Re: puppet and cross-platform password hashes

2016-02-05 Thread Joshua Smith
On Fri, Feb 05, 2016 at 04:04:47PM +0100, Joerg Jung wrote:
> > On 05 Feb 2016, at 08:33, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
> >
> > I'm assuming I'm not the first to encounter this -
> >
> > the scenario is a group of admins who have so far run mainly Linux and some
> Solaris,
> > and who have a fairly well developed Puppet setup for maintaining among
> other things
> > local users for admins to log in and fix, running sudo as required. For
> non-admin role
> > users, LDAP (AD) is considered good enough, but that's out of scope here.
> >
> > The interesting part is when we start introducing OpenBSD machines to the
> mix, and
> > creating users with the password hashes from Linux or Solaris fails,
> apparently because
> > the hashes are not bcrypt hashes.
> >
> > I see two obvious solutions to this. Either
> >
> > 1) skip password logins, require key logins for all local users (they're
> >   admins after all), tackle any extra privilege needs via specific sudo or
> >   doas config, or
> >
> > 2) maintain a separate set of user definitions with bcrypt hashes for the
> OpenBSD
> >   boxes in the puppet setup. Then supplement as before with sudo or doas
> tricks.
> >
> > My next question is, what other workable options are there? When you found
> yourself
> > in a similar situation, introducing OpenBSD to an existing environment of
> other
> > unixes, what did you do? Are there other solutions out there, possibly with
> more
> > sophisticated approaches than the ones I've mentioned here?
> 
> There is: 3) dynamically choose the password hash string depending on OS.
> Last time I used puppet was with the 2.x release, so I do not know the exact
> syntax, but something like this should work:
> 
> @user { 'myuser':
>   ensure   => present,
>   comment  => 'my user',
>   # single-quoted: in double quotes Puppet would interpolate "$2b" and "$6"
>   password => $operatingsystem ? {
>     'OpenBSD' => '$2b$...',
>     'RedHat'  => '$6$...',
>     'Solaris' => '...',
>   },
> }
> 
> I do similar in Ansible, setting a dynamic variable "user_hash" to either
> "blowfish" or "sha512" depending on the OS, and then use this variable to
> choose the right hash string from a dict, which looks like this:
> 
> users:
>   root:
>     blowfish: $2b$...
>     sha512: $6$...
> 
> ...referencing it later (in loops), like this:
> 
> user: name=root password={{ users['root'][user_hash] }}
> 
> > Good suggestions may merit a beverage of choice (within reason) at the
> first
> > possible opportunity.
> > --
> > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> > "Remember to set the evil bit on all malicious network traffic"
> > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

+1 for Joerg's suggestion, he beat me to typing it but we do something
similar here.  We have a "local_user" wrapper class that has some logic
built in to determine the proper password hash to apply based on the OS
and some other things.
-- 
Joshua Smith
Lead Systems Administrator WVNET

Montani Semper Liberi
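The per-OS selection Joerg and Joshua describe, written out as a pre-flight check rather than a manifest. This is an added example, not code from the thread, from Puppet or from Ansible. It keeps Joerg's dict shape (user -> hash family -> hash string), adds a format check so a sha512crypt string never reaches an OpenBSD master.passwd (or a DES/bcrypt string a glibc shadow file), and quotes the result the way a Puppet manifest needs it. The OS-to-family mapping is an assumption (the Solaris entry presumes sha512crypt is enabled in policy.conf), and every hash string below is a constructed dummy of the right length and alphabet, not the hash of any real password.

```python
"""Pick the password hash a host's crypt(3) can actually verify.

Added example for the puppet/cross-platform thread; not code from the posts
or from Puppet/Ansible.  HASH_FAMILY_BY_OS is an assumption and SAMPLE_USERS
holds constructed strings of the right shape, not real password hashes.
"""
import re

# Which crypt(3) family the local password database expects.  Assumption:
# keys are Puppet $operatingsystem / Ansible ansible_distribution values.
HASH_FAMILY_BY_OS = {
    "OpenBSD": "blowfish",   # bcrypt, $2b$ (older $2a$ still accepted)
    "RedHat": "sha512",      # glibc sha512crypt, $6$
    "CentOS": "sha512",
    "Debian": "sha512",
    "Solaris": "sha512",     # assumption: crypt_sha512 enabled in policy.conf
}

# Structural checks so a wrong-family or truncated hash is caught before a
# Puppet/Ansible run writes it into master.passwd or /etc/shadow.
HASH_FORMATS = {
    # $2b$<cost 04..31>$<22-char salt><31-char digest>, bcrypt base64 alphabet
    "blowfish": re.compile(r"\$2[ab]\$(0[4-9]|[12][0-9]|3[01])\$[./A-Za-z0-9]{53}"),
    # $6$[rounds=N$]<salt, up to 16 chars>$<86-char digest>
    "sha512": re.compile(r"\$6\$(rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}"),
}


class HashSelectionError(ValueError):
    """Raised instead of silently shipping a hash the target cannot verify."""


def select_hash(users, name, os_name):
    """Return the hash string for `name` that `os_name` can verify."""
    family = HASH_FAMILY_BY_OS.get(os_name)
    if family is None:
        raise HashSelectionError(f"no hash family mapped for OS {os_name!r}")
    candidate = users.get(name, {}).get(family)
    if candidate is None:
        raise HashSelectionError(
            f"user {name!r} has no {family} hash; {os_name} cannot verify the others")
    if not HASH_FORMATS[family].fullmatch(candidate):
        raise HashSelectionError(
            f"user {name!r}: {family} hash is malformed ({candidate[:4]!r}...)")
    return candidate


def puppet_literal(hash_string):
    """Quote a hash for a Puppet manifest: double quotes would interpolate $2b/$6."""
    return "'" + hash_string.replace("'", "\\'") + "'"


def audit_users(users, os_name):
    """Return (selected, problems) for a whole user table: the hashes that
    may be shipped to os_name, and why each remaining user may not."""
    selected, problems = {}, {}
    for name in sorted(users):
        try:
            selected[name] = select_hash(users, name, os_name)
        except HashSelectionError as exc:
            problems[name] = str(exc)
    return selected, problems


# Constructed sample data: right length and alphabet, NOT real password hashes.
SAMPLE_USERS = {
    "root": {
        "blowfish": "$2b$10$" + "a" * 22 + "b" * 31,
        "sha512": "$6$rounds=656000$saltsalt$" + "c" * 86,
    },
    "ops": {                       # only ever hashed on a Linux box
        "sha512": "$6$saltsalt$" + "d" * 86,
    },
    "legacy": {                    # a DES crypt string filed under the wrong key
        "blowfish": "abJnggxhB/yWI",
    },
}

if __name__ == "__main__":
    for os_name in ("OpenBSD", "RedHat"):
        selected, problems = audit_users(SAMPLE_USERS, os_name)
        print(os_name, "ok:", {u: puppet_literal(h)[:12] + "..." for u, h in selected.items()})
        print(os_name, "problems:", problems)
```

Run against the real hiera or group_vars data before a Puppet or Ansible run; a user with a hash for only one family shows up as a problem for the other OS instead of as a login that silently stops working, which is the failure Peter saw.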



Re: SNMP and PID file

2015-03-26 Thread Joshua Smith
You are running a pretty old (> 2 years) version of OpenBSD.
Perhaps it is a bug that has been fixed in a later release?


On Thu, Mar 26, 2015 at 06:11:37PM +0100, Alex Naumov wrote:
 # /etc/rc.d/snmpd restart
 httpd2 (pid 29518) already running
 
 # uname -a
 OpenBSD name 5.2 GENERIC#278 i386
 
 # ps aux | grep snmpd
 root     23284  0.0  0.1   556   980 ??  Is    Wed04PM    0:00.00 snmpd: parent (snmpd)
 _snmpd   28300  0.0  0.1   676  1380 ??  I     Wed04PM    0:00.55 snmpd: snmp engine (snmpd)
 root     23789  0.0  0.0   592     4 p0  R+    6:06PM     0:00.00 grep snmpd (ksh)
 
 # ls -la /var/run/
 total 192
 drwxr-xr-x   3 root  wheel512 Mar 25 16:59 .
 drwxr-xr-x  25 root  wheel512 Mar 29  2014 ..
 -rw-r--r--   1 root  wheel  6 Nov 13 08:17 cron.pid
 -rw-r--r--   1 root  wheel  49152 Nov 13 08:17 dev.db
 -rw-r--r--   1 root  wheel   9124 Nov 13 08:17 dmesg.boot
 -rw-r--r--   1 root  wheel  5 Nov 13 08:17 inetd.pid
 -r--r--r--   1 root  wheel  12460 Nov 13 08:17 ld.so.hints
 drwxr-xr-x   2 root  wheel512 Nov 13 08:17 rc.d
 -rw---   1 root  wheel 70 Nov 13 08:17 sendmail.pid
 srw-rw   1 root  wheel  0 Mar 25 16:59 snmpd.sock
 -rw-r--r--   1 root  wheel  5 Nov 13 08:17 sshd.pid
 -rw-r--r--   1 root  wheel  6 Nov 13 08:17 syslog.pid
 -rw-rw-r--   1 root  utmp7200 Mar 26 18:04 utmp
 
 
 
 Please look at the first command's output. It looks like a bug or
 something like this.
 Of course I can find a pid and then kill this process, but...
 
 
 On Wed, Mar 25, 2015 at 6:09 PM, Joshua Smith jsm...@mail.wvnet.edu wrote:
  /etc/rc.d/snmpd restart always worked
 
  for me to restart snmpd.
  On Wed, Mar 25, 2015 at 06:02:30PM +0100, Alex Naumov wrote:
  Hello,
 
   I just want to ask about snmpd(8). As I can see, snmpd doesn't create
   a pid file in the /var/run directory.
   Is it correct?
   How do I reboot this daemon? There is just a sock-file.
 
  Thank you,
  Alex
 
  --
  Joshua Smith
 
  Montani Semper Liberi

-- 
Joshua Smith

Montani Semper Liberi



Re: Set PKG_PATH using Time Zone?

2015-03-26 Thread Joshua Smith
On Thu, Mar 26, 2015 at 06:55:50PM +, L.R. D.S. wrote:
 It is really boring to write the package repository every time we install.
 Why not set the repository using the Time Zone as a reference?
 For example, if you set Japan as your zone, then run
 export PKG_PATH=http://www.ftp.ne.jp/OpenBSD/`uname -r`/packages/`uname -m`/

What about regions which contain multiple mirrors?

-- 
Joshua Smith

Montani Semper Liberi



Re: SNMP and PID file

2015-03-25 Thread Joshua Smith
/etc/rc.d/snmpd restart always worked

for me to restart snmpd.
On Wed, Mar 25, 2015 at 06:02:30PM +0100, Alex Naumov wrote:
 Hello,
 
  I just want to ask about snmpd(8). As I can see, snmpd doesn't create
  a pid file in the /var/run directory.
  Is it correct?
  How do I reboot this daemon? There is just a sock-file.
 
 Thank you,
 Alex

-- 
Joshua Smith

Montani Semper Liberi



Re: Autoinstall without PXE.

2015-03-14 Thread Joshua Smith
--
Joshua Smith
Lead Systems Administrator WVNET

Montani Semper Liberi 

Sent from my iPhone. 

 On Mar 13, 2015, at 11:39 PM, dan mclaughlin thev...@openmailbox.org wrote:
 
 On Sat, 14 Mar 2015 02:27:56 + Raf Czlonka rczlo...@gmail.com wrote:
 On Fri, Mar 13, 2015 at 09:02:23PM GMT, Joshua Smith wrote:
 
 Hello misc@,
 
 Hi Joshua,
 
  Looking around the man pages for 5.6 and -current it doesn't seem like
  it, but is it possible to perform an autoinstall/autoupgrade without
  utilizing pxe and an http server.
 
 I would like to put the autoinstall/autoupgrade file on a usbkey or
 embed it on a custom cd.
 
 Well, probably not the way you have in mind (i.e. full autoinstall) as
 you still have to point the installer to the {install,upgrade}.conf
 manually: i.e. choose (A) for autoinstall, it'll then fail, escape to
 shell, mount the disk with your config file, go back to the installer
 and point it to the file - the rest of the installation/upgrade is then
 fully automatic.
 
 I use a 3-line (that includes a keyboard layout) 'upgrade.conf' to
 upgrade to new snapshots.
 
 Regards,
 
 Raf
 
 there is a better way using rdsetroot to actually put the *.conf files in the
 bsd.rd kernel itself. it was discussed previously here:
 
  https://marc.info/?l=openbsd-misc&m=141552533922277&w=2

Thanks!
This is exactly what I am looking for. 

IMHO being able to provide autoupgrade in / of the existing system would be a 
great addition. 



Autoinstall without PXE.

2015-03-13 Thread Joshua Smith
Hello misc@,

Looking around the man pages for 5.6 and -current it doesn't seem like
it, but is it possible to perform an autoinstall/autoupgrade without
utilizing pxe and an http server.

I would like to put the autoinstall/autoupgrade file on a usbkey or
embed it on a custom cd.


Thanks,
-- 
Joshua Smith
Lead Systems Administrator WVNET

Montani Semper Liberi
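Whichever way the installer is pointed at it (manually after the failed (A)utoinstall, or embedded in bsd.rd with rdsetroot as dan suggests), the response file itself is a plain "question = answer" list per autoinstall(8). The fragment below is an added illustration, not from the thread or from the OpenBSD project: the question strings are the installer's own prompts, while every answer (host name, interface, disk, the key and the hash) is an assumption for the example. Because the file ends up on the USB key or inside the kernel image, it is readable by anyone who gets hold of the media, so the root password should go in pre-hashed as a bcrypt string rather than in clear, and root access over ssh should lean on the key.

```text
# install.conf for autoinstall(8): one "question = answer" per line.
# Everything in this file is readable from the media, so no clear-text secrets.
System hostname = gw1
Which network interface do you wish to configure = em0
IPv4 address for em0 = dhcp
# Already-hashed bcrypt string (a placeholder here), never the clear-text password.
Password for root = $2b$10$...
Public ssh key for root account = ssh-ed25519 AAAA... admin@example
Allow root ssh login = prohibit-password
Which disk is the root disk = sd0
Location of sets = disk
Set name(s) = -game* -x*
```

The keyboard layout line Raf mentions would be one more such line; the order of the lines does not matter, since the installer matches each prompt against the file.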



Re: IPSEC/IKED flows only being created on one end

2015-03-07 Thread Joshua Smith
 On Mar 7, 2015, at 10:39 PM, Josh Grosse j...@jggimi.homeip.net wrote:
 
 On Sat, Mar 07, 2015 at 08:29:43PM -0500, Joshua Smith wrote:
 Hello misc@,
 
 I am working on setting up site to site ipsec VPN between a few locations 
 all with openbsd 5.6 stable gateways at them using iked.  Since I've never 
 done any of this before I am starting with a basic host to host setup using 
 pre shared keys in my lab.  I am running into an issue where the flows are 
 only getting created on one end of the setup.   Here are the details:
 
 HOST 1:
 ip address 172.16.204.139
 iked.conf: ikev2 test active esp from 172.16.204.139 to 172.16.204.140 psk 
 test
 
 HOST 2:
 ip address 172.16.204.139
 iked.conf: ikev2 test esp from 172.15.204.140 to 172.16.204.139 psk test
 
 Hi there.  Don't use PSKs with iked(8) and 5.6.  Use certs, or use -current.
 
  http://marc.info/?l=openbsd-misc&m=141562487120440&w=2

Hi Josh,
Thanks for pointing this out to me. Seems my search-fu wasn't strong enough to 
dig that out. I'll give it another go with RSA in the morning. 

That might be the best way to go for my small setup instead of deploying a CA 
anyhow. Guess that just gives me another option to weigh. 


--
Joshua Smith

Montani Semper Liberi 

Sent from my iPhone



IPSEC/IKED flows only being created on one end

2015-03-07 Thread Joshua Smith
Hello misc@,

I am working on setting up site to site ipsec VPN between a few locations all 
with openbsd 5.6 stable gateways at them using iked.  Since I've never done 
any of this before I am starting with a basic host to host setup using pre 
shared keys in my lab.  I am running into an issue where the flows are only 
getting created on one end of the setup.   Here are the details:

HOST 1:
ip address 172.16.204.139
iked.conf: ikev2 test active esp from 172.16.204.139 to 172.16.204.140 psk 
test

HOST 2:
ip address 172.16.204.139
iked.conf: ikev2 test esp from 172.15.204.140 to 172.16.204.139 psk test

I then run /etc/rc.d/iked -f start on host 2.  followed by the same command on 
host 1.  after a few seconds I execute the ipsecctl -s all command on each host.

on host 1 the output is:
FLOWS:
flow esp out from ::/0 to ::/0 type deny

SAD:
No entries

While on host 2 the output is:
FLOWS:
flow esp in from 172.16.204.139 to 172.16.204.140 peer 172.16.204.139 srcid 
FQDN/gwb.localdomain dstid FQDN/gwa.localdomain type use
flow esp out from 172.16.204.140 to 172.16.204.139 peer 172.16.204.139 srcid 
FQDN/gwb.localdomain dstid FQDN/gwa.localdomain type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 172.16.204.139 to 172.16.204.140 spi 0x0982384f auth 
hmac-sha2-256 enc aes-256
esp tunnel from 172.16.204.140 to 172.16.204.139 spi 0x78b6bb97 auth 
hmac-sha2-256 enc aes-256

If I reverse which host is the active the results flip flop.  That is the 
flows are always created on the passive side.  

I expect similar flows should be created on each side or am I missing something 
completely here?  

Can someone please point me in the right direction?

Also I can include a dmesg if needed. 

Thanks,
--
Joshua Smith

Montani Semper Liberi 
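Following Josh Grosse's advice in the reply above (no PSKs with iked on 5.6), the same host-to-host lab setup with iked's default public-key authentication, as an added example that is not from the thread. It assumes the identities gwa.localdomain / gwb.localdomain seen in the ipsecctl output, that host 2 really sits at 172.16.204.140, and the key locations from iked(8): each host's /etc/iked/local.pub is copied to the other side as /etc/iked/pubkeys/fqdn/<that host's srcid>, and the private key stays in /etc/iked/private/local.key.

```text
# /etc/iked.conf on host 1 (gwa.localdomain, 172.16.204.139), the initiator.
# No "psk ...": iked then authenticates the peer with the public key found in
# /etc/iked/pubkeys/fqdn/gwb.localdomain and signs with /etc/iked/private/local.key.
ikev2 "test" active esp from 172.16.204.139 to 172.16.204.140 peer 172.16.204.140 srcid gwa.localdomain dstid gwb.localdomain

# /etc/iked.conf on host 2 (gwb.localdomain, 172.16.204.140), the responder.
# Needs host 1's local.pub installed as /etc/iked/pubkeys/fqdn/gwa.localdomain.
ikev2 "test" passive esp from 172.16.204.140 to 172.16.204.139 peer 172.16.204.139 srcid gwb.localdomain dstid gwa.localdomain
```

After `iked -dv` on both sides, `ipsecctl -s flow` should show the in/out flow pair on each host, not only on the passive one; if a pubkeys/fqdn file is missing or the srcid/dstid pair does not match the file names, iked rejects the AUTH payload and no flows appear at all, which is easier to diagnose than the one-sided state in the original post.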



Re: PRG airport in misc

2015-01-04 Thread Joshua Smith
Just curious how this airport database came to be and why is it included in the 
base system. 

It struck me as kind of unusual but perhaps there is something of historical 
significance I am missing with regards to its inclusion. 

--
Josh Smith

Sent from my iPhone. 

 On Jan 4, 2015, at 1:30 PM, Zeljko Jovanovic zelj...@tesla.rcub.bg.ac.rs 
 wrote:
 
 On 04.01.2015. 14:22, Reyk Floeter wrote:
 
 Thanks, done.
 
 Index: airport
 
 
 Speaking of changed airport names, I expected to see:
 
 BEG:Surcin, Belgrade, Yugoslavia
 
 but it was apparently never entered at all.
 
 The current name is:
 
 BEG:Nikola Tesla, Belgrade, Serbia
 
 and there are another few missing:
 
 INI:Constantine the Great, Nis, Serbia
 ZZE:Ponikve, Uzice, Serbia
 KVO:Morava, Kraljevo, Serbia
 
 
 These two:
 
 TIV:Tivat, Yugoslavia
 TGD:Golubovci, Podgorica, Yugoslavia
 
 should be changed to:
 
 TIV:Tivat, Montenegro
 TGD:Golubovci, Podgorica, Montenegro



Re: rtadvd on OpenBSD 5.6 with Comcast cable connection

2014-12-31 Thread Joshua Smith
http://marc.info/?l=openbsd-misc&m=141703607321548&w=2
--
Josh Smith
KD8HRX

Email/jabber: juice...@gmail.com

Sent from my iPhone. 

 On Dec 31, 2014, at 2:01 PM, Aaron Riekenberg aaron.riekenb...@gmail.com 
 wrote:
 
 I have an OpenBSD 5.6 box that I'm using as a router and firewall for my
 local LAN, using both ipv4 and ipv6.  Things are mostly working, but I'm
 seeing some possibly broken/annoying behavior from rtadvd.  First some
 background information:
 
 My box has 2 ethernet interfaces: em0 is the external connection, and em1
 is the local LAN.  Comcast provides ipv6 router advertisements and uses
 dhcpv6 to provide a /128 address (used by em0) and a /64 prefix delegation
 used by my local LAN.  I'm using wide-dhcpv6 to assign addresses to my em0
 and em1 and this all works fine.
 
 I have the issue that if net.inet6.ip6.forwarding=1, the kernel is not able
 to automatically configure the default ipv6 route based on router
 advertisements, even with the new inet6 autoconf parameter (
 http://permalink.gmane.org/gmane.os.openbsd.misc/217825).
 
 To work around this, I temporarily ran rtsold, figured out the ipv6 address
 of Comcast's router, and added it to /etc/mygate.  This works fine, and I
 am no longer running rtsold.
 
 Now I run rtadvd em1 to send router advertisements to the local LAN.  I
 have no /etc/rtadvd.conf file, so I am using the default configuration.
 This again works fine, and hosts on my local LAN automatically get an ipv6
 address and route (yay!).
 
 But all is not quite perfect.  If I look at /var/log/daemon, I see lots and
 lots of messages from rtadvd like this:
 
 Dec 31 12:44:21 server rtadvd[28960]: received RA from
 fe80::224:14ff:fe63:cae2 on non-advertising interface(em0)
 Dec 31 12:44:54 server last message repeated 11 times
 Dec 31 12:46:56 server last message repeated 40 times
 Dec 31 12:51:32 server last message repeated 90 times
 
 This is saying rtadvd received a router advertisement from Comcast's router
 (fe80::224:14ff:fe63:cae2).  Comcast's router apparently sends one of these
 every 3 seconds - this is the rate at which syslog is filling with these
 messages.
 
 I can disable logging for rtadvd in syslog.conf, but this is annoying.
 There are potentially many others like me with Comcast or other ipv6
 connections that want to run rtadvd on the internal interface and will
 receive router advertisements on the external interface.
 Thoughts/questions:
 
 * Why is rtadvd logging router advertisements on em0 when I am specifying
 em1 as the only interface it should be using?  Wouldn't it be better to
 just silently ignore router advertisements from non-configured interfaces?
 * What will happen when/if we can have net.inet6.ip6.forwarding=1 and
 inet6 autoconf for my external interface?  Will rtadvd still receive
 router advertisements for the external interface and complain about them?



Re: simple way to block one word domains?

2014-12-09 Thread Joshua Smith
Does ndots:0 in your resolv.conf not achieve what you want?

--
Josh Smith
KD8HRX

Email/jabber: juice...@gmail.com
Phone: 304.237.9369(c)

Sent from my iPhone. 

 On Dec 9, 2014, at 11:01 AM, Ted Unangst t...@tedunangst.com wrote:
 
 Curious if anyone knows a simple way to prevent resolution of one word
 hostnames. Either via resolv.conf or unbound.conf.
 
 For example:
 
 athens:~ host android
 android has address 127.0.53.53
 android mail is handled by 10 your-dns-needs-immediate-attention.android.
 
 I do not like this.
 
 athens:~ host bobo
 Host bobo not found: 3(NXDOMAIN)
 
 This is much better.
 
 athens:~ host com
 
 This isn't great either.
 
 I realize this is how DNS works, but I also think it's something I
 should be able to fix at a local level. The fact that anything and
 everything can now be a TLD is pretty sneaky. If a DNS lookup has only
 a single part, I would like to restrict it to the search domain.



Re: Missing A DNS record for openbsd.org ?

2014-03-01 Thread Joshua Smith
 On Mar 1, 2014, at 3:21 AM, Hugo Villeneuve h...@eintr.net wrote:
 
 On Fri, Feb 28, 2014 at 05:10:13PM +0100, Marko Cupa?? wrote:
 On Fri, 28 Feb 2014 10:48:13 -0500
 Ted Unangst t...@tedunangst.com wrote:
 
 openbsd.org does not have an A record. This should not affect you.
 
 This is strange. I think I was able to access www.openbsd.org via http
 on openbsd.org as well.
 
 It is common for modern browsers to automatically try www.CURRENTDOMAINTRIED
 when CURRENTDOMAINTRIED doesn't have an A or AAAA address. It's a
 browser feature.

And a terrible idea IMHO. 

 
 
 openbsd.org doesn't have a CNAME record. CNAME records are dangerous.

CNAMEs themselves are not dangerous, however using one for the root of 
a domain is _usually_ a bad idea, just for the reasons you mentioned below. 


 They invalidate every other DNS record type associated with that
 entry. (That's why you usually add a A record to a domain name so
 that all the SOA, NS, MX records don't get affected.)
 

Regards,
-
Josh Smith
KD8HRX



Re: Missing A DNS record for openbsd.org ?

2014-03-01 Thread Joshua Smith
Theo,
Perhaps you misunderstood what I said. I have no gripe or issue with the 
openbsd project.  It's unarguable that having a CNAME record at the apex of a 
domain can lead to issues. I'm sure someone as intelligent and accomplished as 
yourself can find the relevant documentation. 

 I could care less if openbsd.org has an A record; www.openbsd.org is an A 
record, cname or any other type of record; or if the two domain names resolve 
to the same place or not. 

I was simply expanding on the technical point that openbsd.org should not be a 
cname. 


Thanks,
--
Josh Smith
KD8HRX

Email/jabber: juice...@gmail.com
Phone: 304.237.9369(c)

Sent from my iPhone. 

On Mar 1, 2014, at 8:20 AM, Theo de Raadt dera...@cvs.openbsd.org wrote:

 CNAMEs themselves are not dangerous, however using one for the
 root of a domain is _usually_ a bad idea, just for the reasons you
 mentioned below.
 
 If you start your own successful project, you also can develop your
 own set of reasons for doing any of a variety of operational things
 at any point in time.
 
 In that situation, you would probably want to be left in peace.
 
 You seem to have a rather over-extended sense of entitlement towards
 telling me that I'm doing it wrong.  I hope it makes you feel really
 good.



Re: Request for Funding our Electricity

2014-01-16 Thread Joshua Smith
+1 for the subscription idea. Not that it completely solves the problem at 
hand. But a great (IMHO) idea. 

--
Josh Smith
KD8HRX

Email/jabber: juice...@gmail.com
Phone: 304.237.9369(c)

Sent from my iPhone. 

 On Jan 16, 2014, at 2:34 PM, Jan Lambertz jd.arb...@googlemail.com wrote:
 
 I like the subscription idea. I'd love to have every release without
 actually doing the shopping every time. This could at least make a bit of
 safe money.
 
 I believe making a company send 20k$ every year to openbsd could be
 quite difficult.
 Why should they do this ?
 What do they get ?
 Why is that better than spending that money in new hardware or buying fancy
 whiteboards in managers office ?
 
 I know what they would get, but they dont. How do we make a company to know
 about the benefit of openbsd? They never heard of it. They wont ever use it
 because they dont get a 24/7 support contract from a big consulting company
 for it.
 They dont know about openbsd and most dont care.
 That might not be the opinion of most people on this list but it is the
 opinion of most people not on this list [the ones with money].



Cisco UCS blade dregs

2012-10-01 Thread Joshua Smith
We recently took delivery of several different Cisco UCS blades at my $dayjob.
If any devs are interested let me know and I'll grab them.

Thanks,

--
Josh Smith
kD8HRX

email/jabber: juice...@gmail.com
Phone: 304.237.9369(c)

Sent from my iPad



VPN

2008-02-25 Thread Joshua Smith
Do any of you all have any experience setting up site to site vpn's
using openBSD on one side and openwrt devices on the other?  Does
anyone know if this is possible?

Thanks,
Josh



Re: pf + wii

2007-12-24 Thread Joshua Smith
Check to make sure you are not scrubbing, scrub can cause some awful
problems with multiplayer games.

Thanks,
Josh

On Dec 24, 2007 3:34 AM, Lord Sporkton [EMAIL PROTECTED] wrote:

 On 23/12/2007, scott [EMAIL PROTECTED] wrote:
  1. use # tcpdump -eni pflog0
 
  2. if that's not revealing then post its output AND the whole pf.conf
  file.
 
  3. in the mean time, consider rdr PASS on $IF_RR proto udp from
  $REMOTE_IP to ($IF_RR) - $HOST_WII
 
  where PASS is in lower case inside the pf.conf (UCASE here for emphasis
  only)
 
  /S
 
  -Original Message-
  From: slug bait [EMAIL PROTECTED]
  To: misc@openbsd.org
  Subject: pf + wii
  Date: Sun, 23 Dec 2007 23:10:38 -0500
 
  # tcpdump -ni sis1 udp
 
 

 I could be wrong but here is my 2 cents:

 I've seen something like this related to upnp, I would venture to guess
 your 2 friends have routers which support upnp and so far as I know
 openbsd does not support upnp.

 I would suggest either consulting the guitar hero manual or a tcpdump
 for the required ports for this game and try a static pat translation
 to your public ip.

 upnp allows the wii to request certain ports from the nat device be
 opened for it, in this case it sounds like your wii needs certain ports
 open to allow the server to connect to it, normally upnp would take
 care of it dynamically, but you don't have upnp, so you have to static
 assign the pat.

 Lawrence



Re: BIND reverse lookup

2007-12-16 Thread Joshua Smith
Also, if you're going to be administering DNS you might want to
consider picking up a copy of the venerable DNS and BIND.

-Josh


On Dec 16, 2007 11:54 AM, Darren Spruell [EMAIL PROTECTED] wrote:
 On Dec 16, 2007 8:33 AM, mufurcz [EMAIL PROTECTED] wrote:
  Greetings,
 
   New DNS server setup, supposed to be authoritative for the
   `transylvania.org.au` zone
   but reverse lookup is not working - as it is supposed to.

   # dig transylvania.org.au
   -
   ; <<>> DiG 9.3.4 <<>> transylvania.org.au
   ;; global options:  printcmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5537
   ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

 That query failed to return an answer; your forward lookup zone
 doesn't appear to be functioning correctly either.

  # dig 192.168.1.199 (selena.transylvania.org.au  is the  DNS server)

  That's not the way you use dig to query for a reverse DNS record on an
  IP address. Read the dig(1) manual page, or use one of two possible
  syntaxes:

 $ dig -x a.b.c.d
 $ dig ptr d.c.b.a.in-addr.arpa

  ;; QUESTION SECTION:
  ;192.168.1.199. IN  A

 And here's why - you're trying to look up the A record for the IP
 address, rather than the PTR record.

  So, what I am doing wrong?

 I'd say at first glance you don't have your zone files and/or
 named.conf configured correctly. The example configs provided under
 /var/named/ should get you started quickly. You may want to refer to
 the BIND administrator's manual at
 http://www.isc.org/index.pl?/sw/bind/index.php.

 Refer later to http://www.cymru.com/Documents/secure-bind-template.html
 for tips on securing your BIND configuration to help the rest of us
 out.


 --
 Darren Spruell
 [EMAIL PROTECTED]



Re: Getting envolved

2007-12-14 Thread Joshua Smith
   Users who cannot invest the effort to learn enough to use a
   simple interface do not deserve a reliable operating system. They
   deserve windows, and they deserve pop up buttons in their browsers
   that they click ok blindly for everything.

I couldn't agree more. People expect that they will have to take some
time to learn to ride a bike, operate a car, cook a new dish, etc.
But by god their computer had better just work.  I started out life as
a PC tech at a large company; I can't tell you the number of times
I've heard "but I don't want to learn how to do it" or "I just can't
understand computers" or "I shouldn't have to learn how to do it, it
should be easier", and we weren't talking about developing a diff for
the kernel then rebuilding the entire base system from source, it was
typically something simple like changing the background color in a
PowerPoint presentation.

-Josh


On 14 Dec 2007 10:14:37 +0100, Artur Grabowski [EMAIL PROTECTED] wrote:
 Mathieu Stumpf [EMAIL PROTECTED] writes:

   I disagree.
  
   A complex interface implies a lot of code. a lot of code
   leads to  unreliablity, either through bugs or detracting valuable
   developer time from more important things
  
   A simple interface (well designed) imples less code, which leads
   to reliability.
 
  So, you mean a more intuitive software is necessary more complex? Can't
  we make a simple but intuitive interface without a lot of code?

 Well? Can you? Try. Let us know how it went.

    Users who cannot invest the effort to learn enough to use a
    simple interface do not deserve a reliable operating system. They
    deserve windows, and they deserve pop up buttons in their browsers
    that they click ok blindly for everything.
  
   -Bob
 
  Do you apply this reasoning to anything in life or do you reserve this
  kind of eugenics only to IT? :)

 It's reality.

 //art



Re: Hardware recommendations for OpenBSD carp router/firewall machines

2007-12-07 Thread Joshua Smith
i don't do pf/carp on them, but ibm x3550's are awesome general
purpose servers and I do not see why they would not be excellent pf
boxes.

On Dec 7, 2007 2:13 PM, Bob Beck [EMAIL PROTECTED] wrote:
 * Matthew Dempsky [EMAIL PROTECTED] [2007-12-06 15:54]:

  Does anyone have recommendations on server hardware for setting up a
  redundant OpenBSD firewall?  Right now our network handles several
  million HTTP requests per day, and we expect that to continue growing.
  I expect a simple pair of Dell rackmounted servers should handle this
  easily, but I thought I'd solicit feedback from the firewall experts
  on misc@ first. :-)

 I run an awful lot of simple pairs of Dell Rackmounted servers.  (as
 well as hp, ibm. etc.) I've done this with dell 950's, 1650, 1750,
 1850, and 1435's - lately I buy 1435's...

 So I'd be in agreement on that one.

 -Bob



Re: changing active slice at boot

2007-11-06 Thread Joshua Smith
man 8 daily

/etc/daily
     This script is run daily.  It currently does the following:
     ...
     Creates a backup root file system which is updated daily.  This only
     happens if the following conditions are met:

           1.   The environment variable ROOTBACKUP must be set.  For
                example, the following can be added to root's crontab(5):

                      ROOTBACKUP=1

           2.   The mount directory /altroot must exist, and there must be
                an /etc/fstab entry specifying `xx' for the mount options,
                e.g.

                      /dev/wd0j /altroot ffs xx 0 0
     ...
Thanks,
Josh


On 11/6/07, Frans Haarman [EMAIL PROTECTED] wrote:
 Just wondering...

 Has anyone ever thought of having 2 openbsd installations to boot from ?
 This way I could upgrade the installation on one slice/disk and boot from it!

 Then if the kernel would crash/reboot the other slice would be used for 
 booting.

 So at boot time the active slice is changed, after booting its changed back
 if there are no troubles!


 Perhaps this is an ugly work around to most, but it might save my life when a
 system refuses to boot the active slice.. Most of this can be
 prevented with
 remote consoles or ILO stuff I guess!   What do you think ? FUD ? ;)



Re: BIND

2007-10-22 Thread Joshua Smith
The named(8) man page is quite excellent; if it doesn't cover what you
need, try googling for some BIND stuff. Most of the hits you get will
be for Linux, but the named.conf examples are in all likelihood still
relevant.

Thanks,
Josh


On 10/22/07, Regie H. Saberon [EMAIL PROTECTED] wrote:
 Thanks for quick response, I want to set-up a Primary Domain Name
 Server, so that I hosts my own domain. Is there any good wiki that I can
 follow?

 -Original Message-
 From: Paul de Weerd [mailto:[EMAIL PROTECTED]
 Sent: Monday, October 22, 2007 7:13 PM
 To: Regie H. Saberon
 Cc: misc@openbsd.org
 Subject: Re: BIND

 [redirecting to [EMAIL PROTECTED]

 On Mon, Oct 22, 2007 at 07:10:11PM +0800, Regie H. Saberon wrote:
 | Hi to all, I just want to ask if BIND is already chrooted on OBSD 4.1?

 from named(8) :

      When invoked without arguments, named will fork into two
      processes for privilege separation, chroot() to /var/named,
      read the default configuration file /var/named/etc/named.conf,
      read any initial data, and listen for queries.  The privileged
      process will communicate with the child and bind to privileged
      ports on its behalf.  See CAVEATS section below.

 | Can someone give me a good wiki about OpenBSD as Domain Name Server.

 Again, try named(8). What is it that you want, exactly ?

 Cheers,

 Paul 'WEiRD' de Weerd

 --
 [++-]+++.+++[---].+++[+
 +++-].++[-]+.--.[-]
  http://www.weirdnet.nl/



Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-20 Thread Joshua Smith
Slightly OT, so feel free to move this to a new thread, but exactly
what would you use ifbound states to achieve?

Thanks,
Josh


On 10/20/07, Henning Brauer [EMAIL PROTECTED] wrote:
 * Joe Gibbens [EMAIL PROTECTED] [2007-10-20 02:03]:
  As Sebastian pointed out, you will need to do some state manipulation to
  apply your traffic flows to an up and down queue.  You can also do this by
  setting your state-policy to be if-bound.

 it is 'advice' like this that makes me wanna remove ifbound states
 completely.
 they have nothing to do with it.

 --
 Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
 BS Web Services, http://bsws.de
 Full-Service ISP - Secure Hosting, Mail and DNS Services
 Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-20 Thread Joshua Smith
Out of curiosity what are these two extremely rare cases?

Thanks,
-Josh


On 10/20/07, Henning Brauer [EMAIL PROTECTED] wrote:
 * Joshua Smith [EMAIL PROTECTED] [2007-10-20 13:05]:
  Slightly OT, so feel free to move this to a new thread, but exactly
  what would you use ifbound states to achieve?

 there are two extremely rare cases I am aware of, so the general rule
 is: YOU DON'T.

 --
 Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
 BS Web Services, http://bsws.de
 Full-Service ISP - Secure Hosting, Mail and DNS Services
 Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: Porting OpenBSD to OLPC XO laptops.

2007-09-26 Thread Joshua Smith
Maybe I've missed something but what makes it impossible to write a
device driver for the Wireless chipset?

-Josh

On 9/26/07, Paul de Weerd [EMAIL PROTECTED] wrote:
 [diverted to [EMAIL PROTECTED]

 On Wed, Sep 26, 2007 at 08:08:41AM -0700, big one wrote:
 | OLPC (One Laptop Per Child) had released XO AMD Geode LX Laptops
 | using G1G1 (Buy 2 Get 1). One laptop will be sent to the buyer and the
 | 2nd laptop will be sent to a child in a poor, developing country.
 |
 | According to Mr Theo de Raadt from OpenBSD, it is impossible to
 | write device driver for Wireless chipset inside XO.
 |
 | According to OLPC developer team:
 | 1. There is no standard BIOS inside XO laptops.
 | 2. There is no VGA/EGA/CGA video mode.
 |
 | Is it possible to port OpenBSD to XO Laptops without
 | activating/using the wireless chipset?
 | Thank you

 Why not buy some and send them to interested developers.

 Buy 2 Send 1 to an OpenBSD developer ;)

 Cheers,

 Paul 'WEiRD' de Weerd

 --
 [++-]+++.+++[---].+++[+
 +++-].++[-]+.--.[-]
  http://www.weirdnet.nl/



Since location mails seem to be the thing for the past couple of days....

2007-07-19 Thread Joshua Smith

Anyone in or around Morgantown, WV USA?

Thanks,
Josh