Re: Serial console questions on i386 and amd64

[Nick Holland]

Nick Holland wrote:
 Don Jackson wrote:
 I use serial consoles on all my OpenBSD servers for remote serial
 access to the machines, both during initial install via pxeboot, and
 later on in regular use after the install.
 I'm currently running either 4.2 or 4.1 on all my machines.
 
 The FAQ states:
 
Only the first serial port (com0) is supported for console on
 amd64 and i386
 
http://www.openbsd.org/faq/faq7.html#SerCon
 
 Why is this the case?
 
 because that's the way the code was written...
 
 Why does OpenBSD care which serial port I use?
 
 because that's the way the code was written...
 
 Will it simply not work if I specify set tty com1 in /etc/boot.conf ?
 
 I certainly wouldn't plan on it working.  Feel free to try.  Don't
 whine if things work as advertised.

Well, I've been informed that at least for -current (and I'm pretty
sure that means for -recent :) it DOES (at least sometimes) work.

I just tried it on one of my machines with -current, it Just Worked.
(and on -current, it works Just Cool.  Set it up with com1, not only
does it install on com1, it sets the config files up for com1)

So, I'm happy to report that I and the FAQ are at least partly, and
very possibly completely wrong on this.  I'm pretty sure this was
true at one point, obviously that limitation was removed, and tom@
is probably going to pull up a list of 20 test cases I ran for him,
but I don't remember that.

FAQ will be fixed once I make sure deleting the warning is 100%
appropriate.

Nick.

Re: P2V with VMWare - ERR M

[Nick Holland]

RANT ALERT!!  RANT ALERT!!

Zlfar M. E. Johnson wrote:
 Thanks for the replay.  I was not sure which man page you were referring to,
 but I took a quick glance at installboot.
 I have often cloned linux systems at work with rsync.  I have also done
 bare-bone restores using system-rescue cd and backups from our backup system.
 I thought it would be interesting to see how others do it with openbsd.

very simply, actually. :)

 What exactly are you referring to  Diskimage route it's not so easy.?  Are
 you referring to cloning the system?  Similar to this example
 http://www.monkey.org/openbsd/archive/tech/0112/msg00079.html
 What tool does one use to Diskimage the system?
 You could probably try this tool if I understand what you mean by Diskimage
 http://sanbarrow.com/moa-video-vdiskmanager-as-ghost.html

All the P2V (and imaging) stuff is really missing a big
point:
  If the target machines weren't hopelessly broke, it shouldn't
be a big deal to move to a VM system.  Just activate your DR
plan!  Ah, but the problem is...lots of broken designs exist,
running with obsolete apps on obsolete and over-complex OSs
that can't run on modern HW and no one can figure out how to
reload the apps on a new system.

Why are there no tools for P2V for OpenBSD?  Why would you
need them?  The tools you need are in the OS: dump/restore,
tar, cpio, dd.  Granted, you might just have to spend a
couple hours understanding how your OS works..but MUCH better
to do that on your schedule than with 500 people sitting
around idle asking When are the computers going to be back
up?

These tools shouldn't need to exist for other OSs, either.
Just activate your Disaster Recovery plan on to the VM system.

Oh, you don't have a DR plan?  That means your system was
not well designed.  Migrating a system SHOULD be no more
difficult than restoring your backup...and you should have
tested that process.

Oh, your system is too old to run on modern HW?  Your system
was either not well designed or not well managed, in that it
was allowed to outlive its useful life.

Oh, no one knows how to recover your existing system?  Your
system was not well managed, as documentation wasn't kept,
people weren't cross-trained (or they were all driven away
faster than they could cross-train new people as happened at
my previous employer).

Oh, your system is too complicated or time consuming to migrate
through normal DR processes?  Perhaps sticking configuration
info in magical places that most backup systems never touch?
Bad decisions were made on the design and product selection.

Hey, these things happen, so P2V software for some OSs is pretty
close to mandatory for some tasks...but remember what it is --
it is a work around for a problem which should NEVER HAVE
EXISTED in the first place, and an indication of bad design, not
a proper way of doing things.

Quintuple bypass surgery and heart-lung machines are really
fantastic equipment...but it is better if you can admire them
from a distance...

