Re: ifconfig autoconf stopped working - how to debug?
On Mon, May 27, 2024 at 03:06:04PM +0100, Zé Loff wrote:
> On Mon, May 27, 2024 at 01:51:25PM +0100, Chris Narkiewicz wrote:
> dhcpleased now handles this. You can run it with -d and with one or
> more "-v"s. You can also use dhcpleasectl to request a new lease.

I run dhcpleased -d -vvv and here is the output:

state_transition[vio0] Down -> Rebooting, timo: 1
DHCPREQUEST on vio0
iface_timeout[1]: Rebooting
state_transition[vio0] Rebooting -> Rebooting, timo: 2
DHCPREQUEST on vio0
iface_timeout[1]: Rebooting
deleting AAA.BBB.CCC.DDD from vio0 (lease from 0.0.0.0)
state_transition[vio0] Rebooting -> Init, timo: 1
DHCPDISCOVER on vio0
deconfigure_interface vio0
iface_timeout[1]: Init
state_transition[vio0] Init -> Init, timo: 2
DHCPDISCOVER on vio0
iface_timeout[1]: Init
state_transition[vio0] Init -> Init, timo: 4

and so on, so on, so on, timo: 8, 16, 32, 64...

The weird thing is that AAA.BBB.CCC.DDD is the IP address I'm expecting to receive, but it's not listed in ifconfig vio0 output.

Best regards,
Chris Narkiewicz
ifconfig autoconf stopped working - how to debug?
I have a netcup VPS and it crashed recently. After service restoration and fsck, the system cannot obtain IPv4 using autoconf. I'm wondering how I can debug DHCP autoconfiguration. dhclient -v -d doesn't show anything, as the functionality has been moved to ifconfig. ifconfig vio0 debug doesn't print anything.

Best regards,
Chris Narkiewicz
Re: obsd wifi
On Sat, May 04, 2024 at 03:40:18PM -0300, Gustavo Rios wrote: > how to install via pkg_add if i have no network connection ? dmesg and ifconfig should give you a name of the wifi chipset already. To install required packages and firmware, buy a USB adapter. They are $5 and work out of the box. I keep RTL dongle around for such situations: https://man.openbsd.org/urtwn.4 You can also buy a USB ethernet dongle. Those are also dirt-cheap. Best regards, Chris Narkiewicz
Booting with secure boot enabled
Is it possible to boot OpenBSD with secure boot enabled? I'd like to try unattended installation over WiFi on ThinkPad X1 and my UEFI firmware supports PXE over WiFi, but it works only in Secure Boot mode. Best regards, Chris Narkiewicz
Re: Trying to access /dev/ttyUSB0 device from VM
Hardware passthrough is not supported by vmd. Best regards, Chris Narkiewicz
Re: Ctrl+A shortcut not working on the browser
On my machine, Ctrl-A moves cursor to the beginning of input field, while Ctrl-E to the end. I think it emulates Emacs input mode. Best regards, Chris Narkiewicz
Re: MCU recommendations to program on OpenBSD?
On Sun, Mar 03, 2024 at 05:11:17PM +0800, Sadeep Madurange wrote:
> Any recommendations for MCUs with C
> language SDKs supported by OpenBSD?

AVR - 8 bit
ARM - 32 bit

Especially AVRs are top of the game when it comes to open source toolchain support.

Best regards,
Chris Narkiewicz
Re: Pre-built images for embeded machines
On Sat, Mar 02, 2024 at 12:51:05PM -0700, Theo de Raadt wrote:
> It might be easy, but it is wrong.

Besides extra burden on the build infrastructure, are there other issues? Curiosity calling, as I'm not using any arm64 devices personally. I'd assume that such an image would be very challenging to tailor for general use, as embedded systems are usually highly specialized. What are the perceived issues with this approach?

Best regards,
Chris Narkiewicz
Re: Installing shellinabox on OpenBSD
On Mon, Feb 12, 2024 at 02:38:25PM -0500, Daniel Ouellet wrote:
> I am not sure why people say they can't have a safe ssh client for window...

OP mentioned he cannot install software on the machine. This is a pretty common issue if the machine is managed by somebody else.

Best regards,
Chris Narkiewicz
Re: Installing shellinabox on OpenBSD
On Mon, Feb 12, 2024 at 07:12:49PM +, Chris Narkiewicz wrote: > If security is not a problem, you can use telnet. Windows has telnet > client built-in. Also, ttyd is in ports. This could be handy: https://openports.pl/path/www/ttyd Best regards, Chris Narkiewicz
Re: Installing shellinabox on OpenBSD
On Mon, Feb 12, 2024 at 07:01:11PM +0300, Odhiambo Washington wrote: > The VM is NOT exposed to the Internet so I am not worried. If security is not a problem, you can use telnet. Windows has telnet client built-in. Best regards, Chris Narkiewicz
unwind not picking up autoconf resolver from wg0
I have a setup where a machine has 2 network interfaces:

host fqdn: foo.company.com - public address
vio0 - autoconf'd from internet provider, public IP
wg0 - intranet with its own DNS intra.company.com dns domain and 10.0.0.0/8 network

Wireguard is configured in star topology, with 10.0.0.1 server providing org-wide DNS, router, printing, etc.

unwind.conf:
--
forwarder {
    1.1.1.1 port 853 authentication name cloudflare-dns.com DoT
    1.0.0.1 port 853 authentication name cloudflare-dns.com DoT
}
force accept bogus autoconf { intra.company.com }
preference { autoconf forwarder }
--

wg0 has DNS resolver added using route, as instructed in man resolvd(8)

/etc/hostname.wg0:
--
inet ...
wgkey ...
... snip wg vpn config here ...
!route nameserver wg0 10.0.0.1
--

I can definitely observe commented out 10.0.0.1 resolver in /etc/resolv.conf, as expected when unwind and resolvd are running.

However, when I try to resolve anything with unwind, it fails:

# host foo.intra.company.com localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:

Host foo.intra.company.com not found: 3(NXDOMAIN)

Resolver on the other side of wg0 is working:

# host foo.intra.company.com 10.0.0.1
Using domain server:
Name: 172.16.0.1
Address: 10.0.0.1#53
Aliases:

foo.intra.company.com has address 10.0.0.xx

When checking autoconf status, I see that unwind is not picking up resolver from wg0:

# unwindctl status autoconf
autoconfiguration forwarders:
DHCP[vio0]: aa.bb.cc.dd ee.ff.gg.hh

I'm out of ideas here. How can I convince unwind to use resolver from wg0?

Cheers,
Chris
ntpd not adjusting clock in vm
I'm running OpenBSD 7.4 in qemu VM on my laptop. After hibernation, vm clock is delayed. ntpd works in background, but it fails to adjust the clock:

reply from 162.159.200.1: offset 0.005599 delay 0.013842, next query 32s
reply from 139.162.219.252: offset 0.007199 delay 0.011274, next query 30s
reply from 162.159.200.123: offset 0.007154 delay 0.010765, next query 31s
reply from 131.111.8.61: offset 0.007642 delay 0.016057, next query 30s
adjusting local clock by 4686.953122s
(...)
reply from 83.151.207.133: offset 0.011828 delay 0.014193, next query 33s
reply from 139.162.219.252: offset 0.009902 delay 0.011271, next query 32s
reply from 131.111.8.61: offset 0.010350 delay 0.015616, next query 33s
adjusting local clock by 4686.164970s
reply from 162.159.200.1: offset 0.013156 delay 0.011764, next query 34s
reply from 131.111.8.61: offset 0.013905 delay 0.017363, next query 30s
adjusting local clock by 4686.001301s

However, the clock does not budge at all. I can still manually set the clock by date -s HHMM.

Not sure how to debug it. Is it because I'm using vm and it doesn't support?

diso# dmesg | grep pvclock
pvclock0 at pvbus0

Best regards,
Chris Narkiewicz
Re: netcup.eu arm64 (kvm, Ampere Altra), bsd.rd hangup
On Sun, Dec 17, 2023 at 09:56:04PM +0100, Sven Wolf wrote: > I only have access to the graphical console IIRC they have a forum where some support could be provided. I'd ask about serial over lan access. Hetzner have it, but I'm not sure about netcup. Best regards, Chris Narkiewicz
Auto-install over network using UEFI
I'm experimenting with auto-install over network using linux libvirt (qemu). I managed to load pxeboot in BIOS mode and I'm wondering if UEFI is supported.

According to this blog, I should load BOOTX64.EFI instead of pxeboot.
https://eradman.com/posts/autoinstall-openbsd.html

I was skeptical but tried it nevertheless and system immediately reboots after probing disk:

probing: p0 com0 mem[640K 2029M 9M 3M]
disk: BS->LocateHandle() returns 14

Is it possible to net-boot installer in UEFI using QEMU?

Cheers,
Chris
Custom siteXY.tgz and signature verification
I'm trying to automate some deployment and I use miniroot image with HTTPS repository containing site74.tgz and site74-$(hostname -s).tgz. Custom file sets are not signed (obviously) so the installer complains about fileset validation. Is there a way to supply custom signing key for the installer, in a similar way we bootstrap firmware files by mounting the image using vnd?

Best regards,
Chris Narkiewicz
Limiting RAM on boot to emulate low-memory situation
Is it possible to decrease amount of available RAM at boot time? I'm about to migrate some VPS system to a significantly cheaper option that comes with less RAM and I need to evaluate how existing system will behave. Sadly, I can't reconfigure RAM in VPS config. Cheers, Chris
Re: OT: Github requiring 2FA auth, meaning
On Tue, Aug 29, 2023 at 08:40:38PM +0200, Daniele B. wrote: > Since today powers and financial interests will be able to block me > access to the Github platform by their discrection. All ready for > that? Yes, Firefox from ports seems to handle Yubikey 2FA just fine. Best regards, Chris Narkiewicz
Re: non-amd64 vps's in europe?
On Sun, Aug 13, 2023 at 09:17:58AM +0200, Peter J. Philipp wrote:
> He doesn't want to deal with hetzner because of their tight control checks
> regarding id cards and stuff.

Huh? They didn't check my national ID nor passport. Payment card was enough. Is he using some dodgy payment method that triggered KYC alarm? Given that VPS can be used for criminal activity, I doubt he will find anyone willing to provide the service without KYC.

Best regards,
Chris Narkiewicz
Re: how to startx with kde?
On Sun, Jul 23, 2023 at 03:22:13AM +0800, ykla wrote: > Hi, > > I install kde by pkg_add kde but how to boot it? There is no Plasma desktop on OpenBSD. KDE metapackage installs KDE applications. Best regards, Chris Narkiewicz
Re: Syspatch https://cdn.openbsd.org/pub/OpenBSD
On Wed, Jul 12, 2023 at 03:19:17PM -0700, latin...@vcn.bc.ca wrote: > Is it working? > https://cdn.openbsd.org/pub/OpenBSD Works for me. Best regards, Chris Narkiewicz
Re: Hibernation on Thinkpad Carbon X1 gen 7 - unhibernate failed
On Sat, 2023-06-17 at 09:21 -0600, Ashlen wrote:
> I have a 7th gen X1 Carbon and am not sure that the hardware is the
> issue here. I've only experienced this very rarely.
>

I can confirm that I managed to unhibernate successfully and the error is no longer occurring, confirming your observation.

However, image unhibernation took about 5 minutes.

unhibernating @ block 50329532 length 750MB   <- this takes ~5 minutes
Unpacking image...                             <- this takes a few seconds and I'm back in X11

I was so confused that I thought it just hangs.

How long does it take to ZZZ and unhibernate?

Cheers,
Chris
Hibernation on Thinkpad Carbon X1 gen 7 - unhibernate failed
Hi,

I got Thinkpad Carbon X1 gen7 and I tried to test hibernation (ZZZ). When system is resumed, it took several minutes to load image. dmesg shows:

unhibernate failed: original kernel changed

and my iwm0 wifi card is not visible anymore.

Is there somebody with 7th gen X1 that could confirm? According to https://jcs.org/2019/08/14/x1c7 it should work.

Thanks for any suggestions,
Chris
Generating xorg.conf
Hi,

I'm trying to customize my touchpad input handling in X11. Normally I'd call X -configure to generate the config file and tune it to my needs. X -h lists -configure as available options. However, when calling X -configure, it says option is not recognized:

# X -configure
...
(EE) Fatal server error:
(EE) Unrecognized option: -configure
(EE)
(EE) Please consult the The X.Org Foundation support
...

I'm puzzled. Is it supported? Can I generate xorg config?

Cheers,
Chris
Battery not detected on StarLabs Starlite Mk IV
Hi,

I'm struggling with a battery problem on StarLabs Starlite Mk IV. Laptop is flashed with AMI BIOS and I noticed that battery is not detected reliably. When battery is not detected, it does not detect AC adapter cable as well. I can see acpiac0 but the cable is not reported as connected in apm.

In Linux it works reliably, so I suppose it must be some combination of firmware issue and/or better autodetection logic.

I'm wondering how I can debug the root cause of the issue? I'd be grateful for any suggestions.

Cheers,
Chris Narkiewicz
InfluxDB stopped working on OpenBSD 7.3
I have a fresh OpenBSD 7.3 install (no update) with InfluxDB installed from packages. When I try to start it, it did start initially, but eventually it crashed. Now I can't start it again. It complains about bad system call. Could that be related to latest security features?

Below is rcctl -d output. I'd be thankful for any suggestions.

dev# rcctl -d start influxdb
doing _rc_parse_conf
influxdb_flags empty, using default ><
doing rc_check
influxdb
doing rc_start
doing _rc_wait_for_start
doing rc_check
influxdb[2285]: ts=2023-04-15T00:19:33.358242Z lvl=info msg="InfluxDB starting" log_id=0hC_LoRW000 version=unknown branch=unknown commit=unknown
influxdb[2285]: ts=2023-04-15T00:19:33.358479Z lvl=info msg="Go runtime" log_id=0hC_LoRW000 version=go1.20.1 maxprocs=1
influxdb[2285]: ts=2023-04-15T00:19:33.383092Z lvl=info msg="Using data dir" log_id=0hC_LoRW000 service=store path=/var/influxdb/data
influxdb[2285]: ts=2023-04-15T00:19:33.383498Z lvl=info msg="Compaction settings" log_id=0hC_LoRW000 service=store max_concurrent_compactions=1 throughput_bytes_per_second=50331648 throughput_bytes_per_second_burst=50331648
influxdb[2285]: ts=2023-04-15T00:19:33.383565Z lvl=info msg="Open store (start)" log_id=0hC_LoRW000 service=store trace_id=0hC_LoXl000 op_name=tsdb_open op_event=start
influxdb[2285]: SIGSYS: bad system call
influxdb[2285]: PC=0x23c8afdf7 m=0 sigcode=0
influxdb[2285]:
influxdb[2285]: goroutine 0 [idle]:
influxdb[2285]: syscall.rawSyscall10X(0x1d704e0, 0xc5, 0x0, 0x10248, 0x1, 0x1, 0x18, 0x0, 0x0, 0x0, ...)
influxdb[2285]:         runtime/sys_openbsd3.go:114 +0x4d fp=0xc6d820 sp=0xc6d800 pc=0x1d10bad
influxdb[2285]: syscall.rawSyscall10X(0x0?, 0xc6d900?, 0x1ce9291?, 0x1?, 0x0?, 0xc0002b7380?, 0xc6d900?, 0x0?, 0xc6d938?, 0x0, ...)
influxdb[2285]:         :1 +0x59 fp=0xc6d8a0 sp=0xc6d820 pc=0x1d16d79
influxdb[2285]: syscall.syscall9Internal(0xc0002b7380?, 0x20003?, 0xc6d958?, 0x1ce89e5?, 0xc0002b7380?, 0xc6d978?, 0x1d0eabb?, 0xc0002b7380?, 0x20003?, 0x0)
influxdb[2285]:         syscall/syscall_openbsd_libc.go:38 +0x49 fp=0xc6d908 sp=0xc6d8a0 pc=0x1d6a489
influxdb[2285]: syscall.syscall9Internal(0xc5, 0x0, 0x10248, 0x1, 0x1, 0x18, 0x0, 0x0, 0x0, 0x0)
influxdb[2285]:         :1 +0x68 fp=0xc6d968 sp=0xc6d908 pc=0x1d70f08
influxdb[2285]: golang.org/x/sys/unix.mmap(0x1d6d534?, 0x0?, 0xc6da60?, 0xc6da18?, 0x1d90366?, 0xc0005275f8?)
influxdb[2285]:         golang.org/x/sys@v0.0.0-20201119102817-f84b799fce68/unix/zsyscall_openbsd_amd64.go:1639 +0x52 fp=0xc6d9e8 sp=0xc6d968 pc=0x2062532
influxdb[2285]: golang.org/x/sys/unix.(*mmapper).Mmap(0x2a60da0, 0xc6dab0?, 0xcc4900?, 0x10248, 0xc6db20?, 0x1d902cc?)
influxdb[2285]:         golang.org/x/sys@v0.0.0-20201119102817-f84b799fce68/unix/syscall_unix.go:113 +0x89 fp=0xc6da90 sp=0xc6d9e8 pc=0x2061d69
influxdb[2285]: golang.org/x/sys/unix.Mmap(...)
influxdb[2285]:         golang.org/x/sys@v0.0.0-20201119102817-f84b799fce68/unix/syscall_bsd.go:650
influxdb[2285]: github.com/influxdata/influxdb/tsdb/engine/tsm1.mmap(0xc0003a61d0?, 0xc0003a61d0?, 0x60?)
influxdb[2285]:         github.com/influxdata/influxdb/tsdb/engine/tsm1/mmap_unix.go:18 +0x65 fp=0xc6dad8 sp=0xc6da90 pc=0x29b5d65
influxdb[2285]: github.com/influxdata/influxdb/tsdb/engine/tsm1.(*mmapAccessor).init(0xc000430d20)
influxdb[2285]:         github.com/influxdata/influxdb/tsdb/engine/tsm1/reader.go:1335 +0x113 fp=0xc6db70 sp=0xc6dad8 pc=0x29bedf3
influxdb[2285]: github.com/influxdata/influxdb/tsdb/engine/tsm1.NewTSMReader(0xc0003a61d0, {0xc6dc80, 0x1, 0x0?})
influxdb[2285]:         github.com/influxdata/influxdb/tsdb/engine/tsm1/reader.go:239 +0x18d fp=0xc6dbe8 sp=0xc6db70 pc=0x29b802d
influxdb[2285]: github.com/influxdata/influxdb/tsdb/engine/tsm1.(*FileStore).Open.func1(0x0, 0xc0003a61d0)
influxdb[2285]:         github.com/influxdata/influxdb/tsdb/engine/tsm1/file_store.go:543 +0x115 fp=0xc6dfc0 sp=0xc6dbe8 pc=0x299f1d5
influxdb[2285]: github.com/influxdata/influxdb/tsdb/engine/tsm1.(*FileStore).Open.func3()
influxdb[2285]:         github.com/influxdata/influxdb/tsdb/engine/tsm1/file_store.go:565 +0x2e fp=0xc6dfe0 sp=0xc6dfc0 pc=0x299f08e
influxdb[2285]: runtime.goexit()
influxdb[2285]:         runtime/asm_amd64.s:1598 +0x1 fp=0xc6dfe8 sp=0xc6dfe0 pc=0x1d14141
influxdb[2285]: created by github.com/influxdata/influxdb/tsdb/engine/tsm1.(*FileStore).Open
influxdb[2285]:         github.com/influxdata/influxdb/tsdb/engine/tsm1/file_store.go:535 +0x4a5
influxdb[2285]:
influxdb[2285]: goroutine 16 [running]:
influxdb[2285]: runtime.systemstack_switch()
influxdb[2285]:         runtime/asm_amd64.s:463 fp=0xc6d7d0 sp=0xc6d7c8 pc=0x1d11f00
influxdb[2285]: runtime.libcCall(0x0?, 0xc0002b7380?)
influxdb[2285]:         runtime/sys_libc.go:49 +0x66 fp=0xc6d800 sp=0xc6d7d0 pc=0x1cfdee6
influxdb[2285]: syscall.rawSyscall10X(0x1d704e0, 0xc5, 0x0, 0x10248, 0x1,
amd64 ddb somewhat poor - why?
Hi,

Amd64 page (https://ftp.openbsd.org/amd64.html) states that:

The only major shortcoming at this time is that the kernel debugger ddb is somewhat poor.

Myself not being familiar with it, can someone explain to me why amd64 is considered "poor" and what shortcomings it has, relative to other platforms?

Cheers,
Chris
Re: Sunday presentaion on OpenBSD
On Sat, Aug 21, 2021 at 07:12:41PM -0600, Jonathan Drews wrote:
> This Sunday Peter Hansteen will give a presentaion on OpenBSD:
>
> "Recent and not so recent changes in OpenBSD that make
> life better"

Any recording available?
X11 SIGSEGV on VirtualBox
I'm trying to run xenodm on VirtualBox VM. VirtualBox 6.1.16_Ubuntu r140961 running on Ubuntu 20.04 with Intel card. VM uses VMSVGA display with NO 3D acceleration. Fresh OpenBSD 6.9 install, but I tried latest snapshot - same problem.

When starting Xorg server, it crashes with SIGSEGV. Does anybody know why it happens? How can I generate some actionable debug output, such as stacktrace, to help identify root cause?

Here is complete /var/log/Xorg.0.log:

[13.815] (WW) checkDevMem: failed to open /dev/xf86 and /dev/mem (Operation not permitted)
        Check that you have set 'machdep.allowaperture=1'
        in /etc/sysctl.conf and reboot your machine
        refer to xf86(4) for details
[13.815]        linear framebuffer access unavailable
[13.858] (--) Using wscons driver on /dev/ttyC4
[13.868]
X.Org X Server 1.20.10
X Protocol Version 11, Revision 0
[13.868] Build Operating System: OpenBSD 6.9 amd64
[13.868] Current Operating System: OpenBSD ws.etacassiopeiae.net 6.9 GENERIC#4 amd64
[13.868] Build Date: 19 April 2021 11:06:48AM
[13.868]
[13.868] Current version of pixman: 0.38.4
[13.868]        Before reporting problems, check http://wiki.x.org
        to make sure that you have the latest version.
[13.868] Markers: (--) probed, (**) from config file, (==) default setting,
        (++) from command line, (!!) notice, (II) informational,
        (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[13.868] (==) Log file: "/var/log/Xorg.0.log", Time: Fri Jun 18 21:17:03 2021
[13.869] (==) Using system config directory "/usr/X11R6/share/X11/xorg.conf.d"
[13.871] (==) No Layout section. Using the first Screen section.
[13.871] (==) No screen section available. Using defaults.
[13.871] (**) |-->Screen "Default Screen Section" (0)
[13.871] (**) |   |-->Monitor ""
[13.877] (==) No monitor specified for screen "Default Screen Section".
        Using a default monitor configuration.
[13.877] (==) Automatically adding devices
[13.877] (==) Automatically enabling devices
[13.877] (==) Not automatically adding GPU devices
[13.877] (==) Max clients allowed: 256, resource mask: 0x1f
[13.883] (==) FontPath set to:
        /usr/X11R6/lib/X11/fonts/misc/,
        /usr/X11R6/lib/X11/fonts/TTF/,
        /usr/X11R6/lib/X11/fonts/OTF/,
        /usr/X11R6/lib/X11/fonts/Type1/,
        /usr/X11R6/lib/X11/fonts/100dpi/,
        /usr/X11R6/lib/X11/fonts/75dpi/
[13.883] (==) ModulePath set to "/usr/X11R6/lib/modules"
[13.883] (II) The server relies on wscons to provide the list of input devices.
        If no devices become available, reconfigure wscons or disable AutoAddDevices.
[13.883] (II) Loader magic: 0x897417d3f10
[13.883] (II) Module ABI versions:
[13.883]        X.Org ANSI C Emulation: 0.4
[13.883]        X.Org Video Driver: 24.1
[13.883]        X.Org XInput driver : 24.1
[13.883]        X.Org Server Extension : 10.0
[13.885] (--) PCI:*(0@0:2:0) 15ad:0405:15ad:0405 rev 0, Mem @ 0xe000/33554432, 0xf000/2097152, I/O @ 0xd000/16
[13.885] (II) LoadModule: "glx"
[13.887] (II) Loading /usr/X11R6/lib/modules/extensions/libglx.so
[13.898] (II) Module glx: vendor="X.Org Foundation"
[13.898]        compiled for 1.20.10, module version = 1.0.0
[13.898]        ABI class: X.Org Server Extension, version 10.0
[13.898] (==) Matched vmware as autoconfigured driver 0
[13.898] (==) Matched vesa as autoconfigured driver 1
[13.898] (==) Assigned the driver to the xf86ConfigLayout
[13.898] (II) LoadModule: "vmware"
[13.898] (II) Loading /usr/X11R6/lib/modules/drivers/vmware_drv.so
[13.899] (II) Module vmware: vendor="X.Org Foundation"
[13.899]        compiled for 1.20.10, module version = 13.1.0
[13.899]        Module class: X.Org Video Driver
[13.899]        ABI class: X.Org Video Driver, version 24.1
[13.899] (II) LoadModule: "vesa"
[13.900] (II) Loading /usr/X11R6/lib/modules/drivers/vesa_drv.so
[13.901] (II) Module vesa: vendor="X.Org Foundation"
[13.901]        compiled for 1.20.10, module version = 2.3.4
[13.901]        Module class: X.Org Video Driver
[13.902]        ABI class: X.Org Video Driver, version 24.1
[13.902] (II) vmware: driver for VMware SVGA: vmware0405, vmware0710
[13.902] (II) VESA: driver for VESA chipsets: vesa
[13.902] (WW) Falling back to old probe method for vesa
[13.902] (II) vmware(0): Driver was compiled without KMS- and 3D support.
[13.902] (WW) vmware(0): Disabling 3D support.
[13.902] (WW) vmware(0): Disabling Render Acceleration.
[13.902] (WW) vmware(0): Disabling RandR12+ support.
[13.902] (--) vmware(0): VMware SVGA regs at (0xd000, 0xd001)
[13.902] (II) Loading sub module "vgahw"
[13.902] (II) LoadModule: "vgahw"
[13.903] (II) Loading /usr/X11R6/lib/modules/libvgahw.so
[13.903] (II) Module vgahw: vendor="X.Org Foundation"
[13.903]        compiled for 1.20.10,
httpd fastcgi timeout during transfer
Hi,

I have a httpd serving PHP app via FastCGI interface. This application sends quite large data (1GB) but httpd times out the connection during transfer.

What I found is the following sequence of events:

1) curl https://somehost/download/stuff
2) transfer starts
3) no mention of new connection in access.log and error.log or stdout/stderr
4) 50-60s later I can see GET request in access.log
5) 60s later connection timeout event occurs
6) curl fails

I tried to trace the source of this issue but I'm not familiar with httpd code. This is the only place where timeout is set in fastcgi:

/usr.sbin/httpd/server_fcgi.c:369

	bufferevent_settimeout(clt->clt_srvbev,
	    srv_conf->timeout.tv_sec, srv_conf->timeout.tv_sec);
	bufferevent_enable(clt->clt_srvbev, EV_READ|EV_WRITE);
	if (clt->clt_toread != 0) {
		server_read_httpcontent(clt->clt_bev, clt);
		bufferevent_enable(clt->clt_bev, EV_READ);
	} else {
		bufferevent_disable(clt->clt_bev, EV_READ);
		fcgi_add_stdin(clt, NULL);
	}

Nothing too suspicious here, but I can't figure out why it times out despite data being actively pumped through the connection?

Any suggestions welcome. I'm out of ideas.

Cheers,
Chris
httpd passes rogue request to internal vhost
I have a machine with OpenBSD 6.8 and with 2 network interfaces:

egress
intranet

httpd has 3 vhosts defined:

server "default" {
	listen on * tls port 443
	...
	location * {
		block return 403
	}
}

server "externalapp.publicdomain.net" {
	listen on egress tls port 443
	...
}

server "internalapp.privatedomain.net" {
	listen on intranet tls port 443
	...
}

So far so good, but when I try to access "internalapp.privatedomain.net" from the internet, it serves the page happily. I double checked that I had no access to the intranet at that moment.

But when I change "default" server to:

server "default" {
	listen on egress tls port 443
	listen on intranet port 443
	...
}

and try again, I get proper 403.

Is that a bug or some sort of non-intuitive behavior of listen on * stanza?

Cheers,
Chris
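A check for the behaviour described in the post above, added here as an example (it is not part of the original thread and not httpd's own tooling): connect to the egress address, present the internal vhost's name in both SNI and the Host header, and see whether httpd answers with the expected 403 or serves the internal site. EGRESS_ADDR and INTERNAL_NAME are placeholder assumptions to replace with real values. The network I/O is confined to probe(); build_request() and parse_status() are pure so the classification can be exercised offline.

```python
"""Probe whether a name-based vhost is reachable on an address it should not serve."""
import socket
import ssl

# Placeholders (assumed, not from the post): the public address and the internal name.
EGRESS_ADDR = "203.0.113.10"
INTERNAL_NAME = "internalapp.privatedomain.net"
PATH = "/"


def build_request(host, path="/"):
    """Minimal HTTP/1.1 request bytes carrying an explicit Host header."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: vhost-probe\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_status(raw):
    """Numeric status code from a raw HTTP response, or None if it is not HTTP."""
    first = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def verdict(status):
    """403 is what the catch-all 'default' server should return for a foreign name."""
    if status is None:
        return "no-http-response"
    if status == 403:
        return "blocked"
    if 200 <= status < 400:
        return "LEAK: internal vhost answered on egress"
    return f"other ({status})"


def probe(addr, name, path="/", port=443, timeout=5.0):
    """TLS-connect to addr with SNI=name, send Host: name, return (status, verdict)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # the certificate name is irrelevant here
    ctx.verify_mode = ssl.CERT_NONE
    chunks = []
    with socket.create_connection((addr, port), timeout=timeout) as raw_sock:
        with ctx.wrap_socket(raw_sock, server_hostname=name) as tls:
            tls.sendall(build_request(name, path))
            while sum(len(c) for c in chunks) < 65536:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    status = parse_status(b"".join(chunks))
    return status, verdict(status)


if __name__ == "__main__":
    code, result = probe(EGRESS_ADDR, INTERNAL_NAME, PATH)
    print(f"{EGRESS_ADDR} SNI/Host={INTERNAL_NAME}: {code} -> {result}")
```

Run it from a host that has no route into the intranet; a 2xx/3xx means the name lookup won on the wildcard listener, which is the case worth re-testing after every httpd.conf change.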
relayd and EC tls - key size 832 is not supported
Hi,

I'm configuring relayd to run grafana vhost (grafana does not support FastCGI). My relayd.conf is:

http protocol "www" {
	match request header "Host" value "grafana.mydomain.net" forward to
	tls keypair grafana.mydomain.net
}

relay "www" {
	listen on wg0 port 443 tls
	protocol www
	forward to port 3000
}
# end of relayd.conf

TLS certificate has been generated using easyrsa, and it uses EC algo with secp384r1 curve. When I start relayd, it complains about unsupported key size:

ca_engine_init: using RSA privsep engine
...
ssl_ctx_fake_private_key: key size 832 not support

When I use RSA certificate generated using Let's Encrypt, it works.

Does it support EC? Am I doing something wrong?

Full relayd output in verbose mode:

grafana# relayd -dvv
startup
pfe: filter init done
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
relay_load_certfiles: using certificate /etc/ssl/grafana.mydomain.net.crt
relay_load_certfiles: using private key /etc/ssl/private/grafana.mydomain.net.key
parent_tls_ticket_rekey: rekeying tickets
relay_privinit: adding relay www
protocol 1: name www
	flags: used, relay flags: tls
	tls flags: tlsv1.2, tlsv1.3, cipher-server-preference
	tls session tickets: disabled
	type: http
	match request header "Host" value "grafana.mydomain.net" forward to
socket_rlimit: max open files 1024
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
relay_tls_ctx_create: loading certificate
ssl_ctx_fake_private_key: key size 832 not support

Cheers,
Chris
Shared memory segments are not removed after process exit
I'm running a tandem of Xvfb + x11vnc on a headless box. x11vnc runs as _x11 user.

This stack works pretty well for me until one of the processes restarts. When Xvfb restarts, it no longer enables SHM extension.

# Xvfb
MIT-SHM extension disabled due to lack of kernel support

When I check ipcs, I see a lot of shm segments:

# ipcs | grep _x11 | wc -l
137

Both processes are dead at this stage, so I'm not sure why those shm segments are not collected?

When I manually remove them using ipcrm -m, I can restart Xvfb and it will happily enable SHM extension. x11vnc will also work as well.

Is that an expected behaviour? How can I ensure shm segments are purged when processes are no longer running?

Cheers,
Chris
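A way to automate the manual ipcrm step from the post, added here as an example (not from the thread, not part of Xvfb or x11vnc): remove only the shared-memory segments owned by the service user, and only when no process of that user is still alive, so a running Xvfb never loses its segments. SAMPLE_IPCS is a constructed sample in the column layout I assume ipcs -m prints (type, id, key, mode, owner, group); OWNER_COL is the knob to adjust if your output differs. The parsing is a pure function; the subprocess calls are confined to user_has_processes() and cleanup().

```python
"""Purge SysV shared memory segments left behind by a dead Xvfb/x11vnc pair."""
import subprocess
import sys

SERVICE_USER = "_x11"   # the user x11vnc runs as in the post

# Assumed ipcs -m layout: T ID KEY MODE OWNER GROUP (owner is the 5th column).
OWNER_COL = 4

# Constructed sample output, not captured from a real system.
SAMPLE_IPCS = """\
Shared Memory:
T        ID     KEY        MODE       OWNER    GROUP
m     65536 0x00000000 --rw-------     _x11     _x11
m     65537 0x00000000 --rw-------     _x11     _x11
m    131072 0x0052e2c1 --rw-rw-rw-     root    wheel
"""


def segment_ids(ipcs_text, owner, owner_col=OWNER_COL):
    """IDs of shared-memory rows ('m' in the type column) owned by owner."""
    ids = []
    for line in ipcs_text.splitlines():
        fields = line.split()
        if len(fields) > owner_col and fields[0] == "m" and fields[owner_col] == owner:
            ids.append(int(fields[1]))
    return ids


def user_has_processes(user):
    """True if pgrep(1) finds any process running as user (exit status 0)."""
    return subprocess.run(["pgrep", "-u", user], capture_output=True).returncode == 0


def cleanup(user, dry_run=True):
    """Return the segment IDs that are (or would be) removed for user.

    Refuses to touch anything while the user still has live processes: a
    running Xvfb would otherwise lose the SHM segments its clients attached.
    """
    if user_has_processes(user):
        return []
    out = subprocess.run(["ipcs", "-m"], capture_output=True, text=True, check=True).stdout
    ids = segment_ids(out, user)
    if not dry_run:
        for seg in ids:
            subprocess.run(["ipcrm", "-m", str(seg)], check=True)
    return ids


if __name__ == "__main__":
    force = "-f" in sys.argv
    ids = cleanup(SERVICE_USER, dry_run=not force)
    print(("removed" if force else "would remove"), ids)
```

Run it without -f first to see what it would delete; the natural place for the forced run is the wrapper that restarts Xvfb, just before the new server starts.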
Re: [SOLVED] PPPoE connection does not set IP
On Wed, Dec 09, 2020 at 10:59:53AM -, Stuart Henderson wrote:
> Setting "inet" brings the interface up automatically. Move that
> down after the point you have set the connection parameters.

I escaped newlines with \ to make it one big line and this solved the issue. Thank you.

Cheerio,
Chris
Re: PPPoE connection does not set IP
On Wed, Dec 09, 2020 at 01:12:11PM +0100, Georg Bege wrote:
> Hello,
>
> Im also on an VDSL connection from the german ISP T-Online -
>
> I see that you dont use any VLAN, are you sure that this is
> correct?

This is supposed to be handled by the ISPs modem internally. When I look at a working OpenWrt configuration, it uses VLAN on DSL interface and exposes pppoe interface without VLAN.

Cheers,
Chris
PPPoE connection does not set IP
covery code Terminate, version 1, type 1, id 0x144e, length 0

Best regards,
Chris Narkiewicz
--
+44 7502 415 180 (Phone, Signal, WhatsApp)
Cannot open authorized_keys
I have a user with a non-standard $HOME location and I added a key to authorized_keys. When I try to login via SSH, I get a password prompt. When looking at sshd debug logs, I see this:

debug1: Could not open authorized keys '/var/home/user/.ssh/authorized_keys': Permission denied

That's a bit strange that ssh daemon cannot open a keys. Why is that? Some sort of security to prevent sshd touching anything outside /home?

Cheers,
Chris
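A way to pin down that "Permission denied", added here as an example (not from the thread, not OpenSSH code): sshd opens authorized_keys with the target user's own privileges, so the user must have search permission on every directory from / down to ~/.ssh, and with StrictModes (the default) the home directory, .ssh and the file must be owned by the user or root and not be group/world writable. The checker takes an injectable stat function; BROKEN_TREE, FIXED_TREE and WRITABLE_SSH_TREE are constructed samples (no real system was inspected) in which a root-owned /var/home with mode 0700 reproduces exactly this symptom even though ~/.ssh and the key file are fine.

```python
"""Check whether a user could open ~/.ssh/authorized_keys the way sshd does."""
import os
import pwd
import stat
import sys
from types import SimpleNamespace


def _has(st, uid, gids, ubit, gbit, obit):
    """Owner/group/other permission check for one bit triple; root passes."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid in gids:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)


def strict_mode_problems(name, st, uid):
    """StrictModes-style checks: owned by the user or root, not group/world writable."""
    out = []
    if st.st_uid not in (0, uid):
        out.append(f"{name}: owned by uid {st.st_uid}, expected {uid} or root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append(f"{name}: group/world writable (mode {stat.S_IMODE(st.st_mode):04o})")
    return out


def check_authorized_keys(path, uid, gids, home, stat_fn=os.stat):
    """Return a list of problems; empty means sshd acting as uid could open path."""
    problems = []
    path, home = os.path.normpath(path), os.path.normpath(home)
    parts = path.split("/")
    # "/" plus every intermediate directory: /var, /var/home, ..., ~/.ssh
    dirs = ["/"] + ["/".join(parts[:i]) for i in range(2, len(parts))]
    for d in dirs:
        try:
            st = stat_fn(d)
        except OSError as e:
            return problems + [f"{d}: {e.strerror or e}"]
        if not stat.S_ISDIR(st.st_mode):
            return problems + [f"{d}: not a directory"]
        if not _has(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append(f"{d}: no search (x) permission for uid {uid}")
        if d == home or d.startswith(home + "/"):
            problems += strict_mode_problems(d, st, uid)   # home and below only
    try:
        st = stat_fn(path)
    except OSError as e:
        return problems + [f"{path}: {e.strerror or e}"]
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    elif not _has(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append(f"{path}: not readable by uid {uid}")
    problems += strict_mode_problems(path, st, uid)
    return problems


# Constructed sample trees (not real systems) so the logic runs offline.
def _d(mode, uid=0, gid=0):
    return SimpleNamespace(st_mode=stat.S_IFDIR | mode, st_uid=uid, st_gid=gid)


def _f(mode, uid, gid):
    return SimpleNamespace(st_mode=stat.S_IFREG | mode, st_uid=uid, st_gid=gid)


BROKEN_TREE = {   # /var/home is root-owned 0700: the user cannot get past it
    "/": _d(0o755), "/var": _d(0o755), "/var/home": _d(0o700),
    "/var/home/user": _d(0o755, 1001, 1001),
    "/var/home/user/.ssh": _d(0o700, 1001, 1001),
    "/var/home/user/.ssh/authorized_keys": _f(0o600, 1001, 1001),
}
FIXED_TREE = dict(BROKEN_TREE, **{"/var/home": _d(0o755)})
WRITABLE_SSH_TREE = dict(FIXED_TREE, **{"/var/home/user/.ssh": _d(0o770, 1001, 1001)})


def stat_from(tree):
    """stat_fn over a constructed tree; unknown paths raise like os.stat would."""
    def _stat(p):
        if p not in tree:
            raise FileNotFoundError(2, "No such file or directory", p)
        return tree[p]
    return _stat


if __name__ == "__main__":
    login = sys.argv[1] if len(sys.argv) > 1 else "user"   # assumed login name
    pw = pwd.getpwnam(login)
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    keyfile = os.path.join(pw.pw_dir, ".ssh", "authorized_keys")
    for line in check_authorized_keys(keyfile, pw.pw_uid, gids, pw.pw_dir) or ["ok"]:
        print(line)
```

Run it as root with the login name as argument; the first reported directory is the one to fix (here a chmod 755 on the parent of the home directories), and the StrictModes lines explain the other classic cause, a group-writable ~/.ssh.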
Mounting encrypted drive on boot
My setup consists of OpenBSD 6.7 with full drive encryption using softraid, configured as described in FAQ:

/dev/sd0a - encrypted volume
/dev/sd1 - decrypted

I have additional need to mount an encrypted /var volume on boot. This volume is a separate drive attached to the VPS "machine". I want to mount this drive automatically on boot by adding relevant entries to /etc/fstab, but before this can be done, softraid device must be configured using bioctl.

On Linux this is done by adding some entries to /etc/crypttab and the boot script performs required configuration before disks in fstab are mounted. How to do similar thing in OpenBSD?

Somebody on StackOverflow advised on modifying /etc/rc and run bioctl before disks are mounted, but I'm not sure if this is a right approach, especially that attaching more disks might change the /dev/sd* numbering.

What would be the best approach?

Best regards,
Chris
httpd option max body size is ignored for subdomain
Hi,

I'm trying to configure Nextcloud on a subdomain. My config has 2 vhosts and connection max request body is not respected for my subdomain.

default vhost:

server "default" {
	listen on * port 80
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	location * {
		block return 404
	}
}

server "default_tls" {
	listen on * tls port 443
	tls certificate ...
	tls key ...
	# I must place max request body here, but why?
	# connection max request body 536870912
	location * {
		block return 403
	}
}

nextcloud vhost:

server "nextcloud.mydomain.com" {
	listen on * tls port 443
	...
	# this is ignored! It takes setting from "default_tls"!
	connection max request body 536870912
}

server "nextcloud.mydomain.com" {
	listen on * port 80
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	block return 301 "https://nextcloud.mydomain.com$REQUEST_URI"
}

When I try to PUT a file to nextcloud.mydomain.com, my access.log tells me that this request is handled by default_tls:

default_tls xx.xx.xx.xx - - [03/Feb/2019:14:38:35 +] "PUT /remote.php/webdav/bigger-file.png HTTP/1.1" 413 0

For smaller files with body <1024k (default body limit) it works ok:

nextcloud.mydomain.com xx.xx.xx.xx - - [03/Feb/2019:14:39:51 +] "PUT /remote.php/webdav/smaller-file.png HTTP/1.1" 201 0

Why is httpd not respecting subdomain config?
X-Accel-Redirect equivalent for httpd
Hi,

Is there an equivalent or alternative for NginX X-Accel-Redirect?
https://www.nginx.com/resources/wiki/start/topics/examples/x-accel/

I'm porting a django app that checks for user's permissions before allowing them to download a document and this function uses X-Accel-Redirect to achieve this. I'd like to move the app to OpenBSD httpd. Any idea how to crack this problem?

Best regards,
Chris
Re: spamd and google smtp ips
On 30/10/2018 at 23:39, Stuart Henderson wrote:
> I haven't run spamd myself for years, I got fed up with delayed and lost mails.

Thanks. That was probably the tipping comment for me - I decided to search for alternative spam protection. It's the lost e-mails being the thing I cannot afford and in absence of *reliable* whitelist, I decided not to go this route.

Best regards,
Chris
Re: Bluetooth Support
On 30/10/2018 at 20:07, Marco Menne wrote:
> I read in some forum that Bluetooth is not supported in OpenBSD. Is this true?

It was, but bt was removed.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/netbt/Attic/bluetooth.h

Revision 1.7, Fri Jul 11 21:54:38 2014 UTC (4 years, 3 months ago) by tedu
Branch: MAIN
CVS Tags: HEAD
Changes since 1.6: +1 -1 lines
FILE REMOVED

"It's not the years, honey; it's the mileage."
bluetooth support doesn't work and isn't going anywhere. the current design is a dead end, and should not be the basis for any future support. general consensus says to whack it so as to not mislead the unwary.
Re: spamd and google smtp ips
On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
> yes, a well-known problem, and it's what nospamd (hinted at in the spamd man pages) is for. To some extent it helps to whitelist IP addresses and networks that domains list in their SPF info.

Yeah, I hoped there are some reputable sources of validated mail sources based on SPF and DKIM. I'll give a try to your compiled list, but the fact you maintain it manually is a bit discouraging.

Best regards,
Chris
spamd and google smtp ips
Hi,

I'm configuring spamd and I noticed that when I send an e-mail from GMail, each time the e-mail is submitted by a different IP address. Here is spamdb output after sending a test email to myself:

GREY|209.85.219.182|mail-yb1-f182.google.com|...
GREY|209.85.219.177|mail-yb1-f177.google.com|...
GREY|209.85.219.176|mail-yb1-f176.google.com|...
GREY|209.85.219.172|mail-yb1-f172.google.com|...
GREY|209.85.219.180|mail-yb1-f180.google.com|...
GREY|209.85.219.175|mail-yb1-f175.google.com|...
GREY|209.85.219.173|mail-yb1-f173.google.com|...
GREY|209.85.219.179|mail-yb1-f179.google.com|...
GREY|209.85.208.46|mail-ed1-f46.google.com|...
GREY|209.85.161.52|mail-yw1-f52.google.com|...
... snip ...

Of course they are not whitelisted, as each submission attempt is done by a different node and I guess google has A LOT of them.

I see 2 issues with that:

1) e-mail delivery takes a lot of time (as google uses exponential backoff and stops frequent retries after few failures)
2) whitelisted IPs are more likely being expired, as my server is not getting a lot of gmail traffic

I suppose different big e-mail providers will have similar issues.

I'm also running a BGP server to download a whitelist, but it does not contain google servers.

Are there any solutions to get around this problem? Ideally I'd like to just whitelist reputable mail providers as I see little chance that any spammer will outsmart Google/Yahoo/Microsoft/etc.
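Peter's suggestion in the reply above, whitelisting the networks a provider publishes in its SPF record, can be automated, which also addresses the "each submission comes from a different node" problem in this post. The following is an added example, not from the thread or from spamd: it walks include: chains of SPF records, collects ip4:/ip6: networks, enforces the ten-lookup limit SPF itself imposes (RFC 7208 section 4.6.4), and reports which of the GREY entries from the spamdb output above fall inside. The TXT records are a constructed, offline stand-in for DNS (the domain names and the 209.85.128.0/17 block are sample values chosen so that the post's addresses match, not a statement about any provider's live record); a live version would fetch TXT records with a resolver in place of SAMPLE_TXT.get.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (offline sample data).
SAMPLE_TXT = {
    "mailprovider.example": "v=spf1 include:_spf.mailprovider.example ~all",
    "_spf.mailprovider.example": "v=spf1 include:_netblocks.mailprovider.example "
                                 "include:_netblocks2.mailprovider.example ~all",
    "_netblocks.mailprovider.example": "v=spf1 ip4:209.85.128.0/17 ip4:192.0.2.0/24 ~all",
    "_netblocks2.mailprovider.example": "v=spf1 ip6:2001:db8::/32 ~all",
    # A record that includes itself: must be stopped by the lookup limit, not loop forever.
    "loop.example": "v=spf1 include:loop.example -all",
}

# spamdb(8) GREY lines from the post, plus one constructed entry from another sender.
SAMPLE_SPAMDB = """\
GREY|209.85.219.182|mail-yb1-f182.google.com|...
GREY|209.85.219.177|mail-yb1-f177.google.com|...
GREY|209.85.208.46|mail-ed1-f46.google.com|...
GREY|209.85.161.52|mail-yw1-f52.google.com|...
GREY|198.51.100.7|mail.unrelated.example|...
"""

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms

def spf_networks(domain, resolve, _state=None):
    """Collect ip4:/ip6: networks reachable from domain's SPF record via include:/redirect=.

    resolve(name) returns the SPF TXT string or None. Mechanisms that would need
    their own DNS queries (a, mx, ptr, exists) are skipped in this example; a full
    implementation would expand them and count them against the same limit."""
    state = _state if _state is not None else {"lookups": 0}
    nets = set()
    record = resolve(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return nets
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?").lower()
        if mech.startswith("ip4:") or mech.startswith("ip6:"):
            nets.add(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
        elif mech.startswith("include:") or mech.startswith("redirect="):
            state["lookups"] += 1
            if state["lookups"] > SPF_LOOKUP_LIMIT:
                raise ValueError("SPF lookup limit exceeded while expanding %s" % domain)
            if mech.startswith("include:"):
                target = term.split(":", 1)[1]
            else:
                target = term.split("=", 1)[1]
            nets |= spf_networks(target, resolve, state)
    return nets

def grey_entries(spamdb_text):
    """Yield (ip, helo) from GREY lines of spamdb output."""
    for line in spamdb_text.splitlines():
        fields = line.split("|")
        if len(fields) >= 3 and fields[0] == "GREY":
            yield fields[1], fields[2]

def covered_by(nets, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def whitelist_candidates(domain, resolve, spamdb_text):
    """Split GREY entries into those inside the provider's SPF networks and the rest."""
    nets = spf_networks(domain, resolve)
    inside, outside = [], []
    for ip, helo in grey_entries(spamdb_text):
        (inside if covered_by(nets, ip) else outside).append((ip, helo))
    return inside, outside

def whitelist_file(nets):
    """One address or CIDR network per line, the layout spamd-setup(8) reads
    for a spamd.conf(5) list that uses the file method."""
    return "\n".join(sorted(str(n) for n in nets)) + "\n"

if __name__ == "__main__":
    inside, outside = whitelist_candidates("mailprovider.example", SAMPLE_TXT.get, SAMPLE_SPAMDB)
    print("covered by SPF networks:", inside)
    print("not covered:", outside)
    print(whitelist_file(spf_networks("mailprovider.example", SAMPLE_TXT.get)), end="")
```

The trade-off the thread is weighing shows up directly in the output: whitelisting a provider's whole SPF range trusts every customer who sends through that provider, so greylisting no longer slows any of them down, which is the price of not losing or delaying their legitimate mail.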
Re: spamd does not update /var/db/spamd
On 30/10/2018 at 16:58, Chris Narkiewicz wrote:
> On 30/10/2018 at 15:56, Ricardo Mestre wrote:
>> Hi Chris,
>> You are running spamdb /var/db/spamdb, that's not the way to use it.

I'm sorry, you were right. I misread both your e-mail and man page.

Thank you all for help.

Best regards,
Chris
Re: spamd does not update /var/db/spamd
On 30/10/2018 at 15:53, Solene Rapenne wrote:
> do you run spamd-setup(8)?

Yes, I see that it downloads nixspam and loads 20k IPs into spamd.

Best regards,
Chris
Re: spamd does not update /var/db/spamd
On 30/10/2018 at 15:56, Ricardo Mestre wrote:
> Hi Chris,
> You are running spamdb /var/db/spamdb, that's not the way to use it.

According to man spamdb(8) this is how to list all entries, which I wanted to do. I see no entries, so I assume the database is empty.

Best regards,
Chris
spamd does not update /var/db/spamd
Hi,

I'm trying to use spamd to block spam using graylisting, but the spamd database is not updated.

I run /usr/libexec/spamd -v -d to see what's happening and I definitely see hosts connecting to it:

(GREY) 209.85.219.176: mytestem...@gmail.com> ->
Got Grey HELO mail-yb1-f176.google.com, IP 209.85.219.176 from to
added 209.85.219.176 mail-yb1-f176.google.com
209.85.219.176 connected for 11 seconds.

I also tried to submit an email using Python SMTP library and I confirmed 451 Temporary failure response.

But when I browse /var/db/spamd, there is nothing there. My spamd is running and is referring to a correct file:

# ps aux | grep spamd
_spamd 93211  0.0  0.1  9672 1492 ??  Isp  5:29AM  0:00.00 spamd: (pf update) (spamd)
_spamd 59023  0.0  0.5 10012 4836 ??  Ip   5:29AM  0:00.02 spamd: [priv] (greylist) (spamd)
_spamd 13468  0.0  0.1  9640 1172 ??  Ip   5:29AM  0:00.00 spamd: (/var/db/spamd update) (spamd)

Database file has correct perms:

# ls -l /var/db/spamd
-rw-r--r--  1 _spamd  _spamd  65536 Oct 30 05:30 /var/db/spamd
# spamdb /var/db/spamd

My spamd config is default. OpenBSD 6.3.

What is wrong with it?

Best regards,
Chris
Re: Monit logs vfprintf %s NULL in "%s" all the time
On 29/10/2018 at 19:24, Caspar Schutijser wrote:
> (...) which seems to solve the same problem that you are experiencing.

Ok, if this is a known problem, I'll upgrade. Thanks.

Best regards,
Chris
Monit logs vfprintf %s NULL in "%s" all the time
I'm running Monit to look at few services on OpenBSD 6.3 and I'm logging to syslog. In my /var/log/messages I routinely observe the following log entries:

Oct 27 22:00:01 alpha syslogd[97814]: restart
Oct 27 22:00:02 alpha monit: vfprintf %s NULL in "%s"
Oct 27 22:00:32 alpha last message repeated 11 times
Oct 27 22:02:32 alpha last message repeated 24 times
Oct 27 22:12:33 alpha last message repeated 120 times
Oct 27 22:22:33 alpha last message repeated 120 times
...and so on...

Monit is installed from ports.

$ monit --version
This is Monit version 5.25.1
Built with ssl, with ipv6, with compression, without pam and with large files

Does anybody know what it means? This log is not very useful, but it looks like some kind of bug.

Best regards,
Chris
Re: Vultr hosting of OpenBSD
On 08/09/2018 19:55, Ken M wrote:
> I have seen some comments here and there about issues with the default image

What kind of issues? I'm curious. Can you please provide a reference?
Re: Deploy Django app - strategy?
On 28/08/2018 13:13, Dave Voutila wrote:
> Any reason you can't use something like gunicorn as the app server and use relayd on the egress?

I haven't thought about it. We have existing stack with config files, admin scripts, friendly Makefiles, etc. It's a turn-key solution that gives me a running app hanging on fastcgi socket.

> Simple architecture would be egress running relayd and then gunicorn

What would be the benefit of "gunicorn+relayd" vs "uwsgi+httpd/nginx"? There is admin know-how and automation around current stack, but I'm keen on re-evaluating it if there are other benefits elsewhere.

Biggest win would be chroot-able app server, but I'm not sure if it's easily doable with Python at all. Doable with gunicorn?

Best regards,
Chris
uwsgi and semaphores limit
Hi,

I'm trying to run uwsgi server and I even managed to start it successfully... once. On second time, it aborted:

uwsgi_lock_ipcsem_init()/semget(): No space left on device [core/lock.c line 519]

I checked ipcs (_mc is the user that runs uwsgi)

core# ipcs
Message Queues:
T       ID     KEY        MODE        OWNER    GROUP

Shared Memory:
T       ID     KEY        MODE        OWNER    GROUP

Semaphores:
T       ID     KEY        MODE        OWNER    GROUP
s   327680     0          --rw-rw-rw- _mc      _mc
s   327681     0          --rw-rw-rw- _mc      _mc
s   327682     0          --rw-rw-rw- _mc      _mc
s   327683     0          --rw-rw-rw- _mc      _mc
s   327684     0          --rw-rw-rw- _mc      _mc
s   327685     0          --rw-rw-rw- _mc      _mc
s   327686     0          --rw-rw-rw- _mc      _mc
s   327687     0          --rw-rw-rw- _mc      _mc

Ok, the docs say that semaphore limits are pretty low on *BSDs and it should be increased.

https://uwsgi-docs.readthedocs.io/en/latest/ThingsToKnow.html

2 questions then:

1) Why are there semaphores listed in ipcs if uwsgi is not running? I guess the listed ones were left by my first, successful run.
2) How to increase number of allowed semaphores?

Best regards,
Chris
Re: Deploy Django app - strategy?
On 26/08/2018 21:01, Paul de Weerd wrote:
> Use python3 -m venv /path/to/venv to create a virtualenv using python3 and be done with it.

Yeah, it did the trick. I'm going to deprecate use of virtualenv, since it's no longer needed with Python 3.6.

> That will use a symlink to the actual python3 binary in /usr/local, so no issues with the lack of wxallowed on /var. However, you'll have to deal with the chroot implications there...

I guess it's a non-starter with Django... I guess it'd be easier to simply run it in Docker.

> What webserver are you using?

It's pretty standard stack:

* postgresql on localhost
* uwsgi on localhost with http/fastcgi protocol
* httpd on egress

Best regards,
Chris
Deploy Django app - strategy?
I'm deploying a Django app on OpenBSD 6.3 and I'm struggling to wrap my head around the best practices here. On Linux we just bootstrap virtualenv in home directory and start uwsgi (or alternative), but on OpenBSD it seems to be a bit more complicated:

core# mkdir /var/www/app
core# cd /var/www/app/
core# virtualenv-3 -p python3 env
Running virtualenv with interpreter /usr/local/bin/python3
Using base prefix '/usr/local'
New python executable in /var/www/app/env/bin/python3
Also creating executable in /var/www/app/env/bin/python
ERROR: The executable /var/www/app/env/bin/python3 could not be run: [Errno 13] Permission denied: '/var/www/app/env/bin/python3'

Well, that makes perfect sense for me, since we're running some binary not in bin directory, but what is the recommended way of deploying the app in such situation?

I'm running on vultr, which provides a non-default disk layout:

core# mount
/dev/sd0a on / type ffs (local)
/dev/sd0d on /usr/local type ffs (local, nodev, wxallowed)

Thanks for any suggestions.
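The failure above comes from W^X enforcement: the interpreter virtualenv copied into /var cannot run because only /usr/local is mounted wxallowed, and the fix given in the reply (python3 -m venv, which symlinks to /usr/local/bin/python3) works because the binary that actually executes stays on the wxallowed filesystem. Here is an added pre-deployment check, not from the thread or from any of the tools it mentions, that parses mount(8) output, finds the filesystem holding a path by longest prefix, and decides whether a venv's python will be allowed to run. The sample mount output is the one from the post; venv_interpreter_ok takes the symlink target as a parameter so it can be exercised without a real venv, and inspect_venv is the live variant that reads the link from disk.

```python
import os
import re

# mount(8) output as shown in the post (constructed sample input; for a live check
# feed parse_mounts the output of `mount` instead).
SAMPLE_MOUNT = """\
/dev/sd0a on / type ffs (local)
/dev/sd0d on /usr/local type ffs (local, nodev, wxallowed)
"""

MOUNT_RE = re.compile(r"^(?P<dev>\S+) on (?P<mnt>\S+) type (?P<fs>\S+) \((?P<opts>[^)]*)\)$")

def parse_mounts(text):
    """Return [(mountpoint, {options})] from mount(8) output."""
    mounts = []
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:
            opts = {o.strip() for o in m.group("opts").split(",") if o.strip()}
            mounts.append((m.group("mnt"), opts))
    return mounts

def mount_for(path, mounts):
    """Longest-prefix match: the (mountpoint, options) pair holding path."""
    path = os.path.normpath(path)
    best = None
    for mnt, opts in mounts:
        prefix = mnt.rstrip("/") + "/"
        if path == mnt or path.startswith(prefix):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, opts)
    return best

def wxallowed(path, mounts):
    """True if the filesystem holding path is mounted with wxallowed."""
    found = mount_for(path, mounts)
    return bool(found and "wxallowed" in found[1])

def venv_interpreter_ok(venv_python, mounts, link_target=None):
    """Decide whether a venv's python will be allowed to run under W^X.

    link_target is what venv_python symlinks to (python3 -m venv links to
    /usr/local/bin/python3) or None when it is a copied binary (what virtualenv
    produced in the post). The file that actually executes must be on a
    wxallowed filesystem; a symlink on /var pointing into /usr/local is fine."""
    target = venv_python if link_target is None else link_target
    if not os.path.isabs(target):
        target = os.path.join(os.path.dirname(venv_python), target)
    return wxallowed(os.path.normpath(target), mounts)

def inspect_venv(venv_python, mounts):
    """Live variant: read the symlink target from the filesystem, if any."""
    link = os.readlink(venv_python) if os.path.islink(venv_python) else None
    return venv_interpreter_ok(venv_python, mounts, link)

if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNT)
    for p in ("/var/www/app/env/bin/python3", "/usr/local/bin/python3"):
        print(p, "wxallowed" if wxallowed(p, mounts) else "W^X enforced")
```

The symlink approach is also the smaller exemption: it keeps the W^X-exempt interpreter confined to the stock copy in /usr/local rather than extending wxallowed to /var, where application data and uploads live.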