Re: ifconfig autoconf stopped working - how to debug?

2024-05-27 Thread Chris Narkiewicz
On Mon, May 27, 2024 at 03:06:04PM +0100, Zé Loff wrote:
> On Mon, May 27, 2024 at 01:51:25PM +0100, Chris Narkiewicz wrote:
> dhcpleased now handles this.  You can run it with -d and with one or
> more "-v"s.  You can also use dhcpleasectl to request a new lease.

I ran dhcpleased -d -vvv and here is the output:

state_transition[vio0] Down -> Rebooting, timo: 1
DHCPREQUEST on vio0
iface_timeout[1]: Rebooting
state_transition[vio0] Rebooting -> Rebooting, timo: 2
DHCPREQUEST on vio0
iface_timeout[1]: Rebooting
deleting AAA.BBB.CCC.DDD from vio0 (lease from 0.0.0.0)
state_transition[vio0] Rebooting -> Init, timo: 1
DHCPDISCOVER on vio0
deconfigure_interface vio0
iface_timeout[1]: Init
state_transition[vio0] Init -> Init, timo: 2
DHCPDISCOVER on vio0
iface_timeout[1]: Init
state_transition[vio0] Init -> Init, timo: 4

and so on, so on, so on, timo: 8, 16, 32, 64...

The weird thing is that AAA.BBB.CCC.DDD is the IP address
I'm expecting to receive, but it's not listed in ifconfig vio0 output.

Best regards,
Chris Narkiewicz



ifconfig autoconf stopped working - how to debug?

2024-05-27 Thread Chris Narkiewicz
I have a netcup VPS and it crashed recently. After service restoration
and fsck, the system cannot obtain IPv4 using autoconf.

I'm wondering how I can debug DHCP autoconfiguration.  dhclient -v -d
doesn't show anything, as the functionality has been moved to
ifconfig.

ifconfig vio0 debug doesn't print anything.

Best regards,
Chris Narkiewicz



Re: obsd wifi

2024-05-04 Thread Chris Narkiewicz
On Sat, May 04, 2024 at 03:40:18PM -0300, Gustavo Rios wrote:
> how to install via pkg_add if i have no network connection ?

dmesg and ifconfig should give you the name of the wifi chipset already.

To install required packages and firmware, buy a USB adapter.
They are $5 and work out of the box. I keep an RTL dongle around
for such situations:

https://man.openbsd.org/urtwn.4

You can also buy a USB ethernet dongle. Those are also dirt-cheap.

Best regards,
Chris Narkiewicz



Booting with secure boot enabled

2024-03-31 Thread Chris Narkiewicz
Is it possible to boot OpenBSD with secure boot enabled?

I'd like to try unattended installation over WiFi on ThinkPad X1 and
my UEFI firmware supports PXE over WiFi, but it works only in Secure
Boot mode.

Best regards,
Chris Narkiewicz



Re: Trying to access /dev/ttyUSB0 device from VM

2024-03-17 Thread Chris Narkiewicz
Hardware passthrough is not supported by vmd.

Best regards,
Chris Narkiewicz



Re: Ctrl+A shortcut not working on the browser

2024-03-16 Thread Chris Narkiewicz


On my machine, Ctrl-A moves cursor to the beginning of input field,
while Ctrl-E to the end.

I think it emulates Emacs input mode.

Best regards,
Chris Narkiewicz



Re: MCU recommendations to program on OpenBSD?

2024-03-03 Thread Chris Narkiewicz
On Sun, Mar 03, 2024 at 05:11:17PM +0800, Sadeep Madurange wrote:
> Any recommendations for MCUs with C
> language SDKs supported by OpenBSD?

AVR - 8 bit
ARM - 32 bit

AVRs especially are top of the game when it comes to
open source toolchain support.

Best regards,
Chris Narkiewicz



Re: Pre-built images for embeded machines

2024-03-03 Thread Chris Narkiewicz
On Sat, Mar 02, 2024 at 12:51:05PM -0700, Theo de Raadt wrote:
> It might be easy, but it is wrong.

Besides extra burden on the build infrastructure, are there other
issues? Curiosity calling, as I'm not using any arm64 devices
personally.

I'd assume that such an image would be very challenging to tailor for
general use, as embedded systems are usually highly specialized.

What are the perceived issues with this approach?

Best regards,
Chris Narkiewicz



Re: Installing shellinabox on OpenBSD

2024-02-12 Thread Chris Narkiewicz
On Mon, Feb 12, 2024 at 02:38:25PM -0500, Daniel Ouellet wrote:
> I am not sure why people say they can't have a safe ssh client for window...

OP mentioned he cannot install software on the machine. This is a pretty
common issue if the machine is managed by somebody else.

Best regards,
Chris Narkiewicz



Re: Installing shellinabox on OpenBSD

2024-02-12 Thread Chris Narkiewicz
On Mon, Feb 12, 2024 at 07:12:49PM +, Chris Narkiewicz wrote:

> If security is not a problem, you can use telnet. Windows has telnet
> client built-in.

Also, ttyd is in ports. This could be handy:

https://openports.pl/path/www/ttyd

Best regards,
Chris Narkiewicz



Re: Installing shellinabox on OpenBSD

2024-02-12 Thread Chris Narkiewicz
On Mon, Feb 12, 2024 at 07:01:11PM +0300, Odhiambo Washington wrote:
> The VM is NOT exposed to the Internet so I am not worried.

If security is not a problem, you can use telnet. Windows has telnet
client built-in.

Best regards,
Chris Narkiewicz



unwind not picking up autoconf resolver from wg0

2023-12-20 Thread Chris Narkiewicz
I have a setup where a machine has 2 network interfaces:

host fqdn: foo.company.com - public address
vio0 - autoconf'd from internet provider, public IP
wg0 - intranet with its own DNS domain intra.company.com and the
10.0.0.0/8 network

Wireguard is configured in a star topology, with the 10.0.0.1 server
providing org-wide DNS, router, printing, etc.

-- unwind.conf: --
forwarder {
    1.1.1.1 port 853 authentication name cloudflare-dns.com DoT
    1.0.0.1 port 853 authentication name cloudflare-dns.com DoT
}

force accept bogus autoconf {
    intra.company.com
}

preference { autoconf forwarder }


wg0 has the DNS resolver added using route, as instructed in resolvd(8):

-- /etc/hostname.wg0: --
inet ...
wgkey ...
... snip wg vpn config here ...
!route nameserver wg0 10.0.0.1
--

I can definitely observe the commented-out 10.0.0.1 resolver in /etc/resolv.conf,
as expected when unwind and resolvd are running.

However, when I try to resolve anything with unwind, it fails:

# host foo.intra.company.com localhost 
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases: 

Host foo.intra.company.com not found: 3(NXDOMAIN)

Resolver on the other side of wg0 is working:

# host foo.intra.company.com 10.0.0.1
Using domain server:
Name: 172.16.0.1
Address: 10.0.0.1#53
Aliases: 

foo.intra.company.com has address 10.0.0.xx

When checking autoconf status, I see that unwind is not picking
up the resolver from wg0:

# unwindctl status autoconf 
 
autoconfiguration forwarders:
  DHCP[vio0]: aa.bb.cc.dd ee.ff.gg.hh

I'm out of ideas here. How can I convince unwind to use the resolver
from wg0?

Cheers,
Chris



ntpd not adjusting clock in vm

2023-12-17 Thread Chris Narkiewicz
I'm running OpenBSD 7.4 in a qemu VM on my laptop. After hibernation,
the VM clock is delayed.

ntpd works in background, but it fails to adjust the clock:

reply from 162.159.200.1: offset 0.005599 delay 0.013842, next query 32s
reply from 139.162.219.252: offset 0.007199 delay 0.011274, next query 30s
reply from 162.159.200.123: offset 0.007154 delay 0.010765, next query 31s
reply from 131.111.8.61: offset 0.007642 delay 0.016057, next query 30s
adjusting local clock by 4686.953122s
(...)
reply from 83.151.207.133: offset 0.011828 delay 0.014193, next query 33s
reply from 139.162.219.252: offset 0.009902 delay 0.011271, next query 32s
reply from 131.111.8.61: offset 0.010350 delay 0.015616, next query 33s
adjusting local clock by 4686.164970s
reply from 162.159.200.1: offset 0.013156 delay 0.011764, next query 34s
reply from 131.111.8.61: offset 0.013905 delay 0.017363, next query 30s
adjusting local clock by 4686.001301s

However, the clock does not budge at all. I can still manually set
the clock with date -s HHMM.

Not sure how to debug it. Is it because I'm using a VM and it doesn't
support it?

diso# dmesg | grep pvclock
pvclock0 at pvbus0

Best regards,
Chris Narkiewicz
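The log above shows ntpd announcing an adjustment of roughly 4687 s on every pass while the per-peer offsets stay in the millisecond range, which is the signature of a slew that never lands. As an added example (not part of the original post), here is a small Python parser over the post's own log lines, copied in as a constructed sample, that extracts both series and flags the case where the announced adjustment stays large and does not shrink between reports. The thresholds in `clock_stuck` are assumptions chosen for the example.

```python
import re

# Constructed sample: a handful of the ntpd lines quoted in the post above.
SAMPLE_LOG = """\
reply from 162.159.200.1: offset 0.005599 delay 0.013842, next query 32s
reply from 139.162.219.252: offset 0.007199 delay 0.011274, next query 30s
reply from 131.111.8.61: offset 0.007642 delay 0.016057, next query 30s
adjusting local clock by 4686.953122s
reply from 83.151.207.133: offset 0.011828 delay 0.014193, next query 33s
adjusting local clock by 4686.164970s
reply from 162.159.200.1: offset 0.013156 delay 0.011764, next query 34s
adjusting local clock by 4686.001301s
"""

REPLY_RE = re.compile(r"^reply from (\S+): offset (-?[\d.]+) delay ([\d.]+)")
ADJUST_RE = re.compile(r"^adjusting local clock by (-?[\d.]+)s")


def parse_ntpd_log(text):
    """Split ntpd's log into per-peer (peer, offset, delay) tuples and the
    sequence of announced local clock adjustments, all in seconds."""
    replies, adjustments = [], []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies.append((m.group(1), float(m.group(2)), float(m.group(3))))
            continue
        m = ADJUST_RE.match(line)
        if m:
            adjustments.append(float(m.group(1)))
    return replies, adjustments


def clock_stuck(adjustments, min_adjust=1.0, min_shrink=0.01):
    """True when ntpd keeps announcing a large adjustment (>= min_adjust s)
    whose magnitude shrinks by less than min_shrink (a fraction) between the
    first and the last report, i.e. the kernel is not applying the slew.
    Both thresholds are assumptions made for this example."""
    if len(adjustments) < 2 or abs(adjustments[0]) < min_adjust:
        return False
    first, last = abs(adjustments[0]), abs(adjustments[-1])
    return (first - last) / first < min_shrink


if __name__ == "__main__":
    replies, adjustments = parse_ntpd_log(SAMPLE_LOG)
    worst = max(abs(o) for _, o, _ in replies)
    print(f"{len(replies)} peer replies, largest |offset| {worst:.6f}s")
    print(f"announced adjustments: {adjustments}")
    print("clock adjustment not taking effect" if clock_stuck(adjustments)
          else "adjustment converging")
```

Run against a live /var/log/daemon this gives a quick yes/no on whether the repeated "adjusting local clock" lines are actually converging, which is the distinction that separates a slow slew from a clock that is not being touched at all.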



Re: netcup.eu arm64 (kvm, Ampere Altra), bsd.rd hangup

2023-12-17 Thread Chris Narkiewicz
On Sun, Dec 17, 2023 at 09:56:04PM +0100, Sven Wolf wrote:
> I only have access to the graphical console 

IIRC they have a forum where some support could be provided.
I'd ask about serial over lan access. Hetzner have it, but I'm not
sure about netcup.

Best regards,
Chris Narkiewicz



Auto-install over network using UEFI

2023-11-21 Thread Chris Narkiewicz
I'm experimenting with auto-install over the network using linux libvirt
(qemu).

I managed to load pxeboot in BIOS mode and I'm wondering if UEFI
is supported.

According to this blog, I should load BOOTX64.EFI instead of pxeboot.

https://eradman.com/posts/autoinstall-openbsd.html

I was skeptical but tried it nevertheless, and the system immediately reboots after
probing the disk:

probing: p0 com0 mem[640K 2029M 9M 3M]
disk:BS->LocateHandle() returns 14


Is it possible to net-boot the installer in UEFI mode using QEMU?

Cheers,
Chris



Custom siteXY.tgz and signature verification

2023-10-27 Thread Chris Narkiewicz
I'm trying to automate some deployment and I use a miniroot image with
an HTTPS repository containing site74.tgz and site74-$(hostname -s).tgz.

Custom file sets are not signed (obviously) so the installer complains
about fileset validation.

Is there a way to supply a custom signing key for the installer, in a
similar way to how we bootstrap firmware files by mounting the image using
vnd?

Best regards,
Chris Narkiewicz



Limiting RAM on boot to emulate low-memory situation

2023-10-20 Thread Chris Narkiewicz
Is it possible to decrease the amount of available RAM at boot time?

I'm about to migrate some VPS system to a significantly cheaper option
that comes with less RAM and I need to evaluate how the existing system
will behave.

Sadly, I can't reconfigure RAM in VPS config.

Cheers,
Chris



Re: OT: Github requiring 2FA auth, meaning

2023-08-29 Thread Chris Narkiewicz
On Tue, Aug 29, 2023 at 08:40:38PM +0200, Daniele B. wrote:

> Since today powers and financial interests will be able to block me
> access to the Github platform by their discrection. All ready for
> that?

Yes, Firefox from ports seems to handle Yubikey 2FA just fine.

Best regards,
Chris Narkiewicz



Re: non-amd64 vps's in europe?

2023-08-13 Thread Chris Narkiewicz
On Sun, Aug 13, 2023 at 09:17:58AM +0200, Peter J. Philipp wrote:
> He doesn't want to deal with hetzner because of their tight control checks
> regarding id cards and stuff.

Huh? They didn't check my national ID nor passport. Payment card was enough.

Is he using some dodgy payment method that triggered KYC alarm?

Given that a VPS can be used for criminal activity, I doubt he will
find anyone willing to provide the service without KYC.

Best regards,
Chris Narkiewicz



Re: how to startx with kde?

2023-07-22 Thread Chris Narkiewicz
On Sun, Jul 23, 2023 at 03:22:13AM +0800, ykla wrote:
> Hi,
> 
> I install kde by pkg_add kde but how to boot it?

There is no Plasma desktop on OpenBSD. KDE metapackage
installs KDE applications.

Best regards,
Chris Narkiewicz



Re: Syspatch https://cdn.openbsd.org/pub/OpenBSD

2023-07-12 Thread Chris Narkiewicz
On Wed, Jul 12, 2023 at 03:19:17PM -0700, latin...@vcn.bc.ca wrote:
> Is it working?
> https://cdn.openbsd.org/pub/OpenBSD

Works for me.

Best regards,
Chris Narkiewicz



Re: Hibernation on Thinkpad Carbon X1 gen 7 - unhibernate failed

2023-06-17 Thread Chris Narkiewicz
On Sat, 2023-06-17 at 09:21 -0600, Ashlen wrote:
> I have a 7th gen X1 Carbon and am not sure that the hardware is the
> issue here. I've only experienced this very rarely.
> 

I can confirm that I managed to unhibernate successfully and the error
is no longer occurring, confirming your observation.

However, image unhibernation took about 5 minutes.

unhibernating @ block 50329532 length 750MB <- this takes ~5 minutes
Unpacking image... <- this takes a few seconds and I'm back in X11

I was so confused that I thought it just hangs.

How long does it take to ZZZ and unhibernate?

Cheers,
Chris



Hibernation on Thinkpad Carbon X1 gen 7 - unhibernate failed

2023-06-16 Thread Chris Narkiewicz
Hi,

I got a Thinkpad Carbon X1 gen7 and I tried to test hibernation (ZZZ).

When the system resumed, it took several minutes to load the image.
dmesg shows:

unhibernate failed: original kernel changed

and my iwm0 wifi card is not visible anymore.

Is there somebody with a 7th gen X1 that could confirm?
According to https://jcs.org/2019/08/14/x1c7 it should work.

Thanks for any suggestions,
Chris



Generating xorg.conf

2023-06-16 Thread Chris Narkiewicz
Hi,

I'm trying to customize my touchpad input handling in X11.
Normally I'd call X -configure to generate the config file
and tune it to my needs.

X -h lists -configure as an available option. However, when calling
X -configure, it says the option is not recognized:

# X -configure
...
(EE)
Fatal server error:
(EE) Unrecognized option: -configure
(EE)
(EE)
Please consult the The X.Org Foundation support
...

I'm puzzled. Is it supported? Can I generate an xorg config?

Cheers,
Chris



Battery not detected on StarLabs Starlite Mk IV

2023-05-27 Thread Chris Narkiewicz
Hi,

I'm struggling with a battery problem on StarLabs Starlite Mk IV.

The laptop is flashed with an AMI BIOS and I noticed that the battery is not
detected reliably. When the battery is not detected, the AC adapter cable
is not detected either. I can see acpiac0 but the cable is not
reported as connected in apm.

In Linux it works reliably, so I suppose it must be some combination
of a firmware issue and/or better autodetection logic.

I'm wondering how I can debug the root cause of the issue.

I'd be grateful for any suggestions.

Cheers,
Chris Narkiewicz



InfluxDB stopped working on OpenBSD 7.3

2023-04-14 Thread Chris Narkiewicz
I have a fresh OpenBSD 7.3 install (no update) with InfluxDB installed
from packages.

When I tried to start it, it did start initially, but eventually it
crashed. Now I can't start it again.

It complains about a bad system call. Could that be related to the latest
security features?

Below is rcctl -d output. I'd be thankful for any suggestions.

dev# rcctl -d start influxdb   
doing _rc_parse_conf
influxdb_flags empty, using default ><
doing rc_check
influxdb
doing rc_start
doing _rc_wait_for_start
doing rc_check
influxdb[2285]: ts=2023-04-15T00:19:33.358242Z lvl=info msg="InfluxDB
starting" log_id=0hC_LoRW000 version=unknown branch=unknown
commit=unknown
influxdb[2285]: ts=2023-04-15T00:19:33.358479Z lvl=info msg="Go
runtime" log_id=0hC_LoRW000 version=go1.20.1 maxprocs=1
influxdb[2285]: ts=2023-04-15T00:19:33.383092Z lvl=info msg="Using data
dir" log_id=0hC_LoRW000 service=store path=/var/influxdb/data
influxdb[2285]: ts=2023-04-15T00:19:33.383498Z lvl=info msg="Compaction
settings" log_id=0hC_LoRW000 service=store max_concurrent_compactions=1
throughput_bytes_per_second=50331648
throughput_bytes_per_second_burst=50331648
influxdb[2285]: ts=2023-04-15T00:19:33.383565Z lvl=info msg="Open store
(start)" log_id=0hC_LoRW000 service=store trace_id=0hC_LoXl000
op_name=tsdb_open op_event=start
influxdb[2285]: SIGSYS: bad system call
influxdb[2285]: PC=0x23c8afdf7 m=0 sigcode=0
influxdb[2285]: 
influxdb[2285]: goroutine 0 [idle]:
influxdb[2285]: syscall.rawSyscall10X(0x1d704e0, 0xc5, 0x0, 0x10248,
0x1, 0x1, 0x18, 0x0, 0x0, 0x0, ...)
influxdb[2285]: runtime/sys_openbsd3.go:114 +0x4d
fp=0xc6d820 sp=0xc6d800 pc=0x1d10bad
influxdb[2285]: syscall.rawSyscall10X(0x0?, 0xc6d900?, 0x1ce9291?,
0x1?, 0x0?, 0xc0002b7380?, 0xc6d900?, 0x0?, 0xc6d938?, 0x0,
...)
influxdb[2285]: :1 +0x59 fp=0xc6d8a0
sp=0xc6d820 pc=0x1d16d79
influxdb[2285]: syscall.syscall9Internal(0xc0002b7380?, 0x20003?,
0xc6d958?, 0x1ce89e5?, 0xc0002b7380?, 0xc6d978?, 0x1d0eabb?,
0xc0002b7380?, 0x20003?, 0x0)
influxdb[2285]: syscall/syscall_openbsd_libc.go:38 +0x49
fp=0xc6d908 sp=0xc6d8a0 pc=0x1d6a489
influxdb[2285]: syscall.syscall9Internal(0xc5, 0x0, 0x10248, 0x1, 0x1,
0x18, 0x0, 0x0, 0x0, 0x0)
influxdb[2285]: :1 +0x68 fp=0xc6d968
sp=0xc6d908 pc=0x1d70f08
influxdb[2285]: golang.org/x/sys/unix.mmap(0x1d6d534?, 0x0?, 0xc6da60?, 0xc6da18?, 0x1d90366?, 0xc0005275f8?)
influxdb[2285]: golang.org/x/sys@v0.0.0-20201119102817-f84b799fce68/unix/zsyscall_openbsd_amd64.go:1639 +0x52 fp=0xc6d9e8 sp=0xc6d968 pc=0x2062532
influxdb[2285]: golang.org/x/sys/unix.(*mmapper).Mmap(0x2a60da0, 0xc6dab0?, 0xcc4900?, 0x10248, 0xc6db20?, 0x1d902cc?)
influxdb[2285]: golang.org/x/sys@v0.0.0-20201119102817-f84b799fce68/unix/syscall_unix.go:113 +0x89 fp=0xc6da90 sp=0xc6d9e8 pc=0x2061d69
influxdb[2285]: golang.org/x/sys/unix.Mmap(...)
influxdb[2285]: golang.org/x/sys@v0.0.0-20201119102817-f84b799fce68/unix/syscall_bsd.go:650
influxdb[2285]: github.com/influxdata/influxdb/tsdb/engine/tsm1.mmap(0xc0003a61d0?, 0xc0003a61d0?, 0x60?)
influxdb[2285]: github.com/influxdata/influxdb/tsdb/engine/tsm1/mmap_unix.go:18 +0x65 fp=0xc6dad8 sp=0xc6da90 pc=0x29b5d65
influxdb[2285]: github.com/influxdata/influxdb/tsdb/engine/tsm1.(*mmapAccessor).init(0xc000430d20)
influxdb[2285]: github.com/influxdata/influxdb/tsdb/engine/tsm1/reader.go:1335 +0x113 fp=0xc6db70 sp=0xc6dad8 pc=0x29bedf3
influxdb[2285]: github.com/influxdata/influxdb/tsdb/engine/tsm1.NewTSMReader(0xc0003a61d0, {0xc6dc80, 0x1, 0x0?})
influxdb[2285]: github.com/influxdata/influxdb/tsdb/engine/tsm1/reader.go:239 +0x18d fp=0xc6dbe8 sp=0xc6db70 pc=0x29b802d
influxdb[2285]: github.com/influxdata/influxdb/tsdb/engine/tsm1.(*FileStore).Open.func1(0x0, 0xc0003a61d0)
influxdb[2285]: github.com/influxdata/influxdb/tsdb/engine/tsm1/file_store.go:543 +0x115 fp=0xc6dfc0 sp=0xc6dbe8 pc=0x299f1d5
influxdb[2285]: github.com/influxdata/influxdb/tsdb/engine/tsm1.(*FileStore).Open.func3()
influxdb[2285]: github.com/influxdata/influxdb/tsdb/engine/tsm1/file_store.go:565 +0x2e fp=0xc6dfe0 sp=0xc6dfc0 pc=0x299f08e
influxdb[2285]: runtime.goexit()
influxdb[2285]: runtime/asm_amd64.s:1598 +0x1 fp=0xc6dfe8
sp=0xc6dfe0 pc=0x1d14141
influxdb[2285]: created by
github.com/influxdata/influxdb/tsdb/engine/tsm1.(*FileStore).Open
influxdb[2285]:
github.com/influxdata/influxdb/tsdb/engine/tsm1/file_store.go:535 +0x4a5
influxdb[2285]: 
influxdb[2285]: goroutine 16 [running]:
influxdb[2285]: runtime.systemstack_switch()
influxdb[2285]: runtime/asm_amd64.s:463 fp=0xc6d7d0
sp=0xc6d7c8 pc=0x1d11f00
influxdb[2285]: runtime.libcCall(0x0?, 0xc0002b7380?)
influxdb[2285]: runtime/sys_libc.go:49 +0x66 fp=0xc6d800
sp=0xc6d7d0 pc=0x1cfdee6
influxdb[2285]: syscall.rawSyscall10X(0x1d704e0, 0xc5, 0x0, 0x10248,
0x1, 

amd64 ddb somewhat poor - why?

2021-09-03 Thread Chris Narkiewicz
Hi,

The amd64 page (https://ftp.openbsd.org/amd64.html) states that:

The only major shortcoming at this time is that the kernel
debugger ddb is somewhat poor.

Not being familiar with it myself, can someone explain to me why amd64
is considered "poor" and what shortcomings it has, relative to other
platforms?

Cheers,
Chris


signature.asc
Description: PGP signature


Re: Sunday presentation on OpenBSD

2021-08-29 Thread Chris Narkiewicz
On Sat, Aug 21, 2021 at 07:12:41PM -0600, Jonathan Drews wrote:
> This Sunday Peter Hansteen will give a presentation on OpenBSD:
> 
> "Recent and not so recent changes in OpenBSD that make
> life better"

Any recording available?





X11 SIGSEGV on VirtualBox

2021-06-18 Thread Chris Narkiewicz
I'm trying to run xenodm on VirtualBox VM.
VirtualBox 6.1.16_Ubuntu r140961 running on Ubuntu 20.04 with Intel
card. VM uses VMSVGA display with NO 3D acceleration.

Fresh OpenBSD 6.9 install, but I tried latest snapshot - same problem.

When starting Xorg server, it crashes with SIGSEGV. Does anybody know
why it happens? How can I generate some actionable debug output, such
as stacktrace, to help identify root cause?

Here is complete /var/log/Xorg.0.log:

[13.815] (WW) checkDevMem: failed to open /dev/xf86 and /dev/mem
(Operation not permitted)
Check that you have set 'machdep.allowaperture=1'
in /etc/sysctl.conf and reboot your machine
refer to xf86(4) for details
[13.815]linear framebuffer access unavailable
[13.858] (--) Using wscons driver on /dev/ttyC4
[13.868] 
X.Org X Server 1.20.10
X Protocol Version 11, Revision 0
[13.868] Build Operating System: OpenBSD 6.9 amd64 
[13.868] Current Operating System: OpenBSD ws.etacassiopeiae.net 6.9 
GENERIC#4 amd64
[13.868] Build Date: 19 April 2021  11:06:48AM
[13.868]  
[13.868] Current version of pixman: 0.38.4
[13.868]Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
[13.868] Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[13.868] (==) Log file: "/var/log/Xorg.0.log", Time: Fri Jun 18 21:17:03 
2021
[13.869] (==) Using system config directory 
"/usr/X11R6/share/X11/xorg.conf.d"
[13.871] (==) No Layout section.  Using the first Screen section.
[13.871] (==) No screen section available. Using defaults.
[13.871] (**) |-->Screen "Default Screen Section" (0)
[13.871] (**) |   |-->Monitor ""
[13.877] (==) No monitor specified for screen "Default Screen Section".
Using a default monitor configuration.
[13.877] (==) Automatically adding devices
[13.877] (==) Automatically enabling devices
[13.877] (==) Not automatically adding GPU devices
[13.877] (==) Max clients allowed: 256, resource mask: 0x1f
[13.883] (==) FontPath set to:
/usr/X11R6/lib/X11/fonts/misc/,
/usr/X11R6/lib/X11/fonts/TTF/,
/usr/X11R6/lib/X11/fonts/OTF/,
/usr/X11R6/lib/X11/fonts/Type1/,
/usr/X11R6/lib/X11/fonts/100dpi/,
/usr/X11R6/lib/X11/fonts/75dpi/
[13.883] (==) ModulePath set to "/usr/X11R6/lib/modules"
[13.883] (II) The server relies on wscons to provide the list of input 
devices.
If no devices become available, reconfigure wscons or disable 
AutoAddDevices.
[13.883] (II) Loader magic: 0x897417d3f10
[13.883] (II) Module ABI versions:
[13.883]X.Org ANSI C Emulation: 0.4
[13.883]X.Org Video Driver: 24.1
[13.883]X.Org XInput driver : 24.1
[13.883]X.Org Server Extension : 10.0
[13.885] (--) PCI:*(0@0:2:0) 15ad:0405:15ad:0405 rev 0, Mem @ 
0xe000/33554432, 0xf000/2097152, I/O @ 0xd000/16
[13.885] (II) LoadModule: "glx"
[13.887] (II) Loading /usr/X11R6/lib/modules/extensions/libglx.so
[13.898] (II) Module glx: vendor="X.Org Foundation"
[13.898]compiled for 1.20.10, module version = 1.0.0
[13.898]ABI class: X.Org Server Extension, version 10.0
[13.898] (==) Matched vmware as autoconfigured driver 0
[13.898] (==) Matched vesa as autoconfigured driver 1
[13.898] (==) Assigned the driver to the xf86ConfigLayout
[13.898] (II) LoadModule: "vmware"
[13.898] (II) Loading /usr/X11R6/lib/modules/drivers/vmware_drv.so
[13.899] (II) Module vmware: vendor="X.Org Foundation"
[13.899]compiled for 1.20.10, module version = 13.1.0
[13.899]Module class: X.Org Video Driver
[13.899]ABI class: X.Org Video Driver, version 24.1
[13.899] (II) LoadModule: "vesa"
[13.900] (II) Loading /usr/X11R6/lib/modules/drivers/vesa_drv.so
[13.901] (II) Module vesa: vendor="X.Org Foundation"
[13.901]compiled for 1.20.10, module version = 2.3.4
[13.901]Module class: X.Org Video Driver
[13.902]ABI class: X.Org Video Driver, version 24.1
[13.902] (II) vmware: driver for VMware SVGA: vmware0405, vmware0710
[13.902] (II) VESA: driver for VESA chipsets: vesa
[13.902] (WW) Falling back to old probe method for vesa
[13.902] (II) vmware(0): Driver was compiled without KMS- and 3D support.
[13.902] (WW) vmware(0): Disabling 3D support.
[13.902] (WW) vmware(0): Disabling Render Acceleration.
[13.902] (WW) vmware(0): Disabling RandR12+ support.
[13.902] (--) vmware(0): VMware SVGA regs at (0xd000, 0xd001)
[13.902] (II) Loading sub module "vgahw"
[13.902] (II) LoadModule: "vgahw"
[13.903] (II) Loading /usr/X11R6/lib/modules/libvgahw.so
[13.903] (II) Module vgahw: vendor="X.Org Foundation"
[13.903]compiled for 1.20.10, 

httpd fastcgi timeout during transfer

2021-04-20 Thread Chris Narkiewicz
Hi,

I have an httpd serving a PHP app via the FastCGI interface.
This application sends quite large data (1GB) but httpd
times out the connection during the transfer.

What I found is the following sequence of events:

1) curl https://somehost/download/stuff
2) transfer starts
3) no mention of the new connection in access.log and error.log
   or stdout/stderr
4) 50-60s later I can see the GET request in access.log
5) 60s later the connection timeout event occurs
6) curl fails

I tried to trace the source of this issue but I'm not
familiar with the httpd code. This is the only place where
a timeout is set in fastcgi:

/usr.sbin/httpd/server_fcgi.c:369

	bufferevent_settimeout(clt->clt_srvbev,
	    srv_conf->timeout.tv_sec, srv_conf->timeout.tv_sec);
	bufferevent_enable(clt->clt_srvbev, EV_READ|EV_WRITE);
	if (clt->clt_toread != 0) {
		server_read_httpcontent(clt->clt_bev, clt);
		bufferevent_enable(clt->clt_bev, EV_READ);
	} else {
		bufferevent_disable(clt->clt_bev, EV_READ);
		fcgi_add_stdin(clt, NULL);
	}

Nothing too suspicious here, but I can't figure out
why it times out despite data being actively pumped
through the connection.

Any suggestions welcome. I'm out of ideas.

Cheers,
Chris




httpd passes rogue request to internal vhost

2021-04-11 Thread Chris Narkiewicz
I have a machine with OpenBSD 6.8 and with 2 network interfaces:

egress
intranet

httpd has 3 vhosts defined:

server "default" {
	listen on * tls port 443
	...
	location * {
		block return 403
	}
}

server "externalapp.publicdomain.net" {
	listen on egress tls port 443
	...
}

server "internalapp.privatedomain.net" {
	listen on intranet tls port 443
	...
}

So far so good, but when I try to access
"internalapp.privatedomain.net" from the internet, it serves the page
happily. I double checked that I had no access to the intranet at that
moment.

But when I change the "default" server to:

server "default" {
	listen on egress tls port 443
	listen on intranet port 443
	...
}

and try again, I get proper 403.

Is that a bug or some sort of non-intuitive behavior of the listen on *
stanza?

Cheers,
Chris




relayd and EC tls - key size 832 is not supported

2021-04-05 Thread Chris Narkiewicz
Hi,

I'm configuring relayd to run a grafana vhost (grafana does not
support FastCGI).

My relayd.conf is:

http protocol "www" {
	match request header "Host" value "grafana.mydomain.net" forward to 
	tls keypair grafana.mydomain.net
}

relay "www" {
	listen on wg0 port 443 tls
	protocol www
	forward to  port 3000
}
# end of relayd.conf

The TLS certificate has been generated using easyrsa, and it uses the EC algorithm
with the secp384r1 curve.

When I start relayd, it complains about an unsupported key size:

ca_engine_init: using RSA privsep engine
...
ssl_ctx_fake_private_key: key size 832 not support


When I use an RSA certificate generated using Let's Encrypt, it works.
Does it support EC? Am I doing something wrong?


Full relayd output in verbose mode:

grafana# relayd -dvv
startup
pfe: filter init done
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
relay_load_certfiles: using certificate /etc/ssl/grafana.mydomain.net.crt
relay_load_certfiles: using private key 
/etc/ssl/private/grafana.mydomain.net.key
parent_tls_ticket_rekey: rekeying tickets
relay_privinit: adding relay www
protocol 1: name www
flags: used, relay flags: tls
tls flags: tlsv1.2, tlsv1.3, cipher-server-preference
tls session tickets: disabled
type: http
match request header "Host" value "grafana.mydomain.net" 
forward to  
socket_rlimit: max open files 1024
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
relay_tls_ctx_create: loading certificate
ssl_ctx_fake_private_key: key size 832 not support

Cheers,
Chris




Shared memory segments are not removed after process exit

2021-02-05 Thread Chris Narkiewicz
I'm running a tandem of Xvfb + x11vnc on a headless box.
x11vnc runs as _x11 user.

This stack works pretty well for me until one of the processes
restarts.

When Xvfb restarts, it no longer enables the SHM extension.

# Xvfb
MIT-SHM extension disabled due to lack of kernel support


When I check ipcs, I see a lot of shm segments:

# ipcs | grep _x11 | wc -l
137

Both processes are dead at this stage, so I'm not sure why those shm
segments are not collected?

When I manually remove them using ipcrm -m , I can restart Xvfb
and it will happily enable the SHM extension. x11vnc will also work as
well.

Is that expected behaviour? How can I ensure shm segments are
purged when the processes are no longer running?

Cheers,
Chris


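Added example (not from the original post): a small Python helper that reads an `ipcs -m -a` style table and lists only the segments that no process is attached to, which are the ones that are safe to hand to ipcrm; segments still attached to a live process are left alone. The sample table, its column headers and the segment ids are constructed for the example, and the header names are an assumption about the layout, so check the real header on your machine before running this against live output.

```python
# Constructed sample in the column layout assumed here for `ipcs -m -a`
# (header names, spacing and ids are made up for the example).
SAMPLE_IPCS = """\
Shared Memory:
T        ID     KEY        MODE       OWNER    GROUP   CREATOR  CGROUP  NATTCH      SEGSZ  CPID  LPID    ATIME    DTIME    CTIME
m    327680          0 --rw-------     _x11     _x11      _x11    _x11       0    4194304  4711  4712 12:00:01 12:00:05 12:00:00
m    327681          0 --rw-------     _x11     _x11      _x11    _x11       2    4194304  4711  4713 12:00:02 no-entry 12:00:01
m         1          0 --rw-r--r--     root    wheel      root   wheel       1      65536   100   100 11:00:00 no-entry 11:00:00
"""


def parse_ipcs_shm(text):
    """Parse the shared-memory table into dicts keyed by column name.
    The header row (the one starting with 'T' and containing 'ID') defines
    the columns; data rows are the ones whose type column is 'm'. Rows with
    a different field count are skipped rather than mis-assigned."""
    rows, columns = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "T" and "ID" in fields:
            columns = fields
            continue
        if columns and fields[0] == "m" and len(fields) == len(columns):
            rows.append(dict(zip(columns, fields)))
    return rows


def stale_segments(text, owner=None):
    """Ids of segments with no attached process (NATTCH == 0), optionally
    restricted to one owner. These are what a creator leaves behind when it
    exits without calling shmctl(IPC_RMID); everything else is still in use."""
    return [int(r["ID"]) for r in parse_ipcs_shm(text)
            if int(r["NATTCH"]) == 0 and (owner is None or r["OWNER"] == owner)]


def ipcrm_commands(ids):
    """The ipcrm invocations that would remove the given segments.
    Print and review them first; this function deliberately runs nothing."""
    return [f"ipcrm -m {i}" for i in ids]


if __name__ == "__main__":
    # With real data: stale_segments(subprocess.run(["ipcs", "-m", "-a"], ...).stdout)
    ids = stale_segments(SAMPLE_IPCS, owner="_x11")
    print("\n".join(ipcrm_commands(ids)))
```

Selecting on NATTCH rather than on the owner alone matters: the post's `grep _x11` count includes segments still attached to a running x11vnc, and removing those would break the live session rather than clean up after the dead one.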


Re: [SOLVED] PPPoE connection does not set IP

2020-12-09 Thread Chris Narkiewicz
On Wed, Dec 09, 2020 at 10:59:53AM -, Stuart Henderson wrote:
> Setting "inet" brings the interface up automatically. Move that
> down after the point you have set the connection parameters.

I escaped newlines with \ to make it one big line and this solved the
issue. Thank you.

Cheerio,
Chris




Re: PPPoE connection does not set IP

2020-12-09 Thread Chris Narkiewicz
On Wed, Dec 09, 2020 at 01:12:11PM +0100, Georg Bege wrote:
> Hello,
> 
> I'm also on a VDSL connection from the german ISP T-Online -
> 
> I see that you don't use any VLAN, are you sure that this is
> correct?

This is supposed to be handled by the ISP's modem internally.

When I look at a working OpenWrt configuration,
it uses VLAN on the DSL interface and exposes the pppoe interface
without VLAN.

Cheers,
Chris




PPPoE connection does not set IP

2020-12-08 Thread Chris Narkiewicz
covery
code Terminate, version 1, type 1, id 0x144e, length 0



Best regards,
Chris Narkiewicz

-- 
+44 7502 415 180 (Phone, Signal, WhatsApp)




Cannot open authorized_keys

2020-06-13 Thread Chris Narkiewicz
I have a user with a non-standard $HOME location
and I added a key to authorized_keys.

When I try to login via SSH, I get a password prompt.

When looking at sshd debug logs, I see this:

debug1: Could not open authorized keys
'/var/home/user/.ssh/authorized_keys': Permission denied

It's a bit strange that the ssh daemon cannot open the keys.
Why is that? Some sort of security to prevent sshd
touching anything outside /home?

Cheers,
Chris


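Added example (not from the original post): a Python checker for the conditions under which sshd can read a user's authorized_keys, modelled on sshd's StrictModes rules as assumed here (ownership by the user or root, nothing group/world-writable) plus the one that a home outside /home most often trips over: every directory on the path down to ~/.ssh has to be searchable by that user. The `demo()` function builds a constructed home under a temporary directory and runs the check for the owning uid, for a hypothetical other uid, and again after loosening ~/.ssh. Group membership is ignored, which is a simplification; sshd(8) remains the authority on the exact rules.

```python
import os
import stat
import tempfile


def _searchable_by(st, uid):
    """Can `uid` traverse a directory with this stat? The owner needs the owner
    x bit, everyone else the 'other' x bit (group is ignored: assumed simplification)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    return bool(st.st_mode & stat.S_IXOTH)


def check_authorized_keys(home, uid, stop_at="/"):
    """Return (path, reason) pairs that would stop sshd from reading
    ~/.ssh/authorized_keys for `uid`; an empty list means it looks fine."""
    problems = []
    home = os.path.abspath(home)
    sshdir = os.path.join(home, ".ssh")
    keys = os.path.join(sshdir, "authorized_keys")

    # 1. Every directory from stop_at down to ~/.ssh must be searchable by uid.
    chain, d, top = [], sshdir, os.path.abspath(stop_at)
    while True:
        chain.append(d)
        if d == top or os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)
    for d in reversed(chain):
        if not os.path.isdir(d):
            problems.append((d, "missing"))
            continue
        if not _searchable_by(os.stat(d), uid):
            problems.append((d, "not-searchable"))

    # 2. home, .ssh and the file: owned by uid or root, not group/world-writable.
    for p in (home, sshdir, keys):
        if not os.path.exists(p):
            problems.append((p, "missing"))
            continue
        st = os.stat(p)
        if st.st_uid not in (uid, 0):
            problems.append((p, "bad-owner"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((p, "writable"))
    return problems


def demo():
    """Constructed scenario: a private parent directory (like /var/home) holding
    one user's home. Returns the findings for the owner, for another uid, and
    after ~/.ssh has been made world-writable."""
    me = os.getuid()
    root = tempfile.mkdtemp()          # stands in for /var/home
    os.chmod(root, 0o700)
    home = os.path.join(root, "user")
    sshdir = os.path.join(home, ".ssh")
    os.makedirs(sshdir)
    os.chmod(home, 0o755)
    os.chmod(sshdir, 0o700)
    keys = os.path.join(sshdir, "authorized_keys")
    with open(keys, "w") as f:
        f.write("ssh-ed25519 AAAAC3placeholder-constructed-key user@host\n")
    os.chmod(keys, 0o600)
    ok = check_authorized_keys(home, me, stop_at=root)
    other = check_authorized_keys(home, me + 1, stop_at=root)  # hypothetical other uid
    os.chmod(sshdir, 0o777)
    loose = check_authorized_keys(home, me, stop_at=root)
    return ok, other, loose


if __name__ == "__main__":
    for label, findings in zip(("owner", "other uid", "loose .ssh"), demo()):
        print(f"{label}: {findings or 'ok'}")
```

On a real system, run it as `check_authorized_keys("/var/home/user", uid)` with `stop_at="/"` so the walk covers /var and /var/home as well; a "not-searchable" finding on one of those parents is exactly the case a non-standard home introduces and a plain `ls -l ~/.ssh` never shows.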


Mounting encrypted drive on boot

2020-06-02 Thread Chris Narkiewicz
My setup consists of OpenBSD 6.7 with full drive encryption using
softraid, configured as described in the FAQ:

/dev/sd0a - encrypted volume
/dev/sd1 - decrypted 

I have an additional need to mount an encrypted /var volume on boot.
This volume is a separate drive attached to the VPS "machine".

I want to mount this drive automatically on boot by adding the
relevant entries to /etc/fstab, but before this can be done, the
softraid device must be configured using bioctl.

On Linux this is done by adding some entries to /etc/crypttab,
and the boot script performs the required configuration before the disks
in fstab are mounted.

How can I do a similar thing in OpenBSD?

Somebody on StackOverflow advised modifying /etc/rc
to run bioctl before the disks are mounted, but I'm not sure
if this is the right approach, especially since attaching
more disks might change the /dev/sd* numbering.

What would be the best approach?

Best regards,
Chris




httpd option max body size is ignored for subdomain

2019-02-03 Thread Chris Narkiewicz
Hi,

I'm trying to configure Nextcloud on a subdomain. My config has 2
vhosts and connection max request body is not respected for my subdomain.

default vhost:

server "default" {
	listen on * port 80

	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}

	location * {
		block return 404
	}
}

server "default_tls" {
	listen on * tls port 443
	tls certificate ...
	tls key ...

	# I must place max request body here, but why?
	# connection max request body 536870912

	location * {
		block return 403
	}
}


nextcloud vhost:

server "nextcloud.mydomain.com" {
	listen on * tls port 443
	...
	# this is ignored! It takes the setting from "default_tls"!
	connection max request body 536870912
}

server "nextcloud.mydomain.com" {
listen on * port 80
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}

block return 301 "https://nextcloud.mydomain.com$REQUEST_URI"
}


When I try PUT a file to nextcloud.mydomain.com, my access.log tells me
that this request is handled by default_tls:

default_tls xx.xx.xx.xx - - [03/Feb/2019:14:38:35 +] "PUT
/remote.php/webdav/bigger-file.png HTTP/1.1" 413 0

For smaller files with body <1024k (default body limit) it works ok:

nextcloud.mydomain.com xx.xx.xx.xx - - [03/Feb/2019:14:39:51 +] "PUT
/remote.php/webdav/smaller-file.png HTTP/1.1" 201 0

Why is httpd not respecting the subdomain config?





X-Accel-Redirect equivalent for httpd

2018-12-20 Thread Chris Narkiewicz

Hi,

Is there an equivalent or alternative for NginX X-Accel-Redirect?

https://www.nginx.com/resources/wiki/start/topics/examples/x-accel/

I'm porting a Django app that checks the user's permissions before
allowing them to download a document, and this function uses
X-Accel-Redirect to achieve this.


I'd like to move the app to OpenBSD httpd. Any idea how to
crack this problem?

Best regards,
Chris



Re: spamd and google smtp ips

2018-11-01 Thread Chris Narkiewicz

On 30/10/2018 at 23:39, Stuart Henderson wrote:

I haven't run spamd myself for years, I got fed up with delayed and
lost mails.



Thanks. That was probably the tipping comment for me - I decided to search
for alternative spam protection.

It's the lost e-mails that are the thing I cannot afford, and in the absence
of a *reliable* whitelist, I decided not to go this route.


Best regards,
Chris



Re: Bluetooth Support

2018-10-30 Thread Chris Narkiewicz

On 30/10/2018 at 20:07, Marco Menne wrote:

I read in some forum that Bluetooth is not supported in OpenBSD.
Is this true?


It was, but bt was removed.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/netbt/Attic/bluetooth.h

Revision 1.7, Fri Jul 11 21:54:38 2014 UTC (4 years, 3 months ago) by tedu
Branch: MAIN
CVS Tags: HEAD
Changes since 1.6: +1 -1 lines
FILE REMOVED

"It's not the years, honey; it's the mileage."

bluetooth support doesn't work and isn't going anywhere. the current
design is a dead end, and should not be the basis for any future support.
general consensus says to whack it so as to not mislead the unwary.



Re: spamd and google smtp ips

2018-10-30 Thread Chris Narkiewicz

On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:

yes, a well-known problem, and it's what nospamd (hinted at in the spamd
man pages) is for.

To some extent it helps to whitelist IP addresses and networks that
domains list in their SPF info.


Yeah, I hoped there were some reputable sources of validated mail
sources based on SPF and DKIM.

I'll give your compiled list a try, but the fact that you maintain
it manually is a bit discouraging.

Best regards,
Chris



spamd and google smtp ips

2018-10-30 Thread Chris Narkiewicz

Hi,

I'm configuring spamd and I noticed that when I send an e-mail from
GMail, each time the e-mail is submitted by a different IP address.


Here is the spamdb output after sending a test email to myself:

GREY|209.85.219.182|mail-yb1-f182.google.com|...
GREY|209.85.219.177|mail-yb1-f177.google.com|...
GREY|209.85.219.176|mail-yb1-f176.google.com|...
GREY|209.85.219.172|mail-yb1-f172.google.com|...
GREY|209.85.219.180|mail-yb1-f180.google.com|...
GREY|209.85.219.175|mail-yb1-f175.google.com|...
GREY|209.85.219.173|mail-yb1-f173.google.com|...
GREY|209.85.219.179|mail-yb1-f179.google.com|...
GREY|209.85.208.46|mail-ed1-f46.google.com|...
GREY|209.85.161.52|mail-yw1-f52.google.com|...
... snip ...

Of course they are not whitelisted, as each submission
attempt is done by a different node and I guess google has A LOT of
them. I see 2 issues with that:

1) e-mail delivery takes a lot of time (as google uses exponential
backoff and stops frequent retries after a few failures)


2) whitelisted IPs are more likely to expire, as my server is
not getting a lot of gmail traffic

I suppose different big e-mail providers will
have similar issues.

I'm also running a BGP server to download a whitelist,
but it does not contain google servers.

Are there any solutions to get around this problem? Ideally I'd like
to just whitelist reputable mail providers, as I see little chance
that any spammer will outsmart Google/Yahoo/Microsoft/etc.
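The reply in this thread suggests whitelisting the networks a provider lists in its SPF record. As an added example (not code from the thread), here is a small Python SPF expander that follows include:/redirect= terms, honours qualifiers (a "-ip4:" term is not a pass) and guards against include loops; the SPF records are constructed sample data standing in for DNS TXT lookups, and the output format is assumed to match what spamd.conf(5)'s whitelist "file" method reads.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (sample data, not
# any real provider's records): includes, a redirect, an include loop and a
# "-ip4" term that must NOT end up in the whitelist.
SPF_RECORDS = {
    "example.com": "v=spf1 include:_spf.example.com -all",
    "mail.example.com": "v=spf1 redirect=example.com",
    "_spf.example.com": "v=spf1 include:_netblocks.example.com "
                        "include:_netblocks2.example.com ~all",
    "_netblocks.example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 "
                              "-ip4:203.0.113.0/24 ~all",
    "_netblocks2.example.com": "v=spf1 ip6:2001:db8::/32 "
                               "include:_spf.example.com ~all",
}

def spf_networks(domain, records, depth=0, seen=None):
    """Collect the ip4:/ip6: networks that a domain's SPF record passes.

    records maps a name to its SPF TXT string (stand-in for DNS). Only
    "+" (pass) terms count; the seen-set and depth limit stop include
    loops (RFC 7208 caps DNS-querying terms at 10 per evaluation).
    """
    seen = set() if seen is None else seen
    if domain in seen or depth > 10:
        return set()
    seen.add(domain)
    nets = set()
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return nets
    for term in record.split()[1:]:
        if term[0] in "-~?":          # fail / softfail / neutral: not a pass
            continue
        term = term.lstrip("+")
        if term.startswith(("ip4:", "ip6:")):
            nets.add(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
        elif term.startswith("include:"):
            nets |= spf_networks(term[len("include:"):], records, depth + 1, seen)
        elif term.startswith("redirect="):
            nets |= spf_networks(term[len("redirect="):], records, depth + 1, seen)
        # a, mx, ptr and exists need live DNS answers and are skipped here
    return nets

def whitelist_lines(domain, records):
    """One network per line, IPv4 first: the one-address-or-CIDR-per-line
    form assumed for a spamd.conf(5) whitelist "file" source."""
    nets = spf_networks(domain, records)
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]
```

Feeding real provider records through this still needs the a/mx/ptr/exists terms resolved, which this offline version deliberately skips.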



Re: spamd does not update /var/db/spamd

2018-10-30 Thread Chris Narkiewicz

On 30/10/2018 at 16:58, Chris Narkiewicz wrote:

On 30/10/2018 at 15:56, Ricardo Mestre wrote:

Hi Chris,

You are running spamdb /var/db/spamdb, that's not the way to use it.


I'm sorry, you were right. I misread both your e-mail and the man page.
Thank you all for your help.

Best regards,
Chris



Re: spamd does not update /var/db/spamd

2018-10-30 Thread Chris Narkiewicz

On 30/10/2018 at 15:53, Solene Rapenne wrote:

do you run spamd-setup(8)?

Yes, I see that it downloads nixspam and loads 20k IPs into spamd.

Best regards,
Chris



Re: spamd does not update /var/db/spamd

2018-10-30 Thread Chris Narkiewicz

On 30/10/2018 at 15:56, Ricardo Mestre wrote:

Hi Chris,

You are running spamdb /var/db/spamdb, that's not the way to use it.


According to spamdb(8), this is how to list all entries, which is what I
wanted to do.

I see no entries, so I assume the database is empty.

Best regards,
Chris



spamd does not update /var/db/spamd

2018-10-30 Thread Chris Narkiewicz

Hi,

I'm trying to use spamd to block spam using greylisting, but the spamd
database is not updated.


I run /usr/libexec/spamd -v -d to see what's happening and I definitely
see hosts connecting to it:


(GREY) 209.85.219.176: mytestem...@gmail.com> -> 
Got Grey HELO mail-yb1-f176.google.com, IP 209.85.219.176 from 
 to 

added  209.85.219.176
mail-yb1-f176.google.com


209.85.219.176 connected for 11 seconds.

I also tried to submit an email using the Python SMTP library and I
confirmed the 451 Temporary failure response.


But when I browse /var/db/spamd, there is nothing there.

My spamd is running and is referring to a correct file:

# ps aux | grep spamd
_spamd   93211  0.0  0.1  9672  1492 ??  Isp5:29AM0:00.00 spamd: 
(pf  update) (spamd)
_spamd   59023  0.0  0.5 10012  4836 ??  Ip 5:29AM0:00.02 spamd: 
[priv] (greylist) (spamd)
_spamd   13468  0.0  0.1  9640  1172 ??  Ip 5:29AM0:00.00 spamd: 
(/var/db/spamd update) (spamd)


The database file has correct perms:

# ls -l /var/db/spamd
-rw-r--r--  1 _spamd  _spamd  65536 Oct 30 05:30 /var/db/spamd

# spamdb /var/db/spamd


My spamd config is default.
OpenBSD 6.3.

What is wrong with it?

Best regards,
Chris



Re: Monit logs vfprintf %s NULL in "%s" all the time

2018-10-29 Thread Chris Narkiewicz

On 29/10/2018 at 19:24, Caspar Schutijser wrote:

(...) which seems to solve the same problem that
you are experiencing.


Ok, if this is a known problem, I'll upgrade. Thanks.

Best regards,
Chris



Monit logs vfprintf %s NULL in "%s" all the time

2018-10-28 Thread Chris Narkiewicz

I'm running Monit to look at a few services on OpenBSD 6.3 and I'm logging
to syslog.

In my /var/log/messages I routinely observe the following log entries:

Oct 27 22:00:01 alpha syslogd[97814]: restart
Oct 27 22:00:02 alpha monit: vfprintf %s NULL in "%s"
Oct 27 22:00:32 alpha last message repeated 11 times
Oct 27 22:02:32 alpha last message repeated 24 times
Oct 27 22:12:33 alpha last message repeated 120 times
Oct 27 22:22:33 alpha last message repeated 120 times
...and so on...

Monit is installed from ports.

$ monit --version
This is Monit version 5.25.1
Built with ssl, with ipv6, with compression, without pam and with large
files


Does anybody know what it means? This log is not very useful, but
it looks like some kind of bug.

Best regards,
Chris



Re: Vultr hosting of OpenBSD

2018-09-08 Thread Chris Narkiewicz

On 08/09/2018 19:55, Ken M wrote:
I have seen some comments here and there about issues with the default image


What kind of issues? I'm curious. Can you please provide a reference?



Re: Deploy Django app - strategy?

2018-08-28 Thread Chris Narkiewicz

On 28/08/2018 13:13, Dave Voutila wrote:

Any reason you can't use something like gunicorn as the app server and
use relayd on the egress?


I haven't thought about it. We have an existing stack with config files,
admin scripts, friendly Makefiles, etc. It's a turn-key solution
that gives me a running app hanging on a fastcgi socket.


Simple architecture would be egress running relayd and then gunicorn


What would be the benefit of "gunicorn+relayd" vs "uwsgi+httpd/nginx"?

There is admin know-how and automation around the current stack, but
I'm keen on re-evaluating it if there are other benefits elsewhere.

The biggest win would be a chroot-able app server, but I'm not sure if
it's easily doable with Python at all.

Doable with gunicorn?

Best regards,
Chris



uwsgi and semaphores limit

2018-08-27 Thread Chris Narkiewicz

Hi,

I'm trying to run the uwsgi server and I even managed to start it
successfully... once.

The second time, it aborted:

uwsgi_lock_ipcsem_init()/semget(): No space left on device [core/lock.c
line 519]


I checked ipcs (_mc is the user that runs uwsgi):

core# ipcs
Message Queues:
T   ID     KEY   MODE         OWNER   GROUP

Shared Memory:
T   ID     KEY   MODE         OWNER   GROUP

Semaphores:
T   ID     KEY   MODE         OWNER   GROUP
s   327680  0 --rw-rw-rw-  _mc  _mc
s   327681  0 --rw-rw-rw-  _mc  _mc
s   327682  0 --rw-rw-rw-  _mc  _mc
s   327683  0 --rw-rw-rw-  _mc  _mc
s   327684  0 --rw-rw-rw-  _mc  _mc
s   327685  0 --rw-rw-rw-  _mc  _mc
s   327686  0 --rw-rw-rw-  _mc  _mc
s   327687  0 --rw-rw-rw-  _mc  _mc

Ok, the docs say that semaphore limits are pretty low on *BSDs and
should be increased.

https://uwsgi-docs.readthedocs.io/en/latest/ThingsToKnow.html

2 questions then:

1) Why are there semaphores listed in ipcs if uwsgi is not running?
   I guess the listed ones were left by my first, successful run.

2) How to increase the number of allowed semaphores?

Best regards,
Chris



Re: Deploy Django app - strategy?

2018-08-26 Thread Chris Narkiewicz

On 26/08/2018 21:01, Paul de Weerd wrote:

Use python3 -m venv /path/to/venv to create a virtualenv using python3
and be done with it.


Yeah, it did the trick. I'm going to deprecate use of virtualenv,
since it's no longer needed with Python 3.6.

That will use a symlink to the actual python3
binary in /usr/local, so no issues with the lack of wxallowed on /var.
However, you'll have to deal with the chroot implications there...


I guess it's a non-starter with Django... I guess it'd be easier to
simply run it in Docker.


What webserver are you using?


It's a pretty standard stack:

* postgresql on localhost
* uwsgi on localhost with http/fastcgi protocol
* httpd on egress

Best regards,
Chris



Deploy Django app - strategy?

2018-08-26 Thread Chris Narkiewicz

I'm deploying a Django app on OpenBSD 6.3 and I'm struggling to
wrap my head around the best practices here.

On Linux we just bootstrap a virtualenv in the home directory and start
uwsgi (or an alternative), but on OpenBSD it seems to be a bit more
complicated:

core# mkdir /var/www/app
core# cd /var/www/app/

core# virtualenv-3 -p python3 env


Running virtualenv with interpreter /usr/local/bin/python3
Using base prefix '/usr/local'
New python executable in /var/www/app/env/bin/python3
Also creating executable in /var/www/app/env/bin/python
ERROR: The executable /var/www/app/env/bin/python3 could not be run:
[Errno 13] Permission denied: '/var/www/app/env/bin/python3'

Well, that makes perfect sense to me, since we're running
some binary that is not in a bin directory, but what is the recommended
way of deploying the app in such a situation?

I'm running on vultr, which provides a non-default disk layout:

core# mount
/dev/sd0a on / type ffs (local)
/dev/sd0d on /usr/local type ffs (local, nodev, wxallowed)

Thanks for any suggestions.