Re: mosquitto with websockets enabled?

2020-11-25 Thread Jeff Ross

On 11/25/20 3:03 PM, Stuart Henderson wrote:

[moved to ports@ and cc'ing mosquitto maintainer]

In gmane.os.openbsd.misc, Jeff Ross wrote:

Greetings,

I've been trying to build mosquitto with websockets enabled on 6.8
release.  The web says that all I should have to do is edit config.mk
and change WITH_WEBSOCKETS:=no to WITH_WEBSOCKETS:=yes.
I also added libwebsockets from ports.

I built a patch to do that and then built the port with that patch.

test68# cd /usr/ports/net/mosquitto/patches/
test68# cat patch-config_mk
--- config.mk.orig    Wed Nov 25 09:33:17 2020
+++ config.mk    Wed Nov 25 09:33:34 2020
@@ -65,7 +65,7 @@
   WITH_SRV:=no

   # Build with websockets support on the broker.
-WITH_WEBSOCKETS:=no
+WITH_WEBSOCKETS:=yes

   # Use elliptic keys in broker
   WITH_EC:=yes

However, I still get the following:

test68# /usr/local/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
1606323544: Error: Websockets support not available.
1606323544: Error found at /etc/mosquitto/mosquitto.conf:241.

ktracing the command above I don't even see a place where it actually
looks to see if websockets are enabled.

I'm hoping someone has gone down this path before and can share the
secret sauce to enable websockets.

Alternatively, a suggestion for a different implementation of MQTT with
websockets would be fine.

Thanks,

Jeff Ross



config.mk is for the autoconf-based build system, the mosquitto port
uses the CMake one instead so you need to set configure flags.

This works for me - Jasper, what do you think about adding to the
port? (either directly like this or as a flavour)?

Index: Makefile
===
RCS file: /cvs/ports/net/mosquitto/Makefile,v
retrieving revision 1.33
diff -u -p -r1.33 Makefile
--- Makefile22 Aug 2020 13:55:07 -  1.33
+++ Makefile25 Nov 2020 21:42:00 -
@@ -3,6 +3,7 @@
  COMMENT = opensource MQTT broker
  
  DISTNAME =		mosquitto-1.6.12

+REVISION = 0
  
  SHARED_LIBS +=  mosquitto 1.0 # 1.5

  SHARED_LIBS +=  mosquittopp   1.0 # 1.5
@@ -15,7 +16,7 @@ MAINTAINER =  Jasper Lievisse Adriaanse
  # EPL/EDL
  PERMIT_PACKAGE =  Yes
  
-WANTLIB +=		c crypto m pthread ssl ${COMPILER_LIBCXX}

+WANTLIB += c crypto m pthread ssl websockets ${COMPILER_LIBCXX}
  
  MASTER_SITES =		https://mosquitto.org/files/source/
  
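Review bot: The new WANTLIB line adds only `websockets`, so any library that libwebsockets brings in and that the broker binary ends up linking directly would be missing from the list. Confirm the list against the built binary (for example with the ports tree's `make port-lib-depends-check`) before committing.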
@@ -29,12 +30,15 @@ MODPY_RUNDEP=		No

  MODPY_VERSION=${MODPY_DEFAULT_VERSION_3}
  
  BUILD_DEPENDS =		devel/uthash

+LIB_DEPENDS =  www/libwebsockets
  
  DEBUG_PACKAGES =	${BUILD_PACKAGES}
  
-CONFIGURE_ARGS=		-DWITH_SRV=no

+CONFIGURE_ARGS=-DWITH_SRV=no \
+   -DWITH_WEBSOCKETS=yes
  # Pre-shared key support was intentionally removed from libressl
  CONFIGURE_ARGS += -DWITH_TLS_PSK=no
+CONFIGURE_ENV +=   LDFLAGS="-L${LOCALBASE}/lib"
  
  CFLAGS +=		-I${LOCALBASE}/include
  
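Review bot: `-DWITH_WEBSOCKETS=yes` and `LIB_DEPENDS = www/libwebsockets` are applied unconditionally in this hunk, so every install of the package pulls in libwebsockets and carries the websocket listener code even where no websockets listener is configured. Putting these additions (together with the `websockets` entry in WANTLIB) behind a flavour would keep the default broker's dependency set and exposed code as small as it is today. If it stays unconditional, a one-line comment above the `CONFIGURE_ENV += LDFLAGS=...` line saying why it is needed would help the next person editing the port.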



Thanks, Stuart!  I never would have hit upon the right combination of 
changes.


Jeff



Re: Reinstall to upgrade

2020-11-25 Thread Navan Carson



> On Nov 25, 2020, at 2:15 PM, Manuel Giraud  wrote:
> 
> I have one (somewhat) related question left: is it possible to capture the
> output of pkg_delete -an in a file? I tried the following (without
> luck):
>   $ pkg_delete -an > /tmp/foo
>   $ pkg_delete -an > /tmp/foo 2>&1

How about:

$ script
$ pkg... ; exit




Re: Security & Compliance - A/V

2020-11-25 Thread Brogan Beard
Thanks, John. I am going to look into ClamAV in detail as some homework for
myself. I appreciate the helpful pointers!

On Wed, Nov 25, 2020 at 5:46 PM John McGuigan  wrote:

> I've seen people install ClamAV on an OpenBSD box and have it do a
> filesystem scan on a cron job just to meet audit requirements...
>
> On Wed, Nov 25, 2020 at 3:23 PM Brogan Beard wrote:
> >
> > In the enterprise context, there are often extensive security compliance
> > rules, which include but are not limited to anti-virus software
> > requirements. There are, of course, exceptions to these rules but generally
> > policies drive the technology in use or allow it to be used. I am not aware
> > of any anti-virus software that supports openbsd or any bsd for that matter
> > (not saying it needs it ;) ).
> >
> > How does OpenBSD handle the compliance aspects of security in regards to
> > A/V? Is there an, "it's already under the hood," response based on modern
> > security standards?
> >
> > I would like to use OpenBSD in future projects, beyond just personal
> > interest. And with that, I am sure these types of questions will arise.
> >
> > Thanks in advance for thoughtful comments!
>


Re: Security & Compliance - A/V

2020-11-25 Thread Brogan Beard
Peter,

Thank you. I was unaware of clamav support and will certainly look into
your linked documentation to better understand its use case and
qualifications. I did know about clamav in name alone but never set out to
learn how to implement it.

I will certainly read through documentation based on the need to check off
boxes for the compliance regimes - I like how you put that. I will also
watch your presentation - thanks so much!!

Unrelated - I have one of your books, The Book of PF, 3rd edition. Thank
you for your contributions to bettering computing. I will admit that I
never finished reading it. I picked it up when I needed some help managing
a pure OpenBSD firewall running PF. Now when I begin my OpenBSD related
personal projects, it is by my side. I am familiar with commercial firewall
software but I like the joy of being in the *pilot's seat*. I think you
understand that.

I appreciate you taking the time to respond to my questions.

Take care,

Brogan

On Wed, Nov 25, 2020 at 5:33 PM Peter Nicolai Mathias Hansteen <
pe...@bsdly.net> wrote:

>
>
> On 25 Nov 2020, at 23:10, Brogan Beard wrote:
>
> In the enterprise context, there are often extensive security compliance
> rules, which include but are not limited to anti-virus software
> requirements. There are, of course, exceptions to these rules but generally
> policies drive the technology in use or allow it to be used. I am not aware
> of any anti-virus software that supports openbsd or any bsd for that matter
> (not saying it needs it ;) ).
>
>
> You will find functional antivirus in packages, such as clamav (which I
> use in my spameater appliance), see eg
> https://bsdly.blogspot.com/2014/02/effective-spam-and-malware.html (a
> longish piece, but for reasons)
>
>
> How does OpenBSD handle the compliance aspects of security in regards to
> A/V? Is there an, "it's already under the hood," response based on modern
> security standards?
>
>
> I am not aware of any publicly available set of documents that provide the
> direct checkoffs for OpenBSD with respect to specific compliance regimes,
> but I’m fairly certain that you will find useful answers by reading OpenBSD
> documentation with your lists of requirements in hand, checking off on your
> list (if any) as you go along.
>
> I would recommend browsing the official OpenBSD docs at
> https://www.openbsd.org/, with special attention to
> https://www.openbsd.org/events.html and searching https://man.openbsd.org/
> using relevant keywords. FWIW, perhaps even my recent presentation («OpenBSD
> and you, the 6.8 update»), linked from
> https://undeadly.org/cgi?action=article;sid=20201109055713 could provide
> some useful pointers.
>
> All the best,
> Peter
>
>
> —
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>
>
>
>
>


Re: Reinstall to upgrade

2020-11-25 Thread Alexander Hall



On November 25, 2020 11:09:02 PM GMT+01:00, Stuart Henderson wrote:
>On 2020-11-25, Manuel Giraud  wrote:
>> I have one (somewhat) related question left: is it possible to capture the
>> output of pkg_delete -an in a file? I tried the following (without
>> luck):
>>$ pkg_delete -an > /tmp/foo
>
>Here you redirect stdout from the process to /tmp/foo
>
>>$ pkg_delete -an > /tmp/foo 2>&1
>
>And here you redirect stdout from the process to /tmp/foo, and then
>stderr to stdout.
>
>What you need is:
>
> $ pkg_delete -an 2>&1 > /tmp/foo
>
>- redirect stderr to stdout, then redirect stdout (which now includes
>stderr) to /tmp/foo.

I think you're wrong. I hope I'm not.

Is it rather possibly so that pkg_delete handles output to a TTY differently
than to a non-TTY?

/Alexander
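
How the shell processes the two redirection orders quoted above, and what a program that checks whether its stdout is a terminal sees once output goes to a file. This is an added example and is not part of the original messages; `emit` is a constructed stand-in, not pkg_delete, and says nothing about what pkg_delete itself does.

```shell
#!/bin/sh
# Added illustration; emit() is a constructed stand-in, not pkg_delete.
# It writes one line to stdout, one to stderr, and reports on stderr
# whether its stdout is a terminal, the check many tools use to choose
# between interactive and plain output.
emit() {
    echo "line on stdout"
    echo "line on stderr" >&2
    if [ -t 1 ]; then
        echo "stdout is a tty" >&2
    else
        echo "stdout is not a tty" >&2
    fi
}

# Count the lines in a file, normalising wc's padding.
count() {
    echo $(( $(wc -l < "$1") ))
}

# run_order ORDER
# Redirections are applied left to right. "$dir/foo" plays the role of
# /tmp/foo; the outer redirection to "$dir/terminal" stands in for the
# terminal the command was started from. Prints how many lines reached each.
run_order() {
    dir=$(mktemp -d) || return 1
    case $1 in
    file_first)   # cmd > foo 2>&1 : stdout to foo, then stderr joins it
        { emit > "$dir/foo" 2>&1; } > "$dir/terminal" ;;
    dup_first)    # cmd 2>&1 > foo : stderr copies the old stdout first
        { emit 2>&1 > "$dir/foo"; } > "$dir/terminal" ;;
    *)  rm -rf "$dir"; return 2 ;;
    esac
    echo "foo=$(count "$dir/foo") terminal=$(count "$dir/terminal")"
    rm -rf "$dir"
}

# What emit's terminal check reports once its stdout is no longer a terminal.
# Here stderr is sent down the pipe and stdout is discarded.
tty_report_when_redirected() {
    emit 2>&1 > /dev/null | tail -n 1
}

run_order file_first
run_order dup_first
tty_report_when_redirected
```

script(1), suggested elsewhere in this thread, records the session through a pseudo-terminal, so a program run under it still sees a terminal on stdout.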



Re: Security & Compliance - A/V

2020-11-25 Thread John McGuigan
I've seen people install ClamAV on an OpenBSD box and have it do a
filesystem scan on a cron job just to meet audit requirements...

On Wed, Nov 25, 2020 at 3:23 PM Brogan Beard  wrote:
>
> In the enterprise context, there are often extensive security compliance
> rules, which include but are not limited to anti-virus software
> requirements. There are, of course, exceptions to these rules but generally
> policies drive the technology in use or allow it to be used. I am not aware
> of any anti-virus software that supports openbsd or any bsd for that matter
> (not saying it needs it ;) ).
>
> How does OpenBSD handle the compliance aspects of security in regards to
> A/V? Is there an, "it's already under the hood," response based on modern
> security standards?
>
> I would like to use OpenBSD in future projects, beyond just personal
> interest. And with that, I am sure these types of questions will arise.
>
> Thanks in advance for thoughtful comments!



Re: Security & Compliance - A/V

2020-11-25 Thread Peter Nicolai Mathias Hansteen



> On 25 Nov 2020, at 23:10, Brogan Beard wrote:
> 
> In the enterprise context, there are often extensive security compliance
> rules, which include but are not limited to anti-virus software
> requirements. There are, of course, exceptions to these rules but generally
> policies drive the technology in use or allow it to be used. I am not aware
> of any anti-virus software that supports openbsd or any bsd for that matter
> (not saying it needs it ;) ).

You will find functional antivirus in packages, such as clamav (which I use in
my spameater appliance), see eg
https://bsdly.blogspot.com/2014/02/effective-spam-and-malware.html (a longish
piece, but for reasons)

> 
> How does OpenBSD handle the compliance aspects of security in regards to
> A/V? Is there an, "it's already under the hood," response based on modern
> security standards?

I am not aware of any publicly available set of documents that provide the 
direct checkoffs for OpenBSD with respect to specific compliance regimes, but 
I’m fairly certain that you will find useful answers by reading OpenBSD 
documentation with your lists of requirements in hand, checking off on your 
list (if any) as you go along. 

I would recommend browsing the official OpenBSD docs at
https://www.openbsd.org/, with special attention to
https://www.openbsd.org/events.html and searching https://man.openbsd.org/
using relevant keywords. FWIW, perhaps even my recent presentation («OpenBSD
and you, the 6.8 update»), linked from
https://undeadly.org/cgi?action=article;sid=20201109055713 could provide some
useful pointers.

All the best,
Peter


—
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.






Re: Reinstall to upgrade

2020-11-25 Thread Stuart Henderson
On 2020-11-25, Chris Bennett  wrote:
> On Wed, Nov 25, 2020 at 02:26:42PM +0100, Manuel Giraud wrote:
>> Hi,
>> 
>> I'd like to upgrade (on -current) and, in the process, remove some cruft
>> accumulated over the years. I usually do sysupgrade and sysclean for
>> system.
>> 
>> But for packages, I think I would be better to reinstall everything
>> since "pkg_check -F" does not seem to complain and I can see I have,
>> for example, some firefox-57 files left.
>> 
>> I think I could do the following but I don't know if it is safe:
>> - sysupgrade (+ sysclean)
>> - pkg_info -mz > mypkg
>> - umount /usr/local
>> - newfs partition_of_usr_local
>> - mount /usr/local
>> - pkg_add -l mypkg
>> 
>
> It's not right. Use pkg_delete -cX first. There are package files in
> many other places that need to go away.

Be very careful with -c! It may remove configuration files that you
actually want to keep.




Security & Compliance - A/V

2020-11-25 Thread Brogan Beard
In the enterprise context, there are often extensive security compliance
rules, which include but are not limited to anti-virus software
requirements. There are, of course, exceptions to these rules but generally
policies drive the technology in use or allow it to be used. I am not aware
of any anti-virus software that supports openbsd or any bsd for that matter
(not saying it needs it ;) ).

How does OpenBSD handle the compliance aspects of security in regards to
A/V? Is there an, "it's already under the hood," response based on modern
security standards?

I would like to use OpenBSD in future projects, beyond just personal
interest. And with that, I am sure these types of questions will arise.

Thanks in advance for thoughtful comments!


Re: Reinstall to upgrade

2020-11-25 Thread Stuart Henderson
On 2020-11-25, Manuel Giraud  wrote:
> I have one (somewhat) related question left: is it possible to capture the
> output of pkg_delete -an in a file? I tried the following (without
> luck):
>$ pkg_delete -an > /tmp/foo

Here you redirect stdout from the process to /tmp/foo

>$ pkg_delete -an > /tmp/foo 2>&1

And here you redirect stdout from the process to /tmp/foo, and then
stderr to stdout.

What you need is:

 $ pkg_delete -an 2>&1 > /tmp/foo

- redirect stderr to stdout, then redirect stdout (which now includes
stderr) to /tmp/foo.




Re: mosquitto with websockets enabled?

2020-11-25 Thread Stuart Henderson
On 2020-11-25, Jeff Ross  wrote:
> I've been trying to build mosquitto with websockets enabled on 6.8 
> release.

For the benefit of misc@ readers, I've replied on ports@.




Re: Reinstall to upgrade

2020-11-25 Thread Manuel Giraud
Chris Bennett  writes:


[...]

> Sometimes you just have to do tedious. upgrade vs install does not give
> you the same system. I almost never do a fresh install, but every once
> in a while, it's a good choice.
> Hope this is helpful. Others may give different or better advice.
> sysupgrade is a tool of convenience. I like it, but never had any
> problems doing things manually.

Thanks for your reply. The "pkg_delete -an" did the trick: I saved some
GB with this.

I have one (somewhat) related question left: is it possible to capture the
output of pkg_delete -an in a file? I tried the following (without
luck):
   $ pkg_delete -an > /tmp/foo
   $ pkg_delete -an > /tmp/foo 2>&1

> Useful advice: Learn to use ed. It will save your butt during
> disasters!

Yes I know :-) I always have to look that up mostly to change DUID in
/etc/fstab.
-- 
Manuel Giraud



Re: Reinstall to upgrade

2020-11-25 Thread Chris Bennett
On Wed, Nov 25, 2020 at 02:26:42PM +0100, Manuel Giraud wrote:
> Hi,
> 
> I'd like to upgrade (on -current) and, in the process, remove some cruft
> accumulated over the years. I usually do sysupgrade and sysclean for
> system.
> 
> But for packages, I think I would be better to reinstall everything
> since "pkg_check -F" does not seem to complain and I can see I have,
> for example, some firefox-57 files left.
> 
> I think I could do the following but I don't know if it is safe:
> - sysupgrade (+ sysclean)
> - pkg_info -mz > mypkg
> - umount /usr/local
> - newfs partition_of_usr_local
> - mount /usr/local
> - pkg_add -l mypkg
> 

It's not right. Use pkg_delete -cX first. There are package files in
many other places that need to go away.
Then look in /usr/local. See if anything is leftover that shouldn't be
there. Look in /etc and /var/db/pkg and 

But I think that what you might want to do is a fresh install.
dump is a bit slow and will probably carry over some cruft.

I tar all of the pieces regularly.
tar ... /etc
tar ... /root
tar ... /home
etc.

Then you have copies of the new and old files to work with.
tar xzf .. into another place such as home. compare new and old files in
the necessary places and you are good.

Sometimes you just have to do tedious. upgrade vs install does not give
you the same system. I almost never do a fresh install, but every once
in a while, it's a good choice.
Hope this is helpful. Others may give different or better advice.
sysupgrade is a tool of convenience. I like it, but never had any
problems doing things manually.

Useful advice: Learn to use ed. It will save your butt during disasters!

Chris Bennett


> Or maybe, I should dump, do a complete reinstall, pkg_add -l mypkg,
> restore /home and, tediously, restore some /etc files.
> How would you do this?
> -- 
> Manuel Giraud
> 



mosquitto with websockets enabled?

2020-11-25 Thread Jeff Ross

Greetings,

I've been trying to build mosquitto with websockets enabled on 6.8 
release.  The web says that all I should have to do is edit config.mk 
and change WITH_WEBSOCKETS:=no to WITH_WEBSOCKETS:=yes.

I also added libwebsockets from ports.

I built a patch to do that and then built the port with that patch.

test68# cd /usr/ports/net/mosquitto/patches/
test68# cat patch-config_mk
--- config.mk.orig    Wed Nov 25 09:33:17 2020
+++ config.mk    Wed Nov 25 09:33:34 2020
@@ -65,7 +65,7 @@
 WITH_SRV:=no

 # Build with websockets support on the broker.
-WITH_WEBSOCKETS:=no
+WITH_WEBSOCKETS:=yes

 # Use elliptic keys in broker
 WITH_EC:=yes
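
Review bot: The switch to `WITH_WEBSOCKETS:=yes` is made only in config.mk, and nothing in this patch makes the port's configure step or its dependency list aware of libwebsockets. If the port does not build through the makefiles that include config.mk, the setting is never read, which would match the unchanged "Websockets support not available" error; the option would then have to be passed as a configure argument from the port Makefile instead.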

However, I still get the following:

test68# /usr/local/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
1606323544: Error: Websockets support not available.
1606323544: Error found at /etc/mosquitto/mosquitto.conf:241.

ktracing the command above I don't even see a place where it actually 
looks to see if websockets are enabled.


I'm hoping someone has gone down this path before and can share the 
secret sauce to enable websockets.


Alternatively, a suggestion for a different implementation of MQTT with 
websockets would be fine.


Thanks,

Jeff Ross



Re: OpenBSD + Firebird Server

2020-11-25 Thread Radek
> Assuming you mean the SQL database,
Yes, I mean Firebird SQL db.

> Firebird required pthread_condattr_setpshared
> and pthread_mutexattr_setpshared, which OpenBSD doesn't implement.
Does anybody know if there is a plan to implement it?

On Tue, 24 Nov 2020 21:37:51 -0800
Jeremy Evans  wrote:

> On Tue, Nov 24, 2020 at 9:27 PM Radek  wrote:
> 
> > Hi,
> > is it possible to install Firebird Server in OpenBSD? I can't find any
> > info about that anywhere.
> > Thanks!
> 
> 
> Assuming you mean the SQL database, when last I looked into this years ago,
> Firebird required pthread_condattr_setpshared
> and pthread_mutexattr_setpshared, which OpenBSD doesn't implement.
> 
> Thanks,
> Jeremy


-- 
Radek



Re: Reinstall to upgrade

2020-11-25 Thread Manuel Giraud
Sebastien Marie  writes:

> look at the output of:
> # pkg_delete -a -n

That was quick! Thanks to both of you.
-- 
Manuel Giraud



Re: Reinstall to upgrade

2020-11-25 Thread Sebastien Marie
On Wed, Nov 25, 2020 at 02:26:42PM +0100, Manuel Giraud wrote:
> Hi,
> 
> I'd like to upgrade (on -current) and, in the process, remove some cruft
> accumulated over the years. I usually do sysupgrade and sysclean for
> system.
> 
> But for packages, I think I would be better to reinstall everything
> since "pkg_check -F" does not seem to complain and I can see I have,
> for example, some firefox-57 files left.

look at the output of:
# pkg_delete -a -n

it will tell you the list of packages that don't depend on manually
installed packages.

in this list, you should have packages like .libs-firefox-57

they are leftover packages after upgrades. the libraries are kept as you
could have local programs linked against them (and if the libraries are
removed, they will not work anymore).

once you have identified the packages you want to remove, just remove them:

# pkg_delete .libs-firefox-57 .libs-firefox-58 .libs-firefox-59

Thanks.
-- 
Sebastien Marie



Re: Reinstall to upgrade

2020-11-25 Thread Navan Carson



> On Nov 25, 2020, at 6:29 AM, Manuel Giraud  wrote:
> 
> I think I could do the following but I don't know if it is safe:
>- sysupgrade (+ sysclean)
>- pkg_info -mz > mypkg
>- umount /usr/local
>- newfs partition_of_usr_local
>- mount /usr/local
>- pkg_add -l mypkg

Does ‘pkg_delete -an’ do what you want?



Reinstall to upgrade

2020-11-25 Thread Manuel Giraud
Hi,

I'd like to upgrade (on -current) and, in the process, remove some cruft
accumulated over the years. I usually do sysupgrade and sysclean for
system.

But for packages, I think I would be better to reinstall everything
since "pkg_check -F" does not seem to complain and I can see I have,
for example, some firefox-57 files left.

I think I could do the following but I don't know if it is safe:
- sysupgrade (+ sysclean)
- pkg_info -mz > mypkg
- umount /usr/local
- newfs partition_of_usr_local
- mount /usr/local
- pkg_add -l mypkg

Or maybe, I should dump, do a complete reinstall, pkg_add -l mypkg,
restore /home and, tediously, restore some /etc files.
How would you do this?
-- 
Manuel Giraud