Re: ldap_add: Invalid syntax (21)

[Predrag Punosevac]

Predrag Punosevac wrote:

> Hi Misc,
> 
> I have been using ldapd from the base for almost 10 years. It appears
> that my ldif files are broken after upgrading to 7.3 release. I am
> having trouble adding users. Adding a private user groups still works
> as expected. Did any schema change for the 7.3 release?

> Cheers,
> Predrag

Somehow I managed to add an extra space where it was not supposed to be.
I apologize for the noise.

Predrag

ldap_add: Invalid syntax (21)

[Predrag Punosevac]

Hi Misc,

I have been using ldapd from the base for almost 10 years. It appears
that my ldif files are broken after upgrading to 7.3 release. I am
having trouble adding users. Adding a private user groups still works as
expected. Did any schema change for the 7.3 release?

Cheers,
Predrag

Re: Kerberos

[Predrag Punosevac]

On Sat, 30 Jul 2022, Michael Dinon wrote:

> Is it normal to have a Local Kerberos Realm configured on a brand new
> MacBook?

Wrong mailing list! You must have meant to send the question to 
freebsd-questi...@freebsd.org. That is where OS X users congregate.

Cheers,
Predrag

Re: Attempting to use Brother DCP-L2510D printer on BSD

[Predrag Punosevac]

# Message will be discarded unless file is saved
From: Predrag Punosevac 
# To:, Cc: and Bcc: support a ?single modifier: To?: exa, 
To: misc@openbsd.org
Cc: jor...@geoghegan.ca
Subject: Re: Attempting to use Brother DCP-L2510D printer on BSD


On 2/24/21 9:43 AM, Sylvain S wrote:
> Hello,
> 
> I see that, if I understand correctly, you have been
> able to make this printer work on ArchLinux from the
> officially provided RPM driver package.
> https://aur.archlinux.org/packages/brother-dcp-l2510d/
> 

The upstream for the driver is Brother corporation. Brother drivers are
not genuine open source drivers. They contain OS specific hidden binary
blobs. I am not talking about firmware which is injected into the
device. I am talking about OS side blob which is suppose to run on your
computer. I am not familiar with the model you have. Brother
manufactures great variety of printing devices many of which are
PostScrit, Printer Command Language PCL6 capable, or have built in CUPS
server and everything running on them.

I have one of those HL-5250DN. This is my printcap file

# Remote printer must use jetdirect since foomatic-rip doesn't speak LPD
rp|HL-5250DN:\
:lp=9100@192.168.3.15:\
:if=/etc/foomatic-rip/script_brother.sh:\
:sh:sd=/var/spool/output/brother:\
:lf=/var/log/lpd-errs:

predrag@oko$ more /etc/foomatic-rip/script_brother.sh 
#!/bin/sh

/usr/local/bin/a2ps -BRq --columns=1 -o - | \
/usr/local/bin/foomatic-rip -P HL-5250DN --ppd
/etc/foomatic-rip/direct/brother-hl-5250dn-postscript-brother.ppd


Works like a charm.



Cheers,
Predrag 


> May I ask, what kind of porting work did that require ?
> I have acquired this model from Brother and have not been
> successful at making it work/print yet.
> For reference, here is the thread on the French community forums
> https://forum.openbsd.fr.eu.org/showthread.php?tid=2846
> 
> I also note that the printer is absent from the foomatic
> database maintained by Fedora. This seems strange as a
> driver package is available for their distribution format,
> but perhaps I am missing something here ?
> https://src.fedoraproject.org/repo/extras/foomatic-db/
> 
> Finally, I notice from the documentation (to the mailing list's
attention) :
> 
> The Foomatic framework supports direct printing which does not rely on
CUPS (nor
> any spooler).
> 
> Complete documentation can be found at:
>
https://wiki.linuxfoundation.org/openprinting/database/nospoolerdocumentation
> 
> I would gladly do that, but am still clueless as of now
> 
> Thanks to anyone who would help
>

Re: Help with ssh(1) between OpenBSD and iSH/Alpine on iOS

[Predrag Punosevac]

Erling Westenvik wrote:

> Hi,
> Last year I discovered the iSH app, "The Linux shell for iOS"
> (https:/ish.app), "a project to get a Linux shell environment running
> locally on your iOS device, using a usermode x86 emulator". It's an
> Alpine Linux distribution with the Almquist shell (ash) as default.

Hi Erling, 

I have been using extensively Alpine Linux as a Xen Domain 0 since
BSDCan2016 due to Henning Brauer influence. There are no problems in ssh
communication among OpenBSD and Alpine Linux boxes.

xen1:~# more /etc/alpine-release 
3.13.1
xen1:~# uname -a
Linux xen1.int.autonlab.org 5.10.11-1-lts #2-Alpine SMP Fri, 29 Jan 2021
16:43:14 + x86_64 Linux
xen1:~# echo $SHELL
/bin/ash


xen1:~# ssh au...@lnms.int.autonlab.org
Host key fingerprint is
SHA256:FGVw4gkiFuoDdbDg4+U/ZzyZh/pXaI//4jai+eBHzSE
+---[ECDSA 256]---+
|. *oo . +o+  |
|.= + . o *   |
|oo..+|
|+ +. E . |
| + .S = .|
|  . . . ++ + |
| o Xo.+  |
|  * == = |
| ..==.=o+.   |
+[SHA256]-+
au...@lnms.int.autonlab.org's password: 
Last login: Sat Feb  6 23:31:44 2021 from 192.168.6.4
OpenBSD 6.8 (GENERIC.MP) #4: Mon Jan 11 10:35:56 MST 2021

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

lnms$


lnms$ ssh au...@xen1.int.autonlab.org 
au...@xen1.int.autonlab.org's password: 
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See .

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

Cheers,
Predrag

> Nice, fun -- and useful! -- but one thing puzzles me and prevents me
> from utilizing the full potential of the app:
> 
> I can ssh FROM any OpenBSD box INTO iSH on my iPhone, and once
> authenticated I can ssh back from there to the OpenBSD box or to any
> other OpenBSD or Linux box, but! -- From iSH itself (ie. "directly"
> from my iPhone) I can only successfully ssh to Linux boxes; if I ssh
> from the phone itself to any OpenBSD box I'm getting authenticated and
> receive a full shell prompt but the moment I hit Enter the client
> drops the connection.
> 
> Summarized:
> 
> ssh FAILS from iSH > to OpenBSD
> ssh WORKS from iSH > to Linux
> ssh WORKS from OpenBSD > to iSH (and from iSH (back) to Linux/OpenBSD)
> 
> I guess there must be something obvious I'm missing but for the life
> of me I cannot figure out what. Any help is appreciated.
> 
> Not sure what logs, if any, I should supply. Running ssh -v[vv]
> (verbose) doesnt yield any difference between working and non-working
> connections, and it's the same with /var/log/auth.log as far as I can
> see.
> 
> Cheers,
> Erling

Re: Cisco AnyConnect Secure Mobility Client Alternatives with MFA?

[Predrag Punosevac]

> On Sun, 2021-01-31 at 21:41 +0300, somebody from mother Russia wrote:
> > Hello,
> > Our employer decided that AnyConnect Secure Mobility Client with 
> > multifactor Azure authentication is the only secure option to connect
> > to 
> > work. No alternatives, no discussions.
> > There are packages for Windows and Linux only.
> > Did anybody succeed in running vpn clients compatible with all that 
> > funny stuff?
> > 
> 
> Hi,
> 
> have you tried your luck with Openconnect? It's in packages. I've had
> luck with that at least on Linux side on my work laptop.

I have been using Openconnect for a while and with exception of the 6.8
release cycle it worked perfectly. At the beggining of the 6.8 release
cycle OpenBSD package was "broken". I am not sure if it was OpenBSD SSL
stack or the server side (Cisco black box) but I just tried again today
and there was no error.


oko# openconnect https://nrec.vpn.cmu.edu   
POST https://nrec.vpn.cmu.edu/
Connected to 128.2.5.164:443
SSL negotiation with nrec.vpn.cmu.edu
Connected to HTTPS on nrec.vpn.cmu.edu with ciphersuite
(TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)

oko# uname -a
OpenBSD oko.int.bagdala2.net 6.8 GENERIC.MP#4 amd64
oko# syspatch -l
001_bgpd
002_icmp6
003_tmux
004_wg
005_unwind
006_rpki
007_xmaplen
008_asn1
009_exit
010_smtpd
011_nd6
012_carp



> 
> --
> Kind regards,
> Ville

Re: Enhancing Privacy in 2020 attached screenshot

[Predrag Punosevac]

Arib Mason wrote:

> On Sat, Dec 19, 2020 at 2:01 PM Ashlen  wrote:
> > 
> > On 20/12/16 22:55, pipus wrote:
> > > haha Stuart.
> > > Always there to make a low IQ entrance :)
> > Ever hear of Dunning-Kruger, pipus?
> > 
> > https://lsa.umich.edu/psych/news-events/all-news/faculty-news/the-dunning-kruger-effect-shows-why-some-people-think-they-re-gr.html
> >  
> 
> First rule of Dunning-Kruger club is you don't know you're in
> Dunning-Kruger club.
> 

Russell's paradox!

> -- 
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse

Re: OpenBSD as a NAS

[Predrag Punosevac]

Ashton Fagg wrote:

> Hi all,
> 
> I'm currently in the process of provisioning a new NAS for home. It's
> replacing an older Synology unit that ticks me off in so many ways.
> 
> I am looking to hear other's experiences with using OpenBSD as a NAS -
> specifically in terms of reliability, and for suggestions on how to
> provision my storage.
> 

In my experience practical, answerable OpenBSD specific questions based
on actual problems that people face are more likely to get you an answer
on this mailing list than inviting subscribers to share their experience
and opinions. Here is my experience/opinion.

OpenBSD is super simple and most reliable OS I have personally dealt
with but the storage OS, it is not. Nevertheless some people are using
in that capacity and to paraphrase Nick's point if OpenBSD is your goto
OS, there is nothing wrong in storing and sharing a few files of OpenBSD
box instead of picking up and introducing another OS into your home
environment. 
 
Building a home NAS involves solving the following five sub-problems.

1. The choice of volume manager (HWRaid vs SoftRaid vs ZFS).
2. The choice of file system (legacy vs modern (ZFS, HAMMER, HAMMER2).
3. How are you going to share the files (NFS, SMB, GlusterFS)
4. How are you going to back up your NAS server (tape, disk, remote
machine)
5. Inquiry, monitoring, and alerting of your NAS server for data
integrity and performance.

> I have an LSI card (supported by the drivers in OpenBSD) that is
> currently flashed to IT mode, but it can of course flashed back to the
> IR firmware which lets it act as a hardware RAID controller.
> 

So we are now talking about the volume manager. I have not used HWRaid
on OpenBSD but I have used SoftRAID. 


oko# bioctl softraid0   
Volume  Status   Size Device  
softraid0 0 Online  2000396018176 sd3 RAID1 
  0 Online  2000396018176 0:0.0   noencl 
  1 Online  2000396018176 0:1.0   noencl 

At my place of employment I have used high end LSI HWRaid cards, I have
used Linux SoftRAID, and I am currently using ZFS (FreeBSD). I would not
recommend HWRaid cards to a home user. Between Linux SoftRAID and ZFS on
FreeBSD, ZFS wins hands down. That being said I neither have a need nor
a hardware good enough to use ZFS at home. 

Comparing to Linux SoftRAID, OpenBSD is super crude. Once upon a time I
accidently off lined one of the HDDs in RAID1 mirror. It took probably 2
days to rebuild 2TB mirror. The things might have improved. Look for the
posts of Karel Gardas who IIRC was one of the guys fiddling with
SoftRAID after the original creator Marco Peereboom left the project
probably 10 years ago. If you have more than a 1-2 TB of data I would be
very worried about using OpenBSD softraid. The best thing is to test
before your commit.  


> 
> My needs for the NAS are as follows: NFS and Samba share support,

That is item 3 on my list.  I have not run Samba server of OpenBSD box.
I have run NFSv3 server for educational purposes and I currently use
OpenBSD NFSv3 client. My needs are very limited so I am not sure if much
has changed since Matt Dillon of DragonFly BSD fame gave me a bit of
education 

http://lists.dragonflybsd.org/pipermail/users/2016-April/228719.html


> reasonable performance, some amount of tolerance to disk failure,
> reliable and trustworthy software and file system, ability to closely

This is item 2 on my list. OpenBSD doesn't have a "modern" file system
but that is also true for most other actively developed OSs with
exception of FreeBSD and DragonFly BSD. Note that I don't consider
Illumos kernel and OmniOS in particular activelly developed systems. ZFS
on Linux is PITA and on the NetBSD doesn't look much better. If you need
copy-on-write, check-sums, consistency and such your choice is pretty
much among ZFS, Hammer, and Hammer2. If you stick with OpenBSD's FFS2
start by looking for Solene Rapenne's posts and his blog

https://dataswamp.org/~solene/2017-03-17-integrity.html


> monitor disk/array health. By extension, it should also be as simple as
> possible.

That is item 5 on my list. 

In my experience bioctl is good enough for home users. YMMV. Start by
reading 

https://www.openbsd.org/papers/opencon06-bio.pdf

I wish somebody could point me to anything more recent. 

> 
> It might be nice to have it be able to host an iSCSI volume, but that's
> not essential.

I am confused now. You said you are building NAS. Now you are talking
about SAN. I would suggest you familiarize yourself with this paper
before going further

https://www.open-e.com/site_media/download/documents/Open-E-white-paper-EN-web.pdf


> 
> I don't care about bleeding edge performance, fancy web UIs or any other
> "shiny" stuff.
> 
> By my estimates, OpenBSD with softraid volumes should tick all of those
> boxes. The box will do nothing else besides be a file server. OpenBSD is
> my preferred OS nowadays, but I am open to something

Re: Advice on using intrusion detection

[Predrag Punosevac]

On 2020-11-20 17:15, Erik Lauritsen wrote:
> Is it recommended to run some kind of intrusion detection on an
> OpenBSD router/firewall?
> 

What do you mean by "some kind of intrusion detection" (IDS). At the
risk of sounding patronizing I would start by clarifying terminology.
I got confused by Nick's answer as he started talking about Intrusion
Prevention Systems when you asked about Intrusion Detection Systems. 

In layman's terms Intrusion Prevention Systems are trying to keep the
bad buys out before they get into your system. Intrusion Detection
Systems are postmortem tools. They are useful for detecting that your
system is compromised. Both IPS and IDS can be further roughly divided
into host (file) based systems or network based systems. Some tools are
easier to classify than other. For example it would seems logical to me
to classify OpenBSD packet filter (PF) as an example of a network
intrusion prevention system. On the another hand, log file monitoring
could be useful both for preventing but also for detecting intrusion so
the above classification is really blurry.

OpenBSD is all about prevention and exploit mitigation. Code simplicity,
correctness, and code audit are all examples of intrusion prevention
methods. They don't sound very sexy :-) If you are super new to OpenBSD
Peter just gave a really nice virtual talk which can be found on the net

https://home.nuug.no/~peter/openbsd_and_you/#12


Now going to your original question. What about Intrusion Detection
Systems? While as an OpenBSD user would like to think that I am a bit
ahead of guys using more complicated OSs, I am not delusional to assume
that my systems can't be compromised. There is a saying that the OS is
as secure as the person who configured it. In spite of using OpenBSD for
almost 15 years now including at work I frequently get amazed by my own
incompetence so I am 100% sure my systems are not super secure.
Therefore (and due to other contractual obligations) I do use Intrusion
Detection Systems.

The concept of IDS can be divided into two classes. These are Host IDS
(HIDS)
and Network (NIDS).

   IDS
/   \
 HIDS   NIDS
   Host IDS Network IDS
  Inspecting Host Inspecting Network



Host based intrusion detection HIDS for short. An example would be
Tripwire (not available on OpenBSD) or a free alternative security/aide.
Even better. OpenBSD comes with mtree(8) utility. It is dead easy to
turn on HIDS on your OpenBSD firewall. You can also check hack 58 (Use
mtree as a Built-in Tripwire).

https://www.oreilly.com/library/view/bsd-hacks/0596006799/

I would put Nick's rsync hack into this category.

> I suspect that any kind of system like Snort or Suricata will give a
> lot of false positives?o

These two fall into the category of Network Based Intrusion Detection
Systems. I would add to that group zeek (formerly known as Bro). 
I do run Suricata and I do run Zeek on OpenBSD. While turning them on is
trivial getting them to do anything useful (in particularly Zeek which
more of an infrastructure for building NIDS) is not for the faint of
heart. 

I also run OSSEC on OpenBSD which is oftenly misclassified as HIDS only.
Configured properly it is actually useful in monitoring all sorts of log
files including network logs so it is kind both HIPS and NIPS. An for
the record I do recommend running centralized login server. 

Intrusion Prevention and Intrusion Detection are active research areas
and I am not talking about superficial level. It is actual real research
on the cusp of computer science, mathematics, statistics, and few other
things people commonly refer these days as artificial intelligence,
machine learning, and statistical data mining. 

https://www-users.cs.umn.edu/~lazar027/intrusion_detection.htm

As my expertise is in applied dynamical systems (math-physics) I should
wrap up this email before too much garbage comes out of my mouth . I
have seen people giving a low level  Network System monitoring,
Intrusion detection presentations at various BSD conferences.

https://papers.freebsd.org/2017/vbsdcon/shirk-the_state_of_network_security_tools_on_bsd/

https://www.bsdcan.org/2004/papers/sguil.pdf

https://www.ibm.com/developerworks/library/se-intrusion/index.html

I did read a few low level books on the topic but I neither have
professional nor research interest in the topics. Here are two of those:

The Practice of Network Security Monitoring: Understanding Incident
Detection and Response

https://www.amazon.com/Practice-Network-Security-Monitoring-Understanding/dp/1593275099

Tao of Network Security Monitoring, The: Beyond Intrusion Detection

https://www.amazon.com/Tao-Network-Security-Monitoring-Intrusion/dp/0321246772
Cheers,
Predrag

Re: A new race condition in OpenVPN and Unbound services

[Predrag Punosevac]

Thanks to everyone replaying to this thread. I carefully re-reading as
kindly pointed out by Stefan. I ended up implementing this paragraph


Using an /etc/hostname.* file without persist-tun
-
OpenVPN normally re-creates the tun/tap interface at startup.
This has been reported to cause problems with some PF configurations
(especially with queueing), if you run into problems with this then
OpenVPN should be started from the hostname.* file, e.g.:

# cat << EOF > /etc/hostname.tun0
up
!LD_LIBRARY_PATH=/usr/local/lib:/usr/lib /usr/local/sbin/openvpn \
--daemon --config /etc/openvpn/server.conf
EOF


In a hindsight I should have done that before making a noise. I have had
at least two OpenVPN/OpenBSD servers servers (30-40 road warriors) for
the past eight years. I got spoiled by the painless upgrade process and
squeaked on the first sign that something worked tiny bit different than
previous release.

Best,
Predrag

A new race condition in OpenVPN and Unbound services

[Predrag Punosevac]

Hi Misc,

Has anybody else noticed a new race condition causing Unbound to fail
due to the fact that OpenVPN interface is not available. 

Since a few releases ago I have this in my rc.conf.local to start
openvpn server and unbound

openvpn_flags=--config /etc/openvpn/server.conf
pkg_scripts=sshguard collectd smartd openvpn
sensorsd_flags=
snmpd_flags=
syslogd_flags="-h"
unbound_flags=

Previously I was starting OpenVPN server via 
/etc/hostname.tun0 

file

up link0
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf

I noticed this morning after upgrading 2 of my OpenVPN servers that
unbound is failing to start because tun0 is not available on time. If I
go back to start OpenVPN server from /etc/hostname.tun0 file everything
works as expected.

Cheers,
Predrag

Re: Sound/audio onFirefox on 6.8

[Predrag Punosevac]

Mihai Popescu wrote:

> > ATI Radeon HD 5470 Audio
> 
> That should be the HDMI audio from the video card and as far as i know
> there is no support in OpenBSD for HDMI audio output.
> There lines from dmesg you need are:
> 
> azalia0 at pci0 dev 27 function 0 "Intel 3400 HD Audio" rev 0x06: apic 2
> int 22
> azalia0: codecs: Realtek/0x0887
> audio0 at azalia0

Good catch!!! Once upon a time OpenBSD didn't have a support for Intel
3400 HD Audio. I had that Intel 3400 HD Audio disabled in BIOS and I was
using an external audio card. That was a looong time ago. I completely
forgot that I trashed that audio card and just use built in audio. 

Best,
Predrag

Re: Sound/audio onFirefox on 6.8

[Predrag Punosevac]

Duncan Patton a Campbell wrote:

> doesn't work.  Works fine elsewhere.  Granted this is also
> a ten year old board.
> 
> following is dmesg.  Any ideas are apreciated.  
> 
> Thanks,
> 
> Dhu

According to your dmesg your audio device is

ATI Radeon HD 4200 HD Audio

I am using 

ATI Radeon HD 5470 Audio

and everything works normal. My dmesg is attached. I also have

oko# cat /etc/sysctl.conf
kern.audio.record=1

oko# cat /etc/mixerctl.conf
outputs.master=248,248
outputs.mix8=248,248
outputs.mix2=248,248

oko# ls -l audio*
crw-rw  1 root  _sndiop   42,   0 Oct 24 19:40 audio0
crw-rw  1 root  _sndiop   42,   1 Oct 19 00:37 audio1
crw-rw  1 root  _sndiop   42,   2 Oct 19 00:37 audio2
crw-rw  1 root  _sndiop   42,   3 Oct 19 00:37 audio3
crw-rw  1 root  _sndiop   42, 192 Oct 19 00:37 audioctl0
crw-rw  1 root  _sndiop   42, 193 Oct 19 00:37 audioctl1
crw-rw  1 root  _sndiop   42, 194 Oct 19 00:37 audioctl2
crw-rw  1 root  _sndiop   42, 195 Oct 19 00:37 audioctl3



OpenBSD 6.8 (RAMDISK_CD) #94: Sun Oct  4 18:21:11 MDT 2020
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 17158766592 (16363MB)
avail mem = 16634720256 (15864MB)
random: boothowto does not indicate good seed
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf0100 (38 entries)
bios0: vendor Award Software International, Inc. version "F8" date 02/11/2010
bios0: Gigabyte Technology Co., Ltd. P55M-UD2
acpi0 at bios0: ACPI 1.0
acpi0: tables DSDT FACP HPET MCFG EUDS TAMG APIC SSDT
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7 CPU 860 @ 2.80GHz, 1199.32 MHz, 06-1e-05
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 133MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins, remapped
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (PEX0)
acpiprt2 at acpi0: bus -1 (PEX1)
acpiprt3 at acpi0: bus -1 (PEX2)
acpiprt4 at acpi0: bus -1 (PEX3)
acpiprt5 at acpi0: bus 3 (PEX4)
acpiprt6 at acpi0: bus 4 (PEX5)
acpiprt7 at acpi0: bus -1 (PEX6)
acpiprt8 at acpi0: bus -1 (PEX7)
acpiprt9 at acpi0: bus 5 (HUB0)
"PNP0C0C" at acpi0 not configured
acpipci0 at acpi0 PCI0
acpicmos0 at acpi0
acpicpu at acpi0 not configured
cpu0: using IvyBridge MDS workaround
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core DMI" rev 0x11
ppb0 at pci0 dev 3 function 0 "Intel Core PCIE" rev 0x11: apic 2 int 16
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 "Intel 82571EB" rev 0x06: apic 2 int 16, address 
00:15:17:51:d1:ac
em1 at pci1 dev 0 function 1 "Intel 82571EB" rev 0x06: apic 2 int 17, address 
00:15:17:51:d1:ad
"Intel Core Management" rev 0x11 at pci0 dev 8 function 0 not configured
"Intel Core Scratch" rev 0x11 at pci0 dev 8 function 1 not configured
"Intel Core Control" rev 0x11 at pci0 dev 8 function 2 not configured
"Intel Core Misc" rev 0x11 at pci0 dev 8 function 3 not configured
"Intel Core QPI Link" rev 0x11 at pci0 dev 16 function 0 not configured
"Intel Core QPI Routing" rev 0x11 at pci0 dev 16 function 1 not configured
uhci0 at pci0 dev 26 function 0 "Intel 3400 USB" rev 0x06: apic 2 int 16
uhci1 at pci0 dev 26 function 1 "Intel 3400 USB" rev 0x06: apic 2 int 21
uhci2 at pci0 dev 26 function 2 "Intel 3400 USB" rev 0x06: apic 2 int 18
ehci0 at pci0 dev 26 function 7 "Intel 3400 USB" rev 0x06: apic 2 int 18
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
"Intel 3400 HD Audio" rev 0x06 at pci0 dev 27 function 0 not configured
ppb1 at pci0 dev 28 function 0 "Intel 3400 PCIE" rev 0x06: apic 2 int 16
pci2 at ppb1 bus 2
vga1 at pci2 dev 0 function 0 "ATI FirePro 2270" rev 0x00
wsdisplay1 at vga1 mux 1: console (80x25, vt100 emulation)
"ATI Radeon HD 5470 Audio" rev 0x00 at pci2 dev 0 function 1 not configured
ppb2 at pci0 dev 28 function 4 "Intel 3400 PCIE" rev 0x06: apic 2 int 16
pci3 at ppb2 bus 3
jmb0 at pci3 dev 0 function 0 "JMicron JMB363 IDE/SATA" rev 0x02
ahci0 at jmb0: apic 2 int 16, AHCI 1.0
scsibus0 at ahci0: 32 targets
jmb1 at pci3 dev 0 function 1 "JMicron JMB363 IDE/SATA" rev 0x02
pciide0 at jmb1: DMA, channel 0 wired to native-PCI, channel 1 wired to 
native-PCI
pciide0: using apic 2 int 17 for native-PCI interrupt
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
ppb3 at pci0 dev 28 function 5 "Intel 3400 PCIE" rev 0x06: apic 2 int 17
pci4 at ppb3 bus 4
re0 at pci4 dev 0 function 0 "Realtek 8168" rev 0x03: RTL8168D/8111D (0x2800), 
apic 2 int 17, address 6c:f0:49:7d:e0:00
rgephy

Re: Digikam no longer finding cameras on 6.8.

