Re: reposync:host key verification failed

2021-06-10 Thread Avon Robertson
On Thu, Jun 10, 2021 at 11:06:46AM -, Stuart Henderson wrote:
> On 2021-06-09, Avon Robertson  wrote:
> > On Tue, Jun 08, 2021 at 11:11:15AM +1200, Avon Robertson wrote:
> >> On Mon, Jun 07, 2021 at 08:21:24PM -, Stuart Henderson wrote:
> >> > On 2021-06-07, Avon Robertson  wrote:
> >> > > $ make obj
> >> > >===> ssh
> >> > > /usr/src/usr.bin/ssh/ssh/obj -> /usr/obj/usr.bin/ssh/ssh
> >> > > mkdir: /usr/obj/usr.bin: Permission denied
> >> > > *** Error 1 in ssh (:61 'obj': @cd /usr/src/usr.bin/ssh/ssh;
> >> > > umask 007;  here=`/bin/pwd`; bsdsrcdir=`cd /usr/src; /bin/pwd`;  s...)
> >> > > *** Error 2 in /usr/src/usr.bin/ssh (:48 'obj': @for
> >> > > entry in ssh sshd ssh-add ssh-keygen ssh-agent scp sftp-server
> >> > > ssh-keys...)
> >> > >
> >> > > Mmmm. So looked first at permission in and below /usr/src. Found
> >> > > permissions to be 700 with owner and group being aer:wsrc. As root,
> >> > > # chmod -R 775 /usr/src
> >> > > and tried 'make obj' again. The same error as above was output.
> >> > 
> >> > The "permission denied" is on /usr/obj.
> >> > 
> >> > > I do not rule out the possibility that my local /cvs repository has
> >> > > been inadvertently corrupted by me.
> >> > 
> >> > unlikely.
> >> > 
> >> > > Theo, I am willing to install (not update) a later snapshot and try to
> >> > > build a test kernel for you tomorrow; if you believe it likely my /cvs
> >> > > repo is ok. If you think it likely that my repo is corrupt, I will
> >> > > remove it and reinstall a local repo from scratch before trying to
> >> > > build a test kernel for you.
> >> > 
> >> > I think at this point the best thing to do is simply update to a newer
> >> > snapshot and try reposync again. (Update is fine, no need to reinstall).
> >> > No need to build a kernel.
> >> > 
> >> > If there is still a failure then adjust permissions or group membership
> >> > so you can write to /usr/obj (there are various methods that will work),
> >> > and confirm that it works with a build of ssh fresh from cvs. But if I got
> >> > my testing right then I think this is now working.
> >> > 
> >> > 
> >> Many thanks Stuart.
> >> Will do as you have suggested.
> >> 
> >> Regards Avon
> >> -- 
> >> 
> >
> > Hello Stuart and misc@,
> > Installed new snapshot:
> > $ uname -prsv
> > OpenBSD 6.9 GENERIC.MP#58 amd64
> >
> > My script failed again with error:
> > reposync: host key verification failed - see
> > /var/db/reposync/known_hosts
> >
> > After executing
> > $ cd /usr/src/usr.bin/ssh
> > $ cvs up
> > $ make obj
> > $ make
> > $ doas make install
> > my script is working again without error.
> >
> > Thank you all for your help.
> >
> > Regards Avon
> >
> >
> 
> It should work OK with snapshots dated after 2021/06/08.
> 
> btw for future reference, the GENERIC.MP#58 isn't very useful for
> identification; it's better to use "sysctl kern.version".
> 
> 
Have noted "sysctl kern.version".

Thanks Stuart.

-- 
aer



Re: Howto measure pps at forwarding plane

2021-06-10 Thread Valdrin MUJA
Thanks, it's better now.

From: owner-m...@openbsd.org on behalf of Claudio Jeker
Sent: Thursday, June 10, 2021 12:33 PM
To: misc@openbsd.org 
Subject: Re: Howto measure pps at forwarding plane

On Thu, Jun 10, 2021 at 09:23:03AM -, Stuart Henderson wrote:
> On 2021-06-10, Valdrin MUJA  wrote:
> > Hello,
> >
> > I'm trying to figure out how many packets are being forwarded on my OpenBSD
> > firewall.
> > Here is a small script I wrote.
> >
> >
> > #!/bin/sh
> >
> >
> > VAL1=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`
> >
> > sleep 1
> >
> > VAL2=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`
> >
> >
> > echo "$(($VAL2-$VAL1))"
> >
> >
> > But I cannot be sure if I am doing the right thing.
> > Can anyone check it please?
> > Thanks.
> >
>
> If you are only interested in IPv4 then yes that'll do it.
> This would save some cpu cycles though:
>
> VAL1=`netstat -s | awk '/packets forwarded/ { print $1; exit }'`
>

And use netstat -spip which limits the number of sysctls made in netstat.

--
:wq Claudio



Re: bind dhcpd to IP address

2021-06-10 Thread Valdrin MUJA
Thanks, working like a charm.

From: owner-m...@openbsd.org on behalf of Stuart Henderson
Sent: Thursday, June 10, 2021 12:15 PM
To: misc@openbsd.org 
Subject: Re: bind dhcpd to IP address

On 2021-06-10, Ralf Horstmann  wrote:
> Hi Valdrin,
>
> that setup works fine. You would use "ip helper-address" on the Ciscos to
> forward the DHCP requests to your OpenBSD box. The forwarded requests use the
> specified helper address as unicast destination. No need to have the VLANs
> present on your OpenBSD box.
>
> I'm running dhcpd without -u for that. dhcpd will pick up all packets with
> destination port 67 on the specified interface via bpf. No need to bind to a
> specific IP.

dhcpd will need to be listening on the interface containing the helper-address
though; if you don't want it to actually serve clients on that network, the
subnet declaration can be empty e.g. subnet 192.0.2.0 netmask 255.255.255.0 { }


> I understand your last question as: Can dhcpd provide leases for subnets when
> the dhcpd box has no IP addresses within the range? The answer is yes. You will
> need subnet declarations for all pools in dhcpd.conf though.

The relay includes its own address on the client-facing interface in the
relayed DHCP request; dhcpd uses that to determine which subnet to use.




Re: Unconsistent two-level write speed bouncing on softraid RAID1 SSD's

2021-06-10 Thread Kent Watsen



>> The Crucial BX500 SSD uses SMR technology, which is best used for 
>> infrequent-write applications.  
>> For general-purpose, and especially NAS, applications, CMR technology should 
>> be used. 
> 
> hmm, does SMR stand for something other than "shingled magnetic recording"
> related to storage? that only relates to HD not SSD.

You're right.

I was confused because I was recently burned by both SMR-based and MX500-based 
issues recently, and hence conflated them after a quick "BX500 SMR" search 
seemed to return hits.

I recall now that the MX500 SSDs were really quite amazing, but I couldn't use 
them because they don't report ATA TRIM in a way that is understood by the LSI 
HBAs I have.

K.

 


Re: Unconsistent two-level write speed bouncing on softraid RAID1 SSD's

2021-06-10 Thread Stuart Henderson
On 2021-06-10, Kent Watsen  wrote:
> The Crucial BX500 SSD uses SMR technology, which is best used for 
> infrequent-write applications.  
> For general-purpose, and especially NAS, applications, CMR technology should 
> be used. 

hmm, does SMR stand for something other than "shingled magnetic recording"
related to storage? that only relates to HD not SSD.

>> On Jun 10, 2021, at 6:20 AM, Xavier Sanchez  wrote:
>> 
>> Written from my laptop directly to the device and 
>> - good and constant read speed
>> - bouncing 7MB/s to high write speed

Bouncing between speeds is not impossible, SSDs often have faster cache
and do flash erase/programming in the background, until the cache is full.
But 7MB/s seems a bit too slow even then.




Re: openbgpd "depend on"

2021-06-10 Thread Stuart Henderson
On 2021-06-10, open...@kene.nu  wrote:
> Looks like the syntax is not valid and I cannot find any reference in the
> man pages either. Maybe I am missing the intent of your reply. Is it intended
> as pseudo code that would pose as my intent or is it actually already
> possible to achieve this?

It's not yet implemented.

I didn't quite work out from your description what you'd like openbgpd
to do, but are you aware that you don't have to distribute a route which
points at "this router's IP address"? Some situations involving carp
routes can be dealt with by setting the nexthop as the carp address,
e.g. "network 192.0.2.0/29 set nexthop 10.100.2.1" Not sure if this
helps you but maybe.




Can lmdb library linked C code be profiled?

2021-06-10 Thread Luke Small
I’ve discovered that C source code only seems to be able to be profiled by
gprof profiled with gcc (or egcc from gcc package) and with the “-static”
flag to static link the program. But statically linked code which uses lmdb
with lmdb.a from the lmdb package will throw compile-time errors. Is there
a way?
--
-Luke


Re: Unconsistent two-level write speed bouncing on softraid RAID1 SSD's

2021-06-10 Thread Bryan Linton
On 2021-06-10 11:49:59, Xavier Sanchez  wrote:
> 
> Read somewhere that issuing a security erase could also help. So I
> tried issuing the following:
> 
> # atactl sd0c secsetpass user high  
> User password:   
> Retype user password:
> atactl: ATA device returned error register 0 
> 
> But any sec* command returned:
> atactl: ATA device returned error register 0
> 
> even after a coldboot ( non-frozen ), despite the devices supporting the
> Security Mode feature set
> 
> - Am I attempting to issue the security erase the wrong way ?
> 

This is not possible on OpenBSD.  It's actually a feature, not a
bug.  OpenBSD issues the secfreeze command at the driver level
when disks attach.

From atactl(8):

secfreeze
  Prevents changes to passwords until a following power cycle.
  The purpose of this command is to prevent password setting
  attacks on the security system.  After command completion any
  other commands that update the device lock mode will be aborted.


You can see in src/sys/dev/ata/atascsi.c:408 and
src/sys/dev/ata/wd.c:305 that the same command is issued to all
sd(4) and wd(4) drives as a security measure.

You're going to need to boot from a live CD/USB in order to set a
password on the drive.

You should also double-check that your BIOS doesn't have a setting
to disable this too.  I've heard that some BIOSes have a toggle
for this to help mitigate the above-mentioned password setting
attacks.

Also, another poster mentioned that these are SMR drives.  If
that's the case, then the "stuttering" speeds you described are
normal for them.  SMR drives are good for storing infrequently
accessed files.  They're big and they're cheap, but they're not
always very fast.

Like the old saying goes when it comes to hard drives, "Pick any
two: cheap, fast, big".  SMR drives write data in "stripes".  If
you change even one bit of one byte anywhere in that stripe, the
drive has to read the entire stripe into memory, change what was
changed, then re-write the entire stripe.

This is a limitation of the technology they use.  It allows very
high density drives, but has the drawback of slowing things down a
lot whenever the drive has to re-write a stripe of data.


I've personally found that SMR drives are good enough for my use
case, but I wouldn't recommend them for a live database where
latency is much more critical.

It seems like the new hierarchy is now:

SSD >> PMR > SMR

when it comes to speed.  The inverse is true when it comes to
capacity.

So to summarize, your drive may be working exactly as intended.

-- 
Bryan



Re: Unconsistent two-level write speed bouncing on softraid RAID1 SSD's

2021-06-10 Thread Kent Watsen
The Crucial BX500 SSD uses SMR technology, which is best used for 
infrequent-write applications.  

For general-purpose, and especially NAS, applications, CMR technology should be 
used. 

K. 

> On Jun 10, 2021, at 6:20 AM, Xavier Sanchez  wrote:
> 
> Hi ! not so surprising news: hardware is the problem
> 
> I managed to get one of the two disks apart yesterday and I figured out
> that those disks were the cause (both of them).
> 
> Written from my laptop directly to the device and 
> - good and constant read speed
> - bouncing 7MB/s to high write speed
> 
> I did look at the serial number, they're the same.
> 
> Manufacturer's support suggests that if there's no trim, write speed
> may be impacted ( but so much ? ) and told to let the disk idle for 6
> to 8 hours so the internal garbage collector could clean it.
> 
> I tried that with no luck as well.
> 
> Read somewhere that issuing a security erase could also help. So I
> tried issuing the following:
> 
> # atactl sd0c secsetpass user high  
> User password:   
> Retype user password:
> atactl: ATA device returned error register 0 
> 
> But any sec* command returned:
> atactl: ATA device returned error register 0
> 
> even after a coldboot ( non-frozen ), despite the devices supporting the
> Security Mode feature set
> 
> - Am I attempting to issue the security erase the wrong way ?
> 
> To me it was 0) check if not frozen 2) set user pass 3) issue security
> erase command with password.
> 
> # atactl sd0c  
> Model: CT480BX500SSD1, Rev:  M6CR022, Serial #: 2030E408CA88
> Device type: ATA, fixed
> Cylinders: 16383, heads: 16, sec/track: 63, total sectors: 937703088
> Device capabilities:
>ATA standby timer values
>IORDY operation
>IORDY disabling
> Device supports the following standards:
> ATA-3 ATA-4 ATA-5 ATA-6 ATA-7 ATA-8 ATA-9 ATA-10 
> Master password revision code 0xfffe
> Device supports the following command sets:
>NOP command
>READ BUFFER command
>WRITE BUFFER command
>Host Protected Area feature set
>Read look-ahead
>Write cache
>Power Management feature set
>Security Mode feature set
>SMART feature set
>Flush Cache Ext command
>Flush Cache command
>48bit address feature set
>Advanced Power Management feature set
>DOWNLOAD MICROCODE command
> Device has enabled the following command sets/features:
>NOP command
>READ BUFFER command
>WRITE BUFFER command
>Host Protected Area feature set
>Read look-ahead
>Write cache
>Power Management feature set
>SMART feature set
>Flush Cache Ext command
>Flush Cache command
>48bit address feature set
>DOWNLOAD MICROCODE command
> 
> 
>> On Wed, 2021-06-09 at 03:45 +0200, xavie...@mailoo.org wrote:
>> Hello, There's a strange write speed bounce behavior on my SATA softraid
>> RAID1 SSD (Crucial BX500 480GB 3D NAND). Sequential writes start high
>> (~450MB/s with dd and a bs of 1M) then after about 30s to 1:30 minute it
>> falls to a low ~7MB/s for one minute, then bounces back to the high speed
>> of 450MB/s and so forth.
>> 
>> Maybe the problem comes from my Crucial BX500 480GB 3D NAND SATA 2.5-inch
>> SSD which are new. But I'm not 100% sure what's happening really. Maybe
>> this would help someone facing a similar situation with this particular
>> high / low write speed bounces. I also tried with a second softraid on
>> the same machine but with spinning USB disks. No problems so far, the
>> write speed is constant. Read speeds are fine and constant on SSD as well.
>> 
>> Please let me know if there is something I should try to work around or
>> identify this problem.
>> 
>> Reproduction scenario:
>> 
>> note: The test I made to show you used the default 512B block size with dd (so
>> the high speed is limited to ~130MB/s and the low speed remains around 7MB/s)
>> 
>> - disabled pf and system logs
>> - dd if=/dev/zero of=testfile # on /home
>> - iostat -w1 sd0 sd1 sd6 # chunk0 chunk1 softraid_volume
>> 
>> See iostat: for results
>> 
>> mount:
>> /dev/sd6a on / type ffs (local, softdep)
>> /dev/sd6h on /home type ffs (local, nodev, nosuid, softdep)
>> /dev/sd6e on /tmp type ffs (local, nodev, nosuid, softdep)
>> /dev/sd6f on /usr type ffs (local, nodev, softdep)
>> /dev/sd6g on /var type ffs (local, nodev, nosuid, softdep)
>> 
>> disklabel:
>> # /dev/rsd0c:
>> type: SCSI
>> disk: SCSI disk
>> label: CT480BX500SSD1
>> duid: 808fe38d1751a671
>> flags:
>> bytes/sector: 512
>> sectors/track: 63
>> tracks/cylinder: 255
>> sectors/cylinder: 16065
>> cylinders: 58369
>> total sectors: 937703088
>> boundstart: 64
>> boundend: 937697985
>> drivedata: 0
>> 
>> 16 partitions:
>> # size offset fstype [fsize bsize cpg]
>> a: 937697921 64 RAID

Re: openbgpd "depend on"

2021-06-10 Thread openbsd
Looks like the syntax is not valid and I cannot find any reference in the
man pages either. Maybe I am missing the intent of your reply. Is it intended
as pseudo code that would pose as my intent or is it actually already
possible to achieve this?

# bgpd -vn
/etc/bgpd.conf:47: syntax error

# awk 'NR==47' /etc/bgpd.conf
match to group "leaf" depend on carp100 prepend-self 5

# uname -a
OpenBSD fw1 6.8 GENERIC.MP#2 amd64

# ifconfig carp100 | grep carp:
carp: MASTER carpdev vlan100 vhid 1 advbase 1 advskew 10

On Thu, Jun 10, 2021 at 2:10 PM  wrote:

> This looks precisely what I am looking for. Will try it out. Thank you!
>
> On Wed, Jun 9, 2021 at 10:42 AM Claudio Jeker 
> wrote:
>
>> On Wed, Jun 09, 2021 at 09:57:32AM +0200, open...@kene.nu wrote:
>> > Hello,
>> >
>> > Just a question and maybe a suggestion. I am implementing a few DCs that
>> > use vxlan symmetric routing and hence, layer2 redundancy protocols like
>> > CARP (and VRRP/HSRP) do not work as intended due to evpn layer2 being the
>> > technology of choice to announce ARP entries.
>> >
>> > This led me to try out the "depend on carp" functionality that is available
>> > on openbgpd. It does what I want, partially. It would be much more usable
>> > if you could define what this functionality does in case of a CARP backup
>> > state. Currently it puts the bgp neighbor into Idle state. However, it
>> > would be better if one could define that it should as-path prepend and/or
>> > add a metric (MED) instead. This way, carp failovers would not rely on the
>> > tedious and relatively time consuming process of setting up a BGP session
>> > and announcing prefixes before it can truly be carp master.
>> >
>> > WDYT?
>>
>> The 'depend on' feature was added to use a CARP cluster as a BGP border
>> router (e.g. at an IXP that only gives one IP/port). In that case the
>> backup carp interface is not able to open a TCP session. The backup carp
>> interface is not reachable and the session would conflict with the master
>> session.
>>
>> What you would like is to add depend on on announcements (network
>> 10.0.0.0/24 depend on carp0) or probably as a filter (match to group
>> uplinks depend on carp set med 100). At least this is how I understand
>> your request.
>>
>> --
>> :wq Claudio
>>
>>


Re: openbgpd "depend on"

2021-06-10 Thread openbsd
This looks precisely what I am looking for. Will try it out. Thank you!

On Wed, Jun 9, 2021 at 10:42 AM Claudio Jeker 
wrote:

> On Wed, Jun 09, 2021 at 09:57:32AM +0200, open...@kene.nu wrote:
> > Hello,
> >
> > Just a question and maybe a suggestion. I am implementing a few DCs that
> > use vxlan symmetric routing and hence, layer2 redundancy protocols like
> > CARP (and VRRP/HSRP) do not work as intended due to evpn layer2 being the
> > technology of choice to announce ARP entries.
> >
> > This led me to try out the "depend on carp" functionality that is
> available
> > on openbgpd. It does what I want, partially. It would be much more usable
> > if you could define what this functionality does in case of a CARP backup
> > state. Currently it puts the bgp neighbor into Idle state. However, it
> > would be better if one could define that it should as-path prepend and/or
> > add a metric (MED) instead. This way, carp failovers would not rely on
> the
> > tedious and relatively time consuming process of setting up a BGP session
> > and announcing prefixes before it can truly be carp master.
> >
> > WDYT?
>
> The 'depend on' feature was added to use a CARP cluster as a BGP border
> router (e.g. at an IXP that only gives one IP/port). In that case the
> backup carp interface is not able to open a TCP session. The backup carp
> interface is not reachable and the session would conflict with the master
> session.
>
> What you would like is to add depend on on announcements (network
> 10.0.0.0/24 depend on carp0) or probably as a filter (match to group
> uplinks depend on carp set med 100). At least this is how I understand
> your request.
>
> --
> :wq Claudio
>
>


Re: reposync:host key verification failed

2021-06-10 Thread Stuart Henderson
On 2021-06-09, Avon Robertson  wrote:
> On Tue, Jun 08, 2021 at 11:11:15AM +1200, Avon Robertson wrote:
>> On Mon, Jun 07, 2021 at 08:21:24PM -, Stuart Henderson wrote:
>> > On 2021-06-07, Avon Robertson  wrote:
>> > > $ make obj
>> > >===> ssh
>> > > /usr/src/usr.bin/ssh/ssh/obj -> /usr/obj/usr.bin/ssh/ssh
>> > > mkdir: /usr/obj/usr.bin: Permission denied
>> > > *** Error 1 in ssh (:61 'obj': @cd /usr/src/usr.bin/ssh/ssh;
>> > > umask 007;  here=`/bin/pwd`; bsdsrcdir=`cd /usr/src; /bin/pwd`;  s...)
>> > > *** Error 2 in /usr/src/usr.bin/ssh (:48 'obj': @for
>> > > entry in ssh sshd ssh-add ssh-keygen ssh-agent scp sftp-server
>> > > ssh-keys...)
>> > >
>> > > Mmmm. So looked first at permission in and below /usr/src. Found
>> > > permissions to be 700 with owner and group being aer:wsrc. As root,
>> > > # chmod -R 775 /usr/src
>> > > and tried 'make obj' again. The same error as above was output.
>> > 
>> > The "permission denied" is on /usr/obj.
>> > 
>> > > I do not rule out the possibility that my local /cvs repository has
>> > > been inadvertently corrupted by me.
>> > 
>> > unlikely.
>> > 
>> > > Theo, I am willing to install (not update) a later snapshot and try to
>> > > build a test kernel for you tomorrow; if you believe it likely my /cvs
>> > > repo is ok. If you think it likely that my repo is corrupt, I will
>> > > remove it and reinstall a local repo from scratch before trying to
>> > > build a test kernel for you.
>> > 
>> > I think at this point the best thing to do is simply update to a newer
>> > snapshot and try reposync again. (Update is fine, no need to reinstall).
>> > No need to build a kernel.
>> > 
>> > If there is still a failure then adjust permissions or group membership
>> > so you can write to /usr/obj (there are various methods that will work),
>> > and confirm that it works with a build of ssh fresh from cvs. But if I got
>> > my testing right then I think this is now working.
>> > 
>> > 
>> Many thanks Stuart.
>> Will do as you have suggested.
>> 
>> Regards Avon
>> -- 
>> 
>
> Hello Stuart and misc@,
> Installed new snapshot:
> $ uname -prsv
> OpenBSD 6.9 GENERIC.MP#58 amd64
>
> My script failed again with error:
> reposync: host key verification failed - see
> /var/db/reposync/known_hosts
>
> After executing
> $ cd /usr/src/usr.bin/ssh
> $ cvs up
> $ make obj
> $ make
> $ doas make install
> my script is working again without error.
>
> Thank you all for your help.
>
> Regards Avon
>
>

It should work OK with snapshots dated after 2021/06/08.

btw for future reference, the GENERIC.MP#58 isn't very useful for
identification; it's better to use "sysctl kern.version".




Re: Unconsistent two-level write speed bouncing on softraid RAID1 SSD's

2021-06-10 Thread Xavier Sanchez
Hi ! not so surprising news: hardware is the problem

I managed to get one of the two disks apart yesterday and I figured out
that those disks were the cause (both of them).

Written from my laptop directly to the device and 
- good and constant read speed
- bouncing 7MB/s to high write speed

I did look at the serial number, they're the same.

Manufacturer's support suggests that if there's no trim, write speed
may be impacted ( but so much ? ) and told to let the disk idle for 6
to 8 hours so the internal garbage collector could clean it.

I tried that with no luck as well.

Read somewhere that issuing a security erase could also help. So I
tried issuing the following:

# atactl sd0c secsetpass user high  
User password:   
Retype user password:
atactl: ATA device returned error register 0 

But any sec* command returned:
atactl: ATA device returned error register 0

even after a coldboot ( non-frozen ), despite the devices supporting the
Security Mode feature set

- Am I attempting to issue the security erase the wrong way ?

To me it was 0) check if not frozen 2) set user pass 3) issue security
erase command with password.

# atactl sd0c  
Model: CT480BX500SSD1, Rev:  M6CR022, Serial #: 2030E408CA88
Device type: ATA, fixed
Cylinders: 16383, heads: 16, sec/track: 63, total sectors: 937703088
Device capabilities:
ATA standby timer values
IORDY operation
IORDY disabling
Device supports the following standards:
ATA-3 ATA-4 ATA-5 ATA-6 ATA-7 ATA-8 ATA-9 ATA-10 
Master password revision code 0xfffe
Device supports the following command sets:
NOP command
READ BUFFER command
WRITE BUFFER command
Host Protected Area feature set
Read look-ahead
Write cache
Power Management feature set
Security Mode feature set
SMART feature set
Flush Cache Ext command
Flush Cache command
48bit address feature set
Advanced Power Management feature set
DOWNLOAD MICROCODE command
Device has enabled the following command sets/features:
NOP command
READ BUFFER command
WRITE BUFFER command
Host Protected Area feature set
Read look-ahead
Write cache
Power Management feature set
SMART feature set
Flush Cache Ext command
Flush Cache command
48bit address feature set
DOWNLOAD MICROCODE command


On Wed, 2021-06-09 at 03:45 +0200, xavie...@mailoo.org wrote:
> Hello, There's a strange write speed bounce behavior on my SATA softraid
> RAID1 SSD (Crucial BX500 480GB 3D NAND). Sequential writes start high
> (~450MB/s with dd and a bs of 1M) then after about 30s to 1:30 minute it
> falls to a low ~7MB/s for one minute, then bounces back to the high speed
> of 450MB/s and so forth.
> 
> Maybe the problem comes from my Crucial BX500 480GB 3D NAND SATA 2.5-inch
> SSD which are new. But I'm not 100% sure what's happening really. Maybe
> this would help someone facing a similar situation with this particular
> high / low write speed bounces. I also tried with a second softraid on
> the same machine but with spinning USB disks. No problems so far, the
> write speed is constant. Read speeds are fine and constant on SSD as well.
> 
> Please let me know if there is something I should try to work around or
> identify this problem.
> 
> Reproduction scenario:
> 
> note: The test I made to show you used the default 512B block size with dd (so
> the high speed is limited to ~130MB/s and the low speed remains around 7MB/s)
> 
> - disabled pf and system logs
> - dd if=/dev/zero of=testfile # on /home
> - iostat -w1 sd0 sd1 sd6 # chunk0 chunk1 softraid_volume
> 
> See iostat: for results
> 
> mount:
> /dev/sd6a on / type ffs (local, softdep)
> /dev/sd6h on /home type ffs (local, nodev, nosuid, softdep)
> /dev/sd6e on /tmp type ffs (local, nodev, nosuid, softdep)
> /dev/sd6f on /usr type ffs (local, nodev, softdep)
> /dev/sd6g on /var type ffs (local, nodev, nosuid, softdep)
> 
> disklabel:
> # /dev/rsd0c:
> type: SCSI
> disk: SCSI disk
> label: CT480BX500SSD1
> duid: 808fe38d1751a671
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 58369
> total sectors: 937703088
> boundstart: 64
> boundend: 937697985
> drivedata: 0
> 
> 16 partitions:
> # size offset fstype [fsize bsize cpg]
> a: 937697921 64 RAID
> c: 937703088 0 unused
> # /dev/rsd1c:
> type: SCSI
> disk: SCSI disk
> label: CT480BX500SSD1
> duid: 33c950831897af57
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 58369
> total sectors: 937703088
> boundstart: 64
> boundend: 937697985
> drivedata: 0
> 
> 16 partitions:
> # size offset fstype [fsize bsize cpg]
> a: 937697921 64 RAID
> c: 937703088 0 unused
> # /dev/rsd6c:
> 

Re: web server security

2021-06-10 Thread Stuart Henderson
On 2021-06-10, Gustavo Rios  wrote:
> Hi folks!
>
> I am planning a web server using openbsd as the os and using php. My
> question is: how to avoid any given user from implementing a php script that
> will read someone else's file, since everything will run as the web server user
> and group ?
>
> thanks a lot.
>

The PHP scripts don't need to run as the same user and group. Use different
application pools in php-fpm.conf listening on different sockets, and have
the web server use the relevant socket for the website. You can even chroot
them separately if you think that will help.

e.g.

---
[global]
error_log = syslog
syslog.facility = daemon
log_level = notice

[user1]
user = user1
group = user1
listen = /var/www/run/php-fpm.user1.sock
pm = ondemand
pm.max_children = 20
pm.process_idle_timeout = 30s
chroot = /var/www

[user2]
user = user2
group = user2
listen = /var/www/run/php-fpm.user2.sock
pm = ondemand
pm.max_children = 20
pm.process_idle_timeout = 30s
chroot = /var/www
---

Quick warning to head off a possible problem you might run into in the
future though; you will need to make sure that the web server (not the
PHP interpreter) has read access to those files which _it_ needs (e.g.
static content). One way to do that is to add the www user to the
group for each user account (e.g. user1:*:1001:www, user2:*:1002:www,
in /etc/group). That works nicely for small setups but you will run
into a wall after a while because on OpenBSD a user account can only
be a member of up to 16 supplemental groups. (There are other ways
to handle this e.g. running multiple web server processes, but with
a bunch more complication).
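The isolation the post's php-fpm.conf aims for, and the /etc/group trick with its 16-group ceiling, can be checked mechanically. This is an added example, not code from the post or from php-fpm; the pool names, socket paths and group lines it parses are constructed for the example.

```python
"""Isolation checks for the per-user php-fpm pools described above.

Added example, not code from the post or from php-fpm. It parses pool
sections of php-fpm.conf-style text and /etc/group-style lines and flags
pools sharing a user or socket, pools running as the web server user, and
how close the "add www to each user's group" trick is to OpenBSD's limit of
16 supplementary groups. The sample text is constructed for the example.
"""
import re
from collections import defaultdict

MAX_SUPPLEMENTARY_GROUPS = 16   # OpenBSD limit quoted in the post
WEB_USER = "www"                # httpd(8) runs as www on OpenBSD

# Constructed php-fpm.conf: two clean pools plus two that defeat the isolation.
CONF_SAMPLE = """
[user1]
user = user1
group = user1
listen = /var/www/run/php-fpm.user1.sock

[user2]
user = user2
group = user2
listen = /var/www/run/php-fpm.user2.sock

[shared]                       ; reuses user1: can read user1's files
user = user1
group = user1
listen = /var/www/run/php-fpm.shared.sock

[legacy]                       ; runs as the web server user itself
user = www
group = www
listen = /var/www/run/php-fpm.legacy.sock
"""

# Constructed /etc/group lines: www added to each user's group for static files.
GROUP_SAMPLE = """www:*:67:
user1:*:1001:www
user2:*:1002:www
"""


def parse_pools(conf_text):
    """Return {pool_name: {key: value}} for every section except [global]."""
    pools, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()    # ';' starts a comment in php-fpm.conf
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            if current != "global":
                pools[current] = {}
            continue
        if current and current != "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            pools[current][key] = value
    return pools


def check_pools(pools):
    """Return a list of findings; an empty list means every pool is isolated."""
    findings = []
    by_user, by_socket = defaultdict(list), defaultdict(list)
    for name, kv in pools.items():
        user, listen = kv.get("user"), kv.get("listen")
        if user is None:
            findings.append(f"[{name}] sets no user; it inherits php-fpm's default")
        elif user == WEB_USER:
            findings.append(f"[{name}] runs as {WEB_USER}; scripts read whatever httpd can")
        else:
            by_user[user].append(name)
        if listen:
            by_socket[listen].append(name)
    for user, names in by_user.items():
        if len(names) > 1:
            findings.append(f"{names} share user {user}; their scripts see each other's files")
    for sock, names in by_socket.items():
        if len(names) > 1:
            findings.append(f"{names} share socket {sock}")
    return findings


def supplementary_group_count(group_text, user):
    """Count /etc/group entries that list `user` in the member field."""
    count = 0
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and user in fields[3].split(","):
            count += 1
    return count


def group_headroom(group_text, user=WEB_USER):
    """Accounts left before `user` hits the 16-supplementary-group wall."""
    return MAX_SUPPLEMENTARY_GROUPS - supplementary_group_count(group_text, user)
```

Run `check_pools(parse_pools(open("/etc/php-fpm.conf").read()))` against a real config to get the same findings for the live pools.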




Re: Howto measure pps at forwarding plane

2021-06-10 Thread Claudio Jeker
On Thu, Jun 10, 2021 at 09:23:03AM -, Stuart Henderson wrote:
> On 2021-06-10, Valdrin MUJA  wrote:
> > Hello,
> >
> > I'm trying to figure out how many packets are being forwarded on my OpenBSD
> > firewall.
> > Here is a small script I wrote.
> >
> >
> > #!/bin/sh
> >
> >
> > VAL1=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`
> >
> > sleep 1
> >
> > VAL2=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`
> >
> >
> > echo "$(($VAL2-$VAL1))"
> >
> >
> > But I cannot be sure if I am doing the right thing.
> > Can anyone check it please?
> > Thanks.
> >
> 
> If you are only interested in IPv4 then yes that'll do it.
> This would save some cpu cycles though:
> 
> VAL1=`netstat -s | awk '/packets forwarded/ { print $1; exit }'`
> 

And use netstat -spip which limits the number of sysctls made in netstat.

-- 
:wq Claudio



Re: Howto measure pps at forwarding plane

2021-06-10 Thread Stuart Henderson
On 2021-06-10, Valdrin MUJA  wrote:
> Hello,
>
> I'm trying to figure out how many packets are being forwarded on my OpenBSD
> firewall.
> Here is a small script I wrote.
>
>
> #!/bin/sh
>
>
> VAL1=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`
>
> sleep 1
>
> VAL2=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`
>
>
> echo "$(($VAL2-$VAL1))"
>
>
> But I cannot be sure if I am doing the right thing.
> Can anyone check it please?
> Thanks.
>

If you are only interested in IPv4 then yes that'll do it.
This would save some cpu cycles though:

VAL1=`netstat -s | awk '/packets forwarded/ { print $1; exit }'`




Re: bind dhcpd to IP address

2021-06-10 Thread Stuart Henderson
On 2021-06-10, Ralf Horstmann  wrote:
> Hi Valdrin,
>
> that setup works fine. You would use "ip helper-address" on the Ciscos to
> forward the DHCP requests to your OpenBSD box. The forwarded requests use the
> specified helper address as unicast destination. No need to have the VLANs
> present on your OpenBSD box.
>
> I'm running dhcpd without -u for that. dhcpd will pick up all packets with
> destination port 67 on the specified interface via bpf. No need to bind to a
> specific IP.

dhcpd will need to be listening on the interface containing the helper-address
though; if you don't want it to actually serve clients on that network, the
subnet declaration can be empty e.g. subnet 192.0.2.0 netmask 255.255.255.0 { }


> I understand your last question as: Can dhcpd provide leases for subnets when
> the dhcpd box has no IP addresses within the range? The answer is yes. You will
> need subnet declarations for all pools in dhcpd.conf though.

The relay includes its own address on the client-facing interface in the
relayed DHCP request; dhcpd uses that to determine which subnet to use.
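The relay behaviour described above (the helper-address relay stamps its client-facing address into giaddr, dhcpd matches that against its subnet declarations, and an empty declaration makes dhcpd listen on the helper network without leasing there) modelled as an added example. This is not dhcpd's code; the dhcpd.conf text and the BOOTP packets are constructed for the example.

```python
"""How dhcpd chooses a subnet for a relayed request, as described above.

Added example, not dhcpd's own code. It models the two rules in the post:
the relay ("ip helper-address" on the Cisco) stamps its client-facing
address into giaddr, and dhcpd matches giaddr against the subnet
declarations in dhcpd.conf; an unrelayed request (giaddr 0.0.0.0) is matched
against the address of the interface it arrived on. The dhcpd.conf text and
the BOOTP packets below are constructed for the example.
"""
import ipaddress
import re
import struct

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr (RFC 2131)
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s")

# Constructed dhcpd.conf: the helper-address network gets an empty declaration
# so dhcpd listens there without handing out leases; the VLAN behind the relay,
# where this box has no address at all, gets a real pool.
DHCPD_CONF = """
subnet 192.0.2.0 netmask 255.255.255.0 { }

subnet 10.10.20.0 netmask 255.255.255.0 {
    option routers 10.10.20.1;
    range 10.10.20.100 10.10.20.200;
}
"""


def parse_subnets(conf_text):
    """Return [(IPv4Network, has_range)] for every subnet declaration."""
    pat = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{([^}]*)\}")
    return [(ipaddress.IPv4Network(f"{net}/{mask}"), "range" in body)
            for net, mask, body in pat.findall(conf_text)]


def make_discover(giaddr, xid=0x3903F326):
    """Build a minimal BOOTREQUEST header; hops is 1 when a relay touched it."""
    gi = ipaddress.IPv4Address(giaddr)
    hops = 0 if int(gi) == 0 else 1
    zero = b"\0" * 4
    return BOOTP_HDR.pack(1, 1, 6, hops, xid, 0, 0x8000, zero, zero, zero, gi.packed)


def giaddr_of(packet):
    """Relay agent address from a BOOTP/DHCP packet (0.0.0.0 if unrelayed)."""
    return ipaddress.IPv4Address(BOOTP_HDR.unpack_from(packet)[-1])


def select_subnet(packet, iface_addr, subnets):
    """Pick the declared subnet for this request the way the post describes.

    Returns (network, can_lease) or None when no declaration covers the
    relay address, which is why every remote pool needs its own declaration.
    """
    gi = giaddr_of(packet)
    key = gi if int(gi) else ipaddress.IPv4Address(iface_addr)
    for network, has_range in subnets:
        if key in network:
            return network, has_range
    return None


if __name__ == "__main__":
    subnets = parse_subnets(DHCPD_CONF)
    for label, pkt in (("relayed from VLAN 20", make_discover("10.10.20.1")),
                       ("direct on helper net", make_discover("0.0.0.0")),
                       ("relayed from undeclared VLAN", make_discover("10.10.30.1"))):
        print(label, "->", select_subnet(pkt, "192.0.2.10", subnets))
```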




Re: disklabel partition auto allocation problem

2021-06-10 Thread Otto Moerbeek
On Wed, Jun 09, 2021 at 12:40:13PM -0400, electronmuontau neutrino wrote:

> disklabel in OpenBSD 6.9 doesn't seem to be allocating partition sizes
> correctly according to the actual size of my OpenBSD partition.  I dual
> booted my ThinkPad X1 Carbon 5th gen laptop with Windows 10 and OpenBSD.  I
> allocated about half the disk space to OpenBSD.  When I installed OpenBSD,
> it allocated partitions as if my disk size was > 2.5 GB instead of >= 10 GB
> as shown in the disklabel man page.  It allocated 2GB to /, 256M to swap,
> 3G to /usr, 2G to /home and apparently did not allocate the rest of the
> free space.  I've included the output of disklabel, fdisk and dmesg below.
> I haven't tried installing OpenBSD 6.8 to see if it does the same thing.  I
> believe auto allocation worked fine in OpenBSD 6.7.  If I'm not including
> any info that might help diagnose this problem, if it really is a problem,
> please let me know.
> 
> 
> # disklabel sd0
> 
> # /dev/rsd0c:
> type: SCSI
> disk: SCSI disk
> label: SAMSUNG MZVLB1T0
> duid: 9a51a841a90239b3
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 124519
> total sectors: 2000409264
> boundstart: 1002668032
> boundend: 1998360576
> drivedata: 0
> 
> 16 partitions:
> #size   offset  fstype [fsize bsize   cpg]
>   a:  4194304   1002668032  4.2BSD   2048 16384 12960 # /
>   b:   524288   1006862336swap# none
>   c:   20004092640  unused
>   d:  6291456   1007386624  4.2BSD   2048 16384 12960 # /usr
>   e:  4194304   1013678080  4.2BSD   2048 16384 12960 # /home
>   i:   532480 2048   MSDOS
>   j:32768   534528 unknown
>   k:   1002100736   567296   MSDOS
>   l:  2048000   1998360576 unknown
> 
> 
> 
> # fdisk sd0
> 
> Disk: sd0   Usable LBA: 34 to 2000409230 [2000409264 Sectors]
>#: type [   start: size ]
> 
>0: EFI Sys  [2048:   532480 ]
>1: e3c9e316-0b5c-4db8-817d-f92df00215ae [  534528:32768 ]
>2: FAT12[  567296:   1002100736 ]
>3: OpenBSD  [  1002668032:995692544 ]
>4: Win Recovery [  1998360576:  2048000 ]


Hi,

I created a vnd with this layout:
$ doas dd bs=512 count=1 seek=2000409264 of=image if=/dev/null 
$ doas vnconfig vnd0 image
$ doas fdisk -ig vnd0
$ doas fdisk -e vnd0

... add partitions, using A5 (FreeBSD) for the "unknown" above

$ doas fdisk vnd0
Disk: vnd0   Usable LBA: 64 to 2000409200 [2000409264 Sectors]
   #: type [   start: size ]

   0: EFI Sys  [2048:   532480 ]
   1: FreeBSD  [  534528:32768 ]
   2: FAT12[  567296:   1002100736 ]
   3: OpenBSD  [  1002668032:995692544 ]
   4: FreeBSD  [  1998360576:  2048000 ]

If I run disklabel -A I get the expected outcome, leaving the
"foreign" partitions intact:

$ doas disklabel -A vnd0 
# /dev/rvnd0c:
type: vnd
disk: vnd device
label: fictitious
duid: 
flags:
bytes/sector: 512
sectors/track: 100
tracks/cylinder: 1
sectors/cylinder: 100
cylinders: 20004092
total sectors: 2000409264
boundstart: 1002668032
boundend: 1998360576
drivedata: 0 

16 partitions:
#size   offset  fstype [fsize bsize   cpg]
  a:  2097152   1002668032  4.2BSD   2048 16384 1 # /
  b:  8414472   1004765184swap
  c:   20004092640  unused
  d:  8388576   1013179680  4.2BSD   2048 16384 1 # /tmp
  e: 24168960   1021568256  4.2BSD   2048 16384 1 # /var
  f: 12582912   1045737216  4.2BSD   2048 16384 1 # /usr
  g:  2097152   1058320128  4.2BSD   2048 16384 1 # /usr/X11R6
  h: 41943040   1060417280  4.2BSD   2048 16384 1 # /usr/local
  i:   532480 2048   MSDOS
  j:32768   534528 unknown
  k:   1002100736   567296   MSDOS
  l:  2048000   1998360576 unknown
  m:  4194304   1102360320  4.2BSD   2048 16384 1 # /usr/src
  n: 12582912   1106554624  4.2BSD   2048 16384 1 # /usr/obj
  o:629145600   1119137536  4.2BSD   4096 32768 1 # /home


Howto measure pps at forwarding plane

2021-06-10 Thread Valdrin MUJA
Hello,

I'm trying to figure out how much packets are being forwarded on my OpenBSD 
firewall.
Here a small script i wrote.


#!/bin/sh


VAL1=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`

sleep 1

VAL2=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`


echo "$(($VAL2-$VAL1))"


But i can not be sure if i am doing the right thing?
Can anyone check it please.
Thanks.


Re: web server security

2021-06-10 Thread Michael Hekeler
On 10.06.21 01:16 Gustavo Rios wrote:
> Hi folks!
> 
> I am planning a web serve using openbsd as the os and using php. My
> question is: how to avoid any given user from implement an php script that
> will read some else file, since everything will run as the web server user
> and group ?

If your requirements are really to run everything as the same user
then it's not possible to forbid this user from reading files
created by someone else that has same uid.
Same uid means "same person". This means your webserver expects person A
to be the owner of files created by person B.

If you want to separate ownership of files then you have to create
different users and restrict php from reading directories that it shouldn't.

Another advice for 'web server security' is to don't give untrusted
users shell access or any write access to your system so you won't have to deal
with someone "implementing a script that will read someone else files"... ;-)



Re: bind dhcpd to IP address

2021-06-10 Thread Valdrin MUJA
Thanks. I'll give a try.

From: Ralf Horstmann 
Sent: Thursday, 10 June 2021 08:42
To: misc@openbsd.org 
Cc: Valdrin MUJA 
Subject: Re: bind dhcpd to IP address

Hi Valdrin,

that setup works fine. You would use "ip helper-address" on the Ciscos to
forward the DHCP requests to your OpenBSD box. The forwarded requests use the
specified helper address as unicast destination. No need to have the VLANs
present on your OpenBSD box.

I'm running dhcpd without -u for that. dhcpd will pickup all packets with
destination port 67 on the specified interface via bpf. No need to bind to a
specific IP.

I understand your last question as: Can dhcpd provide leases for subnets when
the dhcpd box has no IP addresses within the range? The answer is yes. You will
need subnet declarations for all pools in dhcpd.conf though.

Regards,
Ralf

* Valdrin MUJA  [2021-06-09 23:45]:
> Hi misc,
>
>
> I have 5 vlans terminated in Cisco switch as Layer 3.
>
> So the users' gateway is Cisco switch.
>
> The default gateway of Cisco switch is OpenBSD 6.9, which works as an office 
> firewall.
>
> The switch also works as a dhcp server. However, I want OpenBSD office 
> firewall to also act as a dhcp server.
>
> Is this possible while OpenBSD has no vlans on it? Only static routes for 
> these ip networks are installed.
>
>
> I would set dhcp relay on the Cisco switch side, but when I looked at 
> dhcpd(8), I was not entirely sure.
>
> I see that dhcpd can listen on an ip address with the -u[bind_address] 
> parameter, but these lines confused me:
>
> "With this option, dhcpd can answer DHCPINFORM from clients on non Ethernet 
> interfaces such as tun(4) or pppx(4)"
>
> What I understand from above is; if I configure -u for a physical (em0) 
> interface’s ip address it will not bind to em0’s IP address.
>
> It will use 255.255.255.255 instead of this. So it will not work; right?
>
>
> One last and probably related question:
>
> Can OpenBSD be configured to distribute ip pools which it doesn’t have?
>
> Thanks for reading…
>


Re: bind dhcpd to IP address

2021-06-10 Thread Ralf Horstmann
Hi Valdrin,

that setup works fine. You would use "ip helper-address" on the Ciscos to
forward the DHCP requests to your OpenBSD box. The forwarded requests use the
specified helper address as unicast destination. No need to have the VLANs
present on your OpenBSD box.

I'm running dhcpd without -u for that. dhcpd will pickup all packets with
destination port 67 on the specified interface via bpf. No need to bind to a
specific IP.

I understand your last question as: Can dhcpd provide leases for subnets when
the dhcpd box has no IP addresses within the range? The answer is yes. You will
need subnet declarations for all pools in dhcpd.conf though.

Regards,
Ralf

* Valdrin MUJA  [2021-06-09 23:45]:
> Hi misc,
> 
> 
> I have 5 vlans terminated in Cisco switch as Layer 3.
> 
> So the users' gateway is Cisco switch.
> 
> The default gateway of Cisco switch is OpenBSD 6.9, which works as an office 
> firewall.
> 
> The switch also works as a dhcp server. However, I want OpenBSD office 
> firewall to also act as a dhcp server.
> 
> Is this possible while OpenBSD has no vlans on it? Only static routes for 
> these ip networks are installed.
> 
> 
> I would set dhcp relay on the Cisco switch side, but when I looked at 
> dhcpd(8), I was not entirely sure.
> 
> I see that dhcpd can listen on an ip address with the -u[bind_address] 
> parameter, but these lines confused me:
> 
> "With this option, dhcpd can answer DHCPINFORM from clients on non Ethernet 
> interfaces such as tun(4) or pppx(4)"
> 
> What I understand from above is; if I configure -u for a physical (em0) 
> interface’s ip address it will not bind to em0’s IP address.
> 
> It will use 255.255.255.255 instead of this. So it will not work; right?
> 
> 
> One last and probably related question:
> 
> Can OpenBSD be configured to distribute ip pools which it doesn’t have?
> 
> Thanks for reading…
>