Re: rebound with dhcp
On Sun, Aug 21, 2016 at 08:36:51PM -0600, Theo de Raadt wrote:
> It has been discussed a few times, but no complete plan has formed.
>
> It is a mix of problems. If rebound is running you want libc to use
> rebound's data. If rebound is not running it should work as before
> (at least until we come up with a firm plan). rebound needs to be
> pointed at the right sources which requires collating the information
> from the various input sources (dhcp, umb(4), rtsol, etc) and then
> hook them up. And detect when results become wrong, and deal with a
> variety of startup or failure conditions.
>
> We've observed others building overly complicated solutions for this,
> and not been satisfied by those solutions.
>
> Something interesting happened in the last year which could play an
> interesting part. The introduction of pledge(2) led to cooperation
> between our resolver (libc/asr) and the kernel -- DNS sockets are
> tagged with SOCK_DNS. We could play some sort of redirection game in
> the kernel, and leave resolv.conf as the file that libc observes.
> That could be a piece of the puzzle.

Ah - thanks! I look forward to finding out what the future implementation will end up being. The whole concept of rebound seems like a neat idea. The last couple years have been really exciting to follow :) The progress made with tame/pledge has completely blown me away.
Re: rebound with dhcp
>Are there any plans to have rebound use dns servers provided via dhcp?
>I think a nice feature would be having it read from resolv.conf.
>
>Wouldn't this allow us to still have the nice features rebound provides,
>but get the benefits of dhcp-provided dns for roadwarriors?
>
>I did a quick search on misc@, and the man pages are a little light, so
>sorry if this has been covered.

It has been discussed a few times, but no complete plan has formed.

It is a mix of problems. If rebound is running you want libc to use rebound's data. If rebound is not running it should work as before (at least until we come up with a firm plan). rebound needs to be pointed at the right sources which requires collating the information from the various input sources (dhcp, umb(4), rtsol, etc) and then hook them up. And detect when results become wrong, and deal with a variety of startup or failure conditions.

We've observed others building overly complicated solutions for this, and not been satisfied by those solutions.

Something interesting happened in the last year which could play an interesting part. The introduction of pledge(2) led to cooperation between our resolver (libc/asr) and the kernel -- DNS sockets are tagged with SOCK_DNS. We could play some sort of redirection game in the kernel, and leave resolv.conf as the file that libc observes. That could be a piece of the puzzle.
Re: Recent package archives?
On 08/21/16 17:29, Stuart Henderson wrote:

On 2016-08-21, STeve Andre' wrote:

Does anyone have archives of recent amd64 snapshot packages?

I blew my aug-09 set away and I'd like libreoffice back. Anyone?

(And yes, I know it's always a gamble to mismatch packages and the OS)

Thanks, STeve Andre'

The last snapshot package built for libreoffice is against old X libraries so if you run them you get symbol conflicts (old package wanting libfreetype.so.25.0 but *also* pulling in X libraries linked against libfreetype.so.26.0).

libreoffice builds from ports are currently failing due to W^X enforcement ("uno.bin(39666): mprotect W^X violation" when running code which is produced during the build as part of the build). I'm hoping that the recently committed change to ports gcc will let us work around this for now (I'll be testing this shortly) and then once we've got a working build of libreoffice again it will hopefully be simpler to track down the libreoffice code that currently needs W+X mappings - we can set kern.wxabort=1 sysctl and get some kind of coredump.

Thanks Stuart. I figured that was the general problem.

--STeve Andre'
rebound with dhcp
Are there any plans to have rebound use dns servers provided via dhcp? I think a nice feature would be having it read from resolv.conf. Wouldn't this allow us to still have the nice features rebound provides, but get the benefits of dhcp-provided dns for roadwarriors? I did a quick search on misc@, and the man pages are a little light, so sorry if this has been covered.
Re: Overloaded machine kernel death
On Sun, Aug 21, 2016 at 4:57 PM, Stuart Henderson wrote:
> On 2016-08-20, sven falempin wrote:
> > On Sat, Aug 20, 2016 at 3:50 PM, Stuart Henderson
> > wrote:
> >
> >> This report is totally useless without a dmesg.
> >> We don't know which version,which arch, and a bunch of other
> >> things that would be included in it.
> >>
> >>
> > Yes i just leave it in Misc , because i think the problem is actually not
> > openBSD related.
> > Unless work-binpatch59-amd64 is dirty .
>
> So 5.9 + patches. It's probably worth trying -current and see if it behaves
> any better.
>
>

For those interested this is related to the amount of cores i give to the VM.

The problem does not occur if i put a 1 socket , 4 cores config in qemu but it does with a 2 socket 4 cores, and also 1 socket 6 cores.

This makes very difficult to know where is the problem qemu or openBSD ?

Moreover the device is actually used and only with high load i can create the problem, i'd like

Using systat i saw a very high load of softnet and way too much fork, that i will work on reducing. But that's about it.

load averages: 15.13, 15.59, 16.02 X 02:11:50
187 processes: 3 running, 180 idle, 4 on processor up 1 day, 3:05
CPU0 states: 0.0% user, 9.7% nice, 45.4% system, 26.3% interrupt, 18.7% idle
CPU1 states: 0.0% user, 6.2% nice, 61.3% system, 6.6% interrupt, 25.9% idle
CPU2 states: 0.0% user, 4.5% nice, 65.0% system, 1.0% interrupt, 29.5% idle
CPU3 states: 0.0% user, 15.8% nice, 70.8% system, 1.9% interrupt, 11.4% idle
Memory: Real: 617M/1633M act/tot Free: 6299M Cache: 714M Swap: 0K/182M

This is after reducing the load a bit.

I will try current if the problem persist, to get some maybe useful back traces.

--
- () ascii ribbon campaign - against html e-mail
/\
A couple minor corrections for 60.html on www.openbsd.org
I don't have -current for reference, so I just downloaded the page. Please, add http:// to the chroot(2) link and remove the "ordering" dittography. --- a/60.html Sun Aug 21 14:33:18 2016 +++ b/60.html Sun Aug 21 15:25:59 2016 @@ -406,7 +406,7 @@ a new chown promise that allows pledged programs to set setugid attributes, a stricter enforcement of the recvfd promise and -chroot(2) is no longer allowed +http://man.openbsd.org/chroot.2;>chroot(2) is no longer allowed for pledged programs. a number of http://man.openbsd.org/pledge;>pledge(2)-related bugs @@ -497,7 +497,7 @@ and only included for legacy compatibility. http://man.openbsd.org/ssh.1;>ssh(1), http://man.openbsd.org/sshd.8;>sshd(8): - Improve ordering ordering of MAC verification for + Improve ordering of MAC verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC before decrypting any ciphertext. This removes the possibility of timing differences leaking facts about the plaintext,
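Review bot: in the first hunk (60.html, @@ -406), the added chroot(2) link uses the section-suffixed form http://man.openbsd.org/chroot.2, while the pledge(2) link two context lines further down uses http://man.openbsd.org/pledge with no section. The ssh(1) and sshd(8) links in the second hunk's context already use the suffixed form (ssh.1, sshd.8), so chroot.2 matches those and the pledge link is the inconsistent one; consider normalizing it to the same form in this patch so every man page link on the page reads alike.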
Re: Recent package archives?
On 2016-08-21, STeve Andre' wrote:
> Does anyone have archives of recent amd64 snapshot packages?
>
> I blew my aug-09 set away and I'd like libreoffice back. Anyone?
>
> (And yes, I know it's always a gamble to mismatch packages and the OS)
>
>
> Thanks, STeve Andre'
>
>

The last snapshot package built for libreoffice is against old X libraries so if you run them you get symbol conflicts (old package wanting libfreetype.so.25.0 but *also* pulling in X libraries linked against libfreetype.so.26.0).

libreoffice builds from ports are currently failing due to W^X enforcement ("uno.bin(39666): mprotect W^X violation" when running code which is produced during the build as part of the build). I'm hoping that the recently committed change to ports gcc will let us work around this for now (I'll be testing this shortly) and then once we've got a working build of libreoffice again it will hopefully be simpler to track down the libreoffice code that currently needs W+X mappings - we can set kern.wxabort=1 sysctl and get some kind of coredump.
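The "code that needs W+X mappings" mentioned in the message above comes down to two mapping patterns, shown here as an added example that is not part of the thread and is not libreoffice or OpenBSD code. The function names and the sample bytes are assumptions made for illustration; only POSIX mmap/mprotect calls are used.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes MAP_ANON on glibc */
#endif
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for generated code; this example never executes it. */
static const unsigned char sample_code[] = { 0x90, 0x90, 0x90, 0x90 };

/* The request a W^X-enforcing kernel rejects: write and exec on one mapping.
 * Returns 1 if granted, 0 if refused, -1 if the mapping itself failed. */
int wx_request_granted(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int rc = mprotect(p, len, PROT_READ | PROT_WRITE | PROT_EXEC);
    munmap(p, len);
    return rc == 0 ? 1 : 0;
}

/* W^X-clean load: fill the buffer while it is read/write, then trade write
 * for exec in one mprotect(), so no page is ever W and X at the same time.
 * Returns 0 and sets *out and *out_len on success, -1 on failure. */
int load_code_wx_clean(const unsigned char *code, size_t n, void **out, size_t *out_len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (n == 0) return -1;
    size_t len = (n + page - 1) / page * page;   /* round up to whole pages */
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED) return -1;
    memcpy(p, code, n);
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, len);
        return -1;
    }
    *out = p; *out_len = len;
    return 0;
}

int main(void)
{
    void *p = NULL; size_t len = 0;
    printf("W+X mprotect granted: %d\n", wx_request_granted());
    printf("RW -> RX load result: %d\n",
           load_code_wx_clean(sample_code, sizeof sample_code, &p, &len));
    return 0;
}
```

Whether the first function reports 1 or 0 depends on the kernel's policy; the second pattern is the one that keeps working when W^X is enforced.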
Re: Overloaded machine kernel death
On 2016-08-20, sven falempin wrote:
> On Sat, Aug 20, 2016 at 3:50 PM, Stuart Henderson
> wrote:
>
>> This report is totally useless without a dmesg.
>> We don't know which version,which arch, and a bunch of other
>> things that would be included in it.
>>
>>
> Yes i just leave it in Misc , because i think the problem is actually not
> openBSD related.
> Unless work-binpatch59-amd64 is dirty .

So 5.9 + patches. It's probably worth trying -current and see if it behaves any better.
Re: multiple python version
Wed, 17 Aug 2016 11:06:30 +0530 Jay Patel
> Thanks scott. I will look into it. I found john's solution easy though.

Well, search for the tools that allow you the language environment setup rather than demand that from the operating system, until you find that language operating system aware enough to implement main security mitigation measures on top of CPU features. Good luck!!!

I.E. Try the environment setup in your $HOME for your chosen lang.
Re: Issues with syslogd and routing table
I was able to get around this by using TCP, which was always the intent. I just wanted to start simple.

Robert Harris

On 08/20/2016 05:32 PM, Robert Harris wrote:

Greetings,

I have two OpenBSD servers that are configured to send syslog messages to another syslog server. After OSPF adjacencies are formed, the routing table changes and the route to that syslog server changes with it. At boot those needed routes are there yet and the machine sends out UDP syslog on the egress interface itself. The problem is that when the routes to become available, syslogd continues sending out the wrong interface until I restart syslogd. Any thoughts on this?

*.* @udp4://172.23.40.10:514
Re: donations
On 16-08-20 19:24:10, Theo de Raadt wrote:
> > It was mentioned in another post that sales of the OpenBSD CD's
> > loses money.
>
> The effort expended vs payout received is probably on par with the
> newspaper route I operated at age 16.
>
> I could be doing far better things than making CDs.
>
> For 20 years I really had no other choice.
>
> > Would it be better to make donations to the foundation?
>
> Absolutely. Look at the results:
>
> http://www.openbsdfoundation.org/activities.html
>

done.

--
Edgar Pettijohn
Re: donations
It is all described here: http://www.openbsd.org/donations.html
Re: donations
Certainly tax consequences need to be considered, but by people who understand the tax situation in Canada who can guide us from a position of knowing what they are talking about. I don't think that includes either of us. I do know something about how US tax law and if, for example, I were to send money to Richard Stallman to be used in the same way I suggested in my post re Theo, he could turn over what he doesn't need to the Free Software Foundation, which is a 501(c)(3) non-profit organization, and deduct that donation from his taxable income. But it is pure speculation on my part that this is analogous to the situation with Theo and the OpenBSD Foundation, since I know nothing about Canadian tax law or how the OpenBSD Foundation is set up. So I'll stop typing and let people who actually understand the situation take over.

> Date: Sun, 21 Aug 2016 10:01:56 -0400
> From: t...@parlementum.net
> To: misc@openbsd.org
> Subject: Re: donations
>
> That works very differently as far as taxes go. Theo would have to start reporting
> it as income if Canada works like the US, and things are interesting from there.
>
> On Sun, Aug 21, 2016 at 07:36:40AM -0400, Donald Allen wrote:
> > But isn't it still better to send the money directly to you, since the
> > Foundation doesn't support you financially? If I understand the different pots
> > of money correctly, this gives you maximum flexibility to use what you need
> > for your own support and if there is any excess, you can send it to the
> > Foundation.
> >
> >
> > > From: dera...@openbsd.org
> > > To: ed...@pettijohn-web.com
> > > CC: misc@openbsd.org
> > > Subject: Re: donations
> > > Date: Sat, 20 Aug 2016 19:24:10 -0600
> > >
> > > > It was mentioned in another post that sales of the OpenBSD CD's
> > > > loses money.
> > >
> > > The effort expended vs payout received is probably on par with the
> > > newspaper route I operated at age 16.
> > >
> > > I could be doing far better things than making CDs.
> > >
> > > For 20 years I really had no other choice.
> > >
> > > > Would it be better to make donations to the foundation?
> > >
> > > Absolutely. Look at the results:
> > >
> > > http://www.openbsdfoundation.org/activities.html
Re: donations
That’s the point of the new regulatory audits ;)

> On Aug 21, 2016, at 9:01 AM, Daniel Wilkins wrote:
>
> That works very differently as far as taxes go. Theo would have to start reporting
> it as income if Canada works like the US, and things are interesting from there.
>
> On Sun, Aug 21, 2016 at 07:36:40AM -0400, Donald Allen wrote:
>> But isn't it still better to send the money directly to you, since the
>> Foundation doesn't support you financially? If I understand the different pots
>> of money correctly, this gives you maximum flexibility to use what you need
>> for your own support and if there is any excess, you can send it to the
>> Foundation.
>>
>>
>>> From: dera...@openbsd.org
>>> To: ed...@pettijohn-web.com
>>> CC: misc@openbsd.org
>>> Subject: Re: donations
>>> Date: Sat, 20 Aug 2016 19:24:10 -0600
>>> It was mentioned in another post that sales of the OpenBSD CD's loses money.
>>>
>>> The effort expended vs payout received is probably on par with the
>>> newspaper route I operated at age 16.
>>>
>>> I could be doing far better things than making CDs.
>>>
>>> For 20 years I really had no other choice.
>>> Would it be better to make donations to the foundation?
>>>
>>> Absolutely. Look at the results:
>>>
>>> http://www.openbsdfoundation.org/activities.html
Re: donations
That works very differently as far as taxes go. Theo would have to start reporting it as income if Canada works like the US, and things are interesting from there.

On Sun, Aug 21, 2016 at 07:36:40AM -0400, Donald Allen wrote:
> But isn't it still better to send the money directly to you, since the
> Foundation doesn't support you financially? If I understand the different pots
> of money correctly, this gives you maximum flexibility to use what you need
> for your own support and if there is any excess, you can send it to the
> Foundation.
>
>
> > From: dera...@openbsd.org
> > To: ed...@pettijohn-web.com
> > CC: misc@openbsd.org
> > Subject: Re: donations
> > Date: Sat, 20 Aug 2016 19:24:10 -0600
> >
> > > It was mentioned in another post that sales of the OpenBSD CD's
> > > loses money.
> >
> > The effort expended vs payout received is probably on par with the
> > newspaper route I operated at age 16.
> >
> > I could be doing far better things than making CDs.
> >
> > For 20 years I really had no other choice.
> >
> > > Would it be better to make donations to the foundation?
> >
> > Absolutely. Look at the results:
> >
> > http://www.openbsdfoundation.org/activities.html
Issues with syslogd and routing table
Greetings,

I have two OpenBSD servers that are configured to send syslog messages to another syslog server. After OSPF adjacencies are formed, the routing table changes and the route to that syslog server changes with it. At boot those needed routes are there yet and the machine sends out UDP syslog on the egress interface itself. The problem is that when the routes to become available, syslogd continues sending out the wrong interface until I restart syslogd. Any thoughts on this?

*.* @udp4://172.23.40.10:514

--
Robert Harris
Re: donations
But isn't it still better to send the money directly to you, since the Foundation doesn't support you financially? If I understand the different pots of money correctly, this gives you maximum flexibility to use what you need for your own support and if there is any excess, you can send it to the Foundation.

> From: dera...@openbsd.org
> To: ed...@pettijohn-web.com
> CC: misc@openbsd.org
> Subject: Re: donations
> Date: Sat, 20 Aug 2016 19:24:10 -0600
>
> > It was mentioned in another post that sales of the OpenBSD CD's
> > loses money.
>
> The effort expended vs payout received is probably on par with the
> newspaper route I operated at age 16.
>
> I could be doing far better things than making CDs.
>
> For 20 years I really had no other choice.
>
> > Would it be better to make donations to the foundation?
>
> Absolutely. Look at the results:
>
> http://www.openbsdfoundation.org/activities.html