
as your web server.  If so, you will need to create a copy of /etc/resolv.conf
as /var/www/etc/resolv.conf.  Both web servers run in a chroot(2) at
/var/www.  After creating the directory and copying the file, restart your
phpXX_fpm daemon.

It was just a guess, of course, because you didn't state what you're using,
or what you've done.



Re: device node for sd1 not present

2019-02-08 Thread Josh Grosse
On Fri, Feb 08, 2019 at 04:42:42PM +0300, ¯\_(ツ)_/¯ ¯\_(ツ)_/¯ wrote:
> Hi,
> I need to mount sd1(install media) in install shell, but it only has device 
> nodes for sd0(hdd).
> How do I create device nodes for sd1 ?
> Also, I can't execute /dev/MAKEDEV("Permission  denied").

# cd /dev && sh MAKEDEV sd1



Re: vlan problem

2019-01-28 Thread Josh Grosse
On Mon, Jan 28, 2019 at 07:57:01PM +0800, johnw wrote:
> hi, I want create vlan network

vlan(4) **REQUIRES** switching equipment that supports
802.1Q Ethernet tagging.  These are known as "managed
switches".



Re: is there anything like pdfnup or pdfjam?

2019-01-21 Thread Josh Grosse
On Mon, Jan 21, 2019 at 04:50:08PM +, rsyk...@disroot.org wrote:
> Dear list,
> 
> I want to print a pdf, but with two pages put
> on one physical page.
> 
> On linux, pdfnup or pdfjam can do it.
> 
> I cannot find these for OpenBSD.
> What do you use then?

Both pdfnup and pdfjam are included with the texlive_base package.  For 2-up
printing, I use evince.



Re: does this affect acme-client?

2019-01-21 Thread Josh Grosse
On Mon, Jan 21, 2019 at 03:18:04PM +0100, Peter J. Philipp wrote:
> Does this affect the acme-client?
> 
> https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209
> 
> Regards,
> -peter

I don't think so, Peter.  Per acme-client(1): "acme-client only implements the 
'http-01' challenge type..."



I love your Emails. This one made my day!

2018-11-20 Thread Josh Grosse
Thank you!

On November 20, 2018 2:24:55 PM EST, Nick Holland  
wrote:
>On 11/20/18 11:43, Chris Bennett wrote:
>> I am almost certainly going to be replacing with a new server for an
>> organization I am a member of.
>> With all of this mess with Meltdown, Spectre, insecure motherboard
>> chips,etc.
>> I am pretty clueless on exactly what is going to be a secure set of
>> server hardware.
>> Intel, well no.
>> AMD? I have read about problems with non-CPU chips being compromised.
>> Another architecture? I have never used anything other than
>Intel/AMD.
>> 
>> The server will run httpd, mailserver, PostgreSQL and somehow a good
>way
>> for well encrypted messaging at times.
>
>all on one server?
>
>And as someone who has run a number of mail servers for a number of
>companies ... don't.  Just don't.  Running your own mail server is a
>good way to accomplish nothing except wasting a lot of time and making
>people hate you.
>
>> It is very likely to run out of Austin, Texas.
>> I think that having a direct connection would be best, but would a
>> proper setup make collocation OK?
>
>You are using poorly defined buzzwords.  What you mean by a "direct
>connection", "proper setup", "collocation" and what I mean are likely
>very different.
>
>> This isn't going to be my server, I will just be in charge. That's
>> completely new for me.
>> Any advice is really welcome, everywhere I read anything, hardware
>seems
>> broken and insecure.
>
>Pretty much all new HW is optimized in ways that we are now learning
>(and has been known for a long time) introduce security problems.
>However, most of the problems boil down to having malicious software
>running in the control of someone else on the same physical machine
>YOUR
>code is running on.
>
>In short: No news.  Really.
>
>If someone that wanted to do you evil lived in the same house as you,
>you would not be comfortable, right?  What if you put up walls
>(virtualization) that have proven to to be about as robust as paper?
>That make you feel any better?  Probably not.  Virtualization has been
>proven -- over and over -- not terribly secure.  Now we got
>cross-virtualization platforms ways of stealing data from other
>processes.  Important? yes.  But in the big picture, it's similar to
>Yet
>Another buffer overflow.
>
>So...split your tasks on different physical systems as much as
>possible.
>If your webserver is serving static pages, it's probably pretty robust.
> If it's running Wordpress or any other "any idiot can manage the web
>page" apps or dynamic web pages for other reasons, it should be a
>machine of its own and have no other important data on it.
>Your primary goal should be to keep the bad guys off your computer in
>every sense.  And again...nothing new here.
>
>But if security is your concern, you want real hw you control in every
>sense.
>
>Unfortunately, if you have performance requirements, your choices are
>AMD and Intel.  Older Intel and AMD chips aren't getting any support to
>deal with these problems, so your choices are incredibly old chips
>which
>are probably not in the most reliable hardware, and a whole bunch of
>other old, unreliable, and slow hardware platforms.  But be realistic.
>Your bosses will probably mandate a VM on someone else's hw, a
>wordpress
>website, one box for everything, and that you give him the root
>password
>which he'll e-mail to himself to keep it "secure".  Your most likely
>breach points will be an easily guessed password (usually, a
>manager's),
>a bug in a web content management system, or someone believing that
>"secure e-mail" is a thing.  In other words, Same Old Shit.  It
>probably
>won't be breached by a Spectre or Meltdown-like attack.  But it MIGHT
>be.  Obsessing about them is generally missing the real day-to-day
>risks.
>
>Nick.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: How can I mount a HDD with full encryption on another system?

2018-08-02 Thread Josh Grosse
On Fri, Aug 03, 2018 at 12:06:41AM +0200, Felix Maschek wrote:
> Hi!
> 
> I've used a full encrypted HDD (created as described in the OpenBSD FAQ) on
> a broken system and want to backup some data from it.
> 
> I've assembled this HDD into an external USB case and want to mount the HDD
> on another system. How can I mount this HDD? Needless to say that I know the
> passphrase...
> 
> Kind regards
> Felix
> 
See the bioctl(8) man page.  The softraid(4) man page may also be
helpful.



Re: 6.2-Release - Firefox and Codeblocks Issues

2017-11-20 Thread Josh Grosse

On 2017-10-16 20:30, Josh Grosse wrote:
> 1. Discussion was moved to ports@.
> 2. I have tested a fix, which I will publish for -current and 6.2-stable.
> 3. I will need to build and test the -stable package, and can then make it
>    available to you if you want to trust an unsigned package from the
>    port maintainer.

To close the loop, an improved fix for devel/codeblocks has been submitted
to ports@.

https://marc.info/?t=15111045484=1=2



Re: switching to DUIDs (and back)

2017-11-01 Thread Josh Grosse

On 2017-11-01 10:08, Alan Corey wrote:
> Thank you, I was thinking every partition has a UUID and I needed to
> find and use those.  But even in Linux it's apparently only devices
> that have UUIDs.  They're almost like DOS/Windows drive serial
> numbers, but those are generated when you format a partition and only
> apply to the partition.  Yes, I was looking at man pages but what I
> was looking for doesn't exist.

I'm sorry.  Originally, you wrote:

> I want to replace my fstab with one that accesses my current
> partitions using DUIDs.  Disklabel shows me a DUID for the drive, how
> do I set up individual partitions?  Or is there already a DUID (or
> UUID) for each partition that I need to find and use?

A DUID is per drive, and is reported to you by disklabel(8).

# disklabel wd0 | grep duid

You can change the DUID value as well, if you desire to.
See the "i" command in the disklabel editor section of the
man page.

You'd also written ...

> I don't really like DUIDs ...

They were introduced specifically to eliminate needing to
edit fstab(5) entries in the event of device number changes.



Re: switching to DUIDs (and back)

2017-10-29 Thread Josh Grosse
On Sun, Oct 29, 2017 at 11:30:51AM -0400, Josh Grosse wrote:
> Basically, replace "wd0" with the drive's DUID.

I'm wrong, of course.  Replace "/dev/wd0" with the drive's DUID, 
then append "." followed by the partition.
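
The substitution described in the post above and its parent (replace `/dev/wd0` with the drive's DUID, then append `.` and the partition letter), as an added Python script; it is an illustration for this page, not part of the thread and not an OpenBSD tool. The `disklabel` output and the fstab contents are constructed samples and the DUID value is a placeholder; entries for disks whose DUID is not supplied, and comment lines, are left untouched.

```python
"""Rewrite fstab(5) device entries to DUID form.

Added illustration, not an OpenBSD tool.  The disklabel output, the fstab
contents and the DUID value below are constructed samples."""
import re
from typing import Dict

# What `disklabel wd0` prints, trimmed to the lines that matter here.
# The DUID is a placeholder, not a real one.
DISKLABEL_WD0 = """\
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: SAMPLE-DISK
duid: 0123456789abcdef
flags:
"""

# A classic fstab using device names; wd1 is deliberately left out of the
# DUID table so the example shows an untouched entry.
FSTAB = """\
# constructed sample fstab
/dev/wd0a / ffs rw 1 1
/dev/wd0d /tmp ffs rw,nodev,nosuid 1 2
/dev/wd0e /var ffs rw,nodev,nosuid 1 2
/dev/wd1a /backup ffs rw,noauto 1 2
"""

ENTRY = re.compile(r"^/dev/([a-z]+\d+)([a-p])(\s.*)$")


def duid_from_disklabel(text: str) -> str:
    """Pick the 16-hex-digit DUID out of disklabel(8) output."""
    for line in text.splitlines():
        if line.startswith("duid:"):
            duid = line.split(":", 1)[1].strip()
            if re.fullmatch(r"[0-9a-f]{16}", duid):
                return duid
    raise ValueError("no duid line found")


def rewrite_fstab(fstab: str, duids: Dict[str, str]) -> str:
    """Replace /dev/<disk><part> with <duid>.<part>, the form documented in
    fstab(5).  Entries for disks not in `duids` (and comment lines) stay."""
    out = []
    for line in fstab.splitlines():
        m = ENTRY.match(line)
        if m and m.group(1) in duids:
            disk, part, rest = m.groups()
            line = f"{duids[disk]}.{part}{rest}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    duid = duid_from_disklabel(DISKLABEL_WD0)
    print(rewrite_fstab(FSTAB, {"wd0": duid}), end="")
```

Keeping the old lines commented out, as the original poster planned, is compatible with this: comment lines never match the entry pattern.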



Re: switching to DUIDs (and back)

2017-10-29 Thread Josh Grosse
On Sun, Oct 29, 2017 at 11:25:22AM -0400, Alan Corey wrote:
> I thought this was documented somewhere but I'm not finding it in Googling.
> 
> I don't really like DUIDs, but I want to stick in a second drive
> controller temporarily to recover data off some old hard drives.
> Which means /dev/wd0a etc is going to change since the added
> controller (in a PCI slot) becomes primary.  I'm perfectly comfortable
> manually mounting and unmounting the old drives, I don't want to add
> them to an fstab.
> 
> I want to replace my fstab with one that accesses my current
> partitions using DUIDs.  Disklabel shows me a DUID for the drive, how
> do I set up individual partitions?  Or is there already a DUID (or
> UUID) for each partition that I need to find and use?
> 
> The main thing right now is to change fstab so it boots back up
> smoothly with DUIDs.  I'll comment out my current entries and put the
> DUID ones below.  And yes, I already made a backup copy.  All IDE,
> can't afford SCSI.

The fstab(5) man page is your friend. There's even an EXAMPLES section
in there for you to review that shows how DUIDs are addressed.

Basically, replace "wd0" with the drive's DUID.



Re: 6.2-Release - Firefox and Codeblocks Issues

2017-10-16 Thread Josh Grosse
1. Discussion was moved to ports@.
2. I have tested a fix, which I will publish for -current and 6.2-stable.
3. I will need to build and test the -stable package, and can then make it
   available to you if you want to trust an unsigned package from the 
   port maintainer.



Re: 6.2-Release - Firefox and Codeblocks Issues

2017-10-16 Thread Josh Grosse
On Sun, Oct 15, 2017 at 12:31:42PM -0400, tec...@protonmail.com wrote:
> Hi,
> 
> Firefox / Firefox-ESR
> I can not access my protonmail.com email account on  both of these versions 
> as I can't get to the login screen (it hangs on the loading screen) - this is 
> evident by going to https://mail.protonmail.com/login.  I have experienced 
> this same issue on two different installs, so I believe anyone trying to 
> access this site or some others will face the same issue.  My guess is that 
> it is due to the JavaScript functions it is running on this page.
> 
> Chromium works without issue and shows the login form.  Problem is, I really 
> despise Chromium and actively try to stay away from all Google services.
> 
> ###
> 
> Codeblocks
> This crashes as soon as I open it.  I can briefly see the codeblocks graphic 
> before it does so.

Thank you for your report regarding codeblocks.  I am able to 
replicate the abort signal, and will try to diagnose.  

--->>> Transitioning this discussion to ports@ <<<---

> 
> $ codeblocks
> Starting Code::Blocks Release 16.01  rev 10692 Oct  2 2017, 19:06:03 - 
> wx2.8.12 (OpenBSD, unicode) - 64 bit
> Initialize EditColourSet .
> Initialize EditColourSet: done.
> Abort trap (core dumped)
> 
> $ gdb
> (gdb) core codeblocks.core
> Core was generated by `codeblocks'.
> Program terminated with signal 6, Aborted.
> #0  0x0f1d99cdb2da in ?? ()



Re: How make X rotation work via xrandr or xorg.conf? Did not get it to work on wsfb at least

2017-10-06 Thread Josh Grosse
On Fri, Oct 06, 2017 at 05:11:05PM -, ti...@openmailbox.org wrote:
> [...]
> Any ideas how I get screen rotation in X going?

$ xrandr -o right
$ xrandr -o left
$ xrandr -o normal



Re: What decides which port becomes a package?

2017-09-10 Thread Josh Grosse
On Sun, Sep 10, 2017 at 07:09:37AM +0200, Niels Kobschätzki wrote:
> Hi,
> 
> I wanted to install tarsnap today but in the packages I could only find
> tarsnap-gui (and in the packages for 6.2-beta tarsnapper). The
> installation fails because they cannot find tarsnap.

Licensing decides whether an application can be packaged for distribution.
The Ports build subsystem uses licensing variables to determine if packages
can be distributed.

The Tarsnap port's Makefile contains the following comments and licensing
permission settings:


# May not be modified and may only be used with tarsnap.com
# see http://www.tarsnap.com/legal.html
PERMIT_PACKAGE_CDROM=   restrictive licence
PERMIT_PACKAGE_FTP= restrictive licence
PERMIT_DISTFILES_FTP=   restrictive licence


> In the ports though there is tarsnap and after installing that even
> tarsnap-gui installs for example.

Yes, because tarsnap-gui uses a BSD license.  


# BSD
PERMIT_PACKAGE_CDROM =  Yes

 
> 2) Why are there packages that depend on ports?

Most tarsnap-gui users would prefer to install from a binary package, 
as tarsnap-gui is a complex application, with 165 build dependencies.  

As noted in the FAQ, the purpose of Ports is to build packages, as that
is what we install.  But sometimes, distribution of a package is not
possible due to restrictions put in place by the application authors.



Re: touchpad input driver: testing needed

2017-07-31 Thread Josh Grosse
Feedback report  
---


Hardware:   Thinkpad X220.
Results:Excellent!
wsconsctl configuration changes:None.

mouse.type=synaptics
mouse.rawmode=0
mouse.scale=1472,5768,1408,5062,0,65,136
mouse.tp.tapping=0
mouse.tp.scaling=0.163
mouse.tp.swapsides=0
mouse.tp.disable=0
mouse1.type=ps2
mouse2.type=usb

OpenBSD 6.1-current (GENERIC.MP) #23: Sun Jul 30 17:07:49 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Re: Some questions about vmm and xorg

2017-07-27 Thread Josh Grosse

On 2017-07-27 11:30, G wrote:

> Hello.
> 
> Some questions about vmm
> Does vmm (on openbsd current) support running xorg?

I'll restate this question, because the X11 Windows System uses a
client/server model, and X.Org software includes both clients and servers.

   * X11 Clients are the graphical applications.
   * X11 Servers are the X display devices.

So, "What part of the X11 Windows System is available for vmm(4) guests"
is a better question, and one that I can answer.

X client applications work fine from within a vmm(4) guest, as they do
from any server that does not have a graphics display.  The typical
communication path between the application and a workstation display
(the X Server) is with ssh(1) X11 Forwarding.  See the sshd_config(5),
ssh_config(5), and ssh(1) man pages for details.

If a user wanted to operate a window manager for the vmm(4) guest and its
various X clients, Xephyr(1) or Xnest(1) are both available.



Re: vmctl: connect: /var/run/vmd.sock: No such file or directory

2017-07-22 Thread Josh Grosse
On Sat, Jul 22, 2017 at 08:38:56PM +0300, G wrote:
> I get the following messages
> 
> # vmd -vd
> vmd: /dev/vmm: Operation not supported by device
 
The vmm(4) driver requires hardware virtualization features, and if you
have the right hardware, may require you to enable them in your BIOS.
Your dmesg(8) will note if the kernel can load the vmm(4) driver.  For
example, mine shows:

vmm0 at mainbus0: VMX/EPT



Re: vmctl: connect: /var/run/vmd.sock: No such file or directory

2017-07-22 Thread Josh Grosse
On Sat, Jul 22, 2017 at 01:21:33PM -0400, I wrote:

>   # vmd -v

I'd like to correct this.  Add -d to prevent running in the background,
and log output to stderr.

# vmd -dv



Re: vmctl: connect: /var/run/vmd.sock: No such file or directory

2017-07-22 Thread Josh Grosse
On Sat, Jul 22, 2017 at 08:13:03PM +0300, G wrote:
> I already enable vmd. I though enable vmd was enough
> I haven't run rcctl start vmd but when I tried it I get
> # rcctl start vmd
> vmd(failed)
 
Pick an option:

1.  Re-run rcctl with debugging output:

# rcctl -d start vmd

2.  Run vmd manually.  Per the vmd(8) man page, you may add -v
one or more times for additional information.

# vmd -v

> On 07/22/17 20:03, Josh Grosse wrote:
> > On Sat, Jul 22, 2017 at 07:30:19PM +0300, G wrote:
> >> Hello.
> >> Im following vmctl manual and i get.
> >>
> >> # vmctl create disk.img -s 4.5G
> >> vmctl: imagefile created
> >> # vmctl start "myvm" -m 1G -i 1 -b /bsd -d disk.img
> >> vmctl: connect: /var/run/vmd.sock: No such file or directory
> >>
> >> Any ideas?
> > 
> > You must start the vmd(8) daemon.
> > 
> >   # rcctl enable vmd
> >   # rcctl start vmd
> > 
> 



Re: vmctl: connect: /var/run/vmd.sock: No such file or directory

2017-07-22 Thread Josh Grosse
On Sat, Jul 22, 2017 at 07:30:19PM +0300, G wrote:
> Hello.
> Im following vmctl manual and i get.
> 
> # vmctl create disk.img -s 4.5G
> vmctl: imagefile created
> # vmctl start "myvm" -m 1G -i 1 -b /bsd -d disk.img
> vmctl: connect: /var/run/vmd.sock: No such file or directory
> 
> Any ideas?

You must start the vmd(8) daemon.

  # rcctl enable vmd
  # rcctl start vmd



Re: Mounting DVD with single file burned onto

2017-07-20 Thread Josh Grosse
Sending to ports@ to continue this part of the discussion.
Please remove misc@ in any replies.

On Thu, Jul 20, 2017 at 01:20:41AM +0200, Stefan Wollny wrote:

> >> When it comes to backups one usual advice (among others) is to make use
> >> of different storage types. So I have tar'ed one folder (~32GB) and
> >> zip'd with p7zip. man p7 explains the '-v{size}bkmg'-switch but I got
> >> "System ERROR: E_NOTIMPL". 
> > 
> > I am unable to recreate this problem on amd64.  I just used 
> > 
> > $ vmctl create 100mb.file -s 100m
> > $ 7z a test.7z 100mb.file -v5k
> > 
> > I obtained 4 output files, test.7z.0001 thru test.7z.0004.
> > 
> 
> This is the actual command and result:
> 
> $ tar cf - /home/sw/Bilder/Nikon\ Transfer/20170430_Keukenhof/ | 7z a
> -t7z -m0=lzma -mx=9 -mfb=64 -md=32m -ms=on -v4880m -si
> Keukenhof_20170430.tar.7z
> tar: Removing leading / from absolute path names in the archive
> 
> 7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
> p7zip Version 16.02 (locale=de_DE.UTF-8,Utf16=on,HugeFiles=on,64 bits,4
> CPUs x64)
> 
> System ERROR:
> E_NOTIMPL

I ran the same command with a small 100MB test file, and didn't bump into
this either.  I can guess that your large pipe is bumping up against a 
limit.  There's only one module where "System ERROR:" is produced:
CPP/7zip/UI/Console/MainAr.cpp. But it's a catch().  I can try to 
reproduce but it will take me some time to prepare a test environment
large enough.  You may be able to set a breakpoint there and obtain
a backtrace to determine the source of the error.  That's what I will
do when I try to recreate with a 32GB test stream.



Re: Mounting DVD with single file burned onto

2017-07-19 Thread Josh Grosse
On Wed, Jul 19, 2017 at 09:24:56PM +0200, Stefan Wollny wrote:
> Hi there!
>  
> Please excuse if this matter is not strictly OpenBSD-related even though
> I use OpenBSD.

That's OK, I happen to be the maintainer of archivers/p7zip, and also of 
sysutils/shunt, which you may want to experiment with.  Way back in the
old days when I backed up to CD and later DVD, I used shunt to split
backups into disc-sized chunks and burn them in the backup pipeline.  
I haven't used it in years, but it should work for this purpose.
  
> When it comes to backups one usual advice (among others) is to make use
> of different storage types. So I have tar'ed one folder (~32GB) and
> zip'd with p7zip. man p7 explains the '-v{size}bkmg'-switch but I got
> "System ERROR: E_NOTIMPL". 

I am unable to recreate this problem on amd64.  I just used 

$ vmctl create 100mb.file -s 100m
$ 7z a test.7z 100mb.file -v5k

I obtained 4 output files, test.7z.0001 thru test.7z.0004.

> ... Using split(1) I ended with several files of
> ~4.5GB each of which got burned to a DVD like so:
>  
> $ doas growisofs -dvd-compat -Z /dev/rcd0c=

This is your key problem.  The ISO file in "" needs to be
a CD9660/UFS file system when you use this form of the growisofs(1m) 
command.  Instead, it contains random compressed bits.  This is why you
cannot mount it.

Practice burning with DVD-RW or DVD+RW media.  You can continue to play
with it until you have your procedure correct, usable, and reproducible.



Re: Get an MAC address of a LAN PC - OpenBSD

2017-06-23 Thread Josh Grosse
On Fri, Jun 23, 2017 at 11:10:42AM +0530, Indunil Jayasooriya wrote:
> >
> > > no idea what to do?
> >
> > Plug it back in.  Power it up.  Make sure it has a reachable IP.  Ping
> > it.
> >
> 
> very sorry. It is prohibited to plug it back in and power it up.
> 
> To do it, We might need a special request.

Plug the Evil Computer into an isolated Ethernet network.  Perhaps a
network that consists of only two computers:  The Evil Computer, and a
second, Hero Computer that will test the Evil Computer to discover its
Evil MAC Address.

https://en.wikipedia.org/wiki/Air_gap_(networking)



Re: Openbsd6.1 as firewall can access the internet but the LAN behind it cannot

2017-06-21 Thread Josh Grosse

On 2017-06-21 11:36, lu jian wrote:

> Hi
> 
> I have an i386 machine with two network interfaces, one of which
> connects to the uplink ISP via pppoe, the other connects to the WAN
> port of a wireless router to which all LAN machines and cell phones
> connect (via wifi).
> 
> The problem is that this i386 machine (which I intend as a firewall)
> can access the internet, but all LAN machines cannot.
> 
> Hint: my wireless router can obtain a dhcp address from the i386 machine.
> 
> These two network interfaces on the i386 are bge0 and fxp0.
> 
> 1) Configuration for fxp0:
> # cat /etc/hostname.fxp0
> up
> # cat /etc/hostname.pppoe0
> inet 0.0.0.0 255.255.255.255 NONE \
>    pppoedev fxp0 authproto chap \
>    authname 'account' authkey '123' up
>  dest 0.0.0.1
> 
> !/sbin/route add default -if pppoe0 0.0.0.1
> 
> 2) Configuration for bge0:
> # cat /etc/hostname.bge0
>    inet 192.168.0.1 255.255.255.0 192.168.0.255

This is a subnet within RFC 1918 - a private network, not directly
routable on the Internet.

You must add Network Address Translation (NAT) to your PF configuration
in order to access the Internet from that subnet.

See the NAT section of the PF User's Guide.

http://www.openbsd.org/faq/pf/nat.html
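A minimal pf.conf for the two-interface setup quoted above, added here as an example and not taken from the thread; it assumes pppoe0 is the ISP-facing interface, bge0 the LAN interface and 192.168.0.0/24 the LAN, as in the hostname.* files lu jian posted.

```pf
# Added example ruleset for the firewall described in the thread (not lu jian's
# or Josh's file).  Interface names and the LAN prefix come from the quoted
# hostname.fxp0 / hostname.pppoe0 / hostname.bge0 configuration.
ext_if = "pppoe0"
int_if = "bge0"
lan    = "192.168.0.0/24"

set skip on lo

# The missing piece: rewrite the private source addresses of forwarded
# LAN traffic to the PPPoE address.  The parentheses make pf look up the
# address at match time, since it changes on every PPPoE reconnect.
# Without this rule LAN packets leave with 192.168.0.x sources, the ISP
# cannot route the replies back, and only the firewall itself gets out.
match out on $ext_if inet from $lan to any nat-to ($ext_if)

# PPPoE reduces the MTU to 1492; clamping the TCP MSS avoids stalled
# connections from hosts whose path-MTU discovery is blocked.
match on $ext_if scrub (max-mss 1440)

# Default deny, then allow what the LAN and the firewall need.
block log all
pass out inet                                   # firewall-originated and forwarded traffic
pass in on $int_if inet from $lan to any        # LAN hosts may send through the firewall
pass in on $int_if inet proto udp from any port 68 to any port 67   # DHCP from clients still at 0.0.0.0
```

Check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f, and make sure net.inet.ip.forwarding=1 is set in /etc/sysctl.conf; without forwarding, NAT alone does not move packets between the two interfaces.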



Re: vmm(4) - Virtual Machine owner and (re)starting VMs?

2017-04-15 Thread Josh Grosse
On Sat, Apr 15, 2017 at 12:10:14PM -0500, Ax0n wrote:

> I'm still trying to figure out how VM ownership works.

For disabled VMs, the owner (who also owns the disk image files) can
start and stop the VMs, and connect to the console.



Re: Difficulties making local connection to Mailman

2017-02-19 Thread Josh Grosse
On Sun, Feb 19, 2017 at 04:51:41PM +0200, Anne Wainwright wrote:
> Hi,
> 
> I have OpenBSD 6.0 recently installed with the package for Mailman 2
> 
> When trying to connect locally I get a 500 Internal Server Error
> eg: 192.168.0.21/mailman/cgi-bin/create .
> 
> I believe I have a correct httpd.conf, slowcgi is running.
> 
> I have tried running this chrootless, generally following the procedure
> found on www.quernus.co.uk (Matt Hamilton) but still get an error.
> 
> If I run the links to the mailman 'create' scripts I get an error in
> maillog "Group mismatch error. Mailman expected the CGI wrapper script
> to be executed by a member of the "_mailmanq" group".
> 
> # group info _mailmanq
> shows no members
> 
> so who should I add, assuming that I am on the right trail here?
> 
> I can navigate locally to the IP address and a basic index.html comes up 
> fine so httpd is good.
> 
> Thanks for any advice on way to go
> 
> inksi

Hi, Anne, it looks like you missed the README file.  See the guidance
in /usr/local/share/doc/pkg-readmes/



Re: OpenBSD Stable

2017-01-18 Thread Josh Grosse

On 2017-01-18 12:51, George wrote:

> I didn't change any paths on dpb since I followed the pdf Josh Grosse
> sent me. I run dpb as root so I guess permissions don't matter.

They matter.  dpb(1) went through a sea-change in its security model
between when that out-of-date presentation was developed and when you
tried to follow it today.

See THE SECURITY MODEL OF DPB in the dpb(1) man page for up-to-date
information.

> [demime 1.01d removed an attachment of type text/x-log which had a
> name of awaiting-locks.log]

Attachments are removed on misc@.



Re: OpenBSD Stable

2017-01-18 Thread Josh Grosse

On 2017-01-18 09:37, Farid Joubbi wrote:

> I found this very informative:
> http://daemonforums.org/showthread.php?t=9374


As the OP on that thread, I can state it's well out-of-date.  And the
SEMIBUG presentation I wrote in December 2015 (date typo
on the first page) is also out-of-date, as I would
not recommend pkg_delete(1) -X on a build machine now that
proot(8) is available.

www.semibug.org/building.stable.v1.pdf



Re: kicad will not install on 6.0/i386

2017-01-02 Thread Josh Grosse
On Mon, Jan 02, 2017 at 04:23:57PM -0800, Tracy Bales wrote:
> kicad will not install using pkg_add.  It reports that it cannot resolve
> wxWidgets-gtk2-2.8.12p12

Tracy, it appears to me that you have an old glib2 installed, from 5.9-release.
The glib2 for 6.0-release is 2.48.1, whereas your installed version is 2.46.2p0:

> $ doas pkg_add -i kicad
> quirks-2.241 signed on 2016-07-29T15:39:09Z
> Can't install wxWidgets-gtk2-2.8.12p12 because of libraries
> |library gio-2.0.4200.3 not found
> | /usr/local/lib/libgio-2.0.so.4200.2 (glib2-2.46.2p0): minor is too small
> |library glib-2.0.4200.3 not found
> | /usr/local/lib/libglib-2.0.so.4200.2 (glib2-2.46.2p0): minor is too small
> |library gobject-2.0.4200.3 not found

You should keep your packages in sync with the release you're using.  After you
upgraded from 5.9 to 6.0, you should have updated all of your installed packages
with # pkg_add -u.  Back up your system, give that a try before installing 
packages for 6.0 that expect any installed  dependencies to be at the correct
revisions.



Re: fw_update stops with Fatal error: Unsigned package ...

2016-10-03 Thread Josh Grosse

On 2016-10-03 14:11, Mihai Popescu wrote:

> I've installed a snapshot some while ago, then I needed to update the
> firmware for the athn device. I get this error:
> 
> # fw_update
> UNSIGNED PACKAGES: athn-firmware-1.1p1
> Fatal error: Unsigned package
> http://firmware.openbsd.org/firmware/snapshots/athn-firmware-1.1p1.tgz
>  at /usr/libdata/perl5/OpenBSD/PkgAdd.pm line 717.
> 
> As you can see from dmesg, I have other hardware that needs firmware
> installed, but their firmware was loaded at first boot with no
> problem then.
> 
> What is a way to get the proper firmware installed, please?
> 
> OpenBSD 6.0-current (GENERIC.MP) #2432: Sat Sep 10 14:06:57 MDT 2016
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
> [snip]

Update your snapshot.  Packages (including firmware) use a new
signing methodology.

http://marc.info/?l=openbsd-tech=147283361813517=2



Re: Multiple web servers behind NAT

2016-09-30 Thread Josh Grosse
On Fri, Sep 30, 2016 at 11:42:11AM +0200, Radek wrote:
> Hi, 
> I have one web_serwer_1 behind OpenBSD 5.9 router/NAT with single IP. 
> 
> web_serwer_1 -apache,virtualhosts- (10.0.8.11):
> 1.domain.com
> 2.domain.com
> 3.domain.com
> 
> pf.conf:
> pass in log quick on $ext_if inet proto tcp from any to $ext_if port 80 
> rdr-to $web_serwer_1 port 80 set prio (1, 6) keep state
> pass in log quick on $ext_if inet proto tcp from any to $ext_if port 443 
> rdr-to $web_serwer_1 port 443 set prio (1, 6) keep state
> 
> Everything works fine.
> 
> Now, I need to add another web_serwer_2. It would be the "main" web server.
>  
> web_serwer_2 - native httpd,virtualhosts- (10.0.8.22):
> 4.domain.com
> 5.domain.com
> 6.domain.com
> 
> How can I make it work?
> Any help appreciated.

If the two web servers share the same external IP address, use relayd(8),
as it is designed to inspect HTTP URLs.



Re: USB ports disabled on Lenovo Thinkpad T61

2016-09-19 Thread Josh Grosse
On Mon, Sep 19, 2016 at 05:11:43AM -0400, Mike Schreckengost wrote:
> Hello misc,
> 
> Sometime between the OpenBSD-current snapshot released on Sep 10 2016
> and the snapshot dated Sep 18 2016, the USB ports on my Lenovo Thinkpad
> T61 ceased to function. Upon plugging a device into any of the 3
> available ports, I receive messages such as these:
> 
> uhub2: device problem, disabling port 2
> uhub3: device problem, disabling port 1
> 
> Is anyone else experiencing a similar issue? 

Yes, I have a similar issue on an X220, but for me it manifests with the
fingerprint reader, a ugen(4) device, and not with two types of umass(4)
devices -- both memory stick and dvd burner work fine.

It appears to me if I revert src/sys/dev/usb/usb_subr.c to r1.128, the
device problem is eliminated, so Martin is in copy for his awareness.
(He may already be aware, of course.)



Re: can't find fstab entry ?

2016-09-08 Thread Josh Grosse

On 2016-09-08 09:46, Bob Jones wrote:

> So anyone care to give a more sensible suggestion than Theo's
> unnecessary anti-Linux rant ??

Well, Bob, I didn't perceive it as anti, just that you want to use
a Linux-specific fstab entry on an OS which isn't Linux.  Of course,
I was just a disinterested observer of the thread.

Here are three possible suggestions for your consideration.

1. Follow the specifications listed in the fstab(5) man page
   when provisioning /etc/fstab.

2. Develop a proposed set of diffs to fstab.h and mount(8) to
   accommodate your requirement.  You can then use it, and if you
   think it would be of value to the Project and its users, submit
   your diffs to the Project for consideration.

3. Use Linux, if neither of the two previous suggestions meet your
   needs.

> On Monday, 5 September 2016, Theo de Raadt  wrote:
> 
> > OpenBSD 6.0 GENERIC.MP#0 amd64
> >
> > My fstab entry looks like :
> >
> > 10.10.10.10:/srv/share /mnt/ops_test nfs defaults,noexec,nosuid,nodev,auto 0 0
> >
> > However:
> >
> > $ doas mount /mnt/ops_test
> > doas (m...@example.com ) password:
> > mount: can't find fstab entry for /mnt/ops_test
> >
> >
> > Any ideas  ?  That style of fstab entry seems to work fine on my linux
> > boxes (albeit with nfs4 instead of nfs, but that makes no difference
> > on openbsd).
> 
> Well, openbsd is not linux.
> 
> Have no idea what that word "defaults" in there means.




Re: startx is taking a long time to initiate

2016-06-05 Thread Josh Grosse
On June 5, 2016 8:15:15 PM EDT, francois miville-deschenes 
 wrote:
>hello,
>
>i am encountering a problem when starting X server after login.
>when my router is connected to the computer, startx takes about 2
>minutes to initiate. if i remove the power from the router, startx
>works
>normally... 
>
>does anyone else have experience this ? 
>
>beside plugin the router after initiating startx, any suggestions on
>how to resolve this ?
>
>i am using the latest snapshots.
>
>thank you,
>
>francois

http://www.openbsd.org/faq/faq8.html#RevDNS
-- 
Sent by phone. Please excuse the mess. 



Re: libtorrent build fail

2016-05-26 Thread Josh Grosse

On 2016-05-26 11:50, Thuban wrote:

> Hi,
> I'm trying to build libtorrent [1], but can't figure out how to have
> ./configure detect the boost library.


Have you tried installing the libtorrent package? :)

If you'd like to see how libtorrent is built, see the net/libtorrent
port, which includes dependencies, OpenBSD-specific patches, and build
instructions.



Re: httpd and php fastcgi in OpenBSD 5.9

2016-05-22 Thread Josh Grosse
On Sun, May 22, 2016 at 02:45:44PM +, andreas wrote:
> Hi all,
> 
> I'm struggling to set up php under httpd in 5.9.
> 
> The example in the man page of httpd.conf use php-fpm, but the php-fpm
> package seems to have disappeared from the package list between
> versions 5.8 and 5.9.

php-fpm is no longer a *separate* package.  It is included in the base
package for the php version you are using.

Try:   

$ pkg_info -L php | grep fpm



Re: Any experience with D-Link DGS-1100 and static trunk aggregation?

2016-05-14 Thread Josh Grosse
On May 14, 2016 8:55:37 AM EDT, teckel  wrote:
>According to the D-Link website, the DGS-1100-08 supports "802.3ad Link
>Aggregation [2 groups, 2-4 ports per group]".  Here's the link:
>
>http://us.dlink.com/products/business-solutions/dgs-1100-series-smart-managed-10-port-gigabit-poe-switch/
>
>I have heard there's a newer version of this switch, which could be why
>they're saying it now supports 802.3ad when previously it didn't.  I'm
>getting a DGS-1100-08 today and going to attempt to use LACP with my
>QNAP
>TVS-471-i3 NAS.
>
>Tim
>
>
>
>--
>View this message in context:
>http://openbsd-archive.7691.n7.nabble.com/Any-experience-with-D-Link-DGS-1100-and-static-trunk-aggregation-tp265608p296155.html
>Sent from the openbsd user - misc mailing list archive at Nabble.com.

Sorry for the top post, using my phone.  I have one of the v1 switches, works
fine with static trunks.
-- 
Sent by phone. Please excuse the mess. 



Re: problem with packages after update

2016-05-08 Thread Josh Grosse
On Sun, May 08, 2016 at 05:00:28PM +0200, Zoran Kolic wrote:
> Sorry to bother the list, but I got stranded after updating to
> the latest snapshot, amd64.
> Update went as usual. Tried to update packages, but it failed,
> saying "because of libraries". Some reading and I decided to
> delete packages with "pkg_delete -X". Unfortunately, it went
> nowhere. I still cannot install packages, even though I have none and
> the system works.
> I see that both packages and bsd.rd are from 8th may. Someone
> might know what I have to do at the moment?
> Cannot say what more data I could offer to enlighten the issue.
> It surprises me a lot.
> Best regards
> 
>Zoran
> 

Zoran,

http://www.openbsd.org/faq/current.html#r20160507

It is likely that not all packages are from 8 May. 



Re: Small FW boxes for CORP use (was: T40E APU?)

2016-03-12 Thread Josh Grosse
On Sat, Mar 12, 2016 at 10:34:16AM +, Kapfhammer, Stefan wrote:
> But how would you feed the CAT female jack out of the original
> pcengines enclosure? There are no further mounting holes in it.

I was thinking of the Alix, where enclosures are not included.



Re: Small FW boxes for CORP use (was: T40E APU?)

2016-03-11 Thread Josh Grosse
On Fri, Mar 11, 2016 at 04:42:23PM -0500, Alan McKay wrote:
> On Fri, Mar 11, 2016 at 4:36 PM, Josh Grosse <j...@jggimi.homeip.net> wrote:
> > 100Mbit?  You could go even smaller, such as the PCEngines Alix
> > platform.  They are 32-bit (i386) only, however.
> >
> > Each NIC is able to sustain 70-80 Mbps, in my experience.
> 
> Do those have 4 NICs?

1-3 x 100Mbps is the maximum for their 32-bit Alix, and 3 x 1000Mbps for 
their 64-bit APU. http://pcengines.ch

Additional NICs could be added via expansion slots, perhaps.

http://pcengines.ch



Re: change partition size impossible?

2016-02-24 Thread Josh Grosse

On 2016-02-24 07:55, dmitry.sensei wrote:

> Like this:
> http://daemonforums.org/showthread.php?t=5332

As the author of the guidance in that ancient forum thread, please note
that the recommendation in my first response to use one large filesystem
should be disregarded.  The prevalent use of disks larger than a BIOS is
able to address may cause boot problems -- as noted in FAQ 14.6.

I do think that the step-by-step "howto" I created for the thread's OP
near the end may be helpful, but only if it is understood that the whole
point of the procedure is to change the wings on our aircraft while we
are parked on the tarmac, and not currently in flight at 10,000 meters.

And, like any random "howto" one finds on the Interwebs, use with
caution.

Never ever ever blindly copy and paste *any* of it.  ANY OF IT.

> On Wed, Feb 24, 2016 at 12:20 PM, Jaap Bosman  wrote:
> 
> > Hello
> > 
> > Is it possible to change partition size in OpenBSD 5.9?
> > 
> > Try to change partition size on install: error message: "partition f is
> > currently 4194304 sectors in size and can have a maximum size of 4194304
> > sectors."
> > 
> > Tried to use disklabel.
> > delete partition and make new one with preferred size  message is now "Open
> > partition would move or shrink"
> > 
> > I want partition l and f and e to change.
> > 
> > Filesystem     Size    Used   Avail Capacity  Mounted on
> > /dev/sd0a     1005M   51.8M    903M     5%    /
> > /dev/sd0l      298G   36.0K    283G     0%    /home       -->  10 GB
> > /dev/sd0d      3.9G   10.0K    3.7G     0%    /tmp
> > /dev/sd0f      2.0G    364M    1.5G    19%    /usr        --->  150 GB
> > /dev/sd0g     1005M    210M    745M    22%    /usr/X11R6
> > /dev/sd0h      9.8G    218K    9.3G     0%    /usr/local
> > /dev/sd0k      2.0G    2.0K    1.9G     0%    /usr/obj
> > /dev/sd0j      2.0G    2.0K    1.9G     0%    /usr/src
> > /dev/sd0e     11.5G    7.6M   10.9G     0%    /var        -->  150 GB
> > 
> > I am on amd64 OpenBSD_5.9
> > 
> > thanks
> > 
> > Jaap




Re: fsck_ffs mystic

2016-02-15 Thread Josh Grosse

On 2016-02-15 09:08, lilit-aibolit wrote:

> On 02/15/2016 04:03 PM, Josh Grosse wrote:
> 
> > See the words "NO WRITE" in that message?  This happens because you
> > are attempting to fsck(8) a *mounted* file system.
> 
> Yes, it's true. But I can't unmount /var under normal boot.
> And then why haven't the errors been fixed or even detected in single mode,
> where partitions are unmounted?

When you are in a normal multi-user boot, daemons are running with files
open in /var, and in particular, /var/run.  The warnings you get from
fsck(8) relate to all of these open files.

Your filesystem was repaired, and is now working properly.  You are only
seeing these messages because you are running fsck(8) against a mounted
filesystem with open files.




Re: fsck_ffs mystic

2016-02-15 Thread Josh Grosse

On 2016-02-15 07:57, lilit-aibolit wrote:

> Hi list.
> After an unclean shutdown I've booted in single user mode
> by typing "boot -s".
> I executed "fsck -fp" and "fsck -fy" a few times and got
> no problem, see screenshot here:
> http://i.piccy.info/i9/f7bced6083e3f77d29dc832102147bfd/1455540839/795750/999296/image1.jpg
> 
> But after reboot with normal login I got the following.
> How can I fix errors and why aren't they fixed in single mode?
> 
> # fsck_ffs -f /dev/sd0e
> ** /dev/rsd0e (NO WRITE)



See the words "NO WRITE" in that message?  This happens because you
are attempting to fsck(8) a *mounted* file system.



Re: carp dhclient

2016-02-01 Thread Josh Grosse

On 2016-02-01 11:32, sven falempin wrote:

> Dear Readers,
> Without IP carp is marked as inactive,
> i tried to set up a stupid IP on it and then call dhclient.
> It sends packet but does configure interface.
> :'(
> Any particular reason for this ?
> Thank you.


Carp requires static addresses. You can establish carp on
an inward network, and use carp advertisements in concert
with ifstated(8) to transfer the use of a MAC address between
active systems on the outer, dynamic network.

See https://sites.google.com/site/bsdstuff/dhcarp and adapt
to your requirements.



Re: Making and using a release

2016-01-31 Thread Josh Grosse
On Sun, Jan 31, 2016 at 02:38:59PM +, Mark Carroll wrote:
> On 31 Jan 2016, Mark Carroll wrote:
> 
> > I thought that one option might be to update my sources to the latest
> > OPENBSD_5_8 revision, build and install the update on one, then make the
> > release on it and copy and unpack it to the other machines so that they
> > could then have the patches too.
> 
> I should have of course added the note that these machines are all
> already running an earlier version of 5.8 stable.

-stable is merely the published errata, and occasionally patches which 
do not rate receiving errata publication.  Since these do not change 
the system, you can indeed update simply by copying the kernel and
extracting the filesets. 

The following "update" script is what I use to update systems which
are already at an older -stable.  I don't use this when
transiting releases; for that I use the bsd.rd upgrade script.

I've replaced my local -stable build machine name with /path/to
in this example.

The servers that use this are uniprocessors, so I don't need to
worry about the bsd.sp kernel, the bsd kernel mentioned below
is GENERIC, not GENERIC.MP.

#!/bin/sh
# Refresh an already-installed -stable system from a locally built release(8).
# /bkupboot must already exist; /path/to/stable is the build host's release dir.
rel=58
cd /
echo backing up kernels...
cp -p bsd bsd.rd bkupboot/
# fetch the replacement kernels into /
ftp http://path/to/stable/bsd
ftp http://path/to/stable/bsd.rd
# unpack each fileset over /, keeping permissions (p) and following symlinks (h)
ftp -mo - http://path/to/stable/base$rel.tgz | tar xzphf -
ftp -mo - http://path/to/stable/comp$rel.tgz | tar xzphf -
ftp -mo - http://path/to/stable/game$rel.tgz | tar xzphf -
ftp -mo - http://path/to/stable/man$rel.tgz | tar xzphf -



Re: Making and using a release

2016-01-31 Thread Josh Grosse
On Sun, Jan 31, 2016 at 12:24:03PM -0500, Josh Grosse wrote:
> The folowing "update" script is what I use to update systems which
> are already at an older -stable.  I don't use this when
> transiting releases; for that I use the bsd.rd upgrade script.

For clarity, the script is only used with a release(8) I've
built myself, and where the -stable systems to be updated are
at the same version.  I would NEVER recommend using it in
any other way.

In addition, the /bkupboot directories must be 
created in advance.  



Re: ifconfig inet dhcp and static alias support

2016-01-17 Thread Josh Grosse
On Sun, Jan 17, 2016 at 12:21:51PM -0800, Yury Shefer wrote:
> Hi misc,
> 
> I was not able to find the information about ifconfig support for the IPv4
> address configuration where I have a primary address assigned by DHCP
> (Comcast) and an alias with a static IP. My cable modem mgmt IP belongs to
> the 192.168.100.0/24 subnet and to access it - I have to add an alias - but it
> always overwrites the DHCP-assigned address (OpenBSD 5.8-stable (GENERIC.MP)).
> 
> I tried the following hostname.if config but the last line overwrites the dhcp
> address:
> 
> $ cat /etc/hostname.em0
> lladdr b8:c7:ff:cd:ff:0e
> dhcp
> up
> rtsol
> inet alias 192.168.100.50 255.255.255.0
> 
> # sh /etc/netstart em0
> em0: no link . got link
> DHCPREQUEST on em0 to 255.255.255.255
> DHCPACK from 96.xxx.xx.113 (00:01:5c:63:fc:46)
> bound to 67.xxx.xx.xx9 -- renewal in 92649 seconds.
> # ifconfig em0
> em0: flags=208843 mtu 1500
> lladdr b8:c7:ff:cd:ff:0e
> priority: 0
> groups: egress
> media: Ethernet autoselect (1000baseT full-duplex)
> status: active
> inet6 fe80::bac7::abcd:abc%em0 prefixlen 64 scopeid 0x1
> inet6 2001:abc:dead:10d:beef:be0b:2e16:9486 prefixlen 128 pltime
> 343370 vltime 343370
> inet 192.168.100.50 netmask 0xff00 broadcast 192.168.100.255
 
Instead of setting an alias, just route the 192.168.100/24 subnet through your 
upstream gateway.

In my case, none of my inner subnets are 192.168.100/24, so any packets
to that subnet go to the default route assigned by dhcp.



Re: dpb question for understanding.

2016-01-15 Thread Josh Grosse
On Sat, Jan 16, 2016 at 03:09:57AM +0100, Christoph R. Murauer wrote:
> Hello !
> 
> I used dpb today and also read the man page. But I have a question
> as a non-developer / coder. I followed the FAQ and put 3 ports in the
> localfile. Everything builds fine. dpb is run as root on a local
> drive, using a tmpfs to build. All 3 ports are built but only the
> first was installed (I tried re-running make install in the other
> port directories to verify everything was built).
> 
> I also have no lock files in /usr/ports/logs/amd64/locks/. My question
> (maybe a stupid one) is now, how do I find out why dpb builds everything
> but installs only the first port (could someone point me please to
> the right logfile and for what I should watch there) ?
> 
> Thanks for answers.
> 
> P.S. : I let the dmesg this time.
 
See the -I option in the dpb(1) man page.  It takes a path or list
of paths to install.  Otherwise, dpb(1) will build packages, and those 
that remain installed at the completion of the build will only be 
the most recent packages built.  Packages which are unneeded (because
they are not build dependencies of the packages in queue for building)
are removed with pkg_delete(1) from time to time.  See the junk= and
-J options.



Re: Connect to OpenVPN from OpenBSD

2016-01-02 Thread Josh Grosse
On Sat, Jan 02, 2016 at 08:55:35PM +0500, art.istom wrote:
> Is it possible to connect to OpenVPN (riseup.net) from OpenBSD without
> installing openvpn client to OpenBSD?

No. OpenVPN servers require OpenVPN clients.

> I don't understand all this vpn-technologies very well, but know that
> OpenBSD has built-in vpn-services/clients, so I don't want to install
> openvpn-client if it possible to use software distributed/developed
> with/by OpenBSD.

The "built-in" VPN technology is IPSec, which is not used by OpenVPN.
 
> I've tried googling but all results are OpenVPN-client to OpenVPN-server.
> 
> Thanks.



Re: dpb - wow!

2015-11-02 Thread Josh Grosse

On 2015-11-02 13:33, Alan Corey wrote:

I'd never tried it before but it's saving me a lot of babysitting to
start the next build compared to doing them one at a time.

There's probably a way to do this but I'd never tried dpb because I
didn't have a list of pkgpaths to feed it.  I could query sqlports I
guess, but a command-line flag to pkg_info to have it give full
pkgpaths would be good.  My goal is to be able to make a list of
pkgpaths on a machine, save it, put in a new hard drive, do an OpenBSD
install, then run dpb on the saved list of pkgpaths.


Hey, Alan.  I've been an end-user of dpb(1) for some years. It's the
bees' knees. A couple of hints which may help:

* out-of-date(1) produces pkgpath output, which I use with dpb -R for
  -stable package builds.

* pkg_info(1) has a -P option, which along with -mq produces a nice list
  of manually installed pkgpaths.


And my hyperthreaded P4 now gets detected as MP?  Neat.  Just jumping
it from 5.0 to 5.7.


5.8 was released October 18.  :) :)



Re: Avahi daemon, dbus daemon

2015-10-24 Thread Josh Grosse
On Sat, Oct 24, 2015 at 04:14:40PM -0400, Richard Thornton wrote:
> I am now using the 5.8 release. I have tried to start avahi in my
> rc.conf.local file but it always fails to load. In 5.7 I never had this
> problem. What's the correct way to load these daemons?

Richard,

If I recall correctly, the avahi daemon relies on the dbus daemon,
which had a name change between 5.7 and 5.8.  The dbus daemon was
named "dbus_daemon" at 5.7, and was named "messagebus" for 5.8.

This is noted in the Upgrade Guide, which you may have missed.

http://www.openbsd.org/faq/upgrade58.html#Pkgup



Re: Question about core dumps and swap space.

2015-10-20 Thread Josh Grosse

On 2015-10-20 07:55, Nick Holland wrote:

But still -- remember what developers ask for most often: a good problem
report: panic message, trace and ps output, a dmesg and info about how
to repeat the problem.  If people would reliably provide that, they'd
make developers very very happy.

Not being a coder, I hesitate to say this, but I don't recall anyone
being asked for a system core dump by a developer.  (my statement is
accurate: I don't recall.  The conclusions you draw may or may not be :)


One of the nice things about having a successful savecore(8) is that
the captured dump can provide all the critical bits.  So dumps are very
useful to have.  Tools like ps(1) and dmesg(8) have -N and -M options for
post-mortem analysis.

The crash(8) man page has been extremely helpful to me over the years.
And, there's also very helpful guidance in FAQ 2.4.

I've never sent anyone a crash dump, but I've certainly pulled info
from them to make a dish of copypasta.



Re: Install on compact flash

2015-10-18 Thread Josh Grosse
On Mon, Oct 19, 2015 at 04:34:31AM +0200, Einfach Jemand wrote:
>  No. As far as I understand it:
> The type (char or block), the major and minor number of the device
> special file and its name are means to activate the corresponding device
> handler ("driver") in the kernel and the bytes are sent to the device
> specified by the file. 

Ok.  I can at least tell you that the last time I tested an r/o
/dev was at OpenBSD 3.8 or so, and the filesystem was CD9660 rather
than FFS.  

It failed.  So from that point, until I stopped making live media
images at 5.0, I never tested again. /dev was merely one of a half
dozen r/w filesystems I used with MFS.



Re: Install on compact flash

2015-10-18 Thread Josh Grosse
On Sun, Oct 18, 2015 at 01:08:48PM +0200, Paolo Aglialoro wrote:

> ...Still cannot understand why some of you have advised to put /dev on
> ramdisk: isn't MAKEDEV just run at install time and then only manually?
> From what emerged in the discussion it looks that, besides /home, /var is
> the only place where the system makes its usual writes.

The "some of you" was me, if I recall the complete discussion thread.  :)

While it's true MAKEDEV needs to create the device special files, the
device special files that are stored there need to be writeable.  

Here's one key example:

You mount(8) a device special file when you mount a filesystem.  
All write operations to that mounted filesystem are directed through 
the device special file.



While you won't run MAKEDEV while the system is up and running,
take a look at the MAKEDEV(8) man page.  You'll see a lot of device
special files that will need to be writeable.



Re: pip for python3.4

2015-10-17 Thread Josh Grosse
On Sat, Oct 17, 2015 at 06:58:44PM +0300, Joseph Oficre wrote:
> Hello!
> How can I install pip for Python 3.4? I want to set up virtualenv and
> stuff, but in packages there is just the 2.7 version.
> I've found out that pip3 can be installed from ports, but I want an easy
> solution without ports. Is it possible, or are ports the only way?
 
Are you looking for the py3-pip package?  It's been in the standard 
package build since May of 2014.  



Re: Install on compact flash

2015-10-15 Thread Josh Grosse

On 2015-10-15 12:19, Paolo Aglialoro wrote:

My TL;DR - Don't bother.  I used to create "live media" read/only systems,
with MFS filesystems for read/write.

You'll find maintaining a read-only system much more difficult.

I recommend just treating your flash memory like a disk drive.  Modern
wear leveling technology means read-only CF devices are no longer
a necessity.  I run several routers with CF cards, and all filesystems
are read/write.

As to your questions:


... 1. What are the dirs I should take into account to go to ramdisk?


/dev, /etc, /var, and /tmp require write capability, and while they
do not require it, consider adding /root and /home to the list of writeable
filesystems.

2. What is the correct filesystem type to put in fstab for all the entries
of point 1. in order to store them in ramdisk?


See the -P option of mount_mfs(8).



Re: /bsd: em0: watchdog timeout -- resetting

2015-10-05 Thread Josh Grosse

On 2015-10-05 10:41, Theo de Raadt wrote:
On Sun, Oct 4, 2015 at 12:00 PM, Stuart Henderson wrote:

> I'm hoping it isn't this, but please try backing out the last commits to
> if_em.c and if_em.h ("cd /sys/dev/pci; cvs up -D 2015/09/29 if_em*") to
> see if it makes a difference.

Same issue here. Reverting now and will post if problem resurfaces.


The snapshots contain an uncommitted diff in the same direction as that
em commit.  Problem is unknown.  Few more days, still trying to learn
what is amiss, and not stall out the promised advancement.


I reported yesterday [1] that I was unable to recreate the problem with
these two patches reverted.

I *was* able to reproduce the problem when testing earlier the same day
with a kernel built from the committed tree.

I'm using the em(4) NIC as a vlandev, which may be a contributing factor.



[1] http://marc.info/?l=openbsd-misc=144397409121292=2



Re: /bsd: em0: watchdog timeout -- resetting

2015-10-04 Thread Josh Grosse
On Fri, Oct 02, 2015 at 09:09:37PM -0700, Scott Vanderbilt wrote:
> On 10/2/2015 8:32 AM, Gregor Best wrote:
> >Looks similar for my machine, em0 works for a short time and then
> >timeouts. `ifconfig em0 up` seems to hang though.

I had the same issue after updating from a September 22 snapshot.  

This appears to possibly be related to the September 30 em(4) updates
for MP support.  I reverted src/sys/dev/pci/{if_em.c,if_em.h} to 1.305
and 1.57, respectively, and I can no longer reproduce the problem.



Re: rookie questions about flavors

2015-09-23 Thread Josh Grosse

On 2015-09-23 09:41, Peter N. M. Hansteen wrote:

On Wed, Sep 23, 2015 at 02:55:21PM +0200, Thuban wrote:



Is it possible to upgrade from 5.7 to 5.8 using this flag :
cvs -d$CVSROOT checkout -rOPENBSD_5_8 -P src


In almost all cases, a binary upgrade followed by sysmerge will be quicker and
easier, but in the general case, yes.


Source code "upgrades" are possible, but completely unsupported.  So any user
conducting one is entirely on his own.  I used to do this when I was preparing
live media images some years ago, so they would be ready the same day as an
actual release.


It requires *very* careful application of the Following -current FAQ entries,
especially any ABI/API changes -- the so-called "flag day" actions.

---

(I cannot believe I'm offering any sort of correction of a statement by
Peter Hansteen.  Is the sky falling?)



Re: rookie questions about flavors

2015-09-23 Thread Josh Grosse

On 2015-09-23 10:52, Ted Unangst wrote:


You may well be the first person to even try it.


Peter was correct, though.  It is *possible*.  :)

I haven't produced live media since 5.1, so it's been several years
since I last needed to do this.  And, if I'd done a better job of
pre-launch planning, I'd have built from a previous -current rather
than already having all my -current systems beyond the next -release.



Re: update/upgrade

2015-09-20 Thread Josh Grosse
On Sun, Sep 20, 2015 at 10:36:12PM -0400, Quartz wrote:
> >Does your embedded storage run NOR/NAND or something like SDHC Memory
> >Cards?
> >
> >If your systems are running SDHC you can easily create clones with a
> >laptop&  the DD utility.
> 
> A couple of them do, but it doesn't matter in this case. The main issue with
> compiling is that it can effectively knock the system offline for hours
> which isn't acceptable. Any process that involves shutting the machine off
> or booting into a separate OS image has the same problem.
> 
> It's just a question of minimizing downtime.

You build a release of -stable on one single platform, such as a workstation,
and then deploy it as a binary update to your production servers.
Build time is then separate from production maintenance windows.

My flight of -stable servers share the same architecture, and I have a single
build machine.  These servers are in redundant configurations using carp(4)
so I am able to perform maintenance without any operational downtime.  

I'll repeat -- without any operational downtime. 

But I have the luxury of deploying redundant systems with carp(4).

The maintenance windows do take about 10 minutes of wall time, because these 
machines are all "embedded" sized -- Alix systems -- and the slowest part of 
the update is untarring filesets onto their compact flash storage devices.
If they had magnetic drives or SSDs the windows would be less than 5 minutes.



Re: update/upgrade

2015-09-20 Thread Josh Grosse
On Sun, Sep 20, 2015 at 09:36:55PM -0400, Quartz wrote:
> >You think the master builds are done on a machine that is identical to
> >yours at home?
> 
> Obviously not, but that doesn't have any bearing on what I said.
> 
> 
> >Build a -stable release on a same platform faster machine.  Now unpack
> >the .tgz files on the target machines, copy in /bsd, /bsd.rd, reboot.
> >ta-da, patched machine.  None of your configuration is touched by this
> >process.
> 
> Maybe I'm unclear on what building -stable actually does. Correct me if I'm
> wrong, but "world" encompasses a lot more than just the kernel and ramdisk,
> right? Simply replacing just those two alone isn't fully keeping on top of
> things.
 
Please see FAQ 5.4, which articulates how to build a release (-stable, or 
-current).  The definitive documentation is release(8).



Re: update/upgrade

2015-09-20 Thread Josh Grosse
On Sun, Sep 20, 2015 at 04:49:45PM -0400, Quartz wrote:
> We have a bunch of low power embedded devices that we'd like to keep
> reasonably up to date, but the disk space and cpu overhead of tracking
> -stable is kind of a nonstarter. Is there another/better way of doing things
> these days? (Other than applying dozens of patches manually).

https://stable.mtier.org/



Re: Problems building userland

2015-09-19 Thread Josh Grosse
On Sat, Sep 19, 2015 at 10:35:07AM -0500, Amit Kulkarni wrote:
> Hello,
> 
> How are you guys able to build userland? I double-checked that the
> 
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/Makefile?rev=1.125=text/plain
> 
> is still referring to ${SUDO}
> 
> here is the result.
> 
> # make build
> cd /usr/src/share/mk && exec /usr/bin/sudo -E make install
> /bin/sh: /usr/bin/sudo: not found
> *** Error 127 in /usr/src (Makefile:75 'build')
> 
> Thanks
> 

The sudo application moved from built-in to ports.  See the details in
the Following -current FAQ:

http://www.openbsd.org/faq/current.html#20150703



Re: file sets and CVS tree

2015-09-16 Thread Josh Grosse
On Wed, Sep 16, 2015 at 09:27:25PM +0100, Mark Carroll wrote:
> When I first install OpenBSD there is a phase where I choose file sets
> like base57.tgz which it then downloads and untars. Then for upgrades I
> can check out the CVS tree and build and install the patch branch or
> whatever.
> 
> One thing that isn't yet clear to me is what one has to do with the
> other. For instance, does the patch branch include everything for which
> there is a file set? Does the installation of the freshly built stuff
> from CVS retain any awareness of which file sets were originally chosen
> during installation? If there is documentation explaining this
> relationship, feel free to just point me to it.
 
Mark,

The filesets are built when you make a release.  See FAQ 5.4, and the
release(8) man page.



Re: per-vlan traffic control

2015-08-20 Thread Josh Grosse

On 2015-08-20 08:47, Paulo Coimbra wrote:

Hi all,

I'm now doing some tests with openbsd+pf+queueing. My scenario is:

[MIKROTIK 1] - [OPENBSD BOX]--[MIKROTIK 2]

I've configured vlan 100 with physical interface em0 at openbsdBox and
mikrotik 1, and created two queues (vlan100_in and vlan100_out) to limit
bandwidth at 10M each direction. But... It doesn't work.


[snip]


queue v100 on em0 bandwidth 1000M
queue vlan100_in parent  v100 bandwidth 10M default
queue vlan100_out parent v100 bandwidth 10M


[snip]


pass in quick on vlan100 set queue vlan100_in
pass out quick on vlan100 set queue vlan100_out

Any ideas? What am I doing wrong?


Queuing only works on packets that are *outbound*.  Once inbound packets
have arrived, they are already present.

So, if you want to limit the rate of traffic from the Internet to your local
LAN, do so when those packets are forwarded by the router.  Those are outbound
packets, and they can be queued.
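As an added example (not from Paulo's or Josh's messages), this pf.conf fragment shows the queue placement Josh describes: a queue set on a `pass in` rule cannot shape the packet that has just arrived, so the 10M limit toward Mikrotik 2 is applied on the interface the router forwards that traffic out of. It assumes em0 is the vlan100 parent facing Mikrotik 1 and a second interface em1 faces Mikrotik 2; both interface names are assumptions.

```pf
# Constructed example.  Interface names are assumed: em0 carries vlan100
# toward Mikrotik 1, em1 faces Mikrotik 2.

# Traffic leaving toward Mikrotik 1 goes out em0 via vlan100: queue it there.
queue v100 on em0 bandwidth 1000M
queue vlan100_out parent v100 bandwidth 10M default

# Traffic that *arrived* on vlan100 can only be rate-limited when the router
# forwards it, i.e. when it is outbound on em1.  So the "inbound" 10M limit
# is a queue on em1, not on em0, and not on a pass-in rule.
queue lan on em1 bandwidth 1000M
queue vlan100_in parent lan bandwidth 10M default

# The original assignment on an inbound rule does not shape the arriving
# packet; it is already on the box.  Kept here only for comparison:
#   pass in quick on vlan100 set queue vlan100_in

pass in quick on vlan100
pass out quick on vlan100 set queue vlan100_out
# received-on limits the em1 queue to packets that entered via vlan100,
# so other traffic leaving em1 is not caught by the 10M limit.
pass out quick on em1 received-on vlan100 set queue vlan100_in
```

Check the result with `systat queues` (or `pfctl -vsq`) while traffic flows in each direction; only the two 10M leaf queues should accumulate packets.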



Re: pf_rules

2015-08-12 Thread Josh Grosse

On 2015-08-12 14:13, Holger Glaess wrote:

hi

i miss the option pf_rules= for rc.conf.local in current ( build today )

is this correct ?

holger


See http://www.openbsd.org/faq/current.html#20150502



Re: Repartitioning

2015-08-10 Thread Josh Grosse

On 2015-08-10 11:21, Benny Lofgren wrote:


Sacrifice a chicken at sunset.


For clarity, I recall best practice is to use a rooster.  :)



Re: Repartitioning

2015-08-09 Thread Josh Grosse
On Sun, Aug 09, 2015 at 12:01:30AM -0400, Quartz wrote:
> > The disklabel(8) tool is used to delete and create partitions.
> 
> So part of the reason I started this thread is that I want to be clear since
> OpenBSD has two different kinds of partitions. For what I'm doing, on an
> i386 platform, I don't need to mess with fdisk at all... Is that correct?

Correct.  On the half-dozen architectures which use MBRs, they're for boot
procedures and/or define the sectors where the OS may scribble on the drive.
For the dozen or so other architectures, they're not used at all.
 
> growfs is like other partition expanders in that can only expand forward
> and not backward, right? As in, I couldn't nuke src and obj and then use
> growfs to expand home into that space.

Correct.

> Assuming that's right, I'm probably going to make a new /var partition
> rather than expand an existing one.

Recall one of my examples: deleting the partitions for /usr/obj and /usr/src,
replacing those 2GB with a new /var partition.

> > The best practice for
> > moving of FFS filesystems is through the use of dump(8)/restore(8).
> 
> I'm not sure that's what I want to be doing in my case. Especially when
> collapsing the /usr/* stuff down into just /usr, a simple cp or tar would be
> better, no?

I recommend dump/restore because it eliminates problems with linked files
and eliminates problems with file path byte length.  You may have trouble
with both, using other methods. The result will be files that are not 
copied, and links that are broken. 

Don't fear dump/restore.  They're easy to use.  Here's a quick howto, 
though the man pages should be reviewed.  Never blindly copy/paste 
instructions you read from me -- especially when they are from memory,
as in this example.

1. Mount a freshly formatted partition.  
2. cd to the mount point.
3. Dump the old partition, piping the output to restore.  The old partition
   does not need to be mounted.  Assuming the contents of partition f of 
   drive sd0 is to be moved to the working directory:

   # dump -0af - /dev/sd0f | restore -rf -

4. Since you aren't using incremental dumps, you can then delete the
   restoresymtable file created by restore(8).

5. Edit your fstab(5) to point to the new partition.



Re: Repartitioning

2015-08-09 Thread Josh Grosse
On Sun, Aug 09, 2015 at 12:10:38AM -0400, Quartz wrote:
> Also, another question: this system keeps nothing in the user's home
> directories past a few dot files. /home is using less than 1m of space.
> Would it be safe from a security/reliability standpoint to just move the
> home folders directly into / ?
 
If you aren't using /home, you can eliminate the partition, rolling it
into the root partition. 

There are implications, yes.  One of the reasons for partitioning is for
governance of security.  And /home is normally mounted with two mount
options that restrict its use:  nodev and nosuid.  These security
restrictions would be eliminated if /home were located in the root 
partition.  Whether this is a problem for your use-case will depend
on who has a userid located in /home, and what authority and trust
they are intended to have.



Re: Repartitioning

2015-08-08 Thread Josh Grosse
On Sat, Aug 08, 2015 at 08:24:53PM -0400, Quartz wrote:
> > One man already asked you for disklabel output.
> 
> That WAS the disklabel output (minus sizes and offsets).  When I next get a
> chance to ssh into it from somewhere else I'll copy the actual output, but
> the exact blocks shouldn't really matter for all this.

You've stated you have a 10GB disk, and that this is 4.9.  The disklabel(8)
man page at 4.9 described the automatic layout at that time:

 Disks > 6.5 Gigabytes
   /            5% of disk.   80M - 1G
   swap         5% of disk.   80M - 2x max physical memory
   /tmp         8% of disk.  120M - 4G
   /var        13% of disk.   80M - 2x size of crash dump
   /usr         2% of disk.  600M - 2G
   /usr/X11R6   3% of disk.  512M - 1G
   /usr/local   5% of disk.    2G - 6G
   /usr/src     3% of disk.    1G - 2G
   /usr/obj     3% of disk.    1G - 2G
   /home       53% of disk.    1G - 300G

You have stated that /usr/src and /usr/obj are unused, /var is full, and 
/usr/local (used for packages and some infrastructure components) is nearly 
empty.

If you boot in single-user mode, you can manipulate any partition 
other than the root partition.  For that, you must use the RAMDISK kernel.

The disklabel(8) tool is used to delete and create partitions.  With it, 
you can delete the partitions for /usr/src and /usr/obj, as they are unused.  
That will give you a 2GB empty area which you may repurpose.  For example,
you could create a new partition in that space, and move /var there.

You could continue to move, mix and match, and restructure as needed.
For example, you could migrate the contents of /usr/local into /usr, freeing
an additional 0.5 GB, and you could do the same with /usr/X11R6 ... assuming
there is room in /usr.  Eliminating all partitions between /usr/X11R6 and 
/usr/obj, inclusively, would allow you to grow /usr with growfs(8).  However, 
you can't grow it until the other partitions have been removed, so you may 
need to do some backup / restore to external media, or perhaps use freespace
in /home as a temporary location to store dump(8) output, if it has capacity.

The newfs(8) tool is used to format partitions.  The best practice for
moving of FFS filesystems is through the use of dump(8)/restore(8).

FAQ 14 may also be helpful, as it lays out the basics of disk management.



Re: Which tools to monitor traffic and alert ?

2015-08-06 Thread Josh Grosse
On Thu, Aug 06, 2015 at 10:44:01AM +0200, Joel Carnat wrote:
> Hi,
> 
> I run several standard services (Web, Mail, DNS, ...
> 
> I was wondering what was the usual OpenBSD way for proactive/real-time 
> traffic monitoring and alerting.
> That is, which software to use that would, for example, read HTTPD logs and 
> alert if req/sec from same IP is over 50 ?
> 
> Looking at the ports, I saw "snort" but I was wondering if there were 
> lighter tools for such tasks.

I use net/nfsen.  This is a graphical front-end to net/nfdump, which
uses netflow statistics from pflow(4).  I Duse alerts via Email,

I use the front-end for two reasons:  

1.  I can reach out to it if neeeded from behind the Great Corporate
Firewall (TM) at $DAYJOB.  (Access is protected by client
certificate installed in the browser.) 

2.  Graphic reports often help me understand traffic patterns over
time more clearly.  I can dig deeper, either through nfsen's 
analysis tools or via nfdump commands directly.

I don't know if this is The OpenBSD Way, but it does use pflow(4) 
statistics to capture traffic statistics across multiple 
systems.
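Joel's example check (alert when one client exceeds 50 requests per second in the httpd logs) as an added example; it is not part of Josh's reply and has nothing to do with nfsen or nfdump. It is a small sliding-window counter over OpenBSD httpd(8) "common" style log lines; the vhost-name-first line layout is assumed to be what httpd(8) writes, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenBSD httpd(8) "common" style (assumed layout): the server (vhost) name
# precedes the client address.  The leading name is optional so that plain
# Common Log Format lines parse as well.
LOG_RE = re.compile(
    r'^(?:(?P<server>\S+) )?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_bursts(lines, threshold=50, window=1.0):
    """Sliding-window rate check per client IP.

    Returns {ip: peak} for every IP that issued more than `threshold` requests
    inside any `window`-second interval; `peak` is the largest count seen.
    Lines are expected in log order per IP, as httpd(8) writes them.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # unparseable line: skip rather than crash
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the window for this client.
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def make_line(ip, second, path="/"):
    """Build a constructed httpd(8)-style log line (sample data, not real traffic)."""
    return (f'www.example.org {ip} - - [06/Aug/2015:10:44:{second:02d} +0200] '
            f'"GET {path} HTTP/1.1" 200 512')


# Constructed sample: one client browsing normally, one client firing 60
# requests within a single second (documentation-range addresses).
SAMPLE_LOG = (
    [make_line("192.0.2.10", s) for s in (1, 2, 3)]
    + [make_line("198.51.100.7", 5, f"/search?q={i}") for i in range(60)]
)

if __name__ == "__main__":
    for ip, peak in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {peak} requests within 1s (threshold 50)")
```

Feed it the real file with `find_bursts(open("/var/www/logs/access.log"))`, or tail the log and keep the deques between calls for a live alert.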



Re: Possible fix for i217 problem

2015-08-04 Thread Josh Grosse
On Tue, Aug 04, 2015 at 07:16:48PM -0600, Theo de Raadt wrote:
> > On Wed, Aug 05, 2015 at 02:04:28AM +0200, Hrvoje Popovski wrote:
> > > On 4.8.2015. 23:47, Stuart Henderson wrote:
> > > > On 2015/08/04 22:40, Stefan Fritsch wrote:
> > > > > someone mentioned to me the i217-LM problems that were reported on misc
> > > > > end of May. It is possible that the patch below helps.
> > > > 
> > > > This fixes my Dell poweredge T20:
> > > > em0 at pci0 dev 25 function 0 Intel I217-LM rev 0x04: msi, address f8:b1:56:...
> > > > 
> > > > And doesn't break my X220:
> > > > em0 at pci0 dev 25 function 0 Intel 82579LM rev 0x04: msi, address f0:de:f1:...
> > 
> > I have the same revision 82579LM on this new-to-me X220, and I just ran some
> > tcpbench(1) tests through a vlan(4) with the patch.  Seems to be fine though I was
> > only testing end-to-end with an Alix using vr(4), so only 100BaseT.
> 
> the diff is unlikely to affect performance, specifically.  it will affect
> cable plugins, removals, other link layer decisions, etc.

OK, well, plug in/out ran through my ifstated(8) states properly, switching to
the rtwn(4) for egress, and switched back.  Suspend/resume seemed to behave as
before, also.



Re: Possible fix for i217 problem

2015-08-04 Thread Josh Grosse
On Wed, Aug 05, 2015 at 02:04:28AM +0200, Hrvoje Popovski wrote:
> On 4.8.2015. 23:47, Stuart Henderson wrote:
> > On 2015/08/04 22:40, Stefan Fritsch wrote:
> > > someone mentioned to me the i217-LM problems that were reported on misc
> > > end of May. It is possible that the patch below helps.
> > 
> > This fixes my Dell poweredge T20:
> > em0 at pci0 dev 25 function 0 Intel I217-LM rev 0x04: msi, address f8:b1:56:...
> > 
> > And doesn't break my X220:
> > em0 at pci0 dev 25 function 0 Intel 82579LM rev 0x04: msi, address f0:de:f1:...

I have the same revision 82579LM on this new-to-me X220, and I just ran some
tcpbench(1) tests through a vlan(4) with the patch.  Seems to be fine though I
was only testing end-to-end with an Alix using vr(4), so only 100BaseT.



Re: dhclient.conf alias declarations?

2015-07-27 Thread Josh Grosse
On Mon, Jul 27, 2015 at 01:34:09PM +0300, Kimmo Paasiala wrote:
> ...I can live without the alias address, it would have been
> a convenient way to access the ADSL modem on the WAN side from inside
> the LAN network.

Perhaps you could add an ifconfig(8) command to rc.local(8) to set
the alias.

Or, you might be able to do what you desire with isc-dhcp-client.



Re: Intel Atom?

2015-07-27 Thread Josh Grosse

On 2015-07-27 11:22, Quartz wrote:

What's Intel Atom support like these days? I remember they used to be
a little weird. Are they handled pretty much like any other x86 chip
now or are some things still unsupported? Are they capable of handling
pf on a saturated 100-base-t connection? How about gig-e?



There's a huge range of Atom processors.  Some are 32-bit only single-
core, there are models which are 64-bit capable and multi-core.  There
is a wide range of clock speeds, cache sizes, and bus speeds.

http://ark.intel.com/products/family/29035/Intel-Atom-Processor#@All

I have an Asus 1005HA netbook with an Atom N270.  As it's a workstation,
I can't speak to router performance.  But the processor: single-core,
32-bit only, has always appeared to be a normal x86. I just can't disable
HT in the BIOS.

I don't have a recent dmesg available as I don't have the device with
me at the moment.  Here's an excerpt from one I'd sent to misc@ a couple
of years ago that I just grabbed from marc.info.  This one is GENERIC,
I normally use GENERIC.MP -- though to be honest, I do not perceive
a performance delta between the two.


OpenBSD 5.4-current (GENERIC) #93: Fri Oct 25 09:18:15 MDT 2013
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Atom(TM) CPU N270 @ 1.60GHz (GenuineIntel 686-class) 1.60 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,SSE3,DTES64,MWAIT,DS-CPL,EST,TM2,SSSE3,xTPR,PDCM,MOVBE,LAHF,PERF
real mem  = 1064497152 (1015MB)



Re: dhclient.conf alias declarations?

2015-07-26 Thread Josh Grosse

On 2015-07-26 19:12, Kimmo Paasiala wrote:

Hello,

I'm in the process of migrating my router/firewall system from FreeBSD
to OpenBSD and I came across a minor problem. I want to have a static
alias address on an interface that is otherwise configured with DHCP.
What I had in FreeBSD was this entry in /etc/dhclient.conf:

alias {
interface vr0;
fixed-address 192.168.1.200;
option subnet-mask 255.255.255.0;
}

This seems to be silently ignored on OpenBSD 5.7 and the dhclient.conf
manual page makes no mention of alias declarations. How am I supposed
to achieve the same effect?

-Kimmo


Perhaps something like this in your /etc/hostname.vr0 instead would work
for you?

dhcp
!ifconfig vr0 alias 192.168.1.200/32



Re: tor not working in 5.8 #1024

2015-07-15 Thread Josh Grosse

On 2015-07-15 15:05, Theo de Raadt wrote:

PIE and ASLR other security features are either turned off on i386, in
compatibility modes, or are dialled down versions. It's not just about
a small speed difference, there are big security differences between
the architectures.


That is false.


OpenBSD adds most of the security features for amd64 first, or in its
strongest iteration for amd64 anyway. So, while i386 isn't poisonous,
you should really use amd64 if you are able to.


That is also false.

In fact, sparc64 has tended to be the leading architecture in the last
decade.  amd64 only caught up with kernel-side W^X in the last year,
while sparc64 had all the machine-dependent management correct, and
was only missing some machine-independent tuning.


Since theo@ said I could, I think I'll continue to use my 32-bit-only
x86 CPUs until a compelling reason arises to replace them.  Those are
likely to be network bandwidth requirements in the long term for my AMD
Geodes, and imminent non-CPU hardware failures on an old Intel Atom netbook.


It won't be because of something in another architecture that grabs
my attenti.Ooh, Shiny!!!



Re: tor not working in 5.8 #1024

2015-07-15 Thread Josh Grosse

On 2015-07-15 11:52, Chris Cappuccio replied to Michael McConville.
First, a quick reply to Michael:


Michael McConville [mmcco...@sccs.swarthmore.edu] wrote:


Someone correct me if I'm wrong, but it seems that the days of i386
images being reasonable to run on amd64 hardware are coming to an end.
i386 support appears to be a fading priority for most projects and the
subset of amd64 features used is growing quickly.


I still have several OpenBSD/i386 machines, and they work very well.

In the years to come, long after they are eventually replaced, I assume
that OpenBSD may still have i386 in the active pantheon, for testing the
robustness of its multi-architecture code base, if nothing else.

On 2015-07-15 11:52, Chris Cappuccio wrote:


I've never even run across one of these very early 64-bit Intel chips
without N^X (those are the primary ones that you'd want to run i386 on).

Even my oldest 64-bit Pentium 4 chips claim NX support. The story goes
that Intel didn't want to copy AMD's NX support but implement it
differently. Microsoft told Intel they would only support one
implementation and AMD's was it.


I believe I have one in inventory -- it is currently not in use, and is
powered off.  If memory serves the OS last installed on it was i386, due
to the warning in the FAQ.



Re: Microsoft Now OpenBSD Foundation Gold Contributor

2015-07-08 Thread Josh Grosse

On 2015-07-08 13:04, Jorge Gabriel Lopez Paramount wrote:


I would like to say only this: if people do not want big companies
meddling with OpenBSD as has been happening with Linux, its
users had better support it.


Jorge,

Its users should support it, yes.  True. And many of us do.  However,
the statement might not be completely accurate.  To the best of my knowledge:


1.  Contributors do not influence technical direction, instead, the
funds are allocated based on Project need.  This is per the
description at http://www.openbsdfoundation.org/donations.html and
the description at http://www.openbsd.org/donations.html

2.  Any code contribution requires the approval of multiple Project
members -- developers with commit authority -- in order to be committed,
and all commits are subject to Project review.

3.  All code commits are done publicly, via CVS.  That's per stated
policy in http://www.openbsd.org/goals.html and is also pursuant to the
Open in the Project's name.

Yes, it is possible for a financial contributor to influence 
development.

Specifically, hardware support may be influenced by contributing sample
hardware to an interested developer.  I have also heard that certain
beverages may have a minor influential effect.*

---

* I would consider this a social contribution rather than a financial 
one.

Though, some single malt scotches have reached a price where one may
require both Financial Advisers and Investment Counselors in order to
obtain them.**

** Yes, Macallan 18, I'm looking at you.



Re: Cannot run Snort

2015-06-28 Thread Josh Grosse
On Mon, Jun 29, 2015 at 09:14:40AM +0800, Wong Peter wrote:
 Dear All,
 
 OpenBSD 5.7
 Arch: i386
 Snort Version: 2.9.7.3

This is not the -release (or -stable) version of net/snort,
which is 2.9.7.0.  The version you mention, 2.9.7.3 was 
committed a month *after* 5.7 was released.  

 Installed from packages

You are using -current packages with a -release, which is not 
supported.  Please read FAQ 15.4.1.

 Start by typing snort. Thanks.

If you are starting snort manually, and not using the rc.subr(8)
script included with the package to start the NIDS daemon, you must
either use the -c option to point to /etc/snort/snort.conf to
use snort as an NIDS or you must use the --daq-dir option on 
your command line to use snort manually.

http://marc.info/?l=openbsd-misc&m=136155094825083&w=2



Re: openssh client alive not default

2015-06-27 Thread Josh Grosse
On Sat, Jun 27, 2015 at 05:10:54PM -0700, jungle Boogie wrote:
 Hello All,
 
 I know fewer defaults the better for all, but if there a reason
 TCPKeepAlive in openssh is disabled along with the clientalive option?
 Is it just too risky and/or unneeded?

Well, Mr. Boogie, TCPKeepAlive is enabled and ClientAliveInterval is 0,
which is disabled, in both 5.7 and -current, if I'm reading the source 
file correctly.

And, according to sshd_config(5), "It is important to note that the
use of client alive messages is very different from TCPKeepAlive.  The
client alive messages are sent through the encrypted channel and
therefore will not be spoofable.  The TCP keepalive option enabled by
TCPKeepAlive is spoofable."

 How do you folks manage ssh sessions not dying? Do you enable these
 options every time you install openssh on a new machine? Is there a
 better option?

The man page continues with, "The client alive mechanism
is valuable when the client or server depend on knowing when a
connection has become inactive."

I don't adjust the defaults for these.  I use some terrible
WiFi connections and occasionally have to reconnect.  If I need
to keep a shell running in the event of an unintentional
disconnect -- or an intentional one -- I use tmux(1).
I can reconnect and continue operating one or more shells
without any operational impact.



Re: # sign

2015-06-17 Thread Josh Grosse

On 2015-06-17 13:58, Terry Tyson wrote:

On 6/17/2015 12:52 PM, Max Power wrote:

Hi guys!
In English_US way, you have no certainties.
# symbol, I've always named 'hash',
but from recent research I found which is also named:
number, pound, octothorpe, octothorp, octothorn...

which is the exact name for it? (In computer way naturally...)

Thanks for reply.


Computer way?  Which computer?

If you mean ASCII representation, # would be 0010 0011.
If instead you prefer EBCDIC, # would be 0111 1011.


hash



Wikipedia says that the use of hash for this sign may have come
from Baudot, which predated both ASCII and EBCDIC.



Re: Boot problem custom Kernel 5.7

2015-06-09 Thread Josh Grosse

On 2015-06-09 13:34, Oliver wrote:

On Tue, 09 Jun 2015, Theo de Raadt wrote:


 entry point at 0x1000160 [7205c766, 3404, 24448b12, 1080a304]
 == At this point the system reboots. No further messages.

Your kernel is probably too large.  A limitation in the bootblocks.

Do you mean the kernel with the ramdisk or without? What would be the
best way to workaround this limit? Decrease ramdisk size?
Remove driver/options from the kernel?


Back when I was building live CDs/DVDs, I used GENERIC or GENERIC.MP
kernels with cd0a as the root filesystem, and MFS mounted /etc, /var,
/root, /tmp, /home, and /dev.  Read-only filesystems on media were all
CD9660.

I ran into cdboot(8) issues with very large /usr/local filesystems
(e.g. KDE and Gnome).  My simple circumvention was to vnconfig(8)
/usr/local from an .iso image file after boot completed.



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Josh Grosse
On Mon, Jun 01, 2015 at 04:45:01AM -0400, dan mclaughlin wrote:
 On Sun, 31 May 2015 22:20:17 -0500 Okupandolared kan...@darkmail.mx wrote:
  does not exist,
  
  so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami?
  
  that try ls and /bin/ls and /var/www/bin/ls
  
  and it does not work,
  /bin/ls exist
  /var/www/bin/ls exist
  
  thanks
  
  On 05/31/15 19:43, Zi Loff wrote:
   On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote:
   -BEGIN PGP SIGNED MESSAGE-
   Hash: SHA256
  
   I like received variables POST and send to KSH script.
  
   But it seems that in OpenBSD 5.6 and php-fpm.
  
   exec() and exec_shell() not working.
  
   Could anyone help me?
  
   This link explain in detail what I've tried.
  
   http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec
  
   thanks
   
   If the server is chrooted at /var/www then /usr/bin/whoami (from the
   server's point of view) actually means /var/www/usr/bin/whoami (from
   your point of view). Does that file exist?
  
 
 have you tried to copy /bin/sh to /var/www/bin/sh?
 
Also, in a chrooted filesystem, every dynamically linked executable needs access
to ld.so and its shared libraries.  Which means /var/www/usr/lib and
/var/www/usr/libexec will need files populated -- every binary file should be
checked with ldd(1) to ensure required libraries are made available.
shared libraries.  Each program should 



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Josh Grosse
Corrected for typos.  What I'd just Emailed was without any coffee...

On Mon, Jun 01, 2015 at 06:05:28AM -0400, Josh Grosse wrote:

 Also, in a chrooted filesystem, every dynamically linked executable needs 
 access
  to ld.so and its shared libraries.  Which means /var/www/usr/lib and 
 /var/www/usr/libexec will need files populated -- every binary file should be
 checked with ldd(1) to ensure required libraries are made available.

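The ldd(1) check described in the two messages above, turned into a script. This is an added example and not code from the thread or from OpenBSD; the function names, the constructed ldd output and the assumption that ldd prints the OpenBSD column layout (Start End Type Open Ref GrpRef Name) are all the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: populate a chroot (here the
# /var/www chroot discussed above) with a dynamically linked program and the
# shared objects ldd(1) reports for it. The awk filter assumes the OpenBSD
# ldd(1) output layout (columns: Start End Type Open Ref GrpRef Name); on
# other systems the layout differs and ldd_libs must be adapted.

# Constructed sample of OpenBSD ldd(1) output so the parser can be exercised
# without a real binary. Addresses and library version numbers are made up.
SAMPLE_LDD_OUTPUT='/bin/ls:
        Start            End              Type  Open Ref GrpRef Name
        000005f6c8b9b000 000005f6c8bb5000 exe   1    0   0      /bin/ls
        000005f9a3a7f000 000005f9a3a8c000 rlib  0    1   0      /usr/lib/libutil.so.16.0
        000005f9e7d58000 000005f9e7ea3000 rlib  0    1   0      /usr/lib/libc.so.97.0
        000005f97c2ce000 000005f97c2d8000 ld.so 0    1   0      /usr/libexec/ld.so'

# Read ldd(1) output on stdin and print one absolute path per line for every
# object other than the executable itself: the shared libraries plus ld.so,
# which the chroot also needs (under /var/www/usr/libexec in this thread).
ldd_libs() {
    awk 'NF == 7 && $3 != "exe" && $NF ~ /^\// { print $NF }'
}

# Copy one file into the chroot at the same absolute path, creating the
# directory tree. $1 = chroot root (e.g. /var/www), $2 = absolute source path.
copy_into_chroot() {
    _root=$1
    _src=$2
    mkdir -p "$_root$(dirname "$_src")"
    cp -p "$_src" "$_root$_src"
}

# Copy a program and everything ldd(1) says it needs into the chroot.
# Prints each library path copied. Run as root on the real system, e.g.:
#   populate_chroot /var/www /bin/sh
populate_chroot() {
    _root=$1
    _bin=$2
    copy_into_chroot "$_root" "$_bin"
    ldd "$_bin" | ldd_libs | while read -r _lib; do
        copy_into_chroot "$_root" "$_lib"
        echo "$_lib"
    done
}

# Demonstration on the constructed sample: lists the three objects that would
# have to exist under the chroot before /bin/ls could run inside it.
printf '%s\n' "$SAMPLE_LDD_OUTPUT" | ldd_libs
```

Two things to keep in mind when using something like this: a statically linked program needs nothing beyond itself, so ldd reporting no objects is not an error; and the library version numbers in the paths change with base upgrades, so the copies under the chroot go stale and the check has to be repeated after every upgrade.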


Re: booting OpenBSD with grub

2015-05-27 Thread Josh Grosse
On Wed, May 27, 2015 at 07:48:49AM -0400, cobalt wrote:
 any idea on the proper way to get grub to boot openbsd:
 
 set root=(hd1,4) is what i have, but i am missing something and i do not
 know what.
 
 any thoughts would help.
 
 regards.
 
 gilles

I have an old netbook with sysutils/grub installed.  That's v1, and
I provision the chainloader.  Here's my menu.lst: 

default 0
timeout 5

title OpenBSD
root (hd0,3)
chainloader +1

title WinXP
root (hd0,0)
chainloader +1

WXP is retained for a few select applications: firmware installation
on peripherals, WebRTC applications ... and that's it.


