Re: curious about where system is spinning

2024-08-05 Thread Stuart Henderson
On 2024-08-05, Geoff Steckel  wrote:
> This is not a complaint.
> I'm very happy with 400MB/sec through a cheap power efficient system.
> I'm trying to deduplicate some of my 10,000,000+ files.
>
> Top reports spin (mostly on CPU0) up to 10%.
> I'm curious which resource is being competed for.

My wild guess would be filesystem access.

> If a waterfall graph would answer my question
> any pointers to instructions would be gratefully taken.

I can probably dig out more details if needed, but you might have
enough in /usr/src/share/btrace/kprofile.bt to get started.




curious about where system is spinning

2024-08-05 Thread Geoff Steckel

This is not a complaint.
I'm very happy with 400MB/sec through a cheap power efficient system.
I'm trying to deduplicate some of my 10,000,000+ files.

Top reports spin (mostly on CPU0) up to 10%.
I'm curious which resource is being competed for.

If a waterfall graph would answer my question
any pointers to instructions would be gratefully taken.

Running 3 instances of
   find  -type f -exec cksum {} + > 
each searching a different physical drive and resultfile is on
yet another physical drive.
CPU is AMD 5600G w/6 cores & 64MB

top says:
  -
CPU00 states: 15.9% user,  0.0% nice,  5.5% sys,  3.4% spin,  3.0% intr, 72.1% idle
CPU01 states: 16.8% user,  0.0% nice,  4.5% sys,  1.3% spin,  0.0% intr, 77.4% idle
CPU02 states: 17.3% user,  0.0% nice,  5.9% sys,  0.5% spin,  0.0% intr, 76.3% idle
CPU03 states: 11.9% user,  0.0% nice,  4.9% sys,  0.3% spin,  0.0% intr, 82.9% idle
CPU04 states:  9.1% user,  0.0% nice,  2.4% sys,  0.5% spin,  0.0% intr, 88.1% idle
CPU05 states:  5.5% user,  0.0% nice,  1.2% sys,  0.2% spin,  0.0% intr, 93.1% idle


iostat says:

      tty             sd2                sd3                sd4            cpu
 tin tout  KB/t  t/s    MB/s   KB/t  t/s    MB/s   KB/t  t/s    MB/s  us ni sy sp in id
 519   89 64.00 2496  156.00  64.00 1991  124.44  64.00 2061  128.81  12  0  4  0  1 83
 519  267 64.00 2551  159.44  64.00 2087  130.44  64.00 2142  133.88  13  0  4  1  0 82


Secondary question:
This scenario hits some transfer rate limit.
It's not obviously a chipset/memory system limit.
I think that combination can deliver above 1GB/sec to the SATA controller.
All of the drives can transfer at least 140MB/sec, some as high as 180.
I believe that sd3 and sd4 can transfer faster than sd2.
Is it likely that the kernel services interrupts, etc. in drive # order?
(Reading the Source doesn't give an obvious answer.
There are interactions with scheduling)

   thanks
   Geoff Steckel



Re: About pf Rule ( pf.conf

2024-08-05 Thread Souji Thenria

On Mon Aug 5, 2024 at 8:24 PM BST, Mike Fischer wrote:


> Am 05.08.2024 um 20:22 schrieb WATANABE Takeo :
> 
> Hi,Souji-SAN.
> 
> Thank you so much for your advice.

> We will reply to you in due course.
> 
> 
> on Sun, 04 Aug 2024 19:56:38 +0100
> "Souji Thenria"  wrote: 
> 
>> On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:

>>> I am having trouble because all packets are blocked.
>>> Please see below for a description of the problem.
>>> I would appreciate it if you could point out any problems.
>> 
>> The config looks ok so far; I don't see any problems.
>> 
>> Can you run 'pfctl -s rules' and send the command output?

>> You can also run 'tcpdump' on the interface. Can you see in-coming or
>> out-coming packages for your specified ports?
> 
> We are sending you the results of the "pfctl -s rules" run,

> the results of the "pfctl -vnf /etc/pf.conf" run
> and the original "pf.conf" as attachments, just in case.
> 
> The results of "pfctl -s rules" were difficult for me to understand,

> I am ashamed to say. As an example of what I understood,
> I also send you the result of "pfctl -vnf /etc/pf.conf".
> 
> I found the result of "tcpdump -n -e -ttt -r /var/log/pflogd" to be

> Most of them were DNS packets (IN/OUT).
> # This host is an authoritative DNS server, so I think it is natural.
> 
> Is it possible to understand the situation with these results?

> We look forward to your reply.
> 
> Best regards,
> 
> ---

> WATANABE, Takeo
> t...@kasaneiro.jp

Your config, the result of `pfctl -vnf /etc/pf.conf` and the result of `pfctl 
-sr` do not match. Did you actually load your config (`pfctl -f /etc/pf.conf`, 
i.e. without -n)? -n only checks the config without loading it.


+1 that you probably forgot to reload your config, and I agree with
everything else Mike mentioned below.

I mostly wanted to add that I tried to load the pf.conf file you sent;
it looks like it works. (I did a quick test to see if the HTTP- and
SMTP-server are reachable.)


The loaded rules as returned by `pfctl -sr` would not allow much of your 
desired traffic. However they do allow NDP traffic.

Your vio0 interface seems to have IPv6 and IPv4 addresses. So you probably need 
to allow NDP traffic and you probably want to allow ICMPv6 echo as well.

One more debugging tip: Temporarily turn off pf to see if your issues are 
caused by your pf rules. `pfctl -d`. Then test and turn it back when done 
testing (`pfctl -e`).
Note (mainly for other readers): This tip works in your case, but not if NAT or 
forwarding rules are used.

PS. Do you have console access to the host? If not there is a good chance that 
you might shoot yourself in the foot with incorrect rules and lose access to 
the machine.

PPS. Your loaded rules allow SSH on port 22. Your desired rules would allow SSH 
on port 1522. Is your sshd actually listening on these ports? Oh and if you 
want to access other hosts from your machine that use port 22 using SSH then 
your new rules are missing an outgoing rule for that. One reason for mostly 
allowing all outgoing traffic and only dealing with incoming packets in the rules.


HTH
Mike


Regards,
Souji

--
Souji Thenria
Website: www.souji-thenria.net




Re: Unable to Mount NFS Share

2024-08-05 Thread Aric Gregson

On 05.08.2024 09:57, Mike Larkin wrote:

On Sat, Aug 03, 2024 at 01:35:11PM -0700, Aric Gregson wrote:

Hello,

I am having a great deal of difficulty mounting a NFS shared folder on my local 
network. The share is from a TrueNAS server. I am able to mount the same share 
on Armbian without difficulty.

The error that I receive is:

mount_nfs: bad MNT RPC: RPC: Timed out

I have tried many variations of the mount and all fail with the same error.

  doas mount address:/mnt/share /mnt/nfs
  doas mount_nfs address:/mnt/share /mnt/nfs
  doas mount_nfs -T -i address:/mnt/share /mnt/nfs
  doas mount_nfs -2 -T -i address:/mnt/share /mnt/nfs
  doas mount_nfs -3 -T -i address:/mnt/share /mnt/nfs

This is not new for me, it has been going on for years. Just getting around to 
trying it again. Any help is greatly appreciated.



You could try these commands from the openbsd client (replace server_ip with
server's IP address or FQDN)

rpcinfo -p server_ip
showmount -e server_ip

These should show you what RPC services are running on the server (and if they
are even reachable from the client), and what mounts are exported.

My guess is you either have NFSv4 only on the server, or it's not reachable
for some reason.


Thank you. Output is below.

rpcinfo -p 192.168.1.21
   program vers proto   port
104   tcp111  portmapper
103   tcp111  portmapper
102   tcp111  portmapper
104   udp111  portmapper
103   udp111  portmapper
102   udp111  portmapper
104 7111  portmapper
103 7111  portmapper
102 7111  portmapper
151   udp935  mountd
153   udp935  mountd
151   tcp935  mountd
153   tcp935  mountd
132   udp   2049  nfs
133   udp   2049  nfs
132   tcp   2049  nfs
133   tcp   2049  nfs
1000241   udp605  status
1000241   tcp605  status

showmount -e 192.168.1.21
Exports list on 192.168.1.21:
/mnt/XFree/Photos  192.168.1.0
/mnt/XFree/backup  192.168.1.0
/mnt/XFree/MiniEnvPublic   192.168.1.0 192.168.1.12 192.168.1.14 192.168.1.127 192.168.1.19 192.168.1.20 192.168.1.23 192.168.1.121 192.168.1.224
/mnt/XFree/FNMusic Everyone
/mnt/XFree/backups/aorchidbk   192.168.1.12 192.168.1.14 192.168.1.121
/mnt/XFree/nfsshare Everyone

I am 192.168.1.121.

Aric



Re: About pf Rule ( pf.conf

2024-08-05 Thread Mike Fischer


> Am 05.08.2024 um 20:22 schrieb WATANABE Takeo :
> 
> Hi,Souji-SAN.
> 
> Thank you so much for your advice.
> We will reply to you in due course.
> 
> 
> on Sun, 04 Aug 2024 19:56:38 +0100
> "Souji Thenria"  wrote: 
> 
>> On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:
>>> I am having trouble because all packets are blocked.
>>> Please see below for a description of the problem.
>>> I would appreciate it if you could point out any problems.
>> 
>> The config looks ok so far; I don't see any problems.
>> 
>> Can you run 'pfctl -s rules' and send the command output?
>> You can also run 'tcpdump' on the interface. Can you see in-coming or
>> out-coming packages for your specified ports?
> 
> We are sending you the results of the "pfctl -s rules" run,
> the results of the "pfctl -vnf /etc/pf.conf" run
> and the original "pf.conf" as attachments, just in case.
> 
> The results of "pfctl -s rules" were difficult for me to understand,
> I am ashamed to say. As an example of what I understood,
> I also send you the result of "pfctl -vnf /etc/pf.conf".
> 
> I found the result of "tcpdump -n -e -ttt -r /var/log/pflogd" to be
> Most of them were DNS packets (IN/OUT).
> # This host is an authoritative DNS server, so I think it is natural.
> 
> Is it possible to understand the situation with these results?
> We look forward to your reply.
> 
> Best regards,
> 
> ---
> WATANABE, Takeo
> t...@kasaneiro.jp
> tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
> udp_services="{ domain, ntp }"
> 
> set block-policy drop
> set loginterface vio0
> 
> # don't filter on loopback interface
> set skip on lo0
> 
> # set up a default deny policy
> block all
> 
> # Blocking Spoofed Packets
> antispoof quick for vio0
> 
> # Allow packets
> pass log quick on vio0 proto tcp to any port $tcp_services keep state
> pass log quick on vio0 proto udp to any port $udp_services keep state
> 
> # Allow ICMP Packets
> pass quick on vio0 proto icmp to any keep state
> 
> moegi# pfctl -vnf /etc/pf.conf
> tcp_services = "{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
> udp_services = "{ domain, ntp }"
> set block-policy drop
> set loginterface vio0
> set skip on { lo0 }
> block drop all
> block drop in quick on ! vio0 inet6 from 2001:e42:102:1808::/64 to any
> block drop in quick on vio0 inet6 from fe80::9ea3:baff:fe02:a73 to any
> block drop in quick inet6 from 2001:e42:102:1808:160:16:212:251 to any
> block drop in quick on ! vio0 inet from 160.16.212.0/23 to any
> block drop in quick inet from 160.16.212.251 to any
> pass log quick on vio0 proto tcp from any to any port = 80 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 443 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 53 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 25 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 465 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 587 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 993 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 1522 flags S/SA
> pass log quick on vio0 proto udp from any to any port = 53
> pass log quick on vio0 proto udp from any to any port = 123
> pass quick on vio0 proto icmp all
> moegi#
> moegi# pfctl -s rules
> block drop all
> pass out inet proto icmp all icmp-type echoreq
> pass out inet proto udp from any port = 68 to any port = 67
> pass out proto tcp from any to any port = 53 flags S/SA
> pass out proto udp from any to any port = 53
> pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
> pass in proto tcp from any to any port = 22 flags S/SA
> pass in inet proto udp from any port = 67 to any port = 68
> pass on lo0 all flags S/SA
> pass inet6 proto ipv6-icmp all icmp6-type neighbradv no state
> pass out inet6 proto ipv6-icmp all icmp6-type routersol
> pass out inet6 proto udp from any port = 546 to any port = 547
> pass in inet6 proto ipv6-icmp all icmp6-type routeradv
> pass in inet6 proto udp from any port = 547 to any port = 546
> pass in proto carp all keep state (no-sync)
> pass out proto carp all !received-on any keep state (no-sync)
> moegi#

Your config, the result of `pfctl -vnf /etc/pf.conf` and the result of `pfctl 
-sr` do not match. Did you actually load your config (`pfctl -f /etc/pf.conf`, 
i.e. without -n)? -n only checks the config without loading it.

The loaded rules as returned by `pfctl -sr` would not allow much of your 
desired traffic. However they do allow NDP traffic.

Your vio0 interface seems to have IPv6 and IPv4 addresses. So you probably need 
to allow NDP traffic and you probably want to allow ICMPv6 echo as well.

One more debugging tip: Temporarily turn off pf to see if your issues are 
caused by your pf rules. `pfctl -d`. Then test and turn it back when done 
testing (`pfctl -e`).
Note (mainly for other readers): This tip works in your case, but not if NAT or 
forwarding rules are used.

PS. Do you 

Re: About pf Rule ( pf.conf

2024-08-05 Thread WATANABE Takeo
Hi,Souji-SAN.

Thank you so much for your advice.
We will reply to you in due course.


on Sun, 04 Aug 2024 19:56:38 +0100
"Souji Thenria"  wrote: 

> On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:
>> I am having trouble because all packets are blocked.
>> Please see below for a description of the problem.
>> I would appreciate it if you could point out any problems.
> 
> The config looks ok so far; I don't see any problems.
> 
> Can you run 'pfctl -s rules' and send the command output?
> You can also run 'tcpdump' on the interface. Can you see in-coming or
> out-coming packages for your specified ports?

We are sending you the results of the "pfctl -s rules" run,
the results of the "pfctl -vnf /etc/pf.conf" run
and the original "pf.conf" as attachments, just in case.

The results of "pfctl -s rules" were difficult for me to understand,
I am ashamed to say. As an example of what I understood,
I also send you the result of "pfctl -vnf /etc/pf.conf".

I found the result of "tcpdump -n -e -ttt -r /var/log/pflogd" to be
Most of them were DNS packets (IN/OUT).
# This host is an authoritative DNS server, so I think it is natural.

Is it possible to understand the situation with these results?
We look forward to your reply.

Best regards,

---
WATANABE, Takeo
t...@kasaneiro.jp
tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
udp_services="{ domain, ntp }"

set block-policy drop
set loginterface vio0

# don't filter on loopback interface
set skip on lo0

# set up a default deny policy
block all

# Blocking Spoofed Packets
antispoof quick for vio0

# Allow packets
pass log quick on vio0 proto tcp to any port $tcp_services keep state
pass log quick on vio0 proto udp to any port $udp_services keep state

# Allow ICMP Packets
pass quick on vio0 proto icmp to any keep state

moegi# pfctl -vnf /etc/pf.conf
tcp_services = "{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
udp_services = "{ domain, ntp }"
set block-policy drop
set loginterface vio0
set skip on { lo0 }
block drop all
block drop in quick on ! vio0 inet6 from 2001:e42:102:1808::/64 to any
block drop in quick on vio0 inet6 from fe80::9ea3:baff:fe02:a73 to any
block drop in quick inet6 from 2001:e42:102:1808:160:16:212:251 to any
block drop in quick on ! vio0 inet from 160.16.212.0/23 to any
block drop in quick inet from 160.16.212.251 to any
pass log quick on vio0 proto tcp from any to any port = 80 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 443 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 53 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 25 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 465 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 587 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 993 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 1522 flags S/SA
pass log quick on vio0 proto udp from any to any port = 53
pass log quick on vio0 proto udp from any to any port = 123
pass quick on vio0 proto icmp all
moegi#
moegi# pfctl -s rules
block drop all
pass out inet proto icmp all icmp-type echoreq
pass out inet proto udp from any port = 68 to any port = 67
pass out proto tcp from any to any port = 53 flags S/SA
pass out proto udp from any to any port = 53
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass in proto tcp from any to any port = 22 flags S/SA
pass in inet proto udp from any port = 67 to any port = 68
pass on lo0 all flags S/SA
pass inet6 proto ipv6-icmp all icmp6-type neighbradv no state
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass out inet6 proto udp from any port = 546 to any port = 547
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
pass in inet6 proto udp from any port = 547 to any port = 546
pass in proto carp all keep state (no-sync)
pass out proto carp all !received-on any keep state (no-sync)
moegi#

Re: Unable to Mount NFS Share

2024-08-05 Thread Mike Larkin
On Sat, Aug 03, 2024 at 01:35:11PM -0700, Aric Gregson wrote:
> Hello,
>
> I am having a great deal of difficulty mounting a NFS shared folder on my 
> local network. The share is from a TrueNAS server. I am able to mount the 
> same share on Armbian without difficulty.
>
> The error that I receive is:
>
> mount_nfs: bad MNT RPC: RPC: Timed out
>
> I have tried many variations of the mount and all fail with the same error.
>
>   doas mount address:/mnt/share /mnt/nfs
>   doas mount_nfs address:/mnt/share /mnt/nfs
>   doas mount_nfs -T -i address:/mnt/share /mnt/nfs
>   doas mount_nfs -2 -T -i address:/mnt/share /mnt/nfs
>   doas mount_nfs -3 -T -i address:/mnt/share /mnt/nfs
>
> This is not new for me, it has been going on for years. Just getting around 
> to trying it again. Any help is greatly appreciated.
>
> Thanks, Aric
>

You could try these commands from the openbsd client (replace server_ip with
server's IP address or FQDN)

rpcinfo -p server_ip
showmount -e server_ip

These should show you what RPC services are running on the server (and if they
are even reachable from the client), and what mounts are exported.

My guess is you either have NFSv4 only on the server, or it's not reachable
for some reason.



Re: radiusd

2024-08-05 Thread Mike
Thanks for the reply and the freeradius update.


On 8/5/2024 8:21 AM, Stuart Henderson wrote:
> On 2024-08-04, Mike  wrote:
>>
>> authentication method was not PAP
>>  (radiusd_bsdauth(8) supports only PAP)
>>
>> OK, that's the likely problem.  My WiFi access point is an old Linksys,
>> an LAPN600.  When I go to the "Wireless Security" screen on the access
>> point, I see nothing to choose a protocol to use.
> 
> For WPA-Enterprise, wifi access points typically tunnel EAP
> authentication (coming from the *client*, not the AP) to the RADIUS
> server. As well as handling auth, the RADIUS server also generates
> keying material for the session. OpenBSD radiusd doesn't support EAP or
> this key material generation. (The EAP method used is as chosen between
> client and RADIUS server).
> 
>> So, it seems I have to stick with freeradiusd (and OpenBSD's insecure
>> version of it) for the nonce.
> 
> I presume you're talking about "BlastRADIUS". This affects PAP, CHAP, or
> MS-CHAP over RADIUS/UDP, not EAP, so a typical WPA-Enterprise config
> is unaffected. It also requires that an attacker can view and modify
> RADIUS packets in transit, clearly a big issue where somebody runs
> the protocol over open internet connections (though this is something
> that has never really been OK with RADIUS anyway), but much less of
> a problem where it's run on a private network.
> 
> While it is a serious issue, it certainly doesn't affect all
> configurations, and I can't help feeling that it's slightly overblown -
> there was a lot of publicity from inkbridge (recently rebranded from
> "network radius") who I note sell verification tools, upgrade guide and
> Excel worksheet. Certainly useful in some situations but people should
> read to see if they're actually vulnerable.
> 
> The version of FreeRADIUS with fixes requires an additional function
> from libssl that libressl doesn't support yet. It's been added but
> not exposed until we're ready for a library bump. Once that's done
> I have an update ready to go. It won't be committed to -stable due to
> the need for that libssl change and another change to libcrypto that
> already went in.
> 
> See https://www.inkbridgenetworks.com/blastradius/faq and
> https://www.freeradius.org/security/ for more info and mitigations that
> can be done via config until the software is updated.
> 
> 
> 
> 



Re: Automatic Disk Partitioning

2024-08-05 Thread Kenneth Gober
On Sun, Aug 4, 2024 at 6:24 PM David Uhden Collado  wrote:

> I would like to understand the rationale behind this design choice. Is
> there a specific reason why the automatic partitioning is limited to
> around 350GB for system partitions? Any insights or explanations you can
> provide would be greatly appreciated.
>

The rationale is that the installer is not able to make a reasonable guess
about how you plan to use the system.  It knows the minimum required
filesystem sizes, and if you have a moderate amount of extra disk it has
rules on how to allocate the extra.

But if you have an extremely large amount of extra space there's no way to
tell what you have planned for it.  Are you going to run a database? Maybe
the extra space should go into /var.  Or better yet, use that extra space to
make a new filesystem like /var/mariadb or /var/postgresql.  Or maybe you
are setting up a web server and you'll want /var/www enlarged.  Maybe you
will want the extra space in an entirely new directory like /nfs.

If the installer can't reasonably guess, it is better to leave the space
unused as it's easy to add space somewhere if you have extra, but hard if
you don't.  The idea here is to start with sane defaults, not immediately
paint you into a corner.

-ken


Re: radiusd

2024-08-05 Thread Stuart Henderson
On 2024-08-04, Mike  wrote:
>
> authentication method was not PAP
>  (radiusd_bsdauth(8) supports only PAP)
>
> OK, that's the likely problem.  My WiFi access point is an old Linksys,
> an LAPN600.  When I go to the "Wireless Security" screen on the access
> point, I see nothing to choose a protocol to use.

For WPA-Enterprise, wifi access points typically tunnel EAP
authentication (coming from the *client*, not the AP) to the RADIUS
server. As well as handling auth, the RADIUS server also generates
keying material for the session. OpenBSD radiusd doesn't support EAP or
this key material generation. (The EAP method used is as chosen between
client and RADIUS server).

> So, it seems I have to stick with freeradiusd (and OpenBSD's insecure
> version of it) for the nonce.

I presume you're talking about "BlastRADIUS". This affects PAP, CHAP, or
MS-CHAP over RADIUS/UDP, not EAP, so a typical WPA-Enterprise config
is unaffected. It also requires that an attacker can view and modify
RADIUS packets in transit, clearly a big issue where somebody runs
the protocol over open internet connections (though this is something
that has never really been OK with RADIUS anyway), but much less of
a problem where it's run on a private network.

While it is a serious issue, it certainly doesn't affect all
configurations, and I can't help feeling that it's slightly overblown -
there was a lot of publicity from inkbridge (recently rebranded from
"network radius") who I note sell verification tools, upgrade guide and
Excel worksheet. Certainly useful in some situations but people should
read to see if they're actually vulnerable.

The version of FreeRADIUS with fixes requires an additional function
from libssl that libressl doesn't support yet. It's been added but
not exposed until we're ready for a library bump. Once that's done
I have an update ready to go. It won't be committed to -stable due to
the need for that libssl change and another change to libcrypto that
already went in.

See https://www.inkbridgenetworks.com/blastradius/faq and
https://www.freeradius.org/security/ for more info and mitigations that
can be done via config until the software is updated.




-- 
Please keep replies on the mailing list.



Re: Automatic Disk Partitioning

2024-08-05 Thread Nick Holland

On 8/4/24 15:16, David Uhden Collado wrote:

Hello,

I have observed that the automatic partitioning feature of disklabel(8)
does not allocate more than approximately 350GB to system partitions
[1]. In my opinion, the tool should have been designed to use all
available space on the storage device when partitioning.


I'd say, your opinion is wrong.


I would like to understand the rationale behind this design choice. Is
there a specific reason why the automatic partitioning is limited to
around 350GB for system partitions? Any insights or explanations you can
provide would be greatly appreciated.


It is basically impossible to buy a conventional (and because it is 2024,
let's include SSDs in "conventional") hard disk which is too small for
OpenBSD (or any other OS, really).  And especially since most modern OSs
have at least some ability to expand into unused space,

Honestly, I would prefer if the /home partition capped out at 20G or so.
After that, whatever is being done with the system should dictate where
space goes.

Unused space is a valuable resource on any computer.  Over the life of a
machine, initial decisions almost always turn out to need revision.  With
unused space, I can do amazing remote rebuilds of systems remotely (or
at least, without getting out of my chair).  But if you are building a
firewall, you need maybe 20G of space, but the smallest "disk" you can
get is 120G...there's ZERO reason to allocate all 120G.  Allocate what you
need, and then you can adjust later if needed.  Yes, I practice what I
preach.  Here's a firewall of mine:

sd0> p g
OpenBSD area: 64-312576705; size: 149.0G; free: 0.0G
#                size           offset  fstype [fsize bsize   cpg]
  a:             0.5G               64  4.2BSD   2048 16384  8032 # /
  b:             6.0G          1028160    swap                    # none
  c:           149.1G                0  unused
  d:             5.0G         13623136  4.2BSD   2048 16384 12960 # /usr
  e:             1.0G         24113536  4.2BSD   2048 16384 12960 # /tmp
  f:            10.0G         26218080  4.2BSD   2048 16384 12960 # /var
  g:             2.0G         57689408  4.2BSD   2048 16384 12960 # /usr/local
  h:             5.0G         47198944  4.2BSD   2048 16384 12960 # /home
  o:           117.5G         66107456  4.2BSD   2048 16384 12960


yes, there's a 117G partition to show me quickly how much I have available
should I someday decide to move things around.  Delete it, change what I
want.

(and yes, I did basically all custom partitioning on this system.  That, I
don't recommend.  Follow the defaults (except for size of /home) until you
are good enough that you can deal with the issues when you find out you were
not as smart as the OpenBSD devs after all.  I like hitting those issues,
because then I learn something).

Nick.



Re: About pf Rule ( pf.conf

2024-08-05 Thread Marko Cupać
On Mon, 05 Aug 2024 00:36:18 +0900 (JST)
WATANABE Takeo  wrote:

> Dear Sirs,
> 
> Would you be willing to discuss how to write pf.conf?

Having only one network interface, I assume this firewall protects
machine it resides on (a server), not network behind it (a router /
firewall), which rules out the need for net.inet.ip.forwarding sysctl.

My general rule of thumb is to log all blocked packets, at least
until I get functionality I want. I have busy firewalls which block and
log ~300 packets per second, pf handles it really well.

Try something like:

(temporarily remove `antispoof quick` until rest works, keep it above)
block log all
pass in  on vio0 (what you want to pass to the server)
pass out on vio0 (what you want the server to be able to reach)

Check with `pfctl -(vv)sr` if loaded ruleset corresponds to what you
intend.

Check `tcpdump -neqtttr /var/log/pflog` for history of blocked packets
and `tcpdump -neqttti pflog0` for real-time log.

Make sure to read complete PF FAQ:
https://www.openbsd.org/faq/pf/

There's even more in Peter N. M. Hansteen's "Book of PF".

HTH,


-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
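
The check that both Mike Fischer's and Marko Cupać's replies in this thread ask for (does the loaded ruleset correspond to what pf.conf parses to?), as an added example that is not part of any post here. It compares saved output of `pfctl -nvf /etc/pf.conf` and `pfctl -sr`; the script name `pfdrift.sh`, the file names and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): detect drift between the rules that
# pf.conf parses to and the rules pf is actually enforcing.
# On the firewall, as root, capture the two listings with the commands the
# thread uses, then compare them:
#   pfctl -nvf /etc/pf.conf > parsed.txt   # -n: parse only, nothing is loaded
#   pfctl -sr               > loaded.txt   # what the kernel enforces now
#   sh pfdrift.sh parsed.txt loaded.txt    # pfdrift.sh is a hypothetical name

# Keep only filter rules (drop macros, "set" lines and shell prompts),
# squeeze whitespace and sort so the two listings are comparable.
normalize_rules() {
    grep -E '^(block|pass|match)( |$)' "$1" |
        sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/ $//' |
        LC_ALL=C sort -u
}

# Print the rules present in listing $1 but absent from listing $2.
rules_only_in() {
    _a=$(mktemp) && _b=$(mktemp) || return 2
    normalize_rules "$1" > "$_a"
    normalize_rules "$2" > "$_b"
    LC_ALL=C comm -23 "$_a" "$_b"
    rm -f "$_a" "$_b"
}

# Report both directions of drift; return 0 only when the sets are identical.
compare_rulesets() {
    _not_loaded=$(rules_only_in "$1" "$2")
    _stale=$(rules_only_in "$2" "$1")
    if [ -z "$_not_loaded" ] && [ -z "$_stale" ]; then
        echo "OK: loaded ruleset matches pf.conf"
        return 0
    fi
    if [ -n "$_not_loaded" ]; then
        echo "In pf.conf but NOT loaded (run pfctl -f without -n?):"
        echo "$_not_loaded" | sed 's/^/  + /'
    fi
    if [ -n "$_stale" ]; then
        echo "Loaded but not in pf.conf:"
        echo "$_stale" | sed 's/^/  - /'
    fi
    return 1
}

# Sample listings, abridged from the output posted in this thread.
write_samples() {
    cat > "$1/parsed.txt" <<'EOF'
set block-policy drop
set skip on { lo0 }
block drop all
pass log quick on vio0 proto tcp from any to any port = 80 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 1522 flags S/SA
pass log quick on vio0 proto udp from any to any port = 53
pass quick on vio0 proto icmp all
EOF
    cat > "$1/loaded.txt" <<'EOF'
block drop all
pass out proto udp from any to any port = 53
pass in proto tcp from any to any port = 22 flags S/SA
pass on lo0 all flags S/SA
EOF
}

if [ "$#" -eq 2 ]; then
    # Real use: compare the two captured listings and exit with the result.
    compare_rulesets "$1" "$2"
    exit $?
elif [ "$#" -eq 0 ]; then
    # No arguments: run on the abridged sample so the report format is visible.
    _demo=$(mktemp -d) && write_samples "$_demo"
    compare_rulesets "$_demo/parsed.txt" "$_demo/loaded.txt" || :
    rm -rf "$_demo"
fi
```

On the sample data every `pass` rule from pf.conf is reported as not loaded, and the port 22 rule shows up as loaded but absent from pf.conf, which is the mismatch pointed out in the thread.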



Unable to Mount NFS Share

2024-08-05 Thread Aric Gregson

Hello,

I am having a great deal of difficulty mounting a NFS shared folder on my local 
network. The share is from a TrueNAS server. I am able to mount the same share 
on Armbian without difficulty.

The error that I receive is:

mount_nfs: bad MNT RPC: RPC: Timed out

I have tried many variations of the mount and all fail with the same error. 


  doas mount address:/mnt/share /mnt/nfs
  doas mount_nfs address:/mnt/share /mnt/nfs
  doas mount_nfs -T -i address:/mnt/share /mnt/nfs
  doas mount_nfs -2 -T -i address:/mnt/share /mnt/nfs
  doas mount_nfs -3 -T -i address:/mnt/share /mnt/nfs

This is not new for me, it has been going on for years. Just getting around to 
trying it again. Any help is greatly appreciated.

Thanks, Aric



Re: Automatic Disk Partitioning

2024-08-05 Thread Crystal Kolipe
On Mon, Aug 05, 2024 at 03:42:48AM +0200, David Uhden Collado wrote:
> > Why not just use a custom disklabel template that suits your needs? This
> > is the -t option to /sbin/disklabel.
> 
> How is it possible to use a custom template from the OpenBSD installer?

You'll need to drop to the shell and invoke the disklabel utility manually.

I've included a transcript from a sample console session below.

Whilst probably not ideal for someone who is new to OpenBSD, if you've got
experience of other unix-like operating systems it's not too much trouble.

> On
> the other hand, this workaround is not the most convenient since one
> typically does not reinstall OpenBSD frequently. New users often do not
> realize this issue and only discover after installing and configuring their
> system that they are utilizing less than half of the available storage on
> their hard drive, which nowadays is typically around 1TB in capacity.

Generally I would expect somebody who is new to OpenBSD to do a scratch
install on a spare machine to try out the system, but then re-install at
least once rather than continue using that scratch system as their 'final'
installation.  For nothing else, because generally people fiddle with all
sorts of settings that have effects beyond what they realise, (including
security related effects), and it's not always obvious how to twiddle the
knobs back.  Also, some people install without FDE and later want it.  A
re-install is not a bad thing.

(In fact, part of my job is to re-install our servers from scratch for every
release - we never use the upgrade tools.)

But more specifically to the issue of disk partitioning, there are three other
points here:

Firstly, the physically last partition that the installer automatically creates
is mounted on /home, and this is usually the one that the average home user
is going to want to expand into free space that follows.

Secondly, having an enormous /home or any other standard system partition is
not necessarily desirable for various reasons, some of which have already been
pointed out.  So adding a separate partition using the free space and mounting
it on, say, /storage, might also be a better idea.

Thirdly, unless you are on a machine with hardware constraints, (laptop, SBC,
etc), why would you want a boot/system disk larger than 512 Gb?

Keeping the boot/system disk small and installing a separate drive for bulk
data storage has the benefits of easy replacement in case of failure, (you're
only replacing and re-installing the system drive, not all of your data), and
it's also convenient if you want to swap out the drive for another to install
a new release, but keep the option of returning to the old system without the
hassle of restoring.

Console transcript follows:

Welcome to the OpenBSD/amd64 7.5 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? s
# cd /dev
# sh ./MAKEDEV sd0 sd1
# mkdir /mnt3
# mount /dev/sd1d /mnt3
# ls /mnt3
custom_template
# cat /mnt3/custom_template
/           150M-1G    5
SWAP        80M-16G    10
/tmp        120M-4G    8
/var        80M-40G    13
/usr        1500M-30G  10
/usr/X11R6  384M-1G    3
/usr/local  1G-20G     15
/usr/src    2G-5G      2
/usr/obj    5G-6G      4
/home       1G-*       30
# fdisk -e sd0
Enter 'help' for information
sd0: 1> reinit
Disk: sd0   geometry: 133674/255/63 [2147483648 Sectors]
Offset: 0   Signature: 0xAA55
Starting Ending LBA Info:
 #: id  C   H   S -  C   H   S [   start:size ]
---
 0: 00  0   0   0 -  0   0   0 [   0:   0 ] Unused
 1: 00  0   0   0 -  0   0   0 [   0:   0 ] Unused
 2: 00  0   0   0 -  0   0   0 [   0:   0 ] Unused
*3: A6  0   1   2 - 133674 172   2 [  64:  2147483584 ] OpenBSD
Use 'write' to update disk.
sd0*: 1> update
Machine code updated.
sd0*: 1> w
Writing MBR at offset 0.
sd0: 1> q
# disklabel -T /mnt3/custom_template -E sd0
Label editor (enter '?' for help at any prompt)
sd0> p
OpenBSD area: 64-2147483648; size: 2147483584; free: 2147483584
#                size           offset  fstype [fsize bsize   cpg]
  c:       2147483648                0  unused
sd0> A
sd0*> p g
OpenBSD area: 64-2147483648; size: 1024.0G; free: 0.0G
#                size           offset  fstype [fsize bsize   cpg]
  a:             1.0G               64  4.2BSD   2048 16384     1 # /
  b:            16.0G          2097216    swap
  c:          1024.0G                0  unused
  d:             4.0G         35651648  4.2BSD   2048 16384     1 # /tmp
  e:            40.0G         44040256  4.2BSD   2048 16384     1 # /var
  f:            30.0G        127926336  4.2BSD   2048 16384     1 # /usr
  g: 

failing to boot amd64 macbook pro

2024-08-05 Thread Peter J. Philipp
Hi,

kern.version=OpenBSD 7.5-current (GENERIC.MP) #121: Sat Jun  8 18:02:54 MDT 2024
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

This is the last working kernel for me.  I tried to upgrade last week as well
and it failed as well.

Looking for Best Current practice on how to bisect working kernels.  Is there
an FTP site with daily bsd.rd's from snapshots?

Is compiling the source the only option here?

Best Regards,
-pjp

-- 
** all info about me:  lynx https://callpeter.tel, dig loc delphinusdns.org **



Re: misbehaving localtime zone link

2024-08-04 Thread Philip Guenther
On Sun, Aug 4, 2024 at 5:26 AM Shadrock Uhuru  wrote:
> hi everyone
> i have two raspberry pi's setup as dns servers running unbound and nsd
> both are installed with the latest snapshots
> both are configured the same (os and dns)
> both sync off the ntpd at firewall.mydomain
> even though i have set the local time link on both to Europe/London
> ivy insist on returning the time for localzone AEST,
> i've tried deleting and recreating the link, rebooting
> but no joy,
> any pointers to why ivy is misbehaving ?

Is the TZ environment variable set (to the wrong value) on the one
box?  That's the only remaining factor I can think of...

Philip Guenther



Re: Automatic Disk Partitioning

2024-08-04 Thread David Uhden Collado
> Why not just use a custom disklabel template that suits your needs?
> This is the -t option to /sbin/disklabel.


How is it possible to use a custom template from the OpenBSD installer? 
On the other hand, this workaround is not the most convenient since one 
typically does not reinstall OpenBSD frequently. New users often do not 
realize this issue and only discover after installing and configuring 
their system that they are utilizing less than half of the available 
storage on their hard drive, which nowadays is typically around 1TB in 
capacity.


> I don't know if I'm misreading your inquiry but if I have more than
> enough storage space why would I allocate way too much space to system
> partitions by allocating it proportionally?


The only partition that I believe does not benefit from an increase in 
size is the one mounted on /usr/X11R6. For the rest, there may be 
reasons to consider increasing their sizes.




Re: Automatic Disk Partitioning

2024-08-04 Thread Greg Thomas
I don't know if I'm misreading your inquiry but if I have more than enough
storage space why would I allocate way too much space to system partitions
by allocating it proportionally?

On Sun, Aug 4, 2024 at 12:18 PM David Uhden Collado  wrote:

> Hello,
>
> I have observed that the automatic partitioning feature of disklabel(8)
> does not allocate more than approximately 350GB to system partitions
> [1]. In my opinion, the tool should have been designed to use all
> available space on the storage device when partitioning. To address this
> limitation, I had to write a custom program that calculates partition
> sizes to maintain their initial proportions while occupying the entire
> storage device.
>
> I would like to understand the rationale behind this design choice. Is
> there a specific reason why the automatic partitioning is limited to
> around 350GB for system partitions? Any insights or explanations you can
> provide would be greatly appreciated.
>
> References:
> 1. https://man.openbsd.org/disklabel#AUTOMATIC_DISK_ALLOCATION
>
> Best regards,
> David.
>
>


Re: Automatic Disk Partitioning

2024-08-04 Thread Åke Nordin
On 2024-08-04 21:16, David Uhden Collado wrote:

> Hello,
> I have observed that the automatic partitioning feature of disklabel(8) 
> does not allocate more than approximately 350GB to system partitions 
> [1]. In my opinion, the tool should have been designed to use all 
> available space on the storage device when partitioning. To address this 
> limitation, I had to write a custom program that calculates partition 
> sizes to maintain their initial proportions while occupying the entire 
> storage device.
> I would like to understand the rationale behind this design choice. Is 
> there a specific reason why the automatic partitioning is limited to 
> around 350GB for system partitions? Any insights or explanations you can 
> provide would be greatly appreciated.

There is at least one quite prevalent problem with using Really Large
filesystems that is a good reason for this: when you need to boot a
system that wasn't shut down orderly enough that all filesystems got
properly unmounted, the amount of time it takes for the fsck (file
system repair tool) that is automatically triggered at the next
reboot to finish will be a nuisance long before it completes.

A few other, possibly less convincing reasons to cap the sizes
of filesystems are that backups and restores get cumbersome, solving
problems where you need to grow a partition is far easier if
you have unused disk space, and solid state disk reliability
improves when a decent fraction of available storage is unused.

MfG,
-- 
Åke Nordin , resident Net/Lunix/telecom geek.
Netia Data AB, Stockholm SWEDEN *46#7O466OI99#



pkg_add and partial installs

2024-08-04 Thread J Doe

Hello list,

I updated one of my OpenBSD 7.5 servers via: pkg_add today using the
following:

$ pkg_add -uvi

... and the installation progressed until it reached PHP 8.2.  My server
had been using PHP 8.2.21 from packages, so this was an upgrade to the
latest release.

During install I noted the following via the terminal:

pkg_add: Installation of php-apache-8.2.22 failed, partial
installation recorded as partial-php-apache-8.2.22

I then re-ran: pkg_add and the upgrade process completed.  I verified
this via WordPress (as this server runs it), via the Site Health page
which showed an upgraded PHP version of 8.2.22.

While I have had updates fail in the past, I've never seen the output
"partial installation recorded ...".

Am I correct that the best way of dealing with this is via re-running:
pkg_add ?  Are any manual steps required for dealing with the "partial
install" ?

Thanks,

- J



Re: About pf Rule ( pf.conf

2024-08-04 Thread Crystal Kolipe
On Mon, Aug 05, 2024 at 12:36:18AM +0900, WATANABE Takeo wrote:
> Dear Sirs,
> 
> Would you be willing to discuss how to write pf.conf?
> 
> I'm using OpenBSD 7.5 AMD.
> I want to limit the packets going in and out as follows
> 
> 1. reject in principle : block all
> 2. when rejecting packets, do not log them.
> 3. there is only one interface (vio0) that goes in and out of the host.
>    Take necessary logs on this interface.
> 4. do nothing on the local loopback (lo0) interface.
> 5. reject anti-spoofing packets on vio0.
> 6. Allow the following protocols to pass.
>TCP ( http, https, domain, smtp, smtps, msa, imaps, 1522 )
>* Port 1522 is SSH.
> 
>UDP ( domain, ntp )
> 
> I've written these rules (pf.conf) in my own way
> I am having trouble because all packets are blocked.

Are you using IPv6?

If so, you will need to pass icmp6 so that NDP works correctly.
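
The point raised in this reply, shown as an added example (not code from the thread or from OpenBSD): a small model of pf's "last matching rule wins unless quick" evaluation, run over the posted ruleset. The packet dictionaries and the extra icmp6 rule in FIXED are assumptions made for illustration; antispoof and the other "set" options are not modelled.

```python
import re

# The pf.conf posted in this thread, with comments and blank lines dropped.
POSTED = '''
tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
udp_services="{ domain, ntp }"
set block-policy drop
set loginterface vio0
set skip on lo0
block all
antispoof quick for vio0
pass log quick on vio0 proto tcp to any port $tcp_services keep state
pass log quick on vio0 proto udp to any port $udp_services keep state
pass quick on vio0 proto icmp to any keep state
'''

# Assumed variant for comparison: the same ruleset plus one rule for ICMPv6.
FIXED = POSTED + "pass quick on vio0 inet6 proto icmp6 all\n"


def parse(conf):
    """Return (skipped interfaces, ordered rules) for the subset used above."""
    macros, skipped, rules = {}, set(), []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        macro = re.fullmatch(r'(\w+)="\{(.*)\}"', line)
        if macro:
            macros[macro.group(1)] = {p.strip() for p in macro.group(2).split(",")}
            continue
        words = line.split()
        if words[:3] == ["set", "skip", "on"]:
            skipped.add(words[3])
            continue
        if not words or words[0] not in ("block", "pass"):
            continue  # other "set" lines and antispoof are not modelled
        rule = {
            "action": words[0],
            "quick": "quick" in words,
            "iface": words[words.index("on") + 1] if "on" in words else None,
            "af": next((w for w in words if w in ("inet", "inet6")), None),
            "proto": words[words.index("proto") + 1] if "proto" in words else None,
            "ports": None,
        }
        if "port" in words:
            token = words[words.index("port") + 1]
            rule["ports"] = macros[token[1:]] if token.startswith("$") else {token}
        rules.append(rule)
    return skipped, rules


def decide(conf, packet):
    """Verdict for one packet: the last matching rule wins, 'quick' stops early."""
    skipped, rules = parse(conf)
    if packet["iface"] in skipped:
        return "pass"          # "set skip on": the interface is not filtered
    verdict = "pass"           # pf passes a packet that no rule matches
    for rule in rules:
        if rule["iface"] not in (None, packet["iface"]):
            continue
        if rule["af"] not in (None, packet["af"]):
            continue
        if rule["proto"] not in (None, packet["proto"]):
            continue
        if rule["ports"] is not None and packet.get("port") not in rule["ports"]:
            continue
        verdict = rule["action"]
        if rule["quick"]:
            break
    return verdict


# Constructed sample packets (not captured traffic).
NEIGHBOR_SOLICIT = {"iface": "vio0", "af": "inet6", "proto": "icmp6", "port": None}
HTTPS_V4 = {"iface": "vio0", "af": "inet", "proto": "tcp", "port": "https"}
SSH_DEFAULT = {"iface": "vio0", "af": "inet", "proto": "tcp", "port": "ssh"}
LOOPBACK = {"iface": "lo0", "af": "inet", "proto": "tcp", "port": "ssh"}

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("with icmp6 rule", FIXED)):
        print(name, "-> neighbor solicitation:", decide(conf, NEIGHBOR_SOLICIT))
    print("posted -> https:", decide(POSTED, HTTPS_V4))
```

In this model the posted ruleset passes the listed TCP and UDP services but leaves ICMPv6, and with it neighbor discovery, to the default `block all`.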



Re: Automatic Disk Partitioning

2024-08-04 Thread Crystal Kolipe
On Sun, Aug 04, 2024 at 09:16:52PM +0200, David Uhden Collado wrote:
> To address this limitation, I had to
> write a custom program that calculates partition sizes to maintain their
> initial proportions while occupying the entire storage device.

Why not just use a custom disklabel template that suits your needs?

This is the -t option to /sbin/disklabel.

As a starting point, the following template is broadly equivalent to the
defaults that are hard-coded in to /sbin/disklabel for 'large' volumes:

/           150M-1G    5
SWAP        80M-256M   10
/tmp        120M-4G    8
/var        80M-4G     13
/usr        1500M-30G  10
/usr/X11R6  384M-1G    3
/usr/local  1G-20G     15
/usr/src    2G-5G      2
/usr/obj    5G-6G      4
/home       1G-300G    30

Although note that /sbin/disklabel has code to modify the swap and var
partitions based on the physical memory of the machine, and this logic
cannot, (currently), be expressed in such a template.

Whilst we're here, there is still a comment in editor.c that says that
the swap and var entries are further adjusted from the defined values
in editor_allocspace().

In fact, this code was moved out to allocate_physmemincr() in revision
1.412 last year.  Maybe the comment should be updated to reflect this.
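
How the maximum column of such a template caps the allocation, as an added example (not code from this message and not the logic in editor.c): a simplified model in which every entry gets its minimum plus its percentage of the remaining space, limited by its maximum, and the last entry takes what is left. The 1024G disk size is an assumption taken from the console transcript elsewhere in this thread, and the physical-memory adjustment of swap and /var mentioned above is not modelled.

```python
import re

MB_PER_UNIT = {"M": 1, "G": 1024, "T": 1024 * 1024}

# Template from the message above ("broadly equivalent to the defaults").
DEFAULT_LIKE = """
/           150M-1G    5
SWAP        80M-256M   10
/tmp        120M-4G    8
/var        80M-4G     13
/usr        1500M-30G  10
/usr/X11R6  384M-1G    3
/usr/local  1G-20G     15
/usr/src    2G-5G      2
/usr/obj    5G-6G      4
/home       1G-300G    30
"""

# Template from the console transcript in this thread: larger swap and /var
# maxima, and an unlimited /home.
CUSTOM = DEFAULT_LIKE.replace("80M-256M", "80M-16G").replace(
    "80M-4G ", "80M-40G").replace("1G-300G", "1G-*")


def parse_size(text):
    """Convert '150M', '1G' or '2T' to megabytes."""
    match = re.fullmatch(r"(\d+)([MGT])", text.upper())
    if match is None:
        raise ValueError(f"unsupported size {text!r}")
    return int(match.group(1)) * MB_PER_UNIT[match.group(2)]


def parse_template(text):
    """Return a list of (mount point, min MB, max MB or None, percent)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed template line {raw!r}")
        low, dash, high = fields[1].partition("-")
        minimum = parse_size(low)
        if not dash:
            maximum = minimum          # a single size means a fixed size
        elif high == "*":
            maximum = None             # '*' means no upper limit
        else:
            maximum = parse_size(high)
        rate = int(fields[2].rstrip("%")) if len(fields) > 2 else 0
        entries.append((fields[0], minimum, maximum, rate))
    return entries


def allocate(entries, disk_mb):
    """Return ({mount point: size in MB}, unallocated MB) under the model."""
    total_min = sum(minimum for _, minimum, _, _ in entries)
    if total_min > disk_mb:
        raise ValueError("disk is smaller than the sum of the minimum sizes")
    if sum(rate for _, _, _, rate in entries) > 100:
        raise ValueError("percentages add up to more than 100")
    extra = disk_mb - total_min
    sizes, used = {}, 0
    for index, (mount, minimum, maximum, rate) in enumerate(entries):
        if index == len(entries) - 1:
            size = disk_mb - used      # last entry: everything still free
        else:
            size = minimum + extra * rate // 100
        if maximum is not None:
            size = min(size, maximum)  # the cap that leaves space unused
        sizes[mount] = size
        used += size
    return sizes, disk_mb - used


if __name__ == "__main__":
    disk = 1024 * 1024                 # 1024G, as in the console transcript
    for name, template in (("default-like", DEFAULT_LIKE), ("custom", CUSTOM)):
        sizes, free = allocate(parse_template(template), disk)
        print(f"{name}: allocated {sum(sizes.values()) / 1024:.2f}G, "
              f"free {free / 1024:.2f}G, /home {sizes['/home'] / 1024:.2f}G")
```

On a 1024G disk the default-like template stops at the sum of its maxima, while the variant with `/home 1G-*` leaves nothing free.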



subscribe

2024-08-04 Thread normal_max
subscribe



Chromium and microphone at slack

2024-08-04 Thread Kirill A . Korinsky
misc@,

I'm having a strange problem with Chromium and Slack: I can't use my
microphone. Webcam and sound work, but not the microphone. The weird thing is
that Google Meet works perfectly with the microphone in the next tab.

I run -current, which I update once or twice per week, and I definitely had used
the microphone in Slack in June.

I have no idea how to dig this out, so any advice is welcome.

-- 
wbr, Kirill



Automatic Disk Partitioning

2024-08-04 Thread David Uhden Collado

Hello,

I have observed that the automatic partitioning feature of disklabel(8) 
does not allocate more than approximately 350GB to system partitions 
[1]. In my opinion, the tool should have been designed to use all 
available space on the storage device when partitioning. To address this 
limitation, I had to write a custom program that calculates partition 
sizes to maintain their initial proportions while occupying the entire 
storage device.


I would like to understand the rationale behind this design choice. Is 
there a specific reason why the automatic partitioning is limited to 
around 350GB for system partitions? Any insights or explanations you can 
provide would be greatly appreciated.


References:
1. https://man.openbsd.org/disklabel#AUTOMATIC_DISK_ALLOCATION

Best regards,
David.



Re: About pf Rule ( pf.conf

2024-08-04 Thread Souji Thenria

On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:

> I am having trouble because all packets are blocked.
> Please see below for a description of the problem.
> I would appreciate it if you could point out any problems.


The config looks ok so far; I don't see any problems.

Can you run 'pfctl -s rules' and send the command output?
You can also run 'tcpdump' on the interface. Can you see in-coming or
out-coming packages for your specified ports?


> pf.conf
>
> tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
> udp_services="{ domain, ntp }"
>
> set block-policy drop
> set loginterface vio0
>
> # don't filter on loopback interface
> set skip on lo0
>
> # set up a default deny policy
> block all
>
> # Blocking Spoofed Packets
> antispoof quick for vio0
>
> # Allow packets
> pass log quick on vio0 proto tcp to any port $tcp_services keep state
> pass log quick on vio0 proto udp to any port $udp_services keep state
>
> # Allow ICMP Packets
> pass quick on vio0 proto icmp to any keep state
>
> ---


Regards,
Souji

--
Souji Thenria
Website: www.souji-thenria.net




Re: Optimization Advice for High Resource Utilization PostgreSQL Query on OpenBSD

2024-08-04 Thread j

On 30.07.24 14:04, Kihaguru Gathura wrote:


> Hi,
>
> I am seeking advice on optimizing a PostgreSQL query that is consuming
> a significant amount of CPU resources on my Dell PowerEdge T340
> server. The server has an Intel Xeon E-2124 CPU @ 3.30GHz (4 cores, no
> Hyper-Threading) and 16GB RAM, running OpenBSD 7.3 (GENERIC.MP) #1125.


This is a reasonably fast CPU and there is lots of RAM. No issues there.



> The query in question occasionally utilizes around 40% of the CPU,
> with CPU1 and CPU2 being more utilized compared to CPU0 and CPU3. This
> suggests that the workload might not be well-balanced across all cores.



As long as the CPU work is getting done, you don't care (or shouldn't
care) which CPU is doing the work.

"top" is not a great tool for measuring CPU consumption of a process.
It filters the measurements, resulting in a slow change approaching the
actual.  The overall cpu consumption (top row or rows) is good.


> I am monitoring the system to ensure that CPU usage by PostgreSQL does
> not lead to performance issues, especially if more queries are
> executed simultaneously. Other processes (such as httpd, relayd, etc.)
> are consuming minimal CPU time, indicating they are not contributing
> significantly to the overall load.



The critical assumption you have made is that CPU consumption is bad.
This is not necessarily true, it all depends on your circumstances.  If
it is a "monthly summary", no big deal, you run it once a month.

But if it is a "customer summary" and you have hundreds of customers all
running it concurrently that might be something to adjust or adapt to.

Consider the point of view of the end-user.  Is the query performance OK?

If it is actually OK then you have nothing to do.  CPU measurements are
not visible to the end user and they don't care about them.

If query performance is not "OK" then memory is the first thing to
adjust, followed by indexing (as you've started already).

Configuring and tuning Postgresql is a lifelong ambition.  There are
dozens if not hundreds of advice pages available.  The first things
to do (you don't say if these are done, or not):

- setup sysctl.conf to larger numbers,  for example
  kern.seminfo.semmni=60
  kern.seminfo.semmns=1024
  kern.shminfo.shmall=32768

  Consult postgres documents for advice according to number of users
  and database size.

- setup postgres for suitable max_connections (leaving lots of margin)

- setup postgres for lots of memory in use, shared_buffers=3GB for example

   Do not use more than about a quarter of RAM.  Be sure that login.conf
   entries for _postgresql user are suitable for this number.

- setup postgres for temp_buffers larger; but seek tuning advice on this.

- setup postgres for random_page_cost = 1.0 provided that you have SSD not
  rotating disks.

This is probably the wrong forum for detailed postgresql advice.  You
might have to search elsewhere.

good luck

J



About pf Rule ( pf.conf

2024-08-04 Thread WATANABE Takeo
Dear Sirs,

Would you be willing to discuss how to write pf.conf?

I'm using OpenBSD 7.5 AMD.
I want to limit the packets going in and out as follows

1. reject in principle : block all
2. when rejecting packets, do not log them.
3. there is only one interface (vio0) that goes in and out of the host.
   Take necessary logs on this interface.
4. do nothing on the local loopback (lo0) interface.
5. reject anti-spoofing packets on vio0.
6. Allow the following protocols to pass.
   TCP ( http, https, domain, smtp, smtps, msa, imaps, 1522 )
   * Port 1522 is SSH.

   UDP ( domain, ntp )

I've written these rules (pf.conf) in my own way
I am having trouble because all packets are blocked.
Please see below for a description of the problem.
I would appreciate it if you could point out any problems.

Best regards,

---
WATANABE, Takeo
t...@kasaneiro.jp


pf.conf

tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
udp_services="{ domain, ntp }"

set block-policy drop
set loginterface vio0

# don't filter on loopback interface
set skip on lo0

# set up a default deny policy
block all

# Blocking Spoofed Packets
antispoof quick for vio0

# Allow packets
pass log quick on vio0 proto tcp to any port $tcp_services keep state
pass log quick on vio0 proto udp to any port $udp_services keep state

# Allow ICMP Packets
pass quick on vio0 proto icmp to any keep state

---



misbehaving localtime zone link

2024-08-04 Thread Shadrock Uhuru



hi everyone
i have two raspberry pi's setup as dns servers running unbound and nsd
both are installed with the latest snapshots
both are configured the same (os and dns)
both sync off the ntpd at firewall.mydomain
even though i have set the local time link on both to Europe/London
ivy insist on returning the time for localzone AEST,
i've tried deleting and recreating the link, rebooting
but no joy,
any pointers to why ivy is misbehaving ?


candace$ uname -a
OpenBSD candace.mydomain 7.5 GENERIC #118 arm64
candace$ ls -l /etc/localtime
lrwxr-xr-x  1 root  wheel  33 Jul 22  2023 /etc/localtime -> /usr/share/zoneinfo/Europe/London
candace$ date
Sun Aug  4 11:13:16 BST 2024
candace$ doas rdate firewall.mydomain
Sun Aug  4 11:13:57 BST 2024
candace$ date
Sun Aug  4 11:14:30 BST 2024
ls -l /usr/share/zoneinfo/Europe/London
-r--r--r--  4 root  bin  3661 Mar  7 08:19 /usr/share/zoneinfo/Europe/London

candace$ cat /etc/ntpd.conf
# $OpenBSD: ntpd.conf,v 1.16 2019/11/06 19:04:12 deraadt Exp $
#

server 10.2.1.1 trusted
#sensor *

constraint from "9.9.9.9"  # quad9 v4 without DNS
constraint from "2620:fe::fe"  # quad9 v6 without DNS
constraints from "www.google.com   # intentionally not 8.8.8.8

-

ivy$ uname -a
OpenBSD ivy.mydomain 7.5 GENERIC #118 arm64
ivy$ ls -l /etc/localtime
lrwxr-xr-x  1 root  wheel  33 Aug  4 05:21 /etc/localtime -> /usr/share/zoneinfo/Europe/London
ivy$ date
Sun Aug  4 20:15:23 AEST 2024
ivy$ doas rdate firewall.mydomain
Sun Aug  4 20:15:51 AEST 2024
ivy$ date
Sun Aug  4 20:16:08 AEST 2024
ivy$ doas rm /etc/localtime
ivy$ date
Sun Aug  4 10:17:43 GMT 2024
ivy$ doas ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime
ivy$ date
Sun Aug  4 20:18:51 AEST 2024
ivy$ ls -l /usr/share/zoneinfo/Europe/London
-r--r--r--  4 root  bin  3661 Mar  7 19:19 /usr/share/zoneinfo/Europe/London

ivy$ cat /etc/ntpd.conf
# $OpenBSD: ntpd.conf,v 1.16 2019/11/06 19:04:12 deraadt Exp $
#

server 10.2.1.1 trusted
#sensor *

constraint from "9.9.9.9"  # quad9 v4 without DNS
constraint from "2620:fe::fe"  # quad9 v6 without DNS
constraints from "www.google.com""



thanks shadrock



Re: Unable to Mount NFS Share RPC Timeout

2024-08-04 Thread void

Hi,

On Sat, Aug 03, 2024 at 06:32:13PM -0700, Aric Gregson wrote:

> Hello,
>
> I have been experiencing difficulty mounting a NFS share from a TrueNas server
> on my home network. The operation works on a local computer running Armbian
> and, usually, on a Mac.
>
> The error I receive is the following, which just keeps coming until I stop the
> connection attempt:
>
>    mount_nfs: bad MNT RPC: RPC: Timed out
>
> I have tried many variations of the mount and all fail with the same error.
> Whether I use doas or as root there is no change.
>
>  mount host:/mnt/share /mnt/nfs
>
>  mount_nfs host:/mnt/share /mnt/nfs
>  mount_nfs -T -i host:/mnt/share /mnt/nfs
>  mount_nfs -2 -T -i host:/mnt/share /mnt/nfs
>  mount_nfs -3 -T -i host:/mnt/share /mnt/nfs
>
> This is not new for me, it has been going on for years. Just getting around to
> trying it again. I have included a dmesg, but it happens on my other OpenBSD
> computer, which is a ThinkPad. Any help is greatly appreciated.


I've seen the same problem. See 
https://marc.info/?l=openbsd-misc=172191444915091=2
I was not able to fix it. For testing, I disabled pf on the openbsd client 
instance.

On the client, do you get output from "rpcinfo -p server_ip" ?

--



Re: (Fork) "IP rights" bullshit, philosophy & OpenBSD compatibility with this

2024-08-04 Thread hahahahacker2009
On Sunday, August 4, 2024, Anon Loli wrote:

> On Sat, Aug 03, 2024 at 08:25:22PM +0700, hahahahacker2009 wrote:
> > On Friday, August 2, 2024, Mihai Popescu wrote:
> >
> > > > [...] such a evil that it affects humanity [...]
> > >
> > > Just one question, please: who put you in charge to defend humanity?
> > > I don't care about the answer, but go defend the humanity out of the
> > > misc@.
> > > Please.
> > >
> > > Be quiet!
> >
> > -- Forwarded message --
> > From: *Anon Loli*
> > Date: Monday, July 15, 2024
> > Subject: (Fork) "IP rights" bullshit, philosophy & OpenBSD compatibility
> > with this
> > To: hahahahacker2009
> >
> >
> > It's good to know that, and it's okay if people get disrupted, especially
> > if it
> > might in the future benefit OpenBSD community, it's okay to get a few
> > imperfect
> > feelings, fucking snowflakes
> > I posted this in @misc, not @tech, stop being full of your bullshit,
> please
>
>
> Feelings don't matter because positive changes are not only urgently
> necessary,
> but also superior than someone's feelings.
> There are things that I've probably been wrong half of my life about, but I
> don't give a shit about my feelings because I know that it's okay to be
> wrong,
> especially if you find out the truth or at least something closer to it.
>
>
> TL;DR: it's okay to be wrong even if you've been wrong for a long time.
>

This is a thread where you can find Anon Loli's trolling behaviors:
https://marc.info/?t=17211487322=1=2

For you all, I forgot to include this.
From Anon Loli:

"I don't need to go to any country, I'm anonymous and as such I face no
consequences."

Don't feed the troll.


Re: radiusd

2024-08-04 Thread Mike
Thank-you for the reply.

The username/password is correct.  I know that because I run the
radiusctl program from a different OpenBSD box, and I see

% radiusctl test 10.0.1.1 secretstuff stuff password stuffpswd
Sending:
Id= 67
Code  = Access-Request(1)
User-Name = "stuff"
User-Password = "stuffpswd"
NAS-Port  = 0
NAS-IP-Address= 10.0.1.1

Received:
Id= 67
Code  = Access-Accept(2)
Authenticator = Verified
Message-Authenticator = Verified
Reply-Message = "Authentication succeeded"




OK, I mangled the IP addresses  and the name/password stuff.

But the important point, to me, is that from another OpenBSD box, the
RADIUS query is verified and accepted.

So, the username/password seem to be OK.

That leaves the second comment you stated...

authentication method was not PAP
 (radiusd_bsdauth(8) supports only PAP)

OK, that's the likely problem.  My WiFi access point is an old Linksys,
an LAPN600.  When I go to the "Wireless Security" screen on the access
point, I see nothing to choose a protocol to use.

So, it seems I have to stick with freeradiusd (and OpenBSD's insecure
version of it) for the nonce.

{sigh}

btw, I can ~play and test things here~ if that is helpful for you.  It's
my home network, and I am always willing to help OpenBSD.

In any case, many thanks for your quick replies.

Most appreciated.



On 8/3/2024 11:43 PM, YASUOKA Masahiko wrote:
> Hello,
> 
> On Sat, 3 Aug 2024 21:37:12 -0400
> Mike  wrote:
>> OK, in that endeavor, I get an error message when I run radiusd -d, one
>> for which I cannot find any explanation.
>>
>> 2024-08-03 21:22:42:INFO: Received Access-Request(code=1) from
>> 10.11.4.234:45955 id=22 username=e5 q=1: `bsdauth' authentication is
>> starting
>>
>> 2024-08-03 21:22:42:INFO: Sending Access-Reject(code=3) to
>> 10.11.4.234:45955 id=22 q=1
>>
>> What, exactly, is that "reject" error message trying to tell me?
> 
> It shows radiusd(8) sends "Access-Reject" to the RADIUS client.
> 
>> What was incorrect?
> 
> username or password was incorrect
> 
> or
> 
> authentication method was not PAP
> (radiusd_bsdauth(8) supports only PAP)
> 
> ?
> 



Re: (Fork) "IP rights" bullshit, philosophy & OpenBSD compatibility with this

2024-08-03 Thread Raul Miller
On Sat, Aug 3, 2024 at 11:56 PM David Uhden Collado  wrote:
> I think that discussing the legitimacy of intellectual "property" from a
> philosophical rather than a practical standpoint is highly constructive
> and beneficial.

The scope of this issue is quite large. I can talk to you about that
off-list if you like..

But misc@ does not have the mandate nor the capacity to adequately
treat those issues, nor are most people inclined to adequately
research these issues.

-- 
Raul



Re: (Fork) "IP rights" bullshit, philosophy & OpenBSD compatibility with this

2024-08-03 Thread David Uhden Collado

> Go defend the humanity out of the misc@.

I think that discussing the legitimacy of intellectual "property" from a 
philosophical rather than a practical standpoint is highly constructive 
and beneficial.


The reason I completely reject the so-called copyleft "free" software 
licenses and fully support the copyright policy of the OpenBSD project 
[1] is that I am fundamentally opposed to any form of "ownership" over 
intangible goods. I do not consider it ethical. I believe that I should 
only have control over the original work hosted on my hardware. What 
comes out of there should not be under my control. I find the 
restrictions imposed by copyleft "free" software licenses to be just as 
unethical as those used in proprietary software licenses. For me, the 
end does not justify the means under any circumstances; it is a matter 
of ethics. Since I don't want to make this email too long, I recommend 
reading this article to learn about the arguments that support my (and 
others') position on this issue [2].


Setting aside the philosophical aspects and focusing on practical 
matters, I am content with avoiding legal complications by adding a 
disclaimer clause and waiving any legal action, even if the sole 
condition of retaining the license and copyright notice is violated.


> I meant CC0 specifically.

The main practical problem with dedicating a work to the public domain 
under the current system is that some jurisdictions do not recognize an 
author's right to relinquish their intellectual "property" "rights" 
before the expiration of the term established by law. In cases where 
public domain dedication is not legally possible, the author (by name) 
must explicitly authorize the use of a work for any exceptions to the 
standard intellectual "property" restrictions to apply. In summary, a 
license is necessary to waive any copy "rights" privileges. As a result, 
if someone in the U.S. dedicates a work to the public domain, it can 
theoretically be used without restrictions in the U.S., but in another 
country, it may be illegal for a recipient to use it without obtaining 
explicit permission from the copyright holder (by name) [3].


References:

1. https://www.openbsd.org/policy.html
2. https://gist.github.com/LiquidZulu/a269df658060c9e9e358c3ad43b6b736
3. 
https://cubicspot.blogspot.com/2014/03/writing-software-without-copyright.html




Re: radiusd

2024-08-03 Thread YASUOKA Masahiko
Hello,

On Sat, 3 Aug 2024 21:37:12 -0400
Mike  wrote:
> OK, in that endeavor, I get an error message when I run radiusd -d, one
> for which I cannot find any explanation.
> 
> 2024-08-03 21:22:42:INFO: Received Access-Request(code=1) from
> 10.11.4.234:45955 id=22 username=e5 q=1: `bsdauth' authentication is
> starting
> 
> 2024-08-03 21:22:42:INFO: Sending Access-Reject(code=3) to
> 10.11.4.234:45955 id=22 q=1
> 
> What, exactly, is that "reject" error message trying to tell me?

It shows radiusd(8) sends "Access-Reject" to the RADIUS client.

> What was incorrect?

username or password was incorrect

or

authentication method was not PAP
(radiusd_bsdauth(8) supports only PAP)

?



radiusd

2024-08-03 Thread Mike
I'm baffled.

I am trying to move towards OpenBSD's radiusd program instead of the
freeradius program I have been using.

Freeradius looks way complex (kind of surprised that I got it to work on
my network.)

But with Freeradius, there has been a security issue
(https://www.freeradius.org/security/), bringing its version to 3.2.5.

But the OpenBSD port seems to be stuck at the 3.2.3 version that has the
security issue.

So


I'm looking to move towards radiusd.

OK, in that endeavor, I get an error message when I run radiusd -d, one
for which I cannot find any explanation.

2024-08-03 21:22:42:INFO: Received Access-Request(code=1) from
10.11.4.234:45955 id=22 username=e5 q=1: `bsdauth' authentication is
starting

2024-08-03 21:22:42:INFO: Sending Access-Reject(code=3) to
10.11.4.234:45955 id=22 q=1

What, exactly, is that "reject" error message trying to tell me?

What was incorrect?


thanks.




Unable to Mount NFS Share RPC Timeout

2024-08-03 Thread Aric Gregson

Hello,

I have been experiencing difficulty mounting a NFS share from a TrueNas server 
on my home network. The operation works on a local computer running Armbian 
and, usually, on a Mac.

The error I receive is the following, which just keeps coming until I stop the 
connection attempt:

mount_nfs: bad MNT RPC: RPC: Timed out

I have tried many variations of the mount and all fail with the same error. Whether I use doas or as root there is no change. 
 
  mount host:/mnt/share /mnt/nfs

  mount_nfs host:/mnt/share /mnt/nfs
  mount_nfs -T -i host:/mnt/share /mnt/nfs
  mount_nfs -2 -T -i host:/mnt/share /mnt/nfs
  mount_nfs -3 -T -i host:/mnt/share /mnt/nfs
 
This is not new for me, it has been going on for years. Just getting around to trying it again. I have included a dmesg, but it happens on my other OpenBSD computer, which is a ThinkPad. Any help is greatly appreciated.

Thanks, Aric



cpu2: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 512KB 64b/line 
8-way L2 cache, 4MB 64b/line 16-way L3 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: AMD Ryzen Embedded V2748 with Radeon Graphics, 2900.01 MHz, 17-60-01, 
patch 08600103
cpu3: 

Re: orosound tilde pro headset over usb-c - microphone issue

2024-08-03 Thread Divan Santana
> The headset works great to play audio over usb-c, however the microphone
> is not working.

Update, when it's connected via the usb dongle (which ships with the
headset) the microphone and audio output just work.  Great.

Only, it would be nice to be able to get the mic to work over usb-c too.
I prefer it connected over usb-c because it charges the headset and the
noise cancelling functions still work.

And to figure out how to toggle between in-call mode (red led) and
normal audio mode (which seems to have better quality) would be nice.

Below is the full dmesg.

OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34131861504 (32550MB)
avail mem = 33075978240 (31543MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.3 @ 0x76333000 (18 entries)
bios0: vendor 3mdeb version "Dasharo (coreboot+UEFI) v1.7.2" date 12/21/2023
bios0: Notebook NV4xPZ
efi0 at bios0: UEFI 2.8
efi0: EDK II rev 0x1
acpi0 at bios0: ACPI 6.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT MCFG TPM2 LPIT APIC DMAR HPET BGRT FPDT
acpi0: wakeup devices XHCI(S3) GLAN(S4) TXHC(S4) TDM0(S4) TRP0(S4) PXSX(S4) 
PXSX(S4) PXSX(S4) PXSX(S4) CNVW(S3) PWRB(S3) SLPB(S3) LID0(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0
acpimcfg0: addr 0xc000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: 12th Gen Intel(R) Core(TM) i7-1260P, 2100.05 MHz, 06-9a-03, patch 0433
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,PKU,WAITPKG,PKS,MD_CLEAR,IBT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,TAA_NO,MISC_PKG_CT,ENERGY_FILT,DOITM,SBDR_SSDP_N,FBSDP_NO,PSDP_NO,RRSBA,OVERCLOCK,GDS_NO,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 48KB 64b/line 12-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 
10-way L2 cache, 18MB 64b/line 12-way L3 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 38MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2.0.1.0.1, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: 12th Gen Intel(R) Core(TM) i7-1260P, 2095.36 MHz, 06-9a-03, patch 0433
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,PKU,WAITPKG,PKS,MD_CLEAR,IBT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,TAA_NO,MISC_PKG_CT,ENERGY_FILT,DOITM,SBDR_SSDP_N,FBSDP_NO,PSDP_NO,RRSBA,OVERCLOCK,GDS_NO,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu1: 48KB 64b/line 12-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 
10-way L2 cache, 18MB 64b/line 12-way L3 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 8 (application processor)
cpu2: 12th Gen Intel(R) Core(TM) i7-1260P, 2095.35 MHz, 06-9a-03, patch 0433
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,PKU,WAITPKG,PKS,MD_CLEAR,IBT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,TAA_NO,MISC_PKG_CT,ENERGY_FILT,DOITM,SBDR_SSDP_N,FBSDP_NO,PSDP_NO,RRSBA,OVERCLOCK,GDS_NO,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu2: 48KB 64b/line 12-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 
10-way L2 cache, 18MB 64b/line 12-way L3 cache
cpu2: smt 0, core 4, package 0
cpu3 at mainbus0: apid 9 (application processor)
cpu3: 12th Gen Intel(R) Core(TM) i7-1260P, 2095.34 MHz, 06-9a-03, patch 0433
cpu3: 

Re: RockPro64 with Intel I225V Nic (Info #2)

2024-08-03 Thread Georg Bege
OK, I figured out my mistake, this card has a switch-port chip/adapter which enables 
the two NICs to be used - a Linux lspci says:

06:00.0 PCI bridge: ASMedia Technology Inc. ASM1182e 2-Port PCIe x1 Gen2 Packet Switch
07:03.0 PCI bridge: ASMedia Technology Inc. ASM1182e 2-Port PCIe x1 Gen2 Packet Switch
07:07.0 PCI bridge: ASMedia Technology Inc. ASM1182e 2-Port PCIe x1 Gen2 Packet Switch
08:00.0 Ethernet controller: Intel Corporation Ethernet Controller I225-V (rev 03)
09:00.0 Ethernet controller: Intel Corporation Ethernet Controller I225-V (rev 03)

And I bet we don’t support this. :-(

> On 03.08.2024 at 20:05, Jo MacMahon  wrote:
> 
> Have you tried the NIC with another operating system? I have heard that the 
> RockPro64's PCIe support is somewhat hit-and-miss, so it may be that the 
> hardware is incompatible.
> 
> On Sat, 3 Aug 2024, at 18:17, Georg Bege wrote:
>> Hi,
>> 
>> Sorry but I want to add some more information.
>> 
>> I have another PCI-E card which is a SATA extension card (6x sata port)
>> I think it’s a PCI-E x4 card.
>> 
>> This one does get detected, I know for sure that it was working on 
>> FreeBSD though with this card.
>> 
>> ——— snip ———
>> # pcidump
>> Domain /dev/pci0:
>> 0:0:0: Rockchip RK3399
>> 1:0:0: ASMedia unknown
>> 
>> rkpcie0 at mainbus0
>> pci0 at rkpcie0
>> ppb0 at pci0 dev 0 function 0 "Rockchip RK3399" rev 0x00: msi
>> pci1 at ppb0 bus 1
>> ahci0 at pci1 dev 0 function 0 vendor "ASMedia", unknown product 0x1166 rev 0x02: msi, AHCI 1.3.1
>> ——— snip ———
>> 
>> I think ASMedia is correct here, the interesting thing is now - if I 
>> use the Intel NIC I225V, it gets detected as ASMedia card too (which 
>> should be wrong?):
>> 
>> ——— snip ———
>> gateway# pcidump
>> Domain /dev/pci0:
>> 0:0:0: Rockchip RK3399
>> 1:0:0: ASMedia ASM1182e
>> 
>> gateway# dmesg|grep pci
>> "pcie-phy" at syscon27 not configured
>> rkpcie0 at mainbus0
>> pci0 at rkpcie0
>> ppb0 at pci0 dev 0 function 0 "Rockchip RK3399" rev 0x00: msi
>> pci1 at ppb0 bus 1
>> ppb1 at pci1 dev 0 function 0 "ASMedia ASM1182e" rev 0x00
>> pci2 at ppb1 bus 2
>> ——— snip ———
>> 
>> I don’t understand why this happens, does this mean that the igc driver 
>> doesn’t detect the card on the RockPro64 PCI-E bus?
>> 
>> Is this a mistake in the driver?
>> 
>> Regards,
>> Georg
>> 
>>> On 03.08.2024 at 18:53, Georg Bege  wrote:
>>> 
>>> Hi OpenBSD folks,
>>> 
>>> I'm having an issue with an Intel I225-V dual port NIC and Rockpro64,
>>> the card isn’t being detected despite the kernel detects pci0,1,2 devices.
>>> 
>>> Since the card itself is supported according to igc(4) I guess it's a 
>>> problem on the Rockpro64 board?
>>> I only need a single or dual-port card, any idea what other card I could 
>>> use?
>>> 
>>> Or is there a solution?
>>> 
>>> Below I copy a dmesg output.
>>> 
>>> Regards,
>>> 
>>> Georg
>>> 
>>> — snip —
>>> OpenBSD 7.5 (GENERIC.MP) #138: Wed Mar 20 19:42:15 MDT 2024
>>> dera...@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP
>>> real mem  = 4123770880 (3932MB)
>>> avail mem = 3912286208 (3731MB)
>>> random: good seed from bootblocks
>>> mainbus0 at root: Pine64 RockPro64 v2.1
>>> psci0 at mainbus0: PSCI 1.1, SMCCC 1.2, SYSTEM_SUSPEND
>>> efi0 at mainbus0: UEFI 2.10
>>> efi0: Das U-Boot rev 0x20240700
>>> smbios0 at efi0: SMBIOS 3.7.0
>>> smbios0: vendor U-Boot version "2024.07" date 07/01/2024
>>> smbios0: Pine64 RockPro64
>>> cpu0 at mainbus0 mpidr 0: ARM Cortex-A53 r0p4
>>> cpu0: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
>>> cpu0: 512KB 64b/line 16-way L2 cache
>>> cpu0: CRC32,SHA2,SHA1,AES+PMULL,ASID16
>>> cpu1 at mainbus0 mpidr 1: ARM Cortex-A53 r0p4
>>> cpu1: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
>>> cpu1: 512KB 64b/line 16-way L2 cache
>>> cpu2 at mainbus0 mpidr 2: ARM Cortex-A53 r0p4
>>> cpu2: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
>>> cpu2: 512KB 64b/line 16-way L2 cache
>>> cpu3 at mainbus0 mpidr 3: ARM Cortex-A53 r0p4
>>> cpu3: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
>>> cpu3: 512KB 64b/line 16-way L2 cache
>>> cpu4 at mainbus0 mpidr 100: ARM Cortex-A72 r0p2
>>> cpu4: 48KB 64b/line 3-way L1 PIPT I-cache, 32KB 64b/line 2-way L1 D-cache
>>> cpu4: 1024KB 64b/line 16-way L2 cache
>>> cpu4: CRC32,SHA2,SHA1,AES+PMULL,ASID16
>>> cpu5 at mainbus0 mpidr 101: ARM Cortex-A72 r0p2
>>> cpu5: 48KB 64b/line 3-way L1 PIPT I-cache, 32KB 64b/line 2-way L1 D-cache
>>> cpu5: 1024KB 64b/line 16-way L2 cache
>>> apm0 at mainbus0
>>> agintc0 at mainbus0 sec shift 3:3 nirq 288 nredist 6 ipi: 0, 1, 2: 
>>> "interrupt-controller"
>>> 

orosound tilde pro headset over usb-c - microphone issue

2024-08-03 Thread Divan Santana
Greetings :)

Hopefully someone can assist with getting the mic to work on this
orosound tilde pro headset connected over usb-c.  Any suggestions are
welcome. :)

The headset works great to play audio over usb-c, however the microphone
is not working.

When I connect the headset to a Linux PC, the headset left cup LED
goes red, indicating "call ongoing" mode and the microphone and audio
both work fine.

When I connect it to OpenBSD the microphone doesn't work and the
headset LED doesn't turn red.

I have checked kern.audio.record which is 1.

here is mixerctl

  ds@swift ~ $ doas mixerctl -f /dev/audioctl1
  outputs.dac=0
  inputs.record=0
  record.enable=sysctl

The mixerctl values change from time to time.  Sometimes it's like this:

  outputs.dac=85
  inputs.record=85
  record.enable=sysctl

sndioctl:

  ds@swift ~ $ sndioctl
  input.level=1.000
  output.level=0.333
  server.device=1
  app/aucat0.level=1.000
  app/chrome0.level=1.000
  app/chrome1.level=1.000
  app/mpv0.level=1.000

Here is dmesg

  Aug  3 19:43:21 swift /bsd: uhidev6 at uhub1 port 6 configuration 1 interface 0 "Orosound TildePro 0D:1B USB" rev 2.00/2.01 addr 11
  Aug  3 19:43:21 swift /bsd: uhidev6: iclass 3/0, 13 report ids
  Aug  3 19:43:21 swift /bsd: uhid3 at uhidev6 reportid 4: input=2, output=0, feature=0
  Aug  3 19:43:21 swift /bsd: uhid4 at uhidev6 reportid 5: input=0, output=2, feature=0
  Aug  3 19:43:21 swift /bsd: ucc2 at uhidev6 reportid 10: 3 usages, 3 keys, enum
  Aug  3 19:43:21 swift /bsd: wskbd6 at ucc2 mux 1
  Aug  3 19:43:21 swift /bsd: wskbd6: connecting to wsdisplay0
  Aug  3 19:43:21 swift /bsd: uhid5 at uhidev6 reportid 11: input=1, output=1, feature=0
  Aug  3 19:43:21 swift /bsd: uhid6 at uhidev6 reportid 12: input=63, output=0, feature=0
  Aug  3 19:43:21 swift /bsd: uhid7 at uhidev6 reportid 13: input=0, output=63, feature=0
  Aug  3 19:43:21 swift /bsd: uaudio0 at uhub1 port 6 configuration 1 interface 4 "Orosound TildePro 0D:1B USB" rev 2.00/2.01 addr 11
  Aug  3 19:43:21 swift /bsd: uaudio0: class v1, full-speed, async, channels: 2 play, 1 rec, 2 ctls
  Aug  3 19:43:21 swift /bsd: audio1 at uaudio0
  Aug  3 19:43:21 swift /bsd: ugen1 at uhub1 port 6 configuration 1 "Orosound TildePro 0D:1B USB" rev 2.00/2.01 addr 11

I test the microphone like so:

  ds@swift ~ $ aucat -o file.wav
  ds@swift ~ $ aucat -i file.wav

I've got the microphone working with other headsets, but not this one
oddly.

Any ideas what I can try?  If you need more info from the Linux or
OpenBSD machine please let me know.

Thanks



Re: RockPro64 with Intel I225V Nic (Info #2)

2024-08-03 Thread Jo MacMahon
Have you tried the NIC with another operating system? I have heard that the 
RockPro64's PCIe support is somewhat hit-and-miss, so it may be that the 
hardware is incompatible.

On Sat, 3 Aug 2024, at 18:17, Georg Bege wrote:
> Hi,
>
> Sorry but I want to add some more information.
>
> I have another PCI-E card which is a SATA extension card (6x sata port)
> I think it’s a PCI-E x4 card.
>
> This one does get detected, I know for sure that it was working on 
> FreeBSD though with this card.
>
> ——— snip ———
> # pcidump
> Domain /dev/pci0:
>  0:0:0: Rockchip RK3399
>  1:0:0: ASMedia unknown
>
> rkpcie0 at mainbus0
> pci0 at rkpcie0
> ppb0 at pci0 dev 0 function 0 "Rockchip RK3399" rev 0x00: msi
> pci1 at ppb0 bus 1
> ahci0 at pci1 dev 0 function 0 vendor "ASMedia", unknown product 0x1166 rev 0x02: msi, AHCI 1.3.1
> ——— snip ———
>
> I think ASMedia is correct here, the interesting thing is now - if I 
> use the Intel NIC I225V, it gets detected as ASMedia card too (which 
> should be wrong?):
>
> ——— snip ———
> gateway# pcidump
> Domain /dev/pci0:
>  0:0:0: Rockchip RK3399
>  1:0:0: ASMedia ASM1182e
>
> gateway# dmesg|grep pci
> "pcie-phy" at syscon27 not configured
> rkpcie0 at mainbus0
> pci0 at rkpcie0
> ppb0 at pci0 dev 0 function 0 "Rockchip RK3399" rev 0x00: msi
> pci1 at ppb0 bus 1
> ppb1 at pci1 dev 0 function 0 "ASMedia ASM1182e" rev 0x00
> pci2 at ppb1 bus 2
> ——— snip ———
>
> I don’t understand why this happens, does this mean that the igc driver 
> doesn’t detect the card on the RockPro64 PCI-E bus?
>
> Is this a mistake in the driver?
>
> Regards,
> Georg
>
>> On 03.08.2024 at 18:53, Georg Bege  wrote:
>> 
>> Hi OpenBSD folks,
>> 
>> I'm having an issue with an Intel I225-V dual port NIC and Rockpro64,
>> the card isn’t being detected despite the kernel detects pci0,1,2 devices.
>> 
>> Since the card itself is supported according to igc(4) I guess it's a problem 
>> on the Rockpro64 board?
>> I only need a single or dual-port card, any idea what other card I could use?
>> 
>> Or is there a solution?
>> 
>> Below I copy a dmesg output.
>> 
>> Regards,
>> 
>> Georg
>> 
>> — snip —
>> OpenBSD 7.5 (GENERIC.MP) #138: Wed Mar 20 19:42:15 MDT 2024
>> dera...@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP
>> real mem  = 4123770880 (3932MB)
>> avail mem = 3912286208 (3731MB)
>> random: good seed from bootblocks
>> mainbus0 at root: Pine64 RockPro64 v2.1
>> psci0 at mainbus0: PSCI 1.1, SMCCC 1.2, SYSTEM_SUSPEND
>> efi0 at mainbus0: UEFI 2.10
>> efi0: Das U-Boot rev 0x20240700
>> smbios0 at efi0: SMBIOS 3.7.0
>> smbios0: vendor U-Boot version "2024.07" date 07/01/2024
>> smbios0: Pine64 RockPro64
>> cpu0 at mainbus0 mpidr 0: ARM Cortex-A53 r0p4
>> cpu0: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
>> cpu0: 512KB 64b/line 16-way L2 cache
>> cpu0: CRC32,SHA2,SHA1,AES+PMULL,ASID16
>> cpu1 at mainbus0 mpidr 1: ARM Cortex-A53 r0p4
>> cpu1: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
>> cpu1: 512KB 64b/line 16-way L2 cache
>> cpu2 at mainbus0 mpidr 2: ARM Cortex-A53 r0p4
>> cpu2: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
>> cpu2: 512KB 64b/line 16-way L2 cache
>> cpu3 at mainbus0 mpidr 3: ARM Cortex-A53 r0p4
>> cpu3: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
>> cpu3: 512KB 64b/line 16-way L2 cache
>> cpu4 at mainbus0 mpidr 100: ARM Cortex-A72 r0p2
>> cpu4: 48KB 64b/line 3-way L1 PIPT I-cache, 32KB 64b/line 2-way L1 D-cache
>> cpu4: 1024KB 64b/line 16-way L2 cache
>> cpu4: CRC32,SHA2,SHA1,AES+PMULL,ASID16
>> cpu5 at mainbus0 mpidr 101: ARM Cortex-A72 r0p2
>> cpu5: 48KB 64b/line 3-way L1 PIPT I-cache, 32KB 64b/line 2-way L1 D-cache
>> cpu5: 1024KB 64b/line 16-way L2 cache
>> apm0 at mainbus0
>> agintc0 at mainbus0 sec shift 3:3 nirq 288 nredist 6 ipi: 0, 1, 2: 
>> "interrupt-controller"
>> agintcmsi0 at agintc0
>> syscon0 at mainbus0: "qos"
>> syscon1 at mainbus0: "qos"
>> syscon2 at mainbus0: "qos"
>> syscon3 at mainbus0: "qos"
>> syscon4 at mainbus0: "qos"
>> syscon5 at mainbus0: "qos"
>> syscon6 at mainbus0: "qos"
>> syscon7 at mainbus0: "qos"
>> syscon8 at mainbus0: "qos"
>> syscon9 at mainbus0: "qos"
>> syscon10 at mainbus0: "qos"
>> syscon11 at mainbus0: "qos"
>> syscon12 at mainbus0: "qos"
>> syscon13 at mainbus0: "qos"
>> syscon14 at mainbus0: "qos"
>> syscon15 at mainbus0: "qos"
>> syscon16 at mainbus0: "qos"
>> syscon17 at mainbus0: "qos"
>> syscon18 at mainbus0: "qos"
>> syscon19 at mainbus0: "qos"
>> syscon20 at mainbus0: "qos"
>> syscon21 at mainbus0: "qos"
>> syscon22 at mainbus0: "qos"
>> syscon23 at mainbus0: "qos"
>> syscon24 at mainbus0: "qos"
>> syscon25 at mainbus0: 

Re: (Fork) "IP rights" bullshit, philosophy & OpenBSD compatibility with this

2024-08-03 Thread hahahahacker2009
On Friday, 2 August 2024, Mihai Popescu  wrote:

> > [...] such a evil that it affects humanity [...]
>
> Just one question, please: who put you in charge to defend humanity?
> I don't care about the answer, but go defend the humanity out of the misc@.
> Please.
>
> Be quiet!

-- Forwarded message --
From: *Anon Loli* 
Date: Monday, 15 July 2024
Subject: (Fork) "IP rights" bullshit, philosophy & OpenBSD compatibility
with this
To: hahahahacker2009 


It's good to know that, and it's okay if people get disrupted, especially
if it might in the future benefit OpenBSD community, it's okay to get a few
imperfect feelings, fucking snowflakes
I posted this in @misc, not @tech, stop being full of your bullshit, please


Re: avrdude can't find usbasp

2024-08-03 Thread Sadeep Madurange
On 2024-08-03 15:39:14, Sadeep Madurange wrote:
> I'm trying to flash a atmega328p using avrdude using
> 
> avrdude -p atmega328p -c usbasp -P /dev/cuaU0 -D -U
> flash:w:blink.ihex:i
> 
> The command fails with error
> 
> avrdude: error: could not find USB device with vid=0x16c0 pid=0x5dc
> vendor='www.fischl.de' product='USBasp'

I managed to get things working with the arduino programmer instead of
usbasp.

-- 
Sadeep Madurange
PGP: 103BF9E3E750BF7E



Re: Optimization Advice for High Resource Utilization PostgreSQL Query on OpenBSD

2024-08-03 Thread Christian Schulte
On 30.07.24 19:29, Kihaguru Gathura wrote:
> Hi Claudio,
> 
> Yes, I did run 'Explain Analyze' on the query to diagnose the
> performance issues. Based on the analysis, I created indexes on the
> relevant columns and ran a VACUUM on the tables. This resulted in an
> improvement, reducing CPU utilization from 40% to 30%.

Out of curiosity. How many records (table rows) are you talking about?
Maybe partitioning is the way to go, if you are dealing with huge
amounts of data. Indexing a couple of billions of records still makes
selecting expensive and you maybe want to partition things?

-- 
Christian



avrdude can't find usbasp

2024-08-03 Thread Sadeep Madurange
Hello,

I'm trying to flash an atmega328p using avrdude using

avrdude -p atmega328p -c usbasp -P /dev/cuaU0 -D -U flash:w:blink.ihex:i

The command fails with error

avrdude: error: could not find USB device with vid=0x16c0 pid=0x5dc 
vendor='www.fischl.de' product='USBasp'

I tried with 'usbasp-clone' programmer and got back the same error. Does
anyone have an idea what I'm doing wrong?

Also, when I attach a serial device like this, how do I know which port
it was attached to? Right now, I have to search the internet and guess
based on 'standard port' used by a board. I'd love to figure this out
without having to search the internet.

dmesg after attaching the usbasp programmer (also attached an Arduino
after the usbasp and then again the usbasp):

### AML PARSE ERROR (0x279a7): Undefined name:
\\_SB_.PCI0.RP09.PEGP.NVDN
error evaluating: \\_SB_.PCI0.LPCB.EC__._Q26
ugen3 at uhub0 port 4 "www.fischl.de USBasp" rev 1.10/1.04 addr 7
ugen3 detached
ugen3 at uhub0 port 4 "www.fischl.de USBasp" rev 1.10/1.04 addr 7
ugen3 detached
umodem0 at uhub0 port 4 configuration 1 interface 0 "Arduino
(www.arduino.cc) product 0x0043" rev 1.10/0.01 addr 7
umodem0: data interface 1, has no CM over data, has break
umodem0: status change notification available
ucom0 at umodem0: usb0.0.4.1
ucom0 detached
umodem0 detached
umodem0 at uhub0 port 4 configuration 1 interface 0 "Arduino
(www.arduino.cc) product 0x0043" rev 1.10/0.01 addr 7
umodem0: data interface 1, has no CM over data, has break
umodem0: status change notification available
ucom0 at umodem0: usb0.0.4.1
ucom0 detached
umodem0 detached
ugen3 at uhub0 port 4 "www.fischl.de USBasp" rev 1.10/1.04 addr 7
ugen3 detached
ugen3 at uhub0 port 4 "www.fischl.de USBasp" rev 1.10/1.04 addr 7

-- 
Sadeep Madurange
PGP: 103BF9E3E750BF7E



stuck at boot on aarch64 device(Qualcomm sc8280xp)

2024-08-03 Thread Py
Hi,

I can't boot on my device, this tablet
is shipped with sc8280xp (qualcomm 8cx gen3). When I start up, the screen
shows the following

```

disk: sd0* sd1 sd2

>> OpenBSD/arm64 BOOTAA64 1.18

boot>

cannot open sd0a:/etc/random.seed: No such file or directory

booting sd0a:/bsd: 3023768+1214656+12712936+633232
[269381+91+701664+287051]=0x13edb50

FACP SSDT BGRT CSRT DBG2 GTDT IORT APIC MCFG PPTT SPCR TPM2 MSDM DLUT BGRT FPDT


```

But I found the post of OpenBSD, it mentioned that OpenBSD has supported
SC8280xp devices since 7.2.

The acpi tables which show on the screen (FACP SSDT ... ), you can find here.

Any comments are welcome.

Thanks.


Re: (Fork) "IP rights" bullshit, philosophy & OpenBSD compatibility with this

2024-08-02 Thread Mihai Popescu
> [...] such a evil that it affects humanity [...]

Just one question, please: who put you in charge to defend humanity?
I don't care about the answer, but go defend the humanity out of the misc@.
Please.



Re: random-id / modulate state help

2024-07-31 Thread Brian Conway
On Wed, Jul 31, 2024, at 6:10 PM, Marcus Oldman wrote:
> I have an OpenBSD router at home that uses a few PF lines like the following:
>
> match in all scrub (no-df random-id reassemble tcp)
> (...)
> pass out quick inet modulate state
>
> I've read the pf.conf man page and have a mild understanding of the 
> "random-id" and "modulate state" bits, but still don't fully understand 
> when and why they should be used or not used.
>
> The router is in front of a mix of devices and different OSes. Should I 
> be using these 2 features for security purposes?

There's nothing wrong with them, even if the devices behind your firewall are 
modern and less likely to benefit from them. The pf.conf man page will better 
explain the pros/cons than I could here.

> I'm trying to diagnose some slowness and inconsistency in my home 
> internet and didn't know if these might be slowing things down. The 
> hardware is just an APU2, so nothing very powerful. Less than 1gbit 
> connection.

I would remove 'reassemble tcp'. I've found it causes more problems than it 
solves.

Brian Conway
Owner
RCE Software, LLC
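
What the two options in this thread do to traffic, as a small Python model added to this archive (it is not pf source code and not from either poster): "modulate state" is modelled as a per-connection sequence-number offset, and "random-id" as an IPv4 ID rewrite that skips fragments. The fixed-step ISN generator, the class and all function names are assumptions made for illustration.

```python
"""Toy model of pf 'modulate state' and 'scrub (random-id)'. Not pf code."""
import secrets

MASK32 = 0xFFFFFFFF


class ModulatedState:
    """State entry for one outbound TCP connection under 'modulate state'."""

    def __init__(self, host_isn, rand32=lambda: secrets.randbits(32)):
        # The firewall picks its own random ISN for the wire and keeps only
        # the offset between that value and the ISN the inside host chose.
        self.seqdiff = (rand32() - host_isn) & MASK32

    def outbound(self, seq, ack):
        """Inside host -> Internet: shift the host's sequence number."""
        return (seq + self.seqdiff) & MASK32, ack

    def inbound(self, seq, ack):
        """Internet -> inside host: shift the peer's ACK back again."""
        return seq, (ack - self.seqdiff) & MASK32


def weak_host_isns(count, start=1000, step=64000):
    """Constructed poor ISN generator: a fixed step per new connection."""
    return [(start + i * step) & MASK32 for i in range(count)]


def isn_deltas(isns):
    """Gaps between consecutive ISNs; one repeated gap means predictable."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]


def wire_isns(host_isns, rand32=lambda: secrets.randbits(32)):
    """ISNs an outside observer sees after each SYN passed the firewall."""
    seen = []
    for isn in host_isns:
        state = ModulatedState(isn, rand32)
        seq, _ = state.outbound(isn, 0)
        seen.append(seq)
    return seen


def scrub_random_id(packets, rand16=lambda: secrets.randbits(16)):
    """Replace the IPv4 ID of unfragmented packets with a random value.

    Fragments keep their ID: the receiver needs the shared value to
    reassemble them, so the rewrite only applies to whole packets.
    """
    rewritten = []
    for pkt in packets:
        pkt = dict(pkt)  # do not modify the caller's packet
        if not pkt["fragment"]:
            pkt["ip_id"] = rand16()
        rewritten.append(pkt)
    return rewritten


if __name__ == "__main__":
    host = weak_host_isns(4)
    print("ISN gaps as chosen by the host:", isn_deltas(host))
    print("ISN gaps seen on the wire:     ", isn_deltas(wire_isns(host)))
    # Constructed packets from a host that counts its IP IDs upwards.
    pkts = [{"ip_id": 100 + i, "fragment": i == 2} for i in range(4)]
    print("IP IDs after scrub:", [p["ip_id"] for p in scrub_random_id(pkts)])
```

Hosts that already pick random ISNs and IP IDs gain nothing visible from either rewrite, which matches the reply above about modern devices.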



random-id / modulate state help

2024-07-31 Thread Marcus Oldman
I have an OpenBSD router at home that uses a few PF lines like the following:

match in all scrub (no-df random-id reassemble tcp)
(...)
pass out quick inet modulate state

I've read the pf.conf man page and have a mild understanding of the "random-id" 
and "modulate state" bits, but still don't fully understand when and why they 
should be used or not used.

The router is in front of a mix of devices and different OSes. Should I be 
using these 2 features for security purposes?

I'm trying to diagnose some slowness and inconsistency in my home internet and 
didn't know if these might be slowing things down. The hardware is just an 
APU2, so nothing very powerful. Less than 1gbit connection.



Re: xfreerdp / remmina won't connect to Win11 RDP with NLA

2024-07-31 Thread Lévai , Dániel
On Wednesday, July 31st, 2024 at 16:11, Stuart Henderson 
 wrote:
> > What I also wanted to try was building 2.11.7 linked with OpenSSL on OpenBSD
> > but couldn't figure out the magic build option combination, yet. There's a
> > -DWITH_LIBRESSL flag in 3.x, but it's 3.x and I'm afraid it works the other
> > way around (i.e. forcing LibreSSL instead of disregarding it).
> 
> 
> I've not tried it with freerdp - in general you'll need something like
> 
[...]

Hah, thanks for the hints!

Ultimately managed to find the cmake script(?) that searches for OpenSSL.
Replaced the pkg-config (.pc) name it searches for.

===8<===
diff --git a/x11/freerdp/Makefile b/x11/freerdp/Makefile
index 2fa4551fce3..720c1cc37e9 100644
--- a/x11/freerdp/Makefile
+++ b/x11/freerdp/Makefile
@@ -35,7 +35,8 @@ COMPILER_LANGS =  c
 MODULES =  devel/cmake

 CFLAGS +=  -I${X11BASE}/include \
-   -I${LOCALBASE}/include
+   -I${LOCALBASE}/include \
+   -I${LOCALBASE}/include/eopenssl33/

 BUILD_DEPENDS =security/pcsc-lite \
textproc/xmlto
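
Review bot: Only the compile side is switched in this hunk: the added -I${LOCALBASE}/include/eopenssl33/ line in CFLAGS has no linker counterpart (no -L or -rpath for the eopenssl33 library directory), and the BUILD_DEPENDS context below it is unchanged, so nothing here makes the port pull in OpenSSL 3.3 or guarantees that the libraries linked match these headers. Add the OpenSSL port as a dependency and set the matching LDFLAGS next to the CFLAGS change. The new path is also appended after the two existing -I entries; listing it first removes any doubt about which openssl/ headers are found.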
===8<===

Not even sure if I need *all* of that... And I just turned things off 

===8<===
$ cat patches/patch-cmake_FindOpenSSL_cmake
--- cmake/FindOpenSSL.cmake.origWed Jul 31 17:21:02 2024
+++ cmake/FindOpenSSL.cmake Wed Jul 31 17:21:17 2024
@@ -26,7 +26,7 @@

 if (UNIX AND NOT ANDROID)
   find_package(PkgConfig QUIET)
-  pkg_check_modules(_OPENSSL QUIET openssl)
+  pkg_check_modules(_OPENSSL QUIET eopenssl33)
 endif (UNIX AND NOT ANDROID)

 # http://www.slproweb.com/products/Win32OpenSSL.html
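
Review bot: pkg_check_modules(_OPENSSL QUIET eopenssl33) hardcodes one versioned module name and keeps QUIET, so if eopenssl33.pc is not installed the lookup fails without any message and whatever follows in this file runs without the pkg-config hints. Take the module name from a variable set by the port Makefile, so it stays in step with the eopenssl33 include path used there, and report an error when the module is not found so the build cannot quietly settle on a different libssl.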
===8<===

(Installed OpenSSL 3.3.1 from ports, that goes without saying.)

Interestingly enough, NLA works to this Windows 11 machine while using OpenSSL.
I bet if I rebuilt remmina linking to OpenSSL it would start working as well.

Not sure if this is a surprise or something worth noting in the port's 
description, though.


Daniel



xwd -name how to use?

2024-07-31 Thread Peter J. Philipp
Hi,

I tried getting the contents of a window with xwd -name "xearth" -out file.png
but it never finds it..what am I doing wrong?

(Yes, I'm aware of the -ppm and -gif output, it doesn't allow markerfile's)

Alternatively, if everything is supposed to be right here, I have a suggestion
to replace the dsimple.c Window_With_Name() with 
/usr/xenocara/app/xwininfo/dsimple.c's Window_With_Name() because 
that one works(tm).

There may be some adjusting needed.  Want patch?

-pjp

-- 
** all info about me:  lynx https://callpeter.tel, dig loc delphinusdns.org **



Re: xfreerdp / remmina won't connect to Win11 RDP with NLA

2024-07-31 Thread Stuart Henderson
On 2024-07-31, Lévai  Dániel  wrote:
>
>> Have you tried the same freerdp version on e.g. Linux to see how that
>> works?
>
> I haven't, admittedly. 2.11.7 fails to build here on arch, there's an
> issue reported for the compilation error but upstream treats 2.x as
> oldstable and would only provide security fixes.
>
> What I also wanted to try was building 2.11.7 linked with OpenSSL on OpenBSD
> but couldn't figure out the magic build option combination, yet. There's a
> -DWITH_LIBRESSL flag in 3.x, but it's 3.x and I'm afraid it works the other
> way around (i.e. forcing LibreSSL instead of disregarding it).

I've not tried it with freerdp - in general you'll need something like

-I/usr/local/include/eopensslXX in CPPFLAGS or CFLAGS/CXXFLAGS

-Wl,-rpath /usr/local/lib/eopensslXX -L/usr/local/lib/eopensslXX in LDFLAGS

Also need to make sure that it finds /usr/local/include/eopensslXX
_before_ /usr/include/openssl which often needs patches. I suggest
temporarily adding #error in some strategic file like
/usr/include/openssl/opensslconf.h to make sure that it doesn't get
included by mistake - mismatching headers and libraries is guaranteed
to cause trouble.

You'll also need to disable linking to any libraries that pull in
libressl - this includes at least cups-libs.

(btw https://junkpile.org/freerdp320.diff is the latest I have if anyone
is interested in trying to do something with timer_*.)
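
One way to check the last point of the message above (libraries that pull base LibreSSL into a binary meant to use the ports OpenSSL), as an added Python example that is not part of the original message or of the port. The dependency graph is constructed sample data, the library file names and version suffixes are made up, and all function names are assumptions.

```python
"""Trace how base libssl/libcrypto end up next to the eopensslXX ones."""
import posixpath
from collections import deque

ROOT = "/usr/local/bin/xfreerdp"

# Constructed graph: each file mapped to the shared objects it links
# against, as collected from the NEEDED entries of each file and resolved
# to paths. Names and version numbers below are made up.
SAMPLE_NEEDED = {
    ROOT: [
        "/usr/local/lib/libfreerdp2.so.0.0",
        "/usr/local/lib/libcups.so.0.0",
    ],
    "/usr/local/lib/libfreerdp2.so.0.0": [
        "/usr/local/lib/eopenssl33/libssl.so.0.0",
        "/usr/local/lib/eopenssl33/libcrypto.so.0.0",
    ],
    "/usr/local/lib/libcups.so.0.0": [
        "/usr/lib/libssl.so.0.0",
        "/usr/lib/libcrypto.so.0.0",
    ],
}


def tls_flavour(path):
    """Classify a library path as ports OpenSSL, base LibreSSL, or neither."""
    name = posixpath.basename(path)
    if not name.startswith(("libssl.so", "libcrypto.so")):
        return None
    if "/eopenssl" in path:
        return "openssl-ports"
    if posixpath.dirname(path) == "/usr/lib":
        return "libressl-base"
    return "unknown-tls"


def tls_chains(needed, root):
    """Breadth-first walk; return {flavour: [chain from root to TLS lib]}."""
    chains = {}
    queue = deque([[root]])
    seen = {root}
    while queue:
        chain = queue.popleft()
        for dep in needed.get(chain[-1], []):
            flavour = tls_flavour(dep)
            if flavour:
                chains.setdefault(flavour, []).append(chain + [dep])
            elif dep not in seen:
                seen.add(dep)
                queue.append(chain + [dep])
    return chains


def is_mixed(chains):
    """True when more than one TLS library flavour is reachable."""
    return len(chains) > 1


def culprits(chains, flavour="libressl-base"):
    """Files that link the unwanted flavour directly."""
    return sorted({chain[-2] for chain in chains.get(flavour, [])})


if __name__ == "__main__":
    found = tls_chains(SAMPLE_NEEDED, ROOT)
    print("mixed TLS libraries:", is_mixed(found))
    for lib in culprits(found):
        print("links base LibreSSL:", lib)
```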



Re: xfreerdp / remmina won't connect to Win11 RDP with NLA

2024-07-31 Thread Lévai , Dániel
On Wednesday, July 31st, 2024 at 00:43, Stuart Henderson 
 wrote:
> On 2024-07-30, Lévai Dániel l...@ecentrum.hu wrote:
> 
> > Hi all,
> > 
> > I'm noticing that xfreerdp and remmina fail to connect to a Windows 11 
> > machine while using NLA:
[...]
> 
> I'm able to connect to a W2022 DC using "xfreerdp /u:username
> /d:somedomain /v:xx.xx.xx.xx:3389 /sec:nla" and typing the password at
> the Password: prompt. I'm not sure how to tell if it's really using NLA
> but I suspect that non-NLA logins are probably disabled on the Windows
> side.

Well, a pretty good indication - as far as I know - is freerdp sending
the credentials while connecting.
Anything else is the legacy logon screen where you're greeted
with a Windows logon screen and typing in the user name + password.

> Have you tried the same freerdp version on e.g. Linux to see how that
> works?

I haven't, admittedly. 2.11.7 fails to build here on arch, there's an
issue reported for the compilation error but upstream treats 2.x as
oldstable and would only provide security fixes.

What I also wanted to try was building 2.11.7 linked with OpenSSL on OpenBSD
but couldn't figure out the magic build option combination, yet. There's a
-DWITH_LIBRESSL flag in 3.x, but it's 3.x and I'm afraid it works the other
way around (i.e. forcing LibreSSL instead of disregarding it).
 
> (Better to compare the same version if possible otherwise there is an
> extra complication - the old workaround for lack of posix timers is
> no longer enough, we cannot update to freerdp 3.x, so maybe missing
> upstream fixes - it's possible they may have fixed something for newer
> versions of Windows).

Got it; noticed this in the Makefile, that's why I didn't even try to update 
the port.

Thanks anyway, will just work around it by not using NLA for the time 
being.


Daniel



Re: iked authentication logging ?

2024-07-31 Thread Crystal Kolipe
On Tue, Jul 30, 2024 at 11:39:39PM -, Stuart Henderson wrote:
> On 2024-07-30, J Doe  wrote:
> > As a result with continuing to experiment with my configuration, I ran
> > into a new issue.  I followed the instructions in the OpenBSD FAQ[0] for
> > an X.509 configuration - in particular the following (with hostnames for
> > my server and Mac):
> >
> >  server1# ikectl ca vpn certificate client1.domain create
> >  server1# cp /etc/ssl/vpn/client1.domain.crt /etc/iked/certs/
> >  server1# ikectl ca vpn certificate client1.domain export
> 
> BTW this is a shortcut that ikectl implements to make things easy,
> although it does mean that the client's "private" key actually ends
> up on the server.
> 
> The traditional way of doing this is exactly like an X509 cert for a
> web server, i.e. the client generates a private key and cert signing
> request, the key is never transferred off the machine, only the CSR
> which is taken to the CA. The CA then uses that to produce a cert
> which is signed by the CA and sent back.
> 
> See the X.509 AUTHENTICATION section in isakmpd(8) for some gory
> details which are mostly hidden if you use "ikectl ca".

It's worth reading and understanding the process even if you continue using
ikectl to generate the certs.

We also published some info on this a couple of years ago:

https://research.exoticsilicon.com/series/reckless_guide_to_openbsd/keys_and_certificates

There is a shell script at the end of that article which generates keys and
certs in a similar way to 'ikectl ca', but using the openssl command line
tool.  This might make it easier to look inside the process and adapt it for
your own needs.

> >  server1# tar -C /tmp -xzf client1.domain.tgz *pfx
> >  server1# cp /tmp/export/client1.domain.pfx \
> >  /var/www/htdocs/client1.domain.pfx
> >
> > ...so on my OpenBSD server I have the client's X.509 certificate and the
> > CA certificate at: /etc/iked/certs.
> >
> > I then removed the _client_ certificate from this location on the server
> > and attempted connecting from the Mac and it authenticated.
> >
> > My new question is - shouldn't the server reject a X.509 authentication
> > attempt if the _client_ certificate is not on the server ?
> 
> No, that's not how it is expected to work, you don't need the client cert
> on the server, just a way to validate that it's correct (by checking the
> CA's signature and, IIUC, checking the subjectAltName against srcid).

Yep, the srcid should be present in the SAN field, but note that if you look
at iked logs, especially if it's invoked in verbose mode, you'll see
references to certs based on their Common Name field in diagnostic and error
messages.

This actually makes sense, because the CN should ideally be a unique
identifier amongst the certs you have loaded, whereas the SANs can obviously
include multiple hostnames and literal IP addresses.  So for error message
reporting the CN is more useful.

But authentication, (at least with iked), doesn't really care about the CN.



Re: iked authentication logging ?

2024-07-30 Thread J Doe


> On Jul 30, 2024, at 20:34, Stuart Henderson  wrote:
> 
> On 2024/07/30 20:19, J Doe wrote:
>>> On 2024-07-30 19:39, Stuart Henderson wrote:
>>> 
>>> On 2024-07-30, J Doe  wrote:
>>>> As a result with continuing to experiment with my configuration, I ran
>>>> into a new issue.  I followed the instructions in the OpenBSD FAQ[0] for
>>>> an X.509 configuration - in particular the following (with hostnames for
>>>> my server and Mac):
>>>>
>>>>  server1# ikectl ca vpn certificate client1.domain create
>>>>  server1# cp /etc/ssl/vpn/client1.domain.crt /etc/iked/certs/
>>>>  server1# ikectl ca vpn certificate client1.domain export
>>> 
>>> BTW this is a shortcut that ikectl implements to make things easy,
>>> although it does mean that the client's "private" key actually ends
>>> up on the server.
>>> 
>>> The traditional way of doing this is exactly like an X509 cert for a
>>> web server, i.e. the client generates a private key and cert signing
>>> request, the key is never transferred off the machine, only the CSR
>>> which is taken to the CA. The CA then uses that to produce a cert
>>> which is signed by the CA and sent back.
>>> 
>>> See the X.509 AUTHENTICATION section in isakmpd(8) for some gory
>>> details which are mostly hidden if you use "ikectl ca".
>>> 
>>>>  server1# tar -C /tmp -xzf client1.domain.tgz *pfx
>>>>  server1# cp /tmp/export/client1.domain.pfx \
>>>>  /var/www/htdocs/client1.domain.pfx
>>>>
>>>> ...so on my OpenBSD server I have the client's X.509 certificate and the
>>>> CA certificate at: /etc/iked/certs.
>>>>
>>>> I then removed the _client_ certificate from this location on the server
>>>> and attempted connecting from the Mac and it authenticated.
>>>>
>>>> My new question is - shouldn't the server reject a X.509 authentication
>>>> attempt if the _client_ certificate is not on the server ?
>>> 
>>> No, that's not how it is expected to work, you don't need the client cert
>>> on the server, just a way to validate that it's correct (by checking the
>>> CA's signature and, IIUC, checking the subjectAltName against srcid).
>> 
>> 
>> Hi Stuart,
>> 
>> Thanks for your reply.
>> 
>> Ok, I will make a note to read through the X.509 AUTHENTICATION section
>> in: man 8 isakmpd.
>> 
>> In regards to your last paragraph, where you state:
>> 
>>"... just a way to validate that it's correct (by checking the CA's
>>signature ..."
>> 
>> ... does that mean if I remove my: ca.crt file from: /etc/iked/ca on the
>> _server_ that the client should _not_ be able to authenticate, or is
>> validating the CA's signature not dependent on that ?
> 
> As far as I know that's correct, I don't think there's anywhere else
> that it should be picking up the CA cert from.

Hi,

Interesting.  I moved the: ca.crt file from: /etc/iked/ca on the server to the 
home directory and re-started iked and the client is still able to authenticate.

Is it possible that iked can authenticate the client based on the server 
certificate ?  In my iked.conf configuration it is specified via:

   srcid server.home.arpa 

… and the server certificate: server.home.arpa.crt is stored in: 
/etc/iked/certs on the server.

Is it possible that the: ca.crt is bundled in there and that is what it is 
using in the absence of: /etc/iked/ca/ca.crt ?

Thanks again,

- J

Re: iked authentication logging ?

2024-07-30 Thread J Doe

On 2024-07-30 19:39, Stuart Henderson wrote:

> On 2024-07-30, J Doe  wrote:
>> As a result with continuing to experiment with my configuration, I ran
>> into a new issue.  I followed the instructions in the OpenBSD FAQ[0] for
>> an X.509 configuration - in particular the following (with hostnames for
>> my server and Mac):
>>
>>   server1# ikectl ca vpn certificate client1.domain create
>>   server1# cp /etc/ssl/vpn/client1.domain.crt /etc/iked/certs/
>>   server1# ikectl ca vpn certificate client1.domain export
>
> BTW this is a shortcut that ikectl implements to make things easy,
> although it does mean that the client's "private" key actually ends
> up on the server.
>
> The traditional way of doing this is exactly like an X509 cert for a
> web server, i.e. the client generates a private key and cert signing
> request, the key is never transferred off the machine, only the CSR
> which is taken to the CA. The CA then uses that to produce a cert
> which is signed by the CA and sent back.
>
> See the X.509 AUTHENTICATION section in isakmpd(8) for some gory
> details which are mostly hidden if you use "ikectl ca".
>
>>   server1# tar -C /tmp -xzf client1.domain.tgz *pfx
>>   server1# cp /tmp/export/client1.domain.pfx \
>>   /var/www/htdocs/client1.domain.pfx
>>
>> ...so on my OpenBSD server I have the client's X.509 certificate and the
>> CA certificate at: /etc/iked/certs.
>>
>> I then removed the _client_ certificate from this location on the server
>> and attempted connecting from the Mac and it authenticated.
>>
>> My new question is - shouldn't the server reject a X.509 authentication
>> attempt if the _client_ certificate is not on the server ?
>
> No, that's not how it is expected to work, you don't need the client cert
> on the server, just a way to validate that it's correct (by checking the
> CA's signature and, IIUC, checking the subjectAltName against srcid).



Hi Stuart,

Thanks for your reply.

Ok, I will make a note to read through the X.509 AUTHENTICATION section
in: man 8 isakmpd.

In regards to your last paragraph, where you state:

"... just a way to validate that it's correct (by checking the CA's
signature ..."

... does that mean if I remove my: ca.crt file from: /etc/iked/ca on the
_server_ that the client should _not_ be able to authenticate, or is
validating the CA's signature not dependent on that ?

Thanks,

- J



Re: iked authentication logging ?

2024-07-30 Thread Stuart Henderson
On 2024/07/30 20:19, J Doe wrote:
> On 2024-07-30 19:39, Stuart Henderson wrote:
> 
> > On 2024-07-30, J Doe  wrote:
> > > As a result with continuing to experiment with my configuration, I ran
> > > into a new issue.  I followed the instructions in the OpenBSD FAQ[0] for
> > > an X.509 configuration - in particular the following (with hostnames for
> > > my server and Mac):
> > > 
> > >   server1# ikectl ca vpn certificate client1.domain create
> > >   server1# cp /etc/ssl/vpn/client1.domain.crt /etc/iked/certs/
> > >   server1# ikectl ca vpn certificate client1.domain export
> > 
> > BTW this is a shortcut that ikectl implements to make things easy,
> > although it does mean that the client's "private" key actually ends
> > up on the server.
> > 
> > The traditional way of doing this is exactly like an X509 cert for a
> > web server, i.e. the client generates a private key and cert signing
> > request, the key is never transferred off the machine, only the CSR
> > which is taken to the CA. The CA then uses that to produce a cert
> > which is signed by the CA and sent back.
> > 
> > See the X.509 AUTHENTICATION section in isakmpd(8) for some gory
> > details which are mostly hidden if you use "ikectl ca".
> > 
> > >   server1# tar -C /tmp -xzf client1.domain.tgz *pfx
> > >   server1# cp /tmp/export/client1.domain.pfx \
> > >   /var/www/htdocs/client1.domain.pfx
> > > 
> > > ...so on my OpenBSD server I have the client's X.509 certificate and the
> > > CA certificate at: /etc/iked/certs.
> > > 
> > > I then removed the _client_ certificate from this location on the server
> > > and attempted connecting from the Mac and it authenticated.
> > > 
> > > My new question is - shouldn't the server reject a X.509 authentication
> > > attempt if the _client_ certificate is not on the server ?
> > 
> > No, that's not how it is expected to work, you don't need the client cert
> > on the server, just a way to validate that it's correct (by checking the
> > CA's signature and, IIUC, checking the subjectAltName against srcid).
> 
> 
> Hi Stuart,
> 
> Thanks for your reply.
> 
> Ok, I will make a note to read through the X.509 AUTHENTICATION section
> in: man 8 isakmpd.
> 
> In regards to your last paragraph, where you state:
> 
> "... just a way to validate that it's correct (by checking the CA's
> signature ..."
> 
> ... does that mean if I remove my: ca.crt file from: /etc/iked/ca on the
> _server_ that the client should _not_ be able to authenticate, or is
> validating the CA's signature not dependent on that ?

As far as I know that's correct, I don't think there's anywhere else
that it should be picking up the CA cert from.



Re: iked authentication logging ?

2024-07-30 Thread Stuart Henderson
On 2024-07-30, J Doe  wrote:
> As a result with continuing to experiment with my configuration, I ran
> into a new issue.  I followed the instructions in the OpenBSD FAQ[0] for
> an X.509 configuration - in particular the following (with hostnames for
> my server and Mac):
>
>  server1# ikectl ca vpn certificate client1.domain create
>  server1# cp /etc/ssl/vpn/client1.domain.crt /etc/iked/certs/
>  server1# ikectl ca vpn certificate client1.domain export

BTW this is a shortcut that ikectl implements to make things easy,
although it does mean that the client's "private" key actually ends
up on the server.

The traditional way of doing this is exactly like an X509 cert for a
web server, i.e. the client generates a private key and cert signing
request, the key is never transferred off the machine, only the CSR
which is taken to the CA. The CA then uses that to produce a cert
which is signed by the CA and sent back.

See the X.509 AUTHENTICATION section in isakmpd(8) for some gory
details which are mostly hidden if you use "ikectl ca".

>  server1# tar -C /tmp -xzf client1.domain.tgz *pfx
>  server1# cp /tmp/export/client1.domain.pfx \
>  /var/www/htdocs/client1.domain.pfx
>
> ...so on my OpenBSD server I have the client's X.509 certificate and the
> CA certificate at: /etc/iked/certs.
>
> I then removed the _client_ certificate from this location on the server
> and attempted connecting from the Mac and it authenticated.
>
> My new question is - shouldn't the server reject a X.509 authentication
> attempt if the _client_ certificate is not on the server ?

No, that's not how it is expected to work, you don't need the client cert
on the server, just a way to validate that it's correct (by checking the
CA's signature and, IIUC, checking the subjectAltName against srcid).
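
The enrolment flow described above (key and CSR made on the client, only the CSR taken to the CA) and the two checks named in the reply (CA signature, subjectAltName against the peer ID), as an added example that is not part of the original thread and is not iked's code. The hostname client1.domain is from the thread; the CA name, directory layout and function names are assumptions, and the acceptance check is a simplified model built on the openssl command-line tool.

```shell
#!/bin/sh
# Added example. CA name, directories and function names are constructed
# for illustration; this models the checks, it is not how iked is written.
set -eu

# Create a throwaway CA in directory $1 (ca.key, ca.crt).
make_ca() {
    mkdir -p "$1"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = v3_ca' '[dn]' 'CN = Example VPN CA' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$1/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Client side: generate a private key and a CSR for FQDN $2 in directory $1.
# The key stays in $1; only the .csr is meant to leave the machine.
client_make_csr() {
    mkdir -p "$1"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' "CN = $2" > "$1/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    chmod 600 "$1/$2.key"
}

# CA side: sign CSR $2 with the CA in directory $1, placing FQDN $3 in
# subjectAltName, and write the certificate to $4.
ca_sign_csr() {
    printf 'subjectAltName = DNS:%s\n' "$3" > "$1/san.cnf"
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/san.cnf" -out "$4" 2>/dev/null
}

# Verifier side: accept certificate $2 only if it chains to CA file $1 and
# its SAN carries DNS:$3 (the ID the peer claims). Nothing here needs a
# stored copy of the client certificate; the peer presents it.
peer_cert_acceptable() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || return 1
    case $out in *': OK'*) ;; *) return 1 ;; esac
    openssl x509 -in "$2" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fqx "DNS:$3"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_DIR=$WORK/ca
CLIENT_DIR=$WORK/client
FQDN=client1.domain

make_ca "$CA_DIR"
client_make_csr "$CLIENT_DIR" "$FQDN"
cp "$CLIENT_DIR/$FQDN.csr" "$CA_DIR/"        # only the CSR travels to the CA
ca_sign_csr "$CA_DIR" "$CA_DIR/$FQDN.csr" "$FQDN" "$CA_DIR/$FQDN.crt"
cp "$CA_DIR/$FQDN.crt" "$CLIENT_DIR/"        # only the certificate travels back

if peer_cert_acceptable "$CA_DIR/ca.crt" "$CLIENT_DIR/$FQDN.crt" "$FQDN"; then
    echo "accepted: $FQDN (CA signature verifies, SAN matches claimed ID)"
fi
peer_cert_acceptable "$CA_DIR/ca.crt" "$CLIENT_DIR/$FQDN.crt" other.domain ||
    echo "rejected: certificate does not carry DNS:other.domain"

echo "files on the CA side:"
ls "$CA_DIR"                                 # no client private key listed
```
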




Re: iked authentication logging ?

2024-07-30 Thread J Doe

On 2024-07-30 18:13, J Doe wrote:


> On 2024-07-25 03:11, Crystal Kolipe wrote:
>
>> On Wed, Jul 24, 2024 at 06:20:26PM -0400, J Doe wrote:
>>> My hypothesis is that iked does not name an identity because this is
>>> certificate based authentication vs. MSCHAPv2 for EAP authentication
>>> which would provide an identity (ie: a username).
>>>
>>> Is that correct ?
>>
>> No.
>>
>> The identity that would be printed is the srcid of the peer.  By default this
>> would be its hostname, and should be present in the SAN field of any
>> certificate used for iked.
>>
>> You can see that error message displayed both with and without a named ID when
>> using certificate authentication, depending on the cause of the error.
>>
>> It will also display without an ID even if one is known, if the printing code
>> in iked fails some internal consistency checks, (which is unlikely but
>> possible).
>
> Hi Crystal,
>
> Thank you for your reply.
>
> I had a chance to experiment a bit with this, this past weekend.  The
> client OS was macOS Sonoma (macOS 14.5).
>
> Firstly, I configured my Mac to connect to my OpenBSD server with a
> local ID of nothing (empty string), using shared secret and
> username/password authentication.
>
> As my OpenBSD server is configured for x.509 certificate authentication,
> these two logon attempts were rejected and the OpenBSD server logs noted
> what I mentioned in my original message: "authentication failed for"
> without listing an identity.
>
> Secondly, I then repeated this but specified an arbitrary identity for
> the local ID (ie: whatever.com).  This also produced the same log
> results: "authentication failed for" without listing an identity.
>
> Lastly, I repeated this with the local ID on the Mac set to the same
> value as the: dstid in my: iked.conf file:
>
>      ikev2 "VPN" passive ipcomp tunnel esp \
>      from any to dynamic \
>      local egress peer any \
>      srcid server.home.arpa \
>      dstid client.home.arpa \
>      config address 10.0.5.0/24 \
>      tag "ROADW"
>
> ... so the local ID on the Mac was: "client.home.arpa".  I then
> attempted to logon with a shared secret and username/password and noted
> the following in my logs: "authentication failed for FQDN/client.home.arpa"
>
> This replicated what you said in your reply:
>
>      "No.  The identity that would be printed is the srcid of the peer"
>
> ... which clears up my original question - thank you!
>
> As a result with continuing to experiment with my configuration, I ran
> into a new issue.  I followed the instructions in the OpenBSD FAQ[0] for
> an X.509 configuration - in particular the following (with hostnames for
> my server and Mac):
>
>      server1# ikectl ca vpn certificate client1.domain create
>      server1# cp /etc/ssl/vpn/client1.domain.crt /etc/iked/certs/
>      server1# ikectl ca vpn certificate client1.domain export
>      server1# tar -C /tmp -xzf client1.domain.tgz *pfx
>      server1# cp /tmp/export/client1.domain.pfx \
>      /var/www/htdocs/client1.domain.pfx
>
> ...so on my OpenBSD server I have the client's X.509 certificate and the
> CA certificate at: /etc/iked/certs.
>
> I then removed the _client_ certificate from this location on the server
> and attempted connecting from the Mac and it authenticated.
>
> My new question is - shouldn't the server reject a X.509 authentication
> attempt if the _client_ certificate is not on the server ?  I was under
> the impression that X.509 authentication with iked would be the same as
> SSH - that the _client_ public key MUST be on the server (as stored in
> the certificate) ?
>
> Thanks,
>
> - J
>
> Links:
> ==
>
> [0]  https://www.openbsd.org/faq/faq17.html#authx509



Hi again Crystal and list,

Apologies - near the end of my last message where I wrote:

> ...so on my OpenBSD server I have the client's X.509 certificate and the
> CA certificate at: /etc/iked/certs.

I meant that I have the client's certificate and the _server_
certificate under: /etc/iked/certs whereas the CA certificate is under:
/etc/iked/ca

- J



Re: xfreerdp / remmina won't connect to Win11 RDP with NLA

2024-07-30 Thread Stuart Henderson
On 2024-07-30, Lévai  Dániel  wrote:
> Hi all,
>
> I'm noticing that xfreerdp and remmina fail to connect to a Windows 11 
> machine while using NLA:
>
> $ xfreerdp /v:host /u:u...@example.com /d:MicrosoftAccount /sec:nla
> [17:04:04:954] [26344:92f3b640] [WARN][com.freerdp.crypto] - Certificate verification failure 'unable to get local issuer certificate (20)' at stack position 0
> [17:04:04:954] [26344:92f3b640] [WARN][com.freerdp.crypto] - CN = daniell-kvm-windows11
> Password:
> [17:04:08:675] [26344:92f3b640] [ERROR][com.freerdp.core.transport] - BIO_read returned an error: error:1404C438:SSL routines:ST_OK:tlsv1 alert internal error
> [17:04:08:675] [26344:92f3b640] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
> [17:04:08:823] [26344:92f3b640] [ERROR][com.freerdp.core.transport] - BIO_read returned an error: error:1404C438:SSL routines:ST_OK:tlsv1 alert internal error
> [17:04:08:823] [26344:92f3b640] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
> [17:04:08:823] [26344:92f3b640] [ERROR][com.freerdp.core] - freerdp_post_connect failed
>
> Remmina just says "Cannot connect to the RDP server" after a couple of 
> seconds.
>
> Funny thing is, every attempt results in a successful logon event on Windows.
>
> Switching off NLA on the Windows machine and trying /sec:tls with xfreerdp 
> (or switching to TLS security in Remmina) shows the usual graphical logon 
> screen where I can login without a problem. Same clients on other OSes also 
> work (Android, Linux, etc...).
>
> Is this something to do with LibreSSL, maybe? Has this ever worked on OpenBSD?

I'm able to connect to a W2022 DC using "xfreerdp /u:username
/d:somedomain /v:xx.xx.xx.xx:3389 /sec:nla" and typing the password at
the Password: prompt. I'm not sure how to tell if it's really using NLA
but I suspect that non-NLA logins are probably disabled on the Windows
side.

Have you tried the same freerdp version on e.g. Linux to see how that
works?

(Better to compare the same version if possible otherwise there is an
extra complication - the old workaround for lack of posix timers is
no longer enough, we cannot update to freerdp 3.x, so maybe missing
upstream fixes - it's possible they may have fixed something for newer
versions of Windows).




Re: iked authentication logging ?

2024-07-30 Thread J Doe

On 2024-07-25 03:11, Crystal Kolipe wrote:

> On Wed, Jul 24, 2024 at 06:20:26PM -0400, J Doe wrote:
>> My hypothesis is that iked does not name an identity because this is
>> certificate based authentication vs. MSCHAPv2 for EAP authentication
>> which would provide an identity (ie: a username).
>>
>> Is that correct ?
>
> No.
>
> The identity that would be printed is the srcid of the peer.  By default this
> would be its hostname, and should be present in the SAN field of any
> certificate used for iked.
>
> You can see that error message displayed both with and without a named ID when
> using certificate authentication, depending on the cause of the error.
>
> It will also display without an ID even if one is known, if the printing code
> in iked fails some internal consistency checks, (which is unlikely but
> possible).



Hi Crystal,

Thank you for your reply.

I had a chance to experiment a bit with this, this past weekend.  The
client OS was macOS Sonoma (macOS 14.5).

Firstly, I configured my Mac to connect to my OpenBSD server with a
local ID of nothing (empty string), using shared secret and
username/password authentication.

As my OpenBSD server is configured for x.509 certificate authentication,
these two logon attempts were rejected and the OpenBSD server logs noted
what I mentioned in my original message: "authentication failed for"
without listing an identity.

Secondly, I then repeated this but specified an arbitrary identity for
the local ID (ie: whatever.com).  This also produced the same log
results: "authentication failed for" without listing an identity.

Lastly, I repeated this with the local ID on the Mac set to the same
value as the: dstid in my: iked.conf file:


     ikev2 "VPN" passive ipcomp tunnel esp \
     from any to dynamic \
     local egress peer any \
     srcid server.home.arpa \
     dstid client.home.arpa \
     config address 10.0.5.0/24 \
     tag "ROADW"


... so the local ID on the Mac was: "client.home.arpa".  I then
attempted to logon with a shared secret and username/password and noted
the following in my logs: "authentication failed for FQDN/client.home.arpa"

This replicated what you said in your reply:

"No.  The identity that would be printed is the srcid of the peer"

... which clears up my original question - thank you!

As a result with continuing to experiment with my configuration, I ran
into a new issue.  I followed the instructions in the OpenBSD FAQ[0] for
an X.509 configuration - in particular the following (with hostnames for
my server and Mac):

     server1# ikectl ca vpn certificate client1.domain create
     server1# cp /etc/ssl/vpn/client1.domain.crt /etc/iked/certs/
     server1# ikectl ca vpn certificate client1.domain export
     server1# tar -C /tmp -xzf client1.domain.tgz *pfx
     server1# cp /tmp/export/client1.domain.pfx \
     /var/www/htdocs/client1.domain.pfx

...so on my OpenBSD server I have the client's X.509 certificate and the
CA certificate at: /etc/iked/certs.

I then removed the _client_ certificate from this location on the server
and attempted connecting from the Mac and it authenticated.

My new question is - shouldn't the server reject a X.509 authentication
attempt if the _client_ certificate is not on the server ?  I was under
the impression that X.509 authentication with iked would be the same as
SSH - that the _client_ public key MUST be on the server (as stored in
the certificate) ?

Thanks,

- J

Links:
==

[0]  https://www.openbsd.org/faq/faq17.html#authx509



Re: doas tab completion

2024-07-30 Thread Страхиња Радић
On 24/07/30 05:32PM, Kirill A. Korinsky wrote:
> I think this way is cleaner, isn't it?
> 
> set -A complete_doas_1 -- $(echo $PATH | tr ':' '\n' | xargs ls)

Or, to limit the types of files to regular files or symlinks with 
execute bit set and avoid parsing the output of ls[1]:

set -A complete_doas_1 -- $(find $(echo $PATH | tr : ' ') -perm -100 \
\( -type f -o -type l \) -maxdepth 1 )

or to just output the command names:

set -A complete_doas_1 -- $(find $(echo $PATH | tr : ' ') -perm -100 \
\( -type f -o -type l \) -maxdepth 1 -exec basename {} ';' )

In any case, this fills up memory in the shell by creating fairly large 
arrays.

Alternative: type a command using normal Tab completion but without 
the doas "prefix", Ctrl-A, type "doas ", press Enter.

[1]: 
https://unix.stackexchange.com/questions/128985/why-not-parse-ls-and-what-to-do-instead



Re: Optimization Advice for High Resource Utilization PostgreSQL Query on OpenBSD

2024-07-30 Thread Matthias Pfeifer




On 30.07.24 14:04, Kihaguru Gathura wrote:


Hi,

I am seeking advice on optimizing a PostgreSQL query that is consuming 
a significant amount of CPU resources on my Dell PowerEdge T340 
server. The server has an Intel Xeon E-2124 CPU @ 3.30GHz (4 cores, no 
Hyper-Threading) and 16GB RAM, running OpenBSD 7.3 (GENERIC.MP) #1125.


The query in question occasionally utilizes around 40% of the CPU, 
with CPU1 and CPU2 being more utilized compared to CPU0 and CPU3. This 
suggests that the workload might not be well-balanced across all cores.


I am monitoring the system to ensure that CPU usage by PostgreSQL does 
not lead to performance issues, especially if more queries are 
executed simultaneously. Other processes (such as httpd, relayd, etc.) 
are consuming minimal CPU time, indicating they are not contributing 
significantly to the overall load.


The *top output* and *dmesg output* are included below. Given this 
setup, could someone please provide guidance on the best practices for 
optimizing PostgreSQL performance under OpenBSD? Are there specific 
kernel or PostgreSQL configurations that might help distribute the 
load more evenly across all CPU cores, or is this a case that requires 
a more powerful CPU?


Thank you in advance for your assistance.

Best regards,

Kihaguru

*top Output:*

load averages: 0.27, 0.07, 0.02    if.my.domain 14:11:35
63 processes: 61 idle, 2 on processor    up 63 days 06:11:29
CPU0 states:  3.0% user, 0.0% nice, 1.6% sys, 0.0% spin, 0.0% intr, 95.4% idle
CPU1 states: 47.9% user, 0.0% nice, 6.2% sys, 0.6% spin, 0.0% intr, 45.3% idle
CPU2 states: 33.0% user, 0.0% nice, 4.0% sys, 0.0% spin, 0.0% intr, 63.0% idle
CPU3 states:  5.8% user, 0.0% nice, 0.6% sys, 0.0% spin, 0.0% intr, 93.6% idle
Memory: Real: 199M/3048M act/tot Free: 12G Cache: 1672M Swap: 0K/16G

  PID USERNAME PRI NICE  SIZE   RES STATE    WAIT     TIME    CPU COMMAND
77669 _postgre  58    0  169M   80M onproc/2 -        0:10 35.60% postgres
    1 _relayd    2    0 5112K 8456K sleep/0  kqread  17:38  0.05% relayd
16136 www        2    0 8272K   12M sleep/1  kqread  40:05  0.00% httpd
15178 www        2    0 8140K   11M sleep/3  kqread  39:43  0.00% httpd
41797 www        2    0 7892K   11M sleep/3  kqread  39:40  0.00% httpd
30439 _relayd    2    0 1572K 4176K sleep/2  kqread  36:41  0.00% relayd
48133 _relayd    2    0 1564K 4148K sleep/1  kqread  35:55  0.00% relayd
84898 _relayd    2    0 1572K 4164K sleep/1  kqread  35:34  0.00% relayd
88687 _relayd    2    0 5076K 8440K sleep/2  kqread  17:29  0.00% relayd
 1500 _relayd    2    0 5276K 8600K sleep/0  kqread  16:52  0.00% relayd
58290 www        2    0 1612K 2556K sleep/1  kqread   6:24  0.00% slowcgi
86189 _pflogd    4    0  764K 1588K sleep/2  bpf      3:40  0.00% pflogd
 5982 root       2    0 1120K 1584K idle     kqread   2:58  0.00% sshd
45035 www        2    0 2388K 4532K sleep/2  kqread   1:21  0.00% httpd
82363 _syslogd   2    0 1228K 1648K sleep/2  kqread   1:10  0.00% syslogd
38604 _relayd    2    0 1624K 4040K sleep/2  kqread   1:08  0.00% relayd
59324 _postgre   2    0  146M 7596K sleep/1  kqread   1:02  0.00% postgres
58070 _postgre   2    0  146M   15M sleep/3  kqread   1:01  0.00% postgres
11204 _relayd    2    0 1468K 3816K sleep/1  kqread   0:29  0.00% relayd
    1 root      10    0  644K  632K idle     wait     0:22  0.00% init
68961 _postgre   2    0  146M 8984K sleep/2  kqread   0:13  0.00% postgres
28371 _postgre   2    0  146M   61M idle     kqread   0:10  0.00% postgres
12040 _postgre   2    0  146M 5604K idle     kqread   0:07  0.00% postgres
45123 _ntp       2    0 1060K 2748K idle     kqread   0:07  0.00% ntpd
67766 root       2    0  888K 1516K idle     kqread   0:06  0.00% cron
11185 root       2  -20  992K 1296K idle     kqread   0:05  0.00% ntpd
48084 kihaguru  28    0 2792K 4904K onproc/0 -        0:02  0.00% top
33981 _postgre   2    0  146M 4908K idle     kqread   0:01  0.00% postgres
 9380 _ntp       2  -20 1132K 2876K idle     kqread   0:01  0.00% ntpd
 3091 kihaguru   2    0 1412K 3576K sleep/2  kqread   0:00  0.00% sshd
61657 root       2    0 3024K 5120K idle     kqread   0:00  0.00% relayd
44011 kihaguru   3    0 1764K 6332K idle     ttyin    0:00  0.00% psql
88332 www        2    0 2616K 2720K sleep/1  kqread   0:00  0.00% ShelveAssortItem
57595 kihaguru  18    0  880K  904K idle     sigsusp  0:00  0.00% ksh
64781 kihaguru   2    0 1412K 3572K idle     kqread   0:00  0.00% sshd
 1477 root       2    0 1220K 4348K idle     kqread   0:00  0.00% sshd
52393 _smtpq     2    0 1676K 3548K idle     kqread   0:00  0.00% smtpd
43301 _dhcp      2    0  868K 1760K idle     kqread   0:00  0.00% dhcpleased
 6184 _dhcp      2    0  856K 1780K idle     kqread   0:00  0.00% dhcpleased
31249 root       2    0  728K 1480K idle     netio    0:00  0.00% pflogd
20367 root       2    0  752K 2492K idle     netio    0:00  0.00% syslogd
85654 _smtpd     2    0 2128K 4916K idle     kqread   0:00  0.00% smtpd
30336 root       2    0 1728K 2296K idle     kqread   0:00  0.00% smtpd
31500 _postgre   2    0  147M   14M idle     kqread   0:00  0.00% postgres
58901 root       2    0 3640K 5068K idle     kqread   0:00  0.00% httpd
54630 root       2    0  848K 1552K idle     kqread   0:00  0.00% dhcpleased
87873 root       2    0  828K 1500K idle     kqread   0:00  0.00% slaacd
72058 root       2    0 1204K 4312K idle     kqread   0:00  0.00% sshd
94363 _smtpd     2    0 1548K 3480K idle     kqread   0:00  0.00% smtpd
33820 root       3    0  508K 1524K idle     ttyin    0:00  0.00% getty
35003 _smtpd     2    0 1724K 3580K idle     kqread   0:00  0.00% smtpd
78288 _slaacd    2    0  848K 1720K idle

Re: Optimization Advice for High Resource Utilization PostgreSQL Query on OpenBSD

2024-07-30 Thread Kihaguru Gathura
Hi Claudio,

Yes, I did run 'Explain Analyze' on the query to diagnose the performance
issues. Based on the analysis, I created indexes on the relevant columns
and ran a VACUUM on the tables. This resulted in an improvement, reducing
CPU utilization from 40% to 30%.

I haven't yet delved into explicit Common Table Expressions (CTEs) or
extensive query refactoring as this query is currently running in a
production environment. While these optimizations are on my radar,
implementing them requires careful consideration to avoid disrupting
ongoing operations. I also considered creating indexes affecting views, but
this requires creating materialized views first, which in turn necessitates
extensive query refactoring. Given the production environment constraints,
I opted to defer this step for now to avoid any disruptions.

However, I am not sure if these additional steps would bring the
utilization significantly down to a point where more queries can be
executed simultaneously.

Thank you for your input and assistance.

Best regards,

Kihaguru


On Tue, Jul 30, 2024 at 3:42 PM Claudio Jeker wrote:

> On Tue, Jul 30, 2024 at 03:04:54PM +0300, Kihaguru Gathura wrote:
> > Hi,
> >
> > I am seeking advice on optimizing a PostgreSQL query that is consuming a
> > significant amount of CPU resources on my Dell PowerEdge T340 server. The
> > server has an Intel Xeon E-2124 CPU @ 3.30GHz (4 cores, no Hyper-Threading)
> > and 16GB RAM, running OpenBSD 7.3 (GENERIC.MP) #1125.
> >
> > The query in question occasionally utilizes around 40% of the CPU, with
> > CPU1 and CPU2 being more utilized compared to CPU0 and CPU3. This suggests
> > that the workload might not be well-balanced across all cores.
> >
> > I am monitoring the system to ensure that CPU usage by PostgreSQL does not
> > lead to performance issues, especially if more queries are executed
> > simultaneously. Other processes (such as httpd, relayd, etc.) are consuming
> > minimal CPU time, indicating they are not contributing significantly to the
> > overall load.
> >
> > The *top output* and *dmesg output* are included below. Given this setup,
> > could someone please provide guidance on the best practices for optimizing
> > PostgreSQL performance under OpenBSD? Are there specific kernel or
> > PostgreSQL configurations that might help distribute the load more evenly
> > across all CPU cores, or is this a case that requires a more powerful CPU?
>
> Did you EXPLAIN ANALYZE your query to see why it performs so bad?
> In other words: Are you using the right indexes?
>
> --
> :wq Claudio
>


Re: doas tab completion

2024-07-30 Thread Kirill A . Korinsky
On Mon, 29 Jul 2024 17:32:06 +0200,
Florian Obser  wrote:
> 
> in .kshrc:
> 
> set -A complete_doas_1 -- $(ls /sbin /usr/sbin /bin /usr/bin /usr/X11R6/bin \
> /usr/local/sbin /usr/local/bin)
>

I think this way is cleaner, isn't it?

set -A complete_doas_1 -- $(echo $PATH | tr ':' '\n' | xargs ls)

-- 
wbr, Kirill



Re: doas tab completion

2024-07-30 Thread Kirill A . Korinsky
On Mon, 29 Jul 2024 17:32:06 +0200,
Florian Obser  wrote:
> 
> again, in .kshrc:
> 
> HOST_LIST=`awk '{print $1}' < ~/.ssh/known_hosts | cut -f 1 -d, \
> | egrep -v '^[[:digit:]]|^$|\:\:' | sort -u`
> 
> set -A complete_ssh -- ${HOST_LIST}
> set -A complete_ping -- ${HOST_LIST}
> set -A complete_ping6 -- ${HOST_LIST}
> set -A complete_traceroute -- ${HOST_LIST}
> set -A complete_traceroute6 -- ${HOST_LIST}
> 

Thanks for this piece. I love it.

-- 
wbr, Kirill



xfreerdp / remmina won't connect to Win11 RDP with NLA

2024-07-30 Thread Lévai , Dániel
Hi all,

I'm noticing that xfreerdp and remmina fail to connect to a Windows 11 machine 
while using NLA:

$ xfreerdp /v:host /u:u...@example.com /d:MicrosoftAccount /sec:nla
[17:04:04:954] [26344:92f3b640] [WARN][com.freerdp.crypto] - Certificate verification failure 'unable to get local issuer certificate (20)' at stack position 0
[17:04:04:954] [26344:92f3b640] [WARN][com.freerdp.crypto] - CN = daniell-kvm-windows11
Password:
[17:04:08:675] [26344:92f3b640] [ERROR][com.freerdp.core.transport] - BIO_read returned an error: error:1404C438:SSL routines:ST_OK:tlsv1 alert internal error
[17:04:08:675] [26344:92f3b640] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[17:04:08:823] [26344:92f3b640] [ERROR][com.freerdp.core.transport] - BIO_read returned an error: error:1404C438:SSL routines:ST_OK:tlsv1 alert internal error
[17:04:08:823] [26344:92f3b640] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[17:04:08:823] [26344:92f3b640] [ERROR][com.freerdp.core] - freerdp_post_connect failed

Remmina just says "Cannot connect to the RDP server" after a couple of seconds.

Funny thing is, every attempt results in a successful logon event on Windows.

Switching off NLA on the Windows machine and trying /sec:tls with xfreerdp (or 
switching to TLS security in Remmina) shows the usual graphical logon screen 
where I can login without a problem. Same clients on other OSes also work 
(Android, Linux, etc...).

Is this something to do with LibreSSL, maybe? Has this ever worked on OpenBSD?

Daniel



Re: Optimization Advice for High Resource Utilization PostgreSQL Query on OpenBSD

2024-07-30 Thread Claudio Jeker
On Tue, Jul 30, 2024 at 03:04:54PM +0300, Kihaguru Gathura wrote:
> Hi,
> 
> I am seeking advice on optimizing a PostgreSQL query that is consuming a
> significant amount of CPU resources on my Dell PowerEdge T340 server. The
> server has an Intel Xeon E-2124 CPU @ 3.30GHz (4 cores, no Hyper-Threading)
> and 16GB RAM, running OpenBSD 7.3 (GENERIC.MP) #1125.
> 
> The query in question occasionally utilizes around 40% of the CPU, with
> CPU1 and CPU2 being more utilized compared to CPU0 and CPU3. This suggests
> that the workload might not be well-balanced across all cores.
> 
> I am monitoring the system to ensure that CPU usage by PostgreSQL does not
> lead to performance issues, especially if more queries are executed
> simultaneously. Other processes (such as httpd, relayd, etc.) are consuming
> minimal CPU time, indicating they are not contributing significantly to the
> overall load.
> 
> The *top output* and *dmesg output* are included below. Given this setup,
> could someone please provide guidance on the best practices for optimizing
> PostgreSQL performance under OpenBSD? Are there specific kernel or
> PostgreSQL configurations that might help distribute the load more evenly
> across all CPU cores, or is this a case that requires a more powerful CPU?

Did you EXPLAIN ANALYZE your query to see why it performs so bad?
In other words: Are you using the right indexes?

-- 
:wq Claudio



Optimization Advice for High Resource Utilization PostgreSQL Query on OpenBSD

2024-07-30 Thread Kihaguru Gathura
Hi,

I am seeking advice on optimizing a PostgreSQL query that is consuming a
significant amount of CPU resources on my Dell PowerEdge T340 server. The
server has an Intel Xeon E-2124 CPU @ 3.30GHz (4 cores, no Hyper-Threading)
and 16GB RAM, running OpenBSD 7.3 (GENERIC.MP) #1125.

The query in question occasionally utilizes around 40% of the CPU, with
CPU1 and CPU2 being more utilized compared to CPU0 and CPU3. This suggests
that the workload might not be well-balanced across all cores.

I am monitoring the system to ensure that CPU usage by PostgreSQL does not
lead to performance issues, especially if more queries are executed
simultaneously. Other processes (such as httpd, relayd, etc.) are consuming
minimal CPU time, indicating they are not contributing significantly to the
overall load.

The *top output* and *dmesg output* are included below. Given this setup,
could someone please provide guidance on the best practices for optimizing
PostgreSQL performance under OpenBSD? Are there specific kernel or
PostgreSQL configurations that might help distribute the load more evenly
across all CPU cores, or is this a case that requires a more powerful CPU?

Thank you in advance for your assistance.

Best regards,

Kihaguru

*top Output:*

load averages:  0.27,  0.07,  0.02    if.my.domain 14:11:35
63 processes: 61 idle, 2 on processor    up 63 days 06:11:29
CPU0 states:  3.0% user,  0.0% nice,  1.6% sys,  0.0% spin,  0.0% intr, 95.4% idle
CPU1 states: 47.9% user,  0.0% nice,  6.2% sys,  0.6% spin,  0.0% intr, 45.3% idle
CPU2 states: 33.0% user,  0.0% nice,  4.0% sys,  0.0% spin,  0.0% intr, 63.0% idle
CPU3 states:  5.8% user,  0.0% nice,  0.6% sys,  0.0% spin,  0.0% intr, 93.6% idle
Memory: Real: 199M/3048M act/tot Free: 12G Cache: 1672M Swap: 0K/16G

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT       TIME    CPU COMMAND
77669 _postgre  58    0  169M   80M onproc/2  -          0:10 35.60% postgres
    1 _relayd    2    0 5112K 8456K sleep/0   kqread    17:38  0.05% relayd
16136 www        2    0 8272K   12M sleep/1   kqread    40:05  0.00% httpd
15178 www        2    0 8140K   11M sleep/3   kqread    39:43  0.00% httpd
41797 www        2    0 7892K   11M sleep/3   kqread    39:40  0.00% httpd
30439 _relayd    2    0 1572K 4176K sleep/2   kqread    36:41  0.00% relayd
48133 _relayd    2    0 1564K 4148K sleep/1   kqread    35:55  0.00% relayd
84898 _relayd    2    0 1572K 4164K sleep/1   kqread    35:34  0.00% relayd
88687 _relayd    2    0 5076K 8440K sleep/2   kqread    17:29  0.00% relayd
 1500 _relayd    2    0 5276K 8600K sleep/0   kqread    16:52  0.00% relayd
58290 www        2    0 1612K 2556K sleep/1   kqread     6:24  0.00% slowcgi
86189 _pflogd    4    0  764K 1588K sleep/2   bpf        3:40  0.00% pflogd
 5982 root       2    0 1120K 1584K idle      kqread     2:58  0.00% sshd
45035 www        2    0 2388K 4532K sleep/2   kqread     1:21  0.00% httpd
82363 _syslogd   2    0 1228K 1648K sleep/2   kqread     1:10  0.00% syslogd
38604 _relayd    2    0 1624K 4040K sleep/2   kqread     1:08  0.00% relayd
59324 _postgre   2    0  146M 7596K sleep/1   kqread     1:02  0.00% postgres
58070 _postgre   2    0  146M   15M sleep/3   kqread     1:01  0.00% postgres
11204 _relayd    2    0 1468K 3816K sleep/1   kqread     0:29  0.00% relayd
    1 root      10    0  644K  632K idle      wait       0:22  0.00% init
68961 _postgre   2    0  146M 8984K sleep/2   kqread     0:13  0.00% postgres
28371 _postgre   2    0  146M   61M idle      kqread     0:10  0.00% postgres
12040 _postgre   2    0  146M 5604K idle      kqread     0:07  0.00% postgres
45123 _ntp       2    0 1060K 2748K idle      kqread     0:07  0.00% ntpd
67766 root       2    0  888K 1516K idle      kqread     0:06  0.00% cron
11185 root       2  -20  992K 1296K idle      kqread     0:05  0.00% ntpd
48084 kihaguru  28    0 2792K 4904K onproc/0  -          0:02  0.00% top
33981 _postgre   2    0  146M 4908K idle      kqread     0:01  0.00% postgres
 9380 _ntp       2  -20 1132K 2876K idle      kqread     0:01  0.00% ntpd
 3091 kihaguru   2    0 1412K 3576K sleep/2   kqread     0:00  0.00% sshd
61657 root       2    0 3024K 5120K idle      kqread     0:00  0.00% relayd
44011 kihaguru   3    0 1764K 6332K idle      ttyin      0:00  0.00% psql
88332 www        2    0 2616K 2720K sleep/1   kqread     0:00  0.00% ShelveAssortItem
57595 kihaguru  18    0  880K  904K idle      sigsusp    0:00  0.00% ksh
64781 kihaguru   2    0 1412K 3572K idle      kqread     0:00  0.00% sshd
 1477 root       2    0 1220K 4348K idle      kqread     0:00  0.00% sshd
52393 _smtpq     2    0 1676K 3548K idle      kqread     0:00  0.00% smtpd
43301 _dhcp      2    0  868K 1760K idle      kqread     0:00  0.00% dhcpleased
 6184 _dhcp      2    0  856K 1780K idle      kqread     0:00  0.00% dhcpleased
31249 root       2    0  728K 1480K idle      netio      0:00  0.00% pflogd
20367 root       2    0  752K 2492K idle      netio      0:00  0.00% syslogd
85654 _smtpd     2    0 2128K 4916K idle      kqread     0:00  0.00% smtpd
30336 root       2    0 1728K 2296K

Re: doas tab completion

2024-07-30 Thread Alexander Hall



On July 30, 2024 8:03:45 AM GMT+02:00, Jason McIntyre  
wrote:
>On Tue, Jul 30, 2024 at 12:42:04AM +0200, Alexander Hall wrote:
>> In this specific case, I believe
>> 
>> $ alias doas='doas ' # Note the space
>> 
>> might have done the trick as well, for ksh at least. 

>is that correct? as far as i know, adding a space after an alias is used
>to get the shell to expand the next item as an alias as well, not
>shell/tab expansion.

Hm. Yeah, it's quite possible that I'm misremembering. Apologies for the 
misinformation if so. 

/Alexander



Re: doas tab completion

2024-07-30 Thread Jason McIntyre
On Tue, Jul 30, 2024 at 12:42:04AM +0200, Alexander Hall wrote:
> In this specific case, I believe
> 
> $ alias doas='doas ' # Note the space
> 
> might have done the trick as well, for ksh at least. 
> 
> /Alexander
> 

is that correct? as far as i know, adding a space after an alias is used
to get the shell to expand the next item as an alias as well, not
shell/tab expansion.

jmc

> On July 29, 2024 7:30:57 PM GMT+02:00, Robert Palm  
> wrote:
> >Thanks a lot for sharing all these great solutions!
> >
> >On 29 July 2024, 17:37, at 17:37, Stuart Henderson
> > wrote:
> >>On 2024-07-29, Robert Palm  wrote:
> >>>
> >>> Hi,
> >>>
> >>> wonder how I can get TAB completion in the shell when using doas ...
> >>>
> >>> Do I need to add something to .profile ?
> >>
> >>pkg_add dmenu, then you can add this:
> >>
> >>set -A complete_doas `dmenu_path`
> >>
> >>(note it will not update automatically if a new program is installed;
> >>either restart the shell, or re-run the 'set' command)
> >
> 



Re: doas tab completion

2024-07-29 Thread Alexander Hall
In this specific case, I believe

$ alias doas='doas ' # Note the space

might have done the trick as well, for ksh at least. 

/Alexander

On July 29, 2024 7:30:57 PM GMT+02:00, Robert Palm  
wrote:
>Thanks a lot for sharing all these great solutions!
>
>On 29 July 2024, 17:37, at 17:37, Stuart Henderson
> wrote:
>>On 2024-07-29, Robert Palm  wrote:
>>>
>>> Hi,
>>>
>>> wonder how I can get TAB completion in the shell when using doas ...
>>>
>>> Do I need to add something to .profile ?
>>
>>pkg_add dmenu, then you can add this:
>>
>>set -A complete_doas `dmenu_path`
>>
>>(note it will not update automatically if a new program is installed;
>>either restart the shell, or re-run the 'set' command)
>



Re: doas tab completion

2024-07-29 Thread Robert Palm
Thanks a lot for sharing all these great solutions!

On 29 July 2024, 17:37, at 17:37, Stuart Henderson
wrote:
>On 2024-07-29, Robert Palm  wrote:
>>
>> Hi,
>>
>> wonder how I can get TAB completion in the shell when using doas ...
>>
>> Do I need to add something to .profile ?
>
>pkg_add dmenu, then you can add this:
>
>set -A complete_doas `dmenu_path`
>
>(note it will not update automatically if a new program is installed;
>either restart the shell, or re-run the 'set' command)



Re: doas tab completion

2024-07-29 Thread Stuart Henderson
On 2024-07-29, Robert Palm  wrote:
>
> Hi,
>
> wonder how I can get TAB completion in the shell when using doas ...
>
> Do I need to add something to .profile ?

pkg_add dmenu, then you can add this:

set -A complete_doas `dmenu_path`

(note it will not update automatically if a new program is installed;
either restart the shell, or re-run the 'set' command)




Re: doas tab completion

2024-07-29 Thread Florian Obser
On 2024-07-29 12:05 +02, Jan Stary  wrote:
> On Jul 29 11:44:32, develo...@robert-palm.de wrote:
>> complete -cf doas
>> 
>> but I cannot figure out how to do this for ksh.
>> 

in .kshrc:

set -A complete_doas_1 -- $(ls /sbin /usr/sbin /bin /usr/bin /usr/X11R6/bin \
/usr/local/sbin /usr/local/bin)

> Why stop here? It would be "nice" if tab-completion would complete
> the hostnames from ~/.ssh/known_hosts when you have already said 'ssh';

again, in .kshrc:

HOST_LIST=`awk '{print $1}' < ~/.ssh/known_hosts | cut -f 1 -d, \
| egrep -v '^[[:digit:]]|^$|\:\:' | sort -u`

set -A complete_ssh -- ${HOST_LIST}
set -A complete_ping -- ${HOST_LIST}
set -A complete_ping6 -- ${HOST_LIST}
set -A complete_traceroute -- ${HOST_LIST}
set -A complete_traceroute6 -- ${HOST_LIST}

-- 
In my defence, I have been left unsupervised.
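
Added example, not part of the post above or of any project's code: the known_hosts parsing generalized into a function that also copes with hashed entries (HashKnownHosts), @cert-authority/@revoked marker lines, [host]:port entries and wildcard patterns, which an unquoted expansion in `set -A` would otherwise glob. The function names, sample file contents and keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: safer host list for ksh completion arrays.
# known_hosts_names and sample_known_hosts are hypothetical names.

# Print completable hostnames, one per line, from the known_hosts files
# given as arguments (or from stdin when none are given).
known_hosts_names() {
	awk '
	# blank lines and comments
	NF == 0 || $1 ~ /^#/ { next }
	# marker lines (@cert-authority, @revoked) hold CA patterns or
	# revoked keys, not hosts to offer
	$1 ~ /^@/ { next }
	# HashKnownHosts entries look like |1|salt|hash and hide the name
	substr($1, 1, 1) == "|" { next }
	{
		n = split($1, hosts, ",")
		for (i = 1; i <= n; i++) {
			h = hosts[i]
			# non-default ports are stored as [host]:port
			if (h ~ /^\[/) {
				sub(/^\[/, "", h)
				sub(/\]:[0-9]+$/, "", h)
			}
			# patterns would be glob-expanded by an unquoted $(...)
			if (h ~ /[*?!]/) continue
			# IPv4 and IPv6 literals are not worth completing
			if (h ~ /^[0-9.]+$/ || h ~ /:/) continue
			print h
		}
	}' "$@" | LC_ALL=C sort -u
}

# Constructed sample input: hosts and keys are placeholders, not real data.
sample_known_hosts() {
	cat <<'EOF'
# constructed sample
build.example.org,192.0.2.10 ssh-ed25519 AAAAexamplekey1
[git.example.org]:2222 ssh-ed25519 AAAAexamplekey2
|1|Y29uc3RydWN0ZWQ=|c2FtcGxlaGFzaA== ssh-ed25519 AAAAexamplekey3
@cert-authority *.example.net ssh-ed25519 AAAAexamplekey4
2001:db8::1 ssh-ed25519 AAAAexamplekey5
192.0.2.20 ssh-rsa AAAAexamplekey6
db1.example.org,db1 ssh-ed25519 AAAAexamplekey7
build.example.org ecdsa-sha2-nistp256 AAAAexamplekey8
EOF
}

# Demonstration on the constructed sample.
sample_known_hosts | known_hosts_names

# In ~/.kshrc the result would feed the completion arrays, for example:
#   set -A complete_ssh -- $(known_hosts_names ~/.ssh/known_hosts)
```

With HashKnownHosts enabled every entry is hashed, so the list comes back empty and completion has to be fed from another source such as ~/.ssh/config.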



Re: doas tab completion

2024-07-29 Thread Robert Palm



Quoting Marcus MERIGHI:

> Hello Robert,
>
> develo...@robert-palm.de (Robert Palm), 2024.07.29 (Mon) 09:47 (CEST):
> > wonder how I can get TAB completion in the shell when using doas ...
> > Do I need to add something to .profile ?
>
> as I understand your other messages in this thread you are looking for a
> solution for ksh(1).
>
> What you are looking for is "set -A" (or set +A).
>
> Example from my .kshrc:
>
> set -A complete_ifstat_1 -- iwm0 em0 ure0 athn0 umb0 wg7
> set -A complete_ifstat_2 -- up down
>
> But, unless you are running a very short list of commands with doas, this
> will become a fairly long list.
>
> Marcus


Hi Marcus!

Many thanks for your suggestion. You nailed it :)

Included now as a starter

set -A complete_doas_1 -- sysupgrade pkg_add

After reloading with . ~/.kshrc it does exactly what I wanted.

Cool.





Re: doas tab completion

2024-07-29 Thread Marcus MERIGHI
Hello Robert, 

develo...@robert-palm.de (Robert Palm), 2024.07.29 (Mon) 09:47 (CEST):
> wonder how I can get TAB completion in the shell when using doas ...
> Do I need to add something to .profile ?

as I understand your other messages in this thread you are looking for a
solution for ksh(1). 

What you are looking for is "set -A" (or set +A). 

Example from my .kshrc:

set -A complete_ifstat_1 -- iwm0 em0 ure0 athn0 umb0 wg7
set -A complete_ifstat_2 -- up down

But, unless you are running a very short list of commands with doas, this
will become a fairly long list. 

Marcus



[solved] sndiod: Cannot change bit depth and sample rate

2024-07-29 Thread rfabris

Dear Alexandre

On 2024-07-29 09:59, Alexandre Ratchov wrote:

> The -r and -e options are device properties, so they must precede the
> -f option that adds the device. Try this:
>
> rcctl set sndiod flags -e s24 -r 96000 -f rsnd/1 -m play
>
> This is because there may be multiple devices with different
> parameters. See the last paragraphs of the DESCRIPTION section of
> sndiod(8).


Thanks a lot for your prompt reply and your explanation. Works
perfectly!

I had read sndiod(8) before writing to misc@openbsd.org, but apparently
not fully understood the implications of that particular passage
(placed `-m play` at the beginning of the command ...). My apologies -
lesson learnt.

I'm 68 and using OpenBSD since April this year, but that's no
excuse for not reading the excellent man pages carefully enough (they
have already helped me a lot in configuring our home office PCs!).

Again, many thanks, and best regards

Rolf



Re: doas tab completion

2024-07-29 Thread Kirill A . Korinsky
On Mon, 29 Jul 2024 09:47:39 +0200,
Robert Palm  wrote:
> 
> wonder how I can get TAB completion in the shell when using doas ...
> 
> Do I need to add something to .profile ?
> 

Depends on the shell you are using.

Assuming you are using BASH, you will probably get what you want by:

  complete -cf doas

but if you have bash-completion installed, you probably expect something
like this

  complete -F _command doas


-- 
wbr, Kirill



Re: doas tab completion

2024-07-29 Thread Robert Palm



Quoting Jan Stary:

> On Jul 29 11:44:32, develo...@robert-palm.de wrote:
> > > On Jul 29 09:47:39, develo...@robert-palm.de wrote:
> > > > wonder how I can get TAB completion in the shell when using doas ...
>
> echo $SHELL
> Different shells do (or don't) this differently.
>
> > > tab completion is not specific to any command.
> >
> > Hm, it does work, e.g. when I start typing
> >
> > $sysu
> >
> > it shows me the commands starting with "sysu"
>
> Yes. That is not specific to sysupgrade.
>
> > But I would like this to happen even if I use
> >
> > $doas sysu
>
> If I am not mistaken, command names are only completed
> as the first (zeroth) argument. Doing this for the second argument
> would be doas-specific: the shell would need to know that while
> a command (doas) has already been given, there is still another
> command to be given, because the first is doas; in other words,
> the shell would need to know the semantics of the (first) command,
> which it doesn't. For the first argument, file names are completed
> instead, as that is a typical argument to a command (already given).
>
> > There seems to be a solution for the bash shell (adding following to
> > ~/.bashrc)
> >
> > complete -cf doas
> >
> > but I cannot figure out how to do this for ksh.
> >
> > My workaround is to type in the command (using autocompletion) and then jump
> > to the beginning of the shell again adding doas in front of the cmd.
> >
> > But it would be nice to start with doas and then simply typing in the cmd...
>
> Why stop here? It would be "nice" if tab-completion would complete
> the hostnames from ~/.ssh/known_hosts when you have already said 'ssh';
> some shells do that, the OpenBSD ksh doesn't.
> It is the opposite of simplicity.


Understand, thanks. Just wanted to know whether I missed some optional  
settings.





Re: doas tab completion

2024-07-29 Thread Jan Stary
On Jul 29 11:44:32, develo...@robert-palm.de wrote:
> > On Jul 29 09:47:39, develo...@robert-palm.de wrote:
> > > wonder how I can get TAB completion in the shell when using doas ...

echo $SHELL
Different shells do (or don't) this differently.

> > tab completion is not specific to any command.
> 
> Hm, it does work, e.g. when I start typing
> 
> $sysu
> 
> it shows me the commands starting with "sysu"

Yes. That is not specific to sysupgrade.

> But I would like this to happen even if I use
> 
> $doas sysu

If I am not mistaken, command names are only completed
as the first (zeroth) argument. Doing this for the second argument
would be doas-specific: the shell would need to know that while
a command (doas) has already been given, there is still another
command to be given, because the first is doas; in other words,
the shell would need to know the semantics of the (first) command,
which it doesn't. For the first argument, file names are completed
instead, as that is a typical argument to a command (already given).

> There seems to be a solution for the bash shell (adding following to
> ~/.bashrc)
> 
> complete -cf doas
> 
> but I cannot figure out how to do this for ksh.
> 
> My workaround is to type in the command (using autocompletion) and then jump
> to the beginning of the shell again adding doas in front of the cmd.
> 
> But it would be nice to start with doas and then simply typing in the cmd...

Why stop here? It would be "nice" if tab-completion would complete
the hostnames from ~/.ssh/known_hosts when you have already said 'ssh';
some shells do that, the OpenBSD ksh doesn't.
It is the opposite of simplicity.



Re: doas tab completion

2024-07-29 Thread Robert Palm



Quoting Jan Stary:

> On Jul 29 09:47:39, develo...@robert-palm.de wrote:
> > wonder how I can get TAB completion in the shell when using doas ...
>
> tab completion is not specific to any command.


Hm, it does work, e.g. when I start typing

$sysu

it shows me the commands starting with "sysu"

But I would like this to happen even if I use

$doas sysu

There seems to be a solution for the bash shell (adding following to  
~/.bashrc)


complete -cf doas

but I cannot figure out how to do this for ksh.

My workaround is to type in the command (using autocompletion) and  
then jump to the beginning of the shell again adding doas in front of  
the cmd.


But it would be nice to start with doas and then simply typing in the cmd...








Re: doas tab completion

2024-07-29 Thread Jan Stary
On Jul 29 09:47:39, develo...@robert-palm.de wrote:
> wonder how I can get TAB completion in the shell when using doas ...

tab completion is not specific to any command.



Re: sndiod: Cannot change bit depth and sample rate

2024-07-29 Thread Alexandre Ratchov
On Sun, Jul 28, 2024 at 11:39:17PM +0200, rfab...@mhsmail.ch wrote:
> 
> `$ rcctl get sndiod`
> As expected:
> 
> sndiod_class=daemon
> sndiod_execdir=
> sndiod_flags=-f rsnd/1 -m play -e s24 -r 96000

The -r and -e options are device properties, so they must precede the
-f option that adds the device. Try this:

rcctl set sndiod flags -e s24 -r 96000 -f rsnd/1 -m play

This is because there may be multiple devices with different
parameters. See the last paragraphs of the DESCRIPTION section of
sndiod(8).



doas tab completion

2024-07-29 Thread Robert Palm



Hi,

wonder how I can get TAB completion in the shell when using doas ...

Do I need to add something to .profile ?

Thank you.



sndiod: Cannot change bit depth and sample rate

2024-07-28 Thread rfabris

Dear friends

I'm trying to follow the hint given in
https://marc.info/?l=openbsd-misc=167456556214809=2:


>>I found out that I have to restart sndiod with either
>>'sndiod_flags="-m play -r 44100"' or 'sndiod_flags="-m play -r 48000"'
>>flags in /etc/rc.conf.local depending on the files I am playing,
>>and then it gets to the receiver without issues.


However, I don't succeed in changing the bit depth and sample rate -
I am at a loss what to do and would be grateful for help.

My DAC can play 44100 Hz, 48000 Hz, 88200 Hz, 96000 Hz, 192000 Hz.
No issues with ALSA in Arch Linux, and same issue with another DAC.
So I don't think it's DAC related.

What I have done so far:

---
`$ ls /dev/ | grep audioctl`

audioctl0
audioctl1
audioctl2
audioctl3


`$ dmesg | grep audio`

audio0 at azalia1
uaudio0 at uhub3 port 2 configuration 1 interface 1 "Resolution Audio 
Cantata Music Center" rev 2.00/3.11 addr 2

uaudio0: class v2, high-speed, async, channels: 2 play, 0 rec, 1 ctls
audio1 at uaudio0


`audio0` doesn't work with this particular motherboard, therefore
using `audio1`.

`# rcctl set sndiod flags -f rsnd/1`

Using the default settings for bit depth and sample rate shows the
expected values:

`$ rcctl get sndiod`

sndiod_class=daemon
sndiod_execdir=
sndiod_flags=-f rsnd/1
sndiod_logger=
sndiod_rtable=0
sndiod_timeout=30
sndiod_user=root


`# audioctl -f /dev/audioctl1`

name=uaudio0
mode=
pause=0
active=0
nblks=2
blksz=960
rate=48000
encoding=s16le
play.channels=2
play.bytes=0
play.errors=0
record.channels=2
record.bytes=0
record.errors=0


The DAC displays "48kHz".

---
Changing the `sndiod` settings:

`# rcctl set sndiod flags -f rsnd/1 -m play -e s24 -r 96000`
`# rcctl restart sndiod`

`$ rcctl get sndiod`
As expected:

sndiod_class=daemon
sndiod_execdir=
sndiod_flags=-f rsnd/1 -m play -e s24 -r 96000
sndiod_logger=
sndiod_rtable=0
sndiod_timeout=30
sndiod_user=root


`# audioctl -f /dev/audioctl1`
Not as expected: I expected "encoding=s24" and "rate=96000".

name=uaudio0
mode=
pause=1
active=0
nblks=16
blksz=480
rate=48000
encoding=s16le
play.channels=2
play.bytes=0
play.errors=0
record.channels=2
record.bytes=0
record.errors=0


The DAC still displays "48kHz".

---
Neither did
`# audioctl -f /dev/audioctl1 encoding=s24 rate=96000`
change anything.

---
How can I change encoding and sample rate for sndiod? Any hints would
be much appreciated.

Many thanks and best regards

Rolf



Re: exFAT & NTFS

2024-07-28 Thread YASUOKA Masahiko
Hi,

On Sun, 28 Jul 2024 12:11:57 -0400
John McCue  wrote:
> On Sun, Jul 28, 2024 at 09:40:29AM -0400, openbsd_fr...@mail2tor.com
> wrote:
>>Can OpenBSD write to exFAT and NTFS partitions?
>>Thanks.
> 
> See 'man 8 mount_ntfs' (ro) and I think mount_msdos(8) for exfat.

mount_msdos(8) doesn't support exfat.  exfat-fuse in ports does.

# exFAT is not related to legacy FAT in format



Re: u-blox GPS card in Dell Latitude

2024-07-28 Thread Bryan Vyhmeister
Thanks to those who responded. I finally have the laptop with the u-blox
card installed. It appears as:

umodem0 at uhub3 port 1 configuration 1 interface 0 "u-blox AG - www.u-blox.com 
u-blox GNSS receiver" rev 1.10/4.05 addr 4
umodem0: data interface 1, has CM over data, has no break
umodem0: status change notification available
ucom0 at umodem0: usb1.5.1.1

It took me a little bit to figure out how to use ldattach(8) but
reading umodem(4), ucom(4), and then figuring out that ttyU0 and cuaU0
were the important interfaces was the key.

# ldattach -s 4800 nmea /dev/cuaU0

With that added, I have a sensor for ntpd.

$ ntpctl -s Sensors 
sensor
   wt gd st  next  poll          offset  correction
nmea0
    1  1  0    6s   15s       -45.090ms     0.000ms

Thanks for the pointers and feedback from everyone who responded.

Bryan



Re: exFAT & NTFS

2024-07-28 Thread John McCue

On Sun, Jul 28, 2024 at 09:40:29AM -0400, openbsd_fr...@mail2tor.com wrote:

> Can OpenBSD write to exFAT and NTFS partitions?
> Thanks.

See 'man 8 mount_ntfs' (ro) and I think mount_msdos(8) for exfat.

The manuals on OpenBSD are very good and up to date :)

Regards



Re: trying to boot on HP EliteBook 820 G1

2024-07-28 Thread Jan Stary
The point is exactly to point out that it is a speculation.

On Jul 28 16:31:14, mih...@gmail.com wrote:
> > So my current speculation is that OpenBSD has a problem booting _from_USB_ 
> > on this laptop.
> 
> I think it should be like this:
> "So my current speculation is that LAPTOP has a problem booting
> _from_USB_ on this OpenBSD."
> 
> As a note, every time i see "speculation" word my mind associates it
> with the speculum.
> Same with supposition, but this time the word in my mind is "suppository".
> 
> sorry for not intended offences/
> 
> 



Re: exFAT & NTFS

2024-07-28 Thread Denis Fondras
On Sun, Jul 28, 2024 at 09:40:29AM -0400, openbsd_fr...@mail2tor.com wrote:
> Can OpenBSD write to exFAT and NTFS partitions?
> 

OpenBSD has a ntfs-3g port to manage NTFS partitions.



Re: exFAT & NTFS

2024-07-28 Thread Crystal Kolipe
On Sun, Jul 28, 2024 at 09:40:29AM -0400, openbsd_fr...@mail2tor.com wrote:
> Can OpenBSD write to exFAT and NTFS partitions?

Sure.  You can write random data to any partition with dd.



exFAT & NTFS

2024-07-28 Thread openbsd_freak
Can OpenBSD write to exFAT and NTFS partitions?
Thanks.



Re: trying to boot on HP EliteBook 820 G1

2024-07-28 Thread Mihai Popescu
> So my current speculation is that OpenBSD has a problem booting _from_USB_ on 
> this laptop.

I think it should be like this:
"So my current speculation is that LAPTOP has a problem booting
_from_USB_ on this OpenBSD."

As a note, every time i see "speculation" word my mind associates it
with the speculum.
Same with supposition, but this time the word in my mind is "suppository".

sorry for not intended offences/



Failed syspatch 75-003 on amd64 gzip i/o error

2024-07-28 Thread legrandouef
Dear misc@,
 
 I do not know which mailing list is the best one for such report, so I
 start here.
 
 Syspatch worked properly for 75-001 on an earlier date but syspatch
 fails on 75-003 now.
 I tried with various different installurls with the same issue.
 

 $ doas syspatch -c
 gzip: stdin: Input/output error
 tar: End of archive volume 1 reached
 003_libcrypto
 

 $ doas syspatch
 gzip: stdin: Input/output error
 tar: End of archive volume 1 reached
 

 A very similar issue to this was previously raised here - curiously
 regarding a libcrypto patch:

https://marc.info/?l=openbsd-misc=152581309214272=2

 Also note that on syspatch -c 004_bgpd is not listed

 regards
 Ian



Re: headscale segfault on openbsd 7.5

2024-07-28 Thread Jona Joachim

Hi again,

I didn't see this issue was reported and discussed on github by the 
maintainer who updated the port in -CURRENT:


https://github.com/juanfont/headscale/issues/1857

I successfully built the port from -CURRENT and got headscale up again.

The package in 7.5 is broken.


Best regards,

Jona


On 26/07/2024 11:43, Jona Joachim wrote:

Hi!

I upgraded my system to openbsd 7.5 today and headscale to 
headscale-0.22.1.


With openbsd 7.4, everything was running fine.

Now I get a segfault when I try to run headscale (see below).

I know nothing about golang so it's a bit hard to debug.

I tried to compile the software manually with "go build" with 
different options. It seems to compile fine but it doesn't generate a 
runnable binary.


I wonder if you can reproduce on 7.5.



$ sudo -u _headscale headscale serve
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x16ad5e8]

goroutine 1 [running]:
modernc.org/libc.(*TLS).setErrno(0x1c59020?, {0x292f80?, 0x656220?})
    modernc.org/libc@v1.22.2/etc.go:189 +0xa8
modernc.org/libc.Xmalloc(0x0, 0x334ec0?)
    modernc.org/libc@v1.22.2/mem.go:34 +0xc5
modernc.org/libc.init()
    modernc.org/libc@v1.22.2/libc_openbsd.go:49 +0x2a9





Best regards,

Jona JOACHIM






Re: failure to read huge .text section

2024-07-28 Thread Philip Guenther
I think we’re saying that it’s been 30+ years since .rodata instead of
.text has been the section for read-only data and that your software will
be *more* portable (particularly looking to the future) if it uses .rodata
instead of .text for data it wants to read-and-not-execute.

I guess you could write a configure test for “doesn’t have working .rodata
so use .text instead” but it was the previous millenium when I last saw a
working system like that…

Philip Guenther

On Saturday, July 27, 2024, Shein Asker  wrote:

> Dear Mr. Claudio, @misc readers,
>
> Thank you for your prompt reply.
>
> I see, OpenBSD has a restriction that .text segments are executable-only
> mapped.
>
> In porting the software, I would like to make work-around modifications,
> preferably without modifying the source.
> Does OpenBSD provide a way to loosen these restrictions?
>
> On Sat, Jul 27, 2024 at 10:22 PM Claudio Jeker 
> wrote:
>
>> On Sat, Jul 27, 2024 at 08:14:42PM +0900, Shein Asker wrote:
>> > Dear @misc readers,
>> >
>> > I have recently started using OpenBSD and have encountered the problem
>> > shown in the subject when porting a software used on Linux to OpenBSD.
>> > The problem is outlined as follows: SEGV occurs when trying to read huge
>> > size data placed in a .text section that exceeds the `PAGE_SIZE` by a
>> large
>> > amount.
>> >
>> > My environments are as follows:
>> > machine:
>> >   1. QEMU/KVM x86_64 6.2.0
>> >   2. Dynabook R63/J (Intel Core i5-7300U)
>> > OS: OpenBSD 7.5
>> > compiler: clang 16.0.6
>> >
>> > Below is the minimal code that reproduces the problem.
>> > https://github.com/sheinasker/data-asm/tree/main
>> >
>> > What this code does is to copy the contents of a global string variable
>> > defined in the assembler to a dynamically allocated area and display the
>> > address, size, and leading and trailing data. The entity of
>> `sample_code`
>> > is defined in assembler and its content is a string of 12289 bytes
>> filled
>> > with 'A'. The SEGV occurs in the part of the code below that executes
>> > `memcpy`.
>> >
>> > ```cpp
>> > #include <cstdint>
>> > #include <cstdlib>
>> > #include <cstring>
>> > #include <iostream>
>> > #include <string>
>> >
>> > extern "C" char sample_code[];
>> > extern "C" std::uint32_t sample_code_size;
>> >
>> > int main() {
>> > std::cout << "address: " << reinterpret_cast<void*>(sample_code) <<
>> > std::endl;
>> > char* buf = (char*)std::malloc(sample_code_size);
>> >
>> > // SEGV
>> > std::memcpy(buf, sample_code, sample_code_size);
>> >
>> > std::cout << "size: " << std::strlen(buf) << std::endl;
>> > std::cout << "head: " << std::string(buf, buf + 10) << std::endl;
>> > std::cout << "tail: " << std::string(buf + sample_code_size - 11,
>> buf +
>> > sample_code_size - 1) << std::endl;
>> > }
>> > ```
>> >
>> > Running it with `make run1`, you will see that it crashes with SIGSEGV.
>> >
>> > The log when debugging with `lldb` is as follows:
>> > ```
>> > openbsd-host$ lldb sample1
>> > (lldb) target create "sample1"
>> > Current executable set to '/home/asker/src/data-asm/sample1' (x86_64).
>> > (lldb) b main
>> > Breakpoint 1: where = sample1`main, address = 0x6410
>> > (lldb) run
>> > Process 8967 launched: '/home/asker/src/data-asm/sample1' (x86_64)
>> > Process 8967 stopped
>> > * thread #1, stop reason = breakpoint 1.1
>> > frame #0: 0x0befee364410 sample1`main
>> > sample1`main:
>> > ->  0xbefee364410 <+0>:  endbr64
>> > 0xbefee364414 <+4>:  movq   0x372d(%rip), %r11;
>> __retguard_831
>> > 0xbefee36441b <+11>: xorq   (%rsp), %r11
>> > 0xbefee36441f <+15>: pushq  %rbp
>> > (lldb) c
>> > Process 8967 resuming
>> > address: 0xbefee361400
>> > Process 8967 stopped
>> > * thread #1, stop reason = signal SIGSEGV
>> > frame #0: 0x0bf2b0c282b0
>> > libc.so.99.0`memcpy(dst0=0x0bf29066c000, src0=,
>> > length=12289) at memcpy.c:103:2
>> > (lldb) c
>> > Process 8967 resuming
>> > Process 8967 exited with status = 11 (0x000b)
>> > (lldb) q
>> > ```
>> >
>> > At the same time, the history of system calls was also recorded by
>> > `ktrace`, so that is also shown.
>> > ```
>> >   8967 sample1  CALL  kbind(0x6fe6698ee708,24,0x3e7ebd77b6a5befb)
>> >   8967 sample1  RET   kbind 0
>> >   8967 sample1  CALL  kbind(0x6fe6698ee6b8,24,0x3e7ebd77b6a5befb)
>> >   8967 sample1  RET   kbind 0
>> >   8967 sample1  CALL  kbind(0x6fe6698ee628,24,0x3e7ebd77b6a5befb)
>> >   8967 sample1  RET   kbind 0
>> >   8967 sample1  CALL  kbind(0x6fe6698ee608,24,0x3e7ebd77b6a5befb)
>> >   8967 sample1  RET   kbind 0
>> >   8967 sample1  CALL  kbind(0x6fe6698ee628,24,0x3e7ebd77b6a5befb)
>> >   8967 sample1  RET   kbind 0
>> >   8967 sample1  CALL  kbind(0x6fe6698ee5d8,24,0x3e7ebd77b6a5befb)
>> >   8967 sample1  RET   kbind 0
>> >   8967 sample1  CALL
>> >  mprotect(0xbf24ee36000,0x1000,0x3)
>> >   8967 sample1  RET   mprotect 0
>> >   8967 sample1  CALL  mprotect(0xbf24ee36000,0x1000,0x1)
>> >   8967 sample1  RET   mprotect 0
>> >   8967 sample1  CALL  fstat(1,0x6fe6698ee500)
>> >   8967 
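
Added example, not part of the original thread: following the advice above to keep read-only data in .rodata rather than .text, this Python check lists data symbols that sit in executable sections of a little-endian ELF64 file. The function names and the sample image (its offsets and symbol values) are constructed for illustration.

```python
import struct

SHT_SYMTAB, SHF_EXECINSTR, STT_OBJECT = 2, 0x4, 1
EHDR, SHDR, SYM = "<16sHHIQQQIHHHHHH", "<IIQQQQIIQQ", "<IBBHQQ"  # ELF64 LE layouts

def data_in_exec_sections(elf: bytes):
    """List (name, size) of STT_OBJECT symbols defined in SHF_EXECINSTR sections."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, elf)
    shoff, shnum = hdr[6], hdr[12]
    secs = [struct.unpack_from(SHDR, elf, shoff + 64 * i) for i in range(shnum)]
    hits = []
    for _, sh_type, _, _, off, size, link, *_ in secs:
        if sh_type != SHT_SYMTAB:
            continue
        names = secs[link][4]                      # file offset of the linked string table
        for pos in range(off, off + size, 24):
            name, info, _, shndx, _, sym_size = struct.unpack_from(SYM, elf, pos)
            if info & 0xF != STT_OBJECT or shndx >= shnum:
                continue                           # not data, or SHN_ABS/SHN_COMMON
            if secs[shndx][2] & SHF_EXECINSTR:     # data object inside executable code
                start = names + name
                hits.append((elf[start:elf.index(b"\0", start)].decode(), sym_size))
    return hits

def build_sample() -> bytes:
    """Constructed image (headers, symtab, strtab only); symbol values are made up."""
    strtab = b"\0sample_code\0sample_code_size\0"
    syms = [(0, 0, 0, 0, 0, 0),
            (1, 0x11, 0, 1, 0x1400, 12289),        # sample_code: GLOBAL OBJECT in .text
            (13, 0x11, 0, 2, 0x5000, 4)]           # sample_code_size: GLOBAL OBJECT in .rodata
    symtab = b"".join(struct.pack(SYM, *s) for s in syms)
    sym_off = 64
    str_off = sym_off + len(symtab)
    shoff = str_off + len(strtab)
    shdrs = [(0,) * 10,
             (0, 1, 0x6, 0x1000, 0, 0, 0, 0, 16, 0),              # 1: .text  ALLOC|EXECINSTR
             (0, 1, 0x2, 0x5000, 0, 0, 0, 0, 16, 0),              # 2: .rodata ALLOC
             (0, 2, 0, 0, sym_off, len(symtab), 4, 1, 8, 24),     # 3: .symtab -> strtab 4
             (0, 3, 0, 0, str_off, len(strtab), 0, 0, 1, 0)]      # 4: .strtab
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = struct.pack(EHDR, ident, 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(shdrs), 0)
    return ehdr + symtab + strtab + b"".join(struct.pack(SHDR, *s) for s in shdrs)

if __name__ == "__main__":
    for name, size in data_in_exec_sections(build_sample()):
        print(f"{name}: {size} bytes of data in an executable section")
```

Symbols defined in assembler without a `.type name, @object` directive are recorded as NOTYPE and are not reported by this check.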

Re: failure to read huge .text section

2024-07-27 Thread Shein Asker
Dear Mr. Claudio, @misc readers,

Thank you for your prompt reply.

I see, OpenBSD has a restriction that .text segments are executable-only
mapped.

In porting the software, I would like to make work-around modifications,
preferably without modifying the source.
Does OpenBSD provide a way to loosen these restrictions?

On Sat, Jul 27, 2024 at 10:22 PM Claudio Jeker 
wrote:

> On Sat, Jul 27, 2024 at 08:14:42PM +0900, Shein Asker wrote:
> > Dear @misc readers,
> >
> > I have recently started using OpenBSD and have encountered the problem
> > shown in the subject when porting a software used on Linux to OpenBSD.
> > The problem is outlined as follows: SEGV occurs when trying to read huge
> > size data placed in a .text section that exceeds the `PAGE_SIZE` by a
> large
> > amount.
> >
> > My environments are as follows:
> > machine:
> >   1. QEMU/KVM x86_64 6.2.0
> >   2. Dynabook R63/J (Intel Core i5-7300U)
> > OS: OpenBSD 7.5
> > compiler: clang 16.0.6
> >
> > Below is the minimal code that reproduces the problem.
> > https://github.com/sheinasker/data-asm/tree/main
> >
> > What this code does is to copy the contents of a global string variable
> > defined in the assembler to a dynamically allocated area and display the
> > address, size, and leading and trailing data. The entity of `sample_code`
> > is defined in assembler and its content is a string of 12289 bytes filled
> > with 'A'. The SEGV occurs in the part of the code below that executes
> > `memcpy`.
> >
> > ```cpp
> > #include <cstdint>
> > #include <cstdlib>
> > #include <cstring>
> > #include <iostream>
> > #include <string>
> >
> > extern "C" char sample_code[];
> > extern "C" std::uint32_t sample_code_size;
> >
> > int main() {
> > std::cout << "address: " << reinterpret_cast<void*>(sample_code) <<
> > std::endl;
> > char* buf = (char*)std::malloc(sample_code_size);
> >
> > // SEGV
> > std::memcpy(buf, sample_code, sample_code_size);
> >
> > std::cout << "size: " << std::strlen(buf) << std::endl;
> > std::cout << "head: " << std::string(buf, buf + 10) << std::endl;
> > std::cout << "tail: " << std::string(buf + sample_code_size - 11,
> buf +
> > sample_code_size - 1) << std::endl;
> > }
> > ```
> >
> > Running it with `make run1`, you will see that it crashes with SIGSEGV.
> >
> > The log when debugging with `lldb` is as follows:
> > ```
> > openbsd-host$ lldb sample1
> > (lldb) target create "sample1"
> > Current executable set to '/home/asker/src/data-asm/sample1' (x86_64).
> > (lldb) b main
> > Breakpoint 1: where = sample1`main, address = 0x6410
> > (lldb) run
> > Process 8967 launched: '/home/asker/src/data-asm/sample1' (x86_64)
> > Process 8967 stopped
> > * thread #1, stop reason = breakpoint 1.1
> > frame #0: 0x0befee364410 sample1`main
> > sample1`main:
> > ->  0xbefee364410 <+0>:  endbr64
> > 0xbefee364414 <+4>:  movq   0x372d(%rip), %r11;
> __retguard_831
> > 0xbefee36441b <+11>: xorq   (%rsp), %r11
> > 0xbefee36441f <+15>: pushq  %rbp
> > (lldb) c
> > Process 8967 resuming
> > address: 0xbefee361400
> > Process 8967 stopped
> > * thread #1, stop reason = signal SIGSEGV
> > frame #0: 0x0bf2b0c282b0
> > libc.so.99.0`memcpy(dst0=0x0bf29066c000, src0=,
> > length=12289) at memcpy.c:103:2
> > (lldb) c
> > Process 8967 resuming
> > Process 8967 exited with status = 11 (0x000b)
> > (lldb) q
> > ```
> >
> > At the same time, the history of system calls was also recorded by
> > `ktrace`, so that is also shown.
> > ```
> >   8967 sample1  CALL  kbind(0x6fe6698ee708,24,0x3e7ebd77b6a5befb)
> >   8967 sample1  RET   kbind 0
> >   8967 sample1  CALL  kbind(0x6fe6698ee6b8,24,0x3e7ebd77b6a5befb)
> >   8967 sample1  RET   kbind 0
> >   8967 sample1  CALL  kbind(0x6fe6698ee628,24,0x3e7ebd77b6a5befb)
> >   8967 sample1  RET   kbind 0
> >   8967 sample1  CALL  kbind(0x6fe6698ee608,24,0x3e7ebd77b6a5befb)
> >   8967 sample1  RET   kbind 0
> >   8967 sample1  CALL  kbind(0x6fe6698ee628,24,0x3e7ebd77b6a5befb)
> >   8967 sample1  RET   kbind 0
> >   8967 sample1  CALL  kbind(0x6fe6698ee5d8,24,0x3e7ebd77b6a5befb)
> >   8967 sample1  RET   kbind 0
> >   8967 sample1  CALL
> >  mprotect(0xbf24ee36000,0x1000,0x3)
> >   8967 sample1  RET   mprotect 0
> >   8967 sample1  CALL  mprotect(0xbf24ee36000,0x1000,0x1)
> >   8967 sample1  RET   mprotect 0
> >   8967 sample1  CALL  fstat(1,0x6fe6698ee500)
> >   8967 sample1  STRU  struct stat { dev=0, ino=104192, mode=crw--w ,
> > nlink=1, uid=1000<"asker">, gid=4<"tty">, rdev=1283,
> atime=1722062206<"Jul
> > 27 15:36:46 2024">.276320559, mtime=1722062206<"Jul 27 15:36:46
> > 2024">.276320559, ctime=1722062206<"Jul 27 15:36:46 2024">.276320559,
> > size=0, blocks=0, blksize=65536, flags=0x0, gen=0x0 }
> >   8967 sample1  RET   fstat 0
> >   8967 sample1  CALL
> >
> mmap(0,0x1,0x3,0x1002,-1,0)
> >   8967 sample1  RET   mmap 13137847422976/0xbf2e4ba9000
> >   8967 sample1  CALL  fcntl(1,F_ISATTY)
> >   8967 sample1  RET   fcntl 1
> >   8967 sample1  CALL  kbind(0x6fe6698ee6b8,24,0x3e7ebd77b6a5befb)
> >   

Re: failure to read huge .text section

2024-07-27 Thread Claudio Jeker
On Sat, Jul 27, 2024 at 08:14:42PM +0900, Shein Asker wrote:
> Dear @misc readers,
> 
> I have recently started using OpenBSD and have encountered the problem
> shown in the subject when porting a software used on Linux to OpenBSD.
> The problem is outlined as follows: SEGV occurs when trying to read huge
> size data placed in a .text section that exceeds the `PAGE_SIZE` by a large
> amount.
> 
> My environments are as follows:
> machine:
>   1. QEMU/KVM x86_64 6.2.0
>   2. Dynabook R63/J (Intel Core i5-7300U)
> OS: OpenBSD 7.5
> compiler: clang 16.0.6
> 
> Below is the minimal code that reproduces the problem.
> https://github.com/sheinasker/data-asm/tree/main
> 
> What this code does is to copy the contents of a global string variable
> defined in the assembler to a dynamically allocated area and display the
> address, size, and leading and trailing data. The entity of `sample_code`
> is defined in assembler and its content is a string of 12289 bytes filled
> with 'A'. The SEGV occurs in the part of the code below that executes
> `memcpy`.
> 
> ```cpp
> #include <cstdint>
> #include <cstdlib>
> #include <cstring>
> #include <iostream>
> #include <string>
> 
> extern "C" char sample_code[];
> extern "C" std::uint32_t sample_code_size;
> 
> int main() {
> std::cout << "address: " << reinterpret_cast<void*>(sample_code) <<
> std::endl;
> char* buf = (char*)std::malloc(sample_code_size);
> 
> // SEGV
> std::memcpy(buf, sample_code, sample_code_size);
> 
> std::cout << "size: " << std::strlen(buf) << std::endl;
> std::cout << "head: " << std::string(buf, buf + 10) << std::endl;
> std::cout << "tail: " << std::string(buf + sample_code_size - 11, buf +
> sample_code_size - 1) << std::endl;
> }
> ```
> 
> Running it with `make run1`, you will see that it crashes with SIGSEGV.
> 
> The log when debugging with `lldb` is as follows:
> ```
> openbsd-host$ lldb sample1
> (lldb) target create "sample1"
> Current executable set to '/home/asker/src/data-asm/sample1' (x86_64).
> (lldb) b main
> Breakpoint 1: where = sample1`main, address = 0x6410
> (lldb) run
> Process 8967 launched: '/home/asker/src/data-asm/sample1' (x86_64)
> Process 8967 stopped
> * thread #1, stop reason = breakpoint 1.1
> frame #0: 0x0befee364410 sample1`main
> sample1`main:
> ->  0xbefee364410 <+0>:  endbr64
> 0xbefee364414 <+4>:  movq   0x372d(%rip), %r11; __retguard_831
> 0xbefee36441b <+11>: xorq   (%rsp), %r11
> 0xbefee36441f <+15>: pushq  %rbp
> (lldb) c
> Process 8967 resuming
> address: 0xbefee361400
> Process 8967 stopped
> * thread #1, stop reason = signal SIGSEGV
> frame #0: 0x0bf2b0c282b0
> libc.so.99.0`memcpy(dst0=0x0bf29066c000, src0=,
> length=12289) at memcpy.c:103:2
> (lldb) c
> Process 8967 resuming
> Process 8967 exited with status = 11 (0x000b)
> (lldb) q
> ```
> 
> At the same time, the history of system calls was also recorded by
> `ktrace`, so that is also shown.
> ```
>   8967 sample1  CALL  kbind(0x6fe6698ee708,24,0x3e7ebd77b6a5befb)
>   8967 sample1  RET   kbind 0
>   8967 sample1  CALL  kbind(0x6fe6698ee6b8,24,0x3e7ebd77b6a5befb)
>   8967 sample1  RET   kbind 0
>   8967 sample1  CALL  kbind(0x6fe6698ee628,24,0x3e7ebd77b6a5befb)
>   8967 sample1  RET   kbind 0
>   8967 sample1  CALL  kbind(0x6fe6698ee608,24,0x3e7ebd77b6a5befb)
>   8967 sample1  RET   kbind 0
>   8967 sample1  CALL  kbind(0x6fe6698ee628,24,0x3e7ebd77b6a5befb)
>   8967 sample1  RET   kbind 0
>   8967 sample1  CALL  kbind(0x6fe6698ee5d8,24,0x3e7ebd77b6a5befb)
>   8967 sample1  RET   kbind 0
>   8967 sample1  CALL
>  mprotect(0xbf24ee36000,0x1000,0x3)
>   8967 sample1  RET   mprotect 0
>   8967 sample1  CALL  mprotect(0xbf24ee36000,0x1000,0x1)
>   8967 sample1  RET   mprotect 0
>   8967 sample1  CALL  fstat(1,0x6fe6698ee500)
>   8967 sample1  STRU  struct stat { dev=0, ino=104192, mode=crw--w ,
> nlink=1, uid=1000<"asker">, gid=4<"tty">, rdev=1283, atime=1722062206<"Jul
> 27 15:36:46 2024">.276320559, mtime=1722062206<"Jul 27 15:36:46
> 2024">.276320559, ctime=1722062206<"Jul 27 15:36:46 2024">.276320559,
> size=0, blocks=0, blksize=65536, flags=0x0, gen=0x0 }
>   8967 sample1  RET   fstat 0
>   8967 sample1  CALL
>  mmap(0,0x1,0x3,0x1002,-1,0)
>   8967 sample1  RET   mmap 13137847422976/0xbf2e4ba9000
>   8967 sample1  CALL  fcntl(1,F_ISATTY)
>   8967 sample1  RET   fcntl 1
>   8967 sample1  CALL  kbind(0x6fe6698ee6b8,24,0x3e7ebd77b6a5befb)
>   8967 sample1  RET   kbind 0
>   8967 sample1  CALL  kbind(0x6fe6698ee798,24,0x3e7ebd77b6a5befb)
>   8967 sample1  RET   kbind 0
>   8967 sample1  CALL  kbind(0x6fe6698ee738,24,0x3e7ebd77b6a5befb)
>   8967 sample1  RET   kbind 0
>   8967 sample1  CALL  kbind(0x6fe6698ee738,24,0x3e7ebd77b6a5befb)
>   8967 sample1  RET   kbind 0
>   8967 sample1  CALL  kbind(0x6fe6698ee668,24,0x3e7ebd77b6a5befb)
>   8967 sample1  RET   kbind 0
>   8967 sample1  CALL  kbind(0x6fe6698ee568,24,0x3e7ebd77b6a5befb)
>   8967 sample1  RET   kbind 0
>   8967 sample1  CALL  kbind(0x6fe6698ee738,24,0x3e7ebd77b6a5befb)
>   8967 