It is easy to get into the cool tools mindset.  You should
have seen the first draft of the note I first posted to this
thread -- I had a really cool process of using dd and growfs
and then I realized I was solving a problem that didn't exist
(there are times when you might want to use dd and growfs, and
at least one time when I seem to have NEEDED to, but that's
pretty unusual).  Backup!  Restore!  Ta-Da!  Failure to be
able to do this should be your first warning sign that something
is very wrong, and rather than migrating or virtualizing your
problems, be a real engineer and FIX the real problem, don't
just change it.  Remember, virtualized systems can need Disaster
Recovery, too...

(end Rant)

Nick.

Re: [bug fix] Problem installing OpenBSD 4.2

[Nick Holland]

Saulo Bozzi Daleprane wrote:
 I have a problem installing OpenBSD 4.2 in old machines.
 
 The bug fix instructs to use disc 2 of amd64, but what's the name of 
 this ISO?!

lots of responses, all wrong.

This issue ONLY impacted the official, purchased CD sets, not the
downloadable images.  If you have the official CD set, you just use
the disk labeled amd64, not the one labeled i386.  That's pretty
painfully obvious if you own the CDs, so I think you are referring
to the downloaded images.

So, if you can't install from the downloads, you have a problem other
than what you are looking at.

Provide useful info, we can provide guidance.

Note: i386 machines I call old can't boot from CD. :)

Nick.

Re: Is there a tool or a deamon that documented a change in the /etc directory?

[Nick Holland]

Stephan Andreas wrote:
 The problem is clear, I think.
 But a simple example: 
 You are an operator for e.g. a OBSD Firewall.
 Yesterday everything was ok,
 Today a person phoned me and want that I open a tcp port for him. Ok I open.
 Tomorrow, I notice problems that I never have had before. But I have 
 forgotten 
 the new open port. Now it is nice to have a ChangeLog. 
 
 Because it is faster than restore an Backup.

...and more productive, as you may be able to see what is wrong, rather
than simply roll back to what was...

This functionality is built into and turned on by default in OpenBSD.

If you set up the root user's e-mail to forward or otherwise be
delivered to your inbox every morning, you will find this is already
being done for you.  If you didn't do this, you have a pile of these
things waiting for you to read through in /var/mail/root.

Every night, as part of the /etc/daily script, it looks for changes to
the files listed in /etc/changelist, and stores a backup of those files.
If it finds a change, it mails you a diff of that file in an insecurity
report.  If you keep those, you have a very good record of the history
of changes on your machine.

Ta-da!  Just what you asked for, by simply creating a /root/.forward
with just your e-mail address in it. :)  Within a few days, you will
be reinventing this on every Unix machine you work with.

That being said...  I'm also fond of this little entry in my
/etc/daily.local file:
   TGZFILE=/backup/`date +backup%Y-%m-%d`.tgz
   cd /
   tar czf $TGZFILE etc var

On firewalls and DNS servers I have done this with, you get many
YEARS of this backup files on the spare space on a 40G drive.

Another trick that works well for firewalls is to have a script
which you use to synchronize the pf.conf (and other) files between
machines.  I wrote one which:
* did a diff -u against the other machine
* Recorded that diff into a file, tossed the user into an editor
to both review and explain/document the diff
* Saved that file to /bkup/history
* copy the compared files AND the change log file to the other
machine and install them
* run pfctl -f on that other machine.

(this was all done in shell script and base tools, no packages
were added to the machine)

Yes, you could say I reinvented cvs for this, but I liked this
specialized script over a general CMS for a few reasons, including
the fact it stuffed the diff in your face and had it there while
you were making the change message, and I found the dated change
files much easier to grep through when looking for when something
changed and why.

Nick.

Re: Move hard disks in soft raid to new machine

[Nick Holland]

klemen wrote:
 Hello
 
 I have new computer in which I would like to have same things as on old 
 one (OpenBSD 4.2). In old one have software raid with two 500g ide drives.
 How will raid react if I move both disks to new computer with 
 completely different hardware.

depends how completely different you are talking about. :)

If you are going from an amd64 system to a Sparc64, it won't work for a
lot of reasons long before you get to RAID.

