Re: pf queue bandwidth estimation

2016-05-13 Thread Stuart Henderson
On 2016-05-12, niya levi  wrote:
> using broadbandspeedchecker.co.uk i measured the bandwidth on my virgin
> media line,
> the download speed varied from as low as 20Mb/sec up to 50Mb/sec
> depending on the time of day the test was run,

Queuing is done on the transmit side, so the bandwidth you should be
interested in is upload, not download.

You have already received the download traffic. You *can* queue when
you pass it on to another host but that doesn't have a direct effect
on what people on the internet send to you so however you do things
"download queueing" won't work reliably. If I send 1Gb/s of packets
to you, it doesn't matter what you do, it's going to starve out
other traffic and nothing you can do on your side of the link is
going to help.

> what will be the result if i put a value for the queue bandwidth which
> is greater or lesser than the maximum download speed ?

If lesser: transfers will be limited to a slower speed than is actually
available. This gives more predictable performance; queues work ok;
but total bandwidth will be reduced.

If greater: you lose control over queueing as it will then be done on
a device upstream from you (e.g. a modem or router on the next hop
or later).

If the times/bandwidths are fairly predictable then you could always
use a cronjob to switch config. (Setup variables in pf.conf to reference
in the 'queue' rules then you can override them like 'pfctl -Dbandwidth=20M
-Dbulk=3M -f /etc/pf.conf' rather than having a mess of separate files).
That way you don't lose too much at times when the ISP is coping, and
still don't have too many problems when they're overloaded.

But hopefully your upload bandwidth is a lot more consistent throughout
the day anyway.
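
The macro-override approach described above, written out as an added example that is not part of the original message. The interface name, macro names, queue names, the port used to classify bulk traffic, the default figures and the cron times are all assumptions; only the 20M and 3M values come from the quoted pfctl command.

```conf
# /etc/pf.conf (fragment) -- added example, not from the thread.
# Interface, macro and queue names and the default figures are assumptions.
ext_if  = "em0"

# Defaults used when pf.conf is loaded without -D. Keep the root figure a
# little below the measured *upload* rate, so that the queue builds on this
# box rather than on the modem or router upstream.
up_bw   = "40M"
std_bw  = "35M"
bulk_bw = "5M"

# Queues are attached to the transmit side of the external interface.
queue rootq on $ext_if bandwidth $up_bw max $up_bw
queue std   parent rootq bandwidth $std_bw default
queue bulkq parent rootq bandwidth $bulk_bw max $bulk_bw

# Assumed classification: outbound rsync is treated as bulk traffic.
match out on $ext_if proto tcp to port 873 set queue bulkq

# root's crontab (times are assumptions): load the reduced figures for the
# hours when the line is congested, then go back to the defaults in the file.
#   0 18 * * * /sbin/pfctl -Dup_bw=20M -Dstd_bw=17M -Dbulk_bw=3M -f /etc/pf.conf
#   0 23 * * * /sbin/pfctl -f /etc/pf.conf
```

Values given with -D override the definitions in the file, so a single pf.conf serves both periods.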



Re: TLS now supported on openbsd.org?

2016-05-13 Thread Kevin Chadwick
> >So
> >is there an agenda or just many idiots who see TLS=security and don't
> >see lack of secure cookie usage and XSS vulnerabilities (now protected
> >by SSL everywhere) meaning a site is likely exploitable in other ways!!
> 
> You guys should seriously check "Nirvana fallacy".

Nirvana Fallacy, Complete nonsense, it is completely plausible to
encourage better control of JS and encourage more responsible use and
not even difficult for browsers to set up sites to replace the
thousands of CAs which can't all be secure.

If users don't know what they are doing then why do the browsers
view SSL as more important than the situation that allows them to do so
much damage simply by pasting scripts into their sites. Partly the
reason is browser developers are also using js more than they
should. Google use javascript themselves for tracking by the way.

Google groups won't even load without javascript despite w3c guidelines
saying javascript should not be required for site navigation. Sites are
starting to create their own scroll bars. It is getting worse not
better despite html5 promising and giving the potential of the opposite.

-- 

KISSIS - Keep It Simple So It's Securable



TPO (Technical platform owner) role

2016-05-13 Thread Ruslanas Gžibovskis
Hi team,

Sorry for spamming, but I would like to get some info from this mailing
list participants, cause I think you may suggest something interesting and
be good example for me and my org.

I really would like to get Knowledge or some exp share from OpenBSD
community, as I really like this OS and its philosophy, and I recently
started to learn it :)

So my issue:
My current organization is establishing TPO role.
I am suggested for this role from Linux side.
Maybe someone knows what TPO does in your or your friends working
environment?
Maybe someone can share some draft of role specification or some docs or at
least structure of documents prepared by TPO.

What results are expected from TPO in our org is:
Document OS install, support and decom.
Create LifeCycle roadmap
Create Specs of what we can offer from OS side and what we cannot.
And anything else is accepted :) :D


Thank you very much in advance.
Sorry for spamming this mailing list, but I do not know which ML I should
choose for this type of question :) this one desc looked most close for
this type of question :)
--

Ruslanas Gžibovskis
+370 6030 7030
RHCE: 130-192-255



reboot automatically after stack trace / system halted

2016-05-13 Thread ML mail
Hello,
My OpenBSD 5.9 just got a stack trace and stuck in the prompt "The operating 
system has halted". I would like it to reboot automatically in case this 
happens again, is this possible?
I got ddb.panic=0 in my /etc/sysctl.conf file but in that very precise case 
there was no panic just a stack trace and had to manually reboot it.
Regards
ML



Re: pf queue bandwidth estimation

2016-05-13 Thread Stuart Henderson
On 2016/05/13 11:31, niya levi wrote:
> hi Stuart
> 
> On 13/05/16 08:32, Stuart Henderson wrote:
> > On 2016-05-12, niya levi  wrote:
> >> using broadbandspeedchecker.co.uk i measured the bandwidth on my virgin
> >> media line,
> >> the download speed varied from as low as 20Mb/sec up to 50Mb/sec
> >> depending on the time of day the test was run,
> > Queuing is done on the transmit side, so the bandwidth you should be
> > interested in is upload, not download.
> >
> > You have already received the download traffic. You *can* queue when
> > you pass it on to another host but that doesn't have a direct effect
> > on what people on the internet send to you so however you do things
> > "download queueing" won't work reliably. If I send 1Gb/s of packets
> > to you, it doesn't matter what you do, it's going to starve out
> > other traffic and nothing you can do on your side of the link is
> > going to help.
> thanks understood
> 
> >> what will be the result if i put a value for the queue bandwidth which
> >> is greater or lesser than the maximum download speed ?
> > If lesser: transfers will be limited to a slower speed than is actually
> > available. This gives more predictable performance; queues work ok;
> > but total bandwidth will be reduced.
> >
> > If greater: you lose control over queueing as it will then be done on
> > a device upstream from you (e.g. a modem or router on the next hop
> > or later).
> i assume that this also applies to the upload speed

Yes.

> > If the times/bandwidths are fairly predictable then you could always
> > use a cronjob to switch config. (Setup variables in pf.conf to reference
> > in the 'queue' rules then you can override them like 'pfctl -Dbandwidth=20M
> > -Dbulk=3M -f /etc/pf.conf' rather than having a mess of separate files).
> > That way you don't lose too much at times when the ISP is coping, and
> > still don't have too many problems when they're overloaded.
> >
> > But hopefully your upload bandwidth is a lot more consistent throughout
> > the day anyway.
> >
> do you know of any software i can use to measure upload speeds ?

There's speedtest-cli (in packages), but as with any tests like this,
you're testing bandwidth to the speed test server (so this includes
your line, but also connectivity between your ISP and the test server,
and sometimes speedtest servers max out their own network connection).



Re: Balanced and failover IPSEC

2016-05-13 Thread Claer
On Thu, May 12 2016 at 47:18, Info wrote:
> Hello, this is my first post on OpenBSD, so do not riddle me, please...
Hello,

Welcome to the lists.

> I have one infrastructure with one tunnel IPSEC. This works ok, but I think I
> can duplicate the transfers. My topology is like this:
> 
>   * One ADSL 20Mb on Site A
>   * Two ADSL 10Mb on Site B
>   * Consists on one OpenBSD by site, attached the router directly
> 
> I need share Network A with Network B with ipsec like now, but
> balanced/failovered. I search solutions and found 3 methods, but I'm not sure
> which use and this seems a little complicated:
> 
>   * CARP (I haven't two server by site)
>   * PF (with ipsec i'm lost)
>   * ifstated (I dont know nothing of this)
> 
> I will send my topology graphically on attachment (it will read with system
> or fixed font).

I implemented solutions like that in the past. The easier method with IPSEC is
using encapsulation. I tried two different setups: gif(4)+ifstated and
gif(4)+OSPF.
The latter is simpler to maintain, and for us scaled over 50 sites.

With just 2 sites, you can use gre(4) encapsulation instead of gif and use gre
keepalives instead of setting up ospfd. We didn't use that solution because
GRE keepalives are not implemented on Linux and we needed interoperability.

Basically, you create 2 ipsec tunnels between A and your 2 pub IP addresses
on B.
Then you setup 2 GRE tunnels above IPSEC. On site A, you configure 2 routes with
different weights to access your network on B. Do the same on site B.
In case of failure, the primary GRE tunnel will go down (because of missing
keepalives). Your BSD boxes will disable the 1st GRE tunnel interface and
use the 2nd route entry available.


>  #20.0.0.0  
>  #--- ##
>  #####  10Mb |DSL|\   ##   ##
>  #--- |   ##
>  #####/   |   ##   ##
>  ####   20Mb##   /|.2 ##
> --- .2  ---  .1 ##--/---
>|BSD|---|DSL|#  INET  #  |BSD|---
> --- --- ##--\--- \
>  |  ##   \|.2|
>  | 10.0.0.0  #\   | ---
> ---  #--- | NET
> NET  #  10Mb |DSL|/ ---
> ---  #---101.0.0.0
>  100.0.0.0   #21.0.0.0

Best regards,

Claer



Re: light browsers

2016-05-13 Thread Rubén Llorente
Dmitrij D. Czarkoff  wrote:
> Webkit1-based browsers (Luakit, Midori, surf, Vimb and Xombrero) use
> unmaintained engine, so nobody fixes even known issues.  People who care
> about security should probably avoid these.

I heard the developer of Surf (Webkit-1 based browser) say that he
suspects that Webkit2 is still a worse option to use than Webkit1 even
if you acknowledge that Webkit1 is EOLed. There is some work being
done in a Webkit2 version of Surf, but he said that Webkit2 was likely
a bigger problem than a Webkit1 with known unpatched issues. 

I have not checked the facts so I can't back any of these engines, but
I thought this post was going to be relevant to the conversation. 

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Re: Balanced and failover IPSEC

2016-05-13 Thread Info
Thanks Claer! I will check next week.

Regards,

Toni

On Fri, May 13, 2016 at 11:34:18AM +0200, Claer wrote:
> On Thu, May 12 2016 at 47:18, Info wrote:
> > Hello, this is my first post on OpenBSD, so do not riddle me, please...
> Hello,
> 
> Welcome to the lists.
> 
> > I have one infrastructure with one tunnel IPSEC. This works ok, but I think 
> > I
> > can duplicate the transfers. My topology is like this:
> > 
> >   * One ADSL 20Mb on Site A
> >   * Two ADSL 10Mb on Site B
> >   * Consists on one OpenBSD by site, attached the router directly
> > 
> > I need share Network A with Network B with ipsec like now, but
> > balanced/failovered. I search solutions and found 3 methods, but I'm not 
> > sure
> > which use and this seems a little complicated:
> > 
> >   * CARP (I haven't two server by site)
> >   * PF (with ipsec i'm lost)
> >   * ifstated (I dont know nothing of this)
> > 
> > I will send my topology graphically on attachment (it will read with system
> > or fixed font).
> 
> I implemented solutions like that in the past. The easier method with IPSEC is
> using encapsulation. I tried two different setups: gif(4)+ifstated and 
> gif(4)+OSPF
> The latter is simpler to maintain, and for us scaled over 50 sites.
> 
> With just 2 sites, you can use gre(4) encapsulation instead of gif and use gre
> keepalives instead of setting up ospfd. We didn't use that solution because
> GRE keepalives are not implemented on Linux and we needed interoperability.
> 
> Basically, you create 2 ipsec tunnels between A and your 2 pub IP addresses
> on B.
> Then you setup 2 GRE tunnels above IPSEC. On site A, you configure 2 routes
> with different weights to access your network on B. Do the same on site B.
> In case of failure, the primary GRE tunnel will go down (because of missing
> keepalives). Your BSD boxes will disable the 1st GRE tunnel interface and
> use the 2nd route entry available.
> 
> 
> >  #20.0.0.0  
> >  #--- ##
> >  #####  10Mb |DSL|\   ##   
> > ##
> >  #--- |   ##
> >  #####/   |   ##   
> > ##
> >  ####   20Mb##   /|.2 ##
> > --- .2  ---  .1 ##--/---
> >|BSD|---|DSL|#  INET  #  |BSD|---
> > --- --- ##--\--- \
> >  |  ##   \|.2|
> >  | 10.0.0.0  #\   | ---
> > ---  #--- | NET
> > NET  #  10Mb |DSL|/ ---
> > ---  #---
> > 101.0.0.0
> >  100.0.0.0   #21.0.0.0
> 
> Best regards,
> 
> Claer



lite browsers

2016-05-13 Thread jsg
I like speed/performance of links and links -g
I must use at times Midori and or Firefox and don't like speed/performance

Have not heard on here any "Lynx" comments?



Re: light browsers

2016-05-13 Thread jsg
I have been using links and links -g and am very satisfied with
speed/performance.
I have to use Midori/Firefox etc occasionally not satisfied with
speed/performance.

Have not heard anyone here mention Lynx?



Re: light browsers

2016-05-13 Thread Alex Ahn
Has anyone ever used rekonq?

On Fri, May 13, 2016 at 7:45 AM, jsg  wrote:

> I have been using links and links -g and am very satisfied with
> speed/performance.
> I have to use Midori/Firefox etc occasionally not satisfied with
> speed/performance.
>
> Have not heard anyone here mention Lynx?



Re: Subpixel / RGB antialiasing

2016-05-13 Thread Ted Unangst
Simon McFarlane wrote:
> On 04/14/16 12:23, Matej Nanut wrote:
> > Hello,
> > 
> > OpenBSD's freetype library is built without the feature.
> > 
> > If you have your source trees set up, you can rebuild it after
> > uncommenting FT_CONFIG_OPTION_SUBPIXEL_RENDERING in
> > /usr/xenocara/lib/freetype/include/freetype/config/ftoption.h.
> > 
> 
> Wow, That did the trick! I was afraid I'd never see beautiful fonts on
> OpenBSD.
> 
> The comment above says the feature is covered by Microsoft patents, and
> is why it isn't enabled by default. Didn't those patents expire in 2010?
> http://www.freetype.org/patents.html

It says right on the linked page that the bytecode hinting patents expired and
the interpreter is now enabled by default. That does not mean the subpixel
filtering patents have expired.



Re: light browsers

2016-05-13 Thread Kevin Chadwick
> Has anyone ever used rekonq?

I just came across these that have source code today

http://www.palemoon.org/
https://www.waterfoxproject.org

-- 

KISSIS - Keep It Simple So It's Securable



rtadvd advertised non-local prefix

2016-05-13 Thread Bastien Durel
Hello,

I have an OpenBSD router with a few interfaces, connected to a few
other routers, sharing routes with ospf(6)d.

There's also some hosts connected to its interfaces.

rtadvd.conf is really simple:

# cat /etc/rtadvd.conf
em0:\
:rdnss="2001:6f8:3c8:42::10":\
:dnssl="geekwu.org":
em1:\
:rdnss="2001:6f8:3c8:42::10":\
:dnssl="geekwu.org":
em5:\
:rdnss="2001:6f8:3c8:42::10":\
:dnssl="geekwu.org":
em4:\
:rdnss="2001:6f8:3c8:42::10":\
:dnssl="geekwu.org":

A router connected to em1 provides connectivity to the prefix
2001:41d0:fe4b:ec01::/64 ; so we have this in OSPF6 RIB:

Destination               Nexthop                      Path Type    Type     Cost  Uptime
2001:41d0:fe4b:ec01::/64  fe80::225:22ff:fe1e:bb7%em1  Type 1 ext   Network  10    00:26:13

and this in routing table :

Destination               Gateway                      Flags  Refs  Use  Mtu  Prio  Iface
2001:41d0:fe4b:ec01::/64  fe80::225:22ff:fe1e:bb7%em1  UG     0     0    -    32    em1

em1 has 2 inet6 addresses configured :

em1: flags=18843 mtu 1500
lladdr 00:00:24:d1:42:0d
description: DMZ
[...]
inet6 fe80::200:24ff:fed1:420d%em1 prefixlen 64 scopeid 0x2
inet6 2001:6f8:3c8:42:200:24ff:fec6:94c8 prefixlen 64
inet6 2001:41d0:fe4b:ec42:200:24ff:fed1:420d prefixlen 64

And the router sends RAs on this interface with *3* prefixes :

15:23:54.878534 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 168) 
fe80::200:24ff:fed1:420d > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, 
length 168
hop limit 64, Flags [none], pref medium, router lifetime 1800s, 
reachable time 0s, retrans time 0s
  source link-address option (1), length 8 (1): 00:00:24:d1:42:0d
0x:   24d1 420d
  prefix info option (3), length 32 (4): 2001:6f8:3c8:42::/64, Flags 
[onlink, auto], valid time 2592000s, pref. time 604800s
0x:  40c0 0027 8d00 0009 3a80   2001
0x0010:  06f8 03c8 0042    
  prefix info option (3), length 32 (4): 2001:41d0:fe4b:ec42::/64, 
Flags [onlink, auto], valid time 2592000s, pref. time 604800s
0x:  40c0 0027 8d00 0009 3a80   2001
0x0010:  41d0 fe4b ec42    
  prefix info option (3), length 32 (4): 2001:41d0:fe4b:ec01::/64, 
Flags [onlink, auto], valid time 2592000s, pref. time 604800s
0x:  40c0 0027 8d00 0009 3a80   2001
0x0010:  41d0 fe4b ec01    
  rdnss option (25), length 24 (3):  lifetime 900s, addr: 
2001:6f8:3c8:42::10
0x:    0384 2001 06f8 03c8 0042 
0x0010:    0010
  dnssl option (31), length 24 (3):  lifetime 900s, domain(s): 
geekwu.org.
0x:    0384 0667 6565 6b77 7503 6f72
0x0010:  6700  

If I disconnect the 2001:41d0:fe4b:ec01::/64 from the remote router, it
disappears from OSPF6 RIB, and from RAs too.

15:33:59.901622 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 136) 
fe80::200:24ff:fed1:420d > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, 
length 136
hop limit 64, Flags [none], pref medium, router lifetime 1800s, 
reachable time 0s, retrans time 0s
  source link-address option (1), length 8 (1): 00:00:24:d1:42:0d
0x:   24d1 420d
  prefix info option (3), length 32 (4): 2001:6f8:3c8:42::/64, Flags 
[onlink, auto], valid time 2592000s, pref. time 604800s
0x:  40c0 0027 8d00 0009 3a80   2001
0x0010:  06f8 03c8 0042    
  prefix info option (3), length 32 (4): 2001:41d0:fe4b:ec42::/64, 
Flags [onlink, auto], valid time 2592000s, pref. time 604800s
0x:  40c0 0027 8d00 0009 3a80   2001
0x0010:  41d0 fe4b ec42    
  rdnss option (25), length 24 (3):  lifetime 900s, addr: 
2001:6f8:3c8:42::10
0x:    0384 2001 06f8 03c8 0042 
0x0010:    0010
  dnssl option (31), length 24 (3):  lifetime 900s, domain(s): 
geekwu.org.
0x:    0384 0667 6565 6b77 7503 6f72
0x0010:  6700  

The prefix is only advertised on em1, not on the other interfaces.

Is there a way to prevent rtadvd from advertising
2001:41d0:fe4b:ec01::/64 ?

Thanks,

-- 
Bastien



Re: Subpixel / RGB antialiasing

2016-05-13 Thread lists
Fri, 13 May 2016 10:09:11 -0400 "Ted Unangst" 
> Simon McFarlane wrote:
> > On 04/14/16 12:23, Matej Nanut wrote:  
> > > Hello,
> > > 
> > > OpenBSD's freetype library is built without the feature.
> > > 
> > > If you have your source trees set up, you can rebuild it after
> > > uncommenting FT_CONFIG_OPTION_SUBPIXEL_RENDERING in
> > > /usr/xenocara/lib/freetype/include/freetype/config/ftoption.h.
> > >   
> > 
> > Wow, That did the trick! I was afraid I'd never see beautiful fonts on
> > OpenBSD.
> > 
> > The comment above says the feature is covered by Microsoft patents, and
> > is why it isn't enabled by default. Didn't those patents expire in 2010?
> > http://www.freetype.org/patents.html  
> 
> It says right on the linked page that the bytecode hinting patents expired and
> the interpreter is now enabled by default. That does not mean the subpixel
> filtering patents have expired.

This is getting less relevant since 2010s with general pixel density
above 100 PPI on mainstream displays and pixel perfect fonts default.

I'm really enjoying the defaults in OpenBSD for a graphical desktop on
a 27" display refresh in 2011 after a 17" in 2005 with pixel quality
matching the 10" notebook from 2010 on all three displays about 100 PPI.

This means, I absolutely disable and do not need sub-pixel anything,
neither hinting, nor different than crisp 1 pixel line fonts.  Thanks
to OpenBSD for providing me the fluent desktop Xorg experience daily.



Re: light browsers

2016-05-13 Thread Francois Pussault
lynx has been mentioned in a previous mail on the list  ;)
don't remember who did but he did ;)

> 
> From: Alex Ahn 
> Sent: Fri May 13 15:55:32 CEST 2016
> To: 
> Subject: Re: light browsers
>
>
> Has anyone ever used rekonq?
>
> On Fri, May 13, 2016 at 7:45 AM, jsg  wrote:
>
> > I have been using links and links -g and am very satisfied with
> > speed/performance.
> > I have to use Midori/Firefox etc occasionally not satisfied with
> > speed/performance.
> >
> > Have not heard anyone here mention Lynx?
>


Regards
Francois Pussault
10 chemin de négo saoumos
apt 202 - bat 2
31300 Toulouse
+33 6 17 230 820   +33 5 34 365 269
fpussa...@contactoffice.fr



bioctl: unable to read passphrase

2016-05-13 Thread Leo Unglaub

Hey friends,
i have two identical ssd drives in my laptop. sd0 and sd1. I created a 
Raid 1 (mirroring) on them resulting in sd3. I used the following command:



bioctl -c 1 -l sd0a,sd1a softraid0



On the resulting disk i created sd3b with 2 GB Swap and sd3a with 100GB 
with a type RAID.


Now i want to put a crypto layer (Cryptoraid) on the resulting sd3a. I 
wanted to use the following command:



bioctl -c C -l sd3a softraid0


But i get the following error message: bioctl: unable to read passphrase.

Do you have any ideas why this is happening?
Thanks and greetings
Leo



Re: bioctl: unable to read passphrase

2016-05-13 Thread Ted Unangst
Leo Unglaub wrote:
> > bioctl -c C -l sd3a softraid0
> 
> But i get the following error message: bioctl: unable to read passphrase.
> 
> Do you have any ideas why this is happening?

you might try ktrace, since bioctl is not being very helpful here.



Re: Carp interface sitting on vlan can not be pinged

2016-05-13 Thread Sebastian Benoit
Kim Zeitler(kim.zeit...@konzept-is.de) on 2016.04.15 11:41:07 +0200:
> Hello
> 
> maybe a stupid question, but is it possible to run a carp(4) interface 
> on vlan(4) interfaces?

yes
 
> In the following setup we have the problem that both boxes can be pinged 
> on their address associated with their respective vlan(4) interface, but 
> not on the carp(4) interface IP. Both boxes are recent installs and are 
> running -current
> 
> em2 (no ip) ---> vlan100 (192.168.150.200) ---> carp2 (192.168.150.1)
> \
>  --> vlan101 (192.168.151.200) ---> carp3 (192.168.151.1)
> 
> respectively the corresponding node using .202 instead of .200 for the 
> vlan(4) interfaces

you did not send the output of

ifconfig vlan
ifconfig carp

this might help
 
> == The configuration ==
> 
> # uname -a
> OpenBSD router12 5.9 GENERIC.MP#1983 amd64
> 
> # cat /etc/hostname.em2
> up
> 
> # cat /etc/hostname.vlan100
> inet 192.168.150.200 255.255.255.0 192.168.150.255 vlan 100 vlandev em2

try to write this as

inet 192.168.150.200 255.255.255.0 NONE
vlan 100 vlandev em2

> # cat /etc/hostname.carp2
> inet 192.168.150.1 255.255.255.0 192.168.150.255 vhid 201 carpdev 
> vlan100 pass 1234 group wlan

inet 192.168.150.1 255.255.255.0 NONE
vhid 201 carpdev vlan100 pass 1234
group wlan

> # cat /etc/pf.conf

if above does not work, try pfctl -d
also, the pf.conf you show is not complete, so ...

> pass quick on {em2,vlan100,vlan101} proto carp
> ...
> pass inet proto icmp icmp-type $icmp_types
> pass vlan100:network
> ...
> 
> # netstat -rn
> ...
> 192.168.150/24     192.168.150.200    UCP   0  4401  -  4  vlan100
> 192.168.150/24     192.168.150.1      CP    0     0  -  4  carp2
> 192.168.150.1      00:00:5e:00:01:c9  UHLl  0  9981  -  1  carp2
> 192.168.150.200    90:e2:ba:c1:11:11  UHLl  0    30  -  1  vlan100
> 192.168.150.255    192.168.150.200    UHPb  0    80  -  1  vlan100
> 192.168.150.255    192.168.150.1      HPb   0     0  -  1  carp2
> 192.168.151/24     192.168.151.200    UCP   1  3040  -  4  vlan101
> 192.168.151/24     192.168.151.1      CP    0     0  -  4  carp3
> 192.168.151.1      00:00:5e:00:01:ca  UHLl  0   182  -  1  carp3
> 192.168.151.200    90:e2:ba:c1:11:11  UHLl  0    36  -  1  vlan101
> 192.168.151.255    192.168.151.200    UHPb  0     0  -  1  vlan101
> 192.168.151.255    192.168.151.1      HPb   0     0  -  1  carp3
> 
> 
> Cheers
> Kim
> 

-- 



Xenocara :: enabling mouse instead of trackpad

2016-05-13 Thread 3ss7cb+angubqwtnb4sc
Hi,

I didn't find information on this subject in the FAQ...

How should I set my mouse as favourite input system instead of the trackpad?

I am running 5.9 with Xfce4.



Re: bioctl: unable to read passphrase

2016-05-13 Thread Theo Buehler
On Fri, May 13, 2016 at 07:28:51PM +0200, Leo Unglaub wrote:
> Hey friends,
> i have two identical ssd drives in my laptop. sd0 and sd1. I created a Raid
> 1 (mirroring) on them resulting in sd3. I used the following command:
> 
> > bioctl -c 1 -l sd0a,sd1a softraid0
> 
> 
> On the resulting disk i created sd3b with 2 GB Swap and sd3a with 100GB with
> a type RAID.
> 
> Now i want to put a crypto layer (Cryptoraid) on the resulting sd3a. I
> wanted to use the following command:
> 
> > bioctl -c C -l sd3a softraid0
> 
> But i get the following error message: bioctl: unable to read passphrase.
> 
> Do you have any ideas why this is happening?

I think this is due to the fact that nested disciplines are not (yet?)
supported. See stsp@'s notes on softraid:
https://www.openbsd.org/papers/eurobsdcon2015-softraid-boot.pdf
page 5 where it says:

Disciplines cannot be nested yet!
So no CRYPTO on top of RAID 1, for instance



Re: bioctl: unable to read passphrase

2016-05-13 Thread Ted Unangst
Theo Buehler wrote:
> On Fri, May 13, 2016 at 07:28:51PM +0200, Leo Unglaub wrote:
> > Hey friends,
> > i have two identical ssd drives in my laptop. sd0 and sd1. I created a Raid
> > 1 (mirroring) on them resulting in sd3. I used the following command:
> > 
> > > bioctl -c 1 -l sd0a,sd1a softraid0
> > 
> > 
> > On the resulting disk i created sd3b with 2 GB Swap and sd3a with 100GB with
> > a type RAID.
> > 
> > Now i want to put a crypto layer (Cryptoraid) on the resulting sd3a. I
> > wanted to use the following command:
> > 
> > > bioctl -c C -l sd3a softraid0
> > 
> > But i get the following error message: bioctl: unable to read passphrase.
> > 
> > Do you have any ideas why this is happening?
> 
> I think this is due to the fact that nested disciplines are not (yet?)
> supported. See stsp@'s notes on softraid:
> https://www.openbsd.org/papers/eurobsdcon2015-softraid-boot.pdf
> page 5 where it says:
> 
>   Disciplines cannot be nested yet!
>   So no CRYPTO on top of RAID 1, for instance

that will cause problems later, but should not prevent bioctl from reading a
passphrase.



dhcarp

2016-05-13 Thread ML mail
Hi


Did anyone already try this DHCARP article 
https://sites.google.com/site/bsdstuff/dhcarp in order to run carp with an ISP 
providing a dynamic IP address through DHCP? Or is there any easier method for 
dealing with a dynamic IP address on the WAN side of the CARP interfaces?

Regards
ML



Re: bioctl: unable to read passphrase

2016-05-13 Thread Joerg Jung
> On 13.05.2016 at 21:56, Ted Unangst wrote:
>
> Theo Buehler wrote:
>> On Fri, May 13, 2016 at 07:28:51PM +0200, Leo Unglaub wrote:
>>> Hey friends,
>>> i have two identical ssd drives in my laptop. sd0 and sd1. I created a Raid
>>> 1 (mirroring) on them resulting in sd3. I used the following command:
>>>
>>>> bioctl -c 1 -l sd0a,sd1a softraid0
>>>
>>>
>>> On the resulting disk i created sd3b with 2 GB Swap and sd3a with 100GB with
>>> a type RAID.
>>>
>>> Now i want to put a crypto layer (Cryptoraid) on the resulting sd3a. I
>>> wanted to use the following command:
>>>
>>>> bioctl -c C -l sd3a softraid0
>>>
>>> But i get the following error message: bioctl: unable to read passphrase.
>>>
>>> Do you have any ideas why this is happening?
>>
>> I think this is due to the fact that nested disciplines are not (yet?)
>> supported. See stsp@'s notes on softraid:
>> https://www.openbsd.org/papers/eurobsdcon2015-softraid-boot.pdf
>> page 5 where it says:
>>
>>   Disciplines cannot be nested yet!
>>   So no CRYPTO on top of RAID 1, for instance
>
> that will cause problems later

Which problems? This should really be mentioned
in softraid(4) CAVEATS section then, no?

Personally, I'm running CRYPTO on top of a large
RAID1 for years without any problems.



Re: dhcarp

2016-05-13 Thread sven falempin
On Fri, May 13, 2016 at 4:47 PM, ML mail  wrote:

> Hi
>
>
> Did anyone already try this DHCARP article
> https://sites.google.com/site/bsdstuff/dhcarp in order to run carp with
> an ISP providing a dynamic IP address through DHCP? Or is there any easier
> method for dealing with a dynamic IP address on the WAN side of the CARP
> interfaces?
>
> Regards
> ML
>
>
i patched 5.8 (kernel+dhclient) to have dhclient working with carp,

worked well,

dumped it because real life sucks.

-- 
-
() ascii ribbon campaign - against html e-mail
/\