Re: Bad network performance on apu2c4
On Thu, Nov 9, 2017 at 1:42 AM, Rupert Gallagher wrote:
> New speed record today: 963Mbps between apu2c4 and a PC, both ways.
>
> I never get above 550Mbit with pf enabled.
Re: Debugging a php's script startup
On Wed, Nov 08, 2017 at 08:43:55PM +0100, Martijn van Duren wrote:
> Hello C.,
>
> Can you start up the daemon process from the CLI (without the rc
> script)? If not and it still has the same error message as below (which
> I reckon it will) you might want to change your mysqli.default_socket =
> in your /etc/php-7.0.ini.
> Do note however that this will also affect php-fpm and mod_php which run
> chrooted by default (hence the weird path), so if you need those installs
> unaffected try to create a custom ini-file and specify it with -c as a
> php-argument.
>
> Also note that php is not designed to write daemons in and should only
> be done if there are no other options. The rc-script won't restart your
> daemon automatically if it crashes.
>
> Hope this helps.
>
> martijn@
>

Wow!! ... Many many thanks Martijn. I have added "-c" switch to daemon_args and created another .ini file for this "daemon", and it works. Here it is:

#!/bin/sh -x
#
daemon="/usr/local/bin/php-7.0"
daemon_flags="-c /etc/tt-rss/php-7.0.ini /var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log"
daemon_user="www"

. /etc/rc.d/rc.subr

pexp="${daemon}${daemon_flags:+ ${daemon_flags}}"
rc_bg=YES
rc_reload=NO

rc_post() {
        rm -f /var/www/htdocs/rss/lock/update_daemon.lock
}

rc_cmd $1

Inside .ini I have configured mysqli.default_socket option:

mysqli.default_socket = /var/www/var/run/mysql/mysql.sock

--
Greetings,
C. L. Martinez
Re: Debugging a php's script startup
Hello C.,

Can you start up the daemon process from the CLI (without the rc script)? If not and it still has the same error message as below (which I reckon it will) you might want to change your mysqli.default_socket = in your /etc/php-7.0.ini.
Do note however that this will also affect php-fpm and mod_php which run chrooted by default (hence the weird path), so if you need those installs unaffected try to create a custom ini-file and specify it with -c as a php-argument.

Also note that php is not designed to write daemons in and should only be done if there are no other options. The rc-script won't restart your daemon automatically if it crashes.

Hope this helps.

martijn@

On 11/08/17 20:22, C. L. Martinez wrote:
> Hi all,
>
> I am trying to setup a startup file for TT-Rss (installed under OpenBSD 6.2
> host, fully patched). This is the script:
>
> #!/bin/sh -x
> #
>
> daemon="/usr/local/bin/php-7.0"
> daemon_flags="/var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log"
> daemon_user="www"
>
> . /etc/rc.d/rc.subr
>
> pexp="${MODPHP_BIN} ${daemon}${daemon_flags:+ ${daemon_flags}}"
>
> rc_bg=YES
> rc_reload=NO
>
> rc_post() {
>         rm -f /var/www/htdocs/rss/lock/update_daemon.lock
> }
>
> rc_cmd $1
>
> And when I try to start it, this is the output:
>
> root@rssweb:/etc/rc.d# ./tt_rss start
> + daemon=/usr/local/bin/php-7.0
> + daemon_flags=/var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log
> + daemon_user=www
> + . /etc/rc.d/rc.subr
> + _rc_actions=start stop restart reload check
> + readonly _rc_actions
> + [ -n ]
> + basename ./tt_rss
> + _name=tt_rss
> + _rc_check_name tt_rss
> + [ -n /usr/local/bin/php-7.0 ]
> + unset _RC_DEBUG _RC_FORCE
> + getopts df c
> + shift 0
> + _RC_RUNDIR=/var/run/rc.d
> + _RC_RUNFILE=/var/run/rc.d/tt_rss
> + _rc_do _rc_parse_conf
> + eval _rcflags=${tt_rss_flags}
> + _rcflags=
> + eval _rcrtable=${tt_rss_rtable}
> + _rcrtable=
> + eval _rcuser=${tt_rss_user}
> + _rcuser=
> + eval _rctimeout=${tt_rss_timeout}
> + _rctimeout=
> + getcap -f /etc/login.conf tt_rss
> + > /dev/null
> + 2>&1
> + daemon_class=daemon
> + [ -z ]
> + daemon_rtable=0
> + [ -z www ]
> + [ -z ]
> + daemon_timeout=30
> + [ -n -o start != start ]
> + [ -n ]
> + [ -n ]
> + [ -n ]
> + [ -n ]
> + [ -n ]
> + readonly daemon_class
> + unset _rcflags _rcrtable _rcuser _rctimeout
> + pexp=/usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log
> + rcexec=su -l -c daemon -s /bin/sh www -c
> + [ 0 -eq 0 ]
> + pexp= /usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log
> + rc_bg=YES
> + rc_reload=NO
> + rc_cmd start
> tt_rss(failed)
>
> pexp's option seems good ... I think the problem is with 'www' user and with
> this command: "su -l -c daemon -s /bin/sh www -c".
> Launching from console returns an error:
>
> root@rssweb:/etc/rc.d# su -l -c daemon -s /bin/sh www -c '/usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log'
> PHP Warning:  mysqli_connect(): (HY000/2002): Can't connect to local MySQL server through socket '/var/run/mysql/mysql.sock' (2 "No such file or directory") in /var/www/htdocs/rss/classes/db/mysqli.php on line 8
> Unable to connect to database (as rss to localhost, database dbrss): Can't connect to local MySQL server through socket '/var/run/mysql/mysql.sock'
>
> mysql's socket is created under www's chroot like in pkg-readme says:
> srwxrwxrwx  1 _mysql  _mysql  0 Nov  8 17:45 /var/www/var/run/mysql/mysql.sock
>
> If I am not wrong, then, how can I configure this startup script?
>
> Thanks
Debugging a php's script startup
Hi all,

I am trying to setup a startup file for TT-Rss (installed under OpenBSD 6.2 host, fully patched). This is the script:

#!/bin/sh -x
#

daemon="/usr/local/bin/php-7.0"
daemon_flags="/var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log"
daemon_user="www"

. /etc/rc.d/rc.subr

pexp="${MODPHP_BIN} ${daemon}${daemon_flags:+ ${daemon_flags}}"

rc_bg=YES
rc_reload=NO

rc_post() {
        rm -f /var/www/htdocs/rss/lock/update_daemon.lock
}

rc_cmd $1

And when I try to start it, this is the output:

root@rssweb:/etc/rc.d# ./tt_rss start
+ daemon=/usr/local/bin/php-7.0
+ daemon_flags=/var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log
+ daemon_user=www
+ . /etc/rc.d/rc.subr
+ _rc_actions=start stop restart reload check
+ readonly _rc_actions
+ [ -n ]
+ basename ./tt_rss
+ _name=tt_rss
+ _rc_check_name tt_rss
+ [ -n /usr/local/bin/php-7.0 ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/tt_rss
+ _rc_do _rc_parse_conf
+ eval _rcflags=${tt_rss_flags}
+ _rcflags=
+ eval _rcrtable=${tt_rss_rtable}
+ _rcrtable=
+ eval _rcuser=${tt_rss_user}
+ _rcuser=
+ eval _rctimeout=${tt_rss_timeout}
+ _rctimeout=
+ getcap -f /etc/login.conf tt_rss
+ > /dev/null
+ 2>&1
+ daemon_class=daemon
+ [ -z ]
+ daemon_rtable=0
+ [ -z www ]
+ [ -z ]
+ daemon_timeout=30
+ [ -n -o start != start ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ readonly daemon_class
+ unset _rcflags _rcrtable _rcuser _rctimeout
+ pexp=/usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log
+ rcexec=su -l -c daemon -s /bin/sh www -c
+ [ 0 -eq 0 ]
+ pexp= /usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log
+ rc_bg=YES
+ rc_reload=NO
+ rc_cmd start
tt_rss(failed)

pexp's option seems good ... I think the problem is with 'www' user and with this command: "su -l -c daemon -s /bin/sh www -c".
Launching from console returns an error:

root@rssweb:/etc/rc.d# su -l -c daemon -s /bin/sh www -c '/usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log'
PHP Warning:  mysqli_connect(): (HY000/2002): Can't connect to local MySQL server through socket '/var/run/mysql/mysql.sock' (2 "No such file or directory") in /var/www/htdocs/rss/classes/db/mysqli.php on line 8
Unable to connect to database (as rss to localhost, database dbrss): Can't connect to local MySQL server through socket '/var/run/mysql/mysql.sock'

mysql's socket is created under www's chroot like in pkg-readme says:
srwxrwxrwx  1 _mysql  _mysql  0 Nov  8 17:45 /var/www/var/run/mysql/mysql.sock

If I am not wrong, then, how can I configure this startup script?

Thanks

--
Greetings,
C. L. Martinez
Re: spamd.conf with rsync and DNS-based lists
2017-11-08 17:01 GMT+01:00 Mark Carroll:
> I am looking to expand my spamd.conf's blacklisting and I now see that
> some providers prefer one to rsync their blacklist rather than simply
> fetching it and more others make their lists queryable by DNS only.
>
> Is there a "good" OpenBSD way to do it or maybe the whole idea is
> ill-conceived.

I'd say go with bgp-spamd (http://bgp-spamd.net), but that's the networker I am talking :)

Peter Hessler gave several talks about it, here are the slides from one of his talks:
https://www.openbsd.org/papers/asiabsdcon2015-bgp-spamd.pdf
Re: Suppressing logging of arp movement messages
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of OpenBSD
> Sent: 08 November 2017 15:44
> To: misc@openbsd.org
> Subject: Suppressing logging of arp movement messages
>
> hello all,
>
> I have finally built an internet gateway with OpenBSD 6.2 (AMD64),
> including pf and IPSec. Great stuff.
> Now I am seeing a lot of arp movement, that I know are caused by
> Apple's Bonjour Sleep Proxy.
>
> Nov 8 00:00:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov 8 00:00:58 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> Nov 8 00:01:57 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov 8 00:02:04 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> Nov 8 00:02:35 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov 8 00:03:28 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> Nov 8 00:03:42 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov 8 00:04:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
>
> These messages are repeating every 15-30 seconds for Apple devices like
> laptops that are in standby (sleep mode).
>
> On pfSense and FreeBSD you have a sysctl:
> net.link.ether.inet.log_arp_movements
> when set to zero it will no longer log the messages.
>
> Discussions can be found on internet dating back to 2010, but no
> solution has been provided for what I could find.
> I have not yet found any sysctl in OpenBSD to do the same. Did I miss
> something or does OpenBSD have any trick to not log these messages.
> Currently these messages are filling up the logs /var/run/dmesg.boot
> and /var/log/messages.
>
> Marco PC

Hi Marco

In freebsd it is usually done with

  sysctl net.link.ether.inet.log_arp_movements=0

and I guess this applies to openbsd too.

T
spamd.conf with rsync and DNS-based lists
I am looking to expand my spamd.conf's blacklisting and I now see that some providers prefer one to rsync their blacklist rather than simply fetching it and more others make their lists queryable by DNS only.

I am not missing some easy rsync syntax for spamd.conf right? It is a sufficient workaround to just rsync to a local file then have the base spamd look at that. The fast table lookups that pf can do are great.

As for the DNSBLs, last year Clint Pachl kindly shared a spamd-dnsbl script here which every few minutes looks to trap hosts while they are graylisted. Also promising is https://github.com/echothrust/pf-diverters though the README warns "IN NO-WAY PRODUCTION READY" and dnsbl-divert is "still work-in-progress" and there are no recent commits. Maybe it's more reliable than it seems though I am still trying to understand the implications of a divert-packet to something that then does DNS lookups: this is a side of pf that's new to me. For using IP blacklists to immediately divert senders to spamd, it'd be interesting to try Spamhaus Zen and similar.

How are people approaching this? Is there a "good" OpenBSD way to do it or maybe the whole idea is ill-conceived.

-- Mark
Re: mandoc -Tlint requires Mdocdate and RCS id
Hi Jan,

Jan Stary wrote on Wed, Nov 08, 2017 at 04:13:19PM +0100:

> this is a minimalized manpage that currently fails mandoc -Tlint:
>
> .Dd November 8, 2017
> .Dt AUDIO 3
> .Os
> .Sh NAME
> .Nm libaudio

This is broken, .Dt/.Nm mismatch.
Mandoc should probably warn, but doesn't.

> .Nd manipulate digital audio formats and files
> .Sh SYNOPSIS
> .In audio.h
> .Ft AUFILE*

Missing blank, same problem reappears twice below.

> .Fn au_open "const char* path" "AUMODE mode" "AUINFO* info"
> .Ft int
> .Fn au_close "AUFILE* file"
> .Sh DESCRIPTION
> .Nm
> provides a simple uniform interface to manipulating
> digital audio data in various formats and file types.
> .Sh RETURN VALUES
> .Fn au_open
> returns a pointer to an initialized
> .Ft AUFILE

That ought to be .Vt.

> structure, or NULL

Missing .Dv.

> if an error occurs.
> .Fn au_close
> returns 0 upon successfully closing the file,
> or -1 if an error occurs.
>
> $ mandoc -Tlint /tmp/libaudio.3
> mandoc: /tmp/libaudio.3:1:5: STYLE: Mdocdate missing: Dd November (OpenBSD)
> mandoc: /tmp/libaudio.3: STYLE: RCS id missing: (OpenBSD)
>
> I remember this was not the case.

True, this feature is newish.

> Is it considered bad style if
> a manpage does not have "$Mdocdate: ... $" and a RCS id such as
> .\" $OpenBSD: ls.1,v 1.79 2016/10/24 13:46:58 schwarze Exp $ ?

No.  Try

  $ mandoc -Tlint -Wstyle tmp.1

and you will see that it does not raise a STYLE message.

> I tried looking for this -Tlint change in cvsweb but could not find it.

RTFS is good, but RTFM first:

  https://man.openbsd.org/mandoc.1#base

> This particular manpage is stored in git repo and does not have a RCS id.
> In fact, it uses none of the $...$ constructs of CVS.

For checking manual pages of portable software, mandoc -Tlint -Wstyle is recommended, and mandoc -Tlint -Wbase is excessive.

> Is this enforced for base manpages,

Exactly.

> so that the OpenBSD mandoc requires it, while the portable mandoc
> does not require it?

No.  OpenBSD and portable mandoc do not differ in functionality - oh well, with very few exceptions, for example portable mandoc honours .Lb while OpenBSD partially ignores it.

Both do checking based on the -W and -Ios= arguments, and -Ios= defaults to what uname(3) returns. If you test on a different operating system, or if you run the OpenBSD version but test *for* a different system, you will see results that differ in just these tiny details:

  schwarze@isnote $ uname -a
  OpenBSD isnote.usta.de 6.2 GENERIC.MP#123 amd64
  schwarze@isnote $ mandoc -Tlint tmp.1; echo $?
  mandoc: tmp.1:1:5: STYLE: Mdocdate missing: Dd November (OpenBSD)
  mandoc: tmp.1: STYLE: RCS id missing: (OpenBSD)
  1
  schwarze@isnote $ mandoc -Tlint -I os=Linux tmp.1; echo $?
  0
  schwarze@isnote $ mandoc -Tlint -Wnetbsd tmp.1; echo $?
  mandoc: tmp.1: STYLE: RCS id missing: (NetBSD)
  1

> I don't find it bad style in general to not have a RCS id ...

Everybody i talked to agrees with that, and so do i.
But when i originally made the message

  mandoc: tmp.1:1:5: BASE: Mdocdate missing: Dd November (OpenBSD)

people rightfully complained that BASE is not only hard to understand but also sounds much too scary, much too serious, as if something were fundamentally broken. So we agreed to print "STYLE:" in the message.

Yours,
  Ingo
Suppressing logging of arp movement messages
hello all,

I have finally built an internet gateway with OpenBSD 6.2 (AMD64), including pf and IPSec. Great stuff.
Now I am seeing a lot of arp movement, that I know are caused by Apple's Bonjour Sleep Proxy.

Nov 8 00:00:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov 8 00:00:58 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov 8 00:01:57 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov 8 00:02:04 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov 8 00:02:35 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov 8 00:03:28 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov 8 00:03:42 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov 8 00:04:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0

These messages are repeating every 15-30 seconds for Apple devices like laptops that are in standby (sleep mode).

On pfSense and FreeBSD you have a sysctl:
net.link.ether.inet.log_arp_movements
when set to zero it will no longer log the messages.

Discussions can be found on internet dating back to 2010, but no solution has been provided for what I could find.
I have not yet found any sysctl in OpenBSD to do the same. Did I miss something or does OpenBSD have any trick to not log these messages.
Currently these messages are filling up the logs /var/run/dmesg.boot and /var/log/messages.

Marco PC
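An added example, not from Marco's post or any reply in this thread: rather than silencing the kernel message, it parses the "arp info overwritten" lines quoted above and summarises them per IP and interface, reporting how many distinct MACs were seen, how often the entry was overwritten and the shortest interval between overwrites, and whether a MAC outside an operator-supplied allow-list appeared. Assumptions: the syslog year is 2017 (the timestamp carries none), the allow-list of expected MACs is supplied by the operator, and the one non-ARP line in the sample is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the eight kernel messages quoted in the post plus one
# unrelated line, to show that non-ARP messages are skipped.
SAMPLE_LOG = """\
Nov  8 00:00:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov  8 00:00:58 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov  8 00:01:57 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov  8 00:02:04 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov  8 00:02:35 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov  8 00:03:28 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov  8 00:03:42 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov  8 00:03:50 gatekeeper /bsd: some unrelated kernel message (constructed)
Nov  8 00:04:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
"""

# Shape of the OpenBSD "arp info overwritten" message quoted in the post.
ARP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ /bsd: "
    r"arp info overwritten for (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"by (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) on (?P<ifname>\w+)$"
)

def parse_arp_events(lines, year=2017):
    """Return (timestamp, ip, mac, ifname) tuples for matching lines.
    Syslog timestamps carry no year, so one is supplied (assumed 2017)."""
    events = []
    for line in lines:
        m = ARP_RE.match(line.strip())
        if m is None:
            continue  # not an ARP movement message
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["mac"].lower(), m["ifname"]))
    return events

def summarise(events, known_macs=()):
    """Aggregate per (ip, ifname): the distinct MACs seen, how many times the
    entry was overwritten, the shortest interval between overwrites, and
    whether any MAC is outside the operator-supplied allow-list."""
    known = {m.lower() for m in known_macs}
    by_host = defaultdict(list)
    for ts, ip, mac, ifname in events:
        by_host[(ip, ifname)].append((ts, mac))
    report = {}
    for key, seq in by_host.items():
        seq.sort()
        macs = {mac for _, mac in seq}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(seq, seq[1:])]
        report[key] = {
            "macs": sorted(macs),
            "overwrites": len(seq),
            "min_gap_s": min(gaps) if gaps else None,
            "unknown_mac": bool(known) and not macs <= known,
        }
    return report

if __name__ == "__main__":
    evts = parse_arp_events(SAMPLE_LOG.splitlines())
    for (ip, ifname), r in summarise(evts).items():
        print(f"{ip} on {ifname}: {r['overwrites']} overwrites, "
              f"{len(r['macs'])} MACs, shortest gap {r['min_gap_s']}s")
```

On the sample the host flips between exactly two MACs, which matches the sleep-proxy pattern Marco describes; a third MAC or one outside the allow-list would surface as unknown_mac rather than disappearing with the rest of the noise.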
Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn
On 11/08/17 08:37, Claudio Jeker wrote:
> On Tue, Nov 07, 2017 at 04:13:51PM +0100, Jeremie Courreges-Anglas wrote:
>> On Tue, Nov 07 2017, Kim Zeitler wrote:
>>> On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
>>>> On Tue, Nov 07 2017, Stuart Henderson wrote:
>>>>>> I have a question concerning routes and ospf.
>>>>>> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
>>>>>> routing.
>>>>>> If the ipsec tunnel is down, no ospf route is set and the default route
>>>>>> used.
>>>>>> Is it sensible and possible to add a null-route from the vpn-gateway to
>>>>>> the remote-networks so a 'Network not reachable' is sent immediately?
>>>>>
>>>>> Sensible - yes. Possible - not sure but I think you would probably need
>>>>> to monitor the ipsec status and add the route and/or gif interface only
>>>>> once the SA is up.
>>>>
>>>> I may be missing something, but maybe just add a -reject route with a low
>>>> -priority for each of your ospf routes? When an ospf route disappears
>>>> the -reject one would be preferred.
>>>>
>>>> (And if all your "vpn" routes are in a common prefix, you can just use a
>>>> single -reject route for that prefix and let more-specifics win.)
>>>
>>> something like this was actually my plan. just wasn't so sure if one
>>> actually does it like this or if there are other ways of doing it.
>>> so basically a
>>>
>>>   route add -inet 172.16/12 -reject -priority 33
>>>
>>> would suffice (33 as the ospf routes have a prio of 32)
>>
>> Yes, but I think that what Stuart points out is that your gif tunnel
>> might be used even if ipsec isn't protecting it...
>
> I use pf(4) to make sure that gif is not leaking outside of the enc
> interface (more or less):
>
>   block out proto { ipencap ipv6 }
>   pass on enc0 keep state (if-bound)
>
> Using if-bound is needed else the enc0 state would float to the egress
> interface.

I want to thank all for their time and answers.
not sure how I will implement this yet, but Stuart's and Claudio's clearly made me think a bit further.

Cheers,
Kim
mandoc -Tlint requires Mdocdate and RCS id
Hi Ingo,

this is a minimalized manpage that currently fails mandoc -Tlint:

.Dd November 8, 2017
.Dt AUDIO 3
.Os
.Sh NAME
.Nm libaudio
.Nd manipulate digital audio formats and files
.Sh SYNOPSIS
.In audio.h
.Ft AUFILE*
.Fn au_open "const char* path" "AUMODE mode" "AUINFO* info"
.Ft int
.Fn au_close "AUFILE* file"
.Sh DESCRIPTION
.Nm
provides a simple uniform interface to manipulating
digital audio data in various formats and file types.
.Sh RETURN VALUES
.Fn au_open
returns a pointer to an initialized
.Ft AUFILE
structure, or NULL
if an error occurs.
.Fn au_close
returns 0 upon successfully closing the file,
or -1 if an error occurs.

$ mandoc -Tlint /tmp/libaudio.3
mandoc: /tmp/libaudio.3:1:5: STYLE: Mdocdate missing: Dd November (OpenBSD)
mandoc: /tmp/libaudio.3: STYLE: RCS id missing: (OpenBSD)

I remember this was not the case. Is it considered bad style if a manpage does not have "$Mdocdate: ... $" and a RCS id such as
.\" $OpenBSD: ls.1,v 1.79 2016/10/24 13:46:58 schwarze Exp $ ?

I tried looking for this -Tlint change in cvsweb but could not find it.

This particular manpage is stored in git repo and does not have a RCS id. In fact, it uses none of the $...$ constructs of CVS. Is this enforced for base manpages, so that the OpenBSD mandoc requires it, while the portable mandoc does not require it?

I don't find it bad style in general to not have a RCS id ...

Jan
Re: [cwm] ability to autogroup kbfunc_menu_ssh clients
Please disregard previous mail:
https://marc.info/?l=openbsd-misc=151000897902424=2

The patch in there would break any terminal emulator which does not use "-class" to set a class.

Rereading the man page, I now see it is easy to achieve the same behaviour from ~/.cwmrc:

  command term "xterm -class Ssh"

and override the binding with

  bind-key CM-Return xterm

so that every single terminal emulator spawned via the default shortcut does not get a 'Ssh' class

Sorry for the noise.
Re: motion detection video surveillance
> I am really curious about the type of video hardware people are using.

Long time ago, in a far far away company ... I used some boards based on Conexant BT878 chipset. The driver for this is bktr(4).

As an application, I compiled something called camserv if I remember correctly, since it was not available as a port for OpenBSD. It is an app that can extract jpeg images for you and allows http web connection to it.

I was extracting those images using some php framework and did some animation in another web page.