However, I suspect by completely different, you mean 80% the same,
such as from an AMD64 to another AMD64 or i386 to another i386, (or
even i386 to a newer amd64) in which case, it should just work, again
having nothing to do with the (unspecified) software RAID system in use.

Granted, since we are missing all specifics here, you win nothing for
coming up with a wacked scenario that it won't work in (I can think of
a few), but since the software RAID partition is just a partition of
the disk, if the system boots (indicating the partitioning is good),
RAID will usually just work, and it will almost always boot when
moving around on the same platform.

Nick.

Re: AMD Geode

[Nick Holland]

Nicolas Legrand wrote:
 Damien Miller [EMAIL PROTECTED] writes:
 
 On Mon, 17 Mar 2008, Dimitri wrote:

 Hello all.
 
 My cuestion is simply.
 
 OpenBSD run over AMD Geode,

 Yes.

 specificly over Packard
 Bell S18P?.
 
 I've read it's an AMD Geode LX800, so yes.


ONCE AGAIN, the processor on an PC-like machine is one of the least
important parts to the question of compatibility.

The question is, what are all the other chips around the thing, how
are they hooked up, and how badly did the designers screw it up in
ways that haven't already been dealt with already.

Unfortunately, until someone tests a machine, it is pretty close to
impossible to find out.

Load OpenBSD on a USB flash drive, stick it in the thing, boot from
it and see what happens...

Nick.

Re: [OT] Pursuing Management to adopt OpenBSD

[Nick Holland]

Chris wrote:
 I been trying (rather unsuccessfully) to convince various clients and
 employers to adopt OpenBSD. Most people, I find, are resistent to
 change and would not use anything they are not familiar with. Others
 would say that if I leave the job, it would be hard to find people who
 can use (or even heard of) OpenBSD and in some places Management never
 heard of OpenBSD and have very little clue as to how good or bad it is
 compared to Linux/ Solaris and Windows thus they will just knock off
 the proposal in 2 seconds.
 
 Is there any way I could convince these people to make the move to
 OpenBSD? Suggestions, tips and tricks along with real life examples
 would be much appreciated. Thanks.

*) Respect the work that has come before you.  No one likes someone
who walks in and says, Let's change everything, because this is what
I know!.  Wait until you know the real problems...then deliver
solutions based on the problem, not based on your desires.

*) Prove to them that you know what you are doing on OTHER things.
Solve real problems, make things work better, document existing
systems.  Give them reason to trust your judgment and quality of
work.

*) Prove to them that you can (and do) document the systems you are
responsible for.

*) Point out the relative unknownness of various products already
in your environment.  I.e., if you have a SAN that only one person
in the office knows how to configure, you have just won the not
familiar argument.  Even if it is the Indu$try $andard $olution,
the How you configured it in your environment is critical.

*) Point out that people who know OpenBSD may not be falling out of
trees, people who REALLY know Linux, Solaris, Cisco, Juniper, EMC,
Xiotech, Windows, etc. WELL (i.e., not just a hack with a sheet of
paper that would be more useful in the bathroom than on the wall)
are not common, either...and if they are really good at what they
do, they already have jobs, and you will pay THROUGH THE NOSE and
every other orifice you have to get them to come work for you.  The
ones sitting around waiting for the phone to ring aren't that good.
I recently heard a guy enjoying the idea of a $150k/yr job he had
heard about to maintain an industry standard firewall.  Why so
much?  Because there weren't very many good people available to
maintain this standard device.  AND, the ability to grow-your-own
expert was about zero, because you could not grab an old junk
machine and build a demo or test machine, you had to shell out big
money for their box and their training.  And, if you don't pay
them a lot, your expert will go elsewhere once you make them an
expert.

*) Show how easy it is to BUILD your own experts.  If you want to
learn Solaris, you will be looking at buying some newish computers
to run it on.  If you want to learn OpenBSD, you can do it on old
junk!  You can teach your co-workers, they can work with old
company equipment to learn more.  Try that with the big name
products.  (funny story: former employer, we built a very nice set
of OpenBSD firewalls.  Massive redundancy, DR, etc., ALL out of
spare parts.  An ex-boss got a bug up his butt about having Juniper
on his resume, so he brought in a pair of probably $40k Juniper
firewalls.  But...I don't speak Juniper.  Fine, we'll have E.
do it!.  E. wasn't quite up to the task, and he got fed up
with the BS and quit.  Now the boss had NO one who could bring up
his babies.  He was later fired, and the new resume-stuffing boss
didn't like Juniper, but liked Cisco, so in come a new pair of
$50k boxes. The never-used Junipers are currently sitting in a
warehouse somewhere, and a consultant made a LOT of money
replacing our OpenBSD firewalls with the Ciscos that accomplished
the EXACT SAME THING).

