Re: xfsdump INTERRUPT
Hi,

mkdir /mnt/fap
mkdir /mnt/hr20
mount -t xfs -o rtdev=/dev/sda3 /dev/sda2 /mnt/fap
mount -t xfs -o rtdev=/dev/sdb3 /dev/sdb2 /mnt/fap

You mount both devices to the same destination /mnt/fap

Regards,
Erwin
suspend on Thinkpad T40
This is current/i386 on a Thinkpad T40 (dmesg below). It's an APM machine; no acpi. I am running apmd -A, and have scripts in /etc/apm/ that just go

logger -f /var/log/messages $0

apm -S indeed puts the machine to standby, but comes right back up itself. Is that intended?

Nov 20 09:11:49 ibm root: /etc/apm/standby
Nov 20 09:12:02 ibm root: /etc/apm/resume
Nov 20 09:12:02 ibm apmd: system resumed from APM sleep

Suspend mostly works, triggered either by an explicit apm -s, or Fn+F4, or closing the lid.

Nov 20 09:25:41 ibm root: /etc/apm/suspend
Nov 20 09:26:16 ibm root: /etc/apm/resume
Nov 20 09:26:16 ibm apmd: system resumed from APM sleep

After a successful resume, everything seems to be in order, including X and open connections (haven't tested wifi though).

Mostly means that it _usually_ resumes back up, by either pressing the power button or pressing Fn. But sometimes it doesn't. The only pattern I have spotted is that it fails to resume back if it has been suspended for longer: after two minutes of suspend, it always comes back; after ten minutes of suspend, it never comes back. What could be causing that?

The exact method of suspending (lid, button, Fn+F4) seems to be irrelevant to this; the method of waking up too: when it happens, there is no reaction to nothing. The only way to get back up then is to remove the power and battery and have a rough awakening. Being on AC or not, or plugging AC in or out during the sleep doesn't seem to make a difference either.

Also, I have machdep.lidsuspend=0, but the machine still suspends when I close the lid - is that intended? Are there other settings that regulate when a suspend happens, possibly something that overrides machdep.lidsuspend?

Hibernate (apm -Z or Fn+F12) never happens. Fn+F12 however makes the low beep that Fn+F4 makes, so perhaps it is attempting something; there is nothing in the logs though. The console/xterm says

System will enter hibernate mode momentarily.

but nothing happens after that.
I understand that the suspend/hibernate subsystem is currently being heavily worked on, particularly on i386, and I want to thank the people improving that. Is there something specific I should test or report?

Thank you for your time

Jan
Re: ftp(1) errors on an HTTPS url
On 2012-11-18, Rodolfo Gouveia rgouv...@cosmico.net wrote:
> On Fri, Nov 16, 2012 at 08:23:40PM +, Rodolfo Gouveia wrote:
>> Hello,
>> It seems that https://www.prelude-ids.org doesn't play well with the ftp(1).
>> I normally get an 'improper response':
>> $ ftp -v -d https://www.prelude-ids.org/attachments/download/241/libprelude-1.0.1.tar.gz
>> host www.prelude-ids.org, port (null), path attachments/download/241/libprelude-1.0.1.tar.gz, save as libprelude-1.0.1.tar.gz.
>> Trying 88.190.33.136...
>> Requesting https://www.prelude-ids.org/attachments/download/241/libprelude-1.0.1.tar.gz
>> received 'f'
>> ftp: Improper response from www.prelude-ids.org
>
> Tried this with wget and got:
> $ wget https://www.prelude-ids.org/attachments/download/241/libprelude-1.0.1.tar.gz
> --2012-11-18 19:34:08-- https://www.prelude-ids.org/attachments/download/241/libprelude-1.0.1.tar.gz
> Resolving www.prelude-ids.org (www.prelude-ids.org)... 88.190.33.136
> Connecting to www.prelude-ids.org (www.prelude-ids.org)|88.190.33.136|:443... connected.
> ERROR: cannot verify www.prelude-ids.org's certificate, issued by `/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA':
> Unable to locally verify the issuer's authority.
> To connect to www.prelude-ids.org insecurely, use `--no-check-certificate'.
>
> So maybe the problem is the certificate?

No this is just because /etc/ssl/cert.pem is hopelessly out of date. You can use the one from http://curl.haxx.se/docs/caextract.html :-

# ftp -o/etc/ssl/cert.pem http://curl.haxx.se/ca/cacert.pem

(this is a repackaged version of the Mozilla certificate store).

> This particular URL is from a port that I'm working on so I'll be using wget for FETCH_CMD.

FETCH_CMD may not be used in a port Makefile, it's a user setting only, this file would need to be mirrored for now (if the license permits).

One thing I noticed is that if I connect with openssl s_client and make a GET or HEAD request using the HOST header, this server does a renegotiation. Not sure why (doesn't seem to be SNI). But in any event ftp(1) doesn't seem to handle it very well..

...
HEAD / HTTP/1.0
HOST: www.prelude-ids.org

depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
verify error:num=20:unable to get local issuer certificate
verify return:0
read R BLOCK
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2012 12:29:19 GMT
Server: Apache
...
Re: suspend on Thinkpad T40
On Tue, Nov 20, 2012 at 2:55 AM, Jan Stary h...@stare.cz wrote:
> This is current/i386 on a Thinkpad T40 (dmesg below). It's an APM machine; no acpi. I am running apmd -A, and have scripts in /etc/apm/ that just go
> ...
> Suspend mostly works, triggered either by an explicit apm -s, or Fn+F4, or closing the lid.
> ...
> After a successful resume, everything seems to be in order, including X and open connections (haven't tested wifi though). Mostly means that it _usually_ resumes back up, by either pressing the power button or pressing Fn. But sometimes it doesn't. The only pattern I have spotted is that it fails to resume back if it has been suspended for longer: after two minutes of suspend, it always comes back; after ten minutes of suspend, it never comes back.
> ...
> Also, I have machdep.lidsuspend=0, but the machine still suspends when I close the lid - is that intended? Are there other settings that regulate when a suspend happens, possibly something that overrides machdep.lidsuspend?

Perhaps the BIOS is controlling this.

> Hibernate (apm -Z or Fn+F12) never happens. Fn+F12 however makes the low beep that Fn+F4 makes, so perhaps it is attempting something; there is nothing in the logs though. The console/xterm says System will enter hibernate mode momentarily. but nothing happens after that. I understand that the suspend/hibernate subsystem is currently being heavily worked on, particularly on i386, and I want to thank the people improving that. Is there something specific I should test or report?

While hibernation is being worked on, a fair amount of that work focuses on ACPI hibernate--APM hibernate is not the focus (and this is handled by the BIOS on my ThinkPad). That said, my T42p suspends and hibernates mostly without incident--including Wi-Fi--but there were some things I needed to do for the BIOS-based hibernate to work and they revolved around the tphdisk package.
Re: ftp(1) errors on an HTTPS url
On Tue, Nov 20, 2012 at 12:43:38PM +, Stuart Henderson wrote:
>> So maybe the problem is the certificate?
>
> No this is just because /etc/ssl/cert.pem is hopelessly out of date. You can use the one from http://curl.haxx.se/docs/caextract.html :-
>
> # ftp -o/etc/ssl/cert.pem http://curl.haxx.se/ca/cacert.pem
>
> (this is a repackaged version of the Mozilla certificate store).

Cool. I thought that could be the problem (outdated certificate store) but look further.

>> This particular URL is from a port that I'm working on so I'll be using wget for FETCH_CMD.
>
> FETCH_CMD may not be used in a port Makefile, it's a user setting only, this file would need to be mirrored for now (if the license permits).

I'll check that. Thanks!
Four no
Just look at this beautiful name for command-line parameter:

-Wno-non-virtual-dtor

Again, step by step:

Warnings
No
Non
Virtual
De-
structor

No, Non, Virtual and De-. Four times no. Excellent example of brilliant software (all of the lang, compiler and piece of shit being built) design, isn't it? :)

--
WBR,
Vadim Zhukov
Re: OpenBSD hangs when i unplug USB disk
Marcos Ariel Laufer wrote:
On 11/18/2012 12:35 PM, Paul de Weerd wrote:
On Thu, Nov 15, 2012 at 01:04:02PM -0300, Marcos Laufer wrote:
| I did this quite often a couple of weeks ago. Haven't tried for a
| while (no need) and have upgraded to newer snaps a bunch of times
| since. Tonight I'll confirm I can unplug safely on the latest snap.
|
| Thank you Paul, i look forward for the results of your testing tonight.

Apologies for the late response; my Thursday plans got changed at the last minute. However, I've verified that unplugging works fine with the latest snapshot. So no regressions from my POV.

Paul 'WEiRD' de Weerd

Damn, why mine isn't working fine then? Do you have i386 or AMD? I'll try latest 5.1 and 5.2 tomorrow and see what happens.

Ok, i've just tried it on a OpenBSD 5.1 and unplugging the USB works just fine, no crash, no freeze.

The weird thing and i don't understand why, is that you guys had good results with old OpenBSD versions and i didn't.

Regards,
Marcos
Re: OpenBSD hangs when i unplug USB disk
On Mon, Nov 19, 2012 at 06:14:49PM -0300, Marcos Ariel Laufer wrote:
| However, I've verified that unplugging works fine with the latest
| snapshot. So no regressions from my POV.
|
| Damn, why mine isn't working fine then? Do you have i386 or AMD?
| I'll try latest 5.1 and 5.2 tomorrow and see what happens.

I've tested all currently connected disks on my machine:

sd0 at scsibus1 targ 1 lun 0: WD, My Passport 0740, 1003 SCSI4 0/direct fixed
sd1 at scsibus2 targ 1 lun 0: WD, My Passport 0748, 1010 SCSI4 0/direct fixed
sd2 at scsibus3 targ 1 lun 0: WD, My Passport 0730, 1015 SCSI4 0/direct fixed
sd3 at scsibus4 targ 1 lun 0: WD, My Passport 070A, 1032 SCSI2 0/direct fixed
sd4 at scsibus5 targ 1 lun 0: WD, My Passport 0748, 1010 SCSI4 0/direct fixed
sd5 at scsibus6 targ 1 lun 0: WD, My Passport 0748, 1010 SCSI4 0/direct fixed

which is running:

kern.version=OpenBSD 5.2-current (GENERIC.MP) #112: Tue Nov 13 12:57:16 MST 2012
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

and I've not been able to reproduce the issue (dmesg with detach and re-attach cycle for all disks included below).

In the past, I ran i386 on another machine which also used a My Password disk (1008) and did not have this issue there either, so I don't think it's an i386-only problem...

Cheers,
Paul 'WEiRD' de Weerd
Re: xfsdump INTERRUPT
That was just a mistake in the posting, sorry. I retried it just in case, and had the same result with the line corrected.

mount -t xfs -o rtdev=/dev/sdb3 /dev/sdb2 /mnt/hr20

Best,
J.

On Nov 20, 2012, at 3:38 AM, Erwin Schliske-3 [via OpenBSD] ml-node+s7691n219236...@n7.nabble.com wrote:
> Hi,
>
> mkdir /mnt/fap
> mkdir /mnt/hr20
> mount -t xfs -o rtdev=/dev/sda3 /dev/sda2 /mnt/fap
> mount -t xfs -o rtdev=/dev/sdb3 /dev/sdb2 /mnt/fap
>
> You mount both devices to the same destination /mnt/fap
>
> Regards,
> Erwin
Re: OpenBSD hangs when i unplug USB disk
On 2012 Nov 20 (Tue) at 12:45:09 -0300 (-0300), Marcos Laufer wrote:
:Ok , i've just tried it on a OpenBSD 5.1 and unplugging the USB works
:just fine, no crash, no freeze.
:
:The weird thing and i don't understand why, is that you guys had good
:results with old OpenBSD versions and i didn't.
:

No, nobody bothered with older versions. We run -current, or 5.1 at the latest.

--
Did you know that Spiro Agnew is an anagram of Grow a Penis?
Re: OpenBSD hangs when i unplug USB disk
Peter Hessler wrote:
On 2012 Nov 20 (Tue) at 12:45:09 -0300 (-0300), Marcos Laufer wrote:
:Ok , i've just tried it on a OpenBSD 5.1 and unplugging the USB works
:just fine, no crash, no freeze.
:
:The weird thing and i don't understand why, is that you guys had good
:results with old OpenBSD versions and i didn't.
:
No, nobody bothered with older versions. We run -current, or 5.1 at the latest.

I'm sorry, but some people bothered, even asked me to send info because this worked with old versions of the OS to them and not to me. So i guess it has something to do with the firmware on the disk, i don't really know. But if it works on 5.1 then that's enough for me.
Re: Replacing Apache with nginx
On Mon, Nov 19, 2012 at 04:42:57PM -0300, Martín Ferco wrote:
> I can see that some files have been updated by the OpenBSD team, reading README.OpenBSD in the source directory. One of those changes seems to have been the inclusion of the -u flag to chroot nginx (I'm not entirely sure about this, but I can't find that switch in a 1.2.5 release for CentOS).

Good catch!

> Has it gone through an audit process of some sort by the OpenBSD team? I think that was performed for the Apache code, and patches were applied because of that.

Human resources are limited.

> Last, but not least, is there a recommended way to compile/add modules to nginx? I had to modify the Makefile.bsd-wrapper to do that, as it looked like the only way to add 3rd party modules to it. Is there a suggested way to do that?

/usr/ports/www/nginx

jirib
Re: xfsdump INTERRUPT
On Mon, Nov 19, 2012 at 02:10:09PM -0800, rlinsurf wrote:
> I'm trying to use xfsdump to copy all the files from my home DVR to a bigger hard drive.

You sent probably to bad list, this is linux stuff.

jirib
Re: xfsdump INTERRUPT
Can you tell me which list it belongs in?

Best,
J.

On Nov 20, 2012, at 3:59 PM, Jiri B-2 [via OpenBSD] ml-node+s7691n219270...@n7.nabble.com wrote:
> On Mon, Nov 19, 2012 at 02:10:09PM -0800, rlinsurf wrote:
>> I'm trying to use xfsdump to copy all the files from my home DVR to a bigger hard drive.
>
> You sent probably to bad list, this is linux stuff.
>
> jirib
Re: relayd and header directives
I'm seeing this exact same issue after upgrading a firewall this afternoon; any use of the header(); function in PHP with SSL is causing a big 500 Internal Server Error page to be displayed by relayd, while the other firewall (which I'm now holding out on upgrading) is having no issues at all when it's the CARP master:

Nov 20 13:06:23 fw02 relayd[4423]: relay wwwssl, session 134 (2 active), 0, ***.***.127.152 -> 192.168.21.218:443, invalid (500 Internal Server Error)
Nov 20 13:06:26 fw02 relayd[32703]: relay wwwssl, session 166 (1 active), 0, ***.***.114.27 -> 192.168.21.207:443, invalid (500 Internal Server Error)
Nov 20 13:06:27 fw02 relayd[5856]: relay wwwssl, session 207 (2 active), 0, ***.***.192.47 -> 192.168.21.218:443, invalid (500 Internal Server Error)
Nov 20 13:06:30 fw02 relayd[32703]: relay wwwssl, session 167 (1 active), 0, ***.***.130.66 -> 192.168.21.213:443, invalid (500 Internal Server Error)
Nov 20 13:06:34 fw02 relayd[20956]: relay wwwssl, session 191 (1 active), 0, ***.***.127.152 -> 192.168.21.218:443, invalid (500 Internal Server Error)

Any suggestions?

Thanks,
Andrew Klettke
Systems Admin
Optic Fusion

On 11/15/2012 04:04 AM, Bogdan Andu wrote:
> Hello,
>
> I looked briefly in relay.c file and it seems that in the function void relay_read_http/2 - which is called only in ssl context - the following piece of code produces the error:
>
>	} else if ((cre->method == HTTP_METHOD_DELETE ||
>	    cre->method == HTTP_METHOD_GET ||
>	    cre->method == HTTP_METHOD_HEAD ||
>	    cre->method == HTTP_METHOD_OPTIONS ||
>	    cre->method == HTTP_METHOD_POST ||
>	    cre->method == HTTP_METHOD_PUT ||
>	    cre->method == HTTP_METHOD_RESPONSE) &&
>	    strcasecmp("Content-Length", pk.key) == 0) {
>		/*
>		 * Need to read data from the client after the
>		 * HTTP header.
>		 * XXX What about non-standard clients not using
>		 * the carriage return? And some browsers seem to
>		 * include the line length in the content-length.
>		 */
>		cre->toread = strtonum(pk.value, 0, ULLONG_MAX, &errstr);
>		if (errstr) {
>			relay_close_http(con, 500, errstr, 0);
>			goto abort;
>		}
>
> pk.value contains a value that cannot be converted to a number, hence the function strtonum sets the error invalid in errstr, which appears in this log message:
>
> relayd www_ssl, session 1 (1 active), 0, 10.10.11.66 -> 127.0.0.1:8080, invalid
>
> I think the problem is that the variable pk.value contains whatever follows after the header Content-Length. For example, curl sends this header to the server:
>
> $ curl -XPOST -k -v https://server/cgi-bin/query -d'param1=val1&param2=val2'
> ** SSL handshake***
> POST /cgi-bin/query HTTP/1.1
> User-Agent: curl/7.27.0
> Host: server
> Accept: */*
> Content-Length: 23
> Content-Type: application/x-www-form-urlencoded
>
> The code stops reading further key:value header entries when encounters Content-Length, and any entry, like Content-Type: application/x-www-form-urlencoded, that follows is accumulated in pk.value, and cannot be converted to number because contains alphanumeric characters yielding the error invalid, in conversion, while pk.key remains with value Content-Length.
>
> What is curious enough is that a plain http request does not even calls this function, and that is why is working.
>
> Bogdan
>
> From: Bogdan Andu bo...@yahoo.com
> To: Sebastian Benoit be...@openbsd.org; misc@openbsd.org misc@openbsd.org
> Cc: r...@openbsd.org r...@openbsd.org
> Sent: Thursday, November 15, 2012 9:36 AM
> Subject: Re: relayd and header directives
>
> Hello,
>
> In the meanwhile I have discovered the following issues:
>
> [WITH SSL]:
> 1) No headers directives are allowed - the session is reported as invalid
> 2) If the POST arguments are sent as usual, like this:
> $ curl -XPOST -k -v https://server/cgi-bin/query -d'param1=val1&param2=val2'
> relayd reports the session invalid:
> relayd www_ssl, session 1 (1 active), 0, 10.10.11.66 -> 127.0.0.1:8080, invalid
> and the local web server is not accessed
> 3) If the POST arguments are converted into GET like this:
> $ curl -XPOST -k -v 'https://server/cgi-bin/query?param1=val1&param2=val2'
> everything work ok. Although there are sessions reported as invalid, the dialog with local web server works, and the response returns to the client
>
> [WITHOUT SSL]
> Everything work as expected with and without header directives
>
> So, if the relayd does not makes ssl offloading seems that everything work ok. I suspect there must be something with ssl processing. The machine is in trunk0 setup with link failover in dual stack. So the relayd listens on both IPv4 and IPv6. With or without SSL offloading I cannot change
Re: Replacing Apache with nginx
On Mon, Nov 19, 2012 at 04:42:57PM -0300, Martín Ferco wrote:
> I can see that some files have been updated by the OpenBSD team, reading README.OpenBSD in the source directory. One of those changes seems to have been the inclusion of the -u flag to chroot nginx (I'm not entirely sure about this, but I can't find that switch in a 1.2.5 release for CentOS).

No, the -u flag DISABLES the default chroot. From the manpage:

     -u      By default nginx will chroot(2) to the home directory of the user running the daemon, typically ``www'', or to the home directory of user in nginx.conf. The -u option disables this behaviour, and returns nginx to the original unsecure behaviour.

This is the same approach as in OpenBSD's Apache. Don't use the -u flag unless you know what you're doing and have an excellent reason.

Nicolai
PF altq and limiting traffic among multiple interfaces
Hi,

Searched for this for a while. Found below old post, without answer. Is this actually possible to setup that way?

From http://marc.info/?l=openbsd-pf&m=112015092309886&w=2

List: openbsd-pf
Subject: Altq - limiting traffic among multiple interfaces
From: Jonathan Camenisch alaythia () gmail ! com
Date: 2005-06-30 14:15:55
Message-ID: fd5fdde005063007153fc4c2c2 () mail ! gmail ! com

In our organization, I'd like to use Altq to keep any one process (download or whatever) from hogging bandwidth and degrading performance for others. It's more complicated than I expected, though, and I haven't been able to find an example that's much like my environment (I'd be glad to publish mine if I could get it working well).

Here's the layout:

Office (internal) subnet        DMZ
          |                    /
       [fxp0]             [fxp1]
Internet ---[fxp4]OpenBSD/pf firewall
       [fxp2]             [fxp3]
          |                    \
Guest class 1 subnet     Guest class 2 subnet

We have sort of a conference center, so we're providing access for guests as well as offices. Hence all the subnets. We also host some of our own web sites on the DMZ.

Now to make it more complicated, our fractional T1 provides 512Kb of *total* bandwidth. That is, the total of upload *and* download bandwidth can never exceed 512Kb.

Ideally, I would like to set up a single 512k queue and divy it up (with cbq) among all traffic that passes in or out of fxp4, regardless of which interface it exits. (I'd really like to allow borrowing among all directions.) But as far as I know, there's no way to do exactly that.

What I'm hoping someone could suggest is, what's the best I can do? That is, how can I get the best utilization out of my limited connection while preventing anything from hogging it?

Forgive me if I'm overlooking information that's already available. I'm afraid my brain's gotten a little scrambled trying to adapt the altq model to this scenario.

Thank you for your time!

Jonathan

--
best regards
q#
Re: relayd and header directives
A little more info; turns out this is happening on any POST when you have the option ``header change Connection to close`` in your http protocol stanza, and not necessarily when the header(); function is called, as I previously thought.

Here's the simple script I was using to test:

<?php
echo "<form method=POST action=\"index.php\">";
echo "<input type=\"hidden\" name=\"hidden\" value=\"1\">";
echo "<input type=\"submit\" name=\"submit\" value=\"submit\">";
echo "</form>";
?>

Clicking the submit button instantly gets me a 500 error from relayd in 5.2 when my http protocol is defined like so:

http protocol httpssl {
	header append "$REMOTE_ADDR" to "X-Forwarded-For"
	header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
	header change "Keep-Alive" to "$TIMEOUT"
	header change "Connection" to "close"
	tcp { nodelay, sack, socket buffer 65536, backlog 128 }
	return error
	ssl { sslv3, tlsv1, no sslv2, ciphers "HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM" }
}

Commenting out the ``header change Connection to close`` option makes everything work just fine, as far as I can tell.
Thanks,
Andrew Klettke
Systems Admin
Optic Fusion
253-830-2943
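The strict Content-Length conversion discussed in the relay.c analysis quoted in this thread, as an added example that is not relayd's code and not from any poster here: it shows which header values end up reported as "invalid" or "too large", and that trimming the trailing CR/LF before conversion is what lets an ordinary `Content-Length: 23` line through. `parse_num()` is a portable stand-in for strtonum(3); `struct kv`, `split_header()`, `MAX_BODY` and the sample header lines are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAX_BODY (1ULL << 30)	/* assumed policy cap on a request body */

struct kv {			/* hypothetical holder for one header */
	char key[64];
	char value[256];
};

/*
 * Stand-in for strtonum(3), non-negative values only: *errstr is NULL on
 * success. Unlike strtonum() it also refuses leading blanks and signs.
 */
static unsigned long long
parse_num(const char *s, unsigned long long maxval, const char **errstr)
{
	char *end;
	unsigned long long v;

	errno = 0;
	v = strtoull(s, &end, 10);
	*errstr = NULL;
	if (!isdigit((unsigned char)s[0]) || *end != '\0')
		*errstr = "invalid";	/* sign, blank or trailing bytes ("23\r") */
	else if (errno == ERANGE || v > maxval)
		*errstr = "too large";
	return *errstr ? 0 : v;
}

/* Split "Key: value" and trim blanks, CR and LF around the value. */
static int
split_header(const char *line, struct kv *pk)
{
	const char *v, *colon = strchr(line, ':');
	size_t klen, vlen;

	if (colon == NULL || colon == line)
		return -1;
	klen = (size_t)(colon - line);
	for (v = colon + 1; *v == ' ' || *v == '\t'; v++)
		;
	vlen = strlen(v);
	while (vlen > 0 && strchr(" \t\r\n", v[vlen - 1]) != NULL)
		vlen--;
	if (klen >= sizeof(pk->key) || vlen >= sizeof(pk->value))
		return -1;
	memcpy(pk->key, line, klen);
	pk->key[klen] = '\0';
	memcpy(pk->value, v, vlen);
	pk->value[vlen] = '\0';
	return 0;
}

/*
 * "ok" when the line is not Content-Length or carries a valid length
 * (stored in *toread if toread is not NULL), else the reason to reject.
 */
static const char *
content_length_verdict(const char *line, long long *toread)
{
	struct kv pk;
	const char *errstr;
	unsigned long long n;

	if (split_header(line, &pk) == -1)
		return "malformed header";
	if (strcasecmp("Content-Length", pk.key) != 0)
		return "ok";
	n = parse_num(pk.value, MAX_BODY, &errstr);
	if (errstr == NULL && toread != NULL)
		*toread = (long long)n;
	return errstr != NULL ? errstr : "ok";
}

/* The parsed length, or -1 if the line has none or is rejected. */
static long long
content_length_of(const char *line)
{
	long long n = -1;

	(void)content_length_verdict(line, &n);
	return n;
}

int
main(void)
{
	/* Constructed header lines, not captured traffic. */
	const char *lines[] = {
		"Content-Length: 23\r\n",
		"Content-Length: 23 Content-Type: application/x-www-form-urlencoded",
		"Content-Length: 99999999999999999999999\r\n",
	};
	size_t i;

	for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
		printf("line %zu: %s, toread=%lld\n", i,
		    content_length_verdict(lines[i], NULL),
		    content_length_of(lines[i]));
	return 0;
}
```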
Re: PF altq and limiting traffic among multiple interfaces
I'm no pro (and I've never seen a connection that had a transfer cap applied to upstream+downstream), but if I was limited to 512 kb/s up+down, I'd want to:

1) Prioritize ACKs to limit getting hammered with retransmits
2) Throttle guests tightly but allow them to borrow from other queues; not too much, as if we allow 256k upstream we're probably getting back a lot more bottlenecked up on the downstream. PF can't control how much data hits the downstream except by limiting the upstream.
3) Have an upstream router that supports ECN/RED :P
4) Use the fancy HFSC scheduler! (huzzah)

For example:

altq on $ext_if bandwidth 128Kb hfsc queue { ack, dns, hipri, def, guest1, guest2 }
queue ack bandwidth 60% priority 6 qlimit 200 hfsc (realtime 30% ecn)
queue dns bandwidth 10% priority 5 qlimit 200 hfsc (realtime 20% ecn)
queue hipri bandwidth 10% priority 4 qlimit 150 hfsc (realtime 20% ecn)
queue def bandwidth 10% priority 2 qlimit 100 hfsc (realtime 20% ecn default)
queue guest1 bandwidth 5% priority 0 qlimit 50 hfsc (upperlimit 15% red)
queue guest2 bandwidth 5% priority 0 qlimit 50 hfsc (upperlimit 15% red)

block in all
block out on $ext_if
block out log on $int_if
block out log on $guest1_if
block out log on $guest2_if
block out log on $dmz_if

# Now to allow some traffic. For example, let's allow DNS traffic out unto the internets at priority 5, and its TCP ACKs at priority 6:
pass out on $ext_if proto {tcp udp} from any to any port 53 queue (dns, ack)

Haven't tried it, but I imagine that that ruleset beats the hell out of plain old filtering from the end users' perspective. You'll obviously need to add all the packet filtering rules for it to work, but that would be my first shot at the queueing.

Note that all the queues except guest1 and guest2 are allowed to borrow bandwidth up to 100% of the 256kb queue, but guest1 and guest2 are restricted to a max of 15% of that (so the 2 guest nets can do a max of 30% of total outbound).

Note also that we're limiting outbound traffic to 128kb because outbound + inbound are rate limited to 512k. Might actually have to reduce that a little to speed things up once it gets congested; play with it and see!

Also, there's a high probability that something about this is wrong/stupid, as it's untested, but I'm sure someone will correct me. ;)

On Tue, Nov 20, 2012 at 5:45 PM, Mikolaj Kucharski miko...@kucharski.name wrote:

Hi,

Searched for this for a while. Found below old post, without answer. Is this actually possible to setup that way?

From http://marc.info/?l=openbsd-pf&m=112015092309886&w=2

List: openbsd-pf
Subject: Altq - limiting traffic among multiple interfaces
From: Jonathan Camenisch alaythia () gmail ! com
Date: 2005-06-30 14:15:55
Message-ID: fd5fdde005063007153fc4c2c2 () mail ! gmail ! com

In our organization, I'd like to use Altq to keep any one process (download or whatever) from hogging bandwidth and degrading performance for others. It's more complicated than I expected, though, and I haven't been able to find an example that's much like my environment (I'd be glad to publish mine if I could get it working well).

Here's the layout:

        Office (internal) subnet      DMZ
                    |                /
                 [fxp0]         [fxp1]
Internet ---[fxp4]OpenBSD/pf firewall
                 [fxp2]         [fxp3]
                    |                \
        Guest class 1 subnet    Guest class 2 subnet

We have sort of a conference center, so we're providing access for guests as well as offices. Hence all the subnets. We also host some of our own web sites on the DMZ.

Now to make it more complicated, our fractional T1 provides 512Kb of *total* bandwidth. That is, the total of upload *and* download bandwidth can never exceed 512Kb.

Ideally, I would like to set up a single 512k queue and divvy it up (with cbq) among all traffic that passes in or out of fxp4, regardless of which interface it exits. (I'd really like to allow borrowing among all directions.) But as far as I know, there's no way to do exactly that.

What I'm hoping someone could suggest is, what's the best I can do? That is, how can I get the best utilization out of my limited connection while preventing anything from hogging it?

Forgive me if I'm overlooking information that's already available. I'm afraid my brain's gotten a little scrambled trying to adapt the altq model to this scenario.

Thank you for your time!

Jonathan

--
best regards
q#
Re: PF altq and limiting traffic among multiple interfaces
Mikolaj,

Before I get into this, do you really have a connection where your total bandwidth in both directions is pooled? If so you will need to modify my approach somewhat, as I've not been in that situation myself. For reference, my full rule set for my home network appears at the end of this message.

PF only queues on outbound traffic, so to shape your traffic in both directions you must be operating PF in a router or bridge configuration. People sometimes make the mistake of thinking that this means that PF cannot queue download traffic. As I said earlier, PF cannot queue inbound traffic on an interface. There is a difference between queuing inbound traffic and queuing download, because inbound traffic relates to an interface while download is applied as a perspective dependent concept. With the correct configuration, you can configure your external interface to queue packets for "upload" and your internal interface to queue packets for "download". I use quotes to indicate that these terms are relative to the perspective of a machine behind your router on your internal network.

In short, the problem with keeping state across interfaces (PF's default) is that it makes it impractical, if not impossible, to have packets in different queues on both your internal and external network interfaces. To fix this, you need to configure PF to keep state on a per interface basis. This is done with a declaration in PF of set state-policy if-bound. Once that is done, a little extra work needs to be done with your pass rules.

1. You will have to determine a way to identify the priority of new packets that you wish to pass in from your internal network, such as by IP, IP range, VLAN, or real interface. On each of those pass in rules you will assign the packet to the corresponding queue on the external interface and tag the packet with an identifier for the type of queuing it needs.
2. On your external interface you will need pass out rules that sort the traffic according to how they were tagged by the internal interface pass in rule. The pass out rule will assign the packet to the corresponding queue on the internal interface.
3. The mechanism of keeping state will take care of the rest.
4. If you plan to have any open ports on your external interface (ssh, http, bittorrent), you will need to repeat the above using the external interface in step 1, and the internal interface in step 2.
5. You will also need at least one rule to allow packets to pass out from each interface on the router/bridge machine itself. You can queue these specifically or let them go to the default queue.

The examples of this in my rule set below should be evident if you take the time to understand it.

You might also want to read a question I asked a few days ago on this list. It will help you to understand a strange limitation I've encountered with this type of configuration. See http://marc.info/?l=openbsd-misc&m=135325644931124&w=2 if you are interested. No one has responded to that message, so I am not sure if the defect exists in my rule set or in PF itself. My intuition tells me that PF is the problem, but my experience tells me that my intuition cannot be trusted in these matters. :)

I hope this is what you were looking for.

Breen Ouellette

---

# PF optimized for home router.
# UPDATED: 2012-Nov-17
###
# Preamble:
# REMEMBER: Enable the following line in /etc/sysctl.conf:
# net.inet.ip.forwarding=1
# Blocked1Hr table requires matching crontab entry to expire blocked IPs:
# * * * * * pfctl -t Blocked1Hr -T expire 3600 > /dev/null 2>&1
# Filtering of ssh abusers also requires that sshd_config is updated to listen on ports 10 and 16.

ExtIf = "em1"
ExtIP = "(em1)"
IntIf = "em0"
VLAN1If = "vlan1"
VLAN1Net = "vlan1:network"
VLAN2If = "vlan2"
VLAN2Net = "vlan2:network"
AthenaIP = "172.16.0.1"
ScreenerIP = "172.16.0.2"
LGO2XIP = "192.168.0.100"
SkypeIP = "192.168.0.50"

table <authpf_users> persist
table <Blocked1Hr> persist
table <SSHBlockedOnce> persist
table <SSHBlockedTwice> persist
table <SSHBlockedPerm> persist
table <CdnNets> const persist file "/etc/cdn_nets.pftable"
table <MartianNets> const persist file "/etc/martian_nets.pftable"
table <SSHAllowedIPs> const persist file "/etc/ssh_ips.pftable"

# Internal network queuing.
altq on $IntIf cbq bandwidth 5250Kb queue \
    { LGO2X_DL, PC_DL, Skype_DL, TV_DL, WiFi_DL }
queue LGO2X_DL bandwidth 650Kb priority 2 cbq(borrow ecn)
queue PC_DL bandwidth 1500Kb priority 1 cbq(borrow ecn default)
queue Skype_DL bandwidth 100Kb priority 2 cbq(ecn)
queue TV_DL bandwidth 2000Kb priority 1 cbq(borrow ecn)
queue WiFi_DL bandwidth 1000Kb priority 1 cbq(borrow ecn)

# ISP network queuing.
altq on $ExtIf cbq bandwidth 550Kb queue \
    { ACK_UL, LGO2X_UL, PC_UL, Skype_UL, TV_UL, WiFi_UL }
# 27400bps ACK_UL is required for each 1Mbps of total download bandwidth,
# assuming a 40bit ACK packet size. Real world results may vary and
Re: xfsdump INTERRUPT
http://lmgtfy.com/?q=xfs+mailing+list

On Tue, Nov 20, 2012 at 01:08:03PM -0800, rlinsurf wrote:

Can you tell me which list it belongs in?

Best,
J.

On Nov 20, 2012, at 3:59 PM, Jiri B-2 [via OpenBSD] ml-node+s7691n219270...@n7.nabble.com wrote:

On Mon, Nov 19, 2012 at 02:10:09PM -0800, rlinsurf wrote:

I'm trying to use xfsdump to copy all the files from my home DVR to a bigger hard drive.

You sent probably to bad list, this is linux stuff.

jirib