Microcode guide
Hi,

Is there a guide somewhere on how to load custom microcode for the CPU on OpenBSD?

_
Zbyszek Żółkiewski
M:Tier
Hi,

Does anyone know what is going on with M:Tier? There have been no updates for two and a half months now. Also no news on their Twitter.

_
Zbyszek Żółkiewski
Re: APU2 and Spectre
> Message written by Consus on 25.08.2018 at 17:08:
>
> Seems like APU2 board is vulnerable to Spectre:

Seems there is a microcode update with mitigations, but it looks like no one wants to claim where that microcode comes from:
https://github.com/pcengines/apu2-documentation/issues/75

Did someone try to load it from OBSD? Is it possible?

_
Zbyszek Żółkiewski
Re: Vultr hosting of OpenBSD
> Message written by Ken M on 08.09.2018 at 20:55:
>
> 2. Is vultr a good place to host an openbsd box? If not interested in hearing
> alternatives.

My own experience:

1) Vultr gave me a very bad support experience. If you restore from a snapshot you have to open a support ticket - otherwise OpenBSD won't boot. Network performance is poor.

2) Exoscale is my favorite - but also the most expensive (KVM). Swiss only, no EU, US influences.

3) AWS: what I use: most flexible, and unbeaten in terms of features. I often replace root drives if I want to perform some more advanced stuff (modify partitions etc.) - you simply, as in the real world, just replace EBS volumes. Downside: you pay for traffic and drive storage.

_
Zbyszek Żółkiewski
Re: Running your own mail server
> Message written by Ken M on 08.09.2018 at 17:23:
>
> Just curious how many of you use openbsd to run your own personal email
> server?

Another one here - running my own server (OpenBSD) for a long time. If you choose dovecot you can nicely encrypt mails in the backend store:
https://blog.onefellow.com/post/167267172603/server-side-email-encryption-with-dovecot
and keep the private key safe:
https://blog.onefellow.com/post/173796677183/how-to-obfuscate-dovecot-encryption-key

Good luck!

_
Zbyszek Żółkiewski
Re: Resize keydisk (softraid) partition...
> Message written by Thomas Bohl on 08.09.2018 at 03:41:
>
> Like the FAQ says, make a backup of the key with
> # dd bs=8192 skip=1 if=/dev/rsd1a of=backup-keydisk.img
>
> Verify that backup-keydisk.img starts with the string "marcCRAM".
>
> Reformat sd1 or whatever to your liking (with size 960 for example).
> Restore the key with
> # dd bs=8192 seek=1 if=backup-keydisk.img of=/dev/rsd1a

Thanks for the tips, I will test that and let you know.

_
Zbyszek Żółkiewski
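The backup, magic check and restore Thomas describes above, wrapped in shell functions as an added example (not code from the thread or the FAQ). The self-test at the bottom runs against a constructed file standing in for /dev/rsd1a, so nothing touches a real disk:

```shell
#!/bin/sh
# Added example: the FAQ dd commands from the thread as functions, plus the
# "marcCRAM" magic check before any restore. Devices are arguments; the
# self-test uses a constructed file, not a real /dev/rsd1a.

BS=8192

# Backup: copy everything after the first 8192-byte block (skip=1).
backup_keydisk() {
	dd bs=$BS skip=1 if="$1" of="$2" 2>/dev/null
}

# Return 0 when the image starts with the softraid magic "marcCRAM".
verify_keydisk() {
	[ "$(dd if="$1" bs=8 count=1 2>/dev/null)" = "marcCRAM" ]
}

# Restore: write the image back at offset 8192 (seek=1), refusing an image
# that fails the magic check so a bad file never overwrites the keydisk.
restore_keydisk() {
	verify_keydisk "$1" || { echo "$1: no marcCRAM magic, refusing" >&2; return 1; }
	dd bs=$BS seek=1 if="$1" of="$2" 2>/dev/null
}

# Constructed stand-in for a raw keydisk partition: one zero block (the part
# skip=1 leaves out), then the magic, then some padding.
make_fake_keydisk() {
	dd if=/dev/zero bs=$BS count=1 of="$1" 2>/dev/null
	printf 'marcCRAM' >> "$1"
	dd if=/dev/zero bs=$BS count=1 >> "$1" 2>/dev/null
}

# Round trip on constructed files; returns 0 only if every step behaves.
self_test() {
	tmp=$(mktemp -d) || return 1
	make_fake_keydisk "$tmp/fake_rsd1a"
	backup_keydisk "$tmp/fake_rsd1a" "$tmp/backup-keydisk.img"
	verify_keydisk "$tmp/backup-keydisk.img" || return 1
	# restoring onto an empty stand-in must put the magic back at offset 8192
	: > "$tmp/fake_rsd2a"
	restore_keydisk "$tmp/backup-keydisk.img" "$tmp/fake_rsd2a" || return 1
	[ "$(dd if="$tmp/fake_rsd2a" bs=8 skip=1024 count=1 2>/dev/null)" = "marcCRAM" ] || return 1
	# an image without the magic must be rejected, not written
	dd if=/dev/zero bs=$BS count=1 of="$tmp/bad.img" 2>/dev/null
	if restore_keydisk "$tmp/bad.img" "$tmp/fake_rsd2a" 2>/dev/null; then return 1; fi
	rm -rf "$tmp"
	return 0
}

self_test && echo "keydisk backup/restore self-test passed"
```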
Re: Resize keydisk (softraid) partition...
> Message written by Marcus MERIGHI on 07.09.2018 at 18:09:
>
> $ dd bs=8192 skip=1 if=/dev/rsd99z of=backup-keydisk.img
> $ dd bs=8192 seek=1 if=backup-keydisk.img of=/dev/rsd99z

Thanks for the answers, but that will make a dump of the whole 14GB - I would like to shrink it to a reasonable size...

_
Zbyszek Żółkiewski
Resize keydisk (softraid) partition...
Hi,

So I did something stupid: during creation of the keydisk (https://www.openbsd.org/faq/faq14.html#softraid), I was in a hurry and allocated the whole 14GB partition a for the keydisk... Now I would like to shrink it somehow, what's the best and safest way to do it...?

_
Zbyszek Żółkiewski
Re: Equipment for OBSD based firewall
For the APU it's worth mentioning there are 2 versions in regards to network performance: the i210 and i211 NIC chips. The i210 (apu2c4) is supposed to be faster and more feature-rich, while the i211 is a "value product". But since I have only the i210AT version and have never seen head-to-head comparisons, there is nothing to back up that claim...

Ref (there are nice tables comparing chips):
https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/i210-ethernet-controller-datasheet.pdf?asset=9573
https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/i211-ethernet-controller-datasheet.pdf?asset=9567
https://www.intel.com/content/dam/www/public/us/en/documents/faqs/ethernet-controller-i210-i211-faq.pdf?asset=9597

> Message written by Shawn Webb on 04.09.2018 at 02:00:
>
> The PC-Engines APU devices are wildly popular among the BSD networking
> folk, and for good reason. I have a number of APU2 and APU3 systems
> deployed. I have one APU4 device deployed. I'll likely deploy another
> APU4 device within the next month or two.

_
Zbyszek Żółkiewski
Re: Kernel memory leaking on Intel CPUs?
10 years passed, Theo de Raadt: https://marc.info/?l=openbsd-misc&m=118296441702631

_
Zbyszek Żółkiewski

> > https://spectreattack.com/
>
Re: syspatch not updating kernel
I am not sure there was any debate on that, whether syspatch should check the number of CPUs OR which kernel is currently running (MP or SP). I made a quick check and at least one cloud service that has OpenBSD uses MP by default - as a result syspatch does not work (on small instances) as it tries to patch the SP kernel where in fact the MP kernel is in use (that one is Swiss Exoscale, but I suspect others have the same problem...)

_
Zbyszek Żółkiewski

> Message written by Steven Surdock on 14.12.2017 at 12:36:
>
> This was, in fact, the reason. I had an MP kernel running on a VM with a
> single CPU.
>
> I ended up moving to an SP kernel, but I needed to copy
> /usr/share/compile/GENERIC for a working i386 SP machine. To make sure
> everything was updated I also reverted syspatches and then re-applied them.
> Everything looks good now.
>
>> -Original Message-
>> From: Zbyszek Żółkiewski [mailto:zbys...@onefellow.com]
>> Sent: Thursday, December 14, 2017 6:24 AM
>> To: misc@openbsd.org
>> Cc: Steven Surdock
>> Subject: Re: syspatch not updating kernel
>>
>> Hi,
>>
>> perhaps this might be the reason, syspatch, around line number 274:
>>
>> (($(sysctl -n hw.ncpufound) > 1)) && _BSDMP=true || _BSDMP=false
>>
>> your kernel looks like MP on i386?
>>
>> _
>> Zbyszek Żółkiewski
>>
>>> Message written by Steven Surdock on 13.12.2017 at 14:33:
>>>
>>> I just ran syspatch on a 6.2/i386 host and the kernel did not change
>> as it has on my other patched machines. It appears that
>> pub/OpenBSD/syspatch/6.2 was updated on 12/10.
>>>
>>> root@rad03 [/root]# syspatch -l
>>> 002_fktrace
>>> 003_mpls
>>> root@rad03 [/root]# uname -a
>>> OpenBSD cts-rad03.ctstelecom.com 6.2 GENERIC.MP#166 i386
>>>
>>>
>>> -Steve S.
>>>
Re: syspatch not updating kernel
Hi,

perhaps this might be the reason, syspatch, around line number 274:

(($(sysctl -n hw.ncpufound) > 1)) && _BSDMP=true || _BSDMP=false

your kernel looks like MP on i386?

_
Zbyszek Żółkiewski

> Message written by Steven Surdock on 13.12.2017 at 14:33:
>
> I just ran syspatch on a 6.2/i386 host and the kernel did not change as it
> has on my other patched machines. It appears that pub/OpenBSD/syspatch/6.2
> was updated on 12/10.
>
> root@rad03 [/root]# syspatch -l
> 002_fktrace
> 003_mpls
> root@rad03 [/root]# uname -a
> OpenBSD cts-rad03.ctstelecom.com 6.2 GENERIC.MP#166 i386
>
>
> -Steve S.
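An added example (not part of syspatch or of this thread) that puts the quoted line 274 heuristic next to the kernel name from "uname -a", so a GENERIC.MP kernel on a single-CPU VM, which is the case Steven hit, is reported before syspatch patches the wrong kernel. The sample values are the ones quoted in the thread; check_live runs the same sysctl syspatch uses:

```shell
#!/bin/sh
# Added example (not from syspatch or the thread): the CPU-count heuristic
# quoted from syspatch next to the kernel name from "uname -a", so that a
# GENERIC.MP kernel on a single-CPU VM is reported before syspatch patches
# the wrong kernel. Values are passed as arguments so the checks run offline.

# The heuristic from syspatch (around line 274 in 6.2): more than one CPU
# found means the MP kernel is assumed.
syspatch_guess() {
	if [ "$1" -gt 1 ]; then echo MP; else echo SP; fi
}

# What is actually running, from a "uname -a" line such as the one in the
# thread: "OpenBSD cts-rad03.ctstelecom.com 6.2 GENERIC.MP#166 i386".
running_kernel() {
	case $1 in
		*GENERIC.MP#*) echo MP ;;
		*GENERIC#*)    echo SP ;;
		*)             echo UNKNOWN ;;
	esac
}

# Return 0 when syspatch's guess and the running kernel agree, 1 otherwise.
kernel_matches() {
	[ "$(syspatch_guess "$1")" = "$(running_kernel "$2")" ]
}

# Live check on an OpenBSD host, using the same sysctl syspatch uses.
check_live() {
	kernel_matches "$(sysctl -n hw.ncpufound)" "$(uname -a)"
}

# Constructed sample: the i386 host from the thread, where a GENERIC.MP
# kernel runs on a VM that reports a single CPU.
SAMPLE_NCPU=1
SAMPLE_UNAME="OpenBSD cts-rad03.ctstelecom.com 6.2 GENERIC.MP#166 i386"

if kernel_matches "$SAMPLE_NCPU" "$SAMPLE_UNAME"; then
	echo "syspatch heuristic and running kernel agree"
else
	echo "mismatch: syspatch would patch the $(syspatch_guess "$SAMPLE_NCPU") kernel" \
	     "but $(running_kernel "$SAMPLE_UNAME") is running"
fi
```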
xnf0: tx stuck: prod
Hi,

OpenBSD 6.2 GENERIC.MP#134 amd64 running on Xen (AWS), anyone experienced this:

xnf0: tx stuck: prod 3722866 cons 3722866,3722865 evt 3722867,3722866
xnf0: tx stuck: prod 3903774 cons 3903774,3903773 evt 3903775,3903774
xnf0: tx stuck: prod 5736476 cons 5736476,5736475 evt 5736477,5736476
xnf0: tx stuck: prod 5796678 cons 5796678,5796677 evt 5796679,5796678
xnf0: tx stuck: prod 5821071 cons 5821071,5821070 evt 5821072,5821071

That is from if_xnf.c:

void
xnf_watchdog(struct ifnet *ifp)
{
	struct xnf_softc *sc = ifp->if_softc;
	struct xnf_tx_ring *txr = sc->sc_tx_ring;

	/* report the shared TX ring's producer/consumer indices, the
	   driver's own consumer index and the ring event counters */
	printf("%s: tx stuck: prod %u cons %u,%u evt %u,%u\n",
	    ifp->if_xname, txr->txr_prod, txr->txr_cons, sc->sc_tx_cons,
	    txr->txr_prod_event, txr->txr_cons_event);
}

Anyone had that problem and found the cause of these "stucks"?

_
Zbyszek Żółkiewski
Re: Fail2ban alternative for OpenBSD
That's naive, did you trust it when there were weak SSH keys generated a few years back? I am not here to teach anyone about good practices, but having SSH closed is just common sense.

_
Zbyszek Żółkiewski

> Message written by Kamil Cholewiński on 30.10.2017 at 10:57:
>
>> I have been wondering for years why the hell people leave the SSH port open to
>> the world?
>
> Because I trust OpenSSH
Re: Fail2ban alternative for OpenBSD
First of all, SSH access should be blocked - I have been wondering for years why the hell people leave the SSH port open to the world? Seriously, the smallest VPC + OpenVPN costs $5 monthly...

_
Zbyszek Żółkiewski

> Message written by Peter Hessler on 30.10.2017 at 10:35:
>
> On 2017 Oct 30 (Mon) at 11:06:02 +0200 (+0200), Gregory Edigarov wrote:
> :On 29.10.17 03:20, x9p wrote:
> :>
> :> Coming from the Linux world, I wonder if there is a better alternative to
> :> fail2ban, already being used in OpenBSD servers by the majority.
> :>
> :I suggest you NEVER use such "solutions". It's security by obscurity model,
> :and therefore a bad very very bad thing.
>
> On the contrary, it is a great way to identify bad actors. IMHO,
> someone trying to bruteforce passwords deserves to be blocked at the
> network level.
>
>
> :You'd be much safer completely turning off password authentication, using
> :keys instead.
> :
>
> Who says password auth is enabled in the first place?
>
>
> --
> Q: Why do ducks have flat feet?
> A: To stamp out forest fires.
>
> Q: Why do elephants have flat feet?
> A: To stamp out flaming ducks.
>
Re: fuse version
Thanks for the clarification. Actually llfuse is needed by S3QL (http://www.rath.org/s3ql-docs/about.html). I am considering migration to OpenBSD but this is a blocker for now. Does anyone know a similar project that runs on OpenBSD? (Needed options are: Immutable Trees, Copy-on-Write and Encryption.)

_
Zbyszek Żółkiewski

> Message written by Stefan Sperling on 25.10.2017 at 12:01:
>
> On Tue, Oct 24, 2017 at 07:46:29PM +0200, Zbyszek Żółkiewski wrote:
>> Hi,
>>
>> llfuse requires FUSE 2.9.0 or newer, I think OpenBSD uses 2.6, am I right?
>>
>> thanks,
>
> Yes, OpenBSD's API declares version 2.6. But it's not the same implementation
> as on Linux. I don't know if even 2.6 support can be considered complete.
>
> Since llfuse seems to be a Python wrapper for fuse, it probably requires
> a larger subset of the fuse API than most other fuse consumers.
>
> So what you're asking for requires a complete API and llfuse audit just
> to document requirements, and then implementations of any missing APIs
> in libfuse and/or the kernel.
> That's quite a big project. The answer for now will probably be:
> If you invest time and work into it, it might happen. Otherwise, no.
>
> More help on fuse support would certainly be welcome, I think.
> It has not been actively maintained for some time.
Re: fuse version
Hi,

llfuse requires FUSE 2.9.0 or newer, I think OpenBSD uses 2.6, am I right?

thanks,

_
Zbyszek Żółkiewski

> Message written by Stefan Sperling on 24.10.2017 at 11:44:
>
> On Tue, Oct 24, 2017 at 11:21:17AM +0200, Zbyszek Żółkiewski wrote:
>> Hi,
>>
>> Quick question: Any plans to support a newer version of fuse?
>>
>> thanks,
>>
>> _
>> Zbyszek Żółkiewski
>>
>
> Your question is not specific enough.
fuse version
Hi,

Quick question: Any plans to support a newer version of fuse?

thanks,

_
Zbyszek Żółkiewski
Re: Maintaining process clarification
Hi Ingo,

thanks for the note, please find my notes below,

>> Example: In 6.1
>
> I assume that means you are using -stable.
>
>> there is package openvpn-2.4.1, how updates to the package are
>> handled? If there is critical issue with the package, then
>> "openvpn-2.4.1" is updated or it get new version numbering?

yes, that is stable

> It gets a new version number, typically openvpn-2.4.1p0.
> If the fix is done via a new upstream release, the number
> may look something like openvpn-2.4.2.
>
> In this particular case, it actually is openvpn-2.4.3p1 in both
> -stable and -current.

actually in -stable I see only 2.4.1, 2.4.3 is in snapshot

>> And yes - i know i can recompile by myself and i do not mind doing
>> that, but i would avoid recompiling almost all all the time if there
>> is already process
>
> Using -stable, you will have to compile port updates yourself:
>
> https://www.openbsd.org/faq/faq15.html#PortsSecurity

so to get the latest updates (binary) from the packages I should run -current?

>
> Or use the third-party, but IMHO trustworthy third-party precompiled
> stable packages from MTier:
>
> https://stable.mtier.org/

thanks, I will check that out

> That said, use the manual pages and the FAQ before asking questions,
> and do not use web search engines to search for answers to questions
> regarding OpenBSD. Unlike in Linux, almost everything is documented
> precisely and concisely in the canonical places in the manual pages
> or FAQ, and documentation is almost always up to date.

yes, documentation quality is great, I need clarification on the update process as it is very different from Linux distributions.

_
Zbyszek Żółkiewski
Maintaining process clarification
Hi,

I am new to OpenBSD and after 15 years of work with Linux I find OpenBSD a very refreshing experience among bloated server software platforms, so guys, thanks for that.

My question is about updating packages using pkg_add -u, I am kind of confused about how it works. Example: In 6.1 there is package openvpn-2.4.1, how are updates to the package handled? If there is a critical issue with the package, is "openvpn-2.4.1" updated or does it get new version numbering? I am used to distros adding their own numbering like 2.4.1_u1 and so on - to give a clue that the package was updated/patched.

And yes - I know I can recompile by myself and I do not mind doing that, but I would avoid recompiling almost everything all the time if there is already a process.

thanks,

_
Zbyszek Żółkiewski
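An added example (not pkg_add's own code) of the numbering Ingo explains in the reply above: it splits a package name into stem, upstream version and pN rebuild level, and classifies a change as a ports rebuild or a new upstream release. It assumes the plain name-version[pN] form seen in the thread and does not handle vN flavor suffixes:

```shell
#!/bin/sh
# Added example (not from pkg_add or the thread): split an OpenBSD package
# name into stem, upstream version and patch level, and classify how one
# name relates to another the way Ingo describes: same upstream version with
# a "pN" suffix is a ports-side rebuild, a changed version is a new upstream
# release. Inputs are constructed strings; nothing queries pkg_info.

# Print "stem version patchlevel" for a name like openvpn-2.4.1p0.
# The version is the last dash-separated field; a trailing pN is the patch
# level. An unsuffixed name reports -1 so that the first rebuild (p0) sorts
# above it. Assumption: no vN flavor suffix (none appear in the thread).
pkg_split() {
	name=$1
	stem=${name%-*}
	ver=${name##*-}
	case $ver in
		*p[0-9]*) patch=${ver##*p}; ver=${ver%p*} ;;
		*)        patch=-1 ;;
	esac
	echo "$stem $ver $patch"
}

# Classify the step from package $1 to package $2:
# rebuild, upstream, same, downgrade or other-package.
pkg_relation() {
	set -- $(pkg_split "$1") $(pkg_split "$2")
	ostem=$1 over=$2 opatch=$3 nstem=$4 nver=$5 npatch=$6
	[ "$ostem" = "$nstem" ] || { echo other-package; return 0; }
	if [ "$over" = "$nver" ]; then
		if [ "$npatch" -gt "$opatch" ]; then echo rebuild
		elif [ "$npatch" -eq "$opatch" ]; then echo same
		else echo downgrade
		fi
		return 0
	fi
	# Different upstream version: numeric, field-by-field compare of the
	# dotted versions; the lower one sorts first.
	first=$(printf '%s\n%s\n' "$over" "$nver" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
	if [ "$first" = "$over" ]; then echo upstream; else echo downgrade; fi
}

# The two transitions Ingo names: a rebuild of 2.4.1 and the move to 2.4.3p1.
for step in "openvpn-2.4.1 openvpn-2.4.1p0" "openvpn-2.4.1 openvpn-2.4.3p1"; do
	set -- $step
	echo "$1 -> $2: $(pkg_relation "$1" "$2")"
done
```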
Bug in dhclient, isc_named or misconfiguration ?
Hi group,

Recently I came up with this problem: running isc_named + dhclient causes isc_named to periodically lose its binding to the TCP port:

Sep 7 13:45:02 ns dhclient[12533]: DHCPREQUEST on vio0 to 169.254.169.254
Sep 7 13:45:02 ns dhclient[12533]: DHCPACK from 169.254.169.254 (fe:00:00:88:fe:63)
Sep 7 13:45:02 ns named[76593]: no longer listening on XXX.XXX.XXX.XXX#53
Sep 7 13:45:02 ns named[76593]: listening on IPv4 interface vio0, XXX.XXX.XXX.XXX#53
Sep 7 13:45:02 ns named[76593]: binding TCP socket: address in use
Sep 7 13:45:02 ns dhclient[12533]: bound to XXX.XXX.XXX.XXX -- renewal in 40027 seconds.

XXX is the redacted public IP. This is OpenBSD 6.1.

In bind I have already configured interface-interval 0; - but this does not fix the problem, any idea? This problem looks isolated to OpenBSD.

Thanks,

_
Zbyszek Żółkiewski
Re: Amazon AWS, OpenBSD and IPv6
Why, wrong list?

_
Zbyszek Żółkiewski

> Message written by Mihai Popescu on 05.09.2017 at 11:05:
>
>> Anyone on the list had problem with IPv6 on AWS?
>> Image (AMI) build from https://github.com/kolargol/openbsd-aws/ (OpenBSD 6.1)
>
> Wrong list! That project should stop using openbsd in its name, I think.
>
Re: Amazon AWS, OpenBSD and IPv6
That was my suspicion in the end. And I will have to use some other dhclient, thanks,

_
Zbyszek Żółkiewski

> Message written by Mike Coddington on 05.09.2017 at 20:56:
>
> On Vultr, IPv6 addresses are assigned via SLAAC, not via DHCP6. Back
> when I had a need to use DHCPv6, I had good luck with the "wide-dhcpv6"
> package. Try installing that and see if you're able to pick up an
> address from the AWS servers.
Re: Amazon AWS, OpenBSD and IPv6
Pretty much - yes - I use IPv6 on other OSes where dhcpv6 is used on AWS...

_
Zbyszek Żółkiewski

> Message written by Stephane HUC PengouinBSD on 05.09.2017 at 12:23:
>
> Hi...
>
> Are you sure that AWS provides dhcpv6? or slaac?
Re: Amazon AWS, OpenBSD and IPv6
Thanks, but it also does not work:

cat /etc/hostname.xnf0
dhcp
inet6 autoconf

ksh /etc/netstart
DHCPREQUEST on xnf0 to 255.255.255.255
DHCPACK from 172.30.0.1 (06:21:2f:5e:51:4d)
bound to 172.30.0.120 -- renewal in 1800 seconds.

ifconfig xnf0
xnf0: flags=208843 mtu 1500
	lladdr 06:e2:3b:b3:f6:52
	index 1 priority 0 llprio 3
	groups: egress
	media: Ethernet manual
	status: active
	inet6 fe80::4e2:3bff:feb3:f652%xnf0 prefixlen 64 scopeid 0x1
	inet 172.30.0.120 netmask 0xff00 broadcast 172.30.0.255

As you can see only fe80 is there...

_
Zbyszek Żółkiewski

> Message written by Janne Johansson on 05.09.2017 at 11:30:
>
> That is not DHCPv6 but SLAAC. Perhaps that is why you get confused by people
> saying openbsd doesn't have dhcpv6 in base.
>
> https://en.wikipedia.org/wiki/IPv6#Stateless_address_autoconfiguration_.28SLAAC.29
>
> 2017-09-05 11:27 GMT+02:00 Zbyszek Żółkiewski :
> AWS uses DHCP, so I need DHCP to configure it, when I do it manually:
>
> ifconfig xnf0 inet6 2a05:d018:501:3802:82b7:5ec2:6403:992b/64 autoconf up
>
> then:
>
> # ping6 google.com
> PING google.com (2a00:1450:400b:c03::66): 56 data bytes
> 64 bytes from 2a00:1450:400b:c03::66: icmp_seq=0 hlim=49 time=1.148 ms
> 64 bytes from 2a00:1450:400b:c03::66: icmp_seq=1 hlim=49 time=1.219 ms
>
> any other place to look for a possible misconfiguration of DHCP?
>
> _
> Zbyszek Żółkiewski
>
> > Message written by Stephane HUC PengouinBSD on 05.09.2017 at 11:20:
> >
> > Hi...
> > Perhaps, It is possible that I did not understand the question!
> >
> > But :
> > - for OpenBSD 6.1, use 'ipv6 autoconf' into your iface file
> > - for older OpenBSD, use 'rtsol'.
> >
> >
> > On 09/05/17 at 11:12, Zbyszek Żółkiewski wrote:
> >>>
> >>> Message written by Peter Hessler on 05.09.2017 at 11:05:
> >>>
> >>> OpenBSD's dhclient is IPv4 only. We do not have an IPv6 DHCP client in
> >>> base.
> >>
> >> how does it work then on vultr for example where in the same setup IPv6 is
> >> leased from DHCP? I do not see any other daemons running there...
> >>
> >> _
> >> Zbyszek Żółkiewski
> >>
> >
> > --
> > ~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<<
> >
> > Stephane HUC as PengouinBSD or CIOTBSD
> > b...@stephane-huc.net
> >
>
>
> --
> May the most significant bit of your life be positive.
Re: Amazon AWS, OpenBSD and IPv6
AWS uses DHCP, so I need DHCP to configure it, when I do it manually:

ifconfig xnf0 inet6 2a05:d018:501:3802:82b7:5ec2:6403:992b/64 autoconf up

then:

# ping6 google.com
PING google.com (2a00:1450:400b:c03::66): 56 data bytes
64 bytes from 2a00:1450:400b:c03::66: icmp_seq=0 hlim=49 time=1.148 ms
64 bytes from 2a00:1450:400b:c03::66: icmp_seq=1 hlim=49 time=1.219 ms

Any other place to look for a possible misconfiguration of DHCP?

_
Zbyszek Żółkiewski

> Message written by Stephane HUC PengouinBSD on 05.09.2017 at 11:20:
>
> Hi...
> Perhaps, It is possible that I did not understand the question!
>
> But :
> - for OpenBSD 6.1, use 'ipv6 autoconf' into your iface file
> - for older OpenBSD, use 'rtsol'.
>
>
> On 09/05/17 at 11:12, Zbyszek Żółkiewski wrote:
>>>
>>> Message written by Peter Hessler on 05.09.2017 at 11:05:
>>>
>>> OpenBSD's dhclient is IPv4 only. We do not have an IPv6 DHCP client in
>>> base.
>>
>> how does it work then on vultr for example where in the same setup IPv6 is
>> leased from DHCP? I do not see any other daemons running there...
>>
>> _
>> Zbyszek Żółkiewski
>>
>
> --
> ~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<<
>
> Stephane HUC as PengouinBSD or CIOTBSD
> b...@stephane-huc.net
>
Re: Amazon AWS, OpenBSD and IPv6
> Message written by Peter Hessler on 05.09.2017 at 11:05:
>
> OpenBSD's dhclient is IPv4 only. We do not have an IPv6 DHCP client in
> base.

How does it work then on Vultr for example, where in the same setup IPv6 is leased from DHCP? I do not see any other daemons running there...

_
Zbyszek Żółkiewski
Amazon AWS, OpenBSD and IPv6
Hello all,

Anyone on the list had problems with IPv6 on AWS? Image (AMI) built from https://github.com/kolargol/openbsd-aws/ (OpenBSD 6.1)

cat /etc/hostname.xnf0
dhcp
rtsol

The IPv6 address is not pulled from the DHCP server. To get this working I had to add it manually with ifconfig. All errata were added to 6.1.

Any idea why the lease is not pulled from DHCP? This problem seems to affect only AWS. If someone is willing to help, the image ID is: ami-3dd81c44 (eu-west-1)

Thank you!

_
Zbyszek Żółkiewski
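An added example (not from the thread) with the two offline checks this thread turns on: whether hostname.if still uses the pre-6.1 rtsol keyword or the 6.1 "inet6 autoconf" form, and whether ifconfig shows any inet6 address beyond fe80::. The sample texts are the hostname.xnf0 contents and ifconfig output quoted in the thread:

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the two things the
# thread turns on. Text is read from stdin or arguments so the functions run
# without an OpenBSD box; the samples are the hostname.xnf0 contents and the
# ifconfig output quoted in the thread.

# Classify a hostname.if file (contents on stdin):
#   rtsol     - the pre-6.1 keyword the author's file used
#   autoconf  - the 6.1 form "inet6 autoconf" (SLAAC only)
#   no-inet6  - no IPv6 configuration at all
check_hostname_if() {
	cfg=$(cat)
	case $cfg in
		*rtsol*)            echo rtsol ;;
		*"inet6 autoconf"*) echo autoconf ;;
		*)                  echo no-inet6 ;;
	esac
}

# Print inet6 addresses from ifconfig output (stdin) that are not link-local,
# with any %scope suffix stripped; prints nothing when only fe80:: exists.
global_v6_addrs() {
	awk '$1 == "inet6" && $2 !~ /^fe80:/ { sub(/%.*/, "", $2); print $2 }'
}

# Return 0 if the ifconfig text in $1 carries a global IPv6 address.
has_global_v6() {
	[ -n "$(printf '%s\n' "$1" | global_v6_addrs)" ]
}

# Constructed samples, taken from the messages in this thread.
HOSTNAME_RTSOL='dhcp
rtsol'
HOSTNAME_AUTOCONF='dhcp
inet6 autoconf'
IFCONFIG_LINKLOCAL_ONLY='xnf0: flags=208843 mtu 1500
	lladdr 06:e2:3b:b3:f6:52
	inet6 fe80::4e2:3bff:feb3:f652%xnf0 prefixlen 64 scopeid 0x1
	inet 172.30.0.120 netmask 0xff00 broadcast 172.30.0.255'
IFCONFIG_WITH_GLOBAL="$IFCONFIG_LINKLOCAL_ONLY
	inet6 2a05:d018:501:3802:82b7:5ec2:6403:992b prefixlen 64"

# Combine both checks into one verdict for a host: $1 is the hostname.if
# text, $2 the ifconfig output.
diagnose() {
	kw=$(printf '%s\n' "$1" | check_hostname_if)
	if has_global_v6 "$2"; then
		echo "ok: global IPv6 present (hostname.if: $kw)"
	elif [ "$kw" = rtsol ]; then
		echo "no global IPv6; hostname.if still uses rtsol, on 6.1 the keyword is 'inet6 autoconf'"
	elif [ "$kw" = autoconf ]; then
		echo "no global IPv6 despite autoconf: SLAAC got nothing, a DHCPv6 client would be needed (none in base)"
	else
		echo "no global IPv6 and no inet6 line in hostname.if"
	fi
}

diagnose "$HOSTNAME_RTSOL" "$IFCONFIG_LINKLOCAL_ONLY"
diagnose "$HOSTNAME_AUTOCONF" "$IFCONFIG_LINKLOCAL_ONLY"
diagnose "$HOSTNAME_AUTOCONF" "$IFCONFIG_WITH_GLOBAL"
```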