Re: Correct shebang for Python 3

2016-10-22 Thread Eugene Yunak
On 23 October 2016 at 03:01, john slee <indig...@oldcorollas.org> wrote:
> Meta: this "how do I manage multiple Pythons?" thing has come up a couple
> of times lately; are people interested in a FAQ section?
>
> On 23 October 2016 at 03:54, Eugene Yunak <e.yu...@gmail.com> wrote:
>> I'd set the shebang to `/usr/bin/env python3`, or `/usr/bin/env python` if
>> you do not care whether 2 or 3 would be used.
>
> Use `virtualenv' if you need to use a mix of Python versions, and always use
> the latter shebang form.
>
> Hope this helps.

I fail to see how virtualenv is relevant to this question. Clearly, Ovidiu is the
*developer*, and he explores his options as a developer. It's up to the user (or
his sysadmin) to have the correct base Python or a virtualenv set up - you say
so yourself.

-- 
The best the little guy can do is what
the little guy does right



Re: Correct shebang for Python 3

2016-10-22 Thread Eugene Yunak
On 22 October 2016 at 18:04, Ovidiu M  wrote:
> Hi everyone,
>
> I wrote a script which may end up as part of a package on various
> Linux and BSD flavors, and I have hit the problem of getting the
> shebang working everywhere. You might know that Python is installed in
> different locations, with the binary having different names (for
> example python sometimes points to python2.x, sometimes to python3.x
> etc.).
>
> Currently my code is compatible with both Python 2 and 3, but to keep
> things simple I'd rather use only one of them, probably 3.
>
> What is the correct way to write a shebang on OpenBSD? I thought that
> the following would work on most Unixes:
>
> #!/usr/bin/env python3
>
> or even this, with the risk of not knowing if it points to 2 or 3:
>
> #!/usr/bin/env python
>
> Unfortunately when I install the python3 package with pkg_add
> (actually 3.5) on OpenBSD, no symlink is created from python3 to 3.5,
> so this fails. I do not want to add a hard dependency on specifically
> 3.5 in the shebang of my script, since it may become obsolete in a
> couple of years, and it may be incompatible with other OSes which
> might not have 3.5, but maybe 3.4 or 3.6.
>
> Should I instead use an installation-time script that generates the
> right shebang?
>
> How about a wrapper shell script which searches for a python
> executable and then calls it with a path to the script? For example
> the following polyglot script would work:
>
>   #!/bin/sh
>   which python3 >/dev/null 2>&1 && exec python3 "$0" "$@" # '''
>   which python3.6 >/dev/null 2>&1 && exec python3.6 "$0" "$@" # '''
>   which python3.5 >/dev/null 2>&1 && exec python3.5 "$0" "$@" # '''
>   which python3.4 >/dev/null 2>&1 && exec python3.4 "$0" "$@" # '''
>   exec echo "fatal: cannot find python3 binary" # '''
>
> All these methods seem quite convoluted for doing something so simple.
> Please let me know what you think.
>
> Thanks in advance for your advice.
> Ovidiu
>

Hi Ovidiu,

Personally I expect the system administrator to configure the necessary
symlinks; it's something I always do on my systems. Most Python software relies
on these to exist, and the OpenBSD package readme recommends their creation for
new users.

I'd set the shebang to `/usr/bin/env python3`, or `/usr/bin/env python` if you
do not care whether 2 or 3 would be used.

Cheers,
Eugene

-- 
The best the little guy can do is what
the little guy does right



Re: Turning off Nvidia GPU card in Optimus configuration

2014-11-09 Thread Eugene Yunak
On Sunday, November 9, 2014, Lampshade lampsh...@poczta.fm wrote:

 Hi
 I was trying half year ago to use OpenBSD 5.5, but system heated my
 laptop. I have Intel and Nvidia GPU in laptop. I can not disable Nvidia GPU
 via BIOS. Laptop always exposes and enables two GPUs by default.  OpenBSD
 does not disable Nvidia GPU, so it heated laptop. I have tried OpenBSD 5.6
 and it still heats my laptop. On Linux Nvidia's GPU is disabled
 automatically. I wanted to find how to disable my card manually, I used
 acpi_call Linux module (on Linux of course). In my laptop script
 turn_off_gpu.sh is disabling GPU when I strip methods variable to:

 methods=
 \_SB.PCI0.PEG0.PEGP._OFF

 and enables when:
 methods=
 \_SB.PCI0.PEG0.PEGP._ON

 Is there any way in OpenBSD to send first (disabling) command to hardware?
 It is the only reason I don't use OpenBSD. Maybe somebody can write few
 lines of code and I will compile kernel for myself?

 References:
 http://linux-hybrid-graphics.blogspot.com/2010/07/u … ch-onoff.html
 https://github.com/mkottman/acpi_call


acpi_call support would be awesome!
Another use case for it is setting minimum and maximum
battery charge levels for ThinkPads newer than xx30 line.


--
The best the little guy can do is what
the little guy does right



Re: videos in the browser

2014-09-19 Thread Eugene Yunak
Great idea. I think it would help if we all use the same destination email
addresses, as in big companies there are plenty of different points of contact
and if each one of them only gets 1 or 2 emails we will likely remain unheard.

Marc, can you please share the email addresses you used to reach out to
Facebook and Youtube?


On 19 September 2014 13:48, Marc Espie es...@nerim.net wrote:

 with a recent configuration, videos work fine in the browser.
 *however* a lot of websites still give you only flash videos.
 Or do they ?

 There's this nifty extension in chrome to fudge the user-agent
 (called user-agent switcher) where you can play at browsing from
 a tablet. Surprise: those video sites work again (in some cases,
 you have to fight a bit more, go explicitly to the mobile version
 and not let them switch you back to the desktop mode).

 It's obvious those guys aren't testing on OpenBSD. It's also obvious
 they know how to switch to a non flash version on given user-agents.

 So what about a little mail your favorite website campaign. Figure out
 one website where you can't watch videos, and send some kind of email
 feedback to them.  Tell them in no uncertain terms that flash does not
 exist on OpenBSD, and if they see OpenBSD in the user-agent, then they
 should go to plain h264 videos, which they have.

 Offenders include youtube (sometimes, mostly VEVO stuff), wimp.com,
 facebook.
 Probably some others.

 I don't think they will notice if I'm the only guy doing that. But if they
 get a few pointed emails over the coming weeks, maybe they might fix their
 act, and hey, maybe we'll get videos mostly everywhere...




-- 
The best the little guy can do is what
the little guy does right



Re: videos in the browser

2014-09-19 Thread Eugene Yunak
As a web developer, I don't care what you think. I have a strong suspicion
OpenBSD devs don't care either.

On 19 September 2014 15:36, Matti Karnaattu mkarnaa...@gmail.com wrote:

 Hi,

 I don't think that any web developer care OpenBSD because OpenBSD
 doesn't have graphical browser in base system. They don't care even if
 1000 OpenBSD users complain.

 Flash material will disappear from web less than three years and Flash
 videos will get replaced by Mpeg-4 AVC and WebM.

 I personally think that OpenBSD should embrace HTML5/ECMA Script by
 adding Web component + minimalistic browser around it to the base
 system in some point of future. Major reason for this is that web has
 become both defacto and dejure technology for graphical remote use and
 also it is standard way to create GUI. X clients are legacy today.
 This is even possible to do, because needed software components are
 almost completely available in BSD licenses.

 After all, I think top secure system should also allow running
 applications in secured manner, but it may cause challenges to avoid
 security holes.




-- 
The best the little guy can do is what
the little guy does right



Re: libmessage (New crazy sh*t)

2014-07-06 Thread Eugene Yunak
Can you even read? Can you please stay away from public mailing lists for
sane people?


On 6 July 2014 16:25, Gustav Fransson Nyvell gus...@nyvell.se wrote:

 On 07/06/14 15:20, Thomas Adam wrote:

 On 6 July 2014 14:09, Gustav Fransson Nyvell gus...@nyvell.se wrote:

 This imsg looks pretty much like what I've done, however, libmessage does
 not require any bounds checking whatsoever. It's way easier to use. I'm

 I think you meant to say does not require any error checking.  ;)
 Don't get me wrong, I don't wish to sound discouraging, but this sort
 of thing is just an academic exercise at this point.  Just use imsg. I
 see absolutely no benefit to what you're doing, and this whole backend
 thing with sqlite seems preposterous.

 Good luck, just don't let others use this.  Ever.

 -- Thomas Adam

 Other way around, libmessage is very dangerous, but it will take any
 buffer. If they use it, it's their own d*mn fault. :D

 --
 This e-mail is confidential and may not be shared with anyone other than
 recipient(s) without written permission from sender. misc@openbsd.org
 Exempt




-- 
The best the little guy can do is what
the little guy does right



Re: ViewVC

2014-07-02 Thread Eugene Yunak
It fails to create a socket (_sock is None). This can be an indicator of
you hitting fd limits.
On 2 Jul 2014 17:23, Predrag Punosevac punoseva...@gmail.com wrote:

 Stefan Sperling s...@openbsd.org wrote:

  On Tue, Jul 01, 2014 at 08:36:29PM -0400, Predrag Punosevac wrote:
   I am trying to run ViewVC in the stand alone server mode on the new svn
   server (OpenBSD 5.5 amd64).  Since ViewVC is not in ports I downloaded
   1.1.22 package from CollabNet website. ViewVC keeps crashing
   while I browse my SVN repos. They are rather large. I am not using any
   kind a proxy but rather forcing built in server to listen on the port
   80.
 
  IIRC viewvc uses Subversion's python bindings. Did you install them?
  pkg_add py-subversion

 Of course :) Built in stand alone server which comes with ViewVC runs
 fine until I start browsing repositories aggressively. Then it crashes as
 in
 # uname -a
 OpenBSD svnhub.int.autonlab.org 5.5 GENERIC.MP#315 amd64
 # /usr//local/bin/viewvc-1.1.22/bin/standalone.py -d -p 80 -h \
 svnhub.int.autonlab.org

 server ready at http://svnhub.int.autonlab.org:80/viewvc
 # 10.8.0.6 - - [02/Jul/2014 11:16:47] GET /viewvc HTTP/1.1 200 -
 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
 10.8.0.6 - - [02/Jul/2014 11:16:47] GET /viewvc/*docroot*/styles.css HTTP/1.1 200 -
 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
 10.8.0.6 - - [02/Jul/2014 11:16:47] GET /viewvc/*docroot*/images/viewvc-logo.png HTTP/1.1 200 -
 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
 10.8.0.6 - - [02/Jul/2014 11:16:47] GET /viewvc/*docroot*/images/dir.png HTTP/1.1 200 -
 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
 10.8.0.6 - - [02/Jul/2014 11:16:47] GET /viewvc/*docroot*/images/favicon.ico HTTP/1.1 200 -
 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
 10.8.0.6 - - [02/Jul/2014 11:16:49] GET /viewvc/cvs/ HTTP/1.1 200 -
 10.8.0.6 - - [02/Jul/2014 11:16:49] ViewVC exited ok
 10.8.0.6 - - [02/Jul/2014 11:16:49] GET /viewvc/*docroot*/images/up.png HTTP/1.1 200 -
 10.8.0.6 - - [02/Jul/2014 11:16:49] ViewVC exited ok
 10.8.0.6 - - [02/Jul/2014 11:16:57] GET /viewvc/cvs/trunk/ HTTP/1.1 200 -
 Traceback (most recent call last):
   File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 879, in <module>
     main(sys.argv)
   File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 874, in main
     serve(options.host, options.port, ready)
   File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 421, in serve
     ViewVCHTTPServer(host, port, callback).serve_until_quit()
   File "/usr/local/bin/viewvc-1.1.22/bin/standalone.py", line 356, in serve_until_quit
     self.handle_request()
   File "/usr/local/lib/python2.7/SocketServer.py", line 280, in handle_request
     self._handle_request_noblock()
   File "/usr/local/lib/python2.7/SocketServer.py", line 297, in _handle_request_noblock
     self.handle_error(request, client_address)
   File "/usr/local/lib/python2.7/SocketServer.py", line 350, in handle_error
     print '-'*40
   File "/usr/local/lib/python2.7/socket.py", line 324, in write
     self.flush()
   File "/usr/local/lib/python2.7/socket.py", line 303, in flush
     self._sock.sendall(view[write_offset:write_offset+buffer_size])
 AttributeError: 'NoneType' object has no attribute 'sendall'


 Any clues Stefan from the kernel hacker point of view?


 Most Kind Regards,
 Predrag


 
   Does anyone have any experience running ViewVC on OpenBSD recently? I am
   tempted to try to use Nginx as a proxy or install Apache 2 and use CGI
   mode via ScriptAlias for ViewVC. The latter is running fine in our
   current setup on Scientific Linux 6.2 which I am trying to migrate to
   OpenBSD. Unfortunately moving to Trac (which would be my strong
   preference) or WebSVN will probably cause ruffled feathers, a condition I
   want to avoid.
  
   Predrag
 
  WebSVN is fairly broken with SVN 1.8. Don't bother. (Which reminds me
  I've been meaning to remove it but was still waiting for patches
  promised by someone, which never arrived).



Re: a sftp user can enter into a directory which he does not have rights

2013-05-21 Thread Eugene Yunak
On 21 May 2013 22:52, Jiri B ji...@devio.us wrote:

 I'm very surprised to see something like this. Comparing with
 normal unix filesystem, 'sftpuser' would not even enter such
 directory. Is this OK?

 * sftpuser has only group 'sftpuser'

 $ sftp sftpuser@localhost
 Connected to localhost.
 sftp> cd /
 sftp> ls -l
 drwxr-xr-x    2 0    0     512 May 21 18:43 dev
 drwx-x   12 1000 1000  512 May 21 18:32 jirib
 drwxr-xr-x   10 1000 1000  512 May 21 18:32 pub
 sftp> cd jirib
 sftp> pwd
 Remote working directory: /jirib
 sftp> ls -al
 remote readdir(/jirib): Permission denied

 j.


You should (re)read your unix manuals. Execution permission on a directory
means it can be traversed. What you observe is the correct behaviour for
any system with POSIX file permissions.

-- 
The best the little guy can do is what
the little guy does right
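
The traversal rule from the reply above, as an added example that is not part of the original thread. It models how a POSIX system decides each step of the sftp session; the modes, the extra files and the uid/gid 1001 for sftpuser are assumptions (the mode column in the quoted listing is garbled), and root's bypass of these checks is not modelled.

```python
# Constructed tree: path -> (mode, owner uid, owner gid). Only the 1000:1000
# owner of /jirib comes from the quoted listing; all modes are assumptions.
TREE = {
    "/":                  (0o755, 0, 0),
    "/jirib":             (0o711, 1000, 1000),  # "other" gets x but not r
    "/jirib/notes.txt":   (0o644, 1000, 1000),
    "/jirib/private":     (0o700, 1000, 1000),
    "/jirib/private/key": (0o644, 1000, 1000),
}
R, X = 4, 1
# Permission needed on the target itself for each operation.
NEEDS = {"chdir": X, "readdir": R, "read": R, "stat": 0}


def class_bits(path, uid, gids):
    """Return the rwx bits that apply to the caller.

    Exactly one class is used: owner, else group, else other. An owner with
    fewer bits than "other" is still judged by the owner bits.
    """
    mode, owner, group = TREE[path]
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7


def ancestors(path):
    """Directories searched while resolving path: '/', '/a', '/a/b', ..."""
    parts = [p for p in path.split("/") if p]
    dirs = ["/"]
    for name in parts[:-1]:
        dirs.append(dirs[-1].rstrip("/") + "/" + name)
    return dirs


def check(op, path, uid, gids):
    """Return (allowed, reason) for op on path by a non-root caller."""
    # Every directory on the way needs search (x) permission.
    for d in ancestors(path):
        if not class_bits(d, uid, gids) & X:
            return False, "no search (x) permission on " + d
    need = NEEDS[op]
    if need and not class_bits(path, uid, gids) & need:
        return False, "missing %s on %s" % ("r" if need == R else "x", path)
    return True, "ok"


if __name__ == "__main__":
    sftpuser = (1001, {1001})  # assumed uid and group set
    for op, path in [("chdir", "/jirib"), ("readdir", "/jirib"),
                     ("read", "/jirib/notes.txt"), ("stat", "/jirib/private"),
                     ("read", "/jirib/private/key")]:
        print(op, path, check(op, path, *sftpuser))
```

An execute-only directory hides its listing, not its contents: in this model a file with a known name under /jirib is still readable if its own mode allows it.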



Re: OpenBSD forked

2012-06-24 Thread Eugene Yunak
On Sunday, 24 June 2012, Anonymous Remailer (austria) wrote:

 Marc Espie wrote:

  W. Richard Stevens was THE best unix books author *ever*, bar none.
 
  He's on a par with such CS giants as Don Knuth, writing-wise.
 
  Advanced Unix programming is *the* best book to understand how
  to write Unix code, PERIOD.

 Are you saying the 1992 edition is still worthwhile now in 2012?


Absolutely.
One book that i always recommend people to get to accompany Stevens'
masterpiece is The Art of Unix Programming.
These two books plus K&R really is everything you need to get a good start.

Cheers,
Eugene



-- 
The best the little guy can do is what
the little guy does right



Re: AMD Zacate E350 (ASUS E35M1-M) dmesg/experiences?

2012-06-01 Thread Eugene Yunak
On 1 June 2012 13:49, Manolis Tzanidakis mtzanida...@gmail.com wrote:

 On Fri (01/06/12), Marc Peters wrote:
  Be aware, that OpenBSD cannot boot from softraid. / needs to be on a
  single disk, but can be automatically backuped to an altroot device.

 Nowadays it does. My server's / is on a softraid(4) RAID-1 array.
 The basic idea is to have a small 'a' slice for the kernel on each
 disk and a 'd' (or whatever) for the raid.
 installboot(8) does the right thing automatically these days.

 I think there is an article on undeadly with more detailed instructions
 / explanations.

 A raid on USB devices is not a good idea for a whole lot of other
 reasons though.

 --
 Manolis Tzanidakis
 http://mtzanidakis.com/
 mtzanidakis[at]gmail[dot]com


Oh you are obviously such a seasoned OpenBSD expert, please tell us
more about your USB RAID experience and why it is a bad idea.

It would be great if you could also go into deeper detail about / on
softraid - you must be the first one to mention it here on misc and
i'm sure everyone reading this is eager to learn how to make it work.


Best regards



Re: AMD Zacate E350 (ASUS E35M1-M) dmesg/experiences?

2012-06-01 Thread Eugene Yunak
On 1 June 2012 17:11, Manolis Tzanidakis mtzanida...@gmail.com wrote:
 On Fri (01/06/12), Eugene Yunak wrote:
 On 1 June 2012 13:49, Manolis Tzanidakis mtzanida...@gmail.com wrote:
  A raid on USB devices is not a good idea for a whole lot of other
  reasons though.

 Oh you are obviously such a seasoned OpenBSD expert, please tell us
 more about your USB RAID experience and why it is a bad idea.

 The most obvious is that NAND flash devices have shorter lifespan than
 hard disks. Imagine wearing out both devices simultaneously with the
 RAID-1.
 I think it's better to have a USB stick for /, /usr and dumprestore or
 rsync it to the 2nd stick for redundancy. You should repeat this on
 updates. You should keep /var, /usr/{obj,ports,src}, /home and any other
 fs with frequent writes on the hard disks to extend the life of the USB
 stick.


Thank you for sharing your wisdom, now i know what i *should do*, you
made it pretty clear. Have you considered three-way mirror? What do
you think about mounting filesystems read-only? Have you heard of NFS
and remote syslog? I'm sure you will grant us the mercy of knowing why
all these are not a good idea.

 It would be great if you could also go into deeper detail about / on
 softraid - you must be the first one to mention it here on misc and
 i'm sure everyone reading this is eager to learn how to make it work.

 I guess Stuart covered this on this thread. You should also read this:
 http://undeadly.org/cgi?action=article&sid=20111002154251


Oh yes Stuart knows what he's talking about.



Re: umask in chroot'ed internal-sftp

2012-03-29 Thread Eugene Yunak
On 29 March 2012 21:37, Rodolfo Gouveia rgouv...@cosmico.net wrote:

 On Wed, Mar 28, 2012 at 06:33:16PM +0200, Stefan Sieg wrote:
  are you overwriting existing files that have the previous file mode?

 No, these are new files. Let me explain better.
 When I copy a file over with sftp, the permissions of the file created
 on the server, are replicated from the client.
 This is in contrast, when I'm logged in on the server with that same
 account
 and create a file, the umask is correct as per /etc/login.conf.
 Even though reading sftp-server(8):
 -u umask
 Sets an explicit umask(2) to be applied to newly-created files
 and directories, instead of the user's default mask.
 I would assume that the files copied over by the client which don't exist
 on the server should be honor this flag.
 Are my assumptions correct?


This is because your client *asks* the server to set the specific
permissions.

Regards,
Eugene

-- 
The best the little guy can do is what
the little guy does right



Re: Is there a kernel walkthough for newbies?

2011-07-26 Thread Eugene Yunak
On 26 July 2011 21:13, Jordi Espasa Clofent jespa...@minibofh.org wrote:

  
 http://www.atmnis.com/~proger/openkyiv/openkyiv2009_proger_sys.pdf


 Wow Stuart, what a great doc. Is it listed in OpenBSD website papers
 section? It should!


 --
 I will face my fear. I will permit it to pass over me and through me. And
 when it has gone past I will turn the inner eye to see its path. Where the
 fear has gone there will be nothing. Only I will remain.


As far as i remember, it was listed, but now it's not.

For anyone who can do a bit of russian, the video from this talk might be
helpful too - http://uaoug.org.ua/openkyiv/2009/materials/.


-- 
The best the little guy can do is what
the little guy does right



Re: vmware remote console

2011-01-11 Thread Eugene Yunak
On 10 January 2011 21:56, Robert Yuri robert.yu...@gmail.com wrote:
 does anyone have running the vmware remote console on openbsd, or
 suggest anyway to connect to a vmware server to manager the virtual
 machines from an openbsd box ?

 thanks,


If you mean ESX(i) and VMWare Infrastructure Client or VMWare VCenter
Client (remote console), then beware that this client only runs on
Windows, but you can use a VM to deploy it and manage your host.


-- 
The best the little guy can do is what
the little guy does right



Re: rtsp q

2010-10-28 Thread Eugene Yunak
On 28 October 2010 15:14, Gregory Edigarov g...@bestnet.kharkov.ua wrote:
 Hello,

 Just wondering what is the best way to organize stream video
 translation from multiple rtsp enabled cameras? The thing that bother me
 most is that we need to let user to record (not just play) that stream
 at its pc. Is there anything ready for the user side? The users are all
 sitting on Windows, so may be some good person will share his/her
 thoughts or point me to the flash application with record capabilities?

 Thanks a lot.

 --
 With best regards,
 Gregory Edigarov




Hi Gregory,

AFAIR, VLC is capable of recording RTSP stream. It is available for
windows as well.


Cheers,
Eugene

--
The best the little guy can do is what
the little guy does right



Re: Happy Birthday OpenBSD

2010-10-19 Thread Eugene Yunak
On 18 October 2010 20:13, STeve Andre' and...@msu.edu wrote:

  15 years!


Happy happy birthday!!

-- 
The best the little guy can do is what
the little guy does right



Re: jconsole - no connection possible

2010-09-13 Thread Eugene Yunak
On 13 September 2010 17:36, Elmar Bschorer
elmar.bscho...@bugconsulting.de wrote:
 Samir SAADA wrote:

 On Sun, Sep 12, 2010 at 11:37:37AM +0200, Elmar Bschorer wrote:

 hi list,

 when i try to connect to a jvm pid with jconsole for debugging i end
 up with a connection failed.

 i also tried connecting to a remote process ending up with the same
 error. when i try to connect with jconsole to the same remote
 process from a linux system it works. so it seems that jmx is
 configured successfully on the remote side.

 are there any security related issues on 4.7 that prevent me from
 establishing a connection with jconsole?


 you do not give detailed description of your problem,
 anyway, it works ok here,
 check your network settings including /etc/hosts.

 I didn't make any changes to /etc/hosts.

 I am running a fresh installation of OpenBSD 4.7 (stable). I installed
 tomcat5.5 via pkg_add.
 I start tomcat with startup.sh (as root) and then i start jconsole (as root
 as well). jconsole starts up and i can choose a process-id to connect to
 (localy running). I choose tomcat's pid but the connection fails after a
 minute or so.



pfctl -d ?



-- 
The best the little guy can do is what
the little guy does right



Re: which monitoring do you use (on OpenBSD)

2010-08-14 Thread Eugene Yunak
On 15 August 2010 00:16, Jiri B. ji...@live.com wrote:
 On Sat, 14 Aug 2010 13:08:57 + (UTC)
 Stuart Henderson s...@spacehopper.org wrote:

 I'm occasionally working on a port of icinga which looks quite
 interesting (forked from nagios a while ago, it's still compatible
 but has diverged quite a bit now - many problems have been fixed
 and improvements made, in particular the UI has been totally
 replaced). Would have been done sooner, but despite its
 general crappiness and the many improvements that could be made,
 nagios actually works surprisingly well...

 There's another fork of Nagios - http://opsview.com/ - which looks they
 gets huge list of enterprise users (just checking the web only).

 jirib



Don't even bother to try - it's basically just a shitty web-frontend
for nagios. It does not sort any of its problems, and brings new
ones. Did i mention it's shit and brings a lot of configuration and
performance pain?
Our monitoring solutions team wanted to switch to it from nagios
(after all the pain of going to nagios from BigBrother), thank god
we've convinced them not to do that. But it does have nice support.

-- 
The best the little guy can do is what
the little guy does right



Re: which monitoring do you use (on OpenBSD)

2010-08-14 Thread Eugene Yunak
On 15 August 2010 01:06, Stuart Henderson s...@spacehopper.org wrote:
 On 2010/08/14 23:59, Eugene Yunak wrote:
 On 15 August 2010 00:16, Jiri B. ji...@live.com wrote:
  On Sat, 14 Aug 2010 13:08:57 + (UTC)
  Stuart Henderson s...@spacehopper.org wrote:
 
  I'm occasionally working on a port of icinga which looks quite
  interesting (forked from nagios a while ago, it's still compatible
  but has diverged quite a bit now - many problems have been fixed
  and improvements made, in particular the UI has been totally
  replaced). Would have been done sooner, but despite its
  general crappiness and the many improvements that could be made,
  nagios actually works surprisingly well...
 
  There's another fork of Nagios - http://opsview.com/ - which looks they
  gets huge list of enterprise users (just checking the web only).
 
  jirib
 
 

 Don't even bother to try - it's basically just a shitty web-frontend
 for nagios. It does not sort any of its problems, and brings new
 ones. Did i mention it's shit and brings a lot of configuration and
 performance pain?

 heh, it wouldn't be the first time... icinga looks quite a different
 thing, they do actually appear to be improving things.


Sorry for the confusion, i was talking about opsview. As to icinga, i
haven't tried it myself but heard some positive feedback from a
colleague of mine.

-- 
The best the little guy can do is what
the little guy does right



Re: which monitoring do you use (on OpenBSD)

2010-08-10 Thread Eugene Yunak
On 10 August 2010 02:28, Jiri B. ji...@live.com wrote:
 Hello,

 I'm thinking to choose a monitoring tool which would run on OpenBSD
 of course.

 I have been working with Tivoli and Netview for couple of years so my
 idea is:

 * clients

 - heartbeats of course
 - simple interface to give a client some input as alert
 - text configuration on client node (can be pushed from central repo)
 - light

 * infrastructure nodes

 - proxy feature for far networks or dmz
 - filtering rules (thresholds, time filters ...)
 - text configuration
 - light

 * main server(s)

 - good filtering
 - surveillance console for monitoring center
 - be able to change status of an alert (acknowledge, closed, solved...)
 - be able to have some categories of clients based on roles

 I'm watching zabbix... not sure...

 If I wouldn't want event console I would probably check snmp - sec -
 snmptt.

 jirib



Definitely nagios/cacti pair or zabbix. Having used nagios for a year
or so, i would never want to get back to Tivoli. It also gives you
lots of flexibility in how you setup your monitoring, and can neatly
work with snmp as well.

Eugene

-- 
The best the little guy can do is what
the little guy does right



Re: 302 redirection doesn't work ?

2010-07-10 Thread Eugene Yunak
On 10 July 2010 16:06, Aaron Lewis aaron.lewis1...@gmail.com wrote:

 Hi,
 I'm trying to configure apache like this: when pages were not found on
 server, it returns a document moved message (301 or 302), rather than
 a 404 error.

 So i put those:

     ErrorDocument 404 /error.html
     Rediret 302 /error.html http://my.host/

 But still, it's a 404 error, additionally, a 302 Found error was
 encountered while trying to handle the request.

 Any ideas will appreciate, thanks!


Apart from the suggestion to check the spelling from Peter, you might
also think of putting a javascript-based redirect in your custom
error-404.html
This is not the-best-way-to-do-it, because it won't work if you have
js disabled or not present at all, but it's very simple and might
serve your need.

--
The best the little guy can do is what
the little guy does right



Re: iked(8) and ikectl(8)

2010-06-03 Thread Eugene Yunak
On 4 June 2010 00:06, Reyk Floeter r...@openbsd.org wrote:
 Hi!

 Today I imported iked(8) that is another automatic keying daemon for
 IPsec. In difference to isakmpd(8), which supports the ISAKMP/Oakley
 a.k.a. IKEv1 protocol, iked(8) only supports the IKEv2 protocol at
 present. The IKEv2 protocol in RFC 4306 has been simplified and
 provides many benefits over ISAKMP/IKEv1.

 iked(8) itself has been designed to fit the style of all the recent
 OpenBSD daemons and comes with a tool ikectl(8) for runtime
 configuration, status, working reloads, and integrated commands to
 maintain a simple X.509 CA for IKEv2. I also have some important
 design goals that I will describe later.

 The current state is that iked(8) still lacks a few important features
 but works as a responder against different peer implementations. That
 means, you can set up a running VPN with Windows 7 or libstrongswan
 libcharon clients connecting to iked(8) running as the server or
 security gateway. I will add initiator (client) mode next.

 This is a very brief summary, more information will follow.

 reyk


Good stuff Reyk! Will try it shortly.
Looking forward to the details as well.

--
The best the little guy can do is what
the little guy does right



Re: Mysql connection from within php

2010-06-02 Thread Eugene Yunak
On 1 June 2010 16:30, What you get is Not what you see
wygin...@gmail.com wrote:
 Freshly installed on openbsd 4.6 mysql,php and php5-mysql packages.
 Done the configs. Now php and mysql works. But I couldn't make it
 connect to mysql from within php with such a command
 mysql_connect(localhost,user,pass)
 It used to give Can't connect to mysql through socket error till I
 change the command to
 mysql_connect(127.0.0.1,user,pass)
 I want to learn why?


As you've been already told, this is because default apache is
chrooted and thus cannot access mysql socket.
To correct it, just do

# mkdir -p /var/www/var/run/mysql
# ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock


-- 
The best the little guy can do is what
the little guy does right



Re: Mysql connection from within php

2010-06-02 Thread Eugene Yunak
On 2 June 2010 20:48, Liviu Daia liviu.d...@imar.ro wrote:
 On 2 June 2010, Eugene Yunak e.yu...@gmail.com wrote:
 On 1 June 2010 16:30, What you get is Not what you see
 wygin...@gmail.com wrote:
  Freshly installed on openbsd 4.6 mysql,php and php5-mysql packages.
  Done the configs. Now php and mysql works. But I couldn't make it
  connect to mysql from within php with such a command
  mysql_connect(localhost,user,pass)
  It used to give Can't connect to mysql through socket error till I
  change the command to
  mysql_connect(127.0.0.1,user,pass)
  I want to learn why?
 

 As you've been already told, this is because default apache is
 chrooted and thus cannot access mysql socket.
 To correct it, just do

 # mkdir -p /var/www/var/run/mysql
 # ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock

 Please, stop perpetrating this nonsense. This only works until you
 restart mysqld. The reason is mysqld removes the socket when it starts
 before creating it anew.

 If you really must use a socket instead of TCP then move the socket
 to jail and give programs different views to it from inside and outside
 the jail, using my.cnf. Not tested:

 - in /etc/my.cnf:

 socket = /var/www/var/run/mysql/mysql.sock

 - in /var/www/etc/my.cnf:

 socket = /var/run/mysql/mysql.sock


I fail to see how this is nonsense or what stops one from creating
this hardlink in rc.local (which would be normally used to start mysql
anyway). Your solution however works as well, of course.


--
The best the little guy can do is what
the little guy does right
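
What happens to a hard-linked Unix socket across a daemon restart can be reproduced without MySQL. This is an added example, not code from the thread: it uses Python's socket module, and the two temporary paths are stand-ins for /var/run/mysql/mysql.sock and the copy inside the chroot.

```python
import os
import shutil
import socket
import tempfile


def listen_on(path):
    """Start a listener the way a restarting daemon does: remove any old
    socket file at the path, then bind a fresh one (a new inode)."""
    if os.path.lexists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(8)
    return srv


def can_connect(path):
    """True if a client reaches a live listener through this path."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.settimeout(2)
    try:
        cli.connect(path)
        return True
    except OSError:
        return False
    finally:
        cli.close()


def same_inode(a, b):
    return os.stat(a).st_ino == os.stat(b).st_ino


def demo():
    base = tempfile.mkdtemp(prefix="sock-")
    real = os.path.join(base, "mysql.sock")  # stand-in for the daemon's socket
    jail = os.path.join(base, "jail.sock")   # stand-in for the chrooted path
    out = {}
    srv = listen_on(real)
    try:
        # Equivalent of: ln -f real jail
        os.link(real, jail)
        out["linked_same_inode"] = same_inode(real, jail)
        out["linked_connect"] = can_connect(jail)

        # Simulated daemon restart: old socket closed, file removed, new bind.
        srv.close()
        srv = listen_on(real)
        out["restart_same_inode"] = same_inode(real, jail)
        out["restart_connect_jail"] = can_connect(jail)  # link is now stale
        out["restart_connect_real"] = can_connect(real)

        # Re-creating the link after the daemon is up (the rc.local approach).
        os.unlink(jail)
        os.link(real, jail)
        out["relinked_connect"] = can_connect(jail)
    finally:
        srv.close()
        shutil.rmtree(base, ignore_errors=True)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The stale link keeps the old inode alive, so the path inside the jail still exists after a restart but connections through it are refused until the link is re-created.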



Re: PF: antispoof vs URPF

2010-04-04 Thread Eugene Yunak
On 4 April 2010 18:56, Pete Vickers p...@systemnet.no wrote:
 On 31. mars 2010, at 20.01, Claudio Jeker wrote:

 On Wed, Mar 31, 2010 at 08:08:01PM +0300, Eugene Yunak wrote:
 On 31 March 2010 19:27, N. Arley Dealey arley.dea...@gmail.com wrote:
 It would appear to me that antispoof and URPF achieve similar results. Is
 there a reason to prefer one over the other?

 Not at all. antispoof blocks ip packets that came in from the wrong
 interface, while URPF blocks packets from aliens (no entry in
 routing table for the source address). Just look at the output of
 pfctl -sr


 Not at all. URPF does not only check if a route exists it also checks that
 the route is pointing to the interface the packet came in.

 Antispoof is only for the LAN while URPF is actually capable of tracking
 stuff further down. This is at the same time the problem of URPF: if you
 have asymmetric routing URPF fails. Antispoof works in this case since it
 is hard to get asymmetric routing on the LAN.

 --
 :wq Claudio



 uRPF (at least recent incarnations of it) can be /configured/ to drop packets
 based on presence of /either/ :

 - a matching FIB prefix outbound on the same interface the packet arrived on
 (strict mode)
 - a matching FIB prefix outbound on any interface (loose mode)

 you can also mask uRPF effect to only a subset of packets/prefixes with an
 ACL.


 pretty extensive explanation here:

 http://www.cisco.com/web/about/security/intelligence/urpf.pdf


Do you realise that this is an OpenBSD mailing list, and we are
discussing OpenBSD's pf implementation of uRPF?


-- 
The best the little guy can do is what
the little guy does right



Re: PF: antispoof vs URPF

2010-03-31 Thread Eugene Yunak
On 31 March 2010 19:27, N. Arley Dealey arley.dea...@gmail.com wrote:
 It would appear to me that antispoof and URPF achieve similar results. Is
 there a reason to prefer one over the other?

Not at all. antispoof blocks ip packets that came in from the wrong
interface, while URPF blocks packets from aliens (no entry in
routing table for the source address). Just look at the output of
pfctl -sr

-- 
The best the little guy can do is what
the little guy does right



Re: any known working configuration of OpenBGPd and CARP ?

2010-03-07 Thread Eugene Yunak
On 7 March 2010 11:22, Claudio Jeker cje...@diehard.n-r-g.com wrote:
  When your new master is promoted, it will set up a new session with
  your peers. This is probably not the sort of failover you want to see
  happening in production.
 
 
  That's why you have multiple bgpd routers with redundant paths.

 from the network point of view, packets will come from the same MAC and
 IP address (because of CARP), so ... if BACKUP will just continue to
 maintain a session, established by MASTER, nobody will even know, 1
 sec is nothing in terms of BGP


 You can not just continue to maintain a session, established by MASTER.
 That implies that you can migrate a running TCP session plus all the
 necessary state information of the session engine from one system to
 another.

 --
 :wq Claudio

Time for the bgpdsync (as in pfsync)? Sounds like a nice idea to me.
On the other hand, I fail to see a problem with having two separate
routers connect to your bgp peer(s), without carp on the outgoing
interface. Why would one want to carp them? Does your peer only allow for
one session at a time from your side?

--
The best the little guy can do is what
the little guy does right



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Eugene Yunak
2010/2/16 Per-Olov Sjöholm p...@incedo.org:
 Hi misc

 I am looking for a tool  use as a trigger for dynamically open PF ports from
 certain IP:s.

 I will access non critical info but want at least a port knocker as security.

 If I access an IP on my DMZ that is not in use on a port that is fake I want
 to dynamically add a PF rule for a totally different purpose. Let's say I
 access http://1.2.3.4:45321 which is blocked and logged in PF, what is the
 easiest way to create a trigger from the PF log or the PF log device?

 A cron job with grep in the PF log and then run pfctl to add the rule is from
 many points of view a bad choice... I don't want to dig through the PF log as
 it can be huge, and I don't want to use a cron job as it takes too long..

 Any suggestions appreciated.


 Thanks in advance
 /Per-Olov


As many people have already suggested to you in this thread, you are
doing it wrong. But if you _really_ want to do it that way, then
probably you can simplify your configuration a bit.

You can use log (to pflog10) to have a separate pflog device with
only log entries about port-knocking attempts. Then you can have a
small shellscript reading from tcpdump pflog10 in a cycle and adding
IP addresses to a table of hosts with permitted access to your rss
feed. This is much simpler and quicker than a cron job with full pflog
parser.

I would strongly encourage you to use per-user http authentication
instead. Most rss readers I encountered actually _do_ support it, as
they are all based on standard libraries, so you can just give them
http://user:p...@host/path/file.rss url if they don't have a separate
authentication field.

--
The best the little guy can do is what
the little guy does right
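
The reader loop described in the reply above, as an added example that is not part of the original message. The table name `rss_allowed`, the pf.conf lines in the comments and the sample tcpdump line are assumptions; `pflog10` must exist first (`ifconfig pflog10 create`).

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed pf.conf lines
# (table name is hypothetical; address and port are the ones in the question):
#   table <rss_allowed> persist
#   block in log (to pflog10) proto tcp from any to 1.2.3.4 port 45321
#   pass in proto tcp from <rss_allowed> to any port 80

TABLE="rss_allowed"     # hypothetical table name
PFLOG_IF="pflog10"      # separate log interface named in the reply

# Constructed sample of one "tcpdump -n" output line, for illustration only.
SAMPLE_OK='Feb 16 10:15:02.123456 203.0.113.7.51234 > 1.2.3.4.45321: S 1:1(0) win 16384'

# Print the IPv4 source address of one tcpdump line; fail on anything else
# (IPv6, truncated lines, out-of-range octets) so junk never reaches pfctl.
knock_src() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i <= NF; i++) if ($i == ">") {
            n = split($(i - 1), p, ".")          # expect a.b.c.d.port
            if (n != 5) exit 1
            for (k = 1; k <= 5; k++) if (p[k] !~ /^[0-9]+$/) exit 1
            for (k = 1; k <= 4; k++) if (p[k] + 0 > 255) exit 1
            print p[1] "." p[2] "." p[3] "." p[4]
            exit 0
        }
        exit 1
    }'
}

# Follow the dedicated pflog device and add each knocking source to the table.
# -l keeps tcpdump line-buffered so entries are handled as they arrive.
watch_knocks() {
    tcpdump -n -l -i "$PFLOG_IF" 2>/dev/null | while IFS= read -r line; do
        ip=$(knock_src "$line") || continue
        pfctl -q -t "$TABLE" -T add "$ip"
    done
}

# Run as "script watch" on the firewall; with no argument only the
# functions are defined.
if [ "${1:-}" = "watch" ]; then watch_knocks; fi
```

A single logged SYN carries no proof of origin, so a table filled this way should gate only low-value content.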



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-03 Thread Eugene Yunak
2010/2/2 Keith ke...@scott-land.net:
 I've used OpenBSD  PF for a number of years without issue and am now in the
 position that I want to create a dmz between the Internet and my
 organisations WAN. Our security people are asking if the firewall that we
 use is accredited by ITSEC and I am pretty sure it isn't but it turns out
 that our security people will be happy if the firewall is accredited for use
 by another government !

 I am very happy with my PF firewalls and their reliability and don't want to
 be forced into purchasing some cisco / forenet commercial firewall that I've
 never used before so am desperate to find some details of any foreign
 governments that are using OpenBSD / PF as a firewall or any details of any
 certification of the PF firewall.

 Can anyone help me out ?

 Thanks
 Keith


The Ukrainian government has certified a distribution called BBOS that
basically is a customised OpenBSD, modified for compatibility with
local security standards, for use as servers and clients with
access to the internet and to protect information classified as government
secret.

http://www.atmnis.com/documents.php?lng=ENG
http://www.atmnis.com/files/user_files/BBOS.pdf
http://www.atmnis.com/files/user_files/BBOS_OS.pdf

-- 
The best the little guy can do is what
the little guy does right



Re: Disable SSH passwords per user

2010-01-04 Thread Eugene Yunak
2010/1/5 Ted t...@pobox.com:
 Had a quick google and search or marc, but came up with no answers.

 Is it possible to disable password based logins per user (like with
 the adduser --disabled-password in linux) on OpenBSD, and therefore
 have the user only use SSH Keys? I'm aware of the sshd_config setting
 PasswordAuthentication no which makes this occur system wide.

 I just wanted to ensure I'm not missing something else, in setting up
 a single user on a system that doesn't have PasswordAuthentication
 no set for system wide SSH logins. Maybe using login classes?

 The reason: I'm trying to setup gitosis
 (http://eagain.net/gitweb/?p=gitosis.git;a=blob;f=README.rst) on an
 OpenBSD server, but the README is linux centric.


You can use per user rules in sshd_config, just read the man page.

-- 
The best the little guy can do is what
the little guy does right



Re: Recommended laptop

2009-12-22 Thread Eugene Yunak
2009/12/22 Tomas Bodzar tomas.bod...@gmail.com:
 Don't know about Thinkpads, but Dell E6400 works great. But it's
 around 950 $ or so.


The benefits of the western world... ;) My e6400 cost me almost $4000 here
in Ukraine. But I am very happy with that purchase, the notebook is
great and everything is supported by OpenBSD. I can recommend that one
to everyone, it's no worse than Lenovo stuff.

-- 
The best the little guy can do is what
the little guy does right



Re: vi in /bin

2009-12-18 Thread Eugene Yunak
2009/12/18 Gregory Edigarov g...@bestnet.kharkov.ua:
 On Fri, 18 Dec 2009 10:28:25 +0100
 Igor Sobrado igor.sobr...@gmail.com wrote:

 On Fri, Dec 18, 2009 at 6:07 AM, David Gwynne l...@animata.net
 wrote:
  On 18/12/2009, at 1:26 PM, Raymond Lillard wrote:
 
  Real men use cat. :-)
 
  real men use COPY CON PROGRAM.EXE

 real men use EDIT/TECO.

 real men use XEDIT.


REAL men use butterflies

// http://xkcd.com/378/

-- 
The best the little guy can do is what
the little guy does right



Re: mount /usr partition nosuid

2009-12-03 Thread Eugene Yunak
2009/12/3 Mark Romer romes...@gmail.com:
 Hello All,
 Sorry if it has been asked in the past, but is it ok to mount the /usr
 partition as nosuid?
 What if any default programs will that break? And also does that give me
 any added security benefits?
 Running 4.6 release generic i386
 thanks, Mark

find /usr -perm 4555 -ls will solve the question re whether it will
break something.

--
The best the little guy can do is what
the little guy does right
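
An added example, not part of the original message: `-perm 4555` matches only files whose mode is exactly 4555, so this sketch also counts every other setuid or setgid file on the same file system and prints both numbers side by side. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: inventory of files whose behaviour changes under "nosuid".

# Every regular file with the setuid or setgid bit set, whatever the other
# permission bits are. -xdev stays on the file system of the start directory,
# which is the unit a mount option applies to.
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Only files whose mode is exactly 4555 (the form used in the reply above).
exact_4555_files() {
    find "$1" -xdev -type f -perm 4555 -print
}

# Print "<all set-id files> <exact 4555 files>" for a directory tree.
nosuid_impact() {
    all=$(setid_files "$1" | wc -l | tr -d ' ')
    exact=$(exact_4555_files "$1" | wc -l | tr -d ' ')
    echo "$all $exact"
}

# Usage: script /usr   (prints the two counts; no argument defines functions only)
[ "$#" -eq 0 ] || nosuid_impact "$1"
```

If the first number is larger than the second, list the difference with `setid_files` before changing the mount option.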



Re: allow dhcp in pf

2009-11-24 Thread Eugene Yunak
2009/11/24 Andreas Mueller andr...@stapelspeicher.org:
 Clients most certainly don't send dhcp request packets to your gateway
 but to multicast, so set destination to 255.255.255.255.

 Andreas

Looks like someone doesn't even know how dhcp works, but keeps
suggesting silly things and ignoring wise man (@claudio) sayings. dhcp
clients may and will send requests directly to dhcp servers, apart
from the fact that dhcpd ignores pf at all.

-- 
The best the little guy can do is what
the little guy does right



Re: E17 wiki page for OpenBSD

2009-11-12 Thread Eugene Yunak
Thank you Dmitry for your great work in supporting E17 on OpenBSD!

2009/11/11 sda dmitry.serpok...@gmail.com:
 hello,

 http://trac.enlightenment.org/e/wiki/OpenBSD

 welcome to correct, improve, advise, etc...

 regards,
 sda

 [demime 1.01d removed an attachment of type application/pgp-signature]





-- 
The best the little guy can do is what
the little guy does right



Re: pf changes

2009-09-01 Thread Eugene Yunak
2009/9/1 Henning Brauer henn...@openbsd.org:


 and now it is your time. test this as much as you can, to avoid
 surprises in 4.7, and bugs showing up after release... we really want
 to find them beforehand, right?

Thanks a lot, guys!

I'll deploy it to production tomorrow.


-- 
The best the little guy can do is what
the little guy does right