Re: wireguard reconfiguration reliability

2024-03-21 Thread Kirill Miazine




• Страхиња Радић [2024-03-21 16:31]:

> On 24/03/20 08:15AM, Kirill Miazine wrote:
> 
> > #!/bin/sh
> > ifconfig wg1 | \
> > grep wgaip | \
> > awk '{print $2} ' | \
> > grep /32$ | \
> > sed 's/\/32//' | \
> > sort | while read x; do
> >   ping -w 1 -c 1 $x 2>&1
> > done
> 
> Just FYI, you don't need backslashes (\) here, as the command ending with a
> pipe is an incomplete pipeline. ;-)



ah, thanks a lot, good to know!

in this case I added escaped newlines when posting, I have all on one
line, but I think I could have scripts where a pipe is followed by
escaped newline. have to check that one.

I see some scripts in /etc also use escaped newlines after pipes:

root@stable ~ # grep -r '| \\$' /etc/
/etc/daily: baksize=`disklabel $bakdisk 2>/dev/null | \
/etc/daily: rootsize=`disklabel $rootdisk 2>/dev/null | \
/etc/weekly:echo "${UPDATEDB} --fcodes=-" | \



Re: wireguard reconfiguration reliability

2024-03-21 Thread Kirill Miazine
• Paul B. Henson [2024-03-20 15:43]:
> On Wed, Mar 20, 2024 at 09:56:06PM +0100, Kirill Miazine wrote:
> 
> > Like in this thread, I guess:
> > 
> > https://marc.info/?t=16964239631=1=2
> 
> Yes, that is likely the issue we're hitting. Seems last message is from
> 10/2023 and the issue wasn't resolved :(, so I guess it's a known
> problem with no solution on the horizon.
> 
> Next time I'll try your workaround of batching the commands up (ifconfig
> wg1 down; ifconfig wg1 delete; ifconfig wg1 destroy) rather than running
> one at a time and keep my fingers crossed I win the race condition :).

I could as well share how I reconfigure my wgpeers for wg1: I just
remove them all first and then re-add whatever is in /etc/hostname.wg1,
keeping the wg interface itself alone:

ifconfig wg1 -wgpeerall
grep ^wgpeer /etc/hostname.wg1|while read x;do ifconfig wg1 $x;done

> Thanks for the help...
> 

-- 
-- Kirill Miazine 



Re: wireguard reconfiguration reliability

2024-03-20 Thread Kirill Miazine

• Paul B. Henson [2024-03-20 21:14]:

> On 3/20/2024 9:21 AM, Zack Newman wrote:
> 
> > clients in rdomain(4) 0. Last week I ran ifconfig wg1 destroy, replaced
> > the wgkey and wgpsk for one of the three wgpeers in the second interface,
> > and ran sh /etc/netstart wg1. Once I did this, the server seemingly
> > froze:
> 
> That's similar to what we see, although generally the entire server
> doesn't die, just the ifconfig command wedges and can't be killed, and
> the box can't be rebooted cleanly.

Like in this thread, I guess:

https://marc.info/?t=16964239631=1=2

> Thanks for the feedback…





Re: wireguard reconfiguration reliability

2024-03-20 Thread Kirill Miazine

• Paul B. Henson [2024-03-20 20:38]:

> On 3/20/2024 1:44 AM, Kirill Miazine wrote:
> 
> > actually I checked, and I do use wgpka on clients, but not on the
> > server -- I don't remember why I didn't...
> 
> In our case the server is on an Internet accessible address, whereas the
> clients are behind a NAT firewall. We also have keepalives enabled on
> the clients (to maintain their NAT mapping) but not on the server (as if
> the client isn't sending its keepalives the server isn't going to get
> through anyway).

this describes my setup more or less, but some "clients" have stable,
routable, reachable addresses.

> A scenario where it stops but then works again as soon as traffic is
> sent does kind of sound like a firewall or NAT timeout issue?  We don't
> have that problem, if we leave it completely alone it generally works
> indefinitely with no issues. It's just when we try to modify the
> configuration that things sometimes go sideways.

what makes flow stop is e.g. if server is rebooted, then clients
wouldn't re-connect. it could also be that flushing wgpeers and then
re-adding them also made clients go away.

again, I haven't spent much time debugging and can't guarantee that
described behaviour is what really is going on: I noticed the issue and
that ping would seemingly resolve it, so I just added pings everywhere.

> Thanks for the data point…





Re: wireguard reconfiguration reliability

2024-03-20 Thread Kirill Miazine
• Lorenz (xha) [2024-03-20 09:29]:
[...]
> > I've seen some issues too, but have not identified a reproducible pattern.
> > What I've seen, however, is that WG packets start flowing when the other end
> > of the connection pings back, so in my setup with a central VPN server I
> > make it ping all the peers' WG IP address periodically:
> > 
> > #!/bin/sh
> > ifconfig wg1 | \
> > grep wgaip | \
> > awk '{print $2} ' | \
> > grep /32$ | \
> > sed 's/\/32//' | \
> > sort | while read x; do
> >   ping -w 1 -c 1 $x 2>&1
> > done
> > 
> > and then each peer also pings the server's WG IP periodically.
> 
> i think that this is a different issue than the one paul has. are
> you aware that the "wgpka" option exists? (documented in ifconfig(8)).
> that might solve your problem.

could be a different issue FWIW.

yes, I am aware of and use wgpka, and yet the workaround still was
necessary.



Re: wireguard reconfiguration reliability

2024-03-20 Thread Kirill Miazine

Hi there

• Paul B. Henson [2024-03-20 05:40]:

> We're using wireguard to set up VPN connections from various systems
> deployed on-prem at customer sites to central openbsd boxes to route
> internal traffic between the remote boxes and the internal network.
> 
> After a fresh reboot with a given configuration, everything works great.
> The problem we have is when we later add or remove a remote system and
> try to reconfigure the wireguard interface on the central servers.
> 
> Sometimes the new system just won't work, or oddly the new system works
> fine but an existing system that was working breaks 8-/. When that
> happens, we generally have to reboot it, at which point everything
> works.

I've seen some issues too, but have not identified a reproducible
pattern. What I've seen, however, is that WG packets start flowing when
the other end of the connection pings back, so in my setup with a
central VPN server I make it ping all the peers' WG IP address periodically:

#!/bin/sh
ifconfig wg1 | \
grep wgaip | \
awk '{print $2} ' | \
grep /32$ | \
sed 's/\/32//' | \
sort | while read x; do
  ping -w 1 -c 1 $x 2>&1
done

and then each peer also pings the server's WG IP periodically.

> Occasionally ifconfig on the wg interface just wedges completely. When
> that happens, it won't reboot cleanly, we have to hard reset it.

I've seen lockups upon destroying wg interface, but not during normal
operations (i.e. leaving wg alone).

> Has anyone else seen this type of behavior? I'm not sure how common it
> is to have regular ongoing changes to wireguard like we are doing, so it
> might not pop up often.
> 
> Thanks much...
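The peer-ping loop above and the "-wgpeerall, then re-add from /etc/hostname.wg1" trick from the follow-up in this thread, combined into one script as an added example (not code from the thread). It adds a DRY_RUN switch so the ifconfig calls can be reviewed before they touch a live wg1, and folds the grep/awk/grep/sed/sort pipeline into one awk. Assumed: ifconfig(8) prints allowed IPs as "wgaip 10.9.0.2/32", peer lines in hostname.wg1 start with "wgpeer", and the interface name defaults to wg1.

```shell
#!/bin/sh
# Added example (not from the thread): flush and re-add wg peers from a
# hostname.if file, then ping every /32 peer so traffic starts flowing.
# Assumes OpenBSD ifconfig(8) output like "wgaip 10.9.0.2/32" and peer
# lines starting with "wgpeer"; DRY_RUN=1 prints commands instead.

IFACE=${IFACE:-wg1}
DRY_RUN=${DRY_RUN:-0}

# Run a command, or with DRY_RUN=1 just print it (one word per argument).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Print the "wgpeer ..." lines of a hostname.if(5) file read from stdin,
# dropping comments, blank lines and leading whitespace.
wg_peer_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' | grep '^wgpeer '
}

# From ifconfig(8) output on stdin, print each /32 allowed IP without
# its prefix length, sorted and de-duplicated (the thread's pipeline as
# a single awk program).
wg_peer_ips() {
    awk '$1 == "wgaip" && $2 ~ /\/32$/ { sub(/\/32$/, "", $2); print $2 }' |
        sort -u
}

# Flush every peer, then re-add the peers listed in the given hostname.if
# file, leaving the interface itself (key, port, addresses) untouched.
wg_readd_peers() {
    run ifconfig "$IFACE" -wgpeerall
    wg_peer_lines < "$1" | while read -r line; do
        # $line is deliberately unquoted: ifconfig wants the words split
        run ifconfig "$IFACE" $line
    done
}

# Ping each /32 peer once; a peer that does not answer must not stop the
# loop, it is just reported.
wg_ping_peers() {
    ifconfig "$IFACE" | wg_peer_ips | while read -r ip; do
        run ping -w 1 -c 1 "$ip" 2>&1 || printf 'no reply from %s\n' "$ip"
    done
}

# Usage, e.g. from cron: "DRY_RUN=1 sh wgpeers.sh /etc/hostname.wg1" shows
# what would run; without DRY_RUN it re-adds the peers and pings them.
if [ $# -gt 0 ]; then
    wg_readd_peers "$1"
    wg_ping_peers
fi
```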





Re: -current firefox segfault: pledge "", syscall 289

2024-01-26 Thread Kirill Miazine
here's how I can reproduce it here -- just by opening 
https://domene.shop/login page and waiting some seconds:


$ firefox https://domene.shop/login
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: 
CompositorBridgeChild receives IPC close with reason=AbnormalShutdown 
(t=5.06002) [GFX1-]: CompositorBridgeChild receives IPC close with 
reason=AbnormalShutdown

Exiting due to channel error.
Abort trap (core dumped)

should mention that this is inside Xvnc, and the vnc log has an additional
error line:


PCRE2 library was built without JIT support

maybe Xvnc -- or PCRE -- are somehow contributing here

• Kirill Miazine [2024-01-26 16:23]:

> Most recent package on amd64 snapshot from yesterday:
> 
> OpenBSD 7.4-current (GENERIC.MP) #1625: Thu Jan 25 09:16:39 MST 2024
> 
> gdb says
> 
> [...]
> #0  shmget () at /tmp/-:2
> 2   /tmp/-: No such file or directory.
>  in /tmp/-





-current firefox segfault: pledge "", syscall 289

2024-01-26 Thread Kirill Miazine
Most recent package on amd64 snapshot from yesterday:

OpenBSD 7.4-current (GENERIC.MP) #1625: Thu Jan 25 09:16:39 MST 2024

gdb says

[...]
#0  shmget () at /tmp/-:2
2   /tmp/-: No such file or directory.
in /tmp/-



Re: How to access Xauthority for VNC Server

2024-01-03 Thread Kirill Miazine
Hello there

• Adam Retter [2024-01-02 23:14]:
> Apologies but I am a little bit unclear about how X authfiles should
> work in OpenBSD.
> 
> I have started with a fresh OpenBSD 7.4 install, and I opted to
> install the X Window System. My goal is to be able to export my
> display over VNC as I have no access to the mouse and keyboard of the
> machine.
> 
> I have installed the VNC Server software by running as root - pkg_add tigervnc
> 
> To be able to run the VNC Server, it needs access to the X Authority
> file. I want to ideally run the VNC Server under a non-root account. I
> have found an authority file under /etc/X11/xenodm/authdir/authfiles/
> however its name seems to be randomly decided each time xenodm is
> started during System boot. For example at present it is
> /etc/X11/xenodm/authdir/authfiles/A:0-r4dlnM but that will change if
> the system is rebooted.
> 
> To run the VNC Server, I think I need to execute something like the
> following command:
> 
> XAUTHORITY=/etc/X11/xenodm/authdir/authfiles/A:0-r4dlnM x0vncserver
> -display :0 -PasswordFile ~/.vnc/passwd
> 
> It is not clear to me how I can set this up so that x0vncserver can
> access the correctly named auth file each time the machine restarts,
> and also under which account it would be considered best practice to
> run x0vncserver... Should I run it under my user account, the `_x11`
> account, or an account created just for that purpose?
> Ideally the VNC Server would start during system startup also.
> 
> I also note that the auth files such as
> /etc/X11/xenodm/authdir/authfiles/A:0-r4dlnM are owned by the `_x11`
> account and group, and are only readable by the owner (mode 0600).
> 
> Please advise on the best way to set this up?

You might want to look at Xvnc rather than x0vncserver. Xvnc is started
by vncserver, which you can run as your normal user.

> Kind regards. Adam.

Here's a setup that used to work at some point, it could give you some
ideas. Note how vncserver is started in the user's tmux session -- this
way I can attach to it and see what is going on.

To run at startup, you could either add a line to rc.local, or (ab)use
crontab's @reboot facility.

In /etc/rc.local

echo -n ' VNC'
su -l  -c '/home//bin/runxvnc.sh 2>&1' >/dev/null &

Then in /home//bin/runxvnc.sh

#!/bin/sh
tmux new-session -d -s Xvnc \
  /usr/local/bin/vncserver :2 \
    -geometry 1920x1080 \
    -depth 32 \
    -fg \
    -xstartup ~/.vnc/xstartup \
    -interface 127.0.0.1 \
    -rfbport 5901 \
    -rfbauth ~/.vnc/passwd \
    -alwaysshared

And in ~/.vnc/xstartup

#!/bin/sh
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
export LC_CTYPE="en_US.UTF-8"
/usr/local/bin/startxfce4


> -- 
> Adam Retter
> 
> skype: adam.retter
> tweet: adamretter
> http://www.adamretter.org.uk
> 

-- 
-- Kirill Miazine 
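A check to go with the setup above, added here as an example (not part of the thread or of TigerVNC): it verifies that "-interface 127.0.0.1" really took effect, i.e. that every RFB (5900-5999) and X11 (6000-6063) listener on the box is bound to loopback, so port 5901 is only reachable through an SSH tunnel. It assumes the OpenBSD "netstat -an" column layout (proto, queues, local address as addr.port, foreign address, state); the sample it is tested against is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: report VNC (RFB, 5900-5999) and
# X11 (6000-6063) TCP listeners that are not bound to 127.0.0.1 or ::1.
# Assumes OpenBSD "netstat -an" layout: proto, Recv-Q, Send-Q, local
# address as addr.port, foreign address, state. Test input is constructed.

# Is $1 a port in one of the watched ranges (RFB :0-:99, X11 :0-:63)?
in_watched_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 5900 ] && [ "$1" -le 5999 ] && return 0
    [ "$1" -ge 6000 ] && [ "$1" -le 6063 ] && return 0
    return 1
}

# Read netstat output on stdin; print "proto addr port" for every TCP
# LISTEN socket in a watched range that is not bound to loopback. The
# port is what follows the last dot of the local address, the address is
# what precedes it ("*" for a wildcard bind).
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ".")
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print $1, addr, port
    }' | while read -r proto addr port; do
        in_watched_range "$port" || continue
        case "$addr" in
            127.0.0.1|::1) ;;
            *) printf '%s %s %s\n' "$proto" "$addr" "$port" ;;
        esac
    done
}

# Succeed only when nothing is exposed (stdin = netstat output).
listeners_ok() {
    [ -z "$(exposed_listeners)" ]
}

# Live check on the local box; the exit status suits cron or a
# monitoring hook.
check_vnc_bindings() {
    { netstat -an -f inet; netstat -an -f inet6; } | listeners_ok
}
```

Run check_vnc_bindings after vncserver has started; a non-zero exit means some RFB or X11 port answers on a non-loopback address.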



Re: OpenBSD 7.2 on VPS, routing via IPv6 gateway outside of interface prefix

2022-11-08 Thread Kirill Miazine
• Michal Šmucr [2022-11-08 01:30]:
> >
> > I'm sorry, I wasn't thinking very well.
> >
> > Have you tried using fe80::1%vio0 as the default IPv6 gateway?
> >
> 
> No need to be sorry, I am grateful for any ideas :)

Maybe you will find some further ideas in dmesg or /var/log/messages?



Re: OpenBSD 7.2 on VPS, routing via IPv6 gateway outside of interface prefix

2022-11-07 Thread Kirill Miazine
• Michal Šmucr [2022-11-08 00:09]:
> Thank you very much for the reply, Kirill.
> 
> > > try with
> > >
> > > route add -inet6 2001:db8:efef::1 -llinfo -link -static -iface vio0
> >
> > ... that is, try the above before you try to add 2001:db8:efef::1 as
> > default gateway.
> 
> I already tested something similar in my previous attempts with flags
> and link, but it also didn't work.

I'm sorry, I wasn't thinking very well.

Have you tried using fe80::1%vio0 as the default IPv6 gateway?



Re: OpenBSD 7.2 on VPS, routing via IPv6 gateway outside of interface prefix

2022-11-07 Thread Kirill Miazine
• Kirill Miazine [2022-11-07 13:36]:
[...]
> > $ ifconfig vio0 inet6 2001:db8:efef::d9e:18d2:b761:0/121
> > $ route add -inet6 default 2001:db8:efef::1
> > add net default: gateway 2001:db8:efef::1: Network is unreachable
> 
> try with
> 
> route add -inet6 2001:db8:efef::1 -llinfo -link -static -iface vio0

... that is, try the above before you try to add 2001:db8:efef::1 as
default gateway.

-- 
-- Kirill Miazine 



Re: OpenBSD 7.2 on VPS, routing via IPv6 gateway outside of interface prefix

2022-11-07 Thread Kirill Miazine
• Michal Šmucr [2022-11-07 13:02]:
[...]
> Hello to all,
> 
> I'm looking for possible opinions or advice regarding IPv6 setup at new VPS.
> Probably the most common approach is a VPS provider gives you /64
> prefix length with gateway within the subnet.
> Works everywhere, it's also the smallest usable prefix length for use
> with SLAAC.
> However in this case, the VPS has /121 prefix length and its gateway
> is outside of the subnet.
> Something like this:
> VPS IP: 2001:db8:efef::d9e:18d2:b761:0/121
> GW: 2001:db8:efef::1/48
[...]
> On OpenBSD I tried..
> 
> $ ifconfig vio0 inet6 2001:db8:efef::d9e:18d2:b761:0/121
> $ route add -inet6 default 2001:db8:efef::1
> add net default: gateway 2001:db8:efef::1: Network is unreachable

try with

route add -inet6 2001:db8:efef::1 -llinfo -link -static -iface vio0

> Well, that sounds logical. So I tried to tell how to reach the gateway first.
> It should be directly accessible, so after few failed attempts and
> digging in man page
> I thought the -iface modifier with the local address of the interface
> as destination should do the trick.
> $ route add -inet6 2001:db8:efef::1 2001:db8:efef::d9e:18d2:b761:0 -iface
> $ ping6 2001:db8:efef::1
> PING 2001:db8:efef::1 (2001:db8:efef::1): 56 data bytes
> ping6: sendmsg: Invalid argument
> 
> ehh.. no dice
> I tried a couple of other things, like adding an additional network
> route to /48 prefix, and experimenting with some additional flags,
> when adding. But it never worked.
> 
> Is it impossible to achieve?
> Like without the equivalent of Linux noprefixroute option, there will
> always be an already automatically declared offending route.
> Or do I have some mistakes there?
> 
> Thank you,
> 
> Michal
> 

-- 
-- Kirill Miazine 



use 307 for redirect in the example httpd.conf

2022-01-27 Thread Kirill Miazine
Hi, list

Currently, /etc/examples/httpd.conf uses HTTP 302 to do a redirect.

According to
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/302, "even if
the specification requires the method (and the body) not to be altered
when the redirection is performed, not all user-agents conform here
- you can still find this type of bugged software out there. It is
therefore recommended to set the 302 code only as a response for GET or
HEAD methods and to use 307 Temporary Redirect instead, as the method
change is explicitly prohibited in that case."

The only difference between 307 and 302 is that 307 guarantees that the
method and the body will not be changed when the redirected request is
made. With 302, some old clients were incorrectly changing the method to
GET: the behavior with non-GET methods and 302 is then unpredictable on
the Web, whereas the behavior with 307 is predictable. For GET requests,
their behavior is identical.

Wouldn't it be better to use 307 in the example httpd.conf?

-- 
-- Kirill Miazine 



6.6-beta - startup suspends until display is connected

2019-09-22 Thread Kirill Miazine
Hi, list

On my box running snapshots I'm observing the following: startup suspends
until a display is connected. I've connected displays via HDMI and DP.

I couldn't identify for sure where this happens, but looks like the
hang comes after disks are mounted. Once display is connected, kbd is
set and dhclient is run. Again, it's difficult to tell exactly, as it
takes a moment or two for the picture to appear.

On 6.5 (and before) it could run headless without issues. In fact,
I have a similar box with 6.5 acting as file server in my parents' home.

Any ideas where I could look further to debug?

dmesg below:


Re: Performance issues as KVM guest?

2018-01-11 Thread Kirill Miazine
* Kent Watsen [2018-01-11 17:38]:
[...]
> > > Since my hosting provider https://www.bytemark.co.uk/cloud-hosting/
> > > patched for Meltdown last weekend I'm seeing significant performance
> > > issues with an OpenBSD virtual instance there. It seems okay after a
> > > fresh reboot but then progressively returns to being very slow: for
> > > example "sleep 1" may take four seconds, then five, six, seven, then
> > > rather more. Curiously it does tend to be an integral multiplier.
> > > 
> > > I wondered, is anybody else seeing significant performance problems with
> > > OpenBSD (or other BSDs) virtual instances since Meltdown patching? Is
> > > there anything to tweak at my end or am I reliant on the provider?
> > > 
> > > -- Mark
> > > 
> > There are a ton of threads talking about this issue, and it's not meltdown
> > specific. Please search the archives.
> > 
> > -ml
> > 
[...]
> Also, Mark, could you say some more about the issue.  For instance, how long
> after a reboot does it take until you start to notice the issue, and how
> quickly does it get worse?

I'm another customer of Bytemark experiencing the same issue. I'm taking
care of one VM there and I'm primarily noticing it in two situations:
sleep() takes a long time (e.g. sleep(1) might take up to 40 seconds)
and the clock slows down.

Right now, 9 hours after reboot, the clock on VM is 3 hours behind real
clock. And sleep(1) takes 13 secs:

km@buildfarm ~ $ time sleep 1
0m13.85s real 0m00.00s user 0m00.01s system

This all started after the host was patched and VM rebooted.

Bytemark guys are looking at the issue and doing their own debugging.
Here're findings so far:

I spun a few OpenBSD VMs up and left them overnight - looks like the
clock isn't drifting but there's still the 'time sleep 1' issue.
My testing results seemed to concur with User_4574's, virtio was slowing
down only a few minutes after a fresh install whereas compatibility
would stick at 1s, jump to 2s, etc.

> 
> Thanks,
> Kent
> 

-- 
-- Kirill Miazine <k...@krot.org>



Re: Xen based VPS / OpenBSD 6.2 / OpenVPN 2.4.4 => Slow download speed after upgrade

2017-10-31 Thread Kirill Miazine
> * [4] https://www.openbsd.org/62.html - search for "Generic network
> stack improvements"
> 

-- 
-- Kirill Miazine <k...@krot.org>



Re: multiple relays in smtpd.conf

2017-08-02 Thread Kirill Miazine
* Eric Faurot [2017-08-02 13:24]:
> On Wed, Aug 02, 2017 at 11:44:47AM +0200, Christian Gut wrote:
>> Hi List,
>>
>> is it possible to have multiple relays (you might want to say smart hosts)
>> in smtpd?
>>
>> I currently use the following line:
>>
>> accept from local for any relay via smarthost.example.org 
>>
>> Now I would like to have multiple smart hosts in there for backup reasons,
>> if one of the smart hosts is in maintenance. Is something like this
>> possible?
>>
>> accept from local for any relay via { smarthost1.example.org 
>> , smarthost2.example.org 
>>  }
>>
>> Kind Regards,
>> Christian
>>
> It's not possible at the moment.  There is ongoing work to support this
> feature, along with other improvements. But it's quite a big change, and we
> can't give an ETA right now.

what about defining a new name in DNS containing addresses of all
smarthosts as a workaround for the OP for now?

> Eric.
>



Re: Recommendation on OpenBSD host

2017-07-26 Thread Kirill Miazine
* i3j...@airmail.cc [2017-07-26 01:01]:
> Hey list. I need a server to host a very simple website.
> I've been looking for a OpenBSD host that offers 'full' control
> over the machine though SSH. Anyone has recommendations?
> My needs: simple low traffic httpd(8) website (no javascript),
> even a Core2Duo, 2GB of RAM and a HDD with space to install
> base system (without Xenocara, of course) would be enough.
> I can't do it on some random laptop because I need it to be
> anonymous (it will have sensitive journalistic information[*]).
> Ideally that accept cryptocoins (dashcoin or plain bitcoin) and
> from a country like Romania or Iceland, because of their historic
> free-speech protection (again, *ideally*).
> I see the people from Libreboot have a project to build a host,
> but I don't think they support OpenBSD yet and I think they never
> will... because of Stallmanism BS ("closed firmware == blob").

Host1.no will let you run OpenBSD in a VM. They accept bitcoins and have
several "sensitive" clients (one is very well-known). Host1 also have
a "cloud" platform called cloud1.no, it runs on rather old Xen, but
thanks to great efforts of Mike B, OpenBSD works fine there as well.
Installation is not straightforward, though, but it is doable... Host1
will also let you rent a dedicated box, if you need it.

Or you could get a cheap 55 EUR dedicated box at Blix
(https://www.blix.com/servers), who is also great, but Blix won't accept
BTC AFAIC.

Host1 and Blix are based in Norway.



Re: httpd and URL rewriting

2017-07-06 Thread Kirill Miazine
* Scott Vanderbilt [2017-07-06 09:25]:
> I am investigating the feasibility of migrating a RESTful webapp currently
> hosted on nginx and 6.1-current to use httpd. Naturally, such an application
> requires a URL-rewriting facility.

Does it really *require* URL rewriting?

> Perusing the httpd.conf(5) and httpd(8) man pages, this list's archive, and
> Google, I see nothing that indicates this is possible. Of course, I know you
> can redirect from within httpd, but that's obviously not the sort of behavior
> an app like this requires.
> 
> I am encouraged by reyk@'s post to tech on 20 June 2015 wherein he says
> "Here is a diff that adds pattern matching to httpd, allowing rewrites with
> redirects." But that last bit is kind of ambiguous about whether rewrites
> independent of redirects can be achieved.
> 
> Might anyone know whether this can be accomplished and how?

Below is a working config for https://uptime.is/. You can put an uptime
percentage after the slash, and it will work without a redirect. In
addition, I made some redirects from common names to percents.
Config:

[...]
location "/" {
    fastcgi
    root "/htdocs/uptime/simple.cgi"
}
location match "^/%d+[,%.]?%d*$" {
    fastcgi
    root "/htdocs/uptime/simple.cgi"
}
location "/three-nines" {
    block return 302 "/99.9"
}
[...]

The CGI script inspects the environment variable PATH_INFO.

> Many thanks.

-- 
-- Kirill Miazine <k...@krot.org>



Re: tlsv1 alert decrypt error

2017-03-02 Thread Kirill Miazine

* Kirill Miazine [2017-03-02 16:46]:

> * Kirill Miazine [2017-03-02 13:28]:
> 
> > Hi, list
> > 
> > Recently I've noticed a number of error messages in my Exim mail log:
> > 
> >  TLS error on connection from mx1.slc.paypal.com (mx0.slc.paypal.com)
> > [173.0.84.226] \
> >  (SSL_accept): error:1403741B:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert
> > decrypt error
> >  TLS client disconnected cleanly (rejected our certificate?)
> > 
> > [...]
> > 
> > The system is a couple of days old snapshot. The system used to run 6.0
> > until recently, I was tempted to upgrade now that DNSSEC support in the
> > resolver has appeared.
> 
> the Norwegian Unix User Group's server skapet has a snapshot dated 4th
> February 2017 and has also seen traces of the issue:
> 
> 16:38 < pitrh> 2017-03-02 02:09:50 TLS error on connection from
> mx0.phx.paypal.com
>   [66.211.168.230] (SSL_accept): error:14FFF41B:SSL
> routines:SSL_internal:tlsv1
>   alert decrypt error
> [...]
> 16:38 < pitrh> 2017-02-24 14:00:44 TLS error on connection from
> (mailbanderolepub.com)
>   [81.56.249.123] (SSL_accept): error:14FFF41B:SSL
> routines:SSL_internal:tlsv1
>   alert decrypt error


This is related to LibreSSL: I've rebuilt Exim with OpenSSL from the
openssl-1.0.2k package and forced an email from PayPal (another 10 EUR
to the foundation). The email arrived just fine...

Received: from mx0.slc.paypal.com ([173.0.84.225])
   by mail.krot.org with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
   (Exim 4.89_RC7)
   (envelope-from <serv...@paypal.com>)
   id 1cjZnX-000Gru-TS
   for k...@krot.org; Fri, 03 Mar 2017 00:06:12 +0100

-- 
-- Kirill Miazine <k...@krot.org>



Re: tlsv1 alert decrypt error

2017-03-02 Thread Kirill Miazine

* Kirill Miazine [2017-03-02 13:28]:

> Hi, list
> 
> Recently I've noticed a number of error messages in my Exim mail log:
> 
>   TLS error on connection from mx1.slc.paypal.com (mx0.slc.paypal.com)
> [173.0.84.226] \
>   (SSL_accept): error:1403741B:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert
> decrypt error
>   TLS client disconnected cleanly (rejected our certificate?)
> 
> [...]
> 
> The system is a couple of days old snapshot. The system used to run 6.0
> until recently, I was tempted to upgrade now that DNSSEC support in the
> resolver has appeared.


the Norwegian Unix User Group's server skapet has a snapshot dated 4th
February 2017 and has also seen traces of the issue:

16:38 < pitrh> 2017-03-02 02:09:50 TLS error on connection from 
mx0.phx.paypal.com
   [66.211.168.230] (SSL_accept): error:14FFF41B:SSL 
routines:SSL_internal:tlsv1
   alert decrypt error
[...]
16:38 < pitrh> 2017-02-24 14:00:44 TLS error on connection from 
(mailbanderolepub.com)
   [81.56.249.123] (SSL_accept): error:14FFF41B:SSL 
routines:SSL_internal:tlsv1
   alert decrypt error


dmesg follows:

[...]



tlsv1 alert decrypt error

2017-03-02 Thread Kirill Miazine

Hi, list

Recently I've noticed a number of error messages in my Exim mail log:

   TLS error on connection from mx1.slc.paypal.com (mx0.slc.paypal.com) 
[173.0.84.226] \
   (SSL_accept): error:1403741B:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert 
decrypt error
   TLS client disconnected cleanly (rejected our certificate?)

(PayPal is trying to deliver a receipt for my monthly donation to the
OpenBSD Foundation, which is on the 1st day of the month.)

I managed to get a packet dump for the error (different host, not
paypal, but same error): https://beebox.krot.org/port25dump.tgz

The system is a couple of days old snapshot. The system used to run 6.0
until recently, I was tempted to upgrade now that DNSSEC support in the
resolver has appeared.

Any clues on what might be wrong here?

dmesg follows:

OpenBSD 6.0-current (GENERIC.MP) #201: Tue Feb 28 09:58:00 MST 2017
   dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1056808960 (1007MB)
avail mem = 1020166144 (972MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf6a10 (9 entries)
bios0: vendor SeaBIOS version "rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org" date 04/01/2014
bios0: QEMU Standard PC (i440FX + PIIX, 1996)
acpi0 at bios0: rev 0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP APIC HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Westmere E56xx/L56xx/X56xx (Nehalem-C), 2200.32 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,HV,NXE,LONG,LAHF,ARAT
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 1000MHz
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 11, 24 pins
acpihpet0 at acpi0: 1 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
"ACPI0006" at acpi0 not configured
"PNP0303" at acpi0 not configured
"PNP0F13" at acpi0 not configured
"PNP0700" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"QEMU0002" at acpi0 not configured
"PNP0A06" at acpi0 not configured
pvbus0 at mainbus0: KVM
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 0 int 11
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Bochs VGA" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio0: address 52:54:00:eb:1d:ce
virtio0: msix shared
eap0 at pci0 dev 4 function 0 "Ensoniq AudioPCI" rev 0x00: apic 0 int 11
audio0 at eap0
midi0 at eap0: 
virtio1 at pci0 dev 5 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio1
scsibus1 at vioblk0: 2 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI3 0/direct fixed
sd0: 51200MB, 512 bytes/sector, 104857600 sectors
virtio1: msix shared
virtio2 at pci0 dev 6 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk1 at virtio2
scsibus2 at vioblk1: 2 targets
sd1 at scsibus2 targ 0 lun 0:  SCSI3 0/direct fixed
sd1: 2097152MB, 512 bytes/sector, 4294967296 sectors
virtio2: msix shared
virtio3 at pci0 dev 7 function 0 "Qumranet Virtio Memory" rev 0x00
viomb0 at virtio3
virtio3: apic 0 int 11
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 1: density unknown
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
vmm at mainbus0 not configured
uhidev0 at uhub0 port 1 configuration 1 interface 0 "QEMU QEMU USB Tablet" rev 2.00/0.00 addr 2
uhidev0: iclass 3/0
ums0 at uhidev0: 3 buttons, Z dir
wsmouse1 at ums0 mux 0
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (84faadf7d7f0d9a3.a) swap on sd0b dump on sd0b
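A note on reading that log line, with an added example that is not part of the original post or of Exim. "tlsv1 alert decrypt error" returned from SSL_accept() is the server-side view of an alert the *client* sent; the OpenSSL state name ACCEPT_SR_KEY_EXCH says the server had already sent its own key exchange and was waiting to read the client's, which is why Exim follows up with "TLS client disconnected cleanly". RFC 5246 defines decrypt_error (code 51) as a failed handshake cryptographic operation, typically a signature that did not verify, so at that point in the handshake the likely candidate is the client rejecting the server's signature over the ServerKeyExchange parameters. The small decoder below splits one direction of a captured TCP stream into TLS records and names any alert it finds, which is how one would confirm from a dump like the one linked above which side sent what. The capture itself is not available offline, so the byte strings at the bottom are constructed samples.

```python
"""Decode raw TLS records and name the alert a peer sent.

Added example, not code from the original post or from Exim/LibreSSL.
Feed it the client->server bytes of a capture (e.g. extracted with
tcpflow or Wireshark's "Follow TCP Stream" raw export) to see whether the
client answered the server's key exchange with an alert.
"""
import struct

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23

ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions from RFC 5246 section 7.2 (subset; 112 is from RFC 6066)
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    80: "internal_error", 112: "unrecognized_name",
}
# Handshake message types from RFC 5246 section 7.4 (subset)
HANDSHAKE_TYPES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    12: "ServerKeyExchange", 14: "ServerHelloDone",
    16: "ClientKeyExchange", 20: "Finished",
}


def parse_records(stream):
    """Split one direction of a TCP stream into (type, version, payload) tuples."""
    records, off = [], 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError(f"truncated record header at offset {off}")
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", stream[off:off + 5])
        if ctype not in (CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA):
            raise ValueError(f"not a TLS record at offset {off}")
        payload = stream[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError(f"truncated record body at offset {off}")
        records.append((ctype, (vmaj, vmin), payload))
        off += 5 + length
    return records


def describe_alert(payload):
    """Map a 2-byte alert body to names such as ('fatal', 'decrypt_error')."""
    if len(payload) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = payload[0], payload[1]
    return (ALERT_LEVELS.get(level, f"level{level}"),
            ALERT_DESCRIPTIONS.get(desc, f"alert{desc}"))


def handshake_types(payload):
    """Name the handshake messages packed into one plaintext handshake record."""
    names, off = [], 0
    while off < len(payload):
        mtype = payload[off]
        mlen = int.from_bytes(payload[off + 1:off + 4], "big")
        names.append(HANDSHAKE_TYPES.get(mtype, f"type{mtype}"))
        off += 4 + mlen
    return names


def summarize(stream):
    """One line per record, e.g. 'alert fatal decrypt_error'."""
    out = []
    for ctype, _ver, payload in parse_records(stream):
        if ctype == ALERT:
            out.append("alert %s %s" % describe_alert(payload))
        elif ctype == HANDSHAKE:
            out.append("handshake " + ",".join(handshake_types(payload)))
        else:
            out.append({CHANGE_CIPHER_SPEC: "change_cipher_spec",
                        APPLICATION_DATA: "application_data"}[ctype])
    return out


# Constructed samples, not bytes from the post's capture:
# server -> client: a ServerHelloDone (type 14, zero-length body) in one record
SERVER_TAIL = bytes([HANDSHAKE, 3, 3, 0, 4, 14, 0, 0, 0])
# client -> server: fatal (2) decrypt_error (51) instead of a ClientKeyExchange
CLIENT_REPLY = bytes([ALERT, 3, 3, 0, 2, 2, 51])

if __name__ == "__main__":
    for direction, data in (("server->client", SERVER_TAIL),
                            ("client->server", CLIENT_REPLY)):
        for line in summarize(data):
            print(direction, line)
```

Only plaintext records are decoded; anything after ChangeCipherSpec is encrypted and shows up as opaque application_data or handshake records, but the alert of interest here is sent before that point, so it is visible in the clear.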



RES_USE_EDNS0 and RES_USE_DNSSEC in libc resolver

2017-01-22 Thread Kirill Miazine

Hi, list

Having spent several hours trying to find out whether RES_USE_DNSSEC actually does anything on OpenBSD, I have to ask for help...

I'm actually debugging DNSSEC in Exim, which sets both RES_USE_EDNS0 and
RES_USE_DNSSEC options, sends queries to a local resolver that does
validations (I can confirm this with dig), but when res_search() is run,
the responses come without AD/DO set... I thought that this is strange.
So I dived into src/lib/libc/asr code (I started elsewhere, but my
searches took me there) and it looks like neither RES_USE_EDNS0 nor
RES_USE_DNSSEC does anything.

Is that the right conclusion?

--
   -- Kirill Miazine <k...@krot.org>
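An added example, not code from the original post or from OpenBSD's asr: one way to see what a validating resolver actually returns, independently of libc, is to build the query by hand with the EDNS0 OPT record and its DO bit (RFC 6891) plus the AD bit in the header (RFC 6840 section 5.7), then read the AD bit in the reply. The result can be compared with the flags in the buffer res_search() hands back after RES_USE_EDNS0 | RES_USE_DNSSEC are set, or with `dig +dnssec`. The resolver address and the name queried are placeholders; the reply used in the checks is a constructed message.

```python
"""Send a DNS query with EDNS0 DO set and read the AD bit in the reply.

Added example, not from the original post. Wire formats follow RFC 1035
(header, question), RFC 6891 (OPT record, DO flag) and RFC 4035 (AD bit).
The resolver address 127.0.0.1 is an assumption.
"""
import os
import socket
import struct
import sys

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
OPT_DO = 0x8000  # high bit of the 16-bit flags carried in the OPT TTL field


def encode_name(name):
    """'krot.org' -> b'\\x04krot\\x03org\\x00' (uncompressed wire form)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, dnssec=True, txid=None):
    """Query with RD (and AD, per RFC 6840 s5.7) in the header and an OPT RR with DO."""
    txid = struct.unpack("!H", os.urandom(2))[0] if txid is None else txid
    flags = FLAG_RD | (FLAG_AD if dnssec else 0)
    arcount = 1 if dnssec else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if dnssec:
        # OPT: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16) with DO set, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, OPT_DO, 0)
    return header + question + opt


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def parse_flags(msg):
    """Header flags of a DNS message plus the DO bit from its OPT record, if any."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F,
            "do": False, "answers": an}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            info["do"] = bool(ttl & OPT_DO)
        off += 10 + rdlen
    return info


def ask(name, server="127.0.0.1", timeout=2.0):
    """Send the query over UDP and return the parsed flags of the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_flags(reply)


if __name__ == "__main__":
    print(ask(sys.argv[1] if len(sys.argv) > 1 else "openbsd.org"))
```

If this prints `"ad": True` while the buffer from res_search() has AD clear, the difference is in what the stub resolver put on the wire (no OPT/DO, no AD in the query), which is exactly the question about asr above; a packet capture on port 53 while the application runs shows the same thing.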