Re: WebDAV server for nginx?
On 5/25/2014 1:48 AM, raul o wrote:
> Hi buddies, can anyone tell me as I implement WebDAV with nginx? Thanks.

Are you hitting any specific problems that may be OpenBSD-centric? As long as nginx is compiled with --with-http_dav_module (which it isn't by default, so you may have to recompile it), it sounds like it should be a straightforward problem to solve.

This seems like a very general question that hasn't been Googled enough to take it to misc@ so you may not get great input. I've never implemented WebDAV in nginx, but I certainly see at least a dozen tutorials on how to do it by searching for it. Unless OpenBSD is doing something slightly crazy with nginx (like they did with apache), any Linux-based tutorial should be generally fine to follow.

http://nginx.org/en/docs/http/ngx_http_dav_module.html
Re: remote management
On 5/14/2013 3:23 PM, Stuart Henderson wrote:
> On 2013-05-13, Tony Berth tonybe...@googlemail.com wrote:
>> Dear Group, I would like to know what kind of environment you use for remote management of one or more openbsd servers.
>
> N.B. shared IPMI/LAN ports generally do *not* work on OpenBSD (intentionally).

FWIW the IPMI + Intel PRO/1000 MT (82574L) shared port on these boards works great: http://www.supermicro.com/products/motherboard/Xeon/C202_C204/X9SCL-F.cfm

I was even able to use the IPMI-provided virtual CDROM drive to do the initial install from an ISO located on my desktop PC.
Re: hardware suggestion: off topic (probably)
On 11/6/2012 8:28 AM, Friedrich Locke wrote:
> Dear list members, I have set up a web server in my working environment and I was asked to install webalizer. Now my boss asked me to install a tool that looks at webalizer stats files and suggest a hardware capacity for that workload reported by webalizer. I don't know what to tell him. Why do you think he asked me that?

To each their own on the exact value of webalizer and similar stuff (awstats, Analytics, etc), but I would say a hardware capacity decision influenced chiefly by webalizer stats is a poorly informed decision.

Anyway I do not know of a product that does something like this off of the top of my head, mostly because if I were to be evaluating my hardware needs, I'd look at about a dozen other metrics first.
Re: boot(8) on amd64 asks for passphrase but keydisk...?
On 11/4/2012 2:07 AM, Stefan Sperling wrote:
> On Sat, Nov 03, 2012 at 07:08:58PM -0400, Jiri B wrote:
>> This is totally fantastic what jsing@ did, boot(8) can now ask for passphrase for root disk laying on softraid crypto volume. It works OK. But I didn't know it works with passphrase before so I first tried with keydisk... What a surprise, boot(8) could not use key disk for crypto volume (still printing 'Passphrase:'). Is this my PEBKAC/a bug or this feature is still WIP?
>
> It seems the current code doesn't support it yet. It could be made to work as long as the bios exposes the key disk. If you can boot from your keydisk the bios can see it. I believe booting from USB sticks is usually possible with today's laptops, while booting from SD card rarely works.

I don't boot a lot of laptops off of USB, but it's been a few years since I had a desktop or server that had a problem booting from USB, and even if they had a problem booting, the BIOS could usually at least see it as a disk.

You know you're a sys admin when you have a USB stick with a *nix on it ready to go in the car/backpack/wallet/shoe at all times.
Re: 5.2 SSD machine won't boot
On 11/2/2012 6:39 AM, Devin Ceartas wrote:
> hp laptop with Intel SSD won't boot under 5.2 - the problem reported on screen appears to be the one described here: http://old.nabble.com/Re%3A-Fwd%3A--mSATA-failure-on-6501-w--OpenBSD-5.0-td32881415.html#a32884546
>
> ahci0: stopping the port, softreset slot 31 was still active.
> ahci0: failed to reset port during timeout handling, disabling it
>
> Does anyone have a patch to try or is there a way to boot into the full system starting from a CD or network boot?
>
> -- devin

If you have no reason not to, try disabling AHCI? A while ago (not now) I had a few motherboards with SSDs that were not happy with AHCI on. They were extremely low disk use systems, though. Note this will change your disk device names from sdX to wdX (I think) so some minor fstab tinkering may be needed if you aren't using labels or anything.

Unless you are booting a kernel that has strayed far from generic, I don't think it would matter if you got your kernel from a CD or the network -- it's still the same kernel going after the same hardware and will hit the same problem -- so going to current (as was already suggested) is the only direction to move in. Or to generic, if possible and not already.
Re: Upgrade to 5.2?
On 10/31/2012 9:48 AM, Jamie Paul Griffin wrote:
> / Stuart Henderson wrote on Wed 31.Oct'12 at 15:56:31 + /
>> On 2012-10-31, Jamie Paul Griffin ja...@kode5.net wrote:
>>> Is it best to remove all packages prior to upgrade and then reinstall them or should we simply upgrade the packages using pkg_add -i once the upgrade has been completed?
>>
>> pkg_add -u - package upgrades have been pretty reliable for years now.
>
> yeah i meant the -u switch, that was a typo (sorry). I've just read the upgrade document and as I don't have that many packages installed I think i'll just back-up some config files and install from scratch. Probably the easiest and quickest method in my case.
>
> cheers, Jamie

Don't do it! Seriously, the upgrade process is easy, and is worth becoming familiar with. At least give it a shot since you're planning on reinstalling anyway. I think you'll be pleasantly surprised!

For a long time I did fresh installs too since my average OpenBSD box is a router with ~15 files changed from default and little to no packages so it was trivial to recreate, and even then I should have been upgrading in hindsight.
Re: iked vs. isakmpd + carp
On 10/19/2012 1:16 AM, Jim Miller wrote:
> Two part question:
>
> 1. Anyone had any success getting iked and carp working on OpenBSD 5.1 (amd64)? We can get it working with isakmpd. The issue seems to be that iked wants to send out packets as the physical interface IP instead of the carp IP. iked documentation eludes to the fact that it should work.

In my experience under 5.1 isakmpd wants to use the IP from the real physical interface instead of the virtual carp interface too, so I have to use the "local x.x.x.x" command in ipsec.conf, where x.x.x.x = my carp IP -- this forces it onto the carp IP and all is well.

iked.conf(5) has a similar "local" command. Does it not work?

and keep in mind the caveat:

iked is not yet finished and is missing some important security features. It should not yet be used in production networks. -- iked(8)
Re: PFSync question
On 10/17/2012 8:51 AM, Bennett Samowich wrote:
> I just had an event that I'm having trouble identifying the root cause. I'm hoping that someone might have encountered this or might be able to point me toward some things to check.
>
> Yesterday we had an event where our primary firewall would stop passing traffic. The only thing short of a reboot that would restore service was to run 'sh /etc/netstart pfsync0'. Resetting pfsync's physical interface or pulling that cable didn't produce results. Only resetting the pfsync0 virtual interface would restore service.
>
> I'm not even sure what information would be helpful to provide or what other questions to ask. I also found it odd that the two servers did not show the same number of state entries by a difference of anywhere from 100 to 1000s. Is this typical?
>
> Thanks, Bennett

States come and go so depending on the amount of traffic going through the router, it could be off by a few hundred, or maybe even a few thousand if you do a lot of traffic.

I just counted the states (at the exact same time, several times) on some primary/backup CARP routers using pfsync that push a constant 10-20mbit to several thousand web clients at any given moment, and the states were within about 150 of each other consistently. I would say being off by 1000s is indicative of a problem, but if you push a lot of traffic, it might not be.

Anyway, you need to post: a full ifconfig, dmesg, and look through /var/log/messages for anything interesting from CARP or pfsync to get started. Also put your pfsync cabling through a cable tester just to double check it. I've had a bad pfsync interface cable cause weird problems before.

Any errors on the interface? netstat -in will tell you about errors, not ifconfig it seems.
Re: Upgrading 3.8 to current
On 10/13/2012 9:47 AM, Matt Morrow wrote:
> After dealing with a number of issues due to an old 3.8 install which have been resolved in current releases, I think I'm going to do the individual release upgrades (3.8-3.9-4.0, etc etc)
>
> The 3.9 upgrade guide says:
>
> pfsync(4) http://www.openbsd.org/cgi-bin/man.cgi?query=pfsyncsektion=4 has changed format, so it can not keep state between a 3.8 and a 3.9 box. Mismatched systems will lose all connections when you switch which box is master, as states will not be transferred between systems. You can minimize the impact of this by upgrading your backup boxes first, so there is only one loss of active states.
>
> Can anyone explain what that means in terms of my existing pf configuration working as a simple router with a port forward? Does this simply mean that during the upgrade, if I had multiple servers running, that boxes would temporarily lose connectivity during the upgrade as they wouldn't switch over to a backup server automatically?

I am assuming you are using CARP in a master/backup configuration and that's what you mean when you talk about switching over to a backup server automatically. Please disregard if that is not true.

It seems pretty straightforward from the notes:

1) Upgrade your backup box.
2) Fail over to it, losing all current states -- dropping all established connections, but being immediately available to create new ones. It's not a full loss of connectivity, but any established connections will be dropped.
3a) Optionally change the advskew of the carp interfaces on your primary box so they don't automatically takeover as master before you get a chance to verify pfsync is working.
3b) Upgrade your primary box, verify pfsync is working (pfctl -s states), and takeover as master in carp (if you haven't already).
4) Keep upgrading!

So, like it said, there would only be one loss of established/active states.

You will hit this issue at least one more time going from 4.4 to 4.5 as well: http://www.openbsd.org/faq/upgrade45.html#pfsync
Re: kern.maxclusters vs syn proxy
I would vote no based on:

http://www.openbsd.org/faq/pf/example1.html

For an added bit of safety, we'll make use of the TCP SYN Proxy to further protect the web server.

which links to:

http://www.openbsd.org/faq/pf/filter.html#synproxy

which gets far from saying what Henning said.

On 10/2/2012 6:30 AM, David Diggles wrote:
> I think when a lot of newbies read the pf manual, they think oh... synproxy looks like it does good things, and without really understanding it, enable it by default?
>
> On Tue, Oct 02, 2012 at 02:33:11PM +0200, Henning Brauer wrote:
>> * David Diggles da...@elven.com.au [2012-10-02 13:51]:
>>> but is this clear for newbies who read all the faqs?
>>>
>>> On Tue, Oct 02, 2012 at 01:17:03PM +0200, Henning Brauer wrote:
>>>> it once again comes down to think before pushing random buttons. this basic principle SHOULD not need documentation :)
>>
>> quite seriously, this goes deep into the workings of tcp. OpenBSD documentation cannot and does not document the details of the implemented protocols. There are entire books about tcp. Read them to understand tcp, and read the OpenBSD documentation for the OpenBSD specific bits.
>>
>> There isn't much we can do to prevent people from pushing buttons they don't understand but not providing them - which is what we do where possible. But by not providing synproxy we'd steal an important tool for fighting attacks from those who understand what they're doing.
>>
>> We're not saving you from stabbing your eye with the spoon left in your coffee mug either. We can't.
>>
>> -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

-- Tyler Morgan Systems Administrator Trade Tech Inc. tyl...@tradetech.net office: 425-837-9000 (ext. 1022) cell/sms: 206-310-8340 fax: 425-837-9008
Re: How can I send SMS from a umsm(4) usb stick?
On 7/10/2012 9:25 AM, Tomasz Marszal wrote:
> some mobile operators have gates email - sms and you send normal email for example on 607(the rest of phone number)@plusnet.pl and you get sand email on your phone as sms
>
> Plus is the only Polish operator that gives such a gate without extra pay and without a captcha on their page
>
> Best Regards Tomek Marszal

Having used this technique extensively for 10+ years on US-based ATT, Verizon, and T-Mobile accounts, I can say it's only about 90% reliable, which wasn't reliable enough for me when it came to monitoring. Sometimes messages disappear into the void, sometimes they come across as gibberish, sometimes they are delayed by hours -- but it works fine 90% of the time.

I have used asterisk with a BroadVoice account http://www.broadvoice.com/rateplans_byod.html to send real SMS messages under Linux with good results. It has been 100% reliable.

For reference, the domains for some big US carriers are:

1 + area code + num...@tmomail.net
area code + num...@vtext.com (Verizon)
area code + num...@mobile.att.net

All of these are free to use as far as I know, but you should probably call your phone company before sending hundreds of messages at once :)
Re: load now over 1.00 all the time (i386, MP)
On 6/30/2012 5:38 PM, frantisek holop wrote:
> hi there, it seems that since a couple of snapshots back, load never goes below 1.00 anymore on both of my notebooks (i386 MP). what prompted me to write this email is that now my old thinkpad is affected as well.
>
> looking at top right after boot shows that load was normal
>
> load averages: 1.14, 0.85, 0.43
>
> but current load constantly being over 1.00, the averages eventually rise as well. anybody else is seeing this?

Hi! I'm going to guess (guess!) this is normal. Others, feel free to tell me I'm wrong and go from there.

Try to avoid the snake-pit of discussing what load average actually means or why it is normal to be around 1.00 load in OpenBSD under many circumstances when the system is more or less idle. This topic has been beaten into the ground several times:

http://marc.info/?l=openbsd-miscm=130679209718361w=2
http://marc.info/?l=openbsd-miscw=2r=1s=load+averageq=b
Re: Large (3TB) HDD support
On 6/1/2012 10:04 AM, Scott McEachern wrote:
> Hello everyone, I'm hoping that I'm missing something simple (like usual) and maybe someone could straighten me out. I'm trying to add a pair of 3TB drives to my workstation, which I plan on turning into a ~3TB RAID 1 array, and seem to be having difficulty realizing the full size of the drives.

http://www.openbsd.org/faq/faq14.html#LargeDrive

I don't have any experience using disks this large in OpenBSD, but ye olde fine print:

Note that not all controllers and drivers support large disks. For example, ami(4) has a limit of 2TB per logical volume. Always be aware of what was available when a controller or interface was manufactured, and don't just rely on the connectors fit. However, it's far from hopeless, yet...
Re: a live cd/dvd?
On 5/11/2012 8:48 PM, Nick Holland wrote:
> I suspect the interest in [an OpenBSD Live CD] is rapidly approaching zero. It's a concept whose time has come...and gone, I think. Five or six years ago, yeah...cool. Today...why?.
>
> A live CD gives you a very rigid, predefined read-only environment. I think a much more useful tool these days is a USB flash drive -- they are smaller than a CD, more rugged, and probably run on more modern systems than CDs do (I say that with some uncertainty -- some modern computers come with no DVD, virtually all come with USB ports, but some have broken BIOSs).

While I generally agree a USB-based installation of whatever OS you prefer is a great solution to many tasks, I don't feel this description of a modern live CD environment is completely accurate.

Before I went home on Friday, one of our not-production, local office machines needed some more room in its root filesystem so I booted into an Ubuntu live CD (11.04, I believe), manually brought up eth0, created and setup resolv.conf, apt-get installed lvm2 via network, and used the necessary tools to extend an LVM-based ext3 filesystem.

Why did I do it that way? Because I had done it that way before without any problems, the CD was on the bench, the drive was available, it took about 20 minutes start to finish, and it effectively accomplished the task. At no point did I have to jump through any hoops like remounting something read/write. It was simply a usable Linux environment. I'm sure it had limitations that I do not know about and did not run into, but, respectfully (and rhetorically), what about that is pre-defined and rigid?

To digress a little further, one day I was talking to our small-ish, local hardware vendor and he said he should charge to remove DVD drives from rack-mounted servers because he gets them back to have the drives put back in so often, and I wasn't sure if he was kidding or not.

USB is great but, like you say, some BIOSes are broken and the death of the CD/DVD isn't upon us quite yet. I mean, look at OpenBSD's seemingly adamant support for floppy-based systems.

Anyway, I hope that perspective is useful in some way. I have no strong opinion on the usefulness of an OpenBSD live CD, and this isn't a Linux mailing list blah blah blah -- gotcha.

--
Re: authorized_keys and security(8)
On 4/25/2012 5:11 PM, Stuart Henderson wrote:
> On 2012-04-24, Tyler disc...@gmail.com wrote:
>> Hi, Is there a way to create logins that are only accessed via authorized_keys so that security(8) doesn't complain about them every day? The general goal is to disable remote root login via SSH and allow an unprivileged admin user access via key files and pass phrases (and then sudo or su).
>>
>> My problem is security(8) complains about this every day:
>>
>> Login admin is off but still has a valid shell and alternate access files in home directory are still readable.
>
> vipw and set the crypted password to 13 *'s. pretty sure the old /etc/security script did the same thing in this respect.

Thanks for the help. This worked -- security is no longer whining about the accounts -- and I found the proper documentation in passwd(5).

--
Re: authorized_keys and security(8)
On 5/3/2012 9:31 PM, Chris Cappuccio wrote:
> Mike Erdely [m...@erdelynet.com] wrote:
>> FYI: For a test, I added foo with useradd(8) and bar with adduser(8):
>>
>> # grep -E '(foo|bar)' /etc/master.passwd
>> foo:*:1002:1002::0:0::/home/foo:/bin/ksh
>> bar:*:1003:1003::0:0:bar:/home/bar:/bin/ksh
>>
>> Looks like useradd does the right thing and adduser does not.
>
> Maybe I missed the memo. When did thirteen asterisks start to mean anything different than the single traditional asterisk? sshd/login tries to hash against it but not * ?

For my specific case, it means something different to /usr/libexec/security's daily run, and Mike Erdely pointed out adduser and useradd have inconsistent behavior regarding the passwd file, which was probably the root of my original confusion.

Note that there is nothing special about `*', it is just one of many characters that cannot occur in a valid encrypted password (see crypt(3)). Similarly, login accounts not allowing password authentication but allowing other authentication methods, for example public key authentication, conventionally have 13 asterisks in the password field.

http://www.openbsd.org/cgi-bin/man.cgi?query=passwdapropos=0sektion=5manpath=OpenBSD+Currentarch=i386format=html

--
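The password-field convention discussed in this message and the previous one, as an added example that is not part of either post: a shell audit that classifies master.passwd(5)-format entries by the rule quoted from passwd(5) (13 asterisks for key-only logins, any other string containing `*` for a disabled account). The function names, the sample entries and the shells list are constructed for illustration, and the script does not reproduce security(8)'s own checks.

```shell
#!/bin/sh
# Added example: classify the password field of master.passwd(5)-format
# entries and list accounts that are "off" yet still have a login shell.

# 13 asterisks, built programmatically so the length cannot be mistyped.
KEYONLY=$(printf '%13s' '' | tr ' ' '*')

# pwfield_class FIELD -> empty | keyonly | off | hash
pwfield_class() {
    case "$1" in
        '')         echo empty ;;    # no password set at all
        "$KEYONLY") echo keyonly ;;  # passwd(5) convention for key-only logins
        *'*'*)      echo off ;;      # '*' cannot occur in a crypt(3) string
        *)          echo hash ;;     # assumed to be a hash; not validated here
    esac
}

# audit_passwd PASSWD_FILE SHELLS_FILE
# Prints "login class has_login_shell" for every entry.
audit_passwd() {
    while IFS=: read -r name pw uid gid class change expire gecos home shell; do
        case "$name" in ''|'#'*) continue ;; esac
        [ -n "$shell" ] || shell=/bin/sh   # passwd(5): empty shell means /bin/sh
        # A shell counts as a login shell if it is listed in the shells(5) file.
        if grep -qxF -- "$shell" "$2"; then valid=yes; else valid=no; fi
        printf '%s %s %s\n' "$name" "$(pwfield_class "$pw")" "$valid"
    done < "$1"
}

# off_with_shell PASSWD_FILE SHELLS_FILE
# Logins whose password field is "off" but that keep a login shell: the
# candidates for moving to the 13-asterisk form if they are key-only accounts.
off_with_shell() {
    audit_passwd "$1" "$2" | awk '$2 == "off" && $3 == "yes" { print $1 }'
}

# make_sample DIR: write constructed sample files (not real account data).
make_sample() {
    printf '%s\n' /bin/sh /bin/ksh > "$1/shells"
    {
        printf '%s\n' 'root:$2b$10$ConstructedPlaceholderNotARealHash:0:0:daemon:0:0:Charlie &:/root:/bin/ksh'
        printf '%s\n' 'foo:*:1002:1002::0:0::/home/foo:/bin/ksh'
        printf 'admin:%s:1001:1001::0:0:admin:/home/admin:/bin/ksh\n' "$KEYONLY"
        printf '%s\n' 'www:*:67:67::0:0:HTTP Server:/var/www:/sbin/nologin'
        printf '%s\n' 'guest::1004:1004::0:0::/home/guest:/bin/sh'
    } > "$1/master.passwd"
}

# Demo on the constructed sample.
demo=$(mktemp -d)
make_sample "$demo"
audit_passwd "$demo/master.passwd" "$demo/shells"
rm -rf "$demo"
```

On a real system the input would be /etc/master.passwd and /etc/shells, read as root.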
Re: OpenBSD on EC2/Amazon
On 4/25/2012 1:55 AM, Otto Moerbeek wrote:
> On Wed, Apr 25, 2012 at 12:42:30AM -0500, Fernando Quintero wrote:
>> Hi all, I have a question: Is anyone working to make possible run OpenBSD on Amazon EC2? now, It is possible to run NetBSD and FreeBSD, but I can not find much information about the progress of OpenBSD on this topic. Thanks in advanced.
>
> I don't think anybody is working on this. But there are several VPS companies around (arpnetworks.com is one) that are OpenBSD friendly. *If* I want to run a VPS, I rather give my money to a small company than some behemoth.
>
> But note that virtual systems have many drawbacks. Most importantly, the security of OpenBSD (or any system run on a virtual system) is bounded by the security of the VM implementation. It's another layer that could cause security problems.
>
> -Otto

Couldn't be timed better, VMWare confirms ESX source code leak: http://blogs.vmware.com/security/2012/04/vmware-security-note.html

I'm sure hypervisor-guest VM exploits exist already, and hopefully this will lead to more, because it is nearly unaddressed in all the virtual computing I work with.

--
Re: Performance problems with OpenBSD 4.9 under ESXi 5
Hi, I setup four 4.9-RELEASE installs under ESXi 5.0.0:

amd64 as Other
amd64 as FreeBSD
i386 as Other
i386 as FreeBSD

All 4 got 512megs of RAM, unlimited use of the 8 available CPU cores, and totally default installs other than stress from ports. After installing I ran

    stress --cpu 8 --io 4 --vm 2 --vm-bytes 128M --hdd 4 --hdd-bytes 128M --timeout 60s

in an infinite loop for a few hours. Then I let them sit for a couple days. Then I ran the stress loops again for a few hours with 3 days of uptime.

I verified the stress was pegging 95%+ of all CPU, doing about 75% of what the RAID array is capable of in disk read/write, and as much RAM as I'd let it have -- all verified using ESXi's standard host monitoring.

At the end of testing, I have no unusual messages in dmesg, a normal 0.5ish load when idle, and no noticed performance issues on all four virtual machines.

The ESXi host is a 3.5 year old SuperMicro server from Penguin Linux with 2xXeon X5365s, 32Gigs of ECC DDR3, and an Adaptec RAID controller. I can get a real dmesg out of the ESXi host if anyone wants it, and someone already provided a dmesg of 4.9-RELEASE under VMWare, but I can also provide those if desired.

I will leave these VMs around for at least a couple weeks so feel free to ask if you would like me to do anything to help troubleshoot the problem you're having. It seems to me that running OpenBSD under virtual environments does not get a lot of attention (largely for obvious security reasons, I'd guess), but ESXi is an important part of the systems I manage and am happy to help as best I can with anything VMWare related.

On 10/28/2011 9:15 PM, Gene wrote:
> I was wrong, just changing the guest OS type did not fix my problem. The morning following this email I found the CPU being pegged again. I ended up installing the i386 version of 4.9 and used FreeBSD 32-bit as the guest os type. These VMs have been running for four days without a problem. If it occurs again I'll try the other suggestions provided here.
>
> -Gene

-- Tyler Morgan Systems Administrator Trade Tech Inc.
Re: RAID options for OpenBSD
On 6/17/2011 10:03 AM, Christian Weisgerber wrote:
> Tomas Bodzar tomas.bod...@gmail.com wrote:
>> You will not be happy with reliability of SSD http://www.codinghorror.com/blog/2011/05/the-hot-crazy-solid-state-drive-scale.html
>
> After lots and lots of useless blather, the first interesting tidbit shows up in a comment more than halfway down the page:
>
> | Over at blekko, we've had 3 SSD failures after 1.5 years, out of
> | 700 drives. These are Intel X-25M 160G2 drives.
>
> That's the sort of figure you'd expect for spinning platters, too.

Yeah, this is a terrible blog post. Like the commenters on it say, there must have been environmental factors like heat or bad power.

YMMV but, I have about 60 SSDs in production and haven't had a single one fail in the ~1.5 years we've been moving everything to SSD. Crucial 32Gs in half dozen OpenBSD router pairs all running smoothly. RAID10s of Intel X-25Ms and 320s and (soon!) 510s. I love SSDs.

I decided, for my fairly basic router needs, to not use RAID in OpenBSD and instead rely on CARP and backups. I am more worried about the power supply and the motherboard going wonky before the SSD.
Re: Why does GENERIC kernel for OpenBSD 4.8 and 4.9 not support software RAID
On 5/4/2011 10:04 AM, Josh Grosse wrote:
> I still use raid(4) -- RAIDframe -- for its root-on-RAID capability. I eagerly await the completion of root-on-RAID with softraid(4). My thanks to Joel, Jordan, Marco, and the rest of the team developing this.

I use RAIDFrame too, but it was a mistake; I had no idea RAIDFrame was no longer maintained and had no idea of the existence of softraid when I installed and implemented 4.6/4.7 machines over the last year or so.

I hadn't used OpenBSD since 3.x days but I knew I needed it for some routing at work. I also knew I needed some software RAID. Almost every result from Googling something along the lines of "installing OpenBSD onto a software RAID" leads to a RAIDFrame guide like the one at http://www.eclectica.ca/howto/openbsd-software-raid-howto.php

I'm excited to hear softraid is coming along, and remember reading that support for booting off of one was recently committed. The work done on softraid is very appreciated and I look forward to seeing more of it committed, but the reality is there is a significant split regarding software RAID in OpenBSD. I bet I'm not the only person using RAIDFrame close to production without realizing it's not even maintained code.

I think this is mainly due to the fact that softraid can't be used for the root partition (or booted off of, for now). This leads everyone to follow RAIDFrame guides to install OpenBSD onto software RAID1, but nobody bothers to mention that RAIDFrame isn't actually maintained anymore. And I have a feeling it's why my routers crash once every few months or so with some odd, sd0/sd1 related FIFO errors (using SSDs too...).

I'm currently pulling RAIDFrame out of various routers and not using any RAID at all anymore -- CARP + pfsync + duplicate hardware is enough for what these routers do.

In no way am I blaming anyone here -- it's obviously my fault that I didn't read the 4.7 FAQ closer and learn about softraid -- but I think large amounts of people are being led to RAIDFrame via Google without fully realizing what they are using or why they might be making a bad decision.