Re: softraid i/o errors, crypto blocks

2020-02-22 Thread freda_bundchen
>> plugged in and just run /sbin/bioctl -c C -l softraid0 
>> DUIDHERE.a on.  
> The last two arguments in that command are reversed. Fixing
> that should solve at least part of your problem.  

Thank you very much. I apologize, I did reverse the arguments in my
email. However, I was using them correctly in a script when I ran the
commands. To summarize the problem, after I mount one encrypted
(following the OpenBSD FAQ instructions) USB drive, it works fine,
until I mount a second encrypted USB drive. At that point I get errors
like

Feb 18 09:04:14 freda /bsd: softraid0: chunk sd4a already in use
Feb 18 09:04:22 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 27xxx

It doesn't happen every time. I switched to new drives but the same
thing happened. I will just chalk it up to bad drives or cables for
now, and I'll send more complete error records if it happens again.



softraid i/o errors, crypto blocks

2020-02-18 Thread freda_bundchen
I've had Postgresql data on an encrypted external USB drive 
(encrypted via the OpenBSD FAQ instructions) for about a year
and it's worked great. 

Recently, I started getting dmesg messages
saying softraid i/o error and it listed various crypto blocks:

Feb 18 09:04:14 freda /bsd: softraid0: chunk sd4a already in use
Feb 18 09:04:22 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 27xxx
Feb 18 09:04:22 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 6xx
Feb 18 09:04:31 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 1624932xxx
Feb 18 09:04:31 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 1624811xxx

In this case, it happened when I tried to mount a second external
encrypted drive. (I don't recall if this is what always triggers the
problem.)

My drive with Postgresql running was sd5i. I always mount the drives
with the DUID after running bioctl. The sd4a above refers to RAID on
the second encrypted drive I had plugged in and just run
/sbin/bioctl -c C -l softraid0 DUIDHERE.a on.

I'm running
OpenBSD 6.6-current (GENERIC.MP) #648: Sun Feb 16 13:54:33 MST 2020
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Currently, I have Postgresql 12.1p1 but it happened when the previous external
drive had 11.6 data also.

At this point of course I can no longer access my data. If I reboot
then / also fails to unmount. Rebooting is successful though after
filesystem checks. Next time it happens I will take a picture of the
messages.

I thought my external drive was bad so I switched to a new one, but
the same thing happened today.

So I am just wondering if anyone else has recently started
experiencing this sort of problem. I haven't lost any data since I
back up early and often, and in any case, fsck has fixed things so far.
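
Added example, not part of the original post: a small sh/awk triage script that counts softraid CRYPTO i/o errors per volume in syslog-format input and reports whether a "chunk ... already in use" message preceded the first error. The function names, the 60-second correlation window and the output format are assumptions made for this example; the sample lines are the ones quoted in the post, with its redacted block numbers.

```sh
#!/bin/sh
# Added example: summarise softraid kernel messages per volume.
# Usage: softraid_triage [window_seconds] < /var/log/messages
# The window (default 60 s) is an assumed correlation window, not a
# softraid setting. Timestamps are compared within one calendar day only.
softraid_triage() {
    awk -v window="${1:-60}" '
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    # e.g. "softraid0: chunk sd4a already in use"
    /softraid[0-9]+: chunk [a-z]+[0-9]+[a-p] already in use/ {
        for (i = 1; i <= NF; i++) if ($i == "chunk") chunk = $(i + 1)
        chunk_day = $1 " " $2; chunk_t = secs($3); next
    }
    # e.g. "softraid0: sd5: i/o error 0 @ CRYPTO block 27xxx"
    /softraid[0-9]+: [a-z]+[0-9]+: i\/o error [0-9]+ @ CRYPTO block/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^softraid[0-9]+:$/) vol = $(i + 1)
        sub(/:$/, "", vol)
        if (!(vol in n)) { first[vol] = $1 " " $2 " " $3; order[++k] = vol }
        n[vol]++
        d = secs($3) - chunk_t
        # remember the chunk message only if it came shortly before the error
        if (chunk != "" && chunk_day == ($1 " " $2) && d >= 0 && d <= window && !(vol in after))
            after[vol] = chunk
    }
    END {
        for (j = 1; j <= k; j++) {
            v = order[j]
            printf "%s errors=%d first=\"%s\" after_chunk_in_use=%s\n", v, n[v], first[v], (v in after) ? after[v] : "-"
        }
    }'
}

# Sample input: the kernel messages quoted in the post (block numbers are
# redacted there), with the wrapped lines joined.
sample_log() {
    cat <<EOF
Feb 18 09:04:14 freda /bsd: softraid0: chunk sd4a already in use
Feb 18 09:04:22 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 27xxx
Feb 18 09:04:22 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 6xx
Feb 18 09:04:31 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 1624932xxx
Feb 18 09:04:31 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 1624811xxx
EOF
}

sample_log | softraid_triage
```

A volume whose errors consistently follow a "chunk already in use" message points at the attach step rather than at the disk or cable.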



Re: IPv6 problems

2019-08-18 Thread freda_bundchen
> From:   list 

> my /etc/hostname looks exactly like you proposed:

> inet6 autoconf autoconfprivacy soii 
> inet6 

> when i enter the default IPv6 gateway manually. I can ping stuff 
> but don't get a reply.  When I don't: "No route to host"

> (With route to fe80::1%vio added and the normal hostname.vio0)

I would suggest not specifying any routes or link-local addresses, and
instead in /etc/hostname.vio0 make sure the IPv6 address in 
is the public IPv6 address given by your provider (I know there's a
/64, but I'm just going by the example of my own provider.)

Then make sure /etc/mygate doesn't have any IPv6 addresses. Then
perhaps reboot everything to make sure you've cleared out references
to fe80::1, if /bin/sh /etc/netstart doesn't get everything working.

My provider's configuration examples said to use -autoconfprivacy and
-soii so you might try that also. But mine works with autoconfprivacy
and soii.

What is the output of slaacctl show interface vio0?



Re: IPv6 problems

2019-08-17 Thread freda_bundchen
> From:   list  
> I've restarted my VM over the official 
> Webinterface but still...

> When trying to ping the gateway on fe80::1 I don't get any icmp
> echoreplies.

> What is the behavior of pf when disabled ? Is there some kind of
> default blocking rule that is still active ?

Have you tried /etc/hostname.vio0 with 
inet6 autoconf autoconfprivacy soii 
inet6 

instead of specifying a LL route?

Just in case, you could try /etc/pf.conf with only 

pass log all

instead of disabling pf.

Is the installation of OpenBSD provided by your VPS, or do they let
you use a custom ISO? Maybe a trial installation using a different
VPS but a similar configuration would indicate it's a problem with
the VPS.



Re: IPv6 problems

2019-08-14 Thread freda_bundchen
Hi, I just thought since the interface was vio that you're running in a virtual
environment. Providers like Vultr say "Important Note: If you add an IPv6 
subnet to an existing machine, you must restart the server via the Vultr 
control panel before IPv6 will work. Restarting via SSH or similar is not 
sufficient. IPv6 would not work at all until the server has been restarted."



Re: IPv6 problems

2019-08-14 Thread freda_bundchen
Hi, since your interface is vio0 your virtual service provider might
require a hard restart of your server -- separate from rebooting 
from your installed OpenBSD.

I know you disabled pf, but once it's working, I think the rules
you need to add would be something like:

# ip6
#   man icmp6 has the types and descriptions used below
pass log on $ext_if inet6 proto icmp6 \
to any icmp6-type \
{133 134 135 136 137} modulate state
# rfc 4890 section 4.3
pass log inet6 proto icmp6 icmp6-type {unreach toobig} modulate state
pass log inet6 proto icmp6 icmp6-type timex code 0 modulate state
pass log inet6 proto icmp6 icmp6-type paramprob code 1 modulate state
pass log inet6 proto icmp6 icmp6-type paramprob code 2 modulate state
pass log inet6 proto icmp6 icmp6-type echoreq modulate state

For the hostname.vio0 file, all I have is
inet6 autoconf autoconfprivacy soii
inet6 alias 

You may also want to look at the Book of PF third edition which
mentions other relevant RFCs.




question about man starttls and linking to cert.pem

2019-08-10 Thread freda_bundchen
Synopsis:man starttls linking new certificate to cert.pem problem
Category:documentation
Environment:
System  : OpenBSD 6.5
Details : OpenBSD 6.5-current (GENERIC.MP) #184: Wed Aug  7 21:37:16 MDT 2019
 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Architecture: OpenBSD.amd64
Machine : amd64
Description:
man starttls says one can link a new certificate to cert.pem with
ln -s /etc/ssl/mail.example.com.crt /etc/ssl/cert.pem if one does not 
intend
but link will
fail since /etc/ssl/cert.pem exists already
How-To-Repeat:
man starttls

I apologize, maybe it's not an error at all, so I'm writing to misc
instead of bugs. I don't understand why one would create this link,
and I haven't been able to find an explanation on the lists or
elsewhere. Any explanation would be greatly appreciated.

The reason I am asking about it is that I am forwarding all mail from
one server to another using starttls and opensmtpd, and it works fine
with tls no-verify without creating the link to cert.pem. Also, if one
does create the link (perhaps backing up cert.pem first) then
sysupgrade will fail since it expects the original cert.pem. Also if
running unbound, one would need to use the original cert.pem (or
whatever it was renamed to) if using tls-bundle and DNS-over-TLS, I
think.