Re: softraid i/o errors, crypto blocks
>> plugged in and just run /sbin/bioctl -c C -l softraid0
>> DUIDHERE.a on.
> The last two arguments in that command are reversed. Fixing
> that should solve at least part of your problem.

Thank you very much. I apologize, I did reverse the arguments in my email. However, I was using them correctly in a script when I ran the commands.

To summarize the problem, after I mount one encrypted (following the OpenBSD FAQ instructions) USB drive, it works fine, until I mount a second encrypted USB drive. At that point I get errors like

    Feb 18 09:04:14 freda /bsd: softraid0: chunk sd4a already in use
    Feb 18 09:04:22 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 27xxx

It doesn't happen every time. I switched to new drives but the same thing happened. I will just chalk it up to bad drives or cables for now, and I'll send more complete error records if it happens again.
softraid i/o errors, crypto blocks
I've had Postgresql data on an encrypted external USB drive (encrypted via the OpenBSD FAQ instructions) for about a year and it's worked great. Recently, I started getting dmesg messages saying softraid i/o error and it listed various crypto blocks:

    Feb 18 09:04:14 freda /bsd: softraid0: chunk sd4a already in use
    Feb 18 09:04:22 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 27xxx
    Feb 18 09:04:22 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 6xx
    Feb 18 09:04:31 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 1624932xxx
    Feb 18 09:04:31 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 1624811xxx

In this case, it happened when I tried to mount a second external encrypted drive. (I don't recall if this is what always triggers the problem.) My drive with Postgresql running was sd5i. I always mount the drives with the DUID after running bioctl. The sd4a above refers to RAID on the second encrypted drive I had plugged in and just run /sbin/bioctl -c C -l softraid0 DUIDHERE.a on.

I'm running

    OpenBSD 6.6-current (GENERIC.MP) #648: Sun Feb 16 13:54:33 MST 2020
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Currently, I have Postgresql 12.1p1 but it happened when the previous external drive had 11.6 data also.

At this point of course I can no longer access my data. If I reboot then / also fails to unmount. Rebooting is successful though after filesystem checks. Next time it happens I will take a picture of the messages.

I thought my external drive was bad so I switched to a new one, but the same thing happened today. So I am just wondering if anyone else has recently started experiencing this sort of problem. I haven't lost any data since I back up early and often, and in any case, fsck has fixed things so far.
Re: IPv6 problems
> From: list
> my /etc/hostname looks exactly like you proposed:
> inet6 autoconf autoconfprivacy soii
> inet6
> when i enter the default IPv6 gateway manually. I can ping stuff
> but don't get a reply. When I don't: "No route to host"
> (With route to fe80::1%vio added and the normal hostname.vio0)

I would suggest not specifying any routes or link-local addresses, and instead in /etc/hostname.vio0 make sure the IPv6 address in is the public IPv6 address given by your provider (I know there's a /64, but I'm just going by the example of my own provider.)

Then make sure /etc/mygate doesn't have any IPv6 addresses.

Then perhaps reboot everything to make sure you've cleared out references to fe80::1, if /bin/sh /etc/netstart doesn't get everything working.

My provider's configuration examples said to use -autoconfprivacy and -soii so you might try that also. But mine works with autoconfprivacy and soii.

What is the output of slaacctl show interface vio0?
Re: IPv6 problems
> From: list
> I've restarted my VM over the official
> Webinterface but still...
> When trying to ping the gateway on fe80::1 I don't get any icmp
> echoreplies.
> What is the behavior of pf when disabled ? Is there some kind of
> default blocking rule that is still active ?

Have you tried /etc/hostname.vio0 with

    inet6 autoconf autoconfprivacy soii
    inet6

instead of specifying a LL route?

Just in case, you could try /etc/pf.conf with only

    pass log all

instead of disabling pf.

Is the installation of OpenBSD provided by your VPS, or do they let you use a custom ISO? Maybe a trial installation using a different VPS but a similar configuration would indicate it's a problem with the VPS.
Re: IPv6 problems
Hi, I just thought since the interface was vio that you're running in a virtual environment. Providers like Vultr say "Important Note: If you add an IPv6 subnet to an existing machine, you must restart the server via the Vultr control panel before IPv6 will work. Restarting via SSH or similar is not sufficient. IPv6 would not work at all until the server has been restarted."
Re: IPv6 problems
Hi, since your interface is vio0 your virtual service provider might require a hard restart of your server -- separate from rebooting from your installed OpenBSD.

I know you disabled pf, but once it's working, I think the rules you need to add would be something like:

    # ip6
    # man icmp6 has the types and descriptions used below
    pass log on $ext_if inet6 proto icmp6 \
        to any icmp6-type \
        {133 134 135 136 137} modulate state
    # rfc 4890 section 4.3
    pass log inet6 proto icmp6 icmp6-type {unreach toobig} modulate state
    pass log inet6 proto icmp6 icmp6-type timex code 0 modulate state
    pass log inet6 proto icmp6 icmp6-type paramprob code 1 modulate state
    pass log inet6 proto icmp6 icmp6-type paramprob code 2 modulate state
    pass log inet6 proto icmp6 icmp6-type echoreq modulate state

For the hostname.vio0 file, all I have is

    inet6 autoconf autoconfprivacy soii
    inet6 alias

You may also want to look at the Book of PF third edition which mentions other relevant RFCs.
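An added illustration of the ruleset in the message above (not code from the thread or from OpenBSD): a small Python check that reads pf.conf-style `pass ... icmp6-type` rules and reports which of the ICMPv6 types and codes listed in that message a ruleset does not pass. The function names, the simplified rule parsing (it only understands the rule form shown above) and the sample ruleset are assumptions made for this example.

```python
import re

# ICMPv6 type names accepted in pf.conf (subset; see icmp6(4)).
NAMES = {"unreach": 1, "toobig": 2, "timex": 3, "paramprob": 4,
         "echoreq": 128, "echorep": 129, "routersol": 133, "routeradv": 134,
         "neighbrsol": 135, "neighbradv": 136, "redir": 137}

# (type, code) pairs the rules in the message above pass; None means any code.
WANTED = [(133, None), (134, None), (135, None), (136, None), (137, None),
          (1, None), (2, None), (3, 0), (4, 1), (4, 2), (128, None)]

RULE = re.compile(
    r"pass\b.*\bicmp6-type\s+(\{[^}]*\}|\S+)(?:\s+code\s+(\d+))?")


def passed_types(ruleset):
    """Return the set of (type, code) pairs passed by icmp6-type rules."""
    ruleset = re.sub(r"\\\s*\n", " ", ruleset)   # join continuation lines
    passed = set()
    for line in ruleset.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if not m:
            continue
        code = int(m.group(2)) if m.group(2) else None
        for tok in re.split(r"[\s,]+", m.group(1).strip("{} ")):
            if tok:
                passed.add((int(tok) if tok.isdigit() else NAMES[tok], code))
    return passed


def missing(ruleset, wanted=WANTED):
    """List wanted (type, code) pairs that no pass rule covers."""
    passed = passed_types(ruleset)
    return [w for w in wanted
            if w not in passed and (w[0], None) not in passed]


# Constructed sample: error messages and echo are passed, neighbour
# discovery (133-137) and paramprob code 2 are not.
SAMPLE = """\
block log all
pass log inet6 proto icmp6 icmp6-type {unreach toobig} modulate state
pass log inet6 proto icmp6 icmp6-type timex code 0 modulate state
pass log inet6 proto icmp6 icmp6-type paramprob code 1 modulate state
pass log inet6 proto icmp6 icmp6-type echoreq modulate state
"""

if __name__ == "__main__":
    for icmp_type, code in missing(SAMPLE):
        print("not passed: type", icmp_type, "code", "any" if code is None else code)
```

A ruleset that leaves types 133 to 136 unpassed drops router and neighbour discovery, so SLAAC and next-hop resolution stop working even though echo requests are allowed.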
question about man starttls and linking to cert.pem
Synopsis: man starttls linking new certificate to cert.pem problem
Category: documentation
Environment:
    System      : OpenBSD 6.5
    Details     : OpenBSD 6.5-current (GENERIC.MP) #184: Wed Aug 7 21:37:16 MDT 2019
                  dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
    Architecture: OpenBSD.amd64
    Machine     : amd64
Description:
    man starttls says one can link a new certificate to cert.pem with
    ln -s /etc/ssl/mail.example.com.crt /etc/ssl/cert.pem
    if one does not intend
    but link will fail since /etc/ssl/cert.pem exists already
How-To-Repeat:
    man starttls

I apologize, maybe it's not an error at all, so I'm writing to misc instead of bugs. I don't understand why one would create this link, and I haven't been able to find an explanation on the lists or elsewhere. Any explanation would be greatly appreciated.

The reason I am asking about it is that I am forwarding all mail from one server to another using starttls and opensmtpd, and it works fine with tls no-verify without creating the link to cert.pem.

Also, if one does create the link (perhaps backing up cert.pem first) then sysupgrade will fail since it expects the original cert.pem. Also if running unbound, one would need to use the original cert.pem (or whatever it was renamed to) if using tls-bundle and DNS-over-TLS, I think.