Re: CWM + Monitor Shutoff

2024-10-02 Thread David Coppa
On Wed, Oct 2, 2024 at 11:13 AM David Anthony  wrote:
>
> Thank you for the suggestions, misc.
>
> xset -dpms did not seem to work
> xset s noblank seems to partially work. Instead of my screen going black - it 
> now goes white-greyish
>
> Nonetheless the screen is now covered and whichever applications I was using 
> are no longer visible due to the screen being blanked out. Does anyone have 
> further suggestions?

I use:

xset s off
xset dpms 0 0 0

Cheers,
David



Re: CWM + Monitor Shutoff

2024-10-02 Thread David Anthony
Thank you for the suggestions, misc. 

xset -dpms did not seem to work
xset s noblank seems to partially work. Instead of my screen going
black - it now goes white-greyish

Nonetheless the screen is now covered and whichever applications I was
using are no longer visible due to the screen being blanked out. Does
anyone have further suggestions?
 
On Tue, 2024-10-01 at 20:05 -0500, izzy Meyer wrote:
> On Tue, 01 Oct 2024 13:12:33 -0400
> David Anthony  wrote:
> 
> > Hello,
> > 
> > Despite my best efforts - CWM always makes my monitor shutoff after a
> > few minutes. I'm not talking about screensaver, sleep or hibernate -
> > rather the monitor is entirely black but appears "on". Moving the
> > mouse resumes the display.
> > 
> > Does anyone know how I might stop this?
> 
> That's automatic display power management. Comes default with how
> Xenocara is configured, regardless of window manager. It's trivial to
> tweak that behaviour though.
> 
> Run $ xset -dpms to disable it temporarily, and $ xset +dpms to
> re-enable it.
> 
> It could also be worthwhile to do $ xset s noblank to disable
> screen blanking. To flop screen blanking back on, $ xset s blank.
> 
> You can probably configure your .xsession file to run that, or perhaps
> hack together a toggleable bind for CWM. I'm not a CWM user, so IDK
> the specifics on what that could look like. Best of luck to you.
> 
> This xset stuff *should* be applicable on all X11 sessions that
> don't implement some sort of their own power management system, as
> well.
> 
> Read more about it in the xset(1) manpage:
> 
> $ man 1 xset
> 
> Peace-
> 



CWM + Monitor Shutoff

2024-10-01 Thread David Anthony
Hello,

Despite my best efforts - CWM always makes my monitor shutoff after a
few minutes. I'm not talking about screensaver, sleep or hibernate -
rather the monitor is entirely black but appears "on". Moving the mouse
resumes the display.

Does anyone know how I might stop this?


Re: Firewall for isolated hosts

2024-09-28 Thread David Gwynne
On Sat, Sep 28, 2024 at 01:24:46PM -, Stuart Henderson wrote:
> On 2024-09-28, Nicolas Goy  wrote:
> > On Fri Sep 27, 2024 at 5:45 AM CEST, David Gwynne wrote:
> >>
> >> using a /32 on each host with a single shared gateway ip for the
> >> subnet should work too. the config on the protected host side sounded
> >> fiddly though, especially if you have multiple hosts on promisc or
> >> community ports on the pvlan that you want to be accessible without
> >> going via the router.
> >
> > I looked at different datacenter hosting, (OVH in France, Hetzner in Germany)
> > and they all do this. 
> 
> I don't know how the upstream side is configured, it would be
> interesting to know.
> 
> On the client side, typically they advise running DHCP and it "just
> works" with most OS. (OpenBSD added this to dhclient in Dec 2013).
> 
> Alternatively for manual config, on OpenBSD it's something like
> 
> route add $gateway -cloning -link -iface $iface
> route add default $gateway
> 
> Some Linux examples at
> https://docs.hetzner.com/robot/dedicated-server/network/net-config-debian-ubuntu/

can our dhcpd serve /32s? what does that config look like?

> 
> -- 
> Please keep replies on the mailing list.
> 



Re: Firewall for isolated hosts

2024-09-26 Thread David Gwynne
On Thu, Sep 26, 2024 at 07:21:38PM +0200, Nicolas Goy wrote:
> Hello,
> 
> I want to use OpenBSD as firewall for a configuration where every host is
> isolated.

cool.

> For example, let's say I have 1.0.0.0/24 subnet and 2000::/56 subnet.
> 
> I want each host to have a single ip for ipv4, and a /64 for ipv6.
> 
> On the layer 2 side, I can configure a single VLAN for each host, I can either
> show each VLAN to the OpenBSD router as different VLAN or I can use PVLAN to have
> a single VLAN on the OpenBSD side.
> 
> Now, with ipv6 it's easy, I can create a /64 for each host, but for ipv4 it's
> trickier. I'd like to use as few IP as I can and I think the lowest I can do is
> to use 2 IP per host.
> 
> I was wondering if you had general advice on what was the best configuration.
> 
> I looked at hetzner, and for ipv4, they use point to point ethernet, so the host
> has ip in 1.0.0.24 with route to 1.0.0.23/32. It uses Linux's SystemD
> "[Address] Peer" configuration and I am not sure exactly what it entails. For
> ipv6 it uses fe80::1 as gateway which is also a bit weird as I would expect the
> gateway to be on the same subnet.
> 
> The general idea is to be able to manage all firewalling between hosts using pf.
> 
> Regards
> 
> -- 
> Nicolas Goy
> Developer and Engineer
> Goyman SA

we have done this with PVLAN at work. the firewalls are set up with
promisc ports on the network, and the hosts are all on isolated ports.
we use a normal subnet on this network, ie, we allocate a /25 (or /24,
whatever) and set up carp on it, and it works.

the only problem is if you want the hosts to be able to talk to
each other. in that situation you'll want to steer all the traffic to
the firewalls.

the way we do that is with proxy arp, at least i think that's what the
accepted name in the industry is for what we're doing. we basically get
the firewalls to accept ARP packets from protected clients to protected
clients and reply to them with their own MAC address. this causes the
protected clients to send their packets via the firewall instead of
directly to each other.

i wrote https://github.com/eait-itig/commarp to fiddle with the arp
packets.

using a /32 on each host with a single shared gateway ip for the
subnet should work too. the config on the protected host side sounded
fiddly though, especially if you have multiple hosts on promisc or
community ports on the pvlan that you want to be accessible without
going via the router.



Re: enc0 without MULTICAST flag

2024-09-21 Thread David Gwynne
On Fri, Sep 20, 2024 at 07:28:35AM +0200, Luca Di Gregorio wrote:
> I achieved to implement the site-to-site vpn via sec0.
> ospfd works on sec0.
> 
> A couple of comments:
> when sec0 is created, the default mtu is 1280.
> I changed this value to 1500 and tested with
> ping -D -s 
> I see that the max mtu is 1446, when the underlay network has mtu 1500.
> So, a scrub ( max-mss 1406 ) should be configured in PF for outgoing
> connections.
> sec0 is quite better than enc0 in this: enc0 has max mtu 1444.
> 
> Anyway, AFAIK, sec(4) is a quite new interface, so, I'm wondering if a
> fragment
> reassembly could be possible, to reach max mtu 1500 on sec0.

sec(4) uses the IPsec encapsulation code as is, which copies the DF flag
from the inside packet to the outside one. there's currently no
mechanism to force DF to be set or unset at the moment.

> Other interfaces, such as vxlan(4), do fragment reassembly.
> 
> Here you can find my configurations for testing.
> 
> Host1
> --
> # cat /etc/iked.conf
> ikev2 "server1_rsa" passive \
> from 192.168.4.0/30 to 192.168.4.0/30 \
> local 192.168.3.111 peer 192.168.3.121 \
> srcid server1.domain \
> iface sec0
> 
> # cat /etc/hostname.sec0
> mtu 1446
> 192.168.4.1 192.168.4.2 netmask 0xfffffffc
> up
> 
> Host2
> --
> # cat /etc/iked.conf
> ikev2 'server2_rsa' active \
> from 192.168.4.0/30 to 192.168.4.0/30 \
> peer 192.168.3.111 \
> srcid server2.domain \
> iface sec0
> 
> # cat /etc/hostname.sec0
> mtu 1446
> 192.168.4.2 192.168.4.1 netmask 0xfffffffc
> up
> 
> 
> 
> Il giorno ven 20 set 2024 alle ore 03:16 David Gwynne 
> ha scritto:
> 
> > On Thu, Sep 19, 2024 at 10:57:42PM +0200, Luca Di Gregorio wrote:
> > > I'm running 7.5, I see this alert:
> > >
> > > # ifconfig sec0 create
> > > # ifconfig sec0 tunnel 169.254.229.42/30 169.254.229.41
> >
> > sorry, this should read:
> >
> > # ifconfig sec0 inet 169.254.229.42/30 169.254.229.41
> >
> > i just committed a fix to the manpage.
> >
> > > ifconfig: error in parsing address string: non-recoverable failure in
> > name
> > > resolution
> > >
> > > I can't configure sec0
> > >
> > > Il giorno gio 19 set 2024 alle ore 21:32 Luca Di Gregorio <
> > luc...@gmail.com>
> > > ha scritto:
> > >
> > > > Thanks a lot,
> > > >
> > > > I'll try it tomorrow. Unfortunately I won't attend EuroBSDCon,
> > > > anyway, thanks a lot for the invite.
> > > >
> > > > Il giorno gio 19 set 2024 alle ore 21:23 Jason Tubnor <
> > ja...@tubnor.net>
> > > > ha scritto:
> > > >
> > > >> Use sec(4) for this. Don't use enc for anything except inspection. If you
> > > >> are at EuroBSDCon this weekend, come to my talk as I'll be diving into this
> > > >> exact subject.
> > > >>
> > > >> Cheers,
> > > >>
> > > >> Jason.
> > > >>
> > > >> Sent from my iPhone
> > > >>
> > > >> On 19 Sep 2024, at 7:16 PM, Luca Di Gregorio wrote:
> > > >>
> > > >> I configured a site-to-site vpn with ike2,
> > > >> it works for unicast traffic.
> > > >>
> > > >> I need to enable ospf on the 2 hosts via enc0, but
> > > >> ifconfig enc0 shows:
> > > >>
> > > >> enc0: flags=41
> > > >> index 2 priority 0 llprio 3
> > > >> groups: enc
> > > >> status: active
> > > >> inet ...
> > > >>
> > > >> So, ospfd shows, in /var/log/daemon:
> > > >>
> > > >>   ospfd[53563]: if_join_group: error IP_ADD_MEMBERSHIP, interface enc0
> > > >> address 224.0.0.5: Can't assign requested address
> > > >>
> > > >> How can I set the flag MULTICAST on enc0?
> > > >> man ifconfig doesn't say how to to it.
> > > >>
> > > >>
> >



Re: vxlan(4) Between Three Sites

2024-09-20 Thread David Gwynne
On Fri, Sep 20, 2024 at 09:27:03AM +0200, Luca Di Gregorio wrote:
> It seems it's not working for me.
> 
> I got rid off veb3 and vport3
> I added the ip address to vxlan3
> 
> # ifconfig vxlan3
> vxlan3: flags=8843 mtu 1450
> lladdr fe:e1:ba:d1:2b:00
> index 6 llprio 3
> encap: vnetid 13133 parent gif0 txprio 0 rxprio outer
> groups: vxlan
> tunnel: inet PublicIP:4789 --> 239.13.13.3 ttl 255 nodf
> Addresses (max cache: 100, timeout: 240):
> inet 192.168.3.11 netmask 0xffffff00 broadcast 192.168.3.255
> 
> I modified /etc/vm.conf in this way, setting vxlan3 as "my_switch":
> # cat /etc/vm.conf
> 
> switch "my_switch" {
> # interface veb3
> interface vxlan3
> }
> 
> vm "vm11_1" {
> memory 1024M
> disable
> disk /home/vms/vm11_1.qcow2
> interface { switch "my_switch" }
> boot device disk
> }
> 
> I see:
> # vmd -n
> vmd: /etc/vm.conf:5: invalid switch interface: vxlan3

ah, sorry, i didnt realise you were running VMs and wanted them on the
same network. youll definitely need veb and vport in this situation.

> 
> 
> You mentioned that you modified VXLAN interface.
> I think that it could be optimized even better.
> RFC7348 says (Linux does this way):
> -  Source Port:  It is recommended that the UDP source port number
>  be calculated using a hash of fields from the inner packet --
>  one example being a hash of the inner Ethernet frame's headers.
>  This is to enable a level of entropy for the ECMP/load-
>  balancing of the VM-to-VM traffic across the VXLAN overlay.
>  When calculating the UDP source port number in this manner, it
>  is RECOMMENDED that the value be in the dynamic/private port
>  range 49152-65535 [RFC6335].
> 
> I see that OpenBSD set the same port as the Destination Port,
> that is, 4789 for every outcoming packets.
> 
> Do you think it's possible to optimize in this way?

yes, but there are more useful optimisations that are a higher priority
for me to do first. ecmp for vxlan in our stack isnt going to give you a
speed increase today.

> 
> 
> Il giorno ven 20 set 2024 alle ore 03:32 David Gwynne 
> ha scritto:
> 
> > On Thu, Sep 19, 2024 at 10:05:37PM +0200, Luca Di Gregorio wrote:
> > > PublicIP1
> > > ---
> > > # cat /etc/hostname.vxlan3
> > > tunnel PublicIP1:4789 239.13.13.3
> > > parent gif0
> > > vnetid 13133
> > > tunnelttl 255
> > > mtu 1450
> > > up
> > >
> > > # cat /etc/hostname.gif0
> > > mtu 1480
> > > 10.13.11.2 10.13.11.1 netmask 255.255.255.252
> > > tunnel PublicIP1 PublicIP3
> > > up
> > >
> > > # cat /etc/hostname.vport3
> > > mtu 1450
> > > inet 192.168.3.11 0xffffff00
> > > up
> > >
> > > # cat /etc/hostname.veb3
> > > add vxlan3
> > > add vport3
> > > up
> > >
> > >
> > >
> > > PublicIP2
> > > 
> > > # cat /etc/hostname.vxlan3
> > > tunnel PublicIP2:4789 239.13.13.3
> > > parent gif1
> > > vnetid 13133
> > > tunnelttl 255
> > > mtu 1450
> > > up
> > >
> > > # cat /etc/hostname.gif1
> > > mtu 1480
> > > 10.13.12.2 10.13.12.1 netmask 0xfffffffc
> > > tunnel PublicIP2 PublicIP3
> > > up
> > >
> > > # cat /etc/hostname.vport3
> > > mtu 1450
> > > inet 192.168.3.12 0xffffff00
> > > up
> > >
> > > # cat /etc/hostname.veb3
> > > add vxlan3
> > > add vport3
> > > up
> >
> > a veb with a single port (vxlan in this case) and a single vport
> > is unnecessary. you can move the IP config to the vxlan interface and get
> > the same functionality without the overhead of having to switch the
> > packets through the veb to the vport.
> >
> > historically a vxlan had to be part of a bridge to support dynamic
> > endpoint learning, but i rewrote vxlan to be able to do that itself.
> >



Re: vxlan(4) Between Three Sites

2024-09-19 Thread David Gwynne
On Thu, Sep 19, 2024 at 10:05:37PM +0200, Luca Di Gregorio wrote:
> PublicIP1
> ---
> # cat /etc/hostname.vxlan3
> tunnel PublicIP1:4789 239.13.13.3
> parent gif0
> vnetid 13133
> tunnelttl 255
> mtu 1450
> up
> 
> # cat /etc/hostname.gif0
> mtu 1480
> 10.13.11.2 10.13.11.1 netmask 255.255.255.252
> tunnel PublicIP1 PublicIP3
> up
> 
> # cat /etc/hostname.vport3
> mtu 1450
> inet 192.168.3.11 0xffffff00
> up
> 
> # cat /etc/hostname.veb3
> add vxlan3
> add vport3
> up
> 
> 
> 
> PublicIP2
> 
> # cat /etc/hostname.vxlan3
> tunnel PublicIP2:4789 239.13.13.3
> parent gif1
> vnetid 13133
> tunnelttl 255
> mtu 1450
> up
> 
> # cat /etc/hostname.gif1
> mtu 1480
> 10.13.12.2 10.13.12.1 netmask 0xfffffffc
> tunnel PublicIP2 PublicIP3
> up
> 
> # cat /etc/hostname.vport3
> mtu 1450
> inet 192.168.3.12 0xffffff00
> up
> 
> # cat /etc/hostname.veb3
> add vxlan3
> add vport3
> up

a veb with a single port (vxlan in this case) and a single vport
is unnecessary. you can move the IP config to the vxlan interface and get
the same functionality without the overhead of having to switch the
packets through the veb to the vport.

historically a vxlan had to be part of a bridge to support dynamic
endpoint learning, but i rewrote vxlan to be able to do that itself.



Re: vxlan(4) Between Three Sites

2024-09-19 Thread David Gwynne
On Thu, Sep 19, 2024 at 09:48:15AM -0700, Bryan Vyhmeister wrote:
> On Wed, Sep 18, 2024 at 11:17:45AM +1000, David Gwynne wrote:
> > On Mon, Sep 16, 2024 at 09:57:18PM -0700, Bryan Vyhmeister wrote:
> > > On Tue, Sep 17, 2024 at 02:31:09PM +1000, David Gwynne wrote:
> > > > 
> > > > On Mon, Sep 16, 2024 at 12:25:35PM -0700, Bryan Vyhmeister wrote:
> > > > > I am attempting to build a proof of concept of how to use vxlan(4)
> > > > > on OpenBSD in a fully meshed OSPF network with [wireless] links
> > > > > between sites under my full control so mtu is not an issue (mtu 1550
> > > > > for vxlan0 and mtu 1600 or higher for hardware interfaces). The goal
> > > > > is to bridge a group of VLANs between sites A, B, and C.
> > > 
> > > > 
> > > > vxlan(4) in learning mode relies on a single multicast capable
> > > > underlay network between all sites/points. if you are using separate
> > > > interfaces on A to talk to B and C, then this requirement isn't
> > > > satisfied.
> > > > 
> > > > i dont know enough about multicast routing to know if or how i should
> > > > support vxlan in learning mode with routes to multiple interfaces.
> > > 
> > > Thanks for your response. That makes sense then if that is how things
> > > are underneath. I'm not that familiar with how multicast routing works
> > > either but that does appear to be how commercial vendors'
> > > implementations work from what I have read.
> > 
> > they rely on routes?
> 
> I think it relies on PIM which I just found out is not supported. Again,
> I'm not too familiar with PIM. I could also use a Juniper or some or
> other switch to do all of the OSPF routing and provide the multicast
> routing environment and then just attach OpenBSD routers for running the
> vxlan(4) only but I would prefer to do everything in OpenBSD.
> 
> > > > > I also tried using a WireGuard overlay on top of this network. With
> > > > > wg0 as the parent but that does not seem to work either in vxlan(4)
> > > > > learning mode unless I am missing something.
> > > > 
> > > > wireguard as an underlay for vxlan in learning mode doesn't work
> > > > because wg isn't multicast capable. the cryptokey routing thing doesnt
> > > > support sending a packet destined to a single address (eg, 239.0.0.1)
> > > > to multiple peers (ie, B and C).
> > > 
> > > I was testing BGP over tunnels and noticed that ospf6d will not function
> > > over wg(4) either.
> > 
> > wg is neither multicast nor point-to-point, and it completely ignored
> > existing point to multipoint semantics. so yeah. it feels pretty clumsy
> > when you try to do interesting stuff beyond what it was specifically
> > created for.
> 
> Once I realized wg(4) wouldn't work, my solution was to use a gif(4)
> tunnel or etherip(4) bridged with veb(4) to a vport(4) but I think the
> gif(4) solution is simpler. Either solution worked fine for ospfd and
> ospf6d as well as BGP over IPv4 and IPv6. Is there a performance benefit
> with etherip(4) and vport(4) rather than gif(4)?

gif over dedicated ethernet links seems unnecessary because you should
already have working IP connectivity. how does it help your situation?

> > openbsd lets you combine vlans and bridges/vebs/tpmr and tunnels in
> > pretty arbitrary ways. there's advantages to doing everything in
> > software sometimes.
> 
> It's quite nice to have so many flexible options.
> 
> > etherip(4) is the lowest overhead ethernet over ip tunnel interface, but
> > you can only have one etherip tunnel between 2 endpoints. you can add
> > vlans on top of etherip, or you can use egre/vxlan/etc with different
> > vnetids instead.
> 
> I had not tried using VLANs over etherip(4) but that is a good idea and
> maybe better than trying to get vxlan(4) to do what I want. My plan is
> to feed the site A hardware ethernet interface from a switch with all
> traffic being tagged with VLAN tags. At sites B and C (and D, E, etc.),
> the hardware ethernet interface would plug right into a switch port that
> will be prepared for the tagged traffic as well. I'm essentially
> building a network ring and that's where I thought vxlan(4) would work
> well. Once I have this setup properly, I don't anticipate needing to
> make that many changes to the OpenBSD setup and can just add and remove
> VLANs from the managed switches as needed.
> 
> > a couple of notes though:
> > 

Re: enc0 without MULTICAST flag

2024-09-19 Thread David Gwynne
On Thu, Sep 19, 2024 at 10:57:42PM +0200, Luca Di Gregorio wrote:
> I'm running 7.5, I see this alert:
> 
> # ifconfig sec0 create
> # ifconfig sec0 tunnel 169.254.229.42/30 169.254.229.41

sorry, this should read:

# ifconfig sec0 inet 169.254.229.42/30 169.254.229.41

i just committed a fix to the manpage.

> ifconfig: error in parsing address string: non-recoverable failure in name
> resolution
> 
> I can't configure sec0
> 
> Il giorno gio 19 set 2024 alle ore 21:32 Luca Di Gregorio 
> ha scritto:
> 
> > Thanks a lot,
> >
> > I'll try it tomorrow. Unfortunately I won't attend EuroBSDCon,
> > anyway, thanks a lot for the invite.
> >
> > Il giorno gio 19 set 2024 alle ore 21:23 Jason Tubnor 
> > ha scritto:
> >
> >> Use sec(4) for this. Don't use enc for anything except inspection. If you
> >> are at EuroBSDCon this weekend, come to my talk as I'll be diving into this
> >> exact subject.
> >>
> >> Cheers,
> >>
> >> Jason.
> >>
> >> Sent from my iPhone
> >>
> >> On 19 Sep 2024, at 7:16 PM, Luca Di Gregorio  wrote:
> >>
> >> I configured a site-to-site vpn with ike2,
> >> it works for unicast traffic.
> >>
> >> I need to enable ospf on the 2 hosts via enc0, but
> >> ifconfig enc0 shows:
> >>
> >> enc0: flags=41
> >> index 2 priority 0 llprio 3
> >> groups: enc
> >> status: active
> >> inet ...
> >>
> >> So, ospfd shows, in /var/log/daemon:
> >>
> >>   ospfd[53563]: if_join_group: error IP_ADD_MEMBERSHIP, interface enc0
> >> address 224.0.0.5: Can't assign requested address
> >>
> >> How can I set the flag MULTICAST on enc0?
> >> man ifconfig doesn't say how to to it.
> >>
> >>



Re: vxlan(4) Between Three Sites

2024-09-17 Thread David Gwynne
On Mon, Sep 16, 2024 at 09:57:18PM -0700, Bryan Vyhmeister wrote:
> On Tue, Sep 17, 2024 at 02:31:09PM +1000, David Gwynne wrote:
> > 
> > On Mon, Sep 16, 2024 at 12:25:35PM -0700, Bryan Vyhmeister wrote:
> > > I am attempting to build a proof of concept of how to use vxlan(4)
> > > on OpenBSD in a fully meshed OSPF network with [wireless] links
> > > between sites under my full control so mtu is not an issue (mtu 1550
> > > for vxlan0 and mtu 1600 or higher for hardware interfaces). The goal
> > > is to bridge a group of VLANs between sites A, B, and C.
> 
> > 
> > vxlan(4) in learning mode relies on a single multicast capable
> > underlay network between all sites/points. if you are using separate
> > interfaces on A to talk to B and C, then this requirement isn't
> > satisfied.
> > 
> > i dont know enough about multicast routing to know if or how i should
> > support vxlan in learning mode with routes to multiple interfaces.
> 
> Thanks for your response. That makes sense then if that is how things
> are underneath. I'm not that familiar with how multicast routing works
> either but that does appear to be how commercial vendors'
> implementations work from what I have read.

they rely on routes?

> > > I also tried using a WireGuard overlay on top of this network. With
> > > wg0 as the parent but that does not seem to work either in vxlan(4)
> > > learning mode unless I am missing something.
> > 
> > wireguard as an underlay for vxlan in learning mode doesn't work
> > because wg isn't multicast capable. the cryptokey routing thing doesnt
> > support sending a packet destined to a single address (eg, 239.0.0.1)
> > to multiple peers (ie, B and C).
> 
> I was testing BGP over tunnels and noticed that ospf6d will not function
> over wg(4) either.

wg is neither multicast nor point-to-point, and it completely ignored
existing point to multipoint semantics. so yeah. it feels pretty clumsy
when you try to do interesting stuff beyond what it was specifically
created for.

> 
> > > The other possible solution that I believe I tested and works is to
> > > have a vxlan0 between sites A and B and then a vxlan1 between sites
> > > A and C and then use veb(4) to bridge vxlan0, vxlan1, and whatever
> > > the hardware interface is together. This seems to defeat the purpose
> > > of using vxlan(4) to begin with and is not ideal for traffic between
> > > sites B and C unless I missed something.
> > 
> > this last one is pretty good,
> > 
> > veb and vxlan in learning mode actually use the same "etherbridge"
> > code internally, the main difference between them is what endpoints
> > they learn and associate with Ethernet addresses. veb associates
> > Ethernet addresses with the interfaces added as ports to the bridge,
> > while vxlan associates Ethernet addresses with the IP addresses of
> > peers.
> > 
> > with veb bridging tunnels together, the tunnel interfaces basically
> > act as proxies for the ip tunnel endpoints in the bridge.
> > 
> > i would just add ethernet tunnels between B and C so they can talk
> > directly too. you will probably have to add them to the same protected
> > bridge domain to avoid loops, which is discussed a bit in the mpw
> > manpage examples a bit.
> 
> I will test that and see if it works to my satisfaction. I had not come
> across this "protected bridge domain" or at least I ignored it when
> reading through mpw(4). Would it be better to use etherip(4) or egre(4)
> (I want VLAN support) rather than vxlan(4) between the endpoints based
> on what you're saying? Would I add only the vxlan(4) or egre(4)
> interfaces as protected and not the bridged ethernet hardware interface
> to the switch or should all be configured as protected. In the mpw(4)
> example, only the mpw(4) interfaces are added as protected and not the
> ethernet interface itself. Thank you for taking the time to get back to
> me.

openbsd lets you combine vlans and bridges/vebs/tpmr and tunnels in
pretty arbitrary ways. there's advantages to doing everything in
software sometimes.

etherip(4) is the lowest overhead ethernet over ip tunnel interface, but
you can only have one etherip tunnel between 2 endpoints. you can add
vlans on top of etherip, or you can use egre/vxlan/etc with different
vnetids instead.

a couple of notes though:

veb (and bridge) are not vlan aware. this means they will not scope the
mac addresses they learn by vlan ids, and apart from the link0 flag on
veb they don't let you filter vlans. if you want to control individual
vlans, create a veb for a specific networks 

Re: No speakers or microphone dino-0.4.4

2024-09-17 Thread David Coppa
On Tue, Sep 17, 2024 at 10:11 AM Dylan D'Silva  wrote:
>
> Yes both are set.
> On Tue Sep 17, 2024 at 6:56 PM AEST, Dan wrote:
> > tried sysctl kern.audio.record = 1 and sysctl kern.video.record = 1 ?
> >
> > -Dan

You could try adding some debug printfs to
plugins/rtp/src/plugin.vala, particularly around the
get_audio_devices() function, to see why Dino is not finding your
audio device.
The backend it uses is gstreamer, so sndio should be supported.

Cheers,
David
-- 
"If you try a few times and give up, you'll never get there. But if
you keep at it... There's a lot of problems in the world which can
really be solved by applying two or three times the persistence that
other people will."
-- Stewart Nelson



Re: vxlan(4) Between Three Sites

2024-09-16 Thread David Gwynne


On Mon, Sep 16, 2024 at 12:25:35PM -0700, Bryan Vyhmeister wrote:
> I am attempting to build a proof of concept of how to use vxlan(4) on OpenBSD
> in a fully meshed OSPF network with [wireless] links between sites under my
> full control so mtu is not an issue (mtu 1550 for vxlan0 and mtu 1600 or 
> higher for hardware interfaces). The goal is to bridge a group of VLANs 
> between sites A, B, and C.
> 
> In my example I have sites A, B, and C. The details aren't very important on
> how the OSPF mesh is setup but it works perfectly and the router-id for OSPF
> is a loopback on each router. What I am having trouble with is the parent
> interface of the vxlan(4) interface. The idea is to have vxlan0 in learning 
> mode which shows up at site A, B, and C and can be bridged to a VLAN-capable 
> switch there.
> 
> Let's say site A router's em1 interface is connected to site B router's ix1. 
> Site A router's em2 interface is connected to site C router's bnxt1.
> 
> The vxlan0 interface on site A's router is configured with: 
> ifconfig vxlan0 parent em1 tunnel 10.10.0.1 239.0.0.1
> 
> The vxlan0 interface on site B's router is configured with:
> ifconfig vxlan0 parent ix1 tunnel 10.10.0.2 239.0.0.1
> 
> With this configuration, the vxlan0 interface passes traffic perfectly 
> between site A and B but not site C. If I change the parent interface of 
> vxlan0 to the interface pointing to site C, the vxlan(4) link from site A to 
> C works fine but not A to B.
> 
> I figured setting the parent of vxlan0 to a loopback interface would work 
> since that would be more typical of other environments but that does not work 
> at all and no link is formed between loopback IP addresses even though they 
> are fully reachable via OSPF.
> 
> I then tried creating a pair of pair(4) interfaces in another rdomain(4) to 
> see if that would work by making the vxlan(4) interface's parent the pair(4) 
> in a different rdomain but it did not work.
> 
> I do have net.inet.ip.forwarding=1, net.inet.ip.mforwarding=1, and 
> multicast=YES as well as mrouted turned on for all routers in this setup.

vxlan(4) in learning mode relies on a single multicast capable
underlay network between all sites/points. if you are using separate
interfaces on A to talk to B and C, then this requirement isn't
satisfied.

i dont know enough about multicast routing to know if or how i
should support vxlan in learning mode with routes to multiple
interfaces.

> The other possibility that I have not configured is to have a fully meshed 
> set of routers and then have another router that is separate from each of the 
> three doing the vxlan(4) interface but I have not tried that setup since I 
> believe all of this should be able to be accomplished in one router and I 
> would rather not have to double the number of routers.
> 
> I also tried using a WireGuard overlay on top of this network. With wg0 as 
> the parent but that does not seem to work either in vxlan(4) learning mode 
> unless I am missing something.

wireguard as an underlay for vxlan in learning mode doesn't work
because wg isn't multicast capable. the cryptokey routing thing
doesnt support sending a packet destined to a single address (eg,
239.0.0.1) to multiple peers (ie, B and C).

> The other possible solution that I believe I tested and works is to have a 
> vxlan0 between sites A and B and then a vxlan1 between sites A and C and then 
> use veb(4) to bridge vxlan0, vxlan1, and whatever the hardware interface is 
> together. This seems to defeat the purpose of using vxlan(4) to begin with 
> and is not ideal for traffic between sites B and C unless I missed something.
> 
> Any ideas?

this last one is pretty good,

veb and vxlan in learning mode actually use the same "etherbridge" code
internally, the main difference between them is what endpoints they
learn and associate with Ethernet addresses. veb associates Ethernet
addresses with the interfaces added as ports to the bridge, while vxlan
associates Ethernet addresses with the IP addresses of peers.

with veb bridging tunnels together, the tunnel interfaces basically act
as proxies for the ip tunnel endpoints in the bridge.

i would just add ethernet tunnels between B and C so they can talk
directly too. you will probably have to add them to the same protected
bridge domain to avoid loops, which is discussed a bit in the mpw
manpage examples a bit.

dlg



Re: CheriBSD

2024-09-14 Thread David Colburn

CheriBSD appears to be very hardware specific - a niche sub-version.


On 9/14/24 16:15, Fabio Martins wrote:

I would not switch away from OpenBSD.
Theo is a benevolent dictator, with all due respect.

Keep using/support OpenBSD. I will. Even more.


On Sat, Sep 14, 2024, 5:06 PM Kevin Chadwick  wrote:

Any thoughts on the security and performance of CHERI? The claim
is making existing C codebases memory safe with insignificant
modifications to the code being required.

https://www.cheribsd.org/


Re: WAS: MariaDB install any different for OpenBSD 7.5 than 6.4? NOW: 0.0.0.0 Exploit Impact OpenBSD?

2024-09-02 Thread David Colburn

Thanks!

So much to learn ... so many printed pages with notes.

I'll get there.

On 9/2/24 06:15, Stuart Henderson wrote:

On Sun, Sep 01, 2024 at 05:09:14PM -0400, David Colburn wrote:

3. That's the addresses where the server daemon will listen to for
 connections from clients.  It has to be the address of one of the
 machine's interfaces.  See previous messages on the thread, to decide
 whether you want it to listen on a loopback interface, or on an
 egress interface.  Set this option to 0.0.0.0 to listen on all
 available interfaces.

That is talking about the address that mariadb server is listening on.
0.0.0.0 is "listen for requests to any v4 address on the machine".


I was searching to learn about using a specific machine interface vs 0.0.0.0

and came upon this from August 7, 2024 ...

https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser

That is talking about browsers allowing client connections *to*
0.0.0.0 which may allow javascript/html to trigger making a connection
to a service that is only listening to 127.0.0.1. Now you could still
connect to that service by connecting to 127.0.0.1, but newer browsers
specifically treat connections to localhost or private network
addresses as more highly privileged, and don't allow random websites to
do that (only trigger connections to internet servers).

That (or the v6 equivalent) doesn't work on OpenBSD anyway.

$ telnet 0.0.0.0 22
Trying 0.0.0.0...
telnet: connect to address 0.0.0.0: Invalid argument

$ telnet :: 22
Trying ::...
telnet: connect to address ::: Invalid argument



Although they don't specifically mention OpenBSD is it correct that:

A. Using 0.0.0.0 in my server settings may be less-secure?

B. That in the near future it won't work at all?

C. I'm misunderstanding the article and it's not relevant to my server
setup?

C.





Re: I wrote this about packages and ports in 2023, hopefully still useful to some who come here

2024-09-02 Thread David Colburn

Good advice. Thanks!

On 9/2/24 09:38, Åke Nordin wrote:

On 2024-08-31 15:55, Peter N. M. Hansteen wrote:


After offering https://marc.info/?l=openbsd-misc&m=172503305621176&w=2,
I remembered writing that slightly longer piece, which offers some explanation
of how things work in addition to copy-pasteable material.

There is room for both approaches.

There is one piece of advice in Peters
https://nxdomain.no/~peter/youve_installed_it_now_what_packages.html
that is virtually invaluable: use the "script" command to get a log
of all commands you enter and their output.

https://man.openbsd.org/script

I'll add one piece of advice: keep a log book, a diary of what problems
you face and how you intend to solve them. Then, if something doesn't
work the way you intended, your script files and the log book tells you
where to start digging. As a bonus, when you eventually replace the
machine, you will know a lot better what you need to do to get the new
one in the working order you prefer.

Even if you're a seasoned Unix admin and work with OpenBSD systems all
day, you will forget details about individual systems. Keeping a log
book is how you still can stay on top of your game. It also improves
learning.





Re: MariaDB install any different for OpenBSD 7.5 than 6.4?

2024-08-30 Thread David Colburn




chrooted daemons and MariaDB socket
===

For external program running under a chroot(8) to be able to access the
MariaDB server without using a network connection, the socket must be
placed inside the chroot.

e.g. httpd(8) or nginx(8): connecting to MariaDB from PHP
-
Create a directory for the MariaDB socket:

      # install -d -m 0711 -o _mysql -g _mysql /var/www/var/run/mysql

Adjust /etc/my.cnf to use the socket in the chroot - this
applies to both client and server processes:

      [client-server]
      socket = /var/www/var/run/mysql/mysql.sock

You have three progressively less restrictive ways of providing access
to your database server:

* A Unix socket:
If all the database consumers will be running locally, you can use a
socket.  If any of the consumers will be running chrooted to /var/www,
then you'll need to put the socket in the chroot, as described on the
pkg-readme (and remember not to use the full path when configuring the
chrooted clients).

* TCP, listening on 127.0.0.1:
If all consumers will be running on the same host, and if you don't want
the hassle of setting up the socket -- the tradeoff being having the
socket available for every process that can use inet -- then you can
just configure mariadb to listen on the loopback interface.  If you have
"set skip on lo0" on pf.conf (it's there by default), then you won't
need to add anything else to that file.

* TCP, listening on other interfaces:
You'll need this if the database is to be accessible to other hosts.
Using this option might require adjusting your filtering rules on
pf.conf.


You can use any combination of the above methods (socket only, loopback
only, socket+loopback, socket+other interfaces, etc).   See the "port",
"socket", "skip-networking" and "bind-address" options on the [mysqld]
section of /etc/my.cnf, and remember to setup the [client] section
accordingly (i.e., if you skip-networking, don't configure the client to
use TCP/IP, and if you don't setup a server socket, don't configure the
client to use it).


I have several concerns with /etc/my.cnf

The instructions I found here are somewhat generic

https://mariadb.com/kb/en/configuring-mariadb-with-option-files/

Am I understanding them, correctly, please?

1. I need to uncomment both the socket and port lines?

#socket=/var/run/mysql/mysql.sock
#port=3306

2. I need to provide a password for MariaDB (or, does it want the user 
password)?


#password=my_password

3. Is this address the same as for the machine?

e.g. "bind-address=192.168.50.xxx"?

4. I do want to uncomment all of the following?

#data=/var/mysql
#log-basename=mysqld
#general-log
#slow_query_log

Thanks!

-

[client-server]
#socket=/var/run/mysql/mysql.sock
#port=3306

# This will be passed to all MariaDB clients
[client]
#password=my_password

# The MariaDB server
[mysqld]
# To listen to all network addresses, use "bind-address = *"
bind-address=localhost
# Directory where you want to put your data
#data=/var/mysql
# This is the prefix name to be used for all log, error and replication files
#log-basename=mysqld
# Logging
#general-log
#slow_query_log
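
Added example (not from the pkg-readme, and not something anyone in this
thread posted): a small sh script that reads the [mysqld]/[client-server]
options Zé Loff lists above out of a my.cnf and reports which of the three
access paths the server will actually offer, and whether the socket path
sits inside the /var/www chroot where a chrooted PHP client could reach it.
The my.cnf it writes is constructed to match the one quoted above. The
"all" case assumes mysqld's own default of listening on every address when
bind-address is unset; option names with dashes and underscores are
treated as the same option, as mysqld does.

```shell
#!/bin/sh
# Added example, not from the mariadb-server pkg-readme or the thread:
# read the [mysqld]/[client-server] options the readme names
# (bind-address, port, skip-networking, socket) from a my.cnf and say
# which of the three access paths the server will actually offer.
# The my.cnf written by write_sample_cnf is constructed for the demo.

# mycnf_get FILE SECTION KEY: print KEY's value in [SECTION].
# The last occurrence wins, as in mysqld. Dashes and underscores in
# option names are interchangeable, so KEY is passed with underscores.
# An option given without "=" (e.g. "skip-networking") prints "on".
mycnf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        { sub(/[ \t]*#.*$/, "") }                  # comments, also mid-line
        /^[ \t]*\[.*\][ \t]*$/ {                   # [section] header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
            next
        }
        NF == 0 || sec != want_sec { next }
        {
            eq = index($0, "=")
            if (eq) { key = substr($0, 1, eq - 1); val = substr($0, eq + 1) }
            else    { key = $0; val = "on" }
            gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == want_key) found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# mariadb_exposure FILE: one line saying how mysqld can be reached:
# tcp=none|loopback|address|all, the TCP port, and the Unix socket.
mariadb_exposure() {
    skipnet=$(mycnf_get "$1" mysqld skip_networking)
    bind=$(mycnf_get "$1" mysqld bind_address)
    port=$(mycnf_get "$1" mysqld port)
    sock=$(mycnf_get "$1" mysqld socket)
    if [ -z "$sock" ]; then                 # [client-server] covers both sides
        sock=$(mycnf_get "$1" client-server socket)
    fi
    if [ -z "$port" ]; then
        port=3306                           # mysqld's built-in default
    fi
    case $skipnet in
        ""|0|off|OFF|false|FALSE)
            case $bind in
                ""|"*"|0.0.0.0|::)       tcp=all ;;      # unset: mysqld's default is every address
                127.0.0.1|localhost|::1) tcp=loopback ;;
                *)                       tcp=address ;;
            esac ;;
        *)  tcp=none ;;                     # skip-networking: socket only
    esac
    echo "tcp=$tcp port=$port socket=${sock:-none}"
}

# socket_in_chroot SOCKET CHROOT: true when SOCKET lies under CHROOT,
# which a client chrooted there (php-fpm under /var/www) needs.
socket_in_chroot() {
    case $1 in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# write_sample_cnf FILE: constructed my.cnf with the thread's settings,
# loopback TCP plus the chroot socket from the pkg-readme.
write_sample_cnf() {
    cat > "$1" <<'EOF'
[client-server]
socket = /var/www/var/run/mysql/mysql.sock
#port=3306

[client]
#password=my_password

[mysqld]
# To listen to all network addresses, use "bind-address = *"
bind-address=localhost
#data=/var/mysql
EOF
}

# Demo on the constructed file.
tmp=$(mktemp) || exit 1
write_sample_cnf "$tmp"
mariadb_exposure "$tmp"
if socket_in_chroot "$(mycnf_get "$tmp" client-server socket)" /var/www; then
    echo "socket is inside /var/www; chrooted clients use /var/run/mysql/mysql.sock"
else
    echo "socket is outside /var/www; clients chrooted there cannot reach it"
fi
rm -f "$tmp"
```

Run it against /etc/my.cnf instead of the sample to see what a given
box will expose before starting mysqld; "tcp=all" with no pf rule in
front of it is the case the readme's third bullet warns about.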



Re: TOr

2024-08-30 Thread David
On Fri, 2024-08-30 at 04:11 -0400, openbsd_fr...@mail2tor.com wrote:
> Does OpenBSD support Tor?

Here's everything OpenBSD supports:

https://openbsd.app/

Cheers!



Re: MariaDB install any different for OpenBSD 7.5 than 6.4?

2024-08-29 Thread David Colburn



On 8/26/24 04:41, Zé Loff wrote:

On Sun, Aug 25, 2024 at 08:10:52PM -0400, David Colburn wrote:

On 8/25/24 17:55, Zé Loff wrote:

On Sun, Aug 25, 2024 at 02:49:03PM -0400, David Colburn wrote:

After a cursory reading, it looks OK.  But don't forget to read the
supplied documentation, after installing the package:

   less /usr/local/share/doc/pkg-readmes/mariadb-server

Also, most of those steps don't have to do with mariadb, but with simple
system administration.  Installing the package, starting and stopping
services, and checking if processes are running and ports are open are
all tasks you should be familiar with.

All good to this point, thanks.

Now I'm reading this in

/usr/local/share/doc/pkg-readmes/mariadb-server

Given that lighttpd runs in chroot am I correct that I need to run the
following install and then edit /etc/my.cnf for things to play nicely
together?

Thanks,

David



chrooted daemons and MariaDB socket
===

For external program running under a chroot(8) to be able to access the
MariaDB server without using a network connection, the socket must be
placed inside the chroot.

e.g. httpd(8) or nginx(8): connecting to MariaDB from PHP
-
Create a directory for the MariaDB socket:

      # install -d -m 0711 -o _mysql -g _mysql /var/www/var/run/mysql

Adjust /etc/my.cnf to use the socket in the chroot - this
applies to both client and server processes:

      [client-server]
      socket = /var/www/var/run/mysql/mysql.sock

You have three progressively less restrictive ways of providing access
to your database server:

* A Unix socket:
If all the database consumers will be running locally, you can use a
socket.  If any of the consumers will be running chrooted to /var/www,
then you'll need to put the socket in the chroot, as described on the
pkg-readme (and remember not to use the full path when configuring the
chrooted clients).

* TCP, listening on 127.0.0.1:
If all consumers will be running on the same host, and if you don't want
the hassle of setting up the socket -- the tradeoff being having the
socket available for every process that can use inet -- then you can
just configure mariadb to listen on the loopback interface.  If you have
"set skip on lo0" on pf.conf (it's there by default), then you won't
need to add anything else to that file.

* TCP, listening on other interfaces:
You'll need this if the database is to be accessible to other hosts.
Using this option might require adjusting your filtering rules on
pf.conf.


You can use any combination of the above methods (socket only, loopback
only, socket+loopback, socket+other interfaces, etc).   See the "port",
"socket", "skip-networking" and "bind-address" options on the [mysqld]
section of /etc/my.cnf, and remember to setup the [client] section
accordingly (i.e., if you skip-networking, don't configure the client to
use TCP/IP, and if you don't setup a server socket, don't configure the
client to use it).

And make sure you know what you need, and why, before configuring
things.


Thank you for your reply.

Here's my attempt to assess & describe what I need, and why ...

This will be a self-hosted Web-facing server using the Chamilo-LMS
(learning management system) interface.

All of the users, students and teachers alike, would log into the
Chamilo-LMS host.

All of the data that Chamilo-LMS would serve would be hosted on the same
machine where it resides.

(Note: If I understand, correctly, the preferred best-security practice is
to require a user of Chamilo-LMS to access any external links by leaving
the server - e.g. a remote user would open a second tab on their machine
to open a non-local URL, rather than my server passing that content. True?)

As I understand it, Chamilo-LMS is based on PHP and uses MariaDB, but
Lighttpd is what manages the internal and Web-facing network side of things?

So, database consumers would only communicate with MariaDB via Chamilo-LMS?

Would Chamilo-LMS need a Unix socket to communicate with MariaDB?

And then Lighttpd would use TCP (listening on 127.0.0.1) between the
Chamilo-LMS consumer login accounts and the world?

Thanks!


I'm not familiar with Chamilo-LMS, but you'll probably need to also run
php-fpm.  I'm far from understanding the inner workings of all this, but
I believe this is how it usually goes: a web server gets the request
from the client (whether 'internal' or 'web-facing', it doesn't matter),
and if its a PHP page, it passes it via CGI to an interpreter (e.g.
php-fpm).  You'll need to configure your web server to do this, by
setting up a rule not unlike "if the requested URL ends with .php t

Re: MariaDB install any different for OpenBSD 7.5 than 6.4?

2024-08-25 Thread David Colburn

On 8/25/24 17:55, Zé Loff wrote:

On Sun, Aug 25, 2024 at 02:49:03PM -0400, David Colburn wrote:

After a cursory reading, it looks OK.  But don't forget to read the
supplied documentation, after installing the package:

  less /usr/local/share/doc/pkg-readmes/mariadb-server

Also, most of those steps don't have to do with mariadb, but with simple
system administration.  Installing the package, starting and stopping
services, and checking if processes are running and ports are open are
all tasks you should be familiar with.

All good to this point, thanks.

Now I'm reading this in

/usr/local/share/doc/pkg-readmes/mariadb-server

Given that lighttpd runs in chroot am I correct that I need to run the
following install and then edit /etc/my.cnf for things to play nicely
together?

Thanks,

David



chrooted daemons and MariaDB socket
===

For external program running under a chroot(8) to be able to access the
MariaDB server without using a network connection, the socket must be
placed inside the chroot.

e.g. httpd(8) or nginx(8): connecting to MariaDB from PHP
-
Create a directory for the MariaDB socket:

     # install -d -m 0711 -o _mysql -g _mysql /var/www/var/run/mysql

Adjust /etc/my.cnf to use the socket in the chroot - this
applies to both client and server processes:

     [client-server]
     socket = /var/www/var/run/mysql/mysql.sock

You have three progressively less restrictive ways of providing access
to your database server:

* A Unix socket:
If all the database consumers will be running locally, you can use a
socket.  If any of the consumers will be running chrooted to /var/www,
then you'll need to put the socket in the chroot, as described on the
pkg-readme (and remember not to use the full path when configuring the
chrooted clients).

* TCP, listening on 127.0.0.1:
If all consumers will be running on the same host, and if you don't want
the hassle of setting up the socket -- the tradeoff being having the
socket available for every process that can use inet -- then you can
just configure mariadb to listen on the loopback interface.  If you have
"set skip on lo0" on pf.conf (it's there by default), then you won't
need to add anything else to that file.

* TCP, listening on other interfaces:
You'll need this if the database is to be accessible to other hosts.
Using this option might require adjusting your filtering rules on
pf.conf.


You can use any combination of the above methods (socket only, loopback
only, socket+loopback, socket+other interfaces, etc).   See the "port",
"socket", "skip-networking" and "bind-address" options on the [mysqld]
section of /etc/my.cnf, and remember to setup the [client] section
accordingly (i.e., if you skip-networking, don't configure the client to
use TCP/IP, and if you don't setup a server socket, don't configure the
client to use it).

And make sure you know what you need, and why, before configuring
things.


Thank you for your reply.

Here's my attempt to assess & describe what I need, and why ...

This will be a self-hosted Web-facing server using the Chamilo-LMS
(learning management system) interface.

All of the users, students and teachers alike, would log into the
Chamilo-LMS host.

All of the data that Chamilo-LMS would serve would be hosted on the same
machine where it resides.

(Note: If I understand, correctly, the preferred best-security practice is
to require a user of Chamilo-LMS to access any external links by leaving
the server - e.g. a remote user would open a second tab on their machine
to open a non-local URL, rather than my server passing that content. True?)

As I understand it, Chamilo-LMS is based on PHP and uses MariaDB, but
Lighttpd is what manages the internal and Web-facing network side of things?

So, database consumers would only communicate with MariaDB via Chamilo-LMS?

Would Chamilo-LMS need a Unix socket to communicate with MariaDB?

And then Lighttpd would use TCP (listening on 127.0.0.1) between the
Chamilo-LMS consumer login accounts and the world?

Thanks!



Re: MariaDB install any different for OpenBSD 7.5 than 6.4?

2024-08-25 Thread David Colburn

After a cursory reading, it looks OK.  But don't forget to read the
supplied documentation, after installing the package:

 less /usr/local/share/doc/pkg-readmes/mariadb-server

Also, most of those steps don't have to do with mariadb, but with simple
system administration.  Installing the package, starting and stopping
services, and checking if processes are running and ports are open are
all tasks you should be familiar with.


All good to this point, thanks.

Now I'm reading this in

/usr/local/share/doc/pkg-readmes/mariadb-server

Given that lighttpd runs in chroot am I correct that I need to run the
following install and then edit /etc/my.cnf for things to play nicely
together?

Thanks,

David



chrooted daemons and MariaDB socket
===

For external program running under a chroot(8) to be able to access the
MariaDB server without using a network connection, the socket must be
placed inside the chroot.

e.g. httpd(8) or nginx(8): connecting to MariaDB from PHP
-
Create a directory for the MariaDB socket:

    # install -d -m 0711 -o _mysql -g _mysql /var/www/var/run/mysql

Adjust /etc/my.cnf to use the socket in the chroot - this
applies to both client and server processes:

    [client-server]
    socket = /var/www/var/run/mysql/mysql.sock

MariaDB install any different for OpenBSD 7.5 than 6.4?

2024-08-24 Thread David Colburn

I found these instructions to install MariaDB Servers in OpenBSD.

(They're for OpenBSD v6.4.)

Any changes for 7.5, please, or should I just 'send it'?

(From the 'It's better to ask than to be told 'If only you'd asked.'' file.)


Thanks, in advance ...

OpenBSD install MariaDB database server

# pkg_add -v mariadb-server

How to enable and start MariaDB server at boot time on OpenBSD

# rcctl enable mysqld

Initialize MariaDB data directory

You need to run mysql_install_db command. It initializes the MariaDB
data directory and creates the system tables:

# mysql_install_db

Start MariaDB service on OpenBSD

# rcctl start mysqld

Stop MariaDB service on OpenBSD

# rcctl stop mysqld

Restart MariaDB service on OpenBSD

# rcctl restart mysqld

Check MariaDB service status on OpenBSD

# rcctl check mysqld

Verify that MariaDB service is running and port is open

Run pgrep command to search the process named mysqld:

# pgrep mysqld

Another option is to run ps command:
# ps aux | grep mysqld

Verify that TCP port 3306 is open using netstat command:
# netstat -f inet -na
# netstat -f inet -na | grep 3306

How to secure MariaDB installation

Run the following script:
# mysql_secure_installation

How to test MariaDB installation

Run the following mysql command:
mysql -u root -p

How to configure MariaDB on OpenBSD

Edit /etc/my.cnf file:
# vi /etc/my.cnf

For example, change IP address binding from localhost:
bind-address = 127.0.0.1

To LAN IP address 192.168.2.200:
bind-address = 192.168.2.200

Save and close the file. Restart mysqld service on OpenBSD:
# rcctl restart mysqld

How to open MariaDB port using PF firewall on OpenBSD

Simply add the following rule to /etc/pf.conf

pass in proto tcp from 192.168.2.0/24 to any port 3306 keep state

Test it and reload the rules:
# pfctl -v -nf /etc/pf.conf
# pfctl -v -f /etc/pf.conf


Re: lighttpd in openbsd - cant find devnull

2024-08-24 Thread David Colburn

Awesome!

That worked.

Thanks!

I guess I can now move on to install MariaDB ...

And after that the Chamilo-LMS.

On 8/24/24 09:24, Страхиња Радић wrote:

Дана 24/08/23 10:04PM, David Colburn написа:

Owner and Group are "www www" - is that correct?

No. On a clean install (using defaults for the OpenBSD port),
/var/www/logs/error.log and /var/www/logs/access.log are owned by the
user _lighttpd and group _lighttpd. That differs from the instructions
at

https://redmine.lighttpd.net/projects/lighttpd/wiki/TutorialConfiguration#A-real-daemon

which use www:www. If you are using custom values for server.username
and server.groupname, then the log files ownership should match that
setting. For the default lighttpd privilege separation user _lighttpd
and the matching group,

# chown _lighttpd:_lighttpd /var/www/logs/*.log

should fix accessing log files by lighttpd. You would also need to do
this if you previously used some other HTTP server, which created the
log files using different ownership. For example, by default httpd(8)
has root:daemon as ownership for the log files, which are in the same
directory /var/www/logs.

As stated in the thread on the link you provided, the file system which
holds /var/www/dev needs to be mounted without the "nodev" flag set.
By default (using the default partitioning scheme in OpenBSD), /var is
mounted with the "nodev" flag set. So, **if you are using the
defaults,** you would need to execute:

# sed -i.bak '/\/var/s/nodev,//' /etc/fstab
# shutdown -r now

After reboot, lighttpd should be able to start:

# rcctl start lighttpd
# rcctl check lighttpd
lighttpd(ok)


Дана 24/08/24 09:31AM, Stuart Henderson написа:

Seems the port docs, or perhaps defaults, could do with some
tweaks as there are definitely some things which are not obvious
(/dev/null and not mounting nodev) and are a bit hard to figure
out unless you know OpenBSD.

The behavior/UX of lighttpd differs from the rest of the system,
including httpd. It should work out of the box with sensible defaults.
At least there should be some warning during install (or in the
manpage) to modify /etc/fstab.

Curiously, httpd(8) also chroots (by default to /var/www), but it
doesn't need nodev on /var/www, nor creating a duplicate /dev under
/var/www. That's what I meant by the necessity for the maintainer of
lighttpd port to take a look at this. Looking at the source code
though, I'm not sure if that is even possible. OpenBSD's httpd is
simply better written, if lacking some of the features of lighttpd.
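
Added example, not from the thread and not part of the lighttpd port: a
sh script that checks the three things the replies above settle on for a
chrooted lighttpd on OpenBSD (the filesystem holding the chroot not
mounted nodev, a usable dev/null inside the chroot, log files owned by
server.username) and rewrites fstab by mount point. Note that the sed
one-liner above matches any fstab line containing the string /var, so on
a layout with extra partitions (a separate /var/log, say) it would strip
nodev there too; the awk version here edits only the entry whose mount
point is exactly the one given. The chroot path /var/www and the user
_lighttpd are the port's defaults, and the sample fstab is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check the prerequisites the
# replies above arrive at for a chrooted lighttpd on OpenBSD
# (/var not mounted nodev, a usable dev/null inside the chroot, log
# files owned by server.username) and edit fstab by mount point.
# The chroot /var/www, the user _lighttpd and the sample fstab are
# assumptions constructed for the demo.

# fstab_has_nodev FSTAB MOUNTPOINT: true when MOUNTPOINT's entry in
# FSTAB carries nodev (fields: device mountpoint type options dump pass).
fstab_has_nodev() {
    awk -v mp="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        $2 == mp && $4 ~ /(^|,)nodev(,|$)/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# fstab_drop_nodev FSTAB MOUNTPOINT: print FSTAB with nodev removed from
# MOUNTPOINT's options only; other lines pass through unchanged (the
# edited line is reprinted with single spaces between fields).
fstab_drop_nodev() {
    awk -v mp="$2" '
        !/^[ \t]*#/ && NF >= 4 && $2 == mp {
            n = split($4, o, ","); opts = ""
            for (i = 1; i <= n; i++)
                if (o[i] != "nodev") opts = opts (opts == "" ? "" : ",") o[i]
            if (opts == "") opts = "rw"    # never leave the field empty
            $4 = opts
        }
        { print }
    ' "$1"
}

# chroot_devnull_ok CHROOT: true when CHROOT/dev/null is a character
# device that opens. A missing node is lighttpd's "No such file or
# directory"; a node on a nodev mount is its "Device not configured".
chroot_devnull_ok() {
    node="${1%/}/dev/null"
    [ -c "$node" ] && cat "$node" >/dev/null 2>&1
}

# log_owner_ok FILE USER: true when FILE is owned by USER (a name or a
# numeric uid), the account named by server.username in lighttpd.conf.
log_owner_ok() {
    [ -e "$1" ] || return 1
    case $2 in
        *[!0-9]*) want=$(id -u "$2" 2>/dev/null) ;;
        *)        want=$2 ;;
    esac
    [ -n "$want" ] && [ "$(ls -ldn "$1" 2>/dev/null | awk '{ print $3 }')" = "$want" ]
}

# write_sample_fstab FILE: constructed fstab like an OpenBSD default
# layout, where /var is mounted nodev,nosuid.
write_sample_fstab() {
    cat > "$1" <<'EOF'
/dev/sd0b none swap sw
/dev/sd0a / ffs rw 1 1
/dev/sd0d /var ffs rw,nodev,nosuid 1 2
/dev/sd0e /usr ffs rw,nodev 1 2
/dev/sd0f /home ffs rw,nodev,nosuid 1 2
EOF
}

# Demo: the constructed fstab, then the live chroot and log file.
chroot=/var/www
fstab=$(mktemp) || exit 1
write_sample_fstab "$fstab"
if fstab_has_nodev "$fstab" /var; then
    echo "/var is nodev, so $chroot/dev/null cannot work; corrected entry:"
    fstab_drop_nodev "$fstab" /var | grep ' /var '
fi
rm -f "$fstab"
if chroot_devnull_ok "$chroot"; then
    echo "$chroot/dev/null: ok"
else
    echo "$chroot/dev/null: missing or unusable (MAKEDEV std in $chroot/dev, remount without nodev)"
fi
if log_owner_ok "$chroot/logs/error.log" _lighttpd; then
    echo "$chroot/logs/error.log: owned by _lighttpd"
else
    echo "$chroot/logs/error.log: fix with chown _lighttpd:_lighttpd $chroot/logs/error.log"
fi
```

On a real box, point fstab_drop_nodev at /etc/fstab and write its output
to a new file before swapping it in, and keep "mount | grep /var" as the
check that the reboot or remount actually took effect.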





Re: lighttpd in openbsd - cant find devnull

2024-08-24 Thread David Colburn

On 8/24/24 04:31, Stuart Henderson wrote:

On 2024/08/23 22:04, David Colburn wrote:

On 8/21/24 14:25, Stuart Henderson wrote:

On 2024/08/21 14:02, David Colburn wrote:

"$ cat /var/www/dev/null"

Returns to the prompt.

Here's this ...

b7# rcctl -d start lighttpd
doing _rc_parse_conf
lighttpd_flags empty, using default >-f /etc/lighttpd.conf<
doing rc_check
lighttpd
doing rc_start
doing _rc_wait_for_start
doing rc_check
2024-08-21 13:59:01:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1840)
opening errorlog 'logs/error.log' failed: Permission denied

Well that is failing on writing /var/www/logs/error.log


I just checked and the permissions for

/var/www/logs/error.log

are 644 converted from "-rw-r--r--" (if I'm reading things correctly).

Is that correct?

Owner and Group are "www www" - is that correct?


That depends on what user you have got lighttpd running as.
If it's the default, _lighttpd, then that user needs to be able
to write to the log file that lighttpd is configured to use.

Seems the port docs, or perhaps defaults, could do with some
tweaks as there are definitely some things which are not obvious
(/dev/null and not mounting nodev) and are a bit hard to figure
out unless you know OpenBSD. But you might want to pick a
different web server if you're needing help with file
permissions etc as there's a lot more documentation you can
find online for e.g. nginx or apache httpd than lighttpd.


I looked at all three and chose lighttpd for a variety of reasons that
I won't go into atm.

If you're saying that lighttpd isn't ready to deploy in OpenBSD then I
guess I'll have to look at one of the other two - which would be unfortunate.

If you're saying that with a few adjustments lighttpd can be made to work
with OpenBSD (as well as it does with Linux) then I'm fine with a
learning curve.

Despite various quirks (and missing drivers) I've been primarily using
Linux for over 20 years - rather than Apple or MS.

(I also have Graphene on my Pixel phone vs google/alphabet's Android.)

Thanks.



MAKEDEV hangs on amd64 sysupgrade in virtualbox

2024-08-24 Thread David Higgs
I've been infrequently following snapshots with a vbox installation and
have been experiencing hangs like this for a year or two now.  Everything
works great on my actual hardware.

The VM boots fine after resetting, but the subsequent fsck and performing
the skipped upgrade steps is mildly annoying.

From the install ramdisk, how would I go about collecting more diagnostic
information?

Thanks.

--david

(dmesg below, apologies for line-wrapping)

OpenBSD 7.6-beta (GENERIC) #274: Fri Aug 23 19:04:48 MDT 2024
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1056899072 (1007MB)
avail mem = 1001926656 (955MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xe1000 (10 entries)
bios0: vendor innotek GmbH version "VirtualBox" date 12/01/2006
bios0: innotek GmbH VirtualBox
acpi0 at bios0: ACPI 4.0
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-6360U CPU @ 2.00GHz, 1860.00 MHz, 06-4e-03
cpu0: cpuid 1
edx=178bfbff
ecx=56da220b
cpu0: cpuid 6 eax=4
cpu0: cpuid 7.0
ebx=842529
edx=3400
cpu0: cpuid 8001 edx=28100800 ecx=121
cpu0: cpuid 8007 edx=100
cpu0: MELTDOWN
cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 256KB
64b/line 4-way L2 cache, 4MB 64b/line 16-way L3 cache
cpu0: smt 0, core 0, package 0
mtrr: CPU supports MTRRs but not enabled by BIOS
cpu0: apic clock running at 1000MHz
cpu0: mwait min=64, max=64
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins, remapped
acpiprt0 at acpi0: bus 0 (PCI0)
acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001
acpibat0 at acpi0: BAT0 model "1" serial 0 type VBOX oem "innotek"
acpiac0 at acpi0: AC unit online
acpicpu0 at acpi0: C1(@1 halt!)
acpivideo0 at acpi0: GFX0
cpu0: using VERW MDS workaround (except on vmm entry)
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
vga1 at pci0 dev 2 function 0 "InnoTek Graphics Adapter" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 "Intel 82540EM" rev 0x02: apic 1 int 19,
address 08:00:27:e9:64:ff
"InnoTek Guest Service" rev 0x00 at pci0 dev 4 function 0 not configured
ohci0 at pci0 dev 6 function 0 "Apple Intrepid USB" rev 0x00: apic 1 int
22, version 1.0
piixpm0 at pci0 dev 7 function 0 "Intel 82371AB Power" rev 0x08: apic 1 int
23
iic0 at piixpm0
em1 at pci0 dev 8 function 0 "Intel 82540EM" rev 0x02: apic 1 int 16,
address 08:00:27:1f:8f:14
em2 at pci0 dev 9 function 0 "Intel 82540EM" rev 0x02: apic 1 int 17,
address 08:00:27:13:48:5a
ehci0 at pci0 dev 11 function 0 "Intel 82801FB USB" rev 0x00: apic 1 int 19
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev
2.00/1.00 addr 1
ahci0 at pci0 dev 13 function 0 "Intel 82801HBM AHCI" rev 0x02: apic 1 int
21, AHCI 1.1
ahci0: device on port 0 didn't come ready, TFD: 0x171
ahci0: port 0: 3.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: 
t10.ATA_VBOX_HARDDISK_VBa5540626-6a15461b_
sd0: 20480MB, 512 bytes/sector, 41943040 sectors
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "Apple OHCI root hub" rev
1.00/1.00 addr 1
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (ddf460662c748e5c.a) swap on sd0b dump on sd0b
WARNING: /mnt was not properly unmounted


Re: lighttpd in openbsd - cant find devnull

2024-08-23 Thread David Colburn

On 8/21/24 14:25, Stuart Henderson wrote:

On 2024/08/21 14:02, David Colburn wrote:

"$ cat /var/www/dev/null"

Returns to the prompt.

Here's this ...

b7# rcctl -d start lighttpd
doing _rc_parse_conf
lighttpd_flags empty, using default >-f /etc/lighttpd.conf<
doing rc_check
lighttpd
doing rc_start
doing _rc_wait_for_start
doing rc_check
2024-08-21 13:59:01:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1840)
opening errorlog 'logs/error.log' failed: Permission denied

Well that is failing on writing /var/www/logs/error.log



I just checked and the permissions for

/var/www/logs/error.log

are 644 converted from "-rw-r--r--" (if I'm reading things correctly).

Is that correct?

Owner and Group are "www www" - is that correct?



Re: lighttpd in openbsd - cant find devnull

2024-08-23 Thread David Colburn

Does this mean that the /dev/null problem I've been chasing can't be solved
without the maintainer's intervention?


On 8/23/24 01:06, Страхиња Радић wrote:

I use httpd(8), since a static website server is enough for my use
cases, so I tried creating a fresh installation of OpenBSD 7.5 in a VM
to test this. It seems that lighttpd doesn't work out of the box on
OpenBSD 7.5, and this is something for the maintainer of lighttpd port
to take a look at, privsep in particular.

After running *on clean install*:

# pkg_add lighttpd
# rcctl -df start lighttpd

it complains about not being able to find "server.upload-dirs" with the
value of "/var/www/var/tmp". After modifying /etc/lighttpd.conf to
include the line

server.upload-dirs = ("/run")

(since there is a /var/www/run directory by default), lighttpd again
refuses to start, this time leaving output in /var/www/logs/error.log,
about not being able to open /dev/null. After running

# cd /var/www
# mkdir dev
# cd dev
# sh /dev/MAKEDEV std

there is /var/www/dev/null with the ownership of root:wheel and
permissions 666 (rw-rw-rw-), but this time lighttpd reports "Device not
configured" for /dev/null.





Re: lighttpd in openbsd - cant find devnull

2024-08-22 Thread David Colburn

Might this then solve the failure to write error.log problem?

"chown _lighttpd:_lighttpd /var/www/logs/error.log"

On 8/22/24 18:01, Stuart Henderson wrote:

Lighttpd is running as the _lighttpd user, not as root.

--
  Sent from a phone, apologies for poor formatting.


On 21 August 2024 21:19:20 David Colburn  wrote:


What do I do about the error.log problem?

I'm running as root - so a permissions problem would seem impossible.

Unless lighttpd is changing the User from root to something else ...

NOTE: I did observe that the new User I added, dmc1, wasn't in Wheel
(just added it).

I'm not sure how lighttpd knows dmc1 is even there - I believe that
lighttpd was installed as root - before I added the dmc1 user.


On 8/21/24 14:37, David Colburn wrote:

Sorry about the old error.log - I didn't even look at the date or
time. My bad.

Keeping locals updated about an escaped inmate atm ...

I did notice in /etc/group "_lighttpd:*585:" - is that correct and in
any way relevant?


On 8/21/24 14:25, Stuart Henderson wrote:

On 2024/08/21 14:02, David Colburn wrote:

"$ cat /var/www/dev/null"

Returns to the prompt.

Here's this ...

b7# rcctl -d start lighttpd
doing _rc_parse_conf
lighttpd_flags empty, using default >-f /etc/lighttpd.conf<
doing rc_check
lighttpd
doing rc_start
doing _rc_wait_for_start
doing rc_check
2024-08-21 13:59:01:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1840)
opening errorlog 'logs/error.log' failed: Permission denied

Well that is failing on writing /var/www/logs/error.log



2024-08-21 13:59:01:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/server.c.1935)
Opening errorlog failed. Going down.
daemonized server failed to start; check error log for details
doing _rc_rm_runfile
(failed)

And ...

2024-08-13 22:29:37:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1891)
opening /dev/null failed: No such file or directory
2024-08-13 22:29:37:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/server.c.1935)
Opening errorlog failed. Going down.

And that is old


On 8/21/24 12:46, Stuart Henderson wrote:

On 2024/08/21 12:11, David Colburn wrote:

On 2024/08/21 10:21, David Colburn wrote:

Notes:

1. I've read the manual entry, and multiple threads related to
this, more than once.

2. The “chroot location” as defined in /etc/lighttpd.conf. is
unchanged - /var/www

3. Someone suggested, and I also tried "/var/www/" - same error.

4. As previously noted - Stuart's answer was tested on a clean,
unmodified, lighttpd.conf.

5. As previously noted I also tried removing "nodev" from
/etc/fstab on line "/var ffs
rw,nosuid 1 2"

Did you either reboot or remount /var after changing this?

Yes. Reboot.

Try this:

$ cat /var/www/dev/null

It should just return to the prompt (same as "cat /dev/null").

If it says "Device not configured" then for some reason it still
seems to be mounted with nodev. (Or check "mount | grep /var".)

If that test works, what's the output from

# rcctl -d start lighttpd

and what, if any, new entries in lighttpd's error log do you have?




Re: lighttpd in openbsd - cant find devnull

2024-08-21 Thread David Colburn

"$ cat /var/www/dev/null"

Returns to the prompt.

Here's this ...

b7# rcctl -d start lighttpd
doing _rc_parse_conf
lighttpd_flags empty, using default >-f /etc/lighttpd.conf<
doing rc_check
lighttpd
doing rc_start
doing _rc_wait_for_start
doing rc_check
2024-08-21 13:59:01: 
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1840) 
opening errorlog 'logs/error.log' failed: Permission denied
2024-08-21 13:59:01: 
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/server.c.1935) 
Opening errorlog failed. Going down.

daemonized server failed to start; check error log for details
doing _rc_rm_runfile
(failed)

And ...

2024-08-13 22:29:37: 
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1891) 
opening /dev/null failed: No such file or directory
2024-08-13 22:29:37: 
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/server.c.1935) 
Opening errorlog failed. Going down.



On 8/21/24 12:46, Stuart Henderson wrote:

On 2024/08/21 12:11, David Colburn wrote:

On 2024/08/21 10:21, David Colburn wrote:

Notes:

1. I've read the manual entry, and multiple threads related to this, more than 
once.

2. The “chroot location” as defined in /etc/lighttpd.conf is unchanged - 
/var/www

3. Someone suggested, and I also tried "/var/www/" - same error.

4. As previously noted - Stuart's answer was tested on a clean, unmodified, 
lighttpd.conf.

5. As previously noted I also tried removing "nodev" from /etc/fstab on line 
"/var ffs
rw,nosuid 1 2"

Did you either reboot or remount /var after changing this?

Yes. Reboot.

Try this:

$ cat /var/www/dev/null

It should just return to the prompt (same as "cat /dev/null").

If it says "Device not configured" then for some reason it still
seems to be mounted with nodev. (Or check "mount | grep /var".)

If that test works, what's the output from

# rcctl -d start lighttpd

and what, if any, new entries in lighttpd's error log do you have?






Re: lighttpd in openbsd - cant find devnull

2024-08-21 Thread David Colburn



On 8/21/24 10:34, Stuart Henderson wrote:

On 2024/08/21 10:21, David Colburn wrote:

Notes:

1. I've read the manual entry, and multiple threads related to this, more than 
once.

2. The “chroot location” as defined in /etc/lighttpd.conf is unchanged - 
/var/www

3. Someone suggested, and I also tried "/var/www/" - same error.

4. As previously noted - Stuart's answer was tested on a clean, unmodified, 
lighttpd.conf.

5. As previously noted I also tried removing "nodev" from /etc/fstab on line 
"/var ffs
rw,nosuid 1 2"

Did you either reboot or remount /var after changing this?

Yes. Rebooted.



Re: lighttpd in openbsd - cant find devnull

2024-08-21 Thread David Colburn
```
.pl"  => "/usr/bin/perl",
#   ".cgi" => "/usr/bin/perl" )
#

#### SSL engine
#ssl.engine = "enable"
#ssl.pemfile    = "/etc/ssl/private/lighttpd.pem"

#### status module
#status.status-url  = "/server-status"
#status.config-url  = "/server-config"

#### auth module
## read authentication.txt for more info
#auth.backend   = "plain"
#auth.backend.plain.userfile = "lighttpd.user"
#auth.backend.plain.groupfile = "lighttpd.group"

#auth.backend.ldap.hostname = "localhost"
#auth.backend.ldap.base-dn  = "dc=my-domain,dc=com"
#auth.backend.ldap.filter   = "(uid=$)"

#auth.require   = ( "/server-status" =>
#   (
# "method"  => "digest",
# "realm"   => "download archiv",
# "require" => "user=jan"
#   ),
#   "/server-config" =>
#   (
# "method"  => "digest",
# "realm"   => "download archiv",
# "require" => "valid-user"
#   )
# )

#### url handling modules (rewrite, redirect, access)
#url.rewrite    = ( "^/$" => "/server-status" )
#url.redirect   = ( "^/wishlist/(.+)" => "http://www.123.org/$1" )
#### both rewrite/redirect support back reference to regex conditional using %n

#$HTTP["host"] =~ "^www\.(.*)" {
#  url.redirect    = ( "^/(.*)" => "http://%1/$1" )
#}

#
# define a pattern for the host url finding
# %% => % sign
# %0 => domain name + tld
# %1 => tld
# %2 => domain name without tld
# %3 => subdomain 1 name
# %4 => subdomain 2 name
#
#evhost.path-pattern    = "/srv/www/vhosts/%3/htdocs/"

#### expire module
#expire.url = ( "/buggy/" => "access 2 hours", "/asdhas/" => "access plus 1 seconds" )

#### ssi
#ssi.extension  = ( ".shtml" )

#### rrdtool
#rrdtool.binary = "/usr/local/bin/rrdtool"
#rrdtool.db-name    = "/var/lib/lighttpd/lighttpd.rrd"

#### setenv
#setenv.add-request-header  = ( "TRAV_ENV" => "mysql://user@host/db" )
#setenv.add-response-header = ( "X-Secret-Message" => "42" )

## for mod_trigger_b4_dl
# trigger-before-download.gdbm-filename = "/var/lib/lighttpd/trigger.db"
# trigger-before-download.memcache-hosts = ( "127.0.0.1:11211" )
# trigger-before-download.trigger-url = "^/trigger/"
# trigger-before-download.download-url = "^/download/"
# trigger-before-download.deny-url = "http://127.0.0.1/index.html"
# trigger-before-download.trigger-timeout = 10

#### variable usage:
## variable name without "." is auto prefixed by "var." and becomes "var.bar"

#bar = 1
#var.mystring = "foo"

## integer add
#bar += 1
## string concat, with integer cast as string, result: "www.foo1.com"
#server.name = "www." + mystring + var.bar + ".com"
## array merge
#index-file.names = (foo + ".php") + index-file.names
#index-file.names += (foo + ".php")

#### include
#include /etc/lighttpd/lighttpd-inc.conf
## same as above if you run: "lighttpd -f /etc/lighttpd/lighttpd.conf"
#include "lighttpd-inc.conf"

#### include_shell
#include_shell "echo var.a=1"
## the above is same as:
#var.a=1
```

On 8/21/24 06:06, Robert Klein wrote:

Hi,

your “chroot location” is defined in /etc/lighttpd.conf.  If you didn't change 
it, it is /var/www.

Please read the man page for chroot(8).  The command to do this is “man 8 
chroot” (without the quotes).  Alternatively the Wikipedia entry for chroot can 
help you understand what chroot is and does.

Stuart's answers assume you didn't change the file /etc/lighttpd.conf.  If you 
did change it, you might want to send the contents of the changed file, too.

Best regards,
Robert


On Tue, 20 Aug 2024 12:33:57 -0400
David Colburn  wrote:


So, I'm at a dead end atm.

It was a clean install - OpenBSD 7.5, php 8.3.10, lighttpd-1.4.74-mysql

What should have worked (Stuart's instructions) didn't.

'chroot' locations are as listed (see following).

Where do I go from here, please?

Is it possible that the lighttpd.c

Re: lighttpd in openbsd - cant find devnull

2024-08-20 Thread David Colburn

So, I'm at a dead end atm.

It was a clean install - OpenBSD 7.5, php 8.3.10, lighttpd-1.4.74-mysql

What should have worked (Stuart's instructions) didn't.

'chroot' locations are as listed (see following).

Where do I go from here, please?

Is it possible that the lighttpd.conf from lighttpd-1.4.74-mysql 
contains errors?


Or, that I should have used a different version of lighttpd?

Or ...

Thanks.


b7# locate chroot
/usr/local/share/doc/pkg-readmes/femail-chroot
/usr/sbin/chroot
/usr/share/man/man2/chroot.2
/usr/share/man/man8/chroot.8
/var/db/pkg/femail-chroot-1.0p3
/var/db/pkg/femail-chroot-1.0p3/+CONTENTS
/var/db/pkg/femail-chroot-1.0p3/+DESC
/var/db/pkg/femail-chroot-1.0p3/+REQUIRED_BY
/var/db/pkg/femail-chroot-1.0p3/REQUIRING

On 8/18/24 20:30, Stuart Henderson wrote:

Hmm. That should be ok...

--
  Sent from a phone, apologies for poor formatting.


On 18 August 2024 21:19:25 David Colburn  wrote:


total 0

crw-rw-rw- 1 root  wheel  2, 2 Aug 18 10:07 null


On 8/18/24 16:00, Stuart Henderson wrote:

Did you do the mkdir etc? What does ls -l /var/www/dev show?

--
  Sent from a phone, apologies for poor formatting.


On 18 August 2024 17:01:52 David Colburn  wrote:


I removed "nodev" from the /var line and rebooted.

Same error:

2024-08-13 22:29:37:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1891)
opening /dev/null failed. No such file or directory.
2024-08-13 22:29:37:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/server.c.1935)
Opening errorlog failed.


On 8/18/24 11:19, David Colburn wrote:

/etc/fstab currently looks like this:

none swap sw
/ ffs rw 1 1
/home ffs rw,nodev,nosuid 1 2
/tmp ffs rw,nodev,nosuid 1 2
/usr ffs rw,nodev 1 2
/usr/X11R6 ffs rw,nodev 1 2
/usr/local ffs rw,wxallowed,nodev 1 2
/usr/obj ffs rw,nodev,nosuid 1 2
/usr/src ffs rw,nodev,nosuid 1 2
/var ffs rw,nodev,nosuid 1 2


On 8/18/24 10:28, David Colburn wrote:

That's very helpful, thanks!

/var is mounted "ffs rw,nodev,nosuid, 1 2"

/var/www isn't specifically mentioned.

Would it be affected by the /var mount settings?

Thanks again.

On 8/18/24 07:50, Stuart Henderson wrote:

On 2024-08-15, David Colburn  wrote:


Dell OptiPlex 7050

OpenBSD 7.5

php 8.3.10

lighttpd-1.4.74-mysql

I'm using root.

"*rcctl -df start lighttpd*" errors

"/daemonized server failed to start; check error log for details doing
_rc_rm_runfile (failed)/"

error.log says:

"...
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1981)
opening /dev/null failed: No such file or directory"

"...
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1935)
Opening errorlog failed: No such file or directory"

According to this:

https://www.reddit.com/r/openbsd/comments/nygjdm/lighttpd_cant_find_devnull_on_69/

there's supposed to be a directory here: /usr/sbin/chroot/ but
chroot is actually a file.

I'm not sure how to proceed to fix the dev/null problem ...

Assuming /var/www/dev does not already exist, this should do it:

# mkdir /var/www/dev
# cd /var/www/dev
# sh /dev/MAKEDEV std
# rm !(null)

If it already exists then you may need to adapt the rm command to
preserve existing entries, or use mknod(8) manually to just create
the "null" node.

You'll also need to make sure that /var/www is _not_ mounted with
the "nodev" option (/etc/fstab).

If this is a hard requirement for lighttpd then the port could
probably do with explaining it somewhere .. (maintainer cc'd)




Re: lighttpd in openbsd

2024-08-18 Thread David Colburn

b7# locate chroot
/usr/local/share/doc/pkg-readmes/femail-chroot
/usr/sbin/chroot
/usr/share/man/man2/chroot.2
/usr/share/man/man8/chroot.8
/var/db/pkg/femail-chroot-1.0p3
/var/db/pkg/femail-chroot-1.0p3/+CONTENTS
/var/db/pkg/femail-chroot-1.0p3/+DESC
/var/db/pkg/femail-chroot-1.0p3/+REQUIRED_BY
/var/db/pkg/femail-chroot-1.0p3/REQUIRING


On 8/18/24 16:47, Страхиња Радић wrote:

On 24/08/16 01:10PM, David Colburn wrote:

According to this:

https://www.reddit.com/r/openbsd/comments/nygjdm/lighttpd_cant_find_devnull_on_69/

there's supposed to be a directory here: /usr/sbin/chroot/ but chroot is
actually a file.

That's a misquote. The exact quote from a reply to the linked article
is:


You need to find the directory of the chroot, likely something like
/var/lighttpd/chroot/ or something (totally guessing at the directory
name here; adjust accordingly below)

[...]

(what follows are the instructions similar to the ones given here, just
using "raw" mknod(8) instead of the script /dev/MAKEDEV)

So, /var/lighttpd/chroot/, not /usr/sbin/chroot/.

/usr/sbin/chroot is the canonical location of chroot(8) executable in
various Unix-like operating systems and I have yet to come across a
system where it is a directory.





Re: lighttpd in openbsd - cant find devnull

2024-08-18 Thread David Colburn

total 0

crw-rw-rw- 1 root  wheel  2, 2 Aug 18 10:07 null


On 8/18/24 16:00, Stuart Henderson wrote:

Did you do the mkdir etc? What does ls -l /var/www/dev show?

--
  Sent from a phone, apologies for poor formatting.


On 18 August 2024 17:01:52 David Colburn  wrote:


I removed "nodev" from the /var line and rebooted.

Same error:

2024-08-13 22:29:37:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1891)
opening /dev/null failed. No such file or directory.
2024-08-13 22:29:37:
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/server.c.1935)
Opening errorlog failed.


On 8/18/24 11:19, David Colburn wrote:

/etc/fstab currently looks like this:

none swap sw
/ ffs rw 1 1
/home ffs rw,nodev,nosuid 1 2
/tmp ffs rw,nodev,nosuid 1 2
/usr ffs rw,nodev 1 2
/usr/X11R6 ffs rw,nodev 1 2
/usr/local ffs rw,wxallowed,nodev 1 2
/usr/obj ffs rw,nodev,nosuid 1 2
/usr/src ffs rw,nodev,nosuid 1 2
/var ffs rw,nodev,nosuid 1 2


On 8/18/24 10:28, David Colburn wrote:

That's very helpful, thanks!

/var is mounted "ffs rw,nodev,nosuid, 1 2"

/var/www isn't specifically mentioned.

Would it be affected by the /var mount settings?

Thanks again.

On 8/18/24 07:50, Stuart Henderson wrote:

On 2024-08-15, David Colburn  wrote:


Dell OptiPlex 7050

OpenBSD 7.5

php 8.3.10

lighttpd-1.4.74-mysql

I'm using root.

"*rcctl -df start lighttpd*" errors

"/daemonized server failed to start; check error log for details doing
_rc_rm_runfile (failed)/"

error.log says:

"...
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1981)
opening /dev/null failed: No such file or directory"

"...
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1935)
Opening errorlog failed: No such file or directory"

According to this:

https://www.reddit.com/r/openbsd/comments/nygjdm/lighttpd_cant_find_devnull_on_69/

there's supposed to be a directory here: /usr/sbin/chroot/ but
chroot is actually a file.

I'm not sure how to proceed to fix the dev/null problem ...

Assuming /var/www/dev does not already exist, this should do it:

# mkdir /var/www/dev
# cd /var/www/dev
# sh /dev/MAKEDEV std
# rm !(null)

If it already exists then you may need to adapt the rm command to
preserve existing entries, or use mknod(8) manually to just create
the "null" node.

You'll also need to make sure that /var/www is _not_ mounted with
the "nodev" option (/etc/fstab).

If this is a hard requirement for lighttpd then the port could
probably do with explaining it somewhere .. (maintainer cc'd)


Waking from sleep on X1 Carbon

2024-08-18 Thread Raymond, David
Good news!  I previously reported that various generations of Lenovo X1
Carbon laptops would occasionally hang on waking up from sleep.

I am happy to report that the problem has apparently gone away after
upgrading to OpenBSD 7.5.

Dave

David J. Raymond
david.raym...@nmt.edu
http://kestrel.nmt.edu/~raymond


Re: lighttpd in openbsd - cant find devnull

2024-08-18 Thread David Colburn

I removed "nodev" from the /var line and rebooted.

Same error:

2024-08-13 22:29:37: 
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1891) 
opening /dev/null failed. No such file or directory.
2024-08-13 22:29:37: 
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/server.c.1935) 
Opening errorlog failed.



On 8/18/24 11:19, David Colburn wrote:

/etc/fstab currently looks like this:

none swap sw
/ ffs rw 1 1
/home ffs rw,nodev,nosuid 1 2
/tmp ffs rw,nodev,nosuid 1 2
/usr ffs rw,nodev 1 2
/usr/X11R6 ffs rw,nodev 1 2
/usr/local ffs rw,wxallowed,nodev 1 2
/usr/obj ffs rw,nodev,nosuid 1 2
/usr/src ffs rw,nodev,nosuid 1 2
/var ffs rw,nodev,nosuid 1 2


On 8/18/24 10:28, David Colburn wrote:

That's very helpful, thanks!

/var is mounted "ffs rw,nodev,nosuid, 1 2"

/var/www isn't specifically mentioned.

Would it be affected by the /var mount settings?

Thanks again.

On 8/18/24 07:50, Stuart Henderson wrote:

On 2024-08-15, David Colburn  wrote:


Dell OptiPlex 7050

OpenBSD 7.5

php 8.3.10

lighttpd-1.4.74-mysql

I'm using root.

"*rcctl -df start lighttpd*" errors

"/daemonized server failed to start; check error log for details doing
_rc_rm_runfile (failed)/"

error.log says:

"...
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1981)
opening /dev/null failed: No such file or directory"

"...
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1935)
Opening errorlog failed: No such file or directory"

According to this:

https://www.reddit.com/r/openbsd/comments/nygjdm/lighttpd_cant_find_devnull_on_69/

there's supposed to be a directory here: /usr/sbin/chroot/ but
chroot is actually a file.

I'm not sure how to proceed to fix the dev/null problem ...

Assuming /var/www/dev does not already exist, this should do it:

# mkdir /var/www/dev
# cd /var/www/dev
# sh /dev/MAKEDEV std
# rm !(null)

If it already exists then you may need to adapt the rm command to
preserve existing entries, or use mknod(8) manually to just create
the "null" node.

You'll also need to make sure that /var/www is _not_ mounted with
the "nodev" option (/etc/fstab).

If this is a hard requirement for lighttpd then the port could
probably do with explaining it somewhere .. (maintainer cc'd)




Re: lighttpd in openbsd - cant find devnull

2024-08-18 Thread David Colburn

/etc/fstab currently looks like this:

none swap sw
/ ffs rw 1 1
/home ffs rw,nodev,nosuid 1 2
/tmp ffs rw,nodev,nosuid 1 2
/usr ffs rw,nodev 1 2
/usr/X11R6 ffs rw,nodev 1 2
/usr/local ffs rw,wxallowed,nodev 1 2
/usr/obj ffs rw,nodev,nosuid 1 2
/usr/src ffs rw,nodev,nosuid 1 2
/var ffs rw,nodev,nosuid 1 2


On 8/18/24 10:28, David Colburn wrote:

That's very helpful, thanks!

/var is mounted "ffs rw,nodev,nosuid, 1 2"

/var/www isn't specifically mentioned.

Would it be affected by the /var mount settings?

Thanks again.

On 8/18/24 07:50, Stuart Henderson wrote:

On 2024-08-15, David Colburn  wrote:


Dell OptiPlex 7050

OpenBSD 7.5

php 8.3.10

lighttpd-1.4.74-mysql

I'm using root.

"*rcctl -df start lighttpd*" errors

"/daemonized server failed to start; check error log for details doing
_rc_rm_runfile (failed)/"

error.log says:

"...
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1981)
opening /dev/null failed: No such file or directory"

"...
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1935)
Opening errorlog failed: No such file or directory"

According to this:

https://www.reddit.com/r/openbsd/comments/nygjdm/lighttpd_cant_find_devnull_on_69/

there's supposed to be a directory here: /usr/sbin/chroot/ but
chroot is actually a file.

I'm not sure how to proceed to fix the dev/null problem ...

Assuming /var/www/dev does not already exist, this should do it:

# mkdir /var/www/dev
# cd /var/www/dev
# sh /dev/MAKEDEV std
# rm !(null)

If it already exists then you may need to adapt the rm command to
preserve existing entries, or use mknod(8) manually to just create
the "null" node.

You'll also need to make sure that /var/www is _not_ mounted with
the "nodev" option (/etc/fstab).

If this is a hard requirement for lighttpd then the port could
probably do with explaining it somewhere .. (maintainer cc'd)




Re: lighttpd in openbsd - cant find devnull

2024-08-18 Thread David Colburn

That's very helpful, thanks!

/var is mounted "ffs rw,nodev,nosuid, 1 2"

/var/www isn't specifically mentioned.

Would it be affected by the /var mount settings?

Thanks again.

On 8/18/24 07:50, Stuart Henderson wrote:

On 2024-08-15, David Colburn  wrote:


Dell OptiPlex 7050

OpenBSD 7.5

php 8.3.10

lighttpd-1.4.74-mysql

I'm using root.

"*rcctl -df start lighttpd*" errors

"/daemonized server failed to start; check error log for details doing
_rc_rm_runfile (failed)/"

error.log says:

"...
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1981)
opening /dev/null failed: No such file or directory"

"...
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1935)
Opening errorlog failed: No such file or directory"

According to this:

https://www.reddit.com/r/openbsd/comments/nygjdm/lighttpd_cant_find_devnull_on_69/

there's supposed to be a directory here: /usr/sbin/chroot/ but chroot is
actually a file.

I'm not sure how to proceed to fix the dev/null problem ...

Assuming /var/www/dev does not already exist, this should do it:

# mkdir /var/www/dev
# cd /var/www/dev
# sh /dev/MAKEDEV std
# rm !(null)

If it already exists then you may need to adapt the rm command to
preserve existing entries, or use mknod(8) manually to just create
the "null" node.

You'll also need to make sure that /var/www is _not_ mounted with
the "nodev" option (/etc/fstab).

If this is a hard requirement for lighttpd then the port could
probably do with explaining it somewhere .. (maintainer cc'd)




lighttpd in openbsd - cant find devnull

2024-08-17 Thread David Colburn

Dell OptiPlex 7050

OpenBSD 7.5

php 8.3.10

lighttpd-1.4.74-mysql

I'm using root.

"*rcctl -df start lighttpd*" errors

"/daemonized server failed to start; check error log for details doing 
_rc_rm_runfile (failed)/"


error.log says:

"... 
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1981) 
opening /dev/null failed: No such file or directory"


"... 
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1935) 
Opening errorlog failed: No such file or directory"


According to this:

https://www.reddit.com/r/openbsd/comments/nygjdm/lighttpd_cant_find_devnull_on_69/

there's supposed to be a directory here: /usr/sbin/chroot/ but chroot is 
actually a file.


I'm not sure how to proceed to fix the dev/null problem ...

Thanks


lighttpd in openbsd

2024-08-16 Thread David Colburn

I didn't see this on the mailing list so am trying again ...

Dell OptiPlex 7050

OpenBSD 7.5

php 8.3.10

lighttpd-1.4.74-mysql

I'm using root.

"*rcctl -df start lighttpd*" errors

"/daemonized server failed to start; check error log for details doing 
_rc_rm_runfile (failed)/"


error.log says:

"... 
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1981) 
opening /dev/null failed: No such file or directory"


"... 
(/usr/obj/ports/lighttpd-1.4.74-mysql/lighttpd-1.4.74/src/configfile.c.1935) 
Opening errorlog failed: No such file or directory"


According to this:

https://www.reddit.com/r/openbsd/comments/nygjdm/lighttpd_cant_find_devnull_on_69/

there's supposed to be a directory here: /usr/sbin/chroot/ but chroot is 
actually a file.


I'm not sure how to proceed to fix the dev/null problem ...

Thanks


Re: wireguard routing

2024-08-10 Thread David Gwynne



> On 10 Aug 2024, at 18:18, 04-psyche.tot...@icloud.com wrote:
> 
> Hi all,
> 
> I am working on a wireguard network.
> 
> I have a setup like this:
> 
> serverA (10.0.0.0) => serverB (10.0.0.1) => serverC (10.0.0.2)
> 
> - serverA connects to serverB with AllowedIPs = 0.0.0.0/0
> - serverB connects to serverC with AllowedIPs = 0.0.0.0/0
> 
> I cannot access serverC directly from serverA (it does not have a public 
> facing IP), so I go via serverB.
> 
> I therefore need to set up routing on serverB.
> 
> If I set my default gateway to serverC:
> `route change default 10.0.0.2` 
> 
> Then I cannot connect from serverA, because packets from serverA are never 
> returned to serverA.
> 
> So I need to also add a route like this:
> 
> `route add serverA_public_ip serverB_local_gateway`
> 
> However, this is problematic with IP roaming (in other words, I don't have a 
> good solution to dynamically know serverA's endpoint).
> 
> A solution would be to run a crontab every few minutes, parse the output of
> `wg show wg0 endpoints` and programmatically add the route for the current 
> endpoint.
> 
> This solution feels atrocious though.
> 
> The wireguard website proposes a solution with fwmark:
> https://www.wireguard.com/netns/#improved-rule-based-routing
> 
> However, this is linux based, and I am not sure this is the optimal solution 
> for an openBSD system.
> 
> So I have a few questions:
> 
> - I am currently using /etc/hostname.wg0 and routing table. Should I use 
> wg0-quick instead? Does wg0-quick take care automatically of routing in the 
> case of IP roaming?
> - Is the fwmark solution a good solution for openBSD as well? If yes, how can 
> I implement it? Should I use routing domains?

does serverB have separate wg(4) interfaces for talking to serverA and serverB? 
or is it the one interface for both?

if serverB has one interface, you'll need to configure wgaip for each peer so 
the cryptokey routing stuff knows which peer has which address. if you use 
separate interfaces you'll need more IPs...

assuming one wg on each server:

serverA# cat /etc/hostname.wg0
# wg stuff goes here
wgpeer ... wgdescr serverB wgaip 0.0.0.0/0
inet 10.0.0.0 255.255.255.255
!route -qn add 10.0.0.1/32 10.0.0.0
!route -qn add 10.0.0.2/32 10.0.0.0

serverB# cat /etc/hostname.wg0
# wg stuff goes here
wgpeer ... wgdescr serverA wgaip 10.0.0.0/32
wgpeer ... wgdescr serverC wgaip 10.0.0.2/32
inet 10.0.0.1 255.255.255.255
!route -qn add 10.0.0.0/32 10.0.0.1
!route -qn add 10.0.0.2/32 10.0.0.1

serverB# cat /etc/hostname.wg0
# wg stuff goes here
wgpeer ... wgdescr serverB wgaip 0.0.0.0/0
inet 10.0.0.2 255.255.255.255
!route -qn add 10.0.0.1/32 10.0.0.2
!route -qn add 10.0.0.2/32 10.0.0.2

so, the routes tell the kernel to push the packets for each peer out the wg 
interface. using the local ip as the route destination is enough for the kernel 
to be able to send each peer's packets out the wg interface. after that, the 
wgaip config tells wireguard's cryptokey routing stuff how to map each 
destination ip to a peer.

i much prefer a wg interface per peer with wgaip 0.0.0.0/0, and then i can use 
routes and pf for policy.

dlg
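
David's point about wgaip on a single interface (an address can be mapped to only one peer, so serverB needs a specific wgaip per peer) can be checked with a small model of the lookup. This is an added example for the archive, not OpenBSD or wg(4) code: a longest-prefix lookup over constructed "peer prefix" tables that mirror the hostname.wg0 files above, plus a third, hypothetical table in which both of serverB's peers carry 0.0.0.0/0, to show why a reply meant for serverA lands at the wrong peer in that case. It models an address belonging to one peer only (a prefix given to a later peer takes it away from an earlier one), which is how WireGuard's cryptokey routing table behaves.

```shell
#!/bin/sh
# Model of WireGuard cryptokey routing for the serverA/serverB/serverC setup
# in this thread.  Added example for the archive, not part of OpenBSD or
# wg(4); it only shows which peer a destination address is mapped to.

# Convert a dotted IPv4 address to an integer.
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length, as an integer (0 for /0).
prefix_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# Read "peer prefix" lines on stdin (the wgaip entries of one interface)
# and print the peer whose allowed IP best matches DEST, or "none" when no
# entry covers it (wg(4) drops such packets).  An address belongs to one
# peer only: a prefix given to a later peer takes it from an earlier one,
# which is what -ge models on equal prefix lengths.
peer_for() {
    dest=$(ip2int "$1")
    bestlen=-1
    bestpeer=none
    while read -r peer aip; do
        [ -n "$peer" ] || continue
        net=$(ip2int "${aip%/*}")
        len=${aip#*/}
        mask=$(prefix_mask "$len")
        if [ $(( dest & mask )) -eq $(( net & mask )) ] && [ "$len" -ge "$bestlen" ]; then
            bestlen=$len
            bestpeer=$peer
        fi
    done
    echo "$bestpeer"
}

# Constructed wgaip tables matching the hostname.wg0 files above.
SERVERA_AIPS='serverB 0.0.0.0/0'
SERVERB_AIPS='serverA 10.0.0.0/32
serverC 10.0.0.2/32'
# Hypothetical single-interface serverB with 0.0.0.0/0 on both peers:
# the peer configured last owns every address, serverA gets nothing back.
SERVERB_BROKEN='serverA 0.0.0.0/0
serverC 0.0.0.0/0'

# Print "table dest -> peer" for a few destinations against each table.
demo() {
    for dest in 10.0.0.0 10.0.0.2 10.0.0.9; do
        echo "serverA         $dest -> $(printf '%s\n' "$SERVERA_AIPS" | peer_for "$dest")"
        echo "serverB         $dest -> $(printf '%s\n' "$SERVERB_AIPS" | peer_for "$dest")"
        echo "serverB(broken) $dest -> $(printf '%s\n' "$SERVERB_BROKEN" | peer_for "$dest")"
    done
}
demo
```

Running it prints which peer each of 10.0.0.0, 10.0.0.2 and 10.0.0.9 maps to under each table; 10.0.0.9 maps to none on serverB because no wgaip covers it. The kernel route lookup (the !route lines in the hostname files) still decides whether a packet reaches wg0 at all; this only covers what happens once it does.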


Re: Automatic Disk Partitioning

2024-08-09 Thread David Uhden Collado

Is it you that will do all these extra tests?


I would like to contribute to the best of my abilities. However, it is 
evident that any improvement requires effort. If I possessed the 
necessary knowledge, I would implement these changes myself and propose 
them on the tech@ mailing list, just as I am currently doing on ports@. 
My intention is not to compel anyone to work, but merely to present 
ideas that can be freely adopted or dismissed.




Re: Automatic Disk Partitioning

2024-08-06 Thread David Uhden Collado
The rationale is that the installer is not able to make a reasonable
guess about how you plan to use the system.  It knows the minimum required
filesystem sizes, and if you have a moderate amount of extra disk it has
rules on how to allocate the extra.

But if you have an extremely large amount of extra space there's no way to
tell what you have planned for it.  Are you going to run a database? Maybe
the extra space should go into /var.  Or better yet, use that extra space to
make a new filesystem like /var/mariadb or /var/postgresql.  Or maybe you
are setting up a web server and you'll want /var/www enlarged.  Maybe you
will want the extra space in an entirely new directory like /nfs.

If the installer can't reasonably guess, it is better to leave the space
unused as it's easy to add space somewhere if you have extra, but hard if
you don't.

The idea here is to start with sane defaults, not immediately paint you into
a corner.


Now I understand the rationale. It might be beneficial for the installer 
to offer multiple templates when selecting the automatic partitioning 
option. These templates could cater to various common use cases, making 
the process more convenient and often eliminating the need for manual 
disk partitioning.




Re: Automatic Disk Partitioning

2024-08-06 Thread David Uhden Collado

Generally I would expect somebody who is new to OpenBSD to do a scratch
install on a spare machine to try out the system, but then re-install at
least once rather than continue using that scratch system as their 'final'
installation.  For nothing else, because generally people fiddle with all
sorts of settings that have effects beyond what they realise, (including
security related effects), and it's not always obvious how to twiddle the
knobs back.  Also, some people install without FDE and later want it.  A
re-install is not a bad thing.

(In fact, part of my job is to re-install our servers from scratch for every
release - we never use the upgrade tools.)


The issue at hand is the limitation of time. Personally, I have made 
irreversible installation errors on operating systems that I currently 
use. However, I am unable to afford the time required to reinstall and 
reconfigure everything to its present state. I think this situation is 
common for many individuals.



But more specifically to the issue of disk partitioning, there are three other
points here:

Firstly, the physically last partition that the installer automatically creates
is mounted on /home, and this is usually the one that the average home user
is going to want to expand in to free space that follows.

Secondly, having an enormous /home or any other standard system partition is
not necessarily desirable for various reasons, some of which have already been
pointed out.  So adding a separate partition using the free space and mounting
it on, say, /storage, might also be a better idea.

Thirdly, unless you are on a machine with hardware constraints, (laptop, SBC,
etc), why would you want a boot/system disk larger than 512 Gb?

Keeping the boot/system disk small and installing a separate drive for bulk
data storage has the benefits of easy replacement in case of failure, (you're
only replacing and re-installing the system drive, not all of your data), and
it's also convenient if you want to swap out the drive for another to install
a new release, but keep the option of returning to the old system without the
hassle of restoring.


I acknowledge that it is always preferable to use separate storage units 
for the operating system and for data. The issue with fsck(8) that Åke 
Nordin mentioned at the outset is a compelling reason to adopt this 
practice. However, it is not always feasible due to hardware limitations 
or budget constraints. My specific situation is a combination of both. I 
have a home server with a 4TB hard disk, and given its usage, I should 
have only enlarged the partitions mounted on /var and /home. Instead, I 
expanded all the partitions proportionally.


I hope to never have to use the fsck(8) utility. For this reason, and to 
prevent data corruption, I use an Uninterruptible Power Supply (UPS) and 
run the stable branch. I think a UPS is essential for any desktop or 
server running OpenBSD.




Re: Automatic Disk Partitioning

2024-08-04 Thread David Uhden Collado
> Why not just use a custom disklabel template that suits your needs?
> This is the -t option to /sbin/disklabel.


How is it possible to use a custom template from the OpenBSD installer? 
On the other hand, this workaround is not the most convenient since one 
typically does not reinstall OpenBSD frequently. New users often do not 
realize this issue and only discover after installing and configuring 
their system that they are utilizing less than half of the available 
storage on their hard drive, which nowadays is typically around 1TB in 
capacity.


> I don't know if I'm misreading your inquiry but if I have more than 
> enough storage space why would I allocate way too much space to system 
> partitions by allocating it proportionally?


The only partition that I believe does not benefit from an increase in 
size is the one mounted on /usr/X11R6. For the rest, there may be 
reasons to consider increasing their sizes.




Automatic Disk Partitioning

2024-08-04 Thread David Uhden Collado

Hello,

I have observed that the automatic partitioning feature of disklabel(8) 
does not allocate more than approximately 350GB to system partitions 
[1]. In my opinion, the tool should have been designed to use all 
available space on the storage device when partitioning. To address this 
limitation, I had to write a custom program that calculates partition 
sizes to maintain their initial proportions while occupying the entire 
storage device.


I would like to understand the rationale behind this design choice. Is 
there a specific reason why the automatic partitioning is limited to 
around 350GB for system partitions? Any insights or explanations you can 
provide would be greatly appreciated.


References:
1. https://man.openbsd.org/disklabel#AUTOMATIC_DISK_ALLOCATION

Best regards,
David.
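The scaling the post describes, as an added example that is not the poster's program or OpenBSD's disklabel(8) code: it models template-driven allocation (each partition gets its percentage of the disk, clamped to the template's min-max range, which is what caps the total on a large disk) and then rescales that result proportionally so the whole device is used. The template below is constructed for this example, its numbers are not OpenBSD's real defaults, and the `mountpoint min-max pct%` line format is an assumption modelled on disklabel(8) -T templates.

```python
"""Compare clamped automatic allocation with proportional scaling."""
import re
from typing import Dict, List, Tuple

# Constructed template (NOT OpenBSD's real defaults): mount point,
# min-max size range, and the share of the disk the partition asks for.
TEMPLATE = """\
/           1G-2G     5%
swap        1G-8G    10%
/tmp        1G-4G     8%
/var        1G-4G    13%
/usr        1.5G-6G  10%
/usr/X11R6  384M-1G   3%
/usr/local  1G-20G   15%
/usr/src    1.5G-3G   2%
/usr/obj    5G-6G     4%
/home       1G-300G  30%
"""

# 4 TB in decimal bytes, the size the post mentions for a home server.
DISK_4TB = 4_000_000_000_000

UNIT = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30, "T": 1 << 40}

Row = Tuple[str, int, int, int]  # (mount, min_bytes, max_bytes, pct)


def parse_size(text: str) -> int:
    """'1.5G' -> bytes, using binary units like disklabel(8)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT])", text.strip())
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(float(m.group(1)) * UNIT[m.group(2)])


def parse_template(text: str) -> List[Row]:
    rows: List[Row] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        mount, span, pct = line.split()
        lo, hi = span.split("-")
        rows.append((mount, parse_size(lo), parse_size(hi),
                     int(pct.rstrip("%"))))
    return rows


def auto_allocate(rows: List[Row], disk_bytes: int) -> Dict[str, int]:
    """Clamped allocation: pct of the disk, bounded by min and max.

    On a big disk every partition hits its max, so the total stops
    growing no matter how large the device is (here: 354 GiB).
    Real disklabel(8) drops trailing partitions when minimums do not
    fit; this simplified model just refuses.
    """
    sizes: Dict[str, int] = {}
    for mount, lo, hi, pct in rows:
        want = disk_bytes * pct // 100
        sizes[mount] = min(max(want, lo), hi)
    if sum(sizes.values()) > disk_bytes:
        raise ValueError("minimum sizes do not fit on the disk")
    return sizes


def scale_to_fill(sizes: Dict[str, int], disk_bytes: int) -> Dict[str, int]:
    """Keep the relative proportions of `sizes` but use the whole disk.

    Integer math rounds down; the few leftover bytes go to the last
    partition so the total equals disk_bytes exactly.
    """
    total = sum(sizes.values())
    scaled = {m: s * disk_bytes // total for m, s in sizes.items()}
    last = list(scaled)[-1]
    scaled[last] += disk_bytes - sum(scaled.values())
    return scaled


def unallocated(sizes: Dict[str, int], disk_bytes: int) -> int:
    """Bytes the allocation leaves unused on the device."""
    return disk_bytes - sum(sizes.values())


if __name__ == "__main__":
    rows = parse_template(TEMPLATE)
    auto = auto_allocate(rows, DISK_4TB)
    full = scale_to_fill(auto, DISK_4TB)
    gib = 1 << 30
    print(f"{'mount':12} {'clamped GiB':>12} {'scaled GiB':>12}")
    for mount in auto:
        print(f"{mount:12} {auto[mount] / gib:12.1f} {full[mount] / gib:12.1f}")
    print(f"unused after clamped allocation: "
          f"{unallocated(auto, DISK_4TB) / gib:.1f} GiB")
```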



Re: (Fork) "IP rights" bullshit, philosophy & OpenBSD compatibility with this

2024-08-03 Thread David Uhden Collado

> Go defend the humanity out of the misc@.

I think that discussing the legitimacy of intellectual "property" from a 
philosophical rather than a practical standpoint is highly constructive 
and beneficial.


The reason I completely reject the so-called copyleft "free" software 
licenses and fully support the copyright policy of the OpenBSD project 
[1] is that I am fundamentally opposed to any form of "ownership" over 
intangible goods. I do not consider it ethical. I believe that I should 
only have control over the original work hosted on my hardware. What 
comes out of there should not be under my control. I find the 
restrictions imposed by copyleft "free" software licenses to be just as 
unethical as those used in proprietary software licenses. For me, the 
end does not justify the means under any circumstances; it is a matter 
of ethics. Since I don't want to make this email too long, I recommend 
reading this article to learn about the arguments that support my (and 
others') position on this issue [2].


Setting aside the philosophical aspects and focusing on practical 
matters, I am content with avoiding legal complications by adding a 
disclaimer clause and waiving any legal action, even if the sole 
condition of retaining the license and copyright notice is violated.


> I meant CC0 specifically.

The main practical problem with dedicating a work to the public domain 
under the current system is that some jurisdictions do not recognize an 
author's right to relinquish their intellectual "property" "rights" 
before the expiration of the term established by law. In cases where 
public domain dedication is not legally possible, the author (by name) 
must explicitly authorize the use of a work for any exceptions to the 
standard intellectual "property" restrictions to apply. In summary, a 
license is necessary to waive any copy "rights" privileges. As a result, 
if someone in the U.S. dedicates a work to the public domain, it can 
theoretically be used without restrictions in the U.S., but in another 
country, it may be illegal for a recipient to use it without obtaining 
explicit permission from the copyright holder (by name) [3].


References:

1. https://www.openbsd.org/policy.html
2. https://gist.github.com/LiquidZulu/a269df658060c9e9e358c3ad43b6b736
3. https://cubicspot.blogspot.com/2014/03/writing-software-without-copyright.html




Re: WIFI

2024-07-03 Thread David
On Wed, 2024-07-03 at 08:51 +0200, Dan wrote:
> 
> Beyond the help that everyone also eventually the spammers deserve
> like a longtime OpenBSD user who target this "terrific" OS for its
> security,
> then portability and manageability (it will form "man"..) I would
> like to state
> my strange feeling reading about a WiFi choice for interconnecting
> its own
> OpenBSD station, doesn't appear like a great food. Then certainly
> everyone
> should have its own experience with related communication modes.
> But modestly I have this need to wave hand against this kind of
> choice.
> Again underlining Security as the subject matter.
> 
> -Dan

I have a feeling Dan works in the AI division of his building.
Cheers!

> 
> Jul 3, 2024 07:15:07 openbsd_fr...@mail2tor.com:
> 
> > Dear users!
> > 
> > How do I get wifi working for desktop use?
> > 
> > /John
> 



Re: Copying files from an Android phone

2024-07-02 Thread Raymond, David
Shotwell (an OpenBSD package) works for me on both 7.4 and 7.5.  You may
have to change some permissions on /dev/usb* and /dev/ugen/*.



On Tue, Jul 2, 2024, 08:23 Stuart Henderson 
wrote:

> On 2024-07-02, Sadeep Madurange  wrote:
> > Hello,
> >
> > I'm trying to back up some files (~1000 photos and two short videos, in
> > total about 3GB) from an Android phone to OpenBSD. In the past I used
> > Android file transfer (MTP) client. I couldn't find it on OpenBSD.
> > What's the best way to achieve this?
>
> Probably an Android sftp client, or termux + rsync. You'll be lucky if
> you can get USB between OpenBSD and Android working well enough for the
> various client programs in the libmtp package.
>
>
> --
> Please keep replies on the mailing list.
>
>


No wake from sleep on Carbon X1 Thinkpad

2024-06-15 Thread Raymond, David
Hello Misc,

I occasionally have a problem in which my laptop doesn't
wake from sleep.  The power LED just keeps blinking
indefinitely when I open the lid.  Closing the lid and opening
it again doesn't seem to help.  The machine doesn't
respond to a ping from the network.

The occurrence of this is random -- I can't put my finger on
what might be causing it.  Openbsd is currently running v7.4
on v9 of an X1, but it has happened previously on X1 versions
4 and 5 with earlier versions of the OS.  I have to hold the
power button down until the machine turns off and then restart
it.  During boot there are a bunch of fsck corrections, but
I haven't noticed anything fatal.  However, this makes me
nervous for obvious reasons.  The machine can be either
on battery or wall power as I recall.  The battery is not
near being depleted.

Has anybody else experienced this?  Any suggestions for
diagnostics or fixes?

Dave Raymond

David J. Raymond
david.raym...@nmt.edu
http://kestrel.nmt.edu/~raymond


Re: Favorite configuration and system replication tools?

2024-05-08 Thread Raymond, David
Rsync.  I also have a root directory in /home to keep local stuff.  This is
the same for about 20 machines running obsd and is also distributed by
rsync. Since it is in home, it survives upgrades. Various shell scripts in
/home/root/etc are used to manage the system.

On Wed, May 8, 2024, 11:08 Jan Stary  wrote:

> On May 07 22:15:27, olp...@yahoo.ca wrote:
> > I was wondering which programs you use for replicating/copying/syncing
> environments/configs on your openbsd systems with between your desktops
> (home or work) and laptops?
>
> git
>
> > Do you also maintain installed/removed packages in some standard way
> across systems so that you have reasonably consistent systems to work on?
>
> a plaintext list of package names
>
>


Re: Firefox hangs after sleep

2024-03-24 Thread Raymond, David
I reinstalled OpenBSD on the laptop experiencing this problem (for various
reasons) and the Firefox problem went away.(!)

Dave

David J. Raymond
david.raym...@nmt.edu
http://kestrel.nmt.edu/~raymond





On Thu, Mar 21, 2024 at 2:36 AM Stefan Sperling  wrote:

> On Thu, Mar 21, 2024 at 02:29:14AM -0600, Raymond, David wrote:
> > At some point (I can't put my finger on exactly when this started), an
> > existing firefox instance hangs after my laptop is put to sleep and then
> > wakes from sleep.  Websites in existing tabs still work, but searching
> for
> > another webpage in an existing tab or opening a new tab is when the hang
> > occurs.  Killing and restarting firefox eliminates the problem until the
> > next sleep.
>
> Alternatively, wait for a long time and the problem will resolve itself,
> i.e. the stuck tabs will suddenly start working again.
>
> I believe it's a known issue, but nobody has invested time digging into it.
>
> It's probably DNS...
>


Firefox hangs after sleep

2024-03-21 Thread Raymond, David
At some point (I can't put my finger on exactly when this started), an
existing firefox instance hangs after my laptop is put to sleep and then
wakes from sleep.  Websites in existing tabs still work, but searching for
another webpage in an existing tab or opening a new tab is when the hang
occurs.  Killing and restarting firefox eliminates the problem until the
next sleep.  Interestingly, "simple" websites such as the OpenBSD or Arch
Linux websites still can be started after sleeping, but "fancy" ones such
as Gmail or the Washington Post cannot.  This suggests to me the problem
lies in javascript or some other non-pure html component.

I am using 7.4 stable on a Lenovo X1 Carbon, gen 4, though it also occurs
on an X1 gen 9.  A recent update to firefox (and all the other installed
packages) didn't help.  This doesn't happen with other browsers such as
chromium or iridium.  I am not sure what kind of diagnostics would help
here.

David J. Raymond
david.raym...@nmt.edu
http://kestrel.nmt.edu/~raymond


Re: How to set up dev environment for ESP32 MCUs?

2024-02-14 Thread David Demelier
On Sun, 2024-02-11 at 13:32 +0800, Sadeep Madurange wrote:
> Hello,
> 
> Has anyone set up the ESP-IDF for programming ESP32 MCUs?
> 
> Should I install dependencies like libmpc using pkg_add, and then
> install the ESP-IDF from their GitHub or put things together using
> xtensa-esp32-elf/* ports and use CMake without the ESP-IDF?
> 

Hi,

OpenBSD ports team did a great job building xtensa-/riscv32- toolchains
in the tree. You can use it as-is to build an image file for an ESP32 MCU,
but just like that you'll end up with bare metal code and have to write
a lot of things to do basic things, but it's doable.

Unfortunately the versions of these toolchains in the tree are not
compatible with esp-idf 5.1.2; in fact Espressif provides toolchains
that are versioned against specific versions of their idf environment.
Example: 5.1.2 requires 12.2.0_20230208. You can try building some code
from 5.1.2 with the toolchain in the ports tree; most of the parts work
but some don't.

Also if you want to use esp-idf, you also have to install various
python packages that are listed in
tools/requirements/requirements.core.txt, some of them are packaged,
some aren't so use pip3 --user if needed. Then setup some environment
variables:

export IDF_PATH=path/to/esp-idf-repo
export IDF_PYTHON_CHECK_CONSTRAINTS=no

And add the desired toolchain in your PATH, e.g.
/usr/local/xtensa-esp32s3-elf/bin.

Finally, you can try to build an example project:

cmake -S examples/get-started/blink -B build -DPYTHON=python3 -DIDF_TARGET=esp32s3 -DPYTHON_DEPS_CHECKED=On

There is some effort to use LLVM/clang at some point, but it's not
ready nor officially supported AFAIK. Officially, the only way to get a
compatible mixed version of their toolchains is to use their fork of
crosstool-ng, and as far as I can tell it's near impossible to use it on
OpenBSD, since it uses a large number of hardcoded GNUisms. 

HTH,

-- 
David

> Appreciate some pointers in the right direction by someone doing
> ESP32
> dev on OpenBSD.
> 



Re: questions about RAID5C, RAID6, RAID6C, can Openbsd be a good storage-server OS?

2024-02-04 Thread David Rinehart


This is a good read: 
https://research.exoticsilicon.com/articles/backup_strategies


On Sun, 2024-02-04 at 19:02 +, beecdadd...@danwin1210.de wrote:
> hello
> 
> I will make a storage server, and RAID just has to be on it, right?
> 
> is RAID6 in work or maybe plans, I would like to know
> what about RAID5 + CRYPTO or RAID6 + CRYPTO?
> I read these
> https://www.reddit.com/r/openbsd/comments/r4bydk/encrypted_raid6_support/
> and from it
> https://marc.info/?t=15434869341&r=1&w=2
> 
> encryption is a must, I won't have it unencrypted
> what about RAID controller like RAID6 and software RAIDC combination?
> it would be cool to have redundancy like RAID6 and secure data with
> CRYPTO..
> RAID1C is too expensive
> 
> does anyone run multi-TB storage servers with OpenBSD? what raid do
> you run,
> what about hardware raid? I fear/dislike hardware raid but I never
> tried it
> I want to live without OpenZFS/FreeBSD, but not without encryption and
> redundancy
> 
> I don't have to be able to boot from it (can be other disk which also
> maybe in
> RAID1C), but would be nice
> 
> I know OpenBSD is not meant to be run as big fancy storage server
> with maybe
> complicated reliability like RAID6 + CRYPTO, but what you expect?
> everyone
> loves OpenBSD and wants to use it for everything, not FreeBSD
> 
> thank you I am sorry if I ask too much, I don't demand, just nice
> request
> 



Re: Installing OpenBSD amd64 on UTM on Intel Mac?

2024-01-15 Thread David Demelier


> On Jan 12, 2024, at 21:31, Implausibility  wrote:
> 
> Hi.
> 
> Since there's some uncertainty around the future of VMware Fusion on the Mac, 
> I've decided to switch to UTM (with QEMU under the covers) -- but I can't 
> seem to get OpenBSD .isos (7.3 or 7.4) to boot -- instead, I get dumped into 
> the UEFI shell, which is a dead end.
> 
> I've done a number of searches (on the mailing list and the web in general), 
> and all of the results are for running the ARM64 port on the M-series Macs -- 
> but my target machine has an Intel CPU.

I've installed OpenBSD on my Mac Studio m2 max, you need a few tweaks but it 
works, keep in mind that running a desktop is near to impossible because it is 
really laggy.

1. Create a new VM
2. Select Skip ISO boot option
3. Add a new drive and import the .img file

Now it should boot fine. IIRC, I've followed these instructions [0].

[0]: https://nomnp.com/plaintext/utmopenbsd

HTH,

-- 
David



Re: sec interface and rdomain

2023-12-25 Thread David Gwynne
which bit doesn't work? the "tunneldomain" command or actual packets moving?

sec transport is provided entirely by the ipsec stack, ie, you configure the 
ipsec SAs associated with the interface to operate in a specific rdomain, sec 
doesn't support configuring that with tunneldomain.

if you tcpdump on the enc and sec interfaces, do you see the packets you're 
expecting?

dlg

> On 24 Dec 2023, at 19:21, Holger Glaess  wrote:
> 
> hi
> 
> i try to use the new sec0 if in this manner.
> 
> ---
> 
> cat /etc/hostname.sec0
> 
> rdomain 10
> 
> inet 172.16.0.1 255.255.255.252 172.16.0.2
> 
> tunneldomain 0
> 
> up
> 
> ---
> 
> 
> but it will not work .
> 
> can sec work with rdomain ?
> 
> 
> happy christmas to all.
> 
> 
> Holger
> 
> 
> 



Re: cwm on wayland

2023-12-15 Thread David Coppa
On Fri, Dec 15, 2023 at 6:29 PM  wrote:
>
> So they're putting a Wayland in our BSD.
>
> I've never used that before.
>
> Is a port of cwm planned?

I really don't think so.

But there's hikari, a stacking Wayland compositor heavily inspired by
cwm: https://hikari.acmelabs.space/

We might probably have a port of it in our ports tree in the future.

Ciao,
David



Re: ls in color

2023-12-11 Thread David Demelier
On Mon, 2023-12-11 at 08:55 +0100, David Demelier wrote:
> On Fri, 2023-12-08 at 19:45 +0100, Karel Lucas wrote:
> > 
> > 
> > Op 08-12-2023 om 19:42 schreef Theo de Raadt:
> > > Karel Lucas  wrote:
> > > 
> > > > In openBSD V7.4 I would like to see the output of ls in color,
> > > > and
> > > > therefore would like to know how to configure that. The output
> > > > of
> > > > "man
> > > > ls" provides no information about this. Can anyone give me a
> > > > tip?
> > > Black and white are also colours.
> > > 
> > That is not what I had in mind!
> > 
> 
> You can install colorls and alias it to ls.
> 
> https://openports.pl/path/sysutils/colorls
> 

Oops, sorry, the mail was stuck in the mailbox and sent very late
to the party.



Re: ls in color

2023-12-10 Thread David Demelier
On Fri, 2023-12-08 at 19:45 +0100, Karel Lucas wrote:
> 
> 
> Op 08-12-2023 om 19:42 schreef Theo de Raadt:
> > Karel Lucas  wrote:
> > 
> > > In openBSD V7.4 I would like to see the output of ls in color,
> > > and
> > > therefore would like to know how to configure that. The output of
> > > "man
> > > ls" provides no information about this. Can anyone give me a tip?
> > Black and white are also colours.
> > 
> That is not what I had in mind!
> 

You can install colorls and alias it to ls.

https://openports.pl/path/sysutils/colorls

-- 
David



Re: pkg_add - error while reading header / read short file / gzheader truncated

2023-12-09 Thread David Rinehart
On Sat, 2023-12-09 at 11:55 +, Stuart Henderson wrote:
> I suggest trying a mirror instead then, and see if there's any
> difference. Pick one from www.openbsd.org/ftp.html.

Good suggestion.

Recent installer changes to simplify the sets "disk" option are
awesome.  At the same time, this likely increased the number of
installations configured for cdn.openbsd.org (and maybe load on the
server).



Re: pkg_add - error while reading header / read short file / gzheader truncated

2023-12-08 Thread David Rinehart
On Fri, 2023-12-08 at 08:37 +, Stuart Henderson wrote:
> On 2023-12-07, David Rinehart  wrote:
> > 
> > I see the same with multiple installs - Started with 7.4.  No
> > modification to default installurl.
> 
> The contents of the 'default' installurl depend on which mirror you
> selected to install from.
> 

I select "disk" for file sets and do not recall selecting a mirror.  I
believe this puts https://cdn.openbsd.org/pub/OpenBSD in the file.

The issue may have started before 7.4, but was not seen at 7.3 release
timeframe.

After giving it more thought, I believe I started seeing errors on
package installation before 7.4 release.  I figured it was a web site
issue because I'm running -stable and no patches seemed related (so
more likely an external issue).  Then, the errors were familiar when I
did reinstalls with 7.4.  The errors are temporary and the package
installations will complete if run again, or maybe a couple times.

Thanks for the reply and any help!
--
David Rinehart



Re: pkg_add - error while reading header / read short file / gzheader truncated

2023-12-07 Thread David Rinehart


I see the same with multiple installs - Started with 7.4.  No
modification to default installurl.

It is amazing - For 5 years, I never considered that pkg_add(1) could
fail (and it didn't)!  Updating my install scripts to try until the
last package add, with -l option, is confirmed.  A little concerned
that a package could be partially installed / marked manual and not
work (I think this has happened and I restarted from scratch).


On Thu, 2023-12-07 at 00:07 -0800, Joe B wrote:
> Hello Misc,
> 
> I am configuring a couple of laptops for my kids, I had installed 70
> with
> i3 and gcompris in them, it's been a while since the last update so I
> decided to make a fresh install.
> 
> So I installed 74 in both of them, used the autoinstall so the
> process was
> straightforward as always, rebooted, hw_update, syspatch, everything
> as
> expected.
> 
> The problem comes when trying to install a package, I am trying just
> two of
> them: feh and gcompris, in both laptops, and i get the following
> errors,
> they are several since i do a few tries and then the problem goes and
> comes
> at different packages
> 
> pkg_add: Ustar [package name, it is different every try, meaning
> lcms2-2.15.tgz, gstreamer, libass-] [?]: Error while reading header
> https://cdn.openbsd.org/pub/OpenBSD/7.4/packages/amd64/lame-3.100p1.tgz
> :
> Read short file
> 
> My configurations are:
> 1 laptop, re0, trying pkg_add feh
> 1 laptop, iwn0, trying pkg_add gcompris
> 
> both with the same results, maybe I should try in another LAN, but
> could it
> be a problem with the CDN server ?
> 
> Thank you for your time,
> 
> --  Manuel Solis
> 
> > > 
> 
> Hello,
> 
> I'm new to openBSD about 3 days old. and I ran into the same issue as
> you. I would
> 
> pkg_add something and I kept getting the header message. someone on
> IRC helped me
> 
> Simple. change the cdn to another mirror
> 
> look at https://www.openbsd.org/faq/faq15.html#Mirror
> 
> Basically You find a mirror probably ftp like I did go to vim or nano
> /etc/installurl
> 
> delete the cdn add another mirror and re-run the pkg_add you might
> need to pkg_delete
> 
> the partial and then re-run. pkg_add After all that you might need
> pkg_add -u to see if the new mirror
> 
> fixes all the other partials
> 
> 
> Hope this helps
> 
> 
> ~ Joe B



Re: Realtek 8723BE unsupported

2023-12-03 Thread David Gwynne
On Sun, Dec 03, 2023 at 06:02:03PM +0100, Jan Stary wrote:
> (please keep replies on the list)
> 
> On Dec 03 12:08:08, kolip...@exoticsilicon.com wrote:
> > On Sun, Dec 03, 2023 at 02:35:11PM +0100, Jan Stary wrote:
> > > This is current/amd64 on a HP 260 G2 mini PC (dmesg below).
> > > Everything works, except the wifi seems to be unsupported:
> > > 
> > > "Realtek 8723BE" rev 0x00 at pci2 dev 0 function 0 not configured
> > 
> > What does pcidump -v show?
> 
> First of all, pcidump -v (but not pcidump) fucks up re(4):
> 
> rgephy0 detached
> re0 detached
> re0 at pci1 dev 0 function 0 "Realtek 8168" rev 0x10: RTL8168GU/8111GU 
> (0x5080), msi, address 7c:d3:0a:21:eb:f5
> rgephy0 at re0 phy 7: RTL8251 PHY, rev. 0
> re0: cannot create re-stats kstat
> rgephy0 detached
> re0 detached
> re0 at pci1 dev 0 function 0 "Realtek 8168" rev 0x10: RTL8168GU/8111GU 
> (0x5080), msi, address 7c:d3:0a:21:eb:f5
> rgephy0 at re0 phy 7: RTL8251 PHY, rev. 0
> re0: cannot create re-stats kstat
> 
> Is anyone seeing that, i.e. devices detaching
> when they are being probed by pcidump?
> 
> After doing the pcidump -v locally and rebooting to upload, I get this.
> Note that the Realtek 8168 entry seems mangled (related to the above?).

pcidump causing a device to detach is a problem, but the kstat bit is a
separate problem too.

the diff below consolidates the detach code in re(4) and adds the code
to tear the kstat down when the device goes away.

Index: ic/re.c
===
RCS file: /cvs/src/sys/dev/ic/re.c,v
retrieving revision 1.216
diff -u -p -r1.216 re.c
--- ic/re.c 10 Nov 2023 15:51:20 -  1.216
+++ ic/re.c 4 Dec 2023 01:03:30 -
@@ -199,6 +199,7 @@ int re_wol(struct ifnet*, int);
 #endif
 #if NKSTAT > 0
 void   re_kstat_attach(struct rl_softc *);
+void   re_kstat_detach(struct rl_softc *);
 #endif
 
 void   in_delayed_cksum(struct mbuf *);
@@ -1128,6 +1129,27 @@ fail_0:
return (1);
 }
 
+void
+re_detach(struct rl_softc *sc)
+{
+   struct ifnet*ifp = &sc->sc_arpcom.ac_if;
+
+#if NKSTAT > 0
+   re_kstat_detach(sc);
+#endif
+
+   /* Remove timeout handler */
+   timeout_del(&sc->timer_handle);
+
+   /* Detach PHY */
+   if (LIST_FIRST(&sc->sc_mii.mii_phys) != NULL)
+   mii_detach(&sc->sc_mii, MII_PHY_ANY, MII_OFFSET_ANY);
+
+   /* Delete media stuff */
+   ifmedia_delete_instance(&sc->sc_mii.mii_media, IFM_INST_ANY);
+   ether_ifdetach(ifp);
+   if_detach(ifp);
+}
 
 int
 re_newbuf(struct rl_softc *sc)
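Review bot: re_detach() tears down the kstat first and only then deletes the timeout (`re_kstat_detach(sc);` precedes `timeout_del(&sc->timer_handle);`); if the timer callback can reach the stats DMA buffer, it could run between those two calls against memory re_kstat_detach() has just freed, so deleting the timeout before the kstat teardown would be the safer order. Also, nothing here releases what re_attach() allocates on its own error path (the `fail_0:` context line just above), so if this is intended as a pure move of the old re_pci_detach() body, a short comment saying so would stop readers from expecting a complete teardown.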
@@ -2608,6 +2630,27 @@ freedma:
 destroy:
bus_dmamap_destroy(sc->sc_dmat, re_ks_sc->re_ks_sc_map);
 free:
+   free(re_ks_sc, M_DEVBUF, sizeof(*re_ks_sc));
+}
+
+void
+re_kstat_detach(struct rl_softc *sc)
+{
+   struct kstat *ks = sc->rl_kstat;
+   struct re_kstat_softc *re_ks_sc;
+
+   if (ks == NULL)
+   return;
+
+   kstat_remove(ks);
+   re_ks_sc = ks->ks_ptr;
+   kstat_destroy(ks);
+
+   bus_dmamap_unload(sc->sc_dmat, re_ks_sc->re_ks_sc_map);
+   bus_dmamem_unmap(sc->sc_dmat,
+   (caddr_t)re_ks_sc->re_ks_sc_stats, sizeof(struct re_stats));
+   bus_dmamem_free(sc->sc_dmat, &re_ks_sc->re_ks_sc_seg, 1);
+   bus_dmamap_destroy(sc->sc_dmat, re_ks_sc->re_ks_sc_map);
free(re_ks_sc, M_DEVBUF, sizeof(*re_ks_sc));
 }
 #endif /* NKSTAT > 0 */
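Review bot: re_kstat_detach() guards on `if (ks == NULL) return;` but never clears `sc->rl_kstat` after `kstat_destroy(ks);`, so the softc keeps a dangling pointer and any later reader of sc->rl_kstat (or a second detach) would touch freed memory; add `sc->rl_kstat = NULL;` after the destroy. The DMA teardown order (unload, unmap, free, destroy, free) mirrors the attach error path directly above it, which is the right shape.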
Index: ic/revar.h
===
RCS file: /cvs/src/sys/dev/ic/revar.h,v
retrieving revision 1.7
diff -u -p -r1.7 revar.h
--- ic/revar.h  27 Jul 2010 20:53:39 -  1.7
+++ ic/revar.h  4 Dec 2023 01:03:30 -
@@ -18,6 +18,7 @@
 
 intre_intr(void *);
 intre_attach(struct rl_softc *, const char *);
+void   re_detach(struct rl_softc *);
 void   re_reset(struct rl_softc *);
 intre_init(struct ifnet *);
 void   re_stop(struct ifnet *);
Index: pci/if_re_pci.c
===
RCS file: /cvs/src/sys/dev/pci/if_re_pci.c,v
retrieving revision 1.56
diff -u -p -r1.56 if_re_pci.c
--- pci/if_re_pci.c 11 Mar 2022 18:00:48 -  1.56
+++ pci/if_re_pci.c 4 Dec 2023 01:03:30 -
@@ -223,19 +223,8 @@ re_pci_detach(struct device *self, int f
 {
struct re_pci_softc *psc = (struct re_pci_softc *)self;
struct rl_softc *sc = &psc->sc_rl;
-   struct ifnet*ifp = &sc->sc_arpcom.ac_if;
 
-   /* Remove timeout handler */
-   timeout_del(&sc->timer_handle);
-
-   /* Detach PHY */
-   if (LIST_FIRST(&sc->sc_mii.mii_phys) != NULL)
-   mii_detach(&sc->sc_mii, MII_PHY_ANY, MII_OFFSET_ANY);
-
-   /* Delete media stuff */
-   ifmedia_delete_instance(&sc->sc_mii.mii_media, IFM_INST_ANY);
-   ether_ifdetach(ifp);
-   if_detach(ifp);
+   re_detach(sc);
 
/* Disable interrupts */
if (sc->sc_ih != NULL)
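Review bot: re_pci_detach() now frees the kstat DMA memory (via re_detach() and re_kstat_detach()) before the `/* Disable interrupts */` block that follows `re_detach(sc);`, so an interrupt arriving in that window is still dispatched into a softc that has already been partially torn down; consider disestablishing the interrupt (or at least stopping the interface) before calling re_detach(sc). The if_re_cardbus.c part of the diff is cut off after its Index header, so the matching cardbus change cannot be reviewed here.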
Index: cardbus/if_re_cardbus.c
===

Re: pf queues

2023-11-30 Thread David Dahlberg
On Thu, 2023-11-30 at 15:55 +0300, 4 wrote:
> "cbq can entirely be expressed in it" ok. so how do i set priorities
> for queues in hfsc

You stack HFSC with link-share service curves with linkshare criterion
1:0 - or in pf.conf(5) terms: "bandwidth 1" and "bandwidth 0".
Or you do not configure queuing at all, as the default one supports the
"prio" argument.

>  for my local(not for a router above that knows nothing about my
> existence.

Your local interface will be at 1G or something similar. There is little
chance that there will be any queuing at all.



Re: OpenBSD 7.4, iOS 15.8 - sudden defunct of WiFi

2023-11-16 Thread David Rinehart


Maybe... Is the clock set to the correct time on the iPhone?


> o I tried disabling the RPZ:
>   no luck.
> 
> o I tried loading /etc/examples/pf.conf:
>   no luck.
> 
> o I tried re-naming the WiFi and changing the wpakey:
>   no luck.
> 
> o I tried enabling and disabling encryption on my WiFi:
>   no luck.
> 
> o I tried handing out different IPs / re-enabling MAC address
>   randomization:
>   no luck.
> 
> o I tried bringing down the interface, rebooting, flushing the
>   routing table:
>   no luck.
> 
> Any suggestions, ideas, tips, either network- or  software-wise - or
> is
> this simply a hardware defect / support case for Cupertino?
> 
> Best regards.
> 



Re: umb0: open error: FAILURE

2023-11-14 Thread David Coppa
On Tue, Nov 14, 2023 at 10:10 AM Samuel Jayden
 wrote:

> Nothing changed. I've also rebooted...

Just to be sure... If you put this sim card into a mobile phone, is it
asking for a PIN or not?

Ciao,
David



Re: texlive and tlmgr

2023-11-05 Thread David
On Sun, 2023-11-05 at 10:44 +0100, Luciano Ribichini wrote:
> Hallo openbsd-mailinglist,
> 
> 1) my name is Luciano, I am a long time linux user.
> 
> 2) Currently I keep an eye on openbsd.
> 
> 3) Thanks a lot for your work, really.
> 
> 4) Having plenty of operating systems to choose from is a good thing.
> 
> 5) Since I use TeX/LaTeX I ask:
> 
> does Texlive work on openbsd,

Yes.

https://openbsd.app/?search=texlive

>  and does tlmgr work too?

I have no idea, and should advise against using it.
All the different Linux and BSDs have their different packages and
tlmgr would probably not cater to that.
I've used texlive for ages, and experience no problems with the system
specific package managers.
Cheers!


-- 
`I intend to live forever,
or die trying'.

--Groucho Marx



Re: iPhone Charging

2023-10-28 Thread David
On Sat, 2023-10-28 at 06:33 +, Lucretia wrote:
> From a security perspective, how dangerous is it to plug in my iPhone
> into the USB port on my laptop?
> 
> I only have one charging cable, so I use my laptop to charge it, not
> having the correct wall adapter. I've skimmed material about Vault 7
> and know The CIA actively develops tools which compromise Apple
> iPhones, and probably some of those tools get leaked.

It's bad enough the CIA has them.
And not just the CIA.
iPhones are renowned for having a backdoor the FBI accesses.
This is actually the real reason they don't like Huawei.
They can't access them.
> 
> Can an iPhone plugged into the USB port be a potential security risk?
> I assume so, but I haven't gotten around to buying a wall adapter.
> Not that I have much which would interest hackers on my laptops,
> mostly just lists of prayers.

It doesn't even need to be plugged in.
There have been instances where the proximity of a mobile phone to a
computer has been sufficient to access computer passwords.

Cheers!

-- 
`I intend to live forever,
or die trying'.

--Groucho Marx



Re: iPhone Charging

2023-10-28 Thread David
On Sat, 2023-10-28 at 06:55 +, Lucretia wrote:
> So there's no way an iPhone plugged into USB could be used as a
> hacking tool? I would think that the possibility exists. I'd like to
> understand more the why if anyone has time to explain.
> 
> It doesn't just charge, it connects to the system as a couple of
> devices in my dmesg: uaudio0, ugen1. Is it possible it could be
> manipulated to act as a USB keyboard or some other kind of
> potentially dangerous USB input?
> 
> I know the risk would be very low, but is it possible?

It would be quite possible.

Cheers!

> 
> On Sat, Oct 28, 2023 at 12:46, Peter J. Philipp wrote:
> 
> > On Sat, Oct 28, 2023 at 06:33:59AM +, Lucretia wrote:
> > > From a security perspective, how dangerous is it to plug in my
> > > iPhone into the USB port on my laptop?
> > > 
> > > I only have one charging cable, so I use my laptop to charge it,
> > > not having the correct wall adapter. I've skimmed material about
> > > Vault 7 and know The CIA actively develops tools which compromise
> > > Apple iPhones, and probably some of those tools get leaked.
> > > 
> > > Can an iPhone plugged into the USB port be a potential security
> > > risk? I assume so, but I haven't gotten around to buying a wall
> > > adapter. Not that I have much which would interest hackers on my
> > > laptops, mostly just lists of prayers.
> > 
> > No it's perfectly safe. Go on. Do know that you get only a certain
> > amount
> > of amps though, a dedicated charger is probably a bit better.
> > 
> > Best Regards,
> > -peter
> > 
> > --
> > Over thirty years experience on Unix-like Operating Systems
> > starting with QNX.

-- 
`I intend to live forever,
or die trying'.

--Groucho Marx



Re: Connecting a wireless keyboard via Bluetooth

2023-10-26 Thread David Coppa
On Wed, Oct 25, 2023 at 3:49 PM Zé Loff  wrote:
>
>
> On Wed, Oct 25, 2023 at 03:24:27PM +0200, Karel Lucas wrote:
> > Hi all,
> >
> > I have a computer with openBSD V7.4 without X11, to which I want to connect
> > a wireless keyboard via Bluetooth. The keyboard is connected via a separate
> > USB Bluetooth receiver. What software do I need for this, and how do I
> > configure it? I hope someone responds to this.
>
> I've read tales of some legendary (literally, not in the "awesome" sense
> of the word) bluetooth adapters that could be switched in to "HID proxy
> mode", and present themselves as uhid(4) devices, which would then be
> picked up by the OS as HIDs.  Supposedly those devices would remember
> the pairings with keyboards/mice, and that would stick across boots.
> Apparently, they're very hard to find, and even harder to get to work
> properly.

I have one of these:

https://www.ebay.nl/itm/155745705345

And it's working with my Anne Pro 2 keyboard on OpenBSD (and Linux).

Cheers,
David



Re: Slow relink in 7.4

2023-10-17 Thread David Higgs
On Tue, Oct 17, 2023 at 8:18 AM Nick Holland 
wrote:

> On 10/17/23 05:07, David Higgs wrote:
> > I have an underpowered amd64 VPS and attempted to (auto)upgrade it to 7.4.
> > Everything went swimmingly until it attempted to relink the kernel, at
> > which point it (seemingly) hung.
> >
> > With previous releases, I would expect the host to become unresponsive for
> > a few minutes, and eventually recover. I chalked the issue up to
> > insufficient RAM and hitting swap - however, my upgrade has been in this
> > state for more than 6 hours.
> >
> > I plan to consult the manual upgrade guide to hopefully figure out a way to
> > successfully finish the install, and then disable relinking while I find a
> > solution.
> >
> > Does anyone have tips for this situation, aside from throwing more
> > hardware at it?
>
> I had some issues with a VPS for a while -- absolutely horrific disk
> performance.  Upgrades that used to take ten minutes (and yes, THAT was
> really bad) started taking well over an hour (I gave up, stopped it, and
> did it manually by unpacking tar files, copying kernel, etc., so I have no
> idea what the actual time was going to be if I had let it complete).  I
> contacted tech support at the VPS, and they came back with, "oh yeah, you
> are on some really old hardware.  Please set up a new instance and migrate
> to that, that should solve your problem", but since the machine was doing
> its usual job just fine (low volume mail and webserver), I was slow to
> actually do this.  Finally, they sent me notice they were decommissioning
> the old hw I was on, and I HAD to move by x/x/, and thus, I did, and
> things are much better.  And it turned out, cheaper.
>
> However, I did find it interesting that my poor disk performance was even
> worse when doing the upgrade.
>
> Moral: might be worth talking to your VPS provider.  You might be on old
> hw, too.
>
> A number of releases ago, but after KARL and library relinks1, I found
> that on i386, 384MB was required to prevent swapping during the kernel and
> library relink at boot.  I'm assuming it is "worse" now, and worse yet on
> amd64.
>

For the record, my VPS had 256 MB RAM and another 256 MB of swap.  Seems
like I can easily provision a new VPS - beefier and for the same price -
using their dashboard, so the solution is pretty trivial.

Thanks to all who replied!

--david


Slow relink in 7.4

2023-10-17 Thread David Higgs
I have an underpowered amd64 VPS and attempted to (auto)upgrade it to 7.4.
Everything went swimmingly until it attempted to relink the kernel, at
which point it (seemingly) hung.

With previous releases, I would expect the host to become unresponsive for
a few minutes, and eventually recover. I chalked the issue up to
insufficient RAM and hitting swap - however, my upgrade has been in this
state for more than 6 hours.

I plan to consult the manual upgrade guide to hopefully figure out a way to
successfully finish the install, and then disable relinking while I find a
solution.

Does anyone have tips for this situation, aside from throwing more hardware
at it?

Thanks!

—david


Firefox hangs on sleep

2023-10-16 Thread Raymond, David
I noticed for the past week or so that firefox hangs on return from a sleep
on my Thinkpad X1 Carbon version 4.  This is true on both 7.3 and 7.4
stable.  Other processes eg chrome, epiphany, don't.

Not sure what additional info to provide.

David J. Raymond
david.raym...@nmt.edu
http://kestrel.nmt.edu/~raymond


Re: Webcam support on Lenovo Thinkpad T14 Gen3 (Intel)

2023-10-07 Thread David Coppa
On Sat, Oct 7, 2023 at 1:26 PM Jan Stary  wrote:
>
> On Oct 07 07:08:21, kolip...@exoticsilicon.com wrote:
> > On Sat, Oct 07, 2023 at 08:51:36AM +, Comte wrote:
> > > The webcam seems well detected but no image is displayed...
>
> To be sure: you have kern.audio.record=1, right?

kern.video.record, not kern.audio.record.

Ciao,
David
-- 
"If you try a few times and give up, you'll never get there. But if
you keep at it... There's a lot of problems in the world which can
really be solved by applying two or three times the persistence that
other people will."
-- Stewart Nelson



Re: Bridging em and vlan

2023-10-05 Thread David Gwynne



> On 6 Oct 2023, at 01:50, David Higgs  wrote:
> 
> Logically, I wanted three hosts in the same broadcast domain (ISP CPE, IoT 
> device, OpenBSD router), so tpmr(4) didn't seem appropriate - was I missing 
> something?

No, you were right to reach for veb in your setup.



Re: Bridging em and vlan

2023-10-05 Thread David Higgs
On Thu, Oct 5, 2023 at 9:04 AM David Gwynne  wrote:

>
>
> > On 5 Oct 2023, at 11:17, David Higgs  wrote:
> >
> > On Tue, Oct 3, 2023 at 10:10 AM David Higgs  wrote:
> >
> >> On Mon, Oct 2, 2023 at 9:26 AM David Higgs  wrote:
> >>
> >>> On Sun, Oct 1, 2023 at 9:13 AM Zé Loff  wrote:
> >>>
> >>>> On Sat, Sep 30, 2023 at 11:39:36AM -0400, David Higgs wrote:
> >>>>> All of my devices until now have been behind my OpenBSD NAT router, but I
> >>>>> recently acquired an Internet of Trash device that I would like to be
> >>>>> accessible to the internet (yes, I know).
> >>>>>
> >>>>> My home configuration uses a Unifi AP to translate my various SSIDs into
> >>>>> VLANs which plug into one of my APU em(4) ports.  The IoT thing already has
> >>>>> its own dedicated SSID/VLAN, but doesn't enjoy living behind my NAT.
> >>>>
> >>>> Define "doesn't enjoy".  It absolutely requires a public IP?  It needs
> >>>> some ports to be forwarded?  Has some sort of network connection
> >>>> detection that fails because some ports are blocked for outgoing
> >>>> traffic?
> >>>>
> >>>
> >>> I'm still trying to determine ground truth with manufacturer support.
> >>> Port forwarding doesn't seem sufficient.  The device can reach out just
> >>> fine but is not remotely controllable as advertised.
> >>>
> >>>>> Is there a way for me to bridge just one of the vlan(4) logical interfaces
> >>>>> with my other em(4) uplink, so that my IoT item can speak DHCP directly
> >>>>> with my internet provider?
> >>>>
> >>>
> >>>>> Can this be done with veb/vport or bridge, or will I need to use something
> >>>>> more exotic to strip the 802.1q tags before they are sent to my ISP?
> >>>>
> >>>
> >>> Self-replying here: I don't see many examples of veb(4) use online, but
> >>> it seems as if I can add my physical uplink and the IoT VLAN both to a
> >>> veb and attach a vport to become my new uplink.  That should be logically
> >>> equivalent to putting a three-port switch between my router and my ISP CPE,
> >>> with the third port for the IoT device.  Is anyone able to shoot holes in
> >>> this or suggest a superior alternative, before I attempt the configuration
> >>> later this week?
> >>>
> >>
> >> I appreciate the previous replies/cluebats, but my initial attempt was
> >> rushed and unsuccessful.
> >>
> >> In broad strokes, I created veb0 and added em0, vlan222, and vport0 to
> >> it.  Then I tried getting vport0 to speak DHCP with my upstream, but
> >> nothing seemed to happen or appear in logs.
> >>
> >> I will have to spend more time on this to eliminate the possibility of
> >> fat-fingering, remove various confounding variables, and produce a better
> >> result/report.
> >>
> >
> > For the archives, this worked swimmingly once I paid closer attention to
> > what I was doing.  Based on my second attempt, I hadn't put my vport0
> > interface up.
> >
> > Of course, my ISP isn't handing out more than a single IPv4 address by
> > default, so all this has been simply a good learning experience.
>
> For future reference, if you just want to join two ethernet interfaces on
> an openbsd box together you can use tpmr(4). It was almost called xcon(4),
> short for cross-connect.
>
> It's also worth noting the steps taken by the Ethernet stack when it
> processes packets and which drivers can take packets at which point. Let's
> assume an ethernet packet is coming in on a physical interface, em0 in this
> case.
>
> 1. trunk/aggr processing
>
> If em0 is part of trunk/aggr, then those drivers will steal the packet and
> start processing it again as if it was received on the relevant trunk/aggr
> interface.
>
> 2. service delimited packet filtering, ie, vlan/svlan handling
>
> If em0 is a parent interface to vlan or svlan interfaces, this is when
> they get taken and processing starts again as if they were received on the
> virtual interfaces.
>
> If no vlan/svlan interface is configured, the packets are now marked as
> "service delimited".

Re: Bridging em and vlan

2023-10-05 Thread David Gwynne



> On 5 Oct 2023, at 11:17, David Higgs  wrote:
> 
> On Tue, Oct 3, 2023 at 10:10 AM David Higgs  wrote:
> 
>> On Mon, Oct 2, 2023 at 9:26 AM David Higgs  wrote:
>> 
>>> On Sun, Oct 1, 2023 at 9:13 AM Zé Loff  wrote:
>>> 
>>>> On Sat, Sep 30, 2023 at 11:39:36AM -0400, David Higgs wrote:
>>>>> All of my devices until now have been behind my OpenBSD NAT router,
>>>> but I
>>>>> recently acquired an Internet of Trash device that I would like to be
>>>>> accessible to the internet (yes, I know).
>>>>> 
>>>>> My home configuration uses a Unifi AP to translate my various SSIDs
>>>> into
>>>>> VLANs which plug into one of my APU em(4) ports.  The IoT thing
>>>> already has
>>>>> its own dedicated SSID/VLAN, but doesn't enjoy living behind my NAT.
>>>> 
>>>> Define "doesn't enjoy".  It absolutely requires a public IP?  It needs
>>>> some ports to be forwarded?  Has some sort of network connection
>>>> detection that fails because some ports are blocked for outgoing
>>>> traffic?
>>>> 
>>> 
>>> I'm still trying to determine ground truth with manufacturer support.
>>> Port forwarding doesn't seem sufficient.  The device can reach out just
>>> fine but is not remotely controllable as advertised.
>>> 
>>>> Is there a way for me to bridge just one of the vlan(4) logical
>>>> interfaces
>>>>> with my other em(4) uplink, so that my IoT item can speak DHCP directly
>>>>> with my internet provider?
>>>> 
>>> 
>>>> Can this be done with veb/vport or bridge, or will I need to use
>>>> something
>>>>> more exotic to strip the 802.1q tags before they are sent to my ISP?
>>>> 
>>> 
>>> Self-replying here: I don't see many examples of veb(4) use online, but
>>> it seems as if I can add my physical uplink and the IoT VLAN both to a
>>> veb and attach a vport to become my new uplink.  That should be logically
>>> equivalent to putting a three-port switch between my router and my ISP CPE,
>>> with the third port for the IoT device.  Is anyone able to shoot holes in
>>> this or suggest a superior alternative, before I attempt the configuration
>>> later this week?
>>> 
>> 
>> I appreciate the previous replies/cluebats, but my initial attempt was
>> rushed and unsuccessful.
>> 
>> In broad strokes, I created veb0 and added em0, vlan222, and vport0 to
>> it.  Then I tried getting vport0 to speak DHCP with my upstream, but
>> nothing seemed to happen or appear in logs.
>> 
>> I will have to spend more time on this to eliminate the possibility of
>> fat-fingering, remove various confounding variables, and produce a better
>> result/report.
>> 
> 
> For the archives, this worked swimmingly once I paid closer attention to
> what I was doing.  Based on my second attempt, I hadn't put my vport0
> interface up.
> 
> Of course, my ISP isn't handing out more than a single IPv4 address by
> default, so all this has been simply a good learning experience.

For future reference, if you just want to join two ethernet interfaces on an 
openbsd box together you can use tpmr(4). It was almost called xcon(4), short 
for cross-connect.

It's also worth noting the steps taken by the Ethernet stack when it processes 
packets and which drivers can take packets at which point. Let's assume an 
ethernet packet is coming in on a physical interface, em0 in this case.

1. trunk/aggr processing

If em0 is part of trunk/aggr, then those drivers will steal the packet and 
start processing it again as if it was received on the relevant trunk/aggr 
interface.

2. service delimited packet filtering, ie, vlan/svlan handling

If em0 is a parent interface to vlan or svlan interfaces, this is when they get 
taken and processing starts again as if they were received on the virtual 
interfaces.

If no vlan/svlan interface is configured, the packets are now marked as 
"service delimited".

3. bridge processing

This is where bridge/veb/tpmr can take a packet.

4. dropping service delimited packets

This is where vlan/svlan tagged packets are dropped that all the preceding 
aggr/trunk/vlan/svlan/bridge/veb/tpmr drivers declined. The exception is 
packets sent to vlan 0, because vlan 0 isn't real and is only used to carry 
priority information on the wire for the native vlan.

This means that you can set up a bridge/veb/tpmr that forwards vlan tagged 
packets, but optionally slice specific vlans off for other processing by 
configuring a vlan interface with em0 as a parent to take those packets away 
first.

5. carp

If the destination address is for a carp interface on em0, it's at this point 
it's taken away.

6. Ethernet protocol handling

This is when the arp/ipv4/ipv6 protocols are checked and the packets are fed 
into the layer 3 stacks.

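As an added illustration (not part of the thread or of the OpenBSD sources), the following Python model walks the six-stage dispatch order just described over constructed frames on a topology like the one in this thread (em0 and vlan222 as veb0 members, a vlan child on the AP-facing port, a carp child, an aggr member); interface names, VLAN ids and MAC addresses are made up, and the bridge stage is simplified to always accept a member port's frame.

```python
"""Model of the order in which the OpenBSD Ethernet input path offers a frame
to trunk/aggr, vlan/svlan, bridge/veb/tpmr, carp and the layer 3 stacks.
Added illustration, not kernel code; all names and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Frame:
    dst: str                # destination MAC address
    vlan: Optional[int]     # 802.1q VID when tagged, None when untagged
    ethertype: str          # payload protocol: "arp", "ipv4", "ipv6", ...


@dataclass
class Iface:
    mac: str
    aggr: Optional[str] = None                   # trunk/aggr owning this port
    vlans: dict = field(default_factory=dict)    # VID -> vlan(4) child
    bridge: Optional[str] = None                 # bridge/veb/tpmr membership
    carp_macs: set = field(default_factory=set)  # MACs of carp(4) children


def ether_input(ifaces: dict, name: str, frame: Frame, trail=None) -> list:
    """Walk the six stages for `frame` received on `name` and return the trail
    of decisions, ending with the consumer (or the drop).  Re-entry on a
    trunk/aggr or vlan interface is modelled by recursion, as the real stack
    restarts processing as if the frame had arrived there."""
    trail = [] if trail is None else trail
    iface = ifaces[name]

    # 1. trunk/aggr steals the frame; processing restarts on the aggregate.
    if iface.aggr is not None:
        trail.append(f"1 {name} -> {iface.aggr}")
        return ether_input(ifaces, iface.aggr, frame, trail)

    # 2. A configured vlan child takes its VID, the tag is stripped and
    #    processing restarts on the child.  Any other tagged frame is now
    #    "service delimited".
    if frame.vlan is not None and frame.vlan in iface.vlans:
        child = iface.vlans[frame.vlan]
        trail.append(f"2 {name} -> {child}")
        return ether_input(ifaces, child, Frame(frame.dst, None, frame.ethertype), trail)
    service_delimited = frame.vlan is not None

    # 3. A bridge/veb/tpmr member port hands the frame to the bridge
    #    (simplification: the model assumes the bridge always accepts it).
    if iface.bridge is not None:
        trail.append(f"3 {name} -> {iface.bridge}")
        return trail

    # 4. Tagged frames nobody claimed are dropped, except priority-only
    #    vlan 0 frames, which carry on as if untagged.
    if service_delimited and frame.vlan != 0:
        trail.append(f"4 {name} drop vlan {frame.vlan}")
        return trail

    # 5. carp takes frames addressed to one of its children's MACs.
    if frame.dst in iface.carp_macs:
        trail.append(f"5 {name} -> carp")
        return trail

    # 6. Protocol dispatch into the arp/ipv4/ipv6 stacks.
    if frame.ethertype in ("arp", "ipv4", "ipv6"):
        trail.append(f"6 {name} -> {frame.ethertype} stack")
    else:
        trail.append(f"6 {name} drop {frame.ethertype}")
    return trail


def sample_topology() -> dict:
    """Constructed layout: em0 is the uplink port of veb0; em2 carries the AP's
    VLANs with vlan222 sliced off and also plugged into veb0; em1 is a routed
    interface with a carp child; em3 is a member of aggr0."""
    return {
        "em0": Iface(mac="00:00:5e:00:53:00", bridge="veb0"),
        "em1": Iface(mac="00:00:5e:00:53:01", carp_macs={"00:00:5e:00:01:07"}),
        "em2": Iface(mac="00:00:5e:00:53:02", vlans={222: "vlan222"}),
        "vlan222": Iface(mac="00:00:5e:00:53:02", bridge="veb0"),
        "em3": Iface(mac="00:00:5e:00:53:03", aggr="aggr0"),
        "aggr0": Iface(mac="00:00:5e:00:53:03"),
    }


if __name__ == "__main__":
    ifaces = sample_topology()
    cases = [
        ("em2", Frame("ff:ff:ff:ff:ff:ff", 222, "arp")),    # sliced off to vlan222, then veb0
        ("em2", Frame("00:00:5e:00:53:02", 10, "ipv4")),    # no vlan10 child, no bridge: dropped
        ("em2", Frame("00:00:5e:00:53:02", 0, "ipv4")),     # priority tag only: reaches ipv4
        ("em0", Frame("00:00:5e:00:53:00", 10, "ipv4")),    # veb member forwards tagged frames
        ("em1", Frame("00:00:5e:00:01:07", None, "ipv4")),  # carp child's MAC
        ("em3", Frame("00:00:5e:00:53:03", None, "ipv6")),  # restarts on aggr0
    ]
    for name, frame in cases:
        print(f"{name:8} vlan={frame.vlan!s:5} {frame.ethertype:5}: "
              + " | ".join(ether_input(ifaces, name, frame)))
```

The second and third cases show the point of stage 4: a tagged frame with no vlan child and no bridge on its parent is dropped, while a vlan 0 priority-tagged frame still reaches the IP stack.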



Re: Bridging em and vlan

2023-10-04 Thread David Higgs
On Tue, Oct 3, 2023 at 10:10 AM David Higgs  wrote:

> On Mon, Oct 2, 2023 at 9:26 AM David Higgs  wrote:
>
>> On Sun, Oct 1, 2023 at 9:13 AM Zé Loff  wrote:
>>
>>> On Sat, Sep 30, 2023 at 11:39:36AM -0400, David Higgs wrote:
>>> > All of my devices until now have been behind my OpenBSD NAT router,
>>> but I
>>> > recently acquired an Internet of Trash device that I would like to be
>>> > accessible to the internet (yes, I know).
>>> >
>>> > My home configuration uses a Unifi AP to translate my various SSIDs
>>> into
>>> > VLANs which plug into one of my APU em(4) ports.  The IoT thing
>>> already has
>>> > its own dedicated SSID/VLAN, but doesn't enjoy living behind my NAT.
>>>
>>> Define "doesn't enjoy".  It absolutely requires a public IP?  It needs
>>> some ports to be forwarded?  Has some sort of network connection
>>> detection that fails because some ports are blocked for outgoing
>>> traffic?
>>>
>>
>> I'm still trying to determine ground truth with manufacturer support.
>> Port forwarding doesn't seem sufficient.  The device can reach out just
>> fine but is not remotely controllable as advertised.
>>
>> > Is there a way for me to bridge just one of the vlan(4) logical
>>> interfaces
>>> > with my other em(4) uplink, so that my IoT item can speak DHCP directly
>>> > with my internet provider?
>>>
>>
>> > Can this be done with veb/vport or bridge, or will I need to use
>>> something
>>> > more exotic to strip the 802.1q tags before they are sent to my ISP?
>>>
>>
>> Self-replying here: I don't see many examples of veb(4) use online, but
>> it seems as if I can add my physical uplink and the IoT VLAN both to a
>> veb and attach a vport to become my new uplink.  That should be logically
>> equivalent to putting a three-port switch between my router and my ISP CPE,
>> with the third port for the IoT device.  Is anyone able to shoot holes in
>> this or suggest a superior alternative, before I attempt the configuration
>> later this week?
>>
>
> I appreciate the previous replies/cluebats, but my initial attempt was
> rushed and unsuccessful.
>
> In broad strokes, I created veb0 and added em0, vlan222, and vport0 to
> it.  Then I tried getting vport0 to speak DHCP with my upstream, but
> nothing seemed to happen or appear in logs.
>
> I will have to spend more time on this to eliminate the possibility of
> fat-fingering, remove various confounding variables, and produce a better
> result/report.
>

For the archives, this worked swimmingly once I paid closer attention to
what I was doing.  Based on my second attempt, I hadn't put my vport0
interface up.

Of course, my ISP isn't handing out more than a single IPv4 address by
default, so all this has been simply a good learning experience.

--david


Re: Bridging em and vlan

2023-10-03 Thread David Higgs
On Mon, Oct 2, 2023 at 9:26 AM David Higgs  wrote:

> On Sun, Oct 1, 2023 at 9:13 AM Zé Loff  wrote:
>
>> On Sat, Sep 30, 2023 at 11:39:36AM -0400, David Higgs wrote:
>> > All of my devices until now have been behind my OpenBSD NAT router, but
>> I
>> > recently acquired an Internet of Trash device that I would like to be
>> > accessible to the internet (yes, I know).
>> >
>> > My home configuration uses a Unifi AP to translate my various SSIDs into
>> > VLANs which plug into one of my APU em(4) ports.  The IoT thing already
>> has
>> > its own dedicated SSID/VLAN, but doesn't enjoy living behind my NAT.
>>
>> Define "doesn't enjoy".  It absolutely requires a public IP?  It needs
>> some ports to be forwarded?  Has some sort of network connection
>> detection that fails because some ports are blocked for outgoing
>> traffic?
>>
>
> I'm still trying to determine ground truth with manufacturer support.
> Port forwarding doesn't seem sufficient.  The device can reach out just
> fine but is not remotely controllable as advertised.
>
> > Is there a way for me to bridge just one of the vlan(4) logical
>> interfaces
>> > with my other em(4) uplink, so that my IoT item can speak DHCP directly
>> > with my internet provider?
>>
>
> > Can this be done with veb/vport or bridge, or will I need to use
>> something
>> > more exotic to strip the 802.1q tags before they are sent to my ISP?
>>
>
> Self-replying here: I don't see many examples of veb(4) use online, but it
> seems as if I can add my physical uplink and the IoT VLAN both to a veb and
> attach a vport to become my new uplink.  That should be logically
> equivalent to putting a three-port switch between my router and my ISP CPE,
> with the third port for the IoT device.  Is anyone able to shoot holes in
> this or suggest a superior alternative, before I attempt the configuration
> later this week?
>

I appreciate the previous replies/cluebats, but my initial attempt was
rushed and unsuccessful.

In broad strokes, I created veb0 and added em0, vlan222, and vport0 to it.
Then I tried getting vport0 to speak DHCP with my upstream, but nothing
seemed to happen or appear in logs.

I will have to spend more time on this to eliminate the possibility of
fat-fingering, remove various confounding variables, and produce a better
result/report.

Silly question, does it even make sense to add a single vlan interface to a
veb?  Is there maybe parent confusion between veb0 and em2 (Wifi AP iface)?

Thanks.

--david


Re: Bridging em and vlan

2023-10-02 Thread David Higgs
On Sun, Oct 1, 2023 at 9:13 AM Zé Loff  wrote:

> On Sat, Sep 30, 2023 at 11:39:36AM -0400, David Higgs wrote:
> > All of my devices until now have been behind my OpenBSD NAT router, but I
> > recently acquired an Internet of Trash device that I would like to be
> > accessible to the internet (yes, I know).
> >
> > My home configuration uses a Unifi AP to translate my various SSIDs into
> > VLANs which plug into one of my APU em(4) ports.  The IoT thing already
> has
> > its own dedicated SSID/VLAN, but doesn't enjoy living behind my NAT.
>
> Define "doesn't enjoy".  It absolutely requires a public IP?  It needs
> some ports to be forwarded?  Has some sort of network connection
> detection that fails because some ports are blocked for outgoing
> traffic?
>

I'm still trying to determine ground truth with manufacturer support.  Port
forwarding doesn't seem sufficient.  The device can reach out just fine but
is not remotely controllable as advertised.

> Is there a way for me to bridge just one of the vlan(4) logical interfaces
> > with my other em(4) uplink, so that my IoT item can speak DHCP directly
> > with my internet provider?
>
> Assuming your WAN connection also gets its IP address by DHCP, will your
> ISP assign you multiple IP addresses, one for your uplink, one for the
> IoT device?
>

Hopefully so, but that's orthogonal to the question I'm asking.

If you absolutely need the IoT device to have unfiltered connection to
> the internet, you can just create a DMZ of sorts for that VLAN, let all
> traffic pass out, forward the necessary ports for incoming traffic, and,
> assuming you don't trust the device at all, block all traffic from that
> VLAN to the rest of the network (or be very selective about it), and
> maybe also from other VLANs to that VLAN.  Putting it in a different
> rdomain altogether might also be a good idea.


I've already tried that without success.

> Can this be done with veb/vport or bridge, or will I need to use something
> > more exotic to strip the 802.1q tags before they are sent to my ISP?
>

Self-replying here: I don't see many examples of veb(4) use online, but it
seems as if I can add my physical uplink and the IoT VLAN both to a veb and
attach a vport to become my new uplink.  That should be logically
equivalent to putting a three-port switch between my router and my ISP CPE,
with the third port for the IoT device.  Is anyone able to shoot holes in
this or suggest a superior alternative, before I attempt the configuration
later this week?

Related question: It doesn't appear that veb (and bridge) are part of
either amd64 RAMDISK.  Does this create any added complexity with
(sys)upgrades or does it somehow Just Work(tm)?

Thanks again,

--david


Bridging em and vlan

2023-09-30 Thread David Higgs
All of my devices until now have been behind my OpenBSD NAT router, but I
recently acquired an Internet of Trash device that I would like to be
accessible to the internet (yes, I know).

My home configuration uses a Unifi AP to translate my various SSIDs into
VLANs which plug into one of my APU em(4) ports.  The IoT thing already has
its own dedicated SSID/VLAN, but doesn't enjoy living behind my NAT.

Is there a way for me to bridge just one of the vlan(4) logical interfaces
with my other em(4) uplink, so that my IoT item can speak DHCP directly
with my internet provider?

Can this be done with veb/vport or bridge, or will I need to use something
more exotic to strip the 802.1q tags before they are sent to my ISP?

Thanks in advance,

--david


Re: mount invalid argument

2023-09-28 Thread David Demelier
On Thu, 2023-09-28 at 22:41 +0200, Daniele B. wrote:
> 
> Hello,
> 
> wiz$ mount -t ffs /dev/sd1i /mnt/stick
> 
> mount_ffs: /dev/sd1i on /mnt/stick: Invalid argument

Hi,

mount_ffs uses mount(2), which reports errors as errno constants; there is
none for a specified filesystem type that is not the one on the
device/partition you're trying to mount.

Note that the BUGS section seems to match your message precisely.

BUGS
 Some of the error codes need translation to more obvious messages.

-- David



Re: OpenBSD Wireguard implementation not copying ToS from inner to outer WG header

2023-09-21 Thread David Gwynne
On Mon, Sep 18, 2023 at 12:47:52PM -, Stuart Henderson wrote:
> On 2023-09-17, Andrew Lemin  wrote:
> > I have been testing the Wireguard implementation on OpenBSD and noticed
> > that the ToS field is not being copied from the inner unencrypted header to
> > the outer Wireguard header, resulting in ALL packets going into the same PF
> > Prio / Queue.
> >
> > For example, ACKs (for Wireguard encrypted packets) end up in the first
> > queue (not the priority queue) despite PF rules;
> >
> > queue ext_iface on $extif bandwidth 1000M max 1000M
> >   queue pri on $extif parent ext_iface flows 1000 bandwidth 25M min 5M
> >   queue data on $extif parent ext_iface flows 1000 bandwidth 100M default
> >
> > match on $extif proto tcp set prio (3, 6) set queue (data, pri)
> >
> > All unencrypted SYNs and ACKs etc correctly go into the 'pri' queue, and
> > payload packets go into 'data' queue.
> > However for Wireguard encrypted packets, _all_ packets (including SYNs and
> > ACKs) go into the 'data' queue.
> >
> > I thought maybe you need to force the ToS/prio/queue values, so I also
> > tried sledgehammer approach;
> > match proto tcp flags A/A set tos lowdelay set prio 7 set queue pri
> > match proto tcp flags S/S set tos lowdelay set prio 7 set queue pri
> >
> > But sadly all encrypted SYNs and ACKs etc still only go into the data queue
> > no matter what.
> > This can be confirmed with wireshark that all ToS bits are lost
> >
> > This results in poor Wireguard performance on OpenBSD.
> 
> Here's a naive untested diff that might at least use the prio internally
> in OpenBSD...
> 
> Index: if_wg.c
> ===
> RCS file: /cvs/src/sys/net/if_wg.c,v
> retrieving revision 1.29
> diff -u -p -r1.29 if_wg.c
> --- if_wg.c   3 Aug 2023 09:49:08 -   1.29
> +++ if_wg.c   18 Sep 2023 12:47:02 -
> @@ -1525,6 +1525,8 @@ wg_encap(struct wg_softc *sc, struct mbu
>*/
>   mc->m_pkthdr.ph_flowid = m->m_pkthdr.ph_flowid;
>  
> + mc->m_pkthdr.pf.prio = m->m_pkthdr.pf.prio;
> +
>   res = noise_remote_encrypt(&peer->p_remote, &data->r_idx, &nonce,
>  data->buf, plaintext_len);
>   nonce = htole64(nonce); /* Wire format is little endian. */
> 
> 
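Review bot: the added `mc->m_pkthdr.pf.prio = m->m_pkthdr.pf.prio;` only carries PF's internal priority mark over to the encapsulated mbuf `mc`, so `set prio`/`set queue` decisions made on the inner packet can follow the outer one inside this host; it does not touch the IP ToS/DSCP byte of the outer header, which is what the reporter observed missing in wireshark, so on-the-wire devices and rules keyed on `set tos` will still see untagged packets. Since the hunk sits right after the comment block that explains why `ph_flowid` is inherited, extend that comment to cover the prio copy as well, and state the limitation in the commit message so nobody takes this as the full ToS fix.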

i think this should go in, ok by me.

implementing txprio and rxprio might be useful too, but requires more
plumbing than i have the energy for now.



Re: Does openBSD come with a web browser?

2023-09-12 Thread David
On Wed, 2023-09-13 at 07:23 +1000, David wrote:
> On Mon, 2023-09-11 at 23:21 -0700, Eric Demer wrote:
> > > > (I am considering getting a laptop with openBSD, but have
> > > > not yet done so, which is why I can't easily check on my own.)
> > > >  
> > > > Does openBSD come with a web browser?
> > > > The "the FAQ and" parts of https://www.openbsd.org/mail.html
> > > > suggest that it does, but I haven't found any more
> > > > detail regarding this at https://www.openbsd.org/ .
> > > 
> > > Quite frankly, if you're incapable of using one, I'd steer clear.
> > > The answer to this is the result of a very basic web search.
> > > Cheers!
> > 
> > 
> > 
> > Perhaps I should steer clear anyway, but what's probably
> > the reason I didn't find that answer may change things.
> > 
> > Specifically, do you find that information with a basic web search
> > while using none of Stackexchange, Reddit, Youtube, Google?
> 
> I use Duckduckgo.
> Yes, a search engine is required.
> 
> I often find information of value in all the above mentioned sources,
> along with a substantial level of crap.
> Welcome to the freedom of the Internet.
> Long may it rain on us.
> 
> > For the reasons explained in the following paragraphs, I am
> > not willing to use those four sites.  I still got into results
> > saying
> > that one _can easily install_ Firefox on openBSD, and remember at
> > least one result saying that some people _use_ Lynx _on_ it, but
> > those
> > didn't address whether there's one that comes _already_ installed.
> 
> $ grep _flags /etc/rc.conf | cut -d '_' -f 1

Oh, and as an aside, I don't even have OpenBSD installed yet.
I'm just a lurker on the list.
I got the above off a site I discovered on Duckduckgo.
I have no idea what the `Terms' are.
If you feel the investment in time is worth it, you can do that for
yourself.

https://dataswamp.org/~solene/2021-02-16-openbsd-base-services.html

> > I did go into results saying that one _can easily install_
> > Firefox on openBSD, and remember at least one result saying
> > that some people _use_ Lynx _on_ it, but those didn't
> > address whether there's one that comes _already_ installed.
> > The other search results (from using duckduckgo) I found
> > that mentioned openBSD - as opposed to just freeBSD -
> > were all from stackexchange and reddit and youtube.
> > 
> > I left Stackexchange when it adopted Terms according to which,
> > them changing those terms other than the arbitration clause
> > as I am scrolling a page on their site would result in
> > me being bound by whatever they changed the Terms to.
> > Since the trigger for those Terms was something like,
> > using their Network in any way, I have never intentionally
> > gone back there, and have left immediately when I've
> > accidentally gone back there.
> > (In particular, if they no longer have
> > such Terms then I don't know that.)
> 
> Stackexchange is an excellent source.
> I'm a regular part of the LaTeX mob there.
> Play a minor role in other categories.
> 
> > My brief search for Reddit's Terms brought up Reddit
> > result previews suggesting that Reddit's Terms are also
> > such that according to them, using their site to view
> > their terms would constitute acceptance of those terms.
> > Furthermore, according to
> > https://github.com/OpenTermsArchive/contrib-versions
> > /blob/main/Reddit/Terms%20of%20Service.md
> > ,  the changes provision in Reddit's Terms manages
> > to be even worse than that of Stackexchange's Terms:
> > Its change-acceptance is from access to or use of "the Services on
> > or
> > after the Effective Date of the revised Terms", and it does not say
> > the Effective Date can't be _before_ the revised Terms were posted.
> > 
> > Youtube's Terms are better, but (0) it's Google, and
> > (1) the "launch a new product or feature" exception is
> > merely a timing restriction:  It's not limited to changes
> > that have anything else to do with the new product or feature.
> > Google's Terms seem to have the same changes provision.
> 
> If you spent as much time chasing down the information you need
> rather
> than being obsessed with `Terms', you would have had your answers
> some
> considerable time ago.
> It's information you're after.
> There will always be `Terms' involved with any level of social
> interaction.
> Cheers!
> 

-- 
`One day, the great European war will come out of some damned foolish
thing in the Balkans'.

-- Otto von Bismarck (1888)



Re: Does openBSD come with a web browser?

2023-09-12 Thread David
On Mon, 2023-09-11 at 23:21 -0700, Eric Demer wrote:
> > > (I am considering getting a laptop with openBSD, but have
> > > not yet done so, which is why I can't easily check on my own.)
> > >  
> > > Does openBSD come with a web browser?
> > > The "the FAQ and" parts of https://www.openbsd.org/mail.html
> > > suggest that it does, but I haven't found any more
> > > detail regarding this at https://www.openbsd.org/ .
> > 
> > Quite frankly, if you're incapable of using one, I'd steer clear.
> > The answer to this is the result of a very basic web search.
> > Cheers!
> 
> 
> 
> Perhaps I should steer clear anyway, but what's probably
> the reason I didn't find that answer may change things.
> 
> Specifically, do you find that information with a basic web search
> while using none of Stackexchange, Reddit, Youtube, Google?

I use Duckduckgo.
Yes, a search engine is required.

I often find information of value in all the above mentioned sources,
along with a substantial level of crap.
Welcome to the freedom of the Internet.
Long may it rain on us.

> For the reasons explained in the following paragraphs, I am
> not willing to use those four sites.  I still got into results saying
> that one _can easily install_ Firefox on openBSD, and remember at
> least one result saying that some people _use_ Lynx _on_ it, but
> those
> didn't address whether there's one that comes _already_ installed.

$ grep _flags /etc/rc.conf | cut -d '_' -f 1

> I did go into results saying that one _can easily install_
> Firefox on openBSD, and remember at least one result saying
> that some people _use_ Lynx _on_ it, but those didn't
> address whether there's one that comes _already_ installed.
> The other search results (from using duckduckgo) I found
> that mentioned openBSD - as opposed to just freeBSD -
> were all from stackexchange and reddit and youtube.
> 
> I left Stackexchange when it adopted Terms according to which,
> them changing those terms other than the arbitration clause
> as I am scrolling a page on their site would result in
> me being bound by whatever they changed the Terms to.
> Since the trigger for those Terms was something like,
> using their Network in any way, I have never intentionally
> gone back there, and have left immediately when I've
> accidentally gone back there.
> (In particular, if they no longer have
> such Terms then I don't know that.)

Stackexchange is an excellent source.
I'm a regular part of the LaTeX mob there.
Play a minor role in other categories.

> My brief search for Reddit's Terms brought up Reddit
> result previews suggesting that Reddit's Terms are also
> such that according to them, using their site to view
> their terms would constitute acceptance of those terms.
> Furthermore, according to
> https://github.com/OpenTermsArchive/contrib-versions
> /blob/main/Reddit/Terms%20of%20Service.md
> ,  the changes provision in Reddit's Terms manages
> to be even worse than that of Stackexchange's Terms:
> Its change-acceptance is from access to or use of "the Services on or
> after the Effective Date of the revised Terms", and it does not say
> the Effective Date can't be _before_ the revised Terms were posted.
> 
> Youtube's Terms are better, but (0) it's Google, and
> (1) the "launch a new product or feature" exception is
> merely a timing restriction:  It's not limited to changes
> that have anything else to do with the new product or feature.
> Google's Terms seem to have the same changes provision.

If you spent as much time chasing down the information you need rather
than being obsessed with `Terms', you would have had your answers some
considerable time ago.
It's information you're after.
There will always be `Terms' involved with any level of social
interaction.
Cheers!

-- 
`One day, the great European war will come out of some damned foolish
thing in the Balkans'.

-- Otto von Bismarck (1888)



Re: Does openBSD come with a web browser?

2023-09-10 Thread David
On Sun, 2023-09-10 at 18:27 -0700, Eric Demer wrote:
> (I am considering getting a laptop with openBSD, but have
> not yet done so, which is why I can't easily check on my own.)
>  
> Does openBSD come with a web browser? The "the FAQ and" parts of
> https://www.openbsd.org/mail.html suggest that it does, but I haven't
> found any more detail regarding this at https://www.openbsd.org/ .

Quite frankly, if you're incapable of using one, I'd steer clear.
The answer to this is the result of a very basic web search.
Cheers!

-- 
A Kiwi in Australia,
doing my bit toward raising the national standard.



Re: Netstat output

2023-09-10 Thread David Gwynne



> On 7 Sep 2023, at 08:00, Steven Shockley  wrote:
> 
> When running netstat -I [interface], what do the "fails" and "errs" columns 
> mean?  When my firewall is under network load, the output interface fails and 
> total errs increases.

fails are the sum of qdrops and errs. qdrops are when the network stack drops 
packets getting packets on or off the driver, and errs are problems the driver 
has with packets. netstat -eI foo0 shows the errors on their own, netstat -dI 
foo0 shows the drops on their own.

if it's qdrops then it's a software performance/configuration problem. if it's 
errs then it's something in the driver reporting errors. if the driver provides 
kstats then you might be able to figure out if it's a dodgy cable or something 
like that.

dlg



Re: "OpenBSD Doc" App idea

2023-09-08 Thread David Rinehart
After an issue with mangl, from ports, I discovered and configured man.cgi
on localhost httpd after install - works great (online or offline)!


Thanks,

David Rinehart


On 9/8/23 13:54, Amarendra Godbole wrote:
> On Fri, Sep 8, 2023 at 8:02 AM Luke Call  wrote:
>> On 2023-09-07 22:47:47+0200, Daniele B.  wrote:
>>>> I don't know if Android has a similar feature, but at least on iOS you
>>>> can save a particular website to your home as a webapp from Safari.
>>> Thanks for the answer Shokara. My initiative was to call for the development
>>> in the community of a serious app, with commands directory and full-text 
>>> search,
>>> working offline on multiple devices with different screen orientations.
>>>
>>> Besides the possibility to create a home link of the online site on Android.
>>>
>> If you need full-text search from the desktop, this does the job for me.
>> I put it in my path and call the script "mank" since it resembles
>> Linux's "man -K" well enough
>> for me, and has been useful when I just know I read something but can't
>> remember where well enough to use apropos.  It is not fast.  It assumes
>> bash is installed from packages, but could easily be changed to use ksh 
>> instead.
>>
>> #!/usr/bin/env bash
>> set -eux
>> TMP=$(mktemp -t mank-tmp-output_XX)
>> nice grep -irE -C "$1" /usr/share/man/* 2>&1 > $TMP || true
>> nice grep -irE -C "$1" /usr/local/man/* 2>&1 >> $TMP || true
>> less -p "$1" $TMP
>> rm -f $TMP
>> echo $?
>>
>> I also have used wget a couple of times in the past to locally mirror
>> www.openbsd.org in case I needed something and can't get online, and
>> then one could grep that also (or use google to do a full-text online search
>> of that site), but I don't know whether that wget thing is a great idea.
> [...]
>
> Alternately, you can also clone the www repo: https://github.com/openbsd/www
>
> Thanks.
>
> -ag
>



Re: pf state-table-induced instability

2023-08-31 Thread David Gwynne
On Thu, Aug 31, 2023 at 04:10:06PM +0200, Gabor LENCSE wrote:
> Dear David,
> 
> Thank you very much for all the new information!
> 
> I keep only those parts that I want to react.
> 
> > > It is not a fundamental issue, but it seems to me that during my tests not
> > > only four but five CPU cores were used by IP packet forwarding:
> > the packet processing is done in kernel threads (task queues are built
> > on threads), and those threads could be scheduled on any cpu. the
> > pf purge processing runs in yet another thread.
> > 
> > iirc, the scheduler scans down the list of cpus looking for an idle
> > one when it needs to run stuff, except to avoid cpu0 if possible.
> > this is why you see most of the system time on cpus 1 to 5.
> 
> Yes, I can confirm that any time I observed, CPU00 was not used by the
> system tasks.
> 
> However, I remembered that PF was disabled during my stateless tests, so I
> think its purge could not be the one that used CPU05. Now I repeated the
> experiment, first disabling PF as follows:

disabling pf means it doesnt get run for packets in the network stack.
however, once the state purge processing is started it just keeps
running. if you have zero states, there wont be much to process though.

there will be other things running in the system that could account for
the "extra" cpu utilisation.

> dut# pfctl -d
> pf disabled
> 
> And I can still see FIVE CPU cores used by system tasks:

the network stack runs in these threads. pf is just one part of the
network stack.

> 
> load averages:  0.69,  0.29,  0.13   dut.cntrg 14:41:06
> 36 processes: 35 idle, 1 on processor  up 0 days 00:03:46
> CPU00 states:  0.0% user,  0.0% nice,  0.0% sys,  0.2% spin,  8.1% intr, 91.7% idle
> CPU01 states:  0.0% user,  0.0% nice, 61.1% sys,  9.5% spin,  9.5% intr, 19.8% idle
> CPU02 states:  0.0% user,  0.0% nice, 62.8% sys, 10.9% spin,  8.5% intr, 17.8% idle
> CPU03 states:  0.0% user,  0.0% nice, 54.7% sys,  9.1% spin, 10.1% intr, 26.0% idle
> CPU04 states:  0.0% user,  0.0% nice, 62.7% sys, 10.2% spin,  9.8% intr, 17.4% idle
> CPU05 states:  0.0% user,  0.0% nice, 51.7% sys,  9.1% spin,  7.6% intr, 31.6% idle
> CPU06 states:  0.2% user,  0.0% nice,  2.8% sys,  0.8% spin, 10.0% intr, 86.1% idle
> CPU07 states:  0.0% user,  0.0% nice,  0.0% sys,  0.2% spin,  7.2% intr, 92.6% idle
> CPU08 states:  0.0% user,  0.0% nice,  0.0% sys,  0.0% spin,  8.4% intr, 91.6% idle
> CPU09 states:  0.0% user,  0.0% nice,  0.0% sys,  0.0% spin,  9.2% intr, 90.8% idle
> CPU10 states:  0.0% user,  0.0% nice,  0.0% sys,  0.2% spin, 10.8% intr, 89.0% idle
> CPU11 states:  0.0% user,  0.0% nice,  0.0% sys,  0.2% spin,  9.2% intr, 90.6% idle
> CPU12 states:  0.0% user,  0.0% nice,  0.2% sys,  0.8% spin,  9.2% intr, 89.8% idle
> CPU13 states:  0.0% user,  0.0% nice,  0.0% sys,  0.2% spin,  7.2% intr, 92.6% idle
> CPU14 states:  0.0% user,  0.0% nice,  0.0% sys,  0.8% spin,  9.8% intr, 89.4% idle
> CPU15 states:  0.0% user,  0.0% nice,  0.0% sys,  0.2% spin,  7.8% intr, 92.0% idle
> Memory: Real: 34M/1546M act/tot Free: 122G Cache: 807M Swap: 0K/256M
> 
> I suspect that top shows an average (in a few seconds time window) and
> perhaps one of the cores from CPU01 to CPU04 are skipped (e.g. because it
> was used by the "top" command?), this is why I can see system load on CPU05.
> (There is even some low amount of system load on CPU06.)
> 
> 
> > > *Is there any way to completely delete its entire content?*
> > hrm.
> > 
> > so i just read the code again. "pfctl -F states" goes through the whole
> > state table and unlinks the states from the red-black trees used for
> > packet processing, and then marks them as unlinked so the purge process
> > can immediately claim them as soon as they're scanned. this means that
> > in terms of packet processing the tree is empty. the memory (which is
> > what the state limit applies to) won't be reclaimed until the purge
> > processing takes them.
> > 
> > if you just wait 10 or so seconds after "pfctl -F states" then both the
> > tree and state limits should be back to 0. you can watch pfctl -si,
> > "systat pf", or the pfstate row in "systat pool" to confirm.
> > 
> > you can change the scan interval with "set timeout interval" in pf.conf
> > from 10s. no one fiddles with that though, so i'd put it back between
> > runs to be representative of real world performance.
> 
> I usually wait 10s between the 

Re: pf state-table-induced instability

2023-08-30 Thread David Gwynne
On Wed, Aug 30, 2023 at 09:54:45AM +0200, Gabor LENCSE wrote:
> Dear David,
> 
> Thank you very much for your detailed answer! Now I have got the explanation
> for seemingly rather strange things. :-)
> 
> However, I have some further questions. Let me explain what I do now so that
> you can more clearly see the background.
> 
> I have recently enabled siitperf to use multiple IP addresses. (Siitperf is
> an IPv4, IPv6, SIIT, and stateful NAT64/NAT44 benchmarking tool
> implementing the measurements of RFC 2544, RFC 8219, and this draft:
> https://datatracker.ietf.org/doc/html/draft-ietf-bmwg-benchmarking-stateful
> .)
> 
> Currently I want to test (and demonstrate) the difference this improvement
> has made. I have already covered the stateless case by measuring the IPv4
> and IPv6 packet forwarding performance of OpenBSD using
> 1) the very same test frames following the test frame format defined in the
> appendix of RFC 2544
> 2) using only pseudorandom port numbers required by RFC 4814 (resulted in no
> performance improvement compared to case 1)
> 3) using pseudorandom IP addresses from specified ranges (resulted in
> significant performance improvement compared to case 1)
> 4) using both pseudorandom IP addresses and port numbers (same results as in
> case 3)
> 
> Many thanks to OpenBSD developers for enabling multi-core IP packet
> forwarding!
> 
> https://www.openbsd.org/plus72.html says: "Activated parallel IP forwarding,
> starting 4 softnet tasks but limiting the usage to the number of CPUs."
> 
> It is not a fundamental issue, but it seems to me that during my tests not
> only four but five CPU cores were used by IP packet forwarding:

the packet processing is done in kernel threads (task queues are built
on threads), and those threads could be scheduled on any cpu. the
pf purge processing runs in yet another thread.

iirc, the scheduler scans down the list of cpus looking for an idle
one when it needs to run stuff, except to avoid cpu0 if possible.
this is why you see most of the system time on cpus 1 to 5.

> 
> load averages:  1.34,  0.35,  0.12   dut.cntrg 20:10:15
> 36 processes: 35 idle, 1 on processor  up 1 days 02:16:56
> CPU00 states:  0.0% user,  0.0% nice,  0.0% sys,  0.2% spin,  6.1% intr, 93.7% idle
> CPU01 states:  0.0% user,  0.0% nice, 55.8% sys,  7.2% spin,  5.2% intr, 31.9% idle
> CPU02 states:  0.0% user,  0.0% nice, 53.6% sys,  8.0% spin,  6.2% intr, 32.1% idle
> CPU03 states:  0.0% user,  0.0% nice, 48.3% sys,  7.2% spin,  6.2% intr, 38.3% idle
> CPU04 states:  0.0% user,  0.0% nice, 44.2% sys,  9.7% spin,  6.3% intr, 39.8% idle
> CPU05 states:  0.0% user,  0.0% nice, 33.5% sys,  5.8% spin,  6.4% intr, 54.3% idle
> CPU06 states:  0.0% user,  0.0% nice,  3.2% sys,  0.2% spin,  7.2% intr, 89.4% idle
> CPU07 states:  0.0% user,  0.0% nice,  0.0% sys,  0.8% spin,  6.0% intr, 93.2% idle
> CPU08 states:  0.0% user,  0.0% nice,  0.0% sys,  0.2% spin,  5.4% intr, 94.4% idle
> CPU09 states:  0.0% user,  0.0% nice,  0.0% sys,  0.2% spin,  7.2% intr, 92.6% idle
> CPU10 states:  0.0% user,  0.0% nice,  0.0% sys,  0.2% spin,  8.9% intr, 90.9% idle
> CPU11 states:  0.0% user,  0.0% nice,  0.0% sys,  0.2% spin,  7.6% intr, 92.2% idle
> CPU12 states:  0.0% user,  0.0% nice,  0.0% sys,  0.0% spin,  8.6% intr, 91.4% idle
> CPU13 states:  0.0% user,  0.0% nice,  0.0% sys,  0.4% spin,  6.1% intr, 93.5% idle
> CPU14 states:  0.0% user,  0.0% nice,  0.0% sys,  0.2% spin,  6.4% intr, 93.4% idle
> CPU15 states:  0.0% user,  0.0% nice,  0.0% sys,  0.4% spin,  4.8% intr, 94.8% idle
> Memory: Real: 34M/2041M act/tot Free: 122G Cache: 825M Swap: 0K/256M
> 
> The above output of the "top" command shows significant system load at CPU
> cores from CPU1 to CPU5.
> 
> *Has the number of softnet tasks been increased from 4 to 5?*

no :)

> What is more crucial for me are the stateful NAT64 measurements with
> PF.
> 
> My stateful NAT64 measurements are as follows.
> 
> 1. Maximum connection establishment rate test uses a binary search to find
> the highest rate, at which all connections can be established through the
> stateful NAT64 gateway when all test frames create a new connection.
> 
> 2. Throughput test also uses a binary search to find the highest rate
> (called throughput) at which all test frames are forwarded by the stateful
> NAT64 gateway using bidirectional traffic. (All test frames belong to an
> already existing connection. This test requires to load the connections into
> the connection tracking table of the stateful NAT64 gateway in a previous
> step u

Re: pf state-table-induced instability

2023-08-28 Thread David Gwynne
On Mon, Aug 28, 2023 at 01:46:32PM +0200, Gabor LENCSE wrote:
> Hi Lyndon,
> 
> Sorry for my late reply. Please see my answers inline.
> 
> On 8/24/2023 11:13 PM, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
> > Gabor LENCSE writes:
> > 
> > > If you are interested, you can find the results in Tables 18 - 20 of
> > > this (open access) paper: https://doi.org/10.1016/j.comcom.2023.08.009
> > Thanks for the pointer -- that's a very interesting paper.
> > 
> > After giving it a quick read through, one thing immediately jumps
> > out.  The paper mentions (section A.4) a boost in performance after
> > increasing the state table size limit.  Not having looked at the
> > relevant code, so I'm guessing here, but this is a classic indicator
> > of a hashing algorithm falling apart when the table gets close to
> > full.  Could it be that simple?  I need to go digging into the pf
> > code for a closer look.
> 
> Beware, I wrote it about iptables and not PF!
> 
> As for iptables, it is really so simple. I have done a deeper analysis of
> iptables performance as the function of its hash table size. It is
> documented in another (open access) paper:
> http://doi.org/10.36244/ICJ.2023.1.6
> 
> However, I am not familiar with the internals of the other two tested
> stateful NAT64 implementations, Jool and OpenBSD PF. I have no idea, what
> kind of data structures they use for storing the connections.

openbsd uses a red-black tree to look up states. packets are parsed into
a key that looks up states by address family, ips, ipproto, ports, etc,
to find the relevant state. if a state isnt found, it falls through to
ruleset evaluation, which is notionally a linked list, but has been
optimised.

> > You also describe how the performance degrades over time.  This
> > exactly matches the behaviour we see.  Could the fix be as simple
> > as cranking 'set limit states' up to, say, two million?  There is
> > one way to find out ... :-)
> 
> As you could see, the highest number of connections was 40M, and the limit
> of the states was set to 1000M. It worked well for me then with the PF of
> OpenBSD 7.1.
> 
> It would be interesting to find the root cause of the phenomenon, why the
> performance of PF seems to deteriorate with time. E.g., somehow the internal
> data structures of PF become "polluted" if many connections are established
> and then deleted?

my first guess is that you're starting to fight against the pf state
purge processing. pf tries to scan the entire state table every 10
seconds (by default) looking for expired states it can remove. this scan
process runs every second, but it tries to cover the whole state table
by 10 seconds. the more states you have the more time this takes, and
this increases linearly with the number of states you have.

until relatively recently (post 7.2), the scan and gc processing
effectively stopped the world. at work we run with about 2 million
states during business hours, and i was seeing the gc processing take up
approx 70ms a second, during which packet processing didnt really
happen.

now the scan can happen without blocking pf packet processing. it still
takes cpu time, so there is a point that processing packets and scanning
for states will fight each other for time, but at least they're not
fighting each other for locks now.

> However, I have deleted the content of the state table after each elementary
> measurement step using the "pfctl -F states" command. (I am sorry, this
> command is missing from the paper, but it is there in my saved "del-pf"
> file!)
> 
> Perhaps PF developers could advise us, if the deletion of the states
> generate a fresh state table or not.

it marks the states as expired, and then the purge scan is able to take
them and actually free them.

> Could anyone help us in this question?
> 
> Best regards,
> 
> Gábor
> 
> 
> 
> 
> I use binary search to find the highest lossless rate (throughput).
> Especially w
> 
> 
> > 
> > --lyndon
> 
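An added check that is not part of the thread, for the point made above that "pfctl -F states" only marks states and the purge scan reclaims them over the next "set timeout interval" (10s by default): a small sh script that polls "pfctl -si" until the state table reports zero entries before the next benchmark run. The parser is exercised against a constructed sample of pfctl output; the `wait_for_empty_state_table` helper and its 20 second default are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): after "pfctl -F states" the states
# are only marked for removal; the purge scan frees them within roughly one
# "set timeout interval" (10s by default). Before starting the next
# measurement, wait until "pfctl -si" reports an empty state table.

# Read "pfctl -si" output on stdin and print the "current entries" value.
pf_state_count() {
    awk '/current entries/ { print $3; exit }'
}

# Constructed sample of the relevant part of "pfctl -si" output (not a
# real capture), used so the parser can be exercised offline.
SAMPLE_SI='Status: Enabled for 0 days 00:03:46              Debug: err

State Table                          Total             Rate
  current entries                      4096
  searches                          1234567         5461.8/s
  inserts                              4096           18.1/s
  removals                                0            0.0/s'

# Poll pfctl -si once a second until the table is empty. $1 is the maximum
# number of seconds to wait; the default of 20 (twice the default purge
# interval) is an assumption. Prints the seconds waited. Returns 1 on
# timeout and 2 if pfctl could not be run or its output was not understood.
wait_for_empty_state_table() {
    deadline=${1:-20}
    waited=0
    while :; do
        if ! out=$(pfctl -si 2>&1); then
            echo "pfctl -si failed: $out" >&2
            return 2
        fi
        n=$(printf '%s\n' "$out" | pf_state_count)
        case $n in
            ''|*[!0-9]*)
                echo "could not find 'current entries' in pfctl -si output" >&2
                return 2 ;;
        esac
        if [ "$n" -eq 0 ]; then
            echo "$waited"
            return 0
        fi
        if [ "$waited" -ge "$deadline" ]; then
            echo "state table still holds $n entries after ${deadline}s" >&2
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
}

# Offline demonstration of the parser on the constructed sample (prints 4096).
printf '%s\n' "$SAMPLE_SI" | pf_state_count
```

Between runs, on the DUT itself: `pfctl -F states && wait_for_empty_state_table 20` reports how many seconds the purge scan needed, which should stay within the configured interval.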



Re: Shotwell

2023-08-14 Thread Raymond, David
Rafael,

Thanks for replying about this.  I have already set the permissions
and uploading pictures to shotwell (which apparently uses libgphoto)
used to work.

However, I discovered a workaround.  On the phone when setting up the
usb connection, first click "no file transfer" then click " file
transfer" and shotwell then loads the pictures. This may be a
peculiarity of Pixel phones or Android 13 which libgphoto doesn't
understand -- some initialization issue.

Dave Raymond

On 8/7/23, Rafael Sadowski  wrote:
> On Sun Jul 30, 2023 at 03:06:26PM -0600, Raymond, David wrote:
>> Hello,
>>
>> I am trying to import photos using Shotwell over a usb connection with
>> the file transfer option. When I connect my phone to the usb port with
>> Shotwell running and select this option, Shotwell recognizes the phone
>> but says that there are no photos to transfer.  The transfer works on
>> Arch Linux.
>>
>> Am I missing something?  Some kind of permissions?  The phone is a
>> Pixel 7 and I am running openbsd 7.3 stable.  I had the problem with
>> 7.2 as well, but things worked before (I think with an earlier pixel
>> phone).
>>
>> --
>> David J. Raymond
>> david.raym...@nmt.edu
>> http://kestrel.nmt.edu/~raymond
>>
>
> I'm not a Shotwell user but it works with libgphoto. You may wish to
> read /usr/local/share/doc/pkg-readmes/libgphoto
>
> Rafael
>


-- 
David J. Raymond
david.raym...@nmt.edu
http://kestrel.nmt.edu/~raymond



Re: ipsec hardware recommendation

2023-08-11 Thread David Gwynne



> On 11 Aug 2023, at 21:08, Marko Cupać  wrote:
> 
> Hi,
> 
> I have star topology network where dozens of spokes communicate with
> other spokes through central hub over GRE tunnels protected with
> transport-mode ipsec.
> 
> This worked great for years, but lately all the locations got bandwidth
> upgrade (spokes: 10Mbit -> 50Mbit, hub: 2x200Mbit -> 2x500Mbit), and I'm
> starting to experience problems.
> 
> Spokes have APU4D4s, and my tests show they can push up to 30Mbit/s of
> ipsec bidirectionally. Hub has HPE DL360g9 with Xeon CPU E5-2623 v4 @
> 2.60GHz and bge NICs, and it seems it can push no more than 200Mbit/s
> of ipsec bidirectionally (I have no chance to test this thoroughly in a
> lab, but what I see in production indicates this strongly).
> 
> Are there any commands I can run which would indicate ipsec traffic is
> being throttled due to hardware being underspecced? top shows CPU is
> more than 50% idle. netstat shows ~1 Ierrs / Ifail (no Oerrs /
> Ifail) on interfaces that deal with ipsec for two months worth of
> uptime.
> 
> Would replacing Xeon box with AMD EPYC 7262 likely result in an
> improvement? Should I go for some NICs other than bge? What hardware do
> I need at Hub location to accommodate ~400Mbit/s of ipsec
> bidirectionally?

From recent experience it looks like IPsec, and the crypto processing in 
particular, still runs under the giant kernel lock. This means you're only 
going to go as fast as a single core can go, and you'll be particularly 
sensitive to contention on that lock. The things you can do Right Now(tm) are:

- upgrade to a system with the fastest single core performance you can afford

- upgrade to -current

the pf purge code has been taken out from under the big kernel lock. if you 
have a lot of pf states, this will give more time to crypto.

- pick faster crypto algorithms

you might already be using the fastest, so maybe this wont help.

- terminate ipsec on multiple hosts

two kernels will be faster than one. however, this adds complexity to the 
network, so not an obvious benefit.

- try wireguard?

if it's a single IP tunnel (ie, one gre(4), and not egre(4)) between the 
hubs and spokes then wg might be simpler and faster. simpler because wg is less 
layers than gre over ipsec, and faster cos it should be able to do crypto in 
parallel.


in the future i'm sure the ipsec stack will improve, but it's hard work that 
takes time.

dlg

> 
> Thank you in advance,
> 
> 
> -- 
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
> 
> Marko Cupać
> https://www.mimar.rs/
> 



Re: Feedback on redesigned OpenBSD.org

2023-08-11 Thread David Demelier
On Wed, 2023-08-09 at 14:01 -0500, mich...@mlpdesign.com wrote:
> Hi everyone
> 
> WHAT:
> =
> I greatly respect OpenBSD; while I don't have OS tech level expertise
> to contribute - I do have some design skills and wanted to contribute
> to the community and project.
> 
> So I created a new CSS (stylesheet) for OpenBSD.org
> 
> It can be viewed at:
> 
> https://www.openbsd.design/cvs/www/index.html
> 

This is really great and modern. My only question is why other pages
are centered while the front page isn't.

-- 
David



Re: Feedback on redesigned OpenBSD.org

2023-08-10 Thread David Rinehart
Great project and introduction - I think you are on the right path!

A suggestion: Do like everyone here does with other code changes -
Work in smaller steps.

Simplify and minimize (a little more).  Do not change any
colors or images on an initial pass of the changes.  Try only changing
just the formatting, to support mobile.  Once this is done, working as 
expected and approved, then try tweaking the colors and images (if
needed).


On 8/10/23 18:02, Daniele B. wrote:
> I agree with the general thoughts around these last observations.
>
> The gui you are proposing is a little too black starting from the sidebar 
> logo and the font a little small.
> Probably is that we like blood here but not the black color. (if not in 
> night mode)
>
> Also most of us are probably affectionated to the stylished standard html gui 
> and what
> I mean with this are all the classic a and a:visited colors, the classic 
> browser font, _self on links etc
> Sometimes appears more friendly and "honest" to the user leaving or adopting 
> these stylish standards.
> The server pictures are also just a little geeky meaningful stuff.
>
> Possible sidebar logo solution: adopt the foreground color of the main 
> versioned logo (if you like that sidebar logo: it is however a repetition..); 
> fonts: under a certain screen size you can adopt a vw sized font, and over a 
> certain screen size a general px sized font, it is a trick commonly used by 
> me in my web apps.
>
> -- Daniele Bonini
>
> Aug 11, 2023 02:10:52 Matthew Ernisse :
>
>> The dark mode link colors are way too dark, especially in the case of
>> previously visited links.  They are nearly unreadable.  I have not looked at 
>> light mode -- I don't use it.
>>
>> I don't know if it is font sizes or paddings but the index.html sidebar
>> links feel cramped.  One would imagine having a hard time tapping on them on 
>> mobile if one were inclined to such a thing.  In fact I that comparing the 
>> versions side by side, all the font sizes are too small.
>>
>> I don't think removing the text-decoration: underline from links has served 
>> a purpose.  If anything it makes it less usable.  There are these random 
>> cases where you have blue mono-spaced fonts for some reason and it's not 
>> immediately obvious to me if the color is supposed to indicate a clickable 
>> link or if the color + font change is supposed to indicate something else.



Re: Installing openBSD

2023-08-04 Thread David Demelier
On Thu, 2023-08-03 at 22:48 +0200, Karel Lucas wrote:
> 
> Hi,
> 
> My openBSD installation was successful!

Have fun on OpenBSD.

> I first removed all partitions
> except for the EFI partition, which I left.

Sure, the EFI partition isn't supposed to be formatted/recreated but
shared among systems.


-- 
David



Re: Installing openBSD

2023-08-02 Thread David Demelier
On Tue, 2023-08-01 at 01:00 +0800, ykla wrote:
> Actually, I think it's a bug that OpenBSD cannot create EFI
> partitions manually.

I've installed OpenBSD many times in dualboot with linux (for some
things we can't do right now on OpenBSD such as ESP32 development). And
my take is to install Linux first, actually quite simple to go for a
dual boot afterwards. I go back to linux and configure the bootloader
(i.e. efibootmgr, grub, whatever you like).

macOS and Windows are not really friendly in that area either. I can't
blame an OS for not spending effort on those topics; being able to boot
any OS from EFI is already good enough.

-- 
David



Shotwell

2023-07-30 Thread Raymond, David
Hello,

I am trying to import photos using Shotwell over a usb connection with
the file transfer option. When I connect my phone to the usb port with
Shotwell running and select this option, Shotwell recognizes the phone
but says that there are no photos to transfer.  The transfer works on
Arch Linux.

Am I missing something?  Some kind of permissions?  The phone is a
Pixel 7 and I am running openbsd 7.3 stable.  I had the problem with
7.2 as well, but things worked before (I think with an earlier pixel
phone).

-- 
David J. Raymond
david.raym...@nmt.edu
http://kestrel.nmt.edu/~raymond



Re: veb and vport on apu2 -- config feedback

2023-06-23 Thread David Gwynne
looks good to me after a quick read.

> On 23 Jun 2023, at 12:15, Amarendra Godbole  
> wrote:
> 
> I am planning to experiment with veb on my PC Engines apu2e4 board. It
> has three ports (em0, 1 and 2). Current configuration has em0 hooked
> up to cable modem, while em1 and em2 are internal LAN. I don't have a
> good ability to troubleshoot via a serial console, since the apu board
> sits in the garage on top of a cabinet -- running serial cable to a
> laptop is challenging, though not impossible. So I am looking for
> feedback so as to keep this troubleshooting time minimal.
> 
> Any feedback is welcome. Configs below. Thanks in advance.
> 
> -Amarendra
> 
> $ cat hostname.em1
> mtu 9000
> up
> 
> $ cat hostname.em2
> mtu 9000
> up
> 
> $ cat hostname.veb0
> add em1
> add em2
> add vport0
> link0
> up
> 
> $ cat hostname.vport0
> inet 192.168.1.1 255.255.255.0 192.168.1.255
> mtu 9000
> group internal
> up
> 
> $ cat pf.conf
> ruckus= "192.168.1.10"
> 
> table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
>   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
>   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
>   203.0.113.0/24 }
> 
> set block-policy drop
> set loginterface egress
> set skip on lo0
> match in all scrub (no-df random-id max-mss 1440)
> 
> # spoof protection
> antispoof quick for egress
> block in from no-route
> block in quick from urpf-failed
> 
> # block martians!
> block in quick on egress from  to any
> block return out quick on egress from any to 
> 
> # default deny
> block all
> 
> # allow icmp
> match in on egress inet proto icmp icmp-type { echoreq } tag ICMP_IN
> block drop in on egress proto icmp
> pass in proto icmp tagged ICMP_IN max-pkt-rate 100/10
> pass in on egress inet proto icmp icmp-type { 3 code 4, 11 code 0}
> 
> pass out quick on egress inet from internal nat-to (egress)
> pass out quick inet
> pass in on internal inet
> 
> # block dns queries that are not destined for our dns server.
> block return in quick on internal proto { udp tcp } to ! internal port
> { 53 853 }
> 
> # block Ruckus AP from "phoning home"
> block in quick on internal from $ruckus
> 