[Predrag Punosevac]

Mario St-Gelais wrote:

> Anyone experiencing similar experience?  Since I moved to 6.8, my 
> cameras, Canon 7D and 5D are no longer found by Digikam.  Is there 
> something that changes?
> 
> 
> 17:00 marst@hotrod:~$ dmesg|grep Canon
> ugen2 at uhub0 port 6 "Canon Inc. Canon Digital Camera" rev 3.10/0.02
> addr 2

Did Digikam work as expected on 6.7?  The device nodes permissions have
changed between 6.6 and 6.7. I got bitten by the change

https://marc.info/?l=openbsd-misc&m=159165205529361&w=2

I would check the permission first before going further. Check if the
port was updated between the releases. See if you can compile the same
version which previously worked.

I have not used Digikam for probably 10-12 years now. Namely, I use an
old Epson all-in-one device as SD card reader. That thing is seen by
kernel as umass storage. Many cameras are also seen as umass storage so
you don't need Digicam. FYI my wife does have Canon 5D and I have never
used Digikam with it. 

Cheers,
Predrag

UNIX printing demystified

[Predrag Punosevac]

0.106) 5"
*ShortNickName: "Brother HL-5250DN BR-Script3"
*ModelName: "Brother HL-5250DN BR-Script3"
*NickName: "Brother HL-5250DN BR-Script3"
*1284DeviceID: "MFG:Brother;MDL:HL-5250DN
series;CMD:PJL,PCL,PCLXL,POSTSCRIPT;"

*% Basic Device Capabilities =
*LanguageLevel: "3"
*TTRasterizer: Type42
*ColorDevice: False
*DefaultColorSpace: Gray
*FileSystem: True
*?FileSystem:"
save 
/devname (%disk0%) def 
/ret false def 
0 1 7{ 
devname exch 48 add 5 exch put 
devname devstatus { 
0 ne {/ret true def}if 
pop pop pop pop pop pop pop 
}if 
}for 
ret {(True)}{(False)} ifelse = flush 
restore 
" 
*End

*Throughput: "28"
*FreeVM: "605"

*% Emulations and Protocols ==
*Protocols: PJL TBCP

*SuggestedJobTimeout: "0"
*SuggestedWaitTimeout: "300"
*PrintPSErrors: True


7. Could you give me some recommendation for a printer?

Sure. I like Brother monochromatic laser printers like this one.

https://www.amazon.com/Brother-HL-5250DN-Network-Printer-Duplex/dp/B000BQ535K

They speak PostScript or at least PCL6. They come with a built in CUPS
server (you will need to use CUPS on your OpenBSD desktop if you want to
print that way) but they also support DirectJet Protocol

oko# cat /etc/printcap
# Remote printer must use jetdirect since foomatic-rip doesn't speak LPD
rp|HL-5250DN:\
:lp=9100@192.168.3.15:\
:if=/etc/foomatic-rip/script_brother.sh:\
:sh:sd=/var/spool/output/brother:\
:lf=/var/log/lpd-errs:

oko# cat /etc/foomatic-rip/script_brother.sh
#!/bin/sh

/usr/local/bin/a2ps -BRq --columns=1 -o - | \
/usr/local/bin/foomatic-rip -P HL-5250DN --ppd \
/etc/foomatic-rip/direct/brother-hl-5250dn-postscript-brother.ppd


If you want to print Duplex don't forget to embed 


%!
<>setpagedevice

at the beginning of a PostScript file you are trying to print

Or for example using a2ps filter from Xpdf. 

predrag@oko$ head .xpdfrc
# Set the default PostScript file or command.
psFile "|a2ps -Prp -1 -s2"
psPaperSizeletter

# launch URLs in Firefox
urlCommand "firefox-esr '%s'"

# launch movie annotations in mplayer
movieCommand "/usr/local/bin/mplayer %s"


In "old good times" HP priters were the Gold standard. HP LaserJet 4
lasted me for 15 years and was still usable but getting a bit slow for
my work flow. 



8. Code contribution?

You read this post and you feel like you could contribute to UNIX
printing. Why not hack on the LPD itself. At some point Eric Faurot was
working on the new lpd server for OpenBSD

https://undeadly.org/cgi?action=article;sid=20180509184829


Why don't go step further and implement IPP protocol inside LPD? Who
need CUPS?



Most Kind Regards,
Predrag Punosevac

Re: Input Filter and LPD

[Predrag Punosevac]

Ian Darwin  wrote:

> > Just for the Internet Archive. This is fixed in 6.8 release. Printing
> > works as expected. CUPS is not needed around here.
> 
> Not to complain, but curious: can you send any combination of plain text,
> postscript and PDF via lpd? If so, what input filter(s) are you using?
> 
> Thanks!

Hi Ian,

Yes, I can! 

oko# cat /etc/printcap
# Remote printer must use jetdirect since foomatic-rip doesn't speak LPD
rp|HL-5250DN:\
:lp=9100@192.168.3.15:\
:if=/etc/foomatic-rip/script_brother.sh:\
:sh:sd=/var/spool/output/brother:\
:lf=/var/log/lpd-errs:

oko# cat /etc/foomatic-rip/script_brother.sh
#!/bin/sh

/usr/local/bin/a2ps -BRq --columns=1 -o - | \
/usr/local/bin/foomatic-rip -P HL-5250DN --ppd \
/etc/foomatic-rip/direct/brother-hl-5250dn-postscript-brother.ppd

predrag@oko$ head .xpdfrc
# Set the default PostScript file or command.
psFile "|a2ps -Prp -1 -s2"
psPaperSizeletter

# launch URLs in Firefox
urlCommand "firefox-esr '%s'"

# launch movie annotations in mplayer
movieCommand "/usr/local/bin/mplayer %s"

Best,
Predrag

Re: Input Filter and LPD

[Predrag Punosevac]

punoseva...@gmail.com (Predrag Punosevac), 2020.06.08 (Mon) 23:57 (CEST):
> It seems that there is another change on 6.7 perhaps among packages
> which broke printing for me. I am using built in LPD to print onto the
> network connected Brother HL-5250DN. I am getting row PostScript output
> on the printer instead of the document.

Just for the Internet Archive. This is fixed in 6.8 release. Printing
works as expected. CUPS is not needed around here.

Best,
Predrag

Re: Does DNS need TCP?

[Predrag Punosevac]

Nicolai  wrote :

> On Sun, Sep 20, 2020 at 12:43:41AM -0400, Predrag Punosevac wrote:
> 
> > For number of years I had in my /var/unbound/etc/unbound.conf line
> > 
> > do-tcp: no
> 
> > To make things worse I was blocking port TCP port 53. 
> 
> Just curious, why did you do that?

When I start using Unbound on OpenBSD it was not the part of the base.
There was not such a thing as the default unbound.conf file. I vividly
remember reading NLnet Labs Documentation three full days before
deciding on my defaults. Even once Unbound became the part of the base,
(IIRC 5.7) the defaults were not carved in stone. They changed quite a
bit over the time.

As of the port blocking unfortunately I am old enough to remember this
post 

http://cr.yp.to/djbdns/tcp.html#why

and the remark that TCP is only needed for records larger than 512
bytes. 

"You want to publish record sets larger than 512 bytes. (This is almost
always a mistake.)"

I had no need for TCP port 53 to be open. Until month and a half ago
things worked as expected and I have more important things to do than to
fix things which don't appear to be broken.

The following 

https://www.openbsd.org/faq/pf/

is also evolving. It has been almost 15 years since the OpenBSD became
my daily driver and I would swear (but I am not going to look through
Internet archive) that there was a time when UDP port 53 was the only
open domain service in the minimal working example.


> 
> On my authoritative servers roughly 1 in 1000 queries are over TCP, even
> though no answers are over 512 bytes.  Like most people, I don't use
> DNSSEC, and unlike most people, I do use DNSCurve.
> 

I try to stay away from a universal quantification (a professional
deformation).  I do use DNSSEC more or less since it became available. I
used it before the time it became default in unbound.conf file of
OpenBSD. That is an example of the OpenBSD unbound.conf default which
actually changed not so long time ago.



> I've seen "in the wild" authoritative servers that always set TC=1 but
> that's exceedingly rare and a bad idea for general use.
> 
> If you block 53/udp then your life will change for the worse a LOT
> faster than if you merely block 53/tcp, but both are used, and both
> should be allowed.  Blocking either will lead to downtime.
> 
> If you don't understand the defaults then leave them be.  Put your
> energy into fixing things that are visibly broken.
>

That is exactly the reason that I kept 53/tcp closed past it useful
shelf life. I actually have more interesting things to do than fixing
the stuff which are only marginally important for my life. 


> 
> Just a related PSA: please don't block ICMP either.  It's important,
> necessary, and good.

I am not blocking and I have never blocked it although I do have some
restrictions in place since I read the first edition of the book of PF. 
As you know the book is overdue for 4th edition. As you see the only
constant in life is change. 


Cheers,
Predrag

> 
> Nicolai

Is altroot a sysupgrade foe?

[Predrag Punosevac]

Hi Misc,

For number of years I had a very simple scheme to backup my OpenBSD
infrastructure servers running critical network services for our small
university lab. Namely, I would put a low profile usb flash drive and
use /altroot facility in the daily(8) scripts to backup root partition
to it as described in FAQ

https://www.openbsd.org/faq/faq14.html#altroot

I started doing that many years ago, before sysupgrade was available. It
worked like a charm. Once sysupgrade became available I noticed that it
would get confused by an extra disk in the server. My "solution" was to
remove usb drive before running sysupgrade and that worked OK until
Covid 19 when the physical access to my servers became more challenging.

I had a quick look at the sysupgrade.sh script

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/sysupgrade/sysupgrade.sh?rev=1.40&content-type=text/x-cvsweb-markup

and I have to admit that it is not clear to me how the target disk for
the installation is picked.  I completely understand that sysupgrade is
designed not to be configurable in order to be foolproof.

I am curios how the other people adapted their use of /altroot facility
in the era of sysupgrade. Obviously people who use full disk encryption
or RAID 1 are facing similar "issues". For me personally those are of
secondary importance as I always have the access to my laptop where the
disk is fully encrypted and I always have the access to my desktop where
softraid RAID 1 mirror is used for the OS.

Most Kind Regards,
Predrag Punosevac

Does DNS need TCP?

[Predrag Punosevac]

Hi Misc,

I have been a double as a system admin for our small university research
group for a number of years now but every now and then I get reminded of
my own ignorance. One of those moments happened a month and a half ago
when pkg management tools stopped working on all my FreeBSD file servers
and jail hosts. After waisting an hour, I got to the bottom of my
problem. Namely, my caching DNS Unbound resolvers (obviously running of
OpenBSD) which also serve my LAN and DMZ authoritatively could no longer
resolve 

pkg.freebsd.org.

After waisting another hour it became clear that authoritative DNS for 
pkg.freebsd.org no longer was serving using UDP protocol and was
expecting my DNS resolver to use TCP instead of UDP for name queries. 
For number of years I had in my /var/unbound/etc/unbound.conf line

do-tcp: no

even though I was aware that OpenBSD 6.7 is shipped with

do-tcp: yes

To make things worse I was blocking port TCP port 53. 

I am not much of a DNS expert but I was under impression that TCP was
only used for publishing record sets larger than 512 bytes. However, it
appears that I am mistaken.

https://serverfault.com/questions/181956/is-it-true-that-a-nameserver-have-to-answer-queries-over-tcp

That is not just a random garbage thread. The person whose answer was
accepted claims to be the author of RFC 5966. There is another
interesting post getting a lot of thumbs downs who is bringing back some
of old fights started by Daniel Bernstein.  

There is a second less illuminating thread 

https://serverfault.com/questions/404840/when-do-dns-queries-use-tcp-instead-of-udp

According to above threads it appears that DNSSEC validation requires
TCP port 53 and do-tcp: yes to work properly.

Could a kind soul who runs DNS for living point me to the documentation
which I can use to educate myself.


Most Kind Regards,
Predrag Punosevac

Re: Troubleshooting rsync

[Predrag Punosevac]

Greg Thomas  wrote:

> Hey all, I'm trying to use WSL on Windows 10 to backup to my OpenBSD server
> running 6.7 release.  It looks like Debian on WSL is using rsync version
> 3.1.2.  I tried both the rsync package and openrsync on OpenBSD with the
> same results.Basically rsync never exits and when I use four Vs for
> verbosity the last line is 'client_run waiting on..."   rsync locally works
> fine.
> 
> I'm not sure how to go about troubleshooting this further.  Any suggestions
> would be appreciated.
> 

Could you please show the output of the command syspatch -l ?  Could you
please confirm that you are doing rsync over ssh rather than using rsync
own protocol?

Based upon what I see this might be actually LibreSSL bug similar to the
one previously reported by me

https://marc.info/?l=openbsd-misc&m=159718134822470&w=2

It looks like SSL session is just not closing. Did rsync actually
transfer data?

Best,
Predrag


> ethant@NIHILANON:/mnt/c/Users/ethant$ rsync -r
> --rsync-path=/usr/bin/openrsync -e /mnt/c/Windows/System32/OpenSSH/ss
> h.exe /mnt/c/Users/ethant/Downloads ethant@192.168.0.61:/home/ethant/
> cmd=/mnt/c/Windows/System32/OpenSSH/ssh.exe machine=192.168.0.61
> user=ethant path=/home/ethant/
> cmd[0]=/mnt/c/Windows/System32/OpenSSH/ssh.exe cmd[1]=-l cmd[2]=ethant
> cmd[3]=192.168.0.61 cmd[4]=/usr/bin/openrsync cmd[5]=--server
> cmd[6]=-re.iLsfxC cmd[7]=. cmd[8]=/home/ethant/
> opening connection using: /mnt/c/Windows/System32/OpenSSH/ssh.exe -l ethant
> 192.168.0.61 /usr/bin/openrsync --server -re.iLsfxC . /home/ethant/  (9
> args)
> msg checking charset: UTF-8
> (Client) Protocol versions: remote=27, negotiated=27
> /usr/src/usr.bin/rsync/server.c:99: server detected client version 31,
> server version 27, seed -1979080380
> building file list ... /usr/src/usr.bin/rsync/server.c:128: server starting
> receiver
> 
> [sender] make_file(Downloads,*,0)
> [sender] pushing local filters for /mnt/c/Users/ethant/Downloads/
> [sender] make_file(Downloads/desktop.ini,*,2)
> [sender] popping local filters
> done
> [sender] flist start=0, used=2, low=0, high=1
> [sender] i=0 /mnt/c/Users/ethant Downloads/ mode=040777 len=512 flags=5
> [sender] i=1 /mnt/c/Users/ethant Downloads/desktop.ini mode=0100777 len=282
> flags=0
> send_file_list done
> [sender] flist_eof=1
> file list sent
> send_files starting
> /usr/src/usr.bin/rsync/flist.c:739: Downloads: received file metadata: size
> 512, mtime 1599280175, mode 40777, rdev (0, 0)
> /usr/src/usr.bin/rsync/flist.c:739: Downloads/desktop.ini: received file
> metadata: size 282, mtime 1599125537, mode 100777, rdev (0, 0)
> /usr/src/usr.bin/rsync/flist.c:765: received file metadata list: 2
> /usr/src/usr.bin/rsync/flist.c:169: Downloads: top-level
> /usr/src/usr.bin/rsync/receiver.c:233: /home/ethant/: receiver destination
> /usr/src/usr.bin/rsync/receiver.c:329: /home/ethant/: ready for phase 1 data
> /usr/src/usr.bin/rsync/uploader.c:544: Downloads: updating directory
> /usr/src/usr.bin/rsync/uploader.c:949: i=0, offs=700, msz=282, blk.len=700,
> blk.rem=282
> send_files(1, /mnt/c/Users/ethant/Downloads/desktop.ini)
> /usr/src/usr.bin/rsync/uploader.c:957: Downloads/desktop.ini: mapped 282 B
> with 1 blocks
> /usr/src/usr.bin/rsync/uploader.c:848: uploader: finished
> count=1 n=700 rem=282
> chunk[0] len=282 offset=0 sum1=d0fa3006
> send_files mapped /mnt/c/Users/ethant/Downloads/desktop.ini of size 282
> calling match_sums /mnt/c/Users/ethant/Downloads/desktop.ini
> Downloads/desktop.ini
> built hash table
> hash search b=700 len=282
> sum=d0fa3006 k=282
> hash search s->blength=700 len=282 count=1
> potential match at 0 i=0 sum=d0fa3006
> match at 0 last_match=0 j=0 len=282 n=0
> done hash search
> sending file_sum
> false_alarms=0 hash_hits=1 matches=1
> sender finished /mnt/c/Users/ethant/Downloads/desktop.ini
> send_files phase=1
> /usr/src/usr.bin/rsync/downloader.c:435: Downloads/desktop.ini: temporary:
> Downloads/.desktop.ini.M0XjFWs8af
> /usr/src/usr.bin/rsync/downloader.c:514: Downloads/.desktop.ini.M0XjFWs8af:
> copied 282 B
> /usr/src/usr.bin/rsync/receiver.c:99: Downloads/desktop.ini: updated
> permissions
> send files finished
> /usr/src/usr.bin/rsync/downloader.c:321: downloader: phase complete
> /usr/src/usr.bin/rsync/receiver.c:404: /home/ethant/: receiver ready for
> phase 2 data
> total: matches=1  hash_hits=1  false_alarms=0 data=0
> /usr/src/usr.bin/rsync/receiver.c:453: receiver finished updating
> client_run waiting on 3218

How to split install.wim

[Predrag Punosevac]

Hi All,

I am using my desktop 

predrag@oko$ uname -a
OpenBSD oko.int.bagdala2.net 6.7 GENERIC.MP#5 amd64

to create a bootable Windows 10 USB flash drive. It is a paid job
although I would not be surprised that my consent to do it, is
consistent with the early signs of dementia. I just wasted a few hours
of my life to find out that install.wim is too large to be written on
Fat32 file system as described in this article

https://www.zdnet.com/article/windows-10-installer-files-too-big-for-usb-flash-drive-heres-the-fix/

I need to split it in two before I can write it to a bootable USB.  Has
anybody done this on an OpenBSD machine? It seems that the library for
manipulation of Windows Imaging exists

https://wimlib.net/

but I can't find anything in the ports tree. 

https://openports.pl/

And just for the curios you will not be able to mount Windows ISO image
using mount_udf

This thread is right on money

https://marc.info/?l=openbsd-misc&m=139271029815043&w=2

You will have to use 

7z e Win10_2004_English_x64.iso

command to extract the files from the iso image provided by Microsoft.

Best,
Predrag

Re: 019_libssl.patch regression

[Predrag Punosevac]

Theo Buehler  wrote:

> On Tue, Aug 11, 2020 at 05:26:22PM -0400, Predrag Punosevac wrote:
> > This is a regression report for 019_libssl.patch
> > After applying libssl binary patch to 6.7 release s-nail-14.9.19 can no
> > longer close STARTTLS IPMI session with Gmail server. I recompiled
> > s-nail and rebooted the machine. After reverting the patch s-nail works
> > as expected. Interestingly enough I can only see this with Gmail
> > servers.  019_libssl.patch doesn't break Hotmail IPMI connection. Patch
> > does break SMTP session with Gmail server in the same fashion as IPMI.
> > It just doesn't terminate cleanly. I don't know enough about the subject
> > to look further into the problem but I am 100% sure this is LibreSSL
> > bug.
> 
> Thanks for the report. Could you give this patch a spin on a -stable
> system, that is, on top of the 019_libssl patch?
> 
> Index: lib/libssl/tls13_legacy.c
> ===
> RCS file: /var/cvs/src/lib/libssl/tls13_legacy.c,v
> retrieving revision 1.3.4.2
> diff -u -p -r1.3.4.2 tls13_legacy.c
> --- lib/libssl/tls13_legacy.c 10 Aug 2020 18:59:47 -  1.3.4.2
> +++ lib/libssl/tls13_legacy.c 12 Aug 2020 18:46:12 -
> @@ -497,6 +497,7 @@ tls13_legacy_shutdown(SSL *ssl)
>   if ((ret = tls13_record_layer_send_pending(ctx->rl)) !=
>   TLS13_IO_SUCCESS)
>   return tls13_legacy_return_code(ssl, ret);
> + ctx->close_notify_sent = 1;
 ^
Right on the money! That did the trick. The patch works for me. Theo
thank you so much for patching this so quickly. Thank you Steffen for
figuring out the problem from my initial report. 

Cheers,
Predrag




>   } else if (!ctx->close_notify_recv) {
>   /*
>* If there is no application data pending, attempt to read more

Re: Adding more syspatch platform.

[Predrag Punosevac]

Theo de Raadt  wrote:

> 
> No, it is a question of which additional platform, you avoided that
> didn't you
> 

octeon is the only one I can think of. arm64 binary patches are
available for few releases already. The binary patches might be the
least of the troubles on that platform.

https://marc.info/?l=openbsd-misc&m=157716525114361&w=2

Predrag





>
> if you name one that less than 100 people use, then well come on
> 
> 
> 
> 
> 
> Daniel Ouellet  wrote:
> 
> > Just a general question as I got to really love syspatch and sysupgrade
> > to the point that oppose to before, now my platforms are pretty much
> > always up to date and patch in just a few days after patches are release
> > or even in some cases the same day.
> > 
> > To add more platform, I guess that mean man power right, or is that an
> > hardware issue?
> > 
> > Not a complain at all, I love where we are, just a real generic question
> > and if that's a hardware issue, I think there is more then that, I would
> > be happy to contribute some if that help.
> > 
> > If more then that, I apologies for the question.
> > 
> > Many thanks for all you do! Greatly appreciated!
> > 
> > Daniel
> > 

019_libssl.patch regression

[Predrag Punosevac]

This is a regression report for 019_libssl.patch

predrag@oko$ uname -a
OpenBSD oko.int.bagdala2.net 6.7 GENERIC.MP#5 amd64
predrag@oko$ syspatch -l
001_wscons
002_rpki
003_ssh
004_libssl
005_unbound
006_smtpd_sockaddr
007_perl
008_hid
009_asr
010_x509
011_shmget
012_tty
013_tty
014_iked
015_rpki
016_ximcp
017_dix
018_ximcp
019_libssl


After applying libssl binary patch to 6.7 release s-nail-14.9.19 can no
longer close STARTTLS IPMI session with Gmail server. I recompiled
s-nail and rebooted the machine. After reverting the patch s-nail works
as expected. Interestingly enough I can only see this with Gmail
servers.  019_libssl.patch doesn't break Hotmail IPMI connection. Patch
does break SMTP session with Gmail server in the same fashion as IPMI.
It just doesn't terminate cleanly. I don't know enough about the subject
to look further into the problem but I am 100% sure this is LibreSSL
bug.

