subscribe

2019-12-27 Thread N6Ghost

subscribe



How to use proot?

2019-12-27 Thread Xiyue Deng
Hi,

I'm trying to set up a chroot for dpb using proot, but it looks like I'm
doing something wrong and nothing has been created in the chroot
directory.  According to proot man page the following command should be
sufficient, but I got the following outputs and nothing happens in /build:

8<
$ sudo ./proot -B /build
Password: 
loguser: _pbuild
fetchuser: _pfetch
builduser: _pbuild
PORTSDIR=/usr/ports
DISTDIR=/usr/ports/distfiles
WRKOBJDIR=/usr/ports/pobj
LOCKDIR=/usr/ports/pobj/locks
LOGDIR=/usr/ports/logs
PACKAGE_REPOSITORY=/usr/ports/packages
PLIST_REPOSITORY=/usr/ports/plist
Couldn't find mountpoint for /build ???
Running locate: ok
8<

It looks like it treats /build as a mountpoint, but what if I just need
a local chroot?  I wonder what is the correct way to use proot.  Thanks!




Re: What do you use to generate invoices on OpenBSD?

2019-12-27 Thread Allan Streib
jeanfrancois  writes:

> Thanks for that insight on using LaTeX (from ports).

If you look on CTAN there are several invoicing packages.

https://ctan.org/topic/invoice

Allan



Re: Disabling ACPI permanently

2019-12-27 Thread Radek
Hello Philip,

This box has installed the newest BIOS firmware. 

Following your suggestion I sent a bug report to b...@openbsd.org
https://marc.info/?l=openbsd-bugs=157747038309405=2


On Mon, 23 Dec 2019 08:25:13 -0800
Philip Guenther  wrote:

> On Mon, Dec 23, 2019 at 5:10 AM Radek  wrote:
> 
> > I'm trying to permanently disable acpi doing the following steps[1].
> > After the first reboot OS boots fine.
> > After the second reboot acpi seems to be re-enabled at boot - I get [2].
> > What am I doing wrong?
> >
> 
> First, you should also check whether there's a newer BIOS firmware for this
> box, as there's a good chance Intel has fixed issues and issued a new one.
> If so, installing that may totally resolve the issue.
> 
> If not, or if upgrading the firmware doesn't resolve this, then you should
> next send a bug report to b...@openbsd.org using sendbug.  To get the most
> data when you do so, disable _just_ the acpipci device (using boot -c)
> instead of all of acpi and then run sendbug as root on that system.  The
> bug report will then include the data from the ACPI tables, so that the
> driver can be fixed to deal with this.
> 
> ...
> 
> > acpipci0 at acpi0 PCI0panic: malloc: allocation too large, type = 33, size
> > = 292057776136
> >
> 
> 
> Philip Guenther


-- 
Radek



Re: Fun play with egrep, sed and awk

2019-12-27 Thread goleo .
On Fri, Dec 27, 2019 at 10:49 PM Guilherme Janczak
 wrote:
>
> On Thu, 26 Dec 2019 16:13:33 +
> "goleo ."  wrote:
>
> > I was wondering how much space distfiles on "ftp" take, so because
> > I couldn't see that in my web browser clearly, I downloaded the page
> > https://ftp.openbsd.org/pub/OpenBSD/distfiles/ as distfiles.txt
>
> With wget, you can download the HTML of a web page, and also recurse
> into links within it.
>
> $ wget -r -l 0 -A '*.html' --no-parent -O everything.html https://ftp.openbsd.org/pub/OpenBSD/distfiles/
>
> This command recurses into an infinite number of links without going up
> in the hierarchy and into the parent directory, downloads only other
> .html files (from which more links can be acquired), and appends
> everything to an "everything.html" file.
>
> After a few minutes running and just ~1.7MiB of HTML downloaded, it
> tried to recurse into a lot of non-existing directories, so I cut it
> short there. The figure may not be perfect.
>
> $ grep -E '[0-9]$' everything.html | sed 's|.* \([0-9]*\)$|\1|' | awk '{sum+=$1} END{print sum / 1024 / 1024}'
> 65629
>
>
> The sum of all filesizes, which are listed in kibibytes, divided by
> 1024^2, to turn it into gibibytes, returns 65629 gibibytes or about
> 65 tebibytes.
> This number seems a little absurd, I'm not sure if I made a mistake.
> It does not seem completely implausible either however, the tree
> does have files dating all the way back to 1990.
> https://ftp.openbsd.org/pub/OpenBSD/distfiles/ja-fonts/

Filesizes are listed just in bytes, that means your calculation shows
65629 megabytes.

Still nice, I didn't know it's so easy to fetch contents of
subdirectories :)



Re: Fun play with egrep, sed and awk

2019-12-27 Thread Guilherme Janczak
On Thu, 26 Dec 2019 16:13:33 +
"goleo ."  wrote:

> I was wondering how much space distfiles on "ftp" take, so because
> I couldn't see that in my web browser clearly, I downloaded the page
> https://ftp.openbsd.org/pub/OpenBSD/distfiles/ as distfiles.txt

With wget, you can download the HTML of a web page, and also recurse
into links within it. 

$ wget -r -l 0 -A '*.html' --no-parent -O everything.html https://ftp.openbsd.org/pub/OpenBSD/distfiles/

This command recurses into an infinite number of links without going up
in the hierarchy and into the parent directory, downloads only other
.html files (from which more links can be acquired), and appends 
everything to an "everything.html" file.

After a few minutes running and just ~1.7MiB of HTML downloaded, it 
tried to recurse into a lot of non-existing directories, so I cut it
short there. The figure may not be perfect.

$ grep -E '[0-9]$' everything.html | sed 's|.* \([0-9]*\)$|\1|' | awk '{sum+=$1} END{print sum / 1024 / 1024}'
65629


The sum of all filesizes, which are listed in kibibytes, divided by
1024^2, to turn it into gibibytes, returns 65629 gibibytes or about
65 tebibytes.
This number seems a little absurd, I'm not sure if I made a mistake.
It does not seem completely implausible either however, the tree 
does have files dating all the way back to 1990.
https://ftp.openbsd.org/pub/OpenBSD/distfiles/ja-fonts/



Re: No WAF detected - Solved

2019-12-27 Thread Kihaguru Gathura
Hi,

WAF is detected when certain methods are filtered in relayd.

Thanks,

Kihaguru.




On Monday, December 9, 2019, Kihaguru Gathura  wrote:
>
>
> Hi,
> A message from assessors and further tests below.
>
>

>
>
> I have configured relayd to serve a single url that accepts no
> parameters. This url is blocked by relayd with error 403 Forbidden if
> anything is appended to its end.
> I would expect WAF detection in such a test case but this has not
> happened.
> What other means are malicious payloads being delivered in this case?
>
> Thanks and regards,
> Kihaguru
>
>
>

>
> # $OpenBSD: relayd.conf,v 1.5 2018/05/06 20:56:55 benno Exp $
> #
> # Relay and protocol
> #
> http protocol httpp {
> return error
> match response header remove "Server"
>
> pass
> block quick path "/cgi-bin/index.cgi" value "*command=*"
> pass quick path "/net/index.html" value ""
> block
> }
>
> relay httpr {
> # Listen on localhost, accept diverted connections from pf(4)
> listen on 127.0.0.1 port 8080
> protocol httpp
>
> # Forward to the original target host
> forward to destination
> }
>
> http protocol httpsp {
> return error
> match response header remove "Server"
>
> pass
> block quick path "/cgi-bin/index.cgi" value "*command=*"
> pass quick path "/net/index.html" value ""
> block
>
> tls keypair example.net
>  }
>
> relay httpsr {
> # Listen on localhost, accept diverted connections from pf(4)
> listen on 127.0.0.1 port 8443 tls
> protocol httpsp
>
> # Forward to the original target host
> forward with tls to destination
> }
>
---
>
> On Thu, Dec 5, 2019 at 2:11 PM Stuart Henderson wrote:
>>
>> On 2019/12/05 00:17, Kihaguru Gathura wrote:
>> >
>> >
>> >
>> > On Wed, Dec 4, 2019 at 11:58 PM Kihaguru Gathura wrote:
>> >
>> >
>> >
>> > >> Which is a better way to implement a WAF on OpenBSD using the base utilities?
>> > >
>> > > relayd configured in certain ways might be considered as a WAF.
>> >
>> >
>> > All methods and all other security headers and path filters are coded in the web
>> > application which had always been detected as a custom WAF until two weeks ago.
>> >
>> > I have now included relayd and a re-test passes all other requirements but does not detect
>> > a WAF (please find sample configurations and test report below).
>> >
>> > Any hint highly appreciated
>>
>> I think you will need to talk to your assessors and ask what they're looking for.
>>
>


Re: OpenBSD and ext2fs (ext3)

2019-12-27 Thread Dumitru Moldovan

On Fri, Dec 27, 2019 at 04:44:46PM +0100, Stefan Sperling wrote:
> On Fri, Dec 27, 2019 at 03:56:00PM +0100, Thomas de Grivel wrote:
> > Hello,
> >
> > I have a few ext3 drives from an old gentoo which mount fine but do
> > not fsck (something about the first alternate superblock not matching
> > values) they mount and fsck fine under linux.
>
> OpenBSD ext3 support is limited and read-only. I wouldn't expect fsck
> to work since fixing errors requires writing to the filesystem.


In my experience, ext3 support is fragile, but not limited to read-only
access.  Had to save some big files on a 10-year old HDD that I used
with Gentoo, and it worked mostly fine.  Except for a panic, reported
at https://marc.info/?l=openbsd-bugs=157634364811892.

Also, fixing an ext3 filesystem in OpenBSD is handled by the Linux
fsck utilities compiled for OpenBSD as the "e2fsprogs" package.  This
worked beautifully for me after the crash.  As far as I can tell, this
need not be correlated to the ext2 support in the kernel.



Re: OpenBSD and ext2fs (ext3)

2019-12-27 Thread Stefan Sperling
On Fri, Dec 27, 2019 at 03:56:00PM +0100, Thomas de Grivel wrote:
> Hello,
> 
> I have a few ext3 drives from an old gentoo which mount fine but do
> not fsck (something about the first alternate superblock not matching
> values) they mount and fsck fine under linux.

OpenBSD ext3 support is limited and read-only. I wouldn't expect fsck
to work since fixing errors requires writing to the filesystem.
 
> The only exception being a 4Tb drive which panics when mounting the
> ext3 partition.
> 
> Is this expected or should I investigate further ?

Yes. Panics are not expected, though not unheard of with corrupt
filesystems or not well-tested filesystem code.



OpenBSD and ext2fs (ext3)

2019-12-27 Thread Thomas de Grivel
Hello,

I have a few ext3 drives from an old gentoo which mount fine but do
not fsck (something about the first alternate superblock not matching
values) they mount and fsck fine under linux.

The only exception being a 4Tb drive which panics when mounting the
ext3 partition.

Is this expected or should I investigate further ?

-- 
 Thomas de Grivel
 kmx.io



Re: Advices on AD implementation with OpenBSD

2019-12-27 Thread Marcus MERIGHI
Hello!

fm+obsd+misc+l...@phosphorusnetworks.com (Fabio Martins), 2019.12.26 (Thu) 20:26 (CET):
> I am drawing a scenario to replace the Windows 2003 Server with OpenBSD,
> acting as AD/DC and firewall. There is a need to share folders and

AFAIK this is the current status of samba AD/DC on OpenBSD:

  "This update doesn't include lmdb support (now the default upstream);
   and doesn't fix the AD DC support in the samba daemon either."

  https://marc.info/?l=openbsd-ports=157019016817459

There have been updates (and downgrades) since then, but nothing
indicates that AD/DC works. Have not tried myself in a long time.

Marcus

> printers, restrict access to folders based on logins, and no GPO are
> needed at all.
> 
> Is it possible with the current samba+winbind? Anyone has done it before?
> 
> Thanks for 6.6!
> 
> -- 
> Fabio Martins
> http://www.nabundapode.com.br/



Re: relayd(8) Tables and pfctl -T

2019-12-27 Thread Stuart Henderson
On 2019-12-26, Thomas Huber  wrote:
> I just tried to get a little deeper into load-balancing and try
> to use relayd(8) in a dynamic (translate to microservices) environment
> where I'd like to add and remove hosts on the fly.
> After some reading I thought I should use tables for this purpose.
>
> relayctl(8) only allows to enable or disable complete tables but not
> to alter a table.
>
> So I checked out
>
> 'pfctl -t  -T add '
>
> which should do exactly what I want.

That manipulates tables in PF not in relayd.

> But unfortunately the tables (to relay or redirect) are not
> present in 'pfctl -s Table'

relayd *uses* PF tables for redirect (but not relay). They are added
under PF "anchors". See the list of relayd's anchors with pfctl -sA -a
relayd. See the list of tables attached to an anchor with pfctl -sT -a
relayd/RDR_someanchor. See table contents with pfctl -a RDR_someanchor
-t RDR_sometable -Ts. But changing PF tables doesn't feed back to
relayd. It won't start doing health checks for added hosts, etc.

> I just have a small setup to play, no real hosts or services attached
> but before growing bigger I wanted to ask here if this should be
> possible how I try it or another idea how to alter relayd(8) tables
> without updating relayd.conf(5) and reload.

You need to update the config and reload. This is probably easier if
you use a short file containing just the table definition and use
"include".

If you want something with more dynamic runtime configuration, haproxy
is in ports, runs ok on OpenBSD and may be a better fit. relayd has lower
overhead in cases where packets are sent unmodified (it uses SO_SPLICE
for simple TCP relays to hand-off packet shuffling to the kernel;
haproxy can do this on Linux using splice(2) on Linux but doesn't
use SO_SPLICE) but that's irrelevant in other cases (e.g. if the
load-balancer terminates TLS connections) and might otherwise be a
better fit for microservices.
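
The "short included table file, update it, reload" approach described above, as an added shell example that is not part of the original post. The path /etc/relayd.tables, the table name and the function names are assumptions, and the main relayd.conf is assumed to contain an include line for that file.

```shell
#!/bin/sh
# Added example. Assumed names (not from the thread): /etc/relayd.tables,
# the table name passed in, and these helper functions.
RELAYD_CONF="${RELAYD_CONF:-/etc/relayd.conf}"
TABLE_FILE="${TABLE_FILE:-/etc/relayd.tables}"

# Accept only address literals or plain hostnames, so a value taken from
# service discovery cannot smuggle extra relayd.conf syntax into the file.
valid_host() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9.:-]*) return 1 ;;
    esac
    return 0
}

# Print one table definition: table <name> { host1 host2 ... }
render_table() {
    name="$1"; shift
    case "$name" in ""|*[!A-Za-z0-9_]*) return 1 ;; esac
    [ "$#" -gt 0 ] || return 1            # refuse to emit an empty table
    hosts=""
    for h in "$@"; do
        valid_host "$h" || { echo "rejected host: $h" >&2; return 1; }
        hosts="$hosts $h"
    done
    printf 'table <%s> {%s }\n' "$name" "$hosts"
}

# Replace the included file, let relayd check the whole configuration,
# and reload only if the check passes; otherwise restore the old file.
update_table() {
    tmp="$(mktemp "${TABLE_FILE}.XXXXXX")" || return 1
    render_table "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    [ -f "$TABLE_FILE" ] && cp -p "$TABLE_FILE" "${TABLE_FILE}.prev"
    mv "$tmp" "$TABLE_FILE"
    if relayd -n -f "$RELAYD_CONF"; then
        relayctl reload
    else
        [ -f "${TABLE_FILE}.prev" ] && mv "${TABLE_FILE}.prev" "$TABLE_FILE"
        return 1
    fi
}

# Usage (as root): update_table webhosts 10.0.0.11 10.0.0.12
```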



Re: relayd(8) Tables and pfctl -T

2019-12-27 Thread Thomas Huber
On Thu, 26 Dec 2019 at 17:39, Marcus MERIGHI  wrote:

> Hello Thomas,
>
> miracu...@gmail.com (Thomas Huber), 2019.12.26 (Thu) 16:42 (CET):
> > I just tried to get a little deeper into load-balancing and try
> > to use relayd(8) in a dynamic (translate to microservices) environment
> > where I'd like to add and remove hosts on the fly.
> > After some reading I thought I should use tables for this purpose.
> >
> > relayctl(8) only allows to enable or disable complete tables but not
> > to alter a table.
>
> But relayctl(8) lets you disable hosts of a table?
>
> $ relayctl show hosts
> $ relayctl host disable 3
>

Thanks, Marcus.


>
> You cannot add/remove/change, though.
>
> hm, okay
Basically it should be possible with HashiCorp's consul-template:
https://github.com/hashicorp/consul-template
but that's not really an elegant way.


> Marcus
>
> > So I checked out
> >
> > 'pfctl -t  -T add '
> >
> > which should do exactly what I want.
> >
> > But unfortunately the tables (to relay or redirect) are not
> > present in 'pfctl -s Table'
> >
> > I just have a small setup to play, no real hosts or services attached
> > but before growing bigger I wanted to ask here if this should be
> > possible how I try it or another idea how to alter relayd(8) tables
> > without updating relayd.conf(5) and reload.
> >
> > thanks
> > --mirac
>


Re: Fun play with egrep, sed and awk

2019-12-27 Thread Stuart Henderson
On 2019-12-26, goleo .  wrote:
> I was wondering how much space distfiles on "ftp" take, so because
> I couldn't see that in my web browser clearly, I downloaded the page
> https://ftp.openbsd.org/pub/OpenBSD/distfiles/ as distfiles.txt

btw, there are files in subdirectories as well (another 35GB or so).
They are fetched with dpb(1)'s -F flag and old files are cleaned every
so often with clean-old-distfiles(1) - the manuals are in base but the
actual programs are in the ports tree - so the total space depends on
how long old distfiles are kept when they're no longer used by a port.

> $ egrep '[0-9]$' distfiles.txt | sed 's|.* \([0-9]*\)$|\1|' | awk '{
> sum += $1 / 10 } END { print sum "G" }'
> 54.8126G
>
> Most of space is taken by distfiles which are at least 100 MB big:
>
> $ egrep '[0-9]{9}$' distfiles.txt | sed 's|.* \([0-9]*\)$|\1|' | awk
> '{ sum += $1 / 10 } END { print sum "G" }'
> 34.5359G

For more fun and efficiency, combine the egrep/sed commands into awk :)
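
The suggestion above carried out in a single awk pass, as an added example that is not part of the thread. The listing lines are a constructed sample whose layout (size as the last field, "-" for directories) is an assumption, and sizes are treated as bytes, as stated elsewhere in the thread.

```shell
#!/bin/sh
# Constructed sample in the assumed shape of the saved listing:
# link, date, time, then the size in bytes as the last field.
sample_listing() {
    cat <<'EOF'
<a href="ja-fonts/">ja-fonts/</a>        27-Dec-2019 10:00           -
<a href="a.tar.gz">a.tar.gz</a>          27-Dec-2019 10:01   150000000
<a href="b.tgz">b.tgz</a>                27-Dec-2019 10:02    50000000
<a href="c.tar.xz">c.tar.xz</a>          27-Dec-2019 10:03  1300000000
EOF
}

# One awk process replaces egrep | sed | awk: $NF is the last field, so no
# sed capture is needed, and the numeric test skips directory rows.
# Reads a listing on stdin and prints three fields:
#   file count, total in GB, GB held by files of at least 9 digits
# (the same cut as the egrep '[0-9]{9}$' filter in the thread).
sum_listing() {
    awk '
        $NF ~ /^[0-9]+$/ {
            n++
            total += $NF
            if (length($NF) >= 9) big += $NF
        }
        END { printf "%d %.2f %.2f\n", n, total / 1e9, big / 1e9 }
    '
}

# Usage: sum_listing < distfiles.txt
```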