*) Point out that there are a lot of people LOOKING for
experts in these industry standard systems, and they are not
finding good ones.  Lots of people looking is BAD for your
company, not good!  That bids up the prices and that discourages
long-term employment.

*) Demonstrate, don't talk.  Don't say, it would be nice if you
handed me $4000 for this project, grab an old junk machine and
build a demonstrator.  Do it right -- include the disaster recovery,
the backup, the repair and the documentation in your demonstrator.
IF it proves that's all you need, you are done!

*) Hook your co-workers.  OpenBSD is fun, and it is very easy to
learn (not just load).  I managed to get a co-worker interested,
he's now got an OpenBSD machine at home, which has been doing real
work for him and solving problems (and the Windows box puked its
guts, but the data was stored on Samba on the OpenBSD box, and now
his wife is a fan, too! :)  Guess what?  We now have TWO OpenBSD
experts in the office. (which is probably more than we have of the
official company solution).

*) Solve real problems with OpenBSD.  On my second day on the job,
the guy I was replacing told me about one problem he had -- a mail
server would collect huge amounts of mailer 

Re: BSD Documentation License?

[Nick Holland]

Lars Noodin wrote:
 If one has to identify a specific license (or licenses) for OpenBSD
 documentation, which is/are recommended?
 
 Is there a generic BSD-Documenation License anymore?
 
 I wasn't able to spot anything in either the OpenBSD FAQ or the Misc
 mailing list archive.
 
 Regards,
 -Lars

I'm not entirely sure what you are asking...if you are asking what the
license is for a PARTICULAR bit of existing documentation, the source
file is your clue.  It's not only a clue, of course, it's the law.

The man pages tend to follow the application they are documenting,
pretty much out of necessity.  You don't want to have the official
documentation having different distribution rules than the app.

The OpenBSD website, for the most part, has no license, which means
it falls under standard copyright law.  Parts of the FAQ are under
a BSD-style license.

For stuff you publish on other people's site, you follow their rules
or guidelines.  This is actually pretty critical, as your docs will
go out of date quickly, and if history is an indicator, you will
probably not bother to update it, so someone else will need to step
in and either delete it or update it (or at least, modify it to say,
this is great historical information about this five year old
problem, the writing is sublime, but completely pointless now.)

For stuff you write and publish yourself?  Why are you asking us?
Decide what you want done with it, and act accordingly!  Why should
someone else decide how YOU license YOUR work??  If you really want
others to tell you how to distribute your work, may I suggest the
GNUbies...

Anyway, cheap shots aside, for many, many uses, you should probably
just stick with standard copyright law.  If you want something
other than that, ask yourself why, what you hope to accomplish, and
how you and others will benefit from a license.  Think long and hard
about it.  Are you going to be upset if someone takes your BSD'd
webpages, prints them on their laser printer, binds them in book
form and sells 'em for $40/ea, and ends up on the New York Times
Best Seller List without forwarding a dime to you?  If not, don't
BSD-license your text.  It happened to us, a lot of people were all
bent out of shape over it, but Joel and I had already discussed that
probability and we were ok with it, both as a hypothetical and after
it actually happened.

How do you or the world benefit from having your writing in
slightly different form at 700 different sites around the Web?

I don't have a good suggestion, really, other than be careful.  I
admit that third-party documentation for free software sounds like
it should be free at first thought, but /practically/, I don't
see the benefit to anyone.  When we BSD'd parts of the FAQ, we had
what we (Joel and I...I think it is should be pointed out that Theo
thought we were a bit nuts) thought was good reason, and we have no
regrets about doing it.  BUT it isn't for everyone or everything.