Best,
Predrag

Re: Julia on OpenBSD?

[Predrag Punosevac]

> On July 13 2018 Predrag Punosevac wrote:
> 
> > Hello,
> >
> > has anyone any experience with running Julia (language)
> > on OpenBSD? How difficult was it to set it up? (It isn't
> > in the Ports.)
> >
> >
> 
> As somebody already pointed out bcallah@ was looking more into it but
> last time I looked (1-2 years ago) it would be a major undertaking both
> by upstream and the porter. 
> 
> Even on RHEL which is the most widely used OS for scientific computing
> Julia has to be compiled from the source.
> 
> What are you trying to do with Julia? If you are just trying to do
> science it is probably a bad choice. Jeff Bezanson came here to Carnegie
> Mellon University to give a talk 2 years ago and I was not too
> impressed (arguably I am more interested in science than in computer
> language design). They had immense momentum 5-6 years ago but I think
> the enthusiasm is dissipating at least among scientist.
> 

I am resurrecting this old thread as I evolved from a Julia sceptic to a
Julia user. The language has matured nicely. In my experience, Julia
wins hands down over Python for any scientific computing beyond pure
numerical linear algebra (2d double-precision floating point only data
structure) where MATLAB has an upper edge due to the more mature
debugger and profiler. An example would be

https://diffeq.sciml.ai/latest/index.html

written by Chris Rackauckas which should win Wilkinson prize. In
comparison, Python ODE solvers are a joke. 

In a lieu of the fact that Patrick Wildt just imported LLVM 10.0.0 into
-current, has anybody with a proper skill set looked recently how
difficult would be to port Julia to OpenBSD? Feel free to take the
thread of the mailing list.

Best,
Predrag Punosevac

P.S. If you care primarily for scientific computing like I do then this
is an excellent intro

https://www.sas.upenn.edu/~jesusfv/Chapter_HPC_8_Julia.pdf

also some baby code

https://www.sas.upenn.edu/~jesusfv/Julia_tutorial_script_April_2019.txt

and a mandatory cheat sheet

https://juliadocs.github.io/Julia-Cheat-Sheet/


>
> Cheers,
> Predrag

Re: ssh X forwarding and google-chrome

[Predrag Punosevac]

Gregory Edigarov wrote:

> Hello, everybody
> 
> does anybody know if there is any tricks?
> 
> In my office pc (currently linux) I have google-chrome installed, and I 
> absolutely need to access it from home.
> 
> "ssh -Y  google-chrome" just shows an empty and blank window, 
> no menu, no address bar.
> May be there is some command line flags I am not aware of?
> 
> Thank you.


Unless you have 1 Gigabit or higher ssh -Y will be sluggish. Just use 

x11/x2goclient

https://openports.pl/path/x11/x2goclient

if you can install x2goserver on your work desktop. It is an
insecure Perl wrapper around NX NoMachine protocol which is just
cleverly compressed ssh -Y. NoMachine used to be free for up to 2
clients but no longer. 

Cheers,
Predrag

P.S. You should never use ssh -X (insecure X tunneling on non-local
networks).

Re: Input Filter and LPD

[Predrag Punosevac]

Marcus MERIGHI  wrote:

> punoseva...@gmail.com (Predrag Punosevac), 2020.06.08 (Mon) 23:57 (CEST):
> > It seems that there is another change on 6.7 perhaps among packages
> > which broke printing for me. I am using built in LPD to print onto the
> > network connected Brother HL-5250DN. I am getting row PostScript output
> > on the printer instead of the document.
> 
> I think I've seen the same. Though I could still print simple text
> files, like "cat foo.txt | lpr". 

Hi Marcus,

Thanks for confirming the issue. I am 95% sure that this is related to 
the upgrade of 

cups-filters

package.

Namely, there are two packages involved with my printing setup. 

a2ps and cups-filters

a2ps has not been changed since 6.6 relase and it is still the same old 

a2ps-4.14p15

However, cups-filters is significantly "upgraded". OpenBSD 6.6 was
shipped with cups-filters-1.25.6. OpenBSD 6.7 was shipped with
cups-filters-1.27.4p0. Looking through internet archive and the commit log 

https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/print/cups-filters/Makefile

cups-filters-1.27 branch was nothing but the trouble. I am not sure why
upstream quickly ditched cups-filters-1.26. When I say trouble I really
mean it. This thing broke printing on CentOS and Ubuntu not just on
OpenBSD. 


I upgraded my package to cups-filters-1.27.5 and that didn't fix the
problems for me. I tried yesterday to go back to the last 1.25 version

cups-filters-1.25.13

I was unable to compile program quickly. It requires more work. I am
surprised to find out that I am the first one reporting the issue as I
would expect more people to use LPD than CUPS.

I fixed cups-filter package probably would be worth of stable binary
package effort.


Best,
Predrag



> Printing PDFs from xournal failed, with raw PS output as you describe. 
> 
> The machine is currently not available, probably online this afternoon, 
> will post the configs then. 
> 
> I guess you want to avoid it, but cups still works on that machine.
> 
> Marcus

Re: sane-backends permission problems

[Predrag Punosevac]

Maurice McCarthy  wrote:

> Add your user to the operator group.
> Regards

Hi Maurice,

My user is already in the operator group and for that matter in wheel
group. However, your email made me poke little bit more into this issue.
These are the changes that coused the "problem" for me personally.

On 6.6 stable 

OpenBSD atlas.int.autonlab.org 6.6 GENERIC.MP#0 amd64

atlas# ls -l /dev/usb0 
crw-rw  1 root  wheel   61,   0 Oct 22  2019 /dev/usb0

atlas# ls -l /dev/ugen0*
crw-rw  1 root  wheel   63,   0 Oct 22  2019 /dev/ugen0.00
crw-rw  1 root  wheel   63,   1 Oct 22  2019 /dev/ugen0.01
crw-rw  1 root  wheel   63,   2 Oct 22  2019 /dev/ugen0.02
crw-rw  1 root  wheel   63,   3 Oct 22  2019 /dev/ugen0.03
crw-rw  1 root  wheel   63,   4 Oct 22  2019 /dev/ugen0.04
crw-rw  1 root  wheel   63,   5 Oct 22  2019 /dev/ugen0.05
crw-rw  1 root  wheel   63,   6 Oct 22  2019 /dev/ugen0.06
crw-rw  1 root  wheel   63,   7 Oct 22  2019 /dev/ugen0.07
crw-rw  1 root  wheel   63,   8 Oct 22  2019 /dev/ugen0.08
crw-rw  1 root  wheel   63,   9 Oct 22  2019 /dev/ugen0.09
crw-rw  1 root  wheel   63,  10 Oct 22  2019 /dev/ugen0.10
crw-rw  1 root  wheel   63,  11 Oct 22  2019 /dev/ugen0.11
crw-rw  1 root  wheel   63,  12 Oct 22  2019 /dev/ugen0.12
crw-rw  1 root  wheel   63,  13 Oct 22  2019 /dev/ugen0.13
crw-rw  1 root  wheel   63,  14 Oct 22  2019 /dev/ugen0.14
crw-rw  1 root  wheel   63,  15 Oct 22  2019 /dev/ugen0.15



On 6.7 stable

minix# ls -l /dev/usb0  
crw-r-  1 root  wheel   61,   0 Jun  8 22:16 /dev/usb0

minix# ls -l /dev/ugen0*
crw---  1 root  wheel   63,   0 Jun  8 22:16 /dev/ugen0.00
crw---  1 root  wheel   63,   1 Jun  8 22:16 /dev/ugen0.01
crw---  1 root  wheel   63,   2 Jun  8 22:16 /dev/ugen0.02
crw---  1 root  wheel   63,   3 Jun  8 22:16 /dev/ugen0.03
crw---  1 root  wheel   63,   4 Jun  8 22:16 /dev/ugen0.04
crw---  1 root  wheel   63,   5 Jun  8 22:16 /dev/ugen0.05
crw---  1 root  wheel   63,   6 Jun  8 22:16 /dev/ugen0.06
crw---  1 root  wheel   63,   7 Jun  8 22:16 /dev/ugen0.07
crw---  1 root  wheel   63,   8 Jun  8 22:16 /dev/ugen0.08
crw---  1 root  wheel   63,   9 Jun  8 22:16 /dev/ugen0.09
crw---  1 root  wheel   63,  10 Jun  8 22:16 /dev/ugen0.10
crw---  1 root  wheel   63,  11 Jun  8 22:16 /dev/ugen0.11
crw---  1 root  wheel   63,  12 Jun  8 22:16 /dev/ugen0.12
crw---  1 root  wheel   63,  13 Jun  8 22:16 /dev/ugen0.13
crw---  1 root  wheel   63,  14 Jun  8 22:16 /dev/ugen0.14
crw---  1 root  wheel   63,  15 Jun  8 22:16 /dev/ugen0.15


The device nodes' permissions have changed. I am too busy to go now
through CVS commits to pin point the date and the reason.

Cheers,
Predrag

Re: sane-backends permission problems

[Predrag Punosevac]

Predrag Punosevac wrote:

> Hi Misc,
> 
> I am trying for the first time to scan a document on
> 
> predrag@oko$ uname -a
> OpenBSD oko.int.bagdala2.net 6.7 GENERIC.MP#2 amd64
> 
> Can somebody familiar with the changes in permissions between releases
> and 6.6 and 6.7 help me out how to enable scanning for a non root user
> This is what I am talking about
> 
> predrag@oko$ scanimage -L
> 
> No scanners were identified. If you were expecting something different,
> check that the scanner is plugged in, turned on and detected by the
> sane-find-scanner tool (if appropriate). Please read the documentation
> which came with this software (README, FAQ, manpages).
> 
> 
> now as a root
> 
> predrag@oko$ doas scanimage -L
> doas (pred...@oko.int.bagdala2.net) password: 
> device `snapscan:libusb:000:003' is a EPSON EPSON Scanner flatbed
> scanner
> 
> 
> I can confirm that the scanning works as expected on 6.7 minus
> permission problem. Actually even changing permission on /dev/ugen* from
> current 600 to 660 (as it was on 6.6) would not allow me to use XSane
> for scanning.
> 
> Cheers,
> Predrag

Solved per pkg-readme of course :-)

predrag@oko$ pwd   
/usr/local/share/doc/pkg-readmes
predrag@oko$ cat sane-backends 
$OpenBSD: README,v 1.17 2019/12/14 13:02:28 ajacoutot Exp $

+---
| Running sane-backends on OpenBSD
+---

First read /usr/local/share/doc/sane-backends/PROBLEMS.

USB
===
Since USB scanning will be handled by libusb, you need to allow
the user access to the corresponding USB endpoint. To do so, find
where your scanner is attached to using:
$ usbdevs -v
then change the ownerships accordingly.

e.g.
  
Controller /dev/usb0:
  
<...>
  
addr 05: 03f0:4812 HP, Officejet 7500 E910
  
 high speed, self powered, config 1, rev 1.00, iSerialNumber
MY2793100Q05JB
 driver: umass0
  
 driver: ugen1
  

  
# chown  /dev/ugen1.* /dev/usb0

To preserve your changes after a system update, use rc.local(8).
Alternatively, hotplugd(8) attach/detach scripts can automate this.

You can grant multiple users direct access to the scanner by adding them
to the
_saned group and allowing access to its ugen(4) device.
e.g. chgrp _saned /dev/ugen1.* && chmod 660 /dev/ugen1.*

Input Filter and LPD

[Predrag Punosevac]

It seems that there is another change on 6.7 perhaps among packages
which broke printing for me. I am using built in LPD to print onto the
network connected Brother HL-5250DN. I am getting row PostScript output
on the printer instead of the document.

This is the relevant printcap entry

rp|HL-5250DN:\
:lp=9100@192.168.3.15:\
:if=/etc/foomatic-rip/script_brother.sh:\
:sh:sd=/var/spool/output/brother:\
:lf=/var/log/lpd-errs:

Note that I am using jetdirect protocol since foomatic-rip doesn't speak
LPD.

This is my magic input filter (if) script which was needed after the
support for LPD was removed from foomatic-rip

#!/bin/sh

/usr/local/bin/a2ps -BRq --columns=1 -o - | \
/usr/local/bin/foomatic-rip -P HL-5250DN --ppd \
/etc/foomatic-rip/direct/brother-hl-5250dn-postscript-brother.ppd

and this is the relevant /usr/local/share/doc/pkg-readmes/cups-filters
paragraph

Input filter script
---
Non-postscript files must be converted before being sent to
foomatic-rip(1). Several packages can be used for that, a2ps being the
most complete.
Note that a2ps(1) requires external helper tools for converting files.
They can be configured under /etc/a2ps{,-site}.cfg. By default,
converting images requires the ImageMagick package.

Here's a sample converter script:

---8<---
#!/bin/sh

/usr/local/bin/a2ps -BRq --columns=1 -o - | \
/usr/local/bin/foomatic-rip -P samsung-ml2850d
---8<---

Additional options can be passed to foomatic-rip(1).
e.g.
- to print in duplex mode: -o duplex
- to set the page size to letter: -o pagesize=letter

Default options can be set by editing the PPD file.

To use the above script as an input filter for lpd(8), see the next
sections (make sure the script is executable).

lpd(8): USB printer printcap(5) example
---
lp|samsung|Samsung-ML-2850D:\
:lp=/dev/ulpt0:\
:if=/path/to/script.sh:\
:sd=/var/spool/output:\
:lf=/var/log/lpd-errs:\
:sh:

lpd(8): network printer printcap(5) example
---
rp|samsung|Samsung-ML-2850D:\
:lp=9100@1.2.3.4:\
:if=/path/to/script.sh:\
:sd=/var/spool/output:\
:lf=/var/log/lpd-errs:\
:sh:
(where 1.2.3.4 is the printer IP address and 9100 the printer stream
port)

foomatic-rip(1) does *not* speak LPD (port 515).
If the printer does not support raw printing over port 9100, it must be
setup locally on a print server (see above for an example using USB)
then accessed over LPD by the clients (there is no need to setup any
print filter on the clients since it will run on the print server).


What am I missing?

Predrag

sane-backends permission problems

[Predrag Punosevac]

Hi Misc,

I am trying for the first time to scan a document on

predrag@oko$ uname -a
OpenBSD oko.int.bagdala2.net 6.7 GENERIC.MP#2 amd64

Can somebody familiar with the changes in permissions between releases
and 6.6 and 6.7 help me out how to enable scanning for a non root user
This is what I am talking about

predrag@oko$ scanimage -L

No scanners were identified. If you were expecting something different,
check that the scanner is plugged in, turned on and detected by the
sane-find-scanner tool (if appropriate). Please read the documentation
which came with this software (README, FAQ, manpages).


now as a root

predrag@oko$ doas scanimage -L
doas (pred...@oko.int.bagdala2.net) password: 
device `snapscan:libusb:000:003' is a EPSON EPSON Scanner flatbed
scanner


I can confirm that the scanning works as expected on 6.7 minus
permission problem. Actually even changing permission on /dev/ugen* from
current 600 to 660 (as it was on 6.6) would not allow me to use XSane
for scanning.

Cheers,
Predrag

OpenSMTP relaying to multiple mail servers

[Predrag Punosevac]

Hi Misc,

I have a very noob question. Is it possible to configure OpenSMTP to use
multiple relay servers? 

I would like to be able to do the following.

mail -r someb...@gmail.com miscATopenbsd

should relay through smtp.gmail.com

mail -r someb...@hotmail.com miscATopenbsd

should relay through smtp-mail.outlook.com

I have seen an article 

https://www.admin-magazine.com/Articles/OpenSMTPD-makes-mail-server-configuration-easy/(offset)/3

but the configuration syntax is old. I tried to configure filter using
new syntax to no avail. I do know how to configure OpenSMTP to relay
email per minimal working example provided with man pages. I am trying
to abuse OpenSMTP to improve my MUA mail(1) experience.

Cheers,
Predrag

Re: Ansible network_cli module broke

[Predrag Punosevac]

John Doe  wrote:

> Installed the ansible pkg via pkg_add. I cannot get the ansible
> network_cli
> module to work in OpenBSD. Tried in version 6.6 and also 6.7 and both
> hang
> at "using connection plugin network_cli". It never times out, hangs here
> forever.
> 
> I copied my ansible configuration files over to a fedora OS and the
> ansible-playbook works successfully. Has anyone used OpenBSD as an
> ansible
> control node to manage network devices via SSH? Below is the output I
> receive.

I am not sure what do you mean by network devices. I do use OpenBSD as
an ansible control node to manage a smallish cluster of about 70
servers. I do not use ansible to manage my switches, UPSs, and PDUs.
I will be the first one to confess that I am not an ansible expert. Thus
I had to have a quick look at the relevant documentation and the module
you are asking about.

https://docs.ansible.com/ansible/latest/network/index.html

https://docs.ansible.com/ansible/latest/plugins/connection/network_cli.html

I have never used the module in question but a quick read reveals that
it is community supported module. I read that sentence as Ubuntu
specific (best case scenario Linux specific) module. I would dig deeper
into documentation before expecting that thing to work. You might need
to do some extra configuration steps as the things on OpenBSD are not
located on the same location as on the Red Hat for example.

Best,
Predrag





> 
> openbsd#  ansible-playbook - -u username -k -e
> ansible_network_os=ios
> test.yml
> 
> TASK [ios_config]
> **
>  task path: /etc/ansible/test.yml:6
>  <192.168.1.1> attempting to start connection
>  <192.168.1.1.1> using connection plugin network_cli

Re: openvpn setup tutorial

[Predrag Punosevac]

man Chan  wrote:

> Hello,
> After a couple of days surfing the internet to get some notes to setup
> the openvpn, I got lost as I don't know how to start the job.   Can
> anyone show me some pointer to study openvpn and setup step by step ?
> 

What is an OpenBSD specific question/problem you are trying to
communicate to OpenBSD community?

If you need a paid OpenBSD consultant they are listed on the project
main website

https://www.openbsd.org/support.html

If you need documentation how to set OpenVPN server you can find it on
the project website

https://openvpn.net/vpn-server-resources/

or buy and study one of many books written about OpenVPN. 

https://www.amazon.com/s?k=OpenVPN&ref=nb_sb_noss_2

OpenBSD specific bits can be found in its usual location (pkg readme
files)

https://openports.pl/path/net/openvpn

As a side note OpenBSD is an excellent OS choice for a OpenVPN server. I
run several OpenVPN servers on OpenBSD in production with few hundred
clients. They are rock stable. 

Best,
Predrag

> Thanks.
> Clarence

Re: collectd graphs

[Predrag Punosevac]

Levai, Daniel  wrote:

> Hi everyone!
> 
> I noticed facette became broken in 6.7. Do you guys use any neat tool to
> graph collectd RRDs? Preferably in ports or at most something
> git-pullable but with no outside deps (relative to base or ports).
> 
> Thanks for the input!
> 
> Dani

Hi Dani,

Before I replay to your question just as a side note. This is not really
OpenBSD related question so please feel free to send me a private email
if you want to discuss this further instead of bothering everyone.

The lack of decent front-end is really achilles tendon of Collectd. Even
the website 

https://collectd.org/wiki/index.php/List_of_front-ends

is grossly outdated. The net/librenms port 

https://openports.pl/path/net/librenms

is your best bet. LibreNMS is SNMP-based network monitoring system
written in PHP and requires MySQL database. It is a fork of Observium.

https://www.observium.org/

While Observium/LibreNMS primary focus is on monitoring SNMP capable
devices both can can integrate with Collectd to show graphs drawn from
Collectd modules in the web interface.

https://docs.observium.org/collectd/

I use Observium running of Ubuntu 16.04 to monitor a smallish
infrastructure consisting of about 100 devices. I monitor through SNMP
pretty much everything you can think of: batteries on UPSs, electric
consumption of GPU computing nodes via switched PDUs monitoring, managed
switches, servers, named it. In addition to SNMP polling, I also run
Collectd on all my production servers (about 70 Open/Free BSD
infrastructure and Red Hat computing nodes) and push RRDs to the
centralized Observium server. Observium automatically build incredibly
pretty and informative graphs from RRDs. You don't need to build your
own dashboards like with Grafana (IIRC facette requires to build your
own dashboards and it is not even very good). On Red Hat where Collectd
IPMI plugin actually works you also get those nice IPMI graphs.

I tried to run LibreNMS of OpenBSD kernel on bare metal. It was just too
sluggish and web interface was not really usable comparing to Observium
on Ubuntu. I never really bothered to troubleshoot the problem. It could
be that LibreNMS at that time was just not polished enough (they were
much more agressive in adding features than Observium free community
edition). It could be the file system performance. I tried using both
SSD and spinning drives but no big difference. I tried memcached and few
other things. If you search through misc archive with keyword LibreNMS
you will see bunch of my posts and developers/users who were trying to
help. 

Observium is officially(per alpha male Adam Armstrong) is designed to
run only designed to run on Ubuntu or Debian and my experience confirms
that. My Observiu/Ubuntu runs as DomU on Alpine Linux Xen Dom0 instance.
I do use raw SSD block devices as a storage. Network interface is 1
Gigabit and even though I have 10 Gigabit card and 10 Gigabit network I
didn't bother to upgrade.  


Before I wrap up this long email I would like to bring to your attention
another option. Instead of directly drawing Collectd RRDs you can use
carbon or gmond plugin 

https://collectd.org/wiki/index.php/Plugin:Carbon
https://collectd.org/wiki/index.php/Plugin:gmond

to feed collectd into Graphite or Ganglia. I vaguely remember playing
with Graphite plugin but I lost enthusiasm after realizing that I will
have to build by custom dashboards. Jason Dixon who wrote a book on
Monitoring with Graphite should be luring around here so he might be
able to pitch a bit. I never tried running Ganglia on OpenBSD as it is
not in official ports tree.

Just as a final note, if you are doing this to monitor few devices in
your home lab you are way above your head. While all I said is trivial I
would have never done it if somebody was not paying for it. There are
far simpler ways to accomplish above on a small home network.

Best,
Predrag

Re: yubikey: user failed: password too short.

[Predrag Punosevac]

Just for the Internet archive. After using Quick option
yubikey-personalization-gui and writing configuration into slot 2 I was
able to use yubikey to log into 6.6 stable. I think that my problem was
flaky USB slot and making sure pressing capacitive 'button' on the
Yubikey correct length of time.

Thanks everyone for the help!
Predrag

Smartphone Alternatives

[Predrag Punosevac]

Hi,

I would firstly like to apologize to developers as the question I am
about to ask has little to do with OpenBSD. However, in my experience
the number of security conscious people lurking on this mailing list is
such that I could not resist.

Long story short one of my virtual servers (running Red Hat) got hacked
by cryptomining folks. I noticed 100% load on CPUs coming out of a cron
job and traced everything to a cryptomining scripts. Sure enough there
was an ssh-key .ssh/authorized_keys which was not suppose to be there.
Incidentally, I had to turn off Duo 2-factor authentication as one of my
users insisted on having GUI access via X2go-client. 

