Re: memory usage at a given time

2020-11-13 Thread Otto Moerbeek
On Sat, Nov 14, 2020 at 02:26:47AM +0200, Mihai Popescu wrote:

> Hello,
> 
> My computer has 2 x 4GB memory, as one can see in dmesg. A part of it is
> used by the video card, I'm not sure how much, maybe around 256MB or less. I
> want to know if I will hit the swap space when I let it run on 1 x 4GB
> memory, but I'm not sure how to interpret some of the following outputs or
> if I need to run other commands:
> 
> $ dmesg
> OpenBSD 6.8-current (GENERIC.MP) #175: Wed Nov 11 10:02:40 MST 2020
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 8029429760 (7657MB)
> avail mem = 7770787840 (7410MB)
> [ ... ]
> spdmem0 at iic0 addr 0x52: 4GB DDR3 SDRAM PC3-10600
> spdmem1 at iic0 addr 0x53: 4GB DDR3 SDRAM PC3-10600
> [ ... ]
> 
> $ systat
>1 users Load 0.19 0.37 0.31thinkc.my.domain
> 02:23:22
> 
> memory totals (in KB)PAGING   SWAPPING
> Interrupts
>real   virtual free   in  out   in  out  360
> total
> Active  1530836   1530836  2928304   ops100
> clock
> All 4668644   4668644 11031684   pages  237 ipi
> 
> radeondr
> Proc:r  d  s  wCsw   Trp   Sys   Int   Sof  Flt   forks  13
> ahci0
>  2   259   769   746  304022   288  520   fkppw
> ohci0
>   fksvm
> ehci0
>0.0%Int   0.1%Spn   1.1%Sys   5.1%Usr  93.7%Idle   pwait   8
> ohci1
> |||||||||||   175 relck
> ehci1
> =>>   175 rlkok
> azalia0
>   noram
> ohci2
> Namei Sys-cacheProc-cacheNo-cache  56 ndcpy   2 bge0
> Calls hits%hits %miss   % fltcp
> ohci3
>   102   79   7722  22 295 zfod
>  pckbc0
>   cow
> Disks   sd0   cd0   63307 fmin
> seeks   84409 ftarg
> xfers26   itarg
> speed  410K 2 wired   3
> IPKTS
>   sec   0.0   pdfre   1
> OPKTS
> 
> $ vmstat
>  procsmemory   pagediskstraps  cpu
>  r   s   avm fre  flt  re  pi  po  fr  sr sd0 cd0  int   sys   cs us sy
> id
>  1 259 1504M   2848M 1450   0   0   0   0   0   2   0  174 13338 3982 13  3
> 83

vmstat only shows pi and po, pages paged in and out, not swap usage.

For systat: the vmstat view does not show swap usage, but it does show
paging/swap traffic. The swap view does (per swap device), as does the
uvm view (swpginuse, which is the total number of swap pages in use).

top also shows swap usage.

-Otto



Re: packet filter question

2020-11-13 Thread Harald Dunkel

On 11/13/20 2:06 PM, Harald Dunkel wrote:

> Hi folks,
> 
> Is it allowed to ask a question about packet filter here?



Found it, please ignore.

Harri



memory usage at a given time

2020-11-13 Thread Mihai Popescu
Hello,

My computer has 2 x 4GB memory, as one can see in dmesg. A part of it is
used by the video card, I'm not sure how much, maybe around 256MB or less. I
want to know if I will hit the swap space when I let it run on 1 x 4GB
memory, but I'm not sure how to interpret some of the following outputs or
if I need to run other commands:

$ dmesg
OpenBSD 6.8-current (GENERIC.MP) #175: Wed Nov 11 10:02:40 MST 2020
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8029429760 (7657MB)
avail mem = 7770787840 (7410MB)
[ ... ]
spdmem0 at iic0 addr 0x52: 4GB DDR3 SDRAM PC3-10600
spdmem1 at iic0 addr 0x53: 4GB DDR3 SDRAM PC3-10600
[ ... ]

$ systat
   1 users Load 0.19 0.37 0.31thinkc.my.domain
02:23:22

memory totals (in KB)PAGING   SWAPPING
Interrupts
   real   virtual free   in  out   in  out  360
total
Active  1530836   1530836  2928304   ops100
clock
All 4668644   4668644 11031684   pages  237 ipi

radeondr
Proc:r  d  s  wCsw   Trp   Sys   Int   Sof  Flt   forks  13
ahci0
 2   259   769   746  304022   288  520   fkppw
ohci0
  fksvm
ehci0
   0.0%Int   0.1%Spn   1.1%Sys   5.1%Usr  93.7%Idle   pwait   8
ohci1
|||||||||||   175 relck
ehci1
=>>   175 rlkok
azalia0
  noram
ohci2
Namei Sys-cacheProc-cacheNo-cache  56 ndcpy   2 bge0
Calls hits%hits %miss   % fltcp
ohci3
  102   79   7722  22 295 zfod
 pckbc0
  cow
Disks   sd0   cd0   63307 fmin
seeks   84409 ftarg
xfers26   itarg
speed  410K 2 wired   3
IPKTS
  sec   0.0   pdfre   1
OPKTS

$ vmstat
 procsmemory   pagediskstraps  cpu
 r   s   avm fre  flt  re  pi  po  fr  sr sd0 cd0  int   sys   cs us sy
id
 1 259 1504M   2848M 1450   0   0   0   0   0   2   0  174 13338 3982 13  3
83


Re: System auditing and logging

2020-11-13 Thread James

Thanks. I have enabled system accounting.

acct(5) seems to be limited by the fact that it is triggered on process
exit, doesn't contain the process ID or parent process ID and can only
store 10 characters for the command name.

ktrace could work but it's far too slow without limiting syscalls
recorded to a specific subset.

Is there any interest in modifying ktrace to allow for specifying
individual names of syscalls to trace?

e.g. ktrace -t c -u execve,sendmsg

On Fri, Nov 13, 2020 at 07:57:54AM -0700, Theo de Raadt wrote:

> man accton
> 
> James  wrote:
> 
> > Recently a machine running OpenBSD 6.8 had its configuration changed and I
> > believe it to have been subject to a malicious attack.
> > 
> > This change is completely unexplainable, compromised security, and would
> > have required root access.
> > 
> > The log files reveal nothing out of the ordinary except for wtmp
> > indicating 0 users are logged in:
> > 
> > -bash-5.0# who
> > -bash-5.0# w
> >  1:49PM  up  2:21, 0 users, load averages: 1.35, 1.38, 1.50
> > USERTTY FROM  LOGIN@  IDLE WHAT
> > -bash-5.0#
> > 
> > 
> > I would like to be able to log every exec syscall with the details of the
> > current timestamp, calling PID, program path, arguments, and new PID.
> > 
> > Ideally this would be implemented in the kernel. Are there any
> > existing solutions?
> > 
> > Thanks,







Re: E-mail problem

2020-11-13 Thread Ashlen
On 20/11/13 11:26, Berkay Tuncel wrote:
> Hi all,
>
>
>
> We need advice for our e-mail traffic with openbsd.org
>
>
> When I sent an e-mail to openbsd.org which is rhs, from 160.75.0.0/16, I
> got a TLS handshake error. On the other hand, when I tried from another
> subnet, there was no problem.
>
>
> Nevertheless, our mta does not have a problem like this with any other mta.
> That's why I think it can be a network related issue, but still we need
> some help :)
>
>
> Thanks.
>
> Berkay

I'm no expert on smtpd(8); that said, it's essential to post an
appropriate amount of information to troubleshoot the problem. In your
case, that means including what's inside smtpd.conf(5) and pf.conf(5)
(as it could be related to packet filtering), as well as output from
/var/log/maillog and dmesg(8).

I might be forgetting something, in which case someone else can chime in
with additions, but these are the obvious inclusions in my mind.

--
https://amissing.link



System auditing and logging

2020-11-13 Thread James

Recently a machine running OpenBSD 6.8 had its configuration changed and I
believe it to have been subject to a malicious attack.

This change is completely unexplainable, compromised security, and would
have required root access. 


The log files reveal nothing out of the ordinary except for wtmp
indicating 0 users are logged in:

-bash-5.0# who
-bash-5.0# w
 1:49PM  up  2:21, 0 users, load averages: 1.35, 1.38, 1.50
USERTTY FROM  LOGIN@  IDLE WHAT
-bash-5.0#


I would like to be able to log every exec syscall with the details of the
current timestamp, calling PID, program path, arguments, and new PID.

Ideally this would be implemented in the kernel. Are there any
existing solutions?

Thanks,



Re: System auditing and logging

2020-11-13 Thread Theo de Raadt
So you want to ktrace your entire system, with a limited set of
monitors.

I've played with this before, to identify specific behaviours
when developing pledge.  It required a large number of hacks,
and the performance was dismal.

Based upon my experience, I predict it will not work for your usage
case at all.



James  wrote:

> Thanks. I have enabled system accounting.
> 
> acct(5) seems to be limited by the fact that it is triggered on process
> exit, doesn't contain the process ID or parent process ID and can only
> store 10 characters for the command name.
> 
> ktrace could work but it's far too slow without limiting syscalls
> recorded to a specific subset.
> 
> Is there any interest in modifying ktrace to allow for specifying
> individual names of syscalls to trace?
> 
> e.g. ktrace -t c -u execve,sendmsg
> 
> On Fri, Nov 13, 2020 at 07:57:54AM -0700, Theo de Raadt wrote:
> >man accton
> >
> >James  wrote:
> >
> >> Recently a machine running OpenBSD 6.8 had its configuration changed and I
> >> believe it to have been subject to a malicious attack.
> >>
> >> This change is completely unexplainable, compromised security, and would
> >> have required root access.
> >>
> >> The log files reveal nothing out of the ordinary except for wtmp
> >> indicating 0 users are logged in:
> >>
> >> -bash-5.0# who
> >> -bash-5.0# w
> >>  1:49PM  up  2:21, 0 users, load averages: 1.35, 1.38, 1.50
> >> USERTTY FROM  LOGIN@  IDLE WHAT
> >> -bash-5.0#
> >>
> >>
> >> I would like to be able to log every exec syscall with the details of the
> >> current timestamp, calling PID, program path, arguments, and new PID.
> >>
> >> Ideally this would be implemented in the kernel. Are there any
> >> existing solutions?
> >>
> >> Thanks,
> >>
> >



Re: System auditing and logging

2020-11-13 Thread Theo de Raadt
man accton

James  wrote:

> Recently a machine running OpenBSD 6.8 had its configuration changed and I
> believe it to have been subject to a malicious attack.
> 
> This change is completely unexplainable, compromised security, and would
> have required root access. 
> 
> The log files reveal nothing out of the ordinary except for wtmp
> indicating 0 users are logged in:
> 
> -bash-5.0# who
> -bash-5.0# w
>  1:49PM  up  2:21, 0 users, load averages: 1.35, 1.38, 1.50
> USERTTY FROM  LOGIN@  IDLE WHAT
> -bash-5.0#
> 
> 
> I would like to be able to log every exec syscall with the details of the
> current timestamp, calling PID, program path, arguments, and new PID.
> 
> Ideally this would be implemented in the kernel. Are there any
> existing solutions?
> 
> Thanks,
> 



packet filter question

2020-11-13 Thread Harald Dunkel

Hi folks,

Is it allowed to ask a question about packet filter here?

Please take a look at the attached pf.conf file. The problem is
that incoming traffic from a host in (internal:network) to an
external host port is passed in rule 86 (that's one of the
debproxy lines)

pass $log0 quick proto tcp from (internal:network) to $debproxy port $debproxy_port

but then it's blocked for outgoing in the default rule 0.

# tcpdump -envi pflog0 host 172.19.96.126
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
13:19:46.286235 rule 86/(match) [uid 0, pid 10501] pass in on em1: 10.150.1.32.37024 > 172.19.96.126.3142: S [tcp sum ok] 1742174933:1742174933(0) win 64240  (DF) (ttl 64, id 58124, len 60)
13:19:46.286263 rule 0/(match) [uid 0, pid 10501] block out on em0: 10.150.1.32.37024 > 172.19.96.126.3142: S [tcp sum ok] 1742174933:1742174933(0) win 64240  (DF) (ttl 63, id 47021, len 60, bad ip cksum 3f68! -> 6bc7)
^C
294 packets received by filter
0 packets dropped by kernel


Rule 86 explicitly says "pass quick", not "pass in quick". The
tcpdump lines show that the outgoing packet is still filtered
using the IP address bound to (internal:network), as for the
incoming packet. How come rule 86 is not applied to
the outgoing packet?

The workaround is to add a tag in rule 86 and to add a line

pass out quick tagged ALLOWED

But that's ugly.


Every insightful comment is highly appreciated

Harri
#
# gate6a/b firewall configuration
#
#   to watch pf at work use 'tcpdump -nettt -i pflog0' 
#   to check the rule numbers use 'pfctl -gsr | grep ^@'
#   to check built in tables use something like
#
#   pfctl -a _pf -s Tables
#   pfctl -a _pf -t self -T show
#   pfctl -a _pf -t internal:network -T show
#
# The groups are assigned in /etc/hostname.$ifname. There are also a 
# few predefined groups, depending on the interface type, see ifconfig(8). 
# Here is a list, as used in this pf config file
#
#   egress: the interface with the default gateway
#   external:   the interface to access the internet
#   public: public IP address range to access the containers
#   internal:   local IP address range to access the nodes
#   switches:   local IP address range to access the switches and idracs
#   dblan:  local IP address range to access the databases
#
# external, public, internal, switches and dblan are mutually exclusive
#
# special groups:
#
#   carpdev:interface running carp protocol
#   pfsyncdev:  interface running pfsync protocol
#   carp:   interface *is* a carp interface
#
# Please keep this list up to date.


# ==
# macros for logging
# ==
# we surely need some policy for logging. How about this:
log0= "log (to pflog0)" # "regular" traffic (passed or blocked)"
log1= "log (to pflog1)" # traffic to or from public network
log2= "log (to pflog2)" # unused
log3= "log (to pflog3)" # exclusively for spamlogd (unused)
logd= "log (to pflog0)" # verbose
# logd  = ""


# ==
# runtime options
# ==
set block-policy return # default: drop
set fingerprints "/etc/pf.os"   # /etc/pf.os

set limit states 10 # default: 10
set limit tables 1000   # default: 1000
set limit table-entries 20  # default: 20
set limit frags 65536   # default: platform dependent
set limit src-nodes 1   # default: unknown

set loginterface egress # default: none
set optimization normal # default: normal
set reassemble yes  # default: yes
set ruleset-optimization basic  # default: basic
set skip on { lo }
# set state-defaults ...
# set state-policy if-bound # default: floating
set syncookies never        # default: never

set timeout udp.first 240   # default: 60
set timeout udp.single 120  # default: 30
set timeout udp.multiple 240    # default: 60


# ==
# IP addresses and ports
# ==
ssh_port= "{ ssh 1023 }"
http_port   = "{ http https }"
smtp_host   = "{ 10.150.1.1 }"
smtp_port   = "{ smtp }"
debproxy= "{ 172.19.96.126 10.150.1.32 }"
debproxy_port   = 3142
dns_host= "any"
ntp_host= "any"
oracle_port = "{ 1521 }"
zabbix_agent= 10050 # Zabbix Agent port
zabbix_trapper  = 10051 # Zabbix Server port


# ===

Re: E-mail problem

2020-11-13 Thread Berkay Tuncel
Hi Tom,

Firstly thanks for your response.

I am sending it from itu.edu.tr

Yes, we have spf records and also other smtp precautions such as dkim and
so on.

We use sendmail, so we have sendmail conf and macro. Also, we have cipher
restrictions.

Nevertheless, the cipher which has successful communication with
mail.openbsd.org is allowed on our mta. Meanwhile this cipher
is ECDHE-RSA-AES256-GCM-SHA384.

Thanks.
Berkay

Tom Smyth  wrote on Fri, 13 Nov 2020 at 15:27:

> Do u have an spf record for your domain and what domain are you sending
> from?
>
> What is your opensmtpd.conf
> Do u have restrictions on ciphers supported by your mta
>
> On Friday, 13 November 2020, Berkay Tuncel  wrote:
>
>> Hi all,
>>
>>
>>
>> We need advice for our e-mail traffic with openbsd.org
>>
>>
>> When I sent an e-mail to openbsd.org which is rhs, from 160.75.0.0/16, I
>> got a TLS handshake error. On the other hand, when I tried from another
>> subnet, there was no problem.
>>
>>
>> Nevertheless, our mta does not have a problem like this with any other mta.
>> That's why I think it can be a network related issue, but still we need
>> some help :)
>>
>>
>> Thanks.
>>
>> Berkay
>>
>
>
> --
> Kindest regards,
> Tom Smyth.
>


-- 
Berkay TUNCEL


Re: E-mail problem

2020-11-13 Thread Tom Smyth
Do u have an spf record for your domain and what domain are you sending
from?

What is your opensmtpd.conf
Do u have restrictions on ciphers supported by your mta

On Friday, 13 November 2020, Berkay Tuncel  wrote:

> Hi all,
>
>
>
> We need advice for our e-mail traffic with openbsd.org
>
>
> When I sent an e-mail to openbsd.org which is rhs, from 160.75.0.0/16, I
> got a TLS handshake error. On the other hand, when I tried from another
> subnet, there was no problem.
>
>
> Nevertheless, our mta does not have a problem like this with any other mta.
> That's why I think it can be a network related issue, but still we need
> some help :)
>
>
> Thanks.
>
> Berkay
>


-- 
Kindest regards,
Tom Smyth.


Re: uvn_flush: WARNING: changes to page may be lost

2020-11-13 Thread Jurjen Oskam
On Thu, Nov 12, 2020 at 08:24:51PM +0100, Paul de Weerd wrote:

> | > > uvn_flush: obj=0x0, offset=0x7c2.  error during pageout.
> | > > uvn_flush: WARNING: changes to page may be lost!

> From the reply Mark sent me on June 9th[1]:
> 
> > What you're seeing is what happens when a program writes to a file by
> > using mmap(2) and there is no disk space available when the kernel
> > finally decides to write out the modified memory to disk.
> 
> There's plenty of space available in RAM, so you can create a file
> that's bigger than the amount of space available on disk.  Then
> trying to write it to disk will fail with the error you got.

Thanks, it makes sense that mmap() would be involved. Since I've only
read the books and haven't actually written anything that uses mmap()
I was under the impression that you can't use mmap() and friends to
extend or create a file; the filesystem needs to have a file at least
as big as the area you're mapping.

So (just to understand what's going on, for my own curiosity) what are
the ways you can end up in a situation where the kernel wants to write
out mmapped data to disk, but there's no space in the filesystem to store
that data?

My first guess would be mmap()ing a sparse file. My second guess would be
something where the file size was changed after the mapping was created,
but before the data was written back. Probably a scenario that the
msync(2) manpage warns about: "Filesystem operations on a file that is
mapped for shared modifications are unpredictable except after an
msync()."

Thanks for pointing me in this direction, it resulted in an interesting
half hour of reading web pages about mmap on several OSes. :)

Regards,

Jurjen Oskam
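Jurjen's first guess above (a sparse file) is the simplest way to reach the state Paul describes, and the mechanics are easy to see in a few lines. The C program below is an added example, not code from this thread or from OpenBSD: it grows a fresh file with ftruncate(2), which declares the size but allocates no data blocks, stores into a MAP_SHARED mapping of that hole (which only dirties page-cache memory), and then forces writeback with msync(2), the point at which the filesystem must finally find a block for the data. The file path and size are constructed for the demonstration; on a full filesystem the msync() call is where ENOSPC would surface.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* What one run observed: block counts before and after writeback, and msync()'s errno. */
struct sparse_result {
    long blocks_after_truncate; /* st_blocks (512-byte units) right after ftruncate() */
    long blocks_after_msync;    /* st_blocks once the dirty page has been written out */
    int  msync_errno;           /* 0 on success; a full filesystem reports ENOSPC here */
};
/* Create `path` as a sparse file of `size` bytes (size >= 4096), write one page through a
 * shared mapping, then force writeback. Returns 0, or -1 on an open/ftruncate/mmap failure. */
int sparse_mmap_write(const char *path, size_t size, struct sparse_result *r)
{
    struct stat st;
    memset(r, 0, sizeof *r);
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    /* ftruncate() grows the file to `size` without allocating data blocks: a hole. */
    if (ftruncate(fd, (off_t)size) < 0 || fstat(fd, &st) < 0) { close(fd); return -1; }
    r->blocks_after_truncate = (long)st.st_blocks;  /* 0: nothing is on disk yet */

    /* mmap() cannot extend a file (touching pages past EOF raises SIGBUS), but mapping
     * the hole inside the file's declared size is perfectly legal. */
    char *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) { close(fd); return -1; }
    /* The store always succeeds: it only dirties a page-cache page; no disk block yet. */
    memset(p, 'A', 4096);
    /* Writeback is where the filesystem must allocate the block behind the hole. On a full
     * filesystem this is the step that fails: msync(MS_SYNC) reports it via errno, and on
     * OpenBSD the pageout path logs the uvn_flush warning quoted in the thread. */
    r->msync_errno = (msync(p, size, MS_SYNC) == 0) ? 0 : errno;
    if (fstat(fd, &st) == 0)
        r->blocks_after_msync = (long)st.st_blocks;  /* now > 0: the block was allocated */
    munmap(p, size);
    close(fd);
    return 0;
}

int main(void)
{
    struct sparse_result r;
    const char *path = "/tmp/sparse_mmap_demo.bin";  /* constructed path for the demo */
    if (sparse_mmap_write(path, 1 << 20, &r) != 0) { perror("sparse_mmap_write"); return 1; }
    printf("blocks after ftruncate: %ld, after msync: %ld, msync errno: %d\n",
           r.blocks_after_truncate, r.blocks_after_msync, r.msync_errno);
    unlink(path);
    return 0;
}
```

Jurjen's second guess (shrinking the file after mapping it) is the other classic route and is exactly the case the msync(2) caveat he quotes is warning about.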



E-mail problem

2020-11-13 Thread Berkay Tuncel
Hi all,



We need advice for our e-mail traffic with openbsd.org


When I sent an e-mail to openbsd.org which is rhs, from 160.75.0.0/16, I
got a TLS handshake error. On the other hand, when I tried from another
subnet, there was no problem.


Nevertheless, our mta does not have a problem like this with any other mta.
That's why I think it can be a network related issue, but still we need
some help :)


Thanks.

Berkay