Re: seeing carp interface state change for unknown reason ; cluestick hunting

2021-02-06 Thread Bryan Stenson
Thanks for the response.  I've mounted a ramdisk at /mnt and have run
"doas route -n monitor > /mnt/route.monitor" in a tmux session for a
few days.  Here are some details:

erl3-01$ grep carp1 route.monitor  | sort | uniq -c
  91 RTM_ADD: Add Route: len 192, priority 146, table 0, if# 6, name carp1, pid: 0, seq 0, errno 0
 428 RTM_ADD: Add Route: len 192, priority 18, table 0, if# 6, name carp1, pid: 0, seq 0, errno 0
  43 RTM_DELETE: Delete Route: len 192, priority 146, table 0, if# 6, name carp1, pid: 0, seq 0, errno 0
 478 RTM_DELETE: Delete Route: len 192, priority 18, table 0, if# 6, name carp1, pid: 0, seq 0, errno 0
  31 RTM_IFINFO: iface status change: len 168, if# 6, name carp1, link: backup, mtu: 1500, flags:
  31 RTM_IFINFO: iface status change: len 168, if# 6, name carp1, link: invalid, mtu: 1500, flags:
  31 RTM_IFINFO: iface status change: len 168, if# 6, name carp1, link: master, mtu: 1500, flags:
   1 RTM_RESOLVE: Route created by cloning: len 192, priority 146, table 0, if# 6, name carp1, pid: 0, seq 0, errno 0
 385 RTM_RESOLVE: Route created by cloning: len 192, priority 18, table 0, if# 6, name carp1, pid: 0, seq 0, errno 0

erl3-01$ grep vlan100 route.monitor  | sort | uniq -c
  31 RTM_IFINFO: iface status change: len 168, if# 8, name vlan100, link: active, mtu: 1500, flags:
  31 RTM_IFINFO: iface status change: len 168, if# 8, name vlan100, link: no carrier, mtu: 1500, flags:

erl3-01$ grep cnmac2 route.monitor  | sort | uniq -c
  57 RTM_ADD: Add Route: len 192, priority 3, table 0, if# 3, name cnmac2, pid: 0, seq 0, errno 0
  57 RTM_DELETE: Delete Route: len 192, priority 3, table 0, if# 3, name cnmac2, pid: 0, seq 0, errno 0
  31 RTM_IFINFO: iface status change: len 168, if# 3, name cnmac2, link: active, mtu: 1500, flags:
  31 RTM_IFINFO: iface status change: len 168, if# 3, name cnmac2, link: no carrier, mtu: 1500, flags:

It looks like the underlying cnmac2 interface is flapping...so, that's a bummer.

As generally underpowered as this machine is, might the kernel be
overwhelmed with other tasks, and have a watchdog timeout mark the
cnmac2 interface as down (due to some expired timeout)?

Just grasping for something here...my next steps are to swap this unit
out with the other one (to try and eliminate hardware failure of THIS
unit).  Any other suggestions?

On Mon, Feb 1, 2021 at 3:04 AM David Gwynne  wrote:
>
>
>
> > On 1 Feb 2021, at 6:02 pm, Bryan Stenson  wrote:
> >
> > Hi all -
> >
> > I'm trying to setup a pair of ERL3 octeon routers in master/standby
> > mode via carp/pfsync to route traffic from my internal lan to the
> > internet.  I've seen strange behavior wrt carp on these machines, so
> > in an attempt to reduce the problem, I've removed one completely.
> >
> > Even with only a single box (ERL3-01) on the network configured as a
> > carp member, the carp interface state periodically changes (as seen
> > from ifstated(8)).
> >
> > I'm wondering if disconnecting the other ERL3 device is a valid isolated 
> > test.
> > 1.  Will/might this cause issues with the carp device, as it cannot
> > determine state from any other host?
>
> If carp state flaps around while it is the only device on the network, that 
> would imply the parent device is flapping around.
>
> > 2.  Will/might this cause issues as it cannot send/receive pfsync
> > updates (the other node is disconnected).
>
> pfsync doesn't really care about carp state.
>
> > 3.  Is there something else in my setup causing carp to fail here?
>
> I'd be running "route monitor" and looking for link state changes on the carp 
> parent interface.
>
> > 4.  Could this be hardware/temperature related to this ERL3?  Wouldn't
> > I see an additional error in dmesg if the physical device (cnmac2)
> > failed periodically?
> >
> > I'd appreciate any pointers here...I feel like I'm missing something dumb.
>
> My first ideas are above. If it turns out the carp parent is stable we can 
> try come up with something else.
>
> dlg
>
> >
> > Thanks in advance.
> >
> > Bryan
> >
> > Here are some of my configs.  If I've missed including something
> > critical to help describe my setup, please let me know and I'll add
> > it.
> >
> > ## Help me OBSD-Misc Kenobi.  You're my only hope. ##
> >
> > erl3-01# uname -a
> > OpenBSD erl3-01.siliconvortex.com 6.8 GENERIC#522 octeon
> >
> > erl3-01# dmesg
> > ...
> > carp1: state transition: BACKUP -> MASTER
> > carp1: state transition: BACKUP -> MASTER
> > carp1: state transition: BACKUP -> MASTER
> > carp1: state transition: BACKUP -> MASTER
> > carp1: s
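Added example (not from the thread): a small Python script that reads saved `route -n monitor` output in the format shown above and, for each carp1 link change, checks whether vlan100 or cnmac2 changed link state just before it, so a carp flap can be told apart from a parent flap. The sample lines are constructed to match the page's format, and the two-event look-back window is an assumption made for this example, since route monitor output carries no timestamps.

```python
"""Correlate carp link changes with parent link events in
`route -n monitor` output (OpenBSD RTM_IFINFO lines)."""
import re
from collections import defaultdict

# Matches the RTM_IFINFO lines route(8) monitor prints; the flag set is ignored.
IFINFO_RE = re.compile(
    r"^RTM_IFINFO: iface status change: .*?name (?P<name>[^,]+), "
    r"link: (?P<link>[^,]+), mtu"
)

# Layering taken from the hostname.* files in the thread: carp1 rides on
# vlan100, which rides on the physical cnmac2. Lowest layer first.
PARENTS = ("cnmac2", "vlan100")

# Constructed sample: one carrier loss on cnmac2 rippling up the stack,
# then a carp flap with no parent activity at all.
SAMPLE = """\
RTM_IFINFO: iface status change: len 168, if# 3, name cnmac2, link: no carrier, mtu: 1500, flags:<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
RTM_IFINFO: iface status change: len 168, if# 8, name vlan100, link: no carrier, mtu: 1500, flags:<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
RTM_IFINFO: iface status change: len 168, if# 6, name carp1, link: invalid, mtu: 1500, flags:<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
RTM_DELETE: Delete Route: len 192, priority 18, table 0, if# 6, name carp1, pid: 0, seq 0, errno 0
RTM_IFINFO: iface status change: len 168, if# 3, name cnmac2, link: active, mtu: 1500, flags:<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
RTM_IFINFO: iface status change: len 168, if# 8, name vlan100, link: active, mtu: 1500, flags:<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
RTM_IFINFO: iface status change: len 168, if# 6, name carp1, link: backup, mtu: 1500, flags:<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
RTM_IFINFO: iface status change: len 168, if# 6, name carp1, link: master, mtu: 1500, flags:<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
RTM_ADD: Add Route: len 192, priority 18, table 0, if# 6, name carp1, pid: 0, seq 0, errno 0
RTM_IFINFO: iface status change: len 168, if# 6, name carp1, link: backup, mtu: 1500, flags:<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
RTM_IFINFO: iface status change: len 168, if# 6, name carp1, link: master, mtu: 1500, flags:<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
"""

def parse_ifinfo(lines):
    """Yield (ifname, link_state) for each RTM_IFINFO line, in order."""
    for line in lines:
        m = IFINFO_RE.match(line.strip())
        if m:
            yield m.group("name").strip(), m.group("link").strip()

def link_transitions(lines):
    """Count (old_state, new_state) transitions per interface."""
    last, counts = {}, defaultdict(lambda: defaultdict(int))
    for name, link in parse_ifinfo(lines):
        if name in last and last[name] != link:
            counts[name][(last[name], link)] += 1
        last[name] = link
    return {n: dict(c) for n, c in counts.items()}

def explain_carp_events(lines, carp="carp1", parents=PARENTS, window=2):
    """For every link change on the carp interface, look back `window`
    RTM_IFINFO events for a change on a parent interface and blame the
    lowest layer found. Returns [(carp_state, parent_or_None), ...].
    The event-count window is a heuristic chosen for this example."""
    events = list(parse_ifinfo(lines))
    verdicts = []
    for i, (name, link) in enumerate(events):
        if name != carp:
            continue
        recent = {n for n, _ in events[max(0, i - window):i]}
        cause = next((p for p in parents if p in recent), None)
        verdicts.append((link, cause))
    return verdicts

def summarize(lines):
    """How many carp changes had a parent link change right before them."""
    verdicts = explain_carp_events(lines)
    explained = sum(1 for _, cause in verdicts if cause)
    return {"carp_changes": len(verdicts), "explained": explained,
            "unexplained": len(verdicts) - explained}

if __name__ == "__main__":
    for state, cause in explain_carp_events(SAMPLE.splitlines()):
        print(f"carp1 -> {state:8} {'after ' + cause if cause else 'UNEXPLAINED'}")
    print(summarize(SAMPLE.splitlines()))
```

Run it over the saved /mnt/route.monitor file instead of SAMPLE; a high "unexplained" count would point at carp itself, while the page's counts (equal numbers of cnmac2, vlan100 and carp1 changes) point at the physical port.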

seeing carp interface state change for unknown reason ; cluestick hunting

2021-02-01 Thread Bryan Stenson
Hi all -

I'm trying to setup a pair of ERL3 octeon routers in master/standby
mode via carp/pfsync to route traffic from my internal lan to the
internet.  I've seen strange behavior wrt carp on these machines, so
in an attempt to reduce the problem, I've removed one completely.

Even with only a single box (ERL3-01) on the network configured as a
carp member, the carp interface state periodically changes (as seen
from ifstated(8)).

I'm wondering if disconnecting the other ERL3 device is a valid isolated test.
1.  Will/might this cause issues with the carp device, as it cannot
determine state from any other host?
2.  Will/might this cause issues as it cannot send/receive pfsync
updates (the other node is disconnected).
3.  Is there something else in my setup causing carp to fail here?
4.  Could this be hardware/temperature related to this ERL3?  Wouldn't
I see an additional error in dmesg if the physical device (cnmac2)
failed periodically?

I'd appreciate any pointers here...I feel like I'm missing something dumb.

Thanks in advance.

Bryan

Here are some of my configs.  If I've missed including something
critical to help describe my setup, please let me know and I'll add
it.

## Help me OBSD-Misc Kenobi.  You're my only hope. ##

erl3-01# uname -a
OpenBSD erl3-01.siliconvortex.com 6.8 GENERIC#522 octeon

erl3-01# dmesg
...
carp1: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER

erl3-01# tail mbox
Mon, 1 Feb 2021 06:49:26 + (UTC)
From: Charlie Root 
Date: Mon, 1 Feb 2021 06:49:25 + (UTC)
To: root@localhost
Subject: carp master changed
Message-ID: <515eb74cff427...@erl3-01.siliconvortex.com>
Status: RO

master is now erl3-01.siliconvortex.com


erl3-01# sysctl -a | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=2

erl3-01# cat /etc/hostname.carp1
#carp for lan side
192.168.122.1/23 carpdev vlan100 vhid 1 pass somethinglongandsecret

erl3-01# cat /etc/hostname.vlan100
vnetid 100 parent cnmac2
up

erl3-01# cat /etc/hostname.cnmac2
inet 192.168.1.253 255.255.254.0

erl3-01# cat /etc/hostname.pfsync0
up syncdev cnmac1

erl3-01# cat /etc/hostname.cnmac1
inet 10.10.200.1 255.255.255.252

erl3-01# cat /etc/ifstated.conf
# Initial State
init-state auto

# Macros
if_carp_up="carp1.link.up"
if_carp_down="!carp1.link.up"

state auto {
  if $if_carp_up {
    set-state master
  }

  if $if_carp_down {
    set-state backup
  }
}

state master {
  init {
    run "echo master is now `hostname` | mail -s 'carp master changed' root@localhost"
  }

  if $if_carp_down {
    set-state backup
  }
}

state backup {
  init {
    run "echo backup is now `hostname` | mail -s 'carp master changed' root@localhost"
  }

  if $if_carp_up {
    set-state master
  }
}

erl3-01# cat /etc/pf.conf
# adopted from https://www.openbsd.org/faq/pf/example1.html
wan_dev = cnmac0
lan_dev = cnmac2
carp_dev = vlan100
pfsync_dev = cnmac1
table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 }

# carp
pass quick on $lan_dev proto carp keep state (no-sync)

# pfsync
pass quick on $pfsync_dev proto pfsync keep state (no-sync)

set block-policy drop
set loginterface $wan_dev
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)

# redirect DNS queries to localhost
pass in quick on { $carp_dev $lan_dev } proto { udp tcp } from any to any port domain rdr-to 192.168.1.253 port domain

# NAT to the world
match out on $wan_dev inet from !($wan_dev:network) to any nat-to ($wan_dev:0)

antispoof quick for { $wan_dev }

# martians
block in quick on $wan_dev from  to any
block return out quick on $wan_dev from any to 

block all

# manage buffer bloat
queue outq on $wan_dev flows 1024 bandwidth 3M max 3M qlimit 1024 default
queue inq on $lan_dev flows 1024 bandwidth 45M max 45M qlimit 1024 default

pass out quick inet

pass in on { $carp_dev $lan_dev } inet



Re: dynamic dns updates for clients in my home network?

2020-04-25 Thread Bryan Stenson
I've thought about this as well, and would love to use native
OpenBSD tools for the job.

Just a design idea:

1. Use dhcpd(8) synchronization
(https://man.openbsd.org/dhcpd.8#SYNCHRONISATION) to send details of
dhcp leases to a DNS creator/listener.
2. The dns creator/listener creates/updates the zone file, and
3. Send a SIGHUP to nsd(8) (https://man.openbsd.org/nsd.8#SIGHUP) to
reload the zone details.

Issues to consider:
1. hostname collisions - what happens (what should happen?) when more
than one dhcp client has the same hostname?
2. what should ttl on these A records be?  probably something much
less than the dhcp lease duration (depending on how aggressive clients
are at renewing soon-to-be-expired leases).

I'm sure there are a thousand other things to consider here...thoughts/ideas?

On Sat, Apr 25, 2020 at 3:10 PM Raymond, David  wrote:
>
> I use dnsmasq (an openbsd package) on the gateway for my lab ethernet
> network and it works great with minimal configuration as a local DNS
> server.  At home I have a Synology wireless router which does the same
> as long as you tell it to make DNS reservations.  Your mileage may
> vary with cheaper routers.  One could in principle use dnsmasq even in
> this case, but I haven't tried it.
>
>
> Dave Raymond
>
> On 4/25/20, bofh  wrote:
> > Hi,
> > I searched through the archives and saw a couple of discussions about using
> > Dnsmasq from a long time ago.
> >
> > Is that the best way to let the stuff in my home to have valid dns entries
> > in my home network?
> >
> > How difficult is it to get the OpenBSD provided dhcpd and unbound to do
> > this?
> >
> > Thanks.
> >
>
>
> --
> David J. Raymond
> david.raym...@nmt.edu
> http://physics.nmt.edu/~raymond
>
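Added example (not from the thread, and not OpenBSD's own tooling): a Python sketch of the zone-builder step of the design above, assuming the dhcpd sync messages have already been decoded into lease events. It applies one possible collision policy (the MAC seen first keeps the bare name, later ones get a suffix from their MAC), derives the TTL as a fraction of the lease, and rejects hostnames that are not valid DNS labels; the leases, the home.example zone and the ns1/hostmaster names are constructed.

```python
"""Zone-builder step of the dhcpd -> zone file -> SIGHUP nsd design."""
import os
import re
import signal
from dataclasses import dataclass

@dataclass
class Lease:
    """One decoded dhcpd lease event; decoding the sync stream is out of scope."""
    ip: str
    hostname: str
    mac: str
    lease_seconds: int

# A client-supplied hostname is untrusted input; only accept a plain DNS label.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample: a renewal, a name collision and an unusable name.
SAMPLE_LEASES = [
    Lease("192.168.122.50", "Laptop", "00:11:22:33:44:55", 43200),
    Lease("192.168.122.51", "laptop", "66:77:88:99:aa:bb", 43200),   # collides
    Lease("192.168.122.52", "bad host!", "cc:dd:ee:ff:00:11", 3600),  # rejected
    Lease("192.168.122.60", "laptop", "00:11:22:33:44:55", 43200),   # renewal
]

def sanitize(hostname):
    """Lower-case and validate; None means the name never reaches the zone."""
    h = hostname.strip().lower()
    return h if LABEL_RE.match(h) else None

def ttl_for(lease_seconds, fraction=0.25, floor=60):
    """Keep the TTL well under the lease so a reassigned address does not
    keep answering for the old client; one quarter of the lease is a guess."""
    return max(floor, int(lease_seconds * fraction))

def build_records(leases, zone="home.example"):
    """Map FQDN -> (ip, ttl). Policy: the MAC seen first keeps the bare
    name; a different MAC claiming the same name gets a -xxxx suffix
    from its MAC; a renewal by the same MAC replaces its record."""
    by_mac = {}
    for lease in leases:            # dict keeps first-seen order per MAC
        by_mac[lease.mac.lower()] = lease
    taken, records = {}, {}
    for mac, lease in by_mac.items():
        name = sanitize(lease.hostname)
        if name is None:
            continue
        if name in taken and taken[name] != mac:
            name = f"{name}-{mac.replace(':', '')[-4:]}"
        taken[name] = mac
        records[f"{name}.{zone}."] = (lease.ip, ttl_for(lease.lease_seconds))
    return records

def render_zone(records, zone, serial):
    """Render a minimal zone file for nsd; SOA values are placeholders."""
    out = [f"$ORIGIN {zone}.", "$TTL 300",
           f"@ IN SOA ns1.{zone}. hostmaster.{zone}. {serial} 3600 900 604800 300",
           f"@ IN NS ns1.{zone}."]
    out += [f"{fqdn} {ttl} IN A {ip}" for fqdn, (ip, ttl) in sorted(records.items())]
    return "\n".join(out) + "\n"

def publish_zone(path, text, pidfile):
    """Step 3 of the design: replace the zone file atomically, then SIGHUP
    nsd (nsd(8)). The pid file location comes from the local nsd.conf."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)
    with open(pidfile) as fh:
        os.kill(int(fh.read().strip()), signal.SIGHUP)

if __name__ == "__main__":
    print(render_zone(build_records(SAMPLE_LEASES), "home.example", 2020042501))
```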



user-agent spoofing info; working around site "requirements"

2020-04-09 Thread Bryan Stenson
Most of you already know this.

tldr - inferring system requirements from the "user-agent" http header
is useless/dangerous/silly, and your site/page stop (nothing new
here...not sure why certain sites trust the user-provided data).

This is not OpenBSD specific, but hopefully helpful for anyone wanting
their system to "just work" when accessing a site requiring a certain
operating system, or browser.

Here are some details for those who might be suffering from the same
stupid "required operating systems" limitation my bank imposes...

Given:
- the bank has a HTTP interface
- the bank "requires" a specific browser/version
- the bank "requires" a specific set of closed-source operating systems
- OpenBSD ships recent browsers (chromium, firefox, etc)

Problem:
When logging into said financial institution, the page declines to
work correctly because I don't have an operating system on their list.

Solution:
Spoof (add/modify) "user-agent" http header (via browser plugin, for
example), to include a common user-agent used by one of the
aforementioned "required operating systems".  This seems to work, for
me, at my bank:

Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/47.0.2526.70 Mobile/13C71 Safari/601.1.46

Why this works:
Your browser sends a user-agent with browser/OS details in the
request.  This means you can modify those details before you send your
request.  Effectively, it's an unverified claim.  So take advantage of
it, and claim what you want/need. :)

Bryan



FDE: converting passphrase to usb key

2020-02-21 Thread Bryan Stenson
I currently have FDE installed using a passphrase, but would like to
update this to using a usb key.  Is this possible?

Or, should I just wipe/re-install?

Thanks.



Re: recent troubles with iwn(4)

2019-09-11 Thread Bryan Stenson
sorry about that...here's the most recent one:

Sep 11 06:31:13 e530c /bsd: iwn0: sending probe_req to 80:2a:a8:57:5e:17 on channel 6 mode 11n
Sep 11 06:31:15 e530c ntpd[87584]: DNS lookup tempfail
Sep 11 06:31:16 e530c dhclient[9122]: iwn0: writev(DHCPREQUEST): No buffer space available
Sep 11 06:31:18 e530c /bsd: iwn0: RUN -> SCAN
Sep 11 06:31:18 e530c /bsd: iwn0: end active scan
Sep 11 06:31:18 e530c /bsd: iwn0: - 00:0d:67:7d:a9:431  +172 54M ess   no!  rsn! "CableWiFi"!
Sep 11 06:31:18 e530c /bsd: iwn0: - 08:86:3b:b6:2f:801  +182 54M ess  privacy   rsn  "belkin.f80"!
...

On Wed, Sep 11, 2019 at 7:53 AM Stefan Sperling  wrote:
>
> On Wed, Sep 11, 2019 at 12:16:06AM -0700, Bryan Stenson wrote:
> > doh...I don't know why I didn't think of that...
> >
> > Good news, with 'ifconfig iwn0 debug' set, once the strange behavior
> > starts, I see LOTS of repeated messages, the pattern happens about
> > once every 4 seconds, and dumps the following into /var/log/messages:
> >
> > ...
> > # continuous spamming of /var/log/messages from after the network has
> > been in the troubled/failed state for a while
>
> You snipped the exciting part.
>
> I need to know why it decides to do a transition of the form:
>
> RUN -> something
>
> This should be somewhere at the top of this stream of output.



Re: recent troubles with iwn(4)

2019-09-11 Thread Bryan Stenson
e530c /bsd: iwn0: - 8c:0f:6f:eb:24:78   11  +201 54M
ess  privacy   rsn  "Cleveland-Bales Casa"!
Sep 10 09:00:11 e530c /bsd: iwn0: - 90:c7:92:4f:28:801  +175 54M
ess  privacy   rsn  "HOME-2882"!
Sep 10 09:00:11 e530c /bsd: iwn0: - 92:95:51:c7:c9:db   11  +172 54M
ess  privacy   rsn! ""!
Sep 10 09:00:11 e530c /bsd: iwn0: - 96:0f:6f:e7:84:181  +191 54M
ess   no!  rsn! "xfinitywifi"!
Sep 10 09:00:11 e530c /bsd: iwn0: - 96:c7:92:4f:28:801  +172 54M
ess   no!  rsn! "xfinitywifi"!
Sep 10 09:00:11 e530c /bsd: iwn0: - 9a:0f:6f:e7:84:181  +192 54M
ess  privacy   rsn  ""!
Sep 10 09:00:11 e530c /bsd: iwn0: - 9a:0f:6f:eb:24:78   11  +200 54M
ess  privacy   rsn  ""!
Sep 10 09:00:11 e530c /bsd: iwn0: - 9c:3d:cf:43:74:8a8  +172 54M
ess  privacy   rsn  "NETGEAR18"!
Sep 10 09:00:11 e530c /bsd: iwn0: - a2:0f:6f:e7:84:181  +192 54M
ess  privacy   rsn! ""!
Sep 10 09:00:11 e530c /bsd: iwn0: - a2:0f:6f:eb:24:78   11  +199 54M
ess  privacy   rsn! ""!
Sep 10 09:00:11 e530c /bsd: iwn0: - a4:56:cc:cd:e6:891  +174 54M
ess  privacy   rsn  "No ID"!
Sep 10 09:00:11 e530c /bsd: iwn0: - a4:56:cc:cd:e6:8c1  +172 54M
ess  privacy   rsn  ""!
Sep 10 09:00:11 e530c /bsd: iwn0: - a4:56:cc:cd:e6:8d1  +173 54M
ess  privacy   rsn! "OutOfService"!
Sep 10 09:00:11 e530c /bsd: iwn0: - a4:56:cc:cd:e6:8e1  +174 54M
ess  privacy   rsn! ""!
Sep 10 09:00:11 e530c /bsd: iwn0: - aa:93:5b:0c:9b:3d6  +184 54M
ess   no!  rsn! "xfinitywifi"!
Sep 10 09:00:11 e530c /bsd: iwn0: - ae:93:5b:0c:9b:3d6  +193 54M
ess  privacy   rsn  ""!
Sep 10 09:00:11 e530c /bsd: iwn0: - b0:39:56:23:b4:6b8  +172 54M
ess  privacy   rsn  "Meul"!
Sep 10 09:00:11 e530c /bsd: iwn0: - b0:93:5b:0c:9b:3d6  +191 54M
ess  privacy   rsn  "2wernergals"!
Sep 10 09:00:11 e530c /bsd: iwn0: - b2:93:5b:0c:9b:3d6  +191 54M
ess  privacy   rsn! "OutOfService"!
Sep 10 09:00:11 e530c /bsd: iwn0: - b6:93:5b:0c:9b:3d6  +190 54M
ess  privacy   rsn! ""!
Sep 10 09:00:11 e530c /bsd: iwn0: - cc:40:d0:17:22:c31  +182 54M
ess  privacy   rsn  "Cleveland-Bales Casa 5_2GEXT"!
Sep 10 09:00:11 e530c /bsd: iwn0: - d8:97:ba:be:19:706  +170 54M
ess  privacy   rsn! "CUSPNet_2.4"!
Sep 10 09:00:11 e530c /bsd: iwn0: - e8:37:7a:be:c4:a71  +173 54M
ess  privacy   rsn  "CenturyLink3718"!
Sep 10 09:00:11 e530c /bsd: iwn0: SCAN -> AUTH
Sep 10 09:00:11 e530c /bsd: iwn0: sending auth to 80:2a:a8:57:5e:17 on
channel 6 mode 11g
Sep 10 09:00:15 e530c /bsd: iwn0: AUTH -> SCAN
Sep 10 09:00:16 e530c /bsd: iwn0: end active scan
...

This scan repeats about once every 4 seconds.

A few other data points (forgive me if this is obvious...I mostly
wanted to share my general thoughts on what I've looked into):
* I wondered if this was triggered by dhcp lease renewal (iwn0 uses
IPv4 dhcp only, bad packet or something), but I have observed the iwn0
driver in the "troubled" state well before my current lease expires.
* timing seems odd: once the iwn0 stops working, it takes a while for
the "scan" log entries (above) to appear in /var/log/messages
(gathering specific data on this now, but it seems to be at least 10s
of minutes).
* I have verified there are no states in the firewall, other than
those marked "SINGLE:NO_TRAFFIC" from my machine attempting to query
DNS.
* During the repeated scans above, `tcpdump` reports no UDP traffic
for this iwn0.

tl;dr -
1.) I still don't know what's triggering this.
2.) When it's triggered, it takes a while to report anything in
/var/log/messages
3.) Once it does, iwn seems to be in a 4-5 second loop, continuously
scanning all APs.
4.) I'm able to reset the driver via "doas ifconfig iwn0 down; doas sh
/etc/netstart iwn0" and it all works again...for a while (see #1).

Thank you for reading this far.  Any other pointers/suggestions?  So
many opportunities to learn. :)

Bryan


On Mon, Sep 9, 2019 at 9:23 AM Stefan Sperling  wrote:
>
> On Sun, Sep 08, 2019 at 08:31:55PM +, Bryan Stenson wrote:
> > Hi all -
> >
> > I'm writing to "misc" rather than "bugs" as I'm not yet sure this is a
> > bug.  I'm hoping to help triage this with assistance from this list.
> >
> > I'm running -CURRENT and the iwn(4) driver for my wireless card.  Over
> > the past year, this has been working great, but recently (within the
> > last month or so), I've had issues where the NIC just stops working
> > after a few hours of usage.  I don't have solid steps for
> > reproduction.
> >
> > I realize "stops working" is not a very accurate account here...but
> > I'm confused on how to get more descriptive informat

recent troubles with iwn(4)

2019-09-08 Thread Bryan Stenson
Hi all -

I'm writing to "misc" rather than "bugs" as I'm not yet sure this is a
bug.  I'm hoping to help triage this with assistance from this list.

I'm running -CURRENT and the iwn(4) driver for my wireless card.  Over
the past year, this has been working great, but recently (within the
last month or so), I've had issues where the NIC just stops working
after a few hours of usage.  I don't have solid steps for
reproduction.

I realize "stops working" is not a very accurate account here...but
I'm confused on how to get more descriptive information of the
problem.  When it stops, "ifconfig" shows iwn0 with an IP address, but
I'm unable to ping.  Additionally, I'm not seeing any
warnings/messages in "dmesg" about the device...so I'm confused.

A simple "ifconfig iwn0 down; sh /etc/netstart iwn0" seems to fix the
problem, but I haven't had to do that in the past...it just feels like
a recent change (iwn(4) work?) has put me in this state.

I'm really wanting to help here.  How can I run the iwn(4) in debug
mode, or increase logging verbosity?  And/or, should I try to capture
packets via tcpdump?  And/or, can I run an older bsd.mp (without
having to downgrade packages to older versions) in order to try and
"bisect" where the problem may have been introduced?

The following are my kernel and wireless details:

# uname -a
OpenBSD e530c.siliconvortex.com 6.6 GENERIC.MP#289 amd64

# pcidump -v
...
 3:0:0: Intel Centrino Wireless-N 2230
0x: Vendor ID: 8086, Product ID: 0888
0x0004: Command: 0006, Status: 0010
0x0008: Class: 02 Network, Subclass: 80 Miscellaneous,
Interface: 00, Revision: c4
0x000c: BIST: 00, Header Type: 00, Latency Timer: 00,
Cache Line Size: 10
0x0010: BAR mem 64bit addr: 0xf2d0/0x2000
0x0018: BAR empty ()
0x001c: BAR empty ()
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 8086 Product ID: 4262
0x0030: Expansion ROM Base Address: 
0x0038: 
0x003c: Interrupt Pin: 01 Line: 0b Min Gnt: 00 Max Lat: 00
0x00c8: Capability 0x01: Power Management
State: D0
0x00d0: Capability 0x05: Message Signalled Interrupts (MSI)
Enabled: yes
0x00e0: Capability 0x10: PCI Express
Link Speed: 2.5 / 2.5 GT/s, Link Width: x1 / x1
0x0100: Enhanced Capability 0x01: Advanced Error Reporting
0x0140: Enhanced Capability 0x03: Device Serial Number
Serial Number: 6036dded4a81

With humility, an open mind, and eagerness to learn/help:

Bryan



Re: mounting an existing softraid/crypto partition for install/update

2019-06-03 Thread Bryan Stenson
YESS!!  Thank you qwerjkl...

I can confirm, "bioctl -c C -l ... softraid0" seems to have picked up the
existing partition...and after a "cd /dev && sh MAKEDEV sd2", the installer
picked up the device (sd2), and I was able to get back to a working
system.

Thanks again!

On Mon, Jun 3, 2019 at 7:30 PM Benny  wrote:

> I have done that two days ago. When you use bioctl -c ... -l ... softraid0
> on an existing raid configuration, it will map the raid volume to another
> sd device. You will be prompted for a password if your raid level is
> crypto. This will _not_ create another raid or overwrite your data, unless
> you typed something wrong. Don't forget to MAKEDEV sd1 for the new sd.
>
> qwerjkl
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, June 3, 2019 7:17 PM, Bryan Stenson 
> wrote:
>
> > Hi all -
> >
> > I'm running -CURRENT on a SSD with FDE encryption using softraid/crypto
> > with a passphrase entered via the keyboard at boot. It worked great.
> > Then, I upgraded to a build that had a broken bootloader (reported to be
> > fixed now: "Re: amd64 snapshot very broken (Jun 1 02:24:13)"). Per that
> > thread, I'm trying to boot from temp boot media to update to the fixed
> > image.
> >
> > I've tried booting both snapshots/amd64/install65.fs and
> > snapshots/amd64/miniroot65.fs, and while it appears the bootloader
> > recognizes my softraid crypto device, it's clearly not mounting the
> crypto
> > device (I'm not prompted for a passphrase), and by the time I get to the
> > install script, it shows:
> >
> > Available disks are: .
> > Which disk is the root disk? ('?' for details)
> >
> > Asking for details, both my SSD (sd0) and temp boot media (sd1) are
> shown,
> > but I'm not able to see the encrypted device.
> >
> > I've dropped to a shell, and created the device (it wasn't there) via "cd
> > /dev && sh MAKEDEV sd0", and can see my RAID partition via "disklabel
> sd0".
> >
> > But, now I'm stuck/confused...I'm trying to figure it out by following:
> > https://www.openbsd.org/faq/faq14.html#softraidFDE
> >
> > Do I re-create the softraid/crypto with something like "bioctl -c C sd0a
> > softraid0"? Or, will this wipe out the existing data and give me a
> > fresh new partition to install to?
> >
> > How can I mount the existing crypto volume for use by the installer?
> > (Also, am I asking the right questions here?)
> >
> > Any suggestions/clarifications would be greatly appreciated. Thank you
> for
> > your time.
> >
> > Bryan
>
>
>


mounting an existing softraid/crypto partition for install/update

2019-06-03 Thread Bryan Stenson
Hi all -

I'm running -CURRENT on a SSD with FDE encryption using softraid/crypto
with a passphrase entered via the keyboard at boot.  It worked great.
Then, I upgraded to a build that had a broken bootloader (reported to be
fixed now: "Re: amd64 snapshot very broken (Jun 1 02:24:13)").  Per that
thread, I'm trying to boot from temp boot media to update to the fixed
image.

I've tried booting both snapshots/amd64/install65.fs and
snapshots/amd64/miniroot65.fs, and while it appears the bootloader
recognizes my softraid crypto device, it's clearly not mounting the crypto
device (I'm not prompted for a passphrase), and by the time I get to the
install script, it shows:

Available disks are: .
Which disk is the root disk? ('?' for details)

Asking for details, both my SSD (sd0) and temp boot media (sd1) are shown,
but I'm not able to see the encrypted device.

I've dropped to a shell, and created the device (it wasn't there) via "cd
/dev && sh MAKEDEV sd0", and can see my RAID partition via "disklabel sd0".

But, now I'm stuck/confused...I'm trying to figure it out by following:
https://www.openbsd.org/faq/faq14.html#softraidFDE

Do I re-create the softraid/crypto with something like "bioctl -c C sd0a
softraid0"?  Or, will this wipe out the existing data and give me a
fresh new partition to install to?

How can I mount the existing crypto volume for use by the installer?
(Also, am I asking the right questions here?)

Any suggestions/clarifications would be greatly appreciated.  Thank you for
your time.

Bryan