Re: NSD: Could not tcp connect to X Operation timed out

2022-01-19 Thread Paul de Weerd
On Wed, Jan 19, 2022 at 11:31:07AM +, Laura Smith wrote:
| Hi
| 
| OpenBSD NSD slave is driving me nuts with the following message in the logs
| "Could not tcp connect to X Operation timed out".
| 
| The answer sounds obvious, but I can:
| 
| - Ping the IP
| - Do a "dig @$auth_server_ip $auth_domain"

Try "-t AXFR" and/or "+tcp"

Ping uses icmp and dig defaults to udp.  You can force tcp with "+tcp"
and you can do the transfer manually with "-t AXFR".

If both work, you may have multiple IPs configured, try with all of
them.

Cheers,

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



Re: IPv6 autoconf with static IID?

2021-12-28 Thread Paul de Weerd
On Tue, Dec 28, 2021 at 12:35:07PM +0100, Mike Fischer wrote:
| So I guess the only way to get a stable IID with dynamic prefixes is
| to use the eui64 method? (Which is based on the MAC-address and
| leaks information.)

What information leak are you afraid of?  Someone else knowing the
MAC-address of your system?  You can fix that by changing the MAC
address of your interface (see the lladdr option in the ifconfig(8)
manpage at http://man.openbsd.org/ifconfig#lladdr for details)

Then you leak your "self chosen" MAC address - up to you to decide if
that's still a concern (but note that it's not really different from
"leaking" your IPv6 address in that case).

| My options for running an OpenBSD server using IPv6 thus seem to be:
| - Find a provider with static public IPv6 addresses (prefixes)

That would work, but means you have to change providers - is that
really what you want?  Could be a good message to your current ISP to
step up their IPv6 game.

| - Use dynamic IPv6 addresses (prefixes) and eui64 IIDs

Seems like the simplest way, especially using the lladdr option.

| - Use an IPv6 tunnel broker like tunnelbroker.net to tunnel a static
|   IPv6 address (prefix) through IPv4 (6in4 tunnel)

Seems less useful / efficient, if your provider offers native IPv6.

Paul




Re: /etc/bsd.re-config - change a device?

2021-11-30 Thread Paul de Weerd
On Tue, Nov 30, 2021 at 08:46:34AM -, Stuart Henderson wrote:
| On 2021-11-29, Paul B. Henson  wrote:
| > I'm upgrading to OpenBSD 7 and I was happy to see the new support for
| > /etc/bsd.re-config to allow modified kernels to be automatically
| > rebuilt. However, one of the changes I need to make is updating the IRQ
| > on com2, as my bios assigns it a non-standard value 8-/.
| >
| > I can't figure out how to do that? Is it supported? When I put "change
| > com2" in /etc/bsd.re-config, config interactively asks me:
| >
| > change [n]
| >
| > I tried "change com2 y" and "change com2", then "y" on the next line,
| > but the first gave an error and the second still prompted interactively.
| >
| > Are the only changes supported by /etc/bsd.re-config those that don't
| > need further input?
| 
| Currently yes. jcs@ has a diff to change this but it needs review.

I believe this has been committed on November 20:

https://marc.info/?l=openbsd-cvs=163737802014911=2

However, that means that it won't work in OpenBSD 7.0, you will need
to run something newer (which, at the moment, means -current /
snapshots).

Cheers,

Paul




Re: type checking/signalling shell and utilities?

2021-11-17 Thread Paul de Weerd
On Thu, Nov 18, 2021 at 01:38:14AM +1100, Reuben ua Bríġ wrote:
| > Date: Thu, 18 Nov 2021 01:30:25 +1100
| > From: Reuben ua Bríġ 
| > 
| > Does anyone know of any shell and utilities where, for example, if
| > 
| > -rf
| > 
| > is a file name, the rm utility will understand so, and not think it is
| > a controlling flag (ugh! in-band signalling)? One where an array of
| > strings can be past as a single argument? Etc? etc?
| 
| correction: is a file name expanded from a pattern, ...

Fix your pattern.  From "*" or "??f" to "./*" or "/path/to/??f".

Also, look at $* versus $@ in the ksh manpage.  First paragraph of
http://man.openbsd.org/ksh.1#Parameters

Cheers,

Paul 'WEiRD' de Weerd




Re: Kind of OT - camera/ software to run a long term timelapse camera

2021-11-15 Thread Paul de Weerd
Hi Steve,

On Mon, Nov 15, 2021 at 10:21:51AM -0800, Steve Williams wrote:
| Does anyone have recommendations to accomplish this?  It's just a
| hobby so I don't want to spend a huge amount of money on it.

One thing I've done in the past is to open up my laptop and point its
camera in the direction of the object of interest.  With fswebcam from
the ports tree, I then took simple pictures from cron or using the
fswebcam option to do so (see the -l option) which I combined into a
timelapse video (the rise and fall of my sourdough starter - very
exciting).  I don't think there's a tool in base that takes pictures;
there's only video(1) which has the ability to record videos, as far
as I know, but I'm happy to be proven wrong here.

This should work equally well with any supported USB webcam.  Plug in
a camera, `pkg_add fswebcam; sysctl kern.video.record=1` as root and
check the fswebcam manpage.

Cheers,

Paul




copying id_ed25519_sk from USB-A yubikey to USB-C yubikey

2021-10-22 Thread Paul de Weerd
Hi all,

I've been happily using a yubikey together with an id_ed25519 SSH key
when logging in over SSH:

uhidev7 at uhub3 port 2 configuration 1 interface 1 "Yubico YubiKey OTP+FIDO+CCID" rev 2.00/5.27 addr 9

I would now like to migrate over to a new yubikey with a USB-C
connector, as my new personal laptop has no USB-A ports.  Digging
through the ssh-keygen manpage, I don't see an option to do this; it
seems you can only create new keys.

Is this indeed impossible, or am I looking at the wrong manpage?

Thanks,

Paul




Re: nvme boot

2021-10-15 Thread Paul de Weerd
Hi Jan,

On Fri, Oct 15, 2021 at 05:05:01PM +0200, Jan Stary wrote:
| Does any of the OpenBSD-supported platforms boot off nvme storage?
| So far, I have been able to use nvme storage as a disk,
| but not boot from it; but my HW is far from recent.

Sure, I boot from nvme (actually, softraid crypto on nvme) on this AMD
EPYC system (see below for full dmesg):

despair# df -h /
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd3a      989M   81.1M    858M     9%    /
despair# bioctl softraid0
Volume      Status               Size Device
softraid0 0 Online       429499175424 sd3     CRYPTO
          0 Online       429499175424 0:0.0   noencl
despair# dmesg | grep -e ^nvme0 -e ^scsibus1 -e ^sd0
nvme0 at pci1 dev 0 function 0 "Intel NVMe" rev 0x03: msix, NVMe 1.3
nvme0: INTEL SSDPEKNW512G8, firmware 004C, serial BTNH10651Y7T512A
scsibus1 at nvme0: 2 targets, initiator 0
sd0 at scsibus1 targ 1 lun 0: 
sd0: 488386MB, 512 bytes/sector, 1000215216 sectors

Just works (tm)

Cheers,

Paul

OpenBSD 7.0-beta (GENERIC.MP) #0: Mon Aug 30 13:21:08 CEST 2021
we...@builder.alm.weirdnet.nl:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 68587933696 (65410MB)
avail mem = 66493251584 (63412MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xdab19000 (51 entries)
bios0: vendor American Megatrends Inc. version "1.0c" date 06/30/2020
bios0: Supermicro Super Server
acpi0 at bios0: ACPI 6.1
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC FPDT FIDT SSDT SPMI SSDT MCFG SSDT CRAT CDIT BERT 
EINJ HEST HPET SSDT UEFI IVRS SSDT WSMT
acpi0: wakeup devices S0D0(S3) S0D1(S3) S0D2(S3) S0D3(S3) S1D0(S3) S1D1(S3) 
S1D2(S3) S1D3(S3)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD EPYC 3201 8-Core Processor, 1500.27 MHz, 17-01-02
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 
8-way L2 cache
cpu0: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu0: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=1.1, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD EPYC 3201 8-Core Processor, 1500.00 MHz, 17-01-02
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu1: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 
8-way L2 cache
cpu1: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu1: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: AMD EPYC 3201 8-Core Processor, 1500.00 MHz, 17-01-02
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu2: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 
8-way L2 cache
cpu2: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu2: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: AMD EPYC 3201 8-Core Processor, 1500.00 MHz, 17-01-02
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu3: 64KB 

Re: Run a command on "last day of month"

2021-09-01 Thread Paul de Weerd
On Wed, Sep 01, 2021 at 04:39:54PM +0200, Adam Paulukanis wrote:
| On Wed, 1 Sept 2021 at 16:32, Christian Weisgerber  wrote:
| >
| > Goetz Schultz:
| >
| > > I would go the other way and check tomorrows date. If it is "01", then I
| > > know today is the last of this month:
| > >
| > > date --date="tomorrow" +%d
| > > 02
| >
| > That's not OpenBSD.
| >
| > $ date --date="tomorrow" +%d
| > date: unknown option -- -
| > usage: date [-aju] [-f pformat] [-r seconds]
| > [-z output_zone] [+format] [[cc]yy]mm]dd]HH]MM[.SS]]
| >
| 
| 
| Not sure if it is OpenBSD. I am on Darwin right now
| 
| $ date -v+1d +%d # if today is the last day of the month, tomorrow will be the 1st.

This will work on OpenBSD:

[ $(date -r $(($(date +%s) + 86400)) +%e) -eq 1 ] || exit 0


Although you'll have to be cautious with tricks like these to run this
only between 01:00 and 23:00 if your system runs with a timezone that
has daylight savings time.

Cheers,

Paul 'WEiRD' de Weerd

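Paul's one-liner above works on OpenBSD, but it leans on `date -r` (which GNU date uses for something else entirely) and on the "add 86400 seconds" trick whose DST caveat he mentions. As an added example that is not part of the thread, the POSIX sh below makes the same decision from the calendar date alone: it computes the length of the current month and compares it with today's day of month, so the hour the job runs at no longer matters and no OpenBSD-specific date flags are needed. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): decide "is today the last day of
# the month" from the calendar date, with no 86400-second arithmetic and
# therefore no exposure to DST transitions where a day is 23 or 25 hours.

# days_in_month YEAR MONTH -> prints 28..31 (Gregorian leap-year rule)
days_in_month() {
	y=$1
	m=${2#0}                     # "08" -> "8": avoids octal trouble in $(( ))
	case $m in
	1|3|5|7|8|10|12) echo 31 ;;
	4|6|9|11)        echo 30 ;;
	2)
		if [ $((y % 4)) -eq 0 ] && { [ $((y % 100)) -ne 0 ] || [ $((y % 400)) -eq 0 ]; }; then
			echo 29
		else
			echo 28
		fi ;;
	*) echo "days_in_month: bad month '$2'" >&2; return 1 ;;
	esac
}

# is_last_day_of_month YEAR MONTH DAY -> exit 0 if DAY is the month's last day
is_last_day_of_month() {
	[ "$3" -eq "$(days_in_month "$1" "$2")" ]
}

# today_is_last_day_of_month -> same check against the local date;
# %e yields the day without a leading zero, %m may carry one (handled above)
today_is_last_day_of_month() {
	set -- $(date '+%Y %m %e')
	is_last_day_of_month "$1" "$2" "$3"
}

# When run as "script.sh check", exit 0 only on the last day of the month,
# so a crontab(5) entry can chain the real job behind it, e.g.
#   30 23 * * * /path/to/script.sh check && /path/to/monthly-job
if [ "$1" = check ]; then
	today_is_last_day_of_month
fi
```

Because the decision is made from the date and not from a timestamp, the crontab entry can run at any hour; the 01:00 to 23:00 window Paul advises for the 86400-second variant is no longer a constraint.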



Re: resolvd recognizing unbound

2021-08-31 Thread Paul de Weerd
On Tue, Aug 31, 2021 at 03:31:18PM +0200, Jan Stary wrote:
| The running resolvd recognizes if unwind is running,
| and places 127.0.0.1 at the top of resolv.conf accordingly.
| 
| Could we have the same for unbound please?
| I run unbound instead of unwind to also serve some
| local names to the machines around the office (besides resolution).
| 
| But resolvd only recognizes unwind, not unbound;
| so resolv.conf lists just the external (dhcp) nameservers
| who don't know my local names of course.
| 
| Or is there a reason resolvd only honors unwind
| but not unbound?

In this case, why would you not simply disable resolvd and put ::1 in
/etc/resolv.conf yourself?

resolvd is great for when the contents of resolv.conf change as you
move from network to network and you may want to use different
resolvers as you do.  But if you're using unbound on the local system,
why would you still run resolvd?

1. rcctl disable resolvd
2. echo ::1 > /etc/resolv.conf
3. ...
4. profit

Just because there's a shiny new tool, doesn't mean you MUST use it.

Cheers,

Paul




Re: Can't figure out what's taking up space on /

2021-08-04 Thread Paul de Weerd
On Wed, Aug 04, 2021 at 12:56:57AM -0700, Greg Thomas wrote:
| I take it I'm dealing with filesystem corruption as Ali mentioned earlier?

Could be.  Boot the system in single user mode or the bsd.rd
installation kernel (at the boot prompt type either 'boot -s' or 'boot
bsd.rd').  Enter the shell and run `fsck /`.

However, my next guess is that you have some data stored "under" a
mountpoint somewhere.  Here's what I mean:

# mkdir /mnt/test
# du -sh install69.iso
544M    install69.iso
# cp install69.iso /mnt/test
# du -xsh /mnt
545M    /mnt
# vnconfig vnd0 /mnt/test/install69.iso
# mount /dev/vnd0c /mnt/test/
# du -xsh /mnt
8.0K    /mnt

Since du can't traverse the hierarchy that the install69.iso image has
been mounted over, it also cannot report on the diskspace used by
files in that hierarchy.

Again, boot into single user mode (or from bsd.rd) and figure this
out.

Cheers,

Paul 'WEiRD' de Weerd

| On Tue, Aug 3, 2021 at 11:10 PM Otto Moerbeek  wrote:
| 
| > On Tue, Aug 03, 2021 at 10:57:42PM -0700, Greg Thomas wrote:
| >
| > > I thought Paul's advice only applies if I was trying to figure it out
| > > before rebooting?  I'd already rebooted before sending my first email.
| >
| > OK, did the free space come back in df after reboot? If so, then it's
| > programs having open files that are unlinked for sure.
| >
| > -Otto
| >
| > >
| > >
| > >
| > > On Tue, Aug 3, 2021 at 10:40 PM Otto Moerbeek  wrote:
| > >
| > > > On Tue, Aug 03, 2021 at 12:39:54PM -0700, Greg Thomas wrote:
| > > >
| > > > > I'm definitely suffering from filesystem corruption on root.  I had
| > > > > rebooted last night with no change.
| > > > >
| > > > > I have no options for mounting root.
| > > > >
| > > > > grits# cat /etc/fstab
| > > > > 16a27b4b4549ce04.b none swap sw
| > > > > 16a27b4b4549ce04.a / ffs rw 1 1
| > > > > 16a27b4b4549ce04.k /home ffs rw,nodev,nosuid 1 2
| > > > > 16a27b4b4549ce04.d /tmp ffs rw,nodev,nosuid 1 2
| > > > > 16a27b4b4549ce04.f /usr ffs rw,nodev 1 2
| > > > > 16a27b4b4549ce04.g /usr/X11R6 ffs rw,nodev 1 2
| > > > > 16a27b4b4549ce04.h /usr/local ffs rw,wxallowed,nodev 1 2
| > > > > 16a27b4b4549ce04.j /usr/obj ffs rw,nodev,nosuid 1 2
| > > > > 16a27b4b4549ce04.i /usr/src ffs rw,nodev,nosuid 1 2
| > > > > 16a27b4b4549ce04.e /var ffs rw,nodev,nosuid 1 2
| > > > > /dev/sd1c /backup ffs rw,nodev,nosuid 1 2
| > > > >
| > > > > I need to upgrade so I can do that from scratch.  This is my backup
| > > > server
| > > > > so the configuration is pretty simple.
| > > > >
| > > > > Not sure fsck output helps here?
| > > > >
| > > > > grits# fsck /dev/sd0a
| > > > > ** /dev/rsd0a (NO WRITE)
| > > > > ** Last Mounted on /
| > > > > ** Root file system
| > > > > ** Phase 1 - Check Blocks and Sizes
| > > > > ** Phase 2 - Check Pathnames
| > > > > ** Phase 3 - Check Connectivity
| > > > > ** Phase 4 - Check Reference Counts
| > > > > ** Phase 5 - Check Cyl groups
| > > > > 12852 files, 469195 used, 35516 free (44 frags, 4434 blocks, 0.0%
| > > > > fragmentation)
| > > > >
| > > > > Anyway, I'll reinstall unless someone has more learning experiences
| > for
| > > > me.
| > > > >
| > > > > And thank you to Paul for giving a quick explanation of the
| > difference
| > > > > between df and du.
| > > > >
| > > > > Thanks all!
| > > >
| > > > fsck looks normal for a mounted filesystem.
| > > >
| > > > but did you try following Paul's advice to find an open file that has
| > > > no directory entry? That is not corruption, but explains why more
| > > > storage is in use than du shows.
| > > >
| > > > -Otto
| > > >
| > > > >
| > > > >
| > > > >
| > > > > On Tue, Aug 3, 2021 at 11:39 AM Ali Farzanrad <
| > ali_farzan...@riseup.net>
| > > > > wrote:
| > > > >
| > > > > > I also suspected that it is a filesystem corruption.
| > > > > > Do you have `async` mount option on your root?
| > > > > >
| > > > > > Sebastien Marie  wrote:
| > > > > > > On Tue, Aug 03, 2021 at 10:03:44AM +0200, Paul de Weerd wrote:
| > > > > > > > df shows you how much data you can write to an fs, while du
| > shows
| > > > the
| > > > > > > > disk usage 

Re: Can't figure out what's taking up space on /

2021-08-03 Thread Paul de Weerd
df shows you how much data you can write to an fs, while du shows the
disk usage of files it can find.  If it can't find a file (because
it's been deleted), it won't account for it.  But if it's been deleted
and still held open by some process, it would still consume disk
space.

So it looks like a process has a file open on the root filesystem that
has been deleted.  You're looking for a root-owned process that is
(probably) long-running.  My guess the file is in /dev/ (that's my
crystal ball talking though).

Easiest way out is generally to reboot - this stops all processes
(d0h), thus freeing up all the resources they had tied up, including
files that had been deleted from the filesystem.  But going through
your process list to see if you can spot something that may have done
this can be a good learning experience.  In general, base OpenBSD
daemons don't behave this way.

Cheers,

Paul 'WEiRD' de Weerd

On Tue, Aug 03, 2021 at 12:48:42AM -0700, Greg Thomas wrote:
| grits# df -h
| Filesystem     Size    Used   Avail Capacity  Mounted on
| /dev/sd0a      986M    936M    162K   100%    /
| /dev/sd0k     57.7G   23.7G   31.1G    43%    /home
| /dev/sd0d      3.9G   10.0K    3.7G     0%    /tmp
| /dev/sd0f      5.8G    1.1G    4.4G    21%    /usr
| /dev/sd0g      986M    234M    702M    25%    /usr/X11R6
| /dev/sd0h     16.8G   35.5M   15.9G     0%    /usr/local
| /dev/sd0j      5.8G    2.0K    5.5G     0%    /usr/obj
| /dev/sd0i      1.9G    2.0K    1.8G     0%    /usr/src
| /dev/sd0e     13.8G   18.8M   13.1G     0%    /var
| /dev/sd1c      440G    305G    113G    73%    /backup
| 
| grits# du -xsh /
| 186M    /
| 
| I just removed /bsd.sp to free up a little bit of space but I don't
| understand the discrepancy between df and du.  How do I troubleshoot
| further?
| 
| Thanks,
| Greg

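The mechanism Paul describes (a file unlinked while some process still holds it open keeps its blocks until the last descriptor closes, so df counts it and du cannot) is easy to reproduce on any Unix. The POSIX sh below is an added example, not something from the thread: it creates a 4 MiB file in a scratch directory, keeps it open on descriptor 3, removes it, and shows that du no longer sees it while the data is still fully readable through the open descriptor. The file and directory names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the df/du discrepancy
# caused by a deleted-but-still-open file.  du(1) walks directory
# entries, so the unlinked file is invisible to it; the blocks are only
# released when the last descriptor on the file is closed.

# unlinked_open_file_demo -> prints "KB_BEFORE KB_AFTER BYTES_STILL_READABLE"
unlinked_open_file_demo() {
	dir=$(mktemp -d) || return 1
	dd if=/dev/zero of="$dir/ghost" bs=1024 count=4096 2>/dev/null

	exec 3<"$dir/ghost"                 # hold the file open on descriptor 3
	before=$(du -sk "$dir" | cut -f1)   # du sees the 4 MiB file
	rm "$dir/ghost"                     # directory entry is gone ...
	after=$(du -sk "$dir" | cut -f1)    # ... so du reports (almost) nothing
	still=$(wc -c <&3 | tr -d ' ')      # ... but every byte is still there
	exec 3<&-                           # closing the descriptor frees the blocks
	rmdir "$dir"
	echo "$before $after $still"
}

# Run stand-alone to see the three numbers, e.g. "4100 0 4194304":
# only the middle one is what du reports after the rm.
unlinked_open_file_demo
```

On a live system the descriptor is held by some other process rather than by your shell; on OpenBSD, fstat(1) shows per process the mount point, inode and size of every open file, so scanning its output for large files on / held by a long-running root-owned daemon points at the culprit without a reboot.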



Re: Where to sleep to wait for lease

2021-07-29 Thread Paul de Weerd
Hi Leon,

On Wed, Jul 28, 2021 at 08:18:41PM +0200, Leon Fischer wrote:
| > no IP address found for vlan34:0
| > /etc/pf.conf:56: could not parse host specification
| > pfctl: Syntax error in config file: pf rules not loaded
| 
| Sleeping isn't needed if the address in pf.conf(5) is parenthesized:
| 
|   pass out to (vlan34:0)

You are right - that solves my issue, thanks for the reminder.

Interestingly enough, most other rules in my pf.conf use the
parenthesized interface name, can't recall why I didn't use that in
this instance.

I now have:

pass in on $extIF inet proto udp from  to ($extAddr) port $wgport

Where $extIF is 'vlan34' and $extAddr is 'vlan34:0'.

This is better than additional delays during boot.  Thanks again!

Paul




Where to sleep to wait for lease

2021-07-28 Thread Paul de Weerd
Hi all,

I just upgraded my home gateway to the latest snapshot and had a few
issues due to dhcpleased not configuring a lease before things
progressed.  This is due to my v6 setup: I have tunneled IPv6 from
elsewhere that I statically configure over a wg(4) tunnel.  Of course,
that sets a default route (for v6) over the tunnel interface, so a
default route is present at boot.  Because of that, the sleep that was
recently added to /etc/rc doesn't trigger, so when pf loads it fails
because my rules reference a non-existing address:

no IP address found for vlan34:0
/etc/pf.conf:56: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded

(vlan34 is the autoconf interface)

Realizing this is a fringe case, I thought I should probably just
solve this locally with a more specific sleep (waiting for a v4
address on my upstream interface).  What is the recommended place to
add this sleep routine?  /etc/hostname.vlan34 seems obvious, but
perhaps there's a better place for it?

Thanks,

Paul




Re: DHCP non-issues

2021-07-19 Thread Paul de Weerd
On Mon, Jul 19, 2021 at 01:59:18PM +0200, Paul de Weerd wrote:
| So far, I've found NFS and syslogd to need configuration changes or
| /etc/hosts entries to ensure they start properly.

As I was asked about this off-list, I went back and re-read my
message.  Apologies for not being more clear:

syslog:

If you configure a remote syslog server to receive messages from your
OpenBSD machine, there are two separate issues.  First, a hostname
will not resolve to an IP address if the network is not up yet
(because dhcpleased/slaacd are still waiting for a response from the
local dhcpd(8) or rad(8)).  This shows up as

syslogd[73481]: bad hostname "@udp4://tuna"

if your configuration has '@udp4://tuna' as a target.  The solution is
to create an entry in /etc/hosts.

However, now when the system boots, syslog will have a target IP
address to communicate with, but it still doesn't have an IP address
for itself.  So any traffic sent to the target is lost, until
dhcpleased configures an address on the autoconf interface.  This
results in, for example, the dmesg from the freshly booting machine
not ending up on the remote syslog host.

nfs client:

If your /etc/fstab contains NFS mounts to a remote host, the fact that
dhcpleased doesn't wait for a lease will mean that NFS mounts cannot
happen until a lease has been configured.  This shows up as "NFS
Portmap: RPC: Port mapper failure - RPC: Unable to send", and a delay
during boot that's significantly longer than the timeout from
dhclient.


For the record, my clients here are all vmm(4) VMs running OpenBSD.
The NFS server and syslog target also run OpenBSD.

Cheers,

Paul




Re: DHCP non-issues

2021-07-19 Thread Paul de Weerd
On Mon, Jul 19, 2021 at 01:42:41PM +0200, Christian Weisgerber wrote:
| Look guys, it's simple.
| 
| If you want IPv6 (SLAAC) autoconfiguration, you set "inet6 autoconf"
| for that interface.  slaacd(8) will then automatically handle things.
| 
| If you want IPv4 (DHCP) autoconfiguration, you set "inet autoconf"
| for that interface.  dhcpleased(8) will then automatically handle
| things.  If you require special DHCP options that dhcpleased(8)
| doesn't include, then you don't enable autoconfiguration and run
| dhclient(8) instead, which can be extensively configured.
| 
| Both slaacd(8) and dhcpleased(8) pass nameserver information to
| resolvd(8), which adds those nameservers to /etc/resolv.conf unless
| unwind(8) is running.  If you don't want that to happen for some
| other reason, you turn off resolvd(8).

One thing of note though, is the fact that dhcpleased does its work in
the background.  This means that other services will start before you
get a lease.  In the past, dhclient(8) ran in the foreground, trying
to get a lease until some timeout expired.  *Usually*, that timeout
didn't trigger (at least, in my use cases).

So far, I've found NFS and syslogd to need configuration changes or
/etc/hosts entries to ensure they start properly.  One could argue
that in these cases, one shouldn't use DHCP and just use statically
configured addresses (especially in the case of syslog, where you lose
messages when the service starts before an address is configured, even
with your remote syslog host added to /etc/hosts)

Cheers,

Paul 'WEiRD' de Weerd




Re: Adding Password Protection to Single User Mode

2021-07-07 Thread Paul de Weerd
Hi Valdrin,

On Wed, Jul 07, 2021 at 06:44:46AM +, Valdrin MUJA wrote:
| Thanks for suggestions,
| I removed the "secure" from /etc/ttys but I can still use "boot -s"
| without password. Is this about console connection?

Please carefully read https://man.openbsd.org/ttys.5:

> secure   If on is also specified, allows users with a UID of 0 to
>  log in on this line.  If set for the console entry, then
>  init(8) will start a single-user shell without asking for
>  the superuser password.

That second sentence is very explicit.  You need to take the 'secure'
keyword out of the line for the 'console' entry.  The default is this:

[weerd@pom] $ grep ^console /etc/ttys
console "/usr/libexec/getty std.9600"   vt220   off secure

Cheers,

Paul 'WEiRD' de Weerd

| Updated ttys file;
| 
| # cat /etc/ttys  | grep 115200
| tty00   "/usr/libexec/getty std.115200" vt220    off
| ____
| From: Paul de Weerd 
| Sent: Tuesday, July 6, 2021 17:36
| To: Valdrin MUJA 
| Cc: misc@openbsd.org 
| Subject: Re: Adding Password Protection to Single User Mode
| 
| On Tue, Jul 06, 2021 at 12:27:03PM +, Valdrin MUJA wrote:
| | Hi Folks,
| |
| | I want to add a small password protection mechanism to
| | "boot -s" (single-user mode).
| |
| | Therefore, I'm working on /sys/stand/boot/boot.c, I've written
| |  some code in boot.c, and run "make", "make obj", "make install"
| |  in /sys/. However, I couldn't enable my updated "boot" binary on startup.
| | On startup, the default boot program is working.
| |
| | How can I replace my updated boot program with the default one?
| |
| | P.S.: I've tried compile and install kernel and the result didn't change.
| 
| After building a new boot loader, you will need to use installboot(8)
| to actually install said code into the system.  Your `make install`
| merely placed the bootloader into the spot in the filesystem where
| installboot expects to find it, but won't do the special editing of
| the disk that installboot does.
| 
| (but also see the replies from others about ttys(5) to deal with your
| situation without potentially screwing up your entire system with a
| faulty bootloader)
| 
| Cheers,
| 
| Paul 'WEiRD' de Weerd
| 
| --
| >[<++>-]<+++.>+++[<-->-]<.>+++[<+
| +++>-]<.>++[<>-]<+.--.[-]
|  http://www.weirdnet.nl/

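The ttys(5) excerpt Paul quotes is the whole story: only the console entry decides whether "boot -s" asks for the root password. As an added example that is not from the thread, the POSIX sh below audits an /etc/ttys file for that condition and prints a corrected copy with "secure" removed from the console line only, leaving other entries such as ttyC0 untouched (there the keyword merely permits root logins on that line). The sample ttys lines in the comments and in the usage are constructed; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): audit and fix the console entry in
# an /etc/ttys file.  Entries look like (constructed samples):
#   console "/usr/libexec/getty std.9600"  vt220  off secure
#   ttyC0   "/usr/libexec/getty std.9600"  vt220  on  secure
# Fields: name, quoted getty command, terminal type, then status flags.
# "secure" on the console line is what lets init(8) start the single-user
# shell without asking for the superuser password.

# console_allows_passwordless_single_user FILE
#   exit 0 if FILE's console entry carries "secure", 1 otherwise
#   (also 1 when there is no console entry at all)
console_allows_passwordless_single_user() {
	# drop comments and the quoted getty command, keep the console line;
	# the remaining fields are then: name type flag...
	line=$(sed -e 's/#.*//' -e 's/"[^"]*"//' "$1" | awk '$1 == "console"' | tail -1)
	[ -n "$line" ] || return 1
	set -- $line
	[ $# -ge 2 ] || return 1
	shift 2
	case " $* " in
	*" secure "*) return 0 ;;
	esac
	return 1
}

# fix_console_entry FILE
#   print FILE with "secure" removed from the console line only; every
#   other entry keeps its flags exactly as they were
fix_console_entry() {
	sed -e '/^console[[:space:]]/s/[[:space:]]\{1,\}secure[[:space:]]\{1,\}/ /' \
	    -e '/^console[[:space:]]/s/[[:space:]]\{1,\}secure$//' "$1"
}

# Typical use: review the change before installing it.
#   if console_allows_passwordless_single_user /etc/ttys; then
#       fix_console_entry /etc/ttys > /etc/ttys.new
#       diff -u /etc/ttys /etc/ttys.new
#   fi
```

The check reads the same fields init does, so a console line that spells the flags in a different order (for example "secure off") is still caught, and the fix only touches the one line that matters for single-user mode.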



Re: Adding Password Protection to Single User Mode

2021-07-06 Thread Paul de Weerd
On Tue, Jul 06, 2021 at 12:27:03PM +, Valdrin MUJA wrote:
| Hi Folks,
| 
| I want to add a small password protection mechanism to
| "boot -s" (single-user mode).
| 
| Therefore, I'm working on /sys/stand/boot/boot.c, I've written
|  some code in boot.c, and run "make", "make obj", "make install"
|  in /sys/. However, I couldn't enable my updated "boot" binary on startup.
| On startup, the default boot program is working.
| 
| How can I replace my updated boot program with the default one?
| 
| P.S.: I've tried compile and install kernel and the result didn't change.

After building a new boot loader, you will need to use installboot(8)
to actually install said code into the system.  Your `make install`
merely placed the bootloader into the spot in the filesystem where
installboot expects to find it, but won't do the special editing of
the disk that installboot does.

(but also see the replies from others about ttys(5) to deal with your
situation without potentially screwing up your entire system with a
faulty bootloader)

Cheers,

Paul 'WEiRD' de Weerd




Automatically enable port forwarding on ssh session to ProxyJump target

2021-05-05 Thread Paul de Weerd
Hi all,

I'm using ProxyJump with SSH to connect to a bunch of systems behind a
jumphost:

Host jump
HostName bastion.example.tld
ProxyJump none
ControlPersist 3600
DynamicForward localhost:1080

Host *
ForwardAgent yes
ProxyJump jump
AddKeysToAgent confirm 43200
CanonicalDomains example.tld
CanonicalizeHostname yes
ServerAliveInterval 5
ServerAliveCountMax 12
ControlPath ~/.ssh/master-%r@%h:%p
ControlMaster auto

This works well: when I `ssh machine`, I get prompted for the
passphrase on my key which then gets loaded into my ssh-agent as SSH
first connects to the jump host.

Subsequently, I get asked to confirm usage of the key when ssh
connects to the target `machine` behind the jump host, and I get
logged in.

However, I would also like to use the DynamicForward to `jump` to
proxy HTTP(S) traffic.  To that end I do `ssh -O forward jump`, and
the DynamicForward is enabled.

Is there a way to tell SSH to automatically enable forwarding to the
jump host, so I don't have to `ssh -O forward jump` before using the
forwarded port?

Thanks,

Paul




Re: [Ver3.6/3.9] Old version need help

2021-03-30 Thread Paul de Weerd
You really should move to a more recent version of the OS; OpenBSD
3.6 was released in 2004, almost 17 years ago.

However, the public mirror at ftp.eu.openbsd.org has older versions
available for download:

http://ftp.eu.openbsd.org/pub/OpenBSD/

And, once you've downloaded a release that you plan to run for all
eternity, you should probably make (several) copies of the
installation media that you used.

Alternatively, I could sell you original versions of the 3.6 and 3.9
media (at least 3.9 is still in shrink-wrap) for a collectors edition
price (proceeds to be donated to the OpenBSD foundation).

Cheers,

Paul 'WEiRD' de Weerd

On Tue, Mar 30, 2021 at 02:28:59PM +0800, cclai wrote:
| Hello,
| 
| I'm Hachi,
| Our company’s server uses the 3.6 and 3.9 version of the system, 
| Used for more than ten years,
| and there is a need to reinstall at present. 
| 
| I have tried the file installation on FTP and failed. 
| > Russia (Moscow) ftp://mirror.yandex.ru/pub/OpenBSD/
| > cd39.iso
| 
| So I hope that your organization can provide 
| an installation package "3.6 and 3.9 version" to solve the problem.
| 
| It would be of great help to us.
| Thank you very much.
| 
| Hachi




Re: route -iface doesn't work

2021-03-08 Thread Paul de Weerd
Florian helped me off-list:

# route add 10.1.1.13 -iface -cloning 10.2.2.13

does the trick (if you do the same on the other end, of course).

I'm not really sure how this works, or what RTF_CLONING means other
than this comment from the manpage:

 -cloning  RTF_CLONING  generates a new route on use

So .. uhm .. magic! :-)

Anyway, thanks to Florian!

Paul

On Mon, Mar 08, 2021 at 05:10:16PM +0100, Paul de Weerd wrote:
| Hi all,
| 
| I'm probably missing something rather obvious, but I can't get route
| -iface to work.  According to the manpage:
| 
|  If the destination is directly reachable via an
|  interface requiring no intermediary system to act
|  as a gateway, the -iface modifier should be
|  specified; the gateway given is the address of this
|  host on the common network, indicating the
|  interface to be used for transmission.
| 
| I'm trying to get this to work on some 'real' system, but reproduced
| on a couple of VMs to rule out other factors.  I have two VMs on the
| same host, connected by the same veb(4).  Connectivity works if I use
| IP addresses in the same subnet (i.e. I can ping from 10.0.0.1/24 to
| 10.0.0.2/24 if that's what I configure).
| 
| On one side I have:
| 
| test1# ifconfig vio0 10.1.1.13/24
| test1# route add -iface 10.2.2.13 10.1.1.13
| add host 10.2.2.13: gateway 10.1.1.13
| 
| On the other side, I have:
| 
| test2# ifconfig vio0 10.2.2.13/24
| test2# route add -iface 10.1.1.13 10.2.2.13
| add host 10.1.1.13: gateway 10.2.2.13
| 
| However, pinging from test1 to test2 gives:
| 
| test1# ping -c 1 10.2.2.13
| PING 10.2.2.13 (10.2.2.13): 56 data bytes
| ping: sendmsg: Invalid argument
| ping: wrote 10.2.2.13 64 chars, ret=-1
| 
| --- 10.2.2.13 ping statistics ---
| 1 packets transmitted, 0 packets received, 100.0% packet loss
| 
| 
| Yet the route is there:
| 
| test1# route get 10.2.2.13
|    route to: 10.2.2.13
| destination: 10.2.2.13
|        mask: 255.255.255.255
|   interface: vio0
|  if address: 10.1.1.13
|    priority: 8 (static)
|       flags: 
|      use       mtu    expire
|        5         0         0
| 
| 
| What am I doing wrong here?  The destination *is* directly reachable
| via an interface and the gateway given is the IP address of "this
| host" on the common network, just as required by the manpage.  At
| least, my read of it .. since it doesn't work, I'm probably
| misunderstanding something here.
| 
| I've enabled forwarding (net.inet.ip.forwarding=1) and disabled pf to
| test if they were causing grief, but neither helped.  Anyone have a
| cluebat for me?
| 
| Thanks,
| 
| Paul 'WEiRD' de Weerd
| 




route -iface doesn't work

2021-03-08 Thread Paul de Weerd
Hi all,

I'm probably missing something rather obvious, but I can't get route
-iface to work.  According to the manpage:

 If the destination is directly reachable via an
 interface requiring no intermediary system to act
 as a gateway, the -iface modifier should be
 specified; the gateway given is the address of this
 host on the common network, indicating the
 interface to be used for transmission.

I'm trying to get this to work on some 'real' system, but reproduced
on a couple of VMs to rule out other factors.  I have two VMs on the
same host, connected by the same veb(4).  Connectivity works if I use
IP addresses in the same subnet (i.e. I can ping from 10.0.0.1/24 to
10.0.0.2/24 if that's what I configure).

On one side I have:

test1# ifconfig vio0 10.1.1.13/24
test1# route add -iface 10.2.2.13 10.1.1.13
add host 10.2.2.13: gateway 10.1.1.13

On the other side, I have:

test2# ifconfig vio0 10.2.2.13/24
test2# route add -iface 10.1.1.13 10.2.2.13
add host 10.1.1.13: gateway 10.2.2.13

However, pinging from test1 to test2 gives:

test1# ping -c 1 10.2.2.13
PING 10.2.2.13 (10.2.2.13): 56 data bytes
ping: sendmsg: Invalid argument
ping: wrote 10.2.2.13 64 chars, ret=-1

--- 10.2.2.13 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss


Yet the route is there:

test1# route get 10.2.2.13
   route to: 10.2.2.13
destination: 10.2.2.13
       mask: 255.255.255.255
  interface: vio0
 if address: 10.1.1.13
   priority: 8 (static)
      flags: 
     use       mtu    expire
       5         0         0


What am I doing wrong here?  The destination *is* directly reachable
via an interface and the gateway given is the IP address of "this
host" on the common network, just as required by the manpage.  At
least, my read of it .. since it doesn't work, I'm probably
misunderstanding something here.

I've enabled forwarding (net.inet.ip.forwarding=1) and disabled pf to
test if they were causing grief, but neither helped.  Anyone have a
cluebat for me?

Thanks,

Paul 'WEiRD' de Weerd




Re: umount at boot possible?

2021-02-02 Thread Paul de Weerd
On Tue, Feb 02, 2021 at 01:30:28PM +0100, misc nick wrote:
| Hello
| 
| I have a separate disk that I was mounting as an nfs partition. That disk
| crashed (it was very old). Now that OpenBSD 6.7/i386 release system cannot boot
| because it can't mount the disk.
| Is it possible to umount the partition or somehow skip mounting it at boot
| time and continue booting from the disk that contains the OS?

Before loading the OpenBSD kernel, at the bootloader type `boot -s`.
This boots the system in single user mode.  Now you can manually mount
the root filesystem (`mount -u -w /`), and you can then fix your
/etc/fstab to exclude the broken disk.

Note that in single user mode, many userland tools are not available
if /usr is on a separate partition (which is a sane default).  You'll
have to fix /etc/fstab with tools like cat and ed, or mount /usr.

Once things are fixed, unmount everything that you manually mounted,
and remount the root filesystem read-only again (`mount -u -r /`).
Then exit the single user shell, the system should continue booting
from there.

Cheers,

Paul 'WEiRD' de Weerd




Re: rm: fts_read: No such file or directory

2021-01-14 Thread Paul de Weerd
Hi Otto,

Thanks for your reply.

On Thu, Jan 14, 2021 at 08:22:33AM +0100, Otto Moerbeek wrote:
| > Could there be some TOCTOU issue here somewhere?  Or some cache
| > misbehaviour?  Or is it really dying hardware?
| 
| My first bet would be some form of corruption. Flipped bits in e.g.
| directories while operating normally cannot be seen by the
| clean/unclean flag in the superblock. That one only records if the
| filesystem was unmounted before reboot, shutdown or crash.

I understand that - but then why would the error clear on subsequent
runs of rm?

| The forced fsck might reveal more.

It did find some issues, and then was waiting for my input over night
(when the backup run mounted the filesystem and changed things).

** /dev/sd2a (ebb54a869d056df3.a)
** File system is already clean
** Last Mounted on /backup
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
ZERO LENGTH DIR I=57604332  OWNER=root MODE=40755
SIZE=0 MTIME=Jan 13 13:56 2021
CLEAR? [Fyn?] y

** Phase 5 - Check Cyl groups
FREE BLK COUNT(S) WRONG IN SUPERBLK
SALVAGE? [Fyn?] y

SUMMARY INFORMATION BAD
SALVAGE? [Fyn?] y

BLK(S) MISSING IN BIT MAPS
SALVAGE? [Fyn?] y

27766624 files, 396630326 used, 267754002 free (2016066 frags,
33217242 blocks, 0.3% fragmentation)

* FILE SYSTEM WAS MODIFIED *

I ran it once more after that, more issues were found:

** /dev/sd2a (ebb54a869d056df3.a)
** File system is already clean
** Last Mounted on /backup
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
FREE BLK COUNT(S) WRONG IN SUPERBLK
SALVAGE? [Fyn?] y

SUMMARY INFORMATION BAD
SALVAGE? [Fyn?] y

BLK(S) MISSING IN BIT MAPS
SALVAGE? [Fyn?] y

27884252 files, 397169471 used, 267214857 free (1944825 frags,
33158754 blocks, 0.3% fragmentation)

* FILE SYSTEM WAS MODIFIED *

Until the third fsck came back clean:

** /dev/sd2a (ebb54a869d056df3.a)
** File system is already clean
** Last Mounted on /backup
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
27884252 files, 397169471 used, 267214857 free (1944825 frags,
33158754 blocks, 0.3% fragmentation)
  136m19.01s real     4m00.56s user    20m33.85s system


I'll write it off to those errors, but I still don't understand why
re-trying would fix these kinds of issues.

Thanks again, Otto!

Paul




rm: fts_read: No such file or directory

2021-01-13 Thread Paul de Weerd
Hi all,

While doing some clean-up on my backup filesystem (which extensively
uses hardlinks), I came across the error in Subject:

rm: fts_read: No such file or directory

Traversing the hierarchy I was trying to remove, I get similar
fts_read errors when I `ls` in certain places, but a repeated rm runs
to completion fine (the tree is gone afterwards).

There's nothing in dmesg suggesting filesystem corruption, the
filesystem unmounts and remounts cleanly, I'm running a forced fsck
now which says "** File system is already clean".  It's a rather large
filesystem with many inodes in use, so it'll take some time to
complete.  Also, it's on a softraid crypto device, if that matters:

sd2: 5231654MB, 512 bytes/sector, 10714427745 sectors

Reading fts_read(3) wasn't really enlightening as to why a directory
that's supposedly there, wouldn't be there anymore.  (note that I
wasn't running another rm in the same tree in parallel when I got
these errors - I did try to force the error by doing just that, but
that went through without a single error).

Could there be some TOCTOU issue here somewhere?  Or some cache
misbehaviour?  Or is it really dying hardware?

Paul 'WEiRD' de Weerd

OpenBSD 6.8-current (GENERIC.MP) #267: Sat Jan  9 19:23:55 MST 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34311208960 (32721MB)
avail mem = 33256046592 (31715MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe6690 (57 entries)
bios0: vendor Dell Inc. version "2.10.0" date 05/24/2018
bios0: Dell Inc. PowerEdge R210 II
acpi0 at bios0: ACPI 4.0
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP SPMI DMAR ASF! HPET APIC MCFG BOOT SSDT ASPT SSDT SSDT 
SPCR HEST ERST BERT EINJ
acpi0: wakeup devices P0P1(S4) GLAN(S0) EHC1(S4) EHC2(S4) XHC_(S4) RP01(S5) 
PXSX(S4) RP02(S5) PXSX(S4) RP03(S5) PXSX(S4) RP04(S5) PXSX(S4) RP05(S5) 
PXSX(S4) RP06(S5) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E31260L @ 2.40GHz, 2394.91 MHz, 06-2a-07
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU E31260L @ 2.40GHz, 2394.58 MHz, 06-2a-07
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Xeon(R) CPU E31260L @ 2.40GHz, 2394.58 MHz, 06-2a-07
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Xeon(R) CPU E31260L @ 2.40GHz, 2394.58 MHz, 06-2a-07
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
cpu4 at mainbus0: apid 4 (application processor)
cpu4: Intel(R) Xeon(R) CPU E31260L @ 2.40GHz, 2394.58 MHz, 06-2a-07
cpu4: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 0, core 2, package 0
cpu5 at mainbus0: apid 5 (application processor)
cpu5: Intel(R) Xeon(R) CPU E31260L @ 

Re: -current amd64 packages not updated? Impatient or broken?

2021-01-08 Thread Paul de Weerd
On Thu, Jan 07, 2021 at 09:30:13PM +0100, Christian Weisgerber wrote:
| Steve Williams:
| 
| > I hesitate to send this because perhaps I'm just too impatient, but then
| > again, perhaps not.  This is not critical/time sensitive.
| > 
| > I just thought I'd check if there a problem with the current packages folder
| > from the mirrors?
| 
| No, the amd64 package builds have been slightly delayed.

A good reminder that you are building these package snaps very often,
thanks to you (and all the other pkg builders and Theo and other base
snap builders) for providing us with these very regular updates.

Cheers,

Paul




Re: OpenBSD Monitor Sleep No Response

2020-12-21 Thread Paul de Weerd
On Mon, Dec 21, 2020 at 09:46:34AM -0500, ben wrote:
| Hello;
| 
| >You could try typing your password to see if it wakes up.
| 
| For whatever reason my keyboard shuts off as well, as in I can't type
| anything.
| I've tried entering my password, trying caps and num lock, and yet nothing
| seems to work.
| 
| >Last thought, maybe there's a relevant BIOS setting?
| 
| I've disabled everything that could be problematic in the BIOS, such as secure
| boot, and a bunch of other built in features which could cause problems.
| 
| Is there a way to just shut off the screensaver in OpenBSD? I've tried taking
| a look at the output of sysctl(8) and I couldn't find any relevant information.

You may want to have a look at https://man.openbsd.org/xset.1#s

Cheers,

Paul 'WEiRD' de Weerd




Re: openssl s_client gives "called a function you should not call"

2020-11-12 Thread Paul de Weerd
Hi Claus,

On Fri, Nov 13, 2020 at 06:42:28AM +0100, Claus Assmann wrote:
| On Thu, Nov 12, 2020, Paul de Weerd wrote:
| 
| > $ openssl s_client -starttls smtp -connect localhost:587
| 
| > RCPT TO: 
|   ^ = RENEGOTIATING
| 
| and the syntax is wrong too: NO space after colon, see the fine RFCs.

Ah, good one.  Fortunately, most (all?) MTAs I've come across while
doing manual SMTP (admittedly, this is not my biggest hobby, so not
that many) are lenient enough to allow for the space.  But I'll keep
that in mind.

| openssl(1):
|  When used interactively (which means neither -quiet nor -ign_eof have  
|  been given), the session will be renegotiated if the line begins with an
|  R; if the line begins with a Q or if end of file is reached, the
|  connection will be closed down.

It's actually documented!  Would not have thought to look for this in
the manpage .. thank you for the pointer!

Cheers,

Paul




Re: openssl s_client gives "called a function you should not call"

2020-11-12 Thread Paul de Weerd
Hi Janne,

On Fri, Nov 13, 2020 at 07:59:22AM +0100, Janne Johansson wrote:
| I think anything starting with capital R in that case (s_client) gets
| parsed as RENEGOTIATING.
| As for why openssl complains about it is unknown to me, but that gotcha is
| old at least.

Wow .. unexpected.  But thanks for the clue-by-4, using 'rcpt to:'
instead of 'RCPT TO:' allows me to deliver mail without a problem
using openssl s_client.

Cheers,

Paul




openssl s_client gives "called a function you should not call"

2020-11-12 Thread Paul de Weerd
While trying to debug my smtpd setup, I got the error "called a
function you should not call" from openssl s_client:

$ openssl s_client -starttls smtp -connect localhost:587

EHLO 
250- Hello  [127.0.0.1], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250-AUTH PLAIN LOGIN
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
Tm9wZSE=
334 UGFzc3dvcmQ6
cmVkYWN0ZWQ=
235 2.0.0 Authentication succeeded
MAIL FROM: 
250 2.0.0 Ok
RCPT TO: 
RENEGOTIATING
9754412775936:error:1404C042:SSL routines:ST_OK:called a function you should 
not call:/usr/src/lib/libssl/ssl_lib.c:2415:

Is this something openssl s_client doesn't support?  I notice that 
"RENEGOTIATING" only comes after sending the RCPT TO: command to the
server.  Futzing around with other commands before sending RCPT TO:
didn't get to RENEGOTIATING.  Am I doing something wrong?  Should I be
using some other tool?

Thanks for any insights!

Paul 'WEiRD' de Weerd

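As an added illustration for this thread (not code from any of the posts), here is a small Python script that walks a constructed SMTP session modelled on the one above. The base64 strings are the ones the post shows; the hostnames and mail addresses, which the post elided, are placeholders. It decodes the AUTH LOGIN challenge/response pairs, and it flags the client lines that an interactive s_client keeps for itself, following the openssl(1) excerpt Claus quoted (a leading R renegotiates, a leading Q closes) and rewriting them in lowercase the way Janne's workaround does.

```python
"""Decode an SMTP AUTH LOGIN exchange and flag the lines that an interactive
openssl s_client consumes as its own commands.

Added example, not code from the thread. The base64 strings are the ones the
post shows; hostnames and mail addresses are placeholders for values the
post elided.
"""
import base64

# Constructed session; server replies start with a 3-digit code.
TRANSCRIPT = """\
EHLO client.example
250-mail.example Hello client.example [127.0.0.1], pleased to meet you
250-8BITMIME
250-AUTH PLAIN LOGIN
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
Tm9wZSE=
334 UGFzc3dvcmQ6
cmVkYWN0ZWQ=
235 2.0.0 Authentication succeeded
MAIL FROM:<sender@client.example>
250 2.0.0 Ok
RCPT TO:<rcpt@mail.example>
"""


def s_client_intercepts(line):
    """What an interactive s_client does with a typed line, per the openssl(1)
    text quoted in the thread: a leading 'R' renegotiates, a leading 'Q'
    closes the connection; anything else is sent to the server."""
    if line.startswith("R"):
        return "renegotiate"
    if line.startswith("Q"):
        return "quit"
    return None


def safe_for_s_client(line):
    """Lowercase the SMTP verb (and keyword) of an intercepted line.

    SMTP commands are case-insensitive (RFC 5321), so 'rcpt to:' is the
    same request as 'RCPT TO:'; the mailbox after the colon is left alone
    because local parts may be case-sensitive."""
    if s_client_intercepts(line) is None:
        return line
    head, sep, tail = line.partition(":")
    return head.lower() + sep + tail


def client_lines(transcript):
    """The lines typed by the client: everything that is not a 3-digit reply."""
    return [l for l in transcript.splitlines() if not l[:3].isdigit()]


def intercepted_commands(transcript):
    """Client lines that never reach the server under interactive s_client."""
    return [l for l in client_lines(transcript) if s_client_intercepts(l)]


def decode_auth_login(transcript):
    """Pair each '334 <challenge>' with the client's next line and decode both.

    AUTH LOGIN is base64, not encryption: the decoded password is readable
    by anyone who sees the bytes, which is why the exchange belongs inside
    the STARTTLS session (as in the post) and never on a plaintext port."""
    lines = transcript.splitlines()
    pairs = []
    for i, line in enumerate(lines):
        if line.startswith("334 ") and i + 1 < len(lines):
            prompt = base64.b64decode(line[4:]).decode()
            reply = base64.b64decode(lines[i + 1]).decode()
            pairs.append((prompt, reply))
    return pairs


if __name__ == "__main__":
    for prompt, reply in decode_auth_login(TRANSCRIPT):
        print(f"{prompt} {reply}")
    for cmd in intercepted_commands(TRANSCRIPT):
        print(f"swallowed by s_client: {cmd!r} -> send {safe_for_s_client(cmd)!r}")
```

Running it prints the decoded `Username:`/`Password:` pairs and reports `RCPT TO:` as the one line s_client would turn into a renegotiation, which matches where the session in the post broke.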



Re: uvn_flush: WARNING: changes to page may be lost

2020-11-12 Thread Paul de Weerd
On Thu, Nov 12, 2020 at 07:34:41PM +0100, Jurjen Oskam wrote:
| On Wed, Nov 11, 2020 at 05:54:36AM -0700, Todd C. Miller wrote:
| 
| > On Wed, 11 Nov 2020 10:20:41 +0100, Jan Stary wrote:
| 
| > >   uvn_flush: obj=0x0, offset=0x7c2.  error during pageout.
| > >   uvn_flush: WARNING: changes to page may be lost!
| 
| > This happens when /usr/libexec/reorder_kernel runs and your /usr
| > is full.  If you have upgraded the system multiple times there is
| 
| I ran into this earlier this year, and tried to figure out how a filesystem
| becoming full could result in kernel messages such as this. As there are no
| softupdates involved, I would have expected the kernel only to return a
| message about /usr being 100% full, and the (user space) kernel relinking to
| simply fail.
| 
| I wasn't able to figure out what was going on. Is the relinking special in
| some way? Or is it possible that other situations where a filesystem fills up
| can result in messages like this? (Not counting situations where softupdates
| are enabled)

From the reply Mark sent me on June 9th[1]:

> What you're seeing is what happens when a program writes to a file by
> using mmap(2) and there is no disk space available when the kernel
> finally decides to write out the modified memory to disk.

There's plenty of space available in RAM, so you can create a file
that's bigger than the amount of space available on disk.  Then
trying to write it to disk will fail with the error you got.

Cheers,

Paul

[1]: https://marc.info/?l=openbsd-bugs&m=159170985316978&w=2

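Mark's explanation quoted above (a write through mmap(2) only fails when the kernel finally pages the dirty memory out) can be made visible from user space. The following Python example is added here and is not from the thread: it writes a file through a shared mapping and calls msync via `mmap.flush()`, so a full filesystem is reported to the writer as an `OSError` at that call instead of only as a kernel `uvn_flush` warning later on. The statvfs preflight, the function names and the temp-file round-trip are my own additions.

```python
"""Write a file through mmap(2) and force the pageout with msync.

Added example (not code from the thread): a store into a shared mapping only
dirties a page in memory; the data reaches the disk when the kernel pages it
out or when the program calls msync, and a full filesystem is reported at
that point. Calling msync from the writer turns the kernel's "uvn_flush:
changes to page may be lost" into an OSError the program can act on.
"""
import mmap
import os
import tempfile


def free_bytes(path):
    """Bytes an unprivileged process may still allocate on path's filesystem."""
    st = os.statvfs(path)
    return st.f_bavail * st.f_frsize


def write_via_mmap(path, data):
    """Write data to path through a shared mapping, then msync it.

    f.truncate() sets the file size but allocates no blocks, so an ENOSPC
    is not seen there; mm.flush() is msync(2) and raises OSError when the
    dirty pages cannot be written out.
    """
    with open(path, "w+b") as f:
        f.truncate(len(data))
        if not data:                    # a zero-length mapping is an error
            return 0
        with mmap.mmap(f.fileno(), len(data), access=mmap.ACCESS_WRITE) as mm:
            mm[:] = data                # dirties pages in the page cache only
            mm.flush()                  # msync: the write to disk happens here
    return len(data)


def roundtrip_via_mmap(data, directory=None):
    """Preflight-check free space, write data via mmap into a temp file,
    read it back the ordinary way and return what was read."""
    fd, path = tempfile.mkstemp(dir=directory)
    os.close(fd)
    try:
        if len(data) > free_bytes(path):
            raise OSError("preflight: not enough free space for the mapping")
        written = write_via_mmap(path, data)
        with open(path, "rb") as f:
            readback = f.read()
        if written != len(readback):
            raise RuntimeError("short write through the mapping")
        return readback
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(roundtrip_via_mmap(b"hello via mmap\n"))
```

The preflight check is advisory only: another process can fill the filesystem between statvfs and msync, so the `OSError` from `flush()` is the check that actually counts. A relinking step that wrote with plain write(2) would get its ENOSPC synchronously, which is the behaviour Jurjen expected.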



Re: uvn_flush: WARNING: changes to page may be lost

2020-11-11 Thread Paul de Weerd
Hi Jan,

On Wed, Nov 11, 2020 at 10:20:41AM +0100, Jan Stary wrote:
|   uvn_flush: obj=0x0, offset=0x7c2.  error during pageout.
|   uvn_flush: WARNING: changes to page may be lost!

|   uid 0 on /usr: file system full

| Are the uvn and klog errors simply artifacts of the full /usr ?

Having experienced this myself, yes, this is /usr being full.  Kernel
relinking isn't working out.  Make sure /usr is bigger to prevent
issues like these.

https://marc.info/?l=openbsd-bugs&m=159171382418585&w=2

If you want to use sysupgrade, you'll have X sets installed every time
so increasing /usr's size (or adding a dedicated partition for
/usr/X11R6) can help.

Cheers,

Paul 'WEiRD' de Weerd




Re: Impact of 002_icmp6.patch

2020-10-30 Thread Paul de Weerd
On Fri, Oct 30, 2020 at 11:15:31AM +0100, js-openbsd-m...@webkeks.org wrote:
| What about link-local IPv6? That's active by default, isn't it?

It is not.  You need to enable IPv6 on an interface to get a
link-local address on it; only the loopback interface is special, in
the sense that it gets ::1 (localhost) and fe80::1%lo0 (link-local
for the loopback interface) just by being brought up.  This has been the
case since 23 June 2014 (5.6 was the first release with this change):

http://cvsweb.openbsd.org/src/sys/net/if.c?rev=1.291&content-type=text/x-cvsweb-markup

Paul 'WEiRD' de Weerd




Re: USB to 3.5mm jack audio adapter

2020-09-10 Thread Paul de Weerd
On Wed, Sep 09, 2020 at 09:36:01PM +0200, Alexandre Ratchov wrote:
| Try searching for "TRRS to USB adapter" then check in the detailed
| description that:
|   - it's an "external sound card" for computers (Windows/macOS supported)
|   - it requires no device driver (means it's USB class-compliant)
|   - supports 3.5mm "TRRS" headset jacks (what most phones use)

Thanks Alexandre, I did that and found one that looks like the thing
you are talking about.  Will give it a shot ;)


On Thu, Sep 10, 2020 at 09:47:43AM +1000, Stuart Longland wrote:
| On 9/9/20 11:49 pm, Paul de Weerd wrote:
| > I mean, I have a USB audio device that
| > has a 3.5mm jack, but that's output only (TRS, so no microphone).
| 
| Does that adaptor also have a separate microphone input?
| 
| You can buy adaptors that split the microphone and earpiece contacts out
| to separate 3.5mm jacks which would allow you to then connect your
| single 4-pole jack headset to a conventional USB audio dongle.

And thank you, Stuart; my uaudio(4) indeed has a separate mic-in.
I'll see if I can find one of these adapters too.

Cheers,

Paul




USB to 3.5mm jack audio adapter

2020-09-09 Thread Paul de Weerd
Hi all,

As I don't have a microphone to use with my azalia(4) sound card, and
my webcam only has audio input (no output), I can't use my current
hardware in firefox to do videoconferencing.  So I purchased (what I
thought was) a USB to audio adapter[1].  This one simply offers a
3.5mm jack connector that I would then plug my existing headphones
into for full duplex audio.

Unfortunately, it doesn't seem to be an actual uaudio(4) device:

uhidev0 at uhub0 port 1 configuration 1 interface 0 "Samsung Electronics 
Samsung Type-C to 3.5pi gender adapter" rev 2.01/1.33 addr 2
uhidev0: iclass 3/0, 2 report ids
uhid0 at uhidev0 reportid 1: input=0, output=63, feature=0
uhid1 at uhidev0 reportid 2: input=63, output=0, feature=0

Are there uaudio(4) devices that do provide full duplex (TRRS i.e. mic
plus speakers) behind a 3.5mm jack?  Anyone have experience with one
of these they can recommend?  I mean, I have a USB audio device that
has a 3.5mm jack, but that's output only (TRS, so no microphone).

Thanks,

Paul

[1]: https://www.samsung.com/us/mobile/mobile-accessories/phones/usb-c-headphone-jack-adapter-ee-uc10juwegus/




Re: Running out of pty's

2020-08-27 Thread Paul de Weerd
On Thu, Aug 27, 2020 at 02:52:04PM +0200, Mischa wrote:
| Hi All,
| 
| I am managing an OpenBSD instance for a customer of mine who uploads camera
| images via sftp to be used in a single location.
| It looks like there are quite a number of cameras uploading at once.
| I am seeing a lot of messages like:
| 
| Aug 27 13:53:28 images sshd[68494]: error: do_exec_no_pty: fork: Resource temporarily unavailable
| Aug 27 13:53:43 images sshd[53989]: error: do_exec_no_pty: fork: Resource temporarily unavailable

For the archives .. you're not running out of pty's, but you can't
fork.  That's another resource that's limited.  There's a kernel limit
(sysctl kern.maxproc), but there are also ulimits (those you are more
likely to hit, especially if it's all the same user).

| I have tried adding a bunch of pty’s and increased them,
| inadvertently from 62 to 620, but I guess I missed something. :/

You missed the 'fork' part.  Oh, and the "no_pty" part of the function
that was complaining: sftp can work without a pty (see
https://man.openbsd.org/ssh#T - sftp doesn't need a pseudo terminal
IIRC).

| Any insights someone can share?

Cheers,

Paul




sensor value last change time not updated?

2020-08-14 Thread Paul de Weerd
Hi all,

I'm trying to read temperature sensor values from my ugold(4) device.
Seems to work alright (I get the same temperature reading as sysctl(8)
returns for the sensor), but the 'sensor value last change time'
doesn't seem to be updated.

[weerd@pom] $ cat sensor_last_change.c  
#include <sys/types.h>
#include <sys/sysctl.h>		/* sysctl(2), CTL_HW, HW_SENSORS */
#include <sys/sensors.h>	/* struct sensor, SENSOR_TEMP */
#include <err.h>
#include <stdio.h>

int
main(void)
{
	int		mib[5];
	size_t		sensorlen;
	struct sensor	sensor;

	/* hw.sensors.<device>.<type><index> */
	mib[0] = CTL_HW;
	mib[1] = HW_SENSORS;
	mib[2] = 3;		/* ugold0 on my machine */
	mib[3] = SENSOR_TEMP;
	mib[4] = 0;

	sensorlen = sizeof(sensor);
	if (sysctl(mib, 5, &sensor, &sensorlen, NULL, 0) == -1)
		err(1, "sysctl");

	/* tv is the sensor's "last change" timestamp, value the reading */
	printf("%lld.%06ld: %.2f\n",
	    sensor.tv.tv_sec,
	    sensor.tv.tv_usec,
	    ((sensor.value-27315)/100.0));

	return 0;
}
[weerd@pom] $ make sensor_last_change   
cc -O2 -pipe   -MD -MP   -o sensor_last_change sensor_last_change.c 
[weerd@pom] $ ./sensor_last_change
0.00: 32.32
[weerd@pom] $ sysctl -n hw.sensors.ugold0.temp0
32.32 degC (inner)

The 'tv' member of struct sensor seems to always be 0.0.  Am I doing
something wrong?

Cluesticks very welcome...

Thanks,

Paul




Re: ssh X forwarding and google-chrome

2020-07-02 Thread Paul de Weerd
Hi Gregory,

On Thu, Jul 02, 2020 at 05:33:20PM +0300, Gregory Edigarov wrote:
| Hello, everybody
| 
| does anybody know if there is any tricks?
| 
| In my office pc (currently linux) I have google-chrome installed,
| and I absolutely need to access it from home.
| 
| "ssh -Y  google-chrome" just shows an empty and blank
| window, no menu, no address bar.
| May be there is some command line flags I am not aware of?

If you absolutely must access something on one machine and ssh
forwarding doesn't work, you could look at VNC-solutions such as
x11vnc (available as a package on OpenBSD, probably also on your linux
distro of choice).

Cheers,

Paul 'WEiRD' de Weerd




Re: Filling a 4TB Disk with Random Data

2020-06-05 Thread Paul de Weerd
Hi Justin,

On Thu, Jun 04, 2020 at 08:39:24PM -0700, Justin Noor wrote:
| Thanks you @misc.
| 
| Using dd with a large block size will likely be the course of action.
| 
| I really need to refresh my memory on this stuff. This is not something we
| do, or need to do, everyday.
| 
| Paul your example shows:
| 
| bs=1048576
| 
| How did you choose that number? Could you have gone even bigger? Obviously
| it is a multiple of 512.

It's just 1m.  Yes, I could've gone bigger, but that wouldn't add
much.  1m is just my default so I can more easily tell how much has
been done upon SIGINFO, as the records are then 1m large.  So in my
sample output 30111 MB had been written.

| The disks in point are 4TB Western Digital Blues. They have 4096 sector
| sizes.

1m is of course a multiple of 4k :)

| I used a 16G USB stick as a sacrificial lamb to experiment with dd.
| Interestingly, there is no difference in time between 1m, 1k, and 1g. How
| is that possible? Obviously this will not be an accurate comparison of the
| WD disks, but it was still a good practice exercise.
| 
| Also Paul, to clarify a point you made, did you mean forget the random data
| step, and just encrypt the disks with softraid0 crypto? I think I like that
| idea because this is actually a traditional pre-encryption step. I don't
| agree with it, but I respect the decision. For our purposes, encryption
| only helps if the disks are off the machine, and someone is trying to
| access them. This automatically implies that they were stolen. The chances
| of disk theft around here are slim to none. We have no reason to worry
| about forensics either - we're not storing nuclear secrets.

Well, you didn't mention the why: what are you trying to accomplish by
overwriting your 4TB disk with random data?  If it is to prevent
others from accessing the data after you dispose of the disk then you
should be aware of the caveat I mentioned.

I get rid of old computers by overwriting the disk(s) and installing
the latest snapshot.  That's why I do this .. but it's not clear why
you want to do it.

Cheers,

Paul

| Thanks for your time
| 
| 
| On Mon, Jun 1, 2020 at 7:28 AM Paul de Weerd  wrote:
| 
| > On Mon, Jun 01, 2020 at 06:58:01AM -0700, Justin Noor wrote:
| > | Hi Misc,
| > |
| > | Has anyone ever filled a 4TB disk with random data and/or zeros with
| > | OpenBSD?
| >
| > I do this before disposing of old disks.  Have written random data to
| > several sizes of disk, not sure if I ever wiped a 4TB disk.
| >
| > | How long did it take? What did you use (dd, openssl)? Can you share the
| > | command that you used?
| >
| > It takes quite some time, but OpenBSD (at least on modern hardware)
| > can generate random numbers faster than you can write them to spinning
| > disks (may be different with those fast nvme(4) disks).
| >
| > I simply used dd, with a large block size:
| >
| > dd if=/dev/random of=/dev/sdXc bs=1048576
| >
| > And then you wait.  The time it takes really depends on two factors:
| > the size of the disk and the speed at which you write (whatever the
| > bottleneck).  If you start, you can send dd the 'INFO' signal (`pkill
| > -INFO dd` (or press Ctrl-T if your shell is set up for it with `stty
| > status ^T`)).  This will give you output a bit like:
| >
| > 30111+0 records in
| > 30111+0 records out
| > 31573671936 bytes transferred in 178.307 secs (177074202 bytes/sec)
| >
| > Now take the size of the disk in bytes, divide it by that last number
| > and subtract the second number.  This is a reasonable ball-park
| > indication of time remaining.
| >
| > Note that if you're doing this because you want to prevent others from
| > reading back even small parts of your data, you are better off never
| > writing your data in plain text (e.g. using softraid(4)'s CRYPTO
| > discipline), or (if it's too late for that), to physically destroy the
| > storage medium.  Due to smart disks remapping your data in case of
| > 'broken' sectors, some old data can never be properly overwritten.
| >
| > Cheers,
| >
| > Paul 'WEiRD' de Weerd
| >




Re: Filling a 4TB Disk with Random Data

2020-06-01 Thread Paul de Weerd
On Mon, Jun 01, 2020 at 06:58:01AM -0700, Justin Noor wrote:
| Hi Misc,
| 
| Has anyone ever filled a 4TB disk with random data and/or zeros with
| OpenBSD?

I do this before disposing of old disks.  Have written random data to
several sizes of disk, not sure if I ever wiped a 4TB disk.

| How long did it take? What did you use (dd, openssl)? Can you share the
| command that you used?

It takes quite some time, but OpenBSD (at least on modern hardware)
can generate random numbers faster than you can write them to spinning
disks (may be different with those fast nvme(4) disks).

I simply used dd, with a large block size:

dd if=/dev/random of=/dev/sdXc bs=1048576

And then you wait.  The time it takes really depends on two factors:
the size of the disk and the speed at which you write (whatever the
bottleneck).  If you start, you can send dd the 'INFO' signal (`pkill
-INFO dd` (or press Ctrl-T if your shell is set up for it with `stty
status ^T`)).  This will give you output a bit like:

30111+0 records in
30111+0 records out
31573671936 bytes transferred in 178.307 secs (177074202 bytes/sec)

Now take the size of the disk in bytes, divide it by that last number
and subtract the second number.  This is a reasonable ball-park
indication of time remaining.

Note that if you're doing this because you want to prevent others from
reading back even small parts of your data, you are better off never
writing your data in plain text (e.g. using softraid(4)'s CRYPTO
discipline), or (if it's too late for that), to physically destroy the
storage medium.  Due to smart disks remapping your data in case of
'broken' sectors, some old data can never be properly overwritten.

Cheers,

Paul 'WEiRD' de Weerd

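Estimating the remaining time from that status line, as an added shell example (it is not code from the original mail): it parses the line dd prints on SIGINFO, applies the rule above (disk size divided by the bytes/sec figure, minus the seconds already elapsed) and formats the result. The 4 TB disk size and the function names are this example's own; on OpenBSD the byte count of a disk is its "total sectors" times "bytes/sector" as shown by disklabel(8).

```sh
#!/bin/sh
# Added example (not from the original mail): estimate dd's remaining time
# from the line it prints on SIGINFO, using the rule from the mail:
#   disk_bytes / bytes_per_sec - seconds_elapsed
# Function names and the sample values below are this example's own.

# dd_eta_seconds DISK_BYTES "<status line>" -> whole seconds remaining on stdout
dd_eta_seconds() {
    printf '%s\n' "$2" | awk -v total="$1" '
        # field layout of the status line:
        #   $1 bytes transferred in $5 secs ($7 bytes/sec)
        /bytes transferred in/ {
            found = 1
            secs = $5
            rate = $7; sub(/^\(/, "", rate)
            if (rate + 0 <= 0) { print "unknown"; exit 1 }
            eta = total / rate - secs
            if (eta < 0) eta = 0        # disk smaller than claimed, or clock skew
            printf "%d\n", eta
            exit 0
        }
        END { if (!found) { print "no status line"; exit 1 } }'
}

# fmt_hms SECONDS -> "XhYYmZZs"
fmt_hms() {
    printf '%dh%02dm%02ds\n' $(($1 / 3600)) $(($1 % 3600 / 60)) $(($1 % 60))
}

# Constructed sample: a 4 TB disk and the status line quoted in the mail.
SAMPLE_DISK_BYTES=4000787030016
SAMPLE_STATUS='31573671936 bytes transferred in 178.307 secs (177074202 bytes/sec)'

if [ "$#" -eq 2 ]; then
    # usage: sh dd_eta.sh DISK_BYTES "<status line pasted from dd>"
    if eta=$(dd_eta_seconds "$1" "$2"); then
        fmt_hms "$eta"
    else
        printf '%s\n' "$eta" >&2
        exit 1
    fi
fi
```

With the sample values this gives about 6h13m; the rate dd reports is an average since the start, so the estimate drifts once the outer tracks of a spinning disk (the fast ones) are done.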



Re: booting from a SD card on APU2: ERR R

2020-04-22 Thread Paul de Weerd
On Wed, Apr 22, 2020 at 11:54:22PM +0200, Jan Stary wrote:
| Booting from Hard Disk...
| Using drive 0, partition 3.
| Loading
| ERR R

These "ERR x" error codes are documented in biosboot(8)[1].  They're
brief because the biosboot program is quite space constrained.  In
this particular case, "ERR R", the documentation says:

> ERR R   Read error.  The BIOS returned an error indication when biosboot
> attempted to read a disk sector.  This might be any media error,
> including bad sectors (common on floppy disks), and invalid
> sectors (can occur with bad geometry translations).
>
> If this error occurs during an LBA boot (no ‘;’ after
> “Loading”), then a CHS boot may succeed.  To do this, you should
> reboot, then hold down either Shift key before biosboot starts.
> You should see a ‘!’ before “Loading” as confirmation that your
> override was accepted.

So that's also something you may want to try.  Although the suggestion
to try more recent firmware from Leslie is generally a good first
step.

Cheers,

Paul 'WEiRD' de Weerd

[1]: http://man.openbsd.org/biosboot#DIAGNOSTICS




Re: ssh-agent confirmation for use by default

2020-04-07 Thread Paul de Weerd
On Tue, Apr 07, 2020 at 12:48:34PM -, Stuart Henderson wrote:
| > After a discussion at work, I started looking at enabling confirmation
| > before authentication through ssh-agent by default.  When logging in
| > through xdm, the default Xsession runs `ssh-add < /dev/null` (see line
| > 36 in /etc/X11/xdm/Xsession).  My keys are loaded and I can log in to
| > remote hosts.  On some machines, I skip loading the keys or unload
| > them after logging in and then load or re-add them using ssh-add -c,
| > so I am asked for confirmation every time the agent is used.
| 
| ITYM /etc/X11/xenodm/Xsession :-)

Yeah, was pointed out to me offline as well; finger memory, sorry!

| I had a similar problem (I wanted some extra keys added by default).
| Xsession is in the xetc set, so it can be modified without being
| overwritten in a standard upgrade, you just need to sysmerge it
| sometimes.

Hmm, that's an excellent point; I'll do that.

| I have a different related problem as well, I would like to add *some*
| keys with -c and others without (i.e. confirm for connecting to more
| important hosts), but don't really want to have to run ssh-add twice
| (i.e. ask for the passphrase twice).

Actually, that would be even nicer.  I guess that would mean an option
on the actual key file (the *private* part).

Anyway, your suggestion of "sucking it up" during sysmerge time
(which, in the case of the system Xsession file, doesn't change often
anyway), works for my most prominent use cases .. thank you for the
clue-by-four.

Cheers,

Paul




ssh-agent confirmation for use by default

2020-04-06 Thread Paul de Weerd
Hi all,

After a discussion at work, I started looking at enabling confirmation
before authentication through ssh-agent by default.  When logging in
through xdm, the default Xsession runs `ssh-add < /dev/null` (see line
36 in /etc/X11/xdm/Xsession).  My keys are loaded and I can log in to
remote hosts.  On some machines, I skip loading the keys or unload
them after logging in and then load or re-add them using ssh-add -c,
so I am asked for confirmation every time the agent is used.

However, I would like this to be the default on my machines.  Is there
an easy way to achieve this without carrying a local diff?  I checked
the ssh-keygen manpage to see if there are any key-options that force
this, but couldn't find anything (the options are generally to limit
what happens on the remote end).  ssh-add allows for it (obviously),
but then you need a change to the command line, and that's in a system
file: I don't want to propose that as a diff, as I don't think this
makes sense in all cases (I have other machines where I wouldn't want
this to happen by default).

How are others doing this?

Thanks,

Paul




Re: pkg_outdated binary?

2020-03-09 Thread Paul de Weerd
Hi Luke,

On Mon, Mar 09, 2020 at 01:55:18PM -0600, Luke A. Call wrote:
| Hi. I see a manual page for pkg_outdated, online and on my 6.6 stable 
| machine, but no binary, or result from "type pkg_outdated", even with,
| as root: 
|   cd /
|   find . -iname "*outdated*" 2>&1 | less
| ...though that did find some perl things.
| 

Check out the ports tree and try again.  More specifically, look in
/usr/ports/infrastructure/bin

There are a number of tools there that are of use when porting;
pkg_outdated is one such tool.  It requires the ports tree to operate
(it compares installed packages with versions found in the ports tree)
and as such is only available in the ports tree itself.

Cheers,

Paul 'WEiRD' de Weerd




Re: heads up: amd64 snap

2020-03-09 Thread Paul de Weerd
On Mon, Mar 09, 2020 at 07:28:10PM +0100, Paul de Weerd wrote:
| Indeed it did :)  My machine would not POST anymore (Dell Optiplex
| 9020; dmesg at the end)

I meant: dmesg in the follow-up e-mail...


OpenBSD 6.6-current (GENERIC.MP) #38: Sat Mar  7 19:58:17 MST 2020
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34243903488 (32657MB)
avail mem = 33193492480 (31655MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xec410 (88 entries)
bios0: vendor Dell Inc. version "A22" date 02/01/2018
bios0: Dell Inc. OptiPlex 9020
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT SLIC LPIT SSDT SSDT SSDT HPET SSDT MCFG SSDT 
ASF! DMAR
acpi0: wakeup devices UAR1(S3) RP01(S4) PXSX(S4) PXSX(S4) PXSX(S4) RP05(S4) 
PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) GLAN(S4) EHC1(S3) EHC2(S3) XHC_(S4) 
HDEF(S4) PEG0(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz, 3691.95 MHz, 06-3c-03
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz, 3691.47 MHz, 06-3c-03
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz, 3691.47 MHz, 06-3c-03
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz, 3691.47 MHz, 06-3c-03
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpimcfg0 at acpi0
acpimcfg0: addr 0xf800, bus 0-63
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP05)
acpiprt3 at acpi0: bus -1 (PEG0)
acpiprt4 at acpi0: bus -1 (PEG1)
acpiprt5 at acpi0: bus -1 (PEG2)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu2 at acpi0: C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu3 at acpi0: C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpitz0 at acpi0: critical temperature is 105 degC
acpitz1 at acpi0: critical temperature is 105 degC
acpipci0 at acpi0 PCI0: 0x0010 0x0011 0x
acpicmos0 at acpi0
acpibtn0 at acpi0: PWRB
"PNP0C14" at acpi0 not configured
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: using VERW MDS workaround (except on vmm entry)
cpu0: Enhanced SpeedStep 3691 MHz: speeds: 3401, 3400, 3200, 3000, 2800, 2700, 
2500, 2300, 2100, 1900, 1700, 1500, 1400, 1200, 1000, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 4G Host" rev 0x06
inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics 4600" r

Re: heads up: amd64 snap

2020-03-09 Thread Paul de Weerd
On Mon, Mar 09, 2020 at 06:47:10PM +0100, Sebastien Marie wrote:
| On Mon, Mar 09, 2020 at 04:51:00PM +, Anthony Campbell wrote:
| > On 09 Mar 2020, Otto Moerbeek wrote:
| > > On Mon, Mar 09, 2020 at 03:56:53PM +, Anthony Campbell wrote:
| > > 
| > > > This discussion is very interesting. The same thing happened to me
| > > > on 6 March, when after completing the upgrade my Dell Optiplex 3020
| > > > refused to boot. I assumed it was a hardware failure and spent the
| > > > next three days bringing up an older Acer n460 which the Dell had
| > > > replaced.
| 
| yes, it looks like a hardware failure.

Indeed it did :)  My machine would not POST anymore (Dell Optiplex
9020; dmesg at the end)

| in my case, 4 hosts with the same motherboard model failed at the same time (I
| ran sysupgrade via ansible), so hardware failure was a bit excluded.

I only have this one machine that showed the behaviour.  Several VMs,
my gateway and my laptop worked fine so I didn't really tie it to the
bootloader changes (especially since the machine didn't POST).  I
couldn't boot from any other medium as long as the boot disk (an SSD)
was connected; my conclusion was that a failed SSD prevented the
system from POSTing (something I've seen in the past with failed
HDDs).

| > > > I don't have the facility at present to put the disk in another
| > > > machine so it looks like I'm stuck. 
| 
| I agree it could be difficult. If the disk is plugged in, the BIOS gets stuck. If the disk
| is unplugged, the BIOS is fine, but you can't modify the disk data.
| 
| As sthen@ said, you could try to change a BIOS setting to make the BIOS not
| look at the disk. I dunno if it would work or not.

I played around with that a little bit, but didn't get to a working
machine.

| Alternatively, if your disk supports hotplugging (SATA disks should), trying to
| connect the disk after the BIOS has started could help. If so, I would try to plug
| it in as soon as possible after BIOS init.

That was a bit of a scary option for me :)

| Depending on your configuration, you could also try to use a USB/SATA or USB/IDE
| adapter (depending on your disk), in order to plug the disk in after BIOS init. For
| me, I had a problem with this method too: when my SATA disk is plugged into the SATA
| connector it shows as 512 bytes/sector, whereas with the USB/SATA connector it
| shows as 4096 bytes/sector and so the disklabel is incoherent.

In the end, after reading Otto's mail about reverting his changes, I
connected the SSD from my not-booting machine to my laptop and
upgraded the snapshot on it.  That allowed my desktop machine to boot
properly again.

I've seen Otto's commit message from earlier today, so I will test out
the next snap on my machine tomorrow.  At least now I know not to jump
to conclusions about failing hardware :)

Thanks to Otto for his work on this area; looking forward to running
my machine on all-ffs2.

Cheers,

Paul




Re: Full disk encryption including /boot, excluding bootloader?

2020-02-17 Thread Paul de Weerd
On Tue, Feb 18, 2020 at 05:12:25AM +, Frank Beuth wrote:
| Yes, it's a cool way to combine things to get unexpected functionality.
| I haven't dug into the bootloader much... is there a reasonably easy way
| to get the USB-stick-bootloader to boot the hard drive partition by
| default?

Best way to dig into the bootloader is by starting at its fine manpage
which you can read online at http://man.openbsd.org/man8/amd64/boot.8

The quick answer is `echo 'boot sr0a:/bsd' > /etc/boot.conf` (on the
USB-stick's root filesystem).

Cheers,

Paul 'WEiRD' de Weerd




Re: Detecting DoH using PF

2020-02-17 Thread Paul de Weerd
Hi Erik,

On Mon, Feb 17, 2020 at 06:07:59PM +, Erik Lauritsen wrote:
| Hi,
| 
| Is a DNS over HTTPS recognizable somehow so that it can be fingerprinted
| and redirected or blocked using pf?

I haven't studied this in close detail, but since it's just a "normal"
(albeit generally small) HTTPS request, I doubt they can be easily
fingerprinted.  But I wonder: what is your interest?

My concern is not users using safe (encrypted) transports for their
DNS lookups, but users unwittingly sending their data to certain large
companies.  To that end I've populated a table in pf with IP addresses
from https://en.wikipedia.org/wiki/Public_recursive_name_server and
simply have

block out log from any to <openrecursor>

to prevent anyone on the local network from accessing them.  Some of
them are more popular than others but it works well enough:

# pfctl -vvt openrecursor -T show | awk '/\[/ {p+=$4; b+=$6} END {print p, b}'
14672 1100046

so 14672 packets / 1100046 bytes blocked to these open recursors.
Note that the rule blocks both DoH as well as 'normal' DNS or DoT
requests.

| I am thinking about the ability of PF to detect when requests are coming from
| a windows machine for example.

OS fingerprinting looks at TCP characteristics; DoH requests are
inside an encrypted transport and (probably) hard to discern from
'normal' HTTPS traffic.

Cheers,

Paul 'WEiRD' de Weerd

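To see which of the blocked resolvers the LAN keeps trying (the mail notes that some are more popular than others), here is an added shell example, not code from the original mail, that breaks the counters down per table entry instead of summing them. It is fed with a constructed sample in the shape of `pfctl -vvt openrecursor -T show` output (documentation addresses, counters chosen to add up to the totals quoted above); the function names are this example's own. It assumes the table is declared in pf.conf, for instance `table <openrecursor> persist file "/etc/openrecursor"` with one address per line, and referenced by the block rule quoted above.

```sh
#!/bin/sh
# Added example (not from the original mail): per-address view of the
# Out/Block counters of a pf table, as printed by
#   pfctl -vvt openrecursor -T show
# Function names and the sample below are this example's own.

# blocked_by_address < pfctl-output -> "addr packets bytes", busiest first
blocked_by_address() {
    awk '
        # an entry line holds just the address (optionally with /prefix),
        # indented; the counter lines that follow belong to it
        /^[ \t]*[0-9a-fA-F.:]+(\/[0-9]+)?[ \t]*$/ { addr = $1; next }
        /Out\/Block:/ && addr != "" {
            # layout: Out/Block: [ Packets: N Bytes: M ]
            pkts[addr] += $4; bytes[addr] += $6
        }
        END { for (a in pkts) printf "%s %d %d\n", a, pkts[a], bytes[a] }
    ' | sort -k2,2nr
}

# blocked_total < pfctl-output -> "packets bytes" (what the one-liner in the mail prints)
blocked_total() {
    blocked_by_address | awk '{ p += $2; b += $3 } END { printf "%d %d\n", p, b }'
}

# Constructed sample in the shape of pfctl -vvt ... -T show output.
SAMPLE_PFCTL_OUTPUT='   192.0.2.53
   Cleared:     Mon Feb 17 12:00:00 2020
   In/Block:    [ Packets: 0                  Bytes: 0                  ]
   In/Pass:     [ Packets: 0                  Bytes: 0                  ]
   Out/Block:   [ Packets: 9000               Bytes: 700000             ]
   Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   198.51.100.9
   Cleared:     Mon Feb 17 12:00:00 2020
   In/Block:    [ Packets: 0                  Bytes: 0                  ]
   In/Pass:     [ Packets: 0                  Bytes: 0                  ]
   Out/Block:   [ Packets: 5672               Bytes: 400046             ]
   Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   2001:db8::53
   Cleared:     Mon Feb 17 12:00:00 2020
   In/Block:    [ Packets: 0                  Bytes: 0                  ]
   In/Pass:     [ Packets: 0                  Bytes: 0                  ]
   Out/Block:   [ Packets: 0                  Bytes: 0                  ]
   Out/Pass:    [ Packets: 0                  Bytes: 0                  ]'

if [ "$#" -eq 1 ] && [ "$1" = "-" ]; then
    # usage: pfctl -vvt openrecursor -T show | sh blocked.sh -
    blocked_by_address
fi
```

Only the Out/Block counters are summed, so traffic the rule lets through (if you add a pass rule for your own resolver to the same table, say) does not inflate the numbers; an entry that keeps climbing is a client on the LAN with a hard-coded resolver worth tracking down.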



Re: Full disk encryption including /boot, excluding bootloader?

2020-02-17 Thread Paul de Weerd
On Mon, Feb 17, 2020 at 01:35:38PM +, Frank Beuth wrote:
| > | This way the evil maid would have nothing to tamper with.
| > 
| > Note that with this approach, a default OpenBSD install to your
| > machine will still install a bootloader on the physical disk inside
| > your machine.  It's then on you to NOT use that.
| 
| That's a heck of a hack!

Not sure how you mean that - I don't think it's that much of a hack,
mostly an interesting side-effect of how the bootloader works in
general.  Taken in combination with a "normal" install to removable
media, you get basically exactly what you want at no additional cost.

Note that you don't have to do a full (or even minimal) install, if
all you really want is use the bootloader on the removable media.
It's just the easiest way to prepare it that I know of.  Besides, if
you do a 'normal' install, you have a convenient 'live' or 'rescue'
system to carry around with you whenever you go: I've got one of these
on my keychain :)

Cheers,

Paul 'WEiRD' de Weerd




Re: Full disk encryption including /boot, excluding bootloader?

2020-02-17 Thread Paul de Weerd
On Mon, Feb 17, 2020 at 08:50:14AM +, Frank Beuth wrote:
| > > How do you do this on OpenBSD?
| > @frank: https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk
| 
| That's telling me how to use a keydisk -- how to put the softraid FDE
| encryption key material on a USB disk.
| 
| If an evil made came by and got access to my machine, they would still
| be able to tamper with the bootloader code to harvest the FDE password
| when I returned.
| 
| I want to put the whole bootloader (including the code used to decrypt
| the softraid-FDE-encrypted root-partition-containing media) on a USB
| disk.

But you can already do this.  If your machine supports booting from
USB, you can do a minimal install to a USB stick (using FDE, if you
want).  Now you have a portable OpenBSD environment you can boot on
any system capable of booting from USB (and supporting the same kernel
architecture).

What you can also do with this USB stick is use its bootloader to boot
the OS stored on the disk inside your machine (FDE encrypted or not).

I've used this to fix up installs gone sour on my machines in the
past.  Works a treat.  I don't use it to prevent the evil maid case
you describe though, but I think it would work just fine.

| This way the evil maid would have nothing to tamper with.

Note that with this approach, a default OpenBSD install to your
machine will still install a bootloader on the physical disk inside
your machine.  It's then on you to NOT use that.

Cheers,

Paul 'WEiRD' de Weerd




Re: using first alias as masquerading ip on pf.conf

2020-02-12 Thread Paul de Weerd
On Wed, Feb 12, 2020 at 12:09:12PM +0100, Federico Donati wrote:
| Hi all,
| 
| I have a couple of firewalls with carp configured and I need them to
| reach the Internet even when they are in BACKUP state.
| I'm managing pf via Ansible/GIT, so I'd like to keep the
| configuration of pf.conf standard and simple as much as possible.
| 
| Usually, I use the notation "nat-to ($interface)" to let pf use the
| correct ip, but in this case I've BGP configured and the provider
| forces me to use a complex configuration with an alias on the
| external interface, like this:
| 
| # ifconfig vlan835
| vlan835: flags=8943 mtu 1500
|   lladdr b0:26:28:1e:e6:6e
|   index 13 priority 0 llprio 3
|   encap: vnetid 835 parent trunk0 txprio packet rxprio outer
|   groups: vlan egress
|   media: Ethernet autoselect
|   status: active
|   inet 1.1.1.1 netmask 0xfff0 broadcast 1.1.1.255
|   inet 2.2.2.2 netmask 0xfff0 broadcast 2.2.2.255

Surely the provider doesn't force 1.1.1.1 to be the "primary" and
2.2.2.2 to be the alias?  How could they tell the difference?

| So, 1.1.1.1 is the "transit ip" for the BGP, the one we must use to
| talk with the provider's router and that I can't use as masquerading
| ip.
| 
| The ip 2.2.2.2 is the one that I should use to mask my traffic to
| the Internet, and is different on each firewall.
| 
| Is there a way to tell pf to use the first alias of interface to
| mask the traffic? Something like "nat-to (vlan835:1)"...

Could you make 1.1.1.1 the alias and 2.2.2.2 the primary address?
Then your NAT rule could simply use (vlan835:0).

Alternatively, you could refer to a hostname that you then specify in
/etc/hosts (with a different address on each host).

As far as I know, there's no way to refer to the 'first alias'.  What
is the 'first alias' anyway?  The first one you configured?  Or the
last one?  Since you're using the '(interface)' specification (with
the parentheses), you're using dynamically changing addresses .. what
does that mean in the context of 'first alias'?

| I would like to keep things simple and avoid to use the include
| directive, if possible.

I tend to dislike the whole IP address "aliases" thing more and more
recently... :)

Cheers,

Paul 'WEiRD' de Weerd




Re: IPsec and MTU / fragmentation

2020-02-10 Thread Paul de Weerd
On Mon, Feb 10, 2020 at 12:15:37PM +0100, Simen Stavdal wrote:
| True, but the issue was related to downloading over http, which is over tcp.
| So, if http is your only concern I would go for this option.
| 
| Most clients are configured with an MTU of their physical NIC capabilities,
| and sometimes even with jumbo support.
| MTU is a property of the OS in both ends, while MSS is a property of the
| packets that can be adjusted in-flight.
| 
| So, if you want to fix the MTU, you will have to configure that on the
| conversation partners and not in pf.
| So, while we agree on the principles, how do you suggest MTU is changed?

One interesting option that I recently discovered thanks to florian@
is the 'mtu'[1] setting in /etc/rad.conf on your IPv6 router.  By
lowering the MTU, packets had a smaller MSS, which aligned with the
MTU of the IPv6 tunnel I was using in that situation.  This, in turn,
allowed me to use software my bank has provided for my mobile device
over IPv6 without a problem.

Admittedly, after learning that this worked, I switched back to
scrubbing the MSS in pf.conf for this particular bank, and I've told
them to either stop filtering ICMPv6 Packet Too Large errors or
restrict the MSS to a lower value on their end (as they said they were
doing) to fix this for all their users.  The effect of using 'mtu' in
rad(8) is a lower configured MTU on your SLAAC enabled clients,
affecting also IPv4 (and local IPv6) traffic.

Cheers,

Paul 'WEiRD' de Weerd

[1]: http://man.openbsd.org/rad.conf#mtu

| Statically configured on each host? DHCP option?
| 
| Cheers,
| Simon.
| 
| On Mon, 10 Feb 2020 at 12:06, Janne Johansson  wrote:
| 
| > Den mån 10 feb. 2020 kl 11:58 skrev Simen Stavdal :
| >
| >> Hi Lucas,
| >> Have you tried to manipulate the mss during conversation setup?
| >> This is done with the max-mss directive in pf.conf.
| >> Basically, it takes the three way handshake, and overrides the MSS value
| >> in
| >> the handshake to something lower than the default.
| >>
| >
| > This might fix the http/ssh issues one might see, because both of those
| > run over TCP, but MSS fixups will not correct large UDP or icmp packets, or
| > any other non-TCP protocol one might run over that ipsec, so making sure
| > the traffic is below the MTU should be the end goal, not fixing 90% with
| > pf.
| >
| > --
| > May the most significant bit of your life be positive.
| >




Re: FreeBSD daemon(8)-like command for OpenBSD

2020-01-28 Thread Paul de Weerd
Hi Patrick,

On Tue, Jan 28, 2020 at 09:29:20AM +0100, Patrick Kristiansen wrote:
| Hi Ingo
| 
| Thank you for your reply.
| 
| I can't say I disagree with your and the OpenBSD team's attitude about
| bug-free daemons. But I am just a lowly application programmer, and
| sometimes I introduce horrible bugs that make our systems crash. In many
| cases it will be preferable to just start the process again (and, of
| course, fix the bug) for the purposes of keeping our business running.
| 
| But another use for daemon(8) is for its ability to detach the child
| process from the controlling terminal and furthermore redirect its
| stdout/stderr to syslog. Is there some mechanism to do that from the
| shell? Perhaps a combination of nohup and starting a background job?

What I do to run a "normal" (non-daemon) program like a daemon, is to
start it in tmux.  To have this start during system startup, I have an
@reboot cronjob:

--
[weerd@cube] $ cat ~/bin/conlog
#!/bin/sh
# conlog: start a tmux session with cu logging to a file
##

# Can be used with the following @reboot cron line to start at boot:
#
# @reboot   /home/weerd/bin/conlog

PATH=/bin:/usr/bin

LOG="/home/weerd/data/conlog/log.`date +%s`"

mkdir -p `dirname ${LOG}`
tmux new -d "script -c 'cu -l cuaU0 -s 115200' ${LOG}"
--

At reboot, this will start a new (detached) tmux session that launches
cu (under script) to log the serial console output from another
OpenBSD machine.  I can attach the tmux session and interact with the
console of that machine if necessary.

For the purpose of restarting crashing programs, you could do
something similar: run your program in a tmux session (convenient to
attach to when you want to look at its stdout/stderr output) and
script something to restart when it errors out.  You could then also
send yourself e-mail to alert you to the restart.

Cheers,

Paul 'WEiRD' de Weerd

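For the restart-on-crash part, here is an added shell example (not the conlog script and not code from the original mail): a small supervisor loop with a restart budget that notifies you on each restart, meant to be started inside a detached tmux session as described above so the program's stdout/stderr stay attachable. SUPERVISE_MAILTO, SUPERVISE_DELAY and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original mail and not the conlog script):
# a restart loop with a budget, meant to be run inside a detached tmux
# session so its stdout/stderr stay attachable.  SUPERVISE_MAILTO,
# SUPERVISE_DELAY and the function names are this example's own.

# notify MESSAGE: mail it when SUPERVISE_MAILTO is set, else print to stderr
notify() {
    if [ -n "${SUPERVISE_MAILTO:-}" ]; then
        printf '%s\n' "$1" | mail -s "supervise on $(hostname): restart" "$SUPERVISE_MAILTO"
    else
        printf '%s\n' "$1" >&2
    fi
}

# supervise MAX_RESTARTS CMD [ARG...]
# Runs CMD; on a non-zero exit, notifies and restarts it, at most MAX_RESTARTS
# times.  Returns 0 when CMD eventually exits cleanly, else CMD's last status.
supervise() {
    max=$1; shift
    restarts=0
    while :; do
        status=0
        "$@" || status=$?
        [ "$status" -eq 0 ] && return 0
        restarts=$((restarts + 1))
        if [ "$restarts" -gt "$max" ]; then
            notify "giving up on '$*': exit status $status after $max restarts"
            return "$status"
        fi
        notify "'$*' exited with status $status; restart $restarts of $max"
        sleep "${SUPERVISE_DELAY:-5}"      # avoid a tight loop on a fast crash
    done
}

if [ "$#" -ge 2 ]; then
    # usage: tmux new -d "/home/weerd/bin/supervise 10 /usr/local/bin/myprog"
    supervise "$@"
fi
```

The budget matters: a program that dies immediately on every start (bad config, missing file) should not be restarted forever, and the last notification tells you it has given up rather than leaving a silently dead tmux window.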



Re: interface modifiers :network and :0 picking different subnets for IPv6

2020-01-28 Thread Paul de Weerd
Hi Richard,

On Tue, Jan 28, 2020 at 04:42:02PM +1300, richard.n.proc...@gmail.com wrote:
| Does the patch below help?

It does!  Great, thank you!

(tested on my test vm as that has a source tree checked out)

[weerd@test1] $ echo 'block in on vio0 proto { tcp, udp } from vio0:network to ! vio0:0 port domain' | pfctl -nvf -
block drop in on vio0 inet proto tcp from 192.168.34.0/24 to ! 192.168.34.157 port = 53
block drop in on vio0 inet proto udp from 192.168.34.0/24 to ! 192.168.34.157 port = 53
block drop in on vio0 inet6 proto tcp from 2a02:898:28:200::/64 to ! fe80::fce1:bbff:fed1:c6d9 port = 53
block drop in on vio0 inet6 proto udp from 2a02:898:28:200::/64 to ! fe80::fce1:bbff:fed1:c6d9 port = 53
[weerd@test1] $ echo 'block in on vio0 proto { tcp, udp } from vio0:network to ! vio0:0 port domain' | obj/pfctl -nvf -
block drop in on vio0 inet proto tcp from 192.168.34.0/24 to ! 192.168.34.157 port = 53
block drop in on vio0 inet proto udp from 192.168.34.0/24 to ! 192.168.34.157 port = 53
block drop in on vio0 inet6 proto tcp from 2a02:898:28:200::/64 to ! 2a02:898:28:200:4706:3e7a:afb9:5137 port = 53
block drop in on vio0 inet6 proto udp from 2a02:898:28:200::/64 to ! 2a02:898:28:200:4706:3e7a:afb9:5137 port = 53

Looks great and would be perfect to have in I think.  One rule to
concisely describe the behaviour I want :)

Thanks again!

Paul

| I think you have found an oversight in the original implementation of 
| ':0', which defines a non-alias as the first defined address (of the given 
| address family) [0]. The patch makes ':0' skip link-local addresses, 
| matching the behaviour of ':network'.
| 
| best, 
| Richard. 
| 
| [0] sbin/pfctl/pfctl_parser.c 1.186 ifa_lookup()
| 
| Index: sbin/pfctl/pfctl_parser.c
| ===
| RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
| retrieving revision 1.342
| diff -u -p -u -p -r1.342 pfctl_parser.c
| --- sbin/pfctl/pfctl_parser.c 17 Oct 2019 21:54:28 -  1.342
| +++ sbin/pfctl/pfctl_parser.c 28 Jan 2020 03:11:27 -
| @@ -1546,6 +1546,8 @@ ifa_lookup(const char *ifa_name, int fla
|   continue;
|   if ((flags & PFI_AFLAG_NETWORK) && p->ifindex > 0)
|   continue;
| + if ((flags & PFI_AFLAG_NOALIAS) && p->ifindex > 0)
| + continue;
|   if (last_if == NULL || strcmp(last_if, p->ifname))
|   got4 = got6 = 0;
|   last_if = p->ifname;
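Review bot: the new PFI_AFLAG_NOALIAS test is a copy of the PFI_AFLAG_NETWORK test just above it (both `continue` when `p->ifindex > 0`); fold them into one condition, `if ((flags & (PFI_AFLAG_NETWORK | PFI_AFLAG_NOALIAS)) && p->ifindex > 0)`, so the two modifiers keep the same notion of "skip link-local" and cannot drift apart again. Since the hunk changes what `:0` expands to for IPv6 (the link-local address is no longer the first candidate), the `:0` entry in pf.conf(5) should be updated in the same commit to say that link-local addresses are skipped.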




interface modifiers :network and :0 picking different subnets for IPv6

2020-01-27 Thread Paul de Weerd
Hi all,

Following up from my previous (PEBKAC) issue[1], I kept working on my
ruleset.  I found, what I believe to be, another issue.  Here's the
reduced ruleset that reproduces the problem:

[root@ferrari] # cat pf.tmp
IntIF=em1
# only allow DNS to the unbound instance listening on em1 (v4 and v6)
block in on $IntIF proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain
[root@ferrari] # pfctl -nvf pf.tmp
IntIF = "em1"
block drop in on em1 inet6 proto tcp from 2a02:898:28:300::/64 to ! fe80::2e0:67ff:fe15:cc6d port = 53
block drop in on em1 inet6 proto udp from 2a02:898:28:300::/64 to ! fe80::2e0:67ff:fe15:cc6d port = 53
block drop in on em1 inet proto tcp from 192.168.150.0/24 to ! 192.168.150.1 port = 53
block drop in on em1 inet proto udp from 192.168.150.0/24 to ! 192.168.150.1 port = 53

The problem is in the IPv6 rules.  Here "em1:network" expands to the
global unicast network configured on the interface but "em1:0" expands
to the link-local address.  This doesn't really make sense to me.  If
both would expand to the link-local version, that would be unfortunate
but understandable.  I'm hoping to have both expand to the global
unicast version ("from 2a02:898:28:300::/64 to ! 2a02:898:28:300::1").

Why is pfctl picking different addresses for these two modifiers?

This is the interface configuration:

[root@ferrari] # ifconfig em1
em1: flags=808843 mtu 1500
lladdr 00:e0:67:15:cc:6d
description: LAN
index 2 priority 0 llprio 3
groups: lan
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet6 fe80::2e0:67ff:fe15:cc6d%em1 prefixlen 64 scopeid 0x2
inet6 2a02:898:28:300::1 prefixlen 64
inet6 2a02:898:28:300::2 prefixlen 128
inet 192.168.150.1 netmask 0xff00 broadcast 192.168.150.255
inet 192.168.150.2 netmask 0x

Is there a way to tell pf to use the global unicast address for em1:0
other than hardcoding the address in the ruleset?

Cheers,

Paul 'WEiRD' de Weerd

[1]: https://marc.info/?l=openbsd-misc&m=157994923220390&w=2




Re: combining macro with interface modifiers in pf.conf

2020-01-25 Thread Paul de Weerd
Hi Philipp,

On Sat, Jan 25, 2020 at 12:06:49PM +0100, Philipp Buehler wrote:
| 
| Hey Paul,
| 
| Am 25.01.2020 11:43 schrieb Paul de Weerd:
| > block in on $IntIF inet proto { tcp, udp } from $IntIF:network to !
| > $IntIF:0 port domain
| > block in on $IntIF inet6 proto { tcp, udp } from $IntIF:network to !
| > $IntIF:0 port domain
| 
| I just tested this with "IntIF=vio0" and works on 6.6-stable.
| 
| Is there more in the story, like concat macros, quotes in quotes or
| others along that?

Thanks for your reply, you helped me find the answer.  I obviously
should've published my full ruleset.

[weerd@pom] $ printf "IntIF=\"em0\"\nblock inet from \$IntIF:network to \$IntIF:0\n" | pfctl -nvf -
IntIF = "em0"
block drop inet from 192.168.0.0/24 to 192.168.0.149
[weerd@pom] $ printf "IntIF=\" em0 \"\nblock inet from \$IntIF:network to \$IntIF:0\n" | pfctl -nvf -
IntIF = " em0 "
stdin:2: syntax error

I have (by now 'had') spaces in my macros, so IntIF gets expanded
quite literally to the value I gave it with spaces (as it should).  As
usual, PEBKAC.

Again, thank you for the clue-by-4.  Everything works as it should and
I have been properly educated.

Paul


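Since the failure mode in this thread is a macro value that expands literally, spaces included, a small lint on the definitions catches it before pfctl does and gives a line number that points at the cause rather than at the rule. The script below is an added example, not from this thread or from OpenBSD; the sample ruleset is constructed and the names pf_macro_lint, pf_macro_lint_sample and PF_SAMPLE are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): flag pf.conf macros whose quoted value
# carries leading or trailing whitespace.  Macros expand literally, so
# IntIF=" em0 " turns "$IntIF:network" into " em0 :network" and pfctl reports
# a syntax error on the rule, not on the definition.  Names are this
# example's own.

# Prints LINE:NAME:"VALUE" for each offending macro; exit 1 if any were
# found, 0 otherwise, so it can gate a "pfctl -f" in a deploy script.  Reads
# the files given as arguments, or stdin.
pf_macro_lint() {
    awk '
        # a macro definition: NAME = "value" (spaces around "=" are allowed)
        /^[ \t]*[A-Za-z0-9_]+[ \t]*=[ \t]*"/ {
            name = $0; sub(/^[ \t]*/, "", name); sub(/[ \t]*=.*/, "", name)
            val = $0; sub(/^[^"]*"/, "", val); sub(/"[^"]*$/, "", val)
            if (val ~ /^[ \t]/ || val ~ /[ \t]$/) {
                printf "%d:%s:\"%s\"\n", NR, name, val
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$@"
}

# Constructed sample: the second macro has the stray spaces from the thread.
PF_SAMPLE='ExtIF="em0"
IntIF=" em1 "
block in on $IntIF inet proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain
pass out on $ExtIF'

pf_macro_lint_sample() { printf '%s\n' "$PF_SAMPLE" | pf_macro_lint; }

# Usage on a real ruleset: pf_macro_lint /etc/pf.conf && pfctl -nf /etc/pf.conf
```

The lint only looks at quoted definitions on their own line; a value built from other macros, or a trailing comment containing a double quote, is outside what it checks, and `pfctl -nvf` remains the authority on whether the expanded ruleset parses.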


combining macro with interface modifiers in pf.conf

2020-01-25 Thread Paul de Weerd
Hi all,

I'm rewriting some pf.conf rulesets and thought to use interface
modifiers to make them more generic.  Here's an example of what I came
up with:

block in on $IntIF inet proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain
block in on $IntIF inet6 proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain

These rules force users to use the local recursor for DNS lookups.
However, pfctl complains about syntax errors on both lines.  Replacing
the $IntIF:network and $IntIF:0 with em1:network and em1:0 solves the
syntax errors.  From pf.conf(5), it's not quite clear to me that it
isn't allowed to combine macros with interface modifiers.  On macros
it says:

> Macros can be defined that will later be expanded in context.  Macro
> names must start with a letter, digit, or underscore, and may
> contain any of those characters.  Macro names may not be reserved
> words (for example pass, in, out).  Macros are not expanded inside
> quotes.

and on modifiers:

> Interface names, interface group names, and self can have modifiers
> appended:

To me that suggests you can combine a macro with a modifier.  Am I
missing something obvious?  Is there a way to achieve this?

Thanks,

Paul 'WEiRD' de Weerd



OpenBSD 6.6-current (GENERIC.MP) #603: Mon Jan 13 13:21:42 MST 2020
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8478527488 (8085MB)
avail mem = 8209100800 (7828MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xec120 (49 entries)
bios0: vendor American Megatrends Inc. version "5.11" date 07/20/2018
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT SSDT UEFI LPIT CSRT
acpi0: wakeup devices SIO1(S0) BRC1(S0) XHC1(S4) HDEF(S4) RP01(S4) PXSX(S4) 
RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU J3060 @ 1.60GHz, 1600.39 MHz, 06-4c-04
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 80MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Celeron(R) CPU J3060 @ 1.60GHz, 1600.03 MHz, 06-4c-04
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 2, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 115 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus -1 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C3(10@1000 mwait.1@0x64), C2(10@500 mwait.1@0x58), C1(1000@1 
mwait.1), PSS
acpicpu1 at acpi0: C3(10@1000 mwait.1@0x64), C2(10@500 mwait.1@0x58), C1(1000@1 
mwait.1), PSS
acpipwrres0 at acpi0: ID3C, resource for ISP3
acpipwrres1 at acpi0: CLK0, resource for CAMD
acpipwrres2 at acpi0: CLK0, resource for CAM1
acpipwrres3 at acpi0: CLK1, resource for CAM2, CAM3
acpipwrres4 at acpi0: USBC, resource for XHC1
acpipwrres5 at acpi0: FN00, resource for FAN0
acpitz0 at acpi0: critical temperature is 95 degC
acpicmos0 at acpi0
acpipci0 at acpi0 PCI0: 0x0004 0x0011 0x0001
extent `acpipci0 pcibus' (0x0 - 0xff), flags=0
extent `acpipci0 pciio' (0x0 - 0x), flags=0
 0x70 - 0x77
 0xcf8 - 0xcff
 0x1 - 0x
extent `acpipci0 pcimem' (0x0 - 0x), flags=0
 0x0 - 0x9
 0x10 - 0xafff
 0xe000 - 0x
"BCM2E64" at acpi0 not configured
"BCM4752" at acpi0 not configured
"SMO91D0" at acpi0 not configured
"INTCF1C" at acpi0 not configured
acpibtn0 at acpi0: SLPB
"PNP0C0B" at acpi0 not configured
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: using VERW MDS workaround
cpu0: Enhanced SpeedStep 1600 MHz: speeds: 1601, 1600, 1520, 1440, 1360, 1280, 
1200, 1120, 1040, 960, 880, 800, 720, 640, 560, 480 MHz

Re: dig -p 5353 foo.bar core dumped

2020-01-21 Thread Paul de Weerd
On Tue, Jan 21, 2020 at 11:25:33AM -0800, Jordan Geoghegan wrote:
| dig doesn't core dump for me, it just prints this warning: ";; Error,
| only port 53 supported". I wonder why the error isn't being printed
| for OP.

Interesting.  Are you on -current?  I updated to the latest snapshot
yesterday and get this:

[weerd@pom] $ dig -p 1234 foo.bar @127.0.0.1
Abort trap 
[weerd@pom] $ dmesg | tail -n1
dig[69548]: pledge "dns", syscall 28

You may be doing something similar yet different?

Cheers,

Paul 'WEiRD' de Weerd




Re: dig -p 5353 foo.bar core dumped

2020-01-21 Thread Paul de Weerd
On Tue, Jan 21, 2020 at 06:58:02PM +0100, Dieter Rauschenberger wrote:
| Hi misc,
| 
| on my intranet I have unbound and nsd running, both on the same
| machine. unbound is listening on port 53, nsd is listening on port
| 5353 on 127.0.0.1. If I run
| 
| dig @127.0.0.1 -p 53 foo.bar
| 
| everything is fine. But if I want to query nsd direct with
| 
| dig @127.0.0.1 -p 5353 foo.bar
| 
| dig core dumps and I can read the following line in /var/log/messages:

That's pledge, as the below kernel message explains.

| Jan 21 18:42:44 ws /bsd: dig[59239]: pledge "dns", syscall 28

Dig is only allowed to do port 53.  This can be worked around by using
dig from the bind port, or with a patch to dig that allows you to use
other ports when -p is given on the command line.

However, I'd recommend running nsd on port 53 on 127.0.0.1; there it
doesn't interfere with unbound (assuming that's not listening on
127.0.0.1).  Alternatively, you can easily add a second IP address on
your loopback interface (::2) and have nsd listen there.

| The issue can be easily reproduced with any other port. No need to
| have a nsd running.

That's because it has nothing to do with nsd but with dig.  Dig has
promised not to use ports other than 53, and then when you do use
ports other than 53, the kernel terminates the process.

Cheers,

Paul 'WEiRD' de Weerd


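The kernel line quoted in both of these replies is the useful artefact here: every pledge(2) kill lands in /var/log/messages in the same shape, so a short summary per program, promise and syscall number tells a benign, known case like dig on port 5353 apart from a program that suddenly starts tripping its promises. The script below is an added example, not from this thread or from OpenBSD; the log excerpt is constructed from the two dig lines in the thread plus one unrelated line, and the names pledge_kills, pledge_kills_sample and LOG_SAMPLE are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): summarise pledge(2) kills from
# /var/log/messages.  A line like
#   Jan 21 18:42:44 ws /bsd: dig[59239]: pledge "dns", syscall 28
# means the kernel terminated dig because it made a syscall its "dns"
# promise does not cover (here: talking to a port other than 53).  Names are
# this example's own.

# Constructed log excerpt: the two dig lines from the thread plus a line that
# must be ignored.
LOG_SAMPLE='Jan 21 18:42:44 ws /bsd: dig[59239]: pledge "dns", syscall 28
Jan 21 18:42:50 ws ntpd[61234]: adjusting local clock by -0.003212s
Jan 22 09:10:02 pom /bsd: dig[69548]: pledge "dns", syscall 28'

# Reads syslog lines on stdin; prints "PROGRAM PROMISE SYSCALL COUNT", sorted.
# Map the syscall number to a name with /usr/include/sys/syscall.h on the
# box that logged it; the numbers are not stable across releases.
pledge_kills() {
    awk '
        / \/bsd: [^ ]+\[[0-9]+\]: pledge "[^"]*", syscall [0-9]+$/ {
            prog = $0; sub(/.*\/bsd: /, "", prog); sub(/\[.*/, "", prog)
            promise = $0; sub(/.*pledge "/, "", promise); sub(/".*/, "", promise)
            count[prog " " promise " " $NF]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

pledge_kills_sample() { printf '%s\n' "$LOG_SAMPLE" | pledge_kills; }

# Live use: pledge_kills < /var/log/messages
```

On the sample this prints `dig dns 28 2`: same program, same promise, same syscall, which is exactly the signature of a user running dig against a non-standard port. A new program name or a new syscall number in this output is what deserves a look.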


Re: dhcpd and unbound on a small LAN

2020-01-06 Thread Paul de Weerd
On Mon, Jan 06, 2020 at 09:33:44AM -0500, Steve Litt wrote:
| On Mon, 06 Jan 2020 14:03:20 +0100
| "Boudewijn Dijkstra"  wrote:
| 
| 
| > Another way is to configure the DHCP server to give alice the same
| > address every time.
| > 
| > host alice {
| >  hardware ethernet 00:19:b9:e0:2f:de;
| >  fixed-address 192.168.0.68;
| > }
| 
| I need something like that for my situation. Two questions:
| 
| 1) Does the preceding setup prevent anyone with a different mac address
| from getting 192.168.0.68?

That specific snippet of DHCP configuration does not prevent dhcpd
from handing it out to other machines (with different macs).  It
depends on the rest of your configuration and on whether this machine
is currently alive with that address on your network.

If you have configured a range for dynamic allocation that covers the
assigned fixed-address, then that fixed-address may be assigned to
another machine.  This may result in problems for host alice when it
boots.  The easy solution is to not do that: don't have your
statically assigned addresses overlap with the dynamic range.

| 2) Is there a way I can set it up so ONLY specific mac addresses can
| get a dhcp lease from my server?***  I'd like to keep the man on the
| street from getting a lease: If I don't know the person and machine
| ahead of time, I don't want them getting a lease.

If you want to only allow specific MACs, then you'll need to specify
the MAC addresses in the configuration file, and assign each one an
address, so you'll need to pre-assign IPs to MACs.

| *** I presume one way is to set aside just enough IP addresses to cover
| known mac addresses. I was wondering if there's a way that involves
| less arithmetic.

Not sure what arithmetic you're referring to specifically: simply
enumerate all machines by MAC and give each one a static lease
('fixed-address') in your /etc/dhcpd.conf, much like the host 'alice'
in the sample Boudewijn showed you.  Leave out a dynamic 'range' for
unknown clients, and you're done.  This is what I have done in the
past on my private home network.

Cheers,

Paul 'WEiRD' de Weerd


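The two points made above, a fixed-address inside the dynamic range can be handed to someone else and a config with only host stanzas and no range gives unknown MACs nothing, can be checked mechanically before the config goes live. The script below is an added example, not from this thread or from OpenBSD: it reads a dhcpd.conf, reports every fixed-address that falls inside a range, and is run against two constructed configs, one with a range and an overlapping host and one that is static only. alice is the host from the thread; bob and its MAC are made up, and the names dhcpd_overlap_check, check_with_range and check_static_only are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): check a dhcpd.conf for fixed-address
# leases that fall inside a dynamic "range", and show the "known MACs only"
# layout (no range at all) passing the same check.  Names are this
# example's own.

# Prints "HOST IP overlaps range LO HI" per offending lease; exit 1 if any.
# Reads the files given as arguments, or stdin.
dhcpd_overlap_check() {
    awk '
        function ip2n(ip,  p) {
            split(ip, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        $1 == "range" {
            sub(/;$/, "", $3)
            nr++; lo[nr] = ip2n($2); hi[nr] = ip2n($3); lotxt[nr] = $2; hitxt[nr] = $3
        }
        $1 == "host" { host = $2 }
        $1 == "fixed-address" {
            ip = $2; sub(/;$/, "", ip)
            nf++; fa[nf] = ip; fh[nf] = host
        }
        END {
            for (i = 1; i <= nf; i++)
                for (j = 1; j <= nr; j++)
                    if (ip2n(fa[i]) >= lo[j] && ip2n(fa[i]) <= hi[j]) {
                        printf "%s %s overlaps range %s %s\n", fh[i], fa[i], lotxt[j], hitxt[j]
                        bad++
                    }
            exit (bad > 0)
        }
    ' "$@"
}

# Constructed: a dynamic range for unknown clients plus two static hosts.
# bob sits inside the range, so its address can be handed to anyone.
DHCPD_WITH_RANGE='subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    range 192.168.0.100 192.168.0.200;
    host alice {
        hardware ethernet 00:19:b9:e0:2f:de;
        fixed-address 192.168.0.68;
    }
    host bob {
        hardware ethernet 02:00:00:00:00:02;
        fixed-address 192.168.0.150;
    }
}'

# Constructed: the layout described above for a private network.  No range,
# so a client whose MAC is not listed gets no lease at all.
DHCPD_STATIC_ONLY='subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    host alice {
        hardware ethernet 00:19:b9:e0:2f:de;
        fixed-address 192.168.0.68;
    }
    host bob {
        hardware ethernet 02:00:00:00:00:02;
        fixed-address 192.168.0.150;
    }
}'

check_with_range()  { printf '%s\n' "$DHCPD_WITH_RANGE"  | dhcpd_overlap_check; }
check_static_only() { printf '%s\n' "$DHCPD_STATIC_ONLY" | dhcpd_overlap_check; }

# Live use: dhcpd_overlap_check /etc/dhcpd.conf && rcctl restart dhcpd
```

Keep in mind what the static-only layout does and does not buy you: a MAC address is trivially changed by the client, so this keeps casual devices off the network, not a determined one; the check above only guarantees that the addresses you reserved cannot also be handed out dynamically.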


Re: How to setup date on startup with ntpd on OpenBSD 6.6

2019-11-21 Thread Paul de Weerd
On Thu, Nov 21, 2019 at 03:48:44PM +0500, dmitry.sensei wrote:
| Hi!
| 
| Since "-s" key had been deleted how I can setup time on startup?

From ntpd(8):

> ntpd makes efforts to verify and correct the time at boot if
> constraints are configured and satisfied or if trusted servers or
> sensors return results, and if the clock is not being moved backwards.

So you should configure a constraint[1] or a trusted[2] server or
sensor.  Then, at boot, ntpd will take care of correcting the clock if
it's off by too much.  See ntpd.conf(5) for details.

This was documented in an e-mail to tech@ by Theo two weeks ago,
there's an undeadly.org article[3] with his post and references to the
various commits that play a part here.

Cheers,

Paul 'WEiRD' de Weerd

[1]: http://man.openbsd.org/ntpd.conf#CONSTRAINTS
[2]: http://man.openbsd.org/ntpd.conf#sensor
[3]: http://undeadly.org/cgi?action=article;sid=2019075815


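Whether a box will correct its clock at boot therefore comes down to what is in ntpd.conf, and that is easy to check before rebooting a machine whose TLS validation depends on a sane clock. The script below is an added example, not from this thread or from OpenBSD: it looks for a constraint, or a server/sensor line carrying the trust keyword from ntpd.conf(5), and is run against two constructed configs modelled on the shipped sample (pool plus HTTPS constraint, and pool only). The names ntpd_boot_check, ntpd_check_ok and ntpd_check_bad are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): check whether an ntpd.conf has what
# the ntpd(8) text quoted above requires for correcting the clock at boot: a
# constraint, or a server/sensor marked "trust".  Names are this example's
# own.

# Exit 0 and print what was found; exit 1 with a hint otherwise.  Reads the
# files given as arguments, or stdin.
ntpd_boot_check() {
    awk '
        { sub(/#.*/, "") }                          # strip comments
        $1 ~ /^constraints?$/ && $2 == "from" { c++ }
        $1 ~ /^(server|servers|sensor)$/ {
            for (i = 3; i <= NF; i++) if ($i == "trust") t++
        }
        END {
            if (c) printf "constraints: %d\n", c
            if (t) printf "trusted sources: %d\n", t
            if (!c && !t) {
                print "no constraint and no trusted server/sensor: clock will not be corrected at boot"
                exit 1
            }
        }
    ' "$@"
}

# Constructed, modelled on the shipped sample ntpd.conf: a pool plus an
# HTTPS constraint.  Passes.
NTPD_OK='servers pool.ntp.org
constraints from "https://www.google.com"'

# Constructed: pool only, constraint commented out.  Fails the check.
NTPD_NO_CONSTRAINT='servers pool.ntp.org
#constraints from "https://www.google.com"'

ntpd_check_ok()  { printf '%s\n' "$NTPD_OK" | ntpd_boot_check; }
ntpd_check_bad() { printf '%s\n' "$NTPD_NO_CONSTRAINT" | ntpd_boot_check; }

# Live use: ntpd_boot_check /etc/ntpd.conf
```

Note the trade-off the two mechanisms make: a constraint lets ntpd bound the clock using an HTTPS date header from a site whose certificate it can check, while a trusted server is one you have decided to believe unconditionally; a pool entry without either is, by the quoted text, not enough to move the clock at boot.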


Re: wrong pkg_add url after sysupgrade

2019-10-09 Thread Paul de Weerd
On Wed, Oct 09, 2019 at 01:40:42PM +, shadrock uhuru wrote:
| after trying sysupgrade for the first time on my laptop running snapshots
| running the following command returns no such dir.
| 
| doas pkg_add -u
| https://ftp.OpenBSD.org/pub/OpenBSD/6.6/packages/amd64/: no such dir
| pkg_info p5-finance
| https://ftp.OpenBSD.org/pub/OpenBSD/6.6/packages/amd64/: no such dir
| 
| my /etc/installurl has
| cat /etc/installurl
| https://ftp.OpenBSD.org/pub/OpenBSD
| 
| does this need editing
| if so what url should i use ?

Same url, different command: pkg_add -u -Dsnap

Twice a year there's a brief window where snapshots have the name of
the upcoming release.  During that time, you must add -Dsnap to
pkg_add.  It doesn't hurt to have -Dsnap when you're running something
-current or -beta, so if you always run snaps, best to train your
muscle memory to do -Dsnap always :)

Cheers,

Paul 'WEiRD' de Weerd




Re: How can I remove sets installed by sysupgrade?

2019-09-17 Thread Paul de Weerd
On Tue, Sep 17, 2019 at 03:14:22PM +0200, Marc Espie wrote:
| On Tue, Sep 17, 2019 at 01:48:19PM +0200, Paul de Weerd wrote:
| > On Tue, Sep 17, 2019 at 01:27:23PM +0200, Marc Espie wrote:
| > | > By having each set install a specific file in a well-known location.
| > | > Before sysupgrade I wrote my own script to upgrade machines, this uses
| > | > /var/db/sets/{base,comp,game,man,xbase,xfont,xserve,xshare} to
| > | > determine what has been installed and upgrade only those sets.
| > | 
| > | We actually know what file belongs to which set.
| > | see /usr/lib/locate/src.db
| > 
| > This doesn't list files from x-sets.
| 
| ... there's obviously the corresponding database for x in xbase, duh

Right.  Wasn't aware of that one, but doesn't really make it easier:

So, if /usr/lib/locate/src.db exists, we can see if the files that it
knows about can be found on the local filesystem and then per set pick
a file to check for existence.  And if /usr/X11R6/lib/locate/xorg.db
exists, we can do the same for the x-sets.

What if I chose to only install xfont, to use the TTF fonts with my
webserver?  Then I don't have the xorg.db locate database but would
still have a working system, but now you're not upgrading xfont?

The "file to set"-mapping isn't very convenient to determine which sets
were installed and have to be upgraded.  Having each set contain one
small (empty?) file in a known location would make this trivial at a
very small cost.

But I repeat: the argument that not installing all sets gives you a
'non standard' system suggests that this approach isn't viable.

Cheers,

Paul




Re: How can I remove sets installed by sysupgrade?

2019-09-17 Thread Paul de Weerd
On Tue, Sep 17, 2019 at 01:27:23PM +0200, Marc Espie wrote:
| > By having each set install a specific file in a well-known location.
| > Before sysupgrade I wrote my own script to upgrade machines, this uses
| > /var/db/sets/{base,comp,game,man,xbase,xfont,xserve,xshare} to
| > determine what has been installed and upgrade only those sets.
| 
| We actually know what file belongs to which set.
| see /usr/lib/locate/src.db

This doesn't list files from x-sets.

Cheers,

Paul




Re: How can I remove sets installed by sysupgrade?

2019-09-17 Thread Paul de Weerd
On Tue, Sep 17, 2019 at 09:39:00AM +0100, cho...@jtan.com wrote:
| Marc Espie writes:
| > On Tue, Sep 17, 2019 at 09:01:47AM +0100, cho...@jtan.com wrote:
| > > Marc Espie writes:
| > > > I'm a bit surprised nobody looked at instrumenting what sets are actually
| > > > installed on a machine during install/manual upgrade and cloning that
| > > > into sysupgrade to avoid this kind of surprise...
| > > 
| > > I mentioned the possibility wrt. syspatch but it was rejected in favour
| > > of expecting users to run a default system or, in effect, become
| > > developers. Not a stance I entirely agree with but which nevertheless
| > > has its merits.
| >
| > But sysupgrade is a much "simpler" mechanism than syspatch.
| >
| > More importantly,
| > - sysupgrade is definitely about the sets
| > - if you have a non default installation, syspatch happens *at user level*
| > so you have every opportunity to figure out what's going on.
| > Where sysupgrade ? reboot the machine, see your disks overflow. Boom machine
| > kaput.
| 
| The problem boils down to: how does sysupgrade, or any other tool, know
| which sets have been installed?

By having each set install a specific file in a well-known location.
Before sysupgrade I wrote my own script to upgrade machines, this uses
/var/db/sets/{base,comp,game,man,xbase,xfont,xserve,xshare} to
determine what has been installed and upgrade only those sets.

However, the argument that not installing all sets gives you a 'non
standard' system suggests that this approach isn't viable.

Cheers,

Paul 'WEiRD' de Weerd




Re: vmd eating lots of memory

2019-07-26 Thread Paul de Weerd
Just confirmed I can reproduce this on the latest snapshot (both on
host and VMs) on my home workstation:

OpenBSD 6.5-current (GENERIC.MP) #143: Fri Jul 26 00:37:38 MDT 2019

If I use the host to send traffic with tcpbench, traffic rate peaks
around 1Gbit/s (1055.923 Mbps, according to tcpbench), and memory
consumption is growing at a rate that seems to correlate to the
bandwidth used by the tcpbench traffic.

The test is simply `tcpbench -s -p X` on the VM and `tcpbench -p
X vm` on the host.

Paul

On Thu, Jul 25, 2019 at 09:54:22PM +0200, Paul de Weerd wrote:
| A little more follow-up on this vmd-memory-leak issue.
| 
| Comparing the two VMs I have running, I started to stress parts where
| these two hosts differ.  The testvm hardly does any traffic, while the
| undeadly vm sees quite a few visitors on a daily basis, so networking
| may be part of the leak.
| 
| Running tcpbench against this machine (averaging at ~250Mbit/s)
| results in vmd growing by about 80MB to 100MB per minute.  Running
| tcpbench against the testvm has similar results.
| 
| The undeadly VM also has a second disk configured (on slower storage),
| but putting load on that didn't significantly change the memory
| consumption (above the 'expected' growth that I've been seeing).
| 
| The growth during daily(8) runs still confuses me, as that doesn't do
| anything network-related...
| 
| Paul
| 
| On Sat, Jul 20, 2019 at 04:23:27PM +0200, Paul de Weerd wrote:
| | Hi all,
| | 
| | I'm running two vmd(8) VMs:
| | 
| | [weerd@despair] $ cat /etc/vm.conf 
| | vm "undeadly" {
| | owner root
| | memory 2G
| | disk /home/vmm/undeadly.dsk
| | disk /storage/vmm/undeadly.dsk
| | interface switch "vmmswitch" lladdr "fe:e1:bb:02:6b:bf"
| | }
| | 
| | vm "testvm" {
| | owner root
| | memory 2G
| | disk /home/vmm/testvm.dsk
| | interface switch "vmmswitch" lladdr "fe:e1:bb:02:6b:be"
| | }
| | 
| | switch "vmmswitch" {
| | enable
| | interface bridge0
| | }
| | 
| | Both machines have been up since boot of the host machine:
| | 
| | [weerd@despair] $ vmctl status
| |    ID   PID VCPUS  MAXMEM  CURMEM TTY    OWNER    STATE NAME
| |     2 23133     1    2.0G    1.1G ttyp1   root  running testvm
| |     1 42094     1    2.0G    1.5G ttyp0   root  running undeadly
| | [weerd@despair] $ uptime
| |  4:11PM  up 43 days, 57 mins, 12 users, load averages: 0.02, 0.07, 0.07
| | [weerd@despair] $ ssh undeadly uptime
| |  4:11PM  up 43 days, 57 mins, 2 users, load averages: 0.28, 0.12, 0.10
| | [weerd@despair] $ ssh testvm uptime   
| |  4:11PM  up 43 days, 57 mins, 0 users, load averages: 0.00, 0.00, 0.00
| | 
| | However, the undeadly VM consumes significantly more memory than the
| | other VM:
| | 
| | [weerd@despair] $ ps wwwaux | grep -e vm[d] -e [P]ID
| | USER   PID %CPU %MEM      VSZ      RSS TT  STAT  STARTED       TIME COMMAND
| | _vmd 42094  3.7 57.9 28769236 19398792 ??  Ip     7Jun19  4741:37.66 vmd: undeadly (vmd)
| | _vmd  4567  0.0  0.0     1384     1384 ??  Isp    7Jun19     0:00.01 vmd: vmm (vmd)
| | root 84392  0.0  0.0     1564     1436 ??  Isp    7Jun19     0:00.02 /usr/sbin/vmd
| | _vmd 55269  0.0  0.0     1304     1468 ??  Isp    7Jun19     0:00.01 vmd: control (vmd)
| | root 51181  0.0  0.0     1236      928 ??  Is     7Jun19     0:00.01 vmd: priv (vmd)
| | _vmd 23133  0.0  0.2  2100100    70272 ??  Ip     7Jun19  1886:16.18 vmd: testvm (vmd)
| | 
| | All systems run snaps from around the same time:
| | 
| | [weerd@despair] $ sysctl kern.version
| | kern.version=OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun  4 15:05:10 MDT 
2019
| | dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
| | 
| | [weerd@despair] $ ssh undeadly sysctl kern.version
| | kern.version=OpenBSD 6.5-current (GENERIC) #7: Fri Jun  7 00:45:34 MDT 2019
| | dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
| | 
| | [weerd@despair] $ ssh testvm sysctl kern.version
| | kern.version=OpenBSD 6.5-current (GENERIC) #6: Tue Jun  4 14:57:43 MDT 2019
| | dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
| | 
| | So it looks like there's a memory leak, either only for busy VMs or it
| | shows more for busier VMs.  Has anyone seen anything similar on their
| | vmm VMs?
| | 
| | I'll reboot the undeadly VM for now, as other processes are getting
| | killed for out of memory reasons (bgpd, in my case; see end of below
| | dmesg of host machine 'despair').
| | 
| | Paul
| | 
| | --- despair dmesg 
| | OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun  4 15:05:10 MDT 2019
| | dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
| | real mem = 34332733440 (32742MB)
| | avail mem = 33282105344 (31740MB)
| | mpath0 at root
| | scsibus0 at mpath0: 256 targets
| | mainbus0 at root
|

Re: vmd eating lots of memory

2019-07-26 Thread Paul de Weerd
Hi Bryan,

On Fri, Jul 26, 2019 at 04:02:10PM +0900, Bryan Linton wrote:
| On 2019-07-25 13:01:28, Mike Larkin  wrote:
| > On Thu, Jul 25, 2019 at 09:54:22PM +0200, Paul de Weerd wrote:
| > > A little more follow-up on this vmd-memory-leak issue.
| > > 
| > > Comparing the two VMs I have running, I started to stress parts where
| > > these two hosts differ.  The testvm hardly does any traffic, while the
| > > undeadly vm sees quite a few visitors on a daily basis, so networking
| > > may be part of the leak.
| > > 
| > > Running tcpbench against this machine (averaging at ~250Mbit/s)
| > > results in vmd growing by about 80MB to 100MB per minute.  Running
| > > tcpbench against the testvm has similar results.
| > > 
| > > The undeadly VM also has a second disk configured (on slower storage),
| > > but putting load on that didn't significantly change the memory
| > > consumption (above the 'expected' growth that I've been seeing).
| > > 
| > > The growth during daily(8) runs still confuses me, as that doesn't do
| > > anything network-related...
| > > 
| > > Paul
| > > 
| > 
| > I'll try to look for leaks in that area then. Thanks for the report.
| > 
| > -ml
| > 
| 
| To Paul, is it related to disk activity on the VM?  I.e. Does
| doing lots of I/O on the system cause memory usage to increase?

It does not, I specifically tried that (also because the VM with this
issue has two disks, one of them on slower media) but I didn't notice
a difference.

| Can you test it with a snapshot/kernel dated May 7th or earlier?

Not easily on the undeadly production environment.  But I'm building
a test environment at home that I may be able to use for this.

| I CCed both of you into a bug report I just submitted to bugs@
| because I thought it may possibly be related.
| 
|   https://marc.info/?l=openbsd-bugs=156412299418191=2

Yep, saw that.  I can definitely try reverting that diff on my test
environment later today.

| In brief, I'm seeing large amounts of memory being consumed
| followed by a system hang when files are copied to a vnd(4)
| device.
| 
| I don't see it with regular disk I/O, only with vnds.
| 
| If the VMs are using/accessing memory in a similar way to the
| method that vnd(4) does, it might explain why the daily(8) runs
| are causing the memory usage to increase.

I can't really comment on that as I'm not familiar with the
implementation of these parts of the kernel.

| If this is an unrelated issue, then I apologize for the noise.  I
| figured it better to CC both of you in so you could evaluate it on
| your own rather than for me to do nothing.

Cheers,

Paul




Re: vmd eating lots of memory

2019-07-25 Thread Paul de Weerd
A little more follow-up on this vmd-memory-leak issue.

Comparing the two VMs I have running, I started to stress parts where
these two hosts differ.  The testvm hardly does any traffic, while the
undeadly vm sees quite a few visitors on a daily basis, so networking
may be part of the leak.

Running tcpbench against this machine (averaging at ~250Mbit/s)
results in vmd growing by about 80MB to 100MB per minute.  Running
tcpbench against the testvm has similar results.

The undeadly VM also has a second disk configured (on slower storage),
but putting load on that didn't significantly change the memory
consumption (above the 'expected' growth that I've been seeing).

The growth during daily(8) runs still confuses me, as that doesn't do
anything network-related...

Paul

On Sat, Jul 20, 2019 at 04:23:27PM +0200, Paul de Weerd wrote:
| Hi all,
| 
| I'm running two vmd(8) VMs:
| 
| [weerd@despair] $ cat /etc/vm.conf 
| vm "undeadly" {
| owner root
| memory 2G
| disk /home/vmm/undeadly.dsk
| disk /storage/vmm/undeadly.dsk
| interface switch "vmmswitch" lladdr "fe:e1:bb:02:6b:bf"
| }
| 
| vm "testvm" {
| owner root
| memory 2G
| disk /home/vmm/testvm.dsk
| interface switch "vmmswitch" lladdr "fe:e1:bb:02:6b:be"
| }
| 
| switch "vmmswitch" {
| enable
| interface bridge0
| }
| 
| Both machines have been up since boot of the host machine:
| 
| [weerd@despair] $ vmctl status
|    ID   PID VCPUS  MAXMEM  CURMEM TTY    OWNER    STATE NAME
|     2 23133     1    2.0G    1.1G ttyp1   root  running testvm
|     1 42094     1    2.0G    1.5G ttyp0   root  running undeadly
| [weerd@despair] $ uptime
|  4:11PM  up 43 days, 57 mins, 12 users, load averages: 0.02, 0.07, 0.07
| [weerd@despair] $ ssh undeadly uptime
|  4:11PM  up 43 days, 57 mins, 2 users, load averages: 0.28, 0.12, 0.10
| [weerd@despair] $ ssh testvm uptime   
|  4:11PM  up 43 days, 57 mins, 0 users, load averages: 0.00, 0.00, 0.00
| 
| However, the undeadly VM consumes significantly more memory than the
| other VM:
| 
| [weerd@despair] $ ps wwwaux | grep -e vm[d] -e [P]ID
| USER   PID %CPU %MEM      VSZ      RSS TT  STAT  STARTED       TIME COMMAND
| _vmd 42094  3.7 57.9 28769236 19398792 ??  Ip     7Jun19  4741:37.66 vmd: undeadly (vmd)
| _vmd  4567  0.0  0.0     1384     1384 ??  Isp    7Jun19     0:00.01 vmd: vmm (vmd)
| root 84392  0.0  0.0     1564     1436 ??  Isp    7Jun19     0:00.02 /usr/sbin/vmd
| _vmd 55269  0.0  0.0     1304     1468 ??  Isp    7Jun19     0:00.01 vmd: control (vmd)
| root 51181  0.0  0.0     1236      928 ??  Is     7Jun19     0:00.01 vmd: priv (vmd)
| _vmd 23133  0.0  0.2  2100100    70272 ??  Ip     7Jun19  1886:16.18 vmd: testvm (vmd)
| 
| All systems run snaps from around the same time:
| 
| [weerd@despair] $ sysctl kern.version
| kern.version=OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun  4 15:05:10 MDT 2019
| dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
| 
| [weerd@despair] $ ssh undeadly sysctl kern.version
| kern.version=OpenBSD 6.5-current (GENERIC) #7: Fri Jun  7 00:45:34 MDT 2019
| dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
| 
| [weerd@despair] $ ssh testvm sysctl kern.version
| kern.version=OpenBSD 6.5-current (GENERIC) #6: Tue Jun  4 14:57:43 MDT 2019
| dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
| 
| So it looks like there's a memory leak, either only for busy VMs or it
| shows more for busier VMs.  Has anyone seen anything similar on their
| vmm VMs?
| 
| I'll reboot the undeadly VM for now, as other processes are getting
| killed for out of memory reasons (bgpd, in my case; see end of below
| dmesg of host machine 'despair').
| 
| Paul
| 
| --- despair dmesg 
| OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun  4 15:05:10 MDT 2019
| dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
| real mem = 34332733440 (32742MB)
| avail mem = 33282105344 (31740MB)
| mpath0 at root
| scsibus0 at mpath0: 256 targets
| mainbus0 at root
| bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe66d0 (57 entries)
| bios0: vendor Dell Inc. version "1.2.3" date 07/21/2011
| bios0: Dell Inc. PowerEdge R210 II
| acpi0 at bios0: rev 2
| acpi0: sleep states S0 S4 S5
| acpi0: tables DSDT FACP SPMI ASF! HPET APIC MCFG BOOT SSDT ASPT SSDT SSDT 
SPCR DMAR HEST ERST BERT EINJ
| acpi0: wakeup devices P0P1(S4) GLAN(S0) EHC1(S4) EHC2(S4) PXSX(S4) RP01(S5) 
PXSX(S4) RP02(S5) PXSX(S4) RP03(S5) PXSX(S4) RP04(S5) PXSX(S4) RP05(S5) 
PXSX(S4) RP06(S5) [...]
| acpitimer0 at acpi0: 3579545 Hz, 24 bits
| acpihpet0 at acpi0: 14318179 Hz
| acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
| cpu0 at mainbus0: apid 0 (boot processor)
| cpu0: Intel(R) Xeon(R) CPU E31260L @ 2.40GHz, 2400.39 MHz, 06-2a-07
| cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8

Re: vmd eating lots of memory

2019-07-21 Thread Paul de Weerd
On Sun, Jul 21, 2019 at 10:46:06AM +0200, Paul de Weerd wrote:
| on both VMs and host.  If the problem was there too, it didn't affect
| anything else on the system until I upgraded.

Forgot to make explicit: the other vm remains at a constant memory
footprint; also while running /etc/daily

Paul




Re: vmd eating lots of memory

2019-07-21 Thread Paul de Weerd
Hi Mike,

On Sat, Jul 20, 2019 at 10:23:02AM -0700, Mike Larkin wrote:
| Did this just start happening? Nothing relevant has changed in vmd(8) recently
| that would cause this, from what I remember.

Prior to this kernel version, I was running

OpenBSD 6.5 (GENERIC.MP) #847: Tue Apr  9 09:12:46 MDT 2019

on both VMs and host.  If the problem was there too, it didn't affect
anything else on the system until I upgraded.

Now that I've found this, I started measuring a bit more.  It looks
like the vmd for undeadly consumes about 8 to 10 MB per hour
(approximately 2MB per 15 minutes, my sample interval).  It varies
quite a bit, and there's a big spike around when /etc/daily runs of
340 MB and 74 MB.

I'm attaching my samples so far, they're epoch + the VSZ column from
ps for the vmd process per line.

Is there anything else I can collect that can help debug this?

Thanks,

Paul

1563659689 2207536
1563659712 2207568
1563660312 2210584
1563660912 2213136
1563661512 2215732
1563662112 2218504
1563662713 2220980
1563663313 2223704
1563663913 2226748
1563664513 2228976
1563665113 2231824
1563665713 2572920
1563666313 2647712
1563666913 2650232
1563667514 2653052
1563668114 2655504
1563668714 2658308
1563669314 2661260
1563669914 2663836
1563670514 2666324
1563671114 2668944
1563671714 2671452
1563672314 2673780
1563672914 2676392
1563673514 2678700
1563674114 2680980
1563674714 2683788
1563675314 2685924
1563675914 2688648
1563676514 2691404
1563677114 2693676
1563677715 2695844
1563678315 2697920
1563678915 2699868
1563679515 2701944
1563680115 2703868
1563680715 2705668
1563681315 2707488
1563681915 2709712
1563682515 2711472
1563683115 2713196
1563683715 2715432
1563684315 2717280
1563684915 2719156
1563685515 2721528
1563686115 2723672
1563686715 2725828
1563687315 2727812
1563687915 2729848
1563688515 2731488
1563689116 2735600
1563689716 2737380
1563690316 2739648
1563690916 2742280
1563691516 2744240
1563692116 2746120
1563692716 2748192
1563693316 2750148
1563693916 2752156
1563694516 2754424
1563695116 2757576
1563695716 2760144
1563696316 2762860
1563696916 2764992
1563697516 2767408
1563698116 2769756
1563698716 2771680
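The attached samples are exactly the kind of data that turns "it grows" into a number. The script below is an added example, not from this thread or from OpenBSD: a collector that appends "epoch VSZ" lines for a pid with ps(1) the way the attachment was made, and a report that computes the overall growth rate, separates one-off jumps (the /etc/daily spike) from the steady drift, and gives the drift rate on its own, which is the number to correlate with traffic. It is run over the first 14 samples of the attachment above, which cover the jump. The names sample_vsz, vmd_leak_report, vmd_leak_report_sample and VMD_SAMPLES are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): turn a log of "epoch VSZ" samples like
# the attachment above into a leak rate, and separate the steady drift from
# one-off jumps (the /etc/daily spike).  Includes a collector that produces
# such samples with ps(1).  Names are this example's own.

# Append one "epoch vsz_kb" line for a process to a file; run it from cron,
# e.g. every 15 minutes:  */15 * * * * /path/to/script 42094 /var/log/vmd-vsz.log
sample_vsz() {
    printf '%s %s\n' "$(date +%s)" "$(ps -o vsz= -p "$1")" >> "$2"
}

# Reads samples on stdin.  $1 is the jump threshold in KB between two
# consecutive samples (default 51200 = 50 MB).  Prints one "spike" line per
# jump, then totals; "baseline_kb_h" is the growth rate with the spikes left
# out.
vmd_leak_report() {
    awk -v thr="${1:-51200}" '
        NF == 2 && $1 ~ /^[0-9]+$/ {
            n++
            if (n == 1) { t0 = $1; v0 = $2 }
            else {
                dt = $1 - pt; dv = $2 - pv
                if (dv > thr) printf "spike %d %d\n", $1, dv
                else { bt += dt; bv += dv }
            }
            pt = $1; pv = $2
        }
        END {
            if (n < 2) { print "need at least two samples"; exit 1 }
            span = pt - t0; total = pv - v0
            printf "samples %d\n", n
            printf "span_s %d\n", span
            printf "total_kb %d\n", total
            printf "rate_kb_h %d\n", int(total * 3600 / span)
            if (bt > 0) printf "baseline_kb_h %d\n", int(bv * 3600 / bt)
        }
    '
}

# The first 14 samples from the attachment above (undeadly vmd VSZ in KB),
# which cover the /etc/daily jump.
VMD_SAMPLES='1563659712 2207568
1563660312 2210584
1563660912 2213136
1563661512 2215732
1563662112 2218504
1563662713 2220980
1563663313 2223704
1563663913 2226748
1563664513 2228976
1563665113 2231824
1563665713 2572920
1563666313 2647712
1563666913 2650232
1563667514 2653052'

vmd_leak_report_sample() { printf '%s\n' "$VMD_SAMPLES" | vmd_leak_report; }

# Live use: vmd_leak_report < /var/log/vmd-vsz.log
```

On these 14 samples the report flags the two jumps of 341096 KB and 74792 KB (the 340 MB and 74 MB mentioned above), an overall rate of about 200 MB per hour that is dominated by them, and a baseline of about 16 MB per hour once they are excluded. VSZ is the column Paul sampled; for a leak in the process itself RSS is the more telling one, but for a vmd process RSS also includes guest memory the VM touches, so either needs the same spike-aware reading.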


vmd eating lots of memory

2019-07-20 Thread Paul de Weerd
Hi all,

I'm running two vmd(8) VMs:

[weerd@despair] $ cat /etc/vm.conf 
vm "undeadly" {
owner root
memory 2G
disk /home/vmm/undeadly.dsk
disk /storage/vmm/undeadly.dsk
interface switch "vmmswitch" lladdr "fe:e1:bb:02:6b:bf"
}

vm "testvm" {
owner root
memory 2G
disk /home/vmm/testvm.dsk
interface switch "vmmswitch" lladdr "fe:e1:bb:02:6b:be"
}

switch "vmmswitch" {
enable
interface bridge0
}

Both machines have been up since boot of the host machine:

[weerd@despair] $ vmctl status
   ID   PID VCPUS  MAXMEM  CURMEM TTY   OWNER    STATE NAME
    2 23133     1    2.0G    1.1G ttyp1 root   running testvm
    1 42094     1    2.0G    1.5G ttyp0 root   running undeadly
[weerd@despair] $ uptime
 4:11PM  up 43 days, 57 mins, 12 users, load averages: 0.02, 0.07, 0.07
[weerd@despair] $ ssh undeadly uptime
 4:11PM  up 43 days, 57 mins, 2 users, load averages: 0.28, 0.12, 0.10
[weerd@despair] $ ssh testvm uptime   
 4:11PM  up 43 days, 57 mins, 0 users, load averages: 0.00, 0.00, 0.00

However, the undeadly VM consumes significantly more memory than the
other VM:

[weerd@despair] $ ps wwwaux | grep -e vm[d] -e [P]ID
USER   PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED   TIME COMMAND
_vmd 42094  3.7 57.9 28769236 19398792 ??  Ip   7Jun19  4741:37.66 vmd: undeadly (vmd)
_vmd  4567  0.0  0.0     1384     1384 ??  Isp  7Jun19     0:00.01 vmd: vmm (vmd)
root 84392  0.0  0.0     1564     1436 ??  Isp  7Jun19     0:00.02 /usr/sbin/vmd
_vmd 55269  0.0  0.0     1304     1468 ??  Isp  7Jun19     0:00.01 vmd: control (vmd)
root 51181  0.0  0.0     1236      928 ??  Is   7Jun19     0:00.01 vmd: priv (vmd)
_vmd 23133  0.0  0.2  2100100    70272 ??  Ip   7Jun19  1886:16.18 vmd: testvm (vmd)

All systems run snaps from around the same time:

[weerd@despair] $ sysctl kern.version
kern.version=OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun  4 15:05:10 MDT 2019
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

[weerd@despair] $ ssh undeadly sysctl kern.version
kern.version=OpenBSD 6.5-current (GENERIC) #7: Fri Jun  7 00:45:34 MDT 2019
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

[weerd@despair] $ ssh testvm sysctl kern.version
kern.version=OpenBSD 6.5-current (GENERIC) #6: Tue Jun  4 14:57:43 MDT 2019
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

So it looks like there's a memory leak, either only for busy VMs or it
shows more for busier VMs.  Has anyone seen anything similar on their
vmm VMs?

I'll reboot the undeadly VM for now, as other processes are getting
killed for out of memory reasons (bgpd, in my case; see end of below
dmesg of host machine 'despair').

Paul

--- despair dmesg 
OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun  4 15:05:10 MDT 2019
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34332733440 (32742MB)
avail mem = 33282105344 (31740MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe66d0 (57 entries)
bios0: vendor Dell Inc. version "1.2.3" date 07/21/2011
bios0: Dell Inc. PowerEdge R210 II
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP SPMI ASF! HPET APIC MCFG BOOT SSDT ASPT SSDT SSDT SPCR DMAR HEST ERST BERT EINJ
acpi0: wakeup devices P0P1(S4) GLAN(S0) EHC1(S4) EHC2(S4) PXSX(S4) RP01(S5) PXSX(S4) RP02(S5) PXSX(S4) RP03(S5) PXSX(S4) RP04(S5) PXSX(S4) RP05(S5) PXSX(S4) RP06(S5) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E31260L @ 2.40GHz, 2400.39 MHz, 06-2a-07
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU E31260L @ 2.40GHz, 2400.02 MHz, 06-2a-07
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: 
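As an added example (not part of the original thread), a small Python checker for the situation in the post above: it parses the `vmctl status` and `ps wwwaux` output formats shown there, flags any VM whose vmd process RSS exceeds its configured MAXMEM by more than a slack allowance, and computes RSS growth per hour from a series of `epoch rss_kb` samples. The slack value and the sample series are assumptions; the sample series is constructed.

```python
import re

# The per-VM vmd(8) process shows up in ps(1) as "vmd: <name> (vmd)".  vmd's
# own helper processes (vmm, control, priv) use the same pattern, so only
# names that vmctl(8) lists as VMs are reported by find_bloated().
VMD_CMD_RE = re.compile(r"^vmd: (?P<name>\S+) \(vmd\)$")

# vmctl status / ps wwwaux output as shown in the post (host "despair").
VMCTL_STATUS = """\
   ID   PID VCPUS  MAXMEM  CURMEM TTY   OWNER    STATE NAME
    2 23133     1    2.0G    1.1G ttyp1 root   running testvm
    1 42094     1    2.0G    1.5G ttyp0 root   running undeadly
"""

PS_OUTPUT = """\
USER   PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED   TIME COMMAND
_vmd 42094  3.7 57.9 28769236 19398792 ??  Ip   7Jun19  4741:37.66 vmd: undeadly (vmd)
_vmd  4567  0.0  0.0     1384     1384 ??  Isp  7Jun19     0:00.01 vmd: vmm (vmd)
root 84392  0.0  0.0     1564     1436 ??  Isp  7Jun19     0:00.02 /usr/sbin/vmd
_vmd 55269  0.0  0.0     1304     1468 ??  Isp  7Jun19     0:00.01 vmd: control (vmd)
root 51181  0.0  0.0     1236      928 ??  Is   7Jun19     0:00.01 vmd: priv (vmd)
_vmd 23133  0.0  0.2  2100100    70272 ??  Ip   7Jun19  1886:16.18 vmd: testvm (vmd)
"""

# Constructed "epoch rss_kb" samples, one every 600 s, in the shape of the
# per-line ps samples the poster collected (the values are made up).
RSS_SAMPLES = """\
1563659689 2207536
1563660289 2210536
1563660889 2213536
1563661489 2216536
"""


def parse_size(text):
    """Convert a vmctl(8) size such as '2.0G' to bytes."""
    units = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}
    if text and text[-1].upper() in units:
        return int(float(text[:-1]) * units[text[-1].upper()])
    return int(text)


def parse_vmctl_status(text):
    """Return {vm_name: maxmem_bytes} from `vmctl status` output."""
    limits = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] == "ID":
            continue  # header or blank line
        limits[fields[8]] = parse_size(fields[3])
    return limits


def parse_ps_vmd(text):
    """Return {name: rss_bytes} for every "vmd: <name> (vmd)" process.

    The COMMAND column may contain spaces, so only the first ten
    whitespace-separated fields are split off; the rest is the command."""
    rss = {}
    for line in text.splitlines():
        fields = line.split(None, 10)
        if len(fields) < 11:
            continue
        m = VMD_CMD_RE.match(fields[10].strip())
        if m:
            rss[m.group("name")] = int(fields[5]) * 1024  # ps reports RSS in KB
    return rss


def find_bloated(limits, rss, slack_bytes=512 * 1024 ** 2):
    """Names of VMs whose vmd RSS exceeds MAXMEM by more than slack_bytes.

    The 512 MB allowance for vmd's own bookkeeping is an assumption, not a
    documented figure; tune it for your hosts."""
    return sorted(name for name, r in rss.items()
                  if name in limits and r > limits[name] + slack_bytes)


def rss_growth_kb_per_hour(text):
    """Average RSS growth in KB/hour over 'epoch rss_kb' lines."""
    samples = [tuple(int(x) for x in ln.split())
               for ln in text.splitlines() if ln.strip()]
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    (t0, r0), (t1, r1) = samples[0], samples[-1]
    if t1 <= t0:
        raise ValueError("samples must be in increasing time order")
    return (r1 - r0) * 3600.0 / (t1 - t0)


if __name__ == "__main__":
    limits = parse_vmctl_status(VMCTL_STATUS)
    rss = parse_ps_vmd(PS_OUTPUT)
    for name in sorted(limits):
        print(f"{name}: maxmem {limits[name] >> 20} MB, "
              f"vmd RSS {rss.get(name, 0) >> 20} MB")
    print("over limit:", find_bloated(limits, rss))  # ['undeadly']
    print(f"growth: {rss_growth_kb_per_hour(RSS_SAMPLES):.0f} KB/hour")
```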

Re: Newer snapshots on ALIX

2019-06-21 Thread Paul de Weerd
Hi Claudio, others,

First off, let me apologize for the severe lack of details in my
previous post.  I thought to quickly check if anyone else had seen
what I'm seeing.

I've gone to my archive of snapshots and extracted all the pxeboot's
from every snapshot I have, a total of 1972 snapshots over the last 4+
years.  I found 91 different pxe bootloaders, so at most 7 attempts to
find the breaking one :)  As I only have an archive of amd64
installers, I used the amd64 pxeboot (even though ALIX is an i386
platform, the bootloader from amd64 has worked fine - and I did verify
the i386 pxeboot from 6.5 and the latest snapshot have the same
behaviour).

My method was using the pxeboot loader to boot bsd.rd from the local
storage.  The only change I made between reboots was installing a
different version of pxeboot on my tftp server.

With a reasonable starting guess, I brought it down to 5 attempts.
First to fail is the pxeboot from the snapshot dated 2019-04-10 at
18:10:42, kernel build number 817.  This shows some extra information
during boot though:

>> OpenBSD/amd64 PXEBOOT 3.43
boot> boot hd0a:/bsd.rd
booting hd0a:/bsd.rd: 3107327+1352704+3362824+0+458752 [363419+98+289008+28303]=0x8cc8a0
64 bit entry point at 0x2000d4
entry = 0x2000d4
kern_pml4 = 0
kern_pml3 = 0
kern_pml2 = 1
kern_pml1 = 0
end of bootstrap page tables = 0xa

The pxeboot from the snapshot before that (kernel build time
2019-04-10 at 11:52:59, with kernel build number 816) shows:

>> OpenBSD/amd64 PXEBOOT 3.42
boot> boot hd0a:/bsd.rd
booting hd0a:/bsd.rd: 3107327+1352704+3362824+0+458752 [363419+98+289008+28303]=0x8cc8a0
entry point at 0x2000d4

Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2018 OpenBSD. All rights reserved.  https://www.OpenBSD.org

The next (different) pxeboot from the snapshot with the kernel built
on 2019-04-12 at 20:40:53 (kernel build number 0) gets stuck at the
`entry point at 0x2000d4` again:

>> OpenBSD/amd64 PXEBOOT 3.43
boot> boot hd0a:/bsd.rd
booting hd0a:/bsd.rd: 3107327+1352704+3362824+0+458752 [363419+98+289008+28303]=0x8cc8a0
entry point at 0x2000d4



So, I was looking at commits to the boot code at or shortly after
April 10.  The only one I see is this one, where Florian brings
sys/stand/boot/boot.c to version 1.48:

--
Modified files:
sys/stand/boot : boot.c

Log message:
Unbreak "boot bsd.up" line in /etc/boot.conf
Found the hard way by Raf Czlonka (rczlonka AT gmail), thanks!
OK deraadt
--

But I don't see how Florian's change could break things this way.
I'll try a revert, but it's going to take a bit of time to configure
my build environment and to figure out how to make the pxe bootloader.
If anyone has any suggestions in the meantime, I'm eager to hear
them.

Thanks,

Paul

On Wed, Jun 19, 2019 at 08:55:06AM +0200, Claudio Jeker wrote:
| On Wed, Jun 19, 2019 at 08:37:28AM +0200, Paul de Weerd wrote:
| > Morning folks,
| > 
| > I ran into a problem after upgrading my ALIX to a more recent snapshot
| > in that it won't boot anymore.  It gets to "entry point 0x2d0" and
| > then stops.  I tried using the PXE bootloader to load the local kernel
| > from disk (both bsd and bsd.rd) and to load kernels from tftp, but all
| > fails in similar ways with the entry point being the last output.
| > 
| > I grabbed another ALIX to test, but I'm afraid I screwed that one up
| > and now that one doesn't boot either anymore.  This is probably user
| > error, but now I'd like to confirm: has anyone successfully upgraded
| > their ALIX to a recent snapshot?
| > 
| > It could be that my hardware is dying on me (I should find my piggy
| > bank for some nickels), so confirmation that this still works for
| > others is appreciated.
| > 
| 
| There were some boot(8) changes so try some older pxeboot from 6.4, 6.5 or
| the snapshot archive to see when the breakage was introduced.






Newer snapshots on ALIX

2019-06-19 Thread Paul de Weerd
Morning folks,

I ran into a problem after upgrading my ALIX to a more recent snapshot
in that it won't boot anymore.  It gets to "entry point 0x2d0" and
then stops.  I tried using the PXE bootloader to load the local kernel
from disk (both bsd and bsd.rd) and to load kernels from tftp, but all
fails in similar ways with the entry point being the last output.

I grabbed another ALIX to test, but I'm afraid I screwed that one up
and now that one doesn't boot either anymore.  This is probably user
error, but now I'd like to confirm: has anyone successfully upgraded
their ALIX to a recent snapshot?

It could be that my hardware is dying on me (I should find my piggy
bank for some nickels), so confirmation that this still works for
others is appreciated.

Paul




Re: "ucode too large"

2019-06-07 Thread Paul de Weerd
Hi Claudio, Jonathan,

Thank you both for the diff - it has fixed the 'ucode too large'
problem (this machine uses biosboot, not UEFI), and has made a
difference in dmesg:

cpu[01] both gained flags MD_CLEAR,TSXFA,L1DF,SSBD

And further down this changed:

-cpu0: using Skylake AVX MDS workaround
+cpu0: using VERW MDS workaround (except on vmm entry)

-vmm0 at mainbus0: VMX/EPT (using slow L1TF mitigation)
+vmm0 at mainbus0: VMX/EPT

Full dmesg below.

Thanks!

Paul

OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun  4 15:05:10 MDT 2019
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34263703552 (32676MB)
avail mem = 33215160320 (31676MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x8d717000 (86 entries)
bios0: vendor American Megatrends Inc. version "5.12" date 05/28/2018
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC FPDT MCFG SSDT FIDT SSDT HPET SSDT SSDT UEFI SSDT LPIT WSMT SSDT SSDT SSDT SSDT DBGP DBG2 SPCR DMAR ASF!
acpi0: wakeup devices PS2K(S0) PS2M(S0) PXSX(S0) RP09(S0) PXSX(S0) RP10(S0) PXSX(S0) RP11(S0) PXSX(S0) RP12(S0) PXSX(S0) RP13(S0) PXSX(S0) RP01(S0) PXSX(S0) RP02(S0) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2395.13 MHz, 06-8e-09
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2394.43 MHz, 06-8e-09
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpihpet0 at acpi0: 2399 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG0)
acpiprt2 at acpi0: bus -1 (PEG1)
acpiprt3 at acpi0: bus -1 (PEG2)
acpiprt4 at acpi0: bus -1 (RP09)
acpiprt5 at acpi0: bus -1 (RP10)
acpiprt6 at acpi0: bus -1 (RP11)
acpiprt7 at acpi0: bus -1 (RP12)
acpiprt8 at acpi0: bus -1 (RP13)
acpiprt9 at acpi0: bus 1 (RP01)
acpiprt10 at acpi0: bus 2 (RP02)
acpiprt11 at acpi0: bus 3 (RP03)
acpiprt12 at acpi0: bus 4 (RP04)
acpiprt13 at acpi0: bus 5 (RP05)
acpiprt14 at acpi0: bus 6 (RP06)
acpiprt15 at acpi0: bus -1 (RP07)
acpiprt16 at acpi0: bus -1 (RP08)
acpiprt17 at acpi0: bus -1 (RP17)
acpiprt18 at acpi0: bus -1 (RP18)
acpiprt19 at acpi0: bus -1 (RP19)
acpiprt20 at acpi0: bus -1 (RP20)
acpiprt21 at acpi0: bus -1 (RP21)
acpiprt22 at acpi0: bus -1 (RP22)
acpiprt23 at acpi0: bus -1 (RP23)
acpiprt24 at acpi0: bus -1 (RP24)
acpiprt25 at acpi0: bus -1 (RP14)
acpiprt26 at acpi0: bus -1 (RP15)
acpiprt27 at acpi0: bus -1 (RP16)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: WRST
acpipwrres1 at acpi0: WRST
acpipwrres2 at acpi0: WRST
acpipwrres3 at acpi0: WRST
acpipwrres4 at acpi0: WRST
acpipwrres5 at acpi0: WRST
acpipwrres6 at acpi0: WRST
acpipwrres7 at acpi0: WRST
acpipwrres8 at acpi0: WRST
acpipwrres9 at acpi0: WRST
acpipwrres10 at acpi0: WRST
acpipwrres11 at acpi0: WRST
acpipwrres12 at acpi0: WRST
acpipwrres13 at acpi0: WRST
acpipwrres14 at acpi0: WRST
acpipwrres15 at acpi0: WRST
acpipwrres16 at acpi0: WRST
acpipwrres17 at acpi0: WRST
acpipwrres18 at acpi0: WRST
acpipwrres19 at acpi0: WRST
acpipwrres20 at acpi0: FN00, resource for FAN0
acpipwrres21 at acpi0: FN01, resource for FAN1
acpipwrres22 at acpi0: FN02, resource for FAN2
acpipwrres23 at acpi0: FN03, resource for FAN3
acpipwrres24 at acpi0: FN04, resource for FAN4
acpitz0 at acpi0: critical temperature is 119 degC
acpitz1 at 

"ucode too large"

2019-06-07 Thread Paul de Weerd
I've just replaced my home gateway with a brandless machine with an
i5-7200U.  While preparing, I noticed the message "ucode too large"
scrolling by on the serial console, just before the kernel starts.

The dmesg shows cpu0 as mode 06-8e-09:

cpu0: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2395.19 MHz, 06-8e-09

While /etc/firmware/intel/06-8e-09 is the biggest file in that
directory (at 193kB), so this probably has something to do with that
and the MDS "fun".

Machine works fine as far as I can tell (typing this mail over an SSH
session through it).

Cheers,

Paul 'WEiRD' de Weerd

OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun  4 15:05:10 MDT 2019
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34263703552 (32676MB)
avail mem = 33215164416 (31676MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x8d717000 (86 entries)
bios0: vendor American Megatrends Inc. version "5.12" date 05/28/2018
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC FPDT MCFG SSDT FIDT SSDT HPET SSDT SSDT UEFI SSDT LPIT WSMT SSDT SSDT SSDT SSDT DBGP DBG2 SPCR DMAR ASF!
acpi0: wakeup devices PS2K(S0) PS2M(S0) PXSX(S0) RP09(S0) PXSX(S0) RP10(S0) PXSX(S0) RP11(S0) PXSX(S0) RP12(S0) PXSX(S0) RP13(S0) PXSX(S0) RP01(S0) PXSX(S0) RP02(S0) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2395.19 MHz, 06-8e-09
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2394.44 MHz, 06-8e-09
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpihpet0 at acpi0: 2399 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG0)
acpiprt2 at acpi0: bus -1 (PEG1)
acpiprt3 at acpi0: bus -1 (PEG2)
acpiprt4 at acpi0: bus -1 (RP09)
acpiprt5 at acpi0: bus -1 (RP10)
acpiprt6 at acpi0: bus -1 (RP11)
acpiprt7 at acpi0: bus -1 (RP12)
acpiprt8 at acpi0: bus -1 (RP13)
acpiprt9 at acpi0: bus 1 (RP01)
acpiprt10 at acpi0: bus 2 (RP02)
acpiprt11 at acpi0: bus 3 (RP03)
acpiprt12 at acpi0: bus 4 (RP04)
acpiprt13 at acpi0: bus 5 (RP05)
acpiprt14 at acpi0: bus 6 (RP06)
acpiprt15 at acpi0: bus -1 (RP07)
acpiprt16 at acpi0: bus -1 (RP08)
acpiprt17 at acpi0: bus -1 (RP17)
acpiprt18 at acpi0: bus -1 (RP18)
acpiprt19 at acpi0: bus -1 (RP19)
acpiprt20 at acpi0: bus -1 (RP20)
acpiprt21 at acpi0: bus -1 (RP21)
acpiprt22 at acpi0: bus -1 (RP22)
acpiprt23 at acpi0: bus -1 (RP23)
acpiprt24 at acpi0: bus -1 (RP24)
acpiprt25 at acpi0: bus -1 (RP14)
acpiprt26 at acpi0: bus -1 (RP15)
acpiprt27 at acpi0: bus -1 (RP16)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: WRST
acpipwrres1 at acpi0: WRST
acpipwrres2 at acpi0: WRST
acpipwrres3 at acpi0: WRST
acpipwrres4 at acpi0: WRST
acpipwrres5 at acpi0: WRST
acpipwrres6 at acpi0: WRST
acpipwrres7 at acpi0: WRST
acpipwrres8 at acpi0: WRST
acpipwrres9 at acpi0: WRST
acpipwrres10 at acpi0: WRST
acpipwrres11 at acpi0: WRST
acpipwrres12 at acpi0: WRST
acpipwrres13 at acpi0: WRST
acpipwrres14 at acpi0: WRST
acpipwrres15 at acpi0: WRST
acpipwrres16 at acpi0: WRST
acpipwrres17 at acpi0: WRST
acpipwrres18 at acpi0: WRST
acpipwrres19 at acpi0: WRST
acpipwrres20 at acpi0: FN00, resource for FAN0
acpipwrres21 at acpi0: FN01, resource for FAN1
acpipwrres22 at acpi0: FN02, resource for FAN2
acpipwrres23 at acpi0: FN03, resource for FAN3
acpipwrres24 at acpi0: FN04, resource 

Re: Activating second crypted (or other raid) device

2019-05-06 Thread Paul de Weerd
On Sun, May 05, 2019 at 05:41:38PM -0400, trondd wrote:
| It's really not that big of a deal to call 'fsck' and 'mount' yourself in
| rc.local.

It's not, but it would be nice if this could be done automatically
somehow, for services that start at boot (e.g. httpd) that need data
on other softraid crypto devices.

Doing an `rcctl restart httpd` in /etc/rc.local right after the fsck
and mount seems a bit silly.

| Unless you have system data on /srv (which would be its own inconsistency
| with a standard system) needed during rc.

How about a huge /var/www or /var/ that's not on
your primary softraid crypto device?

| In fstab, I set the RAID partition to noauto and disable automatic fsck. 
| Then in rc.local call 'bioctl blah && fsck UUID.partition && mount /srv'
| 
| I use a password so it's interactive for me and I see if anything goes
| wrong.  Log a message with 'logger' or send an email or whatever if
| something fails for your situation.  Then you're done dealing with this.

I use the -p option to bioctl in a hotplugd(8) attach script to
automatically mount partitions on hot-plugged (USB) disks that use
softraid crypto.  Having a way to do this for extra disks at boot is
something I've briefly looked at in the past but didn't find a nice
solution for.  Maybe Matthew finds something interesting :)

Cheers,

Paul 'WEiRD' de Weerd




Re: 6.5 auto_install fails due to custom /var/tmp?

2019-04-30 Thread Paul de Weerd
On Tue, Apr 30, 2019 at 01:29:47PM -0700, Lyndon Nerenberg wrote:
| > Sadly, no :-(
| >
| > But I should be able to accomplish what I need using rc.firsttime and
| > a tiny bit of hackery.
| 
| Sadly, no :-(
| 
| What I was aiming for was to have the newly installed machines come
| up with a 2GB MFS /tmp and a ~20GB /var/tmp.  But MFS /tmp really
| needs help in the system boot scripts.

Why?  I've been running with MFS /tmp for *years* on several machines.

This indeed required some changes when /var/tmp was changed into a
symlink to /tmp, but that was really no issue at all.

There's very little difference between a /tmp on disk and a /tmp in
RAM (through mfs): both get mounted during boot at the same time.

[weerd@pom] $ grep /tmp /etc/fstab
swap /tmp mfs rw,nodev,noatime,async,nosuid,-s=8388608
[weerd@pom] $ df -h /tmp
Filesystem SizeUsed   Avail Capacity  Mounted on
mfs:12547  3.9G227M3.5G 6%/tmp

| The critical part for us is that /var/tmp not overwhelm /var, and
| we can get that with the current scheme by sizing /tmp accordingly.

Having /var/tmp not overwhelm /var is accomplished by having /var/tmp
symlink to /tmp (assuming /var and /tmp are on separate filesystems).
If you need more room in /var/tmp than you want to assign to your MFS
/tmp, then you need a different solution - but that's probably
something that can also be solved in a different way (don't use
/var/tmp for temporary storage, but another (dedicated) location for
whatever needs to write so much there).

Cheers,

Paul 'WEiRD' de Weerd




Re: Good options for SAS HBA or SATA expansion cards?

2019-04-12 Thread Paul de Weerd
On Fri, Apr 12, 2019 at 10:29:33AM -0400, Allan Streib wrote:
| Paul de Weerd  writes:
| 
| > Not exactly what you're looking for, but I have a startech.com 2 Port
| > SATA 6Gbps PCI Express eSATA controller card [1].  I use this to
| > (occasionally) connect an external disk shelf (using a port
| > multiplier) to my machine.
| 
| Incidentally, does OpenBSD support hot-plugging external drive on eSATA
| ports?

Not that I'm aware of.  I've never tried (or had the need, with my
specific setup).

| I had a similar StarTech card and it worked fine if the external drive
| was attached and powered up at boot but did not recognize it if attached
| later. But was probably around 6.1 release if not older the last time I
| tried that.

I don't think anything has changed in this regard, nothing that has
been committed suggested adding support for hot swapping (e)SATA
devices.

Cheers,

Paul




Re: Good options for SAS HBA or SATA expansion cards?

2019-04-12 Thread Paul de Weerd
Hi John,

On Thu, Apr 11, 2019 at 07:50:36AM +, John Long wrote:
| Can anybody recommend some good 2 or 4 port SATA (internal) expansion
| cards or a SAS HBA that works well with OpenBSD?

Not exactly what you're looking for, but I have a startech.com 2 Port
SATA 6Gbps PCI Express eSATA controller card [1].  I use this to
(occasionally) connect an external disk shelf (using a port
multiplier) to my machine.  OpenBSD detects this as:

ahci0 at pci2 dev 0 function 0 vendor "Marvell", unknown product 0x9128 rev 0x20: msi, AHCI 1.2
ahci0: port 7: 1.5Gb/s
scsibus1 at ahci0: 32 targets

So despite being an "unknown product", it's supported by ahci(4) and I
have successfully accessed disks behind it.  The product page says
this uses the Marvell 88SE9128.

This vendor has similar products with internal ports using the same
Marvell chip.  Those may be of use to you.

Cheers,

Paul 'WEiRD' de Weerd

[1]: https://www.startech.com/Cards-Adapters/HDD-Controllers/SATA-Cards/2-Port-SATA-6-Gbps-PCI-Express-eSATA-Controller-Card~PEXESAT32#




Re: Reading suggestions for running graphical X based Linux applications on OpenBSD using a Virtual Machine?

2019-03-17 Thread Paul de Weerd
On Sun, Mar 17, 2019 at 12:37:04PM -0400, Z Ero wrote:
| This should be possible, correct? I understand that vmd does not
| currently support VGA output inside the VM but but I should be able to
| run a headless Linux instance in a VM image hosted on OpenBSD vmm and
| then pipe the graphical output over the virtual network interface to a
| display on the OpenBSD host system. For example if I want to run the
| Linux version of Mathematica this way that should be possible,
| correct? Does anybody know of a configuration tutorial in this area?

After setting up the VM, you could ssh(1) in with the -X or -Y option
to enable X11 forwarding.  See http://man.openbsd.org/ssh#X  Then
running a program that speaks X will work.  At least, it does for me
(but then I run only OpenBSD vm's under OpenBSD).

Make sure to configure sshd in your VM to allow for forwarded X11.
See the section X11Forwarding in sshd_config(5) over at
http://man.openbsd.org/sshd_config#X11Forwarding

Cheers,

Paul 'WEiRD' de Weerd




Re: Creation of fifth dev/tun fails

2019-03-16 Thread Paul de Weerd
On Sat, Mar 16, 2019 at 12:46:36PM +0100, Florian wrote:
| Good afternoon,
| 
| I tried to add a fifth tun interface. ifconfig tun4 create creates a new
| interface visible via ifconfig, however there is no device node under
| dev. Is there a limitation of tun devices? I was able to create tun0 to
| tun3 without any issues.

cd /dev && doas sh MAKEDEV tun4

Cheers,

Paul 'WEiRD' de Weerd

| Thank you for your help.
| 
| Kind regards,
| 
| Florian
| 
| 




Re: chflags error message

2019-01-23 Thread Paul de Weerd
Hi Marcus,

[redirecting to misc@, this is not a bug and all is working as
intended]

By the time your recursive chflags gets to pkg_add, it will already
have the flag.  Note that these flags are per inode, and several files
under /usr/sbin have the same inode:

[weerd@despair] $ cd /usr/sbin; ls -li | grep 134232
134232 -r-xr-xr-x   7 root  bin 1473 Oct 27 03:48 fw_update
134232 -r-xr-xr-x   7 root  bin 1473 Oct 27 03:48 pkg_add
134232 -r-xr-xr-x   7 root  bin 1473 Oct 27 03:48 pkg_check
134232 -r-xr-xr-x   7 root  bin 1473 Oct 27 03:48 pkg_create
134232 -r-xr-xr-x   7 root  bin 1473 Oct 27 03:48 pkg_delete
134232 -r-xr-xr-x   7 root  bin 1473 Oct 27 03:48 pkg_info
134232 -r-xr-xr-x   7 root  bin 1473 Oct 27 03:48 pkg_sign

The recursive operation doesn't pay attention to this implementation
detail, so it first runs chflags against fw_update.  Then when it
finds pkg_add, it'll try to run chflags against it, but now it already
has the flag, so it gives you an error.

You will probably have seen multiple errors while running your
recursive chflags operation.  Same deal there.


Note that running chflags on files in your /usr/sbin directory will
be a problem come upgrade time.  You'll need to remove the flag before
you can upgrade.

Cheers,

Paul 'WEiRD' de Weerd

On Wed, Jan 23, 2019 at 12:46:43PM +, Marcus Pedersén wrote:
| Hi,
| 
| OpenBSD 6.4
| 
| I have a strange behavior on chflags.
| 
| If I run:
| 
| chflags schg /usr/sbin/pkg_add
| 
| This works fine and the schg flag is set.
| 
| 
| But if I run it recursively, as in:
| 
| chflags -R schg /usr/sbin/
| 
| I get the following error on pkg_add and a number of other files:
| 
| chflags: /usr/sbin/pkg_add: Operation is not permitted
| 
| 
| Still the schg flag is set.
| 
| 
| How come I get an error when running recursively but not when I run it on the same single file?
| 
| 
| I hope this will help you and if I have posted to the wrong address I apologize!!
| 
| Please, tell me where to post this if it is wrong!
| 
| 
| Best regards
| 
| Marcus Pedersén
| 
| ---
| When you send e-mail to SLU, this means that SLU processes your personal data. To read more about how this is done, click here

| E-mailing SLU will result in SLU processing your personal data. For more information on how this is done, click here



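As an added example, not from the thread: a Python walk that groups the entries under a directory by (device, inode), the way the hard-linked pkg_* tools in the listing above share inode 134232, and applies an operation only once per inode, so a per-inode attribute is never set twice. The demo tree is constructed in a temporary directory; on OpenBSD the operation could be `os.chflags` with `stat.SF_IMMUTABLE`, which is noted in a comment but not run here.

```python
import os
import tempfile
from collections import defaultdict


def inode_groups(root):
    """Group root and everything below it by (st_dev, st_ino).

    Hard links to one file are separate directory entries sharing one
    inode, so per-inode attributes such as chflags(1) flags are shared by
    all of them.  Symlinks are lstat()ed and not followed, as chflags -R
    does."""
    groups = defaultdict(list)
    st = os.lstat(root)
    groups[(st.st_dev, st.st_ino)].append(root)
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            groups[(st.st_dev, st.st_ino)].append(path)
    return {key: sorted(paths) for key, paths in groups.items()}


def apply_once_per_inode(root, op):
    """Call op(path) for exactly one path of every inode under root.

    A plain recursive pass (chflags -R) calls the operation on every
    directory entry; for hard-linked files the later calls hit an inode
    that already carries the flag, which is the error Paul explains above.
    Returns the number of calls made."""
    calls = 0
    for paths in inode_groups(root).values():
        op(paths[0])
        calls += 1
    return calls


def demo():
    """Build a tree shaped like the /usr/sbin listing above (constructed
    data) and return (entries, distinct inodes, op calls)."""
    with tempfile.TemporaryDirectory() as root:
        fw_update = os.path.join(root, "fw_update")
        with open(fw_update, "w") as fh:
            fh.write("#!/usr/bin/perl\n")
        # pkg_add and pkg_info are hard links to fw_update: same inode.
        os.link(fw_update, os.path.join(root, "pkg_add"))
        os.link(fw_update, os.path.join(root, "pkg_info"))
        with open(os.path.join(root, "unrelated"), "w") as fh:
            fh.write("separate inode\n")
        groups = inode_groups(root)
        touched = []
        # On OpenBSD the real operation would be, for example:
        #   op = lambda p: os.chflags(p, stat.SF_IMMUTABLE)
        calls = apply_once_per_inode(root, touched.append)
        entries = sum(len(p) for p in groups.values())
        return entries, len(groups), calls


if __name__ == "__main__":
    print(demo())  # (5, 3, 3): five entries, three inodes, three calls
```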


Re: IPv6 Multicast Listener Discovery - Listing and Disabling Group Membership

2018-12-18 Thread Paul de Weerd
On Tue, Dec 18, 2018 at 07:13:28PM +, Stuart Henderson wrote:
| On 2018-12-17, Fernando Gont  wrote:
| > On 1/10/18 17:18, Aham Brahmasmi wrote:
| >> Hello misc,
| >> 
| >> Running 6.4-beta from approximately a week ago.
| >> 
| >> 1) How to determine the IPv6 multicast groups which have been joined by
| >> a particular interface?
| >
| > Use ifmcstat
| >
| > But you need to install the corresponding package first.
| >
| > Thanks,
| 
| ifmcstat hasn't worked since 2013, nobody fixed it after a round of
| kernel changes to multicast.

And the port was removed by danj as a result 2 months ago, after
having been marked BROKEN for nearly five years.  In those five years,
nobody complained (at least, not to me), so apparently it wasn't a big
loss :)

Paul 'WEiRD' de Weerd




Re: Unexpected connection with `ifconfig join`

2018-11-02 Thread Paul de Weerd
On Fri, Nov 02, 2018 at 09:43:56AM -0600, Theo de Raadt wrote:
| Evil, as in pure evil?  OK, make a promise you will not use ANY open
| networks for the entire next year, or perhaps your entire life forward.
| Say it here, now, and stick to it. Otherwise it is just rhetoric.

That's easy.  The first time in years that I connected to an open
network was at EuroBSDCon 2018 in Bucharest, where my OpenBSD laptop
(which I started using 'join' on recently) connected to a network
that I'd never seen before without me realizing it.  First time in
YEARS: it's not rhetoric.  I switched back to configuring nwid
manually for the duration of the event.

I don't use open wireless networks, and for all of 2019 I won't use
any open networks either.  I recommend anyone else to do the same.

Paul 'WEiRD' de Weerd




Re: Unexpected connection with `ifconfig join`

2018-11-02 Thread Paul de Weerd
On Fri, Nov 02, 2018 at 10:15:47AM +0100, Stefan Sperling wrote:
| On Thu, Nov 01, 2018 at 04:01:51PM -0400, AB wrote:
| > I've run into a strange problem using ifconfig's new join statements.
| > I have two join lines in /etc/hostname.iwn0, with no nwid statement.
| > When both of these APs are out of range, it connects to a third,
| > unmentioned (open) AP.  This is a network I've manually joined before,
| > but do not want to join automatically.
| 
| Our plan is to address this in -current soon.
| 
| But it won't be changed for 6.4. Some people expect what you expect (open
| networks are opt-in) some people expect the opposite (open networks are
| opt-out). There's no default behaviour we could choose to satisfy everyone.
| So -current will get a toggle...

Hmm.  Open networks are evil.  Those of us who are security conscious
may be OK connecting to open networks and protecting our traffic with
higher layer encryption (VPN / SSH / TLS etc), but the majority of
users need (technological) help to protect their devices.

Even WEP is better than open networks: clients with a configuration
like OpenBSD's join will auto-connect to "known" networks.  They
broadcast the full set of known networks, looking for them frequently
while their wifi nic is on and not connected.  It's trivial to then
configure a network with a matching SSID and have such clients connect
to you, allowing you to capture all their traffic.

But auto connecting to just any open network is just plain evil in
that respect: no conscious action (like plugging in a cable) is
necessary, your traffic can be captured without the user even being
aware.

Again, if you are fully aware of all of these things, then by all
means auto-connect to any open network.  But John or Jane Doe the
random user is NOT aware of these things, and their traffic is now
snooped without them even realizing it.

All this to say: if you must implement such a toggle (I wish you
wouldn't .. let the user manually configure an open network to connect
to if they must), please default to behaviour that is safe for the
user - DO NOT auto connect to unknown networks.

Paul 'WEiRD' de Weerd

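One defensive check that follows from the discussion above, as an added example rather than anything from the thread: a small Python audit of hostname.if(5) join entries that reports which networks would be auto-joined with no link-layer protection. The handling of join, -join, nwid, wpakey and nwkey follows ifconfig(8) as I read it, and the sample file content is constructed.

```python
import shlex

# Constructed hostname.if(5) content for the demo, not a file from the thread.
SAMPLE_HOSTNAME_IF = """\
# wireless config (constructed example)
join home-net wpakey correct-horse-battery-staple
join "Cafe Guest"
join oldlab nwkey 0x0123456789
join conference
-join conference
nwid fallback wpakey another-passphrase
inet autoconf
up
"""

# Options that, on the same line as join/nwid, attach a key to the network.
WPA_OPTS = {"wpakey", "wpa", "wpaakms", "wpaciphers", "wpaprotos"}
WEP_OPTS = {"nwkey"}


def classify_networks(config: str):
    """Walk hostname.if lines in order and return [(nwid, security, auto_join)].

    security is 'wpa', 'wep' or 'open'.  auto_join is True for 'join' entries
    (the interface will connect to them on its own) and False for a plain
    'nwid' line.  A '-join id' line removes an earlier join entry, as
    ifconfig(8) does with its join list."""
    networks = []
    for raw in config.splitlines():
        # strip trailing comments (a '#' inside a quoted key is not handled)
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = shlex.split(line)
        keyword, args = words[0], words[1:]
        if keyword == "-join" and args:
            networks = [n for n in networks if n[0] != args[0]]
            continue
        if keyword not in ("join", "nwid") or not args:
            continue
        opts = set(args[1:])
        if opts & WPA_OPTS:
            security = "wpa"
        elif opts & WEP_OPTS:
            security = "wep"
        else:
            security = "open"
        networks.append((args[0], security, keyword == "join"))
    return networks


def open_auto_joins(config: str):
    """nwids that would be joined automatically with no link-layer
    protection at all: the case the thread argues must stay opt-in."""
    return [n for n, sec, auto in classify_networks(config)
            if auto and sec == "open"]


def weak_auto_joins(config: str):
    """Auto-joined networks that are open or WEP (both trivially captured)."""
    return [(n, sec) for n, sec, auto in classify_networks(config)
            if auto and sec != "wpa"]


if __name__ == "__main__":
    for nwid, sec, auto in classify_networks(SAMPLE_HOSTNAME_IF):
        print(f"{'join' if auto else 'nwid'} {nwid!r}: {sec}")
    print("open auto-joins:", open_auto_joins(SAMPLE_HOSTNAME_IF))
```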



Re: pf.conf: identifying a specific user from dhcpd-table

2018-10-10 Thread Paul de Weerd
On Wed, Oct 10, 2018 at 10:17:21AM -0500, Edgar Pettijohn wrote:
| When looking for pf info I generally just Google Peter Hansteen.

So is Peter misnamed, should he be called Peter Fansteen, or is pf(4)
misnamed, should it be ph(4)?

*confused*

Paul 'WEiRD' de Weerd

SCNR




Re: Clarification about mfs/tmpfs on /tmp

2018-10-10 Thread Paul de Weerd
On Wed, Oct 10, 2018 at 10:20:32AM +0200, Felix Maschek wrote:
| 
| On 10/9/18 11:46 PM, Alexander Hall wrote:
| > On a sidenote, 777 is not the proper permissions for /tmp.
| 
| 
| What is the proper permission for /tmp?

1777 (you need to enable the sticky bit on the directory, see
sticky(8) for more information)

Cheers,

Paul 'WEiRD' de Weerd




Re: Virtual interfaces with own MACs

2018-09-26 Thread Paul de Weerd
On Wed, Sep 26, 2018 at 01:54:40PM +0200, Per-Olov Sjöholm wrote:
| Hi
| 
| I want to receive 2 IPs that are mine from the ISP (I have to supply 2 MACs)
| over DHCP. They have a problem letting me add them permanently without dhcp as
| their snooping blocks my connection if not using dhcp.
| 
| I want to use just one physical interface as I do not have more 10Gbit
| interfaces to spare. Also I want to use fake virtual MAC so I can switch
| hardware without contacting the ISP.
| 
| Is it possible in OpenBSD to create sub interfaces with different MACs on
| them and use dhcp for both? How?

Something similar can be done with a bridge(4), your ISP-interface and
two vether(4) interfaces.

/etc/hostname.ix3
up

/etc/hostname.bridge0
up
add ix3
add vether0
add vether1

/etc/hostname.vether0
up
lladdr yo:ur:ma:ca:dd:re:ss:he:re
dhclient

/etc/hostname.vether1
up
lladdr yo:ur:ma:ca:dd:re:ss:he:re
dhclient


Note that I haven't tried this .. may need some tweaking.

Cheers,

Paul 'WEiRD' de Weerd




Re: Downloadable CIDR network calculator

2018-09-11 Thread Paul de Weerd
On Tue, Sep 11, 2018 at 03:34:40PM -0400, Steve Litt wrote:
| > Also, sthen, since it is 2018 .. you shouldn't be using eui64
| > addressing anymore ;-)
| 
| I'm confused. Was I using eui addressing in the IPV4 version? If I
| shouldn't use eui, what *should* I use instead? My understanding from
| 10 minutes of reading is that eui is a way of auto-setting IP addresses
| within the subnet, based on Mac addresses, which are presumed unique
| within the subnet.

I was just pulling Stuart's leg.  His example IPv6 address was an
EUI-64 address, a 'trick' where your IPv6 address contains the MAC
address of your network interface (48 bits) with one bit changed plus
16 bits of "ff:fe" in the middle.

These days, slaacd(8) configures SOII (Semantically Opaque Interface
Identifiers, see RFC 7217 for details) addresses by default.  It's the
new kool-aid, you should drink it! :)

Paul 'WEiRD' de Weerd

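As an added example (not code from the thread or from slaacd), a Python sketch of the two IID schemes discussed above: recovering the MAC embedded in a modified-EUI-64 address (the leak in the example address quoted earlier) and deriving an RFC 7217 stable opaque IID for a prefix. The PRF choice (HMAC-SHA256), the encoding of Net_Iface/Network_ID and the subset of reserved IIDs checked are my assumptions, not a description of slaacd(8)'s implementation.

```python
import hashlib
import hmac
import ipaddress

# The EUI-64 address quoted earlier in the thread, used here as sample input.
SAMPLE_EUI64_ADDR = "2a02:8011:7003:1:fab1:56ff:feac:3276"


def iid_bytes(addr: str) -> bytes:
    """Low 64 bits of an IPv6 address: the interface identifier."""
    return ipaddress.IPv6Address(addr).packed[8:]


def mac_from_eui64(addr: str):
    """If the IID is modified-EUI-64 (ff:fe inserted in the middle), undo the
    transform and return the embedded MAC; otherwise None.

    This is the leak the thread jokes about: anyone who sees the address
    learns the NIC's hardware address and, via the OUI, its vendor."""
    iid = iid_bytes(addr)
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02          # modified EUI-64 flips the U/L bit
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def is_reserved_iid(iid: bytes) -> bool:
    """Subset of the RFC 5453 reserved IIDs that RFC 7217 says to avoid:
    the subnet-router anycast (all zero) and fdff:ffff:ffff:ff80-ffff.
    (Assumption: a fuller check would also cover the ISATAP range.)"""
    if iid == bytes(8):
        return True
    return iid[:7] == b"\xfd\xff\xff\xff\xff\xff\xff" and iid[7] >= 0x80


def soii_iid(prefix: str, net_iface: str, network_id: str,
             secret_key: bytes, dad_counter: int = 0) -> bytes:
    """RFC 7217: RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).

    F is modelled as HMAC-SHA256 truncated to 64 bits; the field encoding is
    an assumption (RFC 7217 only requires a PRF over these inputs)."""
    pfx = ipaddress.IPv6Network(prefix, strict=False)
    msg = (pfx.network_address.packed[:8]
           + net_iface.encode() + b"\x00"
           + network_id.encode() + b"\x00"
           + dad_counter.to_bytes(4, "big"))
    return hmac.new(secret_key, msg, hashlib.sha256).digest()[:8]


def soii_address(prefix: str, net_iface: str, network_id: str,
                 secret_key: bytes):
    """Full stable-privacy address for a prefix; returns (address, dad_counter).

    DAD_Counter is bumped past reserved IIDs (RFC 7217 section 5), the same
    mechanism used when a real DAD collision occurs."""
    pfx = ipaddress.IPv6Network(prefix, strict=False)
    counter = 0
    while True:
        iid = soii_iid(prefix, net_iface, network_id, secret_key, counter)
        if not is_reserved_iid(iid):
            break
        counter += 1
    addr = ipaddress.IPv6Address(pfx.network_address.packed[:8] + iid)
    return str(addr), counter


def address_in_prefix(addr: str, prefix: str) -> bool:
    """True when addr falls inside prefix (used to check a derived address)."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix, strict=False)


if __name__ == "__main__":
    print("EUI-64 leak:", mac_from_eui64(SAMPLE_EUI64_ADDR))
    key = b"per-host secret key (constructed)"   # slaacd keeps its own secret
    home, _ = soii_address("2a02:8011:7003:1::/64", "em0", "", key)
    cafe, _ = soii_address("2001:db8:cafe:1::/64", "em0", "", key)
    print("SOII at home:", home, "leaks MAC?", mac_from_eui64(home))
    print("SOII at cafe:", cafe)
```

The same host gets a stable address on a given prefix but unrelated IIDs on different prefixes, so it cannot be tracked across networks the way an EUI-64 IID allows.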



Re: Downloadable CIDR network calculator

2018-09-11 Thread Paul de Weerd
On Tue, Sep 11, 2018 at 12:32:26PM -0400, Steve Litt wrote:
| > $ python3 cidr_calc.py.txt
| > 2a02:8011:7003:1:fab1:56ff:feac:3276/64
| > 
| > IP address (2a02:8011:7003:1:fab1:56ff:feac:3276) not numeric.
| > USAGE: subnet_calc  ipaddr/maskbits
| >  EXAMPLE: subnet_calc  192.168.100.128/28
| 
| Yes, it's IPV4 only.
| 
| If lots of people want it, I might make it work for IPV6 too.

Well, if you're taking feature requests .. then please add me to the
list for 'want v6 support' too.  It's 2018 after all :)

Also, sthen, since it is 2018 .. you shouldn't be using eui64
addressing anymore ;-)

Cheers!

Paul 'WEiRD' de Weerd




Re: Deploy Django app - strategy?

2018-08-26 Thread Paul de Weerd
Use python3 -m venv /path/to/venv to create a virtualenv using python3
and be done with it.  That will use a symlink to the actual python3
binary in /usr/local, so no issues with the lack of wxallowed on /var.
However, you'll have to deal with the chroot implications there...

What webserver are you using?  You could stick things in a separate
partition under /var/www that's mounted with wxallowed.

Good luck...

Paul 'WEiRD' de Weerd

On Sun, Aug 26, 2018 at 07:56:14PM +0100, Chris Narkiewicz wrote:
| I'm deploying a Django app on OpenBSD 6.3 and I'm struggling to
| wrap my head around the best practices here.
| 
| On Linux we just bootstrap virtualenv in home directory and start
| uwsgi (or alternative), but on OpenBSD it seems to be a bit more
| complicated:
| 
| core# mkdir /var/www/app
| core# cd /var/www/app/
| 
| core# virtualenv-3 -p python3 env
| 
| Running virtualenv with interpreter /usr/local/bin/python3
| Using base prefix '/usr/local'
| New python executable in /var/www/app/env/bin/python3
| Also creating executable in /var/www/app/env/bin/python
| ERROR: The executable /var/www/app/env/bin/python3 could not be run:
| [Errno 13] Permission denied: '/var/www/app/env/bin/python3'
| 
| Well, that makes perfect sense for me, since we're running
| some binary not in bin directory, but what is the recommended
| way of deploying the app in such situation?
| 
| I'm running on vultr, which provides a non-default disk layout:
| 
| core# mount
| /dev/sd0a on / type ffs (local)
| /dev/sd0d on /usr/local type ffs (local, nodev, wxallowed)
| 
| Thanks for any suggestions.
| 




Re: ISDN Card /PRI Card support on OpenBSD

2018-07-11 Thread Paul de Weerd
Hi Tom,

With the answers you already got, I think it's obvious that the
American continents were deprived of this fine technology .. their
envy is showing ;)  However, there's one possibility:

There used to be external ISDN "modems" (not really modulating or
demodulating anything, but that's what marketing people called them so
people would understand what these were in the same sense as regular
modems were).  These would simply connect to your serial port and
provide you with a dial up interface that you could use.  With some AT
commands, these could be made to connect to the internet (if I recall
correctly, they could even emulate a real 'modem' for old-fashioned
dial-up).

Eicon was the brand, DIVA the model of one particular example I've
actually had the "pleasure" of working with.  You can still find
references on the web.  The web 1.0, that is.

Now if you could get those to work using ppp, I have no clue.  But I
think it's your best bet if you want to use your ISDN connectivity on
OpenBSD in 2018 (which you don't).

Cheers,

Paul

On Wed, Jul 11, 2018 at 04:17:09PM +0100, Tom Smyth wrote:
| Hello all,
| 
| this is an odd one but I have a client that needs to
| migrate some legacy services
| Is there support for ISDN type interfaces in OpenBSD ?
| 
| man / apropos shows nothing
| 
| or is there a package that would add ISDN support
| (although I didn't see a package containing isdn or ISDN
| in packages)
| is ISDN support available under a different name by any chance
| 
| Thanks
| 
| Tom Smyth
| 




Re: hostname.cdce0 not modifying MAC

2018-06-30 Thread Paul de Weerd
OpenBSD doesn't auto-connect on insert like that.  You must configure
this yourself.  Look at hotplugd(8) manpage.

This is a good thing, btw.  Look up poisontap for details.

Paul 'WEiRD' de Weerd

On Sat, Jun 30, 2018 at 05:23:17PM +0200, Kollar Arpad wrote:
| Hello, 
| 
| I have the latest snapshot and 
| 
| cat /etc/hostname.cdce0
| up lladdr xx:xx:xx:xx:xx:xx
| 
| 
| xx -> MAC, but censored. 
| 
| How come I have to do a "sh /etc/netstart cdce0" to make OpenBSD modify the
| MAC address in the ifconfig output when I plug out/in the USB Gbit ethernet
| device?
| 
| Because of this (when plug out/in) the MAC address isn't updated for the
| cdce0 device, and thus the pppoe0 doesn't connect, because my ISP has MAC
| filtering and only allowed the one in the hostname.cdce0 file.
| 
| If the USB Gbit ethernet device is plugged out/in, shouldn't it have the MAC
| configured in its hostname.cdce0 file, without me having to manually run the
| netstart? Or what am I missing?
| 
| Thanks!
| 




Re: dhclient expects IPv4 address in dhclient.conf

2018-05-03 Thread Paul de Weerd
On Thu, May 03, 2018 at 10:44:18AM +0200, Marc Peters wrote:
| On Thu, May 03, 2018 at 10:31:27AM +0200, Janne Johansson wrote:
| >Since manpage doesn't mention v6 namespace at all, I'd wager you would
| >have to
| >run something else to pick up v6 resolvers.
| 
| Yeah, that's right. Maybe, i stick to v4 resolvers for now or add it by
| hand, when i reboot it.

Stick a v6 recursor in /etc/resolv.conf.tail.  When dhclient updates
/etc/resolv.conf, it'll append the contents of /etc/resolv.conf.tail
to it and you will have your v6 resolver available that way.  You could
even ignore the v4 nameserver and use your manually configured
nameservers only.  See resolv.conf(5).

The only thing I don't think is possible with base tools is having
your v6 recursor listed *before* the dhcp offered recursor.

Cheers,

Paul 'WEiRD' de Weerd




Re: Wake-on-LAN from suspended state

2018-04-26 Thread Paul de Weerd
Hi Erling,

On Thu, Apr 26, 2018 at 12:31:27AM +0200, Erling Westenvik wrote:
| In this context, em(4) refers to the OpenBSD driver (man em), not the
| actual physical device. Many em-devices support WoL at BIOS-level and
| machines with such setup will cold boot successfully. Resuming from
| suspend/hibernate is an altogether different affair. It works partly on
| an em-machine I have. At least for the first zzz/arp cycle.

Hmm?  So you're saying you *can* resume a suspended machine through
WoL to its em(4) interface?

| I'm wondering: are there any OpenBSD drivers that support WoL at all? 

re(4) has this bit:

> The re driver additionally supports Wake on LAN (WoL).  See arp(8)
> and ifconfig(8) for more details.

Maybe other NIC drivers support it too, I didn't check them all.  Just
remembered that Stefan Sperling (stsp@) added it there a looong long
time ago.  Just checked: 7 years ago!

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/man/man4/re.4?rev=1.45=text/x-cvsweb-markup

Cheers,

Paul 'WEiRD' de Weerd




Re: Wake-on-LAN from suspended state

2018-04-26 Thread Paul de Weerd
Hi George,

On Wed, Apr 25, 2018 at 05:33:15PM +0100, geo...@t-t-l.co.uk wrote:
| I see the same apparent lack of support but I've been using wol happily with
| em on both 6.2 and 6.3 i386 ...  I use it to wake up a box shutdown with
| "halt -p".

Yes, as I mentioned in my original mail, that works fine for me too:
when the machine is powered off (as in your case with `halt -p`), I
can wake up the machine just fine with WoL.

| I don't remember doing anything clever and I can't see anything related in
| any config files.

My challenge is waking the machine with WoL after suspending it
through `zzz`.  To that end, as has been pointed out by a few people
on the list, you'd have to put 'wol' in the relevant hostname.if(5)
file (see the ifconfig manpage for details).  But, since the driver
for Intel gigabit network cards (em(4)) doesn't support this option,
it doesn't work.

Cheers,

Paul 'WEiRD' de Weerd




Re: Wake-on-LAN from suspended state

2018-04-25 Thread Paul de Weerd
On Wed, Apr 25, 2018 at 02:27:44AM -0400, Jiri B wrote:
| On Tue, Apr 24, 2018 at 10:11:44PM +0200, Paul de Weerd wrote:
| > [...]
| > em0 at pci0 dev 25 function 0 "Intel I217-LM" rev 0x04: msi, address
| > b8:ca:3a:93:03:e8
| 
| IIUC em does not support WOL. Am I right?

Thanks Jiri, Daniel and one person who responded off-list.  I had
missed the ifconfig wol option, this does exactly what I want:

wol Enable Wake on LAN (WoL).  When enabled, reception of a
WoL frame will cause the network card to power up the
system from standby or suspend mode.  WoL frames are sent
using arp(8).


But indeed, as Jiri suggests, it seems that em(4) doesn't support WOL:

[weerd@pom] $ doas ifconfig em0 wol
ifconfig: SIOCSIFXFLAGS: Not supported

Thanks for all the replies!

Paul 'WEiRD' de Weerd




Wake-on-LAN from suspended state

2018-04-24 Thread Paul de Weerd
Hi all,

I've been playing with WoL recently and found that my desktop machine
(a Dell Optiplex 9020) can be woken up from another OpenBSD machine on
the same network with `doas arp -W ${MAC} em1` (where ${MAC} is the
mac address of my desktop machine).  As I'm using softraid full disk
encryption, this doesn't help too much - I still need to be present to
unlock the crypto volume manually.

Figured I try waking the machine up from sleep mode.  This machine
suspends fine with zzz, and also wakes perfectly from sleep by pushing
the power button (included dmesg contains one suspend / resume cycle).
However, in suspended state, I can't wake up the machine with the
magic packet.

Reading up on the topic of WoL shows a field full of rabbit holes.
Does anyone know if it is possible at all to do this with OpenBSD?
I'm guessing the NIC should be left in a state that allows it to wake
the rest of the machine when entering suspend - perhaps that's not
done on purpose because it's not wanted.  Can anyone shed some light
on this matter?

Thanks,

Paul 'WEiRD' de Weerd


Re: kernel relink segfaults on ALIX

2018-04-19 Thread Paul de Weerd
On Thu, Apr 19, 2018 at 06:53:26AM -0500, Z Ero wrote:
| Is the feature documented in the manual pages...thanks...if this really works.

OpenBSD doesn't normally document how to disable security features.
Generally, security features cannot be disabled.  In this case you
can because of the way it's implemented.

Please make sure you write "make_me_less_secure_please" to the file
though and chant the same phrase every day at noon (in your
/etc/localtime timezone) for each day you run in this state; this is
an important part of stopping the kernel relinking...

Paul 'WEiRD' de Weerd

| On Thu, Apr 19, 2018 at 4:29 AM, Paul de Weerd <we...@weirdnet.nl> wrote:
| > On Thu, Apr 19, 2018 at 04:15:50AM -0500, Z Ero wrote:
| > | Coincidentally I just logged in to write the misc list about relinking
| > | on boot. Is it possible to disable it? What about just relinking on
| > | the first boot after install? So then every kernel image is different
| > | but not re-randomized each boot! There are some low memory / slow CPU
| > | embedded systems like Alix / Soekris where the benefit, in my opinion,
| > | of re-linking every single boot is not worth the cost. That said
| > | granted these systems should not be rebooted frequently anyway once in
| > | production during normal use. I had a soekris recently that performed
| > | well for the task I needed it for but that I chose to install OpenBSD
| > | version 5.8 on...because I did not want to put up with the
| > | relinking...I would have rather used 6.2...would it be possible to
| > | give users a "switch" to turn off relinking if they want without
| > | recompiling the kernel...please forgive my ignorance (or flame
| > | away...) if this already exists.
| >
| > echo make_me_less_secure_please | doas tee /var/db/kernel.SHA256
| >
| > Going back to an older release to *avoid* security features in newer
| > versions... wow.  You do realise that this kernel relinking thing is
| > not the only improvement that's made in the more than two years since
| > 5.8, right?
| >
| > Paul 'WEiRD' de Weerd
| >
| > --
| >>[<++>-]<+++.>+++[<-->-]<.>+++[<+
| > +++>-]<.>++[<>-]<+.--.[-]
| >  http://www.weirdnet.nl/




Re: kernel relink segfaults on ALIX

2018-04-19 Thread Paul de Weerd
On Thu, Apr 19, 2018 at 04:15:50AM -0500, Z Ero wrote:
| Coincidentally I just logged in to write the misc list about relinking
| on boot. Is it possible to disable it? What about just relinking on
| the first boot after install? So then every kernel image is different
| but not re-randomized each boot! There are some low memory / slow CPU
| embedded systems like Alix / Soekris where the benefit, in my opinion,
| of re-linking every single boot is not worth the cost. That said
| granted these systems should not be rebooted frequently anyway once in
| production during normal use. I had a soekris recently that performed
| well for the task I needed it for but that I chose to install OpenBSD
| version 5.8 on...because I did not want to put up with the
| relinking...I would have rather used 6.2...would it be possible to
| give users a "switch" to turn off relinking if they want without
| recompiling the kernel...please forgive my ignorance (or flame
| away...) if this already exists.

echo make_me_less_secure_please | doas tee /var/db/kernel.SHA256

Going back to an older release to *avoid* security features in newer
versions... wow.  You do realise that this kernel relinking thing is
not the only improvement that's made in the more than two years since
5.8, right?

Paul 'WEiRD' de Weerd




Re: Beg for Atheros wifi driver

2018-04-16 Thread Paul de Weerd
On Mon, Apr 16, 2018 at 01:05:37PM +1000, Stuart Longland wrote:
| On 16/04/18 08:08, Manuel Solis wrote:
| > Sorry for that, I haven't figured it out, maybe I should reinstall Windows to
| > get the info
| >  My bad.
| 
| Does `lspci` work on OpenBSD?  Failing that, boot a Linux LiveCD and run
| `lspci` there, it'll tell you the chipset; `dmesg` might give you some
| more clues.

No need to run Linux to run lspci, it's available through the pciutils
package (doas pkg_add pciutils).  But base OpenBSD has pcidump(8),
which gives quite similar info.

| `lsusb` if it's a USB wifi chip.

Or try usbdevs(8), also in base OpenBSD.

Your operating system of choice comes with a pretty complete toolset.

Paul 'WEiRD' de Weerd