I am not much of a security expert so my instinct is that account was
compromised by scooping account information from a browser cash or my
"smart" phone while reading email from Office 365. I have log files and
I am going through them. Browser cash problem hopefully will be offset
now when I have 2-factor enabled for Office 365 email and using only
browser on my locked down OpenBSD desktop. 

However, that still leaves me with a damn Android smartphone. I already
deleted/disabled email clients but the more I look the more I feel
stupid for having that crap. I am looking now at purchasing something
like Nokia 106. Note that I use one of USA T-Mobile plans and my current
smartphone works well across the globe. It looks like Nokia 106 doesn't
work in Europe. 

I would appreciate any advises, comments, suggestions on the choice of
mobile device for basic phone calls and texting. It would be painful to
carry around a small laptop for web browsing, maps, and few other
useful things but it looks like I am heading there. 

Thanks for your help.

Predrag Punosevac

yubikey: user failed: password too short.

[Predrag Punosevac]

Hi Misc,

I am playing with yubikey on

predrag@oko$ uname -a
OpenBSD oko.int.bagdala2.net 6.6 GENERIC.MP#4 amd64


The idea is to use yubikey as a challenge for a console login. I tried
first to configure /etc/login.conf just to use yubikey

auth-defaults:auth=yubikey:

However, I see 

oko# tail -3 authlog 
Feb 15 23:29:15 oko yubikey: user predrag failed: password too short.
Feb 15 23:29:15 oko yubikey: user predrag: reject
Feb 15 23:43:09 oko su: predrag to root on /dev/ttyC0


I used advanced mode in yubikey-personalization-gui and generated public
key of lenght 16 instead of default 6. No avail. Then I realized that 

010: SECURITY FIX: December 4, 2019   All architectures
libc's authentication layer performed insufficient username validation.

Is it possible to use yubikey for console authentication or does above
patch disables it completely? 

Most Kind Regards,
Predrag Punosevac

Re: strange dmesg

[Predrag Punosevac]

Justin Noor wrote:

> I have the same output on a Protecli firewall device (it's not in
> production yet) running 6.6 stable, and have yet to figure out what it
> is.
> I'm planning to spend some time on it next week. It's a brand new device
> and there were no errors during installation.
> 
> Specs:
> 
>- Intel Dual Core Celeron J1800, 64 bit, 2.4GHz, 2MB L2 Cache
>- 2 Intel Gigabit Ethernet NIC ports
>- 2GB DDR3 RAM, 250GB Samsung Evo 860 mSATA SSD

Protecli are super picky about RAM and SSD drives. I have had one in
production for almost three years now. No problems. Please see dmesg


OpenBSD 6.6 (GENERIC.MP) #4: Wed Jan 15 10:55:43 MST 2020

r...@syspatch-66-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4165738496 (3972MB)
avail mem = 4026773504 (3840MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xebea0 (51 entries)
bios0: vendor American Megatrends Inc. version "5.6.5" date 08/15/2016
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT TCPA MCFG HPET SSDT SSDT SSDT UEFI SSDT 
TPM2
acpi0: wakeup devices EHC1(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.33 MHz, 06-37-08
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 83MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.01 MHz, 06-37-08
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.02 MHz, 06-37-08
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu2: 1MB 64b/line 16-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.01 MHz, 06-37-08
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu3: 1MB 64b/line 16-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 87 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus 3 (RP03)
acpiprt4 at acpi0: bus 4 (RP04)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C3(10@1500 mwait.1@0x52), C2(10@500 mwait.1@0x51), C1(1000@1 
mwait.1), PSS
acpicpu1 at acpi0: C3(10@1500 mwait.1@0x52), C2(10@500 mwait.1@0x51), C1(1000@1 
mwait.1), PSS
acpicpu2 at acpi0: C3(10@1500 mwait.1@0x52), C2(10@500 mwait.1@0x51), C1(1000@1 
mwait.1), PSS
acpicpu3 at acpi0: C3(10@1500 mwait.1@0x52), C2(10@500 mwait.1@0x51), C1(1000@1 
mwait.1), PSS
acpipwrres0 at acpi0: PLPE
acpipwrres1 at acpi0: PLPE
acpipwrres2 at acpi0: USBC, resource for EHC1, OTG1
acpicmos0 at acpi0
acpipci0 at acpi0 PCI0: 0x0010 0x0011 0x
"DMA0F28" at acpi0 not configured
acpibtn0 at acpi0: SLPB
"INT33BD" at acpi0 not configured
"MSFT0101" at acpi0 not configured
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: using VERW MDS workaround
cpu0: Enhanced SpeedStep 2000 MHz: speeds: 1993, 1992, 1909, 1826, 1743, 1660, 
1577, 1494, 1411, 1328 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Bay Trail Host" rev 0x0e
inteldrm0 at pci0 dev 2 function 0 "Intel Bay Trail Video" rev 0x0e
drm0 at inteldrm0
inteldrm0: msi
ahci0 at pci0 dev 19 function 0 "Intel B

Re: OpenBSD's extremely poor network/disk performance

[Predrag Punosevac]

On Thu, Jan 9, 2020 at 3:25 PM Hamd  wrote:

> Joe, are you a joke? Please stop insulting me, this is not
> my/your_personal_fancy_forum.
>
> This will be my last post here in misc.
>
> Default setups, no config. changes.
> Just patches installed.
> Same hardware.
>
> FreeBSD:
> freebsd@test:~ # time sh -c "dd if=/dev/zero of=test.tmp bs=4k count=5
> && sync"
> 5+0 records in
> 5+0 records out
> 20480 bytes transferred in 0.239590 secs (854792500 bytes/sec)
> 0.000u 0.195s 0:00.25 76.0% 22+198k 0+1568io 0pf+0w
>
> Result: *854.79 MB/s disk speed*
>
> freebsd@test:~ # uname -a
> FreeBSD test.local 12.1-RELEASE-p1 FreeBSD 12.1-RELEASE-p1 GENERIC  amd64
>
> OpenBSD:
> test$ time sh -c "dd if=/dev/zero of=test.tmp bs=4k count=5 && sync"
> 5+0 records in
> 5+0 records out
> 20480 bytes transferred in 12.303 secs (16645247 bytes/sec)
> 0m12.32s real 0m00.13s user 0m01.28s system
>
> Result: *16.64 MB/s disk speed*
>
> test$ uname -a
> OpenBSD test.local 6.6 GENERIC#3 amd64
>
>

This thread should have never gone beyond original malicious post. I am
posting this just for the archiving purpose.


101.69 MB/s on the RAID1. 10 year old desktop hardware and slow plater
datacenter HDDs. 8 GB of low quality consumer RAM.


oko# bioctl softraid0 
Volume  Status   Size Device  
softraid0 0 Online  2000396018176 sd3 RAID1 
  0 Online  2000396018176 0:0.0   noencl 
  1 Online  2000396018176 0:1.0   noencl 
oko# time sh -c "dd if=/dev/zero of=test.tmp bs=4k count=5 && sync"
5+0 records in
5+0 records out
20480 bytes transferred in 2.013 secs (101690032 bytes/sec)
0m02.17s real 0m00.16s user 0m01.13s system
oko# uname -a
OpenBSD oko.int.bagdala2.net 6.6 GENERIC.MP#3 amd64


Small Office FreeBSD file server ZFS mirror 161.15 MB/s

root@hera:/tmp # zpool list
NAME  SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAGCAP  DEDUP
HEALTH  ALTROOT
storage  3.62T   537G  3.10T- - 0%14%  1.00x
ONLINE  -
zroot57.5G  9.20G  48.3G- -11%16%  1.00x
ONLINE  -
root@hera:/tmp # cd /tmp
root@hera:/tmp # uname -a
FreeBSD hera.int.autonsys.com 11.3-RELEASE-p5 FreeBSD 11.3-RELEASE-p5
#0: Tue Nov 12 08:59:04 UTC 2019
r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
root@hera:/tmp # time sh -c "dd if=/dev/zero of=test.tmp bs=4k
count=5 && sync"
5+0 records in
5+0 records out
20480 bytes transferred in 1.270828 secs (161154799 bytes/sec)
0.031u 1.468s 0:01.59 93.7% 26+171k 10+5io 0pf+0w


Large file server 128 GB of RAM and 24 cores on ZFS mirror 542.8 MB/s

root@uranus:/tmp # time sh -c "dd if=/dev/zero of=test.tmp bs=4k
count=5 && sync"
5+0 records in
5+0 records out
20480 bytes transferred in 0.377304 secs (542797946 bytes/sec)
0.000u 0.930s 0:01.04 89.4% 15+169k 11+5io 0pf+0w


The same file server raidz2 pool 643.36 MB/s

root@uranus:/data0 # time sh -c "dd if=/dev/zero of=test.tmp bs=4k
count=5 && sync"
5+0 records in
5+0 records out
20480 bytes transferred in 0.318328 secs (643361055 bytes/sec)
0.007u 0.812s 0:02.36 34.3% 16+173k 11+5io 0pf+0w


My home DragonFly file server HAMMER 1 42.52 MB/s

Intel(R) Celeron(R) CPU 1037U @ 1.80GHz 8 GB of lowest grade consumer
RAM

dfly# time sh -c "dd if=/dev/zero of=test.tmp bs=4k count=5 && sync"
5+0 records in
5+0 records out
20480 bytes transferred in 4.816742 secs (42518366 bytes/sec)
0.021u 1.372s 0:05.22 26.6% 11+67k 0+6346io 0pf+0w
dfly# uname -a
DragonFly dfly.int.bagdala2.net 5.6-RELEASE DragonFly v5.6.2-RELEASE
#26: Sun Aug 11 16:04:07 EDT 2019
r...@dfly.int.bagdala2.net:/usr/obj/usr/src/sys/X86_64_GENERIC  x86_64



Here is your Linux Red Hat to be precies. Just look the spec of the
machine. That is 764 GB of RAM and 88 cores. SGI XFS file system circa
1990s as Linux has no other usable file system.

root@lov5$ free -h
  totalusedfree  shared  buff/cache
available
Mem:   754G286G411G1.5G 56G
 464G
Swap:  4.0G4.0G 19M
root@lov5$ uname -a
Linux lov5.int.autonlab.org 3.10.0-1062.4.1.el7.x86_64 #1 SMP Fri Oct 18
09:31:31 EDT 2019 x86_64 x86_64 x86_64 GNU/Linux
root@lov5$ more /etc/redhat-release 
Springdale Linux release 7.7 (Verona)
root@lov5$ time sh -c "dd if=/dev/zero of=test.tmp bs=4k count=5 &&
sync"
5+0 records in
5+0 records out
20480 bytes (205 MB) copied, 0.317884 s, 644 MB/s

real0m2.232s
user0m0.079s
sys 0m0.279s


Best,
Predrag

Re: Ubiquiti EdgeRouter 4 U-Boot md5sum

[Predrag Punosevac]

Predrag Punosevac wrote:

> Just want to document in the case people are searching for this. OpenBSD
> 6.6 has no problems booting of the USB and running on Ubiquiti
> EdgeRouter 4 (tested only USB installation as I didn't want to nuke 4GB
> eMMC flash storage). However, in spite of having 
> 
> check_md5sum=no 
> 
> option in U-Boot env, bootloader is checking md5sum and automatic boot
> fails. The version of U-Boot shipped with my device is 2013.07. I am out
> of fuel tonight and have no clue how to fix the problem. Any suggestions
> would be appreciated.
> 
> Best,
> Predrag
> 
> P.S. I am aware of this write up
> 
> https://openwrt.org/toh/ubiquiti/edgerouter.lite
> 
> but I have not encountered md5sum problems on ER Lite while running
> OpenBSD. I will have to check U-Boot settings on working devices next
> time I have physical access to hardware.

Duh, just for the people like myself who are mailing lists search
challenged

https://marc.info/?l=openbsd-misc&m=153893065620089&w=2

Ubiquiti EdgeRouter 4 U-Boot md5sum

[Predrag Punosevac]

Just want to document in the case people are searching for this. OpenBSD
6.6 has no problems booting of the USB and running on Ubiquiti
EdgeRouter 4 (tested only USB installation as I didn't want to nuke 4GB
eMMC flash storage). However, in spite of having 

check_md5sum=no 

option in U-Boot env, bootloader is checking md5sum and automatic boot
fails. The version of U-Boot shipped with my device is 2013.07. I am out
of fuel tonight and have no clue how to fix the problem. Any suggestions
would be appreciated.

Best,
Predrag

P.S. I am aware of this write up

https://openwrt.org/toh/ubiquiti/edgerouter.lite

but I have not encountered md5sum problems on ER Lite while running
OpenBSD. I will have to check U-Boot settings on working devices next
time I have physical access to hardware.

Re: Following patch or stable branch on Octeon

[Predrag Punosevac]

On 2019-12-21, Stuart Henderson  wrote:
> On 2019-12-21, Predrag Punosevac  wrote:
> > I run bunch of EdgeRouter Lite in production and I just scored
> > EdgeRouter 4. I was wondering what people do to keep their ER machines
> > patched or even possibly following stable? Shamefully  I have to admit
> > that up until now I just run release on ER Lite as it is only used as a
> > simple office firewall.  The fact that ER 4 has a bit more muscle made
> > me think that I could perhaps try to apply patches at least for the
> > things which don't require full kernel rebuild.
> 
> I don't have Octeon boards but if I did I'd either run -current, or run
> "cvs up" of a -stable tree from cron and build the relevant parts when
> things change.
> 
> > What about packages now the mips64 port is gone?
> 
> Hmm? Packages are there (and built quite often for -current now that
> it's done on the Rhino Labs boards).

   ^^

Hi Sten,

This is exactly the information I was looking for. I apologize for porly
wording my original email. I was under impression that original octeon
(mips64) packages were built on SGI hardware which is no longer
supported so I was curios about new build machines. I am fully aware
that mips64 packages are available for 6.6 even though I try to stick
for most part with tools from the base.

Best,
Predrag

Following patch or stable branch on Octeon

[Predrag Punosevac]

Hi Misc,

I run bunch of EdgeRouter Lite in production and I just scored
EdgeRouter 4. I was wondering what people do to keep their ER machines
patched or even possibly following stable? Shamefully  I have to admit
that up until now I just run release on ER Lite as it is only used as a
simple office firewall.  The fact that ER 4 has a bit more muscle made
me think that I could perhaps try to apply patches at least for the
things which don't require full kernel rebuild.

I am curios what machines are used by project to build Octeon binaries? 
What about packages now the mips64 port is gone?

I also noticed that Octeon 6.6 install documentation mostly speaks about
ER Lite. ER 4 is super easy to boot from the built in USB. I am still
debating weather to use USB storage or onboard 4GB eMMC flash storage. I
installed 6.6 on USB but I am getting md5 checksum error when I try to
reboot the device. Setting boot parameters manually works OK. I will try
with new USB device and try to fiddle boot parameters a bit but it could
be that I am hitting USB related bugs or that U-boot prefers onboard
flash storage.

Best,
Predrag

Re: Home NAS

[Predrag Punosevac]

Milun Rajkovic wrote:

> Pardon my ignorance and lack of deeper knowledge regarding the matter,
> but since when is XFS not even considered for such uses?
> 

Since 2005 if you are Solaris guy. Since 2008 if you are ZFS on FreeBSD
or Hammer 1 DragonFly guy. XFS is indeed the most stable and reliable
file system for Linux and in principle there is nothing wrong with using
XFS on the top of hardware or software RAID if you don't care about data
integrity, self-healing, COW, snapshots, replication and similar things.
If you put LVM2 between the RAID and XFS you could theoretically get
snapshots of logical volumes and perhaps even restore something. However
LVM2 snapshots are expensive and not really practical contrary to Red
Hat PR debarment claims. Hopefully some of old Irix SGI who are lurking
on this mailing list could tell you more things I don't know or I forgot
since my old Irix days.

Pozdrav,
Pedja


> Cheers
> Milun

Re: Home NAS

[Predrag Punosevac]

Patrick Marchand  wrote:

> Hello,
> 
> On 11/15, Predrag Punosevac wrote:
> > Patrick Marchand wrote:
> > > I'll be playing around with DragonflyBSD Hammer2 (and multiple offsite
> > > backups) for a home NAS over the next few weeks. I'll probably do a
> > > presentation about the experience at the Montreal BSD user group
> > > afterwards. It does not require as many ressources as ZFS or BTRFS,
> > > but offers many similar features.
> > >
> >
> > Been there, done that!
> Cool ! I might ping you off-list with questions when I get to it.
> 

Any time. Either this private email or at my work predr...@cs.cmu.edu
I wish I was a bit closer to Montreal to come to your monthly meeting. I
love Quebec and Montreal in particular. 


> > H2 lacks built in backup mechanism. I was hoping that H2 will get some
> > kind "hammer mirror-copy" of H1, or "zfs send/receive". My server is
> > still on H1 and I really enjoy being able to continuously back it up.
> > That's the only thing I am missing in H2. On the positive note H2 did
> > get support for boot environment manager last year.
> >
> > https://github.com/newnix/dfbeadm
> >
> > Also DF jails are stuck in 2004 or something like that. I like their
> > NFSv3.
> I'm not planning on using jails much, instead I'll be using the
> DFly NFS with OpenBSD to experiment with virtualization.
> 


I am not sure that I am following. How is DF NFS server related to
OpenBSD (if I understand correctly) virtualization. Are you trying to
store OpenBSD vmm images on the NFS share exported from a DF server?
That is a really, really bad idea. 


https://marc.info/?l=dragonfly-users&m=140384130921709&w=2


> > DragonFly which gets it software RAID discipline through old
> > unmaintained FreeBSD natacontrol utility. Hardware RAID cards are not
> > frequently tested and community seems to be keen on treating DF as a
> > desktop OS rather than a storage workhorse. Having said that HDD are
> > cheap this days and home users probably don't need anything bigger than
> > a 12TB mirror.
> I dont store much anyways, so I'll see as I go.
> 

12 TB is the sweet spot when it comes GB/dollar for platter HDDs. 

Predrag

> Regards

Re: Home NAS

[Predrag Punosevac]

Paolo Aglialoro wrote:

> A fundamental element missing from the 1st mail is on which hardware should
> run your software-defined NAS and for which use.
> 
> I exclude you are talking about several nodes, on which you can run Ceph or
> GlusterFS filesystems.
> 

"Ceph & Gluster are WILDLY different solutions to different problems."

https://www.reddit.com/r/sysadmin/comments/9onemk/ceph_vs_glusterfs/

OP is taking about home NAS. That pretty much means that the files will
be accessed by SSHFS, NFS, or CIFS. Note that OmniOS has a kernel
implementation of CIFS unlike FreeBSD. GlusterFS just like SSHFS, NFS,
or CIFS allows access to files from multiple hosts sharing via a
computer network with some added dough. Those files still have to be
stored on the HW/Soft RAID on the top of some file system UFS, H1/2,
ZFS, XFS.  I am only aware of the native Linux GlusterFS client. For all
practical purposes you will be using NFS client.  Deciding between
GlusterFS vs NFS is not an easy thing

https://www.catalyst.net.nz/blog/our-glusterfs-experiences

Quite a few US national laboratories and super computing centers use
GlusterFS typically Red Hat (or clones) servers. Red Hat has officially
support only XFS storage. However most people use ZFS as a backend. ZFS
is a third party kernel module on Linux which is very adverse to such
modules. It is major pain in the rear end to run comparing to Illumos or
FreeBSD but I know lot of big shops who are doing exactly that.
Personally if I had to design such a large network-attached distributed
storage file system I would use non-Linux ZFS for a backend which will
be mounted via iSCSI on Red Hat (or clone) GlusterFS servers. FreeBSD
iSCSI implementation used to be PITA and an afterthought. Illumis has an
excellent iSCSI implementation but I understand why most people will be
apprehensive about deploying anything Illumos based.

I have no idea how is any of this related to OpenBSD or for that matter
any BSD since initial FreeBSD port of GlusterFS is obsolete not upgraded
for many years.


> Is it a single full size multi-disk server planned for intensive activity?
> In this case don't reinvent the wheel, you got:
> - FreeNAS
> - napp-it (over solaris/omnios/openindiana)
> - Nexenta

This is a really bad advise! As somebody who foolishly  built a few
FreeNAS based sites and dismantled many more as paid jobs I could not
agree more with this blog post

https://smbitjournal.com/tag/freenas/


Again this has nothing to do with OpenBSD.

OpenBSD file server with soft RAID1 mirror (for high availability and
redundancy) will be more than adequate for most home users. It is super
simple and sysutils/bitrot is sufficient protection from slow decay. 


Predrag


> Just don't forget to substitute whatever raid SAS controller with an IT
> mode enabled one (e.g. LSI 2308) in order to really benefit of ZFS.
> 
> Is it for home use? Why not considering some low consumption hardware? If
> you want multidisk RAID just buy a qnap/synology.
> 
> If one disk is enough, buy Odroid HC2 which mounts 3.5" SATA disks, where a
> 6TB one fits perfectly. Dunno if OpenBSD may install on it (armhf v7 arch),
> but for sure either armbian or openmediavault are good choices to run on,
> having full 1Gb/s throughput and consuming even less current than some
> famous brand NAS, like the ones named before.
> 
> This said, if the aim of the project is just having fun creating a NAS from
> scratch on casual hardware running OpenBSD for the sake of it, I shut my
> mouth.
> 
> Have phun!

Re: Home NAS

[Predrag Punosevac]

Jan Betlach wrote: 


> - FFS seems to be reliable and stable enough for my purpose. ZFS is too 
> complicated and bloated (of course it has its advantages), however major 
> factor for me has been that it is not possible to encrypt ZFS natively 
> on FreeBSD as of now.

Illumos distro OmniOS CE 

https://omniosce.org/

has support for native encryption since r151032

https://github.com/omniosorg/omnios-build/blob/r151032/doc/ReleaseNotes.md

Patrick Marchand wrote:

> Hi,
>
> 
> I'll be playing around with DragonflyBSD Hammer2 (and multiple offsite
> backups) for a home NAS over the next few weeks. I'll probably do a
> presentation about the experience at the Montreal BSD user group
> afterwards. It does not require as many ressources as ZFS or BTRFS,
> but offers many similar features.
> 

Been there, done that! 


dfly# uname -a
DragonFly dfly.int.bagdala2.net 5.6-RELEASE DragonFly v5.6.2-RELEASE
#26: Sun Aug 11 16:04:07 EDT 2019
r...@dfly.int.bagdala2.net:/usr/obj/usr/src/sys/X86_64_GENERIC  x86_64

# DeviceMountpoint  FStype  Options Dump
Pass#
/dev/serno/B620550018.s1a   /boot   ufs rw
  1   1
# /dev/serno/B620550018.s1b noneswapsw
  0   0
# Next line adds swapcache on the separate HDD instead of original swap
commented out above
/dev/serno/451762B0E46228230099.s1b noneswap
sw  0   0
/dev/serno/B620550018.s1d   /   hammer  rw
  1   1
/pfs/var/varnullrw  0
0
/pfs/tmp/tmpnullrw  0
0
/pfs/home   /home   nullrw  0
0
/pfs/usr.obj/usr/objnullrw  0
0
/pfs/var.crash  /var/crash  nullrw  0
0
/pfs/var.tmp/var/tmpnullrw  0
0
proc/proc       procfs  rw  0
0


# Added by Predrag Punosevac
/dev/serno/ZDS01176.s1a /data   hammer  rw  2
2
/dev/serno/5QG00WTH.s1a /mirror hammer  rw  2
2
# /dev/serno/5QG00XF0.s1e   /test-hammer2   hammer2 rw
2   2


# Mount pseudo file systems from the master drive which is used as a
backup for my desktop
/data/pfs/backups /data/backups nullrw  0
0
/data/pfs/nfs /data/nfs nullrw  0
0


H2 lacks built in backup mechanism. I was hoping that H2 will get some
kind "hammer mirror-copy" of H1, or "zfs send/receive". My server is
still on H1 and I really enjoy being able to continuously back it up.
That's the only thing I am missing in H2. On the positive note H2 did
get support for boot environment manager last year.

https://github.com/newnix/dfbeadm

Also DF jails are stuck in 2004 or something like that. I like their
NFSv3. DragonFly which gets it software RAID discipline through old
unmaintained FreeBSD natacontrol utility. Hardware RAID cards are not
frequently tested and community seems to be keen on treating DF as a
desktop OS rather than a storage workhorse. Having said that HDD are
cheap this days and home users probably don't need anything bigger than
a 12TB mirror. 


