Re: 7.3 php gd.so cannot load

2023-04-13 Thread Kent Watsen



> Ah, if you didn't reboot after doing that, then what you saw is expected.

Good to know. 


>> Is there a better way to install xshare73 and xbase73?
> 
> From the installer, usually.

I can’t do that, but point taken. 


Thank you Stu and Daniel!




Re: 7.3 php gd.so cannot load

2023-04-12 Thread Kent Watsen



> That should have /usr/X11R6/lib as well.

This makes me want to mention that I installed xshare73 and xbase73 after the 
installer completed, using these commands:
```
  (curl -s -O https://cdn.openbsd.org/pub/OpenBSD/7.3/amd64/xshare73.tgz && cd / && tar xzvphf /root/xshare73.tgz)
  (curl -s -O https://cdn.openbsd.org/pub/OpenBSD/7.3/amd64/xbase73.tgz && cd / && tar xzvphf /root/xbase73.tgz)
```


> Check the code running ldconfig in /etc/rc, maybe you can figure out
> what's failed?


Brilliant.  After manually running the snippet, ld cache now contains 
`/usr/lib:/usr/X11R6/lib`.

Is there a better way to install xshare73 and xbase73?


K.


Re: 7.3 php gd.so cannot load

2023-04-12 Thread Kent Watsen


> is /usr/X11R6/lib a real directory or have you moved it elsewhere
> and replaced with a symlink?

No symlink.  No mount either.


> did you get any errors after "creating runtime link editor directory
> cache" at boot? (check with dmesg -s)

None.  Here are the last 5 lines of `dmesg -s`:

```
creating runtime link editor directory cache.
preserving editor files.
starting network daemons: sshd smtpd sndiod.
starting local daemons: cron.
Wed Apr 12 14:33:31 EDT 2023
```


> how does ldconfig -r look?

Sorry, but you asked for it!  ;)
```
/var/run/ld.so.hints:
search directories: /usr/lib:/usr/local/lib
```

7.3 php gd.so cannot load

2023-04-12 Thread Kent Watsen
[I'm new to PHP, but I believe that this was an issue in 7.2 as well]

Both 'xbase' and 'xshare' are installed.

What got me started was trying to run a DokuWiki CLI command
```
# ./bin/plugin.php usermanager list  
PHP Warning:  PHP Startup: Unable to load dynamic library 'gd.so' (tried: /usr/local/lib/php-8.1/modules/gd.so (Cannot load specified object), /usr/local/lib/php-8.1/modules/gd.so.so (File not found)) in Unknown on line 0
✗ (user authentication not available)
```

Similar is seen when running FPM manually:
```
# /usr/local/sbin/php-fpm-8.1
[12-Apr-2023 15:57:30] NOTICE: PHP message: PHP Warning:  PHP Startup: Unable to load dynamic library 'gd.so' (tried: /usr/local/lib/php-8.1/modules/gd.so (Cannot load specified object), /usr/local/lib/php-8.1/modules/gd.so.so (File not found)) in Unknown on line 0
[12-Apr-2023 15:57:30] WARNING: Nothing matches the include pattern '/etc/php-fpm.d/*.conf' from /etc/php-fpm.conf at line 143.
```
FWIW, my `/etc/php-fpm.d/` directory is empty.


Checking if the DSO exists (yup, it's there):
```
# ls -l /usr/local/lib/php-8.1/modules/gd.so
-rw-r--r--  1 root  www  135320 Apr 11 16:50 /usr/local/lib/php-8.1/modules/gd.so
```

Checking for link dependencies (huh?!):
```
# ldd /usr/local/lib/php-8.1/modules/gd.so
/usr/local/lib/php-8.1/modules/gd.so:
Cannot load specified object
/usr/local/lib/php-8.1/modules/gd.so: exit status 1
```

Running debug:
```
# env LD_DEBUG=1 php-8.1
  

loading: libfreetype.so.30.2 required by /usr/local/lib/php-8.1/modules/gd.so
dlopen: failed to open libfreetype.so.30.2
unload_shlib called on /usr/local/lib/php-8.1/modules/gd.so
unload_shlib unloading on /usr/local/lib/php-8.1/modules/gd.so
dlopen: /usr/local/lib/php-8.1/modules/gd.so: done (failed).

```

Looking for "libfreetype.so.30.2":
```
# find /usr -name libfreetype.so.30.2
/usr/X11R6/lib/libfreetype.so.30.2
```

Checking for link dependencies (looks fine):
```
# ldd /usr/X11R6/lib/libfreetype.so.30.2
/usr/X11R6/lib/libfreetype.so.30.2:
Start        End          Type  Open Ref GrpRef Name
0e61e844c000 0e61e851d000 dlib  1    0   0      /usr/X11R6/lib/libfreetype.so.30.2
0e6202607000 0e6202625000 rlib  0    1   0      /usr/lib/libz.so.7.0
```

Any suggestions?

Thanks!
Kent





Re: make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)

2021-10-31 Thread Kent Watsen


> Does /usr/lib/crt0.o exist? If it doesn't did tar complete successfully?

I’ve since scrubbed that install, but I did check before for the file and noted 
that it was not present.  Interestingly, the file is in the TGZ, so something 
happened…

$ tar -tzvf comp70.tgz | grep /usr/lib/crt0.o 
-r--r--r--  0 root   bin  2544 Sep 30 16:00 ./usr/lib/crt0.o


> Maybe try:
> 
> # tar -C / -xzphf comp70.tgz || echo "somethings broken"
> 
> You may have run out of disk space or something similar and just didn't 
> notice. Thats my best guess.

It was a 4GB partition, so unlikely an out of disk issue.  That said, there’s a 
chance that the extraction terminated prematurely for other reasons, which your 
suggestion would help catch - thanks for the suggestion!



Kent



Re: make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)

2021-10-31 Thread Kent Watsen


> As you're the one in possession of the system with the nonstandard
> configuration you're the best person to figure out what's different
> between that and a normally installed system.

My bad, I thought it was supported to install filesets this way, but I don’t 
see this approach discussed on openbsd.org  now.


> It does seem an unusual requirement to have a system which cannot have
> comp sets, but that is still ok to fetch a file from the internet and
> untar it as root without verifying the signify(1) signature and hash.

Point.  I already have SHA256 in the directory, so easy to add.


> Had you considered building the binary on a non production system
> instead?

I did, but since it worked with 6.9 before, figured I’d try that route first.


Thanks,
Kent
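
The quoted reply's point about untarring a downloaded set as root without checking it, together with the earlier suggestion to catch a failed extraction, can be combined into one routine. This is an added example, not code from the thread: it assumes `SHA256` is the BSD-style checksum file from the same mirror directory as the set, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): check a fileset before and after
# unpacking it. All function names are hypothetical.

# SHA-256 hex digest of a file: OpenBSD sha256(1), else GNU sha256sum.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{ print $1 }'
    fi
}

# Digest recorded for a set in a BSD-style checksum file, whose lines read
#   SHA256 (comp70.tgz) = <64 hex digits>
expected_sha256() {    # $1 = checksum file, $2 = set name
    awk -v want="($2)" \
        '$1 == "SHA256" && $2 == want && $3 == "=" { print $4; exit }' "$1"
}

# Succeed only if the set's digest matches its entry in the checksum file.
verify_set() {         # $1 = set tarball, $2 = checksum file
    want=$(expected_sha256 "$2" "$(basename "$1")")
    [ -n "$want" ] || { echo "no SHA256 entry for $1" >&2; return 2; }
    have=$(file_sha256 "$1") || return 2
    [ "$have" = "$want" ] || { echo "checksum mismatch for $1" >&2; return 1; }
}

# A matching digest only shows the set agrees with the list. On OpenBSD,
# signify(1) checks the signature on SHA256.sig and the set's digest in one
# step; run it from the directory that holds both files.
verify_set_signed() {  # $1 = set name, $2 = release public key file
    signify -C -p "$2" -x SHA256.sig "$1"
}

# Archive members that do not exist under the destination root.
missing_files() {      # $1 = set tarball, $2 = destination root
    tar -tzf "$1" | while IFS= read -r member; do
        [ -e "$2/$member" ] || [ -L "$2/$member" ] || printf '%s\n' "$member"
    done
}

# Verify first, extract, check tar's exit status, then confirm that every
# member (for example ./usr/lib/crt0.o) actually landed on disk.
install_set() {        # $1 = set tarball, $2 = checksum file, $3 = root
    verify_set "$1" "$2" || return 1
    tar -C "$3" -xzpf "$1" || { echo "extraction of $1 failed" >&2; return 1; }
    missing=$(missing_files "$1" "$3")
    [ -z "$missing" ] || { echo "not extracted:" >&2; echo "$missing" >&2; return 1; }
}

# Usage on the target system (as root):
#   install_set /root/comp70.tgz /root/SHA256 /
```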



Re: make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)

2021-10-31 Thread Kent Watsen
Thanks Theo. 

No debate about needing comp, only how it's installed…or maybe I misunderstand 
what you mean by “the script”?

Cheers,
Kent


> On Oct 31, 2021, at 3:38 PM, Theo de Raadt  wrote:
> 
> From the script
> 
> make obj && make && make install
> 
> Which uses the whole toolchain.
> 
> You need comp.  You don't have a choice.
> 
> Kent Watsen  wrote:
> 
>> The “httpd-plus” [1] patch installs just fine when a fresh 7.0 install 
>> selects packages "base", "bsd", "bsd.rd", "bsd.mp", “comp”, and “man”.
>> 
>> However, when a fresh 7.0 install selects all the same packages except 
>> “comp”, and then subsequently adds the “comp” package via the command:
>> 
>>(cd /root && curl -s -O 
>> https://cdn.openbsd.org/pub/OpenBSD/7.0/amd64/comp70.tgz && cd / && tar 
>> xzvphf /root/comp70.tgz)
>> 
>> The installation of the "httpd-plus" patch fails with the following snippet:
>> 
>>   
>>Building and installing httpd-plus binary and manpage ...
>>/usr/src/usr.sbin/httpd/obj -> /usr/obj/usr.sbin/httpd
>>make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)
>>Stop in /usr/src/usr.sbin/httpd
>>Restoring original sources ... Done.
>>Installing httpd-plus failed (exitcode: 2).
>> 
>> This logic worked on 6.9, what’s the difference?  Why can’t /usr/lib/crt0.o 
>> be found or made?  How to get past this error without needing to install the 
>> “comp” package during installation?
>> 
>> PS: I don’t want “comp” on the production system. After installing 
>> “httpd-plus”, I run the following command to remove it: (cd /root && for i 
>> in `tar -tzvf /root/comp70.tgz | awk '{print $NF}'`; do rm -rf $i; done) && 
>> rm /root/comp70.tgz
>> 
>> [1] https://github.com/mpfr/httpd-plus/tree/7.0-stable
>> 
>> Thanks,
>> Kent
>> 
>> 



make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)

2021-10-31 Thread Kent Watsen
The “httpd-plus” [1] patch installs just fine when a fresh 7.0 install selects 
packages "base", "bsd", "bsd.rd", "bsd.mp", “comp”, and “man”.

However, when a fresh 7.0 install selects all the same packages except “comp”, 
and then subsequently adds the “comp” package via the command:

(cd /root && curl -s -O https://cdn.openbsd.org/pub/OpenBSD/7.0/amd64/comp70.tgz && cd / && tar xzvphf /root/comp70.tgz)

The installation of the "httpd-plus" patch fails with the following snippet:

   
Building and installing httpd-plus binary and manpage ...
/usr/src/usr.sbin/httpd/obj -> /usr/obj/usr.sbin/httpd
make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)
Stop in /usr/src/usr.sbin/httpd
Restoring original sources ... Done.
Installing httpd-plus failed (exitcode: 2).

This logic worked on 6.9, what’s the difference?  Why can’t /usr/lib/crt0.o be 
found or made?  How to get past this error without needing to install the 
“comp” package during installation?

PS: I don’t want “comp” on the production system. After installing 
“httpd-plus”, I run the following command to remove it: (cd /root && for i in 
`tar -tzvf /root/comp70.tgz | awk '{print $NF}'`; do rm -rf $i; done) && rm 
/root/comp70.tgz

[1] https://github.com/mpfr/httpd-plus/tree/7.0-stable

Thanks,
Kent




Re: `jq` won't chroot?

2021-07-16 Thread Kent Watsen
Thanks Theo!


> It seems you copied libjq and libonig into usr/local/lib in the chroot.
> By default, ld.so only looks for shared objects in /usr/lib, so it can't
> find them.
> 
> # env LD_LIBRARY_PATH=/usr/lib:/usr/local/lib chroot /var/www 
> /usr/local/bin/jq --version
> 
> should work.

Indeed it did.  Shorter:

env LD_LIBRARY_PATH='/usr/local/lib:$LD_LIBRARY_PATH' /usr/local/bin/jq --version


> Chrooting to / works because rc(8) runs ldconfig(8) to add
> /usr/local/lib and /usr/X11R6/lib if they're present.
> 
> You can copy all the libraries into /var/www/usr/lib, you can set
> LD_LIBRARY_PATH=/usr/local/lib:/usr/, or you can run ldconfig in the
> chroot.
> 
> Read ld.so(1) and ldconfig(8) for more details.

Yes, setting `ldconfig -n /usr/local/lib` is a more sticky option.  

The `env` approach seems best when just one `jq` command, whereas the 
`ldconfig` approach seems better when there is more than one `jq` command...


Thanks!

K.
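
This thread and the `gd.so` thread further up come down to the same condition: a needed library sits in a directory that ld.so is not searching. As an added example (not from either thread), the script below parses `ldd` output in the OpenBSD column layout and the `search directories:` line of `ldconfig -r`, then reports libraries that are absent from a chroot or outside its search list. The sample `ldd` text is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): find shared objects that ld.so will
# not locate. Function names are hypothetical.

# Constructed sample in the column layout of OpenBSD ldd(1); the addresses
# and library versions are made up for illustration.
SAMPLE_LDD='/usr/local/bin/jq:
    Start            End              Type  Open Ref GrpRef Name
    00000b5e10a00000 00000b5e10a52000 exe   1    0   0      /usr/local/bin/jq
    00000b60c2d31000 00000b60c2d83000 rlib  0    1   0      /usr/local/lib/libjq.so.1.0
    00000b6101a47000 00000b6101ad2000 rlib  0    2   0      /usr/local/lib/libonig.so.7.1
    00000b60f4c15000 00000b60f4d0b000 rlib  0    1   0      /usr/lib/libc.so.96.0
    00000b60a8e00000 00000b60a8e00000 ld.so 0    1   0      /usr/libexec/ld.so'

# Read `ldconfig -r` output on stdin and print its colon-separated
# "search directories:" list.
hint_dirs() {
    sed -n 's/^[[:space:]]*search directories:[[:space:]]*//p' | head -n 1
}

# Read ldd output on stdin and print the path of every shared library.
# Only "rlib" and "dlib" rows are libraries; the header, "exe" and "ld.so"
# rows are skipped.
ldd_libs() {
    awk '$3 == "rlib" || $3 == "dlib" { print $NF }'
}

# $1 = colon-separated search list; library paths on stdin.
# Print each library whose directory is not in the list.
outside_search_path() {
    awk -v dirs="$1" '
        BEGIN { n = split(dirs, d, ":"); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
        { dir = $0; sub("/[^/]*$", "", dir); if (!(dir in ok)) print $0 }'
}

# $1 = chroot directory, $2 = search list in effect inside the chroot
# (just /usr/lib unless ldconfig was run there or LD_LIBRARY_PATH is set);
# ldd output on stdin. Flags libraries that were never copied in, and
# libraries that were copied to a directory ld.so will not look in.
chroot_report() {
    ldd_libs | while IFS= read -r lib; do
        if [ ! -e "$1$lib" ]; then
            echo "missing     $lib"
        elif [ -n "$(printf '%s\n' "$lib" | outside_search_path "$2")" ]; then
            echo "unsearched  $lib"
        fi
    done
}

# Usage on a live system:
#   ldd /usr/local/bin/jq | chroot_report /var/www /usr/lib
#   ldd_libs < ldd.out | outside_search_path "$(ldconfig -r | hint_dirs)"
```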



Re: `jq` won't chroot?

2021-07-16 Thread Kent Watsen
Easy button for putting all the dependency files into the chroot:

# for f in `ldd /usr/local/bin/jq | grep '0' | awk '{print $7}'`; do
    d=`dirname $f | sed 's#^/##'`
    mkdir -p /var/www/$d
    cp $f /var/www/$d/
done

K.


> On Jul 16, 2021, at 6:24 PM, Kent Watsen  wrote:
> 
> I’ve spent a few hours on this and am lost.  I have plenty of experience moving 
> executables into chroot environments, but `jq` is proving to be 
> exceptionally difficult.
> 
> The executable is found when chrooted to ‘/’ but not ‘/var/www’.  Yes, of 
> course I copied all the files referenced from `ldd` into the chroot, and set 
> their file permissions to 777 (and likewise all the parent directories):
> 
> # pkg_add jq
> 
> # chroot / /usr/local/bin/jq --version 
> jq-1.6
> 
> *** COPY `ldd /usr/local/bin/jq` DEPENDENCIES INTO  /var/www/ HERE ***
> 
> # chroot /var/www /usr/local/bin/jq --version  
> ld.so: jq: can't load library 'libonig.so.7.1'
> Killed
> 
> Any ideas?
> 
> K.
> 



`jq` won't chroot?

2021-07-16 Thread Kent Watsen
I’ve spent a few hours on this and am lost.  I have plenty of experience moving 
executables into chroot environments, but `jq` is proving to be exceptionally 
difficult.

The executable is found when chrooted to ‘/’ but not ‘/var/www’.  Yes, of 
course I copied all the files referenced from `ldd` into the chroot, and set 
their file permissions to 777 (and likewise all the parent directories):

# pkg_add jq

# chroot / /usr/local/bin/jq --version 
jq-1.6

*** COPY `ldd /usr/local/bin/jq` DEPENDENCIES INTO  /var/www/ HERE ***

# chroot /var/www /usr/local/bin/jq --version  
ld.so: jq: can't load library 'libonig.so.7.1'


Any ideas?

K.



Re: am and nfsv3

2021-07-05 Thread Kent Watsen


>> Does openbsd amd use NFSv3 ?
>> 
>> Thanks in advance.
>> 
> 
> No, NFSv2, according to a recent post on this list.


This is incorrect; mount_nfs(8) clearly indicates support for v2 and v3 (the 
default).

The recent debate has been around whether to support v4.  For instance:


https://www.reddit.com/r/openbsd/comments/9r07ju/nfs_v4_support_and_pnfs/ 


And

http://openbsd-archive.7691.n7.nabble.com/nfsv4-td18690.html 


K.



Re: default authentication-failed page

2021-06-19 Thread Kent Watsen
[My previous message was clobbered by the mailer because, I think, it contained 
some non-ASCII characters]


>> Perfect, but I’m hesitant to use without long-term viability.
> 
> Since I have no plans to give up OpenBSD, you shouldn't worry
> too much about this.

Fair, and one could fork your repo if need be...

I've installed httpd-plus now and the issue resolved perfectly.  Thank you.


>> Any plan for merging into base?
> 
> I don't have that in my hand.

Fingers crossed.


K.





Re: default authentication-failed page

2021-06-19 Thread Kent Watsen


Hi Matthias,

Perfect, but I’m hesitant to use without long-term viability.  Any plan for 
merging into base?

PS: nice project…and your other repos too!

K.



> On Jun 19, 2021, at 3:27 AM, Matthias Pressfreund  wrote:
> 
> Have you tried this?
> 
> https://github.com/mpfr/httpd-plus#custom-error-documents
> 
> 
> 
> On 2021-06-19 07:26, Kent Watsen wrote:
>> This is incredibly basic, but after reading httpd.conf(5) and random web 
>> searches, I’ve been unable to determine how to customize the default failed 
>> login page (from the "authenticate" directive in httpd.conf) to be something 
>> other than:
>> 
>> 
>>  401 Unauthorized
>> 
>>  OpenBSD httpd
>> 
>> 
>> I'm guessing this means that it cannot be customized, but would be thrilled 
>> if someone knew a way.
>> 
>> K.
>> 



default authentication-failed page

2021-06-18 Thread Kent Watsen
This is incredibly basic, but after reading httpd.conf(5) and random web 
searches, I’ve been unable to determine how to customize the default failed 
login page (from the "authenticate" directive in httpd.conf) to be something 
other than:


401 Unauthorized

OpenBSD httpd


I'm guessing this means that it cannot be customized, but would be thrilled if 
someone knew a way.

K.



Re: Unconsistent two-level write speed bouncing on softraid RAID1 SSD's

2021-06-10 Thread Kent Watsen



>> The Crucial BX500 SSD uses SMR technology, which is best used for 
>> infrequent-write applications.  
>> For general-purpose, and especially NAS, applications, CMR technology should 
>> be used. 
> 
> hmm, does SMR stand for something other than "shingled magnetic recording"
> related to storage? that only relates to HD not SSD.

You're right.

I was confused because I was recently burned by both SMR-based and MX500-based 
issues, and hence conflated them after a quick "BX500 SMR" search 
seemed to return hits.

I recall now that the MX500 SSDs were really quite amazing, but I couldn't use 
them because they don't report ATA TRIM in a way that is understood by the LSI 
HBAs I have.

K.

 


Re: Unconsistent two-level write speed bouncing on softraid RAID1 SSD's

2021-06-10 Thread Kent Watsen
The Crucial BX500 SSD uses SMR technology, which is best used for 
infrequent-write applications.  

For general-purpose, and especially NAS, applications, CMR technology should be 
used. 

K. 

> On Jun 10, 2021, at 6:20 AM, Xavier Sanchez  wrote:
> 
> Hi ! not so surprising news: hardware is the problem
> 
> I managed to get one of the two disks apart yesterday and I figured out
> that those disks was in cause. (both of them)
> 
> Written from my laptop directly to the device and 
> - good and constant read speed
> - bouncing 7MB/s to high write speed
> 
> I did looked at the serial number, they're the same.
> 
> Manufacturer's support suggests that if there's no trim, write speed
> may be impacted ( but so much ? ) and told to let the disk idle for 6
> to 8 hours so the internal garbage collector could clean it.
> 
> I tried that with no luck as well.
> 
> Read somewhere that issuing a security erase could also help. So I
> tried issuing the following:
> 
> # atactl sd0c secsetpass user high  
> User password:   
> Retype user password:
> atactl: ATA device returned error register 0 
> 
> But any sec* command returned:
> atactl: ATA device returned error register 0
> 
> even after a coldboot ( non-frozen ), despite the devices supports the
> Security Mode feature set
> 
> - Am I attempting to issue the security erase the wrong way ?
> 
> To me it was 0) check if not frozen 2) set user pass 3) issue security
> erase command with password.
> 
> # atactl sd0c  
> Model: CT480BX500SSD1, Rev:  M6CR022, Serial #: 2030E408CA88
> Device type: ATA, fixed
> Cylinders: 16383, heads: 16, sec/track: 63, total sectors: 937703088
> Device capabilities:
>ATA standby timer values
>IORDY operation
>IORDY disabling
> Device supports the following standards:
> ATA-3 ATA-4 ATA-5 ATA-6 ATA-7 ATA-8 ATA-9 ATA-10 
> Master password revision code 0xfffe
> Device supports the following command sets:
>NOP command
>READ BUFFER command
>WRITE BUFFER command
>Host Protected Area feature set
>Read look-ahead
>Write cache
>Power Management feature set
>Security Mode feature set
>SMART feature set
>Flush Cache Ext command
>Flush Cache command
>48bit address feature set
>Advanced Power Management feature set
>DOWNLOAD MICROCODE command
> Device has enabled the following command sets/features:
>NOP command
>READ BUFFER command
>WRITE BUFFER command
>Host Protected Area feature set
>Read look-ahead
>Write cache
>Power Management feature set
>SMART feature set
>Flush Cache Ext command
>Flush Cache command
>48bit address feature set
>DOWNLOAD MICROCODE command
> 
> 
>> On Wed, 2021-06-09 at 03:45 +0200, xavie...@mailoo.org wrote:
>> Hello, There's a strange write speed bounce behavior on my SATA
>> softraid
>> RAID1 SSD (Crucial BX500 480GB 3D NAND). Sequential writes starts
>> high
>> (~450MB/s with dd and a bs of 1M) then after about 30s to 1:30 minute
>> it
>> falls to a low ~7MB/s for one minute, then bounce back to the high
>> speed
>> of 450MB/s and so forth.
>> 
>> Maybe the problem come from my Crucial BX500 480GB 3D NAND SATA 2.5-
>> inch
>> SSD which are new. But I'm not 100% sure what's happening really.
>> Maybe
>> this would help someone facing a similar situation with this
>> particular
>> high / low write speed bounces. I also tried with a second softraid
>> on
>> the same machine but with spinning USB disks. No problems so far, the
>> write speed is constant. Read speed are fine and constant on SSD as
>> well.
>> 
>> Please let me know if there something I should try to workaroud or
>> identify this
>> problem.
>> 
>> Reproduction scenario:
>> 
>> note: The test I made to show you used the default 512B block size
>> with dd (so
>> the high speed is limited to ~130MB/s and the low speed remains
>> around 7MB/s)
>> 
>> - disabled pf and system logs
>> - dd if=/dev/zero of=testfile # on /home
>> - iostat -w1 sd0 sd1 sd6 # chunk0 chunk1 softraid_volume
>> 
>> See iostat: for results
>> 
>> mount:
>> /dev/sd6a on / type ffs (local, softdep)
>> /dev/sd6h on /home type ffs (local, nodev, nosuid, softdep)
>> /dev/sd6e on /tmp type ffs (local, nodev, nosuid, softdep)
>> /dev/sd6f on /usr type ffs (local, nodev, softdep)
>> /dev/sd6g on /var type ffs (local, nodev, nosuid, softdep)
>> 
>> disklabel:
>> # /dev/rsd0c:
>> type: SCSI
>> disk: SCSI disk
>> label: CT480BX500SSD1
>> duid: 808fe38d1751a671
>> flags:
>> bytes/sector: 512
>> sectors/track: 63
>> tracks/cylinder: 255
>> sectors/cylinder: 16065
>> cylinders: 58369
>> total sectors: 937703088
>> boundstart: 64noatimenoatime
>> boundend: 937697985
>> drivedata: 0
>> 
>> 16 partitions:
>> # size offset fstype [fsize bsize cpg]
>> a: 937697921 64 RAID

Re: Using relayd as a reverse proxy for multiple local servers

2021-05-27 Thread Kent Watsen


I did this too, because I have:

   1) a single external IP
   2) multiple internal HTTP-based services
   3) a port-based firewall policy

This whole issue would disappear, and remove a single point of failure 
(relayd), if my firewall directed inbound traffic based on URLs (for port 80) 
and SNI (for port 443).  Alas, I’m not there yet, and this setup has been 
working okay for me for a couple years now.  

My biggest complaint is that, if one internal site is down (e.g., 'www'), 
`relayd` will direct traffic to that site to another (‘blog’), which may seem 
innocent, but could be a real problem if, e.g., the external IP is shared by 
multiple domains and traffic to 'www.domain1.com' gets mapped to 
‘www.domain2.com’.  I’ve never really looked into solving the issue, as it’s 
easier to restart the downed service, but would be thrilled if someone could 
explain how to fix it.

A redacted version of my /etc/relayd.conf follows.  But note that I also have 
`httpd` running on this machine, listening for inbound port 80 requests, in 
order to 1) handle ACME requests and 2) redirect all port 80 requests to port 
443.  Both configs follow.

PS: there are many ways to skin the cat.  For example, you’re running different 
httpd instances on ports versus my running them on different VMs.  Also, how we 
approach handling port 80 and ACME requests.  Still, hopefully seeing my config 
helps.

K.


 /etc/httpd.conf 

# This rule is used to redirect all (except ACME) external
# HTTP/80 requests to the HTTPS/443 equivalent.
#
# Note that `relayd` (/etc/relayd.conf) terminates *all*
# external HTTPS/443 requests and forwards them to
# the appropriate HTTP/80 server

server "default" {
  listen on egress port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location "*" {
    block return 301 "https://$HTTP_HOST$REQUEST_URI"
  }
}


 /etc/relayd.conf 

# this is the ONLY machine that accepts inbound connections to
# :443 
#
# it uses the certificate maintained by Let's Encrypt (acme-client)
#
# it forwards the request to the correct :80
# via inspecting the "Host" HTTP header field's value

# define some variables
www_example_net="10.0.1.X"
blog_example_net="10.0.1.Y"
git_example_net="10.0.1.Z"

# make a table out of each
table  { $www_example_net }
table  { $blog_example_net }
table  { $git_example_net }

# http protocol-specific rules
http protocol "my_http_protocol_config" {
    match request header "Host" value "www.example.net" forward to 
    match request header "Host" value "blog.example.net" forward to 
    match request header "Host" value "git.example.net" forward to 

    match response header remove "Server"

    # is this supposed to be "request" or "response"? (I see both in the forums!)
    match request header set "Connection" value "close"
    match response header set "Connection" value "close"

    tcp { nodelay, sack }

    tls keypair example.net
}

# handle inbound port 443 traffic
relay "my_relay" {
    listen on egress port 443 tls
    protocol my_http_protocol_config
    forward to  port 80 check tcp
    forward to  port 80 check tcp
    forward to  port 80 check tcp
}





kernel size over time

2021-05-12 Thread Kent Watsen
I used to be able to install OpenBSD on a 1G disk (sets: -x* -g* -c*) and 256M 
ram, but no more….now a 1280M disk + 384M ram is needed.

After a little sleuthing, the primary reason seems to be that the size of 
/usr/share/relink/kernel/GENERIC/ has been growing:

Rel  Size
 
6.4  217M
6.5  223M
6.6  339M
6.7  
6.8  465M
6.9  469M

Not that it really matters, but does anyone know why the kernel has grown this 
much over the releases?

K.



Re: Hi, general question about cryptography...

2021-04-23 Thread Kent Watsen
[My SMTP-client is garbling my mail again!  Just changed it to always send 
plain-text! Sorry for the noise :sigh:]

OT, but that’s a signature and doesn’t imply that the content has been 
encrypted.  I suggest you ask your friend about it.

K.


> On Apr 23, 2021, at 6:52 PM, Kent Watsen  wrote:
> 
> OT, but thatb
> 
> K.
> 
> 
> 
>> On Apr 22, 2021, at 8:35 PM, Braden Speer  wrote:
>> 
>> I had a friend make me backups of some pretty important information, and for 
>> some reason I can't get my head around it...
>> It seems there was a passphrase associated with the files which I recall, 
>> but honestly the format I'm not certain how to access, mind you this is a 
>> question to OpenBSD because it is known for it's particular interest in 
>> cryptography, yet the files are somehow attributed to Windows XP - just to 
>> put it out there, I have no idea what to do... here's a screenshot about a 
>> file and it's attributes, hopefully someone can help me out.
>> 
>> In the main properties window it says this,
>> 
>> Name of Signer:
>> Microsoft Windows Component Publisher
>> 
>> Digest Algorithm:
>> sha1
>> 
>> Then this slew of information, in the attached image...
>> 
>> I just need directions unto how to decrypt the information, and a program, 
>> or OpenBSD commands, which I might need to do so.
>> 
>> Thank you so much,
>> -Braden.
>> 
>> 
> 



Re: Hi, general question about cryptography...

2021-04-23 Thread Kent Watsen
OT, but that’s a signature and doesn’t imply that the content has been 
encrypted.  I suggest you ask your friend about it.

K.



> On Apr 22, 2021, at 8:35 PM, Braden Speer  wrote:
> 
> I had a friend make me backups of some pretty important information, and for 
> some reason I can't get my head around it...
> It seems there was a passphrase associated with the files which I recall, but 
> honestly the format I'm not certain how to access, mind you this is a 
> question to OpenBSD because it is known for it's particular interest in 
> cryptography, yet the files are somehow attributed to Windows XP - just to 
> put it out there, I have no idea what to do... here's a screenshot about a 
> file and it's attributes, hopefully someone can help me out.
> 
> In the main properties window it says this,
> 
> Name of Signer:
> Microsoft Windows Component Publisher
> 
> Digest Algorithm:
> sha1
> 
> Then this slew of information, in the attached image...
> 
> I just need directions unto how to decrypt the information, and a program, or 
> OpenBSD commands, which I might need to do so.
> 
> Thank you so much,
> -Braden.
> 
> 



Re: default Offset to 1MB boundaries for improved SSD (and Raid Virtual Disk) partition alignment

2021-04-21 Thread Kent Watsen
[My previous message was somewhat garbled when reflected back at me.  It looks 
better in the archives here: 
https://marc.info/?l=openbsd-misc&m=161902769301731&w=2.  I’m resending as 
plain-text to see if the problem is on my end.]


I’m running OpenBSD on top of bHyve using virtual disks allocated out of ZFS 
pools.  While not the same setup, some concepts carry over...

I have two types of pools:

  1) an "expensive" pool for fast random IO:
     - this pool is made up of stripes of SSD-based vdevs.
     - ZFS is configured to use a 16K recordsize for this pool.
     - good for small files (guest OS, DBs, web/mail/dns files, etc.)
     - When ZFS is told to use the SSD, it starts the partition
       on sector 256 (not the default sector 34) to ensure good
       SSD NAND alignment.

  2) a less-expensive pool for large sequential IO:
     - this pool is a single RAIDZ2-based vdev using spinning rust.
     - ZFS is configured to use a 1M recordsize for this pool.
     - good for large files (movies, high-res images, backups, etc.)

Virtual disks are exposed to the OpenBSD guests from both pools.  The guest’s 
root-disk is always allocated from pool #1.  Typically, a second 
application-specific disk is also allocated from pool #1 (e.g., /var/www/sites 
on a web server, /home on a mail server, etc.).  Only in special circumstances 
(e.g., a media server) is a disk allocated from pool #2. 

This arrangement steps around needing to read/write 1M blocks for each small 
file access, and also the possibility that a guest accessing a given block will 
span more than a single physical block.

Can VMWare virtual disks be configured similarly?

K.




Re: default Offset to 1MB boundaries for improved SSD (and Raid Virtual Disk) partition alignment

2021-04-21 Thread Kent Watsen
I’m running OpenBSD on top of bHyve using virtual disks allocated out of ZFS 
pools.  While not the same setup, some concepts carry over…

I have two types of pools:

  1) an "expensive" pool for fast random IO:
     - this pool is made up of stripes of SSD-based vdevs.
     - ZFS is configured to use a 16K recordsize for this pool.
     - good for small files (guest OS, DBs, web/mail/dns files, etc.)
     - When ZFS is told to use the SSD, it starts the partition
       on sector 256 (not the default sector 34) to ensure good
       SSD NAND alignment.

  2) a less-expensive pool for large sequential IO:
     - this pool is a single RAIDZ2-based vdev using spinning rust.
     - ZFS is configured to use a 1M recordsize for this pool.
     - good for large files (movies, high-res images, backups, etc.)

Virtual disks are exposed to the OpenBSD guests from both pools.  The guest’s 
root-disk is always allocated from pool #1.  Typically, a second 
application-specific disk is also allocated from pool #1 (e.g., /var/www/sites 
on a web server, /home on a mail server, etc.).  Only in special circumstances 
(e.g., a media server) is a disk allocated from pool #2. 

This arrangement steps around needing to read/write 1M blocks for each small 
file access, and also the possibility that a guest accessing a given block will 
span more than a single physical block.

Can VMWare virtual disks be configured similarly?

K.


> On Apr 21, 2021, at 12:35 PM, Tom Smyth  wrote:
> 
> Christian, Otto, Thanks for your feedback on this one
> 
> I'll research it further,
> but NTFS has 4K, 8K, 32K and 64K allocation units on the
> filesystem, and for Microsoft Windows running Exchange or database workloads
> they were recommending alignment of the NTFS partitions
> on the 1MB offset also.
> 
> From Otto's explanation (thanks), 1/16 of blocks would potentially
> cross a boundary of the storage subsystem;
> 6.25% of reads (or writes) could result in a double read (or double write).
> 
> Of course the write issue is a bigger problem for the SSDs.
> 
> I can configure the partitions how I want, for now anyway.
> 
> I'll do a little digging on FFS and FFS2 and see how the filesystem
> database (or table) is structured...
> 
> Thanks for the feedback it is very helpful to me
> 
> All the best,
> 
> Tom Smyth
> 
> 
> 
> On Wed, 21 Apr 2021 at 15:25, Christian Weisgerber  wrote:
>> 
>> Tom Smyth:
>> 
>>> if you were to have a 1MB file or a database that needed to read 1MB
>>> of data, if the partitions are not aligned then
>>> your underlying storage system needs to load 2 chunks or write 2
>>> chunks for 1 MB of data written,
>> 
>> You seem to assume that FFS2 would align a 1MB file on a 1MB border
>> within the filesystem.  That is not the case.  That 1MB file will be
>> aligned on a blocksize border (16/32/64 kB, depending on filesystem
>> size).  Aligning the partition on n*blocksize has no effect on this.
>> 
>> --
>> Christian "naddy" Weisgerber  na...@mips.inka.de
> 
> 
> 
> -- 
> Kindest regards,
> Tom Smyth.
> 



Boot 6.8 MP hangs after install

2020-12-29 Thread Kent Watsen
I've been running a bunch of VMs on KVM/Qemu for close to 12 years now.  Every 
year or so, I upgrade a few of them...to keep them "fresh".   Now I'm trying to 
replace a VM having two CPUs that has been running 6.5 for about the 
last year.  My general strategy is to do a fresh install into a second VM that 
becomes operational at the last minute.

I'm running into an issue that I've discovered thru testing occurs in 6.6, 6.7, 
and 6.8.  The issue is that the reboot after install hangs on a line that says 
"root on wd0a (8be0ca9d19d7f68f.a) swap on wd0b dump on wd0b".  If I power-off 
the VM, reconfigure the VM to have just one CPU, and boot it again (the same MP 
kernel), then OpenBSD comes up completely.  So, it's not the MP kernel 
(bsd.mp), but the presence of the second CPU?

FWIW, I'm able to install/run a VM running 6.8 no problem when NOT using the MP 
kernel (i.e., I provision just one CPU to the VM before installing OpenBSD).

Heads up: I am running a somewhat old hypervisor: "QEMU emulator version 0.14.1 
(qemu-kvm-devel), Copyright (c) 2003-2008 Fabrice Bellard".

Below is the `dmesg` output for:
  1) a 6.5 MP install, running with two CPUs.
  2) a 6.8 MP install, but running with just one CPU.
  3) There's also a diff between the two above.

Any thoughts on what may have changed, starting in 6.6 and continuing to 6.8, 
that would cause bsd.mp to hang when a second CPU is present?

Thanks,
K.



#
# dmesg output for a 6.5 MP install, running with two CPUs 
#

OpenBSD 6.5 (GENERIC.MP) #3: Sat Apr 13 14:48:43 MDT 2019
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 251645952 (239MB)
avail mem = 234508288 (223MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xec0 (11 entries)
bios0: vendor Bochs version "Bochs" date 01/01/2007
bios0: Bochs Bochs
acpi0 at bios0: rev 0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: QEMU Virtual CPU version 0.14.1, 7599.32 MHz, 06-02-03
cpu0: 
FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16,POPCNT,HV,NXE,LONG,LAHF,ABM,SSE4A,PERF
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 
16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 1390MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: QEMU Virtual CPU version 0.14.1, 2515.09 MHz, 06-02-03
cpu1: 
FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16,POPCNT,HV,NXE,LONG,LAHF,ABM,SSE4A,PERF
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 
16-way L2 cache
cpu1: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu1: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins, remapped
acpihpet0 at acpi0: counter not incrementing
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
"ACPI0006" at acpi0 not configured
acpipci0 at acpi0 PCI0: _OSC failed
acpicmos0 at acpi0
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 1024MB, 2097152 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 2 int 10
iic0 at piixpm0
iic0: addr 0x18 00=69 01=8f 02=8f 03=8f 04=8f 05=8f 06=8f 07=8f 08=8f 09=c1 
0a=e6 3e=69 48=69 4a=69 4e=69 fc=69 fe=69 words 00= 01= 02= 03= 
04= 05= 06= 07=
iic0: addr 0x19 3e=69 48=69 4a=69 4e=69 fc=69 fe=69 words 00= 01= 
02= 03= 04= 05= 06= 07=
iic0: addr 0x1a 00=69 01=8f 02=8f 03=8f 04=8f 05=8f 06=8f 07=8f 08=8f 09=c1 
0a=e6 3e=69 48=69 4a=69 4e=69 fc=69 fe=69 words 00= 01= 02= 03= 
04= 05= 06= 07=
iic0: addr 0x1b 3e=69 48=69 4a=69 4e=69 fc=69 fe=69 words 00= 01= 
02= 03= 04= 05= 06= 07=
iic0: addr 0x1c 0f=06 3e=69 48=69 4a=69 4e=69 fc=69 fe=69 words 00= 01= 
02= 

Re: running git server with "smart http" protocol

2020-01-19 Thread Kent Watsen


For posterity, the issue was that the `git` command itself needs to be in the 
jail also.  This is not written down anywhere.  I only determined it after 
reading the source code for `git-http-backend`.

This is my init script now:

    # cd /var/www
    # for c in git git-http-backend git-upload-pack git-receive-pack ; do
        for f in `ldd /usr/local/libexec/git/$c | grep '/usr/' | grep -v ':' | awk '{print $7}'`; do
          d=`dirname $f | sed 's#^/##'`
          mkdir -p $d
          cp $f $d
        done
      done

Also, regarding the rewrite rules mentioned before, they are only needed if 
wanting to discriminate between `git` and web requests pointing to the same URL.

Kent
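The fix described in the message above (copy every helper and its `ldd` closure into the chroot, `git` included, then confirm nothing is missing), as an added example that is not part of the original post. The function names, the optional `SRCROOT` argument and the sample `ldd` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: populate and audit an httpd chroot for git-http-backend.
# Function names and the SRCROOT parameter are hypothetical.

GIT_EXEC_DIR=/usr/local/libexec/git
# The helpers the post ends up copying; `git` is the one that was missing.
GIT_HELPERS="git git-http-backend git-upload-pack git-receive-pack"

# Constructed sample of OpenBSD ldd(1) output (addresses and library
# versions are made up), so the parser can be exercised offline.
sample_ldd_output() {
    cat <<'EOF'
/usr/local/libexec/git/git-http-backend:
    Start            End              Type  Open Ref GrpRef Name
    00000a0000000000 00000a0000300000 exe   1    0   0      /usr/local/libexec/git/git-http-backend
    00000a0100000000 00000a0100020000 rlib  0    1   0      /usr/lib/libz.so.5.0
    00000a0200000000 00000a0200100000 rlib  0    1   0      /usr/lib/libc.so.95.0
    00000a0300000000 00000a0300000000 ld.so 0    1   0      /usr/libexec/ld.so
EOF
}

# Read ldd output on stdin and print each object path once: the executable
# itself, its shared libraries and ld.so. Selecting on the Type column
# replaces the post's grep '/usr/' | grep -v ':' filter.
jail_paths_from_ldd() {
    awk '($3 == "exe" || $3 == "rlib" || $3 == "ld.so") && !seen[$NF]++ { print $NF }'
}

# Copy each absolute path read on stdin to the same location under JAIL.
# SRCROOT defaults to empty, meaning files are read from the live system.
populate_jail() {
    _jail=$1
    _srcroot=${2:-}
    while IFS= read -r _path; do
        case $_path in
            /*) ;;
            *) echo "skipping non-absolute path: $_path" >&2; continue ;;
        esac
        mkdir -p "$_jail$(dirname "$_path")" || return 1
        cp -p "$_srcroot$_path" "$_jail$_path" || return 1
    done
}

# Print every required helper that is absent or not executable inside JAIL.
# Returns 1 if anything is missing, the condition the post traced the
# "cannot run upload-pack: No such file or directory" error to.
missing_helpers() {
    _jail=$1
    _rc=0
    for _h in $GIT_HELPERS; do
        if [ ! -x "$_jail$GIT_EXEC_DIR/$_h" ]; then
            echo "$GIT_EXEC_DIR/$_h"
            _rc=1
        fi
    done
    return $_rc
}

# On a live system (as root), mirroring the loop in the post:
#   for h in $GIT_HELPERS; do ldd "$GIT_EXEC_DIR/$h"; done \
#       | jail_paths_from_ldd | populate_jail /var/www
#   missing_helpers /var/www || echo "jail incomplete" >&2

# Offline demonstration: paths extracted from the constructed sample.
sample_ldd_output | jail_paths_from_ldd
```

Running `missing_helpers` after every package upgrade also catches the case where a helper was added to the jail once but its copy has since been removed or lost its execute bit.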




Re: running git server with "smart http" protocol

2020-01-17 Thread Kent Watsen


Regarding the rewrite rules below, `man git-http-backend` is instructive
...though it would be better if updated for OpenBSD's native `httpd`  ;)

K.


> 6) set /etc/httpd.conf
> 
>  server "default" {
>      listen on 0.0.0.0 port 80
> 
>      # these two rules are trying to match https://git-scm.com/docs/git-http-backend,
>      # but I suspect that I botched them...
>      location match "^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))$" {
>          request rewrite "/usr/local/libexec/git/git-http-backend/%1"
>      }
>      location match "^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$" {
>          request rewrite "/usr/local/libexec/git/git-http-backend/%1"
>      }
> 
>      location "/docs/*" {
>          fastcgi {
>              socket "/run/slowcgi.sock"
>              param DOCUMENT_ROOT "/"
>              param GIT_HTTP_EXPORT_ALL ""
>              param GIT_PROJECT_ROOT "/git-repos"
>              param SCRIPT_FILENAME "/usr/local/libexec/git/git-http-backend"
>          }
>      }
>  }



running git server with "smart http" protocol

2020-01-17 Thread Kent Watsen
TL;DR;  The current issue is this error:

error: cannot run upload-pack: No such file or directory


Steps:

1) OpenBSD 6.5 fresh install

2) pkg_add git

3) make /var/www/dev/null

   # mkdir dev
   # mknod dev/null c 2 2
   # chmod 666 dev/null

4) put `git-http-backend` into jail

   # for f in `ldd /usr/local/libexec/git/git-http-backend | grep '/usr/' | grep -v ':' | awk '{print $7}'`; do
       d=`dirname $f | sed 's#^/##'`
       mkdir -p $d
       cp $f $d
     done

5) put `git-upload-pack` into jail

   # for f in `ldd /usr/local/libexec/git/git-upload-pack | grep '/usr/' | grep -v ':' | awk '{print $7}'`; do
       d=`dirname $f | sed 's#^/##'`
       mkdir -p $d
       cp $f $d
     done

6) set /etc/httpd.conf

  server "default" {
      listen on 0.0.0.0 port 80

      # these two rules are trying to match https://git-scm.com/docs/git-http-backend,
      # but I suspect that I botched them...
      location match "^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))$" {
          request rewrite "/usr/local/libexec/git/git-http-backend/%1"
      }
      location match "^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$" {
          request rewrite "/usr/local/libexec/git/git-http-backend/%1"
      }

      location "/docs/*" {
          fastcgi {
              socket "/run/slowcgi.sock"
              param DOCUMENT_ROOT "/"
              param GIT_HTTP_EXPORT_ALL ""
              param GIT_PROJECT_ROOT "/git-repos"
              param SCRIPT_FILENAME "/usr/local/libexec/git/git-http-backend"
          }
      }
  }

7) create "docs" repo:

  # mkdir git-repos
  # git init --bare git-repos/docs
  # cd git-repos/docs/; git update-server-info; cd -

8) In one window:

  # httpd -d -vv

9) In another window:

  # slowcgi -d

10) In a 3rd window:

  # git clone http://127.0.0.1/docs 
  Cloning into 'docs'...
  fatal: Could not read from remote repository.

  Please make sure you have the correct access rights
  and the repository exists.

11) Observe output in the `httpd` window:

  error: cannot run upload-pack: No such file or directory

  default 127.0.0.1 - - [17/Jan/2020:11:36:35 -0500] "GET /docs/info/refs?service=git-upload-pack HTTP/1.1" 200 0
  server default, client 1 (1 active), 127.0.0.1:47830 -> 127.0.0.1, closed

Notables here:

    # ls -l git-repos/docs/info/refs
    -rw-r--r--  1 root  daemon  0 Jan 17 11:50 git-repos/docs/info/refs

    # file git-repos/docs/info/refs
    git-repos/docs/info/refs: empty

(but, from experience, I know that this is a text file, not something 
that might take an HTTP query parameter)

12) Observe output in the `slowcgi` window:

  slowcgi: inflight incremented, now 1
  slowcgi: version: 1
  slowcgi: type:1
  slowcgi: requestId:   1
  slowcgi: contentLength:   8
  slowcgi: paddingLength:   0
  slowcgi: reserved:0
  slowcgi: role 1
  slowcgi: flags0
  slowcgi: version: 1
  slowcgi: type:4
  slowcgi: requestId:   1
  slowcgi: contentLength:   729
  slowcgi: paddingLength:   0
  slowcgi: reserved:0
  slowcgi: env[0], PATH_INFO=/docs/info/refs
  slowcgi: env[1], SCRIPT_NAME=
  slowcgi: env[2], SCRIPT_FILENAME=/
  slowcgi: env[3], QUERY_STRING=service=git-upload-pack
  slowcgi: env[4], DOCUMENT_ROOT=/htdocs
  slowcgi: env[5], DOCUMENT_URI=/docs/info/refs
  slowcgi: env[6], GATEWAY_INTERFACE=CGI/1.1
  slowcgi: env[7], HTTP_ACCEPT=*/*
  slowcgi: env[8], HTTP_ACCEPT_ENCODING=deflate, gzip
  slowcgi: env[9], HTTP_HOST=127.0.0.1
  slowcgi: env[10], 

Re: When will be created a great desktop experience for OpenBSD?

2019-05-07 Thread Kent Watsen
Probably not what the OP is looking for, but `tmux` is my current "window 
manager" of choice  ;)

K.



> On May 7, 2019, at 2:01 PM, Otto Moerbeek  wrote:
> 
> On Tue, May 07, 2019 at 02:01:34AM -0300, Clark Block wrote:
> 
>> In 2019 still there is not a great desktop experience for NetBSD. However,
>> the new "OS108" is seeking to improve this with a NetBSD operating system
>> paired with the MATE desktop environment.
>> So, OS108, a derivative of NetBSD, has just been released:
>> https://os108.org/?ez_cid=CLIENT_ID(AMP_ECID_EZOIC)
>> 
>> When will be created a great desktop experience for OpenBSD?
> 
> Sigh,
> 
> We make what we think is good. If you think otherwise, you're free to
> create whatever from what we produce. We even include all kind of
> tools and packaged software to build something with OpenBSD as a base.
> 
> Go do it instead of trying to tell us what to do.
> 
>   -Otto
> 



`man 2 sysctl` issue

2019-05-07 Thread Kent Watsen


`man 2 sysctl` shows:


KERN_SEMINFO_SEMMNI (kern.seminfo.semni)
The maximum number of semaphore identifiers allowed.

KERN_SEMINFO_SEMMNU (kern.seminfo.semnu)
The maximum number of semaphore undo structures allowed
in the system.


But when using sysctl(8) or /etc/sysctl.conf, a couple variables need an extra 
'm':
  
semni --> semmni
semnu --> semmnu

Is this intentional?

Kent



Re: pip install (python3) requires some development libraries

2019-03-31 Thread Kent Watsen



> You are bypassing [OpenBSD] packages by using pip

True, but it's not "me" so much as the open source moinmoin wiki project.
I think, perhaps, on purpose, because it's a pure-Python release that uses
`virtualenv` (and `tox`, for devs) to maximize portability (it runs on all Unix
and Windows).


> so package manager is irrelevant
> here. I think it is a bad choice to do this though because if libldap or
> or some other libraries on the system are updated, your local installation
> of py-ldap may break.
> 
> Anyway, if you need to do this, OpenBSD compilers intentionally do not
> include /usr/local/lib / /usr/local/include in the default lib/header
> search path - you need to pass them via LDFLAGS/CPPFLAGS or another
> method. This is normal for building anything using libraries from
> packages.

Grok.


> The easiest way: update to OpenBSD -current where there is a newer
> version of py-ldap / py3-ldap in packages (we had to patch dependent
> ports to cope with API changes in py-ldap).

I tried installing `py-ldap` (and a bunch of other dependent packages) at
first, but saw that the moinmoin installer was `pip` installing all the packages
again inside the virtualenv, but see below...


> General recommendation even if you are installing python things from
> outside packages, is to use packages for any compiled extensions. Here's
> a nice example of the approach, using virtualenv to install netbox.
> https://blog.jasper.la/setting-up-netbox-on-openbsd.html

Ah ha, thanks for the link!   The "--system-site-packages" parameter should
sidestep the need to `pip install` that which is better installed via OpenBSD
packages.  Now I just need to get the moinmoin wiki devs to consider using
it, which may be tricky, due to the cross-platform nature of the project.


> If you need things which aren't already in packages (or are too old)
> then write a port or update (and test existing dependent ports) and send
> it to ports@.

Will do.


Thanks,
Kent



Re: pip install (python3) requires some development libraries

2019-03-31 Thread Kent Watsen
[CC-ing Remi, "python2.7" package maintainer]
[Stuart, already CC-ed, is maintainer of the "openldap-client" package]

The subject line of this email says "python3", but the same issue occurs
with python2.7 (this on OpenBSD 6.4).

I filed a report for the broken `pip install python-ldap` issue (technically a
`python setup.py build` issue) on GitHub here:

https://github.com/python-ldap/python-ldap/issues/273 


They claim it's an OpenBSD issue:

It's either a problem with OpenBSD, compiler settings, OpenBSD's
package manager, or Python on OpenBSD. The build system should
pick up default locations for headers and libraries.

/usr/local/include/lber.h comes from the "openldap-client" package but, as
the report below shows, the `cc` flags are passing "/usr/local/include/python*",
where '*' is "2.7" in my case and "3.6m" below.

So who's right?  Is this a "python-ldap" package issue or an OpenBSD issue?

FWIW, I am able to install python-ldap using Stuart's instructions below, but
doing so is inconvenient when the dependency comes when trying to `pip
install` an even higher-level Python package.

Thanks,
Kent



> On Aug 27, 2018, at 9:09 AM, Stuart Henderson  wrote:
> 
> On 2018/08/27 15:43, Максим wrote:
>> I manually downloaded the python-ldap-3.1.0.tar.gz archive (this packet is a 
>> dependency
>> which gives that error).
>> 
>> unpacked it and ran python setup.py build.
>> The same error:
>> "running build
>> running build_py
>> running egg_info
>> writing Lib/python_ldap.egg-info/PKG-INFO
>> writing dependency_links to Lib/python_ldap.egg-info/dependency_links.txt
>> writing requirements to Lib/python_ldap.egg-info/requires.txt
>> writing top-level names to Lib/python_ldap.egg-info/top_level.txt
>> reading manifest file 'Lib/python_ldap.egg-info/SOURCES.txt'
>> reading manifest template 'MANIFEST.in'
>> no previously-included directories found matching 'Doc/.build'
>> writing manifest file 'Lib/python_ldap.egg-info/SOURCES.txt'
>> running build_ext
>> building '_ldap' extension
>> cc -pthread -Wno-unused-result -Wsign-compare -Wunreachable-code -DNDEBUG
>> -O2 -pipe -fPIC -O2 -pipe -O2 -pipe -fPIC -DHAVE_SASL -DHAVE_TLS 
>> -DHAVE_LIBLDAP_R
>> -DHAVE_LIBLDAP_R -DLDAPMODULE_VERSION=3.1.0 -DLDAPMODULE_AUTHOR=python-ldap 
>> project
>> -DLDAPMODULE_LICENSE=Python style -IModules 
>> -I/home/misa/REQUEST_TRACKER/rt/include
>> -I/usr/local/include/python3.6m -c Modules/LDAPObject.c
>> -o build/temp.openbsd-6.4-amd64-3.6/Modules/
>> LDAPObject.o 
>>   
>> In file included from Modules/LDAPObject.c:8:
>> Modules/constants.h:7:10: fatal error: 'lber.h' file not found
>> #include "lber.h"
>>  ^~~~
>> 1 error generated.
>> error: command 'cc' failed with exit status 1
>>  
>> As already noticed THERE IS a file lber.h on my system.
>> The thing is it is not seen by the installer
>>  
>> I run pip3 inside a virtualenv.
>> Without using a venv I have the same result
> 
> For python-ldap 3.1.0 you will need to add the following to setup.cfg in
> the [_ldap] section.
> 
> library_dirs = /usr/local/lib
> include_dirs = /usr/local/include /usr/local/include/sasl
> 
> 



Re: identifying software and licenses used in base install

2018-01-18 Thread Kent Watsen


FWIW, the permission I seek is from my Legal department.  They want to 
ensure that 1) we don't use software having unacceptable licenses or in 
unacceptable ways, and 2) that the terms of all the copyrights are 
adhered to (e.g., reproducing attribution statements, etc.).


At this point, it appears that I'm going to need to use a script to 
analyze the entire source tree in order to generate a report. 
Fortunately, a colleague has such a script for FreeBSD that I hope to 
adapt.  I'll see if I can send the result here as well.


While I'm installing just a subset of src.tar.gz (base62, etc62, and 
man62), it appears from the responses here that it's not possible to 
isolate the source code for those parts.  I guess I'll run the script 
over the entire thing and see what happens.


Thanks again,
Kent



identifying software and licenses used in base install

2018-01-17 Thread Kent Watsen


I'm throwing together a quick proof-of-concept thingy to give to a 
customer and thought it might be  fun to use OpenBSD as the OS for the 
VM image.   Unfortunately, the not so fun part of it is that I'm 
required to get permission to use/distribute this open source software, 
which entails needing to identify all the internal software components 
and licenses used.  I thought this was going to be easy, but it's 
proving to be anything but...


My system only has the following installed: bsd, bsd.rd, bsd.mp, base62, 
etc62, and man62.


Is there, by chance, such a breakdown available for these already? Since 
OpenBSD is distributed in binary form, is there a copyright attributions 
listing somewhere to satisfy the "must reproduce the above copyright" 
clause, or do you just point to the also-distributed source for all that?


In lieu of that, it seems that a script could analyze the source code - 
everything is contained in sys.tar.gz (the kernel) and src.tar.gz 
(userland), right?


For the kernel, I'd like to think that it's all BSD, but `grep -R 
'"GPL"' *` shows 39 files having the "GPL" string.  Looking at these, it 
appears that they are all dual-licensed.  I didn't check if there are 
any other licenses in the kernel, but is it safe to say that, if there 
are, they are all dual-licensed and therefore the net-net is that the 
kernel is all BSD?


For the userland, first, is there an easy way to isolate the sub-parts 
of src.tar.gz that contribute to base62, etc62, and man62?  Next, is 
there an easy way to identify the unique packages/projects that are 
included?  - this in hope that it might be easier to identify the 
licenses at the project-level than the file-level.  Any thoughts for how 
to make this go easy?


I'm beginning to think that this might be more trouble than it's worth, 
and that I might be better off having the customer download/install 
OpenBSD  themselves, and then run something like an Ansible script to 
install/configure the demo...


Thanks,
Kent





Re: Performance issues as KVM guest?

2018-01-11 Thread Kent Watsen

On 1/10/18 1:53 PM, Mike Larkin wrote:

On Wed, Jan 10, 2018 at 03:51:19PM +, Mark Carroll wrote:

Since my hosting provider https://www.bytemark.co.uk/cloud-hosting/
patched for Meltdown last weekend I'm seeing significant performance
issues with an OpenBSD virtual instance there. It seems okay after a
fresh reboot but then progressively returns to being very slow: for
example "sleep 1" may take four seconds, then five, six, seven, then
rather more. Curiously it does tend to be an integral multiplier.

I wondered, is anybody else seeing significant performance problems with
OpenBSD (or other BSDs) virtual instances since Meltdown patching? Is
there anything to tweak at my end or am I reliant on the provider?

-- Mark


There are a ton of threads talking about this issue, and it's not meltdown
specific. Please search the archives.

-ml



Really? I just searched the last two years of list email for subject 
lines having substrings "virt", "kvm", "perf", and "slow", and didn't 
see anything on this specific issue.   Can you provide a link, or the 
name of the thread, or some keywords?


Also, Mark, could you say some more about the issue.  For instance, how 
long after a reboot does it take until you start to notice the issue, 
and how quickly does it get worse?


Thanks,
Kent



pfctl -f /etc/pf.conf fails on boot when DNS-resolved symbolic names are used

2015-11-10 Thread Kent Watsen
Precondition: /etc/pf.conf contains src_addr/dst_addr set to FQDNs

On boot, the console shows an error about not being able to load pf.conf
because it can't resolve the symbolic names.

http://www.openbsd.org/faq/faq6.html#Setup.activate says:

    "... if you had specified a DNS-resolved symbolic name in any of
     the files, you would probably find it worked as expected after
     reconfigure, but on initial boot, your external resolver may
     not be available, so the configuration will fail."

but I thought that the statement might be limited to `netstat`, and
/etc/rc runs `netstat` before loading the firewall rules.  So I'm not
sure why it's not working...

Anybody run into this before?  - is the fix to add all the symbolic
names to /etc/hosts?

Thanks,
Kent



Re: responding to buttonpress ACPI event sent by KVM/Qemu (same behavior in v5.2)

2013-09-16 Thread Kent Watsen

On 11/24/12 1:54 PM, Matthew Weigel wrote:

On 11/24/2012 12:38 PM, Tomas Bodzar wrote:


some of you may remember a posting of mine here from March, 2012, in which I
mentioned that the ACPI buttonpress event is not being correctly transmitted
from a debian 6 host to an OpenBSD v5.1 guest.

In the meantime I've installed a OBSD v5.2 system which exhibits exactly the
same behavior -- the guest hangs (freezes) instantly and totally.

I've seen similar posts in the past which yielded replies mostly to the effect
of OpenBSD's implementation is clean, Linux must be the bad guy.

I'm not interested in assigning blame, or seeing it assigned. I'd simply like to
see the problem solved, somehow.

Would a developer be willing to have a look, if I set up a v5.2 sandbox on the
debian host?

I would guess that they might also like to see some evidence that this
problem had been reported to the Qemu and libvirt developers, in the
interest of being not interested in assigning blame.


Resurrecting this thread, since I also got a total freeze in Qemu/KVM 
after sending ACPI shutdown using OpenBSD 5.3.


Testing, I also tried 5.3 in VirtualBox and VMWare, both gave clean 
shutdown.  This makes me suspect KVM is at fault...


QEMU/KVM (echo system_powerdown | nc -U /tmp/test1.monitor) --- total freeze

VirtualBox (ACPI shutdown) -- clean shutdown
VMWare Fusion (Shutdown) -- clean shutdown

FWIW, I'm using an illumos/omnios host on AMD hardware.

Kent



Re: Using TrinityDesktop to replace KDE3

2011-11-02 Thread Kent Watsen
 Are there many users of KDE on OpenBSD? I thought OpenBSD is mostly 
GNOME :-)


On the few systems I install X on, I use FVWM and like it

K.



typo in faq/upgrade49.html

2011-06-10 Thread Kent Watsen
s/which we have not been dealt with so far/which have not been dealt 
with so far/



BTW, the Final steps section would be clearer if the text between the 
title Final Steps and section 1a were put into a section called 1. 
Merging locally changed files, which then has the two existing 
subsections '1a' and '1b'.




Re: 4.9 firewalls

2011-05-11 Thread Kent Watsen

On 5/11/11 9:14 AM, David Gwynne wrote:

anyone replaced firewalls with 4.9 boxes yet? noticed a difference?

   

A drop in replacement for me - works great!



Re: use DUIDs rather than device names in fstab?

2011-04-27 Thread Kent Watsen

Maybe you should tell us what happened and what you were expecting.


I saw the check-in which stated that it was being turned on to see what 
response there is, which is all I'm doing...


When installing on a system only having IDE-based drives, I was 
expecting to not be prompted, since I don't believe it's easy for the 
boot drive to change location.  But I realize now that some flash card 
adapters present themselves as an IDE device, which makes them as 
portable as my USB pen drive.


I withdraw my comment, all is good here.



use DUIDs rather than device names in fstab?

2011-04-26 Thread Kent Watsen

My first install was onto a USB pen drive and I thought this was brilliant.

My second install was onto a fusion-based virtual machine and I was like 
WTF?


I suppose that the installer can't tell if a sd root disk is swappable 
or not, but certainly it should know that wd is not - right?  - or maybe 
my premise is off, aren't DUIDs only useful for jump drives?


~ Kent



Re: issues with acer aspire one (now tested with -current)

2011-04-21 Thread Kent Watsen

 On 04/21/11 05:50, Jacob Meuser wrote:

no.  azalia(4) supports the HD audio interface on ich.  see azalia(4).

there's perhaps a gpio that controls eapd or somesuch.

can you please send the output of '# pcidump -x 0:27:0' ?  thanks for
including a dmesg.


# pcidump -x 0:27:0
 0:27:0: Intel 82801GB HD Audio
0x: 27d88086 0016 04030002 0010
0x0010: 5824   
0x0020:    03491025
0x0030:  0050  010b


Thanks for showing interest.



issues with acer aspire one

2011-04-20 Thread Kent Watsen
I've always wanted a netbook for OpenBSD.  The form factor reminds me of
the TS1000, my first computer.  I picked up this refurbished Acer Aspire
One (D255-1268) for just $229, and have 7 days (5 more now) to return it
to the store.  So far it's running OpenBSD pretty well, but I found some
issues that I'm hoping to resolve:

1. screen blacks out during boot
2. no sound
3. cf reader won't mount
4. can't disable power button
5. resume didn't resume after long wait
6. can't re-enable wi-fi disabling via Fn-F3
7. Fn-F4 (Zz) doesn't put computer to sleep

On a positive note, many things do work: bsd.mp, machdep.lidsuspend,
wi-fi, x-windows, sleep/resume, function keys (disable wi-fi radio,
switch to external screen, disable trackpad, mute sound, control volume,
and control screen brightness), and usb-based cdrom and flash drives. I
have not tested the web cam, the built-in ethernet nic, or the Windows
7 that shipped with the system (haven't even booted it as I'm still
deciding whether to return this machine for another).

Note: full `dmesg` output is at bottom.

1. screen blacks out during boot


The screen apparently blanks out while OpenBSD is booting.  What's weird
is that I'm looking at the screen in very bright light, I can still see
the blue lines scrolling - so it seems that the LCD backlight is being
disabled momentarily.

This is completely reproducible on my machine and I recall the same
happening on another Aspire One model at the store.  In case it matters,
in both cases I'm booting OpenBSD off a USB pen drive...

This is the last line I see before the backlight turns off:

uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1

This is the first line I see when the backlight turns back on:

npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16

So, comparing to the `dmesg` below, the following messages are posted
while the backlight is off:

usb3 at uhci2: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0

2. no sound
--

azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x02: apic
4 int 19 (irq 11)
azalia0: codecs: Realtek ALC272
audio0 at azalia0

As seen above, the device is found, and I've double-checked that sound is
not muted and that the volume is turned all the way up.   Note: the function
keys work - that is, they correctly modify the mute and gain values
in the output below (even though I can't hear anything).

I know the speaker works because I was able to use it after booting the
Parted Magic CD (linux) and running the Test Audio application, which
produced the normal beep pattern.  It detected the audio device as Intel
Corp N10/ICH 7 Family HD Audio Controller (rev 02).  

Should OpenBSD be using the auich driver, which is reported to
support ICH7?  - how can I get OpenBSD to use a different driver?

# audioctl
name=HD-Audio
version=1.0
config=azalia0
encodings=slinear_le:16:2:1,slinear_le:20:4:1,slinear_le:24:4:1
properties=full_duplex,independent
full_duplex=0
fullduplex=0
blocksize=9600
hiwat=6
lowat=4
output_muted=0
monitor_gain=0
mode=
play.rate=48000
play.sample_rate=48000
play.channels=2
play.precision=16
play.bps=2
play.msb=1
play.encoding=slinear_le
play.gain=255
play.balance=32
play.port=0x0
play.avail_ports=0x0
play.seek=0
play.samples=0
play.eof=0
play.pause=0
play.error=0
play.waiting=0
play.open=0
play.active=0
play.buffer_size=65536
play.block_size=9600
play.errors=0
record.rate=48000
record.sample_rate=48000
record.channels=2
record.precision=16
record.bps=2
record.msb=1
record.encoding=slinear_le
record.gain=120
record.balance=32
record.port=0x0
record.avail_ports=0x0
record.seek=0
record.samples=0
record.eof=0
record.pause=0
record.error=0
record.waiting=0
record.open=0
record.active=0
record.buffer_size=65536
record.block_size=9600
record.errors=0

# mixerctl   
inputs.dac-0:1=192,192
inputs.dac-4:5=192,192
inputs.dac-2:3=126,126
record.adc-2:3_mute=off
record.adc-2:3=120,120
record.adc-0:1_mute=off
record.adc-0:1=120,120
inputs.mix_source=mic2
inputs.mix_mic2=120,120
inputs.mix2_source=dac-0:1,mix
inputs.mix3_source=dac-4:5,mix
inputs.mix4_source=dac-2:3,mix
outputs.spkr_source=mix3
outputs.spkr_mute=off
outputs.spkr_dir=output
outputs.spkr_boost=off
outputs.spkr_eapd=on
outputs.mic2_source=mix4
outputs.mic2_mute=off
inputs.mic2=85,85
outputs.mic2_dir=input-vr80
outputs.hp_source=mix2
outputs.hp_mute=off
outputs.hp_boost=off
record.adc-0:1_source=mic2,mix,mic
record.adc-2:3_source=mic2,mix
outputs.mic2_sense=unplugged
outputs.hp_sense=unplugged
outputs.spkr_muters=mic2,hp

Re: issues with acer aspire one (now tested with -current)

2011-04-20 Thread Kent Watsen
A couple listers suggested trying -current, so here it is again on a 4.9 
snapshot dated 201104119 (summary: no change, all issues still present)



1. screen blacks out during boot


Still blacks out, but the location changed.  This is the last line I see before 
the backlight turns off:

ahci0 at pci0 dev 31 function 2 Intel 82801GR AHCI rev 0x02: apic 4 int 
17 (irq 10), AHCI 1.1


And this is the first line I see when the backlight turns back on:

ahci0: PHY offline on port 1

This is interesting for two reasons: 1) unlike before, there are no lines 
between and 2) there's no overlap in the lines from before (weird)



2. no sound
---
Still no sound

Like reported last time, this may be due to the 'azalia' driver being used instead of the 'auich' 
driver.  I deduced this before since sound worked under Linux where the audio device was detected as Intel 
Corp N10/ICH 7 Family HD Audio Controller (rev 02).  So, if ICH7 is needed, then 
that implies it should be the 'auich' driver, right?



3. cf reader won't mount

Still mounts as ugen0



4. can't disable power button
-
Still can't disable power button from initiating a shutdown
  - really, I don't know how - something in /etc/apm/ ?



5. resume didn't resume after long wait
---
Can't reproduce (mentioned before)



6. can't re-enable wi-fi disabling via Fn-F3

Still can't re-enable radio after disabling



7. Fn-F4 (Zz) doesn't put computer to sleep
-
This button is still completely unresponsive



New dmesg
-
OpenBSD 4.9-current (GENERIC.MP) #73: Tue Apr 19 13:34:15 MDT 2011
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
RTC BIOS diagnostic error 80clock_battery
cpu0: Intel(R) Atom(TM) CPU N550 @ 1.50GHz (GenuineIntel 686-class) 1.50 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE
real mem  = 1061335040 (1012MB)
avail mem = 1033809920 (985MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/07/10, SMBIOS rev. 2.6 @ 0xe80b0 (36 
entries)
bios0: vendor Acer version V3.08(DDR3) date 10/07/2010
bios0: Acer AOD255
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP HPET APIC MCFG SLIC BOOT SSDT WDAT
acpi0: wakeup devices UHC1(S3) UHC2(S3) UHC3(S3) UHC4(S3) ECHI(S3) EXP1(S4) 
EXP2(S0) EXP3(S4) EXP4(S4) AZAL(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 166MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Atom(TM) CPU N550 @ 1.50GHz (GenuineIntel 686-class) 1.50 GHz
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Atom(TM) CPU N550 @ 1.50GHz (GenuineIntel 686-class) 1.50 GHz
cpu2: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Atom(TM) CPU N550 @ 1.50GHz (GenuineIntel 686-class) 1.50 GHz
cpu3: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 4
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (EXP1)
acpiprt2 at acpi0: bus 2 (EXP2)
acpiprt3 at acpi0: bus -1 (EXP3)
acpiprt4 at acpi0: bus -1 (EXP4)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C2, C1, PSS
acpicpu1 at acpi0: C3, C2, C1, PSS
acpicpu2 at acpi0: C3, C2, C1, PSS
acpicpu3 at acpi0: C3, C2, C1, PSS
acpipwrres0 at acpi0: FN00
acpitz0 at acpi0: critical temperature 100 degC
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: SLPB
acpibtn2 at acpi0: LID0
acpibat0 at acpi0: BAT0 model 13848633228217409 type Lion oem SANYO 
acpiac0 at acpi0: AC unit online
acpivideo0 at acpi0: OVGA
acpivout0 at acpivideo0: DD02
bios0: ROM list: 0xc/0xda00!
cpu0: Enhanced SpeedStep 1497 MHz: speeds: 1500, 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel Pineview DMI rev 0x02
vga1 at pci0 dev 2 function 0 Intel Pineview Video rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0x4000, size 0x1000
inteldrm0 at vga1: apic 4 int 16 (irq 11)
drm0 at 

fdisk(8) missing from sparc64 install48.iso?

2011-03-10 Thread Kent Watsen


Welcome to the OpenBSD/sparc64 4.8 installation program.
(I)nstall, (U)pgrade or (S)hell? S

# fdisk
sh: fdisk: not found

# ls /sbin/fdisk
ls: /sbin/fdisk: No such file or directory

# ls /sbin
bioctl          dmesg           init            mount_udf       restore
chown           fsck            mknod           newfs           route
dhclient        fsck_ffs        mount           ping            rtsol
dhclient-script halt            mount_cd9660    ping6           sysctl
disklabel       ifconfig        mount_ffs       reboot          umount


Is it missing?





Re: fdisk(8) missing from sparc64 install48.iso?

2011-03-10 Thread Kent Watsen

it's not there, nor should it be.  sparc* does not use fdisk.


That's what I had read, but my other Netra T1 running 4.6 has it - and I 
used it when configuring RAIDFrame (raid(4))...why is it there?  - why 
did it work?


Now I'm giving softraid(4) a go and these instructions 
(http://jpiasetz.tumblr.com/post/483365684/software-raid-on-openbsd-using-softraid) 
start by using fdisk(8).


This is the first time I've ever had to drop to Shell during install, 
and so figured it was missing...




Re: SSH getting blocked on PF after 30 seconds (OpenBSD 4.7)

2011-02-10 Thread Kent Watsen
I had an issue like this a couple years ago.  Turned out that the 
Solaris box I was SSH-ing into had NWAM misconfigured, which was causing 
it to periodically reset connections.  It looked like a PF issue because 
what I saw was PF blocking a session it had previously accepted, but the 
reality was that it had already removed that session from its table.


K.


On 2/9/11 1:58 PM, a b wrote:

Hello list,


At the top of my pf.conf, I have the following:

```
pass in quick inet from <admin_nets> to any queue q_admin
```

And right at the bottom:

```
block in log quick to <server_interfaces>
```

I can establish an SSH connection with no problem.   But consistently after
about 30 seconds, my session hangs.

In the logs I get:

```
rule 144/(match) block in on vlan5: 10.10.10.10.53675 > 11.11.11.11.22: . ack 1277 win 65535 <nop,nop,timestamp 20097852 1792825903> (DF) [tos 0x10]
```

Where rule 144 is the block rule mentioned above.

I have tried the following more specific pass rule above the previous admin rule:

```
pass in quick inet proto tcp from <admin_nets> to any port ssh flags S/SAFR keep state queue q_admin
```

But that makes no difference.

What am I doing wrong ?

Tim




openbsd not blob free?

2010-05-05 Thread Kent Watsen
There is a discussion on the osol-discuss mailing list this morning where
it's pointed out that OpenBSD source tree has a blob in it:

http://osdir.com/ml/opensolaris-discuss/2010-05/msg00095.html

The location of the blob in the tree is here:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/microcode/afb/microcode.h?rev=1.1;content-type=text%2Fplain

A posting from Alan Coopersmith from last December:

http://lists.freedesktop.org/archives/x-packagers/2009-December/91.html

The only official OpenBSD position statement I could find is on the 3.9
lyrics page:

http://www.openbsd.org/lyrics.html#39

Where it says  OpenBSD remains blob-free  - not true?



Re: how to fresh raidframe install on an already raidframe system?

2010-01-05 Thread Kent Watsen
Jurgen/Pete - thanks for your replies, but it seems that I wasn't clear 
- my question is how to do fresh-install of OpenBSD with the new kernel 
discovering and trying to use the old RAID partition.  I ultimately 
solved this problem by rebooting using the old kernel and running 
`raidctl -A no raid0`.  This way the new kernel doesn't try the 
automatically mount the old RAID partition anymore...


BTW, I'm wondering if I'm wrong about SoftRAID - can it now contain the 
root partition like RAIDframe?  - looking at softraid(4), I don't see 
anything like `raidctl -A root dev` and I thought I read Marco saying 
that it's planned but a thing called life keeps getting in the way: 
(http://www.mail-archive.com/misc@openbsd.org/msg69397.html)


Thanks,
Kent



how to fresh raidframe install on an already raidframe system?

2010-01-04 Thread Kent Watsen

Hi,

I have a Netra T1 (sparc64) running 3.9 with raidframe on root.  Being 
such an old system, I decided to do a fresh install, so I boot the 4.6 
cdrom and install the system on the first disk (sd0).  Rebooting again 
brings the 4.6 up fine so I compile and install a new raidframe-enabled 
kernel.  Rebooting again produces many core dumps - `uname -a` says 4.6, 
but the filesystem is from the old 3.9 raid - the new raidframe kernel 
must have found the raid set on the 2nd disk.  Physically ejecting the 
second disk (sd1) and rebooting gives a clean boot, but now, of course, 
I don't have the second disk to install the raid set on...


What do other people do?  - rewrite the disklabel on the second disk so 
raidframe won't try to use the 2nd disk? - put a new/temporary 
/etc/raid0.conf file to configure raidframe to ignore the 2nd disk?  Is 
it even possible to compile/install 4.6 on top of a raidframe set 
avoiding the need to reconfigure it at all?


PS: I looked into softraid for a while, as its recommended in FAQ 14, 
before realizing that it didn't support raid on the root disk.  This was 
especially confusing as its man page lists softraid0 at root while not 
specifically saying that it doesn't support raiding the /root disk.  
Maybe the FAQ and man page could be more clear on these points?



Thanks,
Kent



Re: why is pf reseting this ssh connection?

2009-11-18 Thread Kent Watsen

Todd Alan Smith wrote:

This only happens with SSH connections? Are the rulesets identical
between the two machines? Also, why are you still running 4.2? As I'm
sure you know, there have been many improvements to pf since that
release.

No, I also see it happening with every TCP-based protocol and port I've 
tried (telnet, ftp, and iscsi)


BTW, a more appropriate subject line would have been "why is pf blocking 
a connection after having already accepted it"


Yes, I know I should upgrade, especially since I bought the CDs, but I 
haven't had the time yet - though this issue may force me to upgrade...




P.S. Maybe send your dmesg(s) and ruleset(s) with your next reply.


OK, see below, for the following:
 - uname on firewall
 - dmesg on firewall
 - ifconfig -a on firewall
 - ruleset on firewall


Also, so this makes more sense, here is a small network diagram


vlan4 trunk,tagged-vlans
10.0.4.6  managed --  carped -- internet
10.0.4.5  switch   - firewalls -- feed
||
||vlan1
|+ 10.0.1.24
+- 10.0.1.22




P.P.S. Part of my brain keeps thinking, Flaky NIC?


I was thinking the same thing - so far I:
 - moved the 10.0.1.24 ethernet cable to another port in my switch
 - moved the 10.0.1.24 ethernet cable to another port on the host machine
 - failed the firewall over to its CARP peer (also running 4.2)
 - tried a different client computer (10.0.4.5) instead of (10.0.4.6)




-UNAME-
# uname -a
OpenBSD fw2.watsen.net 4.2 GENERIC.RAID#0 sparc64


-DMESG-
# dmesg
console is /p...@1f,0/p...@1,1/i...@7/ser...@0,3f8
Copyright (c) 1982, 1986, 1989, 1991, 1993
   The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2007 OpenBSD. All rights reserved.  
http://www.OpenBSD.org


OpenBSD 4.2 (GENERIC.RAID) #0: Fri Dec 28 22:26:28 EST 2007
   r...@fw1.watsen.net:/usr/src/sys/arch/sparc64/compile/GENERIC.RAID
real mem = 536870912 (512MB)
avail mem = 507109376 (483MB)
mainbus0 at root: Netra T1 200 (UltraSPARC-IIe 500MHz)
cpu0 at mainbus0: SUNW,UltraSPARC-IIe (rev 1.4) @ 500 MHz, version 0 FPU
cpu0: physical 16K instruction (32 b/l), 16K data (32 b/l), 256K 
external (64 b/l)

psycho0 at mainbus0: SUNW,sabre, impl 0, version 0, ign 7c0
psycho0: bus range 0-2, PCI bus 0
psycho0: dvma map c000-dfff, iotdb 962000-9e2000
pci0 at psycho0
ppb0 at pci0 dev 1 function 1 Sun Simba PCI-PCI rev 0x13
pci1 at ppb0 bus 1
ebus0 at pci1 dev 12 function 0 Sun RIO EBus rev 0x01
flashprom at ebus0 addr 0-f not configured
clock1 at ebus0 addr 0-1fff: mk48t59
SUNW,lomh at ebus0 addr 20-23 ipl 42 not configured
Acer Labs M7101 Power rev 0x00 at pci1 dev 3 function 0 not configured
ebus1 at pci1 dev 7 function 0 Acer Labs M1533 ISA rev 0x00
power0 at ebus1 addr 2000-2007 ipl 37
com0 at ebus1 addr 3f8-3ff ipl 43: ns16550a, 16 byte fifo
com0: console
com1 at ebus1 addr 2e8-2ef ipl 43: ns16550a, 16 byte fifo
gem0 at pci1 dev 12 function 1 Sun ERI Ether rev 0x01: ivec 0x7c6, 
address 00:03:ba:0f:2c:d3
ukphy0 at gem0 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI 
0x0010dd, model 0x0002
ohci0 at pci1 dev 12 function 3 Sun USB rev 0x01: ivec 0x7e4, version 
1.0, legacy support
pciide0 at pci1 dev 13 function 0 Acer Labs M5229 UDMA IDE rev 0xc3: 
DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI

pciide0: using ivec 0x7cc for native-PCI interrupt
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TEAC, CD-224E, 1.7A SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
gem1 at pci1 dev 5 function 1 Sun ERI Ether rev 0x01: ivec 0x7dc, 
address 00:03:ba:0f:2c:d4
ukphy1 at gem1 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI 
0x0010dd, model 0x0002
ohci1 at pci1 dev 5 function 3 Sun USB rev 0x01: ivec 0x7e6, version 
1.0, legacy support

usb0 at ohci0: USB revision 1.0
uhub0 at usb0: Sun OHCI root hub, rev 1.00/1.00, addr 1
usb1 at ohci1: USB revision 1.0
uhub1 at usb1: Sun OHCI root hub, rev 1.00/1.00, addr 1
ppb1 at pci0 dev 1 function 0 Sun Simba PCI-PCI rev 0x13
pci2 at ppb1 bus 2
siop0 at pci2 dev 8 function 0 Symbios Logic 53c896 rev 0x07: ivec 
0x7e0, using 8K of on-board RAM

scsibus1 at siop0: 16 targets
sd0 at scsibus1 targ 0 lun 0: IBM, DNES-309170Y, SA60 SCSI3 0/direct fixed
sd0: 8683MB, 11474 cyl, 5 head, 309 sec, 512 bytes/sec, 17783301 sec total
sd1 at scsibus1 targ 1 lun 0: IBM, DNES-309170Y, SA60 SCSI3 0/direct fixed
sd1: 8683MB, 11474 cyl, 5 head, 309 sec, 512 bytes/sec, 17783301 sec total
siop1 at pci2 dev 8 function 1 Symbios Logic 53c896 rev 0x07: ivec 
0x7e0, using 8K of on-board RAM

scsibus2 at siop1: 16 targets
em0 at pci2 dev 5 function 0 Intel PRO/1000MT (82545EM) rev 0x01: ivec 
0x7d5, address 00:07:e9:1a:19:62

pcons at mainbus0 not 

Re: why is pf reseting this ssh connection?

2009-11-17 Thread Kent Watsen
I'm still having this reset problem. 

Looking at the logs below, the reset seems to be coming from the session
being blocked (the last log), but why would PF block the session when it
accepted the session about 70 seconds before (the first 2 logs)?

Since Ethereal shows that the SSH client is not trying to establish a new
session, it seems that PF must have lost-track that it had already
accepted this session...

What is really weird is that it only happens when SSH-ing to this host
(10.0.1.24), connections to a host (10.0.1.22) right next to it on the
same subnet stay up all the time

Again, this is with OBSD 4.2

Any ideas?

Thanks,
Kent

Kent Watsen wrote:

  I'm consistently getting a RST packet, but I can't figure out why?

  # tcpdump -nettti pflog0
  tcpdump: listening on pflog0, link-type PFLOG
  Nov 14 11:42:20.408301 rule 62/(match) pass in on vlan4: 10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF)
  Nov 14 11:42:20.408407 rule 34/(match) pass out on vlan1: 10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF)
  Nov 14 11:42:20.550409 rule 43/(match) pass in on vlan1: 10.0.1.24.36875 > 10.0.2.2.53:[|domain] (DF)
  Nov 14 11:42:20.550514 rule 47/(match) pass out on vlan2: 10.0.1.24.36875 > 10.0.2.2.53:[|domain] (DF)
  Nov 14 11:42:21.754224 rule 57/(match) pass in on vlan3: 10.0.3.104.123 > 17.151.16.21.123: v4 client strat 3 poll 6 prec -20
  Nov 14 11:42:53.614950 rule 47/(match) pass out on vlan2: 96.253.91.225.4814 > 10.0.2.2.53:[|domain]
  Nov 14 11:42:57.672970 rule 0/(match) block in on vlan1: 10.0.1.20.2001 > 255.255.255.255.37: udp 0
  Nov 14 11:43:06.344155 rule 0/(match) block in on vlan3: [|ip6]
  Nov 14 11:43:25.756063 rule 57/(match) pass in on vlan3: 10.0.3.104.123 > 17.151.16.21.123: v4 client strat 3 poll 6 prec -20
  Nov 14 11:43:38.740956 rule 0/(match) block in on vlan4: 10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF) [tos 0x10]
  ^C

  Note: I pressed return in the SSH shell at 11:43:38

  Running Ethereal on 10.0.4.6, I can see the SSH packet from
  10.0.4.6:53255 -- 10.0.1.24:22 followed immediately by a RST packet
  from 10.0.1.24:22 -- 10.0.4.6:53255

  The thing that confuses me is that:
  - 10.0.4.6 has no trouble maintaining SSH connection to other hosts
  in the 10.0.1.0\24 network
  - other hosts in the 10.0.1.0\24 network have no trouble maintaining
  SSH connection with 10.0.1.24

  # pfctl -vvs rules
  @0 scrub in on gem0 all fragment reassemble
    [ Evaluations: 1893945   Packets: 22091     Bytes: 10427870    States: 0     ]
    [ Inserted: uid 0 pid 26797 ]
  @0 block return log all
    [ Evaluations: 5467      Packets: 946       Bytes: 67688       States: 0     ]
    [ Inserted: uid 0 pid 26797 ]
  snip
  @34 pass out log quick on vlan1 inet proto tcp from 10.0.4.6 to 10.0.1.0/24 port = ssh flags S/SA keep state
    [ Evaluations: 82        Packets: 1430      Bytes: 193425      States: 1     ]
    [ Inserted: uid 0 pid 26797 ]
  snip
  @62 pass in log quick on vlan4 inet from 10.0.4.0/24 to any flags S/SA keep state
    [ Evaluations: 635       Packets: 22817     Bytes: 13187743    States: 4     ]
    [ Inserted: uid 0 pid 26797 ]
  snip

  Any ideas?

  PS: I'm running OpenBSD 4.2 - CARP is configured, but the other
  machine
  is powered down

  Thanks,
  Kent



why is pf reseting this ssh connection?

2009-11-14 Thread Kent Watsen
I'm consistently getting a RST packet, but I can't figure out why?

```
# tcpdump -nettti pflog0
tcpdump: listening on pflog0, link-type PFLOG
Nov 14 11:42:20.408301 rule 62/(match) pass in on vlan4: 10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF)
Nov 14 11:42:20.408407 rule 34/(match) pass out on vlan1: 10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF)
Nov 14 11:42:20.550409 rule 43/(match) pass in on vlan1: 10.0.1.24.36875 > 10.0.2.2.53:[|domain] (DF)
Nov 14 11:42:20.550514 rule 47/(match) pass out on vlan2: 10.0.1.24.36875 > 10.0.2.2.53:[|domain] (DF)
Nov 14 11:42:21.754224 rule 57/(match) pass in on vlan3: 10.0.3.104.123 > 17.151.16.21.123: v4 client strat 3 poll 6 prec -20
Nov 14 11:42:53.614950 rule 47/(match) pass out on vlan2: 96.253.91.225.4814 > 10.0.2.2.53:[|domain]
Nov 14 11:42:57.672970 rule 0/(match) block in on vlan1: 10.0.1.20.2001 > 255.255.255.255.37: udp 0
Nov 14 11:43:06.344155 rule 0/(match) block in on vlan3: [|ip6]
Nov 14 11:43:25.756063 rule 57/(match) pass in on vlan3: 10.0.3.104.123 > 17.151.16.21.123: v4 client strat 3 poll 6 prec -20
Nov 14 11:43:38.740956 rule 0/(match) block in on vlan4: 10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF) [tos 0x10]
^C
```

Note: I pressed return in the SSH shell at 11:43:38

Running Ethereal on 10.0.4.6, I can see the SSH packet from
10.0.4.6:53255 -- 10.0.1.24:22 followed immediately by a RST packet from
10.0.1.24:22 -- 10.0.4.6:53255

The thing that confuses me is that:
- 10.0.4.6 has no trouble maintaining SSH connection to other hosts in
the 10.0.1.0\24 network
- other hosts in the 10.0.1.0\24 network have no trouble maintaining SSH
connection with 10.0.1.24

```
# pfctl -vvs rules
@0 scrub in on gem0 all fragment reassemble
  [ Evaluations: 1893945   Packets: 22091     Bytes: 10427870    States: 0     ]
  [ Inserted: uid 0 pid 26797 ]
@0 block return log all
  [ Evaluations: 5467      Packets: 946       Bytes: 67688       States: 0     ]
  [ Inserted: uid 0 pid 26797 ]
snip
@34 pass out log quick on vlan1 inet proto tcp from 10.0.4.6 to 10.0.1.0/24 port = ssh flags S/SA keep state
  [ Evaluations: 82        Packets: 1430      Bytes: 193425      States: 1     ]
  [ Inserted: uid 0 pid 26797 ]
snip
@62 pass in log quick on vlan4 inet from 10.0.4.0/24 to any flags S/SA keep state
  [ Evaluations: 635       Packets: 22817     Bytes: 13187743    States: 4     ]
  [ Inserted: uid 0 pid 26797 ]
snip
```

Any ideas?

PS: I'm running OpenBSD 4.2 - CARP is configured, but the other machine
is powered down

Thanks,
Kent
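
The symptom in this post and in the "SSH getting blocked on PF after 30 seconds" thread above is the same: a flow that pf logged as passed is later logged as blocked. The following Python script is an added example, not part of the original posts; it scans `tcpdump -nettti pflog0` output for that pass-then-block pattern. The function names are hypothetical, the sample lines are constructed from the log shown in the post, and the year is an assumption because pflog timestamps carry none.

```python
import re
from datetime import datetime

MONTHS = {name: i + 1 for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split())}

# One IPv4 pflog line as printed by `tcpdump -nettti pflog0`, for example:
#   Nov 14 11:42:20.408301 rule 62/(match) pass in on vlan4: 10.0.4.6.53255 > 10.0.1.24.22: ...
# The ">" between the endpoints is optional because list archives often strip it.
PFLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2})\.(?P<us>\d{6})\s+"
    r"rule\s+(?P<rule>\d+)/\([^)]*\)\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>[\w.]+):\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+(?:>\s+)?"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

# Constructed sample, modelled on the log in the post. The last line is kept
# without ">" the way the archive shows it.
SAMPLE_PFLOG = """\
Nov 14 11:42:20.408301 rule 62/(match) pass in on vlan4: 10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF)
Nov 14 11:42:20.408407 rule 34/(match) pass out on vlan1: 10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF)
Nov 14 11:42:57.672970 rule 0/(match) block in on vlan1: 10.0.1.20.2001 > 255.255.255.255.37: udp 0
Nov 14 11:43:06.344155 rule 0/(match) block in on vlan3: [|ip6]
Nov 14 11:43:38.740956 rule 0/(match) block in on vlan4: 10.0.4.6.53255  10.0.1.24.22: [|tcp] (DF) [tos 0x10]
"""


def parse_line(line, year=2009):
    """Return a dict for one pflog line, or None if it is not an IPv4 flow line."""
    m = PFLOG_RE.match(line.strip())
    if not m or m["mon"] not in MONTHS:
        return None
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                  int(m["h"]), int(m["mi"]), int(m["s"]), int(m["us"]))
    return {
        "ts": ts,
        "rule": int(m["rule"]),
        "action": m["action"],
        "dir": m["dir"],
        "ifname": m["ifname"],
        "src": (m["src"], int(m["sport"])),
        "dst": (m["dst"], int(m["dport"])),
    }


def find_state_loss(lines, year=2009):
    """Report flows that were logged as passed and later logged as blocked.

    With a plain `log` on a stateful pass rule, pf logs only the packet that
    creates the state. A later block entry for the same endpoints therefore
    means that packet did not match a state entry (state expired, flushed,
    or never matched) and fell through to a block rule.
    """
    passed = {}    # direction-independent flow key -> list of pass events
    findings = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue  # IPv6, truncated or unrelated lines are skipped
        key = frozenset((ev["src"], ev["dst"]))
        if ev["action"] == "pass":
            passed.setdefault(key, []).append(ev)
        elif key in passed:
            first = passed[key][0]
            findings.append({
                "flow": "%s:%d -> %s:%d" % (ev["src"] + ev["dst"]),
                "pass_rules": sorted({p["rule"] for p in passed[key]}),
                "block_rule": ev["rule"],
                "block_if": ev["ifname"],
                "gap_seconds": (ev["ts"] - first["ts"]).total_seconds(),
            })
    return findings


if __name__ == "__main__":
    for f in find_state_loss(SAMPLE_PFLOG.splitlines()):
        print("%(flow)s passed by rules %(pass_rules)s, then blocked by rule "
              "%(block_rule)s on %(block_if)s after %(gap_seconds).1f s" % f)
```

The gap between the first pass and the block is the number to compare against `pfctl -s timeouts` and against the state table (`pfctl -s state`) at the moment the session hangs.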



Re: OpenBSD as Xen domU

2008-10-03 Thread Kent Watsen
[Picking up on this old thread]

Question for those of you running OpenBSD HVM DomUs, does your IO 
performance suck?

Description:

I have OpenBSD 4.3 DomU running HVM mode with 1x vcpu on top of 
OpenSolaris b97 xVM Dom0, which pins down 2x vcpus (box is a quad-core 
1.9GHz opteron with 8GB mem).  Like John (below), I also pass 
model=ne2k_pci as part of the vif.   The system is reasonably 
responsive over console when not doing any IO, especially disk, when the 
performance tanks.  To put this in perspective, when I was installing 
OpenBSD, it took 30+ mins for it to install the packages and that's not 
including any of the X packages!  Likewise, a simple file-copy test gave 
me these results:

Copy large file from Desktop to Dom (using `scp`) :
Dom0:   ~27136KB/s   (opensolaris b97)
DomU:  ~322KB/s   (openbsd 4.3, hvm)   

Copy large file from Dom to Desktop (using `scp`):
Dom0:  ~28441KB/s   (opensolaris b97)
DomU: ~662KB/s   (openbsd 4.3, hvm)


Finally, running `bonnie++` on the Dom0 in DomU gives:

_*Bonnie++ on Dom0*_

Version 1.03d -- Sequential Output ----- Sequential 
Input -----Random-
  -Per Char-  --Block--  -Rewrite-   --Per Char--   
--Block----Seeks--
Machine   SizeK/sec %CP   K/sec %CP  K/sec %CP K/sec %CP
K/sec %CPK/sec %CP
san8G 67051  85   166574 59  126454 63 71058  96
362940 761645   11


   -- Sequential Create -- Random 
Create 
   -Create--  --Read---  -Delete---Create--  
--Read---  -Delete--
 files K/sec %CP  K/sec %CP  K/sec %CPK/sec %CP  K/sec 
%CP  K/sec %CP
   16  15815  99  + +++  22903  9915222  99  + 
+++  22339  99



_*Bonnie++ in zvol-backed DomU  (openbsd 4.3, hvm)*_

Version 1.03  -- Sequential Output ----- Sequential 
Input -----Random-
  -Per Char-  --Block--  -Rewrite-   --Per Char--   
--Block----Seeks--
Machine   SizeK/sec %CP   K/sec %CP  K/sec %CP K/sec %CP
K/sec %CPK/sec %CP
puffy 300M  451   0 295   0184   0   976   4 
1521   2 26.8   1


   -- Sequential Create -- Random 
Create 
   -Create--  --Read---  -Delete---Create--  
--Read---  -Delete--
 files K/sec %CP  K/sec %CP  K/sec %CPK/sec %CP  K/sec 
%CP  K/sec %CP
   16  8   1  + +++ 16   18   1  + 
+++ 10  0


I have already posted these results to the xVM mailing list and they 
said that they have never seen the HVM performance this bad before 
(where 30Mb/s is the norm) and also offered:

If this was just disk or net then I'd suspect that the device
emulation simply didn't match up well with the OpenBSD driver, but
given that you're seeing both as slow it may well be a broader
problem.


BTW, my networking performance is also not great - it's about ~7 Mb/s - 
over GE interfaces using Cat5e.  This is also slow as running the same 
`iperf` test when openbsd is on the bare-metal gives ~534 Mb/s.  Just 
the same, 7 Mb/s is way faster than my disk I/O (~0.5 Mb/s avg).

So, for those of you running OpenBSD HVM DomUs,  does your IO 
performance suck this bad too?

Thanks,
Kent



John Jackson wrote:
 OpenBSD as DomU works using hardware virtualization for me.  There's
 the occasional lockup that I haven't looked into too much.  You can
 launch vncviewer to get a console.  My working config is at the bottom.

 John

 On Wed, Feb 06, 2008 at 11:55:05PM +0100, Julien Cabillot wrote:
   
 It's work but I had really bad performances with the network (timeout on
 the interface re).
 Dmesg: http://www.openbsd-france.org/ml/archives/msg02494.html

 

 I found that setting the vif interface to 'model=ne2k_pci' helps with 
 the timeouts.

   
 On jeu, 2008-02-07 at 00:29 +0200, NetOne - Doichin Dokov wrote:
 
 I'm looking to replace a Linux domU with a BSD one, preferably OpenBSD.
 Anyone any success running stable OpenBSD (FreeBSD would also suffice)
 as domU in a Xen system? If so, willing to share config / how-to /
 experience?

 Kind regards,
 Doichin
   

 Here's a working Xen config:
 =
```
import os, re

# Select the Xen library directory that matches the Dom0 architecture
arch = os.uname()[4]
if re.search('64', arch):
    arch_libdir = 'lib64'
else:
    arch_libdir = 'lib'

kernel = "/usr/lib/xen/boot/hvmloader"  # HVM guests boot through hvmloader
builder='hvm'
memory = 256
name = "obsd"
pae=0
# model=ne2k_pci is the emulated NIC model mentioned above for the timeouts
vif = [ 'type=ioemu, mac=00:16:3e:7d:be:ef, model=ne2k_pci' ]
disk = [ 'file:/disk/homer.disk,hda,w', 'file:/disk/obsd42_amd64.iso,ioemu:hdc:cdrom,r' ]
device_model = '/usr/' + arch_libdir + '/xen/bin/qemu-dm'
boot='cd'
sdl=0
vnc=1  # console is reached over VNC
vncviewer=0
nographic=0
stdvga=0
serial='pty'
ne2000=1
audio=0
localtime=1
```
 

iperf results not good: 31% system, 69% interrupt, 0% idle!

2008-02-26 Thread Kent Watsen
I just installed a Netgear GA311 (re) into a 500MHz Netra T1 running 4.2 
(sparc64)


Running `iperf -s` on it shows only 187 Mbits/sec, which surprised me 
because other iperf-targets plugged into same switch show ~600 Mbits/sec


Looking at `top` shows why: 31% system, 69% interrupt, 0% idle  and the 
iperf process 25% CPU


What is going on? - is the re driver not good?

Thanks!
Kent



Re: carped trunk or trunked carp or what?

2008-01-31 Thread Kent Watsen

Johan Fredin wrote:
Yep, two boxes with one cable each to the switch. Both with a bunch of 
vlans and carp interfaces on top of that.


This is from one of the machines:

snip

Hey, thanks a lot, I got it working, but it isn't stable - in fact, I 
really only had one successful fail-over... 

When I `shutdown -h -p now` my MASTER, a session I had running through 
the firewall continued working (yeah!) [PS: this with carp on vlans on 
trunk as described yesterday].  But when I powered-up my MASTER box, not 
only did the session I have running thru the firewall hang, but I also 
couldn't run new sessions through the firewall until I reset the switch 
(a Dell PowerConnect 5224).  I'm guessing that this is an issue with the 
switch, but I haven't been able to find it yet...  (any ideas?)


Question:  when rebooting the MASTER, does it reclaim being the MASTER 
*after* pfsync has a chance to synchronize the state tables?  If not, 
then what do people do to bring the MASTERs back online?  - temporarily 
configure the MASTER's advskew settings so that it's higher than the 
BACKUPs and hence will *not* become the MASTER right away?  Does it make 
sense to have both systems always set advskew to 128 on boot and then 
always plan to lower the advskew for the MASTER?


Thanks,
Kent



carped trunk or trunked carp or what?

2008-01-30 Thread Kent Watsen

I'm trying to setup CARP for my gateway.  Both my gateways have 6 interfaces
   - one for uplink to ISP
   - one for CARP/pfsync
   - four that are trunked and then have vlans running on top of

My current setup looks some like this:


   hme0  \
   hme1   \  /- vlan0
   --- trunk0 - vlan1
   hme2   /  \- vlan2
   hme3  /


In order to introduce CARP, which of the following setups should I be 
looking into?



   hme0 --- carp0 \
   hme1 --- carp1  \  /- vlan0
--- trunk0 - vlan1
   hme2 --- carp2  /  \- vlan2
   hme3 --- carp3 /


OR

   hme0  \
   hme1   \ /- vlan0
   --- trunk0 --- carp0 -- vlan1
   hme2   / \- vlan2
   hme3  /


OR

   hme0  \
   hme1   \  /- vlan0 --- carp0
   --- trunk0 - vlan1 --- carp1
   hme2   /  \- vlan2 --- carp2
   hme3  /



The first of these choices makes the most sense to me, because it keeps 
CARP close to the physical interface, but netstart has a comment in it 
saying that trunk needs to come up first...


Any ideas?

Thanks,
Kent



Re: carped trunk or trunked carp or what?

2008-01-30 Thread Kent Watsen

Johan Fredin wrote:

On 08-01-30 17:50, Kent Watsen wrote:

   hme0  \
   hme1   \  /- vlan0 --- carp0
   --- trunk0 - vlan1 --- carp1
   hme2   /  \- vlan2 --- carp2
   hme3  /


I say this is the way to go. You can consider trunk0 a physical 
interface (consisting of four underlaying interfaces). Since you 
probably want to have different IP networks on the different vlans you 
add carp on top of the vlans.

At first this seems foreign, but it does make sense that carp would be 
layered on top of that which has ip addresses, the vlans, as neither the 
physical nor the trunk interfaces have ip addresses - they are just up



I've set up boxes this way, but without the trunk.

And it was completely transparent to your switch?  - you had both carped 
boxes plugged into the same switch?



Thanks,
Kent



Re: vlan trunking with a powerconnect 5224

2008-01-28 Thread Kent Watsen
On a lark I just executed `ifconfig trunk0 up` and now my trunk is 
working!  And, to make it come up automatically, I just added the single 
line "up" to hostname.trunk0...


BTW, the trunk interface is not documented in hostname.if(5)

Thanks anyways,
Kent




Kent Watsen wrote:


Looking at the output from `ifconfig` (see below), I notice that the 
trunk0 doesn't show that it's UP - why wouldn't it be up?


Thanks,
Kent




Re: vlan trunking with a powerconnect 5224

2008-01-28 Thread Kent Watsen
Looking at the output from `ifconfig` (see below), I notice that the 
trunk0 doesn't show that it's UP - why wouldn't it be up?


Thanks,
Kent


```
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33168
   groups: lo
   inet 127.0.0.1 netmask 0xff00
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
gem0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:03:ba:0f:34:09
   groups: egress
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet xx.xxx.xxx.x netmask 0xff00 broadcast 96.231.191.255   [public ip masked]
   inet6 fe80::203:baff:fe0f:3409%gem0 prefixlen 64 scopeid 0x1
gem1: flags=8822<BROADCAST,NOTRAILERS,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:03:ba:0f:34:0a
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
hme0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
   lladdr 08:00:20:f2:e3:d4
   trunk: trunkdev trunk0
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet6 fe80::a00:20ff:fef2:e3d4%hme0 prefixlen 64 scopeid 0x3
hme1: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
   lladdr 08:00:20:f2:e3:d4
   trunk: trunkdev trunk0
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet6 fe80::a00:20ff:fef2:e3d5%hme1 prefixlen 64 scopeid 0x4
hme2: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
   lladdr 08:00:20:f2:e3:d4
   trunk: trunkdev trunk0
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet6 fe80::a00:20ff:fef2:e3d6%hme2 prefixlen 64 scopeid 0x5
hme3: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
   lladdr 08:00:20:f2:e3:d4
   trunk: trunkdev trunk0
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet6 fe80::a00:20ff:fef2:e3d7%hme3 prefixlen 64 scopeid 0x6
enc0: flags=0<> mtu 1536
trunk0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
   lladdr 08:00:20:f2:e3:d4
   trunk: trunkproto roundrobin
   trunkport hme3 active
   trunkport hme2 active
   trunkport hme1 active
   trunkport hme0 master,active
   groups: trunk
   media: Ethernet autoselect
   status: active
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 08:00:20:f2:e3:d4
   vlan: 2 priority: 0 parent interface: trunk0
   groups: vlan
   inet 10.0.2.1 netmask 0xff00 broadcast 10.0.2.255
   inet6 fe80::a00:20ff:fef2:e3d4%vlan2 prefixlen 64 scopeid 0xa
vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 08:00:20:f2:e3:d4
   vlan: 3 priority: 0 parent interface: trunk0
   groups: vlan
   inet 10.0.3.1 netmask 0xff00 broadcast 10.0.3.255
   inet6 fe80::a00:20ff:fef2:e3d4%vlan3 prefixlen 64 scopeid 0xb
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33168
   groups: pflog
```



vlan trunking with a powerconnect 5224

2008-01-28 Thread Kent Watsen
I successfully have two vlans running over one physical interface 
connected to my managed switch (a PowerConnect 5224), but I can't get 
the same two vlans to work when running over a trunk interface spanning 
four physical interfaces.



Before:  (this works, but only uses one physical interface)
   # cat hostname.gem0
   inet xx.xxx.xxx.x 255.255.255.0 NONE   [public ip masked]

   # cat hostname.hme0
   up

   # cat hostname.vlan2
   inet 10.0.2.1 255.255.255.0 NONE vlan 2 vlandev hme0

   # cat hostname.vlan3
   inet 10.0.3.1 255.255.255.0 NONE vlan 3 vlandev hme0



After: (this doesn't work)

   # cat hostname.gem0
   inet xx.xxx.xxx.x 255.255.255.0 NONE   [public ip masked]

   # cat hostname.hme0
   up

   # cat hostname.hme1
   up

   # cat hostname.hme2
   up

   # cat hostname.hme3
   up

   # cat hostname.trunk0
   trunkproto roundrobin trunkport hme0 trunkport hme1 trunkport hme2 trunkport hme3


   # cat hostname.vlan2
   inet 10.0.2.1 255.255.255.0 NONE vlan 2 vlandev trunk0

   # cat hostname.vlan3
   inet 10.0.3.1 255.255.255.0 NONE vlan 3 vlandev trunk0



Assuming all looks good above, the changes I made on the switch were:
   - create a bogus vlan (id )
   - make the four ports untagged members of vlan id 
   - remove the four ports as members of vlan id 1
   - make the four ports be members of trunk 1
   - make trunk 1 tagged member of vlans 2 and vlan 3


But no traffic gets through.  For instance, ssh-ing through the firewall 
and switch to target results in "Network is unreachable", during which 
pflog shows a match for "pass out on vlan2";  `tcpdump -n -i trunk0` 
shows nothing;  `tcpdump -n -i vlan2` shows nothing; heck, even 
`tcpdump -n -i hme0` shows nothing.  Likewise,  `tcpdump` on the target 
shows no traffic.


Any ideas?


Thanks,
Kent



Re: cant properly set up kernel to have root and swap on a RAIDframe device

2008-01-06 Thread Kent Watsen

Boris Goldberg wrote:

> Hello misc,
>
>   I've been booting my system from RAIDframe partitions for a long while.
> Small partition for kernel(s), raidctl -A root raid0 - and I have root on
> raid0a and swap on raid0b.
>   But with 4.2 I'm getting "swapmount: no device" error from the kernel and
> "savecore: no core dump (no dumpdev)" later. However, root is still on
> raid0a (but no swap).
> <snip>
  



I just set up RAIDframe for the first time using 4.2 following the 
instructions located here:


   http://www.eclectica.ca/howto/openbsd-software-raid-howto.php

When I booted into the raided system, I noticed the following output:

```
<snip>
Kernelized RAIDframe activated
cd0(atapiscsi0:0:0): Check Condition (error 0x70) on opcode 0x0
   SENSE KEY: Not Ready
   ASC/ASCQ: Medium Not Present
siop0: target 0 now using tagged 16 bit 40.0 MHz 31 REQ/ACK offset xfers
siop0: target 1 now using tagged 16 bit 40.0 MHz 31 REQ/ACK offset xfers
raid0 at root: (RAID Level 1) total number of sectors is 16732160 (8170 MB) as root
raid0 at root: (RAID Level 1) total number of sectors is 16732160 (8170 MB) as root
bootpath: /[EMAIL PROTECTED],0/[EMAIL PROTECTED],0/[EMAIL PROTECTED],0/[EMAIL PROTECTED],0
swapmount: no device
raid0: Device already configured!
raidctl: ioctl (RAIDFRAME_CONFIGURE) failed
raid0: Parity status: clean
Automatic boot in progress: starting file system checks.
/dev/rraid0a: file system is clean; not checking
setting tty flags
starting network
starting system logger
starting initial daemons: ntpd.
savecore: no core dump (no dumpdev)
<snip>
```

which shows both the "swapmount: no device" and "savecore: no core dump 
(no dumpdev)" issues Boris reported.


Here are my disklabel and fstab


```
# disklabel raid0 | tail -4
#        size    offset  fstype [fsize bsize  cpg]
  a: 15683584         0  4.2BSD   2048 16384    1
  b:  1048576  15683584    swap
  c: 16732160         0  unused      0     0

# cat /etc/fstab
/dev/raid0a / ffs rw 1 1
```



Note: prior to booting in the raid set, I'd get : root on sd0a swap on 
sd0b dump on sd0b


Thanks,
Kent



Re: openbsd router hardware

2007-12-26 Thread Kent Watsen
While not quite meeting your requirements, I don't think you can beat 
the value of a Netra T1.  I got two 500Mhz 512MB 64-bit Sparc boxes off 
eBay for $50 each.  They come with two 100 Mbs ports, to which I added 
Sun Quad Fast Ethernet 4-port pci adapter for $12 each off eBay.  While 
having a fan, it is relatively quiet - the whole box runs at 20 watts.  
So, for about ~$220 (including shipping), I have two CARPed 6-port PF 
boxes.  As a bonus, I feel that the Netra T1s using a Sparc processor  
is safer - as most exploits target x86...


Cheers,
Kent


Joerg Zinke wrote:

> Hi,
>
> I'm looking for hardware to install an openbsd based dsl-router.
> I already searched the list archives and looked at WRAP and Soekris,
> but it seems that they do not match my requirements:
>
> - fanless
> - as small as possible
> - at least 2, better 3 ethernet ports
> - a wlan-card (as access point in hostap mode)
> - mainboard and other hardware should work with openbsd of course,
>   would be nice to see output from hw.sensors*
> - storage should have at least 10GB, I think this leads to a real
>   ide/sata-disk (maybe 2.5)
> - vga-output (because I have no other machine with a serial port to do
>   the installation)
> - lcd-display (something that is supported by lcdproc, which seems to
>   work fine on openbsd)
>
> Not a requirement, but nice-to-have: usb-2.0 port(s).
>
> Does anyone know a company or vendor which builds such an
> (openbsd-)ready system fulfilling the above requirements?
>
> Or did I need to start buying all pieces (maybe mini-itx based?) and
> assemble them on my own?
>
> Any hints?
>
> Regards,
>
> Joerg




Re: Real men don't attack straw men

2007-12-15 Thread Kent Watsen

Benjamin M. A'Lee wrote:

> They're not required to make their changes available. They're required
> to acknowledge your copyright, but your licence does not require
> proprietary developers to release changes at all and it does not require
> GPL developers to release changes under your choice of licence.

  
As I understand it, if a GPL developer wants to extend a BSD licensed 
file, they only have two legal choices:


 - release the modified file with just the BSD license (no additional GPL license)
 - release the unmodified file and a separate GPL-licensed patch

Note that I purposely exclude two cases, because they are illegal:

 - release the modified file with only GPL license
 - release the modified file with BSD license and additional GPL license

The reason why the first of these is illegal should be obvious.  The 
reason why the second of these is illegal is because, by adding the GPL 
license to the same file, it applies to the BSD-licensed text, which is 
in contradiction to the BSD license.  To be clear, the BSD license 
allows binary distribution without source disclosure while the GPL 
license does not.  Thus, by adding the GPL license to a BSD licensed 
file, it is taking away BSD-granted rights.


Can anyone confirm this understanding?

Regards,
Kent



Re: OpenBSD firewalls as virtual machine ?

2007-09-21 Thread Kent Watsen
Some commercial firewalls (i.e. Juniper/NetScreen ScreenOS-based gear) 
have been offering virtual-systems for years now.  I think the negative 
comments received here may be appropriate when sharing the system with 
non-secure guest OSs, but it seems that it might be alright if it's 
nothing but firewalls


Cheers,
Kent


Josh wrote:

> Hello there.
>
> We have a bunch of obsd firewalls, 8 at the moment, all working nice 
> and so forth. But we need to add about another 4 in there for new 
> connections and networks, which means more machines to find room for.
>
> So basically I have been asked to investigate running all these 
> firewalls in two big boxes, with lots of NIC's, with a bunch of openbsd 
> virtual machines on them. One main box for the primary firewalls, one 
> for the secondary. Each virtual machine getting its own physical NIC.
>
> Personally I don't really like the idea, I can see things going wrong, 
> lots of stuff balancing on a guest os and box.
>
> Can someone please inform me if this is a really bad idea or not, 
> ideally with some nice reasoning?
>
> Cheers,
>    Josh




Re: OpenBSD todo list?

2006-04-11 Thread Kent Watsen
Christmas in April?  ;)  A couple requests I recall seeing (*cough* 
posting *cough*):


 - enable chroot-ed apps to dump core (this is an easy one)
 - enable openbsd to run as a para-virtualized Xen guest (this is more involved)


Kent


Shawn Nock wrote:
> A quick search of the archive and google didn't turn anything up, so 
> I'll ask here.
>
> Is there (if not could there be) a document that describes portions of 
> the tree that particularly need attention? I am looking for a way to 
> contribute and without a little direction the task seems daunting. The 
> FreeBSD folks recently started maintaining such a todo list. It seems 
> to have worked out fairly well for them. I realize that those in a 
> position to put together such a list are also the ones not likely to 
> have the time, but I believe this could prove useful (I assume there 
> are more like me who are new and/or haven't found a comfort zone/focus 
> yet).
>
> Cheers,
> Shawn




Re: OpenBSD's 10th birthday -- how about a present?

2005-10-18 Thread Kent Watsen

STeve Andre' wrote:

> On Tuesday 18 October 2005 21:07, Paul Greene wrote:
>
>> STeve Andre' wrote:
>>
>>>  Seeing all sorts of good wishes to the project, but I haven't
>>> seen any gifts, yet. ;-)
>>>
>>>  I just paypaled $25 to the project, as a birthday present.  Given
>>> what we all get from this OS, OpenBSD deserves something.
>>>
>>>  Can I get 10 others to make some kind of donation?  It doesn't
>>> have to be a lot...
>>>
>>> --STeve Andre'
>>
>> Well, I finally got out the credit card and actually paid for some CD's.
>>
>> Does that count?
>>
>> Paul
>
> Sure it does.  It helps the project.  Thank you.
>
> So, four people donating money and one buying a CD set.
>
> ...Do I hear more?
>
> --STeve Andre'


Been buying the CD since 2.6 - but get the shirt only when I can see 
myself wearing it  ;)


Kent



core dumps disabled after chroot?

2005-08-28 Thread Kent Watsen
Hi,

I want to chroot an application I'm developing, but I still want 
coredumps...

_dump.c_
```c
#include <stdlib.h>

int main() {
    abort();  /* raises SIGABRT, which normally produces a core dump */
}
```

```
# gcc dump.c -o dump
# ./dump
Abort trap (core dumped)
# chroot ./ ./dump
Abort trap    [note that no core was dumped!]
```


Anybody?
Kent



Re: core dumps disabled after chroot?

2005-08-28 Thread Kent Watsen

Theo de Raadt wrote:

>> I want to chroot an application I'm developing, but I still want 
>> coredumps...
>>
>>    _dump.c_
>>    #include <stdlib.h>
>>    int main() {
>>    abort();
>>    }
>>
>>    # gcc dump.c -o dump
>>    # ./dump
>>    Abort trap (core dumped)
>>    # chroot ./ ./dump
>>    Abort trap    [note that no core was dumped!]
>
> At the moment there is no solution for this.  Coredumps cannot happen
> in those processes.


Really?  By "at the moment", do you mean to suggest that this might be 
made to work?  I tried to look up what POSIX defines, but google results 
aren't very helpful these days.  I tested on RedHat 8 and it does dump 
core after chroot...


If I may try to make a case for enabling dumps after chroot, please 
consider that the intent of chroot is to increase security by 
preventing a compromised app from accessing the file-system outside.  
But the app was compromised in the first place by exploiting a bug in 
the code (i.e. buffer overrun) and bugs are many times fixed through 
stacktrace analysis.  Especially with 3.8's new memory-management 
(mmap'ed guard pages, etc.) and the fact that OBSD's user-base is 
paranoid enough to chroot as much as possible - I would think that dumps 
after chroot would be helpful...


BTW, I not only want to use chroot to secure my application, but also to 
aid in software deployment - that is, the installer prompts the user 
where to install (which will become the chroot) - not only does this 
free up my logic from having to figure out where it was installed using 
path manipulation (it can always assume / for its file access needs), 
but I can also have multiple instances installed - as the global 
filesystem's namespace is no longer an issue.  [I guess in a way, this 
is some of what has motivated the development of FreeBSD's jailNG, 
UserModeLinux, and Vmware's ESX/GSX servers...]


I am aware that root can bust out of a chroot and so dropping perms via 
setuid() and its variants is fairly common.  I also know that setuid() 
disables cores [a policy I disagree with for the same reasons], but I 
have found a way to get around that using a combination of fork() and 
execv() - so my only remaining issue is with chrooted processes not 
dumping core...



Kent