Re: Acme-client error getting validation data when updating LetsEncrypt certs on 7.5

2024-04-15 Thread Mike Fischer
The location { … } block in the port 80 server is non-functional because all 
requests are redirected to HTTPS. Add a `pass` to make it functional. Note: if 
you do, you don’t need the corresponding location { … } block in the port 
443 server any more.

Also, instead of:
>  block return 301 "https://www-server.example.com$REQUEST_URI"
you could write:
  block return 301 "https://$HTTP_HOST$REQUEST_URI"

server "www-server.example.com" {
  listen on * port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
    pass
  }
  block return 301 "https://$HTTP_HOST$REQUEST_URI"
}

But those are just optimisations that don’t address your issue.

To start debugging the issue put a small test file into your /var/www/acme 
directory and test access using e.g. curl:

# echo 'test'>/var/www/acme/test

Preferably from a different host:
$ curl --url 'http://www-server.example.com/.well-known/acme-challenge/test' 


HTH
Mike

PS. see more comments below…

> On 15.04.2024 at 15:02, rea...@catastrophe.net wrote:
> 
> I started seeing an error where acme-client is not able to renew 
> Lets Encrypt certificates. I've tried on several different servers
> but they all display the same error: "Error getting validation data"
> 
> Is anyone else seeing the same behavior?
> 
> Here are my configurations; these have been working for a couple years
> now. Thanks in advance for any assistance.
> 
> 
> $ uname -a
> OpenBSD www-server 7.5 GENERIC#79 amd64
> 
> acme-client configuration
> -------------------------
> 
> authority letsencrypt {
>     api url "https://acme-v02.api.letsencrypt.org/directory"
>     account key "/etc/acme/letsencrypt-privkey.pem"
> }
> 
> authority letsencrypt-staging {
>     api url "https://acme-staging-v02.api.letsencrypt.org/directory"
>     account key "/etc/acme/letsencrypt-staging-privkey.pem"
> }
> 
> domain www-server.example.com {
>     domain key "/etc/ssl/private/www-server.example.com.key.pem"
>     domain full chain certificate "/etc/ssl/certs/www-server.example.com.chain.pem"
>     sign with letsencrypt
> }
> 
> 
> httpd configuration
> -------------------
> 
> server "www-server.example.com" {
>     listen on * tls port 443
>     tls {
>         certificate "/etc/ssl/certs/www-server.example.com.chain.pem"
>         key "/etc/ssl/private/www-server.example.com.key.pem"
>         protocols "TLSv1.3,TLSv1.2"
>     }
>     hsts {
>         max-age 31536000
>         preload
>         subdomains
>     }
>     log style combined
>     log { access "access.log", error "error.log" }
>     directory auto index
>     root "/htdocs/www"
>     location "/.well-known/acme-challenge/*" {
>         root "/acme"
>         request strip 2
>     }
> }
> 
> server "www-server.example.com" {
>     listen on * port 80
>     location "/.well-known/acme-challenge/*" {
>         root "/acme"
>         request strip 2
>     }
>     block return 301 "https://www-server.example.com$REQUEST_URI"
> }
> 
> 
> directory permissions for acme-client verification
> --------------------------------------------------
> 
> # find /var/www/htdocs/www/.well-known/ -ls
> 518754 drwxr-xr-x  3 w3admin staff 512 Mar 16  2022 /var/www/htdocs/www/.well-known/
> 518764 drwxr-xr-x  2 w3admin staff 512 Mar 16  2022 /var/www/htdocs/www/.well-known/acme-challenge

These directories are irrelevant. You want to look at: /var/www/acme as your 
location { … } block reroutes /.well-known/acme-challenge to /acme (in the 
/var/www chroot(2) environment).

/var/www/acme is there by default and it should have 755 root:daemon 
permissions.


> 
> 
> output of running the client manually
> -------------------------------------
> 
> # acme-client -v www-server.example.com
> acme-client: /etc/ssl/certs/www-server.example.com.chain.pem: certificate renewable: 29 days left
> acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
> acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
> acme-client: acme-v02.api.letsencrypt.org: DNS: 2606:4700:60:0:f53d:5624:85c7:3a2c
> acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/338785251177
> acme-client: challenge, token: iG6ptUbu8wblA1NcB36yC7PRi1-h-lXoMx4MAOn0CoE, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/338785251177/Efb4Qg, status: 0
> acme-client: /var/www/acme/iG6ptUbu8wblA1NcB36yC7PRi1-h-lXoMx4MAOn0CoE: created
> acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/338785251177/Efb4Qg: challenge
> acme-client: order.status 0
> acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/338785251177
> acme-client: challenge, token: iG6ptUbu8wblA1NcB36yC7PRi1-h-lXoMx4MAOn0CoE, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/338785251177/Efb4Qg, status: -1
> acme-client: order.status -1
> acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/338785251177
> acme-client: 203.0.113.51: Fetching 
> 

Re: New postfix-3.8.20221007p12 broken TLS for Gmail servers?

2024-02-03 Thread Mike Fischer


> On 03.02.2024 at 03:44, Brian Conway wrote:
> 
>> Why do you run such an outdated postfix snapshot?
> 
> That is the latest version that is supported/available in packages-stable:
> 
> https://cdn.openbsd.org/pub/OpenBSD/7.4/packages-stable/amd64/

While we have not encountered the TLS issue with Gmail (see below) we are in 
the same boat otherwise. postfix-3.8.20221007 seemed like the newest version a 
while back and so we are running that version. Going back to 3.7.9 seems like 
it may be a partial step backwards.

Meanwhile Postfix 3.8.5 (along with versions 3.7.10, 3.6.14, 3.5.24) seem to 
have become stable releases [1], but alas there are no OpenBSD ports for these 
versions yet.

So instead of directing people to the older stable release version 3.7.9 maybe 
a better plan would be to eventually create a port for 3.8.5?


BTW: On OpenBSD 7.4-stable amd64 using postfix-3.8.20221007p12 I was able to 
send and receive emails to/from Gmail without problems. So maybe Mark has some 
sort of configuration issue? Note however that we are not using the 
-sasl2-mysql flavor of the port so that might make a difference?


Mike

[1] https://www.postfix.org/announcements/postfix-3.8.5.html



Re: Script doesn't stop opensearch

2024-01-03 Thread Mike Fischer


> On 04.01.2024 at 00:06, Mik J wrote:
> 
> However when I want to stop the process
> # /etc/rc.d/opensearch stop
> Nothing happens

try:
# rcctl stop opensearch

You are not supposed to ever call the /etc/rc.d/* scripts directly.


HTH
Mike



Re: OpenBSD_one_site_web_hosting_software_recommendation

2023-11-09 Thread Mike Fischer
Yep, WordPress is doable. I’ve never used Joomla, so I can’t say for sure.

One thing to note is that OpenBSD httpd does not have the .htaccess mechanism. 
So sites relying on Apache httpd .htaccess features might need some thought. 
OTOH there is a port for Apache httpd…


HTH
Mike

> On 09.11.2023 at 12:58, Peter N. M. Hansteen wrote:
> 
> On Thu, Nov 09, 2023 at 12:38:27PM +0100, soko.tica wrote:
>> I have a task to launch from scratch one site web hosting google cloud
>> instance.
>> 
>> I know OpenBSD does have httpd web server, but I couldn't have found
>> neither wordpress nor joomla software neither in packages nor in ports (7.4
>> -stable).
>> 
>> Is there a possibility to launch wordpress or joomla on such an instance on
>> OpenBSD? Which manpages should I read?
> 
> You're probably right that those systems do not come pre-packaged for OpenBSD.
> 
> But simple web search on "wordpress on openbsd httpd" and "joomla on openbsd 
> httpd"
> yields enough seemingly relevant hits that I strongly suspect both are doable.
> 
> I have not tried either myself, though.
> 
> -- 
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> 




Re: mount softdep — does it improve the situation for unexpected shutdowns?

2023-11-05 Thread Mike Fischer
Thanks! End of discussion ;-)

(Except for a potential update of the man page.)


Mike

> On 05.11.2023 at 19:39, Martin Schröder wrote:
> 
> On Sun., 5 Nov. 2023 at 19:33, Mike Fischer wrote:
>> However the default /etc/fstab does not make use of it.
> 
> From the 7.4 release notes:
> --
> Make the softdep mount(8) option a no-op. Softdep was a
>  significant impediment to improving the vfs layer.
> --
> 
> Methinks the man page could mention that.
> 
> Best
>Martin
> 




mount softdep — does it improve the situation for unexpected shutdowns?

2023-11-05 Thread Mike Fischer
OpenBSD 7.4 amd64

I have just noticed that mount(8) has a softdep option for FFS file systems. 
And I saw this:
https://en.wikipedia.org/wiki/Soft_updates
where OpenBSD is mentioned.

However the default /etc/fstab does not make use of it.

We have been discussing how to deal with unexpected system crashes/loss of 
power/etc. and found that with a probability of significantly greater than zero 
such an event will cause inconsistent file systems, sometimes irreparable, with 
data loss or worse with lurking modified files that may be noticed much later.

So I’d like to know if adding the softdep option for the FFS file systems in 
/etc/fstab would improve the situation? Is anyone using this?

Is there a reason it is not used by default?

I realise that no solution will be 100%. Backups, snapshots from a powered down 
machine (in the case of VMs), etc. will still be required. But at least 
improving the odds of surviving an unexpected reboot without file system sync 
would help, unless there are drawbacks I am not aware of.

I did see https://marc.info/?l=openbsd-misc&m=157537250901987&w=2
are the comments there still valid (for VMs using SSD storage)? Personally I 
would not mind a bit of memory usage and speed impact in exchange for a more 
robust system.


Thanks!
Mike



Re: What could cause high CPU load averages (no actual CPU usage)?

2023-10-25 Thread Mike Fischer


> On 25.10.2023 at 17:57, Theo de Raadt wrote:
> 
> Mike Fischer  wrote:
> 
>>> On 25.10.2023 at 17:29, Theo de Raadt wrote:
>>> 
>>> Mike Fischer  wrote:
>>> 
>>>> True. But like I said, this was noticed because of the sudden increase on 
>>>> the same (OpenBSD) machine without any obvious reason.
>>> 
>>> The reason is obvious.
>>> 
>>> You installed a completely different system.
>> 
>> No, there is a misunderstanding here. I have not been comparing OpenBSD load 
>> averages to those on any other OS.
> 
> No, it is *your misunderstanding*
> 
> We put no effort into maintaining stability of this damn number.

Ok, I realise that load average may be too irrelevant a measurement to take 
seriously. I admit that I thought this value was somewhat consistent in the 
context of a single running machine, but maybe I was wrong.


> We changed a lot of kernel scheduling code *without giving a damn about the
> stability of this number*

Fine, but you are not changing my running Kernel, are you?

Or are you saying that the load average does not carry *any* inherent 
information and is utterly useless? That would almost imply that this is a 
(poor) sort of random number generator.

OTOH years of monitoring this value (amongst many other measurements) on 
OpenBSD seems to indicate some correlation to what the machine is doing. But I 
get what you are saying: no guarantees.


> It is a different system.

To reiterate: I am measuring load averages on OpenBSD 7.4. On a running system 
I notice a sudden jump in the value which persists for several hours. That gets 
my attention because I can see no reason for this jump. So I’m trying to figure 
out the cause.

Please note that I am not going on the assumption that there is a bug or that 
something needs to be changed/fixed in OpenBSD. The jump may have had perfectly 
valid reasons. Or it may have been random with a low probability.

But given all of the feedback from this thread I’ll deprecate this part of my 
monitoring and switch to monitoring actual CPU activity (as reported by e.g. 
vmstat) in the hopes that these values are more accurate/consistent and that 
they better reflect the workload of the machine.


Thanks everyone!
Mike



Re: What could cause high CPU load averages (no actual CPU usage)?

2023-10-25 Thread Mike Fischer


> On 25.10.2023 at 19:01, Janne Johansson wrote:
> 
> > A process that is started every 5 seconds and exits after 10ms
> > computation can cause the load to go up by 1. It just matters if it runs
> > during the sampling time or not.  This is why the load average is not
> > accurate, it is an indication and if the value is below the number of CPUs
> > you may well see quantization errors.
> > 
> > So yes, maybe there is something going on but even top -s .1 -I will have a
> > hard time to show it to you. It may be too small of a blip to spot.
> 
> Ah, interesting. Any idea on how to measure/catch something like that? How 
> would one find such a process?
> 
> If you have such a process (and see "load 1.0" in top) you don't have a load 
> problem on this computer, so "finding" it becomes irrational.
> 
> This means that you are chasing a symptom but where you lack an actual 
> problem. If your cpu is busy 10ms every 5 seconds it is basically idle, and 
> the small percentage you see is totally within measurement error margins. But 
> load is a very bad measurement tool as previously stated in this thread.

No, the actual value is not an issue. The jump in values was what triggered my 
need to explore this. And yes, the machine in question does not have much 
actual workload normally.


Mike



Re: What could cause high CPU load averages (no actual CPU usage)?

2023-10-25 Thread Mike Fischer


> On 25.10.2023 at 17:59, Claudio Jeker wrote:
> 
> A process that is started every 5 seconds and exits after 10ms
> computation can cause the load to go up by 1. It just matters if it runs
> during the sampling time or not.  This is why the load average is not
> accurate, it is an indication and if the value is below the number of CPUs
> you may well see quantization errors.
> 
> So yes, maybe there is something going on but even top -s .1 -I will have a
> hard time to show it to you. It may be too small of a blip to spot.

Ah, interesting. Any idea on how to measure/catch something like that? How 
would one find such a process?


Thanks!
Mike



Re: What could cause high CPU load averages (no actual CPU usage)?

2023-10-25 Thread Mike Fischer


> On 25.10.2023 at 17:29, Theo de Raadt wrote:
> 
> Mike Fischer  wrote:
> 
>> True. But like I said, this was noticed because of the sudden increase on 
>> the same (OpenBSD) machine without any obvious reason.
> 
> The reason is obvious.
> 
> You installed a completely different system.

No, there is a misunderstanding here. I have not been comparing OpenBSD load 
averages to those on any other OS.

I have been comparing load averages on the same machine on the same running 
OpenBSD 7.4 to previous values on the exact same running machine. (I don’t give 
a hoot about how other OSes calculate similar values. That is irrelevant to my 
issue.)

I just want to figure out what would cause a mostly constant increase in load 
average for several hours without any apparent reason.


Thanks!
Mike



Re: What could cause high CPU load averages (no actual CPU usage)?

2023-10-25 Thread Mike Fischer


> On 25.10.2023 at 17:07, Theo de Raadt wrote:
> 
> Claudio Jeker  wrote:
> 
>> On Wed, Oct 25, 2023 at 11:57:54AM +0200, Mike Fischer wrote:
>>> I have been observing occasional bouts of high load averages on several
>>> servers I administer and I am trying to find the cause. (I monitor these
>>> machines so that I can implement corrective measures in case of any
>>> malicious or abnormal activity. I think this is benign, but I’d still
>>> like to find the cause.)
>>> 
>>> Once the high load average starts, only a reboot seems to (temporarily)
>>> return the values to their normal levels.
>>> 
>>> The actual CPU usage (as measured by vmstat) stays low even if the load
>>> average is elevated.
>>> 
>>> The servers are VMs running on a VMWare host (ESXi). This was seen with
>>> OpenBSD 7.3 and 7.4 amd64.
>>> 
>>> I can not determine anything inside the VM that causes this. There seems
>>> to be no correlation to pfstat(8) graphs, log entries, known events, or
>>> anything else I can determine. restarting all of the rc.d services never
>>> made any difference.
>>> 
>>> Could this be caused by something on the VMWare host machine? (The host
>>> seems to be operating at limit regarding RAM for example. But the VM is
>>> only using the normal percentage of its allocated RAM — way below 100%
>>> and very constant usage, no swap.)
>>> 
>>> How can I further debug this, keeping in mind that these are production
>>> machines and experimentation is limited to benign things that don’t
>>> cause outages.
>>> 
>> 
>> What is high? A high CPU load for me is in the order of 70+.
>> Please remember the CPU load average is a horrible leftover from tenex
>> days. The system just counts how many processes are runnable but it is a
>> very bad indicator of actual CPU load.
> 
> Furthermore, every operating system counts this in a different way.
> You might think there is only one way to count it.  Not at all.

True. But like I said, this was noticed because of the sudden increase on the 
same (OpenBSD) machine without any obvious reason. I am not implying that the 
value of 0.7 is in any way critical. Just that an increase from a long time 
load average of 0.0x to 0.7x is noteworthy. I have no issue when the load 
increases when a machine is handling requests or doing something I know about. 
But then the load should drop back to normal levels once the task is finished. 
That did not happen in the cases I’m trying to figure out.


Thanks!
Mike




Re: What could cause high CPU load averages (no actual CPU usage)?

2023-10-25 Thread Mike Fischer


> On 25.10.2023 at 14:32, Dave Voutila wrote:
> 
> 
> Mike Fischer  writes:
> 
>> I have been observing occasional bouts of high load averages on
>> several servers I administer and I am trying to find the cause. (I
>> monitor these machines so that I can implement corrective measures in
>> case of any malicious or abnormal activity. I think this is benign,
>> but I’d still like to find the cause.)
>> 
>> Once the high load average starts, only a reboot seems to (temporarily) 
>> return the values to their normal levels.
>> 
>> The actual CPU usage (as measured by vmstat) stays low even if the load 
>> average is elevated.
>> 
>> The servers are VMs running on a VMWare host (ESXi). This was seen with 
>> OpenBSD 7.3 and 7.4 amd64.
>> 
>> I can not determine anything inside the VM that causes this. There
>> seems to be no correlation to pfstat(8) graphs, log entries, known
>> events, or anything else I can determine. restarting all of the rc.d
>> services never made any difference.
>> 
>> Could this be caused by something on the VMWare host machine? (The
>> host seems to be operating at limit regarding RAM for example. But the
>> VM is only using the normal percentage of its allocated RAM — way
>> below 100% and very constant usage, no swap.)
>> 
>> How can I further debug this, keeping in mind that these are production 
>> machines and experimentation is limited to benign things that don’t cause 
>> outages.
>> 
> 
> Can you share a dmesg of one of the 7.4 vm? The output of `vmstat -iz`
> might help narrow it down to a stuck interrupt. Also, try running
> systat(1) and observe things as they happen.

dmesg follows. But the high load went away on the two affected machines. On one 
machine I did a reboot after installing the syspatches released today, on the 
other, which I left untouched on purpose, the load normalised by itself after 
almost a day. A third machine was not affected this time. So vmstat will 
probably not show anything interesting now:

The rebooted machine:
# vmstat -iz
interrupt                        total     rate
irq96/acpi0                          0        0
irq97/pciide0                   123004       10
irq98/pciide0                        0        0
irq114/em0                      118842        9
irq99/ppb2                           0        0
irq100/ppb3                          0        0
irq101/ppb4                          0        0
irq102/ppb5                          0        0
irq103/ppb6                          0        0
irq104/ppb7                          0        0
irq105/ppb8                          0        0
irq106/ppb9                          0        0
irq107/ppb10                         0        0
irq108/ppb11                         0        0
irq109/ppb12                         0        0
irq110/ppb13                         0        0
irq111/ppb14                         0        0
irq115/ppb15                         0        0
irq116/ppb16                         0        0
irq117/ppb17                         0        0
irq118/ppb18                         0        0
irq119/ppb19                         0        0
irq120/ppb20                         0        0
irq121/ppb21                         0        0
irq122/ppb22                         0        0
irq123/ppb23                         0        0
irq124/ppb24                         0        0
irq125/ppb25                         0        0
irq126/ppb26                         0        0
irq127/ppb27                         0        0
irq128/ppb28                         0        0
irq129/ppb29                         0        0
irq130/ppb30                         0        0
irq131/ppb31                         0        0
irq132/ppb32                         0        0
irq133/ppb33                         0        0
irq144/pckbc0                        0        0
irq145/pckbc0                        0        0
irq0/clock                     4894675      398
irq0/ipi                        378105       30
Total                          5514626      448
# 

The affected machine that I didn’t reboot:
# vmstat -iz
interrupt                        total     rate
irq96/acpi0                          0        0
irq97/pciide0                  2653816       21
irq98/pciide0                        0        0
irq114/em0                     2383849       19
irq99/ppb2                           0        0
irq100/ppb3                          0        0
irq101/ppb4                          0        0
irq102/ppb5                          0        0
irq103/ppb6                          0        0
irq104/ppb7                          0        0
irq105/ppb8                          0        0
irq106/ppb9                          0        0
irq107/ppb10                         0        0
irq108/ppb11                         0        0
irq109/ppb12

What could cause high CPU load averages (no actual CPU usage)?

2023-10-25 Thread Mike Fischer
I have been observing occasional bouts of high load averages on several servers 
I administer and I am trying to find the cause. (I monitor these machines so 
that I can implement corrective measures in case of any malicious or abnormal 
activity. I think this is benign, but I’d still like to find the cause.)

Once the high load average starts, only a reboot seems to (temporarily) return 
the values to their normal levels.

The actual CPU usage (as measured by vmstat) stays low even if the load average 
is elevated.

The servers are VMs running on a VMWare host (ESXi). This was seen with OpenBSD 
7.3 and 7.4 amd64.

I can not determine anything inside the VM that causes this. There seems to be 
no correlation to pfstat(8) graphs, log entries, known events, or anything else 
I can determine. restarting all of the rc.d services never made any difference.

Could this be caused by something on the VMWare host machine? (The host seems 
to be operating at limit regarding RAM for example. But the VM is only using 
the normal percentage of its allocated RAM — way below 100% and very constant 
usage, no swap.)

How can I further debug this, keeping in mind that these are production 
machines and experimentation is limited to benign things that don’t cause 
outages.


Thanks!

Mike



Re: Dokuwiki

2023-09-07 Thread Mike Fischer


> On 08.09.2023 at 00:38, latin...@vcn.bc.ca wrote:
> 
> Hello
> 
> Does somebody can help? OpenBSD 7.3 Dokuwiki
> # ps ax |grep dokuwiki
> 27461 p0  S+p  0:00.01 grep dokuwiki

DokuWiki is not a process. So the above does not make any sense.


> The error.log at /www/log is full of this messages and dokuwiki stop working:
> 
> Access to the script '/dokuwiki' has been denied (see
> security.limit_extensions)
…
> Access to the script '/dokuwiki' has been denied (see
> security.limit_extensions)
> 
> Thanks for your attention.

You need to show us the relevant server {} block in your /etc/httpd.conf 
(assuming that you are using httpd(8) as the web server).

The actual error message refers to the php-fpm setting, see 
https://www.php.net/manual/en/install.fpm.configuration.php#security-limit-extensions.
But feeding the path /dokuwiki to php-fpm does not make any sense, so the root 
cause is somewhere else.

Also you may want to take a look at https://www.dokuwiki.org/install:openbsd 
for some additional hints.


This is what a working httpd.conf could look like:
(You may want to replace the server name with an FQDN or add an alias setting. 
You would also need a port 80 host to redirect to https and to handle ACME 
certificate verification. But that is all standard web server stuff, not 
specific to DokuWiki.)

server "default" {
    listen on $my_ipv6 tls port 443

    tls {
        certificate "/etc/ssl/acme/fullchain.pem"
        key "/etc/ssl/acme/private/privkey.pem"
    }

    log style combined

    root "/dokuwiki"
    directory index doku.php

    # Default is 2M for upload_max_filesize and 8M for post_max_size.
    connection max request body 2097152

    location "/*.inc" { block }
    location "/*.ht*" { block }
    location "/data/*" { block }
    location "/conf/*" { block }
    location "/bin/*" { block }
    location "/inc/*" { block }
    location "/vendor/*" { block }

    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
}


Mike
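Added example, not from either message: a small shell emulation of httpd(8)'s location dispatch, used to check both the port 80 ACME challenge location from the acme-client thread above (with and without `pass`) and the DokuWiki block list in this reply. It assumes locations are tried in configuration order with the first glob match winning, that a location setting neither `pass` nor `block` inherits the server-level `block return`, and fnmatch-style globbing where `*` also matches `/`; paths are relative to the /var/www chroot.

```shell
#!/bin/sh
# Added example (not the thread's code): emulate how httpd(8) picks a
# location {} block for a request path and what it then does with it.
# Assumptions, not verified against httpd source: first matching location
# in configuration order wins; a location with neither `pass` nor `block`
# inherits the server-level `block return`; globs behave like fnmatch(3)
# without FNM_PATHNAME, which the shell's `case` globbing reproduces
# (httpd's case folding is not emulated).

# strip_components <n> <path>: what `request strip <n>` does to the path
strip_components() {
    n=$1 p=$2
    while [ "$n" -gt 0 ]; do
        p=${p#/}            # drop the leading slash
        p=/${p#*/}          # drop the first component, restore the slash
        n=$((n - 1))
    done
    printf '%s\n' "$p"
}

# resolve <server_action> <rules> <path>
#   rules: one "<glob>|<action>" per line in configuration order; actions:
#     inherit           location sets neither pass nor block
#     block             location { block }
#     fastcgi           location { fastcgi socket ... }
#     pass:<root>:<n>   location { root "<root>"; request strip <n>; pass }
#   server_action: redirect:<prefix> (block return 301 "<prefix>$REQUEST_URI")
#                  or serve:<root>
#   Prints "<verb> <target>": block, fastcgi, redirect <url> or serve <file>.
resolve() {
    server_action=$1 rules=$2 path=$3 action=
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        glob=${rule%%|*}
        case "$path" in
            $glob) action=${rule#*|}; break ;;   # first match wins (assumed)
        esac
    done <<EOF
$rules
EOF
    if [ -z "$action" ] || [ "$action" = inherit ]; then
        action=$server_action                    # no location, or inherited
    fi
    case "$action" in
        block)      printf 'block %s\n' "$path" ;;
        fastcgi)    printf 'fastcgi %s\n' "$path" ;;
        redirect:*) printf 'redirect %s%s\n' "${action#redirect:}" "$path" ;;
        serve:*)    printf 'serve %s%s\n' "${action#serve:}" "$path" ;;
        pass:*)     rest=${action#pass:}
                    printf 'serve %s%s\n' "${rest%%:*}" \
                        "$(strip_components "${rest#*:}" "$path")" ;;
    esac
}

# Port 80 server from the acme-client thread (constructed from that config):
# the location sets neither pass nor block, so it inherits the redirect ...
ACME_SERVER='redirect:https://www-server.example.com'
ACME_RULES_ORIGINAL='/.well-known/acme-challenge/*|inherit'
# ... and the suggested fix: the same location with `pass` added
ACME_RULES_FIXED='/.well-known/acme-challenge/*|pass:/acme:2'

# DokuWiki server from the reply above, block rules before the *.php rule
DOKU_SERVER='serve:/dokuwiki'
DOKU_RULES='/*.inc|block
/*.ht*|block
/data/*|block
/conf/*|block
/bin/*|block
/inc/*|block
/vendor/*|block
*.php|fastcgi'

# check_acme <rules>: where does an HTTP-01 challenge request end up?
check_acme() {
    resolve "$ACME_SERVER" "$1" /.well-known/acme-challenge/test
}
# check_doku <path>: what does the DokuWiki server do with <path>?
check_doku() {
    resolve "$DOKU_SERVER" "$DOKU_RULES" "$1"
}

for rules in "$ACME_RULES_ORIGINAL" "$ACME_RULES_FIXED"; do
    printf 'acme: %s\n' "$(check_acme "$rules")"
done
for p in /doku.php /lib/exe/fetch.php /conf/local.php /data/pages/start.txt \
         /.htaccess /inc/init.php /lib/tpl/dokuwiki/images/logo.png; do
    printf 'doku: %s\n' "$(check_doku "$p")"
done
```

Note that /conf/local.php is blocked only because the /conf/* rule precedes the *.php rule; with the order reversed it would be handed to php-fpm.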




Re: Dokuwiki

2023-08-23 Thread Mike Fischer


> On 23.08.2023 at 19:16, latin...@vcn.bc.ca wrote:

> I found the error, it is not OpenBSD, the first page after installation is
> in English, but if i change language to es, the link does not go to the
> wiki; it goes to the information web page.
> 
> Thanks.

Too little information to follow that. But I’m glad your initial issue seems to 
be fixed.


@Stuart:

> On 23.08.2023 at 13:37, Stuart Henderson wrote:
> 
> That would be a bug in the port, I'll fix it.

Thanks. I just verified that this issue exists in dokuwiki-2022.07.31ap0 and in 
dokuwiki-2023.04.04 in snapshots.

If you are touching this port, snapshots contains dokuwiki-2023.04.04, but 
Dokuwiki 2023-04-04a has been released a while ago.


Mike



Re: Dokuwiki

2023-08-22 Thread Mike Fischer


> On 23.08.2023 at 00:45, latin...@vcn.bc.ca wrote:
> 
> Hello
> 
> I have installed dokuwiki on OBSD 7.3, but i can not run install.php from
> my Browser.
> 
> php 8.1 is running.
> 
> Permissions after installation:
> 
> ls -la /var/www/dokuwiki/
> total 240
> drwxr-xr-x   8 root  daemon    512 Aug 22 22:20 .
> drwxr-xr-x  13 root  daemon    512 Aug 22 09:32 ..
> -rw-r--r--   1 root  daemon   1688 Aug 22 22:20 .htaccess
> -rw-r--r--   1 root  bin      1688 Sep  3  2022 .htaccess.dist
> -rw-r--r--   1 root  bin     18092 Sep  3  2022 COPYING
> -rw-r--r--   1 root  bin       308 Sep  3  2022 README
> -rw-r--r--   1 root  bin       918 Sep  3  2022 SECURITY.md
> -rw-r--r--   1 root  bin        19 Sep  3  2022 VERSION
> drwxr-xr-x   2 root  daemon    512 Aug 22 22:20 bin
> -rw-r--r--   1 root  bin      1356 Sep  3  2022 composer.json
> -rw-r--r--   1 root  bin     22553 Sep  3  2022 composer.lock
> drwxr-xr-x   2 www   daemon    512 Aug 22 22:20 conf
> drwxr-xr-x  13 www   daemon    512 Aug 22 22:20 data
> -rw-r--r--   1 root  bin      3644 Sep  3  2022 doku.php
> -rw-r--r--   1 root  bin     20010 Sep  3  2022 feed.php
> drwxr-xr-x  22 root  daemon   1536 Aug 22 22:20 inc
> -rw-r--r--   1 root  bin      2537 Sep  3  2022 index.php
> -rwxr-xr-x   1 root  bin     20741 Sep  3  2022 install.php
> drwxr-xr-x   8 root  daemon    512 Aug 22 22:20 lib
> drwxr-xr-x  11 root  daemon    512 Aug 22 22:20 vendor
> 
> Browser message:
> 
> DokuWiki Setup Error
> 
> The logdir ('log') at ./data/log is not found, isn't accessible or
> writable. You should check your config and permission settings. Or maybe
> you want to run the installer?
> 
> 
> What could be wrong please?

For DokuWiki to be able to run the install.php script the web browser (or more 
precisely PHP as running from the web browser) needs to have certain 
permissions.

Generally the web browser (and PHP) will run as user www. So in order for the 
./data/log directory to be used, permissions need to allow the creation of files 
and directories therein. The default package install currently does this 
however:
 2 drwxr-xr-x   2 root  daemon    512 Jul 26 00:52 log/

Just chown www ./data/log and it should work.

See also: https://www.dokuwiki.org/install:permissions

HTH
Mike



Re: Maintaining multiple PHP-FPM versions on the same host

2023-07-10 Thread Mike Fischer
I’ll answer both of your replies here. But please note that Stuart provided the 
feedback I needed so from my point of view this issue is closed.


> On 10.07.2023 at 14:30, Daniele B. wrote:
> 
> However, I passed a small amount of time with 5.6 and 7.3 from source loading 
> together.
> In both cases I was using init.d scripts, that I can pass you.

init.d is not an OpenBSD thing. And my issue is not running multiple versions 
of PHP but configuring things so they don’t break when updates are installed.


> Take it AS-IS, I do not want to recommend BSD subsystems or show off something
> that is not part of my baggage. Indeed, for any system suggestion there is a 
> big truppen here,
> not certenly myself.

Not sure I understand your English here. But my question was posted on an 
OpenBSD mailing list, so solutions for other OSes are not really helpful.


> Jul 10, 2023 13:57:15 Daniele B. :
> 
>> Problem arising in reading you is at its origins, in plain italian "a 
>> monte".. ;)

I don’t speak Italian. So I don’t get your comment.

But if you are implying that maybe I should not be using OpenBSD because of a 
specific issue with php-fpm and the rc(8) mechanism, I don’t agree.


>> 
>> - PHP 8 is enough retrocompatible with any version you mention, and should 
>> take in a
>>  certain amount of benefits in performance gain and bug fixing;

So will you fix all of the (3rd party) code that may have issues for me? Theory 
and dogmatic concepts are fine. But there is also real life™. And there are 
other reasons for wanting to use older versions of PHP as well. For example 
compatibility testing.

That said, sure PHP 8.2 is great for new projects. And I am using it where it 
makes sense.


>> - PHP-FPM should be enough configurable and versatile to support huge amount 
>> of requests;

Not relevant to the issue. A PHP-FPM process can only handle one version of 
PHP. My issue is with maintaining multiple PHP-FPM versions as stated in the 
subject.


>> - multi webservers could be nice to have probably for some sorts of load 
>> balancing only,
>>  (having a reversed proxy is something often questionable);

Just because you can’t think of a reason to use multiple web servers, that does 
not mean others can’t have valid reasons. And I fail to see what would be 
gained by using a reverse proxy to somehow mitigate the imagined reasons for 
your premise. It only adds complexity and has its own issues. And this is 
completely irrelevant to my issue.


>> - multi webservers are surely a huge angle hole in your "resource room".

What is an »angle hole«? And what do you mean by »resource room«. I’m sorry, 
but your version of English is often littered with what seem to be phrases and 
literal translations from your native language that make no sense in English. 
So whatever you think multiple web servers surely are, it is not relevant to my 
issue (see subject of this email).


>> 
>> I do not know, are you maybe building your machine for testing purpose?

Yes I do have legitimate reasons for wanting to run multiple versions of PHP in 
parallel. Testing is one reason. Compatibility is another. Not that it matters 
for the issue at hand.

None of your comments address the issue I am having. On-topic comments to the 
list are generally welcome. But in this case I think Stuart has already 
provided the feedback I needed.


Mike

>> 
>> -- Daniele Bonini



Maintaining multiple PHP-FPM versions on the same host

2023-07-10 Thread Mike Fischer
Hi!

I’m trying to figure out the best way to maintain multiple php-fpm setups at 
the same time and ran into a somewhat annoying issue.

I’m not sure how many other users might have a similar situation? If this 
something too non-standard, let me know and I’ll shut up ;-)


Background
==========

The server supports multiple versions of PHP for websites using php-fpm. There 
are also multiple web servers running at the same time (on different IP/port 
combinations obviously). Specifically OpenBSD httpd and Apache httpd from ports.

OpenBSD httpd runs in its normal chroot(2) environment. Apache httpd does not 
use chroot(2). This requires corresponding setups for php-fpm as well. Using 
e.g. a non-chroot(2) php-fpm with OpenBSD httpd does not work.

Each php-fpm variant uses its own socket. So changing the PHP version for a web 
server (or even for just certain paths on that server) is as easy as pointing 
to the correct socket for the FastCGI mechanism of the web server.


Setup
=====

All available PHP Versions are supported and configured. I.e. 7.4, 8.0, 8.1 and 
8.2 for OpenBSD 7.3.

I have adjusted /etc/php-7.4.ini, /etc/php-8.0.ini, etc. as required.

I have created and modified /etc/php-fpm-7.4cr.conf, /etc/php-fpm-7.4ncr.conf, 
/etc/php-fpm-8.0cr.conf, /etc/php-fpm-8.0ncr.conf, etc. The default 
/etc/php-fpm.conf is not actively used.

I have copied the /etc/rc.d/phpXX_fpm files and modified them to:
- use the appropriate /etc/php-fpm.conf (/etc/php-fpm-7.4cr.conf, 
/etc/php-fpm-7.4ncr.conf, /etc/php-fpm-8.0cr.conf, /etc/php-fpm-8.0ncr.conf, 
etc.)
- use the appropriate /etc/php.ini (/etc/php-7.4.ini, /etc/php-8.0.ini, 
/etc/php-8.1.ini and /etc/php-8.2.ini)
- adjust the pexp to match the php-fpm.conf in addition to "php-fpm-7.4: master 
process", e.g. "php-fpm-7.4: master process .*/etc/php-fpm-7.4cr.conf.*", etc.

Thus I have:
/etc/rc.d/php74cr_fpm
/etc/rc.d/php74ncr_fpm
/etc/rc.d/php80cr_fpm
/etc/rc.d/php80ncr_fpm
/etc/rc.d/php81cr_fpm
/etc/rc.d/php81ncr_fpm
/etc/rc.d/php82cr_fpm
/etc/rc.d/php82ncr_fpm

And all of these have been enabled using `rcctl enable php74cr_fpm php74ncr_fpm 
php80cr_fpm php80ncr_fpm php81cr_fpm php81ncr_fpm php82cr_fpm php82ncr_fpm` and 
of course started using `rcctl start …`.

For example:
# cat /etc/rc.d/php82cr_fpm
#!/bin/ksh

daemon="/usr/local/sbin/php-fpm-8.2"
daemon_flags="-c /etc/php-8.2-cr.ini -y /etc/php-fpm-82cr.conf"

. /etc/rc.d/rc.subr

pexp="php-fpm-8.2: master process .*/etc/php-fpm-82cr.conf.*"
rc_reload=NO

rc_cmd $1
# 


(Note: I know this could be further reduced to just one master process for each 
version with a chroot(2) and a non-chroot(2) pool defined in the single 
php-fpm.conf for each PHP version. But that is irrelevant to the issue at hand.)


Issue
=

`rcctl ls started` lists php74_fpm, php80_fpm, php81_fpm and php82_fpm as 
started even though they are neither enabled nor started!

The reason this happens is the pexp which is too general. E.g. for php74_fpm it 
is pexp="php-fpm-7.4: master process .*"

Modifying this to e.g. pexp="php-fpm-7.4: master process .*/etc/php-fpm.conf.*" 
solves the problem.

BUT: /etc/rc.d/php74_fpm will be overwritten when the php-7.4 port is updated. 
(Same for the other versions of course.) So my change is lost and has to be 
reapplied. If I forget about this then at a later time I’ll become confused by 
the output of `rcctl ls started`.


Questions
=

1) Is there a better, update-proof way to solve this problem?

2) Would it make sense to include the more specific pexp in the PHP ports? (I 
don’t think doing so would hurt the default use case, but maybe I’m overlooking 
something?)


OpenBSD 7.3, amd64


Thanks!
Mike
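The `rcctl ls started` confusion described in this post comes down to how rc.subr(8) matches a daemon's pexp against process titles. The script below is an added example, not from the post or from the PHP ports: rc_check in rc.subr(8) uses pgrep(1) -xf, an anchored regex over the whole argument string, and this replays that check offline with grep -Ex over constructed process titles (PROCS, pexp_count, rc_check_sim and report are names chosen here), showing the stock pexp claiming the custom instances while the narrowed pexp does not.

```shell
#!/bin/sh
# Added example, not part of the original post: shows why a daemon's pexp
# must be specific when several instances of the same binary are running.
# rc_check in rc.subr(8) tests the pexp with pgrep(1) -xf, i.e. an ERE that
# must match the daemon's *entire* argument string. We simulate that offline
# with grep -Ex over constructed process titles, so no php-fpm is needed.

# Constructed process titles in the form php-fpm sets them
# ("<binary>: master process (<config file>)"). Sample data, not real ps(1)
# output. As in the post, the default /etc/php-fpm.conf instance is NOT running.
PROCS='php-fpm-7.4: master process (/etc/php-fpm-7.4cr.conf)
php-fpm-7.4: master process (/etc/php-fpm-7.4ncr.conf)
php-fpm-8.2: master process (/etc/php-fpm-82cr.conf)'

# pexp_matches PEXP: print every process title PEXP would claim.
pexp_matches() {
    printf '%s\n' "$PROCS" | grep -Ex -- "$1" || true
}

# pexp_count PEXP: how many processes PEXP claims (0 if none).
pexp_count() {
    pexp_matches "$1" | awk 'END { print NR }'
}

# rc_check_sim PEXP: like rc_check, succeed if PEXP claims at least one process.
rc_check_sim() {
    printf '%s\n' "$PROCS" | grep -Eqx -- "$1"
}

# The stock php74_fpm pexp shipped by the port, and the narrowed one from the post.
GENERAL_PEXP='php-fpm-7.4: master process .*'
SPECIFIC_PEXP='php-fpm-7.4: master process .*/etc/php-fpm.conf.*'

# report PEXP: show what `rcctl ls started` would conclude for this pexp.
report() {
    if rc_check_sim "$1"; then state=started; else state=stopped; fi
    printf '%-58s -> %s, claims %s process(es)\n' \
        "$1" "$state" "$(pexp_count "$1")"
}

report "$GENERAL_PEXP"    # started, 2 processes: the custom instances are miscounted
report "$SPECIFIC_PEXP"   # stopped, 0 processes: the default instance really is down
report 'php-fpm-7.4: master process .*/etc/php-fpm-7.4cr.conf.*'   # started, 1 process
report 'php-fpm-8.1: master process .*'   # stopped, 0 processes: no 8.1 in the sample
```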





Re: dhcpleased losing route

2023-05-11 Thread Mike Fischer
You are still getting a 5 minute lease. So that seems to be normal for your 
provider? (Maybe they only have a very limited pool of IPv4 addresses and want 
to be able to reuse them ASAP? Might explain why the initial DHCP:OFFER took so 
long as well.)

But you don’t show what happens when the lease is to be renewed in your dump. 
That is where you received the NAK on OpenBSD which caused your machine to 
temporarily lose the IP, the gateway and the name servers.

Does your provider offer IPv6? You may be better off using that.

> Am 11.05.2023 um 05:08 schrieb David Diggles :
> 
> Ok here's the Apple pcap for a working implementation.
> 
> tcpdump -r airport.dhcp.pcap  
>  
> tcpdump: WARNING: snaplen raised from 116 to 1500
> 12:26:04.010316 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x5fc12750 
> secs:28 vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS 
> MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0x10]
> 12:26:27.806275 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0xb4e0b61a 
> vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS MSZ:1500 
> CID:1.32.201.208.21.60.163 [tos 0x10]
> 12:26:33.010312 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0xb4e0b61a 
> secs:6 vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS 
> MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0x10]
> 12:26:44.010312 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0xb4e0b61a 
> secs:17 vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS 
> MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0x10]
> 12:26:49.707196 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x5886fe16 
> vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS MSZ:1500 
> CID:1.32.201.208.21.60.163 [tos 0x10]
> 12:26:55.010311 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x5886fe16 
> secs:6 vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS 
> MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0x10]
> 12:27:03.010312 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x5886fe16 
> secs:14 vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS 
> MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0x10]
> 12:27:12.010312 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x5886fe16 
> secs:23 vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS 
> MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0x10]
> 12:27:57.010496 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x34861165 
> vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS MSZ:1500 
> CID:1.32.201.208.21.60.163 [tos 0x10]
> 12:27:57.227277 202.63.66.1.bootps > 255.255.255.255.bootpc:  xid:0x34861165 
> flags:0x8000 Y:202.63.67.36 S:172.21.116.42 ether 20:c9:d0:15:3c:a3 
> vend-rfc1048 DHCP:OFFER SM:255.255.254.0 DG:202.63.66.1 
> NS:119.40.106.35,119.40.106.36 NTP:125.253.59.254 LT:600 SID:202.63.66.1 
> MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0xc0]
> 12:27:57.228177 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x34861165 
> vend-rfc1048 DHCP:REQUEST SID:202.63.66.1 LT:86400 RQ:202.63.67.36 HN:"x" 
> PR:SM+TZ+DG+DN+NS+HN+WNS MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0x10]
> 12:27:58.075046 202.63.66.1.bootps > 255.255.255.255.bootpc:  xid:0x34861165 
> flags:0x8000 Y:202.63.67.36 S:172.21.116.42 ether 20:c9:d0:15:3c:a3 
> vend-rfc1048 DHCP:ACK SM:255.255.254.0 DG:202.63.66.1 
> NS:119.40.106.35,119.40.106.36 NTP:125.253.59.254 LT:600 SID:202.63.66.1 
> MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0xc0]
> 
> On Thu, May 11, 2023 at 12:20:48AM +0200, Sebastian Benoit wrote:
>> I think that output does not help much because it does not show the DHCP
>> packet contents.
>> 
>> You could write the capture to a file with "-w filename" and then copy the
>> file to the OpenBSD box for printing with "-r filename". Or send the raw
>> pcap file.
>> 
>> /B.

-- 
Mike Fischer
fisc...@lavielle.com



Re: dhcpleased losing route

2023-05-10 Thread Mike Fischer
What does `# dhcpleasectl -l cnmac2` output on the machine you are using?

Mine (OpenBSD 7.3 amd64 vm on the LAN) looks like this (anonymised):
root@vm2:~# dhcpleasectl -l vio0
vio0 [Bound]
inet 192.168.x.220 netmask 255.255.255.0
default gateway 192.168.x.1
nameservers 192.168.x.1
lease 24 hours  <-- what is your lease time?
dhcp server 192.168.x.1
root@vm2:~# 

I suspect your lease time is much higher than 5 min. An ISP issuing leases as 
short as 5 min. would be highly unusual.

You could try running dhcpleased manually like this to see details about what 
is going on:
# dhcpleased -vv -d

(But you’d need to stop the processes started by rc(8) first. E.g.: `# rcctl 
stop dhcpleased`. Don’t forget to `# rcctl start dhcpleased` when you are done 
with the testing.)


Does the interface go down and up for some reason every 5 minutes? That might 
cause dhcpleased(8) to renew the lease.


HTH
Mike

> Am 10.05.2023 um 07:28 schrieb Otto Moerbeek :
> 
> On Wed, May 10, 2023 at 01:17:05PM +1000, David Diggles wrote:
> 
>> 
>> Just to update, I've added the following to dhclient.conf but
>> it's still renewing every 5 minutes (approximately) and the
>> default route is disappearing for a couple of seconds. :(
>> 
>> send dhcp-lease-time 86400;
> 
> dhcpleased does not use dhclient.conf, it uses dhcpleased.conf, which
> does not have a way to influence the lease time requested (if that is a
> thing).
> 
> -Otto
>> 
>> On Wed, May 10, 2023 at 01:00:00PM +1000, David Diggles wrote:
>>> My ISP provides connection via DHCP.
>>> 
>>> Every 5 minutes or so when dhcpleased is renewing the lease,
>>> my default route disappears for a few seconds.
>>> 
>>> Definitely I'll be looking at requesting a longer lease by
>>> putting a setting in /etc/dhclient.conf but is there any way
>>> I can stop the default route disappearing with each renew event?
>>> 
>>> The route didn't disappear when I tested with NetBSD and Linux.
>>> 
>>> This seems like I'm missing a setting in dhclient.conf to make
>>> the default route sticky? I can't see any obvious answers in
>>> the man page for dhclient.conf unfortunately.
>>> 
>>> (IP fudged log snippet below)
>>> 
>>> May 10 12:23:21 openbsd-gateway dhcpleased[77979]: deleting nameservers 
>>> x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
>>> May 10 12:23:21 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from 
>>> cnmac2 (lease from x.x.x.1)
>>> May 10 12:23:23 openbsd-gateway dhcpleased[77979]: adding x.x.x.30 to 
>>> cnmac2 (lease from x.x.x.1)
>>> May 10 12:23:23 openbsd-gateway dhcpleased[77979]: adding nameservers 
>>> x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
>>> May 10 12:28:23 openbsd-gateway dhcpleased[77979]: deleting nameservers 
>>> x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
>>> May 10 12:28:23 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from 
>>> cnmac2 (lease from x.x.x.1)
>>> May 10 12:28:25 openbsd-gateway dhcpleased[77979]: adding  x.x.x.30 to 
>>> cnmac2 (lease from x.x.x.1)
>>> May 10 12:28:25 openbsd-gateway dhcpleased[77979]: adding nameservers 
>>> x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
>>> May 10 12:33:26 openbsd-gateway dhcpleased[77979]: deleting nameservers 
>>> x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
>>> May 10 12:33:26 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from 
>>> cnmac2 (lease from x.x.x.1)
>>> May 10 12:33:28 openbsd-gateway dhcpleased[77979]: adding x.x.x.30 to 
>>> cnmac2 (lease from x.x.x.1)
>>> May 10 12:33:28 openbsd-gateway dhcpleased[77979]: adding nameservers 
>>> x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
>>> May 10 12:38:28 openbsd-gateway dhcpleased[77979]: deleting nameservers 
>>> x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
>>> May 10 12:38:28 openbsd-gateway dhcpleased[77979]: deleting  x.x.x.30 from 
>>> cnmac2 (lease from x.x.x.1)
>>> May 10 12:38:30 openbsd-gateway dhcpleased[77979]: adding  x.x.x.30 to 
>>> cnmac2 (lease from x.x.x.1)
>>> May 10 12:38:30 openbsd-gateway dhcpleased[77979]: adding nameservers 
>>> x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
>>> 
>> 

-- 
Mike Fischer
fisc...@lavielle.com



Re: pkg_info -Q confusion

2023-04-15 Thread Mike Fischer


> Am 15.04.2023 um 23:44 schrieb Antun Matanović :
> 
>> I'm generally interested in what is available for the exact machine I am 
>> running on.
> 
> You could use `pkg_info -a -Q` which searches all the repositories.
> From the pkg_info man page:
> -Q substring
> Show the names of all packages in the first repository of the
> package search path containing the substring in the stems of
> their package names.  A stem is a package name with all version
> and flavor suffixes removed; see pkg_add(1) for more details on
> stems.  If -a is also specified, show the names of all matching
> packages in all repositories instead.

So simple and so perfect! Thanks for that hint.

I’ll still keep pkglocate around for more complicated partial name searches but 
for most of my use cases pkg_info -aQ name is exactly what I need.

Mike



Re: pkg_info -Q confusion

2023-04-14 Thread Mike Fischer


> Am 14.04.2023 um 18:24 schrieb Allan Streib :
> 
> On Fri, Apr 14, 2023, at 05:50, Stuart Henderson wrote:
>> I never found pkg_info -Q to be a useful tool.
>> 
>> Try pkglocate instead ("pkg_add pkglocatedb" first) which allows
>> searching on an index that is built from : - as a
>> result it lets you do a substring match on package names, not just
>> on filenames.
> 
> Also, as mentioned in packages(7) man page, there is a site at
> https://openports.pl/ that can be used, though obviously that requires
> internet access so may not be appropriate for all cases. I tend to
> use it a lot, personally.

It does not seem to differentiate between different OpenBSD versions or 
architectures though?

I’m generally interested in what is available for the exact machine I am 
running on. But I guess at least knowing that there is a port for some version 
on some platform might be helpful — at least the inverse means I can stop 
looking now ;-)


But still thanks for reminding me of this site. I had forgotten about that.

Mike



Re: pkg_info -Q confusion

2023-04-14 Thread Mike Fischer
Inline…

> Am 14.04.2023 um 12:50 schrieb Stuart Henderson :
> 
> On 2023-04-14, Mike Fischer  wrote:
>> Usually when looking for a port to install I use `pkg_info -Q name` to 
>> search for the port.
>> 
>> Strangely this does not completely work for PHP on OpenBSD 7.3:
>> 
>> `pkg_info -Q php` does not list PHP 7.4.33 and related ports which are 
>> clearly available.
>> 
>> It seems that -Q only finds ports in packages-stable/, not packages/?
>> 
>> pkg_info(1) does not seem to mention this limitation (or I have missed it).
> 
> That's what is meant by "in the first repository of the package search
> path" but it's not very obvious.

Ah, I see. Indeed I didn’t realise that was meant by the statement.


> If PKG_PATH is not set and you're on a release version, the
> pkg_add-based tools (including pkg_info) construct one starting with
> the packages-stable directory, in order that -stable updates are
> preferred over release packages. This is (mostly) described in
> pkg_add(1).
> 
> You can search just the release packages with
> 
> PKG_PATH=http://cdn.openbsd.org/pub/OpenBSD/%v/packages/%a/ pkg_info -Q php

Ok, thanks. Not very comfortable but at least a possibility.


> 
>> Is this working as intended?
> 
> Yes though it's a little unfriendly.

Yep!


> 
>> Is there a better way to look for available packages?
> 
> I never found pkg_info -Q to be a useful tool.

Up to now I never had an issue. But I never noticed this limitation before. (I 
did notice the lack of being able to search for partial package names but I 
have gotten used to that.)


> Try pkglocate instead ("pkg_add pkglocatedb" first) which allows
> searching on an index that is built from : - as a
> result it lets you do a substring match on package names, not just
> on filenames.
> 
> For a package which includes many files you'll get a lot of output
> lines, so something like "pkglocate moo | cut -d: -f1 | uniq" maybe
> useful, or "pkglocate moo | grep ^moo".
> 
> And if you're looking for the package containing a particular
> binary, "pkglocate bin/moo" cuts out a lot of the useless stuff.

Very helpful!

Thanks Stuart!

Mike



pkg_info -Q confusion

2023-04-14 Thread Mike Fischer
Usually when looking for a port to install I use `pkg_info -Q name` to search 
for the port.

Strangely this does not completely work for PHP on OpenBSD 7.3:

`pkg_info -Q php` does not list PHP 7.4.33 and related ports which are clearly 
available.

It seems that -Q only finds ports in packages-stable/, not packages/?

pkg_info(1) does not seem to mention this limitation (or I have missed it).


Is this working as intended?

Is there a better way to look for available packages?


Thanks!
Mike



Re: acme-client fails to renew certificate

2023-04-12 Thread Mike Fischer
Well, as long as you always use the same challenge directory /var/www/acme/ then 
I would first simplify this by only defining one server block for all port 80 
access:

server "www.example.com" {
   listen on $www_v4 port 80
   listen on $www_v6_a port 80

   alias "example.com"

   block return 301 "https://$HTTP_HOST$REQUEST_URI"

   location "/.well-known/acme-challenge/*" {
      pass
      # /var/www/acme
      root "/acme"
      request strip 2
   }
}

You can do the same for the port 443 servers unless you want there to be some 
difference between https://www.example.com and https://example.com. Less typing 
and less places to make mistakes.

As you are getting 404 errors you were probably missing the pass in the 
challenge location.

Did you actually test the challenge?
Place a small text file into the challenge dir:
# echo 'Test' > /var/www/acme/test

Then use something like curl to see what happens when you try to access this 
file:
curl --head --url 'http://www.example.com/.well-known/acme-challenge/test'
and
curl --head --url 'http://example.com/.well-known/acme-challenge/test'


You may also need to specify the challenge dir in /etc/acme-client.conf but 
/var/www/acme seems to be the default so you are probably good:
domain www.example.com {
   alternative names { example.com }
   domain key "/etc/ssl/private/www.example.com.key.pem"
   domain full chain certificate "/etc/ssl/certs/www.example.com.chain.pem"
   sign with letsencrypt
   challengedir "/var/www/acme"
}


HTH
Mike

> Am 12.04.2023 um 15:36 schrieb rea...@catastrophe.net:
> 
> I started having some problems with cert renewal using acme-client after
> upgrading to 7.3 (not really sure 7.3 has anything to do with the following,
> however). I've verified that nothing has changed and that httpd is listening
> correctly, etc.
> 
> When I run acme-client and watch for any changes to 
> /var/www/htdocs/example.org/.well-known/acme-client I never see any files
> being written to that directory (which is likely leading to the 404). Is
> the client supposed to write a temporary file for remote validation?
> 
> Does anyone see any issues with the configurations that follow the output
> which may have any errors?
> 
> Thanks in advance.
> 
> 
> # acme-client -v www.example.com
> acme-client: /etc/ssl/certs/www.example.com.chain.pem: certificate renewable: 
> 29 days left
> acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
> acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
> acme-client: acme-v02.api.letsencrypt.org: DNS: 
> 2606:4700:60:0:f53d:5624:85c7:3a2c
> acme-client: dochngreq: 
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
> acme-client: challenge, token: 2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk, 
> uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg, 
> status: 0
> acme-client: /var/www/acme/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk: 
> created
> acme-client: dochngreq: 
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
> acme-client: challenge, token: 8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8, 
> uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw, 
> status: 0
> acme-client: /var/www/acme/8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8: 
> created
> acme-client: 
> https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg: 
> challenge
> acme-client: 
> https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw: 
> challenge
> acme-client: order.status 0
> acme-client: dochngreq: 
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
> acme-client: challenge, token: 2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk, 
> uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg, 
> status: -1
> acme-client: dochngreq: 
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
> acme-client: challenge, token: 8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8, 
> uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw, 
> status: -1
> acme-client: order.status -1
> acme-client: dochngreq: 
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
> acme-client: 2600:fee:bee::e:8:0: Invalid response from 
> https://www.example.com/.well-known/acme-challenge/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk:
>  404
> acme-client: dochngreq: 
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
> acme-client: 2600:fee:bee::e:8:0: Invalid response from 
> https://www.example.com/.well-known/acme-challenge/8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8:
>  404
> acme-client: bad exit: netproc(16493): 1
> 
> 
> ### The www directory exists for the acme-challenge exists:
> 
> # ls -ld /var/www/htdocs/example.com/.well-known/acme-challenge/
> drwxr-xr-x  2 username  staff  512 Apr 12 08:08 
> /var/www/htdocs/example.com/.well-known/acme-challenge/
> 
> 
> ### Relevant portions of my httpd.conf 
> 
> www_v4="x.y.10.10"
> 
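The manual test suggested in the reply above (drop a file into /var/www/acme, fetch it with curl) as an added example script, not from the post or from acme-client(1): it writes a throwaway token, fetches it over plain HTTP the way the CA's validator would, and maps the HTTP status to the httpd.conf symptoms discussed in the thread. It assumes httpd's chroot /var/www with root "/acme" (so the directory is /var/www/acme); CHALLENGE_DIR, classify_status and probe_challenge are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: probe whether an httpd(8) host
# serves acme-client(1)'s HTTP-01 challenge directory. Assumes httpd runs
# chrooted in /var/www with root "/acme", i.e. the directory is /var/www/acme.
# Run on the web server (it has to write the token there), e.g.:
#   sh probe.sh www.example.com example.com

CHALLENGE_DIR=${CHALLENGE_DIR:-/var/www/acme}

# classify_status CODE: translate the HTTP status curl reports into the
# httpd.conf symptom the thread discusses.
classify_status() {
    case "$1" in
        200)     echo "ok: challenge file served" ;;
        301|302) echo "redirected: 'block return 301' applied to the challenge path; the location needs 'pass'" ;;
        404)     echo "not found: challenge location lacks 'pass', or root/request strip do not point at /var/www/acme" ;;
        000|'')  echo "no answer: nothing listening on port 80 for this name, or DNS/pf problem" ;;
        *)       echo "unexpected HTTP status $1" ;;
    esac
}

# probe_challenge HOST: create a throwaway token file, fetch it over plain
# HTTP as the CA would, report the result and remove the file again.
# Returns 0 only when the token was served with HTTP 200.
probe_challenge() {
    host=$1
    token="probe-$$"
    printf 'Test\n' > "$CHALLENGE_DIR/$token" || return 2
    status=$(curl -s -o /dev/null -w '%{http_code}' \
        --url "http://$host/.well-known/acme-challenge/$token")
    rm -f "$CHALLENGE_DIR/$token"
    echo "$host: $(classify_status "$status")"
    [ "$status" = 200 ]
}

# Probe every host name given on the command line; the CA checks each
# name in the certificate (www.example.com and the alias example.com).
rc=0
for host in "$@"; do
    probe_challenge "$host" || rc=1
done
```

A non-zero `rc` after the loop means at least one name did not serve the token; fix that server block before running acme-client again.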

Re: how tail waits for file to appear again?

2023-02-17 Thread Mike Fischer


> Am 17.02.2023 um 06:23 schrieb Maksim Rodin :
> 
> Hello,
> Sorry if I chose the wrong place to ask such a question.
> I have been learning C for a couple of months and along with reading
> "C Primer Plus" by Stephen Prata and doing some exercises from it I took
> a hard (for me) task to replicate a tail program in its simplest form.
> I was able to reproduce watching for new data and truncation of the
> file using kqueue but I do not quite understand how the original tail
> watches when the file appears again after deletion or renaming.
> By reading the original tail sources downloaded from OpenBSD mirror I
> see that this is done by calling tfreopen function which seems to use a
> "for" loop to (continuously?) stat(2) the file name till stat(2) successfully
> returns and it does not seem to load a CPU as a simple continuous "for"
> loop would do.

No, the for loop in line 362 of forward.c 
(https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/tail/forward.c?annotate=1.33) 
iterates over the files. Note that tail allows you to monitor more than one 
file at a time, see tail(1).


> Can someone explain how it is done?

tfreopen is called in line 224 of the same file inside a while(1) loop. At the 
top of this loop kevent is called (L191). See kevent(2) for details on how that 
works. That is the real _magic_ here ;-)

tfqueue sets up the event mechanism for a single file so you may want to look 
at that as well.


> May be there is a better way to watch for the file to appear correctly?

The way tail(1) does this seems pretty optimal to me.


> Is inserting a sleep(3) in a loop an appropriate way?

You could do this, but it’s less optimal than using kqueue/kevent because 
sleep(3) will wait longer than necessary in some cases and wake up sooner than 
required in others. It is basically a way to do polling which is always worse 
than event driven code.


> 
> Below is the function how it is done in tail:

It would have been better to cite the file name and line numbers, very easy 
with https://cvsweb.openbsd.org as I did above. There is also a mirror of the 
repo on Github, which also makes this sort of thing very easy: 
https://github.com/openbsd. E.g.: 
https://github.com/openbsd/src/blob/master/usr.bin/tail/forward.c#L224

The links to the repositories are right on the https://www.openbsd.org home 
page, so not hard to find at all.


HTH
Mike

PS. Note that I am not an expert on kqueue/kevent programming. So followups for 
details on these functions would probably need to be answered by someone else.



After upgrade to 7.2 snmpd fails

2023-01-21 Thread Mike Fischer
I have just upgraded a VM from OpenBSD 7.1 to 7.2.

Looks good so far except for snmpd which suddenly fails shortly after starting 
up:
From /var/log/daemon:
Jan 21 22:59:56 wo snmpd[86168]: legacy backend: Registering 
1.3.6.1.6.3.15.1.1.6.0(instance) context() priority(1) timeout(1.50s)
Jan 21 22:59:56 wo snmpd[86168]: snmpe 
800075cb818a66d65d090777dbde2ea8611db68b0dd4cb21735926a9cf61f331: ready
Jan 21 22:59:56 wo snmpd[86168]: AgentX(2456705172): Connection reset by peer
Jan 21 22:59:56 wo snmpd[86168]: snmpe: AgentX(2456705172): disappeared 
unexpected


Note: On another similar machine this problem did not happen.

Any idea what is happening or how to fix this?


Some more details:

My /etc/snmpd.conf is very simple and unchanged from the working 7.1 setup 
(private data redacted):
#
#   Macros:
#

# For now only allow access from this host:
ext_addr="xx.xx.xx.xx"


#
#   Global Configuration:
#

listen on $ext_addr

# Only allow read access and use a non-standard community string
read-only community "redacted"
#read-write disabled

# Define some information about this host:
#system contact ""
system description "redacted web server"
system location "VM @ redacted"
system name "WO"

# Use SNMPv3 with authentication and encryption:
seclevel enc


#
#   User Configuration
#

user "redacted1" authkey "redacted" auth hmac-sha384 enckey "redacted" enc aes
user "redacted2" authkey "redacted" auth hmac-sha1 enckey "redacted" enc aes


#
#   EOF.
#


After sysupgrade I followed https://www.openbsd.org/faq/upgrade72.html and did 
a final reboot afterwards.

dmesg:
OpenBSD 7.2 (GENERIC.MP) #6: Sat Jan 21 01:03:04 MST 2023


Re: After upgrade to 7.2 snmpd fails

2023-01-21 Thread Mike Fischer
Nevermind!

# userdel _rtadvd
# groupdel _rtadvd
# groupadd -g 92 _agentx

Solved the problem. Apparently I failed to follow the instructions in 
https://www.openbsd.org/faq/upgrade64.html when I did that upgrade ;-)


Sorry for the noise!

Mike

> Am 21.01.2023 um 23:59 schrieb Mike Fischer :
> 
> Ok, I think I have figured out the root cause:
> 
> Group _agentx (gid 92) does not exist!
> 
> Instead I have:
> # cat /etc/passwd|grep _rtadvd
> _rtadvd:*:92:92:IPv6 Router Advertisement Daemon:/var/empty:/sbin/nologin
> # cat /etc/group|grep _rtadvd  
> _rtadvd:*:92:
> # 
> 
> Any idea which port installs this?
> 
> I don’t recall installing any IPv6 routing related ports but possibly some 
> dependency might have pulled something in? I don’t see anything obvious in 
> the list of installed ports:
> # pkg_info -a

Re: After upgrade to 7.2 snmpd fails

2023-01-21 Thread Mike Fischer
age-DeprecationManager-0.17p0 manage deprecation warnings for your 
distribution
p5-Package-Stash-0.39 routines for manipulating stashes
p5-Package-Stash-XS-0.29p0 faster and more correct implementation of 
Package::Stash
p5-Params-Util-1.102 utility to make parameter checking easier
p5-Params-Validate-1.30 validate method/function parameters
p5-Params-ValidationCompiler-0.30p0 build an optimized subroutine parameter 
validator
p5-PlRPC-0.2020p0   module for writing rpc servers and clients
p5-Ref-Util-0.204p0 utility functions for checking references
p5-Ref-Util-XS-0.117p0 utility functions for checking references (XS version)
p5-Role-Tiny-2.002004 minimalist role composition tool
p5-SQL-Statement-1.414 SQL parsing and processing engine
p5-Socket6-0.29p0   Perl defines relating to AF_INET6 sockets
p5-Sort-Naturally-1.03p0 sort lexically, but sort numeral parts numerically
p5-Specio-0.47  type constraints and coercions for Perl
p5-Sub-Exporter-0.988 sophisticated exporter for custom-built routines
p5-Sub-Exporter-Progressive-0.001013p0 only use Sub::Exporter if you need it  
p5-Sub-Identify-0.14p0 retrieve names of code references
p5-Sub-Install-0.928p0 helper for installing code into packages
p5-Sub-Name-0.26p0  (re)name a sub
p5-Sub-Quote-2.006006p0 efficient generation of subroutines via string eval
p5-Throwable-1.000  role for classes that can be thrown
p5-Time-TimeDate-2.33 library for parsing and formatting dates and times
p5-Try-Tiny-0.31minimal try/catch with proper preservation of $@
p5-URI-5.12 library to parse Uniform Resource Identifiers
p5-Variable-Magic-0.62p0 associate user-defined magic to variables from Perl
p5-WWW-RobotRules-6.02p0 database of robots.txt-derived permissions
p5-libwww-6.64  library for WWW access in Perl
p5-namespace-autoclean-0.29p0 keep imports out of your namespace
p5-namespace-clean-0.27p0 keep imports and functions out of your namespace
p5-strictures-2.06 turn on strict and make most warnings fatal
pcre-8.44   perl-compatible regular expression library
pcre2-10.37 perl-compatible regular expression library, version 2
pear-1.10.19p2  base classes for common PHP tasks
pear-utils-1.10.19p2 utilities for managing pear extensions
pfstat-2.5p5packet filter statistics visualization
pftop-0.7p19curses-based real time state and rule display for pf
php-7.4.33  server-side HTML-embedded scripting language
php-8.0.27  server-side HTML-embedded scripting language
php-apache-7.4.33   php module for Apache httpd
php-curl-7.4.33 curl URL library extensions for php
php-curl-8.0.27 curl URL library extensions for php
php-gd-7.4.33   image manipulation extensions for php
php-gd-8.0.27   image manipulation extensions for php
php-mysqli-7.4.33   mysql database access extensions for php
php-mysqli-8.0.27   mysql database access extensions for php
php-snmp-7.4.33 snmp protocol extensions for php
php-snmp-8.0.27 snmp protocol extensions for php
php-zip-7.4.33  zip functions for php
php-zip-8.0.27  zip functions for php
phpMyAdmin-5.2.0tool to handle the administration of MySQL over the web
pinentry-1.2.1  PIN or passphrase entry dialog (ncurses interface)
png-1.6.37p0library for manipulating PNG images
postfix-3.8.20220816p0 fast, secure sendmail replacement
python-3.9.16   interpreted object-oriented programming language
quirks-6.42 exceptions to pkg_add rules and cache
re2c-3.0C-based regular expression scanner generator
rsync-3.2.5pl0  mirroring/synchronization over low bandwidth links
screen-4.9.0multi-screen window manager
snappy-1.1.9fast compression/decompression library
sqlite3-3.39.3  embedded SQL implementation
sshguard-2.4.2  protect against brute force attacks on sshd and others
symon-2.88p6active host monitoring tool
tiff-4.4.0p2tools and library routines for working with TIFF images
unzip-6.0p16extract, list & test files in a ZIP archive
vnstat-2.6v0network traffic monitor
vnstati-2.6v0   image output support for vnstat
wget-1.21.3 retrieve files from the web via HTTP, HTTPS and FTP
wp-cli-2.6.0p0  command line tool for wordpress
xz-5.2.5p2  LZMA compression and decompression tools
zip-3.0p1   create/update ZIP files compatible with PKZip(tm)
zstd-1.5.2  zstandard fast real-time compression algorithm
# 


Thanks!

Mike

> Am 21.01.2023 um 23:21 schrieb Mike Fischer :
> 
> I have just upgraded a VM from OpenBSD 7.1 to 7.2.
> 
> Looks good so far except for snmpd which suddenly fails shortly after 
> starting up:
> From /var/log/daemon:
> Jan 21 22:59:56 wo snmpd[86168]: legacy backend: Registering 
> 1.3.6.1.6.3.15.1.1.6.0(instance) context() priority(1) timeout(1.50s)
> Jan 21 22:59:56 wo snmpd[86168]: snmpe 
> 800075cb818a66d65d090777dbde2ea8611db68b0dd4cb21735926a9cf61f331: ready
> Jan 21 22:59:56 wo snmpd[8

Re: Documentation of wsconsctl keyboard.map format?

2022-11-29 Thread Mike Fischer


> Am 27.11.2022 um 19:48 schrieb Vlad Meșco :
> 
> On Fri, Nov 25, 2022 at 03:32:20AM +0100, Mike Fischer wrote:
>> 
>>> Am 24.11.2022 um 15:07 schrieb u...@disroot.org:
>>> 
>>> Hello!
>>> 
>>> I would like to find some supporting documentation too, if anything is 
>>> available, but for certain other reasons 
>>> (https://github.com/letoram/arcan/issues/263). Basically, this "desktop 
>>> engine" has problems with figuring out my keyboard layouts, and I want to 
>>> figure out why. This might've been more appropriate to post in ports@ but 
>>> this thread caught my eye, so I'm here. It would be nice to be able to 
>>> determine what keycodes correspond to what symbols in console, to figure 
>>> out what goes wrong in the process of how Arcan determines my keyboard 
>>> layout. Any help appreciated!
>> 
>> I’m not sure this will help with your issue but here is what I have been 
>> able to figure out so far:
>> 
>> 
>> One thing that helped me a bit (though I have not solved this issue yet) was 
>> the definition of the keycodes in the USB HID standards. I found this link 
>> where presumably the codes sent by USB keyboards are defined:
>> https://gist.github.com/MightyPork/6da26e382a7ad91b5496ee55fdc73db2
>> Or see https://www.usb.org/sites/default/files/documents/hut1_12v2.pdf table 
>> 12 on page 53 for something more official.
>> You will still need to figure out which keycodes a specific keyboard will 
>> send for certain keys, as there is some ambiguity with regard to the 
>> labeling of keys, especially for non-us localizations. For example some of 
>> the Apple keyboards have a  modifier key. I don’t see that mentioned in 
>> the USB spec. Maybe the keyboard handles this internally but that is simply 
>> guessing at the moment.
>> 
>> The usable entity names are somewhat defined (you need to chop off the 
>> prefix of the names) in source code:
>> /src/sys/dev/wscons/wsksymdef.h
>> Additionally Vlad Meșco mentioned that arbitrary Unicode values can be 
>> specified using e.g. unknown_50082 (for U+C3A2?) instead of a known entity. 
>> I have not tested this yet.
>> 
>> The actual predefined keyboard maps are compiled into OpenBSD drivers:
>> /src/sys/dev/pckbc/wskbdmap_mfii.c
>> /src/sys/dev/usb/ukbdmap.c (which seems to be derived from wskbdmap_mfii.c)
>> 
>> 
>> Note: All of the OpenBSD source files can be found at: 
>> https://cvsweb.openbsd.org
>> 
>> 
>> That doesn’t explain the syntax of keyboard.map though.
>> 
>> And I have analyzed the de keyboard.encoding somewhat and found it to be 
>> quite different from the way macOS treats German Apple USB keyboards.
>> 
>> ...
>> 
>> But apparently the 4 columns in the keycode entries are:   
>>  
>> Note: On non-Apple keyboards  may be labeled as . Apple 
>> labels both  and  as  and does not generally 
>> differentiate between the two.
>> 
>> Adding the very obscure:
>> wsconsctl keyboard.map+="keycode 226 = Cmd2 Mode_switch Multi_key"
>> (modified from the example Vlad Meșco mentioned to match the  
>> keycode from the USB spec) finally yielded the expected result:
>> <7>: 7 (expected, ok)
>> <7>: / (expected, ok)
>> <7>: | (expected, ok)
>> <7>: \ (expected, ok)
>> <7>: | (expected, ok)
>> <7>: \ (expected, ok)
>> 
>> I can use this but I don’t understand how it works. :-(
>> 
>> ...
>> 
>> More enlightened but still puzzled…
>> Mike
>> 


Hi Vlad,

thanks and sorry for the late reply. I was dealing with other things and 
getting the Apple keyboard working like I expect is more of a hobby project…


> Hey Mike,
> 
> You can look at /usr/src/sbin/wsconsctl/map.parse.y

Good idea! I’ll take a look.

One thing I did notice was that the keysym examples I saw in the (sparse) 
documentation did not work. For example:
# wsconsctl keyboard.map+="keysym Alt_L = Alt_R"
wsconsctl: keysym Alt_L not found
# 
Actually none of the keyboard.map versions I have seen so far use keysym.


> As mentioned earlier, the keysyms and commands and groups are listed in
> /usr/src/sys/dev/wscons/wsksymdef.h . Around line 485 you get into
> modifiers, function keys, and command keys.

I saw that. Most of the modifier keys are self-explanatory. However I have no 
idea what
#define KS_Multi_key0xf109
#define KS_Mode_switch  0xf10a
mean? And they are used in the keyboard maps for the definitions of the Alt 
keys:
keycode 230 = Cmd2 Mode_switch Multi

Re: Documentation of wsconsctl keyboard.map format?

2022-11-24 Thread Mike Fischer


> Am 24.11.2022 um 15:07 schrieb u...@disroot.org:
> 
> Hello!
> 
> I would like to find some supporting documentation too, if anything is 
> available, but for certain other reasons 
> (https://github.com/letoram/arcan/issues/263). Basically, this "desktop 
> engine" has problems with figuring out my keyboard layouts, and I want to 
> figure out why. This might've been more appropriate to post in ports@ but 
> this thread caught my eye, so I'm here. It would be nice to be able to 
> determine what keycodes correspond to what symbols in console, to figure out 
> what goes wrong in the process of how Arcan determines my keyboard layout. 
> Any help appreciated!

I’m not sure this will help with your issue but here is what I have been able 
to figure out so far:


One thing that helped me a bit (though I have not solved this issue yet) was 
the definition of the keycodes in the USB HID standards. I found this link 
where presumably the codes sent by USB keyboards are defined:
https://gist.github.com/MightyPork/6da26e382a7ad91b5496ee55fdc73db2
Or see https://www.usb.org/sites/default/files/documents/hut1_12v2.pdf table 12 
on page 53 for something more official.
You will still need to figure out which keycodes a specific keyboard will send 
for certain keys, as there is some ambiguity with regard to the labeling of 
keys, especially for non-us localizations. For example some of the Apple 
keyboards have a  modifier key. I don’t see that mentioned in the USB spec. 
Maybe the keyboard handles this internally but that is simply guessing at the 
moment.

The usable entity names are somewhat defined (you need to chop off the prefix 
of the names) in source code:
/src/sys/dev/wscons/wsksymdef.h
Additionally Vlad Meșco mentioned that arbitrary Unicode values can be 
specified using e.g. unknown_50082 (for U+C3A2?) instead of a known entity. I 
have not tested this yet.

The actual predefined keyboard maps are compiled into OpenBSD drivers:
/src/sys/dev/pckbc/wskbdmap_mfii.c
/src/sys/dev/usb/ukbdmap.c (which seems to be derived from wskbdmap_mfii.c)


Note: All of the OpenBSD source files can be found at: 
https://cvsweb.openbsd.org


That doesn’t explain the syntax of keyboard.map though.

And I have analyzed the de keyboard.encoding somewhat and found it to be quite 
different from the way macOS treats German Apple USB keyboards.

As a small experiment I tried to redefine the 7 key:
wsconsctl keyboard.encoding=de
wsconsctl keyboard.map+="keycode 36 = 7 slash bar backslash"

Note 1: The default definition for de is "keycode 36 = 7 slash braceleft 
braceleft"
However the actual mapping seems to be:
<7>: 7 (expected, ok)
<7>: / (expected, ok)
<7>: · (a small middle dot, and deleting with backspace doesn’t work)
<7>: ¯ (some weird glyph with just a short horizontal line at 
the top, and deleting with backspace doesn’t work)
<7>: { (expected, ok)
<7>: { (expected, ok)

Note 2: On macOS the actual mappings are:
<7>: 7
<7>: / (slash)
<7>: | (bar)
<7>: \ (backslash)
And it does not matter whether  or  is used for .

But this does not yield all of the expected results:
<7>: 7 (expected, ok)
<7>: / (expected, ok)
<7>: · (a small middle dot, and deleting with backspace doesn’t work)
<7>: ¯ (some weird glyph with just a short horizontal line at 
the top, and deleting with backspace doesn’t work)
<7>: | (expected, ok)
<7>: \ (expected, ok)
The  key still does weird things.

But apparently the 4 columns in the keycode entries are:   
 
Note: On non-Apple keyboards  may be labeled as . Apple 
labels both  and  as  and does not generally 
differentiate between the two.

Adding the very obscure:
wsconsctl keyboard.map+="keycode 226 = Cmd2 Mode_switch Multi_key"
(modified from the example Vlad Meșco mentioned to match the  keycode 
from the USB spec) finally yielded the expected result:
<7>: 7 (expected, ok)
<7>: / (expected, ok)
<7>: | (expected, ok)
<7>: \ (expected, ok)
<7>: | (expected, ok)
<7>: \ (expected, ok)

I can use this but I don’t understand how it works. :-(

Putting this into /etc/wsconsctl.conf gives me a persistent modification that 
is one step closer to my goal:
# cat /etc/wsconsctl.conf
# Start out with a German keyboard layout:
keyboard.encoding=de
# Make the  modifier key behave the same as the  key:
keyboard.map+="keycode 226 = Cmd2 Mode_switch Multi_key"
# Redefine the <7> key to match macOS:
keyboard.map+="keycode 36 = 7 slash bar backslash"
# 

More enlightened but still puzzled…
Mike
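
A parser for the keyboard.map line shapes used in this thread, added here as an example (it is not code from the thread or from OpenBSD's wsconsctl). It reads the `keycode N = ...` and `keysym A = B` forms, applies the `keyboard.map+=` lines of a wsconsctl.conf as per-keycode overrides on a base map, and looks up a keysym by column. The column names plain/shift/mode_switch/shift+mode_switch, the treatment of a plain `keyboard.map=` as a full reset, and the sample base map and conf text are assumptions and constructed data, not taken from the wsconsctl source.

```python
import re

# Line shapes seen in the thread; anything else is rejected.
KEYCODE_RE = re.compile(r"^keycode\s+(\d+)\s*=\s*(.+)$")
KEYSYM_RE = re.compile(r"^keysym\s+(\S+)\s*=\s*(\S+)$")
# wsconsctl.conf lines: keyboard.map="..." replaces, keyboard.map+="..." appends.
CONF_MAP_RE = re.compile(r'^keyboard\.map(\+?)=\s*"([^"]*)"')

# Assumed column meanings, inferred from examples in the thread such as
# "keycode 26 = abreve Abreve bracketleft braceleft"; not documented on the page.
COLUMNS = ("plain", "shift", "mode_switch", "shift+mode_switch")

# Constructed base map: the two de-layout entries quoted in the thread.
BASE_DE_MAP = """\
keycode 4 = a A
keycode 36 = 7 slash braceleft braceleft
"""

# Constructed conf, modelled on the /etc/wsconsctl.conf in the post above.
SAMPLE_CONF = """\
# Start out with a German keyboard layout:
keyboard.encoding=de
# Make the second Alt key act as Mode_switch too (see the post above):
keyboard.map+="keycode 226 = Cmd2 Mode_switch Multi_key"
# Redefine the 7 key to match macOS:
keyboard.map+="keycode 36 = 7 slash bar backslash"
"""


def parse_map(text, base=None):
    """Parse keyboard.map lines on top of an optional base map.

    Returns ({keycode: [keysym, ...]}, [(keysym_from, keysym_to), ...]).
    A later 'keycode N = ...' replaces an earlier definition of N, which is
    the override behaviour the experiments in the thread rely on.
    """
    keycodes = dict(base or {})
    aliases = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = KEYCODE_RE.match(line)
        if m:
            syms = m.group(2).split()
            if not 1 <= len(syms) <= len(COLUMNS):
                raise ValueError(f"line {lineno}: expected 1-{len(COLUMNS)} keysyms")
            keycodes[int(m.group(1))] = syms
            continue
        m = KEYSYM_RE.match(line)
        if m:
            aliases.append((m.group(1), m.group(2)))
            continue
        raise ValueError(f"line {lineno}: unrecognised keyboard.map line {raw!r}")
    return keycodes, aliases


def apply_wsconsctl_conf(conf_text, base):
    """Apply the keyboard.map entries of a wsconsctl.conf to a base map.

    Other settings (keyboard.encoding=, mouse.*) are ignored here; a plain
    keyboard.map= is treated as replacing the whole map (assumption).
    """
    keycodes = dict(base)
    aliases = []
    for raw in conf_text.splitlines():
        m = CONF_MAP_RE.match(raw.strip())
        if not m:
            continue
        if m.group(1) != "+":
            keycodes, aliases = {}, []
        keycodes, more = parse_map(m.group(2), base=keycodes)
        aliases.extend(more)
    return keycodes, aliases


def lookup(keycodes, keycode, column="plain"):
    """Return the keysym in the named column, or None if that column is absent."""
    syms = keycodes.get(keycode)
    if syms is None:
        return None
    idx = COLUMNS.index(column)
    return syms[idx] if idx < len(syms) else None


if __name__ == "__main__":
    base, _ = parse_map(BASE_DE_MAP)
    final, _ = apply_wsconsctl_conf(SAMPLE_CONF, base)
    for kc in sorted(final):
        print(f"keycode {kc:3d} = {' '.join(final[kc])}")
```

Running it prints the merged map, with keycode 36 now reading `7 slash bar backslash` and keycode 226 added, which is the effective state the conf above produces on top of the de defaults quoted in the thread.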



Re: Documentation of wsconsctl keyboard.map format?

2022-11-23 Thread Mike Fischer


> Am 23.11.2022 um 11:43 schrieb Vlad Meșco :
> 
> On Wed, Nov 23, 2022 at 06:57:17AM +, Jason McIntyre wrote:
>> On Wed, Nov 23, 2022 at 12:21:26AM +0100, Mike Fischer wrote:
>>> Hi!
>>> 
>>> I’m trying to use a German Apple Mac keyboard with OpenBSD 7.2 and I’d 
>>> like to match the mapping to that of macOS.
>>> 
>>> `wsconsctl keyboard.encoding=de` helps, but several mappings are 
>>> different/missing. For example the pipe character | should be alt-7 but 
>>> isn’t. Mostly the alt-combinations are missing or wrong.
>>> 
>>> So I thought I could use keyboard.map settings to correct this. But I 
>>> can’t find any documentation of the format — very unusual for OpenBSD.
>>> 
>>> Did I miss something?
>>> 
>>> Can someone point me to the documentation please?
>>> 
>>> Thanks!
>>> 
>>> Mike
>>> 
>> 
>> hi.
>> 
>> maybe you are looking for wsksymdef.h:
>> 
>>WSCONSCTL(8)   System Manager's Manual WSCONSCTL(8)
>> 
>>  ...
>> 
>>   Modify the current keyboard encoding so that, when the Caps
>>   Lock key is pressed, the same encoding sequence as Left
>>   Control is sent.  For a full list of keysyms, and keycodes,
>>   refer to the /usr/include/dev/wscons/wsksymdef.h file.
>> 
>> # wsconsctl keyboard.map+="keysym Caps_Lock =
>> Control_L"
>> 
>> jmc
>> 
> 
> Hey,
> 
> If it helps, here's my wsconsctl.conf to add some Romanian keyboard
> bindings in the console for keys which are behind AltGr. Note, I've
> intentionally made some Romanian specific unicode characters output
> a literal `?' since they're not very usable in wscons.
> 
> You can either use symbolic names (from wsksymdef.h) or use stuff like
> `unknown_51355' to give it a U+code point in decimal form. For German,
> you probably have everything you need in wsksymdef.h. Note, the format
> is also very similar to xkb; originally I thought they were the same
> (they aren't 100% the same).
> 
> 
>keyboard.encoding=us
>keyboard.map+="keysym Caps_Lock = Control_L"
>mouse.tp.tapping=3
>mouse.reverse_scrolling=1
>keyboard.map+="keysym Caps_Lock = Control_L"

Duplicate?

>keyboard.map+="keycode 184 = Cmd2 Mode_switch Multi_key"

I don’t think I understand what this actually does?

First of all none of my keyboard.map's have a keycode 184. I tried 
keyboard.encoding=us, keyboard.encoding=de, keyboard.encoding=fr, 
keyboard.encoding=fr.apple.

Second, if the columns normally represent levels (or layers), how does that 
work here? Plain 184 is Cmd2; 184 + some modifier is Mode_switch; and 184 + 
some other modifier is Multi_key (whatever that is supposed to mean)?


># use ? for unicode that causes mojibake
>keyboard.map+="keycode 26 = question question bracketleft braceleft"
>keyboard.map+="keycode 27 = question question bracketright braceright"
>keyboard.map+="keycode 39 = question question semicolon colon"
>keyboard.map+="keycode 40 = question question apostrophe quotedbl"
>keyboard.map+="keycode 41 = question question grave asciitilde" # 3byte 
> UTF-8, don't bother
>keyboard.map+="keycode 43 = question question backslash bar"
>keyboard.map+="keycode 51 = comma semicolon less question"
>keyboard.map+="keycode 52 = period colon greater question"
> 
> A more proper example for e.g. keycode 26:
> 
>keyboard.map+="keycode 26 = abreve Abreve bracketleft braceleft"
> 
> Or for keys that don't have a symbolic name:
> 
>keyboard.map+="keycode 43 = unknown_50082 unknown_50050 backslash bar"
> 
> I started from US which is 90% there, and the first thing is to add
> right Alt as `Mode_switch', otherwise it's just (left) Alt (which I
> think just sets the MSB, IDK; you want AltGr/Mode_switch if you want to
> map specific characters).
> 
> Which keycode is what? I don't know. I dumped the hu layout as a
> reference with `doas wsconsctl keyboard.map > hu.map' and looked at what
> was done for that crazy layout, and started from there.
> 
> Cheers,
> Vlad

Thanks, that helps somewhat. It still is strange to have to resort to 
experiments to figure things out instead of having them documented on OpenBSD.

By xkb do you mean xkeyboard-config(7)? I have looked at the man page but I 
honestly can’t see much similarity to the keyboard.map syntax. I also looked at 
setxkbmap(1) and xkbcomp(1) but they were no help either. I don’t normally use 
X for anything so I am not very familiar with all of the associated settings.

https://www.x.org/wiki/XKB/ did seem to explain some relevant concepts though. 
For example the concept of levels which probably translates to the columns used 
in the keycode statements? But where are the definitions of which modifier (or 
combination thereof) selects which column?


I gather the built-in maps for e.g. us, de, fr.apple, etc. are actually 
compiled into some code, not config files somewhere on disk?


Thanks!
Mike



Re: Documentation of wsconsctl keyboard.map format?

2022-11-23 Thread Mike Fischer


> Am 23.11.2022 um 07:57 schrieb Jason McIntyre :
> 
> On Wed, Nov 23, 2022 at 12:21:26AM +0100, Mike Fischer wrote:
>> Hi!
>> 
>> I’m trying to use a German Apple Mac keyboard with OpenBSD 7.2 and I’d 
>> like to match the mapping to that of macOS.
>> 
>> `wsconsctl keyboard.encoding=de` helps, but several mappings are 
>> different/missing. For example the pipe character | should be alt-7 but 
>> isn’t. Mostly the alt-combinations are missing or wrong.
>> 
>> So I thought I could use keyboard.map settings to correct this. But I 
>> can’t find any documentation of the format — very unusual for OpenBSD.
>> 
>> Did I miss something?
>> 
>> Can someone point me to the documentation please?
>> 
>> Thanks!
>> 
>> Mike
>> 
> 
> hi.
> 
> maybe you are looking for wsksymdef.h:
> 
>WSCONSCTL(8)System Manager's Manual WSCONSCTL(8)
> 
>   ...
> 
>Modify the current keyboard encoding so that, when the Caps
>Lock key is pressed, the same encoding sequence as Left
>Control is sent.  For a full list of keysyms, and keycodes,
>refer to the /usr/include/dev/wscons/wsksymdef.h file.
> 
>  # wsconsctl keyboard.map+="keysym Caps_Lock =
>  Control_L"
> 
> jmc

Yes, I did look at the source but wasn’t sure about the implications. I gather 
that removing the KS_ or K*_L*_ prefix from the defines yields the entities I 
can use for wsconsctl. Ok, that helps somewhat.


I’m still confused about the 2-4 columns in the keycode = <1> <2> <3> <4> 
syntax. No documentation insight for that, AFAICT. The first 2 seem to be 
 . But what are the last two columns?

`wsconsctl keyboard.map` does not seem to show all keycodes. For the de 
layout the first entry is 'keycode 4 = a A'. What about keycode 1-3 (or 0-3 
depending on where the values start)? Maybe that is normal because keyboards 
don’t actually use all keycodes? Who knows?

And some Apple keyboards also have an  key which acts as a modifier. I 
don’t see that mentioned anywhere. Or is that the KS_Mode_switch?


Thanks for your help!
Mike



Documentation of wsconsctl keyboard.map format?

2022-11-22 Thread Mike Fischer
Hi!

I’m trying to use a German Apple Mac keyboard with OpenBSD 7.2 and I’d like to 
match the mapping to that of macOS.

`wsconsctl keyboard.encoding=de` helps, but several mappings are 
different/missing. For example the pipe character | should be alt-7 but isn’t. 
Mostly the alt-combinations are missing or wrong.

So I thought I could use keyboard.map settings to correct this. But I can’t 
find any documentation of the format — very unusual for OpenBSD.

Did I miss something?

Can someone point me to the documentation please?

Thanks!

Mike



Re: 7.2 and iwm/amdgpu Firmware?

2022-11-11 Thread Mike Fischer
 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (ce453c5ec57e555c.a) swap on sd0b dump on sd0b
iwm0: hw rev 0x210, fw ver 17.3216344376.0, address 5c:e4:2a:07:34:9c
[drm] failed to load ucode RLC_RESTORE_LIST_CNTL(0x11) [drm] psp gfx command 
LOAD_IP_FW(0x6) failed and response status is (0x300F)
[drm] failed to load ucode RLC_RESTORE_LIST_GPM_MEM(0x12) [drm] psp gfx command 
LOAD_IP_FW(0x6) failed and response status is (0x000F)
[drm] failed to load ucode RLC_RESTORE_LIST_SRM_MEM(0x13) [drm] psp gfx command 
LOAD_IP_FW(0x6) failed and response status is (0x000F)
amdgpu0: RAVEN2 3 CU rev 0x09
amdgpu0: 1024x768, 32bpp
wsdisplay0 at amdgpu0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
==

Thanks!
Mike

> Am 11.11.2022 um 00:35 schrieb Mike Fischer :
> 
> On a newly installed Mini PC (NiPoGi AM02) I noticed the following messages 
> in dmesg:
> iwm0: could not read firmware iwm-7265-17 (error 2)
> iwm0: failed to load init firmware
> 
> and:
> drm:pid0:amdgpu_device_parse_gpu_info_fw *ERROR* Failed to load gpu_info 
> firmware "amdgpu/raven2_gpu_info.bin"
> drm:pid0:amdgpu_attachhook *ERROR* Fatal error during GPU init
> 
> 
> I checked iwm(4) and it referred to fw_update(8).
> 
> # fw_update -vvv
> Detect firmware ... found.
> Trying 94.142.241.170...
> Requesting http://firmware.openbsd.org/firmware/7.2/SHA256.sig
> 100% 
> ||
>150   00:00
> 150 bytes received in 0.00 seconds (856.59 KB/s)
> Unable to find firmware for amdgpu
> fw_update: added none; updated none; kept none
> # 
> 
> Looking at http://firmware.openbsd.org/firmware/7.2/ there is no firmware 
> there. (http://firmware.openbsd.org/firmware/7.1/ contains stuff, so this 
> seems odd.)
> 
> This is an AMD Ryzen 3 3200U processor with onboard Radeon Vega graphics.
> 
> dmesg:
> ==
> OpenBSD 7.2 (GENERIC.MP) #0: Wed Oct 26 12:01:47 MDT 2022
>
> r...@syspatch-72-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 6349602816 (6055MB)
> avail mem = 6139764736 (5855MB)
> random: good seed from bootblocks
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 3.2 @ 0xde3db000 (43 entries)
> bios0: vendor American Megatrends Inc. version "V1.16_P2C10M3_AMILogo" date 
> 05/30/2022
> bios0: Default string AM02
> acpi0 at bios0: ACPI 6.0
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP APIC FPDT FIDT SSDT MSDM MCFG HPET UEFI VFCT TPM2 
> IVRS SSDT CRAT CDIT SSDT SSDT SSDT WSMT SSDT
> acpi0: wakeup devices GPP0(S4) GPP1(S4) GPP2(S4) GPP3(S4) GPP4(S4) GPP5(S4) 
> GPP6(S4) GP17(S4) XHC0(S3) XHC1(S3) GP18(S4)
> acpitimer0 at acpi0: 3579545 Hz, 32 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: AMD Ryzen 3 3200U with Radeon Vega Mobile Gfx, 2395.68 MHz, 17-18-01
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
> cpu0: 32KB 64b/line 8-way D-cache, 64KB 64b/line 4-way I-cache, 512KB 
> 64b/line 8-way L2 cache, 4MB 64b/line 16-way L3 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 24MHz
> cpu0: mwait min=64, max=64, C-substates=1.1, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: AMD Ryzen 3 3200U with Radeon Vega Mobile Gfx, 2395.51 MHz, 17-18-01
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
> cpu1: 32KB 64b/line 8-way D-cache, 64KB 64b/line 4-way I-cache, 512KB 
> 64b/line 8-way L2 cache, 4MB 64b/line 16-way L3 cache
> cpu1: smt 1, core 0, package 0
> cpu2 at mainbus0: apid 2 (application processor)
> cpu2: AMD Ryzen 3 3200U with Radeon Vega Mobile Gfx, 2395.51 MHz, 17-18-01
> cpu2: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,

7.2 and iwm/amdgpu Firmware?

2022-11-10 Thread Mike Fischer
On a newly installed Mini PC (NiPoGi AM02) I noticed the following messages in 
dmesg:
iwm0: could not read firmware iwm-7265-17 (error 2)
iwm0: failed to load init firmware

and:
drm:pid0:amdgpu_device_parse_gpu_info_fw *ERROR* Failed to load gpu_info 
firmware "amdgpu/raven2_gpu_info.bin"
drm:pid0:amdgpu_attachhook *ERROR* Fatal error during GPU init


I checked iwm(4) and it referred to fw_update(8).

# fw_update -vvv
Detect firmware ... found.
Trying 94.142.241.170...
Requesting http://firmware.openbsd.org/firmware/7.2/SHA256.sig
100% 
||
   150   00:00
150 bytes received in 0.00 seconds (856.59 KB/s)
Unable to find firmware for amdgpu
fw_update: added none; updated none; kept none
# 

Looking at http://firmware.openbsd.org/firmware/7.2/ there is no firmware 
there. (http://firmware.openbsd.org/firmware/7.1/ contains stuff, so this seems 
odd.)

This is an AMD Ryzen 3 3200U processor with onboard Radeon Vega graphics.

dmesg:
==
OpenBSD 7.2 (GENERIC.MP) #0: Wed Oct 26 12:01:47 MDT 2022

r...@syspatch-72-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 6349602816 (6055MB)
avail mem = 6139764736 (5855MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.2 @ 0xde3db000 (43 entries)
bios0: vendor American Megatrends Inc. version "V1.16_P2C10M3_AMILogo" date 
05/30/2022
bios0: Default string AM02
acpi0 at bios0: ACPI 6.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT SSDT MSDM MCFG HPET UEFI VFCT TPM2 IVRS 
SSDT CRAT CDIT SSDT SSDT SSDT WSMT SSDT
acpi0: wakeup devices GPP0(S4) GPP1(S4) GPP2(S4) GPP3(S4) GPP4(S4) GPP5(S4) 
GPP6(S4) GP17(S4) XHC0(S3) XHC1(S3) GP18(S4)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Ryzen 3 3200U with Radeon Vega Mobile Gfx, 2395.68 MHz, 17-18-01
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 32KB 64b/line 8-way D-cache, 64KB 64b/line 4-way I-cache, 512KB 64b/line 
8-way L2 cache, 4MB 64b/line 16-way L3 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=1.1, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Ryzen 3 3200U with Radeon Vega Mobile Gfx, 2395.51 MHz, 17-18-01
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu1: 32KB 64b/line 8-way D-cache, 64KB 64b/line 4-way I-cache, 512KB 64b/line 
8-way L2 cache, 4MB 64b/line 16-way L3 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: AMD Ryzen 3 3200U with Radeon Vega Mobile Gfx, 2395.51 MHz, 17-18-01
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu2: 32KB 64b/line 8-way D-cache, 64KB 64b/line 4-way I-cache, 512KB 64b/line 
8-way L2 cache, 4MB 64b/line 16-way L3 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: AMD Ryzen 3 3200U with Radeon Vega Mobile Gfx, 2395.51 MHz, 17-18-01
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu3: 32KB 64b/line 8-way D-cache, 64KB 64b/line 4-way I-cache, 512KB 64b/line 
8-way L2 cache, 4MB 64b/line 16-way L3 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 5 pa 0xfec0, 

Re: PHP not updated on some machines

2022-10-06 Thread Mike Fischer


> Am 06.10.2022 um 21:30 schrieb Stuart Henderson :
> 
> In cases where the CDN or mirror does appear to be all in sync then
> we might be looking at a problem with pkg_add or with the packages
> themselves. For either of those cases it would help to collect
> output from "pkg_add -u -vv" under script(1) and reporting.

While doing this I noticed that the issue had resolved itself. Same on two 
other machines this was happening on.

So I guess this was probably some sort of cache issue on the CDN.


Thanks!
Mike



PHP not updated on some machines

2022-10-06 Thread Mike Fischer
I have some local VMs running OpenBSD 7.1 stable, amd64 as well as some remote 
VMs running the same.

When I did pkg_add -u today two of my three local machines updated PHP to 
versions 7.4.32, 8.0.24 and 8.1.11 as expected. However the remote machines and 
a very basic local machine, while seeing the exact same quirks version, did not 
update PHP.
quirks-5.5 signed on 2022-10-06T09:54:45Z

pkg_info -d php-7.4.32, etc. shows correct info on the affected machines though.

I have never encountered such strange behavior before.


I kind of suspect some weird cache issue but I don’t understand the 
underpinnings of pkg_add enough to figure this out. Does pkg_add use some sort 
of local cache that I could clear?

Any clues on what could cause this and how to resolve this issue?

All machines have:
# cat /etc/installurl
https://cdn.openbsd.org/pub/OpenBSD
# 

Manually trying to install/update PHP like this worked:
# pkg_add php-7.4.32 
quirks-5.5 signed on 2022-10-06T09:54:45Z
php-7.4.30->7.4.32: ok
Read shared items: ok
New and changed readme(s):
/usr/local/share/doc/pkg-readmes/php-7.4
--- -php-7.4.30 ---
You should also run rm -f /etc/php-7.4.sample/*
You should also run rm -f /etc/php-fpm.d/*
# php-7.4 -v
PHP 7.4.32 (cli) (built: Oct  5 2022 08:55:36) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
# 

So why would pkg_add -u fail where pkg_add php-7.4.32 works? And why only on 
some of the machines?

Thanks
Mike



Re: httpd error.log

2022-09-02 Thread Mike Fischer
Hi Paul!

> Am 02.09.2022 um 14:52 schrieb Paul Pace :
> 
> On 2022-09-01 13:20, Mike Fischer wrote:
>>> Am 01.09.2022 um 21:49 schrieb latin...@vcn.bc.ca:
>>>>> Am 01.09.2022 um 11:13 schrieb latin...@vcn.bc.ca:
>>>>> historia.agroena.org
>>>> Right, try something like this and watch the error.log:
>>>> curl --url 'https://historia.agroena.org/i-dont-exist.php' >/dev/null
>>>> HTH
>>>> Mike
>>> ok now:
>>> first i stop http rcctl stop httpd, then deleted error.log; and rcctl
>>> restart http! It is working correctly.
>>> thanks Mike
>> Not sure how that (or my advice for a test) would help, but I’m glad it did 
>> :-)
>>> PS:
>>> Dokuwiki was working ok, but after the test, the browser says "file not
>>> found" and i am not able to access install.php! i did first # rcctl enable
>>> php74_fpm and rcctl start php74_fpm the httpd.con says root "www/dokuwiki"
>>> directly using consultores.ca/install.php!
>> root "www/dokuwiki" does not sound right. Are you using the standard
>> /var/www/dokuwiki directory for DW? If so it should be:
>> root "/dokuwiki"
>> Here is a similar setup I am using with DW from ports (Hogfather):
>> server "wiki.example.com" {
>>  listen on $my_ipv6 tls port 443
>>  tls {
>>  certificate "/etc/ssl/acme/fullchain.pem"
>>  key "/etc/ssl/acme/private/privkey.pem"
>>  }
>>  log style combined
>>  authenticate "Private area" with "/conf/htpasswd-admin"
>>  root "/dokuwiki"
>>  directory index doku.php
>>  connection max request body 2097152 # Default is 2M for upload_max_filesize and 8M for post_max_size.
>>  location "*.php" {
>>  fastcgi socket "/run/php-fpm.sock"
>>  }
>>  location "/*.inc" { block }
>>  location "/*.ht*" { block }
>>  location "/data/*" { block }
>>  location "/conf/*" { block }
>>  location "/bin/*" { block }
>>  location "/inc/*" { block }
>>  location "/vendor/*" { block }
> 
> The DokuWiki security page[1] states:
> 
> The following directories should not be accessible from the web:
> 
>data
>conf
>bin
>inc (isn't dangerous when accessible, though)
>vendor (leaks info about your environment)
> 
> 
> And httpd.conf(5)[2] states:
> 
>> In case of multiple location statements in the same context, the first 
>> matching location statement will be put into effect, while all later ones 
>> will be ignored. Therefore it is advisable to match for more specific paths 
>> first and for generic ones later on.
> 
> In regards to the current configuration, I believe the matches that pass 
> should be last and matches that block directories should be listed first. Or, 
> alternatively, and better, would be to figure out exactly which .php files 
> are required for the package to run, then make a location rule for each file 
> (unless someone can figure out how to make something the equivalent of a 
> logical or statement (regex: (this|that)) in a single location or location 
> match block to have each of the required .php files pass.
> 
> When I read the configuration, it appears in the reverse order of what is 
> recommended by DokuWiki, so in the above configuration a request for:
> 
> https://wiki.example.com/data/acl.auth.php
> 
> will be passed to php-fpm.sock because that will be matched by the first 
> location. I have no idea the damage to be done with this or other files, but 
> it is against the security guidance of the project.
> 
> It seems like the correct order should be to have the following order of 
> locations:
> 
>   location "/*.inc" { block }
>   location "/*.ht*" { block }
>   location "/data/*" { block }
>   location "/conf/*" { block }
>   location "/bin/*" { block }
>   location "/inc/*" { block }
>   location "/vendor/*" { block }
>   location "*.php" {
>   fastcgi socket "/run/php-fpm.sock"
>   }
> 
> However, I have not tested this.

I just did test this and you are absolutely correct! Thanks for pointing that 
out. I had missed this in httpd.conf(5). I’ll change all of my configs 
accordingly.


Mike
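The first-match rule Paul quotes from httpd.conf(5) can be checked mechanically before a config goes live. The script below is an added example, not code from the thread or from httpd(8): it walks a location list in the order written and reports which rule a request path hits. httpd.conf(5) describes location matching as shell globbing, so the shell's own case patterns stand in for httpd's matcher here (an assumption of this example, not a reimplementation of httpd). The two location lists follow the order as originally posted and Paul's corrected order; the sample file names under the protected directories are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from httpd(8)): simulate the
# first-match rule of httpd.conf(5) "location" blocks so the order of a
# config can be checked before it is deployed.  httpd.conf(5) describes
# location matching as shell globbing, so the shell's own case patterns
# stand in for it here.  Everything below is constructed for the demo.

# One location per line: <glob pattern> <action>, in the order written in
# the config.  First list: the order as originally posted in the thread.
LOCATIONS_AS_POSTED='
*.php pass-to-fastcgi
/*.inc block
/*.ht* block
/data/* block
/conf/* block
/bin/* block
/inc/* block
/vendor/* block
'

# Second list: block rules first, the generic *.php pass rule last.
LOCATIONS_FIXED='
/*.inc block
/*.ht* block
/data/* block
/conf/* block
/bin/* block
/inc/* block
/vendor/* block
*.php pass-to-fastcgi
'

# first_match PATH LOCATIONS: print the action of the first location whose
# pattern matches PATH; "default" means no location matched and httpd would
# serve the path from the server root.
first_match() {
    path=$1
    while read -r pattern action; do
        [ -n "$pattern" ] || continue
        # $pattern is intentionally unquoted so it is used as a glob
        case "$path" in
            $pattern) printf '%s\n' "$action"; return 0 ;;
        esac
    done <<EOF
$2
EOF
    printf 'default\n'
}

# Paths under the directories DokuWiki's security page says must not be
# reachable (sample file names constructed for the demo).
SENSITIVE_PATHS='/data/acl.auth.php /conf/local.php /bin/indexer.php /inc/init.php /vendor/autoload.php /.htaccess'

# verify_blocked LOCATIONS: return 0 if every sensitive path hits a block
# rule, otherwise print each path that slipped through and return 1.
verify_blocked() {
    rc=0
    for p in $SENSITIVE_PATHS; do
        action=$(first_match "$p" "$1")
        if [ "$action" != block ]; then
            printf 'NOT BLOCKED: %s -> %s\n' "$p" "$action"
            rc=1
        fi
    done
    return $rc
}

printf '== order as posted ==\n'
verify_blocked "$LOCATIONS_AS_POSTED" || :
printf '== block rules first ==\n'
verify_blocked "$LOCATIONS_FIXED" && printf 'all sensitive paths blocked\n'
```

A NOT BLOCKED line means an earlier, more generic location (here `*.php`) shadows the block rule for that path, which is exactly the case Paul describes for /data/acl.auth.php. To check another httpd.conf, paste its location patterns in the order written and list the paths that must never be served.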



Re: httpd error.log

2022-09-02 Thread Mike Fischer


> Am 01.09.2022 um 11:05 schrieb Mischa :
> 
> Those are indeed reasons for it to present the error.
> In my experience this also happens when a non-existent PHP script is 
> requested, as the match is on *.php.

I tried to create a testing setup to verify this, but I keep getting "Access 
denied" or log entries such as "Access to the script '/test' has been denied 
(see security.limit_extensions)" instead of "Primary script unknown" if I 
request non-existent .php paths.

As I am still getting spurious "Primary script unknown" entries I’ll try 
monitoring using:

tail -f /var/www/logs/error.log /var/www/logs/access.log

to see which requests led to these entries.

(Having timestamps in error.log would make this so much easier!)

Mike

> 
> Mischa
> 
> On 2022-09-01 10:41, Mike Fischer wrote:
>> This happens when PHP-FPM can’t find the script to execute.
>> One reason could be that you fiddled with the settings and let PHP-FPM run 
>> without chroot(2), while httpd(8) is running with chroot(2).
>> But it might also be a misconfiguration in httpd.conf. Not sure about all 
>> of the potential reasons but I occasionally see this error as well on a 
>> setup which should be configured correctly. I have not checked whether some 
>> spurious external HTTP requests could be causing this.
>> My httpd.conf basically looks like this:
>> server "servername.example.com" {
>>…
>>location "*.php" {
>>fastcgi socket "/run/php-fpm.sock"
>>}
>> }
>> It’s a bit sad that these logs don’t contain timestamps. Makes matching 
>> against access logs harder.
>> HTH
>> Mike
>>> Am 01.09.2022 um 10:12 schrieb latin...@vcn.bc.ca:
>>> Hello
>>> OBSD 7.1 amd64, vultr vm:
>>> This is my httpd error.log, does somebody know what is happening please?
>>> Primary script unknown
>>> Primary script unknown
>>> Primary script unknown
>>> Primary script unknown
>>> Primary script unknown
>>> Primary script unknown
>>> Primary script unknown
>>> Primary script unknown
>>> Primary script unknown
>>> Primary script unknown
>>> Primary script unknown
>>> Primary script unknown
>>> Primary script unknown
>>> Primary script unknown
>>> Primary script unknown



Re: httpd error.log

2022-09-01 Thread Mike Fischer


> Am 01.09.2022 um 21:49 schrieb latin...@vcn.bc.ca:
> 
>> 
>>> Am 01.09.2022 um 11:13 schrieb latin...@vcn.bc.ca:
>>> 
>>> historia.agroena.org
>> 
>> Right, try something like this and watch the error.log:
>> 
>> curl --url 'https://historia.agroena.org/i-dont-exist.php' >/dev/null
>> 
>> HTH
>> Mike
>> 
> 
> ok now:
> 
> first i stop http rcctl stop httpd, then deleted error.log; and rcctl
> restart http! It is working correctly.
> thanks Mike

Not sure how that (or my advice for a test) would help, but I’m glad it did :-)


> PS:
> Dokuwiki was working ok, but after the test, the browser says "file not
> found" and i am not able to access install.php! i did first # rcctl enable
> php74_fpm and rcctl start php74_fpm the httpd.con says root "www/dokuwiki"
> directly using consultores.ca/install.php!

root "www/dokuwiki" does not sound right. Are you using the standard 
/var/www/dokuwiki directory for DW? If so it should be:
root "/dokuwiki"

Here is a similar setup I am using with DW from ports (Hogfather):
server "wiki.example.com" {
    listen on $my_ipv6 tls port 443

    tls {
        certificate "/etc/ssl/acme/fullchain.pem"
        key "/etc/ssl/acme/private/privkey.pem"
    }

    log style combined

    authenticate "Private area" with "/conf/htpasswd-admin"

    root "/dokuwiki"
    directory index doku.php

    # Default is 2M for upload_max_filesize and 8M for post_max_size.
    connection max request body 2097152

    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }

    location "/*.inc" { block }
    location "/*.ht*" { block }
    location "/data/*" { block }
    location "/conf/*" { block }
    location "/bin/*" { block }
    location "/inc/*" { block }
    location "/vendor/*" { block }
}

You can leave out the authenticate line if you don’t want HTTP Basic 
authentication (on top of DokuWiki authentication). This is running with 
php74_fpm but I also have instances of DW manually updated to Igor running with 
php80_fpm. php81_fpm is probably fine as well for Igor but I have not tested 
that yet. For Hogfather (from ports) you need php74_fpm.

Notes for Igor: Some plugins are still a WIP. You’ll see some PHP Warnings in 
logs and I needed to manually patch a few things in DW and some of the plugins 
I am using. In most cases I have opened issues upstream and some of them are 
already fixed in master. So some post-Igor release will see those fixes. For 
the plugins the process seems slower as they are less actively maintained.


HTH
Mike




Re: httpd error.log

2022-09-01 Thread Mike Fischer


> Am 01.09.2022 um 11:13 schrieb latin...@vcn.bc.ca:
> 
> historia.agroena.org

Right, try something like this and watch the error.log:

curl --url 'https://historia.agroena.org/i-dont-exist.php' >/dev/null

HTH
Mike



Re: httpd error.log

2022-09-01 Thread Mike Fischer
This happens when PHP-FPM can’t find the script to execute.

One reason could be that you fiddled with the settings and let PHP-FPM run 
without chroot(2), while httpd(8) is running with chroot(2).

But it might also be a misconfiguration in httpd.conf. Not sure about all of 
the potential reasons but I occasionally see this error as well on a setup 
which should be configured correctly. I have not checked whether some spurious 
external HTTP requests could be causing this.

My httpd.conf basically looks like this:
server "servername.example.com" {
    …
    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
}

It’s a bit sad that these logs don’t contain timestamps. Makes matching against 
access logs harder.

HTH
Mike

> Am 01.09.2022 um 10:12 schrieb latin...@vcn.bc.ca:
> 
> Hello
> 
> OBSD 7.1 amd64, vultr vm:
> This is my httpd error.log, does somebody know what is happening please?
> Primary script unknown
> Primary script unknown
> Primary script unknown
> Primary script unknown
> Primary script unknown
> Primary script unknown
> Primary script unknown
> Primary script unknown
> Primary script unknown
> Primary script unknown
> Primary script unknown
> Primary script unknown
> Primary script unknown
> Primary script unknown
> Primary script unknown



Re: How to compact partitions (disklabel)?

2022-06-13 Thread Mike Fischer


> Am 13.06.2022 um 10:21 schrieb Stuart Henderson :
> 
> On 2022-06-13, Mike Fischer  wrote:
>> After solving a recent problem on a VM where the /usr/local was full I was 
>> left with a disklabel that had a hole of unused space in it (see below for 
>> details). I was wondering if there is a way to compact the partitions, i.e. 
>> move the partitions following the deleted one up to fill the hole, 
>> potentially leaving corresponding free space at the end.
>> 
>> I’d prefer to not have to use dd(1) on the raw device to move the data? I’d 
>> hope for something that is smart enough to adjust the disklabel after moving 
>> the bytes. Wishful thinking?
> 
> There's no good way to do this. My preference would be to attach a new
> virtual disk, partition either manually or according to current auto
> defaults for the larger disk, dump|restore and run installboot, then
> remove the old virtual disk.

Ok, thanks! I thought I missed something ;-)


> 
>> 16 partitions:
>> #                size           offset  fstype [fsize bsize   cpg]
>>   f:          5056800          8025952  4.2BSD   2048 16384 12960 # /usr
> 
> You might find this a little tight too after some updates.

# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      615M    108M    476M    18%    /
/dev/sd0k      3.7G    798M    2.7G    22%    /home
/dev/sd0d      863M    8.0K    820M     0%    /tmp
/dev/sd0f      2.3G    1.7G    555M    76%    /usr
/dev/sd0g      648M    299M    317M    48%    /usr/X11R6
/dev/sd0l      4.8G    2.2G    2.4G    48%    /usr/local
/dev/sd0j      5.2G    2.0K    4.9G     0%    /usr/obj
/dev/sd0i      1.4G    968M    402M    71%    /usr/src
/dev/sd0e      1.3G    425M    806M    35%    /var
# 

24% (555M) free seems ok for now, but thanks for the heads-up.


Mike



How to compact partitions (disklabel)?

2022-06-13 Thread Mike Fischer
Hi!

After solving a recent problem on a VM where the /usr/local was full I was left 
with a disklabel that had a hole of unused space in it (see below for details). 
I was wondering if there is a way to compact the partitions, i.e. move the 
partitions following the deleted one up to fill the hole, potentially leaving 
corresponding free space at the end.

I’d prefer to not have to use dd(1) on the raw device to move the data? I’d 
hope for something that is smart enough to adjust the disklabel after moving 
the bytes. Wishful thinking?


Details:
Partition sd0h, ≈2.42 GB in size, containing /usr/local was full on a 20 GB 
virtual disk in VMWare Fusion, used for OpenBSD 7.1 stable, amd64. The 
partitions were originally created using the defaults in OpenBSD 6.8 IIRC. I 
enlarged the virtual disk in VMWare by 5 GB to 25 GB and then in single user 
mode I added a new sd0l partition using disklabel(8), created a file system on 
it, mounted the new file system and used dump(8)/restore(8) to copy the data. 
Then I modified /etc/fstab to use sd0l instead of sd0h and rebooted. Lastly I 
used disklabel(8) to delete sd0h. This left the aforementioned hole of unused 
data on disk. (For completeness sake I also adjusted the MBR using fdisk(8) to 
make the OpenBSD partition reflect the new size. But I’m not sure if that was 
even required. Seemed to work fine without that change.)

The current disklabel looks like this:
# disklabel sd0   
# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: VMware Virtual S
duid: e592eaa53f566380
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 2610
total sectors: 52428800
boundstart: 64
boundend: 52428800
drivedata: 0 

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:          1299584               64  4.2BSD   2048 16384 10153 # /
  b:          2148640          1299648    swap                    # none
  c:         52428800                0  unused
  d:          1833600          3448288  4.2BSD   2048 16384 12960 # /tmp
  e:          2744064          5281888  4.2BSD   2048 16384 12960 # /var
  f:          5056800          8025952  4.2BSD   2048 16384 12960 # /usr
  g:          1381856         13082752  4.2BSD   2048 16384 10710 # /usr/X11R6
  i:          3059360         19538944  4.2BSD   2048 16384 12960 # /usr/src
  j:         11279680         22598304  4.2BSD   2048 16384 12960 # /usr/obj
  k:          8051648         33877984  4.2BSD   2048 16384 12960 # /home
  l:         10499168         41929632  4.2BSD   2048 16384 12960 # /usr/local
# 
So partitions i through l would need to move.


Thanks!

Mike



Re: Running multiple instances of pflogd

2022-06-02 Thread Mike Fischer


> Am 02.06.2022 um 22:42 schrieb Pantelis Roditis :
> 
> Hi everyone,
> 
> I recently started running multiple pflogd instances and noticed that
> /etc/rc.d/pflogd killed/restarted every running instance.
> The same happened from newsyslog rotations as well.

I think the issue is more general. It applies whenever multiple instances of 
any service are needed.

I have a similar issue with php_fpm which I am using in multiple PHP versions 
and with different settings (chroot(2) for httpd(8) or without chroot(2) for 
Apache httpd).

In some cases the fix may be a more specific pexp. However this depends, as you 
have noted, on what parameters the executable is called with and whether they 
are sufficient to differentiate between the running service instances.

In general running multiple instances of the same service does not seem to be 
supported out of the box by OpenBSD and specifically by the rc(8) 
infrastructure. It can be made to work in some cases but it feels kind of like 
a hack.


> 
> After suggestions by brynet, sthen and ajacoutot (thank you guys)
> I updated pexp to use a combination of `[running]` and `daemon_flags`
> 
> pexp="pflogd: \[running\]${daemon_flags:+ ${daemon_flags}}"

I used a similar solution for php_fpm, differentiating on the names of the 
different config files used for the alternate versions of the service (which 
are specified using rcctl set  flags …).

An alternate solution would require duplicating the binaries under different 
names. But that becomes a maintenance nightmare when there are updates. Note: 
Symlinks don’t work for this. And using hard links may also have issues if the 
inode changes when updating.


> 
> However, the default pflogd does not start with any flags set, so in
> order to make this work I had to either set the flags for pflogd
> 
> rcctl set pflogd flags -s 160 -i pflog0 -f /var/log/pflog
> 
> or add something like this to /etc/rc.d/pflogd
> 
> : ${daemon_flags:="-s 160 -i pflog0 -f /var/log/pflog"}
> pexp="pflogd: \[running\]${daemon_flags:+ ${daemon_flags}}"
> 
> It was suggested by sthen that a diff may be worth submitting, but I don't
> know which of the two options is preferred, if any
> 
> In the first case we have to set flags for pflogd which no other base
> daemon does at the moment, other than maybe amd_master?
> 
> In the second case we set default flags inside the rc script and this
> introduces an unnecessary dependency to update this script whenever the
> default flags or their order changes.
> 
> These changes are only needed for when someone needs to run more than
> one instance of pflogd, in which case they will have to copy the
> default /etc/rc.d/pflogd and/or modify it anyways (e.g. for the interface
> name in rc_pre).

Right! So the choices are:
1) Leave /etc/rc.d/ as is, and only run modified duplicates.
2) Modify /etc/rc.d/ to ensure a unique pexp when dealing with 
multiple instances, but you still need to create modified duplicates for the 
additional instances. 

My choice would be (1). It does not change the things installed by the base 
system or from packages. Whenever something is updated, manual checks and 
potentially adjustments may be required anyway. Seems a bit cleaner that way. 
Less dependencies on the defaults.

Note: For the general case you also need to watch out for configured (or 
compiled-in) resources, such as sockets, network ports, log files, config 
files, etc.


> 
> The diff for the script follows, suggestions/ideas are more than welcome
> 
> diff --git etc/rc.d/pflogd etc/rc.d/pflogd
> index 963616775..620d2daef 100644
> --- etc/rc.d/pflogd
> +++ etc/rc.d/pflogd
> @@ -6,7 +6,9 @@ daemon="/sbin/pflogd"
> 
> . /etc/rc.d/rc.subr
> 
> -pexp="pflogd: \[priv\]"
> +: ${daemon_flags:="-s 160 -i pflog0 -f /var/log/pflog"}
> +
> +pexp="pflogd: \[running\]${daemon_flags:+ ${daemon_flags}}"
> 
> rc_pre() {
> 
>if pfctl -si | grep -q Enabled; then
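Review bot: the new pexp interpolates ${daemon_flags} into an extended regular expression without escaping, so a flag value containing ERE metacharacters (a dot in a log-file name, parentheses in a pflogd filter expression) is interpreted as a pattern instead of being matched literally, and pgrep/pkill may then select the wrong instance; escape the flags before building pexp, or document that restriction next to the assignment. The hard-coded fallback in `: ${daemon_flags:="-s 160 -i pflog0 -f /var/log/pflog"}` has to track pflogd's built-in defaults and their order, as the cover mail already says; a comment on that line saying so would keep it from drifting silently. Changing pexp from `\[priv\]` to `\[running\]` also moves rc_check/rc_stop from the privileged parent to the unprivileged child, so it is worth confirming, and stating in the commit message, that stopping the child takes the `[priv]` process down with it.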

That would be similar to option (2) which I would not prefer.


Just my 2¢…

Mike
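The "more specific pexp" discussed above can be built and checked outside of rc.d before touching a live system. The script below is an added example, not code from the thread or from OpenBSD's rc.subr: it escapes the instance's flags, composes a pexp of the `pflogd: \[running\] <flags>` form quoted in the thread, and tests which process titles that pexp would select. rc.subr(8) locates a daemon with pgrep -xf / pkill -xf, which compare the whole argument list against pexp as an extended regular expression; grep -Ex performs the same comparison here against process titles that are constructed for the demo (no real process is inspected). The daemon name and instance flags are parameters of the example.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD's rc.subr): build a
# per-instance pexp for a multi-instance daemon and check which process
# titles it selects.  rc.subr(8) uses pgrep -xf / pkill -xf, which compare
# the whole argument list against pexp as an extended regular expression;
# grep -Ex does the same comparison here against constructed titles
# modelled on the "pflogd: [running] <flags>" form quoted in the thread.

# ere_escape STRING: backslash-escape ERE metacharacters so that flag values
# are matched literally rather than interpreted as a pattern.
ere_escape() {
    printf '%s\n' "$1" | sed 's,[][\\.*^$+?(){}|],\\&,g'
}

# pexp_for_instance DAEMON FLAGS: the pexp an rc.d(8) script would need in
# order to pick out the instance of DAEMON started with exactly FLAGS.
pexp_for_instance() {
    if [ -n "$2" ]; then
        printf '%s: \\[running\\] %s\n' "$1" "$(ere_escape "$2")"
    else
        printf '%s: \\[running\\]\n' "$1"
    fi
}

# title_matches PEXP TITLE: 0 if pgrep -xf PEXP would select a process whose
# argument list is TITLE, 1 otherwise.
title_matches() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# Constructed process titles for two pflogd instances on the same host.
TITLE_LAN='pflogd: [running] -s 160 -i pflog0 -f /var/log/pflog'
TITLE_DMZ='pflogd: [running] -s 160 -i pflog1 -f /var/log/pflog.dmz'

PEXP_LAN=$(pexp_for_instance pflogd '-s 160 -i pflog0 -f /var/log/pflog')
PEXP_DMZ=$(pexp_for_instance pflogd '-s 160 -i pflog1 -f /var/log/pflog.dmz')

# Each pexp must select its own instance and nothing else.
for t in "$TITLE_LAN" "$TITLE_DMZ"; do
    title_matches "$PEXP_LAN" "$t" && printf 'LAN pexp selects: %s\n' "$t"
    title_matches "$PEXP_DMZ" "$t" && printf 'DMZ pexp selects: %s\n' "$t"
done
```

Because the flags end up inside a regular expression, the escaping step matters: an unescaped `pflog.dmz` would also select a process whose title contains `pflogXdmz`, and parentheses in a filter expression would be read as a group rather than as text. The same approach applies to any rc.d script that needs one pexp per instance, for example the php_fpm variants mentioned above.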



Re: Capturing redirected packets?

2022-02-11 Thread Mike Fischer


> Am 10.02.2022 um 19:01 schrieb Stuart Henderson :
> 
> On 2022-02-10, Mike Fischer  wrote:
>>> The redirection to an address on the local machine is just internal to
>>> the machine; those would only show a second time in tcpdump if they were
>>> being sent to another machine.
>> 
>> Ok, thanks. So there is no way to trace rdr-to (other than possibly doing 
>> low level kernel debugging)?
> 
> See pflog(4) - "match log(matches)" is very useful for tracking through
> fiddly rulesets.

Indeed, and tcpdump -v helps as well as I found out. It shows the original 
destination as well as the redirected one:

tcpdump -n -e -ttt -l -i pflog0 -v 'port 80 or 8080'


>>> Normally if you have two addresses on the same lan you'd configure them
>>> as aliases on the one interface, this seems a bit of a non-standard
>>> config.
>> 
>> Yes I know. The reason for trying this was that having two
>> inet6 autoconf interfaces on the same LAN has issues. And alias
>> was not an option due to dynamic IPv6 prefixes. (See this
>> thread: https://marc.info/?l=openbsd-misc&m=164412170710420&w=2
>> and a suggestion by Brian Brombacher in
>> https://marc.info/?l=openbsd-misc&m=164418424619191&w=2 that I wanted to
>> give a try.)
>> 
>> Non-standard or not, it works ;-) Though the headers seen by the web
>> server show the redirected IP and port and not the ones originally asked
>> for by the client. Not surprising but something the site developer needs
>> to be aware of. And HTTP was only an easy to use example. For other
>> services this limitation may have more severe consequences.
> 
> Ah yes I do remember reading this, but I couldn't figure out a use case
> for doing it that way :) I'm not a fan of non-standard configs where
> avoidable, they're usually the ones which get broken when things are
> changed.

Granted, in a normal hosting environment with static IPs this is generally not 
relevant. For those of us testing things at home or in some small office 
environments there is a use case.


> btw for "only the prefix is listed not the complete IPv6 addresses" ->
> see netstat's -v flag. 

Cool, thanks!


Mike



Re: Capturing redirected packets?

2022-02-10 Thread Mike Fischer


> Am 10.02.2022 um 09:55 schrieb Stuart Henderson :
> 
> On 2022-02-08, Mike Fischer  wrote:
>> Hi!
>> 
>> I have PF rules redirecting packets to an IP on one interface (rdomain 1) to 
>> the IP of another interface (rdomain 0):
>> 
>> pass in log on rdomain 1 inet proto tcp to $ipv4b port 80 rdr-to $ipv4a port 
>> 8080 rtable 0
>> pass in log on rdomain 1 inet6 proto tcp to $ipv6b port 80 rdr-to $ipv6a 
>> port 8080 rtable 0
>> 
>> These rules work for IPv4 but initially not for IPv6. (That problem is now 
>> solved.) I was trying to figure out why and started using tcpdump(8).
>> 
>> em0 has the IPs: ipv4a and ipv6a.
>> em1 is in rdomain 1 and has the IPs: ipv4b and ipv6b.
>> Both are connected to the same LAN.
>> 
>> httpd(8) is configured to listen on ipv4a:80, ipv6a:80 with one (virtual) 
>> server and on ipv4a:8080, ipv6a:8080 with another, each serving a very 
>> simple index.html file that shows which server is responding.
>> 
>> To debug I started:
>> # tcpdump -n -e -ttt -l -i em0 'port 80 or 8080'
>> 
>> # tcpdump -n -e -ttt -l -i em1 'port 80 or 8080'
>> 
>> (Both in separate terminal windows at the same time.)
>> 
>> Now from a second machine I access the web server:
>> $ curl --url 'http://'
>> Works fine, I see traffic in the tcpdump(8) for em0.
>> 
>> $ curl --url 'http://'
>> Works fine, I see traffic in the tcpdump(8) for em1 but not for em0.
>> 
>> $ curl --url 'http://[]'
>> Works fine, I see traffic in the tcpdump(8) for em0.
>> 
>> $ curl --url 'http://[]'
>> Timeout! I see traffic in the tcpdump(8) for em1 but not for em0.
>> This was the one I was ultimately trying to debug but as the trace on the 
>> IPv4 version doesn’t work as expected I was momentarily at a loss.
>> I have since solved the actual problem by setting:
>> # sysctl net.inet6.ip6.forwarding=1
>> But I still don’t see the redirected traffic in the tcpdump(8) for em0.
>> 
>> 
>> I don’t understand the second and fourth results. Why does the tcpdump(8) 
>> for em0 not show the redirected packets?
>> 
>> I am likely missing something obvious here. How can I capture the redirected 
>> packets?
> 
> The redirection to an address on the local machine is just internal to
> the machine; those would only show a second time in tcpdump if they were
> being sent to another machine.

Ok, thanks. So there is no way to trace rdr-to (other than possibly doing low 
level kernel debugging)?


> Normally if you have two addresses on the same lan you'd configure them
> as aliases on the one interface, this seems a bit of a non-standard
> config.

Yes I know. The reason for trying this was that having two inet6 autoconf 
interfaces on the same LAN has issues. And alias was not an option due to 
dynamic IPv6 prefixes. (See this thread: 
https://marc.info/?l=openbsd-misc&m=164412170710420&w=2 and a suggestion by 
Brian Brombacher in https://marc.info/?l=openbsd-misc&m=164418424619191&w=2 
that I wanted to give a try.)

Non-standard or not, it works ;-) Though the headers seen by the web server 
show the redirected IP and port and not the ones originally asked for by the 
client. Not surprising but something the site developer needs to be aware of. 
And HTTP was only an easy to use example. For other services this limitation 
may have more severe consequences.


Thanks!

Mike



Capturing redirected packets?

2022-02-08 Thread Mike Fischer
Hi!

I have PF rules redirecting packets to an IP on one interface (rdomain 1) to 
the IP of another interface (rdomain 0):

pass in log on rdomain 1 inet proto tcp to $ipv4b port 80 rdr-to $ipv4a port 
8080 rtable 0
pass in log on rdomain 1 inet6 proto tcp to $ipv6b port 80 rdr-to $ipv6a port 
8080 rtable 0

These rules work for IPv4 but initially not for IPv6. (That problem is now 
solved.) I was trying to figure out why and started using tcpdump(8).

em0 has the IPs: ipv4a and ipv6a.
em1 is in rdomain 1 and has the IPs: ipv4b and ipv6b.
Both are connected to the same LAN.

httpd(8) is configured to listen on ipv4a:80, ipv6a:80 with one (virtual) 
server and on ipv4a:8080, ipv6a:8080 with another, each serving a very simple 
index.html file that shows which server is responding.

To debug I started:
# tcpdump -n -e -ttt -l -i em0 'port 80 or 8080'

# tcpdump -n -e -ttt -l -i em1 'port 80 or 8080'

(Both in separate terminal windows at the same time.)

Now from a second machine I access the web server:
$ curl --url 'http://'
Works fine, I see traffic in the tcpdump(8) for em0.

$ curl --url 'http://'
Works fine, I see traffic in the tcpdump(8) for em1 but not for em0.

$ curl --url 'http://[]'
Works fine, I see traffic in the tcpdump(8) for em0.

$ curl --url 'http://[]'
Timeout! I see traffic in the tcpdump(8) for em1 but not for em0.
This was the one I was ultimately trying to debug but as the trace on the IPv4 
version doesn’t work as expected I was momentarily at a loss.
I have since solved the actual problem by setting:
# sysctl net.inet6.ip6.forwarding=1
But I still don’t see the redirected traffic in the tcpdump(8) for em0.


I don’t understand the second and fourth results. Why does the tcpdump(8) for 
em0 not show the redirected packets?

I am likely missing something obvious here. How can I capture the redirected 
packets?


Thanks!

Mike



Re: httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-07 Thread Mike Fischer
Matt & Łukasz,

> Am 07.02.2022 um 19:23 schrieb Łukasz Moskała :
> 
> Actually the request is:
> 
> GET / HTTP/1.1
> Host: example.com
> 
> Host header is REQUIRED by HTTP/1.1 specification: 
> https://datatracker.ietf.org/doc/html/rfc2616#section-14.23
> 
> HTTPS also sends host header, but SNI is still used to choose correct 
> certificate.


> Am 07.02.2022 um 18:15 schrieb Matthew Ernisse :
> 
> On Mon, Feb 07, 2022 at 05:23:03PM +0100, Mike Fischer said:
>> 
>> Not quite true. I do use DNS and for practical applications I also 
>> use HTTPS and SNI. But DNS is secondary and sometimes adds another 
>> layer of complexity. Also SNI is not available for services not 
>> secured by SSL/TLS to my knowledge. E.g. in my example for a web 
>> server on port 80 the hostname comes into play only to resolve the 
>> IP. The actual request would be "GET / HTTP/1.1" — no hostname in 
>> sight.
> 
> FWIW, the assertion about HTTP is incorrect here.  HTTP 1.1 defines the Host
> header which is mandatory in requests which and has been used for decades to
> provide name based virtual hosting sharing an IP address.
> 
> https://datatracker.ietf.org/doc/html/rfc2616/#section-14.23
> 
> In practice DNS isn't even needed, an entry in your client's hosts(5) file
> has been sufficient.
> 
> —Matt

You are both correct! I hadn’t realized the header was mandatory for HTTP/1.1.

Thanks for pointing that out.

(I wonder if curl(8) adds that header automatically? Though that is off topic 
for this thread…)


Mike



Re: httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-07 Thread Mike Fischer


> Am 06.02.2022 um 22:48 schrieb Brian Brombacher :
> 
> At this point I would reconfigure httpd to use two separate ports (80, 81) 
> for each site, or two local IP addresses (::1, ::2, I wouldn’t personally do 
> this, I would go multi port), and then use PF rules to forward the (em0) port 
> 80 as usual and then (em1) port 80 I would forward to rdomain 0, port 81 
> (example port).

You mean: have only one instance of httpd listen on IPs in rdomain 0 for 
different ports and use PF to forward packets for IPs in rdomain 1 to these 
IP/port combinations in rdomain 0?

I’ll give that a try in the next few days…


> All of this is beyond the scope of a normal setup.  I would usually just do 
> as described by others and rely on hostname rather than IP for httpd to 
> process requests.  If for some reason this isn’t feasible, I’d be curious why.

This is mainly for learning. In a production setup I’d agree that this seems 
much too complicated. Also generally HTTPS would be used which allows for SNI 
to choose the virtual hosts. For services other than HTTPS that might be more 
difficult.

There might be actual use cases for this in home/small office settings though.


>> On Feb 6, 2022, at 4:51 PM, Brian Brombacher  wrote:

> From your posts I know why you don’t want to use hostnames.

Not quite true. I do use DNS and for practical applications I also use HTTPS 
and SNI. But DNS is secondary and sometimes adds another layer of complexity. 
Also SNI is not available for services not secured by SSL/TLS to my knowledge. 
E.g. in my example for a web server on port 80 the hostname comes into play 
only to resolve the IP. The actual request would be "GET / HTTP/1.1" — no 
hostname in sight.


>  I can see utility in using different IPs for different sites if you don’t 
> want to advertise that the sites are related by their IP.

Yes, though in truth having the same prefix would be unavoidable and would let 
an outsider know that the services are related in some way. It would leave open 
whether the services are using the same host though.

Like I wrote this is mainly for learning at the moment. I am somewhat amazed at 
the subtle differences between IPv4 and IPv6. IPv6 is obviously not just IPv4 
with more address space. My approach is to figure out how things work and what 
is possible, then for practical applications decide whether a particular 
solution is too complicated to maintain or to set up, or too fragile to be of 
long term use.

As for privacy my aim is to be able to leak as little information as possible 
to reduce any attack surface. Naturally when hosting a service on the public 
Internet the service itself is exposed. That can’t be helped. But anything not 
directly related to the service should IMHO stay hidden as much as possible.


Thanks!

Mike



Re: httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-06 Thread Mike Fischer


> On 06.02.2022 at 21:13, Brian Brombacher wrote:
> 
>>> You can work around it by putting both interfaces in different rdomains, 
>>> then running two httpd instances, one in rdomain with first IP, second in 
>>> rdomain with second IP.
>> 
> 
> This will work.  You can use PF rules to cross rdomains if you require.

Thanks for that info!


rdomains are a new concept for me. From what I currently understand after 
reading rdomain(4) I don’t get why I would need to run two instances of my 
service, e.g. httpd(8) to use rdomains? Is a process somehow tied to an rdomain?

And while the PF mechanism to cross rdomains might be needed in some setups I 
don’t see where it would help in my scenario? I want to use my service mainly 
from outside the host. (Though for local access I would understand the need to 
configure some PF rules.)

I tried the following:
Starting state: em0 and em1 each configured for IPv4 and IPv6, the latter using 
autoconf
em0:
…
inet 192.168.0.10 netmask 0xff00 broadcast 192.168.0.255
inet6 fe80::20c:29ff:fd9c:4b7%em0 prefixlen 64 scopeid 0x1
inet6 2001:db8::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 978 
vltime 6912
…

em1:
…
inet 192.168.0.20 netmask 0xff00 broadcast 192.168.0.255
inet6 fe80::20c:29ff:fd9c:4c1%em0 prefixlen 64 scopeid 0x1
inet6 2001:db8::20c:29ff:fd9c:4c1 prefixlen 64 autoconf pltime 978 
vltime 6912
…

# netstat -R
Rdomain 0
  Interfaces: lo0 em0 em1 enc0 pflog0
  Routing table: 0

# 

Change #1:

# ifconfig em1 rdomain 1

New state:
em0: (same as above)
…
inet 192.168.0.10 netmask 0xff00 broadcast 192.168.0.255
inet6 fe80::20c:29ff:fd9c:4b7%em0 prefixlen 64 scopeid 0x1
inet6 2001:db8::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 978 
vltime 6912
…

em1: (no IPs)
…
…

# netstat -R
Rdomain 0
  Interfaces: lo0 em0 enc0 pflog0
  Routing table: 0

Rdomain 1
  Interfaces: em1 lo1
  Routing table: 1

# 

Change #2: Re-add the IPs:
# ifconfig em1 inet 192.168.0.20 netmask 255.255.255.0 broadcast 192.168.0.255
# ifconfig em1 inet6 autoconf -temporary -soii

New state: IPs on em1 are now set as in the original state, em1 is in rdomain 1.

So far so good!


After restarting httpd it failed with message: "parent: send server: Can't 
assign requested address" in /var/log/messages
Ok, so there seems to be a reason for needing another instance of httpd. But 
how would that work? What would I have to do to get that second instance to 
listen on IPs from rdomain 1?

I have tried setting up a copy of /usr/sbin/httpd (actually a symbolic link 
using the name /root/bin/httpd_em1) and I have created a new /etc/httpd.2.conf 
with only the em1 related content. I have also duplicated /etc/rc.d/httpd to 
/etc/rc.d/httpd_em1 and changed daemon='/root/bin/httpd_em1' (the path to my 
symbolic link) and daemon_flags="${daemon_flags} -f /etc/httpd.2.conf"
No joy! rcctl start httpd_em1 results in the same message in /var/log/messages.


Thanks for any pointers you can give me.

Mike



Re: httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-06 Thread Mike Fischer
Hi Łukasz,

> On 06.02.2022 at 12:08, Łukasz Moskała wrote:
> 
> On 6.02.2022 at 05:28, Mike Fischer wrote:
>> OpenBSD 7.0 stable amd64
>> My host has two ethernet interfaces, em0 and em1.
>> Note: The host is a VM with two virtual interfaces.
>> Both interfaces are configured like this for IPv6 in the /etc/hostname.em0 
>> and /etc/hostname.em1 files:
>> inet6 autoconf -temporary -soii
>> They are connected to the same LAN and each produces a unique IPv6 address 
>> using the same prefix and an EUI64 interface identifier as expected*.
>> $ ifconfig em0|grep inet6|grep -vE '(fe80:| fd|temporary|deprecated)'
>>  inet6 2001:db8::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 1070 
>> vltime 7043
>> $ ifconfig em1|grep inet6|grep -vE '(fe80:| fd|temporary|deprecated)'
>>  inet6 2001:db8::20c:29ff:fd9c:4c1 prefixlen 64 autoconf pltime 1032 
>> vltime 7005
>> DNS records have been set up*:
>> $ dig +short a.example.com 
>> 2001:db8::20c:29ff:fd9c:4b7
>> $ dig +short b.example.com 
>> 2001:db8::20c:29ff:fd9c:4c1
>> $
>> My httpd.conf looks like this*:
>> ipa = "2001:db8::20c:29ff:fd9c:4b7"
>> ipb = "2001:db8::20c:29ff:fd9c:4c1"
>> server "a.example.com" {
>>  listen on $ipa port 80
>>  directory index index.html
>>  location "/*" {
>>  root "/htdocs/a"
>>  }
>> }
>> server "b.example.com" {
>>  listen on $ipb port 80
>>  directory index index.html
>>  location "/*" {
>>  root "/htdocs/b"
>>  }
>> }
>> /var/www/htdocs/a/index.html and /var/www/htdocs/b/index.html exist and each 
>> contains a minimal HTML page.
>> httpd -n sees no problem.
>> rcctl start httpd works fine.
>> However trying to access http://a.example.com or 
>> http://[2001:db8::20c:29ff:fd9c:4b7] gets a timeout.
>> Accessing http://b.example.com or http://[2001:db8::20c:29ff:fd9c:4c1] works 
>> fine.
>> Trying to find the cause I checked:
>> $ netstat -an|grep LISTEN
>> …
>> tcp6 0  0  2001:db8::.80*.*LISTEN
>> tcp6 0  0  2001:db8::.80*.*LISTEN
>> …
>> $
>> Which seems weird because only the prefix is listed not the complete IPv6 
>> addresses.
>> Am I seeing a bug or is my expectation that both servers (virtual hosts) 
>> work wrong?
>> *) Hostnames and IPs anonymized.
>> Thanks!
>> Mike
> 
> "They are connected to the same LAN"
> This is most likely your problem. Having two IPs on two interfaces in the 
> same subnet will usually cause problems. Most likely you also have two 
> default routes.

Yes, you are right. There are 2 default routes for IPv6.

Not sure why IPv6 works like this but that’s what I’m trying to learn. I am 
using this machine as a test bed for figuring out IPv6. My expectation was that 
IPv6 would work just like IPv4 in this scenario.

Note: For IPv4 the same setup works fine, yielding a web server that serves 
both a.example.com and b.example.com on different IPs. The expectation would be 
that replies would be sent through the same interface the request came in on. 
IPv4 has the drawback that I only have 1 public IPv4 address. So I need to 
differentiate by port number on the Internet side of my router to map to the 
correct LAN IP.

So I learned something here, which was my goal. Thanks!


> You can work around it by putting both interfaces in different rdomains, then 
> running two httpd instances, one in rdomain with first IP, second in rdomain 
> with second IP.

I’ll look into this (more as a way to learn more about how this works than to 
actually fill a pressing need). Thanks for the idea.


> Or, assign both IPs statically to em0 (one with prefix /64, second with 
> prefix /128), then remove em1 - I'm 99% sure this will solve your problem.

Yes. But in my experimental setup this would not be practical because the IPv6 
prefix is dynamic. Assigning a static IPv6 address will cease to work when the 
prefix changes, at least for connections from the Internet. There are issues 
with the setup of port forwarding on my router as well. I thought I could get 
around all of these issues by using the second interface.

For this experiment the goal was to get a single host to serve two websites on 
separate IPv6 addresses. All this in a LAN setting where the public IPv6 prefix 
is dynamic. Getting it to work short term is easy using static IPs. But 
ensuring it will work across prefix changes is more complicated. I do have a 
script that triggers on prefix changes and could be used to adjust the static 
IPs and the httpd.conf as needed. I don’t much like that solution though.


Thanks for your reply!


Mike



httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-05 Thread Mike Fischer
OpenBSD 7.0 stable amd64

My host has two ethernet interfaces, em0 and em1.
Note: The host is a VM with two virtual interfaces.

Both interfaces are configured like this for IPv6 in the /etc/hostname.em0 and 
/etc/hostname.em1 files:
inet6 autoconf -temporary -soii

They are connected to the same LAN and each produces a unique IPv6 address 
using the same prefix and an EUI64 interface identifier as expected*.
$ ifconfig em0|grep inet6|grep -vE '(fe80:| fd|temporary|deprecated)'
inet6 2001:db8::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 1070 
vltime 7043
$ ifconfig em1|grep inet6|grep -vE '(fe80:| fd|temporary|deprecated)'
inet6 2001:db8::20c:29ff:fd9c:4c1 prefixlen 64 autoconf pltime 1032 
vltime 7005

DNS records have been set up*:
$ dig +short a.example.com 
2001:db8::20c:29ff:fd9c:4b7
$ dig +short b.example.com 
2001:db8::20c:29ff:fd9c:4c1
$ 

My httpd.conf looks like this*:

ipa = "2001:db8::20c:29ff:fd9c:4b7"
ipb = "2001:db8::20c:29ff:fd9c:4c1"

server "a.example.com" {
listen on $ipa port 80
directory index index.html
location "/*" {
root "/htdocs/a"
}
}

server "b.example.com" {
listen on $ipb port 80
directory index index.html
location "/*" {
root "/htdocs/b"
}
}


/var/www/htdocs/a/index.html and /var/www/htdocs/b/index.html exist and each 
contains a minimal HTML page.

httpd -n sees no problem.

rcctl start httpd works fine.

However trying to access http://a.example.com or 
http://[2001:db8::20c:29ff:fd9c:4b7] gets a timeout.

Accessing http://b.example.com or http://[2001:db8::20c:29ff:fd9c:4c1] works 
fine.


Trying to find the cause I checked:
$ netstat -an|grep LISTEN
…
tcp6 0  0  2001:db8::.80*.*LISTEN
tcp6 0  0  2001:db8::.80*.*LISTEN
…
$ 
Which seems weird because only the prefix is listed not the complete IPv6 
addresses.


Am I seeing a bug or is my expectation that both servers (virtual hosts) work 
wrong?


*) Hostnames and IPs anonymized.

Thanks!
Mike



Re: Networking error or bad System configuration.

2022-01-31 Thread Mike Fischer


> On 31.01.2022 at 23:38, latin...@vcn.bc.ca wrote:
> 
>> Some things to consider:
>> 
>> - Have you established whether the IPs configured inside your host are
>> actually reachable from the outside? (And whether they reach your host and
>> not something else?)
>> You could check this using SSH which you say is working. Can you connect
>> using both IPv4 and IPv6?
> 
> Thank you Mike:
> The server works well with ipv4, both ssh and console.

Console access is nice to have but probably irrelevant for solving your network 
issues. Have you tried SSH via IPv6 like I suggested?


> What I saw, is that in hours, the ipv6 changed and became unavailable; but
> now I can reach the server ipv4 ipv6. the old server.

Huh? That does not make any sense.


> At this point i decide to destroy this server and configure it since the
> beginning, because my mail was rejected by the cause that mail was passing
> for a different server, causing that every one were not able to do and get
> rdns.
> 
> The other reason to destroy it, is that ssh connection was intermittent;
> impossible to work on it!

That sounds seriously messed up.


>> - Are you using pf(4) in any non-default setup?
> 
> No
> 
>> 
>> - According to their website Vultr has a firewall which you can configure.
>> Have you allowed incoming traffic to your services?
> 
> No, i prefer pf

If I understood the Vultr website correctly you don’t get a choice. You get the 
Vultr Firewall and you can additionally use pf(4) if you want.

Of course you could configure the Vultr Firewall to be mostly transparent 
(except for things they always block), but apparently you have not done that.


>> - According to their website Vultr allows you to configure the reverse DNS
>> entries for your host. Currently your cited IPs seem to have only default
>> reverse entries.
> 
> What do you mean "default entries"? I configure it myself, adding dkim,
> and dmarc entries.

$ dig +short -x 8.9.36.198
198.36.9.8.in-addr.arpa.
$ dig +short -x 2001:19f0:5:f8c:5400:3ff:fea5:c615
c.8.f.0.5.0.0.0.0.f.9.1.1.0.0.2.ip6.arpa.
$ 

I would have expected the answer to be "agroena.org." in both cases. 

If you did configure reverse DNS for these IPs it didn’t work.


>> - According to their website Vultr blocks port 25 traffic. You will need
>> to ask them to allow this for your mail server.
> 
> Yes, they open port 25 for me.

Ok. But no one is listening on the port as evidenced by the nmap scans.


>> - You seem to indicate that resolving DNS is not working correctly? You
>> need to get that fixed.
> 
> Yes, I have not touched dns, I only reinstall the server; because, this is
> a testing server and I would like to know, if really there were MiM or
> something else.

Did you test DNS resolution on the host? Without working DNS resolution you 
might as well give up now as your services will require that to work.


> Oh man, this is the new server, where I am going to have only: Opensmtp,
> and Dovecot; to define why the web testers say that e-mail are coming from
> a server without rdns. For now, nothing is installed and configured.
> Thanks so much to try nmap.

Forget about your services for now. You need to get the basic network setup 
working first.

I already gave you my recommendations. You don’t have to follow them of course 
but then I have nothing else to help you with.


Good luck!
Mike


>> - I did a quick nmap scan of your host:
>> $ nmap agroena.org
>> Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-31 13:13 CET
>> Nmap scan report for agroena.org (8.9.36.198)
>> Host is up (0.11s latency).
>> Other addresses for agroena.org (not scanned):
>> 2001:19f0:5:f8c:5400:3ff:fea5:c615
>> rDNS record for 8.9.36.198: 198.36.9.8.in-addr.arpa
>> Not shown: 995 closed ports
>> PORT STATESERVICE
>> 22/tcp   open ssh
>> 135/tcp  filtered msrpc
>> 139/tcp  filtered netbios-ssn
>> 445/tcp  filtered microsoft-ds
>> 1688/tcp filtered nsjtp-data
>> 
>> Nmap done: 1 IP address (1 host up) scanned in 16.34 seconds
>> $ nmap -6 agroena.org
>> Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-31 13:13 CET
>> Nmap scan report for agroena.org (2001:19f0:5:f8c:5400:3ff:fea5:c615)
>> Host is up (0.100s latency).
>> Other addresses for agroena.org (not scanned): 8.9.36.198
>> rDNS record for 2001:19f0:5:f8c:5400:3ff:fea5:c615:
>> c.8.f.0.5.0.0.0.0.f.9.1.1.0.0.2.ip6.arpa
>> Not shown: 996 closed ports
>> PORT STATESERVICE
>> 22/tcp   open ssh
>> 139/tcp  filtered netbios-ssn
>> 445/tcp  filtered microsoft-ds
>> 1688/tcp filtered nsjtp-data
>> 
>> Nmap done: 1 IP address (1 host up) scanned in 17.26 seconds
>> $
>> 
>> That does not show a working mail server (or web/ftp server). In fact only
>> SSH seems to be working. And it shows that reverse DNS is not set up other
>> than a default entry.
>> 
>> 
>> Things that may help others evaluate whether your host is configured
>> correctly w.r.t. network settings:
>> $ cat /etc/hostname.*
>> $ cat /etc/resolv.conf
>> $ ifconfig -a
>> # 

Re: Networking error or bad System configuration.

2022-01-31 Thread Mike Fischer
Some things to consider:

- Have you established whether the IPs configured inside your host are actually 
reachable from the outside? (And whether they reach your host and not something 
else?)
You could check this using SSH which you say is working. Can you connect using 
both IPv4 and IPv6?

- Are you using pf(4) in any non-default setup?

- According to their website Vultr has a firewall which you can configure. Have 
you allowed incoming traffic to your services?

- According to their website Vultr allows you to configure the reverse DNS 
entries for your host. Currently your cited IPs seem to have only default 
reverse entries.

- According to their website Vultr blocks port 25 traffic. You will need to ask 
them to allow this for your mail server.

- You seem to indicate that resolving DNS is not working correctly? You need to 
get that fixed.

- I did a quick nmap scan of your host:
$ nmap agroena.org
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-31 13:13 CET
Nmap scan report for agroena.org (8.9.36.198)
Host is up (0.11s latency).
Other addresses for agroena.org (not scanned): 
2001:19f0:5:f8c:5400:3ff:fea5:c615
rDNS record for 8.9.36.198: 198.36.9.8.in-addr.arpa
Not shown: 995 closed ports
PORT STATESERVICE
22/tcp   open ssh
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1688/tcp filtered nsjtp-data

Nmap done: 1 IP address (1 host up) scanned in 16.34 seconds
$ nmap -6 agroena.org 
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-31 13:13 CET
Nmap scan report for agroena.org (2001:19f0:5:f8c:5400:3ff:fea5:c615)
Host is up (0.100s latency).
Other addresses for agroena.org (not scanned): 8.9.36.198
rDNS record for 2001:19f0:5:f8c:5400:3ff:fea5:c615: 
c.8.f.0.5.0.0.0.0.f.9.1.1.0.0.2.ip6.arpa
Not shown: 996 closed ports
PORT STATESERVICE
22/tcp   open ssh
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1688/tcp filtered nsjtp-data

Nmap done: 1 IP address (1 host up) scanned in 17.26 seconds
$ 

That does not show a working mail server (or web/ftp server). In fact only SSH 
seems to be working. And it shows that reverse DNS is not set up other than a 
default entry.


Things that may help others evaluate whether your host is configured correctly 
w.r.t. network settings:
$ cat /etc/hostname.*
$ cat /etc/resolv.conf
$ ifconfig -a
# netstat -an|grep LISTEN
$ ping dns.google.com
$ ping6 dns.google.com
# rcctl ls started
# cat /etc/pf.conf (if you have modified the pf(4) configuration)

But: Even if your host is perfectly configured, if the Vultr setup prevents 
packets from moving to or from your host it will not work.


HTH
Mike


> On 30.01.2022 at 15:17, latin...@vcn.bc.ca wrote:
> 
> Openbsd 7.0 at Vultr:
> 
> I have a new server at Vultr, everything was working correctly; except
> mail rdns; e-mails were rejected by receiver.
> 
> The problem began because the ipv6 assigned was wrong ifconfig gave me a
> different ip at the beginning and they did the change.
> 
> they changed the ipv6 to original and i configured the server with httpd,
> smtpd, dovecot, dkimsign, icecast and ftp correctly, all them were
> working.
> 
> They are insisting that the error is in the configuration system, and i
> think that the error is because the IPs pass for another Vultr server that
> is not configured for rdns.
> 
> Please, how might discover an error in the system or configuration? How to
> identify it? and of course, how to repair it if it is in my hands?
> 
> # ifconfig vio0
> vio0: flags=8843 mtu 1500
>   lladdr 56:00:03:a5:c6:15
>   index 1 priority 0 llprio 3
>   groups: egress
>   media: Ethernet autoselect
>   status: active
>   inet 8.9.36.198 netmask 0xff00 broadcast 8.9.36.255
>   inet6 fe80::5400:3ff:fea5:c615%vio0 prefixlen 64 scopeid 0x1
>   inet6 2001:19f0:5:f8c:5400:3ff:fea5:c615 prefixlen 64
> 
> # host agroena.org
> ;; connection timed out; no servers could be reached
> 
> 
> 
> # ping6 2001:19f0:5:f8c:5400:3ff:fea5:c615
> PING 2001:19f0:5:f8c:5400:3ff:fea5:c615
> (2001:19f0:5:f8c:5400:3ff:fea5:c615): 56 data bytes
> 64 bytes from 2001:19f0:5:f8c:5400:3ff:fea5:c615: icmp_seq=0 hlim=64
> time=0.182 ms
> 64 bytes from 2001:19f0:5:f8c:5400:3ff:fea5:c615: icmp_seq=1 hlim=64
> time=0.082 ms
> 
> # dig agroena.org
> 
> ; <<>> dig 9.10.8-P1 <<>> agroena.org
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> # ping agroena.org
> PING agroena.org (8.9.36.198): 56 data bytes
> 64 bytes from 8.9.36.198: icmp_seq=0 ttl=255 time=0.108 ms
> 64 bytes from 8.9.36.198: icmp_seq=1 ttl=255 time=0.054 ms
> 64 bytes from 8.9.36.198: icmp_seq=2 ttl=255 time=0.056 ms
> 
> I do not have idea, what files should i show you.
> 
> Thanks for your attention.
> 
> PD:
> Actually i can access the server using ssh and console.
> 
> 



Re: OpenSMTPd: Unable to use TLS/SSL over IPv6

2022-01-11 Thread Mike Fischer
Hi Leo,

> On 11.01.2022 at 19:10, Leo Unglaub wrote:
> 
> Hey friends,
> I am running OpenBSD 7.0 with all patches applied. Some weeks ago I noticed a 
> very strange issue with my OpenSMTPd instance. People are unable to use TLS 
> when connecting via IPv6. This is not just my observation, some people on 
> misc@ told me so as well.
> 
> I talked to gilles@ in private and he could confirm the issue, but he thinks 
> its not related to OpenSMTPd itself and might be even an OpenBSD (LibreSSL) 
> issue itself. gilles@ told me to post this to the ML because it might be a 
> little bit more complicated.
> 
> Here are some basics from the System. I am using the real hostname and IP 
> addresses so every one can look at the problem directly.
> 
> The Server is configured to use both IPv4 and IPv6:
> 
>> $ cat /etc/hostname.vio0 
>> inet 116.202.103.165 255.255.255.255
>> inet6 2a01:4f8:c010:3301::dead:beef 64 -soii
>> !route add -inet 172.31.1.1 -llinfo -link -static -iface vio0
>> !route add -inet default 172.31.1.1
> 
> I confirmed it via ifconfig:
> 
>> $ ifconfig vio0
>> vio0: flags=408843 mtu 1500
>>lladdr 96:00:00:31:1f:b5
>>index 1 priority 0 llprio 3
>>groups: egress
>>media: Ethernet autoselect
>>status: active
>>inet 116.202.103.165 netmask 0x
>>inet6 fe80::9400:ff:fe31:1fb5%vio0 prefixlen 64 scopeid 0x1
>>inet6 2a01:4f8:c010:3301::dead:beef prefixlen 64
> 
> I also can use ping and ping6 to reach other servers and the server can be 
> reached over IPv4 and IPv6. So this seems to work.


You can test the SSL connection (from a host that supports OpenSSL and IPv6) as 
follows:
$ openssl s_client -connect [2a01:4f8:c010:3301::dead:beef]:25 -starttls smtp 
https://www.hardenize.com/report/storm-peaks.northrend.azeroth.wow-data.net/1641931125


HTH
Mike



Re: IPv6 autoconf with static IID?

2021-12-29 Thread Mike Fischer
Ok, ignore my previous mail. The solution is to use -soii:
# ifconfig em0 autoconf eui64 -soii lladdr f2:b6:71:e6:11:7e

This makes the non temporary public and ULA addresses use the EUI-64 IID based 
on the lladdr.


Thanks!

Mike

> On 29.12.2021 at 19:37, Mike Fischer wrote:
> 
> On Tue, Dec 28, 2021, at 21:05, Mike Fischer wrote:
>>> On 28.12.2021 at 13:09, Paul de Weerd wrote:
>>> Seems like the simplest way, especially using the lladdr option.
>> Yes, I’ll give that a try.
> 
> Ok, I have tried the following:
> 
> Remove my current IPv6 configuration from em0:
> # ifconfig em0 -inet6
> Test the new configuration:
> # ifconfig em0 inet6 autoconf eui64 lladdr f2:b6:71:e6:11:7e
> 
> This results in:
> - The interface em0 has the expected lladdr of f2:b6:71:e6:11:7e
> - The link local IPv6 address is: fe80::f0b6:71ff:fee6:117e (using the 
> modified EUI-64 version of the lladdr) as expected
> - The public IPv4 IPs use my current prefix and a random IID, no relation to 
> the lladdr: 2001:db8::eb7f:1267:44d0:45a4 (*)
> - The ULA addresses behave the same as the public ones, i.e. the IID has no 
> relation to the lladdr.
> 
> Why is (one of) the public addresses not using the EUI-64 method of 
> generating the IID?
> 
> I realize that autoconf generates the SOII addresses with random IIDs. But 
> shouldn’t the eui64 option also create an IP with the modified EUI-64 as the 
> IID?
> 
> ifconfig(8) states:
> eui64  Fill the interface index (the lowermost 64 bits of an IPv6 address) 
> automatically.
> 
> Which is kind of a bland statement anyway. It should IMHO reference that a 
> modified EUI-64 is used. But it does not say that this is only true for the 
> link local address.
> 
> 
> I have tried changing the order of the parameters, but it makes no 
> difference:
> ifconfig em0 inet6 autoconf lladdr f2:b6:71:e6:11:7e eui64
> ifconfig em0 inet6 lladdr f2:b6:71:e6:11:7e eui64 autoconf
> 
> I have also tried to do this without the lladdr parameter, same results just 
> with a different lladdr.
> 
> If I leave out the autoconf parameter I only get a link local address.
> 
> 
> *) I have substituted 2001:db8:: for the real public prefix here.
> 
> 
> Thanks!
> 
> Mike



Re: IPv6 autoconf with static IID?

2021-12-29 Thread Mike Fischer
On Tue, Dec 28, 2021, at 21:05, Mike Fischer wrote:
>> On 28.12.2021 at 13:09, Paul de Weerd wrote:
>> Seems like the simplest way, especially using the lladdr option.
> Yes, I’ll give that a try.

Ok, I have tried the following:

Remove my current IPv6 configuration from em0:
# ifconfig em0 -inet6
Test the new configuration:
# ifconfig em0 inet6 autoconf eui64 lladdr f2:b6:71:e6:11:7e

This results in:
- The interface em0 has the expected lladdr of f2:b6:71:e6:11:7e
- The link local IPv6 address is: fe80::f0b6:71ff:fee6:117e (using the modified 
EUI-64 version of the lladdr) as expected
- The public IPv4 IPs use my current prefix and a random IID, no relation to 
the lladdr: 2001:db8::eb7f:1267:44d0:45a4 (*)
- The ULA addresses behave the same as the public ones, i.e. the IID has no 
relation to the lladdr.

Why is (one of) the public addresses not using the EUI-64 method of generating 
the IID?

I realize that autoconf generates the SOII addresses with random IIDs. But 
shouldn’t the eui64 option also create an IP with the modified EUI-64 as the 
IID?

ifconfig(8) states:
eui64  Fill the interface index (the lowermost 64 bits of an IPv6 address) 
automatically.

Which is kind of a bland statement anyway. It should IMHO reference that a 
modified EUI-64 is used. But it does not say that this is only true for the 
link local address.


I have tried changing the order of the parameters, but it makes no difference:
ifconfig em0 inet6 autoconf lladdr f2:b6:71:e6:11:7e eui64
ifconfig em0 inet6 lladdr f2:b6:71:e6:11:7e eui64 autoconf

I have also tried to do this without the lladdr parameter, same results just 
with a different lladdr.

If I leave out the autoconf parameter I only get a link local address.


*) I have substituted 2001:db8:: for the real public prefix here.


Thanks!

Mike



Re: IPv6 autoconf with static IID?

2021-12-28 Thread Mike Fischer
Hi Thomas!

On 28.12.2021 at 16:24, Thomas Bohl wrote:
> 
> Hello,
> 
>> My Internet connection is using dynamic IPv6 prefixes. I want to configure a 
>> local (OpenBSD) machine so its public IPv6 address adjusts to changes in the 
>> network prefix but keeps a static Interface Identifier (IID). I’d also like 
>> to be able to configure the IID manually.
>> Essentially this would be a server running on the LAN but with a public IPv6 
>> address, reachable from the Internet.
> 
> I wrote a script that runs every minute via cron and detects a public IPv6 
> network change. On a detected change you could run for example
> 
> ifconfig $interface inet6 alias $newIPv6Net:1:2:3:4
> update-dyndns-whatever
> 
> (You configure what $interface is, and $newIPv6Net is the new network 
> prefix.) So you always (minus up to a minute) have a working :1:2:3:4 
> interface identifier.
> 
> I have been using the script for four years, but only now decided to publish 
> it. I hope it is self-explanatory and that my English comments make sense.
> 
> https://aloof.de/f/IPv6Aliases-en.sh
> https://aloof.de/f/IPv6Aliases-de.sh


Thanks!

You have obviously put a lot of thought into this script and solved a number of 
potential issues.


A couple of observations:
- »grep -v '^fd00'« to remove ULA addresses is not correct. For example the ULA 
I am using at home starts with fd28:…
- Also you are taking separate steps to filter link-local and ULA addresses.
Solution to both issues: replace »grep -v '^fd00' | grep -v '^fe80'« with »grep 
-vE '^(fe80|fd)'«

At first I thought that using route(8) is overly complicated. But it nicely 
solves the problem of extracting the prefix which would be much more difficult 
using ifconfig(8).


Mike
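An added example (not Thomas's script and not code from the thread) of the address filtering and prefix extraction discussed above, assuming a POSIX sh with awk(1); the ifconfig output it parses is constructed for the example. It goes one step beyond the thread's fix by matching the full link-local (fe80::/10) and ULA (fc00::/7) ranges and by expanding "::" so the /64 prefix can be read straight from an address.

```shell
#!/bin/sh
# Added example, not Thomas's script: filter the global IPv6 addresses out of
# ifconfig(8) output and extract their /64 prefix. Assumes a POSIX sh with awk.

# IFCONFIG_SAMPLE is constructed for this example; it only uses ULA and
# documentation prefixes, not real hosts.
IFCONFIG_SAMPLE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
	inet6 fe80::20c:29ff:fd9c:4b7%em0 prefixlen 64 scopeid 0x1
	inet6 fd28:db8:1::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 978 vltime 6912
	inet6 2001:db8::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 978 vltime 6912
	inet6 2001:db8::a1b2:c3d4:e5f6:789 prefixlen 64 autoconf temporary pltime 800 vltime 6000'

# The filter pattern quoted above, on its own: '^fd00' only catches one ULA
# prefix, so fd28:... slips through, and temporary addresses are not skipped.
naive_global_v6_addrs() {
    awk '$1 == "inet6" { a = $2; sub(/%.*/, "", a); print a }' |
        grep -v '^fd00' | grep -v '^fe80'
}

# Corrected filter: link-local is fe80::/10 (fe80 to febf) and ULA is fc00::/7
# (fc00 to fdff), so match on the leading hex digits rather than whole groups.
# Temporary and deprecated addresses are dropped as well.
global_v6_addrs() {
    awk '$1 == "inet6" && $0 !~ /temporary|deprecated/ {
            a = $2; sub(/%.*/, "", a)
            if (a !~ /^(fe[89ab]|f[cd])/) print a
        }'
}

# v6_prefix64 ADDR: print the first four 16-bit groups of a possibly
# "::"-compressed address, zero padded, e.g. 2001:db8::1 -> 2001:0db8:0000:0000
v6_prefix64() {
    printf '%s\n' "$1" | awk -F: '{
        n = 0
        for (i = 1; i <= NF; i++) if ($i != "") n++   # groups written out
        out = ""; k = 0; seen = 0
        for (i = 1; i <= NF && k < 4; i++) {
            if ($i == "") {
                if (seen) continue                     # "::" yields empty fields
                seen = 1
                for (j = 0; j < 8 - n && k < 4; j++) { out = out "0000:"; k++ }
            } else {
                g = $i
                while (length(g) < 4) g = "0" g
                out = out g ":"; k++
            }
        }
        sub(/:$/, "", out)
        print out
    }'
}

# Stand-alone run: list the global addresses found in the sample.
printf '%s\n' "$IFCONFIG_SAMPLE" | global_v6_addrs
```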



Re: IPv6 autoconf with static IID?

2021-12-28 Thread Mike Fischer
Hi Diana!

> On 28.12.2021 at 15:58, deich...@placebonol.com wrote:
> 
> I'm still interested in why you are concerned about "leaking" the MAC address?

Well, knowing the vendor of an interface might lead an attacker to exploit 
known security issues relevant to that vendor. While I deem the risk with 
OpenBSD to be very low, in the case of a hypervisor generating the MAC, knowing 
which one might make the target more interesting.


> Changing the MAC with lladdr will still leak the MAC but now it will be the 
> one you created.

Yes, I’ll be trying this method shortly.


> If you do decide to change the MAC to a long defunct NIC manufacturer.  That 
> is what I do for fun.  Some of my 10G interfaces use Western Digital OUI, 
> from 10base-2 era.

Good idea! :-)

I checked the IEEE registry and determined that currently no prefix of 0xF2, 
0xF6, 0xFA or 0xFE is allocated. So combining such a prefix with 5 bytes from 
/dev/random should work as well. I have read somewhere that two bits might need 
to/should have a fixed value in the first octet: 0bxx10. But I couldn’t 
find any reference yet. Thus the above values to be on the safe side.

Still have to make sure no two interfaces on the same network segment use the 
same MAC though, but the odds are pretty good.


Mike

> 
> G.day
> diana
> KI5PGJ
> 
> On December 28, 2021 6:05:54 AM MST, Mike Fischer  
> wrote:
>> 
>>> On 28.12.2021 at 13:09, Paul de Weerd wrote:
>>> 
>>> On Tue, Dec 28, 2021 at 12:35:07PM +0100, Mike Fischer wrote:
>>> | So I guess the only way to get a stable IID with dynamic prefixes is
>>> | to use the eui64 method? (Which is based on the MAC-address and
>>> | leaks information.)
>>> 
>>> What information leak are you afraid of?  Someone else knowing the
>>> MAC-address of your system?  You can fix that by changing the MAC
>>> address of your interface (see the lladdr option in the ifconfig(8)
>>> manpage at http://man.openbsd.org/ifconfig#lladdr for details)
>> 
>> Interesting! I hadn’t thought of that.
>> 
> SNIP
>> 
>> My thoughts exactly.
>> 
>> 
>> Thanks for your input!
>> 
>> Mike
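An added example (not code from the thread) covering two points raised in it: how the modified EUI-64 IID is derived from a MAC (the Dec 29 post shows f2:b6:71:e6:11:7e turning into fe80::f0b6:71ff:fee6:117e), and the fixed bits in the first octet of a locally administered unicast MAC that the 0xF2/0xF6/0xFA/0xFE values above satisfy. It assumes a POSIX sh with od(1) and /dev/urandom.

```shell
#!/bin/sh
# Added example, not from the thread: derive the modified EUI-64 interface
# identifier from a MAC address, and generate a random locally administered
# unicast MAC so the IID reveals no vendor OUI. Assumes a POSIX sh with od(1).

# mac_to_eui64 MAC: print the 64-bit IID as four hex groups. RFC 4291 flips the
# universal/local bit (bit 1 of the first octet) and inserts ff:fe in the
# middle, which is how f2:b6:71:e6:11:7e becomes f0b6:71ff:fee6:117e.
mac_to_eui64() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    o1=${mac%%:*}; rest=${mac#*:}
    o2=${rest%%:*}; rest=${rest#*:}
    o3=${rest%%:*}; rest=${rest#*:}
    o4=${rest%%:*}; rest=${rest#*:}
    o5=${rest%%:*}; o6=${rest#*:}
    o1=$(printf '%02x' $(( 0x$o1 ^ 0x02 )))
    printf '%s%s:%sff:fe%s:%s%s\n' "$o1" "$o2" "$o3" "$o4" "$o5" "$o6"
}

# is_local_unicast_mac MAC: succeed when the first octet ends in binary 10,
# i.e. universal/local bit set (locally administered) and individual/group bit
# clear (unicast). 0xF2, 0xF6, 0xFA and 0xFE all have that shape.
is_local_unicast_mac() {
    o1=${1%%:*}
    [ $(( 0x$o1 & 0x03 )) -eq 2 ]
}

# random_local_mac: six random octets with the first one forced into the
# locally administered unicast form, so no registered OUI is embedded.
random_local_mac() {
    set -- $(od -An -N6 -tu1 /dev/urandom)
    first=$(( ($1 & 0xfc) | 0x02 ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Stand-alone run: pick a MAC and show the IID that eui64 autoconf derives.
mac=$(random_local_mac)
printf 'lladdr %s -> IID %s\n' "$mac" "$(mac_to_eui64 "$mac")"
```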



Re: IPv6 autoconf with static IID?

2021-12-28 Thread Mike Fischer


> On 28.12.2021 at 13:09, Paul de Weerd wrote:
> 
> On Tue, Dec 28, 2021 at 12:35:07PM +0100, Mike Fischer wrote:
> | So I guess the only way to get a stable IID with dynamic prefixes is
> | to use the eui64 method? (Which is based on the MAC-address and
> | leaks information.)
> 
> What information leak are you afraid of?  Someone else knowing the
> MAC-address of your system?  You can fix that by changing the MAC
> address of your interface (see the lladdr option in the ifconfig(8)
> manpage at http://man.openbsd.org/ifconfig#lladdr for details)

Interesting! I hadn’t thought of that.


> | My options for running an OpenBSD server using IPv6 thus seem to be:
> | - Find a provider with static public IPv6 addresses (prefixes)
> 
> That would work, but means you have to change providers - is that
> really what you want?  Could be a good message to your current ISP to
> step up their IPv6 game.

It’s more a question of whether I am willing to pay at least 50% more than I’m 
paying now for a professional (business) plan instead of a typical (private) 
home plan just for the privilege of getting static IPs. As this is mostly for 
experimenting and testing I can’t really justify the extra cost. It would be 
nice if they offered a (reasonably paid) option to add static IPs to their 
private plans though.


> 
> | - Use dynamic IPv6 addresses (prefixes) and eui64 IIDs
> 
> Seems like the simplest way, especially using the lladdr option.

Yes, I’ll give that a try.


> | - Use an IPv6 tunnel broker like tunnelbroker.net to tunnel a static
> |   IPv6 address (prefix) through IPv4 (6in4 tunnel)
> 
> Seems less useful / efficient, if your provider offers native IPv6.

My thoughts exactly.


Thanks for your input!

Mike



Re: IPv6 autoconf with static IID?

2021-12-28 Thread Mike Fischer
Thanks Stuart!

> On 28.12.2021 at 10:01, Stuart Henderson wrote:
> 
> On 2021-12-27, Mike Fischer  wrote:
>> After reading man pages for slaacd(8), hostname.if(5) and ifconfig(8) the 
>> only way to combine a static IID with a dynamic prefix seems to be the eui64 
>> option:
>> inet6 autoconf eui64
>> 
>> However this limits the IID to a fixed value based on the MAC-address of the 
>> interface and potentially leaks information about the vendor of the 
>> interface to the Internet.
>> 
>> Is there a way to combine "inet6 autoconf" with an arbitrary manually 
>> defined IID?
> 
> Not directly to a specific IID, but OpenBSD uses RFC 7217 by default
> rather than a MAC-address-based identifier.

After rereading RFC 7217 my take is that the IID generated by this method will 
change whenever the prefix changes (see section 4. Design Goals). That is not 
what I want because it would require reconfiguration of the IID-based 
forwarding rules on my router whenever the prefix and thus the IID changes.

So I guess the only way to get a stable IID with dynamic prefixes is to use the 
eui64 method? (Which is based on the MAC-address and leaks information.)

My options for running an OpenBSD server using IPv6 thus seem to be:
- Find a provider with static public IPv6 addresses (prefixes)
- Use dynamic IPv6 addresses (prefixes) and eui64 IIDs
- Use an IPv6 tunnel broker like tunnelbroker.net to tunnel a static IPv6 
address (prefix) through IPv4 (6in4 tunnel)


Sounds like a missing feature in slaacd(8) then, unless someone can explain why 
combining a dynamic IPv6 prefix with a manually configured static IID for a 
server would be a bad idea.


Anyway, many thanks for your reply!

Mike



IPv6 autoconf with static IID?

2021-12-27 Thread Mike Fischer
Hi!

Maybe I’m completely off track with my idea, so please let me know if that is 
the case. I’ve done some reading and experimenting with IPv6 but wouldn’t 
consider myself an expert yet.


Goal:
=
My Internet connection is using dynamic IPv6 prefixes. I want to configure a 
local (OpenBSD) machine so its public IPv6 address adjusts to changes in the 
network prefix but keeps a static Interface Identifier (IID). I’d also like to 
be able to configure the IID manually.

Essentially this would be a server running on the LAN but with a public IPv6 
address, reachable from the Internet.


Details:

My Internet provider allocates a dynamic, public IPv6 /64 prefix to my router. 
The IID of the router is based on the MAC-address of its outside interface 
(EUI64) and doesn’t change. I’ll call this combination of /64 prefix and IID 
the "IPv6 address of the router".

My Internet provider additionally allocates a dynamic, public IPv6 /56 prefix 
to my router. Traffic to addresses from this range is routed to the IPv6 
address of the router. The router in turn communicates a /64 prefix based on 
this /56 prefix and a fixed 8-bit value to my LAN devices. Effectively the LAN 
devices operate with a dynamic, public /64 prefix.

My router also allows configuration of LAN devices/ports that are reachable 
from the Internet. This forwarding configuration is based on the IID of the 
device for IPv6. Without such a forwarding rule, no Internet traffic can open a 
connection to any LAN device.

So for an IPv6 service on the LAN to be reachable from the Internet, the 
following criteria must be met:
- A forwarding rule must exist on the router that matches the port and IID of 
the LAN device. Packets from the Internet are routed to the public IPv6 address 
of the router. The forwarding rule sets up routing to the LAN device.
- The LAN device must have an IPv6 address matching the current /64 prefix and 
the IID configured for the forwarding settings on the router.
- A service must listen on the port and IPv6 address on the LAN device. (pf(4) 
must allow the traffic of course.)
- (Optional) A DNS  entry could point to the IPv6 address. This probably 
requires some form of DDNS to adjust the DNS record when the IPv6 prefix 
changes. Keeping this updated is a separate problem not relevant for my 
question.

Note: When I use the term "its IPv6 address" I realize that this is generally 
only one of a number of IPv6 addresses in use on an interface at any given 
time. Basically I am referencing the address returned by:
ifconfig em0|grep 'inet6'|grep -vE ' fe80:| fd|deprecated|temporary'
I.e. no link-local, ULA, temporary or deprecated addresses.

Also note that there is no DHCPv6 server in my configuration.


Question/Problem:
=
After reading man pages for slaacd(8), hostname.if(5) and ifconfig(8) the only 
way to combine a static IID with a dynamic prefix seems to be the eui64 option:
inet6 autoconf eui64

However this limits the IID to a fixed value based on the MAC-address of the 
interface and potentially leaks information about the vendor of the interface 
to the Internet.

Is there a way to combine "inet6 autoconf" with an arbitrary manually defined 
IID?

Example: So let’s say I want to use 0123:4567:89ab:cdef as the IID and the 
current prefix is 2001:db8:0:4201::/64 then how would I specify this in a way 
that allows slaacd(8) to generate an address using the current /64 prefix and 
this IID to form 2001:db8::4201:123:4567:89ab:cdef/128? When the prefix changes 
to e.g. 2001:db8:0:2a01::/64 I want the address of the interface to change to 
2001:db8::2a01:123:4567:89ab:cdef/128.


I may be showing my ignorance here but it seems to me that combining dynamic 
IPv6 prefixes with manually chosen IIDs should be possible?


This question pertains to OpenBSD 7.0 stable on amd64 with all patches applied 
in case that makes a difference.


Thanks!

Regards,
Mike



Re: PHP 7.4: SSL routines:CONNECT_CR_CERT:certificate verify failed

2021-12-23 Thread Mike Fischer
Hi Leo,

On 23.12.2021 at 00:51, Leo Unglaub wrote:
> 
>> openssl s_client -tls1_2 -connect mail.foobar.com:587
>> openssl s_client -tls1_3 -connect mail.foobar.com:587 (both 1.2 and 1.3 work)

Kind of strange that this works. Port 587 (submission) is usually set up to use 
STARTTLS, just like port 25 (smtp), so you would need to specify -starttls smtp as 
an option to openssl s_client. Port 465 (submissions, formerly known as smtps) 
would work with mandatory TLS if the server supports that.

Are you sure you are testing correctly?

I would expect these to work:
$ openssl s_client -connect mail.foobar.com:587 -starttls smtp 

Re: IPv6: how to trigger script when address prefix changes?

2021-10-07 Thread Mike Fischer
Hi Daniel!

I didn’t know about ifstated(8) but reading the man page I get the impression 
that it only triggers on up/down events. And for other things it relies on 
polling, e.g. sending a ping packet somewhere every 10 seconds to test 
reachability.


The route monitor command seems somewhat more promising. Though I don’t know if 
it works event based internally or not.

I have tested this as follows:

I have a ULA prefix configured on my router. Yes I know, for a small network 
that is not really required. So my router actually advertises 2 prefixes to my 
clients:
- The one from my provider (/56 changed to /64)
- My ULA prefix, also expanded to a /64 prefix.

Testing a provider prefix change is impractical because it happens fairly 
infrequently and I suspect they tear down the whole PPPoE session and have my 
router reconnect. (That would probably have side effects as outlined in RFC 
8978 which would complicate matters.)

So I decided to use changes to the ULA prefix to test this in a somewhat 
controlled way.

1) Start `route monitor`
2) Run `ifconfig em0|grep inet6` to get a baseline
3) Modify my ULA prefix on the router
4) Check the output of the `route monitor` command
5) Run `ifconfig em0|grep inet6` to get differences

Results:
- Indeed, when the ULA changes, `route monitor` on my host produces output.
- The non-temporary IP using the old prefix still existed and was not marked in 
any way other than having very slightly lower pltime and vltime attributes (5s 
difference on ≈ 1 and 2 hours).
- A new IPv6 address using the new prefix was added to the interface. Note that 
the IID was completely new, probably caused by the autoconf setting.

Also, my test script configured in /etc/hostname.em0 as "!/root/bin/if_log.sh 
\$if" does not trigger which confirms my theory that this only runs when 
/etc/netstart is executed. Which does not happen for prefix changes.


The output of `route monitor` itself does not seem to be easily parseable for 
what I need. But that is secondary. At least I have a potential trigger 
mechanism. OTOH the route(8) command needs to be kept running and I’m not so sure 
that is a great idea. Maybe polling myself would be easier after all?

I repeated the experiment by changing the ULA prefix back to its original 
value. This again yielded `route monitor` output and the pltime/vltime 
differences were reversed while keeping all IPs.


So provisionally my algorithm could look like this:

- Wait for output from `route monitor`… (I would need to figure out, how to 
generate events from this output stream.)
  - Then run `ifconfig em0|grep inet6|grep -vE 
'(temporary|fe80:|deprecated|inet6 fd)'|grep autoconf` which will yield all 
candidate IPs I’m interested in.
  - Figure out the correct one (by comparing the pltime/vltime values if there 
is more than one IP)
  - Extract the IPv6 IP from the line
  - Do my actions (update DNS, pf(4) table, etc.) using the IP. For some 
actions I might need to keep state in the form of the old IP to remove it.


Anyway, thanks for your suggestions.

Mike

> On 07.10.2021 at 04:34, Daniel Jakots wrote:
> 
> On Thu, 7 Oct 2021 02:52:13 +0200, Mike Fischer
>  wrote:
> 
>> Would a IPv6 address prefix change be something the hotplug(4) /
>> hotplugd(8) mechanism would see?
> 
> It would rather be ifstated(8), but I don't think so. I've never looked
> into this, but if I were, I would check the route(8) monitor command:
> https://man.openbsd.org/route#monitor
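The candidate-selection steps sketched in this post (filter the `ifconfig em0` inet6 lines, pick the freshest address by pltime/vltime, extract the IP) and the prefix+IID composition asked about in the "IPv6 autoconf with static IID?" post, as an added example that is not code from the thread. The `ifconfig` output below is constructed to show the moment right after a prefix change, when the old global address is still present with slightly lower lifetimes.

```python
import ipaddress
import re

# Constructed sample of `ifconfig em0` output (OpenBSD style) just after the
# router began advertising 2001:db8:0:2a01::/64 in place of 2001:db8:0:4201::/64.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:55
        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::211:22ff:fe33:4455%em0 prefixlen 64 scopeid 0x1
        inet6 fd00:1:2:3:123:4567:89ab:cdef prefixlen 64 autoconf pltime 3600 vltime 7200
        inet6 2001:db8:0:4201:123:4567:89ab:cdef prefixlen 64 autoconf pltime 3595 vltime 7195
        inet6 2001:db8:0:4201:a1b2:c3d4:e5f6:789 prefixlen 64 autoconf temporary pltime 3595 vltime 7195
        inet6 2001:db8:0:2a01:123:4567:89ab:cdef prefixlen 64 autoconf pltime 3600 vltime 7200
"""

LINE_RE = re.compile(r"^\s*inet6 (\S+) prefixlen (\d+) (.*)$")
ULA = ipaddress.IPv6Network("fc00::/7")

def candidate_addresses(ifconfig_text):
    """Same filter as the grep pipeline: autoconf inet6 lines, minus link-local,
    ULA, temporary and deprecated ones. Returns a list of (address, pltime, vltime)."""
    out = []
    for line in ifconfig_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, _plen, flags = m.groups()
        words = flags.split()
        if "autoconf" not in words or "temporary" in words or "deprecated" in words:
            continue
        ip = ipaddress.IPv6Address(addr.split("%")[0])   # drop the %em0 scope id
        if ip.is_link_local or ip in ULA:
            continue
        pltime = int(re.search(r"pltime (\d+)", flags).group(1))
        vltime = int(re.search(r"vltime (\d+)", flags).group(1))
        out.append((ip, pltime, vltime))
    return out

def current_global_address(ifconfig_text):
    """After a prefix change the address with the highest lifetimes is the new one."""
    cands = candidate_addresses(ifconfig_text)
    return max(cands, key=lambda c: (c[1], c[2]))[0] if cands else None

def iid_of(addr):
    """Low 64 bits of the address: the IID the router's forwarding rule keys on."""
    return int(addr) & ((1 << 64) - 1)

def address_from(prefix, iid):
    """Compose the address slaacd would have to form from a /64 prefix and a static IID."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | iid)
```

Comparing `iid_of()` of the address chosen before and after the change is the check that the forwarding rule on the router is still valid; with a stable IID, only the prefix half of the address may differ.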



IPv6: how to trigger script when address prefix changes?

2021-10-06 Thread Mike Fischer
Hi!

I have a need to update DNS  records, and potentially pf(4) rules or tables 
when a public routable IPv6 address of my host changes.

Such a change is expected whenever slaacd receives a change in the advertised 
IPv6 address prefix(es) from the router(s).


Other than regularly polling the interface for its IPv6 addresses and comparing 
to a previously saved state, is there some way to get notified actively when 
such a change happens? (I am not a friend of polling as it wastes cpu cycles 
and on average comes with a delay of half the polling interval. slaacd already 
knows that a change is happening so why not let it tell my script?)

Note that I am not concerned about the temporary IPv6 addresses generated by 
RFC 8981 privacy settings. Just any addresses using a fixed/static Interface 
Identifier (IID), either manually configured, EUI-64 or randomly generated. In 
other words this is about incoming traffic from the Internet to services 
running on my host, not host initiated outgoing traffic. If changes to 
temporary addresses also trigger my script, I could live with that but I don’t 
need this information.


From reading the documentation, scripts configured in hostname.if(5) using the 
! syntax do not seem to work for this, as they seem to be triggered 
only when /etc/netstart is executed? (This is not documented anywhere I could 
find.)

Would an IPv6 address prefix change be something the hotplug(4) / hotplugd(8) 
mechanism would see?

Can someone enlighten me please?


Thanks!
Mike