I've not even looked too closely at free documentation licenses.
I just don't know what I want them to say in general.  Usually, I
prefer that what I write either stay under regular copyright law,
so I can determine how it is distributed, modified, etc. or should
be spread as widely as possible with nothing more than attribution,
and much of what I write would probably be best for me if spread
without attribution or buried and never seen again :).

Nick.

Re: Intel Core2 Dual/Quad - i386 or amd64?

[Nick Holland]

Alexander Hall wrote:

What is the recommended architecture to use for Intel's Core2
(Dual/Quad) processors?

I have two computers I'm considering going amd64 on:

...

I've found the following (likely incomplete) list of things that may
affect the choice, or might be affected by it, are:

- Memory (4GB limit)
- W^X


W^X is available on most OpenBSD platforms, including i386 and amd64.


- 64-bit instructions


as a user, you don't execute instructions directly, so this is mostly
just bigger is better hype, the same reason people get excited about
seeing all their cores in their dmesg on an app that a 100MHz Pentium
could do just fine on.  Most of the same apps work on i386 as on amd64,
you really don't care what instructions are being executed (or how
many bits are in 'em) to make them run.

http://www.openbsd.org/faq/faq12.html#amd64Intel

To be honest, most users probably won't see a difference.  Me?  I'd
probably go with amd64, as practically speaking, i386 is slowly
moving into the legacy category.  I say probably, because I would
very possibly forget and accidentally install i386 on it. :)
Ok, based on the fact that I did that today already, let's say I'd
SUGGEST going with amd64, even though I'd probably forget and go with
i386 myself. :)

Nick.

Re: File System Corrupted Due to didn't Umount cause by power failure

[Nick Holland]

Peter_APIIT wrote:
 Hello all expect openbsd user, i have encountered this incident before where
 previously i can solve it easily but not this time. 
 
 
 My openbsd is running for 24 X 7 but my mother going off the power and i
 didn't know about that for few times. After that, file is not properly
 unmount. 
 
 OpeBSD asked me to check fschk_ffs manually but i cannot read man pages
 anymore but before i can. It just stop scrolling at 13%. 

man pages are available on-line, see front page of website.

 Enter shell path name or return to sh : I press enter 
 Terminal type ? i enter tty220 

what did you do to change that?  It should prompt you with a
default thatworks.

 Return me unknow terminal type, i tried it with tty00 and others No use.
 Then i ctrl + c to force it to terminal. 

you can't type random things there, at least the wrong random things.
Assuming it is an i386 or amd64 with a monitor attached, it would
be vt220

 After that, i try ffschk_ffs and ffschk but still cannot solve it. 

(no error message, but we can pretty well guess what it would be)

AGAIN, typing random stuff isn't how you solve computer problems.
The command is fsck or fsck_ffs (either will work), and that
command was told to you in the error message (which was probably
scrolled off the screen due to your bumbling the terminal type
question).

 OpenBSD drop me to single user and kernel security level is . 
 
 I think is just for read and not for write. 
 
 I need your help.  
 
 Your help is greatly appreciated by me and others. 
 
 A billion thanks for your help. 

If things are really messed up, you may prefer (or need) to boot
from bsd.rd, either from your disk or from a CD or floppy, then
fsck all your partitions.

Easiest way to proceed would be to look at the error message you
get at boot, it will be complaining about a particular partition,
let's assume it is /dev/wd0d.  You will enter in the following
command:
   fsck /dev/wd0d
When it finds errors, it will ask you if you want to fix them,
say y.  If it starts irritating you with how many things it is
asking you to fix, hit F (upper case!), and it will just assume
y for all remaining questions.

Once this fsck is done, it may ask you if you want to write the
fixes to disk.  If so, DO SO!  Otherwise, you just wasted your
time. :)  (I'm drawing a blank at the moment if OpenBSD is one
of the OSs I've worked with that asks that question).

Now, do a mount -a.  The system may now report another
partition needs to be cleaned, so repeat the process with the
next partition, and so on, until your system comes up with a
mount -a.  Note, this mount -a trick attempts to mount
everything in your /etc/fstab file, so if you booted from
bsd.rd, this doesn't work.  In that case, you need to look at
your disklabel or the etc/fstab file on your disk.

Nick.