Zhi-Qiang Lei wrote:

> 1. FreeBSD was my first consideration because of ZFS, but as far as I
> know, ZFS doesn't work well with RAID controller, 

Of course not. ZFS is a volume manager and file system in one. How would
ZFS detect errors and do self-healing if it relies on the HW Raid
controller to get the info about block devices?

> and neither FreeBSD
> nor OpenBSD has a driver for the B120i array controller on the
> mainboard (HP is to be blamed). I could use AHCI mode instead RAID
> which also suits ZFS of FreeBSD, yet there is a notorious fan noise
> issue of that approach.
> 

That is not a genuine HWRaid card. That is a build in software
raid. You should not be using that crap. 


> 2. A HP P222 array controller works right out of the box on
> OpenBSD, maybe FreeBSD as well but the combination of ZFS and RAID
> controller seems weird to me. 
> 

FreeBSD has a better support for HWRaid cards than OpenBSD. I am talking
about serious HWRaid cards like former LSI Controllers. Only Areca used
to fully support OpenBSD. Also FreeBSD UFS journaling is more advanced
than OpenBSD journaling. However unless you put H1 on H2 on the top of
hardware RAID you will not get COW, snapshots, history, and all other
stuff with any version of UFS. 

I know people on this list who prefer HWRaid and also know people on
this list who prefer softward (including ZFS).


> 3. OpenBSD is actually out of my expectation. CIFS and NFS is just
> easy to setup. The most fabulous thing to me is the full disk
> encryption. I had a disk failure and the array controller was burnt
&g

Re: Is there an easier way to browse ports?

[Predrag Punosevac]

On Thu, Nov 07, 2019 at 08:03:54AM -0600, Adam Thompson wrote:
> Oh, ok... Do you recall an example offhand?  (I haven't noticed systemic
> problems with either, but then I'm hardly a ports expert!)
> Thanks,
> -Adam

Hi Adam,

Here is a quick example for you

http://openports.se/search.php?so=gitea

vs

https://openports.pl/search?file=gitea&descr=&path=&pkgname=&category=&maintainer=

Often times entire categories will be empty on http://openports.se.

Cheers,
Predrag

Re: Tools for writers

[Predrag Punosevac]

On 2019-11-02 11:00, Oliver Leaver-Smith wrote:

> Hello,
> 
> What tools do people find useful for writing on OpenBSD? By writing I
> mean long form such as novels and technical books, including plot and
> character development, outlining, and formatting for publishing (not all
> the same application necessarily)
> 

For writing you need a text editor. I like nvi 1.79

/usr/bin/vi 

due to its predictability as I agree that Vim sucks

http://www.galexander.org/vim_sucks.html

nvi is in the base :-) Unfortunately yacc was "depreciated" on Linux in
favor of bison so good luck compiling nvi. I have never been able to
pull that one on Red Hat 7. 

Now typesetting is whole another story. In old good times a writter will
bring her/his manuscript to a publishing company where qualified
individuals would apply typographic rules, enforce standards, and do
graphics design before sending things to the typesetter. IMHO
letterpress is still the gold standard and nothing comes close to it.
However people moved to phototype first and digital to cut the cost.
Cutting cost came with the price. Quality sucks but I guess if you have
never had a letterpress book in your hands you will not know it.

I am guessing you want a computerized solution but you are not a
typesetter nor designer and you need some assistance to impose format on
the text. Essentially you have two classes of solutions.

1. You will need to use some kind logical markup and enter the mixture
of text and commands. In this case typography is embedded into the
source file.

2. You want some super clever program to do typesetting for you.

You are in luck my friend. If you chose solution one all four
typesetting systems in existence are ported and can be found in OpenBSD
ports. I am listing them in the chronological order.

a. Troff (Please see GNU Troff aka. Groff from the ports)
b. TeX (LaTeX is just a set of macros but you can also use key-value
driven ConTeXt)
c. Lout 
d. To typeset music use LilyPond. 


If you chose second option there is only one solution I am aware of. It
is Brian K. Reid Scribe. Brian used to work here at Carnegie Mellon
University many years before my time. After failing to make millions he
essentially left his code to his assistant and  my good friend/co-worker
Dale Moore who still has a working copy. I am not sure if we can get
Scribe to the ports three but for private use should be Ok. I can check
with Dale on Monday.

>
> I have found a number which boast Linux support, but not really anything
> that stands out which supports OpenBSD (aside from the obvious LaTeX et
> al.)
> 

I am not sure what you have found out but I will tell you a little
secret. No matter what you chose these days your publisher if you have
one will convert your document into XML as it is the most convenient
format for electronic safekeeping. 

Just to complete this little write up. I am not oblivious to GUI word
processors (which typically store things in Rich Text Format (RTF), a
Microsoft take onto the TeX). The only problem with them is that they
don't change the fact that people who don't know typographic rules can't
become experts on typography just because they can drug text with the
mouse and click left and right. That is why I personally use LaTeX
(typography built in packages) instead of key-value driven ConTeXt. If
you must use word processor you are again in luck with OpenBSD. OpenBSD
still has the first open source office suite in its ports tree (Siag)
and while I still use SIAG spreadsheet my exposure to Pathetic Writer
(PW) is only rudimentary. I heard a good things about Ted from people
who like RTF 

Finally I have tried a numerous lightweight markup languages but only
found txt2tags to be useful. Keep in mind that using txt2tags+htmldoc to
produce pdf document will produce horrible document as there is no line
breaking algorithm equivalent of famous TeX algorithm. Getting nicer
output from txt2tags will inevitable lead to embedding so much LaTeX
code into your txt2tags that you will start wondering why are you using
txt2tags to begin with.


Cheers,
Predrag


Cheers,
Predrag


> Mich appreciated
> 
>  ~ols
> --
> Oliver Leaver-Smith
> +44(0)114-360-1337
> TZ=Europe/London

Re: LDAP tls: handshake failure

[Predrag Punosevac]

Martijn van Duren wrote:

> On 10/24/19 2:25 PM, Claudio Jeker wrote:
> > 
> > OK claudio@
> > 
> I'll commit this soon-ish based on claudio's OK, but if at all
> possible I would like to ask the people affected by this to test this
> and see if this solves their problem.

I did this on the pair of LDAP servers atlas and titan to make sure I
can reproduce results.

atlas# uname -a
OpenBSD atlas.int.autonlab.org 6.6 GENERIC.MP#0 amd64
atlas# syspatch -l
001_bpf
002_ber
003_bgpd
atlas# rcctl restart ldapd
ldapd(ok)
ldapd(ok)
atlas# ldapvi -ZZ
ldap_start_tls_s: Protocol error (2)


# Getting source code 

atlas# cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs checkout -rOPENBSD_6_6 -P src
atlas# cvs -q up -Pd -rOPENBSD_6_6

atlas# make clean
atlas# make obj
atlas# make
atlas# make install

#atlas rcctl restart ldapd
ldapd(ok)
ldapd(ok)
atlas# ldapvi -ZZ
ldap_start_tls_s: Protocol error (2)

Upon close inspection I see that cvs is pulling the revision 1.31.2.1 

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ldapd/ldape.c?r1=1.33
which is the same as the binary patch I already installed.


Manually fetching revision 1.33 which I am guessing is going to current.
and rebuilding the daemon 

ldapvi -ZZ

is now sucessful.

So for me personally version 1.33 of ldape.c works. This is the
difference between 1.31.2.1 which can be obtained as a binary patch and
the version 1.33

atlas# diff ldape.c.v.1.31.2.1 ldape.c.v.1.33
1c1
< /*$OpenBSD: ldape.c,v 1.31.2.1 2019/10/27 20:05:13 tb Exp $ */
---
> /*$OpenBSD: ldape.c,v 1.33 2019/10/26 17:52:55 martijn Exp $ */
301d300
<   struct ber_element  *ext_val = NULL;
310c309
<   if (ober_scanf_elements(req->op, "{se", &oid, &ext_val) != 0)
---
>   if (ober_scanf_elements(req->op, "{s", &oid) != 0)
314c313
<   req->op = ext_val;
---
>   req->op = req->op->be_sub->be_next;


Cheers,
Predrag

Re: LDAP tls: handshake failure

[Predrag Punosevac]

Kapetanakis Giannis wrote:

> On 23/10/2019 19:14, Predrag Punosevac wrote:
> > Hi Misc,
> >
> > I just upgraded a LDAP server from 6.5 to 6.6 running authorization and
> > authentication services for a 100 some member university research group.
> > It appears TLS handshake is broken. This worked perfectly on 6.5 and
> > earlier.
> >
> > titan# uname -a
> > OpenBSD titan.int.autonlab.org 6.6 GENERIC.MP#372 amd64
> >
> > I am using LDAP daemon from the base
> >
> > titan# more /etc/ldapd.conf
> > #   $OpenBSD: ldapd.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
> >
> > schema "/etc/ldap/core.schema"
> > schema "/etc/ldap/inetorgperson.schema"
> > schema "/etc/ldap/nis.schema"
> >
> > listen on lo0 tls certificate titan
> > listen on em0 tls certificate titan
> > listen on "/var/run/ldapi"
> >
> > namespace "dc=autonlab,dc=org" {
> > rootdn  "cn=admin,dc=autonlab,dc=org"
> > rootpw  "{SSHA}secret"
> > index   sn
> > index   givenName
> > index   cn
> > index   mail
> > }
> >
> >
> > Server certificate is regenerated and signed by my own certification of
> > authority which is on the different machine. I used easy-rsa just like
> > for one of my OpenBSD server.
> >
> >
> > This is the configuration of openldap-client on the LDAP server itself
> > which is used to modify database
> >
> > titan# pkg_info |grep openldap
> > openldap-client-2.4.48 open-source LDAP software (client)
> > openldap-server-2.4.48 open-source LDAP software (server)
> >
> > titan# more ldap.conf
> > BASEdc=autonlab,dc=org
> > URI ldap://titan.int.autonlab.org:389
> >
> > SIZELIMIT   12
> > TIMELIMIT   15
> > DEREF   never
> >
> > SSL START_TLS
> > TLS_REQCERT demand
> >
> > TLS_CACERT  /etc/ldap/certs/ca.crt
> > TLS_CERT/etc/ldap/certs/titan.crt
> > TLS_CACERTDIR   /etc/ldap/certs
> > TLS_CIPHER_SUITE
> > ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
> > TLS_PROTOCOL_MIN 3.3
> >
> > I didn't change DNS settings and I even have 
> >
> > titan# more /etc/hosts
> > 127.0.0.1   localhost
> > ::1 localhost
> > 192.168.6.1 titan.int.autonlab.org titan
> >
> >
> > I would appreciate any clues.
> >
> > Cheers,
> > Predrag Punosevac
> >
> >
> >
> 
> ldapsearch -d9 might give some hint.
> 
> openssl s_client -connect titan.int.autonlab.org:389 -starttls ldap
> 
> might also give something.

Thank you so much for this hints. This is what I have done. I have
rebuilt a LDAP server using 6.5 

deimos# uname -a
OpenBSD deimos.int.autonlab.org 6.5 GENERIC.MP#5 amd64

with identical configuration to nonfunctional server

titan# uname -a
OpenBSD titan.int.autonlab.org 6.6 GENERIC.MP#372 amd64

on the fully functional server I see

deimos# ldapsearch -d9 -ZZ -D "cn=admin,dc=autonlab,dc=org"  -W 
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP deimos.int.autonlab.org:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.6.253:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0xea5c2f97080 msgid 1
wait4msg ld 0xea5c2f97080 msgid 1 (infinite timeout)
wait4msg continue ld 0xea5c2f97080 msgid 1 all 1
** ld 0xea5c2f97080 Connections:
* host: deimos.int.autonlab.org  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Oct 23 23:16:25 2019


** ld 0xea5c2f97080 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xea5c2f97080 request count 1 (abandoned 0)
** ld 0xea5c2f97080 Response Queue:
   Empty
  ld 0xea5c2f97080 response count 0
ldap_chkResponseList ld 0xea5c2f97080 msgid 1 all 1
ldap_chkResponseList returns ld 0xea5c2f97080 NULL
ldap_int_select
read1msg: ld 0xea5c2f97080 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 36 contents:
read1msg: ld 0xea5c2f97080 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0xea5c2f97080 0 new referrals
read1msg:  mark request completed, ld 0xea5c2f97080 msgid 1
request done: ld 0xea5c2f97080 msgid 1
res_errno: 0, res_error: <>, res_matched

LDAP tls: handshake failure

[Predrag Punosevac]

Hi Misc,

I just upgraded a LDAP server from 6.5 to 6.6 running authorization and
authentication services for a 100 some member university research group.
It appears TLS handshake is broken. This worked perfectly on 6.5 and
earlier.

titan# uname -a
OpenBSD titan.int.autonlab.org 6.6 GENERIC.MP#372 amd64

I am using LDAP daemon from the base

titan# more /etc/ldapd.conf
#   $OpenBSD: ldapd.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $

schema "/etc/ldap/core.schema"
schema "/etc/ldap/inetorgperson.schema"
schema "/etc/ldap/nis.schema"

listen on lo0 tls certificate titan
listen on em0 tls certificate titan
listen on "/var/run/ldapi"

namespace "dc=autonlab,dc=org" {
rootdn  "cn=admin,dc=autonlab,dc=org"
rootpw  "{SSHA}secret"
index   sn
index   givenName
index   cn
index   mail
}


Server certificate is regenerated and signed by my own certification of
authority which is on the different machine. I used easy-rsa just like
for one of my OpenBSD server.


This is the configuration of openldap-client on the LDAP server itself
which is used to modify database

titan# pkg_info |grep openldap
openldap-client-2.4.48 open-source LDAP software (client)
openldap-server-2.4.48 open-source LDAP software (server)

titan# more ldap.conf
BASEdc=autonlab,dc=org
URI ldap://titan.int.autonlab.org:389

SIZELIMIT   12
TIMELIMIT   15
DEREF   never

SSL START_TLS
TLS_REQCERT demand

TLS_CACERT  /etc/ldap/certs/ca.crt
TLS_CERT/etc/ldap/certs/titan.crt
TLS_CACERTDIR   /etc/ldap/certs
TLS_CIPHER_SUITE
ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
TLS_PROTOCOL_MIN 3.3

I didn't change DNS settings and I even have 

titan# more /etc/hosts
127.0.0.1   localhost
::1 localhost
192.168.6.1 titan.int.autonlab.org titan


I would appreciate any clues.

Cheers,
Predrag Punosevac

Re: experience with supermicro based Network Devices for 1Gb/s Ipsec throughput

[Predrag Punosevac]

On 2019-10-01, Lyndon Nerenberg  wrote:

> Hello All,
> 
> doing a project for a large client and I would like to know if anyone
> has
> any issues running.
> supermicro  with SOC CPUS  models
> SYS-5019A-FTN4
> SYS-5018A-FTN4

As reported previosly by others make sure you have a good warranty as
the chipset will fail randomly. I still have 4 of those but all of them
have been replaced at least once or twice under the warranty.

> SYS-1018D-FRN8T
> SYS-5018D-FN8T

I have two SYS-5018D-FN4T. One of them works flawlessly. However one of
them needs cold boot to work properly as the one of two 10Gigabit
interfaces shuts down due to the "overheating issue" as I reported by me

https://marc.info/?l=openbsd-misc&m=155789695701876&w=2

also seen by others

https://tinkertry.com/how-to-work-around-intermittent-intel-x557-network-outages-on-12-core-xeon-d

Cheers,
Predrag

> SYS-5018A-FTN4
> 
> or if there are other Atom / xeon embedded processor /systems that you
> would recommend,
> 
> we are running Pcengines APU2s in the branch offices... but I want more
> Umph
> in the data centres that the tunnels will all be terminating into ...
> 
> All suggestions welcome.. including boards / lan chipsets to avoid
> Thanks
> 
> 
> 
> -- 
> Kindest regards,
> Tom Smyth.

Re: wrong memory stats with collectd

[Predrag Punosevac]

Hi, 

I think I can confirm what you see on the bare metal system running 6.5
with 16GB of RAM.  I use Observium to display statistics from all my
servers including dozen or so OpenBSD servers. I see that the numbers
recovered by SNMP walk from OpenBSD servers are consistent with vmstat
numbers. However when I try to override default collectd.conf and report
absolute number and percentage besides memory used I don't get a
meaningful number.  Stuart Henderson @sthen is port maintainer and knows
infinitely more about collectd than I. I hope he pitches in on the
issue.

Cheers,
Predrag

Re: Kerberos SSH routing tables problem

[Predrag Punosevac]

On 2019-08-02, Stuart Henderson wrote:

> On 2019-07-29, Predrag Punosevac  wrote:
> > Hi Misc,
> >
> > I am using Edgerouter lite as a firewall/DNS cashing resolver for one of
> > our remote location
> >
> > ubnt1# uname -mrsv
> > OpenBSD 6.5 GENERIC.MP#0 octeon
> >
> > The desktops behind the firewall have to use Kerberised SSH to perform
> > some work on one of .mil servers. I opened egress ports kerberos,
> > klogin, kshell TCP protocol as well as kerberos UDP. After the work is
> > finished and desktops are "logged out" routing tables (dns) are in a bad
> > state on the firewall. A simple
> >
> > pfctl -F all -f /etc/pf.conf
> >
> > fixes the problem and desktops can again do DNS resolving and surfing
> > the Internet. 
> >
> > Could somebody give me a head start how to go about further trouble
> > shooting and fixing the problem? Obviously flashing states is not very
> > convenient.
> >
> > Most Kind Regards,
> > Predrag Punosevac
> >
> >
> 

Hi Sthen,

I apologize for long silence. I got busy with other stuff and this got
put onto the back burner. 

> Can you go into some more details about what the "bad state" is?
> 

Please forgive me for repating some things from my original email. After
rereading it I realized that I sounded like a mentally disturb
individual.

As I mentioned in my original email my folks are using Kerberised SSH to
log into some .mil computing nodes. OpenBSD 6.5 release running of
Edgerouter lite provides PF/Unbound DNS caching resolver to our office
computers. In order to reach .mil server I opened in egress direction
bunch of kerberos related ports. Thing worked like a charm. Then one day
somebody start complaining that after the Kerberized ssh session with
.mil server is closed they no longer can connect to the Internet.
Original problem report was complaining about non reachable DNS resolver
on my firewall but after further investigation I tracked down problem to
state of PF tables.

To make things more convoluted I discovered that actually problem was
not caused per se by Kerberized SSH session but a .mil homemade
application called ilauncher session. iluncher provides a web interface
similar to CUPS http://localhost:631 which is used to manage/connect
access to bunch of scientific related software packages (Jupyter
Notebooks, RStudio, etc) in a "user friendly" way. After the ilauncher
session is finished my firewall refuses any network connection to the
workstation from which ilauncher was run. The only remedy is to clear
all tables. Note that I always see that three tables are cleared when I
do

pfctl -F Tables

After that everything works as expected. Right now 

ubnt1# pfctl -s Tables

lists no tables while on my home network with similar firewall rules I
see three tables. 

minix# pfctl -s Tables  
__automatic_1c228804_0
bruteforce
sshguard


This is our office pf.conf file. I am planning to reproduce one more
time problem but this time to start flashing tables one by one until I
see which one is related to that ilauncher thing. 


ext_if="cnmac0"
int_if="cnmac1"
dmz_if="cnmac2"
lan_net = "{192.168.1.0/24}"

broken = "{224.0.0.22, 127.0.0.0/8, 172.16.0.0/12, \
  10.0.0.0/8,  169.254.0.0/16, 192.0.2.0/24, 192.168.100.0/24 \
198.51.100.0/24, 203.0.113.0/24, \
0.0.0.0/8,   240.0.0.0/4, 255.255.255.255/32}"
table  persist
table  persist


tcp_services = "{ssh, submission, imaps, http, https, 30041, 8080, \
kerberos, klogin, kshell}"
udp_services= "{domain, ntp, kerberos}"


set block-policy return
set limit states 10
set loginterface $ext_if
set optimization normal
set ruleset-optimization basic
set skip on lo
set state-policy floating
set timeout interval 10
set timeout frag 30
set timeout src.track 0
set state-defaults pflow


match in all scrub (no-df max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)


block quick from 
block in quick on $ext_if proto tcp from  \
to any port ssh label "ssh bruteforce"
antispoof quick for { $int_if $ext_if }


block drop in quick on egress from {$broken, no-route} to any
block drop in quick from urpf-failed to any
block drop in quick on ! lo0 proto tcp to port 6000:6010

block all


pass inet proto icmp all icmp-type { echoreq, unreach }
pass out on $ext_if inet proto udp to any port $udp_services
pass out on $ext_if inet proto tcp to any port $tcp_services

pass log on $ext_if inet proto tcp from any to any port {ssh} \
flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, \
 overload  flush global)

pass inet proto tcp from {$lan_net} to any port $tcp_services
pass inet proto udp from {$lan_net} to any po

Kerberos SSH routing tables problem

[Predrag Punosevac]

Hi Misc,

I am using Edgerouter lite as a firewall/DNS cashing resolver for one of
our remote location

ubnt1# uname -mrsv
OpenBSD 6.5 GENERIC.MP#0 octeon

The desktops behind the firewall have to use Kerberised SSH to perform
some work on one of .mil servers. I opened egress ports kerberos,
klogin, kshell TCP protocol as well as kerberos UDP. After the work is
finished and desktops are "logged out" routing tables (dns) are in a bad
state on the firewall. A simple

pfctl -F all -f /etc/pf.conf

fixes the problem and desktops can again do DNS resolving and surfing
the Internet. 

Could somebody give me a head start how to go about further trouble
shooting and fixing the problem? Obviously flashing states is not very
convenient.

Most Kind Regards,
Predrag Punosevac

SSH config file rdist

[Predrag Punosevac]

Hi Misc,

I got inspired by this answer 

https://marc.info/?l=openbsd-misc&m=156405651502000&w=2

and decided to try to use rdist to sync few files on bunch of my OpenBSD
servers. Everything works as advertised

https://man.openbsd.org/rdist

with caveats.

I noticed that having a space between -o and remove instead of 

install -oremove,chknfs ;

per example in the man pages causes files not to sync. That is of course
not a big deal but it seems undocumented.

However when calling rdist from a command line 

rdist -D 

with an existing /etc/Distfile I noticed that my private ssh key from 

/root/.ssh/

was not read unless it was named id_rsa. I did call rdist -D as a root
and I have a valid working and well tested  

/root/.ssh/config 

file. To make matters worse if the destination host sshd listens on a
non-default port I don't see the way to specify port to be used by rdist
when calling ssh. I don't see anything in log files. Is there anything I
can do short of reading rdist code to understand how to force rdist to
read a ssh config file. I am guessing I could play with /etc/ssh/* files
on the local and destination hosts. 

Most Kind Regards,
Predrag Punosevac

syspatch Octeon and arm64 alternatives

[Predrag Punosevac]

Hi Misc,

Are there any plans to build syspathes for Octeon platform in the
future? Octeon platform has matured nicely since the introduction in
2013 and is becoming my goto platform for SOHO environments. Apart of
the lack of hardware clocks the main nuisance is the lack of binary
patches. 


I know that arm64 is vigorously developed and I do have few ROCK64
boards but is there a consumer grade network hardware built on the top
of arm64? Can one run OpenBSD on something like SG-1100

https://www.netgate.com/solutions/pfsense/sg-1100.html

and how does it compare to edgerouter 4

https://www.ui.com/edgemax/edgerouter-4/

Thanks,
Predrag

Hackathon Report: Eric Faurot on e-mail and printing

[Predrag Punosevac]

Hi misc,

I was following with a bit of amusement recent thread 

https://marc.info/?t=15629982761&r=1&w=2

as a signal-to-noise ratio is typically higher on misc@openbsd than most
non-developer mailing lists I am subscribed to. 

