Re: ld on startup - wish to disable

2024-09-18 Thread James Cook

On Tue, Sep 10, 2024 at 02:39:55PM +0200, Luca Di Gregorio wrote:

Hi,

I'm running very little OpenBSD VMs for simple services and testing
environments.

I really don't need security on these VMs, I already disabled library_aslr
(rcctl disable library_aslr) to avoid reordering libraries at boot, but, at
startup, I still see ld and ctfconv running and consuming a lot of CPU.

As the VMs are little, ld and ctfconv take a lot of time to finish.

Is there a way to disable them as well?

Luca


I think you can set library_aslr=NO in /etc/rc.conf.local. See 
rc.conf(8).


Mizsei's answer is about kernel relinking, which I think happens 
in the background after every boot. It might slow things down too.


--
James



Re: Installer cannot open hd0a

2024-07-02 Thread James Cook

On Sun, Jun 23, 2024 at 11:50:31AM GMT, Anon Loli wrote:

On Sun, Jun 23, 2024 at 11:44:30AM +, Anon Loli wrote:

On Sat, Jun 22, 2024 at 06:34:19PM +, James Cook wrote:
> On Sat, Jun 22, 2024 at 03:46:16PM GMT, Anon Loli wrote:
> > On Sat, Jun 22, 2024 at 03:11:50PM +, Anon Loli wrote:
> > > (I sent this a few hours ago, but I didn't see it in the mailing list, I think
> > > you aren't allowed to have a ':' in the subject title)
> > >
> > > Hello list and fellow wizards
> > >
> > > I have a problem installing OpenBSD on one of my computers
> > > I tried 7.3 and 7.5 installs, both(I think, not sure if both share same "hd0a"
> > > part) give me this right after BOOT command is
> > > initiated in the initial OpenBSD screen:
> > > cannot open hd0a:/etc/random.seed: No such file or directory
>
> It's normal for that message to appear when you're booting from an install
> image. I guess /etc/random.seed is not included because it would be the same
> for everyone, defeating the purpose of the file.
>
> > > And I can't use DD on other drives such as a SD or a WD device
> > >
> > > Do you know what the issue is? It could be just some BIOS option, but I loaded
> > > EFI defaults so IDK
> >
> > I also forgot to mention that during installation I used auto-partitioning, and
> > that seems to have gone well, except that the / partition was like 130% full
> > because /dev/rsd1 which was the other drive, was like 600M in size or something
> > like that, and I was even able to `rm /dev/rsd1` without problem and that freed
> > up the negative storage space.. so I'm sure that it's something related to
> > storage, maybe a BIOS setting, or maybe my USB drive was corrupted or
> > something?
>
> /dev/rsd1 should not exist. Probably it is a regular file you created with a
> command like cat image > /dev/rsd1. This is a great way to accidentally fill
> up your root partition. If you want to overwrite the contents of sd1, the
> device you want is /dev/rsd1c.
>
> --
> James
>

Every time I tried it, be it 7.3 or 7.5 install*.img, or I now tried a CD/DVD
7.5 iso and got "cannot open cd0a.\n booting cd0a", I always went to SHELL
and typed this:
`dd if=/dev/urandom of=/dev/rsd0c bs=1m` the sd0 or sd1 being 2 of my drives
I always get the exact following message:
"uid 0 on /: file system full

/: write failed, file system is full
dd: /dev/rsd0c: No space left on device
1+0 records in
0+0 records out
0 bytes transferred in 0.003 seconds (0 bytes/sec)"

Okay, dmesg seems to see them well, but I don't see them in /dev/ at all, I
just now realized this

There is another message which looked like an error message, right after the
"booting cd0a", it has something similar to "0x00", but it goes away way
too fast for me to read it, is there a logfile of the full boot sequence
output that I can take a look at or something?



So it's after "booting cd0a (or hd0a)", but before "OpenBSD 7.5" aka the 1st
line in dmesg
There was a logfile with these kind of logs, but I forgot where it is ._.


Sorry, I missed this. (Feel free to cc me to get my attention next 
time.)


The bootloader prints a sequence of numbers before it boots the 
kernel. I think it's reporting on pieces of the kernel being loaded 
into memory. Perhaps that is the message that you are seeing.


As for "dd: /dev/rsd0c: No space left on device": two things.

1. If you are following the normal installation steps without going
   into the shell, this sort of thing shouldn't happen. So I guess you
   are trying to do something manually through the shell. I'm curious
   what that is.

2. Why you're getting that error:

The installer image does not have the device file /dev/rsd0c. You 
need to first create it like this (in the install image's shell):


cd /dev
sh MAKEDEV sd0

Otherwise, writing to /dev/rsd0c will create a regular file with 
that name, which can quickly fill up the ramdisk filesystem.


--
James



Re: Installer cannot open hd0a

2024-06-22 Thread James Cook

On Sat, Jun 22, 2024 at 03:46:16PM GMT, Anon Loli wrote:

On Sat, Jun 22, 2024 at 03:11:50PM +, Anon Loli wrote:

(I sent this a few hours ago, but I didn't see it in the mailing list, I think
you aren't allowed to have a ':' in the subject title)

Hello list and fellow wizards

I have a problem installing OpenBSD on one of my computers
I tried 7.3 and 7.5 installs, both(I think, not sure if both share same "hd0a"
part) give me this right after BOOT command is
initiated in the initial OpenBSD screen:
cannot open hd0a:/etc/random.seed: No such file or directory


It's normal for that message to appear when you're booting from an 
install image. I guess /etc/random.seed is not included because it 
would be the same for everyone, defeating the purpose of the file.



And I can't use DD on other drives such as a SD or a WD device

Do you know what the issue is? It could be just some BIOS option, but I loaded
EFI defaults so IDK


I also forgot to mention that during installation I used auto-partitioning, and
that seems to have gone well, except that the / partition was like 130% full
because /dev/rsd1 which was the other drive, was like 600M in size or something
like that, and I was even able to `rm /dev/rsd1` without problem and that freed
up the negative storage space.. so I'm sure that it's something related to
storage, maybe a BIOS setting, or maybe my USB drive was corrupted or
something?


/dev/rsd1 should not exist. Probably it is a regular file you 
created with a command like cat image > /dev/rsd1. This is a great 
way to accidentally fill up your root partition. If you want to 
overwrite the contents of sd1, the device you want is /dev/rsd1c.


--
James



Re: advice debugging lockups with swap-thrashing symptoms?

2024-05-23 Thread James Cook

You are probably haunted by a bad issue with DMA memory and running out of
it. Your top is missing -SH since then you would probably see the
pagedaemon go bananas. The problem is you have not enough memory below 4G
but the pagedaemon is not able to properly free memory there since it has
no proper tracking for that condition. It only knows memory is short and
tries to drop as much as possible over and over again. As a result your
system becomes unresponsive.

The boot loader can print the memory map. Which should show you
how much memory is below 4G (I think the command is machine mem).

This is a known issue and there is some work going on to fix the problem.
--
:wq Claudio


Thanks, Claudio. Let me know if I can help by testing anything.

In case it's useful, here is the output of "machine memory" at the 
boot prompt. Transcribed by hand so there are probably errors.


boot> machine memory
Region 0: type 1 at 0x0 for 609KB
Region 1: type 2 at 0xf for 64KB
Region 2: type 2 at 0xfec0 for 20480KB
Region 3: type 2 at 0xe000 for 262144KB
Region 4: type 2 at 0x98400 for 31KB
Region 5: type 2 at 0xcfdf for 64KB
Region 6: type 1 at 0x10 for 3404292KB
Region 7: type 3 at 0xcfde3000 for 52KB
Region 8: type 4 at 0xcfde for 12KB
Region 9: type 1 at 0x1 for 13369344KB
Low ram: 609KB  High ram: 3404292KB
Total free memory: 16774245KB

--
James
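Claudio's diagnosis above turns on how much usable memory sits below 4G. The following is an added example, not code from the list or from OpenBSD: it parses the "Region N: type T at 0xADDR for SIZEKB" lines printed by the boot loader's "machine memory" command and splits the type-1 (usable RAM) regions at the 4 GiB line, handling a region that straddles it. The memory map inside it is constructed for the example, since the addresses in the archived post above were mangled.

```python
"""Sum usable (type 1) memory below and above 4 GiB from the memory map
printed by the OpenBSD boot loader's "machine memory" command.

Region type numbers follow the e820 convention: 1 = usable RAM.
"""
import re

FOUR_GIB = 4 << 30

# One "Region" line: "Region 6: type 1 at 0x100000 for 3404292KB"
REGION_RE = re.compile(
    r"^Region\s+\d+:\s+type\s+(\d+)\s+at\s+0x([0-9a-fA-F]+)\s+for\s+(\d+)KB$"
)

# Constructed sample in the boot loader's output format (not the list's
# output).  Region 6 deliberately straddles the 4 GiB boundary.
SAMPLE_MAP = """\
boot> machine memory
Region 0: type 1 at 0x0 for 609KB
Region 1: type 2 at 0xf0000 for 64KB
Region 2: type 1 at 0x100000 for 3404292KB
Region 3: type 3 at 0xcfde3000 for 52KB
Region 4: type 4 at 0xcfde0000 for 12KB
Region 5: type 2 at 0xe0000000 for 262144KB
Region 6: type 1 at 0xfff00000 for 2048KB
Region 7: type 1 at 0x100000000 for 13369344KB
Low ram: 609KB  High ram: 3404292KB
"""


def parse_regions(text):
    """Yield (type, start, end) in bytes for every Region line in text.

    Lines that are not Region lines (the prompt, the Low/High summary)
    are ignored.
    """
    for line in text.splitlines():
        m = REGION_RE.match(line.strip())
        if not m:
            continue
        typ = int(m.group(1))
        start = int(m.group(2), 16)
        size = int(m.group(3)) * 1024
        yield typ, start, start + size


def summarize_types(text):
    """Return {region type: total KB} over the whole map."""
    totals = {}
    for typ, start, end in parse_regions(text):
        totals[typ] = totals.get(typ, 0) + (end - start) // 1024
    return totals


def usable_split_at_4g(text):
    """Return (below_4g_kb, above_4g_kb) for type-1 regions.

    A region crossing the 4 GiB line is split at the line rather than
    counted wholly on one side, so the "below" figure is what a 32-bit
    DMA mask can actually reach.
    """
    below = above = 0
    for typ, start, end in parse_regions(text):
        if typ != 1:
            continue
        below += max(0, min(end, FOUR_GIB) - start)
        above += max(0, end - max(start, FOUR_GIB))
    return below // 1024, above // 1024


if __name__ == "__main__":
    lo, hi = usable_split_at_4g(SAMPLE_MAP)
    print(f"usable below 4G: {lo}KB, above 4G: {hi}KB")
    print("per-type totals (KB):", summarize_types(SAMPLE_MAP))
```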



Re: advice debugging lockups with swap-thrashing symptoms?

2024-05-23 Thread James Cook

On Thu, May 23, 2024 at 08:00:37AM GMT, Nick Holland wrote:

On 5/23/24 03:18, Stuart Henderson wrote:

On 2024-05-22, James Cook  wrote:

One of my OpenBSD boxes sometimes gets in a weird locked-up or
almost-locked-up state. I'm wondering what I can do to debug it
further next time it happens.

...

I would also expect the cache number to be much higher. E.g. on
this occasion, I was running "git annex fsck", which reads plenty
of data from disk.


Heavy filesystem access can result in this sort of thing, I used to
have unpacked ports source on one of my machines for grepping over,
the machine was pretty much unusable for anything else while that was
running.

Might be worth trying some noatime mount flags if you don't already have
them, at least then you can avoid turning some reads into writes.



Definitely a possibility.  Long time ago, I think I asked about the
possibility of a "disknice" to throttle disk access on individual
tasks.  TedU@ came through for me with something that definitely solved
my problem, and I use it from time to time since -- basically, it just
suspends a particular program occasionally, which lets other programs
have a chance to get disk access.  I saved it (and made a tiny update
that is needed now) and put it here:

https://holland-consulting.net/scripts/disknice.html


Also...
I've seen disks "fail" where they get super-slow.  The failure modes
seem to be difficulty reading data...but after enough retries, it
succeeds, resetting the retry counter back to zero, and then the next
read encounters the same problem.  You may be able to hear lots of
activity on the drive with little obvious progress.   I'm not convinced
this is your problem, but ... something to consider.

Nick.


Thanks for the pointers. disknice sounds useful. However I am 
skeptical that this can be explained away as a normal consequence 
of intense filesystem access, for a few reasons.


1. In the past, even the mouse pointer has frozen. (I'm 95% sure 
of this from memory. Will note it more carefully next time this 
happens.) Surely that shouldn't depend on disk access? See also 
tmux/xterm updating very slowly; does that depend on the filesystem?


2. The low 165M cache number makes me suspicious. With 14G free 
and plenty of data being read, shouldn't that grow? E.g. right now 
it's at 11G (and I'm running git annex fsck like I was before; I 
have a lot of data to fsck). I believe I've seen similar small cache 
numbers in the past.


3. The git annex fsck was running on a different hard disk. (Normally 
it sits in a cupboard; I've hooked it up temporarily.) Swap, /, /home 
etc are all on a different SSD. I am running the same thing now 
(different disk) and perceive no impact on performance. That's not 
to say there wasn't intense access to the SSD, though; Firefox is 
a suspect here.


Nonetheless, if I can't make any other progress, I'll look into 
noatime and/or disknice. (I really wish I could reliably reproduce 
this, but unfortunately it just happens every few days or weeks 
with no apparent pattern other than the system being under some 
load when it happens.)


(I'll note one other thing, just in case: I also experience random 
crashes and restarts with this machine that seem to be hardware-related. 
Very different from what I'm describing here; has even happened 
during BIOS POST, and with no disks inside the machine. I just 
mention it because it opens the possibility of unreliable hardware 
involved, in case that changes things.)


--
James



advice debugging lockups with swap-thrashing symptoms?

2024-05-22 Thread James Cook
Hi,

One of my OpenBSD boxes sometimes gets in a weird locked-up or
almost-locked-up state. I'm wondering what I can do to debug it
further next time it happens.

It feels like swap thrashing, but top reports plenty of memory free.


Symptoms:


1. top reports lots of free memory, small act/tot and cache amounts,
   and some swap space used.

See example output of "top -ud1" below. Note I ran pkill -9 firefox
before running that command, so apparently it's taking a while even
for kill -9 to have an effect.

It's weird the act/tot amounts are so small when free is so high.

I would also expect the cache number to be much higher. E.g. on
this occasion, I was running "git annex fsck", which reads plenty
of data from disk. With my vague understanding of the vm system I
would expect this to result in lots being cached.


2. Hard disk light is constantly active. (Swapping?)


3. System is completely or almost completely unresponsive.

Usually when this happens the X11 display appears completely frozen
and I can't ssh to the machine, switch to another virtual terminal,
or otherwise interact. (I think pinging the box still works in
this case.) I will sometimes notice the system slowing down for
a minute or so, and hard disk activity increasing, before it
completely grinds to a halt.

The most recent time I got lucky, and I could still use ssh and run
simple commands like top and dmesg. After several minutes, I even
saw the X11 display update. My tmux-in-xterm windows were still
trying to redraw themselves for several minutes after being resized:
a few lines were displayed but many were still missing.

Just now, about 40 minutes after the lock-up, my system started
responding quickly again, as if nothing was ever wrong. Maybe it
helped that I killed some processes including firefox, but I did
that probably more than 10 minutes ago.


The dmesg below is from when it was in the almost-locked-up state. I
think the filesystem full messages at the end can be ignored; that
was an issue I resolved earlier. I'm pretty sure I've observed this
on 7.4 and/or 7.5 before I switched to current.

-- 
James


angel ~ $ top -ud1
load averages:  8.17, 10.86, 10.03                    angel.falsifian.org 18:44:22
200 processes: 1 starting, 6 running, 171 idle, 1 stopped, 18 dead, 3 on processor  up 0 days 04:10:10
CPU0 states:  7.6% user,  0.0% nice,  8.4% sys,  6.6% spin,  2.6% intr, 74.8% idle
CPU1 states: 10.1% user,  0.0% nice, 10.6% sys,  4.8% spin,  0.0% intr, 74.5% idle
CPU2 states:  9.8% user,  0.0% nice, 10.3% sys,  4.9% spin,  0.0% intr, 75.0% idle
Memory: Real: 88K/1197M act/tot Free: 14G Cache: 165M Swap: 1046M/32G

  PID  UID PRI NICE  SIZE   RES STATE     WAIT       TIME    CPU COMMAND
77712 1000  62    0   39M   20K run/1     -          3:21 30.52% tmux
79301 1000  60    0 1752K   20K run/1     -          0:42 29.59% sshd-session
96911   48  62    0   10M   20K run/2     -          1:30 26.56% unwind
 9794   35  61    0  133M 3156K onproc/2  -          8:12 25.20% Xorg
59778 1000  10    0  610M   20M run/1     thrdeat   19:05 10.84% firefox
27864 1000  18    0 1308K    4K sleep/0   sigsusp    0:31  4.98% sh
48161 1000  -6    0 1308K    4K sleep/2   piperd     0:31  4.59% sh


dmesg:


OpenBSD 7.5-current (GENERIC.MP) #77: Sun May 19 16:08:08 MDT 2024
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17160474624 (16365MB)
avail mem = 16619134976 (15849MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf0100 (59 entries)
bios0: vendor Award Software International, Inc. version "F7" date 11/20/2009
bios0: Gigabyte Technology Co., Ltd. GA-MA790XT-UD4P
acpi0 at bios0: ACPI 1.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT HPET MCFG TAMG APIC
acpi0: wakeup devices PCI0(S5) USB0(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3) USB6(S3) SBAZ(S4) P2P_(S5) PCE2(S4) PCE3(S4) PCE4(S4) PCE5(S4) PCE6(S4) PCE7(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpihpet0 at acpi0: 14318180 Hz
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Phenom(tm) II X3 710 Processor, 2611.93 MHz, 10-04-02, patch 01db
cpu0: cpuid 1 edx=178bfbff ecx=802009
cpu0: cpuid 8001 edx=efd3fbff ecx=37ff
cpu0: cpuid 8007 edx=1f9
cpu0: 64KB 64b/line 2-way D-cache, 64KB 64b/line 2-way I-cache
cpu0: 512KB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
cpu0: AMD erratum 721 detected and fixed
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 200MHz
cpu0: mwait min=64, max=64, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Phenom(tm) II X3 710 Processor, 2611.94 MHz, 10-04-02, patch 01db
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 2 (application processor)

Re: smtpd outgoing mail configuration

2024-05-16 Thread James Watt



On 17/05/24 11:42, fr...@lilo.org wrote:

How to forward outgoing mail to a remote SMTP server with smtpd?

I found this page, but it's out of date I think.
https://romanzolotarev.com/openbsd/smtpd-forward.html

Tks
Pascal





The config looks fine,

use:  man smtpd.conf


-James



Re: How to use the tun0 interface (VPN)?

2024-05-09 Thread James Colderwood
If you want to route all traffic over the VPN, you need to configure 
your default gateway correctly.


On 2024-05-09 14:16, Sadeep Madurange wrote:

Hello,

I am trying to use the openvpn client. I have a .ovpn file I got from my
vpn provider. I installed the openvpn package and ran the openvpn client
using the following command:

$ doas openvpn --config client.ovpn --auth-user-pass auth.txt

Above command appears to succeed. ifconfig shows:

lo0: flags=2008049 mtu 32768
index 4 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff00
iwx0: flags=808843 mtu 1500

lladdr d8:3b:bf:b5:ea:b9
index 1 priority 4 llprio 3
groups: wlan egress
media: IEEE802.11 autoselect (VHT-MCS1 mode 11ac)
status: active
ieee80211: join gcat chan 44 bssid 9c:53:22:fc:16:22 98% wpakey wpaprotos wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp

inet 192.168.0.14 netmask 0xff00 broadcast 192.168.0.255
em0: flags=808843 mtu 1500

lladdr 00:2b:67:60:ff:6d
index 2 priority 0 llprio 3
media: Ethernet autoselect (none)
status: no carrier
enc0: flags=0<>
index 3 priority 0 llprio 3
groups: enc
status: active
pflog0: flags=141 mtu 33136
index 5 priority 0 llprio 3
groups: pflog
tun0: flags=8051 mtu 1500
index 9 priority 0 llprio 3
groups: tun
status: active
inet 10.73.0.30 --> 10.73.0.29 netmask 0x

However, it doesn't look like my internet traffic is going through the
vpn. Following is the output of 'netstat -nr -f inet':

Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.0.1        UGS        5     1075     -    12 iwx0
224/4              127.0.0.1          URS        0     1175 32768     8 lo0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo0
192.168.0/24       192.168.0.14       UCn        1      536     -     8 iwx0
192.168.0.1        9c:53:22:fc:16:20  UHLch      2      771     -     7 iwx0
192.168.0.14       d8:3b:bf:b5:ea:b9  UHLl       0    19244     -     1 iwx0
192.168.0.255      192.168.0.14       UHb        0       32     -     1 iwx0


--
Kind Regards
James B Colderwood
M0ZAH



Re: Hardware recommendation for small form factor, noiseless, server

2024-05-09 Thread James Johnson
Thanks a lot to you all for these recommendations.



Hardware recommendation for small form factor, noiseless, server

2024-05-06 Thread James Johnson
Hi all,

can anyone please advise on what computer I can purchase with the following requirements:

- fully supports OpenBSD
- no noise
- good quality wifi
- small form factor preferably
- processor does not need to be fast (no highly intensive compute load)
- low RAM need
- needs 1 TB of hard drive at least
- will be used only remotely, for basic and low-intensity server-type applications (no desktop use)
- under $500

Thanks!
James


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-30 Thread James Huddle
When X11 came to my attention, in the 1980's, it was called X11.  "What," I
wondered back then, "could that mean?"
Back then, we would get to know new software long before version 11, so it
seemed an odd name.  Back then.
It's been X11 for millennia.  I discovered Exfiltrator (or Exfiltration,
'ex'+10) about a year ago. LOL.
I actually did not know about the vulnerability.  Thanks, Matthew.
And yes, I was voicing the untested theory of precisely what you
articulated, Luke.
I live in post-2016 USA and have essentially given up hope of any sort of
computer security.
The mantra I developed, as my coworkers insisted on using (for instance)
the React JS package
that had "Exfil" as a dependency, was:

   "When in Rome."


On Fri, Mar 29, 2024 at 4:44 PM  wrote:

> Luke A. Call writes:
> >
> > On 2024-03-29 09:01:07-0400, James Huddle wrote:
> > > Exfiltrator.  There's an 11-letter word that starts with "ex".  X11.
> >
> > After a quick web search, I'm not sure I follow.  Is that a reference to
> > a program that exfiltrates data after a computer is compromised? Can you
> > elaborate a little? I realize this is an ignorant question.
>
> In short, there is a well known shortcoming or feature depending
> on who you ask inherent in the X protocol's design where any
> application which uses the X server (ie. can access the tcp port
> or unix socket and has the correct xauth key, which is to say all
> of them) can request (and get) the ability to read all of the X
> events, which includes every key press and mouse movement in every
> application.
>
> Exfiltrator is 11 letters and we are at X protocol version 11.
>
> There are common mitigations against this problem, such as not
> giving strangers the ability to run unknown programs on your console.
>
> Matthew
>
>


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-29 Thread James Huddle
Exfiltrator.  There's an 11-letter word that starts with "ex".  X11.

On Thu, Mar 28, 2024 at 7:39 PM Luke A. Call  wrote:

> On 2024-03-28 17:28:56+0100, Jan Stary  wrote:
> > > (2) I've learned that X11 allows locally running malware to sniff the
> > > keystrokes input to any other X11-using app running under any user.
> >
> > I don't believe that's true.
> > Where have you "learned" that, and how does that work?
> > "Dear X11, what is $user typing into his firefox textarea"?
>
> I'm no X expert, but I think what you are saying is technically correct
> across users, but I believe it is possible for one application to
> sniff the keystrokes input to another app running under the *same* user, at
> least, and under different users in the same X session depending on how
> they connect.  Specifically:
>
> 1) Under `man xterm' in the "SECURITY" section it says some related
> things that sound like that is what they are saying.  I can't elaborate
> on what it says there but that made me want to be cautious.
>
> 2) running
>xinput list
> ...shows some devices, where on my system the /dev/wskbd has "id=6".
> Then taking that number 6 and doing
>xinput test 6
> ...and typing in a separate xterm window shows the keystrokes from the
> second window, in the first.   I believe the same would be true for any
> X application running as the *same* user.
>
> 3) I did some experimenting in the past with "ssh -X user@..." and
> "ssh -Y user@...", and only when using -Y were keystrokes visible across
> users.  Similar things can be done with less cpu overhead using xauth
> and magic cookies etc (I played with that, with help from people on this
> list, scripted it for myself using what they and man pages helped me
> learn, and haven't
> thought about it much since then, except to use the scripts--but it is very
> handy for me to have things running as different users within the same X
> session, because of these boundaries around keyboard sniffing and also
> filesystem etc restrictions across users).
>
> 4) I am under the impression that the clipboard sharing between X users is
> not restricted as the above things are.  Ie, one can spy on another
> freely.
>
> Luke Call
>
>


Re: pdftotext

2024-03-20 Thread James Cass
pkg_info poppler-utils
-
Information for https://cdn.openbsd.org/pub/OpenBSD/7.5/packages/amd64/poppler-utils-24.02.0.tgz

Comment:
PDF conversion tools and utilities

Description:
This package contains xpdf-workalike command line utilities for getting
information of PDF documents, convert them to other formats, or
manipulate them:

* pdfattach -- file creator
* pdfdetach -- file extractor
* pdffonts -- font analyzer
* pdfimages -- image extractor
* pdfinfo -- document information extractor
* pdfseparate -- page extractor
* pdftocairo -- PDF to PNG/JPEG/PDF/PS/EPS/SVG converter using cairo
* pdftohtml -- PDF to HTML/XML/PNG converter
* pdftoppm -- PDF to PPM converter
* pdftops -- PDF to PostScript (PS) converter
* pdftotext -- PDF to text converter
* pdfunite -- PDF merging tool

Maintainer: Matthias Kilian 
WWW: https://poppler.freedesktop.org/


On Wednesday, March 20th, 2024 at 7:42 AM, soko.tica wrote:

> Hallo list,
>
> There used to be a pdftotext package, but I couldn't find it now. I am 
> running OpenBSD -stable 7.4 amd64.
>
> I guess it is located in some other package, but can't find it.
>
> Please let me know which package I should install. Thanks in advance.

Re: "FollowSymLinks" equivalent in httpd?

2024-03-08 Thread James Cook
On Fri, Mar 08, 2024 at 04:28:52PM +0300, Mark wrote:
> Greetings.
> 
> Trying to figure out the mailman configuration on OpenBSD.
> 
> What is the equivalent of the following server block in httpd?
> 
> "
> Options FollowSymLinks
> AllowOverride None
> "
> 
> Does the httpd even support following symlinks?
> 
> Regards,
> Mark

httpd follows symlinks for me. I just tried making a text file a.txt
in /var/www/htdocs, and making a symlink with ln -s a.txt b.txt,
and http://localhost/b.txt gets the content of a.txt.

Keep in mind httpd by default runs chrooted to /var/www, so if you
want to use absolute paths you will need to leave out /var/www. For
example if you want c.txt to be a symlink pointing to
/var/www/htdocs/a.txt you could run

    ln -s /htdocs/a.txt c.txt

-- 
James
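The chroot point in the reply above is easy to get wrong in both directions: an absolute link target written from the host's point of view dangles inside the chroot, and a link that tries to climb out with ".." is clamped at the chroot's root. The following is an added example, not httpd's code or anything from the list; it emulates that lookup in a throwaway directory (the /var/www layout and the file names are constructed for the demonstration) so the two link styles can be compared without touching a real server.

```python
"""Emulate how a chroot(2)-ed process such as httpd resolves a symlink.

Inside the chroot, "/" is the chroot directory, so an absolute target is
re-rooted there and ".." can never climb above it.  The demo builds a
fake /var/www tree under a temporary directory; nothing here is real
httpd code or a real web root.
"""
import os
import shutil
import tempfile


def resolve_in_chroot(chroot, path, max_links=32):
    """Return the host path a chrooted process reaches for `path`.

    `path` is an absolute path as seen from inside the chroot.  Raises
    FileNotFoundError when a component (or a link target) does not exist
    inside the chroot, and RuntimeError on a symlink loop.
    """
    chroot = os.path.realpath(chroot)
    cur = chroot                                   # host path walked so far
    pending = [c for c in path.split("/") if c]    # components still to walk
    links = 0
    while pending:
        comp = pending.pop(0)
        if comp == ".":
            continue
        if comp == "..":
            if cur != chroot:                      # ".." at "/" stays at "/"
                cur = os.path.dirname(cur)
            continue
        nxt = os.path.join(cur, comp)
        if os.path.islink(nxt):
            links += 1
            if links > max_links:
                raise RuntimeError("too many levels of symbolic links")
            target = os.readlink(nxt)
            if target.startswith("/"):
                cur = chroot                       # absolute target: re-rooted
            # A relative target is resolved from the link's own directory,
            # which is still `cur`.
            pending = [c for c in target.split("/") if c] + pending
            continue
        if not os.path.lexists(nxt):
            raise FileNotFoundError(f"{path}: {nxt} does not exist inside the chroot")
        cur = nxt
    return cur


def demo():
    """Build a constructed /var/www chroot and resolve three symlinks.

    Returns (chroot, {link name: resolved host path or None if dangling}).
    """
    base = tempfile.mkdtemp()
    try:
        chroot = os.path.realpath(os.path.join(base, "var", "www"))
        htdocs = os.path.join(chroot, "htdocs")
        os.makedirs(htdocs)
        with open(os.path.join(htdocs, "a.txt"), "w") as f:
            f.write("hello\n")
        # Host-style absolute target: dangles once re-rooted at the chroot.
        os.symlink(os.path.join(chroot, "htdocs", "a.txt"),
                   os.path.join(htdocs, "bad.txt"))
        # Chroot-style absolute target, as in the reply above: resolves.
        os.symlink("/htdocs/a.txt", os.path.join(htdocs, "good.txt"))
        # Relative target trying to leave the chroot: clamped, then dangles.
        os.symlink("../../../../etc/passwd", os.path.join(htdocs, "escape.txt"))
        results = {}
        for name in ("bad.txt", "good.txt", "escape.txt"):
            try:
                results[name] = resolve_in_chroot(chroot, "/htdocs/" + name)
            except FileNotFoundError:
                results[name] = None
        return chroot, results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    chroot, results = demo()
    for name, host_path in results.items():
        print(f"{name}: {host_path or 'dangling inside chroot'}")
```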



Re: Manpages offline?

2023-12-22 Thread James Grey
Awesome, thanks for the info!

On Fri, Dec 22, 2023 at 4:09 PM William Demchick 
wrote:

> Kia ora James,
>
> I believe that service is currently down for maintenance, with a
> planned restoration in around 12 hours:
> https://marc.info/?l=openbsd-tech&m=170301840617581&w=2
>
> Regards,
>
> William
>
> On Sat, Dec 23, 2023 at 1:03 PM James Grey  wrote:
> >
> > Hi,
> >
> > I'm not sure if this is the place for this, but I noticed that
> > https://man.openbsd.org/ seems to be offline.
> >
> > Does anyone know if these manpages are hosted somewhere else, or maybe if
> > this will be fixed?
> >
> > Thanks
>


Manpages offline?

2023-12-22 Thread James Grey
Hi,

I'm not sure if this is the place for this, but I noticed that
https://man.openbsd.org/ seems to be offline.

Does anyone know if these manpages are hosted somewhere else, or maybe if
this will be fixed?

Thanks


relayd not retrying relay's server-side connections

2023-08-06 Thread James Cook
I'm running relayd with the following relayd.conf on OpenBSD 7.3.

relay forward_http {
    listen on ::1 port 7200
    forward to 127.0.0.1 port 7204 retry 30
}

I was hoping it would do this:

- Listen for connections on ::1 port 7200.
- Each time a connection comes in, try up to 31 times to connect
  to 127.0.0.1, and if one of those tries succeeds, forward the
  connection.

(My goal is to smooth over intervals where the 127.0.0.1:7204 service
is restarting: I want connections from outside to stall rather than
fail.)

The forwarding is working, but as far as I can tell relayd is only
trying once to connect to 127.0.0.1:7204. My evidence is that if
nothing is listening on 127.0.0.1:7204 when I try to connect to ::1
port 7200, I get a failure instantly, and "tcpdump -ilo0 tcp" only
shows a couple of messages exchanged rather than 31 attempts.

Am I doing something wrong, or misunderstanding what that "retry"
option is supposed to do?



Optional bonus question:

Even if I get that working, I have a further problem: I actually want
to use "forward to " syntax, but there doesn't seem to be a
place for a "retry" option there. The reason I want to use "forward
to " syntax is that I want to direct the connection based on
http parameters, and as far as I know that's not possible with
"forward to address" syntax.

Here's a more complete version of what I'm trying to do. It does
what I want, except for retrying when connecting to . (In
practice I add three more "relay" stanzas, for all combinations of
http/https and inet/inet6.)

Is there some way to add retries to this?


table  { ::1 }
table  { 127.0.0.1 }

http protocol reverse_proxy {
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-Port" value "$SERVER_PORT"
    pass forward to 
    pass request header "Host" value "fossil.falsifian.org" \
        forward to 
    tls { keypair "falsifian.org" }
}

relay reverse_proxy_https_6 {
    listen on ::1 port 7201 tls
    protocol reverse_proxy
    forward to  port 7203
    forward to  port 7204
}


-- 
James



Re: How to set up a data disk of 4TB?

2022-12-09 Thread James Johnson
Perfect, thanks a lot. It worked like a charm.

> On 9 Dec 2022, at 17:23, Crystal Kolipe  wrote:
> 
> On Fri, Dec 09, 2022 at 04:19:49PM +0000, James Johnson wrote:
>> Hi all,
>> 
>> I have installed an internal hard drive of 4TB. This drive will be used for 
>> storing data only. It will not contain the OpenBSD system itself.
>> 
>> Knowing the limitations of MBR, I have opted for a GPT partitioning system: 
>> fdisk -A sd0
> 
> If the disk is to be used exclusively with OpenBSD, you can use an MBR 
> partitioning system, even though it's 4 TB.
> 
>> Following this, I am trying to add the partition with disklabel.
>> 
>> I have created the a partition, of 2TB (the size suggested by the system).
>> Then I try to add another partition, but disklabel tells me I have no space 
>> remaining.
>> 
>> I am stuck. The only option that seems relevant in the man page is to modify 
>> the boundary with the -b option. I am scared to do so without specific 
>> advice though, as it could corrupt the OS if done improperly, from what the 
>> manual says.
>> 
>> I just want to be able to use the full size of the disk. Ideally, I would 
>> like a single 4TB partition, but if not possible, I am fine with 2 
>> partitions of 2TB.
>> 
>> Any recommendation?
> 
> For use with OpenBSD only, create a single MBR partition covering as much of 
> the disk as is possible with MBR, something like:
> 
> Disk: sd1       geometry: 267349/255/63 [4294961685 Sectors]
> Offset: 0       Signature: 0xAA55
>             Starting         Ending         LBA Info:
>  #: id      C   H   S -      C   H   S [       start:        size ]
> -------------------------------------------------------------------------------
>  0: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
>  1: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
>  2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
> *3: A6      0   1   2 - 267348 254  63 [          64:  4294961621 ] OpenBSD
> 
> Then invoke disklabel -E, and adjust the bounds to fill the whole disk with 
> the b option, giving * as the size.
> 
> Finally, add a single large partition covering the whole disk in the normal 
> way.



How to set up a data disk of 4TB?

2022-12-09 Thread James Johnson
Hi all,

I have installed an internal hard drive of 4TB. This drive will be used for 
storing data only. It will not contain the OpenBSD system itself.

Knowing the limitations of MBR, I have opted for a GPT partitioning system: 
fdisk -A sd0

Following this, I am trying to add the partition with disklabel.

I have created the a partition, of 2TB (the size suggested by the system).
Then I try to add another partition, but disklabel tells me I have no space 
remaining.

I am stuck. The only option that seems relevant in the man page is to modify 
the boundary with the -b option. I am scared to do so without specific advice 
though, as it could corrupt the OS if done improperly, from what the manual 
says.

I just want to be able to use the full size of the disk. Ideally, I would like 
a single 4TB partition, but if not possible, I am fine with 2 partitions of 2TB.

Any recommendation?

Thanks!






Re: Configure OpenBSD for remote server rarely used

2022-11-28 Thread James Johnson
Ah, pretty cool, I'll keep it in mind for my next project ;)

On 28.11.2022 10:36, Bodie wrote:

And if you really need low consumption, rugged computer and do not mind
about the costs you can go eg. this way :-)

https://teguar.com/ip67-box-pc-twb-2945/


Re: Configure OpenBSD for remote server rarely used

2022-11-28 Thread James Johnson
Thanks a lot for all the great advice, that is very useful. It all makes sense.

> On 27 Nov 2022, at 21:10, Tomasz Rola  wrote:
> 
> On Sun, Nov 27, 2022 at 09:37:19AM +0000, James Johnson wrote:
>> Hi all,
>> 
>> OpenBSD is amazing. But I need help in configuring it correctly as a
>> remote server, rarely used. 
>> 
>> 
>> The main thing I am trying to do is to make it sleep every now and
>> then to protect resources. I am very flexible on how to do this, but
>> have been unable to do so.
>> Here's what I tried :
> [...]
> 
> So to sum up your requirements, you want a self driving box which
> waits, and once every month or six wakes up, does something, then goes
> idle again.
> 
> I would avoid power down/up completely - boot takes time, and fsck
> takes some more time. Also, AFAIK electronics wears down every time it
> goes on-off.
> 
> Modern HDD are said to live to 5 on-off cycles, so assume 2
> cold boots. But random things can happen, because on-off means power
> spike. If you have no problem with electricity, I would keep it going
> all the time. I would however minimise writes. Work on temporary data
> in ramdisk, write results to disk. Something like this.
> 
> BIOS battery goes down faster when computer is powered down. When it
> is up, clock gets power from the wall and saves the battery. I assume
> the modern CMOS battery will only keep the clock for about a year
> without power and it will not recharge when you power up. After that
> time (and before that time, too, but less necessary), every boot
> should include query to time server and adjusting the hardware clock.
> 
> I would buy a decent PSU. Last time I wanted to know, Seasonic was the
> maker of best ones a mortal could buy. Their last unit I bought came
> with 10 years warranty. AND, according to description, it was built
> with classic electronic art, analog parts, no digital. So if you are
> so inclined, you can ask your electronic buddy to inspect it and
> perhaps even replace some parts with better ones. Or repair it. If
> microcontroller goes bunk, you are out of luck, I assume they somehow
> protect their eproms.
> 
> If you plan to store some long term data on this box, I would avoid
> SSD. They are fast but they also can go bunk and when they do, chance
> of recovering data is close to nil (from what I have read).
> 
> I would consider putting the box in a plastic bag to protect from dust
> and humidity. Dust will clog into radiators, make chips go hotter,
> ventilators work harder. I have not tested this, however. I assume
> thermal exchange with loose bag over the box should go ok, but you
> need to test it very carefully, monitoring temps all the time - all
> temps.
> 
> HTH
> 
> -- 
> Regards,
> Tomasz Rola
> 
> --
> ** A C programmer asked whether computer had Buddha's nature.  **
> ** As the answer, master did "rm -rif" on the programmer's home**
> ** directory. And then the C programmer became enlightened...  **
> ** **
> ** Tomasz Rola  mailto:tomasz_r...@bigfoot.com **



Re: Configure OpenBSD for remote server rarely used

2022-11-27 Thread James Johnson
Thank you for this interesting perspective. 

Combined with the previous advice, I am convinced. I will not try to have the 
machine sleep, or even try to put the drives in spun down. From what you guys 
are saying, it seems doing so would be over-engineering.

What are your thoughts regarding reboots? Should I do a daily, weekly, monthly 
reboot?


> On 27 Nov 2022, at 20:00, Bodie  wrote:
> 
> 
> 
> On 27.11.2022 10:37, James Johnson wrote:
>> Hi all,
>> OpenBSD is amazing. But I need help in configuring it correctly as a
>> remote server, rarely used.
>> The main thing I am trying to do is to make it sleep every now and
>> then to protect resources. I am very flexible on how to do this, but
>> have been unable to do so.
>> Here's what I tried :
>> 1) Make it sleep and wake up when woken up remotely
>> I investigated Wake On Lan, which I enabled via ifconfig. However,
>> this system is deployed remotely, and I have no access to other
>> computers on the LAN, so I am unable to make this work.
>> 2) Make it sleep for a few hours and then wake up
>> After 3hours+ of research in man pages and the internet, I have not
>> seen any solution for that.
>> 3) hard drives Spin down, CPU lower freq
>> I have been able to lower the CPU speed by running `apm -L`.
>> I haven't been able to spin down the hard drives.
>> How important is it to manually send a command to spin down the unused
>> hard drives? Will it be done by the system automatically?
>> I am trying to get info on the drives from the system but `atactl sd0
>> checkpower ` always shows `standby` even after I have just written on
>> the disk. I understand this does not work because my drives are SCSI
>> and not ATA.
>> I read the man page for scsi, and I see the command to spin down hard
>> drives : `scsi -f /dev/rsd2c -c "1b 0 0 0 0 0"`
>> However, I see no command to spin them back up. Is it automatic?
>> How can I request information on the spin state of the drive? I am
>> just a little worried about starting to send low-level instructions
>> to the hard drive, with little understanding of it. Is it safe to send
>> this command?
>> Thanks all !
>> PS : dmesg : I cannot share the full dmesg for security reasons, but
>> it is a fairly standard i386 machine, with 2 drives mounted as SCSI.
> 
> As already pointed out by others. Don't do that ;-) Unless you explain
> why you need to do that (I'm sure it is possible without disclosing much)
> 
> I build systems running for eg. 12 years, amd64 architecture, SATA disks,
> DDR RAM and so on. Serving a number of virtual machines with constantly
> higher utilization, and in dozens of them only 2 problems
> during those years - the battery for the internal RAID ran out :-)
> 
> Saw systems which were running for over 30 years and nothing wrong with
> them.
> 
> Can't talk about electricity as those are basically underground cities
> and there are different problems than if the CPU is running 3 or 1GHz ;-)
> 
> Sounds like maybe some IoT solution, but then go for ARM or use virtual
> machine in eg. OpenBSD Amsterdam or you really need compute power on
> demand then go for free options in eg. Azure (12 months free basic Linux)
> or Oracle Cloud Infrastructure or whatever else you find fit.
> 
> Either it is so important, need to be physically under your control and
> then small differences in electricity does not matter or solutions above
> are perfectly fine for your needs.
> 
> Just one hint. No matter if own machine or something rented you want that
> machine to be worth the money that means to do something on it and not
> have it shut down ;-)



Re: Configure OpenBSD for remote server rarely used

2022-11-27 Thread James Johnson
"Does it just need to wake up to run a script and then shut down again" -> yes, 
that's basically that. Of course, requirements might evolve.
"Why does it even have to be a separate machine?" -> There are benefits to 
this, including data safety (different location).

Thank you for your help, have a great day.



> On 27 Nov 2022, at 18:09, Jan Stary  wrote:
> 
>>> As for rotating metal disks, they have a lifetime;
>>> that's why replacing them with SSD might be your best bet.
>> 
>> In the case of an SSD, is there no consideration of turning them off,
>> if they are unused for some time?
> 
> No.
> 
>> In the case of HDD, are you saying that putting them in "spun down"
>> mode actually would not increase their lifetime?
> 
> It might, at least they recognize (in smarttools)
> the number of hours spent rotating.
> 
> But as I said, I don't think it's even worth it.
> 
>>> Wait, so you know in advance for how many _months_
>>> the machine can sleep?
>> 
>> Yes...
> 
> So how often is the machine up (per year) and for how long?
> Does it just need to wake up to run a script and then shut down again?
> (Why does it even have to be a separate machine?)
> 



Re: Configure OpenBSD for remote server rarely used

2022-11-27 Thread James Johnson



> On 27 Nov 2022, at 17:28, Jan Stary  wrote:
> 
> On Nov 27 17:10:11, mytraddr...@gmail.com wrote:
>> I am not intending to switch the machine.
> 
> Why?

It is just not an option for this specific project.

> 
>> In terms of resources, I am mainly concerned about hard drives
>> and cpu being worn down unnecessarily. I am not sure how much
>> of a concern this should be though.
> 
> The CPU is not being "worn down" by running.
> 
> As for rotating metal disks, they have a lifetime;
> that's why replacing them with SSD might be your best bet.

In the case of an SSD, is there no consideration of turning them off, if they 
are unused for some time?
In the case of HDD, are you saying that putting them in "spun down" mode 
actually would not increase their lifetime?

> 
> But even regular disks are dirt cheap now.
> I don't believe this concern is even worth the time spent on this.
> 
>> Yes, I do know in advance when the machine needs to run and when it can 
>> sleep.
> 
> Then you can set a wakeup alarm in the BIOS (if it has one),
> and simply shutdown -p via cron, at the appropriate time.

Ok, thanks for that. I will explore whether the bios has a wake alarm

> 
>> "How much resources would that save?" -> My thoughts was that
>> it would be better for hard drive longevity to have them spun down,
>> rather than them being up for months without any access needed.
> 
> Wait, so you know in advance for how many _months_
> the machine can sleep?

Yes...

> 
> 
>> 
>>> On 27 Nov 2022, at 15:50, Jan Stary  wrote:
>>> 
>>> On Nov 27 09:37:19, mytraddr...@gmail.com wrote:
>>>> The main thing I am trying to do is to make it sleep
>>>> every now and then to protect resources.
>>> 
>>> How much electricity does the machine eat?
>>> (What other "resources" are you concerned about?)
>>> 
>>>> 1) Make it sleep and wake up when woken up remotely
>>>> I investigated Wake On Lan, which I enabled via ifconfig. However, this 
>>>> system is deployed remotely, and I have no access to other computers on 
>>>> the LAN, so I am unable to make this work.
>>>> 
>>>> 2) Make it sleep for a few hours and then wake up
>>> 
>>> Do you know in advance at what hours the machine
>>> needs to run, and when it can sleep?
>>> 
>>>> After 3hours+ of research in man pages and the internet,
>>>> I have not seen any solution for that.
>>> 
>>> Some machines have a wake option in their BIOS.
>>> 
>>>> 3) hard drives Spin down, CPU lower freq
>>>> I have been able to lower the CPU speed by running `apm -L`.
>>> 
>>> How much electricity have you saved by that?
>>> 
>>>> I haven't been able to spin down the hard drives.
>>> 
>>> How much resources would that save?
>>> 
>>> If you are concerned about resources, wouldn't you be better off
>>> getting a low-power machine, with SSD disks?  There are machines
>>> out there that eat around 10W and get the job done (depending
>>> on the job of course); and SSD doesn't need to spin down.
>>> 
>>>> I cannot share the full dmesg for security reasons
>>> 
>>> Bullshit.
>>> 
>> 
>> 



Re: Configure OpenBSD for remote server rarely used

2022-11-27 Thread James Johnson
Thank you for the pointer, I will look into that.

> On 27 Nov 2022, at 14:13, T K  wrote:
> 
> "I have been able to lower the CPU speed by running `apm -L`."
> For automation purposes consider using obsdfreqd (pkg_add obsdfreqd) instead.
> 
> On Sun, 27 Nov 2022, 10:39, user James Johnson  <mailto:mytraddr...@gmail.com>> wrote:
> Hi all,
> 
> OpenBSD is amazing. But I need help in configuring it correctly as a remote 
> server, rarely used.
> 
> 
> The main thing I am trying to do is to make it sleep every now and then to 
> protect resources. I am very flexible on how to do this, but have been unable 
> to do so.
> Here's what I tried :
> 
> 1) Make it sleep and wake up when woken up remotely
> I investigated Wake On Lan, which I enabled via ifconfig. However, this 
> system is deployed remotely, and I have no access to other computers on the 
> LAN, so I am unable to make this work.
> 
> 2) Make it sleep for a few hours and then wake up
> After 3hours+ of research in man pages and the internet, I have not seen any 
> solution for that.
> 
> 3) hard drives Spin down, CPU lower freq
> 
> I have been able to lower the CPU speed by running `apm -L`.
> I haven't been able to spin down the hard drives.
> How important is it to manually send a command to spin down the unused 
> hard drives? Will it be done by the system automatically?
> 
> I am trying to get info on the drives from the system but `atactl sd0 
> checkpower ` always shows `standby` even after I have just written on the 
> disk. I understand this does not work because my drives are SCSI and not ATA.
> I read the man page for scsi, and I see the command to spin down hard drives 
> : `scsi -f /dev/rsd2c -c "1b 0 0 0 0 0"`
> However, I see no command to spin them back up. Is it automatic?
> How can I request information on the spin state of the drive? I am just a 
> little worried about starting to send low-level instructions to the hard 
> drive, with little understanding of it. Is it safe to send this command?
> 
> Thanks all !
> 
> 
> PS : dmesg : I cannot share the full dmesg for security reasons, but it is a 
> fairly standard i386 machine, with 2 drives mounted as SCSI.
> 
> 
> 



Re: Configure OpenBSD for remote server rarely used

2022-11-27 Thread James Johnson
Thanks for your response.

I am not intending to switch the machine. In terms of resources, I am mainly 
concerned about hard drives and cpu being worn down unnecessarily. I am not 
sure how much of a concern this should be though.

Yes, I do know in advance when the machine needs to run and when it can sleep.

"Some machines have a wake option in their BIOS." -> thanks for the pointer, I 
will look into that.

"How much electricity have you saved by that?" -> I don't know. The main 
concern is not using the hardware unnecessarily, to hopefully increase its 
lifetime. Though less electricity usage is a nice side bonus.

"How much resources would that save?" -> My thoughts was that it would be 
better for hard drive longevity to have them spun down, rather than them being 
up for months without any access needed. I don't know in practice if that 
matters for life expectancy of the drive?






> On 27 Nov 2022, at 15:50, Jan Stary  wrote:
> 
> On Nov 27 09:37:19, mytraddr...@gmail.com wrote:
>> The main thing I am trying to do is to make it sleep
>> every now and then to protect resources.
> 
> How much electricity does the machine eat?
> (What other "resources" are you concerned about?)
> 
>> 1) Make it sleep and wake up when woken up remotely
>> I investigated Wake On Lan, which I enabled via ifconfig. However, this 
>> system is deployed remotely, and I have no access to other computers on the 
>> LAN, so I am unable to make this work.
>> 
>> 2) Make it sleep for a few hours and then wake up
> 
> Do you know in advance at what hours the machine
> needs to run, and when it can sleep?
> 
>> After 3hours+ of research in man pages and the internet,
>> I have not seen any solution for that.
> 
> Some machines have a wake option in their BIOS.
> 
>> 3) hard drives Spin down, CPU lower freq
>> I have been able to lower the CPU speed by running `apm -L`.
> 
> How much electricity have you saved by that?
> 
>> I haven't been able to spin down the hard drives.
> 
> How much resources would that save?
> 
> If you are concerned about resources, wouldn't you be better off
> getting a low-power machine, with SSD disks?  There are machines
> out there that eat around 10W and get the job done (depending
> on the job of course); and SSD doesn't need to spin down.
> 
>> I cannot share the full dmesg for security reasons
> 
> Bullshit.
> 



Configure OpenBSD for remote server rarely used

2022-11-27 Thread James Johnson
Hi all,

OpenBSD is amazing. But I need help in configuring it correctly as a remote 
server, rarely used.


The main thing I am trying to do is to make it sleep every now and then to 
protect resources. I am very flexible on how to do this, but have been unable 
to do so.
Here's what I tried :

1) Make it sleep and wake up when woken up remotely
I investigated Wake On Lan, which I enabled via ifconfig. However, this system 
is deployed remotely, and I have no access to other computers on the LAN, so I 
am unable to make this work.

2) Make it sleep for a few hours and then wake up
After 3hours+ of research in man pages and the internet, I have not seen any 
solution for that.

3) hard drives Spin down, CPU lower freq

I have been able to lower the CPU speed by running `apm -L`.
I haven't been able to spin down the hard drives.
How important is it to manually send a command to spin down the unused 
hard drives? Will it be done by the system automatically?

I am trying to get info on the drives from the system but `atactl sd0 
checkpower ` always shows `standby` even after I have just written on the disk. 
I understand this does not work because my drives are SCSI and not ATA.
I read the man page for scsi, and I see the command to spin down hard drives : 
`scsi -f /dev/rsd2c -c "1b 0 0 0 0 0"`
However, I see no command to spin them back up. Is it automatic?
How can I request information on the spin state of the drive? I am just a 
little worried about starting to send low-level instructions to the hard 
drive, with little understanding of it. Is it safe to send this command?

Thanks all !


PS : dmesg : I cannot share the full dmesg for security reasons, but it is a 
fairly standard i386 machine, with 2 drives mounted as SCSI.





Re: inet6 autoconf fails; "slaacd[##]: sendmsg: Can't assign requested address"

2021-12-26 Thread James Cook
>   but it's with unmodified 7.0 release source. (I lost the original

Oops, I mean 7.0 stable. I followed the anoncvs FAQ instructions using
the OPENBSD_7_0 tag.

-- 
James



inet6 autoconf fails; "slaacd[##]: sendmsg: Can't assign requested address"

2021-12-26 Thread James Cook
Hi misc@,

My OpenBSD VPSs hosted by ramnode.com can't get ipv6 addresses using
autoconf. I don't know if this is an OpenBSD bug or if ramnode.com is
behaving badly.

In /var/log/messages, after the kernel boot messages, I see
"slaacd[34007]: sendmsg: Can't assign requested address". ifconfig
doesn't show any inet6 addresses except the link-local fe80::... one.

Any idea what might be happening?


More details:

I tried with 6.9, 7.0 and a recent snapshot, and see the above
behaviour. With 6.9 and the snapshot, I started with a fresh vm image,
entering "autoconf" for the ipv6 config.

I've confirmed (by some fiddling) that
the log message is printed by the log_warn("sendmsg") call in
sbin/slaacd/frontend.c, but that's all I've figured out.

Other information:

- Ramnode has a note [0] about needing to fiddle with
  sys/netinet6/nd6_nbr.c to get ipv6 working, at least for those using
  "SolusVM". But I suspect that's not the issue here, for two reasons:
  1. I tried (more or less) that patch, and it didn't help.
  2. Separately, I tried setting sysctl net.inet6.icmp6.nd6_debug=1, and
 I didn't see the "nd6_ns_input: ..." log message.

- I had ipv4 troubles with the same provider last year [1] which led to
  a change in dhclient [2].

- Here's some info from one of my 7.0 vms:

h0 ~ $ tail -n 5 /var/log/messages
Dec 27 02:22:16 h0 /bsd: root on sd0a (62fb94c1e2005462.a) swap on sd0b dump on sd0b
Dec 27 02:22:16 h0 /bsd: fd0 at fdc0 drive 1: density unknown
Dec 27 02:22:16 h0 slaacd[50539]: sendmsg: Can't assign requested address
Dec 27 02:22:16 h0 slaacd[50539]: sendmsg: Can't assign requested address
Dec 27 02:22:17 h0 savecore: no core dump
h0 ~ $ ifconfig vio0
vio0: 
flags=a48843
 mtu 1500
lladdr fa:16:3e:88:70:93
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect
status: active
inet6 fe80::f816:3eff:fe88:7093%vio0 prefixlen 64 scopeid 0x1
inet 168.235.111.250 netmask 0xff00 broadcast 168.235.111.255
h0 ~ $ ifconfig vio1
vio1: 
flags=a48843
 mtu 1500
lladdr fa:16:3e:fd:3c:a3
index 2 priority 0 llprio 3
media: Ethernet autoselect
status: active
inet6 fe80::f816:3eff:fefd:3ca3%vio1 prefixlen 64 scopeid 0x2
inet 10.168.0.1 netmask 0xff00 broadcast 10.168.0.255
h0 ~ $ cat /etc/hostname.vio0
autoconf
inet6 autoconf
h0 ~ $ cat /etc/hostname.vio1
autoconf
inet6 autoconf

- I put dmesg at the end of this email. I compiled the kernel myself
  but it's with unmodified 7.0 release source. (I lost the original
  kernel after trying out ramnode's patch.)


[0] 
https://clientarea.ramnode.com/knowledgebase.php?action=displayarticle&id=120
[1] https://marc.info/?l=openbsd-misc&m=158860746708443&w=2
[2] https://marc.info/?l=openbsd-cvs&m=15825831624&w=2

-- 
James


OpenBSD 7.0-stable (GENERIC.MP) #1: Mon Dec 27 02:20:30 UTC 2021
falsif...@h0.falsifian.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1056817152 (1007MB)
avail mem = 1008812032 (962MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf6860 (10 entries)
bios0: vendor SeaBIOS version "1.10.2-1ubuntu1" date 04/01/2014
bios0: OpenStack Foundation OpenStack Nova
acpi0 at bios0: ACPI 1.0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel Xeon E3-12xx v2 (Ivy Bridge, IBRS), 2600.46 MHz, 06-3a-09
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,VMX,SSSE3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,SSBD,ARAT,XSAVEOPT,MELTDOWN
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 
16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 1000MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel Xeon E3-12xx v2 (Ivy Bridge, IBRS), 2600.02 MHz, 06-3a-09
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,VMX,SSSE3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,SSBD,ARAT,XSAVEOPT,MELTDOWN
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 
16-way L2 cache
cpu1: ITLB 255 4KB 

Re: Disk partition not recognized

2021-12-22 Thread James Cook
On Wed, Dec 22, 2021 at 07:21:41AM -0300, Crystal Kolipe wrote:
> On Tue, Dec 21, 2021 at 06:04:28PM -0500, Rob Whitlock wrote:
> > A problem seems to be that there is no disklabel entry for the ExFAT
> > partition.
> 
> You probably wrote a BSD disklabel to the disk before creating the ExFAT 
> partition.
> 
> If there is no on-disk disklabel, the kernel will create one in memory based 
> on information from other partitioning schemes, (MBR, GPT).  So in this case, 
> as you change those MBR or GPT partitions, those changes will be reflected in 
> the disklabel that the kernel sees.
> 
> Once you actually write a disklabel to the disk, that on-disk disklabel is 
> then used in place of calculating one each time the disk is attached, and the 
> automatic parsing of MBR and GPT partition information stops.
> 
> To solve your problem, you need to add the details of the ExFAT partition to 
> the BSD disklabel.  You can either do that manually with the disklabel 
> command, or since you do not have any OpenBSD partitions on the disk, you 
> could overwrite the on-disk disklabel, allow the kernel to generate one 
> automatically with the correct information, then optionally force it to be 
> written to the disk by running disklabel and entering 'w' at the interactive 
> prompt.

I thought the disklabel lives at the start of the OpenBSD partition.
Since that disk has no OpenBSD partition, it can't have a disklabel,
right?

Could the in-memory disklabel be out of sync? Does the problem persist
if you reboot, or detach/re-attach the disk?

-- 
James



Re: suspend/resume kills X

2021-12-18 Thread James Cook
On Sat, Dec 18, 2021 at 12:25:26PM +0100, Jan Stary wrote:
> On Dec 18 08:49:33, h...@stare.cz wrote:
> > This is current/amd64 on a PC (dmesg below).
> > 
> > After boot, I log into X, running cwm,
> > an xterm, and a script(1) of this.
> > 
> >  |-+= 14944 root /usr/X11R6/bin/xenodm
> >  | |-+= 56178 _x11 /usr/X11R6/bin/X :0 vt05 -auth 
> > /etc/X11/xenodm/authdir/authf
> >  | | \--- 57333 root X: [priv] (Xorg)
> >  | \-+= 91925 root xenodm: :0 (xenodm)
> >  |   \-+= 68368 hans /bin/sh /etc/X11/xenodm/Xsession
> >  | \-+- 25576 hans /bin/sh /home/hans/.xsession
> >  |   \-+- 91387 hans cwm
> >  | \-+= 20802 hans /usr/X11R6/bin/xterm
> >  |   \-+= 19542 hans -ksh (ksh)
> >  | \-+= 28689 hans script /tmp/suspend
> >  |   \-+- 11621 hans script /tmp/suspend
> >  | \-+= 52575 hans /bin/ksh -i
> >  |   \-+= 27287 hans pstree
> >  | \-+- 12714 hans sh -c ps -kaxwwo user,pid,ppid,pgid,comm
> >  |   \--- 07440 hans ps -kaxwwo user
> > 
> > 
> > From that same xterm, I suspend with zzz.
> > The messages of devices being detached are also below.
> > 
> > Upon resume (messages also below), the xenodm login screen
> > is there again - the session has been killed.
> > None of the above processes is running.
> > The xenodm login does not take keyboard input.
> 
> The same thing happens when zzz is called from cron
> while I am in X.
> 
> But it does not happen when I am switched to the console:
> both zzz from the command line and zzz from cron
> resume back to the console just fine;
> switching back to X then, it's all still there.
> 
> What is it that makes the difference,
> apparently resulting in killing the X session?
> 
>   Jan

This sounds a lot like the following known bug:

https://marc.info/?l=openbsd-bugs&m=148447759618744&w=2
https://marc.info/?l=openbsd-bugs&m=149005961017985&w=2

I work around it by switching to a different virtual console before
suspending.

This is the command I use to lock my X session, switch vts, and sleep:

xlock -startCmd 'wsconsctl -f /dev/ttyCcfg display.focus=0 && zzz'

For that to work, I need to have access to /dev/ttyCcfg. I added
/dev/ttyCcfg to /etc/X11/xenodm/{Give,Take}Console (handled the same
way as the other devices files in those scripts) to solve that. I can't
comment on the security implications of doing that.

-- 
James



Re: nvme boot

2021-10-15 Thread James Cook
red
hid at ihidev0 reportid 10 not configured
hid at ihidev0 reportid 11 not configured
hid at ihidev0 reportid 12 not configured
hid at ihidev0 reportid 13 not configured
hid at ihidev0 reportid 14 not configured
"Intel 400 Series MEI" rev 0x00 at pci0 dev 22 function 0 not configured
ppb0 at pci0 dev 28 function 0 "Intel 400 Series PCIE" rev 0xf0: msi
pci1 at ppb0 bus 1
rtsx0 at pci1 dev 0 function 0 "Realtek RTS525A Card Reader" rev 0x01: msi
sdmmc0 at rtsx0: 4-bit, dma
ppb1 at pci0 dev 28 function 6 "Intel 400 Series PCIE" rev 0xf0: msi
pci2 at ppb1 bus 2
iwx0 at pci2 dev 0 function 0 "Intel Wi-Fi 6 AX200" rev 0x1a, msix
ppb2 at pci0 dev 29 function 0 "Intel 400 Series PCIE" rev 0xf0: msi
pci3 at ppb2 bus 3
ppb3 at pci3 dev 0 function 0 "Intel JHL6540 Thunderbolt" rev 0x02
pci4 at ppb3 bus 4
ppb4 at pci4 dev 0 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi
pci5 at ppb4 bus 5
"Intel JHL6540 Thunderbolt" rev 0x02 at pci5 dev 0 function 0 not configured
ppb5 at pci4 dev 1 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi
pci6 at ppb5 bus 6
ppb6 at pci4 dev 2 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi
pci7 at ppb6 bus 59
xhci1 at pci7 dev 0 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi, xHCI 
1.10
usb1 at xhci1: USB revision 3.0
uhub1 at usb1 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 
addr 1
ppb7 at pci4 dev 4 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi
pci8 at ppb7 bus 60
ppb8 at pci0 dev 29 function 4 "Intel 400 Series PCIE" rev 0xf0: msi
pci9 at ppb8 bus 113
nvme0 at pci9 dev 0 function 0 vendor "SanDisk", unknown product 0x5009 rev 
0x01: msix, NVMe 1.4
nvme0: WDC WDS100T2B0C-00PXH0, firmware 211210WD, serial 21120S802759
scsibus1 at nvme0: 2 targets, initiator 0
sd0 at scsibus1 targ 1 lun 0: 
sd0: 953869MB, 512 bytes/sector, 1953525168 sectors
pcib0 at pci0 dev 31 function 0 "Intel 400 Series LPC" rev 0x00
azalia0 at pci0 dev 31 function 3 "Intel 400 Series HD Audio" rev 0x00: msi
azalia0: codecs: Realtek ALC299, Intel/0x280b, using Realtek ALC299
audio0 at azalia0
ichiic0 at pci0 dev 31 function 4 "Intel 400 Series SMBus" rev 0x00: apic 2 int 
16
iic2 at ichiic0
"Intel 400 Series SPI" rev 0x00 at pci0 dev 31 function 5 not configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm0 at mainbus0: VMX/EPT
efifb at mainbus0 not configured
dt: 445 probes
uvideo0 at uhub0 port 5 configuration 1 interface 0 "CN09357G8LG0098MAFA2A01 
Integrated_Webcam_HD" rev 2.01/80.08 addr 2
video0 at uvideo0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
sd1 at scsibus3 targ 1 lun 0: 
sd1: 125903MB, 512 bytes/sector, 25784 sectors
root on sd1a (44a8e9daa00bd12b.a) swap on sd1b dump on sd1b
inteldrm0: 1920x1080, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (std, vt100 emulation)
iwx0: hw rev 0x340, fw ver 63.c04f3485.0, address 4c:1d:96:49:90:03
video0 detached
uvideo0 detached
uhub0 detached
uhub1 detached
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 
addr 1
uhub1 at usb1 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 
addr 1
uvideo0 at uhub0 port 5 configuration 1 interface 0 "CN09357G8LG0098MAFA2A01 
Integrated_Webcam_HD" rev 2.01/80.08 addr 2
video0 at uvideo0
iwx0: unhandled firmware response 0x3fd/0x200c rx ring 64[10]

-- 
James



Re: Server certs expired higher up the chain, imaps and https

2021-09-30 Thread James Cook
On Thu, Sep 30, 2021 at 10:02:17AM -0700, Chris Bennett wrote:
> Hi,
> 
> I'm getting that the certs are expired, but https works fine in Firefox,
> including when looking at the full chain.
> 
> 
> openssl s_client -servername mail.strengthcouragewisdom.rocks -connect 
> mail.strengthcouragewisdom.rocks:imaps
> 
> openssl s_client -servername mail.strengthcouragewisdom.rocks -connect 
> mail.strengthcouragewisdom.rocks:https
> 
> However are not happy. I force updated my ssl certs, syspatch, pkg_add
> -u and rebooted.
> 
> I didn't rebuild dh.pem for dovecot.
> 
> Is this just a DNS propagation issue?
> Or should I do something further myself?
> 
> Thanks
> Chris Bennett

A certificate in LetsEncrypt's chain expired today or yesterday. The
issue is a bit complicated.


There's a page here:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

and a forum thread here:

https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190


Summary: generally, newer clients and web browsers will not give the
cert expired error, because the middle certificate on the chain is a
root cert in its own right. Other clients, including as far as I can
tell the LibreSSL version included in OpenBSD 6.9, are more strict and
reject the whole chain because the last certificate in the chain
expired.

E.g. I just tried "ftp -o x
'https://mail.strengthcouragewisdom.rocks/'" on -current and it
worked.

LetsEncrypt does not want to remove that last one from the chain
because older Android phones don't have that middle certificate as a
root CA.

Some post(s) in the thread claim it is possible to request an alternate
chain from LetsEncrypt, if you want one that doesn't end with the
expired one. I couldn't find this functionality in OpenBSD's
acme-client. However, I tried manually editing the fullchain pem file
downloaded by acme-client, deleting the third of three certificates in
the file, and now my older clients are happy (but presumably old
Android phones will not be happy).

-- 
James
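As an added example (not from the thread), a Python script that splits a fullchain PEM, reads each certificate's notAfter with a minimal DER walker, and drops only trailing expired certificates, which is what the manual edit of acme-client's fullchain file above amounts to. The certificates it runs on are constructed, unsigned stand-ins so it works offline, and the `NOW` check time is an assumption.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Assumed evaluation time: the day after the cross-signed root expired.
NOW = datetime(2021, 10, 1, tzinfo=timezone.utc)


def split_pem(chain_text):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_RE.finditer(chain_text)]


def _read_tlv(buf, off):
    """Decode one DER tag-length-value at buf[off]: (tag, value, next_off)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: count of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def _children(buf):
    """All TLVs packed inside a constructed value, as (tag, value) pairs."""
    out, off = [], 0
    while off < len(buf):
        tag, val, off = _read_tlv(buf, off)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    text = val.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ
        text = ("19" if int(text[:2]) >= 50 else "20") + text  # RFC 5280 pivot
    elif tag != 0x18:                       # 0x18 = GeneralizedTime, 4-digit year
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def not_after(der):
    """notAfter of a DER X.509 certificate, read without any crypto library."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = _children(fields[3][1])      # serial, sigAlg, issuer, validity
    return _parse_time(*validity[1])        # validity = {notBefore, notAfter}


def prune_expired_tail(chain_text, now):
    """Drop expired certificates from the END of the chain only.

    An expired leaf or intermediate is left in place (a real fault to surface,
    not to hide); only trailing expired cross-signs go.  Returns
    (new_pem, report) with one (index, expiry_date, dropped) per certificate.
    """
    blocks = [m.group(0) for m in PEM_RE.finditer(chain_text)]
    expiries = [not_after(d) for d in split_pem(chain_text)]
    keep = len(blocks)
    while keep > 1 and expiries[keep - 1] < now:
        keep -= 1
    report = [(i + 1, e.date().isoformat(), i >= keep)
              for i, e in enumerate(expiries)]
    return "\n".join(blocks[:keep]) + "\n", report


# --- constructed test material (assumption: NOT real Let's Encrypt certs) ---

def _tlv(tag, content):
    """Minimal DER encoder used only to build the stand-in certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + content


def fake_cert_pem(not_after_utc):
    """Unsigned stand-in carrying only the fields not_after() walks over."""
    empty = _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, b"210101000000Z")
                    + _tlv(0x17, not_after_utc.encode()))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + empty + empty + validity + empty + empty)
    der = _tlv(0x30, tbs + empty + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body


# Constructed three-cert bundle: leaf, intermediate, expired cross-signed root.
FULLCHAIN = "\n".join([fake_cert_pem("211215000000Z"),
                       fake_cert_pem("250915000000Z"),
                       fake_cert_pem("210930140000Z")])

if __name__ == "__main__":
    pem, report = prune_expired_tail(FULLCHAIN, NOW)
    for idx, expiry, dropped in report:
        print("cert %d expires %s%s" % (idx, expiry, " (dropped)" if dropped else ""))
    print("kept %d of %d certificates" % (len(split_pem(pem)), len(report)))
```

Run it against a real fullchain.pem from acme-client by passing the file's text instead of FULLCHAIN; the report shows which certificate is the expired one before anything is written back.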



Re: snapshot miniroot69.img not bootable anymore

2021-07-04 Thread James Cook
at dwiic1
ihidev0 at iic1 addr 0x2c irq 51, vendor 0x6cb product 0x76af, CUST0001
ihidev0: 14 report ids
imt0 at ihidev0: clickpad, 5 contacts
wsmouse0 at imt0 mux 0
ims0 at ihidev0 reportid 2: 2 buttons
wsmouse1 at ims0 mux 0
hid at ihidev0 reportid 6 not configured
hid at ihidev0 reportid 7 not configured
hid at ihidev0 reportid 9 not configured
hid at ihidev0 reportid 10 not configured
hid at ihidev0 reportid 11 not configured
hid at ihidev0 reportid 12 not configured
hid at ihidev0 reportid 13 not configured
hid at ihidev0 reportid 14 not configured
"Intel 400 Series MEI" rev 0x00 at pci0 dev 22 function 0 not configured
ppb0 at pci0 dev 28 function 0 "Intel 400 Series PCIE" rev 0xf0: msi
pci1 at ppb0 bus 1
rtsx0 at pci1 dev 0 function 0 "Realtek RTS525A Card Reader" rev 0x01: msi
sdmmc0 at rtsx0: 4-bit, dma
ppb1 at pci0 dev 28 function 6 "Intel 400 Series PCIE" rev 0xf0: msi
pci2 at ppb1 bus 2
iwx0 at pci2 dev 0 function 0 "Intel Wi-Fi 6 AX200" rev 0x1a, msix
ppb2 at pci0 dev 29 function 0 "Intel 400 Series PCIE" rev 0xf0: msi
pci3 at ppb2 bus 3
ppb3 at pci3 dev 0 function 0 "Intel JHL6540 Thunderbolt" rev 0x02
pci4 at ppb3 bus 4
ppb4 at pci4 dev 0 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi
pci5 at ppb4 bus 5
"Intel JHL6540 Thunderbolt" rev 0x02 at pci5 dev 0 function 0 not configured
ppb5 at pci4 dev 1 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi
pci6 at ppb5 bus 6
ppb6 at pci4 dev 2 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi
pci7 at ppb6 bus 59
xhci1 at pci7 dev 0 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi, xHCI 1.10
usb1 at xhci1: USB revision 3.0
uhub1 at usb1 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
ppb7 at pci4 dev 4 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi
pci8 at ppb7 bus 60
ppb8 at pci0 dev 29 function 4 "Intel 400 Series PCIE" rev 0xf0: msi
pci9 at ppb8 bus 113
nvme0 at pci9 dev 0 function 0 vendor "SanDisk", unknown product 0x5009 rev 0x01: msix, NVMe 1.4
nvme0: WDC WDS100T2B0C-00PXH0, firmware 211210WD, serial 21120S802759
scsibus1 at nvme0: 2 targets, initiator 0
sd0 at scsibus1 targ 1 lun 0: 
sd0: 953869MB, 512 bytes/sector, 1953525168 sectors
pcib0 at pci0 dev 31 function 0 "Intel 400 Series LPC" rev 0x00
azalia0 at pci0 dev 31 function 3 "Intel 400 Series HD Audio" rev 0x00: msi
azalia0: codecs: Realtek ALC299, Intel/0x280b, using Realtek ALC299
audio0 at azalia0
ichiic0 at pci0 dev 31 function 4 "Intel 400 Series SMBus" rev 0x00: apic 2 int 16
iic2 at ichiic0
"Intel 400 Series SPI" rev 0x00 at pci0 dev 31 function 5 not configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm0 at mainbus0: VMX/EPT
efifb at mainbus0 not configured
dt: 445 probes
uvideo0 at uhub0 port 5 configuration 1 interface 0 "CN09357G8LG0098MAFA2A01 Integrated_Webcam_HD" rev 2.01/80.08 addr 2
video0 at uvideo0
axen0 at uhub1 port 3 configuration 1 interface 0 "ASIX Elec. Corp. AX88179" rev 3.00/1.00 addr 2
axen0: AX88179, address 00:90:9e:9d:0f:34
rgephy0 at axen0 phy 3: RTL8169S/8110S/8211 PHY, rev. 5
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
sd1 at scsibus3 targ 1 lun 0: 
sd1: 125903MB, 512 bytes/sector, 25784 sectors
root on sd1a (44a8e9daa00bd12b.a) swap on sd1b dump on sd1b
inteldrm0: 1920x1080, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (std, vt100 emulation)
iwx0: hw rev 0x340, fw ver 48.1335886879.0, address 4c:1d:96:49:90:03

-- 
James



Re: autofs

2021-06-12 Thread James Cook
On Fri, Jun 11, 2021 at 11:04:15PM -0300, Gustavo Rios wrote:
> Hi folks!
> 
> I have a question regarding OpenBSD. Does it support autofs?
> Any reference regarding how to implement it?
> 
> Thanks in advance.
> 
> -- 
> The lion and the tiger may be more powerful, but the wolves do not perform
> in the circus

See amd(8). I have not used it or Linux's autofs, but I think they have the
same purpose.

-- 
James



Re: openrsync manpage error

2021-05-16 Thread James Cook
On Fri, May 14, 2021 at 11:02:23AM +0200, Claudio Jeker wrote:
> On Fri, May 14, 2021 at 12:44:45AM +0300, Irshad Sulaiman wrote:
> > Hi 
> > 
> > I have modified error in openrsync(1) manpage in Example section isn’t
> > that ‘openrsync -t'  instead of 'rsync -t ‘
> > And without --rsync-path= it gives an following error 'openrsync: error:
> > unexpected end of file’
> 
> I did try all three examples and they do work for me without adding
> --rsync-path=. On which command did you get the unexpected result?
> Can you share the exact way to reproduce this issue?

Did you have rsync installed on the remote machine?

My understanding was that by default, openrsync expects "rsync" to be
installed on the destination machine. Probably "rsync" can just be a
symlink to openrsync; I'm not sure.

It would be nice if the openrsync man page described how things are
expected to work. Something like the following (I don't know if it's
correct):

By default, openrsync expects the command "rsync" to be available
on the remote machine. You can override it to use openrsync with
--rsync-path=/usr/bin/openrsync. It is also sufficient to make
rsync an alias for openrsync on the remote machine.

-- 
James



Re: VMM 6.9amd64 host video acceleration

2021-05-16 Thread James Cook
On Thu, May 13, 2021 at 10:00:11AM +, Martin wrote:
> By the way,
> 
> While running Firefox on OpenBSD host I have repeatedly appearing console 
> messages like below:
> 
> ###!!! [Parent][MessageChannel] Error: (msgtype=0x6A0008,name=PMessagePort::Msg___delete__) Channel closing: too late to send/recv, messages will be lost
> 
> ###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
> 
> LibGl error: MESA-LOADER: failed to open radeonsi (search path /usr/X11R6/lib/modules/dri
> LibGl error: failed to load driver: radeonsi
> LibGl error: MESA-LOADER: failed to open swrast (search path /usr/X11R6/lib/modules/dri)
> LibGl error: failed to load driver: swrast
> 
> Any advice is this normal or not?
> 
> Martin

On my system at least, firefox tends to output some errors on the
console. I think some involved "Channel closing". If it would help, I
can keep more careful track and report them to the list.

The LibGl errors look less familiar. Stab in the dark: are your ports
and system in sync? (I always run pkg_add -u after upgrading to a new
snapshot.)

-- 
James



Re: CWM + Web Browser Navigation

2021-04-23 Thread James Cook
On Fri, Apr 23, 2021 at 10:13:45AM -0300, Gleydson Soares wrote:
> On Fri, Apr 23, 2021 at 08:56:00AM -0400, David Anthony wrote:
> > Hello,
> > 
> > I'm curious how CWM users manage to "Go Back" in Firefox / Chromium when the
> > Alt key has been assigned usage within CWM. I've found Alt+LeftArrow was a
> > keyboard shortcut I relied upon when browsing the web. Is there a mechanism
> > / workaround, or how do others accomplish this?
> > 
> > Respectfully,
> > 
> > -David
> > 
> 
> David,
> 
> 1. You can remap the alt key to other mod, see cwm(1);
> 2. Shift+H does not work?
> 3. maybe adding vimium addon, most of us use it since we hate
>   mouse at all.
> 
>   - gsoares

As an emacs user, I remapped pretty much all cwm bindings to use at
least the Mod4 key. So if I type something that doesn't involve Mod4,
cwm won't intercept it.

Also for some reason the Firefox keyboard shortcut ctrl-[ for back is
stuck in my head so I can always use that.

-- 
James



Re: help debug NFS

2021-04-11 Thread James Stark
Hi Maxim,

I ran into the problem with the nfs mounts on linux hanging a few
months ago, when the Linux distro that I'm running (Void) on the NFS
client dropped UDP NFS mounts.  At the time I found this post that
explains the situation:

http://openbsd-archive.7691.n7.nabble.com/nfsd-hangs-Linux-tcp-clients-after-5-minutes-idle-td402844.html

As a work around, I've set up a cron script that stat's the mount
point every four minutes.  That stops the mount from hanging.

I hope that helps.

James

On Sun, Apr 11, 2021 at 2:04 AM Родин Максим  wrote:
>
> Hello
> I have an NFS server on OpenBSD 6.8 stable
> which exports a folder with default settings.
> I have a linux mint client which mounts a share from this NFS server
> with these settings:
> sudo mount -o wsize=8192,rsize=8192 192.168.1.65:/big
> /home/user/store
>   which gives a decent speed at about 50-60MB/s both sides which seems ok
> for me.
> The problem is: when the mount point is not used for a while (5 minutes
> and more) the share becomes unresponsive and the only way to unmount the
> share is to do
> sudo umount -lf /home/user/store
> After that I can mount the share once again.
> When I imitate using the share on client using
> while :; do ls /home/user/store/ && echo "OK" && sleep 3 ; done;
> the share remains responsive all the time and shows no problems.
>
> What tweaks(settings) on the client(server) am I missing in my setup
> to keep the mount point responsive?
> --
> Best regards
> Maksim Rodin
>



Relayd cannot load keypair

2021-02-28 Thread James Chase
I'm on openbsd 6.8, ran syspatch today.
relayd.conf:

table  { 192.168.1.158 }
http protocol "httpproxy" {
pass request quick header "Host" value "nextcloud.mydomain.com" \
forward to 
block
}
relay "proxy" {
   listen on 192.168.1.156 port 80
   protocol "httpproxy"
   forward to  port 80
}
http protocol "https" {
  tls keypair nextcloud.mydomain.com
  return error
  pass
}
relay "secure_proxy" {
listen on 192.168.1.156 port 443 tls
protocol https
forward to  port 80
}

Works for regular http, but when I try adding the https blocks I get:

/etc/relayd.conf:25: cannot load keypair nextcloud.mydomain.com
for relay secure_proxy

The keys are in /etc/ssl/ and /etc/ssl/private, and I got them from
acme-client via lets encrypt. Named:
nextcloud.mydomain.com:443.fullchain.crt
and
nextcloud.mydomain.com:443.key

Also tried generating them without the ports and with .pem,
etc.

Also, I've tried replacing 192.168.1.156 in the listen on
line in secure_proxy with "nextcloud.mydomain.com"
I've tried various examples online as well. Any help would
be appreciated! At this point it feels like a bug, but apparently
others have it working.



Re: Default partitions allocate only 1GB to /

2021-02-27 Thread James Cook
On Sat, Feb 27, 2021 at 11:21:45PM +, tetrahe...@danwin1210.me wrote:
> On Sat, Feb 27, 2021 at 08:27:07PM +0000, James Cook wrote:
> > Something's strange about your setup. The installer normally creates a
> > separate partition for /usr and maybe /usr/local. If you're using
> > pkg_add, then packages go in /usr/local, so they shouldn't end up on
> > your root partition.
> > 
> > If your disk is really tiny the installer won't create a separate /usr
> > partition, but in that case it won't make a separate /home either.
> 
> As far as I know everything was installed using defaults.
> 
> Doing `pkg_add libreoffice` the installer is definitely looking at both /
> and /usr/local/ ... and it gives an odd bytecount for /:
> 
> ```
> Error: /dev/sda1 on / is not large enough (/etc/mke2fs.conf)

Sorry, you're right, pkg_add can add files to /. But generally those
will be quite small (/etc/mke2fs.conf sounds like a configuration
file).

How big is your root partition, and how much space is used? For example
mine is like this after several months of use and many packages
installed, indicating the installer's default behaviour has worked well
for me:


falsifian angel ~ $ df -h /
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd2a      989M    199M    741M    21%    /


If you have a lot more space used, you could try to figure out what's
using it. My go-to command is "du -xah /|sort -h|less"


> /dev/sda1 on /: 956 bytes (missing 86470 blocks)
> /dev/sd1h on /usr/local: 4513435 bytes
> ```
> 
> Later it gives different byte counts for both values.

-- 
James



Re: Default partitions allocate only 1GB to /

2021-02-27 Thread James Cook
On Sat, Feb 27, 2021 at 03:32:44PM +, tetrahe...@danwin1210.me wrote:
> When installing OpenBSD, the default partition layout only allocates 1GB to
> / ... most of the disk space is allocated to /home.
> 
> Once you start installing packages, / quickly grows beyond 1GB, and it looks
> like even some large packages exceed the available space on their own:
>   Error: /dev/sda1 on / is not large enough
> 
> Is there an easy fix for this that I'm missing somewhere, or is this a
> poorly chosen default?

Something's strange about your setup. The installer normally creates a
separate partition for /usr and maybe /usr/local. If you're using
pkg_add, then packages go in /usr/local, so they shouldn't end up on
your root partition.

If your disk is really tiny the installer won't create a separate /usr
partition, but in that case it won't make a separate /home either.

-- 
James



Re: Unknown process modifying routing table

2021-02-06 Thread James
I've disabled my VPN on the machine as well as dhclient, connecting via 
a fixed static IP address and DNS servers. My routing table is still 
being modified by PID 0 (which I assume to be the kernel) every 30 
minutes or so. Ntpd is also disabled.


I have also caught my machine communicating to one the of the IPs via 
TCP and have a pcap dump from wireshark. No actual data was sent other 
than a TCP timestamp.



If your default route is a VPN,
please show how you establish the VPN to be your default route.

The default route is established manually in a script that is run after 
the VPN starts. Essentially it does the following:


    route add $VPN_HOST $DEFAULT_GW

    route change default $VPN_HOST


I do not believe the VPN to be the cause of this problem.


Any tips on debugging the kernel to track the cause of these route 
changes would be greatly appreciated.



Thanks,




Re: Keyboard on raspberry pi rpi3b not working

2021-02-02 Thread James

I have a similar situation with a Logitech G series keyboard. From
reading man pages for usb, usbhid, wscons, etc. I'm able to get the
keyboard input using usbhidctl(8) and if I leave this program running
I'm able to use my external keyboard. 


Does anyone know how to have the keyboard automatically work?

bash-5.0 # usbhidctl -f /dev/uhid5 -v -r
Report descriptor:
Collection page=Consumer usage=Consumer_Control
Input   size=1 count=1 page=Consumer usage=Scan_Next_Track, logical range 0..1
Input   size=1 count=1 page=Consumer usage=Scan_Previous_Track, logical range 0..1
Input   size=1 count=1 page=Consumer usage=Stop, logical range 0..1
Input   size=1 count=1 page=Consumer usage=Play/Pause, logical range 0..1
Input   size=1 count=1 page=Consumer usage=Mute, logical range 0..1
Input   size=1 count=1 page=Consumer usage=Volume_Increment, logical range 0..1
Input   size=1 count=1 page=Consumer usage=Volume_Decrement, logical range 0..1
Input   size=1 count=1 Const page=0x usage=0x, logical range 0..1
End collection
Total   input size 1 bytes
Total  output size 0 bytes
Total feature size 0 bytes

bash-5.0 # usbhidctl -f /dev/uhid5 -a -v
usbhidctl: USB_GET_REPORT (probably not supported by device): Input/output error

bash-5.0 # usbhidctl -f /dev/uhid5 -l
Consumer_Control.Scan_Next_Track=0
Consumer_Control.Scan_Previous_Track=0
Consumer_Control.Stop=0
Consumer_Control.Play/Pause=0
Consumer_Control.Mute=0
Consumer_Control.Volume_Increment=0
Consumer_Control.Volume_Decrement=0

Hello world, from USB external keyboard!

bash-5.0 # #keyboard now works in a new terminal



Here's my relevant dmesg output:

uhub9 at uhub8 port 2 configuration 1 interface 0 "GenesysLogic USB2.0 Hub" rev 2.00/22.16 addr 3
uhub9: device problem, disabling port 2
uhidev0 at uhub9 port 1 configuration 1 interface 0 "Logitech Gaming Mouse G402" rev 2.00/90.02 addr 4
uhidev0: iclass 3/1
ums0 at uhidev0: 16 buttons, Z and W dir
wsmouse1 at ums0 mux 0
uhidev1 at uhub9 port 1 configuration 1 interface 1 "Logitech Gaming Mouse G402" rev 2.00/90.02 addr 4
uhidev1: iclass 3/0, 17 report ids
ukbd0 at uhidev1 reportid 1: 8 variable keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhid0 at uhidev1 reportid 3: input=4, output=0, feature=0
uhid1 at uhidev1 reportid 4: input=1, output=0, feature=0
uhid2 at uhidev1 reportid 16: input=6, output=6, feature=0
uhid3 at uhidev1 reportid 17: input=19, output=19, feature=0



On Sun, Jun 21, 2020 at 03:34:44PM -0700, openbsdtai123 wrote:


Dear Theo,
Hello,

I would like that my keyboard G213 works, but unfortunately, it doesnt.
Please find my dmesg.

I am looking forward to reading you.

Best regards
Openbsd user


OpenBSD 6.7 (GENERIC.MP) #602: Thu May  7 13:45:48 MDT 2020
   dera...@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP
real mem  = 958754816 (914MB)
avail mem = 899207168 (857MB)
mainbus0 at root: Raspberry Pi 3 Model B Rev 1.2
cpu0 at mainbus0 mpidr 0: ARM Cortex-A53 r0p4
cpu0: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
cpu0: 512KB 64b/line 16-way L2 cache
efi0 at mainbus0: UEFI 2.8
efi0: Das U-Boot rev 0x20200100
apm0 at mainbus0
simplefb0 at mainbus0: 1824x984, 32bpp
wsdisplay0 at simplefb0 mux 1
wsdisplay0: screen 0-5 added (std, vt100 emulation)
"system" at mainbus0 not configured
"axi" at mainbus0 not configured
simplebus0 at mainbus0: "soc"
bcmdmac0 at simplebus0: DMA0 DMA2 DMA4 DMA5 DMA8 DMA9 DMA10
bcmclock0 at simplebus0
bcmmbox0 at simplebus0
bcmgpio0 at simplebus0
bcmaux0 at simplebus0
bcmintc0 at simplebus0
bcmdog0 at simplebus0
bcmrng0 at simplebus0
pluart0 at simplebus0: console
bcmsdhost0 at simplebus0: 250 MHz base clock
sdmmc0 at bcmsdhost0: 4-bit, sd high-speed, mmc high-speed, dma
"dsi" at simplebus0 not configured
dwctwo0 at simplebus0
bcmtemp0 at simplebus0
"local_intc" at simplebus0 not configured
sdhc0 at simplebus0
sdhc0: SDHC 3.0, 200 MHz base clock
sdmmc1 at sdhc0: 4-bit, sd high-speed, mmc high-speed
simplebus1 at simplebus0: "firmware"
"expgpio" at simplebus1 not configured
"power" at simplebus0 not configured
"mailbox" at simplebus0 not configured
"gpiomem" at simplebus0 not configured
"fb" at simplebus0 not configured
"vcsm" at simplebus0 not configured
"virtgpio" at simplebus0 not configured
simplebus2 at mainbus0: "clocks"
"clock" at simplebus2 not configured
"clock" at simplebus2 not configured
"phy" at mainbus0 not configured
"arm-pmu" at mainbus0 not configured
agtimer0 at mainbus0: tick rate 19200 KHz
"leds" at mainbus0 not configured
"fixedregulator_3v3" at mainbus0 not configured
"fixedregulator_5v0" at mainbus0 not configured
cpu1 at mainbus0 mpidr 1: ARM Cortex-A53 r0p4
cpu1: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
cpu1: 512KB 64b/line 16-way L2 cache
cpu2 at mainbus0 mpidr 2: ARM Cortex-A53 r0p4
cpu2: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
cpu2: 512KB 64b/line 16-way L2 cache
cpu3 at mainbus0 mpidr 3: ARM Cortex-A53 r0p4
cpu

Unknown process modifying routing table

2021-02-02 Thread James



Hi all, 

My routing table is being modified by an unknown process. 


I have system accounting enabled and I'm monitoring route changes
but the PID of the process reported by `route monitor` is always 0
for these unknown changes.

I've seen my default route (VPN) being deleted and new routes being
added for specific IPs. I'm out of ideas how to find out what process
is modifying my routing table.

Here are the logs:

bash-5.0# route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.0.0.1           UGS       15      635     -     8 pair1
224/4              127.0.0.1          URS        0        0 32768     8 lo0
10.0.0/24          10.0.0.2           UCn        1        0     -     4 pair1
10.0.0.1           xx:xx:xx:xx:xx:xx  UHLch     20       76     -     3 pair1
10.0.0.2           xx:xx:xx:xx:xx:xx  UHLl       0      251     -     1 pair1
10.0.0.255         10.0.0.2           UHb        0        0     -     1 pair1
10.2.0.1           10.0.0.1           UGHD       1      599     -   L 8 pair1
13.35.193.117      10.0.0.1           UGHD       1      616     -   L 8 pair1
13.224.227.64      10.0.0.1           UGHD       1      611     -   L 8 pair1
52.48.109.111      10.0.0.1           UGHD       1      614     -   L 8 pair1
52.84.91.7         10.0.0.1           UGHD       1      574     -   L 8 pair1
99.84.5.230        10.0.0.1           UGHD       1      620     -   L 8 pair1
104.16.9.251       10.0.0.1           UGHD       0      289  1350     8 pair1
104.16.241.18      10.0.0.1           UGHD       1      610     -   L 8 pair1
104.18.26.20       10.0.0.1           UGHD       1      609     -   L 8 pair1
104.21.22.28       10.0.0.1           UGHD       1      617     -   L 8 pair1
108.177.120.136    10.0.0.1           UGHD       1      625     -   L 8 pair1
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       8     7322 32768     1 lo0
140.82.121.3       10.0.0.1           UGHD       1      636     -   L 8 pair1
142.250.186.129    10.0.0.1           UGHD       1      604     -   L 8 pair1
157.230.120.63     10.0.0.1           UGHD       1      596     -   L 8 pair1
172.67.203.118     10.0.0.1           UGHD       1      607     -   L 8 pair1
172.217.169.86     10.0.0.1           UGHD       1      632     -   L 8 pair1
185.199.111.154    10.0.0.1           UGHD       2      633     -   L 8 pair1
216.58.206.132     10.0.0.1           UGHD       1      624     -   L 8 pair1
216.58.212.227     10.0.0.1           UGHD       1      629     -   L 8 pair1

Internet6:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
::/96              ::1                UGRS       0        0 32768     8 lo0
::1                ::1                UHhl      10       32 32768     1 lo0
:::0.0.0.0/96      ::1                UGRS       0        0 32768     8 lo0
2002::/24          ::1                UGRS       0        0 32768     8 lo0
2002:7f00::/24     ::1                UGRS       0        0 32768     8 lo0
2002:e000::/20     ::1                UGRS       0        0 32768     8 lo0
2002:ff00::/24     ::1                UGRS       0        0 32768     8 lo0
fe80::/10          ::1                UGRS       0        0 32768     8 lo0
fec0::/10          ::1                UGRS       0        0 32768     8 lo0
fe80::1%lo0        fe80::1%lo0        UHl        0        0 32768     1 lo0
ff01::/16          ::1                UGRS       5        5 32768     8 lo0
ff01::%lo0/32      fe80::1%lo0        Um         0        1 32768     4 lo0
ff02::/16          ::1                UGRS       5        5 32768     8 lo0
ff02::%lo0/32      fe80::1%lo0        Um         0        1 32768     4 lo0


The routes for 216.58.212.227, 216.58.206.132, 185.199.111.154,
172.217.169.86, 172.67.203.118, 157.230.120.63, 142.250.186.129,
140.82.121.3, 108.177.120.136, 104.21.22.28, 104.18.26.20,
104.16.241.18, 104.16.9.251, 99.84.5.230, 52.48.109.111, 52.84.5.230,
13.224.227.64, 13.35.193.117 are completely unknown and not added by
myself. 


bash-5.0# route monitor
got message of size 176 on Tue Jan 26 13:13:16 2021
RTM_DELETE: Delete Route: len 176, priority 8, table 0, if# 8, name pair1, pid: 0, seq 0, errno 0
flags:
fmask:
use:0   mtu:0expire:0
locks:  inits:
sockaddrs: 
 172.67.203.118 10.0.0.1 xx:xx:xx:xx:xx:xx 10.0.0.2
got message of size 176 on Tue Jan 26 13:13:16 2021
RTM_DELETE: Del
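As an added example that is not part of either message in this thread, a Python parser for `route monitor` output that groups the line-oriented messages into records and separates those sent by a userland PID from those with pid 0, which no process wrote to the routing socket. The sample input is constructed from the format shown above; the `<...>` flag and sockaddr names that the archive stripped, and the third message from pid 4242, are assumptions.

```python
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^got message of size (\d+) on (.+)$")
ROUTE_RE = re.compile(
    r"^(RTM_[A-Z_]+): (.*?): len (\d+), priority (\d+), table (\d+), "
    r"if# (\d+), name (\S*), pid: (\d+), seq (\d+), errno (\d+)$")


@dataclass
class RouteMsg:
    when: str
    kind: str = ""             # RTM_ADD, RTM_DELETE, RTM_CHANGE, ...
    prio: int = 0
    table: int = 0
    iface: str = ""
    pid: int = -1              # 0: no userland process sent this message
    flags: list = field(default_factory=list)
    addrs: dict = field(default_factory=dict)


def _names(text):
    """Turn '<UP,GATEWAY,HOST>' (or '' when nothing is set) into a list."""
    return [n for n in text.strip().strip("<>").split(",") if n]


def parse_route_monitor(text):
    """Group the output of `route monitor` into one RouteMsg per message."""
    msgs, cur, addr_names = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:                               # "got message of size N on <date>"
            cur = RouteMsg(when=m.group(2))
            msgs.append(cur)
            addr_names = None
            continue
        if cur is None:
            continue
        m = ROUTE_RE.match(line)
        if m:
            cur.kind, cur.prio, cur.table = m.group(1), int(m.group(4)), int(m.group(5))
            cur.iface, cur.pid = m.group(7), int(m.group(8))
        elif line.startswith("flags:"):
            cur.flags = _names(line[len("flags:"):])
        elif line.startswith("sockaddrs:"):
            addr_names = _names(line[len("sockaddrs:"):])
        elif addr_names is not None and line:
            # The address line follows "sockaddrs:" in the same order as the
            # names; DST and GATEWAY are the first two bits of the mask, so they
            # come first when the names are missing (as in the archive above).
            if not addr_names:
                addr_names = ["DST", "GATEWAY"]
            cur.addrs = dict(zip(addr_names, line.split()))
            addr_names = None
    return msgs


def kernel_originated(msgs):
    """Route add/delete/change messages with pid 0: the kernel itself installed
    or removed the route.  A DYNAMIC flag on such a route means it was created
    by an ICMP redirect (the D flag in netstat(1)); that is the first thing to
    check when host routes toward a gateway appear without anyone adding them."""
    return [m for m in msgs
            if m.pid == 0 and m.kind in ("RTM_ADD", "RTM_DELETE", "RTM_CHANGE")]


def describe(m):
    return "%s %s %s -> %s via %s pid=%d flags=%s" % (
        m.when, m.kind, m.addrs.get("DST", "?"), m.addrs.get("GATEWAY", "?"),
        m.iface, m.pid, ",".join(m.flags))


# Constructed sample in the format of the capture above (not a real capture).
SAMPLE = """\
got message of size 176 on Tue Jan 26 13:13:16 2021
RTM_DELETE: Delete Route: len 176, priority 8, table 0, if# 8, name pair1, pid: 0, seq 0, errno 0
flags:<UP,GATEWAY,HOST,DYNAMIC,DONE>
fmask:
use:       0   mtu:       0    expire:       0
locks:  inits:
sockaddrs: <DST,GATEWAY,IFP,IFA>
 172.67.203.118 10.0.0.1 xx:xx:xx:xx:xx:xx 10.0.0.2
got message of size 176 on Tue Jan 26 13:13:40 2021
RTM_ADD: Add Route: len 176, priority 8, table 0, if# 8, name pair1, pid: 0, seq 0, errno 0
flags:<UP,GATEWAY,HOST,DYNAMIC,DONE>
fmask:
use:       0   mtu:       0    expire:       0
locks:  inits:
sockaddrs: <DST,GATEWAY,IFP,IFA>
 104.18.26.20 10.0.0.1 xx:xx:xx:xx:xx:xx 10.0.0.2
got message of size 128 on Tue Jan 26 13:14:02 2021
RTM_ADD: Add Route: len 128, priority 8, table 0, if# 8, name pair1, pid: 4242, seq 1, errno 0
flags:<UP,GATEWAY,HOST,STATIC>
fmask:<UP,GATEWAY,HOST,STATIC>
use:       0   mtu:       0    expire:       0
locks:  inits:
sockaddrs: <DST,GATEWAY>
 203.0.113.7 10.0.0.1
"""

if __name__ == "__main__":
    for msg in kernel_originated(parse_route_monitor(SAMPLE)):
        print(describe(msg))
```

Feed it a saved `route monitor` log in place of SAMPLE; messages from a real PID can then be matched against process accounting, and the pid 0 ones checked for the DYNAMIC flag.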

Re: Issues with Teclast F7 Plus

2020-12-24 Thread James Hastings
On 13 Dec 2020, 13:27:48 +, Joel Carnat wrote:
> Hello,
>
> I just got a Teclast F7 Plus laptop and installed OpenBSD 6.8-current on
> it. Most things work except apm and touchpad
>
> Using zzz or ZZZ, it seems suspend/hibernation start but are never
> achieved. The backlight keyboard and power led are still on. On Linux,
> keyboard goes black and power led slowly blinks.
> Plus, there is no way to resume the laptop. I have to force a poweroff
> using the power button.
>
> Regarding the touchpad, it doesn't work; neither with wsmoused(8) nor
> in Xorg. It seems to be identified and attached to pms0. Looking at a
> Linux dmesg, it references I2C:
> [5.462957] kernel: input: HTIX5288:00 0911:5288 Touchpad as
> /devices/pci:00/:00:17.3/i2c_designware.7/i2c-8/i2c-HTIX5288:00/0018:0911:5288.0001/input/input11
> So I guess OpenBSD should rather attach it to imt(4)?


This diff should activate I2C touchpad on your laptop:

Index: dev/pci/dwiic_pci.c
===
RCS file: /cvs/src/sys/dev/pci/dwiic_pci.c,v
retrieving revision 1.14
diff -u -p -u -r1.14 dwiic_pci.c
--- dev/pci/dwiic_pci.c 7 Oct 2020 11:17:59 -   1.14
+++ dev/pci/dwiic_pci.c 23 Dec 2020 00:02:50 -
@@ -117,6 +117,14 @@ const struct pci_matchid dwiic_pci_ids[]
{ PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_6 },
{ PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_7 },
{ PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_8 },
+   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_GLK_I2C_1 },
+   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_GLK_I2C_2 },
+   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_GLK_I2C_3 },
+   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_GLK_I2C_4 },
+   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_GLK_I2C_5 },
+   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_GLK_I2C_6 },
+   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_GLK_I2C_7 },
+   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_GLK_I2C_8 },
 };
 
 int
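Review bot: the eight new PCI_PRODUCT_INTEL_GLK_I2C_1 to _8 entries in dwiic_pci_ids[] reference product ids that this diff does not define; unless they are already present in sys/dev/pci/pcidevs (with pcidevs.h regenerated), the kernel will not build with only dwiic_pci.c changed. Either include the pcidevs hunk or state that the ids are already in-tree, and say which machine (the Teclast F7 Plus reported above) the touchpad attach was verified on.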



Re: Dissing Misks

2020-12-23 Thread James Cook
> > If you're starting fresh, isn't it simpler to use a GPT partition
> > table if you want to go past that limit?
> > 
> 
> IF your computer supports GPT, that's certainly an option.
> However, I've yet to find anything "simpler" about GPT setups.
> Whatever GPT was supposed to make better, I think they missed.
> 
> (to be fair: I understand the OpenBSD MBR boot process very well, and
> I can fix just about anything that goes wrong with it.  I have NOT
> figured out all of GPT booting all that well -- I can make it work,
> (more accurately: I can let the OpenBSD devs make it work) but I
> can't exactly tell you what is going on under the hood.  I have got
> multibooting to work with GPT, and if I ever figure out all of how
> THAT worked, it might be a better way of doing multibooting than
> the usual MBR solutions.)
> 
> I've never regretted setting up a MBR boot system on an "either will
> do" machine.  I have regretted setting up a GPT system on a machine
> that became unreliable, and thus had to be replaced, and I spent too
> long trying to find a new used system that was also GPT capable.

Oops; fair enough; I forgot about booting.

-- 
James



Re: Dissing Misks

2020-12-23 Thread James Cook
On Wed, Dec 23, 2020 at 10:21:08AM -0500, Nick Holland wrote:
> On 2020-12-22 23:58, Allan Streib wrote:
> > Duncan Patton a Campbell  writes:
> > 
> >> fdisk seems unwilling to allow more than 2T in the partition:
> > 
> > Look at the b command for disklabel(8) to set the OpenBSD disk
> > boundaries.
> > 
> > Allan
> > 
> 
> yep.
> fdisk can't do bigger than 2T because that's as big as the MBR tables
> allow. But fdisk is only used to mark off the OpenBSD part of the disk
> to keep other OSes from stomping on its space. If you are running an
> exclusively OpenBSD system or otherwise keep the OSes from getting
> confused, fdisk isn't used for much.  Make it as big as you can, and
> you are fine.
> 
> disklabel, by default, only uses the OpenBSD fdisk partition, but you
> can blow through that barrier with the 'b' command, as Allan indicated.
> 
> If you are using softraid, you will have to repeat the disklabel 'b'
> thing for the softraid disks, too.  I usually forget that part.
> 
> Nick.

If you're starting fresh, isn't it simpler to use a GPT partition
table if you want to go past that limit?

-- 
James



Predict which changes will be in snapshot pulled by sysupgrade?

2020-12-09 Thread James Cook
My question:

If I see a recent change in CVS, is there any way to know whether it
will be included if I run sysupgrade right now?

More info:

Usually this comes up when I see errata announced: I can find the
corresponding change in CVS, but if I run sysupgrade on a -current
system, I have no idea whether that change made it in, so I don't know
if the problem is fixed on my system.

I found a couple of old (pre-2010) documents [0] [1] saying this
information is not available, but was wondering (a) whether that's
changed in the past 10 years, or (b) is there a heuristic that's likely
to work anyway, e.g. take the timestamps of the files in the
pub/OpenBSD/snapshots directory and subtract X hours.

I also had a strange experience recently where I ran sysupgrade several
times on the same machine within a few hours, and each time, got a
different #xxx in the output of uname -a (like "GENERIC.MP#206"). I
know the #xxx isn't very meaningful, but I expected it to at least
match if I download the same snapshot, and I'd expect to get the same
snapshot unless a new build has been completed in the meantime.
/etc/installurl contained https://cdn.openbsd.org/pub/OpenBSD . Is my
mental picture of what's going on too simple? Or do new builds really
appear every couple of hours? (I was trying to reproduce a bug I got on
another computer; I think it was the issue reported here:
https://marc.info/?l=openbsd-tech&m=160694869915567&w=2 .)

[0] https://undeadly.org/cgi?action=article;sid=2008094306
[1] https://ftp.openbsd.org/pub/OpenBSD/doc/history/obsd-faq43.pdf ("It
is sometimes asked...")

-- 
James



Re: softraid0 errors after 6.8 upgrade

2020-11-22 Thread James Cook
On Sun, Nov 22, 2020 at 12:04:29PM +0100, Leo Unglaub wrote:
> Hi,
> i upgraded my desktop to the latest 6.8 release. I used sysupgrade to do the
> upgrade and everything worked fine. But now i noticed in my dmesg the
> following error messages:
> 
> > softraid0: sd6: i/o error 5 @ CRYPTO block 475440376
> > softraid0: sd6: i/o error 5 @ CRYPTO block 475440376
> > softraid0: sd6: i/o error 5 @ CRYPTO block 473833936
> > softraid0: sd6: i/o error 5 @ CRYPTO block 473833936
> > softraid0: sd6: i/o error 5 @ CRYPTO block 473833936
> > softraid0: sd6: i/o error 5 @ CRYPTO block 473833936
> > softraid0: sd6: i/o error 5 @ CRYPTO block 473833936
> > softraid0: sd6: i/o error 5 @ CRYPTO block 473833936
> > softraid0: sd6: i/o error 5 @ CRYPTO block 473833936
> > softraid0: sd6: i/o error 5 @ CRYPTO block 473833936
> > softraid0: sd6: i/o error 5 @ CRYPTO block 473833936
> > softraid0: sd6: i/o error 5 @ CRYPTO block 477298832
> 
> This only happens when i want to read certain files in /home. I checked with
> fsck but it reports the partition to be fine. Has this something to do with
> the upgrade? I did not find anything in the changelog.

Could this happen if there's a problem with the disk blocks backing the
content of those files? I don't think fsck tries to read blocks that
only store file content.

-- 
James



Re: System auditing and logging

2020-11-13 Thread James

Thanks. I have enabled system accounting.

acct(5) seems to be limited by the fact that it is triggered on process
exit, doesn't contain the process ID or parent process ID and can only
store 10 characters for the command name.

ktrace could work but it's far too slow without limiting syscalls
recorded to a specific subset.

Is there any interest in modifying ktrace to allow for specifying
individual names of syscalls to trace?

e.g. ktrace -t c -u execve,sendmsg

On Fri, Nov 13, 2020 at 07:57:54AM -0700, Theo de Raadt wrote:

man accton

James  wrote:


Recently a machine running OpenBSD 6.8 had its configuration changed and I
believe it to have been subject to a malicious attack.

This change is completely unexplainable, compromised security, and would
have required root access.

The log files reveal nothing out of the ordinary except for wtmp
indicating 0 users are logged in:

-bash-5.0# who
-bash-5.0# w
 1:49PM  up  2:21, 0 users, load averages: 1.35, 1.38, 1.50
USERTTY FROM  LOGIN@  IDLE WHAT
-bash-5.0#


I would like to be able to log every exec syscall with the details of the
current timestamp, calling PID, program path, arguments, and new PID.

Ideally this would be implemented in the kernel. Are there any
existing solutions?

Thanks,







System auditing and logging

2020-11-13 Thread James

Recently a machine running OpenBSD 6.8 had its configuration changed and I
believe it to have been subject to a malicious attack.

This change is completely unexplainable, compromised security, and would
have required root access. 


The log files reveal nothing out of the ordinary except for wtmp
indicating 0 users are logged in:

-bash-5.0# who
-bash-5.0# w
 1:49PM  up  2:21, 0 users, load averages: 1.35, 1.38, 1.50
USER    TTY FROM              LOGIN@  IDLE WHAT
-bash-5.0#


I would like to be able to log every exec syscall with the details of the
current timestamp, calling PID, program path, arguments, and new PID.

Ideally this would be implemented in the kernel. Are there any
existing solutions?

Thanks,



Re: Approved way to update installed ports after system upgrade?

2020-10-20 Thread James Cook
On Tue, Oct 20, 2020 at 05:32:48PM -0700, Andrew Robertson wrote:
> What's the standard way to upgrade installed ports after a system upgrade?
> 
> 
> I've been trying to figure out how to do this properly, and it doesn't seem
> to
> 
> have any mention in the FAQ. Thanks in advance.

From https://www.openbsd.org/faq/upgrade68.html, I think this is your
answer:

"Finish up by upgrading the packages using pkg_add -u."

-- 
James



No longer can change brightness

2020-10-13 Thread james . luigy
Hello,

The latest snapshots (maybe 1 week ago) have made wsconsctl(8) no longer 
functional for changing display brightness on my MacBook Pro mid 2014.

The expected behavior would be for `wsconsctl display.brightness=X` to change 
the value for the desired percentage, but it always returns `display.brightness 
-> 0.00%` while keeping the brightness at the highest possible.

Is anyone else having the same issue? Did anyone solve it?

Thanks!


OpenBSD 6.8-current (GENERIC.MP) #107: Mon Oct 12 13:26:31 MDT 2020
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Re: time_t

2020-10-05 Thread James Cook
On Mon, Oct 05, 2020 at 03:16:24PM +, Roderick wrote:
> 
> The result of time() has type time_t and we know what kind of number
> goes there: seconds since 0 hours, 0 minutes, 0 seconds, January 1,
> 1970, Coordinated Universal Time.
> 
> In my FreeBSD running on a 64 bit processor this type is: int (__32_t).
> It considers this size enough for above information.
> 
> In my OpenBSD running on a 32 bit processor this type is: long long
> (__64_t).
> 
> None of both has an unsigned type, although time moves forward
> (more or less fast!!!).

I don't know if these are the real reasons, but I can think of two ways
having a signed type helps:

(a) Sometimes, you might want to represent times before 1970. Not in the
return value of time(), of course, but maybe in other places your
program is reasoning about times.

(b) Working with unsigned types can be error-prone. For example,
consider:

if (deadline - time(NULL) < TIME_NEEDED) {
  printf("There's not enough time left.\n");
}

You probably want the condition to be triggered even when
time() > deadline, but that's not what the above code would do if
they were unsigned. There are probably more compelling examples
where it's even more obvious unsigned ints will not do what you
probably wanted, but that's what came to me on the spot. In any
case, my previous employer's (C++) style guide strongly discouraged
use of unsigned integer types for this reason.

-- 
James
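
As an added example (not code from the post above), here is the deadline check written once with an unsigned and once with a signed time type, so the wraparound the post describes can be seen; TIME_NEEDED and the timestamps are constructed for illustration.

```c
/* Added example, not from the original mail: the deadline check from the
 * post, compiled both ways, to show why the unsigned version misbehaves
 * once the deadline has already passed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TIME_NEEDED 60  /* seconds of work still required (constructed value) */

/* Unsigned time type: deadline - now wraps around when now > deadline, so a
 * deadline that is already in the past looks like a huge remaining budget
 * and the "not enough time" branch is never taken. */
static bool not_enough_time_unsigned(uint64_t deadline, uint64_t now)
{
    return deadline - now < (uint64_t)TIME_NEEDED;
}

/* Signed time type (as with OpenBSD's 64-bit time_t): the subtraction goes
 * negative once the deadline is in the past, and the check stays true. */
static bool not_enough_time_signed(int64_t deadline, int64_t now)
{
    return deadline - now < TIME_NEEDED;
}

int main(void)
{
    /* Constructed timestamps: the deadline passed ten seconds ago. */
    int64_t deadline = 1601917200;      /* 2020-10-05T17:00:00Z */
    int64_t now = deadline + 10;

    printf("unsigned check says not enough time: %s\n",
           not_enough_time_unsigned((uint64_t)deadline, (uint64_t)now)
               ? "yes" : "no (wrapped around)");
    printf("signed check says not enough time:   %s\n",
           not_enough_time_signed(deadline, now) ? "yes" : "no");
    return 0;
}
```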



Re: Microsoft's war on plain text email in open source

2020-08-26 Thread James Huddle
She never really says how old her "partner" is.
Perhaps he is a developer who has literally "...grown up in the
last five or ten years..."

On Wed, Aug 26, 2020 at 9:50 AM Rafael Possamai  wrote:

> >- Original message -
> >From: Greg Thomas 
> >
> >"... he had to set up an entirely new mail client which didn’t mangle his
> >email message to HTML-ise... That’s a barrier to entry that’s pretty
> >high..."
> >
> >Wow.  Life's rough.
>
> Most desktop/web email clients I've ever used have plain-text mode for
> composing.
>
>


Re: multiple simultaneous X sessions?

2020-08-25 Thread James Cook

Rather, I'm looking for a full separation between the users,
nothing shared but the obsd kernel and hardware, and no more overhead for
each one than X normally has, since each user is just running
flat normal X, but fully and independently of the other X user.  Am I
mistaken in how I understand Xnest and Xephyr?


Right, I think the vnc / Xnest / Xephyr suggestions assume you've got 
one "main" user accessing the sessions that belong to the other users.


I don't really know enough to comment on how much any of this helps with 
security.


--
James



Re: multiple simultaneous X sessions?

2020-08-24 Thread James Cook

On 2020-08-24 15:24, Luke A. Call wrote:

What would it take for me to run more than one simultaneous X session, each
as a different user? -- I tried once a few years ago, searching, reading
man pages, and chasing error messages, and failed at the time.
Is it known whether it is reasonably possible with the current code?

(This is so I can take advantage of the privilege separation
provided by the OS, while doing different activities and programs
with different informal trust levels, as separate
users, but without the cpu overhead of using "ssh -[X|Y] ...".  This was
my normal practice in my Debian days, switching among them with
Ctrl-Alt-FN.)
  
Either way, thanks much for any info.


Luke Call


I don't know if it's possible to do exactly what you want, but as an 
alternative, maybe you could get a similar effect using Xnest or vnc.


--
James



Re: email attachments in firefox

2020-08-21 Thread James Cook
On 2020-08-21 16:51, Raymond, David wrote:
> I noticed that trying to load an attachment to Gmail in Firefox leads
> to a basically empty menu for selecting the file to be loaded?  What
> gives?  Is this something to do with pledge/unveil?  Is there a way to
> do this?
> 
> Dave Raymond

In practice, if I want to give Firefox access to a file, I move it to
~/Downloads and then it will appear in that chooser.

Yes, it's related to unveil. You can configure it. I think there's more
info under /usr/local/share/doc/pkg-readmes (I don't have access to my
OpenBSD system right now but probably look for "firefox" in that directory.)

-- 
James



pkg_add man page doesn't document default path properly

2020-08-09 Thread James Cook

Hi misc@,

(Sent here instead of bugs@ in case I'm missing something obvious.)

The pkg_add(1) man page claims the default path (if [TRUSTED_]PKG_PATH 
are unset) is "./:installpath", where "‘installpath’ refers to the 
contents of installurl(5)".


As far as I can tell, the default path is actually something like 
"(content of /etc/installurl)/%c/packages/%a", or perhaps something 
involving %m.


Is this an error in the man page, or did I miss something? (And why is 
there a "./" before ":installpath"?)


(It would be nice if the pkg_add man page, and maybe 
https://www.openbsd.org/faq/faq15.html , said prominently that the 
packages downloaded depend on the OpenBSD flavour you have installed. I 
was trying to figure out whether that was the case or whether it just 
downloads "latest" packages by default whether or not I'm on a release. 
Neither page seems to give a straightforward answer. Eventually I 
figured it out by looking at the output of pkg_info.)


--
James (previously jc...@cs.berkeley.edu)



Re: mpd: failed to open default sndio device

2020-06-15 Thread James

Did you find a solution to this? Copying ~/.sndio/cookie into _mpd's
home directory did not fix this error for me.

On Fri, Oct 18, 2019 at 02:34:48PM +0300, Кирилл wrote:

Hello.
After install mpd:
$ mpc play
Antimatter - Over Your Shoulder
[paused]  #1/7   0:00/4:41 (0%)
volume:100%   repeat: off   random: off   single: off   consume: off
ERROR: Failed to open "sndio output" (sndio); Failed to open default sndio
device

dmesg:
https://pastebin.com/y5A81Cqh




Re: DNS and rdomains

2020-05-28 Thread James

Thanks. Your solution works but is not ideal for my situation. The
reason it's not ideal is that one of the rdomains gets its nameserver
from DHCP and I don't think unbound can read this information.

For example, in the case of a captive portal or floating between APs I 
would like DNS to work on different LANs where outbound DNS queries are
blocked.


I'm trying to build an isolated network environment in which all traffic
is routed over an interface with a custom DNS server and no network leaks.

My solution so far is as follows:
 ___________    ___________
|           |  |           |
| rdomain0  |  |  rdomain1 |
|   pair0   |  |   pair1   |
|   tun0    |  |   wlan0   |
|___________|  |___________|

with pf tagging and NAT'ing tun0 traffic behind wlan0.
rdomain0 DNS queries should be routed to a fixed address and
rdomain1 DNS queries should be sent to the nameserver as per
/etc/resolv.conf generated from dhclient.

Linux's implementation of network namespaces allows for custom
resolv.conf files per network namespace [1]. The problem I 
currently face is that only 1 rdomain can perform DNS queries at a 
time by modifying /etc/resolv.conf.


Thanks,



[1] https://www.man7.org/linux/man-pages/man8/ip-netns.8.html

On Wed, May 27, 2020 at 11:35:11PM +0100, Tom Smyth wrote:

howdy,

you can use symbolic links for /etc/rc.d/nsd to /etc/rc.d/nsd1
and to /etc/rc.d/nsd2 to /etc/rc.d/nsdn where 1, 2, ..., n are your
rdomains for your
dns servers (authoritative) or you can use unbound instead of nsd
if it is just a forwarding dns server

then use  for a dns server for rdomain1
rcctl enable nsd1
rcctl set nsd1 rtable=1

repeat the procedure for each domain configured
rcctl enable nsd2
rcctl set nsd2 rtable=2

then go back to rdomain0
route -T0 exec ksh
and then run the following to start each of your daemons

rcctl start nsd1
rcctl start nsd2

and so on and so forth...

I used to have issues starting and stopping daemons if I was not in
the correct domain when running the rcctl command,
I saw a diff by ajacoutot a few months / years ago that might have
fixed the rcctl starting domains from a shell in a different
Rdomain...
I just got into the habit...  of going to the correct rdomain of the
daemon or rdomain0 before running the rcctl command to start / stop or
restart the daemon

Hope this helps,

Tom Smyth


On Wed, 27 May 2020 at 23:24, James  wrote:


Hi all,

How can I allow different rdomains to use separate DNS nameservers?

Thanks




--
Kindest regards,
Tom Smyth.





DNS and rdomains

2020-05-27 Thread James
Hi all, 


How can I allow different rdomains to use separate DNS nameservers?

Thanks



dhcp dhcp problem with ramnode.com: "CLASSLESS_STATIC_ROUTES too long" (workaround included)

2020-05-04 Thread James Cook
Hi misc,

I'm mostly posting this so people doing a web search can find my
workaround. However, if someone's interested in debugging it, I'm
happy to cooperate. I don't know whether this is dhclient's fault or
ramnode's fault.

Here is my /etc/dhclient.conf ; the comment mostly explains the issue.
Without this, dhclient doesn't set up routing, so I can't access the
outside network.

-- BEGIN /etc/dhclient.conf

# OpenBSD's dhclient seems to play badly with ramnode's implementation of
# classless-static-routes, as shown in the following example. (I don't know if
# specifying -v a second time did anything.)
#
# # dhclient -vv vio0
# vio0: DHCPREQUEST to 255.255.255.255
# vio0: DHCPACK from 168.235.109.252 (fa:16:3e:60:7a:33)
# vio0: CLASSLESS_STATIC_ROUTES too long
# vio0: 168.235.109.198 lease accepted from 168.235.109.252 (fa:16:3e:60:7a:33)
#
# The below request line contains the default value with classless-static-routes
# removed (according to the default documented in the dhclient.conf(5) man
# page). This alone didn't fix the problem, so I added the ignore line. I guess
# the ignore on its own might be enough but there's a certain logic to not
# asking for something we're going to ignore.
request bootfile-name,broadcast-address,host-name,domain-name,domain-name-servers,domain-search,routers,subnet-mask,tftp-server-name,time-offset;
ignore classless-static-routes;

-- END /etc/dhclient.conf

A couple more notes:

* I set up my server by initializing its disk with install66.fs. I
needed the network for the install to work, since I overwrote the disk
with the new server's partition layout. To get the network to work
temporarily, I ran dhclient -v vio0, noted the IP address that the
DHCPACK came from, and simply ran "route add default (that IP)". It's
not the same IP that gets configured when I use the above workaround,
but it worked.

* Before I implemented the workaround, I remember /etc/hostname.vio0
had an entry for classless-static-routes, even though dhclient said
"CLASSLESS_STATIC_ROUTES too long". I haven't delved deep enough into
the code to understand the significance of that, but mentioning it in
case it's relevant.

BTW, this is my first time using OpenBSD, and I'm quite happy so far.

James
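
As an added example (not from the mail above and not dhclient's own code), here is a parser for the option dhclient complained about, classless-static-routes (DHCP option 121, RFC 3442), showing why its size varies and what a client should check before trusting it; the route list and addresses are constructed.

```c
/* Added example, not part of the original mail or of dhclient(8): a small
 * parser for the classless-static-routes DHCP option (option 121, RFC 3442).
 * Each route is encoded as one prefix-length byte, only the significant
 * octets of the destination (0 to 4 of them), then a 4-byte router, so the
 * option has no fixed size and a client must validate it record by record. */
#include <stdint.h>
#include <stdio.h>

struct route {
    uint32_t dest;     /* destination network, host byte order */
    uint8_t  prefix;   /* prefix length 0..32 */
    uint32_t router;   /* next hop, host byte order */
};

/* Decode an option 121 payload into 'out'. Returns the number of routes, or
 * -1 on malformed data: prefix > 32, a record truncated by the option
 * length, or more routes than 'max' leaves room for. */
static int parse_classless_routes(const uint8_t *opt, size_t len,
                                  struct route *out, size_t max)
{
    size_t i = 0, n = 0;

    while (i < len) {
        uint8_t prefix = opt[i++];
        if (prefix > 32)
            return -1;
        size_t dlen = (prefix + 7) / 8;          /* significant dest octets */
        if (i + dlen + 4 > len)                  /* dest + 4-byte router */
            return -1;
        if (n == max)                            /* caller's buffer is full */
            return -1;
        uint32_t dest = 0;
        for (size_t k = 0; k < dlen; k++)
            dest |= (uint32_t)opt[i + k] << (24 - 8 * k);
        i += dlen;
        uint32_t router = 0;
        for (size_t k = 0; k < 4; k++)
            router |= (uint32_t)opt[i + k] << (24 - 8 * k);
        i += 4;
        out[n].dest = dest;
        out[n].prefix = prefix;
        out[n].router = router;
        n++;
    }
    return (int)n;
}

/* Bytes a route list occupies on the wire; a client with a fixed-size
 * buffer would compare this against its limit before accepting the option. */
static size_t classless_routes_wire_len(const struct route *r, size_t n)
{
    size_t total = 0;
    for (size_t k = 0; k < n; k++)
        total += 1 + (r[k].prefix + 7) / 8 + 4;
    return total;
}

/* Constructed sample payload (RFC 5737 documentation addresses):
 * a default route via 192.0.2.1 and 10.0.0.0/8 via 192.0.2.254. */
static const uint8_t sample_opt121[] = {
    0,  192, 0, 2, 1,                 /* 0.0.0.0/0  -> 192.0.2.1   (5 bytes) */
    8,  10,  192, 0, 2, 254,          /* 10.0.0.0/8 -> 192.0.2.254 (6 bytes) */
};

int main(void)
{
    struct route r[8];
    int n = parse_classless_routes(sample_opt121, sizeof sample_opt121, r, 8);
    if (n < 0) {
        puts("classless-static-routes option is malformed");
        return 1;
    }
    for (int k = 0; k < n; k++)
        printf("%u.%u.%u.%u/%u via %u.%u.%u.%u\n",
               r[k].dest >> 24, (r[k].dest >> 16) & 255,
               (r[k].dest >> 8) & 255, r[k].dest & 255, r[k].prefix,
               r[k].router >> 24, (r[k].router >> 16) & 255,
               (r[k].router >> 8) & 255, r[k].router & 255);
    return 0;
}
```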



Re: Question regarding server hardware

2019-09-10 Thread James Huddle
On 2019-09-07, James Huddle  wrote:
>> I recently purchased a Dell T-330 server that I had intended to
>> install OpenBSD on and use as a serious web server.  My goal was to
>> have more control than would be (naturally) given with, say an AWS VM.
>> And by control, I mean what is *not* running on the box - security-wise.
>>
>> Apparently, Dell ships these with an abundance of "security features"
>> already on the box.  And not a lot of obvious opt-outs.  And a proclivity
>> to not understand that "no means no" in regard to turning off these
>> features.
>> One of which used 60% of (one of 8) processors, all the time.  Constantly
>> running one of my processors at 60% - as long as it was powered up.

>I don't think that is from some hidden "security feature".
>Where is the CPU use showing up? Can you send output from "top -Sn",
>"vmstat -i" and a complete dmesg?

Is there something I could do (like top) to discover why my external HD
turns itself on every 5 seconds after powering down the main box?

-Jim

On Tue, Sep 10, 2019 at 8:47 AM Stuart Henderson 
wrote:

> On 2019-09-07, James Huddle  wrote:
> > I recently purchased a Dell T-330 server that I had intended to
> > install OpenBSD on and use as a serious web server.  My goal was to
> > have more control than would be (naturally) given with, say an AWS VM.
> > And by control, I mean what is *not* running on the box - security-wise.
> >
> > Apparently, Dell ships these with an abundance of "security features"
> > already on the box.  And not a lot of obvious opt-outs.  And a proclivity
> > to not understand that "no means no" in regard to turning off these
> > features.
> > One of which used 60% of (one of 8) processors, all the time.  Constantly
> > running one of my processors at 60% - as long as it was powered up.
>
> I don't think that is from some hidden "security feature".
> Where is the CPU use showing up? Can you send output from "top -Sn",
> "vmstat -i" and a complete dmesg?
>
>
>


Question regarding server hardware

2019-09-07 Thread James Huddle
I recently purchased a Dell T-330 server that I had intended to
install OpenBSD on and use as a serious web server.  My goal was to
have more control than would be (naturally) given with, say an AWS VM.
And by control, I mean what is *not* running on the box - security-wise.

Apparently, Dell ships these with an abundance of "security features"
already on the box.  And not a lot of obvious opt-outs.  And a proclivity
to not understand that "no means no" in regard to turning off these
features.
One of which used 60% of (one of 8) processors, all the time.  Constantly
running one of my processors at 60% - as long as it was powered up.

I understand that there are times when good security requires such measures.
I do.  And if I trusted Dell with 100% of my security needs, I'd be ok if
it phoned home a lot, or repeatedly powered up my external HD after a total
power down, etc.

But I am under-educated and over-paranoid, and so I'm hoping that the
people on this list can offer some suggestions of machines that they use
as internet servers.  I'm looking for *more* power and *less* stuff running
in the background when booting from a newly-installed OS (like obsd).
I can and will go with a 10-yr-old desktop model, if that's what it takes to
achieve "radio silence" when I'm not running anything.

Can you tell me what you like to use?
Thank you in advance.
-Jim Huddle


Re: Piping multiple lines of text via ssh

2019-08-26 Thread James Cass
On Monday, August 26, 2019 8:02 AM, Andreas Kusalananda Kähäri 
 wrote:

> On Sun, Aug 25, 2019 at 10:02:47PM +0300, Mario Galindez wrote:
>
> > hello,
> > i have set my own app as the shell of a user on a remote host. My app
> > reads from stdin, and prints output to stdout.
> > If I do:
> > ssh u...@remotehost.com
> > and manually type multiple lines of text,the app works as expected (i.e. it
> > processess each line, and outputs the result)
> > However, if I do this:
> > ssh -T u...@remotehost.com < file.txt
> > my tool only processes the first line, and then quits.
> > any clues?
> > thx, - m
>
> Hi,
>
> You asked this on both unix.stackexchange.com [1] and an askubuntu.com
> [2]. Are you running OpenBSD or Ubuntu Linux?
>
> You were asked questions about your application and your setup that
> you never answered. Are you going to say more about what your
> application is doing here on this list?
>
> [1] https://unix.stackexchange.com/questions/537363
> [2] https://askubuntu.com/questions/1168456
>
> Regards,
> Kusalananda


Hey Mario,

If I'm understanding your problem, take a look at the "-n" switch in the ssh 
man pages.  I ran in to a similar issue that you're having and this solved it.

I hope this helps...James



Re: PF firewall for desktop

2019-05-28 Thread James Huddle
Lots of miscommunications in these threads.  The original poster here was
talking about setting up a virtual firewall machine to deal with traffic on
a single box.
Most of the war stories are from sys admins protecting a corporate LAN (or
larger) with lawyers and accountants weighing in.  Of course you need to
consider the collective OpenBSD wisdom and up your game accordingly, when
protecting a multimillion dollar facility.

I could really go for a methanol, about now!

On Tue, May 28, 2019 at 6:58 AM Kevin Chadwick  wrote:

> On 5/24/19 8:30 PM, Jean-Francois Simon wrote:
> > Hi,
> >
> > Out of interest, I'd like to let you know a specific use of OpenBSD with
> > PF, in virtualbox, 2 virtual network card Bridged to physical NIC, and
> > building up a subnet with NAT and hence running Packet Filter as the
> > machine's firewall.
> >
> >
> > That's the firewall I use under Win7, OpenBSD running in a VM, out of
> > pure interest into running BSD and let it purify the network access to
> > desktop (without need for additional hardware).
> >
> >
> > Works well, love it.
>
> I have done something similar in the past. My personal preference is
> hyper-v on windows 10 pro which seven can be upgraded to. I would hope
> hyper-V has inherited kernel sandboxing/mitigation protections and
> hardening from Windows kernel/azure.
>
> I assign the physical NIC to the OpenBSD VM and remove all check boxes
> like ipv4/ipv6 support from that NIC. Then I had a VNAT device for
> windows to talk to. Glasswire on top gives a window into the why is it
> connecting there or obfuscating CDNs https certs without the other free
> windows firewall cruft.
>
> I assume communications to the windows box could be made from a foreign
> network via arp manipulation but a nice setup none the less, if you can
> be bothered with it.
>
>
>


Re: PF firewall for desktop

2019-05-27 Thread James Huddle
IP is a fairly high-order construct.  Beneath it, the data link and
physical layers remain almost unnoticed.  One thought that came to mind
would be to attack a machine on the same LAN, and then exploit an Ethernet
vulnerability to listen to "the wire".  Not sure how many (if any) Ethernet
vulnerabilities there are, but that would be one possible vector.  Also,
the nic card itself might have physical-layer vulnerabilities, such as
administrative backdoors.  That's all aimed at eavesdropping.  Escalating
that to an OS pwnership is beyond my imagination.  But I imagine it's not
beyond *somebody's* imagination.  And that's the beauty of the hack.
There's always someone in the rabble with a background in electronics or
orchid-growing or intergalactic imaging that has an insight that nobody
thought to defend.  Check...  No, wait, Checkmate!

On Sun, May 26, 2019 at 4:04 AM Walt  wrote:

> ‐‐‐ Original Message ‐‐‐
> On Friday, May 24, 2019 2:30 PM, Jean-Francois Simon <
> jfsimon1...@gmail.com> wrote:
>
> > Hi,
> >
> > Out of interest, I'd like to let you know a specific use of OpenBSD with
> > PF, in virtualbox, 2 virtual network card Bridged to physical NIC, and
> > building up a subnet with NAT and hence running Packet Filter as the
> > machine's firewall.
> >
> > That's the firewall I use under Win7, OpenBSD running in a VM, out of
> > pure interest into running BSD and let it purify the network access to
> > desktop (without need for additional hardware).
> >
> > Works well, love it.
> >
> > Jean-François
>
> I like having a firewall that would pretty much require someone physically
> entering the computer room in order to attack the firewall.  With OpenBSD,
> your firewall can control your network traffic without having an IP address
> at all.
>
> One thing that you could try is to use the OpenBSD VM as the firewall, but
> don't assign any IP address to the firewall.  The Win7 VM would have the
> actual IP address, but the OpenBSD VM would control the network.
>
> If I ever get around to getting enough IPv4 addresses so that I don't need
> a NAT, I'll go back to isolating access to the firewall with this approach.
>
> I am curious if there is any way to attack the firewall if it has no IP
> addresses.
>
> W
>
>


Re: PF firewall for desktop

2019-05-25 Thread James Huddle
I like your suggestion!  I am security paranoid to a fault.  For me, a
system is either rock solid or wide open.  obsd is the closest I've found
to rock solid, and frankly a virtualbox vm running on win7 feels wide
open.  But the more I thought about your idea, the more I liked it.  Win7
w/o the virtual firewall is more simply at risk, so why not?
Seeing as I am still new to OpenBSD, I would probably have 2 vms: bsd1
passes everything incoming to bsd2 (the firewall), then bsd1 quietly logs
what goes out to check for nefarious-looking packets.  That would take two
separate boxes to even start building, without vms.  The VMs can fight and
die and be replaced, and even a noob like myself can learn what works
better and harder.

Can't wait to set something up.
-Jim

On Fri, May 24, 2019 at 3:38 PM Jean-Francois Simon 
wrote:

> Hi,
>
> Out of interest, I'd like to let you know a specific use of OpenBSD with
> PF, in virtualbox, 2 virtual network card Bridged to physical NIC, and
> building up a subnet with NAT and hence running Packet Filter as the
> machine's firewall.
>
>
> That's the firewall I use under Win7, OpenBSD running in a VM, out of
> pure interest into running BSD and let it purify the network access to
> desktop (without need for additional hardware).
>
>
> Works well, love it.
>
>
> Jean-François
>
>


Re: single user question

2019-05-21 Thread James Huddle
Sorry.  Stefan.  Batting 1000.
-Jim

On Tue, May 21, 2019 at 1:20 PM James Huddle 
wrote:

> Just a quick shout-out to Roderick:
> Thank you for the paper reference.  It's probably perfect for my needs,
> but I've been a bit busy, as of late.  So no papers, regardless of year
> written.
> One of my favorite references is Thompson's "Reflections on Trusting Trust"
> so I'm hep to your SuperFly-Era ways.  No dateism or ageism from this
> child of the 60's.
> -jrh
>
> On Fri, May 17, 2019 at 2:36 PM Nathan Hartman 
> wrote:
>
>> On Fri, May 17, 2019 at 12:28 PM ropers  wrote:
>>
>> >
>> > In the history of the (Berkeley) Fast File System, has there ever been
>> > an attempt to implement DOS-like undelete for FFS/UFS?
>> > (I understand that for technical reasons, this could require running a
>> > daemon that remembers just enough metadata to keep data recoverable so
>> > long as it's not overwritten. I also understand that running a daemon
>> > that remembers things nominally deleted would have security
>> > implications, which may not keep me from running a daemond that w/o
>> > being perfect could protect me from myself at least some of the time.)
>> > I did find this:
>> >
>> https://lists.freebsd.org/pipermail/freebsd-questions/2016-May/271785.html
>> > -- which didn't seem to suggest that the answer was any yessier now
>> > than thirty years ago. So, that's a no, then? Anyone? Bueller?
>>
>>
>> Maybe that could work for "normal delete" while making available a
>> separate
>> "secure delete" that cannot be un-deleted and furthermore overwrites the
>> deleted data with random garbage. Administrators could optionally force
>> the
>> secure overwrite delete.
>>
>> >
>>
>


Re: single user question

2019-05-21 Thread James Huddle
Just a quick shout-out to Roderick:
Thank you for the paper reference.  It's probably perfect for my needs,
but I've been a bit busy, as of late.  So no papers, regardless of year
written.
One of my favorite references is Thompson's "Reflections on Trusting Trust"
so I'm hep to your SuperFly-Era ways.  No dateism or ageism from this
child of the 60's.
-jrh

On Fri, May 17, 2019 at 2:36 PM Nathan Hartman 
wrote:

> On Fri, May 17, 2019 at 12:28 PM ropers  wrote:
>
> >
> > In the history of the (Berkeley) Fast File System, has there ever been
> > an attempt to implement DOS-like undelete for FFS/UFS?
> > (I understand that for technical reasons, this could require running a
> > daemon that remembers just enough metadata to keep data recoverable so
> > long as it's not overwritten. I also understand that running a daemon
> > that remembers things nominally deleted would have security
> > implications, which may not keep me from running a daemond that w/o
> > being perfect could protect me from myself at least some of the time.)
> > I did find this:
> >
> https://lists.freebsd.org/pipermail/freebsd-questions/2016-May/271785.html
> > -- which didn't seem to suggest that the answer was any yessier now
> > than thirty years ago. So, that's a no, then? Anyone? Bueller?
>
>
> Maybe that could work for "normal delete" while making available a separate
> "secure delete" that cannot be un-deleted and furthermore overwrites the
> deleted data with random garbage. Administrators could optionally force the
> secure overwrite delete.
>
> >
>


Re: single user question

2019-05-16 Thread James Huddle
First of all, I must say that it is with genuine gratitude that I read your
responses!

Moving on...
On Wed, May 15, 2019 at 3:05 PM James Huddle 
wrote:
>> What I am trying to do (thank you Troy Martin), is work through
>> the standard answers and missteps toward a more secure OS,
>> starting with OpenBSD and a flashlight.  It is my humble opinion
>> that the optimal number of users for (say) a laptop is one.
>> And the optimal number for a server is zero.  I doubt many would
>> agree with that assessment, but I'm looking for solutions, regardless.

>I'm going to try to phrase this politely, but I might trigger other
>people to say some rude things (not sure if they'll be aimed at
>myself, or not). Anyways...  I have two hypothetical questions you
>should think about:

>1) Why do you doubt that many would agree with that assessment?
Probably the same reason that you would say "...I might trigger other
people to say some rude things..."  Often I feel that by merely stating
my opinion, here, I have opened the door to the proverbial darkroom.
Sorry!  That, and a multi-user system has been the heart and cornerstone
of Unix & co. for MILLENNIA.  That's fine.  But my laptop is not a 1985 VAX.
I just think that pushing the idea forward of using the most popular
multiuser OS in history - in single-user mode - might meet with a little
friction.

>2) Also, what is a "user"?
Good question.  I am a user.  Someone who has hacked into my multi-user
system as a different user is a user.  And apparently, so is the cups
daemon?

>If by "user" you mean "person", that leads to some lines of discussion.

>If by "user" you mean an integer value which appears under the label
>"user_id" (or some variant, such as perhaps "uid") in a C structure,
>that leads to other lines of discussion.

>If by "user" you mean a line in the /etc/passwd file which identifies
>a directory, that leads to yet other lines of discussion.

Although I have some understanding of the three discussions,
I feel that the "interchangeable parts" philosophy, which works great
for firearms technology, has created more problems than we should
be willing to accept in 21st century computing.  A user is *usually* a
human,
and might better be defined as an *owner*.  Not to be confused with
the thousands of visitors to a web site.

In short, If I am sitting at my laptop, no other humans should be
using my laptop at that time, without an arm-twisting amount of
authentication and my conscious awareness of said "other person".
Having a bunch of background processes doing human-user
things blurs that equation, unfavorably, IMO.
...

>From skimming this thread, I don't think you mean any of those. But if
>no one knows what you mean, it doesn't really matter whether they
>agree or disagree with you.

Hope that helps.
Weather's calling for rain.  Fingers crossed.
-Jim

On Wed, May 15, 2019 at 4:47 PM Raul Miller  wrote:

> On Wed, May 15, 2019 at 3:05 PM James Huddle 
> wrote:
> > What I am trying to do (thank you Troy Martin), is work through
> > the standard answers and missteps toward a more secure OS,
> > starting with OpenBSD and a flashlight.  It is my humble opinion
> > that the optimal number of users for (say) a laptop is one.
> > And the optimal number for a server is zero.  I doubt many would
> > agree with that assessment, but I'm looking for solutions, regardless.
>
> I'm going to try to phrase this politely, but I might trigger other
> people to say some rude things (not sure if they'll be aimed at
> myself, or not). Anyways...  I have two hypothetical questions you
> should think about:
>
> 1) Why do you doubt that many would agree with that assessment?
>
> 2) Also, what is a "user"?
>
> If by "user" you mean "person", that leads to some lines of discussion.
>
> If by "user" you mean an integer value which appears under the label
> "user_id" (or some variant, such as perhaps "uid") in a C structure,
> that leads to other lines of discussion.
>
> If by "user" you mean a line in the /etc/passwd file which identifies
> a directory, that leads to yet other lines of discussion.
>
> ...
>
> From skimming this thread, I don't think you mean any of those. But if
> no one knows what you mean, it doesn't really matter whether they
> agree or disagree with you.
>
> Thanks,
>
> --
> Raul
>


Re: single user question

2019-05-15 Thread James Huddle
>What I'm saying is that it takes less work overall to subtract from a
>system in a supportable way than it is to try and handcraft an
>unsupportable system.

If you know the supportable system well and your goal is only
a slight variation of that that system does, then that makes
perfect sense.

If, on the other hand, you are new to the system, and you
notice many examples of problems caused by what appears
to be the basic underpinnings of the system (things like
multiuser and TCP, itself, not to mention the open, welcoming
nature of open source), the kinds of things hard to avoid in a
modern OS, then your argument is less convincing.

If what I've said sounds absurd or unsound, a calm reaction
might be, "try building you own OS!"  And I have tried, and it
is not trivial.  So I look for answers outside of that and of course
OpenBSD is the smallest, strongest, most popular alternative
(for people who seek a secure platform).

And I ask simple (sometimes *too* simple!) questions, and get
answers and move slowly forward.

What I am trying to do (thank you Troy Martin), is work through
the standard answers and missteps toward a more secure OS,
starting with OpenBSD and a flashlight.  It is my humble opinion
that the optimal number of users for (say) a laptop is one.
And the optimal number for a server is zero.  I doubt many would
agree with that assessment, but I'm looking for solutions, regardless.

And yes I do respect the decades and megahours that have gone
into Unix and OpenBSD, by people who are far superior to me
intellectually.  My flashlight is weak, but it still works.

Thanks to all (Rodrigo, esp.) for helping me to see straighter.

-Jim



On Fri, May 10, 2019 at 11:52 AM Misc User 
wrote:

> On 5/10/2019 1:28 AM, cho...@jtan.com wrote:
> > Misc User writes:
> >> It is theoretically possible to do that, but you'd have to do -a lot-
> >> of work to get it to do so.  It'd be much easier finding a proper
> >> way to accomplish what you want without running single-user.
> >
> > I wouldn't recommend using single user mode to do anything other than
> > repair but it's not true to say that doing so is a lot of work. /etc/rc
> > is only ~600 lines and a lot of that is unnecessary if the server is
> > going to run a single thing. In many cases you can probably get away
> > with just mount/fsck/pfctl/netstart.
> >
> > There is actually no such thing as "single user mode". All there is is a
> > kernel which hasn't done anything yet, and everything OpenBSD's does as
> > it "enters multi-user mode" is described clearly and comprehensively in
> > /etc/rc. Duplicating what little of it you want is, literally, as simple
> > as copy-paste.
> >
> > Matthew
> >
> What I'm saying is that it would take far more work to get something
> like httpd to run at that stage than it would take to make the changes
> to a fully booted, and supportable, system.  Making changes to rc is
> going to force the system's operator to make adjustments at every
> system upgrade.
>
> Besides, it is possible to build a very light-weight system to run a
> single thing while still being secure and supportable.  I have a VM
> template (Well, a sitexx.tgz file) that just contains an rc.conf.local,
> a new crontab, a syslogd.conf, and a few trivial scripts.  The system
> weighs in at 8 MB of used RAM in normal operation and a load average of
> zero.  It is also trivial to upgrade, has all its protections, and I can
> remotely monitor it.  Took me two hours to build it, most of that spent
> modifying copies of daily/weekly/monthly to output via syslog instead of
> mail.
>
>
> What I'm saying is that it takes less work overall to subtract from a
> system in a supportable way than it is to try and handcraft an
> unsupportable system.
>


single user question

2019-05-09 Thread James Huddle
If the following questions trigger a sense of road rage, you may
safely assume they are not directed to you.

Is anyone running in single-user mode regularly?
Is anyone running a web server, for instance, in single-user mode?

Many thanks in advance.  Shields up.
-Jim


Re: When will be created a great desktop experience for OpenBSD?

2019-05-08 Thread James Cass
I love the default minimalism, simplicity and freedom of OpenBSD to make it
how I want it.
My "Perfect OpenBSD": spectrwm, dmenu, urxvt (with perl tabbing), tmux, etc.

On Wed, May 8, 2019 at 7:40 AM Peter N. M. Hansteen  wrote:

> > When will be created a great desktop experience for OpenBSD?
>
> I think it is important to keep in mind that in order to achieve
> *anything* in the OpenBSD project (or other open source projects for
> that matter) the way forward is to work *with*, not against, the
> developers and their code.
>
> The short version is, please present your ideas of what you want to do
> with sound reasoning and if at all possible supplement with patches
> posted to tech@.
>
> The patches stand a better chance of being accepted (perhaps along
> with their developer) if the submitter can take comments and valid
> criticisms from competent people (again mainly the developers) in
> stride and seems willing to stay around as maintainer in the longer
> haul (ie not slink back to the shadows after a release or two).
>
> For anyone considering taking up the theme of this thread, please
> consider whether this could somehow be made into the package with only
> minimal impact on the base system.
>
> Such a package could for example leverage all the tools already in the
> base systems to generate something like bsd.graphic.{rd,is,fs} and
> offer a skeleton for a site.tgz for the generated install medium.
>
> If this sounds a lot like what is very achievable with the tools
> already in the OpenBSD base system and seasoned OpenBSD admins would
> do comfortably with a relatively simple autoinstall, it's because that
> is exactly what it is.
>
> But if there is an actual use case spot we're missing, this would be
> the way to filling it with the least amount of extra work for everyone
> involved.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>
>
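
Added example, not code from any post in this thread: a shell script that stages and packs the kind of minimal site set Misc User describes in the single user thread above (rc.conf.local, syslog.conf, a few scripts) and that Peter Hansteen suggests as a site.tgz skeleton here. The disabled service names, the "loghost" name in syslog.conf, the rc.firsttime contents and the assumption that the installer appends its own lines to /etc/rc.firsttime after the sets are unpacked are all mine; the relative-to-/ layout is how the installer extracts every set.

```shell
#!/bin/sh
# Added example (not from the thread): stage and pack a minimal siteXX.tgz.
# The installer unpacks site sets relative to /, so the files are staged
# under a scratch directory with the final absolute layout (etc/...).
# Service names, the remote loghost and the rc.firsttime body are assumptions.

stage_site_files() {
    stage=$1                      # scratch directory, created if missing
    mkdir -p "$stage/etc"

    # rc.conf.local: rc.conf(8) variables; "NO" disables a daemon outright.
    # Only what the single service needs stays enabled (sshd and syslogd are
    # on by default and are not listed here).
    cat > "$stage/etc/rc.conf.local" <<'EOF'
sndiod_flags=NO
smtpd_flags=NO
EOF

    # syslog.conf: ship logs off-box so the guest keeps no local history an
    # intruder could edit; "loghost" is a placeholder name.
    cat > "$stage/etc/syslog.conf" <<'EOF'
*.notice;auth,authpriv.*        @tls://loghost:6514
EOF

    # rc.firsttime: run once by /etc/rc on the first multi-user boot, then
    # removed. Fetching errata here assumes the network is already up and
    # that the installer appends its own lines rather than replacing the file.
    cat > "$stage/etc/rc.firsttime" <<'EOF'
#!/bin/sh
syspatch
EOF

    chmod 644 "$stage/etc/rc.conf.local" "$stage/etc/syslog.conf" \
              "$stage/etc/rc.firsttime"
}

# build_site_tgz OUT STAGE: stage the files and pack them with relative paths
# ("./etc/...") so they land under / when the installer extracts the set.
build_site_tgz() {
    out=$1; stage=$2
    stage_site_files "$stage"
    tar -czf "$out" -C "$stage" .
}

# site_has ARCHIVE PATH: true when PATH (relative to /) is in the set.
site_has() {
    tar -tzf "$1" | sed 's|^\./||' | grep -qxF -- "$2"
}

if [ $# -eq 2 ]; then
    build_site_tgz "$1" "$2" && tar -tzf "$1"
fi
```

Run as `sh build-site.sh site59.tgz /tmp/stage` (file name and release number are placeholders), then drop the tarball next to the other sets on the install medium. Because the archive is unpacked with tar, anything left in it with stray ownership or mode bits ends up on the installed system the same way, which is why the script normalises modes before packing.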


Re: Research and OpenBSD: How can I help?

2019-02-21 Thread James Huddle
Thank you, Mihai.  I needed that.
And honest, sincere thanks to Theo, for working hard, smart,
and continuously for decades.  You are unique.
-Jim Huddle

On Thu, Feb 21, 2019 at 8:31 AM Mihai Popescu  wrote:

> > Frankly, I'd settle for popping the BIOS out and replacing it
> with a 1970's EPROM
>
> Good luck in gathering together 70's EPROM to match the today capacity
> of a flash memory.
>
>


Re: Research and OpenBSD: How can I help?

2019-02-21 Thread James Huddle
>Curious as to what has been "started".  Looks like nothing.

Frankly, I'd settle for popping the BIOS out and replacing it
with a 1970's EPROM, if I thought I could do that without
melting everything.  So, yeah.  Nothing.  Starting with nothing.
Looks that way to me, too.

On Thu, Feb 21, 2019 at 1:03 AM Frank Beuth  wrote:

> On Wed, Feb 20, 2019 at 09:16:04PM -0500, James Huddle wrote:
> >Personally, I envision a sort of "open source BIOS"
> >library in the distant future.  Something we jack in on jtag
> >if we have to.  There is no harm in *starting.*  Meanwhile,
> >my super productive Dell laptop can't keep me from wondering
> >what the SMM is doing during the SMI, while obsd or any other
> >OS sleeps.
>
> There is Coreboot, but it's not a complete solution to the problem yet
> - it does address SMM/SMI but as far as I can tell not necessarily on all
>   platforms,
> - options for removing Intel ME/AMD PSP are limited,
> - and of course it does not cover e.g onboard ARM coprocessors, embedded
>   controllers, keyboard controllers, hard disk controllers which may be
> smart
>   enough to run a whole Linux kernel and edit your files behind your back
>   <http://spritesmods.com/?art=hddhack>, etc...
>


Re: Research and OpenBSD: How can I help?

2019-02-20 Thread James Huddle
>An area that I am personally interested in is running
>OpenBSD on fully open-source / binary-blob-free
>hardware: hardware where there is no proprietary
>firmware that could hide vendor backdoors, and
>ideally where even the design of the chip is available
>to the user for review.

(Heck yes)^2
Of course this is hours of deep conversation away
from something even approaching a realistic plan
of attack; but Paul, with his embedded sys leanings
might be in a good position to move things (slowly)
forward. To the benefit of all computer security, everywhere.
Personally, I envision a sort of "open source BIOS"
library in the distant future.  Something we jack in on jtag
if we have to.  There is no harm in *starting.*  Meanwhile,
my super productive Dell laptop can't keep me from wondering
what the SMM is doing during the SMI, while obsd or any other
OS sleeps.
-x*  every install.

On Tue, Feb 19, 2019 at 9:36 PM Frank Beuth  wrote:

> On Thu, Feb 14, 2019 at 04:22:05AM +, Paul Swanson wrote:
> >I have some general areas of interest, such as embedded
> >computing, but nothing is set in stone yet, so I thought it'd
> >be fun to hear from those in know about areas of priority need
> >within the OpenBSD community.
> >
> >Are there particular problems that could benefit from new
> >ideas or solutions?
>
> An area that I am personally interested in is running OpenBSD on fully
> open-source / binary-blob-free hardware: hardware where there is no
> proprietary
> firmware that could hide vendor backdoors, and ideally where even the
> design of
> the chip is available to the user for review.
>
> The trouble is it's VERY hard to find "fully open" hardware, and the
> hardware
> which is known to exist (loongson, OpenPOWER, RISC V) is difficult to get,
> expensive or not very good, and (except for loongson) not supported by
> OpenBSD.
>
>


Re: wscons API question: input handling?

2019-02-20 Thread James Huddle
is ncurses too high-level for your needs?  That might work.

On Tue, Feb 19, 2019 at 1:27 PM Leonid Bobrov  wrote:

> On Tue, Feb 19, 2019 at 04:01:08PM +, tfrohw...@fastmail.com wrote:
> > Is the package x11/xbindkeys what you are looking for?
> >
>
> No, I need a direct access to keyboard outside X11. If I understand
> wscons, I might help to port libinput to OpenBSD (and send patches to
> upstream) to have usable Wayland compositors, but before I do that, I
> need to start small.
>
>


Re: Firefox (and SeaMonkey) automatically creates a Desktop folder in $HOME

2018-02-14 Thread James Anderson
Xianwen,

If you create ~/.config/user-dirs.dirs with the following lines it will
prevent Firefox from creating those folders:

XDG_DESKTOP_DIR="$HOME"
XDG_DOCUMENTS_DIR="$HOME"
XDG_DOWNLOAD_DIR="$HOME"


Jim

On Wed, Feb 14, 2018 at 7:23 AM, Xianwen Chen  wrote:

> Dear OpenBSD users,
>
> I find that Firefox and SeaMonkey automatically create a Desktop folder in
> $HOME directory. I do not use Desktop folder in fvwm and I do not want it.
> You probably encountered the same problem. How can this behavior of Firefox
> be disabled?
>
> Sincerely,
> Xianwen
>


Re: password-free SSH was Re: [ot] Security of my bit coin wallet

2017-11-15 Thread James
On Wed, Nov 15, 2017 at 3:06 PM, Gareth Nelson  wrote:
> Use key-based authentication?
>

Okay, but that doesn't fit the requirement.
I want something iteratively password free.
AFAIK, somewhere along the line in key-based authentication you need
to enter a password to unlock the key.
The context of this email is a password-free SSH. (blank passwords do
not count as password-free)

What I want to find is a crypto mechanism that allows the use of no
passwords, but with the same guarantees of key-based authentication.

So my thoughts are that to start with something similar to Diffie
Hellman operating at the network layer, you could generate keys when
you wanted to communicate after an initial round of set up.

You wouldn't establish faith in the security of the connection until
proof was given that you are talking to the right host, and you could
get higher or lower levels of proof. Something functioning like the
Sieve of Eratosthenes.

For example, you just use one known fact from the network layer. a
beacon. ntp even. Each communication point in the network, remember
this is a recursive solver, would have different ping time to the
beacon over a large number of pings, or to be able to express the
confidence that this host is who it says it is. Each node has a
complete and different view. In this way you could "push"
Diffie-Hellman to the network layer.

I think it's similar in flavour to a blockchain, but it would
eliminate the need to use passwords when speaking the protocol and
establish some sort of reality to host mapping. Remember we can never
actually verify anything in the internet due to MITM. We can just
increase our probability of success while decreasing the attack
surface for dictionaries.

What do you think?


Cheers,
James








> On Wed, Nov 15, 2017 at 2:38 PM, James  wrote:
>>
>> On Wed, Nov 15, 2017 at 10:42 AM, Raul Miller 
>> wrote:
>> > Assumption is invalid. Flaws are widely documented (e.g. fixed
>> > supply). Probably wrong list, also.
>> >
>>
>> Ok a little more on topic then. SSH.
>>
>> How would you secure SSH without a password, iteratively password-free?
>> A blank password does not count as password-free.
>>
>> My motivation is to turn the internet upside down.
>>
>> Does any current crypto mechanism come to mind?
>>
>> A possible example is the use of Diffie-Hellman at the network layer
>> to identify hosts. I think that would be password-free.
>>
>>
>> > Thanks,
>> >
>> > --
>> > Raul
>> >
>>
>> Thanks,
>> James
>>
>>
>>
>> > On Wed, Nov 15, 2017 at 8:46 AM, James  wrote:
>> >> While a little off topic it is security related so I hope you don't
>> >> mind.
>> >>
>> >> This is the misc list, right?
>> >>
>> >> Assumption 1.
>> >> bitcoin is a secure protocol without flaws.
>> >>
>> >> quote from
>> >> https://github.com/bitcoinbook/bitcoinbook/blob/second_edition/ch01.asciidoc
>> >>
>> >> With these keys they can sign transactions to unlock the value and
>> >> spend it by transferring it to a new owner. Keys are often stored in a
>> >> digital wallet on each user’s computer or smartphone. Possession of
>> >> the key that can sign a transaction is the only prerequisite to
>> >> spending bitcoin, putting the control entirely in the hands of each
>> >> user.
>> >>
>> >>
>> >> Is the security of a bitcoin wallet ultimately determined by its
>> >> password?
>> >> The way I see it, if an attacker had access to my computer, the only
>> >> thing protecting access to the wallet would be a password or some
>> >> iteration of a password scheme, if not mine then a centralized server
>> >> of trust somewhere, but eventually someone has a password that is used
>> >> to unlock a bitcoin. Is that correct reasoning or are there
>> >> alternatives?
>> >>
>> >> Thanks,
>> >> James
>> >>
>>
>
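
Added example, not from any post in this thread: Gareth's one-line answer ("use key-based authentication") is what a password-free SSH login is in practice, and the part that is easy to get wrong is the server side, where the stock defaults still accept passwords next to the keys. This script checks an sshd_config for the settings that make logins key-only, using the keyword defaults from sshd_config(5). The two sample configs are constructed for the example; the check ignores Match blocks and the "Keyword=value" spelling, which is an assumption made to keep the parser short, and the 192.0.2.0/24 prefix in the comment is a documentation placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): verify an sshd_config is key-only.
# Defaults follow sshd_config(5). Assumptions: no Match blocks, and settings
# are written "Keyword value" rather than "Keyword=value".

# first_value FILE KEYWORD: the effective value, i.e. the first occurrence,
# because sshd uses the first setting of a keyword and ignores later ones.
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# sshd_config_violations FILE: print each offending setting; return 1 if any.
sshd_config_violations() {
    f=$1; bad=0

    pw=$(first_value "$f" PasswordAuthentication); : "${pw:=yes}"
    [ "$pw" = no ] || { echo "PasswordAuthentication $pw (want no)"; bad=1; }

    # Challenge-response (PAM/BSD Auth) is a password prompt by another name.
    # Older releases only know the ChallengeResponseAuthentication spelling.
    kbd=$(first_value "$f" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(first_value "$f" ChallengeResponseAuthentication)
    : "${kbd:=yes}"
    [ "$kbd" = no ] || { echo "KbdInteractiveAuthentication $kbd (want no)"; bad=1; }

    pk=$(first_value "$f" PubkeyAuthentication); : "${pk:=yes}"
    [ "$pk" = yes ] || { echo "PubkeyAuthentication $pk (want yes)"; bad=1; }

    # A blank password is not "password-free"; it is an open door.
    ep=$(first_value "$f" PermitEmptyPasswords); : "${ep:=no}"
    [ "$ep" = no ] || { echo "PermitEmptyPasswords $ep (want no)"; bad=1; }

    return $bad
}

# demo_configs DIR: write two constructed configs, one weak and one key-only.
demo_configs() {
    cat > "$1/weak" <<'EOF'
# stock-looking config: PasswordAuthentication is unset, so the default (yes) applies
Port 22
PubkeyAuthentication yes
PermitEmptyPasswords yes
EOF
    cat > "$1/hardened" <<'EOF'
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
EOF
}

# On the client, a key with an empty passphrase (ssh-keygen -N '') is the
# literal no-password option: it works unattended, and anyone who can read
# the file owns the login. The usual compromise is a passphrase typed once
# into ssh-agent, plus an authorized_keys line on the server that fences
# what the key may do, e.g.
#   restrict,from="192.0.2.0/24" ssh-ed25519 AAAA... backup@host
# (192.0.2.0/24 is a documentation prefix, used here as a placeholder)

if [ $# -eq 1 ]; then
    sshd_config_violations "$1" && echo "$1: key-only"
fi
```

Run it against /etc/ssh/sshd_config; anything printed is a setting that still lets a password (or no password at all) in beside the keys.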



password-free SSH was Re: [ot] Security of my bit coin wallet

2017-11-15 Thread James
On Wed, Nov 15, 2017 at 10:42 AM, Raul Miller  wrote:
> Assumption is invalid. Flaws are widely documented (e.g. fixed
> supply). Probably wrong list, also.
>

Ok a little more on topic then. SSH.

How would you secure SSH without a password, iteratively password-free?
A blank password does not count as password-free.

My motivation is to turn the internet upside down.

Does any current crypto mechanism come to mind?

A possible example is the use of Diffie-Hellman at the network layer
to identify hosts. I think that would be password-free.


> Thanks,
>
> --
> Raul
>

Thanks,
James



> On Wed, Nov 15, 2017 at 8:46 AM, James  wrote:
>> While a little off topic it is security related so I hope you don't mind.
>>
>> This is the misc list, right?
>>
>> Assumption 1.
>> bitcoin is a secure protocol without flaws.
>>
>> quote from 
>> https://github.com/bitcoinbook/bitcoinbook/blob/second_edition/ch01.asciidoc
>>
>> With these keys they can sign transactions to unlock the value and
>> spend it by transferring it to a new owner. Keys are often stored in a
>> digital wallet on each user’s computer or smartphone. Possession of
>> the key that can sign a transaction is the only prerequisite to
>> spending bitcoin, putting the control entirely in the hands of each
>> user.
>>
>>
>> Is the security of a bitcoin wallet ultimately determined by its password?
>> The way I see it, if an attacker had access to my computer, the only
>> thing protecting access to the wallet would be a password or some
>> iteration of a password scheme, if not mine then a centralized server
>> of trust somewhere, but eventually someone has a password that is used
>> to unlock a bitcoin. Is that correct reasoning or are there
>> alternatives?
>>
>> Thanks,
>> James
>>



[ot] Security of my bit coin wallet

2017-11-15 Thread James
While a little off topic it is security related so I hope you don't mind.

This is the misc list, right?

Assumption 1.
bitcoin is a secure protocol without flaws.

quote from 
https://github.com/bitcoinbook/bitcoinbook/blob/second_edition/ch01.asciidoc

With these keys they can sign transactions to unlock the value and
spend it by transferring it to a new owner. Keys are often stored in a
digital wallet on each user’s computer or smartphone. Possession of
the key that can sign a transaction is the only prerequisite to
spending bitcoin, putting the control entirely in the hands of each
user.


Is the security of a bitcoin wallet ultimately determined by its password?
The way I see it, if an attacker had access to my computer, the only
thing protecting access to the wallet would be a password or some
iteration of a password scheme, if not mine then a centralized server
of trust somewhere, but eventually someone has a password that is used
to unlock a bitcoin. Is that correct reasoning or are there
alternatives?

Thanks,
James



Re: X710 10Gb card not configured

2017-09-27 Thread James A. Peltier
- On 26 Sep, 2017, at 20:25, Jonathan Gray j...@jsg.id.au wrote:

| On Tue, Sep 26, 2017 at 05:35:40PM -0700, James A. Peltier wrote:
|> Hi Misc,
|> 
|> I am running the latest OpenBSD snapshot and it appears that the 10Gb cards
|> that we have in the unit aren't recognized or configured properly.  I had a
|> look at pcidevs and pcidevs.h files in src/dev/pci and it appears that the device
|> should be found as
|> 
|> src/sys/dev/pcidevs
|> product INTEL X710_10G_SFP   0x1572  X710 SFP+
|> 
|> src/sys/dev/pcidevs.h
|> #define  PCI_PRODUCT_INTEL_X710_10G_SFP  0x1572  /* X710 SFP+ */
|> 
|> 
|> I have attached a pcidump -v below hoping someone might resolve this issue.
|> Please let me know if there is anything else I can provide and when I might
|> be able to try another snapshot.
| 
| There is currently no driver in the tree for Intel X710/XL710 10Gb/40Gb.

Can I get a recommendation on a comparable 10Gb/40Gb card that will work?
Specific card or model numbers, so I can get them in ASAP.

-- 
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 604-365-6432
Fax : 778-782-3045
E-Mail  : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
Twitter : @sfu_rcg
Powering Engagement Through Technology



X710 10Gb card not configured

2017-09-26 Thread James A. Peltier
Hi Misc,

I am running the latest OpenBSD snapshot and it appears that the 10Gb cards 
that we have in the unit aren't recognized or configured properly.  I had a 
look at pcidevs and pcidevs.h files in src/dev/pci and it appears that the 
device should be found as 

src/sys/dev/pcidevs
product INTEL X710_10G_SFP  0x1572  X710 SFP+

src/sys/dev/pcidevs.h
#define PCI_PRODUCT_INTEL_X710_10G_SFP  0x1572  /* X710 SFP+ */


I have attached a pcidump -v below hoping someone might resolve this issue.  
Please let me know if there is anything else I can provide and when I might be 
able to try another snapshot.

 1:0:0: Intel X710 SFP+
0x0000: Vendor ID: 8086 Product ID: 1572
0x0004: Command: 0006 Status: 0010
0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 01
0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 00
0x0010: BAR mem prefetchable 64bit addr: 0x9200/0x0100
0x0018: BAR empty ()
0x001c: BAR mem prefetchable 64bit addr: 0x93008000/0x8000
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 8086 Product ID: 0006
0x0030: Expansion ROM Base Address: 
0x0038: 
0x003c: Interrupt Pin: 01 Line: 0b Min Gnt: 00 Max Lat: 00
0x0040: Capability 0x01: Power Management
State: D0
0x0050: Capability 0x05: Message Signalled Interrupts (MSI)
0x0070: Capability 0x11: Extended Message Signalled Interrupts (MSI-X)
0x00a0: Capability 0x10: PCI Express
Link Speed: 5.0 / 8.0 GT/s Link Width: x8 / x8
0x0100: Enhanced Capability 0x01: Advanced Error Reporting
0x0140: Enhanced Capability 0x03: Device Serial Number
0x0150: Enhanced Capability 0x0e: Alternate Routing ID
0x01a0: Enhanced Capability 0x17: TPH Requester
0x01b0: Enhanced Capability 0x0d: Access Control Services
0x01d0: Enhanced Capability 0x19: Secondary PCIe Capability
0x00e0: Capability 0x03: Vital Product Data (VPD)
 1:0:1: Intel X710 SFP+
0x0000: Vendor ID: 8086 Product ID: 1572
0x0004: Command: 0006 Status: 0010
0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 01
0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 00
0x0010: BAR mem prefetchable 64bit addr: 0x9100/0x0100
0x0018: BAR empty ()
0x001c: BAR mem prefetchable 64bit addr: 0x9300/0x8000
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 8086 Product ID: 
0x0030: Expansion ROM Base Address: 
0x0038: 
0x003c: Interrupt Pin: 01 Line: 0b Min Gnt: 00 Max Lat: 00
0x0040: Capability 0x01: Power Management
State: D0
0x0050: Capability 0x05: Message Signalled Interrupts (MSI)
0x0070: Capability 0x11: Extended Message Signalled Interrupts (MSI-X)
0x00a0: Capability 0x10: PCI Express
Link Speed: 5.0 / 8.0 GT/s Link Width: x8 / x8
0x0100: Enhanced Capability 0x01: Advanced Error Reporting
0x0140: Enhanced Capability 0x03: Device Serial Number
0x0150: Enhanced Capability 0x0e: Alternate Routing ID
0x01a0: Enhanced Capability 0x17: TPH Requester
0x01b0: Enhanced Capability 0x0d: Access Control Services
0x00e0: Capability 0x03: Vital Product Data (VPD)

-- 
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 604-365-6432
Fax : 778-782-3045
E-Mail  : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
Twitter : @sfu_rcg
Powering Engagement Through Technology
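
Added example, not from either post: Jonathan's reply makes the point that an entry in pcidevs only names a device; a driver still has to claim it from its own match table. The script below pulls the vendor:product pairs out of pcidump -v output, looks them up in pcidevs, and then checks dmesg for the "not configured" suffix the kernel prints for a PCI function no driver attached to, which is the line that actually answers the question. The pcidump lines are condensed from the post above; the two-line pcidevs excerpt and the dmesg lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): pcidump -v IDs -> pcidevs name ->
# dmesg "not configured" check. Sample inputs are constructed; the pcidevs
# excerpt stands in for /usr/src/sys/dev/pci/pcidevs.

sample_pcidump() {
    cat <<'EOF'
 1:0:0: Intel X710 SFP+
        0x0000: Vendor ID: 8086 Product ID: 1572
        0x0004: Command: 0006 Status: 0010
 1:0:1: Intel X710 SFP+
        0x0000: Vendor ID: 8086 Product ID: 1572
        0x0004: Command: 0006 Status: 0010
EOF
}

sample_pcidevs() {
    cat <<'EOF'
vendor INTEL    0x8086  Intel
product INTEL X710_10G_SFP      0x1572  X710 SFP+
EOF
}

# constructed dmesg lines: "not configured" is how the kernel reports a PCI
# function that matched no driver
sample_dmesg() {
    cat <<'EOF'
ppb1 at pci0 dev 3 function 0 "Intel Core 3G PCIE" rev 0x09
pci1 at ppb1 bus 1
"Intel X710 SFP+" rev 0x01 at pci1 dev 0 function 0 not configured
"Intel X710 SFP+" rev 0x01 at pci1 dev 0 function 1 not configured
EOF
}

# pci_ids: stdin = pcidump -v text; prints "bus:dev:func vendor:product name"
pci_ids() {
    awk '
        /^[ \t]*[0-9]+:[0-9]+:[0-9]+:/ {
            slot = $1; sub(/:$/, "", slot)
            name = $0; sub(/^[ \t]*[0-9]+:[0-9]+:[0-9]+:[ \t]*/, "", name)
            next
        }
        /Vendor ID:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Vendor")  vid = tolower($(i + 2))
                if ($i == "Product") pid = tolower($(i + 2))
            }
            printf "%s %s:%s %s\n", slot, vid, pid, name
        }'
}

# pcidevs_lookup VENDOR PRODUCT FILE: print the pcidevs name, or fail.
# A hit only proves the ID is known; it says nothing about a driver.
pcidevs_lookup() {
    awk -v vid="0x$1" -v pid="0x$2" '
        $1 == "vendor"  && tolower($3) == vid { vname = $2 }
        $1 == "product" && $2 == vname && tolower($4) == pid {
            $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); print; found = 1
        }
        END { exit found ? 0 : 1 }' "$3"
}

# not_configured: stdin = dmesg text; prints functions no driver claimed
not_configured() {
    grep ' not configured$'
}

if [ "$1" = demo ]; then
    sample_pcidump | pci_ids
    sample_dmesg | not_configured
fi
```

On a real box the same functions take `pcidump -v | pci_ids`, `pcidevs_lookup 8086 1572 /usr/src/sys/dev/pci/pcidevs` and `dmesg | not_configured`; a device that shows up in the first two and in the third is exactly the "known name, no driver" case in this thread.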



Re: OpenBSD-based ISP

2017-08-16 Thread James Shupe
Have you raised states? 10K is the default I believe, the most likely
culprit.

On 8/16/2017 12:55 PM, Juan Guillermo Narvaez wrote:
> Hello everyone!
> 
> I'm relatively new to OpenBSD; I have just 4 years using this OS for dhcp
> servers.
> Today I have the mission of implementing this OS in a cablemodem headend; in
> my first try I got negative results with these rules:
> 
> pass all flags S/SA
> 
> #LAN
> match out log on bge0 inet from 192.168.254.0/24 to any nat-to 200.91.35.55
> pass on bge0 inet from 192.168.254.0/24 to any flags S/SA
> #CPE Network
> match out on bge0 inet from 172.21.0.0/19 to any nat-to 200.91.35.55
> pass on bge0 inet from 172.21.0.0/19 to any flags S/SA
> 
> This is a basic PF config that I use for this try; the CPE network has 900
> active customers.
> When I put the whole customer network traffic through my OpenBSD router the
> traffic tends to fall off slowly and the LAN network is really slow too. I read
> about a lot of 'tweaks' for high performance configurations but I think
> that OpenBSD can handle 400mbps without tweaking.
> 
> Am I wrong?
> What am I doing wrong?
> 
> Thank you!
> 
> 
> 
> 

-- 
James Shupe, HermeTek
developer/ engineer
BSD/ Linux support & hosting
jsh...@hermetek.com | www.hermetek.com
Office 5127922525 | Mobile 5122846350
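
Added example, not from either post: James's suggestion is that the default state limit, not throughput, is what 900 customers behind one NAT are hitting. The script below reads the two numbers pfctl reports (the hard limit from `pfctl -s memory`, the current entry count from `pfctl -s info`), decides whether the table is close to full, and sizes a replacement `set limit states` line. The pfctl output is constructed for the example and mirrors those two layouts; the 50-states-per-customer figure is an assumption to replace with a measured one. Once the table is full, packets that would create a new state are dropped with no log entry unless the rule says `log`, which is the slow fade the original post describes, and it is also what a port scan or a SYN flood against the customer range does to the box on purpose.

```shell
#!/bin/sh
# Added example (not from the thread): is the pf state table the bottleneck,
# and what should the limit be? pfctl output below is constructed.

sample_pf_memory() {
    cat <<'EOF'
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     1024
tables        hard limit     1000
table-entries hard limit   200000
EOF
}

sample_pf_info() {
    cat <<'EOF'
Status: Enabled for 3 days 02:11:40           Debug: err

State Table                          Total             Rate
  current entries                     9870
  searches                       912345678        3520.4/s
  inserts                          4123456          15.9/s
  removals                         4113586          15.8/s
EOF
}

# pf_state_limit: stdin = pfctl -s memory; prints the hard state limit
pf_state_limit() {
    awk '$1 == "states" && $2 == "hard" && $3 == "limit" { print $4 }'
}

# pf_state_current: stdin = pfctl -s info; prints current state entries
pf_state_current() {
    awk '$1 == "current" && $2 == "entries" { print $3 }'
}

# pf_state_headroom_ok CURRENT LIMIT PCT: true while the table is below PCT
# percent full. Past the limit, packets needing a new state are dropped.
pf_state_headroom_ok() {
    [ $(( $1 * 100 )) -lt $(( $2 * $3 )) ]
}

# pf_states_needed CUSTOMERS PER_CUSTOMER: a limit with a 2x margin so a
# burst, or a scan against the customer range, does not exhaust the table.
# PER_CUSTOMER is an assumption; measure it from "current entries" at peak.
pf_states_needed() {
    echo $(( $1 * $2 * 2 ))
}

# pf_conf_limit_lines N: the option line to add near the top of pf.conf
pf_conf_limit_lines() {
    cat <<EOF
set limit states $1
EOF
}

if [ "$1" = demo ]; then
    cur=$(sample_pf_info | pf_state_current)
    lim=$(sample_pf_memory | pf_state_limit)
    if pf_state_headroom_ok "$cur" "$lim" 80; then
        echo "states $cur/$lim: fine"
    else
        echo "states $cur/$lim: near the limit, add to pf.conf:"
        pf_conf_limit_lines "$(pf_states_needed 900 50)"
    fi
fi
```

On the router itself the same check is `pfctl -s info | pf_state_current` against `pfctl -s memory | pf_state_limit`, repeated at peak hour; the limit only needs to be raised, but raising it without also looking at what fills the table hides a flood rather than fixing one.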




Re: KERNEL PANIC: HP 250 G5 Notebook PC (W4M67EA)

2017-01-08 Thread James Hastings
On Sat, Jan 07, 2017 at 03:32:22PM -0800, Mike Larkin wrote:
> Also, this is the third time (that I recall) that HP has thrown us a curveball
> in their ACPI implementation (although at least this time they seem to be
> spec-compliant and it's us missing stuff). Toshiba is another vendor that
> tends to do bizarre things.
>
> -ml
>

I own many buggy HP machines; This is a starting point / placeholder.

Index: dev/acpi/acpi.c
===
RCS file: /cvs/src/sys/dev/acpi/acpi.c,v
retrieving revision 1.317
diff -u -p -r1.317 acpi.c
--- dev/acpi/acpi.c 25 Oct 2016 06:48:58 -  1.317
+++ dev/acpi/acpi.c 8 Jan 2017 18:10:22 -
@@ -419,6 +419,10 @@ acpi_gasio(struct acpi_softc *sc, int io
else
acpiec_write(sc->sc_ec, (u_int8_t)address, len, buffer);
break;
+
+   case GAS_CMOS:
+   printf("Unsupported RegionSpace CMOS\n");
+   break;
}
return (0);
 }
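Review bot: the new GAS_CMOS case in acpi_gasio() only prints and then falls through to the `return (0)` below, so a CMOS read reports success while leaving `buffer` untouched and the AML caller consumes whatever was already in it. Either zero the buffer on the read direction of `io` or return non-zero so the failure is visible to the caller, and consider rate-limiting the printf: a firmware method polling a CMOS field would otherwise flood the console with "Unsupported RegionSpace CMOS".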
Index: dev/acpi/acpireg.h
===
RCS file: /cvs/src/sys/dev/acpi/acpireg.h,v
retrieving revision 1.36
diff -u -p -r1.36 acpireg.h
--- dev/acpi/acpireg.h  10 Jul 2016 20:36:41 -  1.36
+++ dev/acpi/acpireg.h  8 Jan 2017 18:10:23 -
@@ -86,6 +86,7 @@ struct acpi_gas {
 #define GAS_PCI_CFG_SPACE  2
 #define GAS_EMBEDDED   3
 #define GAS_SMBUS  4
+#define GAS_CMOS   5
 #define GAS_FUNCTIONAL_FIXED   127
u_int8_tregister_bit_width;
u_int8_tregister_bit_offset;
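Review bot: 5 is the ACPI spec's SystemCMOS address-space ID, so the value is right; add a short comment saying so next to the define, since acpi_gasio() switches on these raw numbers and none of the existing GAS_* lines say which spec ID they encode.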
Index: dev/acpi/dsdt.c
===
RCS file: /cvs/src/sys/dev/acpi/dsdt.c,v
retrieving revision 1.228
diff -u -p -r1.228 dsdt.c
--- dev/acpi/dsdt.c 18 Dec 2016 15:59:22 -  1.228
+++ dev/acpi/dsdt.c 8 Jan 2017 18:10:25 -
@@ -2470,6 +2470,7 @@ aml_rwfield(struct aml_value *fld, int b
case ACPI_OPREG_SYSIO:
case ACPI_OPREG_PCICFG:
case ACPI_OPREG_EC:
+   case ACPI_OPREG_CMOS:
aml_rwgas(ref1, fld->v_field.bitpos + bpos, blen,
val, mode, fld->v_field.flags);
break;
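Review bot: ACPI_OPREG_CMOS is referenced here but not defined anywhere in this diff; unless dsdt.h already has it, the tree will not build, so either add the define in the same patch or say where it lives. Also, since the new case sends CMOS through the same aml_rwgas() path as SYSIO, PCICFG and EC, confirm that the opregion type value handed to aml_rwgas() maps onto the new GAS_CMOS value, otherwise the "Unsupported RegionSpace CMOS" message in acpi.c will never fire and the access is treated as whichever space shares the number.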



Re: DigitalOcean and OpenBSD

2016-08-24 Thread James Pole
I second the recommendation for Vultr. Loading an OpenBSD ISO and using that
to install OpenBSD is a very straightforward process and it works very well in
my experience. I have had a Vultr VPS running OpenBSD 5.9 for the last few
months. It is part of a test to see whether it will function as a replacement
for my existing FreeBSD and Debian VPS instances. I have been impressed
enough that I plan to replace my FreeBSD and Debian instances with OpenBSD
instances before the end of the year.

- James

> On 25/08/2016, at 8:25 AM, Pedro Tender  wrote:
>
> Not helping to the question but...
>
> Regarding similar cheap vps service you could try vultr where one can
> install a custom ISO and have a clean OpenBSD install without
> pre-installing other OSes - from what I can see it makes everything a big
> mess.
> I run a 5.9 stable (updated since original 5.7 install) there without any
> problems but I don't have HD encryption so I don't have any idea and can
> only suppose it should work without problems being a clean install.
> While installing with their webKVM I can only have my keyboard layout (PT)
> working if I use MSWindows, nor OSX nor OpenBSD make correct keyboard
> attribution (and I cannot remove X packages on install because I don't have
> the - key anywhere). I don't know if other keyboards will have similar
> problems.
>
> Just wanted to share my experience so you could try alternatives if you
> DOcean experience leaves you hanging.
>
> On Aug 24, 2016 20:52, "R0me0 ***"  wrote:
>
>> Hey Adam,
>>
>> I have had this issue for the third time in different regions on the last
>> 30 days and my procedure was getting minirootfs like Tubsta procedure.
>>
>> the only thing different was to get openbsd 5.9 stable branch, recompiled
>> kernel, rebooted and then recompiled userland tools and rebooted . ( Works
>> like a charm ) and as expected :P
>>
>> Procedures from here https://www.openbsd.org/stable.html
>>
>> But suddenly, like today, the same # reboot
>> I have NO O/S found.
>>
>> That's it
>>
>>
>>
>>
>>
>> 2016-08-24 16:12 GMT-03:00 Adam Taylor :
>>
>>> I have not run into any issues with reboots on my encrypted OpenBSD
>>> droplet on DO.
>>>
>>> It's running a 5.9 snapshot, not quite current.
>>>
>>> I followed the Tubsta instructions on getting it running.  But deviated
>>> since I wanted encryption just for fun.
>>>
>>> On Aug 24, 2016 9:42 AM, "R0me0 ***"  wrote:
>>>
>>>> Hello everybody !
>>>>
>>>> Please,
>>>>
>>>> Has anyone already had a disk corruption running OpenBSD @ DigitalOcean
>>>> with disk encryption?
>>>>
>>>> I had this issue for the third time running OpenBSD 5.9 stable branch and
>>>> a simple "reboot" == No O/S
>>>>
>>>>
>>>> Thanks in advance,



httpd.conf(5) macros not expanding for tls options

2016-07-30 Thread James Pole
Hello again,

Given the following httpd.conf(5) configuration on an OpenBSD 5.9-stable
machine…

server "pole.net.nz" {
hsts preload
hsts subdomains
listen on egress tls port 443
root "/htdocs/pole.net.nz"
tls certificate "/etc/letsencrypt/live/cellsites.nz/fullchain.pem"
tls key "/etc/letsencrypt/live/cellsites.nz/privkey.pem"
}

…all works as expected (or in other words, `httpd -n` doesn’t complain).

I will be using the same certificate for several websites since httpd(8) does
not yet support SNI. So I thought I would create a macro for the path to the
TLS certificate and key file and refer to it. So I changed my httpd.conf as
follows…

abc="/etc/letsencrypt/live/cellsites.nz/fullchain.pem"
def="/etc/letsencrypt/live/cellsites.nz/privkey.pem"
server "pole.net.nz" {
hsts preload
hsts subdomains
listen on egress tls port 443
root "/htdocs/pole.net.nz"
tls certificate $abc
tls key $def
}

…however `httpd -n` fails with the following error …

$ doas httpd -n
/etc/httpd.conf:8: syntax error
no actions, nothing to do

A similar error occurs if I explicitly define the path for the certificate
(i.e. without using the macro) and use the macro for the key.

Are macros not supported for the 'tls certificate' and 'tls key' options?

Regards,
James



Re: Weird errors during install.site

2016-07-28 Thread James Pole
> On 29/07/2016, at 12:59 AM, trondd  wrote:
> I do most everything in rc.firsttime.  I think you're going to be better
> off just moving your stuff to rc.firsttime rather than trying to
> manipulate the rd environment.  Is that really going to be easier than
> copy/pasting lines out of a script?
>
> I have an rc.firsttime.tail file in the site tarball, and in install.site,
> I 'cat' it onto the end of any existing rc.firsttime assuming that the
> official install process might want to use it sometimes and I don't want
> to blow it away.

My initial thought was I would have to echo all the scripted commands I wanted
to make to >> rc.firsttime. But your suggestion of creating a separate
rc.firsttime.tail script and then appending the whole thing to rc.firsttime at
once seems like an elegant solution which I will adopt.

Thank you,
James
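
The install.site approach suggested above, written out as an added example (it is not code from either poster). It assumes the site tarball ships /etc/rc.firsttime.tail into the new root and that install.site runs chrooted into that root, which is why absolute paths are used; the function takes the paths as arguments so it can be exercised outside the installer:

```shell
#!/bin/sh
# install.site fragment: added example, not code from the thread above.
# Assumptions: the site tarball unpacked /etc/rc.firsttime.tail into the
# new root, and the installer runs install.site chrooted into that root,
# so the paths below are absolute paths in the installed system.
set -eu

# Append the contents of TAIL to RC (default /etc/rc.firsttime), keeping
# whatever the installer already wrote there. A marker line makes the
# append idempotent if install.site runs twice, and the file is created
# when the installer left none, since /etc/rc only runs it if it exists.
append_firsttime() {
	tail=$1
	rc=${2:-/etc/rc.firsttime}
	marker="# site: $(basename "$tail")"

	if [ ! -f "$tail" ]; then
		echo "append_firsttime: $tail: No such file or directory" >&2
		return 1
	fi
	if [ -f "$rc" ] && grep -qxF "$marker" "$rc"; then
		return 0	# already appended on an earlier run
	fi
	{
		echo "$marker"
		cat "$tail"
	} >> "$rc"
}

# Only act when the site file is actually present, so the script is a
# no-op when sourced or run outside the installer.
if [ -f /etc/rc.firsttime.tail ]; then
	append_firsttime /etc/rc.firsttime.tail
fi
```

Whatever ends up in rc.firsttime.tail (for instance the pkg_add line from the original post) then runs from /etc/rc on the first multi-user boot, after rc has rebuilt /var/run/ld.so.hints, rather than inside the installer's chroot where that file does not exist yet.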



Weird errors during install.site

2016-07-28 Thread James Pole
Hello,

I have an install.site script which calls (among others) these commands:-
[…]
packages="git letsencrypt postgresql-server vim--no_x11"
[…]
pkg_add $packages
[…]

When the script is executed, the following errors appears:-
[…]
git-2.7.0:libiconv-1.14p3 (installing) […] 3%
ldconfig: /var/run/ld.so.hints: No such file or directory
[…]
postgresql-server-9.4.6:libxml-2.9.3 (installing) […] 100%
/usr/local/bin/xmlcatalog: can't load library 'libxml2.so.15.1'
[…]

I am not sure if these are harmful errors, but I am operating on the
assumption they are (particularly the second one).

My thinking at this stage is either to:
(1) Move the pkg_add(1) command to /etc/rc.firsttime. This would also
mean moving a whole lot of other scripted commands that depend on these
packages to /etc/rc.firsttime as well, so I am keen to avoid this approach if
possible.
(2) Figure out a way to fix ldconfig(8) so it works during the execution of
install.site. I’ve read the ldconfig(8) man page. Despite that I’m still
not confident that it’s wise to call ldconfig(8) during the execution of
install.site. And even if it would work, I am not sure which flags, if any, would
be appropriate.

I would appreciate any tips. :)

Regards,
James



producing SHA256 & release(8)?

2016-07-12 Thread James Hartley
Before proposing a diff, I need clarification.

The release(8) manpage states:

"xenocara uses DESTDIR and RELEASEDIR as described above.
While they may be set to the values used to build the rest of the
system, be aware that the existing contents of DESTDIR will be
removed as part of the xenocara build (this is necessary for
release checklist processing)."

Building the system release collects the SHA256 values of each fileset in
(traditionally) /usr/rel/SHA256.  This can be seen in /usr/src/etc/Makefile
as:

cksum -a sha256 BUILDINFO INSTALL.`arch -ks` \
${ALL_KERNELS} ${MDEXT} ${MISETS} | sort > SHA256

Building xenocara's release will overwrite the existing /usr/rel/SHA256 with the
SHA256 values of its base installation filesets if the same value of
$RELEASEDIR is used.  This can be seen in /usr/xenocara/Makefile:

 cksum -a sha256 x*tgz > SHA256

While this is not a showstopper & can easily be worked around, it seems
there is a mismatch between what the code does & what the manpage
specifies.  Is the intent now that building the system & xenocara releases
be done in separate directories, or should redirection be changed to
appending in the code?

Thanks!



support update

2016-02-19 Thread James Shupe
0
C USA
P Texas
T Pflugerville
Z 78691
O HermeTek Network Solutions
I James Shupe
A P.O. Box 2264
M sa...@hermetek.com
U https://www.hermetek.com/bsd-linux-support
B 512.792.2525
X 512.888.9889
N We provide open infrastructure design, development, deployment,
maintenance and training. We specialize in OpenBSD routing and firewall
platforms utilizing OpenBGPD, OpenOSPFD, PF, and other included
technologies.



Clarification on vhid/carpnode settings for load-balanced fw configuration

2015-12-23 Thread James L Baker
Hi, all.  I'm setting up a pair of load-balanced firewalls using carp.
I've got nearly everything going, but encountered this in the man page:

"If IP balancing is being used on a firewall, it is recommended to
configure the carpnodes in a symmetrical manner. This is achieved by simply
using the same carpnodes list on all sides of the firewall. This ensures
that packets of one connection will pass in and out on the same host and
are not routed asymmetrically."

I'm looking for clarification on the statement "using the same carpnodes
list on all sides of the firewall."  Does this mean that the same list of
carpnodes should appear on both external and internal interfaces?

i.e. (configurations abbreviated for brevity):

firewall 1:
  ifconfig carp0 carpnodes 10:0,20:100,30:0,40:100  #external carp if
  ifconfig carp1 carpnodes 10:0,20:100  #internal carp if #1
  ifconfig carp2 carpnodes 30:0,40:100  #internal carp if #2

firewall 2:
  ifconfig carp0 carpnodes 10:100,20:0,30:100,40:0  #external carp if
  ifconfig carp1 carpnodes 10:100,20:0  #internal carp if #1
  ifconfig carp2 carpnodes 30:100,40:0  #internal carp if #2

This seems odd to me, and I can't find the practice referenced anyplace
else.

According to Hansteen's "Book of PF," I should configure the carp
interfaces as follows:

firewall 1:
  ifconfig carp0 carpnodes 10:0,20:100  #external carp if
  ifconfig carp1 carpnodes 30:0,40:100  #internal carp if #1
  ifconfig carp2 carpnodes 50:0,60:100  #internal carp if #2

firewall 2:
  ifconfig carp0 carpnodes 10:100,20:0  #external carp if
  ifconfig carp1 carpnodes 30:100,40:0  #internal carp if #1
  ifconfig carp2 carpnodes 50:100,60:0  #internal carp if #2

Which carpnodes configuration is correct?  Won't the former cause vhid
conflicts?

Thanks for any consideration you folks throw at me.



Re: Boot loader uses INT 13h [WAS BIOS call fallback]

2015-12-22 Thread Read, James C
>> a security consideration, as far as I can see the bootloader loads using
>> INT 13h calls. How can the kernel be sure it is really operating in ring 0 and
>> not in some VM given that this is the case?

>Hey, it looks like you are just trying to be a dick.

On the assumption that you are not suggesting I would like to change my name
to Richard I can only reply that I have never tried to stick my head into a
warm and wet but very smelly hole for pleasure and/or to attempt to reproduce
with it.

>Does your mother know?

Given that she is deceased I find that highly unlikely.

However, insults reminiscent of primary school days aside, you may or may not
be surprised to find that actually that was a genuine question.



Re: BIOS call fallback

2015-12-22 Thread Read, James C
>The OpenBSD process is quite well understood.  Use the best methods,
>doubt what you do, refractor.  Simple in concept, but it takes a lot
>of time.

>Therefore I am looking forward to seeing what you and James can do.

>How long do you think it will take you?  Can we expect to see working
>code in a year... maybe two?

I guess in the absence of a seriously thought out wish list such a project
could be open ended. The more care spent in hardware design choices I guess
the more likely we could avoid the mess that various legacies have caused.

And my name is...

0x00



Boot loader uses INT 13h [WAS BIOS call fallback]

2015-12-22 Thread Read, James C
Hi,


a security consideration, as far as I can see the bootloader loads using INT
13h calls. How can the kernel be sure it is really operating in ring 0 and not
in some VM given that this is the case?



Re: BIOS call fallback

2015-12-22 Thread Read, James C
> I guess in the absence of a seriously thought out wish list such a project
> could be open ended. The more care spent in hardware design choices I guess
> the more likely we could avoid the mess that various legacies have caused.

Here's a suggestion for a community that is based around the claim of a
'secure' OS.

Isn't an OS resident in RAM insecure by default? The very fact that it is
physically possible for an OS to be modified merely by software it runs or
interacts with makes any claims of being 'secure' more than a little shaky.

I guess we could start with a design choice that our 'secure' OS is resident
in ROM only and cannot easily be modified by a user with a few software
commands.

0x00



Re: BIOS call fallback

2015-12-21 Thread Read, James C
> Well there you go.  Get to it.  See you in 10 years.

Seriously, though. The thought must have crossed your mind at least once
during all these years of mopping up the mess that MS/Intel seem to have
concocted over the years.

I wonder what a hardware system designed by BSD bootloader, kernel and driver
hackers would look like. I should expect that careful design choices in the
hardware could reduce the bloat considerably. Not to mention the complexity.

I do wonder, if the best and most experienced BSD hackers got together and made
a wish list for the new line of hardware that would run a next generation system
with no legacy baggage, what that wish list would look like.

0x00