Re: Dangers to upgrading without install kernel

[Nick Holland]

Juan Miscaro wrote:
 Hello,
 
 The online upgrade documentation [1] is fairly vehement about its
 recommendation regarding the use of the install kernel when upgrading. 
 I was wondering why?  What dangers await someone going down the remote
 upgrade path?
 
 /juan
 
 [1] http://www.openbsd.org/faq/upgrade42.html#upgrade

IF you follow the remote upgrade process properly, it works.

When I write it, I test first on a machine in my lab, then one in my
basement, then one across town that is my mail and web server, and then
a bunch of other machines.  So, by the time I remove the warning notes
from the new version of the file, it's ready for use.  I don't recall
anyone reporting that they followed the upgradeXX.html and their
system died because of it.  However, I don't get a lot of test reports
for the process, a lot more testing goes on for the install kernel
process.

HOWEVER, there is stuff that can happen.  If you are in front of the
machine running the install kernel, you have a much better chance of
dealing with it.

The number of ways things can go right is very finite, typically.
The number of ways things can go bad is...big.  Really big.  Here
are just a few things that could go wrong:

IF you were doing 4.1 - 4.2 upgrade and your machine happened to be
one of the five that someone estimated might be impacted by the ahci
driver change, you would be really unhappy if you had no serial console
on the system, as your machine would suddenly refuse to boot, because
your HD became sd(4) devices instead of wd(4) devices.  Same goes
if you were any of the twenty or so people who guessed their machines
would do that, and didn't.

If your hard disk developed a bad spot that didn't impact operation
and yet prevented booting, you will be unhappy when you reboot (been
there, done that.  In my case, I saw the warning signs in dmesg, and
knew the machine would probably not come back up.  You might not be
so lucky or observant).

You could easily fat-finger something, installing (say) the new kernel
in the wrong place and finding out the old kernel doesn't support the
new userland.

You could be trying to install i386 file sets on your sparc64 system.
(been there, done that, too.  Works great, until you hit reboot)

Your system will be semi-functional during the upgrade,
this may be bad, or may be good, or may be completely indifferent.
When you use the install kernel, the system is in a known state: it
is DOWN, and it will stay that way until you reboot it AFTER the
upgrade.  However, there are several interesting time periods on
the live system upgrade -- early on, you are running with the
new kernel and old userland.  PF doesn't always come up in that
situation...so you may be running without any filters for any apps
on the machine.  Those apps may be running or maybe not.  Those apps
may start out running, then blow up once you start unpacking the
userland files (hello, Sendmail!).  Maybe your machine is involved
in a CARP set, during the upgrade maybe it is, maybe it isn't, and
maybe it shouldn't be while mid-upgrade but maybe it is anyway.

In other words, you will get to your destination, but the states
in the between start and finish may not be fully understood by
you, and you may not be happy with the impact of that interim
time.

Again, this is not intended to be a complete list of what could
go wrong for you.  The remote upgrade process is here because
a lot of people who understand their systems need it, and I need
it, so I spend the time working on it.  However, it's not
officially recommended process, rebuilding a live system remotely
is just not quite as error tolerant as using an install kernel
locally.  We'd be nuts to try to tell you otherwise.

Nick.

Re: RAMdisk, not for boot, how?

[Nick Holland]

chefren wrote:
 On 3/28/08 1:20 AM, Rod Whitworth wrote:
 
 The CF wearout meme needs to die.
 
 Specs, it's all about specs, it seems a fact to me that standard CF 
 cards, as used in camera's, often without any technical specification 
 other than size, cannot be written as often as ordinary harddisks.

maybe, maybe not.
Rod's right, though...  I've never seen a flash media die from write
fatigue.

I have seen and heard of a fair number die for other reasons.

There are reasons to use flash media.  Reliability is not one of them
in my mind.  They are small, they are quiet, they are low power, they
are vibration resistant.  They last a long time...usually.  But they
can fail.

 The foreseeable future people need to be really careful while choosing 
 memory cards as hard disk replacements.

I agree, but not for the reasons usually given.

If you are using a flash drive to avoid worrying about failures, you
are fooling yourself..even if the flash drives were PERFECT, there are
other parts of the computer that fail, and there are user errors.  SO,
you still need the EXACT SAME recovery processes in place for flash
drives as you do for disks.  Using flash doesn't let you dodge recovery
and backup needs.