At some point it occurred to me that Eric Faurot was working on the new
lpd server

https://undeadly.org/cgi?action=article;sid=20180509184829

which is showing a bit its age but it is still head and shoulder easier
to use than CUPS in the most SOHO environments at least until
foomatic-rip was intensionally broken by upstream. 

Can somebody give to people like me who don't follow closely changes in
the source code an update on the status of new lpd server? I do
understand that in the lieu of the fact that most hardware these days
comes network ready and with build in CUPS server incentive to work on
lpd might not be as high as a decade or two ago.

Most Kind Regards,
Predrag Punosevac

Re: OpenBSD runs only in RAM from a USB Flash Drive

[Predrag Punosevac]

> 30 May, 2019
> 
> Greetings OpenBSD aficionados,
> 
> As a newbie to OpenBSD, I am delighted to have the chance to interact 
> with the OpenBSD Mailing Lists community.
> Since I am about to install OpenBSD 6.5 (amd64) on a USB Flash Drive for
> 
> the first time, I was wondering if anyone has a solution to the 
> following conundrum.
> 
> In order to minimize wear on the USB Flash memory, is there a way to 
> command OpenBSD to always run in RAM, and at shutdown to either save or 
> not save the session to the USB Flash Drive.
> 

Chris Cappuccio created flashrd

https://www.nmedia.net/flashrd/flashrd-faq.html

I am not sure how useful it is these days as tmpfs was disabled in the
Fall of 2016 

https://marc.info/?l=openbsd-misc&m=146980890627188&w=2

You also have 

https://stable.rcesoftware.com/resflash/


Once upon a time people used Flashboot

https://www.mindrot.org/projects/flashboot/


Honestly even SMART capable SSDs are so cheap these days that the only
reason I can see you running OpenBSD from a USB Flash drive is to use
something like Ubiquiti Networks EdgeRouter LITE. I do use Octeon port
of OpenBSD on multiple firewalls around our lab but it is all generic
kernel

https://www.openbsd.org/octeon.html

and I am not very concern that the USB will fail due to the excessive
read and write.

Cheers,
Predrag


> For instance, Precise Puppy Linux 5.7.1 has a package called Puppy Event
> 
> Manager. Since Precise Puppy is programmed to run in RAM, you can select
> 
> the 'Save Session' tab and enter the span of minutes for everything in 
> RAM to be saved to the Precise Puppy SaveFile.
> 
> Best of all, you can enter 0 minutes to only do a save at shutdown. 
> Perfect for minimizing wear on a USB Flash Drive.
> 
> Please accept my apologies if this issue has already been solved. My 
> search so far in sites like https://marc.info has come up empty.
> 
> I thank you for your support.
> 
> Best regards,
> Hugh
> 

Re: ix0: CRITICAL: EXTERNAL PHY OVER TEMP!!

[Predrag Punosevac]

Stuart Henderson wrote:

> On 2019-05-15, Predrag Punosevac  wrote:
> > Hi,
> >
> > I am having an issue with a single 10 Gigabit interface on one of
> Intel
> > Xeon D-1541 network servers. Namely after the reboot the interface
> > appears to be down even with a static route
> >
> > phobos# ifconfig ix0
> > ix0: flags=8843 mtu 1500
> > lladdr ac:1f:6b:19:f7:72
> > index 1 priority 0 llprio 3
> > groups: egress
> > media: Ethernet autoselect
> > status: no carrier
> > inet 128.2.204.160 netmask 0xfc00 broadcast 128.2.207.255
> >
> > The only thing I can see is 
> >
> > ix0: CRITICAL: EXTERNAL PHY OVER TEMP!!  PHY will downshift to lower
> pow
> > er state!
> 
> Looking at the driver it looks like this is a high temperature alarm
> coming from the transceiver (PHY) passed on by the nic. The driver
> attempts to powers down the PHY in this condition, presumably to try to
> avoid damage.
> 
> Is the cooling in this system working correctly?
> 
> Do you still see it if you power it off for a while and let it cool
> down?
> 
> (10GBase-T is relatively power hungry.)


Hi Sten,

The network interface does come after a cold reboot (complete power off
not just reboot command). I replaced network cable and made sure that
university network guys don't have some of DHCP server "enterprise
features" on. Breaking into UEFI is not very useful but I am logged into
IPMI to a two identical SuperMicro X10SDV-TLN4F servers. One of them has
that problematic 

ix0 at pci3 dev 0 function 0 "Intel X552/X557-AT" rev 0x00: msi

interface

The only difference I see is that problematic server run 4 Celsius
degrees warmer (75 instead of 71) but according to the limits I should be
ok up until 95.

Little more search reveals that I am not the only one who got hit with
this thing 

https://tinkertry.com/how-to-work-around-intermittent-intel-x557-network-outages-on-12-core-xeon-d

I will have to think through before I decide what to do. 

Thanks for heads up. 
Predrag

P.S. I was ready to fire up Linux live CD in order to try to reproduce
the problem and see if the Intel guys have pushed some changes into the
Linux version of the driver which is not shared with this community.

ix0: CRITICAL: EXTERNAL PHY OVER TEMP!!

[Predrag Punosevac]

Hi,

I am having an issue with a single 10 Gigabit interface on one of Intel
Xeon D-1541 network servers. Namely after the reboot the interface
appears to be down even with a static route

phobos# ifconfig ix0
ix0: flags=8843 mtu 1500
lladdr ac:1f:6b:19:f7:72
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect
status: no carrier
inet 128.2.204.160 netmask 0xfc00 broadcast 128.2.207.255

The only thing I can see is 

ix0: CRITICAL: EXTERNAL PHY OVER TEMP!!  PHY will downshift to lower pow
er state!

both in dmesg included at the end of this email as well in log files.
This appears to be a line from a driver code commited few years ago by 
Mike Belopuhov

http://openbsd-archive.7691.n7.nabble.com/Intel-10GbE-ix-driver-update-Looking-for-tests-td308300.html

The server had uptime of about a week before tonigh reboot so I have no
resons to believe that the cable CAT 6 is bad but I will replace it
tomorrow. I don't own the network equipment but I have many servers
connected to the same university switch server rack including identical 
Xeon D-1541 machines and all appear to work flawlessly.

I am not a network engineer so I am quite bewildered by the whole
situation. Any hints? 

Predrag




OpenBSD 6.5 (GENERIC.MP) #0: Wed Apr 24 23:38:54 CEST 2019

r...@syspatch-65-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17055797248 (16265MB)
avail mem = 16529260544 (15763MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xed9b0 (39 entries)
bios0: vendor American Megatrends Inc. version "1.2" date 04/21/2017
bios0: Silicon Mechanics 1U_SoC_D-1541
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT SPMI MCFG UEFI DBG2 HPET WDDT SSDT SSDT 
SSDT PRAD DMAR HEST BERT ERST EINJ
acpi0: wakeup devices IP2P(S4) EHC1(S4) EHC2(S4) RP01(S4) RP02(S4) RP03(S4) 
RP04(S4) RP05(S4) RP06(S4) RP07(S4) RP08(S4) BR1A(S4) BR1B(S4) BR2A(S4) 
BR2B(S4) BR2C(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU D-1541 @ 2.10GHz, 2100.25 MHz, 06-56-03
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU D-1541 @ 2.10GHz, 2100.01 MHz, 06-56-03
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU D-1541 @ 2.10GHz, 2100.01 MHz, 06-56-03
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU D-1541 @ 2.10GHz, 2100.01 MHz, 06-56-03
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
cpu4 at mainbus0: apid 8 (application processor)
cpu4: Intel(R) Xeon(R) CPU D-1541 @ 2.10GHz, 2100.01 MHz, 06-56-03
cpu4: 
FPU,VME

Re: Upgrade procedure (6.4 -> 6.5)

[Predrag Punosevac]

Strahil Nikolov wrote:

> 
> On May 3, 2019 10:49:55 PM GMT+03:00, Nick Holland 
>  \
> wrote:
> > On 5/2/19 1:52 AM, Consus wrote:
> > > Hi,
> > > 
> > > I've upgraded my systems from 6.4 to 6.5 without a glitch, but I see
> > > that /etc/networks and some other files (like malloc.conf.5) are
> > still
> > > present, although there is no use for them in the new release.
> > > 
> > > Is there a reason why these files are not listed in "FIles to
> > remove"?
> > > Is there a way to track them? It's not like something gonna break,
> > but
> > > old configuration files (and manual pages) lying around can make
> > > someone's life harder during the debug session.
> > 
> > There is no promise that an upgraded machine will be file-for-file
> > identical to a fresh install.  Here is the list of problems this might
> > cause you, as you can see, it's a long list and quite horrible:
> > 
> > * If you use the same hw for 20 years, you might run out of disk space?
> > 
> > Ok, not very long and not very horrible.
> > 
> > You are trying to solve a non-problem.  And sometimes, 'specially on an
> > upgraded machine, it's great to see how things WERE when the machine
> > was
> > set up.  If you really care, go ahead, delete stuff.
> > 
> > Nick.
> 
> Hi All,
> 
> As I linux guy (my experience in openBSD can be easily measured in days)
> I can share the view  of less experienced user that was planing  to
> upgrade from 6.4 to 6.5 and that eneded with a full reinstall.
> 

I just upgraded 18 servers running mission critical network
infrastructure and services for a research group of 150 people.
Everything went without a glitch. Some of the servers have been
continuously upgraded since OpenBSD 5.4. That is a solid 5 years which
is a typical lifespan of a production server. 

Just as a comparison, I am still afraid to upgrade dozen or so file
servers and jail hosts running FreeBSD 11.2 to 12.0 in-spite of root on
the ZFS mirror and beadm. I typically wait at least year and a half
after initial release of Red Hat to do fresh re-installation of our
computing nodes. Red Hat as you know doesn't support upgrade between the
major releases. Ubuntu (deep learning guys love that crap) upgrade from
16.04 to 18.04 should not be attempted on the production server. On the
top of it network stack on Ubuntu 18.04 is completely broken (at lease
running as Xen DomU. I was too afraid to try on our AWS instances).


> I tried to update a VM (stock setup) with a 10 GB disk from 6.4 to 6.5
> and thus it seemed that booting from the 6.5 DVD will do the trick.
> Sadly the installer never checked the avalable space , but just started
> to do it's stuff until reporting that not enough space is available.
> 
> Why did the installer allow installation despite the available space is
> low ( even windows checks available space :) )???
> 
> Why should the end-user delete old unnecessary/problematic files ?


Because Theo's misplaced his crystal ball and without it, it's
impossible for him to tell which of your files are old and unnecessary
and which once are your local modifications and important data files. 


> Usually we do have package management system to take care of that (or at
> least to rename those files in case we really need them).
> 
> For me, system upgrade is a very complicated  and  error prone
> procedure.
> 

Just move on. Stick to what you know and feel comfortable working with.

Cheers,
Predrag

> P.S.: No offence here, just sharing my thoughts.
> 
> Best Regards,
> Strahil Nikolov

Re: [6.5] Cups + Gutenprint: file rastertogutenprint not found

[Predrag Punosevac]

Stephane HUC wrote:
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> Hi, (just FYI)
> 
> After upgrading OpenBSD from 6.4 to 6.5, I had this problem to print.
> The Webadmin of Cups informs me with this message:
> 
> "/usr/local/libexec/cups/filter/rastertogutenprint.5.2 not found!"
> 
> On the parameters about my printer, (an MFP Epson BX525WD on my local
> network), I change with the new version of Gutenprint's driver. (v5.3.x)
Did you notice that you changed the driver into v5.3 but Webadmin
complains about missing rastertogutenprint.5.2..That doesn't make sense
at all. I would expect that Webadmin complain about missing
rastertogutenprint.5.3. Did you check if you do have
rastertogutenprint.5.3 on your system? Did you check if
rastertogutenprint.5.3 is in CVS source Gutenprint 5.3 which you just
installed. 

Anything in the log files? What is the username you are using for CUPS?
I neither use CUPS nor Gutenprint but searching for similar problems as
yours turns a dozen or so leads. 

IMHO ports list might be a better suitable for further discussion if
this turns out to be the case of the missing file from a package
(happened before due to the upstream).

Cheers,
Predrag


> .
> 
> And, that's run correctly!
> 
> 
> - -- 
> ~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<<
> - 
> Stephane HUC as PengouinBSD or CIOTBSD
> b...@stephane-huc.net
> -BEGIN PGP SIGNATURE-
> 
> iHUEARYKAB0WIQScTRXz7kMlZfGpDZMTq98t3AMG7wUCXMYQ0gAKCRATq98t3AMG
> 78/hAQDHE2kdDyXuuXxpuAbrgPkoVd32HjhmFC05zF56YsJvFAD+L5Q4oxzBIull
> qbouLJ8o1tOcdgbtTo1gZDhfC6NVggk=
> =izfF
> -END PGP SIGNATURE-
> 
> 

Re: Laser printer setup help (and/or recommendation)

[Predrag Punosevac]

> Moises Simon wrote:
> 
> Hi, I need some help to setup or buy new printer.
> 
> I have been trying to make a Brother DCP-L2530DW working on OpenBSD.
> 

A quick look into "Open" Printing 

https://www.openprinting.org/printers

doesn't show any info on the device you have. However, DCP-L2540DW, 
DCP-L2550DW, and DCP-L2560DW are listed but the info is of the very low
quality provided by users. For example

https://www.openprinting.org/printer/Brother/Brother-DCP-L2550DW

I have a bad feeling that that is one of those cheap one-in-all devices 
for which Linux "open" source driver is provided by the manufacturer.
Those so-called "open" drivers have a hidden binary blob component. 





> I have tried:
> 
> * Send ps files to the printer `cat file.ps > /dev/ulpt0`
> * Filter plain-text (and ps) with a2ps,foomatic-rip and the oem
> provided ppd.
> 
> But all this just "print" blank pages, and not always.
> 
> Since its seems this printer its not very OpenBSD friendly I'm searching 
> for another one with Postscript and/or PCL support (which should be 
> easier to setup)
> 
> I want a monochrome laser printer to connect via usb to my server and 
> set it up with lpd(8) (better if it has multifunction capabilities).
> 


# Remote printer must use jetdirect since foomatic-rip doesn't speak LPD
rp|HL-5250DN:\
:lp=9100@192.168.3.15:\
:if=/etc/foomatic-rip/script_brother.sh:\
:sh:sd=/var/spool/output/brother:\
:lf=/var/log/lpd-errs:

predrag@oko$ more /etc/foomatic-rip/script_brother.sh
#!/bin/sh

/usr/local/bin/a2ps -BRq --columns=1 -o - | \
/usr/local/bin/foomatic-rip -P HL-5250DN --ppd
/etc/foomatic-rip/direct/brother-hl-5250dn-postscript-brother.ppd


Make sure you read /usr/local/share/doc/pkg-readmes/cups-filters

Linux guys have broken foomatic-rip few years ago which requires little
hack these days to work with a Berkeley lpd spooling system. It is
counter intuitive but you will need to install cups-filters package to
get foomatic-rip.

5250dn is a bit old now but HL-L5100DN which I bought two years ago for
my lab works equally well on OpenBSD. 


> Any Postscript printer should be compatible and easy to setup? Even if 
> it's not on `foomatic-ppdfile -A | grep Postscript`
> 
> What have I to consider regarding scanner support?
> 

Note that most scanners these days are capable of scanning to umass
storage devices or directly to email so they are OS agnostic. OpenBSD
scanner support is provided by sane-backends just like on Linux with the
caveat that the drivers with hidden binary blobs (epkowa-epson comes to
mind) will not work. 

oko# uname -a
OpenBSD oko.int.bagdala2.net 6.4 GENERIC.MP#9 amd64
oko# sane-find-scanner 

  # sane-find-scanner will now attempt to detect your scanner. If the
  # result is different from what you expected, first make sure your
  # scanner is powered up and properly connected to your computer.

  # No SCSI scanners found. If you expected something different, make
sure that
  # you have loaded a kernel SCSI driver for your SCSI adapter.

found USB scanner (vendor=0x04b8 [EPSON], product=0x011f [EPSON
Scanner]) at libusb:000:003
  # Your USB scanner was (probably) detected. It may or may not be
supported by
  # SANE. Try scanimage -L and read the backend's manpage.

  # Not checking for parallel port scanners.

  # Most Scanners connected to the parallel port or other proprietary
ports
  # can't be detected by this program.

Make sure you do the homework 

http://www.sane-project.org/sane-mfgs.html

The one I am listing above is very old but high quality (for old
negatives and photos) scanner. I have few others. I picked on the
garbage two years ago EPSON WorkForce 845 which doesn't require binary
firmware like the one above and scannes out of the box. Unfortunately
the inkjet color printer on WorkForce 845 is paperweight on OpenBSD but
my kids were printing from smart phones. 

I hope this helps.

Cheers,
Predrag


> Do you have any recommendations on the 100-200 price range.
> 
> Thanks

Re: Are there open source firewall distributions which are built on top of OpenBSD?

[Predrag Punosevac]

Turritopsis Dohrnii Teo En Ming wrote on Tue, Mar 12, 2019 at 02:31:47PM +:

> Are there open source firewall distributions which are built on top
> of OpenBSD,

https://securityrouter.org/wiki/Main_Page

Once upon a time there was a ComixWall

https://undeadly.org/cgi?action=article;sid=20080112215331

but it died

https://marc.info/?l=openbsd-misc&m=126037728930452&w=2

Cheers,
Predrag

demystifying trap

[Predrag Punosevac]

Could one of peple with some rudimental knowledge of kernel interals
tell me what am I seeing here

Jan 12 13:42:37 oko /bsd: trap [mmonit-bin]89524/427284 type 6: sp
122488ae75d0 not inside 7f7fffbf4000-7f7f4000


I was trying to run MMonit binaries on my desktop.

https://mmonit.com/download/

Most Kind Regards,
Predrag

P.S. predrag@oko$ uname -a
OpenBSD oko.int.bagdala2.net 6.4 GENERIC.MP#3 amd64

Re: SSH server immediately closes connection

[Predrag Punosevac]

On 12/14/18 00:27,

wrote:
> Hello,
> I've got a PC running OpenBSD current.
> After the latest upgrade I cannot ssh to it.
>
> When I run "ssh 10.26.5.70"
> I get this:
> "Connection to 10.26.5.70 closed by remote host.
>  Connection to 10.26.5.70 closed."
> As an SSH client I use another OpenBSD box and a Linux machine
> with the same result.
> When I run "ssh -vvv 10.26.5.70"
> the last messages are:
> 
> "debug3: receive packet: type 52
> debug1: Authentication succeeded (publickey).
> Authenticated to 10.26.5.70 ([10.26.5.70]:22).
> debug1: channel 0: new [client-session]
> debug3: ssh_session2_open: channel_new: 0
> debug2: channel 0: send open
> debug3: send packet: type 90
> debug1: Requesting no-more-sessi...@openssh.com
> debug3: send packet: type 80
> debug1: Entering interactive session.
> debug1: pledge: network
> debug3: send packet: type 1
> debug1: channel 0: free: client-session, nchannels 1
> debug3: channel 0: status: The following connections are open:
>   #0 client-session (t3 nr0 i0/0 o0/0 e[write]/0 fd 4/5/6 sock -1 cc -1)
> 
> debug3: fd 1 is not O_NONBLOCK
> Connection to 10.26.5.70 closed by remote host.
> Connection to 10.26.5.70 closed.
> Transferred: sent 2644, received 1932 bytes, in 0.0 seconds
> Bytes per second: sent 1085498.2, received 793185.5
> debug1: Exit status -1"
> 
> 
> No errors in /var/log/daemon
> No errors in /var/log/authlog
> 
> The result doesn't depend on the user which I use to login.

I have seen SSH server immediately closing connection in the following
setting: 

I run Alpine Linux as a XEN dom0 host in production on several
moderately large physical machines (256 GB of RAM, 44 cores, and a dozen
or so DomU guests on the dedicated block devices). By default Dom0
instance of Alpine is provision with 256 MB of RAM regardless of the RAM
size of the physical host. That amount of RAM is typically sufficient
for hypervisor itself + one or two micro instances. Once you try to spin
a larger DomU instance SSH server running on Dom0 host will reproducibly
close connection when you try to ssh to it due to the insufficient RAM.

First time I got bitten by this behavior it took me a long time to
understand what was happening. Namely, I typically provision at least
4GB of RAM for Dom0 host in /boot/extlinux.conf. However that file gets
overwritten with the default options every time one runs

apk update
apk upgrade

As soon as one reboots the box after the update (new /boot/extlinux.conf
unedited is used with 256MB of RAM for Dom0) SSH server on Dom0
starts to close connection.

I have no idea about your set up (if your SSH server runs on the
physical or virtual host) and my experience might seems completely
unrelated to your question at first. However it would be worth looking
at the RAM consumption of your SSH server when it starts misbehaving. It
sounded like the set up you currently have worked before you upgraded to
current. That might have been the case and the current misbehavior might
have been trigger by new higher RAM requirement of the OpenBSD 6.4
current. 

It also occurred to me that you might be using non amd64 image like the
one needed for EdgeRouter Lite (which I like to use for our remote
offices). The EdgeRouters I have come with 512MB of RAM.  It is very
plausible that if you run something like IPsec (site-to-site) tunnel or
non-caching web proxy from such box you are running out of RAM and that
manifests in SSH server closing on you. In my experience 6.4 runs like a
champ on EdgeRouters in the role of pure firewall.


Most Kind Regards,
Predrag

OT: OpenBSD NFS Performance

[Predrag Punosevac]

Jordan Geoghegan wrote:
> On 11/17/18 10:53, Predrag Punosevac wrote:
> > On Sat, Nov 17, 2018 at 01:35:05AM +0100, Willi Rauffer wrote:
> >
> >> Hello,
> >>
> >> we want to make one logical volume out of several physical volumes,
> but there is no \
> >> LVM (Logical Volume Manager) in OpenBSD!
> >> Will there be a LVM in OpenBSD in the future?
> >>
> >> Thanks...Willi Rauffer, UNOBank.org
> > P.S. OpenBSD's NFSv3 server and client implementation is pretty slow
> so
> > that begs the question how you are going to access that data pool.
> >
> I have an OpenBSD 6.3 NFS server, and it is able to achieve gigabit line
> 
> speed no problem. I've transferred hundreds of terrabytes through that
> thing and it hasn't let me down once. Most of the NFS clients 
> connected to it are CentOS 7 machines, and after a bit of fiddling, 
> line speed was achieved without issue.

I can believe that as the NFS read performance is primarily
client-driven.

> The OpenBSD NFS client does seem to be a a tad slow though, and much
> fiddling was required to get anywhere close to line speed with it.

As I already said NFS read performance is primarily client-driven.
Setting the read-ahead (for example, mount_nfs -a 4) is the biggest
performance driver for reads. Unsurprisingly OpenBSD defaults to -a 1.

predrag@oko$ more /etc/fstab|grep nfs
192.168.3.2:/data/nfs/hammer nfs rw,noatime,-a=4 0 0

Most of what I know about the topics was initiated by this wonderful
post of Matt Dillon

https://marc.info/?l=openbsd-misc&m=146130062830832&w=2

I would be very interested to learn what you have done to get OpenBSD
NFS client speed close to 1 Gigabit (although at work I only use 10
Gigabit or InfiniBand gear so even 1 Gigabit is only of interest for my
home setup).

Cheers,
Predrag

P.S. Just for the record I would much rather see WAPBL ported and fully
functional on OpenBSD than NFS performance improvment or even HAMMER2.
WAPBL would actually make a real difference for my firewall/embedded
OpenBSD deployments. HAMMER2 would be nice to have on my OpenBSD laptop
but I can leave without it. 

