Re: Problems with a fresh install not finding SSD drive over floppy img HTML5/KVM

2021-11-30 Thread Theo de Raadt
I am disappointed to see "long answers" to "short spurious claims".

Nick, your long mail didn't help anything.

Chris, your report sucks.  Use sendbug and file a bug report with no
details missing.  Not one user has reported a drive missing on an ahci
controller before you, and suddenly you say (paraphrasing) "oh i hear this
is very common!".  The intentionally vague way you approach this looks like
you want to make us look bad.

Nick Holland  wrote:

> On 11/30/21 3:30 PM, Chris Bennett wrote:
> > After looking over the list, it looks like many SSD's have compatibility
> > problems, so I'm just going to switch over to a spinning drive.
> > Sorry for the noise.
> > 
> 
> categorical nonsense.
> 
> SSDs work.  Cheap ones work, expensive ones work.  Some work better than
> others.  I wish cost predicted success; it hasn't in my experience, but
> some IBM branded SAN SSD drives have had an oddly low rate of failure at
> work...but then each drive probably costs as much as one of my cars,
> and stores a very modest amount of data...so maybe at the really high
> end you get what you pay for.  maybe.
> 
> I've had nothing but problems with /some/ Samsung drives, good luck
> with some junk no-name drives, but the key thing is...if the SATA or SAS
> port the drive is plugged into works, the drive will be recognized and
> work (though maybe better or worse than you wish...but that's not an OS
> issue).
> 
> For a system to boot, the BIOS must support the drive.  For the system
> to get installed, the OS must support the drive.  You can boot a kernel
> from a disk the OS doesn't recognize, and you can install the OS to a
> drive the system can't boot from.  The fact that you "see" the drive in
> the BIOS means only that the drive is hooked up properly.  Doesn't
> indicate OS support.
> 
> Make sure your BIOS is set to support the drives as "AHCI" if that's an
> option.  If you see "RAID", that won't work for good reasons.  If the
> drive is attached to a real RAID controller, the controller may not be
> supported, or you may have it configured wrong (i.e., the drives are there,
> but not configured on the RAID Card, so the RAID card isn't presenting
> "drives" to the OS).
> 
> Provide useful info rather than stomping your feet and saying "it worked
> before!".  Obviously, things are different.  The answer is almost
> certainly in the dmesg.
> 
> Nick.
> 



Re: /etc/bsd.re-config - change a device?

2021-11-30 Thread Paul B. Henson
On Tue, Nov 30, 2021 at 11:13:26PM -0500, Nick Holland wrote:

> hint: snapshots that do what you need beat releases that don't.

Granted; or I could just apply that patch to the 7.0 stable source and
copy in the new config binary :). I doubt if there will be any binary patches
that would overwrite it before 7.1 comes out.

Saving me the trouble of tweaking the kernel by hand on the rare
occasion a kernel patch comes by probably isn't worth running a
snapshot, at least in my case.

Thanks...



Re: /etc/bsd.re-config - change a device?

2021-11-30 Thread Nick Holland

On 11/30/21 3:12 PM, Paul B. Henson wrote:

Thanks much for the info guys; something to look forward to in 7.1 :).


hint: snapshots that do what you need beat releases that don't.

Nick.



On 11/30/2021 4:17 AM, Stuart Henderson wrote:

On 2021-11-30, Paul de Weerd  wrote:

On Tue, Nov 30, 2021 at 08:46:34AM -, Stuart Henderson wrote:
| On 2021-11-29, Paul B. Henson  wrote:
| > I'm upgrading to OpenBSD 7 and I was happy to see the new support for
| > /etc/bsd.re-config to allow modified kernels to be automatically
| > rebuilt. However, one of the changes I need to make is updating the IRQ
| > on com2, as my bios assigns it a non-standard value 8-/.
| >
| > I can't figure out how to do that? Is it supported? When I put "change
| > com2" in /etc/bsd.re-config, config interactively asks me:
| >
| > change [n]
| >
| > I tried "change com2 y" and "change com2", then "y" on the next line,
| > but the first gave an error and the second still prompted interactively.
| >
| > Are the only changes supported by /etc/bsd.re-config those that don't
| > need further input?
|
| Currently yes. jcs@ has a diff to change this but it needs review.

I believe this has been committed on November 20:

https://marc.info/?l=openbsd-cvs&m=163737802014911&w=2

However, that means that it won't work in OpenBSD 7.0, you will need
to run something newer (which, at the moment, means -current /
snapshots).


Ah good catch, thanks.







Re: Problems with a fresh install not finding SSD drive over floppy img HTML5/KVM

2021-11-30 Thread Nick Holland

On 11/30/21 3:30 PM, Chris Bennett wrote:

After looking over the list, it looks like many SSD's have compatibility
problems, so I'm just going to switch over to a spinning drive.

Sorry for the noise.



categorical nonsense.

SSDs work.  Cheap ones work, expensive ones work.  Some work better than
others.  I wish cost predicted success; it hasn't in my experience, but
some IBM branded SAN SSD drives have had an oddly low rate of failure at
work...but then each drive probably costs as much as one of my cars,
and stores a very modest amount of data...so maybe at the really high
end you get what you pay for.  maybe.

I've had nothing but problems with /some/ Samsung drives, good luck
with some junk no-name drives, but the key thing is...if the SATA or SAS
port the drive is plugged into works, the drive will be recognized and
work (though maybe better or worse than you wish...but that's not an OS
issue).

For a system to boot, the BIOS must support the drive.  For the system
to get installed, the OS must support the drive.  You can boot a kernel
from a disk the OS doesn't recognize, and you can install the OS to a
drive the system can't boot from.  The fact that you "see" the drive in
the BIOS means only that the drive is hooked up properly.  Doesn't
indicate OS support.

Make sure your BIOS is set to support the drives as "AHCI" if that's an
option.  If you see "RAID", that won't work for good reasons.  If the
drive is attached to a real RAID controller, the controller may not be
supported, or you may have it configured wrong (i.e., the drives are there,
but not configured on the RAID Card, so the RAID card isn't presenting
"drives" to the OS).

Provide useful info rather than stomping your feet and saying "it worked
before!".  Obviously, things are different.  The answer is almost
certainly in the dmesg.

Nick.



Re: dd: /dev/rsd1c: device not configured

2021-11-30 Thread Nick Holland

On 11/30/21 8:36 AM, Luca Ferrari wrote:

Hi,
I'm trying to install 7.0 in a virtual box machine using full disk
encryption, following
. I've done it on
real hardware without a problem, but I'm not understanding the error
in the virtual box machine. In particular, I cannot copy random data
on the disk before doing the effective encryption.
This is what I do, after entering the shell at the very first prompt:


# sysctl hw.disknames
hw.disknames=wd0:,cd0:,rd0:7c72fe60b4e2338d

# ls  /dev/rsd*c
/dev/rsd0c


I wonder if that is what you think it is.


Uhm, why is sd0 there and does not appear in the hw.disknames?
However, I tried to configure the sd1 device:


the devices in /dev are not dynamically created...they are whatever is
in the /dev directory when it was created.  You can add and remove drives;
the entries in /dev/ will not change on their own -- but you might have
to change 'em.

Install kernels have a very deficient set of drives in /dev


# cd /dev
# sh MAKEDEV sd1
# dd if=/dev/urandom of=/dev/rsd1c bs=1m
dd: /dev/rsd1c: device not configured


There was no sd0, or sd1 in your hw.disknames output.  So why do you
think you can write to something that doesn't exist?


# ls /dev/rsd1c
/dev/rsd1c

What am I missing here?


A lot.
For one, the guy who wrote that is a bit of a jerk.  Rather than taking
you by the nose and telling you what keys to hit, he kinda expects you
to read and understand the whole article...and in fact, the whole page.
And yeah, he really wants you to UNDERSTAND what you are doing.
Total jerk, I know.
Humor him, start at the top, work all the way to the bottom.  Part of
the reason it's in the order it's in is because that's how he wrote
parts of it, but some of it is because the later stuff builds on the
earlier stuff.

But...  Your machine has only a "wd" device.  In that, you will create
a new encrypted "disk", which will be of type sd, sd0 in this case,
since you don't have an sd0 already. Then you will install to that.

The obvious errors you have are you are trying to use devices you don't
actually have on your machine, even though you have a dev file by a
suggestive name.  My machine here has /dev entries for sd0 to sd9, and
wd0 to wd3, and there are no wd devices and only three sd devices.

I'm a little suspicious of that sd0 in your /dev directory -- was it
there all along, or did it just pop up when you dd'd to /dev/rsd0c and
created a file with a name that annoyingly matches a drive device name?
In the recent installs I've done, the boot kernel had NO sd devices at
all until I MAKEDEV'd 'em...but you might be using a different install
kernel than I was using.  Good news, a reboot will clear and recreate
the /dev directory on install kernels (not on an installed machine, of
course).

Nick.
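The point above is that a /dev node proves nothing: hw.disknames is the kernel's own list of attached disks. The following shell snippet is an added example, not something from the thread, that turns that into a guard before writing random data to a raw device. The sample hw.disknames string is constructed to match the shape of the poster's output; on a real OpenBSD box the functions fall back to the live sysctl when no second argument is given.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to write to a raw disk device
# unless the kernel actually attached a disk by that name.  hw.disknames is
# the kernel's list; a /dev node only proves MAKEDEV ran (or a stray file
# exists under a name that looks like a device).

# Constructed sample, shaped like the poster's sysctl output.
SAMPLE_DISKNAMES="wd0:,cd0:,rd0:7c72fe60b4e2338d"

# disk_attached NAME [DISKNAMES]
# Succeeds if NAME (e.g. sd1) is listed in the hw.disknames value.
# DISKNAMES defaults to the live sysctl so the function works on a real box.
disk_attached() {
  name=$1
  list=${2:-$(sysctl -n hw.disknames)}
  # Each entry is name:duid; compare the name part as a whole word,
  # so "sd1" does not match "sd10".
  oldifs=$IFS; IFS=,
  for entry in $list; do
    [ "${entry%%:*}" = "$name" ] && { IFS=$oldifs; return 0; }
  done
  IFS=$oldifs
  return 1
}

# attached_disks [DISKNAMES]: print one attached disk name per line.
attached_disks() {
  list=${1:-$(sysctl -n hw.disknames)}
  echo "$list" | tr ',' '\n' | cut -d: -f1
}

# safe_fill DEVNAME [DISKNAMES]: overwrite the raw 'c' partition with random
# data only when the disk really exists; otherwise explain and fail.
safe_fill() {
  if ! disk_attached "$1" "$2"; then
    echo "$1 is not attached (hw.disknames=${2:-$(sysctl -n hw.disknames)}); not writing" >&2
    return 1
  fi
  dd if=/dev/urandom of="/dev/r${1}c" bs=1m
}
```

With the poster's values, `safe_fill sd1 "$SAMPLE_DISKNAMES"` refuses and names the disks the kernel does see, which is the answer to "why does dd say device not configured".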



Re: libdmx removal incomplete?

2021-11-30 Thread Alexander
On 2021/11/30  8:14, Stuart Henderson wrote:
> On 2021-11-29, Amit Kulkarni  wrote:
> > On Sun, Nov 28, 2021 at 5:17 PM Alexander  wrote:
> >> Just to gauge what to expect from this and whether I did this wrong:
> >> After configuring /etc/sysclean.ignore I get 3382 files of which 3274
> >> are in /usr/X11R6/lib/X11/fonts/. Are numbers this large to be expected?
> >
> > 3382 files is too large.
> 
> That seems about right for the removed font variants to me. You can't
> judge by the number of files, only the filenames.
> 
> *If* you don't compile your own software from outside ports/packages, the
> files under /usr listed in sysclean's default output (no -a flag) is good.
> I do review manually before rm'ing but I have *never* had it suggest
> removing something under /usr that is required. Files outside /usr
> need more care.
> 
This is probably a stupid question but how do you review them manually?
I have a couple files that are manpages, that's easy. signify-keys, too.
There is some sgi stuff, also easy, retirement is known.
Same goes for switchd-related things.
But what about the rest? Assuming you don't just know everything about
those files already, do you find(1)/grep(1) through the source tree and
commit messages or is there a different way?

Best regards,
Alexander



Re: libdmx removal incomplete?

2021-11-30 Thread Alexander
> Date: Mon, 29 Nov 2021 08:31:15 -0500
> From: Nick Holland 
> 
> On 11/28/21 6:17 PM, Alexander wrote:
> ...
> > Lastly: From your emails it seems to me that the use of sysclean after
> > upgrading is very much encouraged if not necessary. Then why is it not
> > included in base (especially when it's developed by OpenBSD developers)?
> > Or am I misunderstanding the requirements for inclusion of packages in
> > base?
> 
> VERY WRONG (as others have said).
> 
> I've been using OpenBSD since v2.4, I have never run a "clean up" tool of
> any kind.  I reinstall only when replacing hardware, the rest of the time,
> I run upgrades, I run snapshots and update frequently so I get a lot of
> old files piling up at times.  And they just don't matter.
> 
> Occasionally, I have manually deleted old libraries when I have
> run a system too long and an old HD starts getting tight on space
> 
> [...]
> 
> Using an automatic cleanup tool is far more likely to CAUSE problems
> than to fix problems.  I'm not saying they /often/ cause problems,
> but since old files laying around basically never cause problems other
> than a small amount of space, there's some risk and almost no gain.
> 
Thanks Nick. That makes sense to me and is/was already my approach.
I was mainly just curious to double-check with find(1) when I saw that
notice on current.html. I was not actively looking to free up space, as
me previously not even knowing that sysclean even exists might also
suggest ;)
But good to read another account on the OS's stability, thank you.
> 
> --
> 
> Date: Sun, 28 Nov 2021 22:58:38 -0700 (MST)
> From: Theo de Raadt 
> 
> >These files are still part of xshare70 set, and should not be
> >removed. They are part of xorgproto (xenocara/proto/xorgproto).
> >
> >> Lastly: From your emails it seems to me that the use of sysclean after
> >> upgrading is very much encouraged if not necessary. Then why is it not
> >> included in base (especially when it's developed by OpenBSD developers)?
> >> Or am I misunderstanding the requirements for inclusion of packages in
> >> base?
> 
>   ^^^
>   WRONG.  Deleting old files is DISCOURAGED -- because we do
>   not have tooling to discover if a user has built their own
>   private programs which require those files.  I am actually
>   getting a bit tired of (1) people overly worried about old
>   files (2) who don't recognize they can always reinstall and
>   (3) that we (OpenBSD) are not able to determine what to delete
>   any better than you the user.

Thanks for making this very clear, makes sense that you can't deal with
every weird non-standard installation. I hadn't thought of that before.
But again not worried here, I was just a bit surprised when I stumbled
over those original *dmx* files.
As for reinstalling: Sure, I'm not really worried about my system, my
(tested) backup scheme is working beautifully and reinstalling takes
about as long as brewing a cup of coffee. But I would always like to
avoid it when possible, especially when I can learn something about my
system and how it works/is designed in the process.

Best regards,
Alexander



Re: libdmx removal incomplete?

2021-11-30 Thread Alexander
On 2021/11/29  6:45, Sebastien Marie wrote:
> On Sun, Nov 28, 2021 at 11:17:01PM +, Alexander wrote:
> > 
> > Just to gauge what to expect from this and whether I did this wrong:
> > After configuring /etc/sysclean.ignore I get 3382 files of which 3274
> > are in /usr/X11R6/lib/X11/fonts/. Are numbers this large to be expected?
> 
> There are a bunch of files from /usr/X11R6/lib/X11/fonts/ which were
> removed. On Sept 3, 3274 files were removed.
> 
> https://github.com/openbsd/xenocara/commit/65ebc3c6dcf6461818fcc3917f443b4ab5b1ce1c
> 
> So it is expected if your install was done before Sept 3, and your
> current version is after Sept 3.

That is the case, the install was a 6.9 continuing in -current.
The diff you pointed to actually turns out to account for the majority
of the files listed. So that cuts down the output significantly already.
> 
> > Also: The above mentioned dmx files are not listed. Does that mean my
> > assumption that they are related to the removed libdmx is false or did I
> > screw something else up?
> 
> $ pkg_locate dmx | grep X11R6
> xshare70:/usr/X11R6/include/X11/extensions/dmx.h
> xshare70:/usr/X11R6/include/X11/extensions/dmxproto.h
> xshare70:/usr/X11R6/lib/pkgconfig/dmxproto.pc
> 
> These files are still part of xshare70 set, and should not be
> removed. They are part of xorgproto (xenocara/proto/xorgproto).

Thanks a lot, this really confused me.
> 
> > Lastly: From your emails it seems to me that the use of sysclean after
> > upgrading is very much encouraged if not necessary. Then why is it not
> > included in base (especially when it's developed by OpenBSD developers)?
> > Or am I misunderstanding the requirements for inclusion of packages in
> > base?
> 
> If removal of files is required, it is explicitly mentioned in
> upgradeXX.html or current.html. Very few files will break your system
> if present.
> 
> On the other hand, removing files that are in use will break your system
> (for example, if you compile a program yourself, it will use system
> libraries like libc, libm...).
> 
Thanks for the explanation, that makes sense.

Best regards,
Alexander



Re: Problems with a fresh install not finding SSD drive over floppy img HTML5/KVM

2021-11-30 Thread Chris Bennett
On Tue, Nov 30, 2021 at 03:25:30PM -0700, Theo de Raadt wrote:
> Chris Bennett  wrote:
> 
> > After looking over the list, it looks like many SSD's have compatibility
> > problems, so I'm just going to switch over to a spinning drive.
> 
> That is news to us.
> 

I am also more than a little shocked by this.

From amd64 7.0 -current floppy img:

OpenBSD 7.0-current Ramdisk #129 Tue Nov 30 11:03
Supermicro X11SSD-F
cpu0 Intel Xeon E3-1270 v6 3.80Ghz


From an auto-installed FreeBSD 12.x by the company:

Samsung SSD 860 Pro 256GB RVM01B6Q ACS-4 ATA SATA 3.x device



Back to OpenBSD, amd64 shows sd0 as the floppy img
i386 (7.0 release) does not mention sd0 at all

I could not get network up at all under either OpenBSD or FreeBSD (zero
experience with FreeBSD).

However, I did get an error I have never seen before.
When they (supposedly) changed boxes, I kept the same /29 IP block.
I accidentally assigned the static IP addresses to em0 instead of em1.
Then I added it correctly to em1.

STDERR constantly repeated that I had assigned the same IP to both.
Bringing both down stopped the error.

However, I did not touch igb0 (em0) under FreeBSD. After changing igb1
(em1) to the correct address, I got the same error in FreeBSD.
Huh?

The company refuses to change the SSD to the spinning drive, but I can
add it as a second drive. This was a special offer, so I can't complain.
I looked at the specials again. All are only with this drive.

I am at a complete loss here about what's going on. I specifically
grabbed this to be able to run -current OpenBSD.
I previously ran this exact type of box with this company before with a
1TB drive. So I have used this IPMI before.

-- 
Frustrated,
Chris Bennett



can't get fonts to show up

2021-11-30 Thread Carson Chittom
I have purchased some fonts that I like, and I want to use them
throughout my OpenBSD 7.0 system.  I have both TTF and OTF versions of
the fonts.

I created a new port in /usr/ports/mystuff/myfonts and copied over the
Makefile from fonts/ibm-plex to use as a model, edited it *only*
(AFAICR) to adjust for font names and paths, did the minimum possible to
actually create a package, and installed it.  That worked fine.

I may have run mkfontscale and mkfontdir manually in each font's
directory as well; I don't remember. In any case, the fonts are
available to GTK and Qt.

As part of ~/.xsession, I also have:

if [ -d /usr/local/share/fonts ]; then
  for i in /usr/local/share/fonts/*; do
xset fp+ $i
  done
  xset fp rehash
fi

But the fonts still do not show up in xfontsel (unlike, for example, if
I install fonts/ibm-plex), and I don't seem to be able to use them in
Fvwm either, even if I copy a font description directly from
/usr/local/share/fonts/myfonts/fonts.dir

So, I'm guessing either my fonts are missing something, or I'm missing
something.  I've tried to search and mostly just turned up Arch Linux
wiki pages telling me to do the things I'd already done with
mkfontscale, mkfontdir, and xset.  Can anyone point me in the right
direction?
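The X server only accepts a font path element that contains a fonts.dir file (xset fp+ otherwise fails with "bad font path element"), so a loop that adds every subdirectory blindly can silently leave a directory out when mkfontscale/mkfontdir were never run there. Below is an added example, not the poster's ~/.xsession, that makes the loop conditional and reports which directories were skipped. The root directory is a parameter that defaults to the /usr/local/share/fonts path from the post; the temporary directories in the test are constructed.

```shell
#!/bin/sh
# Added example (not the poster's ~/.xsession): add only font directories
# that carry a fonts.dir, and say which ones were skipped so a missing
# mkfontscale/mkfontdir run is visible instead of silent.

# fontdir_ready DIR: succeed if DIR exists and has a non-empty fonts.dir,
# which is what the X server requires for a font path element.
fontdir_ready() {
  [ -d "$1" ] && [ -s "$1/fonts.dir" ]
}

# usable_fontdirs ROOT: print the subdirectories of ROOT that are ready,
# one per line; the ones that are not go to stderr with the fix to apply.
usable_fontdirs() {
  for d in "$1"/*/; do
    d=${d%/}
    [ -d "$d" ] || continue          # no subdirectories: glob stayed literal
    if fontdir_ready "$d"; then
      echo "$d"
    else
      echo "skipping $d: no fonts.dir (run mkfontscale && mkfontdir there)" >&2
    fi
  done
}

# add_fontpath [ROOT]: the .xsession fragment from the post, made conditional.
# ROOT defaults to the path the poster used.
add_fontpath() {
  root=${1:-/usr/local/share/fonts}
  usable_fontdirs "$root" | while read -r d; do
    xset fp+ "$d"
  done
  xset fp rehash
}
```

Calling `add_fontpath` from ~/.xsession in place of the original loop keeps the working directories on the font path and prints a line per directory that still needs its index files; `xset q` then shows exactly which elements made it into the path.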



Re: Problems with a fresh install not finding SSD drive over floppy img HTML5/KVM

2021-11-30 Thread Theo de Raadt
Chris Bennett  wrote:

> After looking over the list, it looks like many SSD's have compatibility
> problems, so I'm just going to switch over to a spinning drive.

That is news to us.



Re: Problems with a fresh install not finding SSD drive over floppy img HTML5/KVM

2021-11-30 Thread Allan Streib
On Tue, Nov 30, 2021, at 3:47 PM, Crystal Kolipe wrote:
> There are plenty of SSDs that work just fine with OpenBSD, and have done
> for a long time.
>
> We've used Corsair, Sandisk, and Kingston SSDs in various OpenBSD machines
> for many years with very few issues.

$ dmesg | grep ^sd

sd0 at scsibus2 targ 0 lun 0:  naa.50025385a01f1611
sd0: 488386MB, 512 bytes/sector, 1000215216 sectors, thin
sd1 at scsibus2 targ 1 lun 0:  naa.500a075112866a03
sd1: 976762MB, 512 bytes/sector, 2000409264 sectors, thin

Both working without issue for me.

Allan



Re: Running redmine on OpenBSD

2021-11-30 Thread Łukasz Moskała

On 30.11.2021 at 16:07, Radek wrote:

On Tue, 30 Nov 2021 10:04:30 +0100
Łukasz Moskała  wrote:




On 30 November 2021 09:45:15 CET, Radek wrote:

On Mon, 29 Nov 2021 11:19:28 +0100
Łukasz Moskała  wrote:


On 28.11.2021 at 18:07, Radek wrote:

Hello,
following the official guide [1] and a few other websites I finally installed my
first Ruby on Rails/Puma web app...  and it passed the local test by curl
(bundle exec rails server webrick -e production) - relayd wasn't configured yet.

Then, I ran my app with the puma server. I can't figure out how to make it work
with FQDN and LetsEncrypt cert.
My configs seem to be fine. It's 7.0/amd64. I've read [2], [3].

I started with a simple httpd configuration to get certs with acme-client and
then https://redmine.MY.DOMAIN.COM showed my testing index.html properly.
Now /etc/httpd.conf has changed but I assume my certs are still OK.

Remote firefox is giving me a "Redirect Loop" error when trying to access 
https://redmine.MY.DOMAIN.COM

Could someone please shed some light on this puzzle?

1. https://www.redmine.org/projects/redmine/wiki/RedmineInstall
2. https://github.com/basicfeatures/openbsd-rails
3. https://gist.github.com/anon987654321/4532cf8d6c59c1f43ec8973faa031103

$ openssl s_client -connect redmine.MY.DOMAIN.COM:443
CONNECTED(0003)
depth=0 CN = redmine.MY.DOMAIN.COM
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = redmine.MY.DOMAIN.COM
verify error:num=21:unable to verify the first certificate
verify return:1
write W BLOCK
---
Certificate chain
   0 s:/CN=redmine.MY.DOMAIN.COM
 i:/C=US/O=Let's Encrypt/CN=R3
---
Server certificate
-BEGIN CERTIFICATE-
[...]
-END CERTIFICATE-
subject=/CN=redmine.MY.DOMAIN.COM
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 2403 bytes and written 367 bytes
---
New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
  Protocol  : TLSv1.3
  Cipher: AEAD-AES256-GCM-SHA384
  Session-ID:
  Session-ID-ctx:
  Master-Key:
  Start Time: 1638116582
  Timeout   : 7200 (sec)
  Verify return code: 21 (unable to verify the first certificate)
---


[redminepk@@redmine70~/redminepk:]bundle exec pumactl27 --config-file 
config/puma.rb start
Puma starting in single mode...
* Puma version: 5.5.2 (ruby 2.7.4-p191) ("Zawgyi")
*  Min threads: 0
*  Max threads: 5
*  Environment: production
*  PID: 85983
* Listening on 
ssl://127.0.0.1:3000?cert=/etc/ssl/redmine.MY.DOMAIN.COM.crt&key=/etc/ssl/private/redmine.MY.DOMAIN.COM.key&verify_mode=none
* Listening on http://127.0.0.1:3001
Use Ctrl-C to stop




# /home/redminepk/redminepk/config/puma.rb
#!/usr/bin/env puma
app = "redminepk"
ssl_bind "127.0.0.1", "3000", {
key: "/etc/ssl/private/redmine.MY.DOMAIN.COM.key",
cert: "/etc/ssl/redmine.MY.DOMAIN.COM.crt"
}
bind "tcp://127.0.0.1:3001"
pidfile "/home/#{app}/#{app}/tmp/puma.pid"
state_path "/home/#{app}/#{app}/tmp/puma.state"
stdout_redirect "/home/#{app}/#{app}/log/puma_access.log", 
"/home/#{app}/#{app}/log/puma_errors.log"
environment "production"


# /home/redminepk/redminepk/config/environments/production.rb
 Rails.application.configure do
 config.cache_classes = true
 config.eager_load = true
 config.consider_all_requests_local = false
 config.action_controller.perform_caching = true
 config.action_mailer.raise_delivery_errors = false
 config.action_mailer.logger = nil
 config.active_support.deprecation = :log
 config.force_ssl = true
end



# /etc/httpd.conf
ext_if="vmx0"
types { include "/usr/share/misc/mime.types" }
server "redmine.MY.DOMAIN.COM" {
  listen on $ext_if port 80
  location "/.well-known/acme-challenge/*" {
  root "/acme"
  request strip 2
  }
  location "*" {
  block return 302 "https://$HTTP_HOST$REQUEST_URI";
  }
}


# /etc/relayd.conf
egress="A.B.C.D"
table  { 127.0.0.1 }
redminepk_port="3001"
table  { 127.0.0.1 }
httpd_port="80"
http protocol "http" {
match request header set "Connection" value "close"
match response header remove "Server"
}
http protocol "https" {
pass request header "Host" value "redmine.MY.DOMAIN.COM" forward to 

tls keypair "redmine.MY.DOMAIN.COM"
# Preserve address headers
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "X-Forwarded-Port" value "$REMOTE_PORT"
match request header append "X-Forwaded-By" value 
"$SERVER_ADDR:$SERVER_PORT"
match request header set "Connection" value "close"
match response header remove "Server"
}
relay "http" {
listen on $egress port http
protocol "http"
forward to  port $httpd_port
}
relay "https" {
listen on $egress port http

Re: /etc/bsd.re-config - change a device?

2021-11-30 Thread Paul B. Henson

Thanks much for the info guys; something to look forward to in 7.1 :).

On 11/30/2021 4:17 AM, Stuart Henderson wrote:

On 2021-11-30, Paul de Weerd  wrote:

On Tue, Nov 30, 2021 at 08:46:34AM -, Stuart Henderson wrote:
| On 2021-11-29, Paul B. Henson  wrote:
| > I'm upgrading to OpenBSD 7 and I was happy to see the new support for
| > /etc/bsd.re-config to allow modified kernels to be automatically
| > rebuilt. However, one of the changes I need to make is updating the IRQ
| > on com2, as my bios assigns it a non-standard value 8-/.
| >
| > I can't figure out how to do that? Is it supported? When I put "change
| > com2" in /etc/bsd.re-config, config interactively asks me:
| >
| > change [n]
| >
| > I tried "change com2 y" and "change com2", then "y" on the next line,
| > but the first gave an error and the second still prompted interactively.
| >
| > Are the only changes supported by /etc/bsd.re-config those that don't
| > need further input?
|
| Currently yes. jcs@ has a diff to change this but it needs review.

I believe this has been committed on November 20:

https://marc.info/?l=openbsd-cvs&m=163737802014911&w=2

However, that means that it won't work in OpenBSD 7.0, you will need
to run something newer (which, at the moment, means -current /
snapshots).


Ah good catch, thanks.





Re: Routing between different subnets

2021-11-30 Thread Łukasz Moskała

On 30.11.2021 at 21:22, Radek wrote:

Hello,
I have a router (6.9/amd64) with NATed subnets (vlan425, vlan426, etc.). This
box is also connected to another subnet via vlan43 and the box can ping the gw of
vlan43 and machines inside this subnet.
I need to enable access for clients from vlan426 to machines in vlan43.

I have no idea how to achieve that...

I've tried to add some routes to /etc/hostname.vlan426:
!sleep 2
!route -v add -inet default 10.4.26.254
!route -v add -net 10.43.0.0/16 10.43.0.197
but /etc/netstart gets stuck on these lines...

What am I doing wrong?

My configs:

$ cat /etc/hostname.em0
-inet
inet A.B.C.D 255.255.255.192 NONE

$ cat /etc/mygate
A.B.C.1

$ cat /etc/hostname.vlan426
inet 10.4.26.254 255.255.255.0 NONE vnetid 426 parent em1

$ cat /etc/hostname.vlan43
-inet
inet 10.43.10.197 255.255.0.0 NONE vnetid 43 parent em1
!route -v add -inet default 10.43.0.1

$ grep 10.43.0 /etc/pf.conf
pass quick from 10.4.26.0/24 to 10.43.0.0/16
pass quick from 10.43.0.0/16 to 10.4.26.0/24



Hi,

First of all, don't do this:
> !route -v add -inet default 10.4.26.254
> !route -v add -net 10.43.0.0/16 10.43.0.197
and this:
> !route -v add -inet default 10.43.0.1

You have to set routing on the machines in vlan426 and vlan43, not on the
gateway between them.


So, let's say you want to allow hostA with IP 10.4.26.5 to reach hostB 
with IP 10.43.0.10.



On hostA, you need to add a route to 10.43.0.0/16 via 10.4.26.254
On hostB, you need to add a route to 10.4.26.0/24 via 10.43.10.197

You don't have to do this on hostA if hostA already has a default route
via 10.4.26.254.
Likewise, you don't need to do this on hostB if hostB has a default route via
10.43.10.197.


Repeat above steps for every machine in vlan43 and vlan426.

Aside from allowing this traffic in pf (which you did), you need to 
enable IP forwarding.


--
Łukasz Moskała
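The answer above boils down to three rules: each end host needs a route to the far subnet via the router's address on its own subnet, that route is unnecessary when the host's default route already points at the router, and the router itself must have IP forwarding turned on. The script below is an added example, not part of the thread, that derives those commands from the addresses quoted in the thread (router 10.4.26.254/24 on vlan426 and 10.43.10.197/16 on vlan43; hostA 10.4.26.5, hostB 10.43.0.10) and refuses a gateway that is not on-link for the host, which is the kind of route line that made the poster's netstart hang. The hosts' default gateways used in the demonstration are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread): derive the per-host routes and the
# router setting for the two-subnet layout described in the answer.
# Addresses are the ones quoted in the thread; hostA's and hostB's default
# gateways below are assumptions for the demonstration.

# ip_to_int A.B.C.D: dotted quad to an integer for mask arithmetic.
ip_to_int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET/PREFIX: succeed when IP lies inside the prefix.
in_net() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  prefix=${2#*/}
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# host_route HOST/PREFIX DEFAULT_GW ROUTER_IP REMOTE_NET
# Prints the route(8) command the host needs to reach REMOTE_NET through the
# router, or nothing when its default route already points at the router.
# Fails if ROUTER_IP is not on the host's own subnet: a next hop that is not
# on-link is exactly the route the kernel will not install.
host_route() {
  host=$1 defgw=$2 router=$3 remote=$4
  if ! in_net "$router" "$host"; then
    echo "error: $router is not on-link for $host" >&2
    return 1
  fi
  if [ "$defgw" = "$router" ]; then
    return 0    # default route via the router already covers $remote
  fi
  echo "route add -net $remote $router"
}

# router_forwarding: the sysctl that lets the router pass packets between
# its interfaces, applied now and persisted for the next boot.
router_forwarding() {
  cat <<'EOF'
sysctl net.inet.ip.forwarding=1
echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf
EOF
}

# Demonstration with the thread's addresses (assumed default gateways).
main() {
  echo "# on hostA (10.4.26.5, default gw 10.4.26.1):"
  host_route 10.4.26.5/24 10.4.26.1 10.4.26.254 10.43.0.0/16
  echo "# on hostB (10.43.0.10, default gw 10.43.0.1):"
  host_route 10.43.0.10/16 10.43.0.1 10.43.10.197 10.4.26.0/24
  echo "# on the router:"
  router_forwarding
}
```

To persist a host route, the same `route add -net ...` line goes into that host's /etc/hostname.if prefixed with `!`; the router needs only the forwarding sysctl plus the pf pass rules already shown in the question.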



Re: Problems with a fresh install not finding SSD drive over floppy img HTML5/KVM

2021-11-30 Thread Crystal Kolipe
On Tue, Nov 30, 2021 at 12:30:50PM -0800, Chris Bennett wrote:
> After looking over the list, it looks like many SSD's have compatibility
> problems, so I'm just going to switch over to a spinning drive.

There are plenty of SSDs that work just fine with OpenBSD, and have done
for a long time.

We've used Corsair, Sandisk, and Kingston SSDs in various OpenBSD machines
for many years with very few issues.



Re: Problems with a fresh install not finding SSD drive over floppy img HTML5/KVM

2021-11-30 Thread Chris Bennett
After looking over the list, it looks like many SSD's have compatibility
problems, so I'm just going to switch over to a spinning drive.

Sorry for the noise.
-- 
Chris Bennett



Routing between different subnets

2021-11-30 Thread Radek
Hello,
I have a router (6.9/amd64) with NATed subnets (vlan425, vlan426, etc.). This
box is also connected to another subnet via vlan43 and the box can ping the gw of
vlan43 and machines inside this subnet.
I need to enable access for clients from vlan426 to machines in vlan43.

I have no idea how to achieve that...

I've tried to add some routes to /etc/hostname.vlan426:
!sleep 2
!route -v add -inet default 10.4.26.254
!route -v add -net 10.43.0.0/16 10.43.0.197
but /etc/netstart gets stuck on these lines...

What am I doing wrong?

My configs:

$ cat /etc/hostname.em0
-inet
inet A.B.C.D 255.255.255.192 NONE

$ cat /etc/mygate
A.B.C.1

$ cat /etc/hostname.vlan426
inet 10.4.26.254 255.255.255.0 NONE vnetid 426 parent em1

$ cat /etc/hostname.vlan43
-inet
inet 10.43.10.197 255.255.0.0 NONE vnetid 43 parent em1
!route -v add -inet default 10.43.0.1

$ grep 10.43.0 /etc/pf.conf
pass quick from 10.4.26.0/24 to 10.43.0.0/16
pass quick from 10.43.0.0/16 to 10.4.26.0/24

-- 
Radek



Re: Raspberry Pi 4B performance compared to APU / wireless networking?

2021-11-30 Thread Steve Williams

On 30/11/2021 12:38 a.m., Stuart Henderson wrote:

On 2021-11-30, Steve Williams  wrote:

Hi,

I have an APU 2C4 running OpenBSD 7.

I see that the Raspberry Pi 4B is supported by OpenBSD now and I was
thinking of getting one to play with as my APU is my main server and I
don't want to take it down to experiment.

I can't seem to find any reviews/comparisons of an APU vs. a Raspberry
Pi 4B.

Does anyone have a "gut" feeling on the relative performance?

Network performance and compiling are way better on the rpi4. Disk io on
OpenBSD can be way better on the APU (we don't support UAS so the faster
USB SSDs don't reach the performance they are capable of). Though there
are some Pi CM4 carrier board which support PCIe-based storage which
should be better than the APU.


Does the wireless networking work well on the Raspberry as the APU's
wireless is less than optimal :) ?

The APU itself doesn't have wlan so that depends on what card you use
of course. bwfm(4) does work well though the antenna is a resonant cavity
etched on the PCB and there's no way to move it outside of the case.
If you want to run a high performance AP you'll still want a separate
device.



Hi Stuart,

Thanks very much for the information!  I'm surprised the Pi will compile 
faster, outside of IO issues.


And the WLAN on the Pi with no antenna?  that sounds a bit weak... I was 
looking at getting an aluminum case that acts as a passive heatsink, but 
my gut feeling is that would be contra-indicated for good wifi... I'll 
follow up with the manufacturer to see what their feedback is.


Thanks again!

Cheers,
Steve W.



Problems with a fresh install not finding SSD drive over floppy img HTML5/KVM

2021-11-30 Thread Chris Bennett
Hi.
I have never done an install to a SSD drive.
The first server they gave me was a bust, so they swapped out boxes.
That has not helped. BIOS shows a Samsung SSD drive, but the settings
were at hard drive instead of SSD drive. I changed that.
Drive does not show up with either setting.
There were also weird networking problems with em0 and em1.

For both boxes, the KVM has been very wonky. Sometimes it works,
sometimes it doesn't, sometimes it disconnects.

I have used this type of server with this company before.
I had zero problems.
I have tried 7.0 and 6.9 amd64. floppy image shows up as sd0 and rd0a
I also tried 7.0 i386. With this one, no drive except rd0a

Shell does not show any drive.

I just did an automated FreeBSD 12 and that installed, but doesn't
manage ssh or pings. It shows up in KVM, but I can't get my keyboard or
virtual keyboard to work.

This server shows up with a status of up. The new one has a status of
NA.
Any help deeply appreciated.

I will probably end up requesting a spinning 1TB drive.
But I have some doubts at this point if I am getting junk boxes.
This was with a Black Friday discount.

--
Chris Bennett



Re: Mouse touchpad no longer working

2021-11-30 Thread Kevin Chadwick
Ignore this. Sorry for the junk thread.

Apparently there is a touchpad disable button that I hit whilst trying to work
out why the OpenBSD compatible wireless card's Windows driver isn't working with
Windows.



Mouse touchpad no longer working

2021-11-30 Thread Kevin Chadwick
Unfortunately due to covid the following machine hasn't been updated a great 
deal.

The touchpad works in Windows and used to work in OpenBSD but now no movement or
button presses have any effect.

> OpenBSD 7.0-current (GENERIC.MP) #133: Tue Nov 30 00:53:23 MST 2021
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 3129393152 (2984MB)
> avail mem = 3018649600 (2878MB)
> random: good seed from bootblocks
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe7d50 (39 entries)
> bios0: vendor Acer version "V1.14" date 07/26/2011
> bios0: Acer TravelMate 5735
> acpi0 at bios0: ACPI 4.0
> acpi0: sleep states S3 S4 S5
> acpi0: tables DSDT FACP HPET APIC MCFG ASF! SLIC BOOT SSDT
> acpi0: wakeup devices UHC0(S3) EHC1(S3) UHC3(S3) EHC2(S3) EXP3(S4) AZAL(S3)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpihpet0 at acpi0: 14318179 Hz
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM)2 Duo CPU T6670 @ 2.20GHz, 2194.80 MHz, 06-17-0a
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN
> cpu0: 2MB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 199MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2.1.3, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Core(TM)2 Duo CPU T6670 @ 2.20GHz, 2194.50 MHz, 06-17-0a
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN
> cpu1: 2MB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins, remapped
> acpimcfg0 at acpi0
> acpimcfg0: addr 0xf800, bus 0-63
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus -1 (PEGP)
> acpiprt2 at acpi0: bus 2 (EXP1)
> acpiprt3 at acpi0: bus 4 (EXP2)
> acpiprt4 at acpi0: bus 5 (EXP3)
> acpiprt5 at acpi0: bus -1 (EXP4)
> acpiprt6 at acpi0: bus -1 (EXP5)
> acpiprt7 at acpi0: bus -1 (EXP6)
> acpiec0 at acpi0
> acpipci0 at acpi0 PCI0
> "pnp0c14" at acpi0 not configured
> acpibat0 at acpi0: BAT0 model "13848641818153793" serial 63 type Lion oem 
> "SANYO "
> acpiac0 at acpi0: AC unit online
> acpibtn0 at acpi0: PWRB
> acpibtn1 at acpi0: LID0
> acpibtn2 at acpi0: SLPB
> acpicmos0 at acpi0
> "PNP0C14" at acpi0 not configured
> "PNP0C14" at acpi0 not configured
> acpicpu0 at acpi0: !C3(100@162 mwait.3@0x50), !C2(500@1 mwait.1@0x10), 
> C1(1000@1 mwait.1), PSS
> acpicpu1 at acpi0: !C3(100@162 mwait.3@0x50), !C2(500@1 mwait.1@0x10), 
> C1(1000@1 mwait.1), PSS
> acpitz0 at acpi0: critical temperature is 110 degC
> acpivideo0 at acpi0: VGA_
> acpivideo1 at acpi0: OVGA
> acpivout0 at acpivideo1: DD02
> cpu0: Enhanced SpeedStep 2194 MHz: speeds: 2201, 2200, 1600, 1200 MHz
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel GM45 Host" rev 0x07
> inteldrm0 at pci0 dev 2 function 0 "Intel GM45 Video" rev 0x07
> drm0 at inteldrm0
> intagp0 at inteldrm0
> agp0 at intagp0: aperture at 0xc000, size 0x1000
> inteldrm0: apic 4 int 16, GM45, gen 4
> "Intel GM45 Video" rev 0x07 at pci0 dev 2 function 1 not configured
> uhci0 at pci0 dev 26 function 0 "Intel 82801I USB" rev 0x03: apic 4 int 20
> uhci1 at pci0 dev 26 function 1 "Intel 82801I USB" rev 0x03: apic 4 int 21
> ehci0 at pci0 dev 26 function 7 "Intel 82801I USB" rev 0x03: apic 4 int 21
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
> addr 1
> azalia0 at pci0 dev 27 function 0 "Intel 82801I HD Audio" rev 0x03: msi
> azalia0: codecs: Realtek ALC272, Intel/0x2802, using Realtek ALC272
> audio0 at azalia0
> ppb0 at pci0 dev 28 function 0 "Intel 82801I PCIE" rev 0x03: msi
> pci1 at ppb0 bus 2
> ppb1 at pci0 dev 28 function 1 "Intel 82801I PCIE" rev 0x03: msi
> pci2 at ppb1 bus 4
> iwn0 at pci2 dev 0 function 0 "Intel Centrino Advanced-N 6200" rev 0x35: msi, 
> MIMO 2T2R, MoW, address 58:94:6b:6f:f8:b4
> ppb2 at pci0 dev 28 function 2 "Intel 82801I PCIE" rev 0x03: msi
> pci3 at ppb2 bus 5
> bge0 at pci3 dev 0 function 0 "Broadcom BCM57780" rev 0x01, BCM57780 A1 
> (0x57780001): msi, address 1c:75:08:f5:34:9b
> brgphy0 at bge0 phy 1: BCM57780 10/100/1000baseT PHY, rev. 1
> uhci2 at pci0 dev 29 function 0 "Intel 82801I USB" rev 0x03: apic 4 int 23
> uhci3 at pci0 dev 29 function 1 "Intel 82801I USB" rev 0x03: apic 4 int 19
> uhci4 at pci0 dev 29 function 2 "Intel 82801I USB" rev 0x03: apic 4 int 20
> uhci5 at pci0 dev 29 function 3 "Intel 82801I USB" rev 0x03: apic 4 int 18
> ehci1 at pci0 dev 29 function 7 "Int

Re: Running redmine on OpenBSD

2021-11-30 Thread Radek
On Tue, 30 Nov 2021 10:04:30 +0100
Łukasz Moskała  wrote:

> 
> 
> On 30 November 2021 09:45:15 CET, Radek  wrote:
> >On Mon, 29 Nov 2021 11:19:28 +0100
> >Łukasz Moskała  wrote:
> >
> >> On 28.11.2021 at 18:07, Radek wrote:
> >> > Hello,
> >> > following the official guide [1] and a few other websites I finally 
> >> > installed my first Ruby on Rails/Puma web app...  and it passed the 
> >> > local test by curl (bundle exec rails server webrick -e production) - 
> >> > relayd wasn't configured yet.
> >> > 
> >> > Then, I ran my app with puma server. I can't figure out how to make it 
> >> > work with FQDN and LetsEncrypt cert.
> >> > My configs seem to be fine. It's 7.0/amd64. I've read [2], [3].
> >> > 
> >> > I started with simple httpd configuration to get certs with acme-client 
> >> > and then https://redmine.MY.DOMAIN.COM showed my testing index.html 
> >> > properly.
> >> > Now /etc/httpd.conf has changed but I assume my certs are still OK.
> >> > 
> >> > Remote firefox is giving me a "Redirect Loop" error when trying to 
> >> > access https://redmine.MY.DOMAIN.COM
> >> > 
> >> > Could someone please shed some light on this puzzle?
> >> > 
> >> > 1. https://www.redmine.org/projects/redmine/wiki/RedmineInstall
> >> > 2. https://github.com/basicfeatures/openbsd-rails
> >> > 3. https://gist.github.com/anon987654321/4532cf8d6c59c1f43ec8973faa031103
> >> > 
> >> > $ openssl s_client -connect redmine.MY.DOMAIN.COM:443
> >> > CONNECTED(0003)
> >> > depth=0 CN = redmine.MY.DOMAIN.COM
> >> > verify error:num=20:unable to get local issuer certificate
> >> > verify return:1
> >> > depth=0 CN = redmine.MY.DOMAIN.COM
> >> > verify error:num=21:unable to verify the first certificate
> >> > verify return:1
> >> > write W BLOCK
> >> > ---
> >> > Certificate chain
> >> >   0 s:/CN=redmine.MY.DOMAIN.COM
> >> > i:/C=US/O=Let's Encrypt/CN=R3
> >> > ---
> >> > Server certificate
> >> > -BEGIN CERTIFICATE-
> >> > [...]
> >> > -END CERTIFICATE-
> >> > subject=/CN=redmine.MY.DOMAIN.COM
> >> > issuer=/C=US/O=Let's Encrypt/CN=R3
> >> > ---
> >> > No client certificate CA names sent
> >> > Server Temp Key: ECDH, X25519, 253 bits
> >> > ---
> >> > SSL handshake has read 2403 bytes and written 367 bytes
> >> > ---
> >> > New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
> >> > Server public key is 4096 bit
> >> > Secure Renegotiation IS NOT supported
> >> > Compression: NONE
> >> > Expansion: NONE
> >> > No ALPN negotiated
> >> > SSL-Session:
> >> >  Protocol  : TLSv1.3
> >> >  Cipher: AEAD-AES256-GCM-SHA384
> >> >  Session-ID:
> >> >  Session-ID-ctx:
> >> >  Master-Key:
> >> >  Start Time: 1638116582
> >> >  Timeout   : 7200 (sec)
> >> >  Verify return code: 21 (unable to verify the first certificate)
> >> > ---
> >> > 
> >> > 
> >> > [redminepk@@redmine70~/redminepk:]bundle exec pumactl27 --config-file 
> >> > config/puma.rb start
> >> > Puma starting in single mode...
> >> > * Puma version: 5.5.2 (ruby 2.7.4-p191) ("Zawgyi")
> >> > *  Min threads: 0
> >> > *  Max threads: 5
> >> > *  Environment: production
> >> > *  PID: 85983
> >> > * Listening on 
> >> > ssl://127.0.0.1:3000?cert=/etc/ssl/redmine.MY.DOMAIN.COM.crt&key=/etc/ssl/private/redmine.MY.DOMAIN.COM.key&verify_mode=none
> >> > * Listening on http://127.0.0.1:3001
> >> > Use Ctrl-C to stop
> >> > 
> >> > 
> >> > 
> >> > 
> >> > # /home/redminepk/redminepk/config/puma.rb
> >> > #!/usr/bin/env puma
> >> > app = "redminepk"
> >> > ssl_bind "127.0.0.1", "3000", {
> >> >key: "/etc/ssl/private/redmine.MY.DOMAIN.COM.key",
> >> >cert: "/etc/ssl/redmine.MY.DOMAIN.COM.crt"
> >> > }
> >> > bind "tcp://127.0.0.1:3001"
> >> > pidfile "/home/#{app}/#{app}/tmp/puma.pid"
> >> > state_path "/home/#{app}/#{app}/tmp/puma.state"
> >> > stdout_redirect "/home/#{app}/#{app}/log/puma_access.log", 
> >> > "/home/#{app}/#{app}/log/puma_errors.log"
> >> > environment "production"
> >> > 
> >> > 
> >> > # /home/redminepk/redminepk/config/environments/production.rb
> >> > Rails.application.configure do
> >> > config.cache_classes = true
> >> > config.eager_load = true
> >> > config.consider_all_requests_local = false
> >> > config.action_controller.perform_caching = true
> >> > config.action_mailer.raise_delivery_errors = false
> >> > config.action_mailer.logger = nil
> >> > config.active_support.deprecation = :log
> >> > config.force_ssl = true
> >> > end
> >> > 
> >> > 
> >> > 
> >> > # /etc/httpd.conf
> >> > ext_if="vmx0"
> >> > types { include "/usr/share/misc/mime.types" }
> >> > server "redmine.MY.DOMAIN.COM" {
> >> >  listen on $ext_if port 80
> >> >  location "/.well-known/acme-challenge/*" {
> >> >  root "/acme"
> >> >  request strip 2
> >> >  }
> >> >  location "*" {
> >> >  block return 302 "https://$HTTP_HOST$REQUEST_URI";
> >> >  }
> >> > }
> >> > 
> >> > 
> >> > # /etc/relayd.conf
> >> > egress=

Re: dd: /dev/rsd1c: device not configured

2021-11-30 Thread Crystal Kolipe
On Tue, Nov 30, 2021 at 02:36:22PM +0100, Luca Ferrari wrote:
> Hi,
> I'm trying to install 7.0 in a virtual box machine using full disk
> encryption, following
> . I've done it on
> real hardware without a problem, but I'm not understanding the error
> in the virtual box machine. In particular, I cannot copy random data
> on the disk before doing the effective encryption.
> This is what I do, after entering the shell at the very first prompt:
> 
> 
> # sysctl hw.disknames
> hw.disknames=wd0:,cd0:,rd0:7c72fe60b4e2338d
> 
> # ls  /dev/rsd*c
> /dev/rsd0c
> 
> Uhm, why is sd0 there and does not appear in the hw.disknames?
> However, I tried to configure the sd1 device:
> 
> # cd /dev
> # sh MAKEDEV sd1
> # dd if=/dev/urandom of=/dev/rsd1c bs=1m
> dd: /dev/rsd1c: device not configured
> 
> # ls /dev/rsd1c
> /dev/rsd1c
> 
> What am I missing here?

You've successfully created a set of device special files in /dev/ for
sd1, i.e. files that have a major device number of 4, and corresponding
minor numbers for each partition.

But since there is no sd1 device present in your (virtual) machine,
you get the device not configured error.  You're trying to talk to a
device that does not exist.

If your main disk is attaching as wd0, you will need to specify
of=/dev/rwd0c in the dd command to write scratch data over it.

Assuming you don't have any sd devices, when you create the softraid
volume, it will appear as sd0.
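Crystal's point above, as an added shell example that is not code from the thread: a device node under /dev only proves MAKEDEV ran, so before running dd over a raw device, check that the disk it names is actually in hw.disknames. The hw.disknames sample is copied from Luca's output; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): before overwriting a disk with
# dd, check that the disk behind the raw device path is actually
# attached, i.e. listed in hw.disknames. A device node in /dev only
# proves that MAKEDEV ran, not that the kernel found a disk.

# Constructed sample, copied from the sysctl output in Luca's mail.
SAMPLE_DISKNAMES='hw.disknames=wd0:,cd0:,rd0:7c72fe60b4e2338d'

# disk_of_rawdev PATH: /dev/rsd1c -> sd1 (strip the directory, the
# leading "r" of the raw node and the trailing partition letter).
disk_of_rawdev() {
    _b=${1##*/}
    _b=${_b#r}
    printf '%s\n' "${_b%?}"
}

# attached_disks LINE: print one attached disk name per line, dropping
# the ":duid" suffix that hw.disknames appends to each entry.
attached_disks() {
    printf '%s\n' "${1#hw.disknames=}" | tr ',' '\n' | cut -d: -f1
}

# is_attached DISK LINE: exit status 0 if DISK appears in LINE.
is_attached() {
    attached_disks "$2" | grep -qx "$1"
}

# check_scratch_target RAWDEV LINE: print RAWDEV if its disk is attached,
# otherwise report an error like the one dd(1) gives and fail.
check_scratch_target() {
    _d=$(disk_of_rawdev "$1")
    if is_attached "$_d" "$2"; then
        printf '%s\n' "$1"
        return 0
    fi
    printf '%s: device not configured (%s not in hw.disknames)\n' "$1" "$_d" >&2
    return 1
}

# On a live install shell, feed the real sysctl output instead of the sample:
#   check_scratch_target /dev/rwd0c "$(sysctl hw.disknames)" \
#       && dd if=/dev/urandom of=/dev/rwd0c bs=1m
```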



Re: Default window manager

2021-11-30 Thread Kristjan Komloši

On 27. 11. 21 22:34, jwinnie@tilde.institute wrote:

Hello OpenBSD users and devs,

I am wondering if there are plans to change the
default window manager in OpenBSD.

Currently, the default WM is fvwm, with cwm and
openbox available as alternatives. However, none
of these are particularly user-friendly, simple,
or modern, and I think it might be advisable to
use a better default here.

Some things which might be wanted:

* Using xcb instead of xlib, since xcb is faster
   and supposedly better
* Dynamic virtual desktops
* Tiling (dynamic or manual)
* Decent window decorations
* Can be controlled with both the pointer and the
   keyboard
* Simple, minimal configuration that fits with the
   rest of OpenBSD

What do you think?

~jwinnie
My poorly-educated opinion is that the defaults work fine. My use case 
for a desktop environment on OpenBSD is little more than terminals and 
the occasional Firefox window. For this usage, fvwm is more than enough 
and I was finding myself using dwm most of the time because it was even 
lighter (plus I was used to the keybinds).


I think that the default package set should cover the lowest common 
denominator in graphics capability. I've been using X on a pretty wide 
set of machines, most of which were either low-power Intel Atom boards, 
C2D ThinkPads, virtual machines, or servers without a dedicated GPU, so 
I was happy that the defaults would be always snappy on the hardware at 
hand. I'm positive I couldn't say that for any of the "modern" user 
friendlier (i.e. visually appealing) offerings.


--
Kristjan Komloši



Re: dd: /dev/rsd1c: device not configured

2021-11-30 Thread Samarul Meu
On Tue, 30 Nov 2021, 15:39 Luca Ferrari  wrote:

> Hi,
> I'm trying to install 7.0 in a virtual box machine using full disk
> encryption, following
> . I've done it on
> real hardware without a problem, but I'm not understanding the error
> in the virtual box machine. In particular, I cannot copy random data
> on the disk before doing the effective encryption.
> This is what I do, after entering the shell at the very first prompt:
>
>
> # sysctl hw.disknames
> hw.disknames=wd0:,cd0:,rd0:7c72fe60b4e2338d
>
> # ls  /dev/rsd*c
> /dev/rsd0c
>
> Uhm, why is sd0 there and does not appear in the hw.disknames?
> However, I tried to configure the sd1 device:
>
> # cd /dev
> # sh MAKEDEV sd1
> # dd if=/dev/urandom of=/dev/rsd1c bs=1m
> dd: /dev/rsd1c: device not configured
>
> # ls /dev/rsd1c
> /dev/rsd1c
>
> What am I missing here?
>
> Thanks,
> Luca
>

Shouldn't you first configure wd0? Create a RAID partition and encrypt it
and then attach it as sd0?

In the FAQ14 section that you mentioned consider sd0 as wd0 and sd1 as sd0.


Re: dd: /dev/rsd1c: device not configured

2021-11-30 Thread Luca Ferrari
On Tue, Nov 30, 2021 at 3:01 PM Hiltjo Posthuma  wrote:
>
> On Tue, Nov 30, 2021 at 02:36:22PM +0100, Luca Ferrari wrote:
> > Hi,
> > I'm trying to install 7.0 in a virtual box machine using full disk
> > encryption, following
> > . I've done it on
> > real hardware without a problem, but I'm not understanding the error
> > in the virtual box machine. In particular, I cannot copy random data
> > on the disk before doing the effective encryption.
> > This is what I do, after entering the shell at the very first prompt:
> >
> >
> > # sysctl hw.disknames
> > hw.disknames=wd0:,cd0:,rd0:7c72fe60b4e2338d
> >
> > # ls  /dev/rsd*c
> > /dev/rsd0c
> >
> > Uhm, why is sd0 there and does not appear in the hw.disknames?
> > However, I tried to configure the sd1 device:
> >
> > # cd /dev
> > # sh MAKEDEV sd1
>
> Hi,
>
> You probably need to "sh MAKEDEV sd0" here, the disk in hw.disknames above is
> wd0.

The same happens with sd0, I mean, dd reports "device not configured".
Moreover, as shown, sd0 is already there before MAKEDEV, that's why I
tried sd1.

Luca



Re: dd: /dev/rsd1c: device not configured

2021-11-30 Thread Hiltjo Posthuma
On Tue, Nov 30, 2021 at 02:36:22PM +0100, Luca Ferrari wrote:
> Hi,
> I'm trying to install 7.0 in a virtual box machine using full disk
> encryption, following
> . I've done it on
> real hardware without a problem, but I'm not understanding the error
> in the virtual box machine. In particular, I cannot copy random data
> on the disk before doing the effective encryption.
> This is what I do, after entering the shell at the very first prompt:
> 
> 
> # sysctl hw.disknames
> hw.disknames=wd0:,cd0:,rd0:7c72fe60b4e2338d
> 
> # ls  /dev/rsd*c
> /dev/rsd0c
> 
> Uhm, why is sd0 there and does not appear in the hw.disknames?
> However, I tried to configure the sd1 device:
> 
> # cd /dev
> # sh MAKEDEV sd1

Hi,

You probably need to "sh MAKEDEV sd0" here, the disk in hw.disknames above is
wd0.

> # dd if=/dev/urandom of=/dev/rsd1c bs=1m
> dd: /dev/rsd1c: device not configured
> 
> # ls /dev/rsd1c
> /dev/rsd1c
> 
> What am I missing here?
> 
> Thanks,
> Luca
> 

-- 
Kind regards,
Hiltjo



dd: /dev/rsd1c: device not configured

2021-11-30 Thread Luca Ferrari
Hi,
I'm trying to install 7.0 in a virtual box machine using full disk
encryption, following
. I've done it on
real hardware without a problem, but I'm not understanding the error
in the virtual box machine. In particular, I cannot copy random data
on the disk before doing the effective encryption.
This is what I do, after entering the shell at the very first prompt:


# sysctl hw.disknames
hw.disknames=wd0:,cd0:,rd0:7c72fe60b4e2338d

# ls  /dev/rsd*c
/dev/rsd0c

Uhm, why is sd0 there and does not appear in the hw.disknames?
However, I tried to configure the sd1 device:

# cd /dev
# sh MAKEDEV sd1
# dd if=/dev/urandom of=/dev/rsd1c bs=1m
dd: /dev/rsd1c: device not configured

# ls /dev/rsd1c
/dev/rsd1c

What am I missing here?

Thanks,
Luca



Re: /etc/bsd.re-config - change a device?

2021-11-30 Thread Stuart Henderson
On 2021-11-30, Paul de Weerd  wrote:
> On Tue, Nov 30, 2021 at 08:46:34AM -, Stuart Henderson wrote:
>| On 2021-11-29, Paul B. Henson  wrote:
>| > I'm upgrading to OpenBSD 7 and I was happy to see the new support for
>| > /etc/bsd.re-config to allow modified kernels to be automatically
>| > rebuilt. However, one of the changes I need to make is updating the IRQ
>| > on com2, as my bios assigns it a non-standard value 8-/.
>| >
>| > I can't figure out how to do that? Is it supported? When I put "change
>| > com2" in /etc/bsd.re-config, config interactively asks me:
>| >
>| > change [n]
>| >
>| > I tried "change com2 y" and "change com2", then "y" on the next line,
>| > but the first gave an error and the second still prompted interactively.
>| >
>| > Are the only changes supported by /etc/bsd.re-config those that don't
>| > need further input?
>| 
>| Currently yes. jcs@ has a diff to change this but it needs review.
>
> I believe this has been committed on November 20:
>
> https://marc.info/?l=openbsd-cvs&m=163737802014911&w=2
>
> However, that means that it won't work in OpenBSD 7.0, you will need
> to run something newer (which, at the moment, means -current /
> snapshots).

Ah good catch, thanks.

-- 
Please keep replies on the mailing list.



Re: CPU recommendation

2021-11-30 Thread Hrvoje Popovski
On 29.11.2021. 15:55, Barbaros Bilek wrote:
> Hello @misc,
> 
> I’m network administrator at a Hotel. We have nearly ~=1600 users
> concurrently.
> I’m trying to figure out which hardware covers my pc based OpenBSD firewall.
> Disk : 1 TB SSD
> RAM : 16 GB
> Ethernet : Intel i211AT
> But what about CPU. As far as I know CPU frequency is more important at
> OpenBSD cause there is netlock() etc.
> Right?
> 
> So which CPU is better at the moment?
> Intel Core i3-6320 @ 3.90GHz
> Intel Core i7-7700 @ 3.60GHz
> 

Hi,

I would go with at least 4 cores (8 cores are better) without HT and
with X540-T/X550-T ix(4) interface rather than em(4), even on 1G...
that's because openbsd doesn't have multiqueue support for em(4) yet,
but for ix(4) it does.

if you can wait for em(4) to gain multiqueue support, go with em ...but
it seems to me that motivation to have mq em(4) is not that high :)

openbsd could be unlocked soon and multiqueue support of network cards
is fundamental for that to happen and in that moment you would like to
have a reasonable number of cores and a proper mq interface.



Re: IKEv1 and IKEv2 coexistence

2021-11-30 Thread Grzegorz Patola

Many thanks Stuart.

On 30/11/2021 08:48, Stuart Henderson wrote:

On 2021-11-29, Grzegorz Patola  wrote:

Could you tell me if it is possible to run ipsec in v1 and v2

ie. isakmpd and iked daemons on just one gateway ?

It is not.




Re: /etc/bsd.re-config - change a device?

2021-11-30 Thread Paul de Weerd
On Tue, Nov 30, 2021 at 08:46:34AM -, Stuart Henderson wrote:
| On 2021-11-29, Paul B. Henson  wrote:
| > I'm upgrading to OpenBSD 7 and I was happy to see the new support for
| > /etc/bsd.re-config to allow modified kernels to be automatically
| > rebuilt. However, one of the changes I need to make is updating the IRQ
| > on com2, as my bios assigns it a non-standard value 8-/.
| >
| > I can't figure out how to do that? Is it supported? When I put "change
| > com2" in /etc/bsd.re-config, config interactively asks me:
| >
| > change [n]
| >
| > I tried "change com2 y" and "change com2", then "y" on the next line,
| > but the first gave an error and the second still prompted interactively.
| >
| > Are the only changes supported by /etc/bsd.re-config those that don't
| > need further input?
| 
| Currently yes. jcs@ has a diff to change this but it needs review.

I believe this has been committed on November 20:

https://marc.info/?l=openbsd-cvs&m=163737802014911&w=2

However, that means that it won't work in OpenBSD 7.0, you will need
to run something newer (which, at the moment, means -current /
snapshots).

Cheers,

Paul

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



Re: Running redmine on OpenBSD

2021-11-30 Thread Łukasz Moskała



On 30 November 2021 09:45:15 CET, Radek  wrote:
>On Mon, 29 Nov 2021 11:19:28 +0100
>Łukasz Moskała  wrote:
>
>> On 28.11.2021 at 18:07, Radek wrote:
>> > Hello,
>> > following the official guide [1] and a few other websites I finally 
>> > installed my first Ruby on Rails/Puma web app...  and it passed the local 
>> > test by curl (bundle exec rails server webrick -e production) - relayd 
>> > wasn't configured yet.
>> > 
>> > Then, I ran my app with puma server. I can't figure out how to make it 
>> > work with FQDN and LetsEncrypt cert.
>> > My configs seem to be fine. It's 7.0/amd64. I've read [2], [3].
>> > 
>> > I started with simple httpd configuration to get certs with acme-client 
>> > and then https://redmine.MY.DOMAIN.COM showed my testing index.html 
>> > properly.
>> > Now /etc/httpd.conf has changed but I assume my certs are still OK.
>> > 
>> > Remote firefox is giving me a "Redirect Loop" error when trying to access 
>> > https://redmine.MY.DOMAIN.COM
>> > 
>> > Could someone please shed some light on this puzzle?
>> > 
>> > 1. https://www.redmine.org/projects/redmine/wiki/RedmineInstall
>> > 2. https://github.com/basicfeatures/openbsd-rails
>> > 3. https://gist.github.com/anon987654321/4532cf8d6c59c1f43ec8973faa031103
>> > 
>> > $ openssl s_client -connect redmine.MY.DOMAIN.COM:443
>> > CONNECTED(0003)
>> > depth=0 CN = redmine.MY.DOMAIN.COM
>> > verify error:num=20:unable to get local issuer certificate
>> > verify return:1
>> > depth=0 CN = redmine.MY.DOMAIN.COM
>> > verify error:num=21:unable to verify the first certificate
>> > verify return:1
>> > write W BLOCK
>> > ---
>> > Certificate chain
>> >   0 s:/CN=redmine.MY.DOMAIN.COM
>> > i:/C=US/O=Let's Encrypt/CN=R3
>> > ---
>> > Server certificate
>> > -BEGIN CERTIFICATE-
>> > [...]
>> > -END CERTIFICATE-
>> > subject=/CN=redmine.MY.DOMAIN.COM
>> > issuer=/C=US/O=Let's Encrypt/CN=R3
>> > ---
>> > No client certificate CA names sent
>> > Server Temp Key: ECDH, X25519, 253 bits
>> > ---
>> > SSL handshake has read 2403 bytes and written 367 bytes
>> > ---
>> > New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
>> > Server public key is 4096 bit
>> > Secure Renegotiation IS NOT supported
>> > Compression: NONE
>> > Expansion: NONE
>> > No ALPN negotiated
>> > SSL-Session:
>> >  Protocol  : TLSv1.3
>> >  Cipher: AEAD-AES256-GCM-SHA384
>> >  Session-ID:
>> >  Session-ID-ctx:
>> >  Master-Key:
>> >  Start Time: 1638116582
>> >  Timeout   : 7200 (sec)
>> >  Verify return code: 21 (unable to verify the first certificate)
>> > ---
>> > 
>> > 
>> > [redminepk@@redmine70~/redminepk:]bundle exec pumactl27 --config-file 
>> > config/puma.rb start
>> > Puma starting in single mode...
>> > * Puma version: 5.5.2 (ruby 2.7.4-p191) ("Zawgyi")
>> > *  Min threads: 0
>> > *  Max threads: 5
>> > *  Environment: production
>> > *  PID: 85983
>> > * Listening on 
>> > ssl://127.0.0.1:3000?cert=/etc/ssl/redmine.MY.DOMAIN.COM.crt&key=/etc/ssl/private/redmine.MY.DOMAIN.COM.key&verify_mode=none
>> > * Listening on http://127.0.0.1:3001
>> > Use Ctrl-C to stop
>> > 
>> > 
>> > 
>> > 
>> > # /home/redminepk/redminepk/config/puma.rb
>> > #!/usr/bin/env puma
>> > app = "redminepk"
>> > ssl_bind "127.0.0.1", "3000", {
>> >key: "/etc/ssl/private/redmine.MY.DOMAIN.COM.key",
>> >cert: "/etc/ssl/redmine.MY.DOMAIN.COM.crt"
>> > }
>> > bind "tcp://127.0.0.1:3001"
>> > pidfile "/home/#{app}/#{app}/tmp/puma.pid"
>> > state_path "/home/#{app}/#{app}/tmp/puma.state"
>> > stdout_redirect "/home/#{app}/#{app}/log/puma_access.log", 
>> > "/home/#{app}/#{app}/log/puma_errors.log"
>> > environment "production"
>> > 
>> > 
>> > # /home/redminepk/redminepk/config/environments/production.rb
>> > Rails.application.configure do
>> > config.cache_classes = true
>> > config.eager_load = true
>> > config.consider_all_requests_local = false
>> > config.action_controller.perform_caching = true
>> > config.action_mailer.raise_delivery_errors = false
>> > config.action_mailer.logger = nil
>> > config.active_support.deprecation = :log
>> > config.force_ssl = true
>> > end
>> > 
>> > 
>> > 
>> > # /etc/httpd.conf
>> > ext_if="vmx0"
>> > types { include "/usr/share/misc/mime.types" }
>> > server "redmine.MY.DOMAIN.COM" {
>> >  listen on $ext_if port 80
>> >  location "/.well-known/acme-challenge/*" {
>> >  root "/acme"
>> >  request strip 2
>> >  }
>> >  location "*" {
>> >  block return 302 "https://$HTTP_HOST$REQUEST_URI";
>> >  }
>> > }
>> > 
>> > 
>> > # /etc/relayd.conf
>> > egress="A.B.C.D"
>> > table  { 127.0.0.1 }
>> > redminepk_port="3001"
>> > table  { 127.0.0.1 }
>> > httpd_port="80"
>> > http protocol "http" {
>> >match request header set "Connection" value "close"
>> >match response header remove "Server"
>> > }
>> > http protocol "https" {
>> >pass request header "Host" value "redmine.MY

Re: pkg_add python errors ...

2021-11-30 Thread Stuart Henderson
On 2021-11-29, Why 42? The lists account.  wrote:
>
> Well, errors related to the python package ...
>
> After updating to the latest snapshot and rebooting I ran "pkg_add -vu"
> to update all my packages, which I think is the right thing to do.
>
> I noticed some strange errors related to python scroll past i.e.

I made a mistake with the version switch from 3.8 to 3.9 as default and you
updated to the one snapshot package build that had bad conflict markers -
I have been told that running pkg_add -u a couple more times will clear it,
if not then rm -r /var/db/pkg/partial-python* and run pkg_add -u again.




Re: IKEv1 and IKEv2 coexistence

2021-11-30 Thread Stuart Henderson
On 2021-11-29, Grzegorz Patola  wrote:
> Could you tell me if it is possible to run ipsec in v1 and v2
>
> ie. isakmpd and iked daemons on just one gateway ?

It is not.



Re: /etc/bsd.re-config - change a device?

2021-11-30 Thread Stuart Henderson
On 2021-11-29, Paul B. Henson  wrote:
> I'm upgrading to OpenBSD 7 and I was happy to see the new support for
> /etc/bsd.re-config to allow modified kernels to be automatically
> rebuilt. However, one of the changes I need to make is updating the IRQ
> on com2, as my bios assigns it a non-standard value 8-/.
>
> I can't figure out how to do that? Is it supported? When I put "change
> com2" in /etc/bsd.re-config, config interactively asks me:
>
> change [n]
>
> I tried "change com2 y" and "change com2", then "y" on the next line,
> but the first gave an error and the second still prompted interactively.
>
> Are the only changes supported by /etc/bsd.re-config those that don't
> need further input?

Currently yes. jcs@ has a diff to change this but it needs review.




Re: Running redmine on OpenBSD

2021-11-30 Thread Radek
On Mon, 29 Nov 2021 11:19:28 +0100
Łukasz Moskała  wrote:

> On 28.11.2021 at 18:07, Radek wrote:
> > Hello,
> > following the official guide [1] and a few other websites I finally installed 
> > my first Ruby on Rails/Puma web app...  and it passed the local test by 
> > curl (bundle exec rails server webrick -e production) - relayd wasn't 
> > configured yet.
> > 
> > Then, I ran my app with puma server. I can't figure out how to make it work 
> > with FQDN and LetsEncrypt cert.
> > My configs seem to be fine. It's 7.0/amd64. I've read [2], [3].
> > 
> > I started with simple httpd configuration to get certs with acme-client and 
> > then https://redmine.MY.DOMAIN.COM showed my testing index.html properly.
> > Now /etc/httpd.conf has changed but I assume my certs are still OK.
> > 
> > Remote firefox is giving me a "Redirect Loop" error when trying to access 
> > https://redmine.MY.DOMAIN.COM
> > 
> > Could someone please shed some light on this puzzle?
> > 
> > 1. https://www.redmine.org/projects/redmine/wiki/RedmineInstall
> > 2. https://github.com/basicfeatures/openbsd-rails
> > 3. https://gist.github.com/anon987654321/4532cf8d6c59c1f43ec8973faa031103
> > 
> > $ openssl s_client -connect redmine.MY.DOMAIN.COM:443
> > CONNECTED(0003)
> > depth=0 CN = redmine.MY.DOMAIN.COM
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 CN = redmine.MY.DOMAIN.COM
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> > write W BLOCK
> > ---
> > Certificate chain
> >   0 s:/CN=redmine.MY.DOMAIN.COM
> > i:/C=US/O=Let's Encrypt/CN=R3
> > ---
> > Server certificate
> > -BEGIN CERTIFICATE-
> > [...]
> > -END CERTIFICATE-
> > subject=/CN=redmine.MY.DOMAIN.COM
> > issuer=/C=US/O=Let's Encrypt/CN=R3
> > ---
> > No client certificate CA names sent
> > Server Temp Key: ECDH, X25519, 253 bits
> > ---
> > SSL handshake has read 2403 bytes and written 367 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
> > Server public key is 4096 bit
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > SSL-Session:
> >  Protocol  : TLSv1.3
> >  Cipher: AEAD-AES256-GCM-SHA384
> >  Session-ID:
> >  Session-ID-ctx:
> >  Master-Key:
> >  Start Time: 1638116582
> >  Timeout   : 7200 (sec)
> >  Verify return code: 21 (unable to verify the first certificate)
> > ---
> > 
> > 
> > [redminepk@@redmine70~/redminepk:]bundle exec pumactl27 --config-file 
> > config/puma.rb start
> > Puma starting in single mode...
> > * Puma version: 5.5.2 (ruby 2.7.4-p191) ("Zawgyi")
> > *  Min threads: 0
> > *  Max threads: 5
> > *  Environment: production
> > *  PID: 85983
> > * Listening on 
> > ssl://127.0.0.1:3000?cert=/etc/ssl/redmine.MY.DOMAIN.COM.crt&key=/etc/ssl/private/redmine.MY.DOMAIN.COM.key&verify_mode=none
> > * Listening on http://127.0.0.1:3001
> > Use Ctrl-C to stop
> > 
> > 
> > 
> > 
> > # /home/redminepk/redminepk/config/puma.rb
> > #!/usr/bin/env puma
> > app = "redminepk"
> > ssl_bind "127.0.0.1", "3000", {
> >key: "/etc/ssl/private/redmine.MY.DOMAIN.COM.key",
> >cert: "/etc/ssl/redmine.MY.DOMAIN.COM.crt"
> > }
> > bind "tcp://127.0.0.1:3001"
> > pidfile "/home/#{app}/#{app}/tmp/puma.pid"
> > state_path "/home/#{app}/#{app}/tmp/puma.state"
> > stdout_redirect "/home/#{app}/#{app}/log/puma_access.log", 
> > "/home/#{app}/#{app}/log/puma_errors.log"
> > environment "production"
> > 
> > 
> > # /home/redminepk/redminepk/config/environments/production.rb
> > Rails.application.configure do
> > config.cache_classes = true
> > config.eager_load = true
> > config.consider_all_requests_local = false
> > config.action_controller.perform_caching = true
> > config.action_mailer.raise_delivery_errors = false
> > config.action_mailer.logger = nil
> > config.active_support.deprecation = :log
> > config.force_ssl = true
> > end
> > 
> > 
> > 
> > # /etc/httpd.conf
> > ext_if="vmx0"
> > types { include "/usr/share/misc/mime.types" }
> > server "redmine.MY.DOMAIN.COM" {
> >  listen on $ext_if port 80
> >  location "/.well-known/acme-challenge/*" {
> >  root "/acme"
> >  request strip 2
> >  }
> >  location "*" {
> >  block return 302 "https://$HTTP_HOST$REQUEST_URI";
> >  }
> > }
> > 
> > 
> > # /etc/relayd.conf
> > egress="A.B.C.D"
> > table  { 127.0.0.1 }
> > redminepk_port="3001"
> > table  { 127.0.0.1 }
> > httpd_port="80"
> > http protocol "http" {
> >match request header set "Connection" value "close"
> >match response header remove "Server"
> > }
> > http protocol "https" {
> >pass request header "Host" value "redmine.MY.DOMAIN.COM" forward to 
> > 
> >tls keypair "redmine.MY.DOMAIN.COM"
> ># Preserve address headers
> >match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> >match request heade

Re: Raspberry Pi 4B performance compared to APU / wireless networking?

2021-11-30 Thread Stuart Henderson
On 2021-11-30, Steve Williams  wrote:
> Hi,
>
> I have an APU 2C4 running OpenBSD 7.
>
> I see that the Raspberry Pi 4B is supported by OpenBSD now and I was 
> thinking of getting one to play with as my APU is my main server and I 
> don't want to take it down to experiment.
>
> I can't seem to find any reviews/comparisons of an APU vs. a Raspberry 
> Pi 4B.
>
> Does anyone have a "gut" feeling on the relative performance?

Network performance and compiling are way better on the rpi4. Disk io on
OpenBSD can be way better on the APU (we don't support UAS so the faster
USB SSDs don't reach the performance they are capable of). Though there
are some Pi CM4 carrier boards which support PCIe-based storage which
should be better than the APU.

> Does the wireless networking work well on the Raspberry as the APU's 
> wireless is less than optimal :) ?

The APU itself doesn't have wlan so that depends on what card you use
of course. bwfm(4) does work well though the antenna is a resonant cavity
etched on the PCB and there's no way to move it outside of the case.
If you want to run a high performance AP you'll still want a separate
device.




Re: odd bc -l output

2021-11-30 Thread Jan Stary
On Nov 30 08:38:27, p...@delphinusdns.org wrote:
> In fact it's not just bc -l, but also when I calculate the following in C
> (linked with -lm)
> 
> C = (180.0 - A) - B;
> a = (double)(c / sin(C)) * sin(A);
> b = (double)(c / sin(C)) * sin(B);
> 
> Some may recognize this as parts of the Law of Sines.
> 
> pjp@neptune$ bc -l
> (9 / s(70)) * s(76)
> 6.58357679385302895866
> 
> When I do it with xcalc I get the correct 9.2931043.

Look at /usr/share/misc/bc.library to see what bc's s(x) really is.
Then look at lib/libm/ to see what sin() and friends really are.
(Yes, a Taylor polynomial around zero; almost.)

It is known that the values of goniometric functions can get way off:
sin() at multiples of pi is nonzero, etc.

For extra laughs, read this article
https://randomascii.wordpress.com/2014/10/09/intel-underestimates-error-bounds-by-1-3-quintillion/
about how Intel tried to have fsin() in their instruction set.

Jan



Re: libdmx removal incomplete?

2021-11-30 Thread Stuart Henderson
On 2021-11-29, Nick Holland  wrote:
> I've been using OpenBSD since v2.4, I have never run a "clean up" tool of
> any kind.  I reinstall only when replacing hardware, the rest of the time,
> I run upgrades, I run snapshots and update frequently so I get a lot of
> old files piling up at times.  And they just don't matter.

FWIW I've been running it since whichever version had a picture with a
dark background and a red daemon head, and I use sysclean frequently.
Most of the machines I maintain are remote and the upgrade process
copes poorly or very poorly when running out of space. Before sysclean
I usually did things like "cd /usr; rm -r share libdata X11R6 include"
and looked at file dates/sizes in /usr/lib, so it's a big improvement.

Different people have worked out different ways to maintain their
systems, that's fine.



Re: libdmx removal incomplete?

2021-11-30 Thread Stuart Henderson
On 2021-11-29, Amit Kulkarni  wrote:
> On Sun, Nov 28, 2021 at 5:17 PM Alexander  wrote:
>> Just to gauge what to expect from this and whether I did this wrong:
>> After configuring /etc/sysclean.ignore I get 3382 files of which 3274
>> are in /usr/X11R6/lib/X11/fonts/. Are numbers this large to be expected?
>
> 3382 files is too large.

That seems about right for the removed font variants to me. You can't
judge by the number of files, only the filenames.

*If* you don't compile your own software from outside ports/packages, the
files under /usr listed in sysclean's default output (no -a flag) are good.
I do review manually before rm'ing but I have *never* had it suggest
removing something under /usr that is required. Files outside /usr
need more care.

(And, if you do compile your own software, it's going to break every few
releases on OpenBSD anyway, system call ABIs change fairly frequently).




Re: bgpd, announce to ibgp from 2 routers, prefixes only show up from 1

2021-11-30 Thread Claudio Jeker
On Mon, Nov 29, 2021 at 10:38:21PM +0100, Sebastian Benoit wrote:
> Stuart Henderson(s...@spacehopper.org) on 2021.11.13 00:11:08 +:
> > I have a pair of -current routers running bgpd (let's call them rtr-a
> > and rtr-b) on a subnet which also has some vpn gateways and firewalls.
> > 
> > These routers provide a carp address which the vpn gateways are using
> > as default route. There are some networks behind the vpn gateways (a
> > /32 to accept incoming vpn connections and some other prefixes that vpn
> > clients are numbered from).
> > 
> > rtr-a and rtr-b have static routes to those networks, and they have
> > network statements in bgpd.conf to announce them to their ibgp peers
> > ("network 172.24.232.0/21 set nexthop XXX" etc) so the paths are reachable
> > from the rest of the network. (This is replacing an existing setup using
> > ospf, trying to remove routing protocols from machines that don't really
> > need them).
> > 
> > It is working but something seems a little odd - the paths are announced
> > from both routers briefly and show up on the rest of the network from
> > both rtr-a and rtr-b. But after a few seconds, rtr-b receives these
> > paths from rtr-a, and then rtr-b stops announcing them itself. (they
> > stop showing in "bgpctl sh rib out" on rtr-b; "bgpctl sh nex" does
> > correctly identify the associated nexthops as connected/UP).
> > 
> > Is this expected/correct behaviour?
> 
> It is expected: once rtr-b receives the route from rtr-a, it will run the
> route decision process on it. If both routers are configured identically
> except for the router-id, one of the routes will be preferred at either the
> "oldest path" or the "lowest bgp id" criteria.
> 
> As only one route is a best route, that one will be announced to the
> neighbors. However this is IBGP. In a set of IBGP connected routers, a
> router will not announce a route to other IBGP peers that it received
> on an IBGP session. Thus, rtr-b will stop announcing that route.
> 
> When rtr-a goes down, the session is shut down or the prefix is filtered,
> bgpd won't see the "better" route anymore and announce its own instead.
> 
> > I'd prefer to have them announced from both rtr-a and rtr-b, so there's
> > no blackhole period if rtr-a is restarted while rtr-b figures out that
> > it should start announcing them, etc. (No need for tracking carp state
> > in this case, I'm not using stateful pf rules on the traffic involved).
> 
> This is a place where ospf might give you faster failover, especially with
> the redistribute ... depend on ... syntax.
>  
> > If rtr-b stops seeing the prefixes from rtr-a (either by taking down
> > the ibgp session, or by filtering) I see the announcements from both
> > rtr-a and rtr-b again. So the obvious workaround is to filter, but
> > I thought I'd ask first in case it's something that is better handled
> > by code changes rather than config.

Or the other way is to alter localpref, as-path or metric of those routes
in some way that makes sure that both router-A and router-B announce a
"better" route.

You can do this in multiple ways. One way would be to use something like
this:
pass out on ibgp metric +1
or
pass in on ibgp metric -1
 
Long term it would be nice to reintroduce route metrics and use this
to sort nexthops in bgpd.

-- 
:wq Claudio
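To make the behaviour Sebastian and Claudio describe concrete, here is a small added model (not bgpd code, not from the thread): two routers originate the same prefix, exchange it over an IBGP mesh, and we check who keeps announcing with and without the outgoing "metric +1" rule. Router names, router-ids and the prefix are constructed, and the decision process is reduced to the two criteria the thread mentions (lower metric, then lowest router-id).

```python
# Added example, not from the thread and not bgpd's own decision process.
# Simplified model: best path = lowest MED ("metric"), then lowest router-id;
# a route learned over an IBGP session is never re-announced to IBGP peers.
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    prefix: str
    origin_rtr: str    # router whose static route / network statement injected it
    router_id: int     # router-id of that router (constructed integer values)
    med: int           # bgpd "metric" attribute, lower is better
    from_ibgp: bool    # True if this copy was learned over an IBGP session


def best_path(paths):
    """Pick the best path: lowest MED first, then lowest router-id."""
    return min(paths, key=lambda p: (p.med, p.router_id))


def announces(rib):
    """Prefixes a router announces to IBGP peers: the best path for each
    prefix, but only if that best path was not itself learned over IBGP."""
    return {pfx: best_path(paths) for pfx, paths in rib.items()
            if not best_path(paths).from_ibgp}


def converge(prefix, routers, out_metric_delta=0):
    """Both routers originate `prefix` (MED 0) and learn the peer's copy over
    IBGP.  out_metric_delta models 'pass out on ibgp metric +N' applied by the
    announcing router.  Returns {router: still announces the prefix?}."""
    local = {r: Path(prefix, r, rid, 0, False) for r, rid in routers.items()}
    rib = {}
    for r in routers:
        rib[r] = {prefix: [local[r]]}
        for peer in routers:
            if peer == r:
                continue
            p = local[peer]
            # Copy received from the peer: MED as sent, flagged as IBGP-learned.
            rib[r][prefix].append(Path(prefix, p.origin_rtr, p.router_id,
                                       p.med + out_metric_delta, True))
    return {r: prefix in announces(rib[r]) for r in routers}


if __name__ == "__main__":
    rtrs = {"rtr-a": 1, "rtr-b": 2}          # rtr-a has the lower router-id
    print(converge("172.24.232.0/21", rtrs))                     # rtr-b stops
    print(converge("172.24.232.0/21", rtrs, out_metric_delta=1))  # both announce
```

With no metric change rtr-b prefers rtr-a's copy (lower router-id) and, because that copy came over IBGP, stops announcing; with the outgoing metric bumped, each router's own route wins and both keep announcing, which is the failover property Stuart was after.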



Re: bgpd, announce to ibgp from 2 routers, prefixes only show up from 1

2021-11-30 Thread Stuart Henderson
On 2021-11-29, Sebastian Benoit  wrote:
>
> It is expected: once rtr-b receives the route from rtr-a, it will run the
> route decision process on it. If both routers are configured identically
> except for the router-id, one of the routes will be preferred at either the
> "oldest path" or the "lowest bgp id" criteria.
>
> As only one route is a best route, that one will be announced to the
> neighbors. However this is IBGP. In a set of IBGP connected routers, a
> router will not announce a route to other IBGP peers that it received
> on an IBGP session. Thus, rtr-b will stop announcing that route.

Thanks, the explanation makes sense (though it doesn't feel quite like
expected behaviour - it makes sense that it doesn't announce the route
received over IBGP but seems a little strange that an explicitly
configured local announcement from a static route depends on BGP from
other routers). Anyway filtering the incoming prefixes is having the
desired effect.

> When rtr-a goes down, the session is shut down or the prefix is filtered,
> bgpd won't see the "better" route anymore and announce its own instead.
>
>> I'd prefer to have them announced from both rtr-a and rtr-b, so there's
>> no blackhole period if rtr-a is restarted while rtr-b figures out that
>> it should start announcing them, etc. (No need for tracking carp state
>> in this case, I'm not using stateful pf rules on the traffic involved).
>
> This is a place where ospf might give you faster failover, especially with
> the redistribute ... depend on ... syntax.

Reducing the number of machines running ospfd was the whole reason for
changing this. And with the timers I'm having to run on OSPF to get something
vaguely approaching stability I can't say that it will be any faster than BGP!