Re: pf queue bandwidth estimation
On 2016-05-12, niya levi wrote:
> using broadbandspeedchecker.co.uk i measured the bandwidth on my virgin
> media line,
> the download speed varied from as low as 20Mb/sec up to 50Mb/sec
> depending on the time of day the test was run,

Queuing is done on the transmit side, so the bandwidth you should be
interested in is upload, not download.

You have already received the download traffic. You *can* queue when
you pass it on to another host but that doesn't have a direct effect
on what people on the internet send to you so however you do things
"download queueing" won't work reliably. If I send 1Gb/s of packets
to you, it doesn't matter what you do, it's going to starve out
other traffic and nothing you can do on your side of the link is
going to help.

> what will be the result if i put a value for the queue bandwidth which
> is greater or lesser than the maximum download speed ?

If lesser: transfers will be limited to a slower speed than is actually
available. This gives more predictable performance; queues work ok;
but total bandwidth will be reduced.

If greater: you lose control over queueing as it will then be done on
a device upstream from you (e.g. a modem or router on the next hop
or later).

If the times/bandwidths are fairly predictable then you could always
use a cronjob to switch config. (Setup variables in pf.conf to reference
in the 'queue' rules then you can override them like 'pfctl -Dbandwidth=20M
-Dbulk=3M -f /etc/pf.conf' rather than having a mess of separate files).
That way you don't lose too much at times when the ISP is coping, and
still don't have too many problems when they're overloaded.

But hopefully your upload bandwidth is a lot more consistent throughout
the day anyway.
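The cron-driven switch described in the message above, written out as an added example (not code from the thread or from the OpenBSD project). The script path, the em0 interface, the queue names, the peak hours and the off-peak rates are assumptions; the `bandwidth` and `bulk` macro names and the 20M/3M values come from the quoted pfctl command.

```shell
#!/bin/sh
# Added example: choose pf queue rates by hour and load them with pfctl -D.
#
# Assumed pf.conf fragment (em0 and the queue names are placeholders). The
# macro values below are the defaults; -D on the command line overrides them:
#   bandwidth = "20M"
#   bulk = "3M"
#   queue rootq on em0 bandwidth $bandwidth max $bandwidth
#   queue std parent rootq bandwidth 1M default
#   queue bulk parent rootq bandwidth $bulk
#
# Assumed crontab entry (hypothetical install path), run at the top of each hour:
#   0 * * * * /usr/local/sbin/pf-queue-profile apply

PF_CONF=${PF_CONF:-/etc/pf.conf}

# Print "<bandwidth> <bulk>" for an hour of day (0-23, a leading zero is accepted).
profile_for_hour() {
    hour=${1#0}
    hour=${hour:-0}
    case $hour in
        *[!0-9]*) return 1 ;;
    esac
    [ "$hour" -le 23 ] || return 1
    if [ "$hour" -ge 18 ] && [ "$hour" -le 22 ]; then
        echo "20M 3M"     # assumed peak hours; values from the thread's example
    else
        echo "45M 10M"    # constructed; use rates just under what you measure
    fi
}

# A -D value becomes ruleset text, so accept only a number with an optional
# K, M or G suffix before it is handed to pfctl.
valid_rate() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+(\.[0-9]+)?[KMG]?$'
}

# Print the pfctl arguments for the given hour.
pfctl_args_for_hour() {
    profile=$(profile_for_hour "$1") || return 1
    bw=${profile% *}
    bulk=${profile#* }
    valid_rate "$bw" && valid_rate "$bulk" || return 1
    echo "-Dbandwidth=$bw -Dbulk=$bulk -f $PF_CONF"
}

# Parse first with -n (no load), then load, so a ruleset that fails to parse
# with the new values never replaces the running one.
apply_for_hour() {
    args=$(pfctl_args_for_hour "$1") || return 1
    # Word splitting of $args is intended; both values were validated above.
    pfctl -n $args && pfctl $args
}

if [ "${1:-}" = apply ]; then
    apply_for_hour "$(date +%H)"
else
    echo "would run: pfctl $(pfctl_args_for_hour "$(date +%H)")"
fi
```

Run without arguments it only prints the command for the current hour; `apply` needs root on a host with pf.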
Re: TLS now supported on openbsd.org?
> >So
> >is there an agenda or just many idiots who see TLS=security and don't
> >see lack of secure cookie usage and XSS vulnerabilities (now protected
> >by SSL everywhere) meaning a site is likely exploitable in other ways!!
>
> You guys should seriously check "Nirvana fallacy".

Nirvana Fallacy, Complete nonsense, it is completely plausible to encourage better control of JS and encourage more responsible use and not even difficult for browsers to set up sites to replace the thousands of CAs which can't all be secure.

If users don't know what they are doing then why do the browsers view SSL as more important than the situation that allows them to do so much damage simply by pasting scripts into their sites. Partly the reason is browser developers are also using js more than they should. Google use javascript themselves for tracking by the way. Google groups won't even load without javascript despite w3c guidelines saying javascript should not be required for site navigation. Sites are starting to create their own scroll bars. It is getting worse not better despite html5 promising and giving the potential of the opposite.

--
KISSIS - Keep It Simple So It's Securable
TPO (Technical platform owner) role
Hi team,

Sorry for spamming, but I would like to get some info from this mailing list participants, cause I think you may suggest something interesting and be good example for me and my org. I really would like to get Knowledge or some exp share from OpenBSD community, as I really like this OS and its philosophy, and I recently started to learn it :)

So my issue: My current organization is establishing TPO role. I am suggested for this role from Linux side. Maybe someone knows what TPO does in your or your friends working environment? Maybe someone can share some draft of role specification or some docs or at least structure of documents prepared by TPO.

What results are expected from TPO in our org is:
Document OS install, support and decom.
Create LifeCycle roadmap
Create Specs of what we can offer from OS side and what we cannot.
And anything else is accepted :) :D

Thank you very much in advance. Sorry for spamming this mailing list, but I do not know which ML I should choose for this type of question :) this one desc looked most close for this type of question :)

--
Ruslanas Gžibovskis
+370 6030 7030
RHCE: 130-192-255
reboot automatically after stack trace / system halted
Hello,

My OpenBSD 5.9 just got a stack trace and stuck in the prompt "The operating system has halted". I would like it to reboot automatically in case this happens again, is this possible? I got ddb.panic=0 in my /etc/sysctl.conf file but in that very precise case there was no panic just a stack trace and had to manually reboot it.

Regards
ML
Re: pf queue bandwidth estimation
On 2016/05/13 11:31, niya levi wrote:
> hi Stuart
>
> On 13/05/16 08:32, Stuart Henderson wrote:
> > On 2016-05-12, niya levi wrote:
> >> using broadbandspeedchecker.co.uk i measured the bandwidth on my virgin
> >> media line,
> >> the download speed varied from as low as 20Mb/sec up to 50Mb/sec
> >> depending on the time of day the test was run,
> > Queuing is done on the transmit side, so the bandwidth you should be
> > interested in is upload, not download.
> >
> > You have already received the download traffic. You *can* queue when
> > you pass it on to another host but that doesn't have a direct effect
> > on what people on the internet send to you so however you do things
> > "download queueing" won't work reliably. If I send 1Gb/s of packets
> > to you, it doesn't matter what you do, it's going to starve out
> > other traffic and nothing you can do on your side of the link is
> > going to help.
> thanks understood
>
> >> what will be the result if i put a value for the queue bandwidth which
> >> is greater or lesser than the maximum download speed ?
> > If lesser: transfers will be limited to a slower speed than is actually
> > available. This gives more predictable performance; queues work ok;
> > but total bandwidth will be reduced.
> >
> > If greater: you lose control over queueing as it will then be done on
> > a device upstream from you (e.g. a modem or router on the next hop
> > or later).
> i assume that this also applies to the upload speed

Yes.

> > If the times/bandwidths are fairly predictable then you could always
> > use a cronjob to switch config. (Setup variables in pf.conf to reference
> > in the 'queue' rules then you can override them like 'pfctl -Dbandwidth=20M
> > -Dbulk=3M -f /etc/pf.conf' rather than having a mess of separate files).
> > That way you don't lose too much at times when the ISP is coping, and
> > still don't have too many problems when they're overloaded.
> >
> > But hopefully your upload bandwidth is a lot more consistent throughout
> > the day anyway.
> >
> do you know of any software i can use to measure upload speeds ?

There's speedtest-cli (in packages), but as with any tests like this,
you're testing bandwidth to the speed test server (so this includes your
line, but also connectivity between your ISP and the test server, and
sometimes speedtest servers max out their own network connection).
Re: Balanced and failover IPSEC
On Thu, May 12 2016 at 47:18, Info wrote:
> Hello, this is my first post on OpenBSD, so do not riddle me, please...

Hello,

Welcome to the lists.

> I have one infrastructure with one tunnel IPSEC. This works ok, but I think I
> can duplicate the transfers. My topology is like this:
>
> * One ADSL 20Mb on Site A
> * Two ADSL 10Mb on Site B
> * Consists on one OpenBSD by site, attached the router directly
>
> I need share Network A with Network B with ipsec like now, but
> balanced/failovered. I search solutions and found 3 methods, but I'm not sure
> which use and this seems a little complicated:
>
> * CARP (I haven't two server by site)
> * PF (with ipsec i'm lost)
> * ifstated (I dont know nothing of this)
>
> I will send my topology graphically on attachment (it will read with system
> or fixed font).

I implemented solutions like that in the past. The easier method with IPSEC is
using encapsulation. I tried two different setups: gif(4)+ifstated and
gif(4)+OSPF
The latter is simpler to maintain, and for us scaled over 50 sites.

With just 2 sites, you can use gre(4) encapsulation instead of gif and use gre
keepalives instead of setting up ospfd. We didn't use that solution because
GRE keepalives are not implemented on Linux and we needed interoperability.

Basically, you create 2 ipsec tunnels between A and your 2 pub IP addresses on B.
Then you setup 2 GRE tunnels above IPSEC. On site A, you configure 2 routes with
different weights to access your network on B. Do the same on site B.
In case of failure, the primary GRE tunnel will go down (because of missing
keepalives). Your BSD boxes will disable the 1st GRE tunnel interface and
use the 2nd route entry available.
> #20.0.0.0 > #--- ## > ##### 10Mb |DSL|\ ## ## > #--- | ## > #####/ | ## ## > #### 20Mb## /|.2 ## > --- .2 --- .1 ##--/--- >|BSD|---|DSL|# INET # |BSD|--- > --- --- ##--\--- \ > | ## \|.2| > | 10.0.0.0 #\ | --- > --- #--- | NET > NET # 10Mb |DSL|/ --- > --- #---101.0.0.0 > 100.0.0.0 #21.0.0.0 Best regards, Claer
Re: light browsers
Dmitrij D. Czarkoff wrote:
> Webkit1-based browsers (Luakit, Midori, surf, Vimb and Xombrero) use
> unmaintained engine, so nobody fixes even known issues. People who care
> about security should probably avoid these.

I heard the developer of Surf (Webkit-1 based browser) say that he suspects that Webkit2 is still a worse option to use than Webkit1 even if you acknowledge that Webkit1 is EOLed. There is some work being done in a Webkit2 version of Surf, but he said that Webkit2 was likely a bigger problem than a Webkit1 with known unpatched issues.

I have not checked the facts so I can't back any of these engines, but I thought this post was going to be relevant to the conversation.

--
OpenPGP Key Fingerprint: BB5A C2A2 2CAD ACB7 D50D C081 1DB9 6FC4 5AB7 92FA
Re: Balanced and failover IPSEC
Thanks Claer! I will check next week.

Regards,
Toni

On Fri, May 13, 2016 at 11:34:18AM +0200, Claer wrote:
> On Thu, May 12 2016 at 47:18, Info wrote:
> > Hello, this is my first post on OpenBSD, so do not riddle me, please...
> Hello,
>
> Welcome to the lists.
>
> > I have one infrastructure with one tunnel IPSEC. This works ok, but I think I
> > can duplicate the transfers. My topology is like this:
> >
> > * One ADSL 20Mb on Site A
> > * Two ADSL 10Mb on Site B
> > * Consists on one OpenBSD by site, attached the router directly
> >
> > I need share Network A with Network B with ipsec like now, but
> > balanced/failovered. I search solutions and found 3 methods, but I'm not sure
> > which use and this seems a little complicated:
> >
> > * CARP (I haven't two server by site)
> > * PF (with ipsec i'm lost)
> > * ifstated (I dont know nothing of this)
> >
> > I will send my topology graphically on attachment (it will read with system
> > or fixed font).
>
> I implemented solutions like that in the past. The easier method with IPSEC is
> using encapsulation. I tried two different setups: gif(4)+ifstated and
> gif(4)+OSPF
> The latter is simpler to maintain, and for us scaled over 50 sites.
>
> With just 2 sites, you can use gre(4) encapsulation instead of gif and use gre
> keepalives instead of setting up ospfd. We didn't use that solution because
> GRE keepalives are not implemented on Linux and we needed interoperability.
>
> Basically, you create 2 ipsec tunnels between A and your 2 pub IP addresses on B.
> Then you setup 2 GRE tunnels above IPSEC. On site A, you configure 2 routes with
> different weights to access your network on B. Do the same on site B.
> In case of failure, the primary GRE tunnel will go down (because of missing
> keepalives). Your BSD boxes will disable the 1st GRE tunnel interface and
> use the 2nd route entry available.
> > > > #20.0.0.0 > > #--- ## > > ##### 10Mb |DSL|\ ## > > ## > > #--- | ## > > #####/ | ## > > ## > > #### 20Mb## /|.2 ## > > --- .2 --- .1 ##--/--- > >|BSD|---|DSL|# INET # |BSD|--- > > --- --- ##--\--- \ > > | ## \|.2| > > | 10.0.0.0 #\ | --- > > --- #--- | NET > > NET # 10Mb |DSL|/ --- > > --- #--- > > 101.0.0.0 > > 100.0.0.0 #21.0.0.0 > > Best regards, > > Claer
lite browsers
I like speed/performance of links and links -g
I must use at times Midori and or Firefox and don't like speed/performance

Have not heard on here any "Lynx" comments?
Re: light browsers
I have been using links and links -g and am very satisfied with speed/performance.
I have to use Midori/Firefox etc occasionally not satisfied with speed/performance.

Have not heard anyone here mention Lynx?
Re: light browsers
Has anyone ever used rekonq?

On Fri, May 13, 2016 at 7:45 AM, jsg wrote:
> I have been using links and links -g and am very satisfied with
> speed/performance.
> I have to use Midori/Firefox etc occasionally not satisfied with speed/
> performance.
>
> Have not heard anyone here mention Lynx?
Re: Subpixel / RGB antialiasing
Simon McFarlane wrote:
> On 04/14/16 12:23, Matej Nanut wrote:
> > Hello,
> >
> > OpenBSD's freetype library is built without the feature.
> >
> > If you have your source trees set up, you can rebuild it after
> > uncommenting FT_CONFIG_OPTION_SUBPIXEL_RENDERING in
> > /usr/xenocara/lib/freetype/include/freetype/config/ftoption.h.
> >
>
> Wow, That did the trick! I was afraid I'd never see beautiful fonts on
> OpenBSD.
>
> The comment above says the feature is covered by Microsoft patents, and
> is why it isn't enabled by default. Didn't those patents expire in 2010?
> http://www.freetype.org/patents.html

It says right on the linked page that the bytecode hinting patents expired and
the interpreter is now enabled by default. That does not mean the subpixel
filtering patents have expired.
Re: light browsers
> Has anyone ever used rekonq?

I just came across these that have source code today

http://www.palemoon.org/
https://www.waterfoxproject.org

--
KISSIS - Keep It Simple So It's Securable
rtadvd advertised non-local prefix
Hello,

I have an OpenBSD router with a few interfaces, connected to a few other routers, sharing routes with ospf(6)d. There's also some hosts connected to its interfaces.

rtadvd.conf is really simple:

# cat /etc/rtadvd.conf
em0:\
        :rdnss="2001:6f8:3c8:42::10":\
        :dnssl="geekwu.org":
em1:\
        :rdnss="2001:6f8:3c8:42::10":\
        :dnssl="geekwu.org":
em5:\
        :rdnss="2001:6f8:3c8:42::10":\
        :dnssl="geekwu.org":
em4:\
        :rdnss="2001:6f8:3c8:42::10":\
        :dnssl="geekwu.org":

A router connected to em1 provides connectivity to the prefix 2001:41d0:fe4b:ec01::/64 ; so we have this in OSPF6 RIB:

Destination               Nexthop                      Path Type   Type     Cost  Uptime
2001:41d0:fe4b:ec01::/64  fe80::225:22ff:fe1e:bb7%em1  Type 1 ext  Network  10    00:26:13

and this in routing table :

Destination               Gateway                      Flags  Refs  Use  Mtu  Prio  Iface
2001:41d0:fe4b:ec01::/64  fe80::225:22ff:fe1e:bb7%em1  UG     0     0    -    32    em1

em1 has 2 inet6 addresses configured :

em1: flags=18843 mtu 1500
        lladdr 00:00:24:d1:42:0d
        description: DMZ
        [...]
        inet6 fe80::200:24ff:fed1:420d%em1 prefixlen 64 scopeid 0x2
        inet6 2001:6f8:3c8:42:200:24ff:fec6:94c8 prefixlen 64
        inet6 2001:41d0:fe4b:ec42:200:24ff:fed1:420d prefixlen 64

And the router sends RAs on this interface with *3* prefixes :

15:23:54.878534 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 168) fe80::200:24ff:fed1:420d > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 168
        hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
          source link-address option (1), length 8 (1): 00:00:24:d1:42:0d
            0x: 24d1 420d
          prefix info option (3), length 32 (4): 2001:6f8:3c8:42::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
            0x: 40c0 0027 8d00 0009 3a80 2001
            0x0010: 06f8 03c8 0042
          prefix info option (3), length 32 (4): 2001:41d0:fe4b:ec42::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
            0x: 40c0 0027 8d00 0009 3a80 2001
            0x0010: 41d0 fe4b ec42
          prefix info option (3), length 32 (4): 2001:41d0:fe4b:ec01::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
            0x: 40c0 0027 8d00 0009 3a80 2001
            0x0010: 41d0 fe4b ec01
          rdnss option (25), length 24 (3): lifetime 900s, addr: 2001:6f8:3c8:42::10
            0x: 0384 2001 06f8 03c8 0042
            0x0010: 0010
          dnssl option (31), length 24 (3): lifetime 900s, domain(s): geekwu.org.
            0x: 0384 0667 6565 6b77 7503 6f72
            0x0010: 6700

If I disconnect the 2001:41d0:fe4b:ec01::/64 from the remote router, it disappears from OSPF6 RIB, and from RAs too.

15:33:59.901622 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 136) fe80::200:24ff:fed1:420d > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 136
        hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
          source link-address option (1), length 8 (1): 00:00:24:d1:42:0d
            0x: 24d1 420d
          prefix info option (3), length 32 (4): 2001:6f8:3c8:42::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
            0x: 40c0 0027 8d00 0009 3a80 2001
            0x0010: 06f8 03c8 0042
          prefix info option (3), length 32 (4): 2001:41d0:fe4b:ec42::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
            0x: 40c0 0027 8d00 0009 3a80 2001
            0x0010: 41d0 fe4b ec42
          rdnss option (25), length 24 (3): lifetime 900s, addr: 2001:6f8:3c8:42::10
            0x: 0384 2001 06f8 03c8 0042
            0x0010: 0010
          dnssl option (31), length 24 (3): lifetime 900s, domain(s): geekwu.org.
            0x: 0384 0667 6565 6b77 7503 6f72
            0x0010: 6700

The prefix is only advertised on em1, not on the other interfaces.

Is there a way to prevent rtadvd from advertising 2001:41d0:fe4b:ec01::/64 ?

Thanks,
--
Bastien
Re: Subpixel / RGB antialiasing
Fri, 13 May 2016 10:09:11 -0400 "Ted Unangst"
> Simon McFarlane wrote:
> > On 04/14/16 12:23, Matej Nanut wrote:
> > > Hello,
> > >
> > > OpenBSD's freetype library is built without the feature.
> > >
> > > If you have your source trees set up, you can rebuild it after
> > > uncommenting FT_CONFIG_OPTION_SUBPIXEL_RENDERING in
> > > /usr/xenocara/lib/freetype/include/freetype/config/ftoption.h.
> > >
> >
> > Wow, That did the trick! I was afraid I'd never see beautiful fonts on
> > OpenBSD.
> >
> > The comment above says the feature is covered by Microsoft patents, and
> > is why it isn't enabled by default. Didn't those patents expire in 2010?
> > http://www.freetype.org/patents.html
>
> It says right on the linked page that the bytecode hinting patents expired and
> the interpreter is now enabled by default. That does not mean the subpixel
> filtering patents have expired.

This is getting less relevant since 2010s with general pixel density above 100 PPI on mainstream displays and pixel perfect fonts default.

I'm really enjoying the defaults in OpenBSD for a graphical desktop on a 27" display refresh in 2011 after a 17" in 2005 with pixel quality matching the 10" notebook from 2010 on all three displays about 100 PPI.

This means, I absolutely disable and do not need sub-pixel anything, neither hinting, nor different than crisp 1 pixel line fonts.

Thanks to OpenBSD for providing me the fluent desktop Xorg experience daily.
Re: light browsers
lynx has been mentioned in a previous mail on the list ;)
don't remember who did but he did ;)

> From: Alex Ahn
> Sent: Fri May 13 15:55:32 CEST 2016
> To:
> Subject: Re: light browsers
>
> Has anyone ever used rekonq?
>
> On Fri, May 13, 2016 at 7:45 AM, jsg wrote:
>
> > I have been using links and links -g and am very satisfied with
> > speed/performance.
> > I have to use Midori/Firefox etc occasionally not satisfied with speed/
> > performance.
> >
> > Have not heard anyone here mention Lynx?
>

Regards
Francois Pussault
10 chemin de négo saoumos
apt 202 - bat 2
31300 Toulouse
+33 6 17 230 820
+33 5 34 365 269
fpussa...@contactoffice.fr
bioctl: unable to read passphrase
Hey friends,
i have two identical ssd drives in my laptop. sd0 and sd1. I created a Raid 1 (mirroring) on them resulting in sd3. I used the following command:

    bioctl -c 1 -l sd0a,sd1a softraid0

On the resulting disk i created sd3b with 2 GB Swap and sd3a with 100GB with a type RAID.

Now i want to put a crypto layer (Cryptoraid) on the resulting sd3a. I wanted to use the following command:

    bioctl -c C -l sd3a softraid0

But i get the following error message: bioctl: unable to read passphrase.

Do you have any ideas why this is happening?

Thanks and greetings
Leo
Re: bioctl: unable to read passphrase
Leo Unglaub wrote:
> > bioctl -c C -l sd3a softraid0
>
> But i get the following error message: bioctl: unable to read passphrase.
>
> Do you have any ideas why this is happening?

you might try ktrace, since bioctl is not being very helpful here.
Re: Carp interface sitting on vlan can not be pinged
Kim Zeitler(kim.zeit...@konzept-is.de) on 2016.04.15 11:41:07 +0200:
> Hello
>
> maybe a stupid question, but is it possible to run a carp(4) interface
> on vlan(4) interfaces?

yes

> In the following setup we have the problem that both boxes can be pinged
> on their address associated with their respective vlan(4) interface, but
> not on the carp(4) interface IP. Both boxes are recent installs and are
> running -current
>
> em2 (no ip) ---> vlan100 (192.168.150.200) ---> carp2 (192.168.150.1)
>             \
>              --> vlan101 (192.168.151.200) ---> carp3 (192.168.151.1)
>
> respectively the corresponding node using .202 instead of .200 for the
> vlan(4) interfaces

you did not send the output of

ifconfig vlan
ifconfig carp

this might help

> == The configuration ==
>
> # uname -a
> OpenBSD router12 5.9 GENERIC.MP#1983 amd64
>
> # cat /etc/hostname.em2
> up
>
> # cat /etc/hostname.vlan100
> inet 192.168.150.200 255.255.255.0 192.168.150.255 vlan 100 vlandev em2

try to write this as

inet 192.168.150.200 255.255.255.0 NONE vlan 100 vlandev em2

> # cat /etc/hostname.carp2
> inet 192.168.150.1 255.255.255.0 192.168.150.255 vhid 201 carpdev
> vlan100 pass 1234 group wlan

inet 192.168.150.1 255.255.255.0 NONE vhid 201 carpdev vlan100 pass 1234 group wlan

> # cat /etc/pf.conf

if above does not work, try pfctl -d

also, the pf.conf you show is not complete, so ...

> pass quick on {em2,vlan100,vlan101} proto carp
> ...
> pass inet proto icmp icmp-type $icmp_types
> pass vlan100:network
> ...
>
> # netstat -rn
> ...
> 192.168.150/24     192.168.150.200    UCP    0  4401  -  4  vlan100
> 192.168.150/24     192.168.150.1      CP     0     0  -  4  carp2
> 192.168.150.1      00:00:5e:00:01:c9  UHLl   0  9981  -  1  carp2
> 192.168.150.200    90:e2:ba:c1:11:11  UHLl   0    30  -  1  vlan100
> 192.168.150.255    192.168.150.200    UHPb   0    80  -  1  vlan100
> 192.168.150.255    192.168.150.1      HPb    0     0  -  1  carp2
> 192.168.151/24     192.168.151.200    UCP    1  3040  -  4  vlan101
> 192.168.151/24     192.168.151.1      CP     0     0  -  4  carp3
> 192.168.151.1      00:00:5e:00:01:ca  UHLl   0   182  -  1  carp3
> 192.168.151.200    90:e2:ba:c1:11:11  UHLl   0    36  -  1  vlan101
> 192.168.151.255    192.168.151.200    UHPb   0     0  -  1  vlan101
> 192.168.151.255    192.168.151.1      HPb    0     0  -  1  carp3
>
>
> Cheers
> Kim
> --
Xenocara :: enabling mouse instead of trackpad
Hi,

I didn't find information on this subject in the FAQ... How should I set my mouse as favourite input system instead of the trackpad? I am running 5.9 with Xfce4.
Re: bioctl: unable to read passphrase
On Fri, May 13, 2016 at 07:28:51PM +0200, Leo Unglaub wrote:
> Hey friends,
> i have two identical ssd drives in my laptop. sd0 and sd1. I created a Raid
> 1 (mirroring) on them resulting in sd3. I used the following command:
>
> > bioctl -c 1 -l sd0a,sd1a softraid0
>
> On the resulting disk i created sd3b with 2 GB Swap and sd3a with 100GB with
> a type RAID.
>
> Now i want to put a crypto layer (Cryptoraid) on the resulting sd3a. I
> wanted to use the following command:
>
> > bioctl -c C -l sd3a softraid0
>
> But i get the following error message: bioctl: unable to read passphrase.
>
> Do you have any ideas why this is happening?

I think this is due to the fact that nested disciplines are not (yet?)
supported. See stsp@'s notes on softraid:
https://www.openbsd.org/papers/eurobsdcon2015-softraid-boot.pdf
page 5 where it says:

    Disciplines cannot be nested yet!
    So no CRYPTO on top of RAID 1, for instance
Re: bioctl: unable to read passphrase
Theo Buehler wrote:
> On Fri, May 13, 2016 at 07:28:51PM +0200, Leo Unglaub wrote:
> > Hey friends,
> > i have two identical ssd drives in my laptop. sd0 and sd1. I created a Raid
> > 1 (mirroring) on them resulting in sd3. I used the following command:
> >
> > > bioctl -c 1 -l sd0a,sd1a softraid0
> >
> > On the resulting disk i created sd3b with 2 GB Swap and sd3a with 100GB with
> > a type RAID.
> >
> > Now i want to put a crypto layer (Cryptoraid) on the resulting sd3a. I
> > wanted to use the following command:
> >
> > > bioctl -c C -l sd3a softraid0
> >
> > But i get the following error message: bioctl: unable to read passphrase.
> >
> > Do you have any ideas why this is happening?
>
> I think this is due to the fact that nested disciplines are not (yet?)
> supported. See stsp@'s notes on softraid:
> https://www.openbsd.org/papers/eurobsdcon2015-softraid-boot.pdf
> page 5 where it says:
>
>     Disciplines cannot be nested yet!
>     So no CRYPTO on top of RAID 1, for instance

that will cause problems later, but should not prevent bioctl from reading a
passphrase.
dhcarp
Hi

Did anyone already try this DHCARP article https://sites.google.com/site/bsdstuff/dhcarp in order to run carp with an ISP providing a dynamic IP address through DHCP? Or is there any easier method for dealing with a dynamic IP address on the WAN side of the CARP interfaces?

Regards
ML
Re: bioctl: unable to read passphrase
> On 13.05.2016 at 21:56, Ted Unangst wrote:
>
> Theo Buehler wrote:
>>> On Fri, May 13, 2016 at 07:28:51PM +0200, Leo Unglaub wrote:
>>> Hey friends,
>>> i have two identical ssd drives in my laptop. sd0 and sd1. I created a Raid
>>> 1 (mirroring) on them resulting in sd3. I used the following command:
>>> bioctl -c 1 -l sd0a,sd1a softraid0
>>>
>>>
>>> On the resulting disk i created sd3b with 2 GB Swap and sd3a with 100GB with
>>> a type RAID.
>>>
>>> Now i want to put a crypto layer (Cryptoraid) on the resulting sd3a. I
>>> wanted to use the following command:
>>> bioctl -c C -l sd3a softraid0
>>>
>>> But i get the following error message: bioctl: unable to read passphrase.
>>>
>>> Do you have any ideas why this is happening?
>>
>> I think this is due to the fact that nested disciplines are not (yet?)
>> supported. See stsp@'s notes on softraid:
>> https://www.openbsd.org/papers/eurobsdcon2015-softraid-boot.pdf
>> page 5 where it says:
>>
>>    Disciplines cannot be nested yet!
>>    So no CRYPTO on top of RAID 1, for instance
>
> that will cause problems later

Which problems? This should really be mentioned in softraid(4) CAVEATS section then, no?

Personally, I'm running CRYPTO on top of a large RAID1 for years without any problems.
Re: dhcarp
On Fri, May 13, 2016 at 4:47 PM, ML mail wrote:
> Hi
>
>
> Did anyone already try this DHCARP article
> https://sites.google.com/site/bsdstuff/dhcarp in order to run carp with
> an ISP providing a dynamic IP address through DHCP? Or is there any easier
> method for dealing with a dynamic IP address on the WAN side of the CARP
> interfaces?
>
> Regards
> ML
>
>

i patched 5.8 (kernel+dhclient) to have dhclient working with carp, worked well, dumped it because real life sucks.

-- - () ascii ribbon campaign - against html e-mail /\