Re: Missing LVM (Logical Volume Manager)

[Predrag Punosevac]

On Sat, Nov 17, 2018 at 01:35:05AM +0100, Willi Rauffer wrote:

> Hello,
> 
> we want to make one logical volume out of several physical volumes, but there 
> is no \
> LVM (Logical Volume Manager) in OpenBSD! 
> Will there be a LVM in OpenBSD in the future?
> 
> Thanks...Willi Rauffer, UNOBank.org

There are people on this mailing list infinitely more knowledgeable and
experienced than I both with Linux and BSDs so they will correct me
claims if necessary. 

In my experience using LVM2 (LVM is depreciated) to create software RIAD
even on Linux (I have the most experience with RHEL) is a bad idea
unless you belive at the RedHat PR BS. Most people myself included if
they have to use softraid on Linux prefer to do it from mdadm (softraid
discipline for Linux and then perhaps put LVM on the top of it although
I fail to see the purpose). In the lieu of the lack of modern file
system on Linux (Btrfs is a vaporware and ZFS is an external kernel
module which lags many version numbers behind Solaris and FreeBSD) some
PR guys from RedHat started even advertising LVM2 snapshots as a real
snapshots. That is pure BS as they are very expensive operation and for
all practical purposes useless on the legacy file system XFS which is
really the only really stable FS on Linux. If you are storing your data
on Linux you should be using Hardware RAID and XFS. 

Not having LVM2 on OpenBSD is a feature not a bug!  Dragon Fly BSD has
partial not really functional implementation of LVM that I am quite
familiar with. IIRC NetBSD has LVM2 implementation but it is hard to me
to say usefulness of it as I have never used. 

As somebody mentioned. OpenBSD softraid can be used to manage logical
volumes

oko# bioctl softraid0
Volume  Status   Size Device  
softraid0 0 Online  2000396018176 sd3 RAID1 
  0 Online  2000396018176 0:0.0   noencl 
  1 Online  2000396018176 0:1.0   noencl 

but it is quite crude and it will take you more than a week to rebuild
simple 10 TB mirror. IMHO softraid is far more useful for drive
encryption on your laptop for example than for data storage. I don't
have any experience with Hardware RAID cards on OpenBSD (Areca should
have really good support) which I do prefer over softraid (but not over
ZFS). However OpenBSD lacks modern file system (read HAMMER or HAMMER2)
to take advantage of such set up.


Best,
Predrag  

P.S. OpenBSD's NFSv3 server and client implementation is pretty slow so
that begs the question how you are going to access that data pool. 

Few ldapd questions

[Predrag Punosevac]

Hi Misc,

I have been using ldapd for the past five years for centralized user
authorization and authentication for a growing university research
group. Secured connections are provided using STARTTLS even thought all
queries are done on the private network. More recently I did some more
reading and forced all openldap-clients to use FIPS approved algorithms
for higher security protection

https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402annexa.pdf

Things appear to be working like a charm. However I am a bit confused
about doing two things with ldapd. 

By reading man pages

https://man.openbsd.org/ldapd.conf.5

it seems to me that able to deny anonymous reads from the machines with
valid certificate of authority of my LDAP server by adding some kind
filter rules. However, I am unable to find any ldapd examples. 
Secondly is there a way for ldapd to deny access to client machines
which don't present valid client certificates and keys?

Thanks for your help.
Predrag

Re: unbound-checkconf "Killed" on openbsd 6.4 amd64 when loading large local cache

[Predrag Punosevac]

Tom Smyth wrote:

> Hello all,
> unbound-checkconf "Killed" when cheking a large local zone config file
> rcctl start unbound fails because of the above command failing
> 
> background
> 
> we were migrating our dns filtering from one platform to openbsd
> so we have a basic unbound configuration file that loads another
> configuration file that contains zones for an educational institution
> to filter inappropiate sites for kids.
> the zone file is located below (89M)
> http://5.134.89.24/unboundlocalzone.conf
> the above file was loaded into /var/unbound/etc/
> and then was included in the unbound.conf file using the include
> directive
> include: /var/unbound/etc/unboundlocalzone.conf
> 
> when I run unbound-checkconf it runs for about 30 seconds and then
> i see a "Killed" message on  the commandline
> 

I just run unbound-checkconf with your local zone file and I can't
reproduce your report 

oko# uname -a
OpenBSD oko.bagdala2.net 6.4 GENERIC.MP#364 amd64

oko# ls -l 
total 183368
-rw-r--r--  1 root  wheel 2366 Oct 24 23:03 unbound.conf
-rw-r--r--  1 _unbound  _unbound  93821046 Oct 24 23:00 unboundlocalzone.conf

oko# head -10 unboundlocalzone.conf
 
server:
local-zone: "0gratisporno.ontheweb.nl" redirect
local-data: "0gratisporno.ontheweb.nl A 5.134.89.24"
local-zone: "0sexe.free.fr" redirect
local-data: "0sexe.free.fr A 5.134.89.24"
local-zone: "0nwebcamnow.com" redirect
local-data: "0nwebcamnow.com A 5.134.89.24"
local-zone: ".1.free.fr" redirect
local-data: ".1.free.fr A 5.134.89.24"
local-zone: "69.com" redirect



oko# grep "include" unbound.conf
 
include: "/var/unbound/etc/unboundlocalzone.conf"

oko# unbound-checkconf
unbound-checkconf: no errors in /var/unbound/etc/unbound.conf


It did take good 30-45 seconds for my machine to parse the file. However
I was NOT able to start the unbound with your zone file due to the time
out error.

oko# rcctl start unbound  
unbound(timeout)


I have four cores and 16 GB of RAM on this machine. I can try
tomorrow at work on much more powerful machine with 64 GB of RAM. 

Cheers,
Predrag




> rcctl start unbound fails after about the same time and it woudl appear
> that the rcctl script calls unbound-checkconf  before starting the
> unbound
> 
> however running unbound or nohup unbound works fine..
> to load that local zone into memory it takes about  4G of Ram,
> 
> /var/log/messages is clear
> /var/log/daemon is clear
> 
> 
> 
> 
> 
> -- 
> Kindest regards,
> Tom Smyth

Re: Cloud-Storage & OpenBSD

[Predrag Punosevac]

> On Sep 2, 2018, at 10:43 AM, Kurtis  wrote:
> 
> Hey all,
> 
> I'm just wondering if anyone has any suggestions with any Online File
> Backup Synchronization services?
> 
> I used Dropbox for a long time but decided to drop it in favor of
> pCloud. It's about time to do another annual subscription so I'm
> looking at options.
> 
> I use the same service for backing up photos from my phone, backing up
> documents from computers, and syncing files between multiple machines
> (Mac, Windows, and Linux, Android).
> 
> Specifically, I'm looking for a service that is compatible with the
> major operating systems but also has a good client for OpenBSD.
> 
> Bonus feature would be the ability to share the service with my family
> using different accounts.
> 
> The ability to generate credentials that can only access certain folders
> would be  _really_ cool. For example, my machines could generate
> reports and store them in my sync'd service so I could simplify
> viewing them from any machine.
> 
> Thanks!

sysutils/tarsnap
sysutils/borgbackup
sysutils/duplicity 


Maybe also 

www/nextcloud
www/owncloud


Dain Bentley wrote:

> Rclone and a storage provider of choice

I don't see it in ports. 

https://rclone.org/downloads/

seems to be the link to binary blob. Could you give me the link to
source code?


Cheers,
Predrag

Re: Best way to serve files to Windows?

[Predrag Punosevac]

John Long writes:

> Hi,
>
> I have minidlna working fine on OpenBSD. However this doens't help with
> Roon media software since they don't have anything for OpenBSD,
> unsurprisingly. Roon doesn't want to support dlna.
>
> I have my Windows foobar2000 appliance roped-off from my LAN because I
> don't trust Windows boxes on my network. So I would like to set up some
> way to serve the files to Windows from OpenBSD. I guess that is
> CIFS/SAMBA?
>
> Is this secure over the network? I have not done this before and I
> don't know what's involved. Is there an approved CIFS implementation to
> use?
>
> Thanks,
>
> /jl

sshfs

This is the Windows client which works well for my lab members who like
to use Windows.

https://www.nsoftware.com/netdrive/sftp/

Re: Julia on OpenBSD?

[Predrag Punosevac]

On July 13 2018 Rudolf Sykora wrote:

> Hello,
>
> has anyone any experience with running Julia (language)
> on OpenBSD? How difficult was it to set it up? (It isn't
> in the Ports.)
>
>

As somebody already pointed out bcallah@ was looking more into it but
last time I looked (1-2 years ago) it would be a major undertaking both
by upstream and the porter. 

Even on RHEL which is the most widely used OS for scientific computing
Julia has to be compiled from the source.

What are you trying to do with Julia? If you are just trying to do
science it is probably a bad choice. Jeff Bezanson came here to Carnegie
Mellon University to give a talk 2 years ago and I was not too
impressed (arguably I am more interested in science than in computer
language design). They had immense momentum 5-6 years ago but I think
the enthusiasm is dissipating at least among scientist.

Cheers,
Predrag

Re: nvi and unicode

[Predrag Punosevac]

On July 13 2018 Thuban wrote:
> 
> Default vi (nvi) in OpenBSD doesn't handle correctly most of UTF-8
> sings such as "", "?? " or so. One need to install
> nvi package to do so.
> Is it planned to replace the vi binary in the future?
> Is there any reason I can't think to keep this vi version?
> 
> Regards.
> -- 
> thuban

If you read

https://en.wikipedia.org/wiki/Nvi

you should have noticed the following paragraph

"BSD projects continue to use nvi version 1.79 due to licensing
differences between Berkeley Database 1.85 and the later versions by
Sleepycat Software."

So the answer is no. nvi in the base of OpenBSD is further cleaned from
bugs beyond once upon a time common code. bcallah@ could shed more light
on the work on nvi from the base. Obviously if you need UTF-8 support
you have a choice of using package or two switching to DragonFly BSD
which has nvi2 in its base.

Cheers,
Predrag 

arm64 recommendation Pine64 or Rock64

[Predrag Punosevac]

Hi Misc,

I am soliciting opinions about the arm64 board which I would like to buy
for a project. I am debating between Pine64 Pine 64 which has Allwinner
A64/H5 processor

https://www.pine64.org/?product=pine-a64-lts

or much newer model Pine64 Rock64 with Rockchip RK3328 processor

https://www.pine64.org/?product=rock64-media-board-computer

I eliminated Raspberry Pi 3 early on due to the proprietary firmware and
lack of storage drivers.

It seems like  Rock64 with Rockchip RK3328 is clear winner of the two.
Can somebody confirm that OpenBSD 6.3 current runs smoothly and that I
can install OS on MicroSD Card. I am in particularly keen on building an
embedded computer which will use  Arduino UNO a microcontroller
motherboard(s) to pool DHT22 AM2302 Digital Temperature And Humidity
Measurement Sensor as well as HC-SR501 Human Sensor Module Pyroelectric
Infrared. I see arduino-1.0.2p6v0.tgz among aarch64 packages so I am
guessing somebody has already tried this. Any feed back on developing
Arduino sketches from arm64 board?

Best,
Predrag

Automounting with amd

[Predrag Punosevac]

Hi misc,

I have a question about amd daemon. I recently rebuilt the main file
server for our university lab and decided to use separate ZFS datasets
for user home directories. Our main file server runs 11.1-RELEASE-p11.
That creates a bit of a problem as each home directory has to be a
separate NFS mount. For more detailed description I will refer you to
the summary I wrote a while ago

https://forums.freebsd.org/threads/nested-children-zfs-datasets-and-nfs-exports-for-recursive-mount.63411/

Long story short unlike few startups for which I originally implemented
the setup our shell gateways run OpenBSD (clients over there were RHEL
machines and you guessed I used autofs daemon to mount home directories
per request instead of /etc/fstab). 

I am trying to accomplish the same on OpenBSD but I am going nowhere so
far. 

lop1# uname -a
OpenBSD lop1.int.autonlab.org 6.3 GENERIC.MP#4 amd64

lop1# more /etc/amd/master 
/home   amd.home

lop1# more /etc/amd/amd.home
/defaults 
type:=host;sublink:=${key};opts:=rw,noatime,-a=4,vers=3,proto=tcp,nosuid,nodev
*
rhost:=gaia.int.autonlab.org;rfs:=/storage/zfsauton2/home/ewinston

I do launch daemon as 

amd -a /zfsauton2

but I get amd:38887 on /zfsauton2/home type nfs (v2, udp, intr,
timeo=100, retrans=101)

version 2 of NFS protocol which tells me that none of my configuration
files has been read. 

What I would like to accomplish is have one line per user and create on
the fly mount point on /zfsauton2/home which does exist on OpenBSD
client and then mount remote file system to it. Is that possible with
amd? If not I will just write a script and create fake user directories
on the shell gateway instead of mounting over a hundred remote NFS
directories.

Best,
Predrag

Logging to Elasticsearch with syslog-ng

[Predrag Punosevac]

Hi Misc,

I am revisiting the idea of storing log files in Elasticsearch DB for
quick search, analytics, and visualization  (Kibana). I would like to
keep my current OpenBSD syslog-ng centralized logging server and just
write logs into ElasticsearchDB instead of flat files. Looks like
Elastricsearch runs happily on OpenBSD 

http://openports.se/textproc/elasticsearch

just like Kibana

http://openports.se/www/kibana

I was wondering if the syslog-ng version in ports 3.12.1 (the latest
release seems to be 3.15.1) supports Java plugin needed to send logs
from syslog-ng to Elasticsearch. It looks like 3.12.1 is high enough
version which supports syslog-ng-incubator which was not the case last
time

https://marc.info/?l=openbsd-misc&m=143249546020820&w=2

However I don't see incubator in ports

https://github.com/balabit/syslog-ng-incubator

To be frank by looking quickly through incubator GitHub pages it is not
even clear to me that Java module currently necessary to send things to
Elasticsearch is even the part of the incubator. I stumbled somewhere on
Balabit official documentation which recommends Linux (binary blob
plugins) as the syslog-ng server OS for that very reason.

I do see that Balabit is contemplating writing a native Elasticsearch
destination driver per Google Summer of Code

https://github.com/balabit/syslog-ng/wiki/GSoC-2018-Proposal-:-ElasticSearch-destination:-native(C)-REST-API

Can anybody who is more informed than I on the topic shed some light
onto this topic?

Best,
Predrag

ed viewing trailing spaces

[Predrag Punosevac]

Hi Misc,

I just got Michael Lucas' Ed Mastery. While reading through the book I
tried few things and I realized that viewing trailing spaces on OpenBSD
6.3 doesn't work the way described in man pages, Michael's book, and
other OSs (I tired Red Hat 7.5, FreeBSD 11.1p10, DFBSD 5.2.1)

Namely command 

,l

doesn't allow me to see trailing spaces. I would expect to see a dollar
sign at the end of the line.

Am I missing something obvious here. I like probably most of you use ed
only when trying to edit something in the single user mode so I don't
recall using this particular command before.

Cheers,
Predrag

P.S. It is nice to see that after Jacek Artymiak, Michael took a shot
and wrote this short book on Ed. The book is nice read and so far my
main complaint with it is the lack of the summary of all Ed commands
which is actually present in man pages as well as in this GNU manual
(obviously different version of the editor)

https://www.gnu.org/software/ed/manual/ed_manual.html

New lpd server

[Predrag Punosevac]

Where can I learn more about the work on the new lpd server aside of
reading the code? I learnt about it from the OpenBSD Journal

https://undeadly.org/cgi?action=article;sid=20180509184829


Thank you!
Predrag

CVE-2018-8897

[Predrag Punosevac]

Does this

https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-8897

affect 6.3 stable?

Best,
Predrag

SMTP client added to -current

[Predrag Punosevac]

Recently I an interesting article on OpenBSD Journal

https://undeadly.org/cgi?action=article;sid=20180427124425

I had a question which is not addressed by man pages

https://man.openbsd.org/smtp.1

but I guess Eric and other developer familiar with code were busy
hacking new cool things.

I was wondering if somebody could give me some insight into how is the
new SMTP client related to OpenSMTPD? I would think one could create a
"new" SMTP client by a straight forward surgery on OpenSMTPD. How does
the new SMTP client compare to DragonFly Mail Agent (dma)? As most
machines these days just need to send an e-mail to the relaying SMTP
server are there plans to make new SMTP client default instead of full
blown OpenSMTPD.

Thank you,

Predrag

Re: 4-ports router under $150

[Predrag Punosevac]

On 04/07/18 14:59, Anatoli wrote:
> Hi All!
>
> I'm looking for a modest 4-5 ports router under $150 that works well 
> with OpenBSD. I don't need WiFi, USB or console port, and the 
> throughput don't need to exceed 100Mbps. The ideal device would be 
> EdgeRouter X (compact, 5 ports, $50) but I know it's not supported at 
> this moment and probably never will be.
>
> EdgeRouter (ER) Lite only has 3 ports and the switch ports (eth2-4) of

> ERPOE-5 are not yet supported.
>
> ER-4 would be great, but the 4th port is SFP, I'd need to by an SFP 
> NIC for one of my devices and I'm not sure it's supported as the 
> octeon page says ER PRO SFP ports are not supported yet. Also it's a 
> bit expensive ($190).
>
> Banana Pi R2 would be great too, but I couldn't find if it's supported

> by OpenBSD (it has MediaTek MT7623N, Quad-core ARM Cortex-A7).
>
> Are there 4-5 port devices that are known to work well with OpenBSD?
>
> Thanks,
> Anatoli
>

This is slightly over your price range but I have a bunch of these
deployed in few startups.

https://www.amazon.com/Firewall-Micro-Appliance-Gigabit-Barebone/dp/B01GIVQI3M
This one looks even better but it is more expensive. 

https://www.amazon.com/Firewall-Appliance-Gigabit-AES-NI-Barebone/dp/B072ZTCNLK
I don't have any of those models. 

I do have EdgeRouter Lite  Ubiquiti Networks but it has 3 ports in
total. 

Predrag

P.S. I would really like to hear from OpenBSD users who own one of these
devices

https://www.openbsd.org/armv7.html

Re: is there foomatic-rip for lpd on openBSD 6.3?

[Predrag Punosevac]

On Mon, Apr 09, 2018 at 04:52:36PM +0200, Rudolf Sykora wrote:
> > Hello,
> > 
> > I want to print from openBSD 6.3. I tried to use lpd and found
> > some information on the web about setting up /etc/printcap.

Around here we actually read man pages and pkg-readmes

predrag@oko$ uname -a
OpenBSD oko.bagdala2.net 6.3 GENERIC.MP#107 amd64

Please check for foomatic-rip filters explanation which was
intensionally broken by upstream for LPD spooling 

/usr/local/share/doc/pkg-readmes/cups-filters-1.20.1

You should also try to find your answer by searching first 

misc@openbsd and ports@openbsd

Here is my post which would have answered your question.

https://marc.info/?l=openbsd-ports&m=141490031517069&w=2


> > Many texts use the foomatic-rip program. I can't find one
> > in ports. Is there anything instead? What's the recommended
> > way to set up printing?
> 
> i've been using cups and works.

Most of OpenBSD guys I personally know are big believers in KISS
principle. Answering original question with a suggestion that a simple
functionality available from the base should be replaced with a very
complicated external program is a bad advise.

Predrag



> 
> > 
> > Thanks for any comments
> > Ruda

Re: Relinking unique kernel failed after syspatch

[Predrag Punosevac]

Leo Unglaub wrote:

> Hello,
> today I wanted to apply the latest patches on our servers. They all 
> worked fine, only on one server where i was missing some previous 
> patches as well it got an error from syspatch.
> 
> > # syspatch
>
> > Get/Verify syspatch62-005_ahopts.tgz 100% \
> >
> |**|
> \
> > 703 KB00:00 Installing patch 005_ahopts
> > Get/Verify syspatch62-006_prevhdr... 100% \
> >
> |**|
> \
> > 783 KB00:00 Installing patch 006_prevhdr
> > Get/Verify syspatch62-007_etherip... 100% \
> >
> |**|
> \
> > 1030 KB00:00 Installing patch 007_etherip
> > Get/Verify syspatch62-008_unbound... 100% \
> >
> |**|
> \
> > 1294 KB00:00 Installing patch 008_unbound
> > Get/Verify syspatch62-009_meltdow... 100% \
> >
> |**|
> \
> > 40344 KB00:13 Installing patch 009_meltdown
> > Get/Verify syspatch62-010_ahauth.tgz 100% \
> >
> |**|
> \
> > 1095 KB00:00 Installing patch 010_ahauth
> > Relinking to create unique kernel... failed!
> 
> I looked into /usr/share/compile/GENERIC.MP/relink.log but the only 
> thing in there is:
> 
> > (SHA256) /bsd: FAILED
> 


https://marc.info/?l=openbsd-misc&m=151245106222333&w=2

Re: pfstat and queueing

[Predrag Punosevac]

Stuart Henderson wrote:

> It can already be monitored to some extent, base snmpd does already
> support a number of things in OPENBSD-PF-MIB, but not queues yet.

Any chance that you share with us how you plot the data you recover with
snmpwalk from those MIBs. I would be most interested in
LibreNMS/Observium. Also how difficult would be to write PF plugin for
PF? Somebody apparently tried


https://github.com/darinkes/collectd-pf
https://collectd.org/wiki/index.php/Plugin:PF

Any hints?

Best,
Predrag

Re: acme-client No registration exists matching provided key

[Predrag Punosevac]

Jordan Geoghegan  wrote:

> Hi,
> 
> I recently dealt with this issue as well and the solution was quite 
> silly. The problem is that acme-client is failing due to the agreement 
> url being out of date; there is a new agreement v1.2. acme-client has 
> been patched in current I believe to fix this issue and automatically 
> update the agreement url. For now, just change your config to list the 
> latest agreement url: 
> "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf";
> 
> Hope this helps,
> 
> Jordan

Thank you so much for this prompt replay. I already signed certificate
using certbot as we were hitting deadline. However, this is going to be
very useful going forward with renewals. 

