Re: Two questions.

2013-08-09 Thread Scott McEachern

Is it just me, or are the trolls around here getting more and more lame?

On 08/09/13 00:00, voic...@openmailbox.org wrote:

I got couple of questions for whom I can't find an answers,


You've obviously thought long and very hard.

I do not wish anything bad for Theo, I just need to be sure that there 
are others who could keep project going.


After running the OpenBSD project for over 20 years, I'm sure Theo never 
thought of that.  We all thank you for bringing it to his attention.


that OS they developing is powering most illegal things which you 
probably can't dream on?


I'm sure OpenBSD devs are ashamed that I use it to power my 
kitten-stomping, baby-mulching machines.  I'm also sure the people that 
make hammers and knives feel really, really bad too.



OpenBSD people could silently include trojan


I could win the lotto; gamma rays could destroy the planet; I could get 
hit by a bus.  That's why the source and commit logs are *not* available 
to the public, and the whole damn thing is proprietary. There is no 
possible way anyone could know what the devs are doing.



Thanks for reading.


No, thank-YOU for pointing out such things for the very first time.


To all that are reading, please let my lame attempt at humour be the 
first and only response. :)


--
Scott McEachern

https://www.blackstaff.ca

Those who would give up essential liberty to purchase a little temporary safety 
deserve neither liberty nor safety. -- Benjamin Franklin



Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-09 Thread Henning Brauer
* John Jasen jja...@realityfailure.org [2013-08-09 03:36]:
 Topping out per 82599 card at ~8k interrupts does not surprise me, as I
 was unable to get any of mine beyond that. I personally think the 82598
 is better under OpenBSD, using about 40% of the interrupts for similar
 bandwidth.
 
 The system showing 90% utilization at 16k interrupts surprises me. My
 systems showed about 35-40% utilization at 25-30k interrupts.

With pretty much all modern chips doing some form of interrupt
mitigation, the number of interrupts/s is meaningless for judging the amount of
traffic: the number of interrupts is NOT proportional to the number of packets.
Intel has been using a max of 8k int/s for their network chips for a
long time. The work per interrupt is anything but constant.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-09 Thread mxb
As far as I know the X540-T2 cards out on the market don't do PCI 3.0.
The cards I have are PCI 2.1, which means (if I remember my calculations right) this 
10G card is capped by the PCI bus at 6G max.
Basically Intel sells a 10G card which is capped at 6G, and this is for a single 
port. If both ports are in use, then you'll have to
divide this number by 2 (average, not a precise number).

So, per port on the X540-T2, you have a maximum of 3Gbit/s in theory, if both ports 
are used and carry on average the same amount of traffic.
If not both, 6Gbit/s.

Correct me if I'm wrong. 


//mxb

On 9 aug 2013, at 03:35, John Jasen jja...@realityfailure.org wrote:

 Apologies for the top posting, please.
 
 Interestingly, despite the E3 you're using being a newer chip, and
 having PCIE 3.0, the systems I'm running on Xeon X5570-based CPUs seem
 to have a few advantages -- and can push close to 20 Gb in testing
 scenarios.
 
 For example, it looks like the X5570 has better system bus bandwidth and
 better memory bus bandwidth (ark.intel.com lets you compare chips side
 by side).
 
 Dunno if that means anything, but it's interesting.
 
 Topping out per 82599 card at ~8k interrupts does not surprise me, as I
 was unable to get any of mine beyond that. I personally think the 82598
 is better under OpenBSD, using about 40% of the interrupts for similar
 bandwidth.
 
 The system showing 90% utilization at 16k interrupts surprises me. My
 systems showed about 35-40% utilization at 25-30k interrupts.
 
 You may want to test jumbo frames, just to see what would happen. I
 would expect you to see closer to 10 Gb/s with the same number of
 interrupts.
 
 Since I've completely ignored email etiquette tonight, please allow me
 to snip through here.
 
 On 08/08/2013 08:26 PM, Maxim Khitrov wrote:
 snip
 The BIOS on these firewalls is current. For power-saving options, when
 I first configured these systems I tried turning Intel EIST
 (SpeedStep) off, but this caused OpenBSD to panic during boot.
 
 My systems are set to maximum performance at all power savings
 steppings. I don't know if this is Dell pretending we're all stupid, or
 if your BIOS has similar settings.
 
 snip
 
 Active Processor Cores: All
 
 I would turn that off, or at least make it only dual core.
 
 As a side note, iperf doesn't crash on FreeBSD when running in UDP
 mode, so I think it's a problem with the OpenBSD package. For these
 tests I stuck with TCP and 1500 MTU. Also, I noticed that a 10 second
 test is not always sufficient to get consistent results, so I'm now
 running all tests for 60 seconds.
 
 UDP can be a little iffy. FWIW, it never hurts to verify your tool's
 results with another tool. I used nuttcp on most of my tests.
 
 
 That's... a bit faster. The CPU in the desktops is Intel i7-3770,
 which is very similar to the Xeon E3-1275v2. Is this a FreeBSD vs
 OpenBSD difference?
 
 
 Could be. It might be worth testing FreeBSD on your packet forwarding
 boxes, just to see if you get similar results.
 
 -- 
 -- John Jasen (jja...@realityfailure.org)
 -- No one will sorrow for me when I die, because those who would
 -- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring



Re: Two questions.

2013-08-09 Thread Peter N. M. Hansteen
This has been asked and answered numerous times, with generous helpings of
shitheadery that serves to mask any real information offered. Check the archives
for the obvious keywords. There's nothing to add since the last iteration.

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Accept two vlans

2013-08-09 Thread Gregory Edigarov

On 08/08/2013 02:33 PM, Joerg Streckfuss wrote:

Am 07.08.2013 16:20, schrieb Christian Weisgerber:

Well, you can either use two NICs on your gateway, one connected
to a vlan1 port on the switch, the other to vlan2.  Or you can can
set up vlan1 and vlan2 on em0 and connect them to a trunk port on
the switch.  This is straight from my home gateway:

== /etc/hostname.em0 ==
description Trunk
up

== /etc/hostname.vlan1 ==
description LAN
vlan 1 vlandev em0
inet 172.16.0.1 255.255.255.0 NONE
inet6 2001:6f8:124a::1

== /etc/hostname.vlan2 ==
description WLAN
vlan 2 vlandev em0
inet 172.16.1.1 255.255.255.0 NONE
inet6 2001:6f8:124a:1::1


I'm just a little bit curious. Why do you use VLANs instead of just a
physical
interface for each lan (wlan). Is it because VLANs give you a little bit more
flexibility?

VLANs give more flexibility, and their number can be much larger than the 
number of physically available interfaces.
 


By Joerg






--
With best regards,
 Gregory Edigarov



C partition of type 4.2BSD

2013-08-09 Thread Federico Giannici
I don't know how I made it (probably in previous releases of OS), but 
now I have a disk with the following disklabel:


# /dev/rsd2c:
type: SCSI
disk: SCSI disk
label: ST1000DM003-9YN1
duid: b0e3fc037df87899
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 121601
total sectors: 1953525168
boundstart: 64
boundend: 1953520065
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:       1953519936               64  4.2BSD   8192 65536     1 # /bu
  c:       1953525168                0  4.2BSD   2048 16384     1


As you can see the c partition is not of type unused, and some 
commands complain of this.


I wasn't able to change this situation. I tried with disklabel -E sd2, 
disklabel -d sd2, disklabel -R sd2 proto (with a proper proto 
file), but nothing changed.


What is the proper way to handle this?
Please note that a partition contains data that must be preserved (I 
umounted that partition before all disklabel commands).


The system is a 5.3 amd64, and sd2 is a normal SATA disk.

Thanks.



Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-09 Thread Brad Smith
- Original message -
 As far as I know X540-T2 out on the market don't do PCI 3.0.
 Cards I have are PCI 2.1, this means (if I remember my calculations
 right) this 10G card is caped by PCI bus - 6G max. Basically Intel sells
 10G which is caped up to 6G. and this is for the single port. If those
 ports are both in use, then you'll have to divide this number with
 2(avrg. and not precise number).

You're mentioning numbers that were relevant for PCI-X not PCIe. A single PCIe 
1 x8 slot is fine for a single port 10Gb adapter. A PCIe 2 x8 slot is required 
for a dual port 10Gb adapter.

-- 



Re: C partition of type 4.2BSD

2013-08-09 Thread gopho
On Fri, Aug 09, 2013 at 11:38:16AM +0200, Federico Giannici wrote:
 16 partitions:
 #                size           offset  fstype [fsize bsize   cpg]
   a:       1953519936               64  4.2BSD   8192 65536     1 # /bu
   c:       1953525168                0  4.2BSD   2048 16384     1

It would be more fun if c were larger. 

Well, if I were you, I would back up everything from a, 
wipe the whole disk and start anew. 



Re: ifconfig(8) --frontend

2013-08-09 Thread Craig R. Skinner
On 2013-08-04 Sun 14:30 PM |, Gregor Best wrote:
 
 known wireless ESSIDs, known gateway MAC addresses and known network
 topologies, for example When I'm at home, my gateway is 192.168.2.1,
 there's a host named Zim and one named Gir and my public IP address
 resolves back to Unity Media. That's probably unportable and needs to
 be reimplemented for every user.
 

Maybe knock up a config file for all your specific stuff?
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



/etc/mail/spamd.key permissions/ownership?

2013-08-09 Thread Craig R. Skinner
On a multi-user box, what are the recommended permissions/ownership of
/etc/mail/spamd.key?

Or is the question irrelevant as a checksum of the file is used, not its
contents?

Thanks,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: /etc/mail/spamd.key permissions/ownership?

2013-08-09 Thread Peter N. M. Hansteen
On Fri, Aug 09, 2013 at 01:05:34PM +0100, Craig R. Skinner wrote:
 On a multi-user box, what are the recommended permissions/ownership of
 /etc/mail/spamd.key?

I checked the nearest couple of spamd equipped boxes, and it tends to be

[Fri Aug 09 14:21:47] peter@skapet:~/www_sider$ ls -l /etc/mail/spamd.key 
-rw-r--r--  1 root  wheel  2048 Nov  1  2009 /etc/mail/spamd.key

(much on par with the rest of the files in that directory).

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Network appliance recommendation.

2013-08-09 Thread Francisco Valladolid H.
Hi folks.

Currently I have a wireless network serving my town using a small
form factor (mini-ITX) PC with OpenBSD for pf, squid, and a DNS cache.

I need recommendations for a rack-mount network appliance with flash
storage and five RJ45 ports.

Can anyone recommend a solution for my needs?

I'm disappointed with the other proprietary network solutions on
the market.

Best Regards.

P.S sorry for my bad english.

-- 
Francisco Valladolid H.
 -- http://blog.bsdguy.org - Jesus Christ follower.



Re: C partition of type 4.2BSD

2013-08-09 Thread Nick Holland

On 08/09/2013 05:38 AM, Federico Giannici wrote:

I don't know how I made it (probably in previous releases of OS), but
now I have a disk with the following disklabel:

# /dev/rsd2c:
type: SCSI
disk: SCSI disk
label: ST1000DM003-9YN1
duid: b0e3fc037df87899
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 121601
total sectors: 1953525168
boundstart: 64
boundend: 1953520065
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
   a:       1953519936               64  4.2BSD   8192 65536     1 # /bu
   c:       1953525168                0  4.2BSD   2048 16384     1


As you can see the c partition is not of type unused, and some
commands complain of this.


oops.  (about your use of 'c', not the complaining)


I wasn't able to change this situation. I tried with disklabel -E sd2,
disklabel -d sd2, disklabel -R sd2 proto (with a proper proto
file), but nothing changed.

What is the proper way to handle this?
Please note that a partition contains data that must be preserved (I
umounted that partition before all disklabel commands).


that response pretty well indicates insufficient backups.
Just thought I'd mention that.


The system is a 5.3 amd64, and sd2 is a normal SATA disk.

Thanks.


I'm testing on -current-ish.

Nifty.  I was able to create a disk similar to yours (used disklabel 
-e, changed the partition type from unused to 4.2BSD, and filled in 
the other fields as yours was).  I also had trouble fixing it.


It appears there is insufficient checking to prevent this from 
happening, but too much to fix it.  Maybe eXpert mode can have this 
relaxed so you can edit 'c', both to screw the pooch...and maybe unscrew 
it, too.



disklabel -E showed the overlapping partitions, asked me which I wanted 
to disable, I disabled 'c', it showed everything exactly as I wanted it, 
wrote to disk, reinvoked disklabel and the old c -- 4.2BSD was back.


disklabel -e let me change the type from 4.2BSD to MSDOS to RAID, but 
not to unused.  changing it to unused or an invalid fstype resulted 
in no change being made, with an error message if the fstype was 
unknown, but silent failure if fstype was valid.


using disklabel -e to delete the 'c' line also silently failed to change 
anything.


using disklabel -E, disabling 'c' (as I had to disable something), 
hitting A to autoconfigure the drive looked good, but upon saving and 
re-loading disklabel, 'c' was back to (in my case) RAID.  My partition 
was gone and replaced with the Autoconfig layout.



At this point, for comic relief, I'm going to point out I'm doing this 
on my netbook, which has a SD card in it that ends up with a backup of 
my believed most important files (at the time I wrote the script) every 
time I boot the machine up.  I'm doing this on my SD card.  So I, too, 
am working with insufficient backups now. :)



Here's the good news: disklabel does not hit the partitions themselves. 
 As long as I put my 'd' partition back when I am done with the exact 
same parameters it had before (and don't write anything else to that 
part of the disk), my data will still be there.  hopefully. :)


Making changes in -E then doing a disklabel -c to read from disk ended
up with no productive change.


AH-HAH!  Got it!  Definitely a work around, not what I'd call elegant, 
and it may scare the hell out of you...


1) Backup your data.  you won't need it. probably. :)

2) Go into fdisk, change the starting offset of the partition from 64 to 
63 (could be 23, too.  anything smaller than 64 and bigger than 2 or 
so).  That will screw with all the offsets for the existing disklabel, 
you will now end up with a completely new disklabel (or so I thought)


3) disklabel the disk.  Curiously, this pulled up almost my exact OLD 
disklabel, 'cept my 'd' partition (and yes, it was 'd') started at 
sector 63, instead of 64.  I have no idea where this came from.  Last I 
saw, I had most of an 'A'uto disklabel in place.  I can not explain 
this.  Finding the current disklabel, I'd have believed.  finding no 
disklabel, I expected.  Finding something too like my original disklabel 
to be an accident?  no.  Your mileage may vary.


You have a couple options here.

4a) You could just recreate exactly the disklabel you had before, and 
other than the boundstart sector being wrong (now 63, was 64), you are 
done.  Or...


4b) go back in with fdisk and move the start back to 64, and then go 
back into disklabel and rebuild things.


5) Verify that your data is intact.


I did 4b, and the big gotcha of the end result is since the disklabel 
ended up being rebuilt completely, it now has a new duid.  Unlike you, I 
didn't jot down my duid.  Yours is in the e-mail :)


So...work around.  Ugly.  I learned something, but I'm not quite sure 
what yet.  I think there's a bug in there somewhere.


Nick.



Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-09 Thread Maxim Khitrov
On Thu, Aug 8, 2013 at 9:35 PM, John Jasen jja...@realityfailure.org wrote:
 You may want to test jumbo frames, just to see what would happen. I
 would expect you to see closer to 10 Gb/s with the same number of
 interrupts.

Results for jumbo frames are below (spoiler: 10 Gbps, same number of
interrupts, 40% CPU0 usage).

 On 08/08/2013 08:26 PM, Maxim Khitrov wrote:
 Active Processor Cores: All

 I would turn that off, or at least make it only dual core.

No effect, results are also below.

 That's... a bit faster. The CPU in the desktops is Intel i7-3770,
 which is very similar to the Xeon E3-1275v2. Is this a FreeBSD vs
 OpenBSD difference?

 Could be. It might be worth testing FreeBSD on your packet forwarding
 boxes, just to see if you get similar results.

I installed FreeBSD on a USB flash drive, booted the backup firewall
from that, and ran iperf -c 127.0.0.1 -t 60:

[  3]  0.0-60.0 sec   373 GBytes  53.4 Gbits/sec

Almost the same as the desktops, so this performance boost is due to
FreeBSD (which keeps all cores at 70% load) and not the hardware.

Now for jumbo frames:

# s1: iperf -s
# c1: iperf -c s1 -t 60 -m
[  3]  0.0-60.0 sec  69.1 GBytes  9.89 Gbits/sec
[  3] MSS size 8192 bytes (MTU 8232 bytes, unknown interface)

With MTU set to 9000 along the entire path, a single client can max
out the 10 gigabit link through the firewall. This also addresses the
question of PCIe bandwidth - not an issue. I just had to double
kern.ipc.nmbjumbo9 to 12800 on all FreeBSD hosts before I could enable
jumbo frames (got ix0: Could not setup receive structures
otherwise).

Both clients together:

# s1: iperf -s
# s2: iperf -s
# c1: nc gw 1234 ; iperf -c s1 -t 60
# c2: nc gw 1234 ; iperf -c s2 -t 60
[  3]  0.0-60.0 sec  34.6 GBytes  4.95 Gbits/sec
[  3]  0.0-60.0 sec  34.5 GBytes  4.94 Gbits/sec

During all of these tests, systat shows 8k interrupts on each
interface, and CPU0 usage is 40% interrupt, 60% idle.

Going back to 1500 MTU, disabling Hardware Prefetcher and Adjacent
Cache Line Prefetch in BIOS has no effect:

# c1-s1
[  3]  0.0-60.0 sec  29.5 GBytes  4.22 Gbits/sec

# c1-s1, c2-s2
[  3]  0.0-60.0 sec  14.8 GBytes  2.12 Gbits/sec
[  3]  0.0-60.0 sec  15.7 GBytes  2.25 Gbits/sec

Same goes for disabling two of the cores:

# c1-s1
[  3]  0.0-60.0 sec  30.7 GBytes  4.39 Gbits/sec

# c1-s1, c2-s2
[  3]  0.0-60.0 sec  15.2 GBytes  2.18 Gbits/sec
[  3]  0.0-60.0 sec  15.2 GBytes  2.17 Gbits/sec

Same with bsd.sp kernel and all but one of the cores disabled:

# c1-s1
[  3]  0.0-60.0 sec  31.3 GBytes  4.48 Gbits/sec

# c1-s1, c2-s2
[  3]  0.0-60.0 sec  15.0 GBytes  2.15 Gbits/sec
[  3]  0.0-60.0 sec  16.1 GBytes  2.30 Gbits/sec

Finally, I went back to all cores enabled, bsd.mp kernel, Hardware
Prefetcher and Adjacent Cache Line Prefetch enabled:

# c1-s1
[  3]  0.0-60.0 sec  30.9 GBytes  4.43 Gbits/sec

# c1-s2, c2-s2
[  3]  0.0-60.0 sec  16.8 GBytes  2.40 Gbits/sec
[  3]  0.0-60.0 sec  14.0 GBytes  2.00 Gbits/sec

As you can see, none of these tweaks had any measurable impact. The
firewall can only handle so many packets per second. To push more
packets through, I need to reduce the per-packet processing overhead.
Here's a simple illustration of this fact using just the c1-s1 test:

# pf disabled (set skip on {ix0, ix1}):
[  3]  0.0-60.0 sec  37.4 GBytes  5.35 Gbits/sec

# pf enabled, no state on ix0:
[  3]  0.0-60.1 sec  8.28 GBytes  1.18 Gbits/sec

# pf enabled, keep state:
[  3]  0.0-60.0 sec  30.8 GBytes  4.41 Gbits/sec

# pf enabled, keep state (sloppy):
[  3]  0.0-60.0 sec  31.2 GBytes  4.46 Gbits/sec

# pf enabled, modulate state:
[  3]  0.0-60.0 sec  28.3 GBytes  4.05 Gbits/sec

# pf enabled, modulate state scrub (random-id reassemble tcp):
[  3]  0.0-60.0 sec  25.8 GBytes  3.69 Gbits/sec

The interesting thing about the last test is that systat shows double
the number of interrupts (32k total, 16k per interface) and CPU0 is
about 5% idle instead of the usual 10%. The rest is self-evident. More
work per packet = lower throughput. This is also another confirmation
that the sloppy state tracker has no performance benefits.

Unless someone has any other ideas on how to reduce the per-packet
processing time, I think ~4.5 Gbps is the most that my hardware can
handle at the default MTU. A bit disappointing, but it was the fastest
CPU that I could get from Lanner and also my first step beyond 1
gigabit.

If OpenBSD starts using multiple cores for interrupt processing in the
future, 10+ Gbps should be easy to achieve. FreeBSD is an option if
performance is critical, but for now I'd rather have all the 4.6+ pf
improvements.
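The pf rule variants measured in the c1-s1 runs above, written out as pf.conf fragments. This is an added example and not the poster's actual ruleset; the interface names ix0/ix1 and the shape of the pass rules are assumptions, and only the ingress rule on ix0 is shown for each variant. The fragments are alternatives: load one at a time, never all together.

```pf
# 1. "pf disabled": both 10GbE interfaces bypass pf entirely
set skip on { ix0 ix1 }

# 2. "no state on ix0": stateless filtering, every packet is evaluated
#    against the ruleset and nothing is remembered between packets
pass in on ix0 no state

# 3. "keep state": the default for pass rules in OpenBSD pf, so the
#    keyword can be left out; packets of known connections match the
#    state table and skip ruleset evaluation
pass in on ix0 keep state

# 4. "keep state (sloppy)": state entry without TCP sequence-number
#    window checking
pass in on ix0 keep state (sloppy)

# 5. "modulate state": pf rewrites the initial sequence numbers of the
#    connection in both directions
pass in on ix0 modulate state

# 6. "modulate state scrub (random-id reassemble tcp)": as 5 plus
#    normalisation of the IP id field and TCP segment reassembly
match in on ix0 scrub (random-id reassemble tcp)
pass in on ix0 modulate state
```

The measurements above put the stateless variant far behind the stateful ones and show the sloppy tracker buying nothing over the default; since sloppy drops the sequence-number checks that pf normally applies to TCP, there is no reason to use it on a firewall that sees both directions of the traffic.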



Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-09 Thread Henning Brauer
* Maxim Khitrov m...@mxcrypt.com [2013-08-09 17:47]:
 and ran iperf
 # s1: iperf -s
 # c1: iperf -c s1 -t 60 -m
 # s1: iperf -s
 # s2: iperf -s
 # c1: nc gw 1234 ; iperf -c s1 -t 60
 # c2: nc gw 1234 ; iperf -c s2 -t 60

your tests are flawed. you are testing iperf ('s lack of) performance.

use tcpbench. or an ixia.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-09 Thread Maxim Khitrov
On Fri, Aug 9, 2013 at 11:52 AM, Henning Brauer lists-open...@bsws.de wrote:
 * Maxim Khitrov m...@mxcrypt.com [2013-08-09 17:47]:
 and ran iperf
 # s1: iperf -s
 # c1: iperf -c s1 -t 60 -m
 # s1: iperf -s
 # s2: iperf -s
 # c1: nc gw 1234 ; iperf -c s1 -t 60
 # c2: nc gw 1234 ; iperf -c s2 -t 60

 your tests are flawed. you are testing iperf ('s lack of) performance.

 use tcpbench. or an ixia.

These aren't available from FreeBSD packages. What about nuttcp?

# c1: nuttcp -t -T60 s1
 5442.6100 MB /  10.10 sec = 4521.6131 Mbps 34 %TX 60 %RX 1233 host-retrans 0.19 msRTT

# c1: nuttcp -t -T60 s1
# c2: nuttcp -t -T60 s2
15960.2372 MB /  60.10 sec = 2227.8129 Mbps 15 %TX 32 %RX 10532 host-retrans 0.19 msRTT
17349.9260 MB /  60.10 sec = 2421.8063 Mbps 19 %TX 33 %RX 10932 host-retrans 0.20 msRTT

TCP tests don't look any different. UDP is slightly better:

# c1: nuttcp -t -u -R 10g -T 60 s1
36592.9785 MB /  60.00 sec = 5116.0419 Mbps 96 %TX 48 %RX 21725 / 37492935 drop/pkt 0.05794 %loss

# c1: nuttcp -t -u -R 10g -T 60 s1
# c2: nuttcp -t -u -R 10g -T 60 s2
22217.3467 MB /  60.00 sec = 3105.9963 Mbps 96 %TX 38 %RX 14801348 / 37551911 drop/pkt 39.42 %loss
22270.5674 MB /  60.01 sec = 3113.3326 Mbps 96 %TX 40 %RX 14875602 / 37680663 drop/pkt 39.48 %loss



Re: Two questions.

2013-08-09 Thread Nick Holland

On 08/09/2013 12:00 AM, voic...@openmailbox.org wrote:
...

The first one. We all know that the operating system OpenBSD largely
depends on lead, so what will happen when time will come for Theo? We
all know that so far people do not live thousands of years... I think
that not only me would be interesting to know the future of this great
project in case something happens. Please do not misunderstand me here,
I do not wish anything bad for Theo, I just need to be sure that there
are others who could keep project going.


same thing that happens for any open source volunteer project, or any 
sole proprietorship...or any corporation.  Someone(s) may step up, they 
may not.  They may succeed in keeping the team together, they may not. 
The project may improve, it may lessen.


A friend of mine used to work for a big corporate services company, one 
that was structured for long-term survival and so on.  Well, she lost 
her job quite unexpectedly shortly after much of the company's 
leadership was lost all at once.  You see, their corporate offices were 
in the top floors of the World Trade Center...


The only certainty is change.  Being that OpenBSD is led by one person, 
when that leadership changes, there WILL be change.  Hopefully, the net 
will be good, but you can be sure it will be mixed.


That's true no matter what, though.  change happens.  it should always 
be part of everything you implement -- the tools you use today may not 
exist in two years, and probably won't exist in recognizable form in 20 
years.  If you aren't a few weeks from retirement, this needs to be 
thought about.


Part of any good implementation plan should include how a product *will 
be replaced when need be*.  Most consumers aren't used to thinking about 
that...however commercial software vendors are quite familiar with the 
idea...and do what they can to keep you from switching products -- 
vendor lock-in.  The problem is...you have now locked your company's 
future into the health and welfare not of that vendor, but of that PRODUCT.


I cringe when I see companies dropping all their documents into 
proprietary document imaging systems and shredding the originals..  What 
do they plan to do /when/ the product becomes unsupported and 
unsupportable?  Do they realize they have married that company, not like 
a modern marriage where a trip to a lawyer will dissolve it, but the old 
style, 'til death do us part style?  Usually not.


However, if OpenBSD vanished tomorrow, the current version and its 
source code would be out there, someone will try to keep it up for a 
while, I'm sure, and meanwhile, you can migrate elsewhere.


Compare this to committee-run projects which have gone stagnant...where 
people may not notice they have in effect shut down...




2nd: how would OpenBSD leaders and developers would react, that OS they
developing is powering most illegal things which you probably can't
dream on?


you know...I'm saddened.
not that bad guys are using OpenBSD...but that the good guys don't. 
 We create the tools to take a battle tank into a spitball fight... and 
they prefer the little plastic cap that says Stay Dry on it.  It must 
work, it says 'stay-dry!'


Most people *still* haven't learned that there is more to security than 
saying I'm secure.  So the people selling kiddie porn are taking 
security more seriously than your bank.  That says something, I don't 
think I like what.


I wouldn't be surprised if some damn fool somewhere uses a connection to 
bad stuff to discourage the use of OpenBSD and other good tools.  Lots 
of damn fools in the world.



What I'm saying, is it possible that under certain
circumstances OpenBSD people could silently include trojan or any other
related piece of code which could lead of compromise of machines which
are powering deep web ?


I can't imagine anyone on the OpenBSD project going for the idea of 
adding any kind of attack against any kind of user, as it could be used 
to go after ALL kinds of users.  The track record of those kind of 
things is bad -- usually, they end up causing as much trouble for the 
innocent as the target ... see Stuxnet.


Nick.



Re: Two questions.

2013-08-09 Thread slhac tivist
@Scott

I could win the lotto; gamma rays could destroy the planet; I could get
hit by a bus.  That's why the source and commit logs are *not* available to
the public, and the whole damn thing is proprietary. There is no possible
way anyone could know what the devs are doing.


Forgive my squirrelly ignorance, but everything the devs do is revealed
with each new release, is it not? How can you call the project proprietary?
Is it so uncommon to hide source and commit logs? (i.e. in other projects)



On Fri, Aug 9, 2013 at 1:48 AM, Scott McEachern sc...@blackstaff.ca wrote:

 Is it just me, or are the trolls around here getting more and more lame.


 On 08/09/13 00:00, voic...@openmailbox.org wrote:

 I got couple of questions for whom I can't find an answers,


 You've obviously thought long and very hard.


  I do not wish anything bad for Theo, I just need to be sure that there
 are others who could keep project going.


 After running the OpenBSD project for over 20 years, I'm sure Theo never
 thought of that.  We all thank you for bringing it to his attention.


  that OS they developing is powering most illegal things which you
 probably can't dream on?


 I'm sure OpenBSD devs are ashamed that I use it to power my
 kitten-stomping, baby-mulching machines.  I'm also sure the people that
 make hammers and knives feel really, really bad too.


  OpenBSD people could silently include trojan


 I could win the lotto; gamma rays could destroy the planet; I could get
 hit by a bus.  That's why the source and commit logs are *not* available to
 the public, and the whole damn thing is proprietary. There is no possible
 way anyone could know what the devs are doing.

  Thanks for reading.


 No, thank-YOU for pointing out such things for the very first time.


 To all that are reading, please let my lame attempt at humour be the first
 and only response. :)

 --
 Scott McEachern

 https://www.blackstaff.ca

 Those who would give up essential liberty to purchase a little temporary
 safety deserve neither liberty nor safety. -- Benjamin Franklin



Re: Two questions.

2013-08-09 Thread Nick Holland

On 08/09/2013 03:43 PM, slhac tivist wrote:

@Scott


I could win the lotto; gamma rays could destroy the planet; I could get

hit by a bus.  That's why the source and commit logs are *not* available to
the public, and the whole damn thing is proprietary. There is no possible
way anyone could know what the devs are doing.


Forgive my squirrelly ignorance, but everything the devs do is revealed
with each new release, is it not? How can you call the project proprietary?
Is it so uncommon to hide source and commit logs? (i.e. in other projects)


sarcasm. everything the developers do is revealed within a few minutes 
of being done. :)


Nick.



SSHD setup

2013-08-09 Thread Lance Ferrer
I'm new to the system and I'm having difficulty getting SSHD set up.  I
would like to be able to SSH to the computer I have OpenBSD on.  I viewed
rc.conf and sshd_flags= is in there; I didn't see it in rc.conf.local.  I
tried starting it by entering /usr/sbin/sshd and received something along the
lines of this:

Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.

I'm not sure if I need to create the keys or what, looking for a little
bit of guidance.  Sorry for the trouble with probably such a simple task.

Did quite a bit of googling, no luck



Re: SSHD setup

2013-08-09 Thread Matthew Weigel

On 08/09/2013 03:24 PM, Lance Ferrer wrote:


I'm not sure if I need to create the keys or what, looking for a little
bit of guidance.  Sorry for the trouble with probably such a simple 
task.


Did quite a bit of googling, no luck


You could create them yourself by running ssh-keygen -A as root. 
However, that is run at every boot by /etc/rc (it only generates keys if 
there are no existing keys), so I would guess either a) you haven't 
rebooted yet or b) something is wrong with your system that is 
preventing these files from getting created.


You don't need sshd_flags in /etc/rc.conf.local unless you want to 
change the default set in /etc/rc.conf.


--
Matthew Weigel
hacker
unique  idempot . ent
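A pre-start check for the condition in Lance's error output, as an added example (not from the thread, and not OpenBSD's /etc/rc): it reports host keys that are missing, which `ssh-keygen -A` creates, and private keys readable by group or others, which should be mode 0600. The function names and the constructed sample directory are this example's own.

```python
"""Added example, not code from the thread: a pre-start check for the host
keys sshd refused to load in the post ("Could not load host key: ...").
The key types are taken from those error lines. /etc/rc creates missing
keys at boot with `ssh-keygen -A`, which also works when run by hand as root."""
import os
import stat
import tempfile

HOST_KEY_TYPES = ("rsa", "dsa", "ecdsa")  # the three names in the post's errors


def host_key_path(ssh_dir: str, key_type: str) -> str:
    return os.path.join(ssh_dir, f"ssh_host_{key_type}_key")


def missing_host_keys(ssh_dir: str) -> list:
    """Key types whose private key file is absent or empty."""
    return [t for t in HOST_KEY_TYPES
            if not os.path.isfile(host_key_path(ssh_dir, t))
            or os.path.getsize(host_key_path(ssh_dir, t)) == 0]


def loose_host_keys(ssh_dir: str) -> list:
    """Key types whose private key is accessible by group or others.
    A private host key should be root-owned and mode 0600."""
    out = []
    for t in HOST_KEY_TYPES:
        p = host_key_path(ssh_dir, t)
        if os.path.isfile(p):
            mode = stat.S_IMODE(os.stat(p).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                out.append(t)
    return out


def sshd_preflight(ssh_dir: str = "/etc/ssh") -> list:
    """Human-readable problems; an empty list means the keys look usable."""
    problems = [f"missing host key: {host_key_path(ssh_dir, t)}"
                for t in missing_host_keys(ssh_dir)]
    problems += [f"group/other-accessible host key: {host_key_path(ssh_dir, t)}"
                 for t in loose_host_keys(ssh_dir)]
    if missing_host_keys(ssh_dir):
        problems.append("fix: run `ssh-keygen -A` as root (what /etc/rc does at boot)")
    return problems


def make_sample_ssh_dir() -> str:
    """Constructed sample directory (hypothetical, not a real /etc/ssh):
    rsa key ok, ecdsa key world-readable, dsa key missing."""
    d = tempfile.mkdtemp(prefix="sshd-preflight-")
    for t, mode in (("rsa", 0o600), ("ecdsa", 0o644)):
        p = host_key_path(d, t)
        with open(p, "w") as f:
            f.write("constructed placeholder, not a real key\n")
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    for line in sshd_preflight(make_sample_ssh_dir()):
        print(line)
```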



Re: C partition of type 4.2BSD

2013-08-09 Thread Kenneth R Westerback
On Fri, Aug 09, 2013 at 11:38:16AM +0200, Federico Giannici wrote:
 I don't know how I made it (probably in previous releases of OS),
 but now I have a disk with the following disklabel:
 
 # /dev/rsd2c:
 type: SCSI
 disk: SCSI disk
 label: ST1000DM003-9YN1
 duid: b0e3fc037df87899
 flags:
 bytes/sector: 512
 sectors/track: 63
 tracks/cylinder: 255
 sectors/cylinder: 16065
 cylinders: 121601
 total sectors: 1953525168
 boundstart: 64
 boundend: 1953520065
 drivedata: 0
 
 16 partitions:
 #                size           offset  fstype [fsize bsize   cpg]
   a:       1953519936               64  4.2BSD   8192 65536     1 # /bu
   c:       1953525168                0  4.2BSD   2048 16384     1
 
 
 As you can see the c partition is not of type unused, and some
 commands complain of this.
 
 I wasn't able to change this situation. I tried with disklabel -E
 sd2, disklabel -d sd2, disklabel -R sd2 proto (with a proper
 proto file), but nothing changed.
 
 What is the proper way to handle this?
 Please note that a partition contains data that must be preserved
 (I umounted that partition before all disklabel commands).
 
 The system is a 5.3 amd64, and sd2 is a normal SATA disk.
 
 Thanks.
 

disklabel(8) contains a description of the 'z' command available
in the -E mode. It should kill 'c' dead. Just add 'a' back with the
same parameters it had before.

Not that Nick's solution isn't more fun!

 Ken
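A check for the invariant this thread turns on, as an added example (not code from the thread or from OpenBSD): it parses a disklabel(8) listing like the one Federico posted and reports when 'c' is not of type unused, does not start at 0, or does not span 'total sectors'. The sample text is reconstructed from the post (the fused bsize/cpg columns re-separated, the '/bu' mount point left as posted); the function names are this example's own.

```python
"""Added example, not from the thread: parse disklabel(8) output and
check the whole-disk partition 'c'. Sample reconstructed from the post."""
import re

SAMPLE_LABEL = """\
# /dev/rsd2c:
type: SCSI
disk: SCSI disk
label: ST1000DM003-9YN1
duid: b0e3fc037df87899
bytes/sector: 512
total sectors: 1953525168
boundstart: 64
boundend: 1953520065
16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:       1953519936               64  4.2BSD   8192 65536     1 # /bu
  c:       1953525168                0  4.2BSD   2048 16384     1
"""

# partition line: letter, size, offset, fstype (remaining columns ignored)
PART_RE = re.compile(r"^\s*([a-p]):\s+(\d+)\s+(\d+)\s+(\S+)")


def parse_label(text: str) -> dict:
    """{'total_sectors': int, 'partitions': {letter: (size, offset, fstype)}}"""
    label = {"total_sectors": None, "partitions": {}}
    for line in text.splitlines():
        if line.startswith("total sectors:"):
            label["total_sectors"] = int(line.split(":", 1)[1])
        m = PART_RE.match(line)
        if m:
            letter, size, offset, fstype = m.groups()
            label["partitions"][letter] = (int(size), int(offset), fstype)
    return label


def check_raw_partition(label: dict) -> list:
    """Problems with 'c'; empty list when it is the expected whole-disk
    'unused' partition that disklabel's 'z' command (then re-adding 'a')
    would leave behind."""
    c = label["partitions"].get("c")
    if c is None:
        return ["no 'c' partition in label"]
    size, offset, fstype = c
    problems = []
    if fstype != "unused":
        problems.append(f"'c' has fstype {fstype}, expected unused")
    if offset != 0:
        problems.append(f"'c' starts at offset {offset}, expected 0")
    if size != label["total_sectors"]:
        problems.append(f"'c' size {size} != total sectors {label['total_sectors']}")
    return problems


if __name__ == "__main__":
    print(check_raw_partition(parse_label(SAMPLE_LABEL)))
```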



Re: Network appliance recomendation.

2013-08-09 Thread Mikkel C. Simonsen

Francisco Valladolid H. wrote:

I need recommendations for a network appliance in rack mode with flash
storage and five rj45 ports.


RJ45 ports? 100Mbit? Gigabit?


Can anyone recommended a solution for my needs ?


If 100Mbit is fine, go with a Mini-ITX board and a 4-port Ethernet card 
in the PCI slot.


Best regards,

Mikkel C. Simonsen



Re: Network appliance recomendation.

2013-08-09 Thread Hermes Ojeda Ruiz
I've used the Soekris brand. http://soekris.com/, but they are a little
expensive. (In México taxes are a big problem).

In two months I'll test ALIX appliances:
http://pcengines.ch/alix.htm

They are cheaper, but I don't know about their performance.


On Fri, Aug 9, 2013 at 10:05 AM, Francisco Valladolid H.
fic...@gmail.comwrote:

 Hi folks.

 Currently I have a Wireless network serving in my town using a small
 form factor (mini-itx) PC with OpenBSD for pf,squid, and dns cache.

 I need recommendations for a network appliance in rack mode with flash
 storage and five rj45 ports.

 Can anyone recommended a solution for my needs ?

 I'm disappointing using other network solutions with proprietary
 brands in the market.

 Best Regards.

 P.S sorry for my bad english.

 --
 Francisco Valladolid H.
  -- http://blog.bsdguy.org - Jesus Christ follower.




--
Hermes Ojeda Ruiz
LogicalBricks Solutions
http://logicalbricks.com



Re: Network appliance recomendation.

2013-08-09 Thread Chris Cappuccio
Hermes Ojeda Ruiz [hermes@gmail.com] wrote:
 I've used the Soekris brand. http://soekris.com/, but they are a little
 expensive. (In México taxes are a big problem).
 
 In two months I'll test ALIX appliances:
 http://pcengines.ch/alix.htm
 
 They are cheaper, but I don't know about their performance.
 

The ALIX chipset is identical to the Soekris 5501. The rest of the 
hardware on the ALIX was much more reliable than the 5501 from day 1.
Makes the price difference ironic...



Re: Network appliance recomendation.

2013-08-09 Thread Francisco Valladolid H.
I think mini-ITX boards are OK, but I need an integrated solution.

Soekris is fine but lacks some features: a 1Gb RJ45 port, etc.

This one looks fine: http://www.calyptix.com/portfolio/ae1200/

Regards.

On Fri, Aug 9, 2013 at 2:14 PM, Mikkel C. Simonsen m...@post5.tele.dk wrote:
 Francisco Valladolid H. wrote:

 I need recommendations for a network appliance in rack mode with flash
 storage and five rj45 ports.


 RJ45 ports? 100Mbit? Gigabit?


 Can anyone recommended a solution for my needs ?


 If 100Mbit is fine, go with a Mini-ITX board and a 4-port Ethernet card in
 the PCI slot.

 Best regards,

 Mikkel C. Simonsen




-- 
Francisco Valladolid H.
 -- http://blog.bsdguy.net - Jesus Christ follower.



Re: Network appliance recomendation.

2013-08-09 Thread Francisco Valladolid H.
On Fri, Aug 9, 2013 at 5:22 PM, Hermes Ojeda Ruiz hermes@gmail.com wrote:
 I've used the Soekris brand. http://soekris.com/, but they are a little
 expensive. (In México taxes are a big problem).

Yes, taxes and import duties are a pain.
I still have a pair of Soekris 4501 running OpenBSD 4.6!


 In two months I'll test ALIX appliances:
 http://pcengines.ch/alix.htm

I haven't found rack cases for these cards.


 They are cheaper, but I don't know about their performance.

The throughput on this NIC is low, ~50 Mbps.



I'm looking at http://www.liantec.com/product/emboard/EMB-5842; it looks fine
and has high throughput.


 On Fri, Aug 9, 2013 at 10:05 AM, Francisco Valladolid H.
 fic...@gmail.comwrote:

 Hi folks.

 Currently I have a Wireless network serving in my town using a small
 form factor (mini-itx) PC with OpenBSD for pf,squid, and dns cache.

 I need recommendations for a network appliance in rack mode with flash
 storage and five rj45 ports.

 Can anyone recommended a solution for my needs ?

 I'm disappointing using other network solutions with proprietary
 brands in the market.

 Best Regards.

 P.S sorry for my bad english.

 --
 Francisco Valladolid H.
  -- http://blog.bsdguy.org - Jesus Christ follower.




 --
 Hermes Ojeda Ruiz
 LogicalBricks Solutions
 http://logicalbricks.com




-- 
Francisco Valladolid H.
 -- http://blog.bsdguy.net - Jesus Christ follower.



Re: Two questions.

2013-08-09 Thread Theo de Raadt
 On 08/09/2013 12:00 AM, voic...@openmailbox.org wrote:
 ...
  The first one. We all know that the operating system OpenBSD largely
  depends on lead, so what will happen when time will come for Theo? We
  all know that so far people do not live thousands of years... I think
  that not only me would be interesting to know the future of this great
  project in case something happens. Please do not misunderstand me here,
  I do not wish anything bad for Theo, I just need to be sure that there
  are others who could keep project going.
 
 same thing that happens for any open source volunteer project, or any 
 sole proprietorship...or any corporation.  Someone(s) may step up, they 
 may not.  They may succeed in keeping the team together, they may not. 
 The project may improve, it may lessen.

What a bunch of worrying baloney.

I have asexually reproduced a few times, and put the other copies of
myself in stasis.

In the event that I fall off a mountain or get attacked by a group of
dogs in central Turkey, a copy is automatically brought out of stasis
to continue the effort.

The process is so transparent, that you won't even know if it has
happened before...



Re: Two questions.

2013-08-09 Thread Philip Guenther
On Friday, August 9, 2013, Theo de Raadt wrote:

 The process is so transparent, that you won't even know if it has
 happened before...


Well, *some* of us have noticed when your scars reset...



Re: Two questions.

2013-08-09 Thread Scott McEachern

On 08/09/13 20:45, Theo de Raadt wrote:


What a bunch of worrying baloney.

I have asexually reproduced a few times, and put the other copies of
myself in stasis.

In the event that I fall off a mountain or get attacked by a group of
dogs in central Turkey, a copy is automatically brought out of stasis
to continue the effort.

The process is so transparent, that you won't even know if it has
happened before...



Sarcastic imposters like you really get on my nerves.

--
Scott McEachern

https://www.blackstaff.ca

Those who would give up essential liberty to purchase a little temporary safety 
deserve neither liberty nor safety. -- Benjamin Franklin



Re: Network appliance recomendation.

2013-08-09 Thread William Ahern
On Fri, Aug 09, 2013 at 06:50:19PM -0500, Francisco Valladolid H. wrote:
 On Fri, Aug 9, 2013 at 5:22 PM, Hermes Ojeda Ruiz hermes@gmail.com 
 wrote:
  I've used the Soekris brand. http://soekris.com/, but they are a little
  expensive. (In México taxes are a big problem).
 
 Yes, taxes and import duties are a pain.
 I have a pair of Soekris 4501 running OpenBSD 4.6 yet!
 
 
  In two months I'll test ALIX appliances:
  http://pcengines.ch/alix.htm
 
 I haven't found rack cases for these cards.
 

Try netgate.com. They resell and repackage from various vendors, including
PC Engines. They sell ALIX boards in 1U cases.

I need to upgrade my ALIX board 'cause it's too slow for IPSec, even with
the VPN card.

Intel just came out with new Atom chips with ECC support.

http://www.newegg.com/Product/Product.aspx?Item=N82E16813182782

It might be easier and cheaper to just toss that into a 1U case.



More /dev/sd* devices in default install.

2013-08-09 Thread Scott McEachern
Between various HDDs, RAID 1 arrays, RAID C arrays within, iDevices, USB 
sticks and any other stuff you can think of, I've found that the 
standard install of /dev/sd[0-9] doesn't have enough.  (I primarily use 
amd64.)


I don't mind creating the additional devices, which I often forget; 
that's not a big deal.


But I can't help wondering:

1)  In this day and age of increasing numbers of devices kicking around, 
how often do others run into this ceiling?  I'm currently using sd[0-12].


2)  What harm would it be to create sd[0-15] (or more) as pre-existing 
devices?


Just curious if it would be trivial and/or useful.

--
Scott McEachern

https://www.blackstaff.ca

Those who would give up essential liberty to purchase a little temporary safety 
deserve neither liberty nor safety. -- Benjamin Franklin



Re: Network appliance recomendation.

2013-08-09 Thread Francisco Valladolid H.
On Fri, Aug 9, 2013 at 8:25 PM, William Ahern
will...@25thandclement.com wrote:
 On Fri, Aug 09, 2013 at 06:50:19PM -0500, Francisco Valladolid H. wrote:
 On Fri, Aug 9, 2013 at 5:22 PM, Hermes Ojeda Ruiz hermes@gmail.com 
 wrote:
  I've used the Soekris brand. http://soekris.com/, but they are a little
  expensive. (In México taxes are a big problem).

 Yes, taxes and import duties are a pain.
 I have a pair of Soekris 4501 running OpenBSD 4.6 yet!

 
  In two months I'll test ALIX appliances:
  http://pcengines.ch/alix.htm

 I haven't found rack cases for these cards.


 Try netgate.com. They resell and repackage from various vendors, including
 PC Engines. They sell ALIX boards in 1U cases.

Good choice!

 I need to upgrade my ALIX board 'cause it's too slow for IPSec, even with
 the VPN card.

Fine.


 Intel just came out with new Atom chips with ECC support.

 http://www.newegg.com/Product/Product.aspx?Item=N82E16813182782


Thank you for the link.
 It might be easier and cheaper to just toss that into a 1U case.



-- 
Francisco Valladolid H.
 -- http://blog.bsdguy.net - Jesus Christ follower.



Re: Network appliance recomendation.

2013-08-09 Thread Bentley, Dain
I second this.  An Atom board with ECC and a PCI NIC to add the ports you need 
is a great solution.  I have a Supermicro running and the performance is 
fantastic.

I think you can get a 1U barebones for a good price.

On Aug 9, 2013, at 9:27 PM, William Ahern will...@25thandclement.com wrote:

 On Fri, Aug 09, 2013 at 06:50:19PM -0500, Francisco Valladolid H. wrote:
 On Fri, Aug 9, 2013 at 5:22 PM, Hermes Ojeda Ruiz hermes@gmail.com 
 wrote:
 I've used the Soekris brand. http://soekris.com/, but they are a little
 expensive. (In México taxes are a big problem).
 
 Yes, taxes and import duties are a pain.
 I have a pair of Soekris 4501 running OpenBSD 4.6 yet!
 
 
 In two months I'll test ALIX appliances:
 http://pcengines.ch/alix.htm
 
 I haven't found rack cases for these cards.
 
 Try netgate.com. They resell and repackage from various vendors, including
 PC Engines. They sell ALIX boards in 1U cases.
 
 I need to upgrade my ALIX board 'cause it's too slow for IPSec, even with
 the VPN card.
 
 Intel just came out with new Atom chips with ECC support.
 
http://www.newegg.com/Product/Product.aspx?Item=N82E16813182782
 
 It might be easier and cheaper to just toss that into a 1U case.



Re: Two questions.

2013-08-09 Thread patrick keshishian
On Fri, Aug 9, 2013 at 5:45 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
 On 08/09/2013 12:00 AM, voic...@openmailbox.org wrote:
 ...
  The first one. We all know that the operating system OpenBSD largely
  depends on lead, so what will happen when time will come for Theo? We
  all know that so far people do not live thousands of years... I think
  that not only me would be interesting to know the future of this great
  project in case something happens. Please do not misunderstand me here,
  I do not wish anything bad for Theo, I just need to be sure that there
  are others who could keep project going.

 same thing that happens for any open source volunteer project, or any
 sole proprietorship...or any corporation.  Someone(s) may step up, they
 may not.  They may succeed in keeping the team together, they may not.
 The project may improve, it may lessen.

 What a bunch of worrying baloney.

 I have asexually reproduced a few times, and put the other copies of
 myself in stasis.

Tomorrow's headlines: Theo of OpenBSD self-admitted reptilian!
Adding credibility to claims that OpenBSD has alien backdoors built in.

 In the event that I fall off a mountain or get attacked by group of
 dogs in central Turkey,

I hear you on that ;)

--patrick

p.s., could not resist.



Re: C partition of type 4.2BSD

2013-08-09 Thread Kenneth R Westerback
On Fri, Aug 09, 2013 at 04:54:01PM -0400, Kenneth R Westerback wrote:
 On Fri, Aug 09, 2013 at 11:38:16AM +0200, Federico Giannici wrote:
  I don't know how I made it (probably in previous releases of OS),
  but now I have a disk with the following disklabel:
  
  # /dev/rsd2c:
  type: SCSI
  disk: SCSI disk
  label: ST1000DM003-9YN1
  duid: b0e3fc037df87899
  flags:
  bytes/sector: 512
  sectors/track: 63
  tracks/cylinder: 255
  sectors/cylinder: 16065
  cylinders: 121601
  total sectors: 1953525168
  boundstart: 64
  boundend: 1953520065
  drivedata: 0
  
  16 partitions:
  #                size           offset  fstype [fsize bsize   cpg]
    a:       1953519936               64  4.2BSD   8192 65536     1 # /bu
    c:       1953525168                0  4.2BSD   2048 16384     1
  
  
  As you can see the c partition is not of type unused, and some
  commands complain of this.
  
  I wasn't able to change this situation. I tried with disklabel -E
  sd2, disklabel -d sd2, disklabel -R sd2 proto (with a proper
  proto file), but nothing changed.
  
  What is the proper way to handle this?
  Please note that a partition contains data that must be preserved
  (I umounted that partition before all disklabel commands).
  
  The system is a 5.3 amd64, and sd2 is a normal SATA disk.
  
  Thanks.
  
 
 disklabel(8) contains a description of the 'z' command available
 in the -E mode. It should kill 'c' dead. Just add 'a' back with the
 same parameters it had before.
 
 Not that Nick's solution isn't more fun!
 
  Ken
 

Or it could be a nifty snare in the kernel that is accidentally preserving
info that should not be preserved. This is probably not the best patch, but
it does let me use 'disklabel -e sd2' to set 'c' to 'unused'.

 Ken

Index: subr_disk.c
===
RCS file: /cvs/src/sys/kern/subr_disk.c,v
retrieving revision 1.150
diff -u -p -r1.150 subr_disk.c
--- subr_disk.c 3 Jul 2013 15:21:40 -   1.150
+++ subr_disk.c 10 Aug 2013 03:23:26 -
@@ -655,6 +674,8 @@ setdisklabel(struct disklabel *olp, stru
if (DL_GETPOFFSET(npp) != DL_GETPOFFSET(opp) ||
DL_GETPSIZE(npp)  DL_GETPSIZE(opp))
return (EBUSY);
+   if (i == RAW_PART)
+   continue;
/*
 * Copy internally-set partition information
 * if new label doesn't include it. XXX
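Review bot: the hunk header `@@ -655,6 +674,8 @@` places the new side 19 lines below the old side although this hunk adds only two lines, so the working copy carries other uncommitted changes above it; regenerate the diff against a clean revision 1.150 before it goes further. The unconditional `continue` for `i == RAW_PART` also skips everything in the loop body after the EBUSY check, not only the "Copy internally-set partition information" block that follows, so confirm nothing later in the loop still needs to run for 'c', and put a one-line comment on the `continue` saying that the raw partition is never carried over from the old label, since the XXX comment above it documents the opposite behaviour.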



Usefulness of offloading cryptographic hashing of passwords

2013-08-09 Thread Nathan Goings
I recently read an article from facebook on password cracking.  It got 
me thinking about how useful dedicated hardware might be for hashing 
passwords.

Source:
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Fairly basic stuff (MD5, brute force & dictionary), however there was some 
neat insight into combinator attacks which made me revisit several of 
my passwords.


I've been thinking about how breaches with big companies could be 
avoided.  One comment stuck out, whatever vulnerability was used to 
dump the password database can also be leveraged to see the exact 
algorithm used to store the passwords in the database.


Raises the question, how could you prevent this?  At first I thought 
about kernel level protection, then realized I can't think of anything 
root doesn't have access to other than proprietary hardware.


Suppose you had a PCI card that generated a digest from input. Without 
knowing the algorithm, you could safely hash a password for storage or 
comparison to storage.  Any retrieval of your password database would be 
pointless without the algorithm, in turn the hardware itself.  In the 
event of a database breach, you destroy the device.


Am I over-thinking this?  This might be a fun exercise with my Arduino 
on my OpenBSD machine.
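The card described in this post, as an added example (not the poster's code): the secret moves from the algorithm into a key that never enters the database, which is the form such a device takes in practice (an HSM or pepper key), while the algorithm itself (HMAC-SHA256 feeding scrypt with a per-user salt) stays public. DigestDevice, hash_password, verify_password and offline_guess_without_device are this example's own names.

```python
"""Added example, not code from the thread. The post's 'PCI card that
generates a digest' is modelled as a keyed hash whose key lives only in
the device: the algorithm is public (HMAC-SHA256, then scrypt with a
per-user salt) and a database dump alone is not enough to test guesses."""
import hashlib
import hmac
import os
import secrets

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # CPU/memory cost per guess


class DigestDevice:
    """Stand-in for the card: holds a key that never leaves it and only
    answers digest(data) queries. destroy() is the post's 'destroy the
    device' step: the key is gone, so no stored hash can be recomputed."""

    def __init__(self, key=None):
        self._key = key if key is not None else secrets.token_bytes(32)

    def digest(self, data: bytes) -> bytes:
        if self._key is None:
            raise RuntimeError("device destroyed")
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def destroy(self) -> None:
        self._key = None


def hash_password(password: str, device: DigestDevice) -> dict:
    """Record to store in the database: per-user salt plus scrypt over the
    device-keyed digest. Nothing about the device key is stored."""
    salt = os.urandom(16)
    keyed = device.digest(password.encode("utf-8"))
    h = hashlib.scrypt(keyed, salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt.hex(), "hash": h.hex()}


def verify_password(password: str, record: dict, device: DigestDevice) -> bool:
    """Recompute through the same device; constant-time compare."""
    keyed = device.digest(password.encode("utf-8"))
    h = hashlib.scrypt(keyed, salt=bytes.fromhex(record["salt"]), **SCRYPT_PARAMS)
    return hmac.compare_digest(h, bytes.fromhex(record["hash"]))


def offline_guess_without_device(password: str, record: dict) -> bool:
    """What someone holding only the dump and the public algorithm can do:
    scrypt the guess directly. Without the device key this never matches
    a record that was produced through the device."""
    h = hashlib.scrypt(password.encode("utf-8"),
                       salt=bytes.fromhex(record["salt"]), **SCRYPT_PARAMS)
    return hmac.compare_digest(h, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    dev = DigestDevice()
    rec = hash_password("correct horse", dev)  # constructed sample password
    print(verify_password("correct horse", rec, dev),
          offline_guess_without_device("correct horse", rec))
```

The device itself becomes the thing to protect: whoever can query it can still make online guesses, so it needs rate limiting, and destroying it after a breach also locks out every user, which is the trade-off the post accepts.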