Re: volatility or something like that in the future ?

2023-08-17 Thread Scott Cheloha
> On Aug 17, 2023, at 10:28, whistlez  wrote:
> 
> [...] I believe we need to realize that, while the kernel is very
> secure, zero-day vulnerabilities are always a lurking threat. 
> 
> For those that don't know what is volatility, this is github page
> https://github.com/volatilityfoundation/volatility3

What is the utility of this software?  How
would supporting it benefit the project?

I read the summary on Github.  I am still
more or less completely in the dark on
why I or anyone would want to use it.



Re: OpenBSD 7.3 and some old IA32 CPUs

2023-07-04 Thread Scott Cheloha
> On Jun 28, 2023, at 13:26, Anton Borisov  wrote:
> 
> Hi all,
> 
> here's sysctl extracts from Rise iDragon, IDT WinChip C6/2A running
> OpenBSD 7.3. All seems quite stable.

Interesting.  Can you post a full dmesg for each of these?



Unbound rlimits when reloading vs. restarting

2023-03-20 Thread Scott Colby
I noticed this in my logs (as well as noticing incorrect SERVFAIL
responses from time to time):

unbound: [12887:0] warning: setrlimit: Operation not permitted
unbound: [12887:0] warning: cannot increase max open fds from 512 to 4152
unbound: [12887:0] warning: continuing with less udp ports: 460
unbound: [12887:0] warning: increase ulimit or decrease threads, ports in 
config to remove this warning
unbound: [12887:0] notice: init module 0: validator
unbound: [12887:0] notice: init module 1: iterator
unbound: [12887:0] info: start of service (unbound 1.16.3).

So, I edited /etc/login.conf and ran `cap_mkdb /etc/login.conf`:

unbound:\
#:openfiles=512:\
:openfiles=8192:\
:tc=daemon:

And now when I run `rcctl restart unbound` (or at boot), I see
(this also fixed the random SERVFAILS):

unbound: [26394:0] notice: init module 0: validator
unbound: [26394:0] notice: init module 1: iterator
unbound: [26394:0] info: start of service (unbound 1.16.3).

However, when I then run `rcctl reload unbound`, I see:

unbound: [26394:0] info: service stopped (unbound 1.16.3).
unbound: [26394:0] info: server stats for thread 0: 125 queries, 69 answers 
from cache, 56 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [26394:0] info: server stats for thread 0: requestlist max 35 avg 
1.66071 exceeded 0 jostled 0
unbound: [26394:0] info: average recursion processing time 0.181258 sec
unbound: [26394:0] info: histogram of recursion processing times
unbound: [26394:0] info: [25%]=0.0444709 median[50%]=0.0928427 [75%]=0.302474
unbound: [26394:0] info: lower(secs) upper(secs) recursions
unbound: [26394:0] info: 0.000000 0.000001 5
unbound: [26394:0] info: 0.016384 0.032768 4
unbound: [26394:0] info: 0.032768 0.065536 14
unbound: [26394:0] info: 0.065536 0.131072 12
unbound: [26394:0] info: 0.131072 0.262144 5
unbound: [26394:0] info: 0.262144 0.524288 13
unbound: [26394:0] info: 0.524288 1.000000 3
unbound: [26394:0] notice: Restart of unbound 1.16.3.
unbound: [26394:0] warning: setrlimit: Operation not permitted
unbound: [26394:0] warning: cannot increase max open fds from 512 to 4152
unbound: [26394:0] warning: continuing with less udp ports: 460
unbound: [26394:0] warning: increase ulimit or decrease threads, ports in 
config to remove this warning
unbound: [26394:0] notice: init module 0: validator
unbound: [26394:0] notice: init module 1: iterator
unbound: [26394:0] info: start of service (unbound 1.16.3).

Have I misunderstood login.conf or configured it wrong? Why can the
restarted process set its rlimit, but the reloaded one cannot?
Should I simply avoid reloading unbound in favor of restarting it?

Thanks,
Scott
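The warnings in the post are easy to miss in a busy syslog, and they matter because the reduced port count is what produced the spurious SERVFAILs. The following is an added example (my code, not part of the post and not unbound's own), a small C scanner that picks the two relevant warnings out of unbound log lines and reports the limit the daemon was stuck with versus the one it wanted. It assumes the message text is exactly as excerpted above; the sample lines are constructed from that excerpt.

```c
#include <stdio.h>
#include <string.h>

/* Result of scanning an unbound log for the rlimit warning shown above. */
struct fd_shortfall {
    int found;      /* 1 if the "cannot increase max open fds" warning was seen */
    int have;       /* the RLIMIT_NOFILE the daemon is stuck with */
    int want;       /* the value unbound tried to raise it to */
    int udp_ports;  /* reduced number of outgoing UDP ports, 0 if not reported */
};

/* Walk log lines and pick out the two warnings that matter. The syslog
 * prefix ("unbound: [pid:thread] ") is skipped by searching for "warning: ". */
struct fd_shortfall scan_unbound_log(const char *const lines[], size_t n)
{
    struct fd_shortfall r = { 0, 0, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        const char *msg = strstr(lines[i], "warning: ");
        int a, b;
        if (msg == NULL)
            continue;
        msg += strlen("warning: ");
        if (sscanf(msg, "cannot increase max open fds from %d to %d", &a, &b) == 2) {
            r.found = 1;
            r.have = a;
            r.want = b;
        } else if (sscanf(msg, "continuing with less udp ports: %d", &a) == 1) {
            r.udp_ports = a;
        }
    }
    return r;
}

/* Constructed sample, copied from the log excerpt in the post. */
static const char *const SAMPLE_LOG[] = {
    "unbound: [26394:0] notice: Restart of unbound 1.16.3.",
    "unbound: [26394:0] warning: setrlimit: Operation not permitted",
    "unbound: [26394:0] warning: cannot increase max open fds from 512 to 4152",
    "unbound: [26394:0] warning: continuing with less udp ports: 460",
    "unbound: [26394:0] notice: init module 0: validator",
    "unbound: [26394:0] info: start of service (unbound 1.16.3).",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

int main(void)
{
    struct fd_shortfall r = scan_unbound_log(SAMPLE_LOG, SAMPLE_LOG_LEN);
    if (!r.found) {
        puts("no open-files limit warning found");
        return 0;
    }
    printf("unbound is capped at %d fds but wants %d (running with %d udp ports);\n"
           "set openfiles to at least %d in the unbound login class and restart\n",
           r.have, r.want, r.udp_ports, r.want);
    return 1;
}
```

Run over the real syslog, a non-zero exit from this check is a good thing to alert on, because, as the post shows, a reload keeps the old process and its old limit, so the warning can come back after every `rcctl reload` until the daemon is actually restarted.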



veb(4) with multiple vlan(4)'s

2023-01-21 Thread Scott Colby
Hello,

I am trying to set up a router with a fresh install of OpenBSD 7.2,
and I'm having a hard time grokking how to use veb.

I have organized my network into 4 subnets:

- DHCP "WAN"
- 192.168.0.0/24 "LAN"
- 192.168.2.0/24 "IOT"
- 192.168.3.0/24 "Guest"

My computer has 4 interfaces em{0..3} and my desired setup has the
following qualities:
- em0 is the WAN uplink with DHCP
- em1 is the uplink to my WAP and carries all 3 internal networks,
  with "LAN" untagged and "IOT" and "Guest" tagged as VLAN 1102
  and 1103, respectively
- em2 carries only "LAN", untagged
- em3 carries only "IOT", untagged

I think I should have configuration files like:
hostname.em0:
inet autoconf

hostname.em{1..3}:
up

hostname.veb0:
add em1
add em2
add em3
add vport0  # ??
add vport1  # ??
up

As for the vlan and vport interfaces, I have no idea.

After this, of course, I will want to do some filtering with pf
(such as hosts on "IOT" and "Guest" not having access to hosts on
"LAN.")

My questions are thus:
1) What is the proper network configuration to achieve the above
   goal?
2) What is the right way to filter packets transiting between subnets
   in this configuration? I see in the man page that the directionality
   of packets emerging from a veb to the network stack is not normal.
   I've seen things with adding groups to the interfaces, but not
   sure what that gets me that using interface names in pf.conf
   doesn't.


Thanks in advance for any help that you can provide!

Scott



rtl8192ee currently supported?

2022-12-01 Thread Heppler, J. Scott

I'm shopping for a faster (300mbps +) PCIe wireless card.  Although I'm
leaning intel, realtek's base firmware is an advantage.
V2 of the TP-LINK TL-WN881ND uses rtl8192ee chipset which was in the
separate sysutils/firmware builds:

@comment $OpenBSD: PLIST,v 1.2 2018/09/21 09:49:45 sthen Exp $
firmware/rtwn-license
firmware/rtwn-rtl8188efw
firmware/rtwn-rtl8192cfwU
firmware/rtwn-rtl8192cfwU_B
firmware/rtwn-rtl8192eefw
firmware/rtwn-rtl8723befw_36
firmware/rtwn-rtl8723fw
firmware/rtwn-rtl8723fw_B


Recent current ls /etc/firmware | grep rtwn:

rtwn-license    rtwn-rtl8192cU    rtwn-rtl8723
rtwn-rtl8188e   rtwn-rtl8192cU_B  rtwn-rtl8723_B

Would a rtl8192ee chipset be supported?

There are a plethora of cheap 1200mbps cards with 8821ce chips.
Are there inclinations/efforts to add support?

Thanks 



--
J. Scott Heppler



Re: PC Engines APU alternative for OpenBSD - 2022h2

2022-12-01 Thread Scott Vanderbilt

On 11/24/2022 1:22 PM, Stuart Henderson wrote:

Yes. Sometimes they even have stock.



PCEngines have stock again. Just ordered an apu2e4, and it shipped 
within hours after placing my order and making payment.





Re: mSATA woes on APU2D0

2022-08-26 Thread Scott Seekamp
That was the first thing PCEngines folks had me change. I tried 3 different 
official power supplies with no change


> On Aug 25, 2022, at 11:09, Mike Larkin  wrote:
> 
> On Thu, Aug 25, 2022 at 05:51:18PM +0200, Jan Stary wrote:
>> This is current/amd64 on an APU2D0 (dmesg below)
>> upgraded to the most recent coreboot and snapshot.
>> 
>> I am having trouble using an mSATA disk on the machine.
>> It boots from a 32GB SD card and runs just fine;
>> but with an mSATA plugged into the mSATA port,
>> it does not even get to boot the OS.
>> 
>> I have tried two cards: a cheapo from ebay,
>> and the good one straight from PC Engines.
>> Same story in both cases: it worked for a few boots,
>> running a filesystem on the msata which reads and writes,
>> but then, after one more reboot, the leds on the card
>> start blinking, the card makes a clicking sound,
>> and the cereal emits only garbage AFAICT.
> 
> Sounds like a power supply issue. IIRC APUs were super sensitive to having
> enough current. Probably try a beefier power supply?
> 
> -ml
> 
>> 
>> Here are two very short videos of what happens:
>> 
>> http://stare.cz/.tmp/msata1.mp4
>> http://stare.cz/.tmp/msata2.mp4
>> 
>> These are the cereal outputs (as in script of cu, hexdump -C),
>> with one card:
>> 
>>   c0 00 00 00 00 fe 00 00  e0 00 e0 00 00 f8 00 00  
>> ||
>> 0010  c0 00 80 00 80 00 00 00  e0 00 e0 00 80 00 00 c0  
>> ||
>> 0020  00 00 00 00 00 e0 00 00  c0 00 00 f8 00 c0 00 80  
>> ||
>> 0030  00 00 c0 00 00 00 c0 00  00 00 00 00 00 e0 00 c0  
>> ||
>> 0040  00 c0 00 80 00 00 e0 00  c0 00 c0 00 00 00 00 00  
>> ||
>> 
>> and the other:
>> 
>>   80 00 00 00 00 00 00 00  c0 00 00 00 00 00 e0 00  
>> ||
>> 0010  00 00 00 00 00 00 c0 00  00 c0 00 00 80 00 00 00  
>> ||
>> 0020  00 fe 00 00 80 00 00 f0  00 00 00 00 e0 00 00 00  
>> ||
>> 0030  00 00 80 00 00 00 80 00  00 00 fe 00 c0 00 00 80  
>> ||
>> 0040  00 00 c0 00 80 00 00 00  c0 00 00 00 00 e0 00 00  
>> ||
>> 
>> Note that I am not booting _from_ the msata card,
>> but from the SD card, which in itself works fine,
>> if the msata card is not plugged in.
>> 
>> (On an APU2E2, I am booting from msata without problems.)
>> 
>> Is anyone else seeing this?
>> Is this a hardware problem?
>> 
>>  Jan
>> 
>> 
>> OpenBSD 7.2-beta (GENERIC.MP) #707: Wed Aug 24 10:03:37 MDT 2022
>>dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>> real mem = 2112430080 (2014MB)
>> avail mem = 2031087616 (1936MB)
>> random: good seed from bootblocks
>> mpath0 at root
>> scsibus0 at mpath0: 256 targets
>> mainbus0 at root
>> bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7ee92040 (13 entries)
>> bios0: vendor coreboot version "v4.17.0.2" date 07/28/2022
>> bios0: PC Engines apu2
>> acpi0 at bios0: ACPI 6.0
>> acpi0: sleep states S0 S1 S4 S5
>> acpi0: tables DSDT FACP SSDT MCFG TPM2 APIC HEST SSDT SSDT DRTM HPET
>> acpi0: wakeup devices PBR4(S4) PBR5(S4) PBR6(S4) PBR7(S4) PBR8(S4) UOH1(S3) 
>> UOH2(S3) UOH3(S3) UOH4(S3) UOH5(S3) UOH6(S3) XHC0(S4)
>> acpitimer0 at acpi0: 3579545 Hz, 32 bits
>> acpimcfg0 at acpi0
>> acpimcfg0: addr 0xf800, bus 0-63
>> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
>> cpu0 at mainbus0: apid 0 (boot processor)
>> cpu0: AMD GX-412TC SOC, 998.28 MHz, 16-30-01
>> cpu0: 
>> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
>> cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 2-way I-cache, 2MB 64b/line 
>> 16-way L2 cache
>> cpu0: smt 0, core 0, package 0
>> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
>> cpu0: apic clock running at 99MHz
>> cpu0: mwait min=64, max=64, IBE
>> cpu1 at mainbus0: apid 1 (application processor)
>> cpu1: AMD GX-412TC SOC, 998.11 MHz, 16-30-01
>> cpu1: 
>> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
>> cpu1: 32KB 64b/line 8-way D-cache, 32KB 64b/line 2-way I-cache, 2MB 64b/line 
>> 16-way L2 cache
>> cpu1: smt 0, core 1, package 0
>> cpu2 at mainbus0: apid 2 (application processor)
>> cpu2: AMD GX-412TC SOC, 998.11 MHz, 16-30-01
>> cpu2: 
>> 

aligned_alloc shouldn't require size to be a multiple of alignment

2022-06-07 Thread John Scott
Hi,

On OpenBSD, aligned_alloc currently fails with EINVAL if the requested
size is not a multiple of the requested alignment. Indeed, this stems
from a botch in the original specification in the C11 standard.

See Defect Report 460 or the NetBSD man page for more details, but this
silly requirement has been dropped in C17/C18, and I believe OpenBSD
should conform to this. I haven't tested, but it might be sufficient to
simply remove the check.
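Until a libc drops the C11 restriction, portable code has to cope with both behaviours. Here is an added example (mine, not OpenBSD's libc and not from the post) of the usual workaround: a wrapper that rounds the requested size up to a multiple of the alignment before calling aligned_alloc(), so the call succeeds whether the libc follows C11 or C17. The helper names are my own; the 64-byte/100-byte request is a constructed case of exactly the kind the post says OpenBSD currently rejects.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Round size up to the next multiple of alignment. Returns 0 on overflow.
 * A size of 0 becomes one alignment unit so the request is never empty. */
size_t rounded_size(size_t alignment, size_t size)
{
    size_t rem = size % alignment;
    if (rem == 0)
        return size == 0 ? alignment : size;
    if (size > SIZE_MAX - (alignment - rem))
        return 0;
    return size + (alignment - rem);
}

/* Hypothetical portable wrapper: satisfies the stricter C11 wording by
 * rounding the size up first, so a C11-style libc (EINVAL on a size that is
 * not a multiple of the alignment) and a C17-style libc behave the same. */
void *portable_aligned_alloc(size_t alignment, size_t size)
{
    size_t rounded;

    /* Every libc rejects alignments that are not powers of two. */
    if (alignment == 0 || (alignment & (alignment - 1)) != 0) {
        errno = EINVAL;
        return NULL;
    }
    rounded = rounded_size(alignment, size);
    if (rounded == 0) {
        errno = ENOMEM;
        return NULL;
    }
    return aligned_alloc(alignment, rounded);
}

int is_aligned(const void *p, size_t alignment)
{
    return ((uintptr_t)p % alignment) == 0;
}

/* 100 bytes at 64-byte alignment: 100 is not a multiple of 64, which is the
 * request the post says OpenBSD's aligned_alloc() fails with EINVAL. */
int demo_odd_size(void)
{
    void *p = portable_aligned_alloc(64, 100);
    int ok;
    if (p == NULL)
        return 0;
    ok = is_aligned(p, 64);
    memset(p, 0xA5, 100);   /* the caller still uses only what it asked for */
    free(p);
    return ok;
}
```

The rounding is the only cost: the allocation is padded to the next multiple of the alignment (128 bytes for the request above), which is what a C17 libc does internally anyway.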



faq4.html multibooting grub

2022-01-26 Thread Heppler, J. Scott

I believe the FAQ4 section on multibooting is placing all Grub2 based
distributions into the same bucket incorrectly.  Debian and its
derivatives utilize a different path to BOOTX64.EFI and are amenable to
multibooting with OpenBSD.  See attached patch for details.


--
J. Scott Heppler
--- faq4.html   Wed Jan 26 10:17:32 2022
+++ faq4_new.html   Wed Jan 26 10:42:04 2022
@@ -572,8 +572,15 @@
 
 https://www.rodsbooks.com/refind/;>rEFInd is reported to usually
 work.
-https://www.gnu.org/software/grub/;>GRUB is reported to usually
-fail.
+https://www.gnu.org/software/grub/;>GRUB has issues when
+multibooting Fedora, Redhat, and their derivatives.
+OpenBSD uses the same /boot/efi/BOOT/EFI/BOOTX64.EFI location as the previosly
+listed Linux distributions and will overwrite it on installation.  It is
+possible to move BOOTX64.EFI to another location but this causes OpenBSD's
+kernel relinking to fail.
+Debian, and derivatives, utilize /boot/efi/EFI/debian/grubx64.efi which avoids
+the conflict.
+
 In either case, you are completely on your own.
 
 Windows
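Review bot: the path on the third added line, /boot/efi/BOOT/EFI/BOOTX64.EFI, has its directory components transposed; the UEFI removable-media fallback path is EFI/BOOT/BOOTX64.EFI on the EFI system partition (so /boot/efi/EFI/BOOT/BOOTX64.EFI with the partition mounted at /boot/efi), which also matches the EFI/debian/grubx64.efi path given further down the hunk. The same line carries the typo "previosly", and "Redhat" is conventionally written "Red Hat". The statement that moving BOOTX64.EFI "causes OpenBSD's kernel relinking to fail" needs either a description of what fails or a pointer to where this was observed before it goes into the FAQ, since a reader will use it to decide whether to try that workaround.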


using a thread-local buffer for strerror()

2021-12-18 Thread John Scott
Hi,

I don't use OpenBSD, but I've played with it and am interested in making
my code portable to it. A trend which the GNU C Library recently got on
board with is to use a thread-local storage buffer for strerror() which
makes it safe to use across multiple threads. I was wondering if there
is a particular reason OpenBSD has not taken this approach, perhaps just
because it hasn't been raised, or if it doesn't support thread-local
storage.

From the strerror() code [1] it seems that, if OpenBSD supports a C11
compiler, it should be as easy as adding the _Thread_local (or otherwise
the GCC/Clang-specific __thread) keyword to the static buffer.

Whether thread-local storage is allowed was clarified in POSIX [2] by a
Technical Corrigendum although I have not referred to an official copy;
they affirmed it can be used, so if this change were to be made in
OpenBSD, it should not break conforming applications.

Off-topic, but since I know someone will ask: I dislike strerror_r() and
strerror_l() because they are allowed to fail, and since POSIX places no
restrictions, that means they are allowed to fail for any reason. Even
on failure, plain strerror() is always required to return a valid NUL-
terminated string of some sort, which makes it convenient.

In order to use perror(), one has to assign the error number to errno,
which in the case of functions like POSIX threads seems to somewhat
defeat the point of the design of the interfaces in my opinion.

Thanks,
John 

[1] 
https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libc/string/strerror.c
[2] https://www.austingroupbugs.net/view.php?id=656
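The hazard John describes, and the one-keyword fix, are easy to show. The following is an added example (my code, not OpenBSD's strerror.c and not from the post): a stand-in for a strerror() that formats its text into a process-wide static buffer, next to the same function with the buffer declared _Thread_local. A helper hands the calling thread a string, lets a second thread call the same function, and then checks whether the first string is still intact. It assumes a C11 compiler with pthreads; the "Unknown error: N" text is constructed, not copied from any libc.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#define BUFLEN 64

/* Stand-in for a strerror() whose text lives in one process-wide static
 * buffer: every thread is handed a pointer to the same storage. */
static char shared_buf[BUFLEN];
const char *shared_strerror(int num)
{
    snprintf(shared_buf, sizeof shared_buf, "Unknown error: %d", num);
    return shared_buf;
}

/* Same function with the change the post proposes: the buffer is
 * _Thread_local, so each thread formats into its own copy. */
static _Thread_local char tls_buf[BUFLEN];
const char *tls_strerror(int num)
{
    snprintf(tls_buf, sizeof tls_buf, "Unknown error: %d", num);
    return tls_buf;
}

struct job {
    const char *(*fn)(int);
    int num;
};

static void *worker(void *arg)
{
    struct job *j = arg;
    j->fn(j->num);          /* the other thread formats a different error */
    return NULL;
}

/* Returns 1 if the text fn() handed this thread is still intact after
 * another thread has called fn(), 0 if it was overwritten, -1 on error. */
int survives_other_thread(const char *(*fn)(int))
{
    char expected[BUFLEN];
    const char *p = fn(1);
    pthread_t t;
    struct job j = { fn, 2 };

    snprintf(expected, sizeof expected, "%s", p);   /* what we were handed */
    if (pthread_create(&t, NULL, worker, &j) != 0)
        return -1;
    pthread_join(t, NULL);
    return strcmp(p, expected) == 0;
}

int main(void)
{
    printf("static buffer survives another thread's call: %d\n",
           survives_other_thread(shared_strerror));
    printf("_Thread_local buffer survives another thread's call: %d\n",
           survives_other_thread(tls_strerror));
    return 0;
}
```

With the shared buffer the first thread's "Unknown error: 1" silently becomes "Unknown error: 2" once the second thread runs; with the thread-local buffer each thread keeps its own text. Older toolchains may need -pthread on the compile line. The thread-local version still has the property John values: the pointer stays valid for the lifetime of the calling thread, with no failure mode for the caller to handle.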




Re: EC 25 pci-express support in arm64

2021-11-20 Thread Heppler, J. Scott

On Nov 20, 2021: 17:38, Łukasz Moskała wrote:

W dniu 20.11.2021 o 16:34, Heppler, J. Scott pisze:

I live in a rural area with poor broadband.  T-mobile is introducing a
cellular based home internet plan and if the speeds are 1/3 of what they
tout, my bandwidth will increase 20x.

This would be stationary and I would build to that goal.

I found there is usb support for the Quectel EC25 but a list search did
not show pci-e.

https://marc.info/?l=openbsd-tech=162106996807242=2

This chipset is available in a pci-express card and there is a base hat
for the Raspberry Pi's 40-pin connector.

https://sixfab.com/product/raspberry-pi-base-hat-3g-4g-lte-minipcie-cards/

I'd prefer a Gigybyte ethernet port on the arm64; Raspberry
Pi4/M3/BPI-M2, Banana Pi, Nano Pi.  These appear to be Realtek or
Broadcom.

Questions:

Is there pci-e interface support for the Quectel EC25?
Broadcom (bge) vs Realtek (re) NIC's; is one better supported than 
the other?




Hi,

Raspberry Pi has neither PCIe nor USB lines on the GPIO header. 
The description of that hat says "Both UART and USB communication with 
modules are available on the shield". I assume that to get USB 
communication (since UART will limit you to 115200 bits/second) you 
will have to connect it with a USB cable anyway.


At this point you could just go with USB modem, and don't spend the 
$40 on hat that will give you essentially nothing, except maybe more 
compact form factor.


If you really want to connect modem with PCIe, there is rockpro64, 
that has PCIe slot. Or some amd64 thin clients, like fujitsu futro 
s920.


As for the second question, a lot of people do not recommend using 
Realtek NICs with FreeBSD; I'd avoid them if possible, in case you 
will want to switch OS in the future. I had problems with them on 
FreeBSD, but I didn't use them with OpenBSD so maybe someone else can 
say more.


I didn't have problems with broadcom nics.

If I were you, I'd go with raspberry pi 4 and USB modem, since rpi4 
also has built in wifi, which IIRC is supported in AP mode on openbsd.


Kind regards
--
Łukasz Moskała



Using the usb interface would ensure OpenBSD compatibility from what
I've been able to glean so far.  Pci-e is more attractive for my use
case but it's unclear whether the Vendor IDs are in OpenBSD for anything other
than usb.

There are pci-e <-> usb adapters or LTE modules on usb cards
https://www.aliexpress.com/item/1267232403.html
Some of the supported boards have usb connectors along another board
edge to avoid obstructing the ethernet port:
https://www.pine64.org/devices/single-board-computers/pine-a64-lts/

Also found male usb2 <-> male usb2 connectors/angle adapters
https://www.ebay.com/itm/224698400405?mkevt=1=1=711-53200-19255-0=5338722076=10001


This board has a usb3 on the opposite edge and pci-e on the underside:
https://wiki.radxa.com/RockpiN10/hardware/rockpiN10
I like the heat sink.  The dwge(4) ethernet appears to be fully
supported.  Has a 27 week lead time in the US or out-of-stock
https://man.openbsd.org/arm64/dwge.4
--
J. Scott Heppler

Penguin Innovations




EC 25 pci-express support in arm64

2021-11-20 Thread Heppler, J. Scott

I live in a rural area with poor broadband.  T-mobile is introducing a
cellular based home internet plan and if the speeds are 1/3 of what they
tout, my bandwidth will increase 20x.

This would be stationary and I would build to that goal.

I found there is usb support for the Quectel EC25 but a list search did
not show pci-e.

https://marc.info/?l=openbsd-tech=162106996807242=2

This chipset is available in a pci-express card and there is a base hat
for the Raspberry Pi's 40-pin connector.

https://sixfab.com/product/raspberry-pi-base-hat-3g-4g-lte-minipcie-cards/

I'd prefer a Gigybyte ethernet port on the arm64; Raspberry
Pi4/M3/BPI-M2, Banana Pi, Nano Pi.  These appear to be Realtek or
Broadcom.

Questions:

Is there pci-e interface support for the Quectel EC25?
Broadcom (bge) vs Realtek (re) NIC's; is one better supported than the other?


--
J. Scott Heppler



libsqlite3 errors while attempting to install numerous packages...

2021-08-22 Thread Scott Vargovich
Let me preface what I'm about to say:  I'm a long time Linux user, but I'm
very much a novice to openbsd.  I know the list says to "do your homework"
before posting here, but I don't even know where to begin to do the
homework you're suggesting.

Here's the error I'm getting while attempting to install qutebrowser and a
number of other packages:

Can't install libsoup2.72.0 because of libraries library sqlite3.37.12 not
found
I believe there's some sort of symlinking I need to do to point to the
right sqlite3 library, but I have no clue where the link needs to go and
what it needs to point to.  Please help me figure this out and fix it.

Thanks in advance,
-- 
---
<><  Scott Vargovich  <><

Ham Call Sign:  KE8CQC

GMRS Call: WQXJ287
---


Re: unexpected behavior with pf queues (bandwidth allocations seemingly ignored)

2021-07-24 Thread Scott Lewandowski
Hi David, thanks for your reply. I had initially tried the rule without a max 
or min specification, and was not seeing the desired behavior. I just 
reconfirmed that using the rules without a min specified exhibits the 
unexpected behavior:

queue rootq on $ext_if bandwidth 13M max 13M
queue file1_bak parent rootq bandwidth 10M qlimit 1024
queue std parent rootq bandwidth 3M default qlimit 1024

fw0# pfctl -v -sq 
queue rootq on vmx0 bandwidth 13M, max 13M
  [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50 ]
queue file1_bak parent rootq bandwidth 10M qlimit 1024
  [ pkts:   6719  bytes:9497288  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/1024 ]
queue std parent rootq bandwidth 3M default qlimit 1024
  [ pkts:  75265  bytes:  103153102  dropped pkts:  0 bytes:  0 ]
  [ qlength:   9/1024 ]


> -Original Message-
> From: David Dahlberg 
> Sent: Saturday, July 24, 2021 8:47 AM
> To: Scott Lewandowski 
> Cc: misc@openbsd.org
> Subject: Re: unexpected behavior with pf queues (bandwidth allocations
> seemingly ignored)
> 
> Please try first to remove „min“. „Min“ makes it a „real-time service curve“ 
> in
> HFSC terminology, which may react … „unexpectedly“ when exceeded. And
> you do not want „real-time“ properties for file transfer anyways.
> 
> > Am 24.07.2021 um 00:21 schrieb Scott Lewandowski
> :
> >
> > I am attempting to prioritize traffic from a particular host. I have the
> following queue definitions, with this match rule:
> >
> > queue rootq on $ext_if bandwidth 13M max 13M queue file1_bak parent
> > rootq bandwidth 10M min 8M qlimit 1024 queue std parent rootq
> > bandwidth 3M min 2M default qlimit 1024
> >
> > match from 192.168.1.176 set queue file1_bak
> >
> > However, even when the host at .176 has a steady stream of data to
> output, it is not being prioritized for bandwidth utilization. For example:
> >
> > fw0# pfctl -v -sq
> > queue rootq on vmx0 bandwidth 13M, max 13M
> >  [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
> >  [ qlength:   0/ 50 ]
> > queue file1_bak parent rootq bandwidth 10M, min 8M qlimit 1024
> >  [ pkts:   1279  bytes:1825459  dropped pkts:  0 bytes:  0 ]
> >  [ qlength:   0/1024 ]
> > queue std parent rootq bandwidth 3M, min 2M default qlimit 1024
> >  [ pkts:   8994  bytes:   12333179  dropped pkts:  0 bytes:  0 ]
> >  [ qlength:   2/1024 ]
> >
> > Even after an extended period of execution, I see similar results. The
> supposedly prioritized host sees upload speeds of 17-200KB/s, whereas
> other hosts see 800KB/s or more.
> >
> > I do not understand the behavior I am seeing. Why are other hosts being
> allocated so much bandwidth for uploads?
> >
> > Also of interest is that when I added the queues, a host that reliably used
> to have consistent 27MB/s downloads now sees variable speeds between 13
> and 24MB/s, even when there is no other (meaningful) network activity. I'm
> not sure if this is related to the upload speed issue I am seeing. I realize 
> there
> is outbound control traffic from the downloading host, but I can't imagine
> that should be impacted by the queues when there is no other meaningful
> network traffic. To try to address the download issue, I've experimented
> with adding a control traffic queue and assigning traffic to (std, ctrl), but 
> that
> hasn't helped (in fact, it's hurt).
> >
> > Based on some past threads I've read on related issues, I've tried adding
> "max" specifications to each queue, but that hasn't helped, and it doesn't
> seem it should be necessary based on the docs. Oddly, if I specify a max of 13
> on each rule -- with no suffix, which I accidentally did -- I seem to get the
> desired behavior, but in that case pf obviously isn't enforcing the max
> correctly, and I also see download speeds of less than 1KB/s. Adding the
> intended suffix gives the same observable behavior as I saw without the max
> specifier at all.
> >
> > I am running up-to-date 6.9 on ESX 6.7 with vmxnet3 vNICs. The VM has 2
> vCPUs and 1G and is showing no sign of resource constraints.
> >
> > Any help or thoughts would be appreciated!
> >



unexpected behavior with pf queues (bandwidth allocations seemingly ignored)

2021-07-23 Thread Scott Lewandowski
I am attempting to prioritize traffic from a particular host. I have the 
following queue definitions, with this match rule:

queue rootq on $ext_if bandwidth 13M max 13M
queue file1_bak parent rootq bandwidth 10M min 8M qlimit 1024
queue std parent rootq bandwidth 3M min 2M default qlimit 1024

match from 192.168.1.176 set queue file1_bak

However, even when the host at .176 has a steady stream of data to output, it 
is not being prioritized for bandwidth utilization. For example:

fw0# pfctl -v -sq 
queue rootq on vmx0 bandwidth 13M, max 13M
  [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50 ]
queue file1_bak parent rootq bandwidth 10M, min 8M qlimit 1024
  [ pkts:   1279  bytes:1825459  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/1024 ]
queue std parent rootq bandwidth 3M, min 2M default qlimit 1024
  [ pkts:   8994  bytes:   12333179  dropped pkts:  0 bytes:  0 ]
  [ qlength:   2/1024 ]

Even after an extended period of execution, I see similar results. The 
supposedly prioritized host sees upload speeds of 17-200KB/s, whereas other 
hosts see 800KB/s or more.

I do not understand the behavior I am seeing. Why are other hosts being 
allocated so much bandwidth for uploads? 

Also of interest is that when I added the queues, a host that reliably used to 
have consistent 27MB/s downloads now sees variable speeds between 13 and 
24MB/s, even when there is no other (meaningful) network activity. I'm not sure 
if this is related to the upload speed issue I am seeing. I realize there is 
outbound control traffic from the downloading host, but I can't imagine that 
should be impacted by the queues when there is no other meaningful network 
traffic. To try to address the download issue, I've experimented with adding a 
control traffic queue and assigning traffic to (std, ctrl), but that hasn't 
helped (in fact, it's hurt).

Based on some past threads I've read on related issues, I've tried adding "max" 
specifications to each queue, but that hasn't helped, and it doesn't seem it 
should be necessary based on the docs. Oddly, if I specify a max of 13 on each 
rule -- with no suffix, which I accidentally did -- I seem to get the desired 
behavior, but in that case pf obviously isn't enforcing the max correctly, and 
I also see download speeds of less than 1KB/s. Adding the intended suffix gives 
the same observable behavior as I saw without the max specifier at all. 

I am running up-to-date 6.9 on ESX 6.7 with vmxnet3 vNICs. The VM has 2 vCPUs 
and 1G and is showing no sign of resource constraints.

Any help or thoughts would be appreciated!
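The `pfctl -v -sq` counters in the post already contain the evidence of what the queues did; what is missing is a quick way to turn them into a share. The following is an added example (my code, not from the post and not part of pf or pfctl) that parses the counter block into per-queue byte and packet totals and computes the fraction of queued bytes a named queue received, so the observed share can be compared with the configured one (10M of 13M, about 77%, for file1_bak). It assumes the output layout shown in the post: a "queue NAME ..." line followed by a "[ pkts: ... bytes: ... ]" counter line. The sample lines are constructed from the post's own output.

```c
#include <stdio.h>
#include <string.h>

struct qstat {
    char name[32];
    long pkts;
    long bytes;
};

/* Parse "pfctl -v -sq" output: a "queue NAME ..." line followed by a counter
 * line "[ pkts: N bytes: N dropped pkts: N bytes: N ]". The first "pkts:" and
 * "bytes:" on a counter line are the delivered counters; the "dropped" pair
 * comes later on the line and is ignored here. Returns the number of queues. */
size_t parse_pfctl_queues(const char *const lines[], size_t n,
                          struct qstat out[], size_t max)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        while (*l == ' ' || *l == '\t')
            l++;
        if (strncmp(l, "queue ", 6) == 0) {
            if (count == max)
                break;
            memset(&out[count], 0, sizeof out[count]);
            sscanf(l, "queue %31s", out[count].name);
            count++;
        } else if (count > 0 && strstr(l, "pkts:") != NULL) {
            const char *p = strstr(l, "pkts:") + 5;
            const char *b = strstr(l, "bytes:");
            sscanf(p, "%ld", &out[count - 1].pkts);
            if (b != NULL)
                sscanf(b + 6, "%ld", &out[count - 1].bytes);
        }
    }
    return count;
}

/* Share (percent) of all queued bytes that went through queue `name`;
 * -1 if the queue is absent or nothing has been counted yet. */
double byte_share_percent(const struct qstat q[], size_t n, const char *name)
{
    long total = 0, mine = -1;
    for (size_t i = 0; i < n; i++) {
        total += q[i].bytes;
        if (strcmp(q[i].name, name) == 0)
            mine = q[i].bytes;
    }
    if (mine < 0 || total == 0)
        return -1;
    return 100.0 * (double)mine / (double)total;
}

/* Constructed sample, copied from the pfctl output in the post. */
static const char *const SAMPLE[] = {
    "queue rootq on vmx0 bandwidth 13M, max 13M",
    "  [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]",
    "  [ qlength:   0/ 50 ]",
    "queue file1_bak parent rootq bandwidth 10M, min 8M qlimit 1024",
    "  [ pkts:   1279  bytes:1825459  dropped pkts:  0 bytes:  0 ]",
    "  [ qlength:   0/1024 ]",
    "queue std parent rootq bandwidth 3M, min 2M default qlimit 1024",
    "  [ pkts:   8994  bytes:   12333179  dropped pkts:  0 bytes:  0 ]",
    "  [ qlength:   2/1024 ]",
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    struct qstat q[8];
    size_t n = parse_pfctl_queues(SAMPLE, SAMPLE_LEN, q, 8);
    for (size_t i = 0; i < n; i++)
        printf("%-10s pkts=%ld bytes=%ld\n", q[i].name, q[i].pkts, q[i].bytes);
    printf("file1_bak got %.1f%% of queued bytes (configured 10M of 13M, ~77%%)\n",
           byte_share_percent(q, n, "file1_bak"));
    return 0;
}
```

On the post's numbers file1_bak carried about 12.9% of the bytes, which puts a figure on the "not being prioritized" observation. Note that byte share is only a proxy: HFSC guarantees are about rate over time, so the comparison is meaningful only when both queues had backlog for the whole measurement window, which is why the qlength column is worth keeping alongside the counters.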



Re: [EXTERNAL] Why demotion counter for group carp is set to 33 on boot?

2021-07-15 Thread Scott Reese



- Original Message -
> From: "Tom K" 
> To: "misc" 
> Sent: Tuesday, July 13, 2021 3:32:04 AM
> Subject: [EXTERNAL] Why demotion counter for group carp is set to 33 on boot?

> Hallo,
> 
> why demotion counter for group carp is set to 33 on boot? This is the
> primary firewall and there are no adskew settings in all hostname.carpX
> files or anywhere else.
> Because of this the other firewall, which should normally be the standby
> (adskew 100), is always MASTER (comes up with carp demote count 0).
> 


> 
> 
> I can do "/sbin/ifconfig -g carp -carpdemote 33" in rc.local then this
> system takes the MASTER rule and work together with the 2nd system as
> expected.
> These are physical machines. I tried to simulate this on vmware, but there
> everything is fine. Both systems start with demote count 0.
> 
> 
> I would appreciate any hint to understand this.
> 
> Tom

Greetings Tom:

I don't have an answer for you, but I see the same behavior across a number of 
different hardware platforms (all amd64) and across all recent versions of 
OpenBSD (6.3+ for sure - maybe further back). I have pairs of machines as 
firewalls at remote sites. The only time that I reboot them is for patching and 
they sometimes get rebooted in an unplanned fashion due to power loss. It does 
not happen every time the systems are rebooted - maybe 1 time in 20. It happens 
often enough that checking the carp demotion counters after reboot is now part 
of the standard patching procedure and our monitoring system looks for and 
fixes the situation.

It's always the box we consider 'primary' (advskew 10 vs. the secondary with 
advskew 100), and the carpdemote value is always set to 33. I can't be 100% 
certain, but I don't think I've ever seen it happen with the unplanned 
reboot/power loss. It only ever seems to happen after a syspatch and reboot.

I have carp.preempt enabled, and I have suspected that the problem lies in 
there somewhere, but I have no evidence and it hasn't been enough of a problem 
to justify digging into it.

Sorry I don't have an answer for you. I just wanted you to know that it isn't 
just you.

-Scott



Re: Not possible to sysupgrade via snapshots right now?

2021-05-11 Thread Scott Vanderbilt

On 5/11/2021 3:41 AM, Edgar Pettijohn wrote:

On May 11, 2021 3:42 AM, Robert Klein  wrote:

   On Sun, 9 May 2021 07:47:32 -0700
   Scott Vanderbilt  wrote:

   > On 5/9/2021 4:04 AM, Stuart Henderson wrote:
   > > On 2021-05-08, Scott Vanderbilt  wrote:
   > >> Apologies if this is a question to which there is an obvious
   > >> answer, but I could not find one in the sysupgrade man page, in
   > >> the FAQ, or by Googling.
   > >>
   > >> Is it not possible to do a sysupgrade from 6.9-current to latest
   > >> using snapshots at the moment? When I try, I get the following
   > >> response from sysupgrade:
   > >
   > > This can only have happened if you were running a "6.9" kernel
   and
   > > not "6.9-current". You might still have the boot messages to
   > > confirm; zgrep OpenBSD /var/log/messages*
   > >
   >
   > I can assure you with absolute certainty that this machine in
   > question was running 6.9-current prior to the attempt to run
   > sysupgrade.
   >

   maybe you had a snapshot claiming to be “release”.  This
   typically
   happened in the past a couple of days around the actual release.  If
   you look at the history of sys/conf/newvers.sh (e.g. at the github
   mirror, if CVS is too much effort for one file) you'll see 6.9 went
   out
   of beta on April, 4 and into current on April 18.  I'd guess
   snapshots
   made during this period all are marked “release”.



This is similar to how pkg_* requires -Dsnap from time to time. I've just
trained myself to always use the flags so as not to let the software have
to decide for me.


Excellent advice. I will make a habit of doing this going forward.

Many thanks.




Re: Not possible to sysupgrade via snapshots right now?

2021-05-11 Thread Scott Vanderbilt

On 5/11/2021 1:42 AM, Robert Klein wrote:

On Sun, 9 May 2021 07:47:32 -0700
Scott Vanderbilt  wrote:


On 5/9/2021 4:04 AM, Stuart Henderson wrote:

On 2021-05-08, Scott Vanderbilt  wrote:

Apologies if this is a question to which there is an obvious
answer, but I could not find one in the sysupgrade man page, in
the FAQ, or by Googling.

Is it not possible to do a sysupgrade from 6.9-current to latest
using snapshots at the moment? When I try, I get the following
response from sysupgrade:


This can only have happened if you were running a "6.9" kernel and
not "6.9-current". You might still have the boot messages to
confirm; zgrep OpenBSD /var/log/messages*
   


I can assure you with absolute certainty that this machine in
question was running 6.9-current prior to the attempt to run
sysupgrade.



maybe you had a snapshot claiming to be “release”.  This typically
happened in the past a couple of days around the actual release.  If
you look at the history of sys/conf/newvers.sh (e.g. at the github
mirror, if CVS is too much effort for one file) you'll see 6.9 went out
of beta on April, 4 and into current on April 18.  I'd guess snapshots
made during this period all are marked “release”.


Bingo. The upgrade history on the machine in question went from:

   OpenBSD 6.9 (GENERIC.MP) #469: Fri Apr 16 11:07:03 MDT 2021

to:

   OpenBSD 6.9-current (GENERIC.MP) #9: Sat May  8 14:55:48 MDT 2021

So the Apr 16 snapshot I assumed to be 6.9-current was masquerading as 
6.9 release. Now it's all making sense. Thanks for pointing that out.






Re: Not possible to sysupgrade via snapshots right now?

2021-05-09 Thread Scott Vanderbilt

On 5/9/2021 4:04 AM, Stuart Henderson wrote:

On 2021-05-08, Scott Vanderbilt  wrote:

Apologies if this is a question to which there is an obvious answer, but
I could not find one in the sysupgrade man page, in the FAQ, or by Googling.

Is it not possible to do a sysupgrade from 6.9-current to latest using
snapshots at the moment? When I try, I get the following response from
sysupgrade:


This can only have happened if you were running a "6.9" kernel and
not "6.9-current". You might still have the boot messages to confirm;
zgrep OpenBSD /var/log/messages*



I can assure you with absolute certainty that this machine in question 
was running 6.9-current prior to the attempt to run sysupgrade.


Is it possibly relevant that the upgrade files were "cached" to a host 
on my LAN before the sysupgrade? I typically download all the upgrade 
files to a local machine and sysupgrade that machine first. Then for two 
other machines on my network, I sysupgrade with /etc/installurl pointing 
to my local server. I do this to prevent multiple downloads from the 
OpenBSD servers.


Might having SHA256.sig come from one location while the other upgrade 
files come from a second location possibly confuse sysupgrade?




Re: Not possible to sysupgrade via snapshots right now?

2021-05-08 Thread Scott Vanderbilt

On 5/8/2021 6:04 PM, trondd wrote:

On Sat, May 8, 2021 7:58 pm, Scott Vanderbilt wrote:

Apologies if this is a question to which there is an obvious answer, but
I could not find one in the sysupgrade man page,


What is sysupgrade trying to do?  What do you want it to do?

No?  Read it again.  It's not that long.



Another responder politely pointed out I needed to add the -s switch, 
which in fact eliminated the error.


But your reply seems to imply I'm doing something unreasonable.
I looked at the -s switch in the man page, where it says:

-s  Upgrade to a snapshot. This is the default if the system
is currently running a snapshot.

I thus disregarded this switch for two reasons:

(1) As I am already running a snapshot (6.9-current as stated in my 
original post), I concluded that the switch would effectively be a NOOP 
since it specifically says it's the _default behavior_ under these 
circumstances.


(2) I've used sysupgrade without the -s switch for years and it's always 
worked fine.


What is not clear or explained anywhere that I can find is why it 
behaves differently right now. Notwithstanding your suggestion, reading 
the man page more than once does not make the answer magically appear.




Not possible to sysupgrade via snapshots right now?

2021-05-08 Thread Scott Vanderbilt
Apologies if this is a question to which there is an obvious answer, but 
I could not find one in the sysupgrade man page, in the FAQ, or by Googling.


Is it not possible to do a sysupgrade from 6.9-current to latest using 
snapshots at the moment? When I try, I get the following response from 
sysupgrade:


$ doas sysupgrade
Fetching from https://ftp.OpenBSD.org/pub/OpenBSD/7.0/amd64/
sysupgrade: Error retrieving 
https://ftp.OpenBSD.org/pub/OpenBSD/7.0/amd64/SHA256.sig: 404 Not Found


It's been this way for the past three days. Presumably something to do 
with the recent release of 6.9.


Many thanks in advance.




Re: Understanding download speed reduction by introducing an inline Ubiquity ERL device

2020-10-04 Thread Scott Seekamp
I had a similar speed drop on an Edge Router 4. I don’t know if it’s the same 
situation on the Lite, but I believe it’s expected due to hardware acceleration 
support (or lack of) and single core performance on the pf side. 

Scott

> On Oct 4, 2020, at 17:24, Amarendra Godbole  
> wrote:
> 
> Sorry I forgot including "ifconfig" output:
> 
> lo0: flags=8049 mtu 32768
> index 5 priority 0 llprio 3
> groups: lo
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> inet 127.0.0.1 netmask 0xff00
> 
> cnmac0: flags=808843 mtu 
> 1500
> lladdr a8:28:dc:cc:2e:6f
> index 1 priority 0 llprio 3
> groups: egress
> media: Ethernet autoselect (1000baseT full-duplex,master)
> status: active
> inet 73.xx.xx.xx netmask 0xfe00 broadcast 73.xx.xx.255
> 
> cnmac1: flags=8b43
> mtu 1500
> lladdr 78:8a:20:46:a8:c1
> index 2 priority 0 llprio 3
> media: Ethernet autoselect (1000baseT full-duplex)
> status: active
> 
> cnmac2: flags=8b43
> mtu 1500
> lladdr 78:8a:20:46:a8:c2
> index 3 priority 0 llprio 3
> media: Ethernet autoselect (none)
> status: no carrier
> enc0: flags=0<>
> index 4 priority 0 llprio 3
> groups: enc
> status: active
> 
> bridge0: flags=41
> index 6 llprio 3
> groups: bridge
> priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
> cnmac2 flags=7
> port 3 ifpriority 0 ifcost 0
> cnmac1 flags=7
> port 2 ifpriority 0 ifcost 0
> vether0 flags=7
> port 7 ifpriority 0 ifcost 0
> 
> vether0: flags=8943 mtu 1500
> lladdr fe:e1:ba:d0:c8:a9
> index 7 priority 0 llprio 3
> groups: vether
> media: Ethernet autoselect
> status: active
> inet 192.168.10.1 netmask 0xff00 broadcast 192.168.10.255
> 
> pflog0: flags=141 mtu 33136
> index 8 priority 0 llprio 3
> groups: pflog
> 
>> On Sun, Oct 4, 2020 at 2:22 PM Amarendra Godbole
>>  wrote:
>> 
>> Hi misc@
>> 
>> I recently introduced an OpenBSD firewall inline and noticed a
>> reduction in overall download speeds. I am trying to understand why
>> this may be so. The firewall is Ubiquiti ERL running 6.7 release.
>> Internet connection is Comcast xfinity via cable modem, plan 200
>> Mbits/s down and 10 Mbits/s up. Details follow:
>> 
>> 1. config #1: MacBook - Linksys WRT1200AC  - xfinity cable modem
>> (speed: ~210 Mbits/s down, 6 Mbits/s up)
>> 2. config #2: MacBook - Linksys WRT1200AC - Ubiquiti ERL - xfinity
>> cable modem (speed: ~90 MBits down, 6 Mbits/s up)
>> 3. config #3 (Line speed): MacBook wired to cable modem (~230 Mbits/s
>> down, ~8 Mbits/s up).
>> 
>> Linksys is running latest OpenWrt, and speed tests were run on MacBook
>> connected wired to Linksys. It was difficult to try tcpbench since the
>> setup was cumbersome, and iperf3 public servers end up being busy more
>> often than not (and threads on misc@ indicated iperf3 wasn't as
>> reliable either). Test numbers come from speedtest.net and
>> speed.cloudflare.com. While I realize this speed test is hardly
>> accurate, I have tried to maintain the same configuration (no ERL and
>> inline ERL) to obtain relative numbers.
>> 
>> I am trying to understand the reduction from 210 Mbits/s down to 90
>> Mbits/s down between config #1 and config #2 above. The slowdown is
>> not noticeable to family, so this is more of my intellectual curiosity
>> than screams over a buffering video! :-)
>> 
>> Relevant system information (dmesg, etc.) below. All sysctl values
>> attached as sysctl.txt I gathered it by reading similar threads on
>> misc@. If I missed anything, please let me know. Thanks in advance.
>> 
>> -Amarendra
>> 
>> 
>> dmesg:
>> 
>> Copyright (c) 1982, 1986, 1989, 1991, 1993
>> The Regents of the University of California.  All rights reserved.
>> Copyright (c) 1995-2020 OpenBSD. All rights reserved.  
>> https://www.OpenBSD.org
>> OpenBSD 6.7 (GENERIC.MP) #134: Thu May  7 16:05:06 MDT 2020
>>dera...@octeon.openbsd.org:/usr/src/sys/arch/octeon/compile/GENERIC.MP
>> real mem = 536870912 (512MB)
>> avail mem = 506740736 (483MB)
>> mainbus0 at root: board 20002 rev 2.18
>> cpu0 at mainbus0: CN50xx CPU rev 0.1 500 MHz, Software FP emulation
>> cpu0: cache L1-I 32KB 4 way D 16KB 64 way, L2 128KB 8 way
>> cpu1 at mainbus0: CN50xx CPU rev 0.1 500 MHz, Software FP emulation
>> cpu1: cache L1-I 32KB 4 way D 16KB 64 way, L2 128KB 8 way
>> clock0 at mainbus0: int 5
>> octcrypto0 at mainbus0
>> iobus0 at mainbus0
>> simplebus0 at iobus0: "soc"
>> octciu0 at simplebus0
>> octsmi0 at simplebus0
>>

Re: [EXTERNAL] Re: Troubleshooting pf congestion

2020-09-16 Thread Scott Reese


> On 2020-09-14, Scott Reese  wrote:
>> Greetings:
>>
>> - Original Message -
>>> From: "Uwe Werler" 
>>> To: "misc" , "Scott Reese" , "misc"
>>> 
>>> Sent: Monday, September 14, 2020 12:47:31 PM
>>> Subject: [EXTERNAL]  Re: Troubleshooting pf congestion
>>
>>> Without seeing a rule set what should one say?
>>> 
>>
>>>> If anyone could spare a couple of sentences or share a link to a page
>>>> detailing what state causes the system to consider itself congested, I
>>>> would appreciate it.
>>
>> Thanks for your reply. The question that I can't find a good answer for is,
>> "What is pf congestion?". I would like to solve the actual problem myself,
>> I'm just looking for some information about what it means for pf to be
>> congested.
> 
> When enqueueing packets to an interface fails (queue is full), a
> global congestion marker variable in the kernel is set to the current
> timestamp.
> 
> When PF tests an inbound packet against rules (i.e. when it has a packet
> that doesn't match an existing state) it checks if that congestion timestamp
> is recent. If it is, the packet is dropped and the PF stats congestion
> counter is incremented.
> 
> Look around if_congested/if_congestion in /sys/net and the mq_ functions
> in /sys/kern/uipc_mbuf.c - the functions described in mq_init(9) as "If the
> queue is full then XX will be dropped" trigger congestion.
> 
> You might get some suggestions if you post a description of your
> configuration (at least which interface types - physical or virtual -
> are in use, what they're connected to, what if any VPNs it's running,
> and it may help to see the ruleset).
> 
> Output from these might help too:
> 
> netstat -m
> systat mbuf | cat
> vmstat -i
> vmstat -m

Greetings Stuart:

Thank you for your reply. It was very helpful and pointed me in the right
direction. The 1000+ windows workstations behind that firewall had been
converted from 7 to 10. Most aren't allowed to access the internet, and the
new OS is much more aggressive about trying to phone home. All of those 
dropped packets had to traverse all of the rules before being dropped, and 
that was the root cause of the issue. It didn't look like too much traffic
because it was just SYN packets, but it was a lot of SYN packets.

Again, thanks for your help.

-Scott
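Stuart's explanation above (pf refuses to evaluate a packet for a new state while the interface-queue congestion timestamp is recent, and bumps the congestion counter) together with Scott's observation that the counter jumps by 100-300/s in short bursts suggests polling the cumulative counter at a short interval rather than reading the long-term rate. The script below is an added example, not code from the thread; it assumes the pfctl -si layout of a "Counters" section with name, value and rate columns, and needs root to run pfctl.

```shell
#!/bin/sh
# Sample pf's congestion counter at short intervals (added example, not from
# the thread). pfctl -si reports a long-term average that hides short bursts,
# so this takes the cumulative counter every few seconds and prints the
# per-interval rate. Assumes the pfctl -si layout of a "Counters" section
# with "name  value  rate/s" rows.

# Cumulative congestion counter from pfctl -si text on stdin.
congestion_count() {
    awk '/^Counters/ { in_counters = 1; next }
         in_counters && $1 == "congestion" { print $2; exit }'
}

# Per-second increase between two cumulative readings; a counter reset
# (pfctl -F info) shows up as a negative delta and is reported as 0.
congestion_rate() {   # $1 = earlier reading, $2 = later reading, $3 = seconds apart
    delta=$(( $2 - $1 ))
    if [ "$delta" -lt 0 ]; then
        delta=0
    fi
    echo $(( delta / $3 ))
}

# Label an interval: idle (no new congestion drops), low, or burst
# (at or above the threshold, default 100/s).
classify() {   # $1 = rate per second, $2 = burst threshold
    if [ "$1" -eq 0 ]; then
        echo idle
    elif [ "$1" -ge "${2:-100}" ]; then
        echo burst
    else
        echo low
    fi
}

# Poll the live counter: monitor [interval-seconds] [samples]
monitor() {
    interval=${1:-1}
    n=${2:-60}
    prev=$(pfctl -si | congestion_count)
    [ -n "$prev" ] || return 1
    while [ "$n" -gt 0 ]; do
        sleep "$interval"
        cur=$(pfctl -si | congestion_count)
        [ -n "$cur" ] || return 1
        rate=$(congestion_rate "$prev" "$cur" "$interval")
        printf '%s congestion +%s/s %s\n' "$(date +%T)" "$rate" "$(classify "$rate")"
        prev=$cur
        n=$(( n - 1 ))
    done
}

# Invoke as: sh pfcongestion.sh run [interval] [samples]
if [ "${1:-}" = "run" ]; then
    monitor "${2:-1}" "${3:-60}"
fi
```

Correlate the burst intervals with the other commands Stuart lists (netstat -m, systat mbuf, vmstat -i) to tell interface-queue pressure from rule-evaluation load.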



Re: [EXTERNAL] Re: Troubleshooting pf congestion

2020-09-14 Thread Scott Reese
Greetings:

- Original Message -
> From: "Uwe Werler" 
> To: "misc" , "Scott Reese" , "misc" 
> 
> Sent: Monday, September 14, 2020 12:47:31 PM
> Subject: [EXTERNAL]  Re: Troubleshooting pf congestion

> Without seeing a rule set what should one say?
> 

>> If anyone could spare a couple of sentences or share a link to a page
>> detailing what state causes the system to consider itself congested, I
>> would appreciate it.

Thanks for your reply. The question that I can't find a good answer for is,
"What is pf congestion?". I would like to solve the actual problem myself, I'm
just looking for some information about what it means for pf to be congested.

-Scott



Troubleshooting pf congestion

2020-09-14 Thread Scott Reese
Greetings:

I am troubleshooting an issue: users complaining about network performance. The
firewall is an OpenBSD 6.7 system with patches applied. I've traced the issue
and I'm seeing the congestion counter incrementing on the system. The problems
that we're seeing fit with what I have been able to find about congestion - when
the firewall is congested it continues passing packets that match existing state
entries but it will not create any new state entries until the congestion
clears.

I'm having trouble troubleshooting it beyond that point because I have not been
able to find any additional information about what the congestion counter is
counting. There is the information in the pfctl man page: "congestion: network
interface queue congested", but beyond that I can't really find any information
about exactly what network interface queue is congested.

I'm not seeing packets being dropped, either on the switch side or firewall
side, that correspond with the congestion counter going up. The average on the
congestion counter stays around 10/s, but what it's really doing is going up by
100-300/s for short periods and then not moving for longer periods.

If anyone could spare a couple of sentences or share a link to a page detailing
what state causes the system to consider itself congested, I would appreciate
it.

Thanks for your time.

-Scott


System dmesg:


Re: OpenBSD alternatives to Pi-Hole

2020-06-12 Thread Scott Seekamp
I'm using unbound/nsd for my home network to accomplish a similar 
function (although without all the fancy metrics tracking and such)


I borrowed this from someone else so I can't take credit/blame for it.

cron script that runs periodically:

#!/bin/sh
ftp -o /var/unbound/etc/unbound_ad_servers \
    "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext"

unbound-control reload

and then unbound pulls that file in as local zones:

# Ad servers block
include: /var/unbound/etc/unbound_ad_servers

Scott

On 6/12/20 1:24 PM, George wrote:

Hi guys,

I am trying to setup a Pi-Hole service, i.e. add blocking based on 
empty DNS records zones files, for my local LAN and would like to ask 
what people are using on OpenBSD in this role?


Thanks in advance,

George
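A hardened variant of the cron job Scott posted, as an added example rather than the poster's own script: it fetches the list to a scratch file, keeps only local-zone/local-data lines, runs unbound-checkconf before the new list goes live, and rolls back on any failure so a bad download never takes the resolver down. The URL and list path are taken from the script above; the line format the filter accepts (yoyo's unbound output) is an assumption.

```shell
#!/bin/sh
# Hardened fetch-and-reload job for the unbound ad-server list (added example,
# not the poster's script). Any failure leaves the existing list in place.
# Invoke from cron as: sh update_adlist.sh run

# Assumed from the posted script.
URL="https://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext"
LIST=/var/unbound/etc/unbound_ad_servers

# Pass through comments, blank lines and well-formed local-zone/local-data
# lines; exit non-zero if anything else appears (an HTML error page, or an
# include:/forward-zone: directive that would otherwise become part of the
# resolver configuration verbatim).
filter_blocklist() {
    awk '
        /^[[:space:]]*(#.*)?$/ { print; next }
        /^local-zone: "[A-Za-z0-9.-]+" [a-z_]+[[:space:]]*$/ { print; next }
        /^local-data: "[A-Za-z0-9.-]+ (A|AAAA) [0-9A-Fa-f:.]+"[[:space:]]*$/ { print; next }
        { bad++ }
        END { exit (bad > 0) }
    '
}

update_blocklist() {
    raw=$(mktemp /tmp/adlist.XXXXXX) || return 1
    new=$(mktemp "$LIST.XXXXXX") || { rm -f "$raw"; return 1; }

    if ! ftp -o "$raw" "$URL"; then
        echo "download failed; keeping $LIST" >&2
        rm -f "$raw" "$new"; return 1
    fi
    if ! filter_blocklist < "$raw" > "$new" || ! [ -s "$new" ]; then
        echo "unexpected content in download; keeping $LIST" >&2
        rm -f "$raw" "$new"; return 1
    fi
    rm -f "$raw"
    # mktemp creates the file 0600; the _unbound user must be able to read
    # the list after the reload, so give it the usual 0644.
    chmod 644 "$new"

    # Swap the candidate in, check the whole configuration, roll back on failure.
    [ -f "$LIST" ] && cp -p "$LIST" "$LIST.prev"
    mv "$new" "$LIST"
    if ! unbound-checkconf >/dev/null 2>&1; then
        echo "unbound-checkconf rejected the new list; restoring previous" >&2
        [ -f "$LIST.prev" ] && mv "$LIST.prev" "$LIST"
        return 1
    fi
    unbound-control reload
}

if [ "${1:-}" = "run" ]; then
    update_blocklist
fi
```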





Re: reorder_kernel: failed

2019-12-11 Thread Heppler, J. Scott




--
J. Scott Heppler



ahci cd/dvd failure key_sense

2019-11-18 Thread Heppler, J. Scott

On amd64 6.6release/stable and -current my TSSTcorp CDDVDW SH-223DB has
failed to function.  It does not key_sense and backends
cdio/xorriso-tcltk seem to write a lead-in track and nothing else.

The system dual boots with Debian 10 the same drive is recognized and
works without issue.

# xorriso -as cdrecord dev=/dev/rcd0c crux-3.5-updated.iso  
xorriso 1.5.2 : RockRidge filesystem manipulator, libburnia project.


Drive current: -outdev '/dev/rcd0c' Media current: CD-R
Media status : is blank
Media summary: 0 sessions, 0 data blocks, 0 data,  703m free
Beginning to write data track.
libburn : FATAL : SCSI error on write(-22,16): See MMC specs:
Sense Key 2 "Drive not ready", ASC 00 ASCQ 00.
libburn : FATAL : CDB= WRITE(10) : 2a 00 ff ff ff ea 00 00 10 00  :
dxfer_len= 32768
libburn : FAILURE : Failed to synchronize drive cache. SCSI error : See
MMC specs: Sense Key 2 "Drive not ready", ASC 00 ASCQ 00.  xorriso :
FATAL : -abort_on 'FAILURE' encountered 'FATAL' during image writing
xorriso : NOTE : libburn has now been urged to cancel its operation
libburn : FATAL : Burn run failed
xorriso : FAILURE : libburn indicates failure with writing.
xorriso : NOTE : Gave up -outdev ''
xorriso : FAILURE : -as cdrecord: Job could not be performed properly.
xorriso : aborting : -abort_on 'FAILURE' encountered 'FATAL'

I found this, which seems to fit the issue I am having.

https://marc.info/?l=openbsd-misc&m=147411010102451&w=2

There were no F/U's to this post.  It appears this is device dependent.
Can anyone recommend a make/model of SATA drive that can be used in
OpenBSD?  Is it recommended to use "xorriso -as cdrecord" in OpenBSD?
Lastly, are any developers interested in addressing key sense in the ahci
driver?  I'm willing to test on the hardware I have.



--
J. Scott Heppler



Re: GPS hardware and TTYs

2019-07-23 Thread Scott Seekamp
On 23.07.2019 16:16, Theo de Raadt wrote:

> Todd C. Miller  wrote:
> 
> On Tue, 23 Jul 2019 13:42:28 -0600, Scott Seekamp wrote:
> 
> I tested by: 
> 
> - unplugging the sensor 
> 
> - changing /etc/ttys 
> 
> - kill -HUP 1 
> 
> - plugging sensor in and waiting 30 seconds 
> 
> - check sysctl output for data 
> You need to run "ttyflags ttyU0" instead of sending a HUP to init.
> If the cua device works I would expect that setting the local flag
> in /etc/ttys for ttyU0 would be sufficient.

That is what I suspect also.

But that doesn't seem right.  Something is wrong.  Internal cabling
error? 

Thanks Todd and Theo (again!). 

I redid my tests using "ttyflags ttyU0" instead of HUP'ing init. Same
response. 

I found a few other folks with what looks to be the same device putting
the dial out device in as well so it does seem to be more than just my
unit. The cable is non-removable on the device so there's not much to
work with there. 

If anyone is curious the device I have is: 

https://www.ebay.com/itm/USB-GPS-Receiver-Module-Antenna-Output-USB-Global-4M-FLASH-1-5m-BN-82U-GLONASS/273794727010?hash=item3fbf6ffc62:g:kmIAAOSw4~1cp097


Chipset manufacturer: 

https://www.u-blox.com/en/product/ubx-m8030-series#tab-document-resources


I can start the ldattach process outside of /etc/ttys so this isn't a
critical issue, just a curiosity. Much appreciate the response and if
there's other information I can provide please let me know.

Thanks
Scott


Re: GPS hardware and TTYs

2019-07-23 Thread Scott Seekamp
On 23.07.2019 11:56, Theo de Raadt wrote:

> Scott Seekamp  wrote:
> 
>> I purchased an inexpensive USB GPS receiver to test with time keeping on
>> my OpenBSD 6.5 box. It's a "u-blox" supported by the nmea driver. 
>> 
>> Following the man pages for ldattach it says: 
>> 
>> "Specifies the name of the serial line. device should be a string of the
>> form "cuaXX" or "/dev/cuaXX". 
>> 
>> cua(4) [1] devices should be used when ldattach is started from the
>> command line; when started using init(8) [2], tty(4) [3] devices should
>> be used." 
>> 
>> However, if I use ttyU0 as the device in /etc/ttys I never get the
>> hw.sensors.nmea0 tree created. If I manually start ldattach with cuaU0
>> or put cuaU0 in /etc/ttys everything behaves as expected.
> 
> There should never be cua devices in /etc/ttys, so something is curiously
> wrong.
> 
> Can you try playing with some of the following flags, and tell us
> which ones work, from ttys(4):
> 
> Additionally, the following flags modify the default behavior of the
> terminal line.  Some of these flags may not be supported by a terminal
> line driver.  The flag fields should not be quoted.
> 
> local    Treat the line as if it is locally connected.
> 
> rtscts   Use RTS/CTS hardware flow control, if possible.
> 
> mdmbuf   Use DTR/DCD flow control if possible.
> 
> softcar  Ignore hardware carrier on the line.
> 
> Try all.  Some of them will have similar effects.

I tested by: 

- unplugging the sensor 

- changing /etc/ttys 

- kill -HUP 1 

- plugging sensor in and waiting 30 seconds 

- check sysctl output for data 

No difference in behavior with any of the flags above. Dmesg output of
the device is: 

umodem0 at uhub0 port 3 configuration 1 interface 0 "u-blox AG -
www.u-blox.com u-blox GNSS receiver" rev 1.10/3.01 addr 3 

umodem0: data interface 1, has CM over data, has no break 

umodem0: status change notification available 

ucom0 at umodem0 

I know I'm not telling you anything you don't already know, but
according to the ttys manpage: 

> Whereas the dial-in device (the tty) normally requires a hardware signal to 
> indicate to the system that it is active, the dial-out device (the cua) does 
> not, and hence can communicate unimpeded with a device such as a modem, or 
> with another system over a serial link. 

Is it possible the sensor doesn't behave properly to tell the system
it's ready? 

Thanks for the help! 

Scott


GPS hardware and TTYs

2019-07-23 Thread Scott Seekamp
I purchased an inexpensive USB GPS receiver to test with time keeping on
my OpenBSD 6.5 box. It's a "u-blox" supported by the nmea driver. 

Following the man pages for ldattach it says: 

"Specifies the name of the serial line. device should be a string of the
form "cuaXX" or "/dev/cuaXX". 

cua(4) [1] devices should be used when ldattach is started from the
command line; when started using init(8) [2], tty(4) [3] devices should
be used." 

However, if I use ttyU0 as the device in /etc/ttys I never get the
hw.sensors.nmea0 tree created. If I manually start ldattach with cuaU0
or put cuaU0 in /etc/ttys everything behaves as expected. 

Is this a documentation issue, hardware issue, something else? I have
confirmed the same behavior on 2 servers (one current and one 6.5). 

Even with this hiccup the process has been incredibly easy and smooth.
I'm constantly impressed with the work put into the OS and associated
tools. 

Thanks 

Scott 

Links:
--
[1] https://man.openbsd.org/cua.4
[2] https://man.openbsd.org/init.8
[3] https://man.openbsd.org/tty.4


Re: 4GB RAM too little for Firefox?

2019-07-06 Thread Heppler, J. Scott

Richard Ulmer wrote:

Iridium looked interesting, but upon research
I found a lot of people concerned about whether this project has the
resources to keep up with Chromiums security standards. The last commit
for Iridium was 3 Months ago [1], so I'm not to sure if I want to use
it..


Robert Nagy is the OpenBSD ports maintainer for www/iridium and he is
also one of the iridium developers.  As far as iridium lagging Chromium
development, that is largely on the basis of new features rather than
security.  You can check by searching for Chromium CVEs and cross
checking with the iridium version.  Unfortunately, there is not a
buildbot for iridium or chromium so you either have to wait for 6.6 to
get the latest version or run -current.  Still, I do not believe it has
any major security issues at this time.

Scott




Re: 4GB RAM too little for Firefox?

2019-07-05 Thread Heppler, J. Scott

Richard Ulmer wrote:

Hi all,
after having Firefox running for some time (ca. 30min to 2h) my
system seems to become slow. I get frequent freezes for several
seconds, mpv instances start crashing and things like switching tabs
in Firefox become a pain.

I've got 4GB of RAM installed and when I look at htop after my system
became slow, I can see that OpenBSD started swapping. When I close
Firefox it takes several seconds and I can watch how my memory becomes
free again in htop. My system is then again responsive.

RAM prices seem to be low right now, but I don't want to spend money
unnecessarily and I didn't have this problem under Linux. Has anyone had
similar experiences and noticed an improvement after a RAM upgrade?


OpenBSD derives some security by confining processes and web browsing
with firefox is notorious for memory leaks.

If your mobo supports it, more RAM will also improve performance with
firefox and other memory intensive tasks.

Other options:

Adding the Firefox "forget" widget to your panel
https://support.mozilla.org/en-US/kb/forget-button-quickly-delete-your-browsing-history
and using it frequently.

Under preference disable access to webcams, microphone etc.

Consider www/iridium as an alternative browser.  You can export your
firefox bookmarks.html and import it into iridium.  Although I do not
have solid numbers, I thought it was better in this regard than firefox.

--
J. Scott Heppler



Re: Upgrade procedure encrypted filesystem (6.4 -> 6.5)

2019-05-06 Thread Scott Bonds

On 05/06, shadrock uhuru wrote:

hi everyone
when upgrading my laptop which is encrypted with a keydisk
i assume that i boot the 6.5 kernel which will be on a usb stick with
the keydisk inserted,
will the hard drive still be decrypted and upgraded,


yes

also will the encryption step need to be redone 


no


or will the keydisk
continue to unlock the 6.5 filesystem on subsequent reboots.


yes

That's how it worked for me anyway. I'm not an OpenBSD dev and I've not 
read the code, so YMMV.




Re: Is anyone able to use certificates with openbsd iked/ikev2 and Apple iOS (iphone)?

2019-04-05 Thread Scott Bonds

On 04/05, Michael Lam wrote:

Are you able to have 2 clients connected at the same time? When I tried
that (I am using mschap) whenever the 2nd client connects the 1st one's
traffic will not go through anymore (it stays connected but no traffic
can go through).


I've noticed that, if my 2 ikedv2 clients are on the same network using 
NAT and private IPs, instead of having their own public IPs, that they 
kick each other off when either of them connects to my remote ikedv2 
server. At least last time I tried, on OpenBSD 6.3 I think. Both clients 
and server are running OpenBSD.


Searching the interwebs led me to think maybe IPSEC and NAT-T don't 
support that scenario...the flows say to send all the packets to the 
NATted network's public IP, but maybe the NATted network router doesn't 
know where to send it to after that, or rather, only can handle one such 
connection at a time, so, whenever a new one is started, the old one 
gets stomped.


Anyhoo, I don't know what I'm talking about, my usage of OpenBSD has 
only helped me get from complete ignorance of this stuff to slightly 
less ignorant, so, take all this with a grain of salt. :)




Re: Multiple instances of OSPFD in different RDomains - rcctl behavior

2019-02-19 Thread Scott Reese
- Original Message -
> From: "Henry Bonath" 
> To: "misc" 
> Sent: Tuesday, February 19, 2019 2:03:31 PM
> Subject: Multiple instances of OSPFD in different RDomains - rcctl behavior

> Hello, I am seeing some strange behavior with my /etc/rc.conf.local
> regarding my configuration for running two instances of OSPFD in
> different RDomains.
> 
> The way I have this configured, is I have a symlink: /etc/rc.d/ospf2d
> -> /etc/rc.d/ospfd so that the ospfd that runs in rdomain 2 has its
> own entry in rc.conf.local, pointing to its own config file.
> 
> In my /etc/rc.conf.local I have the following:
> #
> bgpd_flags=
> ldpd_flags=
> ospf2d_flags=-f /etc/ospf2d.conf
> ospf2d_rtable=2
> ospfd_flags=
> pf=NO
> pkg_scripts=salt_minion ospf2d
> salt_minion_rtable=3
> #
> 
> However I notice that something is removing the "ospf2d_flags=..."
> line as output from daily insecurity mail:
> 
> ==
> /etc/rc.conf.local diffs (-OLD  +NEW)
> ==
> --- /var/backups/etc_rc.conf.local.current  Wed Jan 16 01:30:06 2019
> +++ /etc/rc.conf.local  Fri Feb 15 13:05:17 2019
> @@ -1,9 +1,7 @@
> bgpd_flags=
> ldpd_flags=
> -ospf2d_flags=-f /etc/ospf2d.conf
> ospf2d_rtable=2
> ospfd_flags=
> pf=NO
> pkg_scripts=salt_minion ospf2d
> salt_minion_rtable=3
> 
> Is my syntax incorrect? Would /etc/daily be doing something here to my
> configuration?
> Why would this line keep being automatically removed?
> 
> Thanks in advance!

Greetings Henry:

Looks like you're running Saltstack. Any chance that your Salt master
has a copy of the rc.conf.local that doesn't have the ospf2d_flags line
and is resetting the file back to its "correct" values?

-Scott



Intel Celeron SoC support

2018-11-18 Thread Heppler, J. Scott

I'm running amd64-current on an ASrock J3355M and recall a similar issue
installing from a USB thumb drive.  My suspicion was that the BIOS
treated the drive as an unknown input device like a keyboard or mouse.

I was able to install from a DVD/CD drive.  If you do not have one, you
may be able to do a PXE install or disable the legacy USB keyboard/mouse
settings in the BIOS.

The other issue I had was frequent lockups due to buggy C-state power
savings.  It works fine with Bios setting C-state=1

On 2018-11-14, Andrew Lemin wrote:



Hi,

I am running an ASRock J4105B-ITX board and wanting to run OpenBSD on this.
https://www.asrock.com/MB/Intel/J4105B-ITX/index.asp#BIOS

It boots up, and at the 'boot>' prompt I can use the keyboard fine.

However after it boots up, the keyboard stops working, and no disks are
found by the installer (used auto_install to send test commands).
It appears that there is no chipset support, for the Intel Celeron J4105
CPU from what I can work out.

To test that it was working fine and it is just OpenBSD which is not working,
I installed Linux and have included the dmesg below (from Linux).
I cannot run a dmesg from the OpenBSD installer as I cannot use the
keyboard etc.

Will support come for this SoC architecture? Or am I better off selling this
board?

Think it's a Gemini Lake SoC Chipset;


--
J. Scott Heppler



OpenBSD 6.2 - 6.4 crash on ASRock Q1900 ITX boards

2018-11-14 Thread Heppler, J. Scott

Is there anything I can do to help possibly solve this problem?


I'm running current on an ASrock J3355M
http://daemonforums.org/showpost.php?p=63678=103

Baytrail motherboards have aggressive C-state power saving issues even
in linux.

https://wiki.archlinux.org/index.php/Intel_graphics#Baytrail_complete_freeze

I disabled all c-states in the bios although C1 will probably be OK.
Crashes/Lockups went away.


--
J. Scott Heppler



Re: spamd and google smtp ips

2018-10-30 Thread Scott Seekamp
On 30.10.2018 13:59, Peter N. M. Hansteen wrote:

> On 10/30/18 8:46 PM, Chris Narkiewicz wrote:
> > On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
> > > yes, a well-known problem, and it's what nospamd (hinted at in the spamd
> > > man pages) is for.
> > > 
> > > To some extent it helps to whitelist IP addresses and networks that
> > > domains list in their SPF info. 
> > Yeah, I hoped there are some reputable sources of validated mail
> > sources based on SPF and DKIM.
> > 
> > I'll give a try to your compiled list, but the fact you maintain
> > it manually is a bit discouraging.

Fortunately MX records and by extension SPF info per domain changes
infrequently enough that a semi-manually maintained list will be mostly
right, most of the time.

But you're right in principle -- I *should* really take the time out to
recreate the list of domains that went into it and just re-generate with
smtpctl spf walk something like once per day or once per week.

All the best,
Peter 

I regenerate once an hour at least and still get burned by some major
domains changing SPF IP's constantly. It's pretty frustrating, but once
you get an update process in place it settles down and doesn't require
much handholding. 

Thanks 

Scott
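The periodic regeneration Peter and Scott describe, written out as an added example; this is not code from either of them or from OpenBSD. It pipes a domain list through `smtpctl spf walk`, writes the sorted, de-duplicated result atomically, and refuses to replace the whitelist with an empty one, which is the failure mode a scheduled job most needs to handle. The file names /etc/mail/nospamd-domains and /etc/mail/nospamd, the pf table name nospamd and the cron schedule are assumptions:

```shell
#!/bin/sh
# Added example (not code from Peter, Scott or OpenBSD): rebuild a nospamd
# whitelist from a domain list with "smtpctl spf walk" and load it into pf.
# The file names, the table name "nospamd" and the cron schedule are assumptions.

# gen_nospamd DOMAINS OUTFILE [WALKER]
#   DOMAINS  one domain per line; '#' comments and blank lines are ignored
#   OUTFILE  the whitelist, sorted and de-duplicated, replaced atomically
#   WALKER   command that reads domains on stdin and prints networks on stdout;
#            defaults to "smtpctl spf walk" (expanded unquoted on purpose so it
#            splits into a command and its arguments)
# Fails, leaving OUTFILE untouched, if the walk errors out or returns nothing,
# so a DNS hiccup at run time cannot empty the whitelist.
gen_nospamd() {
    domains=$1
    out=$2
    walker=${3:-"smtpctl spf walk"}
    raw=$(mktemp) || return 1
    tmp=$(mktemp "${out}.XXXXXX") || { rm -f "$raw"; return 1; }

    # strip comments/blank lines, walk the SPF records, keep the raw output
    if ! sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$domains" | $walker >"$raw"; then
        rm -f "$raw" "$tmp"
        return 1
    fi
    sort -u "$raw" >"$tmp"
    rm -f "$raw"
    if [ ! -s "$tmp" ]; then
        # nothing came back: keep the previous whitelist
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out"
}

# load_nospamd OUTFILE: swap the new list into the running pf table.
load_nospamd() {
    pfctl -t nospamd -T replace -f "$1"
}

# Hourly job, as a crontab(5) line (assumption):
#   0 * * * * /usr/local/sbin/nospamd-update.sh
# where the script ends with:
#   gen_nospamd /etc/mail/nospamd-domains /etc/mail/nospamd && load_nospamd /etc/mail/nospamd
```

The walker is a parameter so the pipeline can be exercised with a stand-in that prints fixed networks; in production it is left at its default.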


Dual boot OpenBSD with DragonFly BSD

2018-10-08 Thread Heppler, J. Scott

This theoretically is doable but will be a challenge.  Your options will
also swing on whether the laptop you purchase will boot an old MBR
scheme or is restricted to GPT/UEFI.  DragonflyBSD has instructions on
multibooting an older MBR.

https://www.dragonflybsd.org/docs/handbook/Booting/

If you need GPT/UEFI, then you need to choose a bootloader that is capable of
GPT/UEFI dual booting.  According to the OpenBSD FAQ, Grub2 or rEFInd
will work.  


https://www.openbsd.org/faq/faq4.html#Multibooting
--
J. Scott Heppler



Block TLD senders with opensmtpd

2018-08-30 Thread Scott Seekamp
Hi all,

Looking at the manpage for smtpd.conf it’s possible to block a domain with:

reject sender 

and put:

@domain.tld

Is it possible to block entire tld’s and if so what would the syntax be?

I’d like to filter out high spam content senders “.bid, .date, .us” that I’m 
seeing and avoid spam processing altogether.

Thanks
Scott



Re: wifi gui manager

2018-08-28 Thread Heppler, J. Scott

It is possible to put together a gui, wifi tray applet that utilizes
doas.

http://daemonforums.org/showthread.php?t=10400


--
J. Scott Heppler



Re: Introducing pf-badhost and unbound-adblock

2018-08-06 Thread Scott Bonds

On 08/05, Jordan Geoghegan wrote:

Hi everyone,

I thought I would share a couple scripts I wrote to block ads and bad 
hosts. I have found them to increase web-browsing speed and reduce 
battery consumption, especially on mobile devices. They also help 
reduce pop ups and fake sites, especially on mobile/in apps.


I have also found pf-badhost to reduce noise in my httpd/ssh auth 
logs. I used to get over 10,000 ssh attempts per day on my router, now 
I usually get less than 100 a day. Another added benefit of pf-badhost 
is that it blocks Shodan scans, which may appeal to some.


I shared a similar script on misc@ earlier this year and received 
positive feedback, so I thought I would clean up the scripts and write 
a how-to guide.


Enjoy!

https://www.geoghegan.ca

https://www.geoghegan.ca/pfbadhost.html

https://www.geoghegan.ca/unbound-adblock.html



Very nice, thank you for sharing and for the nicely written guides.



Re: newaliases vs makemap

2018-07-16 Thread Scott Vanderbilt

On 7/16/2018 9:15 AM, Todd C. Miller wrote:


On Mon, 16 Jul 2018 09:11:50 -0700, Scott Vanderbilt wrote:


BTW, newaliases seg faults for me with latest couple of snapshots
(amd64). No message other than "segmentation fault". Just submitted a PR
with sendbug.


Already fixed in -current by:

CVSROOT:/cvs
Module name:src
Changes by: morti...@cvs.openbsd.org 2018/07/02 19:34:43

Modified files:
 usr.sbin/smtpd : config.c makemap.c
 usr.sbin/smtpd/smtpctl: Makefile

Log message:
unbreak newaliases.
ok millert@


Ach! I thought I was running a more recent snapshot on my mail server. 
It was in fact:


OpenBSD 6.3-current (GENERIC.MP) #80: Sun Jul  1 12:22:16 MDT 2018

Thank you.




Re: newaliases vs makemap

2018-07-16 Thread Scott Vanderbilt

On 7/16/2018 8:32 AM, Todd C. Miller wrote:


On Sun, 15 Jul 2018 17:59:58 -0700, Scott Vanderbilt wrote:


In /etc/mail/aliases, there is the following note:

#   >>>>>>>>>>The program "newaliases" must be run after
#   >> NOTE >>  this file is updated for any changes to
#   >>>>>>>>>>show through to smtpd.


That is correct.


Yet the man page for newaliases(8) says:

Note: this utility is provided for sendmail compatibility. The
preferred way of rebuilding the database is with makemap(8)
<https://man.openbsd.org/makemap.8>:


This is bad advice that should be removed.  It is only true if
using db files for aliases.  When using a flat file for aliases,
you should use newaliases, which will notify smtpd that the file
has changed.


Taking the note in the man page at face value, I would expect that the
note in /etc/mail/aliases is now out-of-date, is it not? Or am I
overlooking something?


It is the other way around.


Thanks for your explanation, Todd.

BTW, newaliases seg faults for me with latest couple of snapshots 
(amd64). No message other than "segmentation fault". Just submitted a PR 
with sendbug.





Re: newaliases vs makemap

2018-07-16 Thread Scott Vanderbilt

On 7/16/2018 3:01 AM, Benjamin Baier wrote:

On Sun, 15 Jul 2018 19:54:12 -0700
Joshua Taylor Eppinette  wrote:


On Sun, Jul 15, 2018 at 05:59:58PM -0700, Scott Vanderbilt wrote:

In /etc/mail/aliases, there is the following note:

#   >>>>>>>>>>The program "newaliases" must be run after
#   >> NOTE >>  this file is updated for any changes to
#   >>>>>>>>>>show through to smtpd.


I found this note confusing, because I was able to make changes and see them
reflected without running newaliases(8). However, I believe this is because
you only need to run newaliases(8)/makemap(8) if you are using a db table.


True. 2 years ago smtpd defaults switched from db to file based tables.

For backwards compatibility: newaliases(8), makemap(8), sendmail(8)
and mailq(8) are all symlinks to mailwrapper(8) which then runs smtpctl(8).



That all makes sense, but my original point was that the note in 
aliases(5) is incorrect/misleading. It should be struck or modified. I 
would submit a diff myself if I were more confident about what it should 
say. Barring that, who should be notified/asked? The OpenSMTPD devs? 
Someone else?





newaliases vs makemap

2018-07-15 Thread Scott Vanderbilt

In /etc/mail/aliases, there is the following note:

#   >>The program "newaliases" must be run after
#   >> NOTE >>  this file is updated for any changes to
#   >>show through to smtpd.

Yet the man page for newaliases(8) says:

    Note: this utility is provided for sendmail compatibility. The
    preferred way of rebuilding the database is with makemap(8):


# makemap -t aliases /etc/mail/aliases

Taking the note in the man page at face value, I would expect that the 
note in /etc/mail/aliases is now out-of-date, is it not? Or am I 
overlooking something?


Thanks.




Re: httpd setup info?

2018-07-02 Thread Scott Vanderbilt

On 7/2/2018 8:05 AM, John Long wrote:

What userid does httpd run under?

I have some kind of permission problem, httpd can't serve some of the
content.


ps aux|grep httpd



Re: httpd setup info?

2018-07-02 Thread Scott Vanderbilt

On 7/2/2018 8:03 AM, John Long wrote:

On Mon, 2018-07-02 at 17:18 +0300, IL Ka wrote:

What's the appropriate way to let the browser
know it should open it in Acrobat

See "Content-Disposition" header.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Dis
position

It tells client to download document or open it inline.


Thanks, how do I translate this info into something httpd can use?


https://man.openbsd.org/httpd.conf#TYPES



Re: httpd rewrite and REQUEST_URI value

2018-06-30 Thread Scott Vanderbilt

On 6/24/2018 10:25 PM, Ve Telko wrote:


If you or your framework uses REQUEST_URI you don't need
request rewrite feature. Using REQUEST_URI and request
rewrite feature are two opposite solutions for the same problem.
To mimic nginx's try_files do something like this:

location match "/hello/.*" {
    root "/index.php"
}

It is not obvious from man page but file can act as document
root :) Then in that file, index.php in this case, you can route
requests by parsing $_SERVER['REQUEST_URI'] what your
framework probably does.


Thank you for your reply. I finally got an opportunity to test your 
suggested workaround, but it does not appear to work.


Request as logged in error log:

	server nomina2.onomasticon.org, client 1 (1 active), 
162.229.162.103:53790 -> 162.229.162.102:443, /hello/fred (404 Not Found)



Request as logged in access log:

	nomina2.onomasticon.org 162.229.162.103 - scott [30/Jun/2018:10:20:47 
-0700] "GET /hello/fred HTTP/1.1" 404 0


The index.php file is in the location specified:

$ ls -al /var/www/htdocs/lpn/src/public/
total 24
drwxr-xr-x  4 root  daemon   512 Jun 21 13:13 .
drwxr-xr-x  5 root  daemon   512 Jun 20 17:43 ..
-rw-r--r--  1 root  daemon  1081 Jun 23 07:00 index.php



From httpd.conf:

server "nomina2.onomasticon.org" {
    listen on $ext_addr tls port 443
    directory index index.php
    root "/htdocs/lpn/src/public"

    log access onom_access.log
    log error onom_error.log

    authenticate finklejinkleheimer with "/conf/ok_users"

    tls certificate "/etc/ssl/acme/nomina2.onomasticon.org/fullchain.pem"
    tls key "/etc/ssl/acme/private/nomina2.onomasticon.org/privkey.pem"

    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }

    location "/.well-known/acme-challenge/*" {
        no authenticate
        root "/htdocs/lpn/src/acme"
        request strip 2
    }

    # Block user access to these files
    location "/composer\.(json|lock)" {
        block return 404
    }

    location match "/hello/.*" {
        root "/htdocs/lpn/src/public/index.php"
    }

    location match "/old/(.*)" {
        request rewrite "/new/%1"
    }
}

server "nomina2.onomasticon.org" {
    listen on $ext_addr port 80
    block return 301 "https://$HTTP_HOST$REQUEST_URI"
}



Re: httpd chroot outbound

2018-06-25 Thread Scott Vanderbilt

On 6/25/2018 9:37 AM, Elias M. Mariani wrote:


Does anybody know what is needed to allow php to retrieve files while
under httpd chrooted ?
I recall the need of /etc/resolv.conf on the jail but that didn't work.


Also: http://php.net/manual/en/install.unix.openbsd.php



Re: httpd chroot outbound

2018-06-25 Thread Scott Vanderbilt

On 6/25/2018 9:37 AM, Elias M. Mariani wrote:


Does anybody know what is needed to allow php to retrieve files while
under httpd chrooted ?
I recall the need of /etc/resolv.conf on the jail but that didn't work.


See /usr/local/share/doc/pkg-readmes/php-*



httpd rewrite and REQUEST_URI value

2018-06-23 Thread Scott Vanderbilt
I was very eager to implement the new rewrite functionality in httpd. 
However, I've run into an issue, and I am uncertain whether the new 
behavior is CGI-compliant or not.


The app I am attempting to convert to httpd is currently built on nginx, 
and the rewrite functionality it offers satisfies all of my app's needs. 
But for a variety of reasons, I would prefer to use httpd. My goal is to 
implement a RESTful API, which involves rewriting all requests for 
"virtual" resources to target an index.php page, which uses the SlimPHP 
micro framework to handle routing and all other tasks related to 
servicing requests. That routing relies on the value of the REQUEST_URI 
parameter to perform its work.


In httpd.conf, I have this rewrite rule:

    location match "/hello/.*" {
        request rewrite "/index.php"
    }

while in nginx, I have this one:

    try_files $uri /index.php;

    location /index.php {
        fastcgi_pass unix:run/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

For the URL: http://example.com/hello/fred, here are the differing 
values of REQUEST_URI:


    nginx: /hello/fred

    httpd: /index.php

Based on the definition in the httpd.conf(5) man page,  which says 
$REQUEST_URI contains "the request path and optional query string", I 
would have expected that the original value of REQUEST_URI would have 
been preserved even after the rewrite. Otherwise, there is no way for 
the target resource to know the original (pre-rewrite) URI. Unless, of 
course, it was embedded within the rewritten URI as a query string by 
the rewrite directive in the .conf file. But that's not very practical 
if the original URI already has a query string.


Am I correct in assuming the REQUEST_URI's value should not be altered 
by the rewrite operation? If the post-rewrite URI is meant to be borne 
by DOCUMENT_URI, why also change the value of REQUEST_URI? This makes no 
sense to me.


Many thanks in advance for any enlightenment you can provide.
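The routing behaviour this post and the follow-up above turn on, as an added example that is neither code from the thread nor from httpd or SlimPHP: a minimal front-controller router driven by the CGI variable REQUEST_URI, run against constructed environments that mimic what the post reports for nginx (/hello/fred preserved) and for httpd's request rewrite (/index.php). It also implements the one fallback the post mentions, carrying the original URI inside the rewritten one as a query parameter, and shows how to do that without the original request's own query string colliding with it. The route table, the parameter name `orig` and the environments are assumptions; the thread does not confirm that httpd's rewrite directive can emit such a parameter.

```python
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Route table of a hypothetical REST API (assumption): pattern -> handler name.
ROUTES = [
    (re.compile(r"^/hello/(?P<name>[^/]+)$"), "hello"),
    (re.compile(r"^/items/(?P<id>\d+)$"), "item"),
]


def original_uri(environ):
    """Return the URI the router should dispatch on.

    A front controller such as index.php normally reads REQUEST_URI as is.
    That works when the server leaves it alone (the nginx case in the thread,
    /hello/fred) and fails when a rewrite has replaced it (the httpd case,
    /index.php).  The fallback the thread mentions is to carry the original
    URI inside the rewritten one as a query parameter; the name "orig" is an
    assumption.  parse_qsl already percent-decodes the value once, so it is
    deliberately NOT decoded a second time here: double-decoding is how
    "%252F"-style path smuggling bugs happen.
    """
    uri = environ.get("REQUEST_URI", "")
    _path, _sep, query = uri.partition("?")
    params = dict(parse_qsl(query, keep_blank_values=True))
    return params.get("orig", uri)


def dispatch(environ):
    """Route a CGI environment: returns (handler, path_params, query_params).

    handler is None when no route matches, i.e. the framework would 404.
    """
    parts = urlsplit(original_uri(environ))
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    for pattern, handler in ROUTES:
        m = pattern.match(parts.path)
        if m:
            return handler, m.groupdict(), query
    return None, {}, query


def rewrite_with_original(target, request_uri):
    """Build the rewritten URI a rewrite rule would have to emit for the
    fallback above.  The whole original URI, query string included, goes into
    one percent-encoded parameter (safe="" also encodes "/" and "?"), so a
    "?" or "=" inside it cannot be confused with the outer query string."""
    return target + "?orig=" + quote(request_uri, safe="")


# Constructed CGI environments for GET /hello/fred?x=1 (not captured output).
ENV_NGINX = {"REQUEST_URI": "/hello/fred?x=1", "SCRIPT_NAME": "/index.php"}
ENV_HTTPD_REWRITE = {"REQUEST_URI": "/index.php", "DOCUMENT_URI": "/index.php"}
ENV_HTTPD_WORKAROUND = {
    "REQUEST_URI": rewrite_with_original("/index.php", "/hello/fred?x=1"),
}

if __name__ == "__main__":
    for label, env in (("nginx", ENV_NGINX),
                       ("httpd rewrite", ENV_HTTPD_REWRITE),
                       ("httpd rewrite + orig=", ENV_HTTPD_WORKAROUND)):
        print(label, env["REQUEST_URI"], "->", dispatch(env))
```

Run stand-alone it prints one line per environment: the nginx-style one and the `orig=` one both reach the `hello` handler with `name=fred` and `x=1` intact, while the plain rewritten one dispatches nothing, which is exactly the 404 the framework would return.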





Re: New laptop recommendations

2018-06-19 Thread Scott Bonds

On 06/19/18 03:37, Rupert Gallagher wrote:


I have 1500EUR for a new laptop. What would you buy with it?



On 06/19, Jordan Geoghegan wrote:

Have you considered one of the Librem laptops by Purism? I hear they're 
quite nice, and are running coreboot straight from the factory.


They run OpenBSD fine with some caveats:

https://forums.puri.sm/t/openbsd-on-librem/1080



Another Lock Order Reversal with amd64 snapshot

2018-06-09 Thread Scott Vanderbilt
Not quite the same as earlier reports. Also not sure if this qualifies 
as something reportable to bugs@ or not. The system appears to be 
working normally otherwise.



scott #sysctl kern.version
kern.version=OpenBSD 6.3-current (GENERIC.MP) #90: Thu Jun  7 09:08:25 MDT 2018

dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

scott #dmesg
OpenBSD 6.3-current (GENERIC.MP) #90: Thu Jun  7 09:08:25 MDT 2018
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1020133376 (972MB)
avail mem = 965754880 (921MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf0100 (38 entries)
bios0: vendor Award Software International, Inc. version "F3" date 04/09/2009

bios0: Gigabyte Technology Co., Ltd. G41M-ES2L
acpi0 at bios0: rev 0
acpi0: TAMG checksum error
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP HPET MCFG TAMG APIC SSDT
acpi0: wakeup devices PEX0(S5) PEX1(S5) PEX2(S5) PEX3(S5) PEX4(S5) PEX5(S5) HUB0(S5) UAR1(S3) UAR2(S3) USB0(S3) USB1(S3) USB2(S3) USB3(S3) USBE(S3) AZAL(S5) PCI0(S5)

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimcfg0 at acpi0 addr 0xc000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU E3200 @ 2.40GHz, 1700.25 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,XSAVE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN

cpu0: 1MB 64b/line 4-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 199MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Celeron(R) CPU E3200 @ 2.40GHz, 1699.96 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,XSAVE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN

cpu1: 1MB 64b/line 4-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins, remapped to apid 2
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEX0)
acpiprt2 at acpi0: bus 2 (PEX1)
acpiprt3 at acpi0: bus -1 (PEX2)
acpiprt4 at acpi0: bus -1 (PEX3)
acpiprt5 at acpi0: bus -1 (PEX4)
acpiprt6 at acpi0: bus -1 (PEX5)
acpiprt7 at acpi0: bus 3 (HUB0)
acpicpu0 at acpi0: C1(@1 halt!), FVS, 1600, 1200 MHz
acpicpu1 at acpi0: C1(@1 halt!), FVS, 1600, 1200 MHz
acpibtn0 at acpi0: PWRB
acpicmos0 at acpi0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel G41 Host" rev 0x03
inteldrm0 at pci0 dev 2 function 0 "Intel G41 Video" rev 0x03
drm0 at inteldrm0
intagp0 at inteldrm0
agp0 at intagp0: aperture at 0xd000, size 0x1000
inteldrm0: msi
inteldrm0: 1280x1024, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x01: msi
azalia0: codecs: Realtek/0x0887
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x01: msi
pci2 at ppb1 bus 2
re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x02: RTL8168C/8111C (0x3c00), msi, address 00:24:1d:86:28:95

rgephy0 at re0 phy 7: RTL8169S/8110S/8211 PHY, rev. 2
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: apic 2 int 23
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: apic 2 int 19
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: apic 2 int 18
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: apic 2 int 16
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: apic 2 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1

ppb2 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci3 at ppb2 bus 3
pcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01
pciide0 at pci0 dev 31 function 2 "Intel 82801GB SATA" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility

wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 476938MB, 976771055 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x01: apic 2 int 19

iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parit

Re: acme-client new cert error

2018-05-26 Thread Scott Vanderbilt

On 5/26/2018 4:54 AM, Stuart Henderson wrote:


aeneas.datagenic.com doesn't respond on port 80. (And if I can't
fetch it, letsencrypt's checkers are also unlikely to be able to).

Firewall issue?


Oh, FFS.

Yes. A silly pf rule blocking incoming traffic from outside my LAN that 
I overlooked when I first considered that idea, but then discarded on 
account of the error message. Which, to me, at least, does not in any 
reasonable way point to a connection problem.


So, thanks very much for applying the clue stick. And, to whom may I 
suggest that the misleading error message from acme-client be changed to 
something actually resembling the problem it has encountered?






Re: acme-client new cert error

2018-05-25 Thread Scott Vanderbilt

On 5/25/2018 2:41 PM, Bryan Harris wrote:

Did you already have a cert for datagenic.com but which didn’t include the new 
name?

I think the -A argument only makes a new cert when old one doesn’t exist. 
Otherwise tries to use found cert and failed because old cert doesn’t have new 
name. At least that’s my understanding.

Or maybe I misunderstood the error message.

V/r,
Bryan


Thanks for chipping in.

Regrettably, I get the same error with -D flag only (i.e., no -A).



On May 25, 2018, at 4:10 PM, Scott Vanderbilt <li...@datagenic.com> wrote:

I'm having difficulty creating a new SSL cert for a virtual host I'm just 
standing up for the first time. I get the following error on successive 
attempts:

urn:acme:error:unauthorized
Error creating new cert :: authorizations for these names not found or expired: 
aeneas.datagenic.com

I've verified it's not a web server access issue, as I am able to successfully 
retrieve a static HTML file from the challenge directory

aeneas$ curl 
http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
Foo
aeneas$

Complete verbose error message, config file, and dmesg follow.

Thanks in advance for any assistance you can lend.



aeneas# acme-client -vvAD aeneas.datagenic.com
acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: domain key 
exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not 
creating)
acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: loaded RSA 
domain key
acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250
acme-client: transfer buffer: [{ "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": 
"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": 
"https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert", "sw0ePngTU-0": 
"https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417" }] (658 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: 
aeneas.datagenic.com
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "aeneas.datagenic.com" }, "status": "pending", "expires": "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", "status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624", "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625", 
"token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626", "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ], "combinations": [ [ 1 ], [ 0 ], [ 2 ] ] }] 
(998 bytes)
acme-client: 
/var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co: 
created
acme-client: 
https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626:
 challenge
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626", "token": 
"iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co", "keyAuthorization": 
"iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4" }] (336 bytes)
acme-client: 
https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT

Re: acme-client new cert error

2018-05-25 Thread Scott Vanderbilt

On 5/25/2018 2:20 PM, Fred wrote:

On 05/25/18 21:10, Scott Vanderbilt wrote:
I'm having difficulty creating a new SSL cert for a virtual host I'm 
just standing up for the first time. I get the following error on 
successive attempts:


urn:acme:error:unauthorized
Error creating new cert :: authorizations for these names not found or 
expired: aeneas.datagenic.com


I've verified it's not a web server access issue, as I am able to 
successfully retrieve a static HTML file from the challenge directory


    aeneas$ curl 
http://aeneas.datagenic.com/.well-known/acme-challenge/test.html

    Foo
    aeneas$

Complete verbose error message, config file, and dmesg follow.

Thanks in advance for any assistance you can lend.

 



aeneas# acme-client -vvAD aeneas.datagenic.com
acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: 
domain key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists 
(not creating)
acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: 
loaded RSA domain key

acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250
acme-client: transfer buffer: [{ "key-change": 
"https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { 
"caaIdentities": [ "letsencrypt.org" ], "terms-of-service": 
"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", 
"website": "https://letsencrypt.org" }, "new-authz": 
"https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": 
"https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": 
"https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": 
"https://acme-v01.api.letsencrypt.org/acme/revoke-cert", 
"sw0ePngTU-0": 
"https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417" 
}] (658 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: 
req-auth: aeneas.datagenic.com

acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", 
"value": "aeneas.datagenic.com" }, "status": "pending", "expires": 
"2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", 
"status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624", 
"token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type": 
"dns-01", "status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625", 
"token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type": 
"http-01", "status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626", 
"token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ], 
"combinations": [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes)
acme-client: 
/var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co: 
created
acme-client: 
https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626: 
challenge

acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": 
"pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626", 
"token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co", 
"keyAuthorization": 
"iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4" 
}] (336 bytes)
acme-client: 
https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626: 
status

acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: 
certificate

acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad 
HTTP: 403
acme-client: transfer buffer: [{ "type": 
"urn:acme:error:unauthorized", "detail": "Error creating new cert :

acme-client new cert error

2018-05-25 Thread Scott Vanderbilt
I'm having difficulty creating a new SSL cert for a virtual host I'm 
just standing up for the first time. I get the following error on 
successive attempts:


urn:acme:error:unauthorized
Error creating new cert :: authorizations for these names not found or 
expired: aeneas.datagenic.com


I've verified it's not a web server access issue, as I am able to 
successfully retrieve a static HTML file from the challenge directory


   aeneas$ curl 
http://aeneas.datagenic.com/.well-known/acme-challenge/test.html

   Foo
   aeneas$

Complete verbose error message, config file, and dmesg follow.

Thanks in advance for any assistance you can lend.



aeneas# acme-client -vvAD aeneas.datagenic.com
acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: 
domain key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not 
creating)
acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: 
loaded RSA domain key

acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250
acme-client: transfer buffer: [{ "key-change": 
"https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { 
"caaIdentities": [ "letsencrypt.org" ], "terms-of-service": 
"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", 
"website": "https://letsencrypt.org" }, "new-authz": 
"https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": 
"https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": 
"https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": 
"https://acme-v01.api.letsencrypt.org/acme/revoke-cert", "sw0ePngTU-0": 
"https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417" 
}] (658 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: 
req-auth: aeneas.datagenic.com

acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": 
"aeneas.datagenic.com" }, "status": "pending", "expires": 
"2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", 
"status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624", 
"token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type": 
"dns-01", "status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625", 
"token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type": 
"http-01", "status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626", 
"token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ], 
"combinations": [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes)
acme-client: 
/var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co: 
created
acme-client: 
https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626: 
challenge

acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", 
"uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626", 
"token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co", 
"keyAuthorization": 
"iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4" 
}] (336 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626: status

acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", 
"detail": "Error creating new cert :: authorizations for these names not 
found or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes)

acme-client: bad exit: netproc(38047): 1


-
aeneas$ cat /etc/acme-client.conf
#
# $OpenBSD: acme-client.conf,v 1.7 2018/04/13 08:24:38 ajacoutot Exp $
#
authority letsencrypt {
    api url "https://acme-v01.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
    api url "https://acme-staging.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain aeneas.datagenic.com {
#   alternative names { 

thank you for 6.3

2018-04-18 Thread Scott Bonds
Under 6.2 my laptop would hang a few hours after waking from sleep, and 
it was my own damn fault for running an unsupported config (Lenovo x200 
+ coreboot + SeaBIOS). But after upgrading to 6.3 I haven't been able to 
get it to hang and I find myself back in 'it just works' land which is 
so, so nice. So nice.


I don't know who to thank, and maybe the dev that fixed my issue 
wouldn't know *they* fixed it, but...thank you.




Relayd and ipv6

2018-04-10 Thread Scott Seekamp
Hello!

I’m setting up Relayd for a few services in my lab as a test bed and couldn’t 
find answers in the docs on expected behavior.

Is it better/worse/no difference to split ip4 from ip6 redirects and relays:

Combined:
redirect "ldap" {
listen on $ext_addr port 389 
listen on $ext_v6 port 389

forward to  check tcp
}


Split:
redirect "smtprelay4" {
listen on $ext_addr port 25

forward to  check tcp
}

redirect "smtprelay6" {
listen on $ext_v6 port 25

forward to  check tcp
}


Does it depend on whether it’s a relay or redirect?

My pf rules end looking like this for the redirects:

anchor "ldap" all {
  pass in quick on rdomain 0 inet6 proto tcp from any to "ip6 addr" port = 389 flags S/SA keep state (tcp.established 600) rdr-to  port 389 round-robin
  pass in quick on rdomain 0 inet proto tcp from any to "ip4 addr" port = 389 flags S/SA keep state (tcp.established 600) rdr-to  port 389 round-robin
}

with the  table containing both the ip4 and ip6 address.


Thanks!
Scott



is there foomatic-rip for lpd on openBSD 6.3?

2018-04-09 Thread Heppler, J. Scott

It is in print/cups-filters

http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/print/cups-filters/pkg/README?rev=1.9=text/plain


--
J. Scott Heppler



Re: Switchd-VMD

2018-01-29 Thread Scott Seekamp

On 29.01.2018 17:28, Mike Larkin wrote:


On Mon, Jan 29, 2018 at 03:07:49PM -0700, Scott Seekamp wrote:

I'm attempting to set up an OpenBSD virtualized environment and running into
issues.

OpenBSD 6.2 AMD64 hypervisor

vm.conf:

vm "vm1" {
disable
memory 1g
disk "/vmm/vm1.img"
interface { switch "uplink" }
}

vm "vm2" {
disable
memory 1g
disk "/vmm/vm2.img"
interface { switch "uplink" }
}

vm "vm3" {
disable
memory 1g
disk "/vmm/vm3.img"
interface { switch "uplink" }
}

switch "uplink" {
interface switch0
add vlan50
}

I let vmd bring up the switch and once up it shows:

switch0: flags=41<UP,RUNNING>
description: switch1-uplink
index 108 llprio 3
groups: switch
datapath 0x6393eae0ca8447fb maxflow 1 maxgroup 1000
vlan50 flags=0<>
port 10 ifpriority 0 ifcost 0
tap3 flags=0<>
port 112 ifpriority 0 ifcost 0
vether0 flags=1000
port 4294967294 ifpriority 0 ifcost 0
tap1 flags=0<>
port 115 ifpriority 0 ifcost 0
tap2 flags=0<>
port 116 ifpriority 0 ifcost 0

vether0 defined as:

vether0: flags=41<UP,RUNNING> mtu 1500
lladdr fe:e1:ba:df:57:3b
index 113 priority 0 llprio 3
groups: vether egress
media: Ethernet autoselect
status: active
inet 172.50.7.254 netmask 0xf800

vlan50 is a vlan on top of a trunk (2 em's LACP to a switch):

vlan50: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

lladdr 00:25:90:0c:78:42
description: Lab
index 10 priority 0 llprio 3
encap: vnetid 50 parent trunk0
groups: vlan
media: Ethernet autoselect
status: active

I have 3 vm's as defined above:

   ID   PID VCPUS  MAXMEM  CURMEM     TTY        OWNER NAME
    2 11840     1    1.0G    450M   ttyp6         root vm1
    1 14496     1    1.0G    560M   ttyp2         root vm2
    3 48053     1    1.0G    450M   ttyp7         root vm3

The vm's are configured with sequential IP's in the vlan50 network 
such as:


vio0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr fe:e1:bb:d1:58:82
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect
status: active
inet 172.50.0.6 netmask 0xf800 broadcast 172.50.7.255

The problem:

I can ping from vm -> vm
I can ping from vm -> vether0 IP
I can ping from vether0 to vm

I cannot communicate out of the VM to the rest of the environment 
reliably.


tcpdump on the tap interface shows:

tcpdump -i tap2
tcpdump: listening on tap2, link-type EN10MB
14:58:54.507948 172.50.0.6 > 172.50.0.1: icmp: echo request
14:58:56.527958 172.50.0.6 > 172.50.0.1: icmp: echo request

tcpdump on the vlan interface shows the traffic gets out and tries to come
back:

tcpdump -i vlan50
tcpdump: listening on vlan50, link-type EN10MB
15:02:23.657480 172.50.0.6 > 172.50.0.1: icmp: echo request
15:02:23.657656 172.50.0.1 > 172.50.0.6: icmp: echo reply
15:02:25.667671 172.50.0.6 > 172.50.0.1: icmp: echo request
15:02:25.667864 172.50.0.1 > 172.50.0.6: icmp: echo reply

I'm using the out of the box pf rules on both the hypervisor box and 
vm's.


I can see the macs of the vm's in the switch table:

switchctl show sum
Switch  Port    Type    Name                    Info
1               switch  /dev/switch0
1       10      mac     00:0d:b9:42:d0:fc       age 135s
1       115     mac     fe:e1:bb:d1:1c:f5       age 135s
1       116     mac     fe:e1:bb:d1:58:82       age 201s
1       112     mac     fe:e1:bb:d1:6d:f4       age 201s


What am I missing? What would block the incoming traffic from getting back
to the vm from the host level?

Thanks
Scott


Can you try adding pass rules for the tapX interfaces to /etc/pf.conf (don't
forget to reload the rules). And maybe the vether too. (Mine contains a
sequence of "pass on tap0" "pass on tap1", etc, lines).

I was having similar issues until I did that; I could never figure out what
rule was blocking it but that seemed to fix it.

Also, not sure if you need net.inet.ip.forwarding=1 in your sysctl config
in this environment?

-ml



Mike you are my hero - I can't believe I didn't try that. Looks like I'm 
in business thank you!


Scott


OpenBSD 6.2 (GENERIC.MP) #2: Sun Dec 10 21:14:42 CET 2017
r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 85873721344 (81895MB)
avail mem = 83264139264 (79406MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0x99c00 (81 entries)
bios0: vendor American Megatrends Inc. version "2.1c" date 08/03/2012
bios0: Supermicro X8DTU
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG SLIT OEMB SRAT HPET DMAR SSDT
acpi0: wakeup devices NPE1(S4) NPE2(S4) NPE3(S4) NPE4(S4) NPE5(S4) 
NPE6(S4) NPE7(S4) NPE8(S4) NPE9(S4) NPEA(S4) P0P1(S4) USB0(S4) 
USB1(S4) USB2(S4) USB5(S

Switchd-VMD

2018-01-29 Thread Scott Seekamp
I'm attempting to set up an OpenBSD virtualized environment and running 
into issues.


OpenBSD 6.2 AMD64 hypervisor

vm.conf:

vm "vm1" {
disable
memory 1g
disk "/vmm/vm1.img"
interface { switch "uplink" }
}

vm "vm2" {
disable
memory 1g
disk "/vmm/vm2.img"
interface { switch "uplink" }
}

vm "vm3" {
disable
memory 1g
disk "/vmm/vm3.img"
interface { switch "uplink" }
}

switch "uplink" {
interface switch0
add vlan50
}


I let vmd bring up the switch and once up it shows:

switch0: flags=41<UP,RUNNING>
description: switch1-uplink
index 108 llprio 3
groups: switch
datapath 0x6393eae0ca8447fb maxflow 1 maxgroup 1000
vlan50 flags=0<>
port 10 ifpriority 0 ifcost 0
tap3 flags=0<>
port 112 ifpriority 0 ifcost 0
vether0 flags=1000
port 4294967294 ifpriority 0 ifcost 0
tap1 flags=0<>
port 115 ifpriority 0 ifcost 0
tap2 flags=0<>
port 116 ifpriority 0 ifcost 0

vether0 defined as:

vether0: flags=41<UP,RUNNING> mtu 1500
lladdr fe:e1:ba:df:57:3b
index 113 priority 0 llprio 3
groups: vether egress
media: Ethernet autoselect
status: active
inet 172.50.7.254 netmask 0xf800

vlan50 is a vlan on top of a trunk (2 em's LACP to a switch):

vlan50: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

lladdr 00:25:90:0c:78:42
description: Lab
index 10 priority 0 llprio 3
encap: vnetid 50 parent trunk0
groups: vlan
media: Ethernet autoselect
status: active

I have 3 vm's as defined above:

   ID   PID VCPUS  MAXMEM  CURMEM     TTY        OWNER NAME
    2 11840     1    1.0G    450M   ttyp6         root vm1
    1 14496     1    1.0G    560M   ttyp2         root vm2
    3 48053     1    1.0G    450M   ttyp7         root vm3

The vm's are configured with sequential IP's in the vlan50 network such 
as:


vio0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500

lladdr fe:e1:bb:d1:58:82
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect
status: active
inet 172.50.0.6 netmask 0xf800 broadcast 172.50.7.255

The problem:

I can ping from vm -> vm
I can ping from vm -> vether0 IP
I can ping from vether0 to vm

I cannot communicate out of the VM to the rest of the environment 
reliably.


tcpdump on the tap interface shows:

tcpdump -i tap2
tcpdump: listening on tap2, link-type EN10MB
14:58:54.507948 172.50.0.6 > 172.50.0.1: icmp: echo request
14:58:56.527958 172.50.0.6 > 172.50.0.1: icmp: echo request

tcpdump on the vlan interface shows the traffic gets out and tries to 
come back:


tcpdump -i vlan50
tcpdump: listening on vlan50, link-type EN10MB
15:02:23.657480 172.50.0.6 > 172.50.0.1: icmp: echo request
15:02:23.657656 172.50.0.1 > 172.50.0.6: icmp: echo reply
15:02:25.667671 172.50.0.6 > 172.50.0.1: icmp: echo request
15:02:25.667864 172.50.0.1 > 172.50.0.6: icmp: echo reply

I'm using the out of the box pf rules on both the hypervisor box and 
vm's.


I can see the macs of the vm's in the switch table:

switchctl show sum
Switch  Port    Type    Name                    Info
1               switch  /dev/switch0
1       10      mac     00:0d:b9:42:d0:fc       age 135s
1       115     mac     fe:e1:bb:d1:1c:f5       age 135s
1       116     mac     fe:e1:bb:d1:58:82       age 201s
1       112     mac     fe:e1:bb:d1:6d:f4       age 201s

What am I missing? What would block the incoming traffic from getting 
back to the vm from the host level?


Thanks
Scott

OpenBSD 6.2 (GENERIC.MP) #2: Sun Dec 10 21:14:42 CET 2017
r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 85873721344 (81895MB)
avail mem = 83264139264 (79406MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0x99c00 (81 entries)
bios0: vendor American Megatrends Inc. version "2.1c" date 08/03/2012
bios0: Supermicro X8DTU
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG SLIT OEMB SRAT HPET DMAR SSDT
acpi0: wakeup devices NPE1(S4) NPE2(S4) NPE3(S4) NPE4(S4) NPE5(S4) NPE6(S4) 
NPE7(S4) NPE8(S4) NPE9(S4) NPEA(S4) P0P1(S4) USB0(S4) USB1(S4) USB2(S4) 
USB5(S4) EUSB(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.40 MHz
cpu0: 

Re: bsd.mp not installed on EdgeRouter Lite

2018-01-18 Thread Scott Bennett
On 1/18/2018 9:23 AM, Stefan Sperling wrote:
> On Thu, Jan 18, 2018 at 09:06:44AM -0500, Sean Murphy wrote:
>> I performed the steps as indicated in the links above and now have GENERIC.MP
>> running on my ERL.  I did see that KARL failed on the initial install and
>> reboot,
> 
> It looks like this issue was just fixed in -current by visa@

I saw the commit messages. Very exciting! I'll give it a try once a new snapshot
gets rolled. Luckily I haven't deployed the ERL yet, so re-installing won't be
a problem.



Re: bsd.mp not installed on EdgeRouter Lite

2018-01-16 Thread Scott Bennett
On 1/15/2018 5:30 PM, jungle Boogie wrote:
> On 12 January 2018 at 08:24, Scott Bennett <sbennett1...@gmail.com> wrote:
>> After reading INSTALL.octeon, I was able to write miniroot62.fs to a usb,
>> plug that into the ERL, and perform a normal installation. The problem is
>> that the installer was not able to detect both cores, so it only installed
>> bsd.sp (bsd.mp was not an option in the set selection).
> 
> See this post:
> https://an.undulating.space/post/171020-erl-openbsd-smp/
> 
> See this reddit thread:
> https://www.reddit.com/r/openbsd/comments/7agdgh/openbsd_62_on_edgerouter_lite_with_bsdmp/
> 
> Hope that helps

Much appreciated! The reddit thread may just work.



Re: bsd.mp not installed on EdgeRouter Lite

2018-01-16 Thread Scott Bennett
On 1/13/2018 5:01 AM, Stefan Sperling wrote:
> On Fri, Jan 12, 2018 at 11:24:59AM -0500, Scott Bennett wrote:
>> After reading INSTALL.octeon, I was able to write miniroot62.fs to a usb,
>> plug that into the ERL, and perform a normal installation. The problem is
>> that the installer was not able to detect both cores, so it only installed
>> bsd.sp (bsd.mp was not an option in the set selection).
>>
>> Running 6.2-release.
>>
>> I did follow the instructions for setting the coremask=0x3 when booting the
>> installer, and setting the coremask=0x3 in the bootcmd. It seems that the
>> installer just wasn't able to recognize that it's a dual core system.
> 
> I've seen this, too. For some reason bsd.rd doesn't count CPUs correctly
> even with coremask=0x3.
> 
>> To workaround this problem, I downloaded bsd.mp after installation and copied
>> that to the FAT partition. My ERL can now run SMP, but as you probably
>> guessed this does break KARL.
> 
> That's what I did, too.
> 
>> Has anyone been able to install bsd.mp on the ERL and not break KARL?
> 
> Not me.
> 
> Looking into this is somewhere at the far end of my todo list.
> Not sure I'll ever get to it.

Thanks for the reply, Stefan! At least it's a known issue. I will
watch the tree for any updates in this area.



bsd.mp not installed on EdgeRouter Lite

2018-01-12 Thread Scott Bennett
After reading INSTALL.octeon, I was able to write miniroot62.fs to a usb,
plug that into the ERL, and perform a normal installation. The problem is
that the installer was not able to detect both cores, so it only installed
bsd.sp (bsd.mp was not an option in the set selection).

Running 6.2-release.

I did follow the instructions for setting the coremask=0x3 when booting the
installer, and setting the coremask=0x3 in the bootcmd. It seems that the
installer just wasn't able to recognize that it's a dual core system.

To work around this problem, I downloaded bsd.mp after installation and copied
that to the FAT partition. My ERL can now run SMP, but as you probably
guessed this does break KARL.

Has anyone been able to install bsd.mp on the ERL and not break KARL?

Selected snippets from the install process below.

Cheers,
Scott

[snip]

Octeon ubnt_e100# fatload usb 0 $loadaddr bsd.rd
reading bsd.rd
..
.

8750939 bytes read
Octeon ubnt_e100# bootoctlinux rootdev=rd0 coremask=0x3
argv[2]: coremask=0x3
ELF file is 64 bit
Allocating memory for ELF segment: addr: 0x8100 (adjusted to: 0x100), size 0x86f890
Allocated memory for ELF segment: addr: 0x8100, size 0x86f890
Processing PHDR 0
  Loading 7ef710 bytes at 8100
  Clearing 80180 bytes at 817ef710
## Loading Linux kernel with entry point: 0x8100 ...
Bootloader: Done loading app on coremask: 0x3

[snip]

boot_desc->argc:3
boot_desc->flags:0x5
boot_desc->core_mask:0x3
boot_desc->dram_size:512
boot_desc->phy_mem_desc_addr:0

[snip]

OpenBSD 6.2 (RAMDISK) #0: Wed Oct  4 05:40:31 UTC 2017
visa@octeon:/usr/src/sys/arch/octeon/compile/RAMDISK
real mem = 536870912 (512MB)
avail mem = 520896512 (496MB)
mainbus0 at root
cpu0 at mainbus0: CN50xx CPU rev 0.1 500 MHz, Software FP emulation
cpu0: cache L1-I 32KB 4 way D 8KB 64 way, L2 128KB 8 way
clock0 at mainbus0: int 5
iobus0 at mainbus0

[snip]

Select sets by entering a set name, a file name pattern or 'all'. De-select
sets by prepending a '-', e.g.: '-game*'. Selected sets are labelled '[X]'.
[X] bsd           [X] comp62.tgz    [X] xbase62.tgz   [X] xserv62.tgz
[X] bsd.rd        [X] man62.tgz     [X] xshare62.tgz
[X] base62.tgz    [X] game62.tgz    [X] xfont62.tgz



Re: rdomain/rtable

2017-12-24 Thread Scott Nicholas
Hello

You may need a direct route to the gateway as well

Happy holidays,
Scott


On Dec 24, 2017 4:08 PM, "Paul B. Henson" <hen...@acm.org> wrote:

Thanks for the info. I don't want to move any interfaces to a
non-default routing domain, I just want to be able to run a process with
a different default route. I can make that work, via the route -T 10
exec you mention after setting a default route in that domain.

But I can't seem to get traffic for my local subnet sent out my
internal interface, even after I add a route to it in the non-default
routing domain. Dunno, maybe I'm missing something.

I set it up like:

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            24.x.x.x           UGS        0        2     -     8 umb0
10.0/16            10.128.0.20        UGS        0        0     -     8 em0

But 'ping 10.128.0.20' shows the packets going out umb0, not em0?

Thanks again.

On Sat, Dec 23, 2017 at 05:07:37PM +0100, Sebastian Benoit wrote:
>
> When you create a new routing domain, for example by adding an interface
> to a routing domain (e.g. ifconfig umb0 rdomain 10), you create a new routing
> table 10. It will be empty until you add an address on umb0 or, for
> example add your default route.
>
> This routing table will be used to forward packets that are "in that
> routing domain" (the packet is marked with the rdomain or rather the rtable it
> will use). How does the packet get marked?
>
> Three ways:
>
> * with pf, as you have discovered. As the manpage documents, the
> mark needs to be set before route lookup is done.
>
> * when a paket comes in on an interface in rdomain 10, it will stay in
> rdomain 10 (unless pf changes it).
>
> * a packet is generated on the local machine by a process that "is in that
> routing domain". I.e. processes are also marked with a rdomain.
>
> To start a process in a specific rdomain (10), use "route -T 10 exec
> command", for example
>
>   route -T 10 exec ping -n ip
>
> or even
>
>   route -T 10 exec ksh
>
> Processes spawned by that shell will inherit the rdomain.
>
> Note that I used -n in the ping example. DNS resolving using the resolvers
> in resolv.conf might not work, as long as those resolvers are not
> reachable in rdomain 10.
>
> Hope this helps ...


Re: Solved IPMI, but I can't get onto network to outside

2017-12-21 Thread Scott Nicholas
On Dec 21, 2017 2:58 PM, "Chris Bennett" <webmas...@bennettconstruction.us> wrote:



>  Original Message 
> Subject: Re: Solved IPMI, but I can't get onto network to outside
> From: ed...@pettijohn-web.com
> Date: Thu, December 21, 2017 1:42 pm
> To: Chris Bennett <webmas...@bennettconstruction.us>
> Cc: misc@openbsd.org
>
>
> On Dec 21, 2017 12:57 PM, Chris Bennett <webmas...@bennettconstruction.us> wrote:
> >
> > OK, I've not had this setup before and I can't get it
> > to work. I am not sure what to move or which commands
> > to use to investigate. I.E. I don't know how to
> > interpret what I see from them.
> >
> > I got this from support:
> >
> > I have checked the prefix routing and I dont see any issue with
> > networking.
> > You have assigned the below prefix. Please check and configure as per,
> >
> > IP: 104.217.196.248/29
> > Gateway: 104.217.196.249
> > Netmask: 255.255.255.248
> >
>
> What is your network interface?
>

I have two, em0 and em1

em0:
inet 104.217.196.248 255.255.255.248

And I admit I really don't see what IP addresses I get
with 104.217.196.248/29.
Especially confusing with 104.217.196.249 as the gateway address

Chris Bennett


You get 6 addresses from that, but one is used by the gateway. Use
104.217.196.250 to 254 for your devices.

em0:
inet 104.217.196.250 255.255.255.248 104.217.196.255


Regards,
Scott
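The /29 arithmetic in the answer above, as an added example that is not part of the thread: it lists the host addresses left once the network, broadcast and gateway addresses are set aside, flags why the address configured on em0 in the question (the .248 network address) cannot work, and prints the ifconfig triple for a usable one. It uses only Python's standard ipaddress module and the prefix and gateway quoted above.

```python
import ipaddress
from typing import List


def host_addresses(prefix: str, gateway: str) -> List[str]:
    """Addresses a host may take inside the prefix: everything except the
    network address, the broadcast address and the provider's gateway."""
    net = ipaddress.ip_network(prefix, strict=False)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gateway} is not inside {net}")
    # hosts() already skips the network and broadcast addresses.
    return [str(a) for a in net.hosts() if a != gw]


def check_host_address(prefix: str, address: str) -> str:
    """Why an address is, or is not, usable as a host address in the prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    addr = ipaddress.ip_address(address)
    if addr not in net:
        return "outside prefix"
    if addr == net.network_address:
        return "network address"
    if addr == net.broadcast_address:
        return "broadcast address"
    return "ok"


def ifconfig_inet(prefix: str, address: str) -> str:
    """The 'inet <addr> <netmask> <broadcast>' triple ifconfig(8) expects."""
    verdict = check_host_address(prefix, address)
    if verdict != "ok":
        raise ValueError(f"{address}: {verdict}")
    net = ipaddress.ip_network(prefix, strict=False)
    return f"inet {address} {net.netmask} {net.broadcast_address}"


if __name__ == "__main__":
    prefix, gateway = "104.217.196.248/29", "104.217.196.249"
    print("assignable:", ", ".join(host_addresses(prefix, gateway)))
    # The address configured on em0 in the question is the network address.
    print("104.217.196.248:", check_host_address(prefix, "104.217.196.248"))
    print(ifconfig_inet(prefix, "104.217.196.250"))
```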


Re: no registration exists matching provided key

2017-12-19 Thread Scott Nicholas
On Tue, Dec 19, 2017 at 3:26 AM, ?? ??  wrote:
> Hello, I am very new to all these things, and wanted to have ssl for my own 
> server (Openbsd6.2, Openbsd httpd, Openbsd acme-client), which will be my 
> first ssl, other than previous self-signed one.
>
> Previously, to create a website, I followed some blog posts and created 
> self-signed ssl 
> (http://thecyberrecce.net/2017/01/15/secure-webservers-with-openbsd-6-0-setting-up-httpd-mariadb-and-php/),
>  and as the site was somehow ready so I wanted to have the Letsencrypt ssl on 
> the site, replacing the existing self-signed one.
> After reading man pages, documentations, and blog posts, (but I don't 
> understand much really) I did just almost the same as others stated in their 
> blogs (httpd.conf, acme-client.conf and then the command), using "acme-client 
> -vvAD example.com" command. But I got an error ("provided agreement URL 
> doesn't match" or similar), and then tried several times again while making  
> changes (e.g deleting self-signed crt, etc...)
> but I still get an error: "no registration exists matching provided key".
>
> Could anyone help me know what the error means or give any advice to me?

I just had this happen. acme-client saved an account key but since the
TOS needed updating, the account wasn't created. I imagine you updated
the agreement url? This is the new one:

agreement url 
"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"

Delete your account key so it makes a new one. It's in the location below:

account key "/etc/acme/letsencrypt-privkey.pem"

then run acme-client again.

> Also this is my second time writing to a "mailing list", and at the first 
> time I couldn't send a reply to say thank you to the reply that was sent to me as 
> I don't know how to reply. So I'd be really grateful for kindly letting me 
> know that as well.
>
> Would really appreciate any help.
>
>



Multicast in OSPF with shared interface addresses

2017-12-03 Thread Scott Nicholas
I joined a VPN network (dn42) to learn BGP and such and decided to do
so with OpenBSD, which I'm also learning. Most peers are Linux
machines and they re-use their address on each VPN tunnel as a /32. I
have been successful doing the same until I decided I needed ospf for
my internal routes.

openospfd sets the interface (identified only by its IP) as the
multicast source. Since several tunnels have that address, it sets it
incorrectly. A brief look at Linux headers show that their newer
ip_mreqn struct includes an interface index since Linux 2.2. Perhaps
this is a useful inclusion in the OpenBSD kernel so that userland can
pick the interface correctly?

For now I've worked around this by assigning /31 aliases in
192.168.0.0/16 to the interfaces. But I'm curious what others are
doing that use OpenBSD as a router, as it's all fairly new to me. I'm
reading that OSPF could also have unicast neighbors setup, but
OpenOSPFd doesn't have this feature.



Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

2017-11-09 Thread Scott Bennett
On 11/9/2017 2:04 PM, Jeff wrote:
> Hello all,
> 
> [...]
>
> Also, is there an easy/sane way to remove packages that were only
> required for building once the ports have been updated?

You could use:
$ pkg_info -t

to show packages which are not required by any other packages
(man.openbsd.org/pkg_info#t). Obviously this will also show you
packages that you want to keep, such as mariadb, firefox, etc... But
this should help in determining some packages to remove.

Scott



Re: pf not redirecting DNS queries

2017-11-07 Thread Scott Bennett

On 11/7/2017 9:39 AM, Jeremie Courreges-Anglas wrote:

On Mon, Nov 06 2017, Scott Bennett <sbennett1...@gmail.com> wrote:

[...]


$ cat /etc/resolv.conf.tail
search 123090.net
lookup file bind
options edns0


Just being curious, why use "options edns0" here?


I haven't actually modified this file in a few years. This is
just a holdover from following a BSDnow guide when I set up my
first gateway, which recommended setting that option.



Re: pf not redirecting DNS queries

2017-11-07 Thread Scott Bennett

On 11/7/2017 8:46 AM, Stuart Henderson wrote:

On 2017-11-07, Scott Bennett <sbennett1...@gmail.com> wrote:


I want to be able to enforce that all queries get funneled to OpenDNS. I
don't want someone to be able to outsmart the filter, at least at this
one level. Redirection lets me configure the laptops to have their own
hard-coded configurations when out and about, and then when I come home
they transparently query the gateway with no changes. Blocking would
probably result in me trying to load a page when I get home, failing,
then remembering to change the DNS config.


If you redirect, you may then end up funneling requests which are meant
for an *authoritative* DNS server, towards a recursive resolver instead.

Can you just hardcode the laptops to OpenDNS's resolver addresses, and
just permit those through PF? Then, if wanted, you could redirect just
those addresses to your local unbound resolver, and block other port 53.


That could be a solution. In what situations would there be a request
for an authoritative DNS server? There's not much on my network (at the
moment) that does anything more than general internet browsing.



Re: pf not redirecting DNS queries

2017-11-06 Thread Scott Bennett

On 11/6/2017 9:29 PM, trondd wrote:

On Mon, November 6, 2017 8:50 pm, Scott Bennett wrote:

pass quick proto { tcp, udp } to port $udp_ports


Because you're telling pf to pass all traffic on port domain to anywhere.
Quick rules stop evaluation and you never hit the rdr-to rules below.



Oh, duh. I thought it had to be something minor that I wasn't seeing.




# Redirect DNS Queries
pass in on $wifi  proto { udp, tcp } from any to any port domain \
  rdr-to $wifi_ip  port domain label "dns-redirect"
pass in on $wired proto { udp, tcp } from any to any port domain \
  rdr-to $wired_ip port domain label "dns-redirect"



What is on your LAN that isn't using your DHCP settings for DNS?  Why
redirect instead of just blocking DNS from the LAN to all but unbound?



I want to be able to enforce that all queries get funneled to OpenDNS. I
don't want someone to be able to outsmart the filter, at least at this
one level. Redirection lets me configure the laptops to have their own
hard-coded configurations when out and about, and then when I come home
they transparently query the gateway with no changes. Blocking would
probably result in me trying to load a page when I get home, failing,
then remembering to change the DNS config.



pf not redirecting DNS queries

2017-11-06 Thread Scott Bennett

I have an APU2 running 6.2, acting as pf NAT gateway, DHCP server, and
DNS cache (unbound) for my internal LAN.

I've attempted to make all DNS queries redirect to the APU2, as many
examples have illustrated, so that they can be forwarded to OpenDNS (to
take advantage of domain filtering). But it seems that it is still
possible for queries to evade the redirection.

Using dig as a concrete example, if I do the following simple
query from a client, I get an answer from unbound as expected:

$ dig openbsd.org

; <<>> DiG 9.4.2-P2 <<>> openbsd.org @192.168.2.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57692
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;openbsd.org.   IN  A

;; ANSWER SECTION:
openbsd.org.28755   IN  A   129.128.5.194

;; Query time: 217 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Mon Nov  6 20:15:30 2017
;; MSG SIZE  rcvd: 45


However, if I specify an alternate DNS server, I get a response from
that server:

$ dig openbsd.org @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> openbsd.org @8.8.8.8
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20902
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;openbsd.org.   IN  A

;; ANSWER SECTION:
openbsd.org.20716   IN  A   129.128.5.194

;; Query time: 19 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Nov  6 20:19:21 2017
;; MSG SIZE  rcvd: 45


I expected to receive the answer from unbound on the APU2 at
192.168.2.1, not 8.8.8.8. However, even if that is not how dig is
actually supposed to work, I can still see evidence where my LAN
clients are able to go around the internal unbound. Relevant APU2
configurations are below. Omitting the unbound configuration as it
seems unhelpful. I have verified that it works; just the
redirection isn't working.

What have I goofed up?


Scott


$ cat /etc/resolv.conf.tail
search 123090.net
lookup file bind
options edns0

$ cat /etc/dhclient.conf
send host-name "comet.123090.net";
supersede domain-name-servers 208.67.222.222, 208.67.220.220;

$ cat /etc/dhcpd.conf
option domain-name "123090.net";
subnet 192.168.2.0 netmask 255.255.255.0 {
option routers 192.168.2.1;
option domain-name-servers 192.168.2.1;
range 192.168.2.2 192.168.2.199;
}
subnet 192.168.0.0 netmask 255.255.255.0 {
option routers 192.168.0.1;
option domain-name-servers 192.168.0.1;
range 192.168.0.101 192.168.0.199;
}

$ doas cat /etc/pf.conf
wired = "{ vether0 em1 em2 }"
wifi = "athn0"
wired_ip = "192.168.0.1"
wifi_ip = "192.168.2.1"
icmp_types = "{ echoreq, unreach }"
udp_ports = "{ domain, ntp }"
tcp_ports = "{ ssh, smtp, domain, www, pop3, auth, http, https, pop3s }"

table  { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
  172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, \
  192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, \
  203.0.113.0/24, 224.0.0.0/3 }
set block-policy drop
set loginterface egress
set skip on lo
match in all scrub (no-df random-id)
match out on egress set prio (5, 6)
match in on $wifi set prio (5, 6)
match proto tcp to port ssh set prio 7
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress, $wifi }
block in quick log on egress from  to any
block return out quick log on egress from any to 
block in quick on egress from no-route to any
block in quick on egress inet proto icmp all label "icmp-in"
block all
pass quick proto { tcp, udp } to port $udp_ports
pass inet proto icmp icmp-type $icmp_types
pass out on egress inet proto udp to port 33433:33626
pass inet proto tcp from $wifi:network to port $tcp_ports modulate state
pass from { self, $wifi:network } modulate state
pass in on $wired inet
# Redirect DNS Queries
pass in on $wifi  proto { udp, tcp } from any to any port domain \
rdr-to $wifi_ip  port domain label "dns-redirect"
pass in on $wired proto { udp, tcp } from any to any port domain \
rdr-to $wired_ip port domain label "dns-redirect"
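trondd's diagnosis (the quick rule on $udp_ports wins before the rdr-to rules are ever reached) can be checked against the pf.conf above with a toy model of pf's rule evaluation. This is an added example, not part of the original thread: it models only the DNS-relevant rules, approximates the "from { self, $wifi:network }" source match by ingress interface, and takes dropping the quick keyword from that one rule as the candidate fix to compare (moving the rdr-to rules above it is the other option).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names as pf resolves them from /etc/services.
PORTS = {"domain": 53, "ntp": 123}

# Macros from the pf.conf above.
WIRED = ("vether0", "em1", "em2")   # $wired
WIFI = ("athn0",)                    # $wifi
WIFI_IP, WIRED_IP = "192.168.2.1", "192.168.0.1"


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    text: str                         # the pf.conf line being modelled
    quick: bool = False               # 'quick': stop evaluating at this rule
    in_on: Tuple[str, ...] = ()       # ingress interfaces; () matches any
    protos: Tuple[str, ...] = ()      # protocols; () matches any
    dports: Tuple[int, ...] = ()      # destination ports; () matches any
    rdr_to: Optional[str] = None      # "host:port", applied only if this rule wins


@dataclass(frozen=True)
class Packet:
    in_on: str     # interface the packet arrived on
    proto: str     # "udp" or "tcp"
    dst: str       # destination address (informational in this model)
    dport: int     # destination port


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does the rule's filter part match the packet?"""
    return ((not rule.in_on or pkt.in_on in rule.in_on)
            and (not rule.protos or pkt.proto in rule.protos)
            and (not rule.dports or pkt.dport in rule.dports))


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf semantics: the *last* matching rule wins, except that a matching
    rule marked 'quick' ends evaluation immediately and wins outright."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def ruleset(quick_on_udp_ports: bool) -> List[Rule]:
    """The DNS-relevant subset of the pf.conf above, in the original order.
    The flag controls only the 'quick' keyword on the $udp_ports rule."""
    udp_rule = ("pass quick" if quick_on_udp_ports else "pass") + \
        " proto { tcp, udp } to port $udp_ports"
    return [
        Rule("block", "block all"),
        Rule("pass", udp_rule, quick=quick_on_udp_ports,
             protos=("tcp", "udp"), dports=(PORTS["domain"], PORTS["ntp"])),
        Rule("pass", "pass from { self, $wifi:network } modulate state",
             in_on=WIFI),
        Rule("pass", "pass in on $wired inet", in_on=WIRED),
        Rule("pass", "pass in on $wifi ... port domain rdr-to $wifi_ip port domain",
             in_on=WIFI, protos=("udp", "tcp"), dports=(PORTS["domain"],),
             rdr_to=f"{WIFI_IP}:53"),
        Rule("pass", "pass in on $wired ... port domain rdr-to $wired_ip port domain",
             in_on=WIRED, protos=("udp", "tcp"), dports=(PORTS["domain"],),
             rdr_to=f"{WIRED_IP}:53"),
    ]


def redirect_target(pkt: Packet, quick_on_udp_ports: bool) -> Optional[str]:
    """Where pf sends the packet: the winning rule's rdr-to target, or None
    when it is passed or blocked without translation."""
    winner = evaluate(ruleset(quick_on_udp_ports), pkt)
    return winner.rdr_to if winner and winner.action == "pass" else None


def trace(pkt: Packet, quick_on_udp_ports: bool) -> List[str]:
    """Text of every rule that matched, in evaluation order, up to the point
    where evaluation stopped; the last entry is the winner."""
    seen = []
    for rule in ruleset(quick_on_udp_ports):
        if matches(rule, pkt):
            seen.append(rule.text)
            if rule.quick:
                break
    return seen


if __name__ == "__main__":
    # A wifi client asking 8.8.8.8 directly, as with 'dig openbsd.org @8.8.8.8'.
    dns = Packet(in_on="athn0", proto="udp", dst="8.8.8.8", dport=53)
    for quick in (True, False):
        print(f"quick on the $udp_ports rule: {quick}")
        for line in trace(dns, quick):
            print("   matched:", line)
        print("   rdr-to:", redirect_target(dns, quick))
```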



Re: Openbsd 6.1 and Current Console Freezes and lockup Proxmox PVE5.0

2017-10-12 Thread Scott Reese

> On 8 Oct 2017, at 23:59, Oliver Marugg wrote:
>>>
>> Thanks Mike, will do so. The proxmox guys have also the idea that it
>> could be a bug in kvm hypervisor (which is the hypervisor part for
>> proxmox) and will affect OpenBSD since 4.9, they wrote me in their
>> public forum. As far as I understood they do not know what OpenBSD
>> needs in kvm or what/where should be fixed in kvm run OpenBSD without
>> that freezes.
>>
>> -oliver
> 
> I have to correct my previous post "...will affect OpenBSD since 4.9"
> was nonsense and sorry for this noise. Proxmox guys said it will affect
> OpenBSD guests under KVM with Linux kernels starting from 4.9 on, I only
> saw wrong version numbers.
> 
> Currently running tests with OpenBSD 6.2-release and 6.2-stable guests
> in proxmox/kvm, but it seems there is no change with freezes to OpenBSD
> 6.1.

Greetings:

Just a data point for you: I run about a dozen OpenBSD VMs, versions 6.0, 6.1, 
and 6.2 under KVM on Linux kernel 4.11 without any of the issues that you are 
describing. The host system is running Fedora 25, the kernel version is 4.11.3, 
and the qemu-kvm package version is 2.7.1-7.

If there's any information I can provide, please let me know.

-Scott



pf route-to vs static route

2017-10-03 Thread Scott Bonds
Hi everybody. I used to host my own email and I have ambitions to give 
it another try. I prefer to keep my email on my home server if I can, 
but I use Comcast and they block port 25. So, I thought I'd try setting 
up an IKEDv2 based VPN between my home network (including my email 
server at home) and a VPS which doesn't have any ports blocked, so as to 
have an unblocked path to the internet for my email traffic from my home 
network.


I've got the VPN set up and working fine. I'm able to ping from my home 
servers through the VPN and out the cloud server. I'm able to telnet 
port 25 from my home network too:


$ ping -I $vpn_if_ip 8.8.8.8
$ telnet -b $vpn_if_ip smtp.gmail.com 25

Those work great. Adding a route works great too, i.e.:

# route add smtp.gmail.com $vpn_if
# telnet smtp.gmail.com 25

That works, and I don't need to specify the -b option with telnet once I 
have the static route set up.


What I'm having trouble with is simulating a static route with PF, so 
instead of setting up a static route for every email server in the 
world, I was hoping I could do something like:


pass out inet proto tcp to port smtp nat-to $vpn_if route-to \
   $vpn_gateway_ip@$vpn_if

So that *only* traffic bound for port 25 gets sent over the VPN 
connection, but it does so for all hosts. Anyhow, I haven't been able to 
get it to work, and I realize I don't understand enough about how pf 
route-to and static routes work and are different from each other.


I've read and reread the nat-to and route-to sections in man pf.conf.  
I've used tcpdump on the various interfaces on both sides of the vpn 
connection to try and understand how the packets are moving, where they 
are stopping and why, in both the static routing scenario (which works) 
and my failed attempts at configuring pf to do something similar (which 
doesn't work). I searched for route-to in the Book of PF 3rd Edition, 
but didn't find it there.


Before I give up on this approach and try using an smtpd relay server or 
relayd or just host my mail on the VPS like any sensible PF newb should 
perhaps do, I thought I'd try subjecting myself to public ridicule and 
the possibility that someone else might have attempted something like 
this before and maybe willing to share their insights and help me 
understand PF vs static routes a bit better than I do today. Thanks to 
those who made it to the bottom of this long email--I'll be grateful for 
any pointers.




MediaTek Mt7601

2017-08-25 Thread Heppler, J. Scott

I just purchased a nano-usb wifi dongle with the expectation that it
would have a rtl8188cu chipset.  In fact it has a MediaTek MT7601U and
on perusing a lot of purchase comments it seems that the MT7601U is
supplanting the RealTek chipset.

Ralink was fairly open and provided partial documentation for the
FreeBSD drivers that were imported into OpenBSD.  I'm not sure if
corporate policy changed when MediaTek bought RaLink but the MT7601
driver is in the Linux Kernel => 4.2, the source is GPLV2 and
redistribution of the closed source firmware is allowed.

https://wikidevi.com/wiki/Mt7601u

The MediaTek dongle came on a slow boat from China so I'm not sending it
back.  The wikidevi entry suggests that this may be low-hanging fruit to
add to OpenBSD/FreeBSD/NetBSD.  The question I have is whether to give
the MediaTek away and try to purchase an older RealTek or be patient and
wait a few months?  I'm presently using an older, larger rum(4) usb
device.

Thanks
--
J. Scott Heppler



httpd and URL rewriting

2017-07-06 Thread Scott Vanderbilt
I am investigating the feasibility of migrating a RESTful webapp 
currently hosted on nginx and 6.1-current to use httpd. Naturally, such an 
application requires a URL-rewriting facility.


Perusing the httpd.conf(5) and httpd(8) man pages, this list's archive, 
and Google, I see nothing that indicates this is possible. Of course, I 
know you can redirect from within httpd, but that's obviously not 
the sort of behavior an app like this requires.


I am encouraged by reyk@'s post to tech on 20 June 2015 wherein he says 
"Here is a diff that adds pattern matching to httpd, allowing rewrites 
with redirects." But that last bit is kind of ambiguous about whether 
rewrites independent of redirects can be achieved.


Might anyone know whether this can be accomplished and how?

Many thanks.




Re: Doubling in Size of base61.tgz

2017-06-14 Thread Scott Vanderbilt

On 6/14/2017 3:37 PM, Theo de Raadt wrote:

Please forgive me if this has been noted on misc@, as I've overlooked
it, but, just out of curiosity, can anyone account for the recent
doubling in size of base61.tgz in recent amd64 snapshots of -current?

As recently as 7 June, it was ~58 MB in size, but over the last couple
of days at least, it has ballooned to nearly 120 MB in size. None of the
other tarballs seem to have changed much at all.


KARL creates a new /usr/share/compile.tgz file, which is expanded
to /usr/share/compile/GENERIC.MP directory at first boot

that is the new space, a link kit

The .o's are compiled with -ggdb, and that may shrink in the future
if someone provides glue to shrink-down the .o files


Kewl. I saw the post about KARL on undeadly.org, but didn't realize the 
two events were related.


Thanks!




Doubling in Size of base61.tgz

2017-06-14 Thread Scott Vanderbilt
Please forgive me if this has been noted on misc@, as I've overlooked 
it, but, just out of curiosity, can anyone account for the recent 
doubling in size of base61.tgz in recent amd64 snapshots of -current?


As recently as 7 June, it was ~58 MB in size, but over the last couple 
of days at least, it has ballooned to nearly 120 MB in size. None of the 
other tarballs seem to have changed much at all.


Just wondering.

Cheers.



PSA: autodisklabel '\' must be configured

2017-05-28 Thread Scott Bonds
You might get the error "'\' must be configured" when trying to 
autoinstall, if your autodisklabel layout is only minimums, and the 
minimums add up to more than the total available disk size. So, you 
know, don't do that.


Putting this out there to save someone some troubleshooting time when 
they go searching for that message.
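As an added example (not from the post, and not OpenBSD's own code): a pre-flight check that sums the minimum sizes in a disklabel(8) -T style template and compares them with the target disk, so the condition described above is caught before the autoinstall runs. The template grammar assumed here (mountpoint, min[-max], optional percentage; sizes with K/M/G/T suffixes; `*` for no upper bound) follows the disklabel(8) template description; verify it against the man page of your release.

```python
"""Pre-flight check for an OpenBSD autoinstall disklabel template.

Added example, not from the post. Assumed template grammar (from
disklabel(8) -T): one entry per line, "mountpoint min[-max] [percent]",
sizes carrying a K/M/G/T suffix, '*' meaning no upper bound.
"""

UNITS = {"k": 1 << 10, "m": 1 << 20, "g": 1 << 30, "t": 1 << 40}


def parse_size(text):
    """Return a size such as '1G' or '512M' in bytes; '*' (unbounded) -> None."""
    text = text.strip()
    if text == "*":
        return None
    unit = text[-1].lower()
    if unit not in UNITS:
        # Be strict rather than guess a default unit (assumption: every
        # size in the template carries an explicit suffix).
        raise ValueError(f"size {text!r} needs a K/M/G/T suffix")
    return int(float(text[:-1]) * UNITS[unit])


def parse_template(text):
    """Parse template text into (mountpoint, min_bytes, max_bytes, percent) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed template line: {raw!r}")
        mount, size = fields[0], fields[1]
        percent = int(fields[2].rstrip("%")) if len(fields) > 2 else None
        if "-" in size:
            lo, hi = size.split("-", 1)
            lo_bytes, hi_bytes = parse_size(lo), parse_size(hi or "*")
        else:
            lo_bytes = hi_bytes = parse_size(size)
        entries.append((mount, lo_bytes, hi_bytes, percent))
    return entries


def check_template(text, disk_bytes):
    """Return (fits, total_minimum_bytes, message) for a template and a disk size."""
    entries = parse_template(text)
    total_min = sum(entry[1] for entry in entries)
    if total_min > disk_bytes:
        return (False, total_min,
                f"minimums total {total_min} bytes but the disk has only {disk_bytes}")
    return (True, total_min, f"minimums total {total_min} bytes; fits in {disk_bytes}")


# Constructed sample template: minimums add up to 3804 MB.
SAMPLE_TEMPLATE = """\
/        1G-2G    5%
swap     256M-1G  10%
/usr     1500M-*  20%
/home    1G-*     65%
"""

if __name__ == "__main__":
    for disk in (2 * 1024 ** 3, 4 * 1024 ** 3):
        fits, total, msg = check_template(SAMPLE_TEMPLATE, disk)
        print(("OK  " if fits else "FAIL"), msg)
```

Run it against the real template and the size reported by `disklabel` for the install target; the percentage column is carried through but ignored by the check, since only the minimums can make the layout impossible.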




Re: file systems

2017-05-26 Thread Scott Bonds
I've got a 27T drive, single partition, about half full. Combination of 
big files and lots of small ones. 32G of ECC RAM. Hardware RAID5 ATM 
though I've used software RAID5 on the same array and that was good too.  
I keep offline backups of everything. I think it takes around an hour to 
fsck, but I haven't timed it. Not using softdep. Not RO. Not sure what 
the file system is, whatever newfs chose...disklabel says fstype is 
4.2BSD.


On 05/26, Peter Hessler wrote:

On 2017 May 26 (Fri) at 11:35:49 -0300 (-0300), Friedrich Locke wrote:
:Hi folks,
:
:does anybody here run OBSD with a file system bigger than 10TB ?
:How much time boot takes to bring the system up (i mean fsck) ?
:Are you using ffs2 ? With softdep ?
:
:Thanks.

I created a 24T disk with ffs2.  I populated 2Tb of it while in async
mode, then pulled the power.  fsck took only 5 minutes.

Later, I repartitioned the machine to the sizes we actually want
(several 5T partitions) and it is running as ftp.hostserver.de.  We
aren't using softdep, and generally run RO on many of the partitions.

Please give it a try on your own hardware, partition sizes, and
collection of files.

--
Don't say "yes" until I finish talking.
-- Darryl F. Zanuck





Re: cloud docs

2017-05-24 Thread Scott Bonds

unison?

On 05/24, Asbel Kiprop wrote:

Yeah, i was using it for some time and i wonder if there is some more text
document based solution.

2017-05-24 20:33 GMT+03:00 Ulises M. Alvarez :


On 24/05/17 12:22, Asbel Kiprop wrote:


Hello, friends. Is there is some solution (in OpenBSD packages, like
ownCloud, for example) to handle with cloud documents? All i want is
to edit some text files on 3-4 computers with synchronization (like
ONLYOFFICE, i think, but not so complicated)



Hi,
Both ownCloud and NextCloud include an editor for text documents; i.e.,
*.txt
--
Ulises M. Alvarez
http://sophie.unam.mx/





Re: tmux.conf syntactic change

2017-04-20 Thread Scott Bonds
Yah, I ran into that too, syntax for that sorta stuff changed, now it's 
like this:


bind -T copy-mode-vi v send -X begin-selection

On 04/20, Predrag Punosevac wrote:

Not really a question but one thing I noticed after upgrading dozen or
so OpenBSD servers from 6.0 to 6.1 per official documentation is that my
.tmux.conf file is now broken.

/root/.tmux.conf:16: invalid or unknown command: bind-key -t vi-copy 'v' 
begin-selection
/root/.tmux.conf:17: invalid or unknown command: bind-key -t vi-copy 'y' 
copy-selection

Best,
Predrag
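As an added example (not from the thread, and not part of tmux): a small shell filter that rewrites the pre-2.4 `bind-key -t vi-copy` lines into the `-T copy-mode-vi ... send-keys -X` form, so an old .tmux.conf can be migrated in one pass instead of fixing each line after tmux complains. The sample configuration below is constructed from the two lines in the error messages above.

```sh
#!/bin/sh
# Added example, not from the thread: rewrite pre-2.4 tmux copy-mode
# bindings into the key-table syntax tmux 2.4 and later expect, e.g.
#   bind-key -t vi-copy 'v' begin-selection
# becomes
#   bind-key -T copy-mode-vi 'v' send-keys -X begin-selection
# Only the table name and the "send-keys -X" wrapper change; the command
# names (begin-selection, copy-selection, ...) stay the same. Lines that
# do not match the old form (including commands with arguments) are
# passed through untouched, so they can be reviewed by hand.

# Read a tmux.conf on stdin, write the migrated version on stdout.
migrate_tmux_conf() {
    sed -E \
        -e 's/^(bind(-key)?)[[:space:]]+-t[[:space:]]+vi-copy[[:space:]]+(.+)[[:space:]]+([A-Za-z-]+)[[:space:]]*$/\1 -T copy-mode-vi \3 send-keys -X \4/' \
        -e 's/^(bind(-key)?)[[:space:]]+-t[[:space:]]+emacs-copy[[:space:]]+(.+)[[:space:]]+([A-Za-z-]+)[[:space:]]*$/\1 -T copy-mode \3 send-keys -X \4/'
}

# Constructed sample: the two lines from the error messages above plus one
# unrelated setting that must survive unchanged.
SAMPLE_CONF="bind-key -t vi-copy 'v' begin-selection
bind-key -t vi-copy 'y' copy-selection
set -g prefix C-a"

# Usage on a real file: migrate_tmux_conf < ~/.tmux.conf > ~/.tmux.conf.new
printf '%s\n' "$SAMPLE_CONF" | migrate_tmux_conf
```

Write the output to a new file and diff it against the original before replacing anything; tmux reads the whole file at start, so a bad rewrite shows up as the same "invalid or unknown command" message the post quotes.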





ikedv2 + rdomains + nat = tcp works, udp doesn't

2017-04-03 Thread Scott Bonds
Hi everyone! I like to play with all the cool toys the devs give us, 
because, you know, they are there, and it helps me learn. One of my 
favorite walls to bang my head against is automatically connecting my 
(OpenBSD-stable) laptop to the internet and automatically keeping it 
connected as I open and close my laptop, change locations, etc. To make 
this more of a challenge, I have wlan, wwan, and ethernet connections to 
choose from (ethernet > wlan > wwan), and I like to connect via some 
sort of VPN so I can be at the airport or a cafe and not worry too much 
about the local folks listening in on my traffic.


I have all this working fine using ifstated, some scripts, and SSH based 
VPN, though the CPU usage is a bit high and it's not without hiccups. 
Anyhow, I thought I'd try out a different way of accomplishing a similar 
effect and see what happens. This time around I thought I'd try putting 
my connections in separate routing domains so I can test their 
connectivity separately and switch between them quickly. Then I layer 
some PF config to NAT traffic from rdomain 0 to the rdomain I want to 
use for internet access, i.e. rdomain 1 is wwan, rdomain 2 is wlan. That 
all works great. As Darth Vader would say, all too easy.


So then I tried connecting to my vpn server (running OpenBSD) using 
ikedv2 on rdomain 0 and that works great too. I have another NAT rule in 
pf.conf to send traffic over the ipsec flow that ikedv2 negotiated. Ping 
works, TCP requests to websites work, but UDP based DNS lookups do not. 
I'm using a local unbound instance for DNS lookups, so I can work around 
my lack of UDP-ness by configuring it to do TCP based lookups, but I'm 
wondering if anyone might have some idea why TCP works with this setup 
but UDP does not.


Some IPs and MAC addresses replaced with consistent, unique, obvious 
fakes to protect the innocent without, hopefully, interfering with the 
usefulness of the logs:


# cat /etc/pf.conf
match in all scrub (no-df random-id max-mss 1440)
pass out on egress to !egress:network nat-to (athn0:0) rtable 2
pass out on enc0 from vether0 nat-to vether0:0

Note: that IS the entire pf.conf, I'm passing everything while I test 
this configuration out.


# cat /etc/iked.conf
ikev2 "vpn" active ipcomp \
   from egress to 0.0.0.0/0 \
   peer 104.xxx.xxx.xxx \
   srcid client.ggr.com \
   tag IKED

# cat /etc/iked.conf (on vpn server)
ikev2 "vpn" ipcomp \
   from 0.0.0.0/0 to 10.0.0.0/8 \
   from 0.0.0.0/0 to 172.16.0.0/12 \
   from 0.0.0.0/0 to 192.168.0.0/16 \
   peer any \
   srcid server.ggr.com \
   tag IKED

$ ifconfig
lo0: flags=8049 mtu 32768
   index 4 priority 0 llprio 3
   groups: lo
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
   inet 127.0.0.1 netmask 0xff00
em0: flags=8802 mtu 1500
   lladdr 00:zz:zz:zz:zz:zz
   index 1 priority 0 llprio 3
   media: Ethernet autoselect (none)
   status: no carrier
athn0: flags=8843 rdomain 2 mtu 1500
   index 2 priority 4 llprio 3
   lladdr 00:yy:yy:yy:yy:yy
   index 2 priority 4 llprio 3
   groups: wlan
   media: IEEE802.11 autoselect (OFDM36 mode 11a)
   status: active
   ieee80211: nwid MyFakeNetwork chan 153 bssid f0:mm:mm:mm:mm:mm 53dBm wpakey 
 wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp 
wpagroupcipher tkip
   inet 10.0.0.136 netmask 0xff00 broadcast 10.0.0.255
enc0: flags=0<>
   index 3 priority 0 llprio 3
   groups: enc
   status: active
vether0: flags=8843 mtu 1500
   lladdr fe:ii:ii:ii:ii:ii
   index 7 priority 0 llprio 3
   groups: vether egress
   media: Ethernet autoselect
   status: active
   inet 192.168.211.1 netmask 0xff00 broadcast 192.168.211.255
pflog0: flags=141 mtu 33144
   index 8 priority 0 llprio 3
   groups: pflog
ppp0: flags=8010 rdomain 1 mtu 1500
   index 27 priority 0 llprio 3
   groups: ppp

$ route -T 0 -n show -inet
Routing tables

Internet:
DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
default192.168.211.1  UGS146528   860228 - 8 vether0
127.0.0.1  127.0.0.1  UHl   42   115625 32768 1 lo0
192.168.211/24 192.168.211.1  UC 00 - 4 vether0
192.168.211.1  fe:ii:ii:ii:ii:ii  UHLl   1   367197 - 1 vether0
192.168.211.255192.168.211.1  UHb00 - 1 vether0

$ route -T 2 -n show -inet
Routing tables

Internet:
DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
default10.0.0.1   UGS  23854110 -12 athn0
10.0.0/24  10.0.0.136 UC 1  795 - 4 athn0
10.0.0.1   64:kk:kk:kk:kk:kk  UHLc   1  275   

Re: strange behaviour with etherip bridge over IPSEC and UDP queries

2017-03-28 Thread Scott Bonds
Interesting. I may have a similar problem and was planning to post about 
it soon...in my case I've been playing with rdomains, using PF to NAT
between them, and ikedv2. I've found that when I use ikedv2 to layer 
IPSEC on top of my NATing traffic between rdomains, TCP passes fine, UDP 
does not, though I can see requests and replies moving across enc0 (DNS 
requests that show the answer in the tcpdump output). So, host -T 
google.com 8.8.8.8 (TCP DNS lookup) works but host google.com 8.8.8.8 
(UDP DNS lookup) does not.


On 03/28, Comète wrote:

Hi,

I'm trying to build an IPSEC encrypted tunnel that works as a bridge. For
this, I use isakmpd and etherip, vether, bridge interfaces. On each VPN server
(Host A and B), I've got PF running on the external interface (em2). Both
hosts run OpenBSD 6.0 stable amd64.
Host A is my main server and host B is the
client.

Now the strange part:

- If PF is running on each host (A and B),
UDP queries from B to A network don't work (UDP only, TCP is ok. But I can see
UDP packets with tcpdump going from B to A and coming back but they don't go
out from the interface)

- I disable PF on Host B only with "rcctl disable pf
&& reboot", all is working after reboot, all queries (dns, ntp...) are well
sent from B to A through the VPN. Now, I enable PF again without rebooting
with "pfctl -e && pfctl -f /etc/pf.conf" and it's still working. Then I start
"rcctl enable pf" and reboot, and it doesn't work anymore for UDP queries...
So, to summarize: if PF is started automatically at boot on host B (rcctl enable
pf) then UDP doesn't pass, but if I start it manually (pfctl -e && pfctl -f
/etc/pf.conf), it works.

I've tried tcpdump -nettti pflog0 during DNS/NTP
queries but I don't see anything blocked. As I said, if I try tcpdump -nettti
em0 I can even see the answer from the DNS server coming back but dig doesn't
get it.

I just don't understand why my UDP packets don't pass, so if you have
an idea, you're welcome ;)

thanks.

This my setup on Host B (Host A is
similar)

ipsec.conf:
---

ike active esp proto etherip from $local_gw to $remote_gw \
   main auth "hmac-sha1" enc "aes-128" group modp2048 lifetime 1800 \
   quick enc "aes-128-gcm" group modp2048 lifetime 1200 \
   srcid $local_gw

ipsecctl -sa
---
ipsecctl -sa
FLOWS:
flow esp in proto etherip from 10.65.12.10 to 10.65.13.10 peer 10.65.12.10 srcid 10.65.13.10/32 dstid 10.65.12.10/32 type use
flow esp out proto etherip from 10.65.13.10 to 10.65.12.10 peer 10.65.12.10 srcid 10.65.13.10/32 dstid 10.65.12.10/32 type require

SAD:
esp tunnel from 10.65.13.10 to 10.65.12.10 spi 0xd5acc570 enc aes-128-gcm
esp tunnel from 10.65.12.10 to 10.65.13.10 spi 0xe19efd9f enc aes-128-gcm
pf.conf:

ext_if = "em2"
int_if = "internal"

match in all scrub (no-df random-id max-mss 1200)
antispoof for { $ext_if, $int_if } inet
set skip on { lo, enc, $int_if }
set loginterface $ext_if
match out on $ext_if from any to any nat-to ($ext_if)
block log all
pass quick on em0

# VPN
pass in on $ext_if proto udp from any to $ext_if port { isakmp, ipsec-nat-t }
pass out on $ext_if proto udp from $ext_if to any port { isakmp, ipsec-nat-t }
pass in on $ext_if proto esp from any to $ext_if
pass out on $ext_if proto esp from $ext_if to any

/etc/hostname.bridge0:
--
link2
add etherip0
add vether0
add em0
group "internal"
up

/etc/hostname.etherip0
--
tunnel 10.65.13.10 10.65.12.10
group internal
up

/etc/hostname.vether0
-
inet 10.14.254.35 255.255.0.0 NONE
description "Interconnexion"
group "internal"
up

/etc/hostname.em0
--
up

/etc/hostname.em2
--
inet 10.65.13.10 255.255.255.0 NONE
description "Evil Network"
group "external"
up
!route add -inet 10.65.12.0/24 10.65.13.1

/etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet.etherip.allow=1




Re: dmesg for Lenovo ThinkPad x200 w/coreboot

2017-03-19 Thread Scott Bonds

unfortunately no, I don't know what it is or how to solve it

On 03/19, Robert Campbell wrote:

Thanks Scott, I've followed your instructions and everything seems to be
working well on my x200. I'll let you know if I experience the periodic
locking you mentioned. We both get this error:

error: [drm:pid0:intel_pipe_config_compare] *ERROR* mismatch in
adjusted_mode.flags(DRM_MODE_FLAG_PHSYNC) (expected 0, found 1)
pipe state doesn't match!

Any idea what it is or how to solve it? I also tried the latest 6.1
snapshot, but it persists. I also get a "RTC BIOS diagnostic error
4" I'm not sure what to make of, wondering if NTP sync will
fix or not.


On Tue, Feb 28, 2017 at 12:24 AM, Scott Bonds <sc...@ggr.com> wrote:


By popular demand (ok, just 2 people asked)...now with instructions on how
to do this yourself: https://ggr.com/how-to-install
-coreboot-on-your-x200.html


On 02/27, Scott Bonds wrote:


I flashed a Lenovo x200 with Coreboot with Intel microcode enabled, ME
removed, and the gigabit ethernet firmware from libreboot. Everything seems
to work. Unlike with Libreboot, which comes with a Grub2 payload, Coreboot
uses the SeaBIOS payload by default and it can boot an encrypted OpenBSD
volume. I'm encountering what seems to be a random lockup every few days,
haven't had a chance to troubleshoot it yet.

For those interested, here's the start of the thread on a similar attempt
using Libreboot instead:
https://marc.info/?l=openbsd-misc=147490313431099=2

The upshot of using Coreboot or Libreboot is that I'm no longer
restricted to using mini pci-e cards that have been whitelisted by Lenovo.
I can use the sweet, sweet umb cards for wwan access, I can upgrade to the
latest iwm driver with MIMO, etc. And for those that haven't experienced an
x200 yet, and you're wondering why anyone would voluntarily use a 10 year
old laptop: the x200 is only $50 before upgrades (I like iwm, umb, an ssd,
new battery, new power adapter, usb3 expresscard), has a great keyboard,
solid build quality, good portability, good expandability (3 internal mini
pci-e, 1 external expresscard slot, 3 USB2 ports), and it's relatively easy
to repair.

Downsides are it's limited to 8G of RAM and the CPU isn't as sprightly as
the latest+greatest (I've shifted my heavy lifting to servers so not a big
issue for me), extended battery only lasts about 3 hours (enough for how I
roll, but I can understand if you've been spoiled by an all-day battery on
a different laptop), VGA out instead of HDMI (can be solved by an adapter),
audio quality sucks (can be solved by an adapter).

I keep 3 x200s around right now...at $50 each, it doesn't break the bank
to have some backups, and if one goes south it's easy to just swap the hard
drive and go. Harder to pull off if my laptop costs $2k. ;)

My original goal was to see what a maximally open source setup might be
like and got as close as I'm likely to get (for now) with
Libreboot+OpenBSD+ral, etc. It was pretty good--I'm excited to see what the
future holds as more of the stack becomes more hacker friendly.

OpenBSD 6.0-stable (GENERIC.MP) #2: Wed Feb 15 17:18:06 PST 2017
  r...@maybe.ggr.com:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4239552512 (4043MB)
avail mem = 4106588160 (3916MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x7db28020 (8 entries)
bios0: vendor coreboot version "CBET4000 4.5-958-gd09dc6b" date 02/08/2017
bios0: LENOVO 745432U
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT MCFG TCPA APIC DMAR HPET
acpi0: wakeup devices HDEF(S4) USB1(S4) USB2(S4) USB3(S4) EHC1(S4)
USB4(S4) USB5(S4) USB6(S4) EHC2(S4) SLT1(S4) SLT2(S4) SLT3(S4) SLT6(S4)
LANC(S3) LANR(S3) SLPB(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xf000, bus 0-63
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Duo CPU P8700 @ 2.53GHz, 1600.30 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMO
V,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,
SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,
PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR
cpu0: 3MB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 266MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2.1.3, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU P8700 @ 2.53GHz, 1600.06 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMO
V,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,
SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,
PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR
cpu1: 3MB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)

Re: better way to detect new display

2017-03-01 Thread Scott Bonds

Thank you for the suggestion. x-on-resize compiles and runs fine. It notices 
resizes, which I suspect I'll find useful down the road :) But, unfortunately, 
it doesn't notice when I plug/unplug my VGA monitor.

I think I'll fall back to Plan B: map the F7 key to trigger a script which will 
run xrandr and switch displays to match what's plugged in. It's a little less 
magical, but it should get the job done and it avoids interrupting my audio 
every 5 seconds, since I'll only run xrandr when I'm trying to switch displays.

On 03/01, David Coppa wrote:

On Wed, Mar 1, 2017 at 11:49 AM, Raf Czlonka <rczlo...@gmail.com> wrote:

On Wed, Mar 01, 2017 at 10:14:39AM GMT, Marcus MERIGHI wrote:

sc...@ggr.com (Scott Bonds), 2017.02.28 (Tue) 02:21 (CET):
> I'm polling using xrandr to check whether a new display was plugged
> in, so I can run a script to switch to it, i.e. plug in an external
> VGA monitor and it lights up automatically, unplug it and my laptop
> automatically switches back to using its internal display.

I have wanted the same and found no way to avoid polling xrandr(1).

If you find a way, would you be so kind to share the solution?

> But, every time I run xrandr my (USB connected) audio stutters, which
> makes me sad because I was hoping to poll for a new display every 5
> seconds, but that's not so great while listening to music.

Does the --nograb parameter of xrandr(1) help?

Marcus

> Does anyone know of a better way to notice a newly plugged in
> display...perhaps one that's more passive/efficient so as not to
> provoke stuttering audio? I don't see any output from hotplugd that I
> could use unfortunately, that seemed like the right place to look
> first. I didn't notice anything I could use in the Xorg log either.



Hi all,

A while ago, Keith Packard wrote a small display configuration tool
called x-on-resize[0] which might be exactly what you are looking
for but I have no idea how much effort it would be to get it
working/ported on/to OpenBSD.

[0] https://keithp.com/blogs/x-on-resize/


It builds out-of-the-box

Thanks for letting me know about x-on-resize,
David
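The "Plan B" in the reply above (a key bound to a script that runs xrandr and switches to whatever is plugged in), as an added example that is not from the thread and not part of xrandr or x-on-resize. It reads `xrandr --query` output, which is what makes it testable offline with a constructed sample; the output names LVDS1 and VGA1 are assumptions, so run `xrandr --query` once to see what your X server actually calls them.

```sh
#!/bin/sh
# Added example, not from the thread: choose an xrandr layout from the
# outputs that are currently connected. Bound to one key, this replaces a
# 5-second poll of xrandr, so the audio stutter the post describes only
# happens when the user deliberately switches. Output names (LVDS1 = panel,
# VGA1 = external) are assumptions; check `xrandr --query` on your machine.

# Print the names of outputs that `xrandr --query` reports as "connected",
# one per line. The query text is read from stdin so it can be tested
# without an X server.
connected_outputs() {
    awk '$2 == "connected" { print $1 }'
}

# Print the xrandr arguments that select the layout, given the internal and
# external output names and `xrandr --query` text on stdin: external only
# when it is plugged in, otherwise internal only.
layout_args() {
    internal=$1 external=$2
    if connected_outputs | grep -qx "$external"; then
        printf '%s\n' "--output $external --auto --primary --output $internal --off"
    else
        printf '%s\n' "--output $internal --auto --primary --output $external --off"
    fi
}

# Query the live X server and apply the chosen layout.
apply_layout() {
    xrandr --query | layout_args "$1" "$2" | xargs xrandr
}

# Constructed sample of `xrandr --query` output: panel connected, VGA not.
SAMPLE_QUERY='Screen 0: minimum 320 x 200, current 1280 x 800, maximum 8192 x 8192
LVDS1 connected primary 1280x800+0+0 (normal left inverted right x axis y axis) 261mm x 163mm
   1280x800      60.00*+
VGA1 disconnected (normal left inverted right x axis y axis)'

# Dry run by default; "--apply" talks to the real X server (bind that to F7).
case "${1:-}" in
    --apply) apply_layout LVDS1 VGA1 ;;
    *) printf '%s\n' "$SAMPLE_QUERY" | layout_args LVDS1 VGA1 ;;
esac
```

Because the decision is made from one `xrandr --query` call and the switch is applied in one `xrandr` invocation, the X server is grabbed only on the keypress; the sample run above prints the arguments without touching the display.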




Re: better way to detect new display

2017-03-01 Thread Scott Bonds

On 03/01, Marcus MERIGHI wrote:

sc...@ggr.com (Scott Bonds), 2017.02.28 (Tue) 02:21 (CET):

I'm polling using xrandr to check whether a new display was plugged
in, so I can run a script to switch to it, i.e. plug in an external
VGA monitor and it lights up automatically, unplug it and my laptop
automatically switches back to using its internal display.


I have wanted the same and found no way to avoid polling xrandr(1).

If you find a way, would you be so kind to share the solution?


yes


But, every time I run xrandr my (USB connected) audio stutters, which
makes me sad because I was hoping to poll for a new display every 5
seconds, but that's not so great while listening to music.


Does the --nograb parameter of xrandr(1) help?


no, the sound still stutters, but that was a good idea



Re: dmesg for Lenovo ThinkPad x200 w/coreboot

2017-02-28 Thread Scott Bonds

Every once in a while, while I'm actively using the laptop, it just...locks 
up: what's on the screen stops changing, the hard drive light is pegged on with 
no fluctuation, moving the mouse doesn't move the pointer, typing doesn't 
affect anything, I cannot switch to a different tty (CTRL-ALT-F1)...I haven't 
tried pinging it, but I suspect it's completely frozen.

I don't have any evidence that it was stable before and that Coreboot is the 
problem, it could be, or it could be some bad hardware.

On 02/28, thinkpad-e535-user wrote:

  >I flashed a Lenovo x200 with Coreboot with Intel microcode enabled,

  >ME removed, and the gigabit ethernet firmware from libreboot.

  >Everything seems to work. Unlike with Libreboot, which comes with

  >a Grub2 payload, Coreboot uses the SeaBIOS payload by default and it

  >can boot an encrypted OpenBSD volume.

  Great news! I've spent a whole day reading libre-/coreboot docs trying

  to find out if I could boot OpenBSD from an encrypted disk on my x200

  with these, and according to libre one's I could not [0]. Good to know

  that it's actually possible with coreboot and SeaBIOS.

  >I'm encountering what seems to be a random lockup every few days,

  haven't had a chance to troubleshoot it yet.

  What kind of lockup?

  [0] [1]https://libreboot.org/docs/bsd/openbsd.html#encryption

References

  1. https://libreboot.org/docs/bsd/openbsd.html#encryption




better way to detect new display

2017-02-27 Thread Scott Bonds

I'm polling using xrandr to check whether a new display was plugged in, so I 
can run a script to switch to it, i.e. plug in an external VGA monitor and it 
lights up automatically, unplug it and my laptop automatically switches back to 
using its internal display. But, every time I run xrandr my (USB connected) 
audio stutters, which makes me sad because I was hoping to poll for a new 
display every 5 seconds, but that's not so great while listening to music.

Does anyone know of a better way to notice a newly plugged in display...perhaps 
one that's more passive/efficient so as not to provoke stuttering audio? I 
don't see any output from hotplugd that I could use unfortunately, that seemed 
like the right place to look first. I didn't notice anything I could use in the 
Xorg log either.



Re: dmesg for Lenovo ThinkPad x200 w/coreboot

2017-02-27 Thread Scott Bonds

By popular demand (ok, just 2 people asked)...now with instructions on how to 
do this yourself: https://ggr.com/how-to-install-coreboot-on-your-x200.html

On 02/27, Scott Bonds wrote:

I flashed a Lenovo x200 with Coreboot with Intel microcode enabled, ME removed, 
and the gigabit ethernet firmware from libreboot. Everything seems to work. 
Unlike with Libreboot, which comes with a Grub2 payload, Coreboot uses the 
SeaBIOS payload by default and it can boot an encrypted OpenBSD volume. I'm 
encountering what seems to be a random lockup every few days, haven't had a 
chance to troubleshoot it yet.

For those interested, here's the start of the thread on a similar attempt using 
Libreboot instead:
https://marc.info/?l=openbsd-misc=147490313431099=2

The upshot of using Coreboot or Libreboot is that I'm no longer restricted to 
using mini pci-e cards that have been whitelisted by Lenovo. I can use the 
sweet, sweet umb cards for wwan access, I can upgrade to the latest iwm driver 
with MIMO, etc. And for those that haven't experienced an x200 yet, and you're 
wondering why anyone would voluntarily use a 10 year old laptop: the x200 is 
only $50 before upgrades (I like iwm, umb, an ssd, new battery, new power 
adapter, usb3 expresscard), has a great keyboard, solid build quality, good 
portability, good expandability (3 internal mini pci-e, 1 external expresscard 
slot, 3 USB2 ports), and it's relatively easy to repair.

Downsides are it's limited to 8G of RAM and the CPU isn't as sprightly as the 
latest+greatest (I've shifted my heavy lifting to servers so not a big issue 
for me), extended battery only lasts about 3 hours (enough for how I roll, but 
I can understand if you've been spoiled by an all-day battery on a different 
laptop), VGA out instead of HDMI (can be solved by an adapter), audio quality 
sucks (can be solved by an adapter).

I keep 3 x200s around right now...at $50 each, it doesn't break the bank to 
have some backups, and if one goes south it's easy to just swap the hard drive 
and go. Harder to pull off if my laptop costs $2k. ;)

My original goal was to see what a maximally open source setup might be like 
and got as close as I'm likely to get (for now) with Libreboot+OpenBSD+ral, 
etc. It was pretty good--I'm excited to see what the future holds as more of 
the stack becomes more hacker friendly.

OpenBSD 6.0-stable (GENERIC.MP) #2: Wed Feb 15 17:18:06 PST 2017
  r...@maybe.ggr.com:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4239552512 (4043MB)
avail mem = 4106588160 (3916MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x7db28020 (8 entries)
bios0: vendor coreboot version "CBET4000 4.5-958-gd09dc6b" date 02/08/2017
bios0: LENOVO 745432U
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT MCFG TCPA APIC DMAR HPET
acpi0: wakeup devices HDEF(S4) USB1(S4) USB2(S4) USB3(S4) EHC1(S4) USB4(S4) 
USB5(S4) USB6(S4) EHC2(S4) SLT1(S4) SLT2(S4) SLT3(S4) SLT6(S4) LANC(S3) 
LANR(S3) SLPB(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xf000, bus 0-63
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Duo CPU P8700 @ 2.53GHz, 1600.30 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR
cpu0: 3MB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 266MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2.1.3, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU P8700 @ 2.53GHz, 1600.06 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR
cpu1: 3MB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEGP)
acpiprt2 at acpi0: bus 1 (RP01)
acpiprt3 at acpi0: bus 2 (RP02)
acpiprt4 at acpi0: bus 3 (RP03)
acpiprt5 at acpi0: bus 4 (RP04)
acpiprt6 at acpi0: bus -1 (RP05)
acpiprt7 at acpi0: bus -1 (RP06)
acpiprt8 at acpi0: bus 5 (PCIB)
acpiec0 at acpi0
acpicpu0 at acpi0
C1: bogo buffer
C2: bogo buffer
C3: bogo buffer: C1(@1 halt!), PSS
acpicpu1 at acpi0
C1: bogo buffer
C2: bogo buffer
C3: bogo buffer: C1(@1 halt!), PSS
acpitz0 at acpi0: critical temperature is 127 degC
acpitz1 at acpi0: critical temperature is 99 degC
acpithinkpad0 at acpi0
acpiac0 at acpi0: AC unit offline
acpibat0 at acpi0: BAT0 model "COMPATIBLE" serial 18729 type LION oem "SANYO"
acpibat1 at ac

dmesg for Lenovo ThinkPad x200 w/coreboot

2017-02-27 Thread Scott Bonds

I flashed a Lenovo x200 with Coreboot with Intel microcode enabled, ME removed, 
and the gigabit ethernet firmware from libreboot. Everything seems to work. 
Unlike with Libreboot, which comes with a Grub2 payload, Coreboot uses the 
SeaBIOS payload by default and it can boot an encrypted OpenBSD volume. I'm 
encountering what seems to be a random lockup every few days, haven't had a 
chance to troubleshoot it yet.

For those interested, here's the start of the thread on a similar attempt using 
Libreboot instead:
https://marc.info/?l=openbsd-misc=147490313431099=2

The upshot of using Coreboot or Libreboot is that I'm no longer restricted to 
using mini pci-e cards that have been whitelisted by Lenovo. I can use the 
sweet, sweet umb cards for wwan access, I can upgrade to the latest iwm driver 
with MIMO, etc. And for those that haven't experienced an x200 yet, and you're 
wondering why anyone would voluntarily use a 10 year old laptop: the x200 is 
only $50 before upgrades (I like iwm, umb, an ssd, new battery, new power 
adapter, usb3 expresscard), has a great keyboard, solid build quality, good 
portability, good expandability (3 internal mini pci-e, 1 external expresscard 
slot, 3 USB2 ports), and it's relatively easy to repair.

Downsides are it's limited to 8G of RAM and the CPU isn't as sprightly as the 
latest+greatest (I've shifted my heavy lifting to servers so not a big issue 
for me), extended battery only lasts about 3 hours (enough for how I roll, but 
I can understand if you've been spoiled by an all-day battery on a different 
laptop), VGA out instead of HDMI (can be solved by an adapter), audio quality 
sucks (can be solved by an adapter).

I keep 3 x200s around right now...at $50 each, it doesn't break the bank to 
have some backups, and if one goes south it's easy to just swap the hard drive 
and go. Harder to pull off if my laptop costs $2k. ;)

My original goal was to see what a maximally open source setup might be like 
and got as close as I'm likely to get (for now) with Libreboot+OpenBSD+ral, 
etc. It was pretty good--I'm excited to see what the future holds as more of 
the stack becomes more hacker friendly.

OpenBSD 6.0-stable (GENERIC.MP) #2: Wed Feb 15 17:18:06 PST 2017
   r...@maybe.ggr.com:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4239552512 (4043MB)
avail mem = 4106588160 (3916MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x7db28020 (8 entries)
bios0: vendor coreboot version "CBET4000 4.5-958-gd09dc6b" date 02/08/2017
bios0: LENOVO 745432U
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT MCFG TCPA APIC DMAR HPET
acpi0: wakeup devices HDEF(S4) USB1(S4) USB2(S4) USB3(S4) EHC1(S4) USB4(S4) 
USB5(S4) USB6(S4) EHC2(S4) SLT1(S4) SLT2(S4) SLT3(S4) SLT6(S4) LANC(S3) 
LANR(S3) SLPB(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xf000, bus 0-63
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Duo CPU P8700 @ 2.53GHz, 1600.30 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR
cpu0: 3MB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 266MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2.1.3, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU P8700 @ 2.53GHz, 1600.06 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR
cpu1: 3MB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEGP)
acpiprt2 at acpi0: bus 1 (RP01)
acpiprt3 at acpi0: bus 2 (RP02)
acpiprt4 at acpi0: bus 3 (RP03)
acpiprt5 at acpi0: bus 4 (RP04)
acpiprt6 at acpi0: bus -1 (RP05)
acpiprt7 at acpi0: bus -1 (RP06)
acpiprt8 at acpi0: bus 5 (PCIB)
acpiec0 at acpi0
acpicpu0 at acpi0
C1: bogo buffer
C2: bogo buffer
C3: bogo buffer: C1(@1 halt!), PSS
acpicpu1 at acpi0
C1: bogo buffer
C2: bogo buffer
C3: bogo buffer: C1(@1 halt!), PSS
acpitz0 at acpi0: critical temperature is 127 degC
acpitz1 at acpi0: critical temperature is 99 degC
acpithinkpad0 at acpi0
acpiac0 at acpi0: AC unit offline
acpibat0 at acpi0: BAT0 model "COMPATIBLE" serial 18729 type LION oem "SANYO"
acpibat1 at acpi0: BAT1 not present
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: LID_
"PNP0303" at acpi0 not configured
"PNP0F13" at acpi0 not configured
"GOOGCB00" at acpi0 not configured
acpidock0 at acpi0: DOCK not docked (0)

splassert: yield message on 5 Feb snapshot (amd64)

2017-02-08 Thread Scott Vanderbilt
Updated a machine to latest (5 Feb.) snapshot of amd64. I'm now seeing 
the following message after booting that I've not recalled seeing before:


   splassert: yield: want 0 have 1

Looking in the list archives, I see a thread from Sept. 2016 where the 
following response from Theo Buehler is given to a similar message 
(splassert: sorwakeup: want 64 have 0) observed by someone else:



These should all be fixed now. If you still get them with the next
snapshot, set sysctl kern.splassert=2 to get a backtrace which you can
report.



Does this advice still hold, or is this unrelated?

Thank you.


OpenBSD 6.0-current (GENERIC.MP) #163: Sun Feb  5 13:55:12 MST 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1020133376 (972MB)
avail mem = 984612864 (939MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf0100 (38 entries)
bios0: vendor Award Software International, Inc. version "F3" date 
04/09/2009

bios0: Gigabyte Technology Co., Ltd. G41M-ES2L
acpi0 at bios0: rev 0
acpi0: TAMG checksum error
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP HPET MCFG TAMG APIC SSDT
acpi0: wakeup devices PEX0(S5) PEX1(S5) PEX2(S5) PEX3(S5) PEX4(S5) 
PEX5(S5) HUB0(S5) UAR1(S3) UAR2(S3) USB0(S3) USB1(S3) USB2(S3) USB3(S3) 
USBE(S3) AZAL(S5) PCI0(S5)

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimcfg0 at acpi0 addr 0xc000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU E3200 @ 2.40GHz, 1700.17 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,XSAVE,NXE,LONG,LAHF,PERF,SENSOR

cpu0: 1MB 64b/line 4-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 199MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Celeron(R) CPU E3200 @ 2.40GHz, 1699.96 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,XSAVE,NXE,LONG,LAHF,PERF,SENSOR

cpu1: 1MB 64b/line 4-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEX0)
acpiprt2 at acpi0: bus 2 (PEX1)
acpiprt3 at acpi0: bus -1 (PEX2)
acpiprt4 at acpi0: bus -1 (PEX3)
acpiprt5 at acpi0: bus -1 (PEX4)
acpiprt6 at acpi0: bus -1 (PEX5)
acpiprt7 at acpi0: bus 3 (HUB0)
acpicpu0 at acpi0: C1(@1 halt!), FVS, 1600, 1200 MHz
acpicpu1 at acpi0: C1(@1 halt!), FVS, 1600, 1200 MHz
acpibtn0 at acpi0: PWRB
"PNP0700" at acpi0 not configured
"PNP0501" at acpi0 not configured
"PNP0501" at acpi0 not configured
"PNP0400" at acpi0 not configured
"PNP0F13" at acpi0 not configured
"PNP0303" at acpi0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel G41 Host" rev 0x03
inteldrm0 at pci0 dev 2 function 0 "Intel G41 Video" rev 0x03
drm0 at inteldrm0
intagp0 at inteldrm0
agp0 at intagp0: aperture at 0xd000, size 0x1000
inteldrm0: msi
inteldrm0: 1280x1024, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x01: msi
azalia0: codecs: Realtek/0x0887
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x01: msi
pci2 at ppb1 bus 2
re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x02: RTL8168C/8111C 
(0x3c00), msi, address 00:24:1d:86:28:95

rgephy0 at re0 phy 7: RTL8169S/8110S/8211 PHY, rev. 2
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: apic 2 int 23
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: apic 2 int 19
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: apic 2 int 18
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: apic 2 int 16
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: apic 2 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 
2.00/1.00 addr 1

ppb2 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci3 at ppb2 bus 3
pcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01
pciide0 at pci0 dev 31 function 2 "Intel 82801GB SATA" rev 0x01: DMA, 
channel 0 wired to compatibility, channel 1 wired to compatibility

wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 476938MB, 976771055 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
atapiscsi0 at pciide0 

Re: Troubleshooting JDK Segmentation Faults

2017-01-27 Thread Scott Vanderbilt

Super. Thanks!

On 1/27/2017 11:10 AM, Pablo Méndez Hernández wrote:

Hi Scott,

Yes, it was a bug that was fixed some hours ago by sthen@:
https://marc.info/?l=openbsd-cvs=148551522630798=2

Next snap should have the fix.


Regards.
Pablo

On Fri, Jan 27, 2017 at 7:28 PM, Scott Vanderbilt <li...@datagenic.com> wrote:

On 1/27/2017 9:58 AM, Philip Guenther wrote:


On Fri, Jan 27, 2017 at 8:43 AM, Scott Vanderbilt <li...@datagenic.com>
wrote:


I recently upgraded the -current snapshot on an amd64 host running Apache
Solr, and am now getting segmentation faults on Solr start-up that
weren't
occurring with the previous snapshot ((GENERIC) #145: Mon Jan 16 11:42:53
MST 2017).



You caught a build during the a2k17 hackathon where I had a bug in
ld.so's DT_RUNPATH support.  Update to a newer snapshot, or just build
and install an up-to-date ld.so (from /usr/src/libexec/ld.so)



Thank you for your speedy reply.

I have upgraded another host to the latest amd64 snapshot, and it does
indeed resolve the seg fault problem.

However, when I attempt to upgrade my packages, I get repeated error
messages like this:

# pkg_add -u
Error from http://ftp.usa.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/
warning: libtls.so.15.0: minor version >= 2 expected, using it anyway
quirks-2.278 signed on 2017-01-26T16:24:51Z
Error from
http://ftp.usa.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/quirks-2.278.tgz
warning: libtls.so.15.0: minor version >= 2 expected, using it anyway
quirks-2.278->2.278: ok
Error from
http://ftp.usa.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/apache-httpd-2.4.23.tgz
warning: libtls.so.15.0: minor version >= 2 expected, using it anyway

Since the timestamp on the latest set of amd64 packages pre-dates the
snapshot build timestamp by several hours, may I assume this is just a sync
issue that will be sorted out after the next bulk package build?

Thanks again.

- Scott




Re: Troubleshooting JDK Segmentation Faults

2017-01-27 Thread Scott Vanderbilt

On 1/27/2017 9:58 AM, Philip Guenther wrote:

On Fri, Jan 27, 2017 at 8:43 AM, Scott Vanderbilt <li...@datagenic.com> wrote:

I recently upgraded the -current snapshot on an amd64 host running Apache
Solr, and am now getting segmentation faults on Solr start-up that weren't
occurring with the previous snapshot ((GENERIC) #145: Mon Jan 16 11:42:53
MST 2017).


You caught a build during the a2k17 hackathon where I had a bug in
ld.so's DT_RUNPATH support.  Update to a newer snapshot, or just build
and install an up-to-date ld.so (from /usr/src/libexec/ld.so)


Thank you for your speedy reply.

I have upgraded another host to the latest amd64 snapshot, and it does 
indeed resolve the seg fault problem.


However, when I attempt to upgrade my packages, I get repeated error 
messages like this:


# pkg_add -u
Error from http://ftp.usa.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/
warning: libtls.so.15.0: minor version >= 2 expected, using it anyway
quirks-2.278 signed on 2017-01-26T16:24:51Z
Error from 
http://ftp.usa.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/quirks-2.278.tgz

warning: libtls.so.15.0: minor version >= 2 expected, using it anyway
quirks-2.278->2.278: ok
Error from 
http://ftp.usa.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/apache-httpd-2.4.23.tgz

warning: libtls.so.15.0: minor version >= 2 expected, using it anyway

Since the timestamp on the latest set of amd64 packages pre-dates the 
snapshot build timestamp by several hours, may I assume this is just a 
sync issue that will be sorted out after the next bulk package build?


Thanks again.

- Scott



Troubleshooting JDK Segmentation Faults

2017-01-27 Thread Scott Vanderbilt
I recently upgraded the -current snapshot on an amd64 host running 
Apache Solr, and am now getting segmentation faults on Solr start-up 
that weren't occurring with the previous snapshot ((GENERIC) #145: Mon 
Jan 16 11:42:53 MST 2017).


Currently running:

# uname -a
OpenBSD vergil.rockology.com 6.0 GENERIC#150 amd64

dmesg is at tail of this post. JDK is latest, updated at same time as 
snapshot:


# pkg_info|grep jdk
jdk-1.8.0.112p0v0   OpenJDK Software Development Kit v1.8.0.112

When Solr is launched from /etc/rc.local, there is no feedback to 
console, but it clearly seg faults shortly after starting. In fact, no 
Java apps appear to work, viz.:


# /usr/local/jdk-1.8.0/bin/java -version
Segmentation fault (core dumped)

When I attempt to read the java.core with gdb, I get the following:

  # gdb /usr/local/jdk-1.8.0/bin/java java.core
  GNU gdb 6.3
  Copyright 2004 Free Software Foundation, Inc.
  GDB is free software, covered by the GNU General Public License, and
  you are welcome to change it and/or distribute copies of it under
  certain conditions. Type "show copying" to see the conditions.
  There is absolutely no warranty for GDB.  Type "show warranty" for
  details.
  This GDB was configured as "amd64-unknown-openbsd6.0"...(no debugging
  symbols found)

  Core was generated by `java'.
  Program terminated with signal 11, Segmentation fault.
  #0  0x1cb5a4603000 in ?? ()
  (gdb) bt 10
  #0  0x1cb5a4603000 in ?? ()
  #1  0x1cb33fb0 in ?? ()
  #2  0x000b0002 in ?? ()
  #3  0x636f6c2f7273752f in ?? ()
  #4  0x312d6b646a2f6c61 in ?? ()
  #5  0x6e69622f302e382e in ?? ()
  #6  0x in ?? ()
  (gdb)

As I said, this Solr instance was happily working for many months prior 
to upgrading to this latest build, so I suspect the issue lies with the 
particular JDK build or some interaction with the OS. Might someone be 
able to point me to any resources that help me track down the source of 
the problem?


Many thanks in advance.

-
# dmesg
OpenBSD 6.0-current (GENERIC) #150: Sun Jan 22 17:48:47 MST 2017
bu...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1995309056 (1902MB)
avail mem = 1930313728 (1840MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf0100 (52 entries)
bios0: vendor Award Software International, Inc. version "F5" date 
07/27/2007

bios0: Gigabyte Technology Co., Ltd. GA-MA69VM-S2
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP SSDT MCFG APIC
acpi0: wakeup devices USB0(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) 
USB5(S3) SBAZ(S4) P2P_(S5) PCE2(S4) PCE3(S4) PCE4(S4) PCE5(S4) PCE6(S4) 
PCE7(S4) PCE8(S4) PCI0(S5)

acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Athlon(tm) 64 Processor 3200+, 2004.80 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,SVM,EAPICSP,AMCR8
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 
64b/line 16-way L2 cache

cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 200MHz
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 21, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 3 (P2P_)
acpiprt2 at acpi0: bus 2 (PCE2)
acpiprt3 at acpi0: bus -1 (PCE3)
acpiprt4 at acpi0: bus -1 (PCE4)
acpiprt5 at acpi0: bus -1 (PCE5)
acpiprt6 at acpi0: bus -1 (PCE6)
acpiprt7 at acpi0: bus -1 (PCE7)
acpiprt8 at acpi0: bus -1 (PCE8)
acpiprt9 at acpi0: bus 1 (AGP_)
acpicpu0 at acpi0: C1(@1 halt!), PSS
acpibtn0 at acpi0: PWRB
"PNP0700" at acpi0 not configured
"PNP0501" at acpi0 not configured
"PNP0501" at acpi0 not configured
"PNP0400" at acpi0 not configured
cpu0: PowerNow! K8 2004 MHz: speeds: 2000 1800 1000 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "ATI RS690 Host" rev 0x00
ppb0 at pci0 dev 1 function 0 "ATI RS690 PCIE" rev 0x00
pci1 at ppb0 bus 1
radeondrm0 at pci1 dev 5 function 0 "ATI Radeon X1250" rev 0x00
drm0 at radeondrm0
radeondrm0: msi
ppb1 at pci0 dev 2 function 0 "ATI RS690M PCIE" rev 0x00: msi
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 "Intel 82572EI" rev 0x06: apic 2 int 18, 
address 00:1b:21:00:6e:c2
ahci0 at pci0 dev 18 function 0 "ATI SB600 SATA" rev 0x00: apic 2 int 
22, AHCI 1.1

ahci0: port 0: 3.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI3 
0/direct fixed naa.50014ee058fb1510

sd0: 476938MB, 512 bytes/sector, 976771055 sectors
ohci0 at pci0 dev 19 function 0 "ATI SB600 USB" rev 0x00: apic 2 int 16, 
version 