Best,
Predrag

> 
> 
> 
> 
> On 02/01/18 17:16, Predrag Punosevac wrote:
> > Hi Misc,
> >
> > I have done this half dozen times in the past but I am having helluva
> > time using acme-client to sign certificate for a domain. Any clues?
> > Please see below machine, acme-client.conf and httpd.conf files
> >
> > # uname -a
> > OpenBSD mcba.autonlab.org 6.2 GENERIC.MP#2 amd64
> >
> > # more /etc/acme-client.conf
> >   
> > #
> > # $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
> > #
> > authority letsencrypt {
> >  agreement url
> > "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf";
> >  api url "https://acme-v01.api.letsencrypt.org/directory";
> >  account key "/etc/acme/letsencrypt-privkey.pem"
> > }
> >
> > authority letsencrypt-staging {
> >  agreement url
> > "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf";
> >  api url "https://acme-staging.api.letsencrypt.org/directory";
> >  account key "/etc/acme/letsencrypt-staging-privkey.pem"
> > }
> >
> > domain mcba.autonlab.org {
> > #   alternative names { secure.mcba.autonlab.org }
> >  domain key "/etc/ssl/acme/private/mcba.autonlab.org.key"
> >  domain certificate "/etc/ssl/acme/mcba.autonlab.org.crt"
> >  domain full chain certificate
> > "/etc/ssl/acme/mcba.autonlab.org.fullchain.pem"
> >  sign with letsencrypt
> > }
> >
> >
> >
> > # more /etc/httpd.conf
> >   
> > # $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $
> >
> > #
> > # Macros
> > #
> > ext_addr="*"
> >
> > #
> > # Global Options
> > #
> > # prefork 3
> >
> > #
> > # Servers
> > #
> >
> > # A name-based "virtual" server on the same address
> > # server "mcba.autonlab.org" {
> > server "mcba.autonlab.org" {
> >  listen on $ext_addr port 80
> >
> >  location "/.well-known/acme-challenge/*" {
> >  root "/acme"
> >  root strip 2
> >  }
> > #   block return 301 "https://$SERVER_NAME$REQUEST_URI";
> > }
> >
> > # An HTTPS server using SSL/TLS
> > # server "mcba.autonlab.org" {
> > #   listen on $ext_addr tls port 443
> >
> >  # TLS certificate and key files created with acme-client(1)
> > #   tls certificate "/etc/ssl/acme/www.autonsys.com.fullchain.pem"
> > #   tls key "/etc/ssl/acme/private/www.autonsys.com.key"
> >
> >  # Define server-specific log files relative to /logs
> > #   log { access "secure-access.log", error "secure-error.log" }
> >
> >  # Increase connection limits to extend the lifetime
> > #   connection { max requests 500, timeout 3600 }
> >
> > #   root "/htdocs/mcba/pub"
> > #}
> >
> >
> > # Include MIME types instead of the built-in ones
> > types {
> >  include "/usr/share/misc/mime.types"
> > }
> >
> >
> >
> > # acme-client -vAD mcba.autonlab.org
> > acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not 
> > creating)
> > acme-client: /etc/ssl/acme/private/mcba.autonlab.org.key: generated RSA 
> > domain key
> > acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
> > acme-client: acme-v01.api.letsencrypt.org: DNS: 23.196.58.251
> > acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: 
> > mcba.autonlab.org
> > acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad HTTP: 
> > 403
> > acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized",
> > "detail": "No registration exists matching provided key", "status": 403
> > }] (120 bytes)
> > acme-client: bad exit: netproc(58513): 1
> >
> >

acme-client No registration exists matching provided key

[Predrag Punosevac]

Hi Misc,

I have done this half dozen times in the past but I am having helluva
time using acme-client to sign certificate for a domain. Any clues?
Please see below machine, acme-client.conf and httpd.conf files

# uname -a
OpenBSD mcba.autonlab.org 6.2 GENERIC.MP#2 amd64

# more /etc/acme-client.conf
 
#
# $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
#
authority letsencrypt {
agreement url
"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf";
api url "https://acme-v01.api.letsencrypt.org/directory";
account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
agreement url
"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf";
api url "https://acme-staging.api.letsencrypt.org/directory";
account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain mcba.autonlab.org {
#   alternative names { secure.mcba.autonlab.org }
domain key "/etc/ssl/acme/private/mcba.autonlab.org.key"
domain certificate "/etc/ssl/acme/mcba.autonlab.org.crt"
domain full chain certificate
"/etc/ssl/acme/mcba.autonlab.org.fullchain.pem"
sign with letsencrypt
}



# more /etc/httpd.conf
 
# $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $

#
# Macros
#
ext_addr="*"

#
# Global Options
#
# prefork 3

#
# Servers
#

# A name-based "virtual" server on the same address
# server "mcba.autonlab.org" {
server "mcba.autonlab.org" {
listen on $ext_addr port 80

location "/.well-known/acme-challenge/*" {
root "/acme"
root strip 2
}
#   block return 301 "https://$SERVER_NAME$REQUEST_URI";
}

# An HTTPS server using SSL/TLS
# server "mcba.autonlab.org" {
#   listen on $ext_addr tls port 443

# TLS certificate and key files created with acme-client(1)
#   tls certificate "/etc/ssl/acme/www.autonsys.com.fullchain.pem"
#   tls key "/etc/ssl/acme/private/www.autonsys.com.key"

# Define server-specific log files relative to /logs
#   log { access "secure-access.log", error "secure-error.log" }

# Increase connection limits to extend the lifetime
#   connection { max requests 500, timeout 3600 }

#   root "/htdocs/mcba/pub"
#}


# Include MIME types instead of the built-in ones
types {
include "/usr/share/misc/mime.types"
}



# acme-client -vAD mcba.autonlab.org  
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not 
creating)
acme-client: /etc/ssl/acme/private/mcba.autonlab.org.key: generated RSA domain 
key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.196.58.251
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: 
mcba.autonlab.org
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized",
"detail": "No registration exists matching provided key", "status": 403
}] (120 bytes)
acme-client: bad exit: netproc(58513): 1

Re: Flatbed scanner that works well with OpenBSD?

[Predrag Punosevac]

Bryan Linton writes:
> Hello misc@
>
> I'm currently looking to purchase a scanner that works well with OpenBSD.
>
> I'm aware of the list provided at: 
>
> 0211038.pdf Desktop Documents Downloads Library Movies Music Pictures 
> Programs Videos s-nail.corehttp://www.sane-project.org/sane-mfgs.html
>
> but I recently purchased (and returned) a scanner that was listed as being
> fully supported on that list because no matter what I did, I couldn't
> get it to work right with xsane or scanimage.  Though I purchased it used,
> so it's possible it may have simply been broken from the get-go.
>
> Does anyone happen to know of a scanner that is *known* to work well
> with OpenBSD?


This is a very silly question. Most modern all-in-one office grade
devices can scan directly onto an umass device or into the e-mail. You
don't need OpenBSD to scan. The scan quality fall within technical
requirements you have.

That being said I have three scanners currently attached to my OpenBSD
desktops at work and at home and all of them work perfectly. They are
older devices.

1. Epson Perfection 1650 (plug and play)

2 .Epson Perfection 1670 (use cabextract to get a firmware needed to
scan from Windows installation disk)

3. Epson all-in-one WorkForce 845 (plug and play but printer is 
paperweight but good enough for me to print from my smart phone with
proprietary driver)


I see people complaining about CanoScan LiDE line of Canon "scanners".
Those scanners come without power supply and they are supposed to draw
the electricity from USB cable. They cost about $10 new. Well you get
what you paid for. 

Now in whole honestly Epson started selling $100-$200 flatbed scanners
here in U.S. which do require epkowa binary blob driver so they are
Linux only. Those scanners are no better than what I have. Now real good
scanners like Perfection V850 Pro ($1000) are fully supported but you
probably don't need that unless you are digitizing massive amount of
old photos and negatives.


Cheers,
Predrag

Re: syspatch not updating kernel

[Predrag Punosevac]

Steven Surdock wrote:

> I just ran syspatch on a 6.2/i386 host and the kernel did not change as
> it =
> has on my other patched machines.  It appears that
> pub/OpenBSD/syspatch/6.2=
>  was updated on 12/10.
> 
> root@rad03 [/root]# syspatch -l
> 002_fktrace
> 003_mpls
> root@rad03 [/root]# uname -a
> OpenBSD cts-rad03.ctstelecom.com 6.2 GENERIC.MP#166 i386
> 
> 
> -Steve S.

Steve,

Anything in the log files? Is /var/db/kernel.SHA256 empty? Do you run sp
kernel on the machine capable of multi processing? Check out the misc
archive for various "syspatch bug reports". Most if not all of them were
trivial omissions on the part of the user (I am a culprit of one such
fake report myself).

Predrag 

Re: Relinking to create unique kernel... failed!

[Predrag Punosevac]

Predrag Punosevac wrote:
> 
> # uname -a
> OpenBSD oko.bagdala2.net 6.2 GENERIC.MP#0 amd64
> 
> # syspatch
> Get/Verify syspatch62-002_fktrace... 100% |*|   785 KB00:01   
>  
> Installing patch 002_fktrace
> Relinking to create unique kernel... failed!
> 
> 
> Any hints where should I look for the reason relinking is failing?
> 
> Predrag
> 

I am onto something 

# pwd
/usr/share/compile/GENERIC.MP
# more relink.log  
sha256: /var/db/kernel.SHA256: no properly formatted checksum lines
found
sha256: /bsd does not exist in /var/db/kernel.SHA256

The kernel I am currently using was copied from the other machine when
the desktop was trashed due to pmap_flash_cache problem on Apollo Lake

https://www.mail-archive.com/misc@openbsd.org/msg157274.html

Cheers,
Predrag

Relinking to create unique kernel... failed!

[Predrag Punosevac]

# uname -a
OpenBSD oko.bagdala2.net 6.2 GENERIC.MP#0 amd64

# syspatch
Get/Verify syspatch62-002_fktrace... 100% |*|   785 KB00:01
Installing patch 002_fktrace
Relinking to create unique kernel... failed!


Any hints where should I look for the reason relinking is failing?

Predrag

motion detection video surveillance

[Predrag Punosevac]

Hi Misc,

Is anybody willing to share her/his experience in building motion
detection video surveillance system using OpenBSD?

I see at least one interesting port

http://openports.se/multimedia/motion

but I am really curious about the type of video hardware people are
using.

Thank you all.
Predrag

error: [drm:pid81687:intel_pipe_update_start]

[Predrag Punosevac]

I just notice on xconsole of my ThinkPad X201

error: [drm:pid81687:intel_pipe_update_start] *ERROR* Potential atomic update 
failure on pipe A


Has anybody else seen this on 6.2 stable?

predrag@oko-mobile$ uname -a
OpenBSD oko-mobile.bagdala2.net 6.2 GENERIC.MP#0 amd64


OpenBSD 6.2 (GENERIC.MP) #0: Thu Oct 12 19:53:18 CEST 2017

r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8357658624 (7970MB)
avail mem = 8097341440 (7722MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xe0010 (78 entries)
bios0: vendor LENOVO version "6QET44WW (1.14 )" date 04/20/2010
bios0: LENOVO 3626AC8
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT ECDT APIC MCFG HPET ASF! SLIC BOOT SSDT TCPA SSDT 
SSDT SSDT
acpi0: wakeup devices LID_(S3) SLPB(S3) IGBE(S4) EXP1(S4) EXP2(S4) EXP3(S4) 
EXP4(S4) EXP5(S4) EHC1(S3) EHC2(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiec0 at acpi0
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz, 2394.49 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,AES,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 2394492560 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 132MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz, 2393.99 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,AES,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz, 2393.99 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,AES,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 5 (application processor)
cpu3: Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz, 2394.00 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,AES,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 2, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
, remapped to apid 1
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG_)
acpiprt2 at acpi0: bus 13 (EXP1)
acpiprt3 at acpi0: bus -1 (EXP2)
acpiprt4 at acpi0: bus -1 (EXP3)
acpiprt5 at acpi0: bus 5 (EXP4)
acpiprt6 at acpi0: bus 2 (EXP5)
acpicpu0 at acpi0: C3(350@245 mwait.3@0x20), C2(500@205 mwait.3@0x10), 
C1(1000@3 mwait.1), PSS
acpicpu1 at acpi0: C3(350@245 mwait.3@0x20), C2(500@205 mwait.3@0x10), 
C1(1000@3 mwait.1), PSS
acpicpu2 at acpi0: C3(350@245 mwait.3@0x20), C2(500@205 mwait.3@0x10), 
C1(1000@3 mwait.1), PSS
acpicpu3 at acpi0: C3(350@245 mwait.3@0x20), C2(500@205 mwait.3@0x10), 
C1(1000@3 mwait.1), PSS
acpipwrres0 at acpi0: PUBS, resource for EHC1, EHC2
acpitz0 at acpi0: critical temperature is 100 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
"LEN0018" at acpi0 not configured
"SMO1200" at acpi0 not configured
acpibat0 at acpi0: BAT0 model "08K8193" serial  1238 type LION oem "JingYi"
acpiac0 at acpi0: AC unit offline
acpithinkpad0 at acpi0
"PNP0C14" at acpi0 not configured
acpidock0 at acpi0: GDCK not docked (0)
acpivideo0 at acpi0: VID_
acpivout0 at acpivideo0: LCD0
acpivideo1 at acpi0: VID_
cpu0: Enhanced SpeedStep 2394 MHz: speeds: 2400, 2399, 2266, 2133, 1999, 1866, 
1733, 1599, 1466, 1333, 1199 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core Host" rev 0x02
inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics" rev 0x02
drm0 at inteldrm0
intagp0 at inteldrm0
agp0 at intagp0: aperture at 0xd000, size 0x1000
inteldrm0: msi
inteldrm0: 1280x800, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel 3400 MEI" rev 0x06 at pci0 dev 22 function 0 not configured
puc0 at pci0 dev 22 function 3 "Intel 3400 KT" rev 0x06: ports: 1 com
com4 at puc0 port 0 apic 1 int 17: ns16550a, 16 byte fifo
com4: probed fifo 

Re: Apollo Lake kernel panic

[Predrag Punosevac]

I copied the bsd.mp kernel from a working machine. Here is the dmesg.  I
also disabled C states in BIOS and was able cleanly to halt machine


OpenBSD 6.2 (GENERIC) #132: Tue Oct  3 21:18:21 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 16799846400 (16021MB)
avail mem = 16283758592 (15529MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xed450 (18 entries)
bios0: vendor American Megatrends Inc. version "P1.30" date 04/18/2017
bios0: ASRock J4205-ITX
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP FPDT FIDT MCFG DBG2 DBGP LPIT APIC NPKT PRAM WSMT SSDT 
SSDT AAFT SSDT SSDT SSDT SSDT SSDT UEFI BERT WDAT NHLT
acpi0: wakeup devices SIO1(S4) PS2K(S4) HDAS(S3) XHC_(S4) XDCI(S4) BRCM(S0) 
PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) 
PXSX(S4) RP05(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) CPU J4205 @ 1.50GHz, 1497.60 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,SENSOR,ARAT
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: TSC frequency 149760 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 19MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2.4.2.1.1, IBE
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 120 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP03)
acpiprt2 at acpi0: bus 2 (RP04)
acpiprt3 at acpi0: bus 3 (RP05)
acpiprt4 at acpi0: bus 4 (RP06)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C1(@1 halt!), PSS
acpipwrres0 at acpi0: FN00, resource for FAN0
acpitz0 at acpi0: critical temperature is 100 degC
acpibtn0 at acpi0: PWRB
"INT3452" at acpi0 not configured
"INT3452" at acpi0 not configured
"INT3452" at acpi0 not configured
"INT3452" at acpi0 not configured
"INT33A1" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: Enhanced SpeedStep 1497 MHz: speeds: 1501, 1500, 1400, 1300, 1200, 1100, 
1000, 900, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x5af0 rev 0x0b
inteldrm0 at pci0 dev 2 function 0 vendor "Intel", unknown product 0x5a84 rev 
0x0b
drm0 at inteldrm0
inteldrm0: msi
error: [drm:pid0:i915_firmware_load_error_print] *ERROR* failed to load 
firmware i915/bxt_dmc_ver1.bin (-22)
error: [drm:pid0:i915_gem_init_hw] *ERROR* Failed to initialize GuC, error -8 
(ignored)
inteldrm0: 1440x900, 32bpp
Unclaimed register detected after writing to register 0x68980
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
azalia0 at pci0 dev 14 function 0 vendor "Intel", unknown product 0x5a98 rev 
0x0b: msi
azalia0: codecs: Realtek/0x0892, 0x/0x, using Realtek/0x0892
audio0 at azalia0
vendor "Intel", unknown product 0x5a9a (class communications subclass 
miscellaneous, rev 0x0b) at pci0 dev 15 function 0 not configured
ahci0 at pci0 dev 18 function 0 vendor "Intel", unknown product 0x5ae3 rev 
0x0b: msi, AHCI 1.3.1
ahci0: port 0: 6.0Gb/s
ahci0: port 1: 6.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI3 0/direct 
fixed naa.5000c500a20c8afc
sd0: 1907729MB, 512 bytes/sector, 3907029168 sectors
sd1 at scsibus1 targ 1 lun 0:  SCSI3 0/direct 
fixed naa.5000c500a20c72e9
sd1: 1907729MB, 512 bytes/sector, 3907029168 sectors
ppb0 at pci0 dev 19 function 0 vendor "Intel", unknown product 0x5ad8 rev 0xfb: 
msi
pci1 at ppb0 bus 1
re0 at pci1 dev 0 function 0 "Realtek 8168" rev 0x11: RTL8168G/8111G (0x4c00), 
msi, address 70:85:c2:4a:bf:5b
rgephy0 at re0 phy 7: RTL8251 PHY, rev. 0
ppb1 at pci0 dev 19 function 1 vendor "Intel", unknown product 0x5ad9 rev 0xfb: 
msi
pci2 at ppb1 bus 2
ppb2 at pci0 dev 19 function 2 vendor "Intel", unknown product 0x5ada rev 0xfb: 
msi
pci3 at ppb2 bus 3
ahci1 at pci3 dev 0 function 0 "ASMedia ASM1061 AHCI" rev 0x02: msi, AHCI 1.2
ahci1: port 0: 1.5Gb/s
scsibus2 at ahci1: 32 targets
cd0 at scsibus2 targ 0 lun 0:  ATAPI 5/cdrom 
removable
ppb3 at pci0 dev 19 function 3 vendor "Intel", unknown product 0x5adb rev 0xfb: 
msi
pci4 at ppb3 bus 4
xhci0 at pci0 dev 21 function 0 vendor "Intel", unknown product 0x5aa8 rev 
0x0b: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 
addr 1
pcib0 at pci0 dev 31 function 0 ven

Re: Apollo Lake kernel panic

[Predrag Punosevac]

I was able to boot machine which crashed with bsd.sp kernel. Please see
message below. That kernel is non-patched kernel as I was running
normally bsd.mp kernel. Also I forgot to say in my previous message that
I didn't mess with C states (BIOS option). I was also using legacy (not
pure UEFI boot) as the the original installation was done on the system 
which didn't support UEFI boot.


OpenBSD 6.2 (GENERIC) #132: Tue Oct  3 21:18:21 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 16799846400 (16021MB)
avail mem = 16283758592 (15529MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xed450 (18 entries)
bios0: vendor American Megatrends Inc. version "P1.30" date 04/18/2017
bios0: ASRock J4205-ITX
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP FPDT FIDT MCFG DBG2 DBGP LPIT APIC NPKT PRAM WSMT SSDT 
SSDT AAFT SSDT SSDT SSDT SSDT SSDT UEFI BERT WDAT NHLT
acpi0: wakeup devices SIO1(S4) PS2K(S4) UAR1(S4) HDAS(S3) XHC_(S4) XDCI(S4) 
BRCM(S0) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) 
RP04(S4) PXSX(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) CPU J4205 @ 1.50GHz, 1497.60 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,SENSOR,ARAT
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: TSC frequency 149760 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 19MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2.4.2.1.1, IBE
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 120 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP03)
acpiprt2 at acpi0: bus 2 (RP04)
acpiprt3 at acpi0: bus 3 (RP05)
acpiprt4 at acpi0: bus 4 (RP06)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C3(10@150 mwait.1@0x60), C2(10@50 mwait.1@0x21), C1(1000@1 
mwait.1@0x1), PSS
acpipwrres0 at acpi0: FN00, resource for FAN0
acpitz0 at acpi0: critical temperature is 100 degC
acpibtn0 at acpi0: PWRB
"INT3452" at acpi0 not configured
"INT3452" at acpi0 not configured
"INT3452" at acpi0 not configured
"INT3452" at acpi0 not configured
"INT33A1" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: Enhanced SpeedStep 1497 MHz: speeds: 1501, 1500, 1400, 1300, 1200, 1100, 
1000, 900, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x5af0 rev 0x0b
inteldrm0 at pci0 dev 2 function 0 vendor "Intel", unknown product 0x5a84 rev 
0x0b
drm0 at inteldrm0
inteldrm0: msi
error: [drm:pid0:i915_firmware_load_error_print] *ERROR* failed to load 
firmware i915/bxt_dmc_ver1.bin (-22)
error: [drm:pid0:i915_gem_init_hw] *ERROR* Failed to initialize GuC, error -8 
(ignored)
inteldrm0: 1440x900, 32bpp
Unclaimed register detected after writing to register 0x68980
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
azalia0 at pci0 dev 14 function 0 vendor "Intel", unknown product 0x5a98 rev 
0x0b: msi
azalia0: codecs: Realtek/0x0892, 0x/0x, using Realtek/0x0892
audio0 at azalia0
vendor "Intel", unknown product 0x5a9a (class communications subclass 
miscellaneous, rev 0x0b) at pci0 dev 15 function 0 not configured
ahci0 at pci0 dev 18 function 0 vendor "Intel", unknown product 0x5ae3 rev 
0x0b: msi, AHCI 1.3.1
ahci0: port 0: 6.0Gb/s
ahci0: port 1: 6.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI3 0/direct 
fixed naa.5000c500a20c8afc
sd0: 1907729MB, 512 bytes/sector, 3907029168 sectors
sd1 at scsibus1 targ 1 lun 0:  SCSI3 0/direct 
fixed naa.5000c500a20c72e9
sd1: 1907729MB, 512 bytes/sector, 3907029168 sectors
ppb0 at pci0 dev 19 function 0 vendor "Intel", unknown product 0x5ad8 rev 0xfb: 
msi
pci1 at ppb0 bus 1
re0 at pci1 dev 0 function 0 "Realtek 8168" rev 0x11: RTL8168G/8111G (0x4c00), 
msi, address 70:85:c2:4a:bf:5b
rgephy0 at re0 phy 7: RTL8251 PHY, rev. 0
ppb1 at pci0 dev 19 function 1 vendor "Intel", unknown product 0x5ad9 rev 0xfb: 
msi
pci2 at ppb1 bus 2
ppb2 at pci0 dev 19 function 2 vendor "Intel", unknown product 0x5ada rev 0xfb: 
msi
pci3 at ppb2 bus 3
ahci1 at pci3 dev 0 function 0 "ASMedia ASM1061 AHCI" rev 0x02: msi, AHCI 1.2
ahci1: port 0: 1.5Gb/s
scsibus2 at ahci1: 32 targets
cd0 at scsibus2 targ 0 lun 0:  ATAPI 5/cdrom 
removable
ppb3 at pci0 dev 19 function 3 vendo

Re: Apollo Lake kernel panic

[Predrag Punosevac]

Pedro Ramos wrote:

> Please find attached the dmesg from ASRock J4205-ITX.
> 
> 
> Best regards,
> Pedro Ramos
> 
> 
> ["asrock.j4205-itx.dmesg.gz" (application/x-gzip)]

Unfortunatelly I got one of those few weeks ago and it is nothing but
the trouble. The first one died but NewEgg sent me the second one. I
don't know where to begin. 

With the default ACPI configuration options

1. Suspend to RAM  enabled  
2. ACPI HPET Table enabled 

one can't clearly shut down 6.2 stable. This is what I got 

www.devio.us/~ppunosevac/kernel-panic-1.jpg

The system was frozen to the point that I could not get crash trace. 
With suspend to RAM and HPET table disabled I could finally do 

shutdown -p now

without crashing kernel.

I see that even on 6.2 current dmesg which was sent bunch of errors in
dmesg

pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x5af0
rev 0x0b
inteldrm0 at pci0 dev 2 function 0 vendor "Intel", unknown product
0x5a84 rev 0x0b
drm0 at inteldrm0
inteldrm0: msi
error: [drm:pid0:i915_firmware_load_error_print] *ERROR* failed to load
firmware i915/bxt_dmc_ver1.bin (-22)
error: [drm:pid0:i915_gem_init_hw] *ERROR* Failed to initialize GuC,
error -8 (ignored)


Unfortunatelly at this point my system is trashed so I can't post dmesg
from of 6.2 stable. Namely after trying to start Chrome I got kernel
panic again but I was able this time to trace it 

www.devio.us/~ppunosevac/kernel-panic-2.jpg
 
Now the system hangs on the boot with the message 

entry point at 0x1000158 

My boot device was RAID 1 and I would appreciate if somebody could give
me a suggestion if I can recover the system (I do have the backup for
data). 

Few more things. I could not get X running on my DVI-D 4:3 monitor.
However both VGA output and HDMI were working. HDMI had no problem using
my high definition Panasonic TV. 

If you attach HDD to ASMedia ASM1061 SATA ports (there are 2 of those
and there are two of SATA3 6.0Gb/s Connectors, support NCQ, AHCI and Hot
Plug) S.M.A.R.T. daemon will refuse to start. I have not investigated
this further.

Sound Realtek ALC892 did work as well as Realtek 8111GR Gigabit LAN.
I could not make a use of 1 x PCI Express 2.0 x1 Slot. Note also that
M.2 is only for WiFi not for storage device.

I am not feeling good about this purchase right now. Maybe somebody
could give me some pointers.

Best,
Predrag