Re: serious watchdog timeout issues with em driver
On 08/12/15 21:47, Kapetanakis Giannis wrote:
> The event happened only once and its network recovered after a few seconds. no reboot.
>
> G

Well that didn't last long. Today I found the server hanged at ddb after a new watchdog timeout on em0. Keyboard was not working so I could not get all the info. I wrote on paper:

    uvm_fault(0xd0ba3660, 0xefffe000, 0, 1) -> d
    kernel: page fault trap, code=0
    Stopped at bpf_m_xhalt+0x6f: movzwl 0(%esi),%eax

G
Re: Empty MFS on root
2015-12-08 21:18 GMT+01:00 Alexander Hall:
> On December 8, 2015 4:21:16 PM GMT+01:00, Otto Moerbeek wrote:
> >On Tue, Dec 08, 2015 at 03:03:14PM +, Tati Chevron wrote:
> >
> >> Currently, it's possible, (as root), to do something like:
> >> # mount_mfs -s 1g swap /
> >>
> >> which succeeds, and mounts the empty filesystem as the root filesystem.
> >> This makes the machine inoperable and requires a physical reset, without a clean shutdown, as no system binaries are available.
> >>
> >> Shouldn't we make mount_mfs error out in this case?
> >
> >Why? Unix does not prevent you from doing stupid things in general.
> >Besides, a small variation (using -P) could be a proper and sane use of mount_mfs on /
>
> FWIW, I don't think so, as the mfs is populated after being mounted.

Yeah, mount_mfs will need /bin/pax, and if you give -P a block device, it will use /mnt in order to mount the wanted device on so pax can read the files out of it, so / and /mnt can't be mfs-mounted upon with -P.

-- 
May the most significant bit of your life be positive.
Re: Octeon snapshots
> [1]: https://www.mail-archive.com/tech%40openbsd.org/msg26048.html

You have to use the octeon native objcopy by building the cross compiler:

    # cd /usr/src
    # make -f Makefile.cross TARGET=octeon cross-gcc

And then use the objcopy from /usr/cross/octeon/usr/mips64-unknown-openbsd5.8/bin/objcopy
Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/
On 2015-12-08 Tue 12:06 PM |, szs wrote:
> So with letsencrypt here, how about making the main site
> default to https? Is this a good idea or is this a great idea?
> Copy & Paste from 2013: "OpenBSD site SSL" http://marc.info/?t=13815459562=1=2

Please don't. That would slow it down & eliminate cachability - increasing network load & costs. Encryption soaks up CPU time & electricity costs, leaving less money for hackathons, etc, etc... There's no personal data & no point.

Anyway, THIS email is being sent in clear text from Scotland to Canada. It will also be archived and published on several public websites.

-- 
Miksch's Law: If a string has one end, then it has another end.
Re: Octeon snapshots
Hi Everybody,

Has anyone successfully installed on a D-Link DSR-500N (HW A1)? I have tried again with the last snapshot, and I am still stuck [1].

Thanks,

[1]: https://www.mail-archive.com/tech%40openbsd.org/msg26048.html

On 12/06/15 05:54, Daniel Ouellet wrote:
> On 12/5/15 8:01 PM, jungle Boogie wrote:
> > On 5 December 2015 at 01:36, Daniel Ouellet wrote:
> > > I very much appreciate it.
> >
> > I appreciate this too, but I can't complete the install. I tried an update and now an install. Like the first time, I'm following the network boot instructions here:
> > ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/octeon/INSTALL.octeon
> >
> > I can get the bsd.rd file fine from my server and boot into the installer. This is the problem:
> >
> >   Available disks are: sd0.
> >   Which disk is the root disk? ('?' for details) [sd0]
> >   Disk: sd0       geometry: 1946/255/63 [31266816 Sectors]
> >   Offset: 0       Signature: 0xAA55
> >             Starting         Ending         LBA Info:
> >    #: id      C   H   S -      C   H   S [       start:        size ]
> >   ---
> >   *0: 0C      0   1   2 -      2  11   9 [          64:       32768 ] Win95 FAT32L
> >    1: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
> >    2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
> >    3: A6      2  11  10 -   1946  68  42 [       32832:    31233984 ] OpenBSD
> >   Use (W)hole disk, use the (O)penBSD area or (E)dit the MBR? [OpenBSD]
> >   The auto-allocated layout for sd0 is:
> >   #      size     offset  fstype [fsize bsize cpg]
> >     a:  464.9M      32832  4.2BSD   2048 16384   1 # /
> >     b:  465.1M     984896    swap
> >     c: 15267.0M         0  unused
> >     d:  735.8M    1937472  4.2BSD   2048 16384   1 # /tmp
> >     e: 1080.7M        316  4.2BSD   2048 16384   1 # /var
> >     f: 1284.9M    5657696  4.2BSD   2048 16384   1 # /usr
> >     g:  742.9M    8289120  4.2BSD   2048 16384   1 # /usr/X11R6
> >     h: 2817.8M    9810624  4.2BSD   2048 16384   1 # /usr/local
> >     i:   16.0M         64   MSDOS
> >     j: 1178.0M   15581408  4.2BSD   2048 16384   1 # /usr/src
> >     k: 1607.9M   17993856  4.2BSD   2048 16384   1 # /usr/obj
> >     l: 4872.9M   21286848  4.2BSD   2048 16384   1 # /home
> >   Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a]
> >   disklabel(27018): syscall 5 "cpath"
> >   Abort trap
> >
> > What's syscall 5 cpath and why does it cause an abort trap? I've tried with two different thumb drives with the same abort trap message.
> >
> > Thanks!
>
> Well I can't say what you did or didn't do. Below there is WAY more information then needed. But I just did it again all the way and here are all the steps by steps I did and here is what my layout is before I started:
>
>   # fdisk sd0
>   Disk: sd0       geometry: 1946/255/63 [31266816 Sectors]
>   Offset: 0       Signature: 0xAA55
>             Starting         Ending         LBA Info:
>    #: id      C   H   S -      C   H   S [       start:        size ]
>   ---
>   *0: 0C      0   1   2 -      2  11   9 [          64:       32768 ] Win95 FAT32L
>    1: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
>    2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
>    3: A6      2  11  10 -   1946  68  42 [       32832:    31233984 ] OpenBSD
>
>   # disklabel sd0
>   # /dev/rsd0c:
>   type: SCSI
>   disk: SCSI disk
>   label: Cruzer Fit
>   duid: 55072c2137c3a4e7
>   flags:
>   bytes/sector: 512
>   sectors/track: 63
>   tracks/cylinder: 255
>   sectors/cylinder: 16065
>   cylinders: 1946
>   total sectors: 31266816
>   boundstart: 32832
>   boundend: 31266816
>   drivedata: 0
>
>   16 partitions:
>   #        size     offset  fstype [fsize bsize cpg]
>     a:  1059584      32832  4.2BSD   2048 16384   1 # /
>     b:  1044229    1092416    swap                  # none
>     c: 31266816          0  unused
>     d:  2104480    2136672  4.2BSD   2048 16384   1 # /tmp
>     e: 10474368    4241152  4.2BSD   2048 16384   1 # /var
>     f:  2088448   14715520  4.2BSD   2048 16384   1 # /var/log
>     g: 10474400   16803968  4.2BSD   2048 16384   1 # /usr
>     h:  3988448   27278368  4.2BSD   2048 16384   1 # /home
>     i:    32768         64   MSDOS
>
> And here are the step by step:
>
>   # mount_msdos /dev/sd0i /mnt
>   # cd /mnt
>   # ls -al
>   total 22664
>   drwxr-xr-x   1 root  wheel    16384 Dec 31  1979 .
>   drwxr-xr-x  13 root  wheel      512 Dec  5 00:11 ..
>   -rwxr-xr-x   1 root  wheel  4020931 Nov 14 17:29 bsd
>   -rwxr-xr-x   1 root  wheel  7562057 Nov 14 17:29 bsd.rd
>   # ftp ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/octeon/bsd.rd
>   Connected to openbsd.sunsite.ualberta.ca.
>   220 openbsd.srv.ualberta.ca FTP server ready.
>   ...
>   Retrieving
kerberos
What is/are the alternative(ies) for kerberos on openbsd ? (Since it was removed from the distribution). Thanks.
Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/
Kevin Chadwick writes:
> The cvs page fingerprint page could be https enabled, however you can
> use googles cache over https, also buy a CD to help the project greatly
> would do far more for world security than TLS everywhere and even look
> at mailing list archives over https as a web of trust.
>
> ISPs snooping is a compelling reason but not enough for me to adopt
> HSTS, a VPN makes more sense. I changed my ISP instead though ;).

There are valid complaints about HTTPS (generally involving the CA system, sthen brought some of them up), but some of these responses are just ridiculous.

I mean, really? "ISPs snooping is a compelling reason but not enough for me to adopt SSH instead of telnet, a VPN makes more sense."

And you would trust signify keys from Google Cache? Come on.
Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/
On 08-12-2015 23:23, Stuart Henderson wrote:
> I wasn't aware that it lets you disregard the CAs though

Once the client has the two certs pinned (the primary and the backup), if a malicious CA tries to impersonate the server using a forged (although perfectly valid) certificate, the client shouldn't connect to it, because it already has the fingerprint pinned. It is the same rationale as ssh host keys, trust on first use.

But, by the way this thread evolved, we're beating a dead horse here now.

Cheers,
Giancarlo Razzolini
Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/
> In the case of www.openbsd.org, using HTTPS isn't so much about
> privacy as it is about integrity. Yes, signify(1) is a thing, but
> using HTTPS in addition to it would make release and package
> downloads more difficult to tamper with.

Well packages usually come from mirrors which I know from before signify most don't offer https. All you would achieve now is to make it more likely that people couldn't patch security holes in their systems due to mirrors going down.

> Another attack currently possible against www.openbsd.org is changing
> the https://openbsdstore.com links to http://openbsdstore.com, and
> running sslstrip on that. Or the PayPal links...

So use HSTS, nope because now users don't bother checking as they have a false sense of security and when they find a site that doesn't use HSTS they miss the downgrade. Also users still need to check the domain is correct so checking if the bar is bright green like with the xombrero browser that does things properly mutes any point.

> (For the record, I highly approve of many https efforts, but think
> that https everywhere would be an utter disaster.)

Hear hear

The cvs page fingerprint page could be https enabled, however you can use googles cache over https, also buy a CD to help the project greatly would do far more for world security than TLS everywhere and even look at mailing list archives over https as a web of trust.

ISPs snooping is a compelling reason but not enough for me to adopt HSTS, a VPN makes more sense. I changed my ISP instead though ;).

-- 
KISSIS - Keep It Simple So It's Securable
Re: kerberos
On 09/12/15 15:13, Friedrich Locke wrote:
> What is/are the alternative(ies) for kerberos on openbsd ? (Since it was removed from the distribution). Thanks.

Don't know if you can compile it, but the commit-remove msg is an all time classic :)
http://marc.info/?l=openbsd-cvs=139816103911227=2

G
Re: kerberos
On Wed, Dec 09, 2015 at 11:13:40AM -0200, Friedrich Locke wrote:
> What is/are the alternative(ies) for kerberos on openbsd ? (Since it was
> removed from the distribution).

I use kerberos from ports every day with FF. Unfortunately other apps from ports don't have krb flavor so you either have to recompile it yourself or just live without krb support.

j.
Re: kerberos
On Wed, Dec 09, 2015 at 11:13:40AM -0200, Friedrich Locke wrote:
> What is/are the alternative(ies) for kerberos on openbsd ? (Since it was
> removed from the distribution).

It depends on your exact needs, but there's:

    ports/security/heimdal
    ports/sysutils/login_krb5

-- 
Antoine
Re: Empty MFS on root
Alexander Hall wrote:
> I've been thinking about having mount_mfs mounting the new mfs in some
> temporary place prior to /bin/pax the lot into it, and then unmount it
> and mount it into its final destination. I guess I just have not had
> any use for that yet. :-)

This would be beneficial for a number of reasons. The current race condition isn't very nice.
Re: Empty MFS on root
On Wed, Dec 09, 2015 at 09:02:25AM +0100, Janne Johansson wrote:
> 2015-12-08 21:18 GMT+01:00 Alexander Hall:
> > On December 8, 2015 4:21:16 PM GMT+01:00, Otto Moerbeek wrote:
> > >On Tue, Dec 08, 2015 at 03:03:14PM +, Tati Chevron wrote:
> > >
> > >> Currently, it's possible, (as root), to do something like:
> > >> # mount_mfs -s 1g swap /
> > >>
> > >> which succeeds, and mounts the empty filesystem as the root filesystem.
> > >> This makes the machine inoperable and requires a physical reset, without a clean shutdown, as no system binaries are available.
> > >>
> > >> Shouldn't we make mount_mfs error out in this case?
> > >
> > >Why? Unix does not prevent you from doing stupid things in general.
> > >Besides, a small variation (using -P) could be a proper and sane use of mount_mfs on /
> >
> > FWIW, I don't think so, as the mfs is populated after being mounted.
>
> Yeah, mount_mfs will need /bin/pax, and if you give -P a block device, it will
> use /mnt in order to mount the wanted device on so pax can read the files out
> of it, so / and /mnt can't be mfs-mounted upon with -P.

I've been thinking about having mount_mfs mounting the new mfs in some temporary place prior to /bin/pax the lot into it, and then unmount it and mount it into its final destination. I guess I just have not had any use for that yet. :-)

/Alexander

> --
> May the most significant bit of your life be positive.
Re: Octeon snapshots
On 12/09/15 12:58, Paul Irofti wrote:
> > [1]: https://www.mail-archive.com/tech%40openbsd.org/msg26048.html
>
> You have to use the octeon native objcopy by building the cross compiler:
>
>     # cd /usr/src
>     # make -f Makefile.cross TARGET=octeon cross-gcc
>
> And then use the objcopy from /usr/cross/octeon/usr/mips64-unknown-openbsd5.8/bin/objcopy

Thank you Paul. bsd.rd is now booting.

-- 
Alexis de BRUYN
kerberos
I am a little outdated, but was heimdal removed from the bsd world or it was just moved from the base system to the ports collection ? Thanks.
authentication infra structure
If you had about 10k users and 5k machines how would you manage authenticating issues? Keep in mind that this is a very heterogeneous environment with ldap, ftp, smtp, pop3, traditional unix boxes etc
Re: kerberos
On 12/09/15 17:45, Friedrich Locke wrote:
> I am a little outdated, but was heimdal removed from the bsd world or it
> was just moved from the base system to the ports collection ?
>
> Thanks.

Ports
/usr/ports/security/heimdal
Re: cyrus-sasl2
On Wed, Dec 09, 2015 at 04:15:07PM -0200, Friedrich Locke wrote:
> Does security/cyrus-sasl2 include support for GSSAPI (I am in need of
> kerberos) ?

Not currently. They removed that support when they kicked Heimdal out of base.

One of my spare time projects is looking how to put that back in as a flavor for the port.

--Kurt
cyrus-sasl2
Does security/cyrus-sasl2 include support for GSSAPI (I am in need of kerberos) ? Thanks in advance.
Re: cyrus-sasl2
On Wed, Dec 09, 2015 at 10:31:01PM +0100, Antoine Jacoutot wrote:
> On Wed, Dec 09, 2015 at 01:32:31PM -0500, Kurt Mosiejczuk wrote:
> > On Wed, Dec 09, 2015 at 04:15:07PM -0200, Friedrich Locke wrote:
> > > Does security/cyrus-sasl2 include support for GSSAPI (I am in need of
> > > kerberos) ?
>
> > Not currently. They removed that support when they kicked Heimdal out
> > of base.
>
> > One of my spare time projects is looking how to put that back in as a
> > flavor for the port.
>
> I can take care of that.

That would be fantastic, thank you very much!

--Kurt
Disabling dedicated GPU on Macbook Pro
I have tried to get an OpenBSD desktop running on my MacBookPro10,1 (the first Retina model). But I only get VESA working on a terrible res while the machine is running extremely hot. This is the case for most (all?) MacBooks with 2 GPUs. On linux (and osx recovery mode?) one can use this script to disable the dedicated gpu and only use the integrated, intel gpu: https://github.com/0xbb/gpu-switch Could something like this help start the intel driver on OpenBSD? Thanks!
Re: authentication infra structure
--On Wednesday, December 09, 2015 05:25:14 PM -0200 Friedrich Locke wrote:
> If you had about 10k users and 5k machine how would you manage
> authenticating issues? Keep in mind that this is a very heterogenous
> environment with ldap, ftp, smtp, pop3, traditional unix boxes etc

You've already got the key to that solution (LDAP). Do you mean things like provisioning and credential management? I've not used it, but you might want to look at FreeIPA. Although it uses KDC at the core, IIRC you can have LDAP-only clients authenticate to it.

Once you have the core, then you need to look at the service-specific docs (your ftp server, MDA, etc) as to how to wire them into LDAP.

Of course, with that many machines I hope you're already using some kind of automated provisioning for at least configuration (puppet, cfengine, etc).

Devin
Re: cyrus-sasl2
On Wed, Dec 09, 2015 at 01:32:31PM -0500, Kurt Mosiejczuk wrote:
> On Wed, Dec 09, 2015 at 04:15:07PM -0200, Friedrich Locke wrote:
> > Does security/cyrus-sasl2 include support for GSSAPI (I am in need of
> > kerberos) ?
>
> Not currently. They removed that support when they kicked Heimdal out
> of base.
>
> One of my spare time projects is looking how to put that back in as a
> flavor for the port.

I can take care of that.

-- 
Antoine
Re: authentication infra structure
On Wed, Dec 09, 2015 at 01:21:19PM -0700, Devin Reade wrote:
> --On Wednesday, December 09, 2015 05:25:14 PM -0200 Friedrich Locke wrote:
>
> > If you had about 10k users and 5k machine how would you manage
> > authenticating issues? Keep in mind that this is a very heterogenous
> > environment with ldap, ftp, smtp, pop3, traditional unix boxes etc
>
> You've already got the key to that solution (LDAP). Do you mean
> things like provisioning and credential management? I've not used it,
> but you might want to look at FreeIPA. Although it uses KDC at the
> core, IIRC you can have LDAP-only clients authenticate to it.

IIUC FreeIPA does require sssd and pam, thus out of luck on OpenBSD.

j.
Interaction seen between dhcp renewal and iked session forcing it to try to switch to NAT-T and die form then on.
Sorry for the long details here. It may be relevant or related to some comment I have seen in regards to DHCP client killing traffic in the last few days on tech@ I have seen and that may be it might be useful. If not just ignore as I am still digging why iked session are unstable long term.

But what is sure and seen in the logs is that somehow a perfectly stable iked session with somehow after running well try for no reason to switch to NAT-T when at the same time I see DHCP renewal or request on the originating side of the iked session.

The only thing I can think of is that somehow because of the timing of the dhcp renewal, one side of the iked didn't receive a confirmation back and then initiate a NAT-T instead, then it was received after the DHCP renewal process was completed and then somehow the iked session never recover from it because it try to do nat from this point and there isn't any NAT in the path.

Logs appear to show this is the common elements I have seen a few times so far and it appear to always be the common factor on an otherwise perfectly stable and running iked session.

So, I think I may have found why my IKEDv2 doesn't stay up long term, but I am not sure how to go around it yet. Somehow the remote IKED node, even if programmed for passive mode, down the road it will send a request for NAT-T to the originating side of the session on a perfectly stable session. I can't figure out why it would even do that, but I see it in the logs. Then from that point on, the session will never recover at all until I actually simply restart the session on the active side of the session.

Log from remote session. Look at the last two lines from the extract here.
    Dec 9 14:28:24 tunnel iked[15183]: ikev2_recv: IKE_SA_INIT request from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 0, 534 bytes
    Dec 9 14:28:24 tunnel iked[15183]: ikev2_msg_send: IKE_SA_INIT response from 66.63.5.250:500 to 108.56.142.37:500 msgid 0, 437 bytes
    Dec 9 14:28:24 tunnel iked[15183]: ikev2_recv: IKE_AUTH request from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 1, 800 bytes
    Dec 9 14:28:24 tunnel iked[15183]: ikev2_msg_send: IKE_AUTH response from 66.63.5.250:500 to 108.56.142.37:500 msgid 1, 768 bytes
    Dec 9 14:28:24 tunnel iked[15183]: sa_state: VALID -> ESTABLISHED from 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet'
    Dec 9 15:21:05 tunnel iked[15183]: ikev2_recv: CREATE_CHILD_SA request from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 2, 288 bytes
    Dec 9 15:21:05 tunnel iked[15183]: ikev2_msg_send: CREATE_CHILD_SA response from 66.63.5.250:500 to 108.56.142.37:500 msgid 2, 240 bytes
    Dec 9 15:21:05 tunnel iked[15183]: ikev2_recv: INFORMATIONAL request from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 3, 80 bytes
    Dec 9 15:21:05 tunnel iked[15183]: ikev2_pld_delete: deleted 1 spis
    Dec 9 15:21:05 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL response from 66.63.5.250:500 to 108.56.142.37:500 msgid 3, 80 bytes
    Dec 9 16:16:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL request from 66.63.5.250:500 to 108.56.142.37:500 msgid 0, 80 bytes
    Dec 9 16:16:25 tunnel iked[15183]: ikev2_recv: INFORMATIONAL response from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 0, 80 bytes
    Dec 9 16:20:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL request from 66.63.5.250:4500 to 108.56.142.37:4500 msgid 1, 80 bytes, NAT-T
    Dec 9 16:20:25 tunnel iked[15183]: ikev2_recv: INFORMATIONAL response from initiator 108.56.142.37:4500 to 66.63.5.250:4500 policy 'Ouellet' id 1, 80 bytes
    Dec 9 16:31:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL request from 66.63.5.250:4500 to 108.56.142.37:4500 msgid 2, 80 bytes, NAT-T

And then from that point on, it will ONLY try to use NAT-T and never go back to the normal setup, not even try it as the original side somehow see it as good. and if you do ipsecctl -sa, you see that it appear to be up. But from that point on, no matter what traffic is not flowing anymore and stop exactly from that point forward and never recover until done manually.

Now this may be a coincidence, but it appear to happen when there is a DHCP renewal on the source side, even if that's NOT on the interface where the session is on. Looks like a message was received too but may be not replied to, then a NAT-T message arrive after that point and then all went dead until manually reset.

Strange thing is why a DHCP renewal on a different interface affect traffic on an other interface that also operate with DHCP, BUT is not in the process of renewal at that point? Is it possible that all interface that are configured with DHCP are affected when one of them is in a renewal cycle.

I saw a few DHCP commit in the last few days and one comment from Bob@ regarding DHCP session dying etc. This may not have anything to do with it, but I thought that may be it may have, or because of the events I see and the cvs
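A defender-side check for the symptom described in this message, written as an added example (it is not part of the original post nor of iked itself): it scans iked log lines of the shape shown in the excerpt and reports any SA that was established on one UDP port and later exchanged messages on another port without a new IKE_SA_INIT in between. The line regex and the sample log lines are assumptions modelled on the excerpt above.

```python
import re

# Assumed line shape, derived from the iked(8) excerpt in the message above:
# "<ts> <host> iked[<pid>]: <func>: <text> from [initiator ]<ip>:<port> to <ip>:<port> ..."
# Lines that do not fit it (e.g. "ikev2_pld_delete: deleted 1 spis") are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ iked\[\d+\]: (?P<func>\w+): "
    r"(?P<what>.*?) from (?:initiator )?(?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)(?P<rest>.*)$"
)

def parse(line):
    """Return the fields of one iked log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_port_switches(lines):
    """Return one (ts, peer, old_port, new_port, natt) tuple for each SA that was
    established on one UDP port and later carried messages on a different port
    without a fresh IKE_SA_INIT in between. The peer is the remote address:
    the 'from' side of received lines, the 'to' side of sent lines."""
    established = {}   # peer ip -> port the SA was established on
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["func"] in ("ikev2_recv", "sa_state"):
            peer, port = rec["src"], int(rec["sport"])
        elif rec["func"] == "ikev2_msg_send":
            peer, port = rec["dst"], int(rec["dport"])
        else:
            continue
        if rec["what"].startswith("IKE_SA_INIT"):
            established.pop(peer, None)   # a new negotiation resets the baseline
        elif rec["func"] == "sa_state" and rec["what"].endswith("ESTABLISHED"):
            established[peer] = port
        elif peer in established and established[peer] != port:
            findings.append((rec["ts"], peer, established[peer], port,
                             "NAT-T" in rec["rest"]))
            established[peer] = port      # report each switch once
    return findings

# Constructed sample, modelled on the excerpt in the message above.
SAMPLE_LOG = [
    "Dec  9 14:28:24 tunnel iked[15183]: ikev2_recv: IKE_SA_INIT request from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 0, 534 bytes",
    "Dec  9 14:28:24 tunnel iked[15183]: ikev2_msg_send: IKE_SA_INIT response from 66.63.5.250:500 to 108.56.142.37:500 msgid 0, 437 bytes",
    "Dec  9 14:28:24 tunnel iked[15183]: sa_state: VALID -> ESTABLISHED from 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet'",
    "Dec  9 15:21:05 tunnel iked[15183]: ikev2_pld_delete: deleted 1 spis",
    "Dec  9 16:16:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL request from 66.63.5.250:500 to 108.56.142.37:500 msgid 0, 80 bytes",
    "Dec  9 16:16:25 tunnel iked[15183]: ikev2_recv: INFORMATIONAL response from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 0, 80 bytes",
    "Dec  9 16:20:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL request from 66.63.5.250:4500 to 108.56.142.37:4500 msgid 1, 80 bytes, NAT-T",
    "Dec  9 16:20:25 tunnel iked[15183]: ikev2_recv: INFORMATIONAL response from initiator 108.56.142.37:4500 to 66.63.5.250:4500 policy 'Ouellet' id 1, 80 bytes",
    "Dec  9 16:31:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL request from 66.63.5.250:4500 to 108.56.142.37:4500 msgid 2, 80 bytes, NAT-T",
]

if __name__ == "__main__":
    for ts, peer, old, new, natt in find_port_switches(SAMPLE_LOG):
        print(f"{ts}: SA with {peer} moved from udp/{old} to udp/{new}"
              f"{' (NAT-T)' if natt else ''} without a new IKE_SA_INIT")
```

Feeding the output of `grep iked /var/log/daemon` into find_port_switches() flags the first message of the port change, which is the point to correlate against dhclient activity on the other side.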
Re: Chelsio T4 10g adapters support ?
> On 10 Dec 2015, at 12:28, Brendan Horan wrote:
>
> Hi,
>
> I am looking at building a system running OpenBSD to deal with 10g networks.
>
> It would seem there is good support for Intel cards via the "ix" driver.
> However I was looking at Chelsio cards.
> It seems the "che" driver only supports T3 series and the PE9000 cards.
>
> However the T3 series is PCIe 1.1,
> not exactly useful on a dual port 10gbe card.
> Thus I was looking at the T4 series cards.
>
> Would there be much needed to get one of them working on OpenBSD ?
> If the answer to that is "no clue",
> would the card make a good donation to someone at OpenBSD?
> FreeBSD has support for T4 cards if that helps.
>
> I am still unsure if I want this card or an Intel card at this point.
>
> Thanks for your time

you want an ix(4) for now. there's a few 10g chips we dont have support for yet, but developer time is more of a constraint than lack of hardware at the moment.

dlg
Chelsio T4 10g adapters support ?
Hi, I am looking at building a system running OpenBSD to deal with 10g networks. It would seem there is good support for Intel cards via the "ix" driver. However I was looking at Chelsio cards. It seems the "che" driver only supports T3 series and the PE9000 cards. However the T3 series is PCIe 1.1, not exactly useful on a dual port 10gbe card. Thus I was looking at the T4 series cards. Would there be much needed to get one of them working on OpenBSD ? If the answer to that is "no clue", would the card make a good donation to someone at OpenBSD? FreeBSD has support for T4 cards if that helps. I am still unsure if I want this card or an Intel card at this point. Thanks for your time