Boise mirror certificate expired : Boise, ID, USA : mirrors.syringanetworks.net

2022-03-17 Thread Luke Small
Boise mirror certificate expired : Boise, ID, USA :
mirrors.syringanetworks.net

mirrors@ didn't quite seem like it was being used.

-Luke


Re: chroot for go webserver with pledge and unveil

2022-03-17 Thread William Ahern
On Thu, Mar 17, 2022 at 06:34:28PM -, Stuart Henderson wrote:
> On 2022-03-16, Marc Espie  wrote:
> > On Tue, Mar 15, 2022 at 11:32:19PM +0100, i...@tutanota.com wrote:
> >> Since Go has support for pledge and unveil, I was thinking about
> >> "imitating" the setup for httpd.
> >> 
> >> I basically need to run a Go webserver with access to MariaDB,
> >> but would like to chroot the Go webserver.
> >> 
> >> I was thinking that since Go by default doesn't run a webserver on
> >>  port 80 or 443, I would just spawn as www user on some higher
> >>  port and then use PF to redirect.
> >
> > The age old practice of dropping privileges just works.
> >
> > I assume go has bindings for setuid() and friends.
> 
> Go software doesn't usually like to do this because of some issue
> with doing so on Linux that I don't _think_ apply to OpenBSD.
> And they have the "allow binding to low ports as a non-root uid"
> setcap thingy so nobody fixes it. (That would have been much more
> acceptable if it was a "bind to _a specific_ low port"...)
> 

Since Go 1.16 this issue has been fixed, at least for static and glibc-based
builds (not sure about musl libc). See
https://github.com/golang/go/commit/d1b1145cace8b968307f9311ff611e4bb810710c
and
https://github.com/golang/go/commit/d1b1145cace8b968307f9311ff611e4bb810710c

And you're correct--the issue was always specific to Linux. But until Go few
people cared because glibc and musl contained hacks to transparently
implement POSIX semantics--process-global, not thread-local. However, Go
spawns threads directly, rather than using libc's pthreads API and its
setuid, et al syscall wrappers, which emulate proper behavior. Such
workarounds aren't necessary on OpenBSD, even if not using the libc
userspace APIs, as credentials are process-global in the kernel.



Re: chroot for go webserver with pledge and unveil

2022-03-17 Thread William Ahern
On Thu, Mar 17, 2022 at 09:41:13PM +0100, i...@tutanota.com wrote:
> >> I assume go has bindings for setuid() and friends.
> 
> > Go software doesn't usually like to do this because of some issue
> > with doing so on Linux that I don't _think_ apply to OpenBSD. And
> > they have the "allow binding to low ports as a non-root uid" setcap
> > thingy so nobody fixes it. (That would have been much more acceptable
> > if it was a "bind to _a specific_ low port"...)
> 
> For future reference, if someone stumbles upon this.
> 
> I found this:
> 
> https://stackoverflow.com/questions/41248866/golang-dropping-privileges-v1-7
> 
> And this (Linux specific):
> 
> https://git.kernel.org/pub/scm/libs/libcap/libcap.git/tree/goapps/web
> 
> The PF solution seems simpler to implement.

Since Go 1.16 this issue has been fixed, at least for static and glibc-based
builds (not sure about musl libc). See
https://github.com/golang/go/commit/d1b1145cace8b968307f9311ff611e4bb810710c
and
https://github.com/golang/go/commit/d1b1145cace8b968307f9311ff611e4bb810710c

But it was never an issue on OpenBSD, anyhow; rather a problem with how
Linux implements these syscalls in the kernel. On OpenBSD things will work
as expected, without requiring any hacks. The libcap hack is Linux-specific
because the problem is specific to Linux.
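As an added example (not code from the thread, nor from the Go project) of the bind-then-drop-privileges pattern Marc suggests and William says works in Go 1.16 and later, here is a Go program that binds a low port while root, chroots, and then switches the whole process to the www user using only the standard library's syscall package, verifying afterwards that the drop actually took and cannot be undone. The listen address, the "www" account and the /var/empty chroot directory are assumptions chosen to match an OpenBSD base install; on OpenBSD the golang.org/x/sys/unix package additionally exposes Pledge and Unveil, which would be called after this point.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net"
	"net/http"
	"os"
	"os/user"
	"strconv"
	"syscall"
)

// lookupIDs resolves an account name such as "www" to its numeric uid and
// primary gid. Do this before chroot: /etc/passwd is not visible afterwards.
func lookupIDs(name string) (uid, gid int, err error) {
	u, err := user.Lookup(name)
	if err != nil {
		return 0, 0, err
	}
	if uid, err = strconv.Atoi(u.Uid); err != nil {
		return 0, 0, err
	}
	if gid, err = strconv.Atoi(u.Gid); err != nil {
		return 0, 0, err
	}
	return uid, gid, nil
}

// confine chroots into dir and moves the cwd inside it; chroot(2) without
// chdir(2) leaves the old working directory reachable. Needs root.
func confine(dir string) error {
	if err := syscall.Chroot(dir); err != nil {
		return fmt.Errorf("chroot %s: %w", dir, err)
	}
	if err := syscall.Chdir("/"); err != nil {
		return fmt.Errorf("chdir /: %w", err)
	}
	return nil
}

// dropPrivileges switches the process to uid/gid. Order matters: groups,
// then gid, then uid, because once the uid is unprivileged the earlier calls
// fail. Since Go 1.16 syscall.Setuid and friends apply to every thread on
// Linux too; on OpenBSD credentials were always process-global in the kernel.
func dropPrivileges(uid, gid int) error {
	if os.Geteuid() == 0 {
		// Only root may call setgroups; clear inherited supplementary groups.
		if err := syscall.Setgroups([]int{gid}); err != nil {
			return fmt.Errorf("setgroups: %w", err)
		}
	}
	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid: %w", err)
	}
	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid: %w", err)
	}
	// Verify rather than trust: real and effective ids must both have changed.
	if os.Getuid() != uid || os.Geteuid() != uid || os.Getgid() != gid || os.Getegid() != gid {
		return errors.New("credentials did not change as requested")
	}
	// And the drop must be irreversible: regaining root has to fail.
	if uid != 0 && syscall.Setuid(0) == nil {
		return errors.New("process could regain root after privilege drop")
	}
	return nil
}

func main() {
	// Bind the privileged port, chroot, then drop the uid: each step needs
	// root and each later step removes the ability to redo an earlier one.
	// The PF rdr-to approach from the thread avoids the root stage entirely.
	ln, err := net.Listen("tcp", ":80") // assumed address
	if err != nil {
		log.Fatal(err)
	}
	uid, gid, err := lookupIDs("www") // assumed account
	if err != nil {
		log.Fatal(err)
	}
	if err := confine("/var/empty"); err != nil { // assumed chroot dir
		log.Fatal(err)
	}
	if err := dropPrivileges(uid, gid); err != nil {
		log.Fatal(err)
	}
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "served by uid %d inside chroot\n", os.Getuid())
	})
	log.Fatal(http.Serve(ln, nil))
}
```

The verification at the end of dropPrivileges is the part worth copying: a setuid call that silently succeeds on one thread but not the process (the old Linux behaviour Stuart alludes to) or a missing setgroups would otherwise go unnoticed until someone audits the running process.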



Re: Question about RS232/USB hub device compatibility

2022-03-17 Thread Allan Streib
On Thu, Mar 17, 2022, at 3:22 PM, Nick Holland wrote:
> On 3/17/22 3:18 PM, Allan Streib wrote:
>> I have used the two-port version of this with Linux and it "just worked," 
>> wondering if anyone has used this (or something similar) successfully with 
>> OpenBSD? I am looking to manage a few switches via their console/RS232 
>> interfaces.
>> 
>> https://www.startech.com/en-us/cards-adapters/icusb2324i
>
> Haven't used /that/ one, but have used a couple, and yes, "Just Worked"
> for me as well.  I have USB to eight port serial in remote
> production.  The one I have has been around for many years, so unlikely
> you would be able to get something that is completely identical.
>
> Here's how one of them shows up in dmesg:
> ...
> uhub2 at uhub0 port 4 configuration 1 interface 0 "NEC product 0x0050" 
> rev 2.00/1.00 addr 2
> uftdi0 at uhub2 port 1 configuration 1 interface 0 "FTDI FT232R USB 
> UART" rev 2.00/6.00 addr 3
> ...

Thanks, it was also pointed out to me off-list that the one I linked lists
the "Chipset ID" as FTDI - FT4232HL. uftdi(4) lists support for FT4232H,
so maybe it would work but I don't see FT4232HL in usbdevs.h, only
FT4232H so maybe not? I'll try searching for another product that is an
exact match.

Allan



Re: Question about RS232/USB hub device compatibility

2022-03-17 Thread Nick Holland

On 3/17/22 3:18 PM, Allan Streib wrote:

I have used the two-port version of this with Linux and it "just worked," 
wondering if anyone has used this (or something similar) successfully with OpenBSD? I am 
looking to manage a few switches via their console/RS232 interfaces.

https://www.startech.com/en-us/cards-adapters/icusb2324i


Haven't used /that/ one, but have used a couple, and yes, "Just Worked"
for me as well.  I have USB to eight port serial in remote
production.  The one I have has been around for many years, so unlikely
you would be able to get something that is completely identical.

Here's how one of them shows up in dmesg:
...
uhub2 at uhub0 port 4 configuration 1 interface 0 "NEC product 0x0050" rev 
2.00/1.00 addr 2
uftdi0 at uhub2 port 1 configuration 1 interface 0 "FTDI FT232R USB UART" rev 
2.00/6.00 addr 3
ucom0 at uftdi0 portno 1
uftdi1 at uhub2 port 2 configuration 1 interface 0 "FTDI FT232R USB UART" rev 
2.00/6.00 addr 4
ucom1 at uftdi1 portno 1
uftdi2 at uhub2 port 3 configuration 1 interface 0 "FTDI FT232R USB UART" rev 
2.00/6.00 addr 5
ucom2 at uftdi2 portno 1
uftdi3 at uhub2 port 4 configuration 1 interface 0 "FTDI FT232R USB UART" rev 
2.00/6.00 addr 6
ucom3 at uftdi3 portno 1
uftdi4 at uhub2 port 5 configuration 1 interface 0 "FTDI FT232R USB UART" rev 
2.00/6.00 addr 7
ucom4 at uftdi4 portno 1
uftdi5 at uhub2 port 6 configuration 1 interface 0 "FTDI FT232R USB UART" rev 
2.00/6.00 addr 8
ucom5 at uftdi5 portno 1
uhub3 at uhub2 port 7 configuration 1 interface 0 "NEC hub" rev 2.00/1.00 addr 9
uftdi6 at uhub3 port 1 configuration 1 interface 0 "FTDI FT232R USB UART" rev 
2.00/6.00 addr 10
ucom6 at uftdi6 portno 1
uftdi7 at uhub3 port 2 configuration 1 interface 0 "FTDI FT232R USB UART" rev 
2.00/6.00 addr 11
ucom7 at uftdi7 portno 1
...

One cool thing: the device enumeration is rock solid -- once you
know what device is on what port, it seems to stay that way.

One down side: once in a while, the thing locks up, where OpenBSD
can't open the serial port (iirc, all of them wedge at the same time,
but I'm not going to swear to that).  I'm not sure who's at fault
(OpenBSD or the device), but a reboot does fix it, which is good,
since I and the systems I manage with it are separated by an
international border and 400km :)

So ... I'd not suggest attaching it to an "important" system, but
rather dedicate an easily rebooted terminal server machine.

Nick.



Question about RS232/USB hub device compatibility

2022-03-17 Thread Allan Streib
I have used the two-port version of this with Linux and it "just worked," 
wondering if anyone has used this (or something similar) successfully with 
OpenBSD? I am looking to manage a few switches via their console/RS232 
interfaces.

https://www.startech.com/en-us/cards-adapters/icusb2324i

Thanks,

Allan


Re: chroot for go webserver with pledge and unveil

2022-03-17 Thread Stuart Henderson
On 2022-03-16, Marc Espie  wrote:
> On Tue, Mar 15, 2022 at 11:32:19PM +0100, i...@tutanota.com wrote:
>> Since Go has support for pledge and unveil, I was thinking about
>> "imitating" the setup for httpd.
>> 
>> I basically need to run a Go webserver with access to MariaDB,
>> but would like to chroot the Go webserver.
>> 
>> I was thinking that since Go by default doesn't run a webserver on
>>  port 80 or 443, I would just spawn as www user on some higher
>>  port and then use PF to redirect.
>
> The age old practice of dropping privileges just works.
>
> I assume go has bindings for setuid() and friends.

Go software doesn't usually like to do this because of some issue
with doing so on Linux that I don't _think_ apply to OpenBSD.
And they have the "allow binding to low ports as a non-root uid"
setcap thingy so nobody fixes it. (That would have been much more
acceptable if it was a "bind to _a specific_ low port"...)




Re: Thinkpad T480 high cpu after zzz

2022-03-17 Thread Dave Voutila


Guillermo Ramos  writes:

> Hey misc,
>
> First time posting to the list, nice to meet you :)
>
> I have just installed -current on a Thinkpad T480 and I'm seeing this
> annoying behavior where, after waking up from either S3 or S4, one of
> the CPU cores gets to 100% and won't go down until the machine is
> restarted. According to htop, the guilty process is the 'acpi0' kernel
> thread. This happens both with the laptop plugged to external power and
> on battery.
>
> Any ideas about what could be happening here, or where to look at for
> clues? I've tried monitoring /var/log/messages during the sleep+wakeup
> process but I see nothing suspicious apart from those DRM notices, which
> I don't know how to interpret.
>

Can you use systat or `vmstat -i` and see what your interrupt rates look
like? Sounds like an interrupt storm. With that info I'd recommend using
sendbug to report the details to bugs@.

> Below are dmesg and /var/log/messages during the process.
>
> Any pointers are appreciated, thanks in advance.
>
> Guillermo
>
>
>  DMESG
>
> OpenBSD 7.1-beta (GENERIC.MP) #420: Sun Mar 13 11:42:04 MDT 2022
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 25503313920 (24321MB)
> avail mem = 24713121792 (23568MB)
> random: good seed from bootblocks
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7f065000 (63 entries)
> bios0: vendor LENOVO version "N24ET67W (1.42 )" date 11/17/2021
> bios0: LENOVO 20L50004SP
> acpi0 at bios0: ACPI 5.0
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP SSDT SSDT TPM2 UEFI SSDT SSDT HPET APIC MCFG
> ECDT SSDT SSDT SSDT BOOT BATB SLIC SSDT SSDT SSDT LPIT WSMT SSDT SSDT
> SSDT DBGP DBG2 MSDM DMAR ASF! FPDT BGRT UEFI
> acpi0: wakeup devices GLAN(S4) XHC_(S3) XDCI(S4) HDAS(S4) RP01(S4)
> PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4)
> RP05(S4) PXSX(S4) RP06(S4) PXSX(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpihpet0 at acpi0: 2399 Hz
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 3691.40 MHz, 06-8e-0a
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 24MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 3691.41 MHz, 06-8e-0a
> cpu1:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> cpu2 at mainbus0: apid 4 (application processor)
> cpu2: Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 3691.40 MHz, 06-8e-0a
> cpu2:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
> cpu2: 256KB 64b/line 8-way L2 cache
> cpu2: smt 0, core 2, package 0
> cpu3 at mainbus0: apid 6 (application processor)
> cpu3: Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 3691.40 MHz, 06-8e-0a
> cpu3:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD
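As an added example (not code from the thread) of the check Dave asks for, here is a small Go program that parses `vmstat -i` output and flags interrupt sources that are storming. The column layout assumed (a header line, "name total rate" rows, a trailing Total line) is the one OpenBSD's vmstat(8) prints; the two snapshots embedded below are constructed, not from the poster's T480, and are taken 10 seconds apart. The key point it demonstrates is that vmstat's own rate column is averaged over the whole uptime, so a storm that starts after a resume is diluted by the quiet hours before it; comparing two snapshots gives the rate that matters.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// IntrStat is one row of `vmstat -i` output.
type IntrStat struct {
	Name  string // e.g. "irq9/acpi0"
	Total uint64 // interrupts since boot
	Rate  uint64 // average per second since boot, as vmstat prints it
}

// ParseVmstatI parses `vmstat -i` output; the header and Total rows are
// skipped, as is anything that is not a three-column row.
func ParseVmstatI(out string) ([]IntrStat, error) {
	var stats []IntrStat
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || f[0] == "interrupt" || f[0] == "Total" {
			continue
		}
		total, err := strconv.ParseUint(f[1], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("bad total in %q: %w", sc.Text(), err)
		}
		rate, err := strconv.ParseUint(f[2], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("bad rate in %q: %w", sc.Text(), err)
		}
		stats = append(stats, IntrStat{f[0], total, rate})
	}
	return stats, sc.Err()
}

// DeltaRates returns interrupts per second for each source over the window
// between two snapshots taken `seconds` apart (nil if seconds is zero).
func DeltaRates(before, after []IntrStat, seconds uint64) map[string]uint64 {
	if seconds == 0 {
		return nil
	}
	prev := make(map[string]uint64, len(before))
	for _, s := range before {
		prev[s.Name] = s.Total
	}
	rates := make(map[string]uint64, len(after))
	for _, s := range after {
		if s.Total >= prev[s.Name] { // counters only grow; guard anyway
			rates[s.Name] = (s.Total - prev[s.Name]) / seconds
		}
	}
	return rates
}

// Storming lists sources whose windowed rate exceeds threshold, sorted by
// name. The clock interrupt runs at HZ by design, so pick a threshold
// comfortably above that.
func Storming(rates map[string]uint64, threshold uint64) []string {
	var hot []string
	for name, r := range rates {
		if r > threshold {
			hot = append(hot, name)
		}
	}
	sort.Strings(hot)
	return hot
}

// Constructed snapshots, 10 s apart: acpi0 started firing continuously.
const sampleBefore = `
interrupt                       total     rate
irq0/clock                    8640000      100
irq0/ipi                       123456        1
irq9/acpi0                        500        0
irq145/xhci0                    88321        1
irq146/inteldrm0               412009        4
Total                         9264286      107
`

const sampleAfter = `
interrupt                       total     rate
irq0/clock                    8641000      100
irq0/ipi                       123500        1
irq9/acpi0                     500500        5
irq145/xhci0                    88330        1
irq146/inteldrm0               412050        4
Total                         9765380      113
`

func main() {
	before, err := ParseVmstatI(sampleBefore)
	if err != nil {
		panic(err)
	}
	after, err := ParseVmstatI(sampleAfter)
	if err != nil {
		panic(err)
	}
	rates := DeltaRates(before, after, 10)
	for _, name := range Storming(rates, 1000) {
		fmt.Printf("%s: %d interrupts/s\n", name, rates[name])
	}
}
```

Note how the since-boot rate for acpi0 in the second snapshot still reads 5 while the windowed rate is 50000; that is exactly the number to put in a sendbug(1) report alongside the dmesg.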

Re: chroot for go webserver with pledge and unveil

2022-03-17 Thread Michael Hekeler
Am 16.03.22 03:09 schrieb i...@tutanota.com:
> >> I was thinking that since Go by default doesn't run a webserver on
> >> port 80 or 443
> 
> > What does it even mean. Go is a programming language. If you want to
> > build and run a webserver with it and have it listen on whatever port
> > you want, you can. Go doesn't have any opinion as to what ports you
> > should or shouldn't use. And the default ports for an http/https
> > server ARE 80 and 443.
> 
> What I meant was that you cannot code the webserver to run on port 80
> or 443 unless it runs as root (for obvious reasons). What I wanted to
> avoid is a change in privileges, as in starting it as root and then
> change to www. The easy way it seems to be to just run on something
> like port  and then use PF to redirect.
> 
> >> I can run it like this: [...]
> >> But that wouldn't keep it running after a reboot.
> 
> > There you go:
> > https://man.openbsd.org/afterboot.8#System_command_scripts
> 
> Is there something to restart it if it crashes?

Just a one liner can do this: check if it's running. If not restart.

But why would it crash??? Most likely because something was going wrong?
So do you really want your system restart something that is going to be
wrong?

I must admit I have NO full 30 years experience of sysadmin stuff (like
you posted in another thread) but I would prefer to fix the problem and
restart it manually only when it's fixed.
...other way sounds a little bit like systemd(1) to me ;-)