Re: memory usage at a given time
On Sat, Nov 14, 2020 at 02:26:47AM +0200, Mihai Popescu wrote:

> Hello,
>
> My computer has 2 x 4GB memory, as one can see in dmesg. A part of it is
> used by the video card, I'm not sure how much, maybe around 256MB or less. I
> want to know if I will hit the swap space when I will let it run on 1 x 4GB
> memory, but I'm not sure how to interpret some of the following outputs or
> if I need to run other commands:
>
> $ dmesg
> OpenBSD 6.8-current (GENERIC.MP) #175: Wed Nov 11 10:02:40 MST 2020
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 8029429760 (7657MB)
> avail mem = 7770787840 (7410MB)
> [ ... ]
> spdmem0 at iic0 addr 0x52: 4GB DDR3 SDRAM PC3-10600
> spdmem1 at iic0 addr 0x53: 4GB DDR3 SDRAM PC3-10600
> [ ... ]
>
> $ systat
> 1 users Load 0.19 0.37 0.31thinkc.my.domain
> 02:23:22
>
> memory totals (in KB)PAGING SWAPPING
> Interrupts
> real virtual free in out in out 360
> total
> Active 1530836 1530836 2928304 ops100
> clock
> All 4668644 4668644 11031684 pages 237 ipi
>
> radeondr
> Proc:r d s wCsw Trp Sys Int Sof Flt forks 13
> ahci0
> 2 259 769 746 304022 288 520 fkppw
> ohci0
> fksvm
> ehci0
> 0.0%Int 0.1%Spn 1.1%Sys 5.1%Usr 93.7%Idle pwait 8
> ohci1
> ||||||||||| 175 relck
> ehci1
> =>> 175 rlkok
> azalia0
> noram
> ohci2
> Namei Sys-cacheProc-cacheNo-cache 56 ndcpy 2 bge0
> Calls hits%hits %miss % fltcp
> ohci3
> 102 79 7722 22 295 zfod
> pckbc0
> cow
> Disks sd0 cd0 63307 fmin
> seeks 84409 ftarg
> xfers26 itarg
> speed 410K 2 wired 3
> IPKTS
> sec 0.0 pdfre 1
> OPKTS
>
> $ vmstat
> procsmemory pagediskstraps cpu
> r s avm fre flt re pi po fr sr sd0 cd0 int sys cs us sy
> id
> 1 259 1504M 2848M 1450 0 0 0 0 0 2 0 174 13338 3982 13 3
> 83

vmstat only shows pi and po, pages paged in and out, not swap usage.

For systat: the vmstat view does not show swap usage, but it does show paging/swap traffic. The swap view does (per swap device), as does the uvm view (swpginuse, this is the total swap pages in use).

top also shows swap usage.

-Otto
Re: packet filter question
On 11/13/20 2:06 PM, Harald Dunkel wrote:

> Hi folks,
>
> if it is allowed to ask a question about packet filter here?

Found it, please ignore.

Harri
memory usage at a given time
Hello,

My computer has 2 x 4GB memory, as one can see in dmesg. A part of it is used by the video card, I'm not sure how much, maybe around 256MB or less. I want to know if I will hit the swap space when I will let it run on 1 x 4GB memory, but I'm not sure how to interpret some of the following outputs or if I need to run other commands:

$ dmesg
OpenBSD 6.8-current (GENERIC.MP) #175: Wed Nov 11 10:02:40 MST 2020
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8029429760 (7657MB)
avail mem = 7770787840 (7410MB)
[ ... ]
spdmem0 at iic0 addr 0x52: 4GB DDR3 SDRAM PC3-10600
spdmem1 at iic0 addr 0x53: 4GB DDR3 SDRAM PC3-10600
[ ... ]

$ systat
1 users Load 0.19 0.37 0.31thinkc.my.domain 02:23:22

memory totals (in KB)PAGING SWAPPING Interrupts
real virtual free in out in out 360 total
Active 1530836 1530836 2928304 ops100 clock
All 4668644 4668644 11031684 pages 237 ipi
radeondr
Proc:r d s wCsw Trp Sys Int Sof Flt forks 13 ahci0
2 259 769 746 304022 288 520 fkppw ohci0
fksvm ehci0
0.0%Int 0.1%Spn 1.1%Sys 5.1%Usr 93.7%Idle pwait 8 ohci1
||||||||||| 175 relck ehci1
=>> 175 rlkok azalia0
noram ohci2
Namei Sys-cacheProc-cacheNo-cache 56 ndcpy 2 bge0
Calls hits%hits %miss % fltcp ohci3
102 79 7722 22 295 zfod pckbc0
cow
Disks sd0 cd0 63307 fmin
seeks 84409 ftarg
xfers26 itarg
speed 410K 2 wired 3 IPKTS
sec 0.0 pdfre 1 OPKTS

$ vmstat
procsmemory pagediskstraps cpu
r s avm fre flt re pi po fr sr sd0 cd0 int sys cs us sy id
1 259 1504M 2848M 1450 0 0 0 0 0 2 0 174 13338 3982 13 3 83
Re: System auditing and logging
Thanks. I have enabled system accounting.

acct(5) seems to be limited by the fact that it is triggered on process exit, doesn't contain the process ID or parent process ID and can only store 10 characters for the command name.

ktrace could work but it's far too slow without limiting syscalls recorded to a specific subset.

Is there any interest in modifying ktrace to allow for specifying individual names of syscalls to trace?

e.g. ktrace -t c -u execve,sendmsg

On Fri, Nov 13, 2020 at 07:57:54AM -0700, Theo de Raadt wrote:

>man accton
>
>James wrote:
>
>> Recently a machine running OpenBSD 6.8 had its configuration changed and I
>> believe it to have been subject to a malicious attack.
>>
>> This change is completely unexplainable, compromised security, and would
>> have required root access.
>>
>> The log files reveal nothing out of the ordinary except for wtmp
>> indicating 0 users are logged in:
>>
>> -bash-5.0# who
>> -bash-5.0# w
>> 1:49PM up 2:21, 0 users, load averages: 1.35, 1.38, 1.50
>> USERTTY FROM LOGIN@ IDLE WHAT
>> -bash-5.0#
>>
>> I would like to be able to log every exec syscall with the details of the
>> current timestamp, calling PID, program path, arguments, and new PID.
>>
>> Ideally this would be implemented in the kernel. Are there any
>> existing solutions?
>>
>> Thanks,
Re: E-mail problem
On 20/11/13 11:26, Berkay Tuncel wrote:

> Hi all,
>
> We need advice for our e-mail traffic with openbsd.org
>
> When I sent an e-mail to openbsd.org which is rhs, from 160.75.0.0/16, I
> got a TLS handshake error. On the other hand, when I tried from another
> subnet, there was no problem.
>
> Nevertheless, our mta does not have a problem like this with any other mta.
> That's why, I think it can be a network related issue but still we need
> some help :)
>
> Thanks.
>
> Berkay

I'm no expert on smtpd(8); that said, it's essential to post an appropriate amount of information to troubleshoot the problem. In your case, that means including what's inside smtpd.conf(5) and pf.conf(5) (as it could be related to packet filtering), as well as output from /var/log/maillog and dmesg(8).

I might be forgetting something, in which case someone else can chime in with additions, but these are the obvious inclusions in my mind.

--
https://amissing.link
System auditing and logging
Recently a machine running OpenBSD 6.8 had its configuration changed and I believe it to have been subject to a malicious attack.

This change is completely unexplainable, compromised security, and would have required root access.

The log files reveal nothing out of the ordinary except for wtmp indicating 0 users are logged in:

-bash-5.0# who
-bash-5.0# w
1:49PM up 2:21, 0 users, load averages: 1.35, 1.38, 1.50
USERTTY FROM LOGIN@ IDLE WHAT
-bash-5.0#

I would like to be able to log every exec syscall with the details of the current timestamp, calling PID, program path, arguments, and new PID.

Ideally this would be implemented in the kernel. Are there any existing solutions?

Thanks,
Re: System auditing and logging
So you want to ktrace your entire system, with a limited set of monitors.

I've played with this before, to identify specific behaviours when developing pledge. It required a large number of hacks, and the performance was dismal.

Based upon my experience, I predict it will not work for your usage case at all.

James wrote:

> Thanks. I have enabled system accounting.
>
> acct(5) seems to be limited by the fact that it is triggered on process
> exit, doesn't contain the process ID or parent process ID and can only
> store 10 characters for the command name.
>
> ktrace could work but it's far too slow without limiting syscalls
> recorded to a specific subset.
>
> Is there any interest in modifying ktrace to allow for specifying
> individual names of syscalls to trace?
>
> e.g. ktrace -t c -u execve,sendmsg
>
> On Fri, Nov 13, 2020 at 07:57:54AM -0700, Theo de Raadt wrote:
> >man accton
> >
> >James wrote:
> >
> >> Recently a machine running OpenBSD 6.8 had its configuration changed and I
> >> believe it to have been subject to a malicious attack.
> >>
> >> This change is completely unexplainable, compromised security, and would
> >> have required root access.
> >>
> >> The log files reveal nothing out of the ordinary except for wtmp
> >> indicating 0 users are logged in:
> >>
> >> -bash-5.0# who
> >> -bash-5.0# w
> >> 1:49PM up 2:21, 0 users, load averages: 1.35, 1.38, 1.50
> >> USERTTY FROM LOGIN@ IDLE WHAT
> >> -bash-5.0#
> >>
> >> I would like to be able to log every exec syscall with the details of the
> >> current timestamp, calling PID, program path, arguments, and new PID.
> >>
> >> Ideally this would be implemented in the kernel. Are there any
> >> existing solutions?
> >>
> >> Thanks,
Re: System auditing and logging
man accton

James wrote:

> Recently a machine running OpenBSD 6.8 had its configuration changed and I
> believe it to have been subject to a malicious attack.
>
> This change is completely unexplainable, compromised security, and would
> have required root access.
>
> The log files reveal nothing out of the ordinary except for wtmp
> indicating 0 users are logged in:
>
> -bash-5.0# who
> -bash-5.0# w
> 1:49PM up 2:21, 0 users, load averages: 1.35, 1.38, 1.50
> USERTTY FROM LOGIN@ IDLE WHAT
> -bash-5.0#
>
> I would like to be able to log every exec syscall with the details of the
> current timestamp, calling PID, program path, arguments, and new PID.
>
> Ideally this would be implemented in the kernel. Are there any
> existing solutions?
>
> Thanks,
packet filter question
Hi folks,

if it is allowed to ask a question about packet filter here?

Please take a look at the attached pf.conf file. Problem is that incoming traffic from a host in (internal:network) to an external host port is passed in rule 86 (that's one of the debproxy lines)

    pass $log0 quick proto tcp from (internal:network) to $debproxy port $debproxy_port

but then it's blocked for outgoing in the default rule 0.

# tcpdump -envi pflog0 host 172.19.96.126
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
13:19:46.286235 rule 86/(match) [uid 0, pid 10501] pass in on em1: 10.150.1.32.37024 > 172.19.96.126.3142: S [tcp sum ok] 1742174933:1742174933(0) win 64240 (DF) (ttl 64, id 58124, len 60)
13:19:46.286263 rule 0/(match) [uid 0, pid 10501] block out on em0: 10.150.1.32.37024 > 172.19.96.126.3142: S [tcp sum ok] 1742174933:1742174933(0) win 64240 (DF) (ttl 63, id 47021, len 60, bad ip cksum 3f68! -> 6bc7)
^C
294 packets received by filter
0 packets dropped by kernel

Rule 86 explicitly says "pass quick", not "pass in quick". The tcpdump line shows that the outgoing packet is still filtered using the IP address bound to (internal:network) as for the incoming packet. How come this rule 86 is not applied for the outgoing packet?

The workaround is to add a tag in rule 86 and to add a line

    pass out quick tagged ALLOWED

But that's ugly.

Every insightful comment is highly appreciated

Harri

#
# gate6a/b firewall configuration
#
# to watch pf at work use 'tcpdump -nettt -i pflog0'
# to check the rule numbers use 'pfctl -gsr | grep ^@'
# to check built in tables use something like
#
#   pfctl -a _pf -s Tables
#   pfctl -a _pf -t self -T show
#   pfctl -a _pf -t internal:network -T show
#
# The groups are assigned in /etc/hostname.$ifname. There are also a
# few predefined groups, depending on the interface type, see ifconfig(8).
# Here is a list, as used in this pf config file
#
#   egress: the interface with the default gateway
#   external: the interface to access the internet
#   public: public IP address range to access the containers
#   internal: local IP address range to access the nodes
#   switches: local IP address range to access the switches and idracs
#   dblan: local IP address range to access the databases
#
# external, public, internal, switches and dblan are mutually exclusive
#
# special groups:
#
#   carpdev: interface running carp protocol
#   pfsyncdev: interface running pfsync protocol
#   carp: interface *is* a carp interface
#
# Please keep this list up to date.

# ==
# macros for logging
# ==
# we surely need some policy for logging. How about this:
log0= "log (to pflog0)" # "regular" traffic (passed or blocked)"
log1= "log (to pflog1)" # traffic to or from public network
log2= "log (to pflog2)" # unused
log3= "log (to pflog3)" # exclusively for spamlogd (unused)
logd= "log (to pflog0)" # verbose
# logd = ""

# ==
# runtime options
# ==
set block-policy return # default: drop
set fingerprints "/etc/pf.os" # /etc/pf.os
set limit states 10 # default: 10
set limit tables 1000 # default: 1000
set limit table-entries 20 # default: 20
set limit frags 65536 # default: platform dependent
set limit src-nodes 1 # default: unknown
set loginterface egress # default: none
set optimization normal # default: normal
set reassemble yes # default: yes
set ruleset-optimization basic # default: basic
set skip on { lo }
# set state-defaults ...
# set state-policy if-bound # default: floating
set syncookies never # default: never
set timeout udp.first 240 # default: 60
set timeout udp.single 120 # default: 30
set timeout udp.multiple 240 # default: 60

# ==
# IP addresses and ports
# ==
ssh_port= "{ ssh 1023 }"
http_port = "{ http https }"
smtp_host = "{ 10.150.1.1 }"
smtp_port = "{ smtp }"
debproxy= "{ 172.19.96.126 10.150.1.32 }"
debproxy_port = 3142
dns_host= "any"
ntp_host= "any"
oracle_port = "{ 1521 }"
zabbix_agent= 10050 # Zabbix Agent port
zabbix_trapper = 10051 # Zabbix Server port

# ===
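
Added example (not part of the original message and not code from the OpenBSD project): a short Python script that pairs pflog records by flow to surface the symptom described above, a packet passed inbound by one rule and then blocked outbound by another. It assumes IPv4 and no NAT between the two interfaces; the first two records are taken from the message, the last one is constructed, and the function names are hypothetical.

```python
import re

# pflog record as printed by the tcpdump command in the message;
# the "[uid ..., pid ...]" part is treated as optional.
RECORD = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\S+?)/\((?P<reason>[^)]*)\) "
    r"(?:\[[^\]]*\] )?(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>[^:\s]+):"
)

# First two records are from the message above; the last one is constructed.
SAMPLE = """\
tcpdump: listening on pflog0, link-type PFLOG
13:19:46.286235 rule 86/(match) [uid 0, pid 10501] pass in on em1: 10.150.1.32.37024 > 172.19.96.126.3142: S [tcp sum ok] 1742174933:1742174933(0) win 64240 (DF) (ttl 64, id 58124, len 60)
13:19:46.286263 rule 0/(match) [uid 0, pid 10501] block out on em0: 10.150.1.32.37024 > 172.19.96.126.3142: S [tcp sum ok] 1742174933:1742174933(0) win 64240 (DF) (ttl 63, id 47021, len 60, bad ip cksum 3f68! -> 6bc7)
13:19:47.000000 rule 12/(match) pass in on em1: 10.150.1.40.51000 > 10.150.1.1.25: S 1:1(0) win 64240
"""


def parse(line):
    """Return the header fields of one pflog record, or None for other lines."""
    m = RECORD.match(line.strip())
    return m.groupdict() if m else None


def passed_in_blocked_out(lines):
    """Find flows passed inbound by one rule and then blocked outbound."""
    pending = {}    # (src, dst) -> record that passed the packet in
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                      # tcpdump banner, ^C, counters, ...
        flow = (rec["src"], rec["dst"])   # assumes no NAT rewrites the flow
        if (rec["action"], rec["dir"]) == ("pass", "in"):
            pending[flow] = rec
        elif (rec["action"], rec["dir"]) == ("block", "out") and flow in pending:
            first = pending.pop(flow)
            findings.append({
                "src": rec["src"], "dst": rec["dst"],
                "in_rule": first["rule"], "in_if": first["ifname"],
                "out_rule": rec["rule"], "out_if": rec["ifname"],
            })
    return findings


if __name__ == "__main__":
    for f in passed_in_blocked_out(SAMPLE.splitlines()):
        print("{src} > {dst}: passed in by rule {in_rule} on {in_if}, "
              "blocked out by rule {out_rule} on {out_if}".format(**f))
```

The rule numbers it reports can be matched to ruleset lines with the 'pfctl -gsr | grep ^@' command noted in the pf.conf comments.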
Re: E-mail problem
Hi Tom,

Firstly, thanks for your response.

I am sending it from itu.edu.tr.

Yes, we have spf records and also other smtp precautions such as dkim and so on.

We use sendmail, so we have sendmail conf and macro. Also, we have cipher restrictions. Nevertheless, the cipher which has successful communication with mail.openbsd.org is allowed on our mta. Meanwhile this cipher is ECDHE-RSA-AES256-GCM-SHA384.

Thanks.

Berkay

On Fri, 13 Nov 2020 at 15:27, Tom Smyth wrote:

> Do u have an spf record for your domain and what domain are you sending
> from?
>
> What is your opensmtpd.conf
> Do u have restrictions on ciphers supported by your mta
>
> On Friday, 13 November 2020, Berkay Tuncel wrote:
>
>> Hi all,
>>
>> We need advice for our e-mail traffic with openbsd.org
>>
>> When I sent an e-mail to openbsd.org which is rhs, from 160.75.0.0/16, I
>> got a TLS handshake error. On the other hand, when I tried from another
>> subnet, there was no problem.
>>
>> Nevertheless, our mta does not have a problem like this with any other mta.
>> That's why, I think it can be a network related issue but still we need
>> some help :)
>>
>> Thanks.
>>
>> Berkay
>>
>
> --
> Kindest regards,
> Tom Smyth.

--
Berkay TUNCEL
Re: E-mail problem
Do u have an spf record for your domain and what domain are you sending from?

What is your opensmtpd.conf
Do u have restrictions on ciphers supported by your mta

On Friday, 13 November 2020, Berkay Tuncel wrote:

> Hi all,
>
> We need advice for our e-mail traffic with openbsd.org
>
> When I sent an e-mail to openbsd.org which is rhs, from 160.75.0.0/16, I
> got a TLS handshake error. On the other hand, when I tried from another
> subnet, there was no problem.
>
> Nevertheless, our mta does not have a problem like this with any other mta.
> That's why, I think it can be a network related issue but still we need
> some help :)
>
> Thanks.
>
> Berkay

--
Kindest regards,
Tom Smyth.
Re: uvn_flush: WARNING: changes to page may be lost
On Thu, Nov 12, 2020 at 08:24:51PM +0100, Paul de Weerd wrote:

> | > > uvn_flush: obj=0x0, offset=0x7c2. error during pageout.
> | > > uvn_flush: WARNING: changes to page may be lost!

> From the reply Mark sent me on June 9th[1]:
>
> > What you're seeing is what happens when a program writes to a file by
> > using mmap(2) and there is no disk space available when the kernel
> > finally decides to write out the modified memory to disk.
>
> There's plenty of space available in RAM, so you can create a file
> that's bigger than the amount of space available on disk. Then
> trying to write it to disk will fail with the error you got.

Thanks, it makes sense that mmap() would be involved. Since I've only read the books and haven't actually written anything that uses mmap() I was under the impression that you can't use mmap() and friends to extend or create a file; the filesystem needs to have a file at least as big as the area you're mapping.

So (just to understand what's going on, for my own curiosity) what are the ways you can end up in a situation where the kernel wants to write out mmapped data to disk, but there's no space in the filesystem to store that data?

My first guess would be mmap()ing a sparse file.

My second guess would be something where the file size was changed after the mapping was created, but before the data was written back. Probably a scenario where the msync(2) manpage warns for: "Filesystem operations on a file that is mapped for shared modifications are unpredictable except after an msync()."

Thanks for pointing me in this direction, it resulted in an interesting half hour of reading web pages about mmap on several OSes. :)

Regards,

Jurjen Oskam
E-mail problem
Hi all,

We need advice for our e-mail traffic with openbsd.org

When I sent an e-mail to openbsd.org which is rhs, from 160.75.0.0/16, I got a TLS handshake error. On the other hand, when I tried from another subnet, there was no problem.

Nevertheless, our mta does not have a problem like this with any other mta. That's why, I think it can be a network related issue but still we need some help :)

Thanks.

Berkay