If you try to shoe-horn a big system into a small flash drive and make
something you don't properly maintain (key issue is DO YOU maintain it,
not COULD you maintain it.  Doesn't matter what you could do if you
don't), the system will be less reliable.

If you have an app where you need or want low power, quiet or small,
go ahead, use flash media, but for goodness sake, don't screw up a
really good OS by trying to meet some goal that is completely bogus.
Just use it as normal, and maintain it as normal.  Odds are, something
else will take your system down long before write fatigue does, most
likely, it will be your butchery of a working solution.

It's the unexpected downtime that counts, not the reason.  Who the
frick cares that you tried to avoid a one-in-five-year hypothetical
failure if you caused several days of very non-hypothetical downtime
as a result?  A simple, standard install will out-perform your
hacked up mess every time.

Someone posted an article recently about people liking to use Linux
because they like tweaking and adjusting and working with the system.
I've worked with people like that -- they are smart and clever and
will cause hours of downtime to avoid a totally non-problem (or on
really cool technology.  This don't write to flash is a perfect
example.  If you wish to set a goal for yourself of I don't wish to
ever write to this disk, great.  BUT don't tell yourself or anyone
else this frankensystem is better than the normal installation.

So, if your goal is a reliable system, keep it simple.  If your goal
is to have fun, do so.  But don't confuse having fun with doing
good work.  Yes, you learn more by breaking things, but you impress
people more if you break 'em off-line, and use that knowledge to
keep your production stuff running and repaired quickly when it
breaks.

Nick.

Re: i have lost /etc

[Nick Holland]

Rafael Morales wrote:
 Hi list,
 
 Please someone help me I have deleted my /etc dir (rm
 -rf /etc), is there any way to recover it, or there is
 a way to recover  my data stored in /home ??? 
 
 Rergards

restore from backup? :)
something tells me this is not an option.  Actually, even if
it is an option, you probably need to get the system up enough
to do your restore...

Several ways.  Easiest might just be to reinstall OpenBSD from
scratch, but don't touch your /home partition (when it asks
where to mount it, say none), then add it to /etc/fstab after
reboot.  You did put /home in a separate partition, right? :)

You could also boot bsd.rd, and do something like:
mount /dev/wd0a /mnt
cd /mnt
tar xzpf /path/etc.tgz

then go through and re-customize it.  You will be worried about
hostname.if, hosts, myname, mygate, resolv.conf, but also other
files, too.

(now you can restore from your backup. :)

Once you get the system gimping along, take a look in /var/backups.
Now, vow to kiss the feet of the person who did that person should
you ever meet them.  Or buy them a beer, which they will probably
prefer anyway.  This doesn't apply if you reloaded the whole system
and blew away your /var partition.  You did have /var in a separate
partition, right?

Nick.

Re: i have lost /etc

[Nick Holland]

forgot something:

Nick Holland wrote:
...
 You could also boot bsd.rd, and do something like:
 mount /dev/wd0a /mnt
 cd /mnt
 tar xzpf /path/etc.tgz

er.. one potential problem with that: it will overwrite parts of
your /var partition, which may or may not be a problem for you
(i.e., if you have a really complex httpd configuration, it is
will get overwritten with the default).  Again, /var/backups
is your friend.

Nick.

Re: configuring the GENERIC kernel (was Re: Issue compiling a program on OpenBSD)

[Nick Holland]

Douglas A. Tutty wrote:
...
 One thing I'm not clear on: if the only issue is kernel size based on
 having an old box with low memory, where every MB counts, does
 deactivating unnecessary drivers with config actually result in a
 smaller kernel or just a kernel with deactivated drivers?  Shrinking the
 kernel would be the only reason I would have of touching the kernel as
 I'm not into trying out experimental features.  It would be too bad if
 config doesn't do this.

config strictly deactivates the drivers, it doesn't reduce memory
consumption or disk footprint.

WELL...there MIGHT be a small savings in data structures not allocated
for drivers, but that would most likely only be the case if you had such
a device in the machine, but deactivated the driver. (i.e., em(4) (the
driver) might allocate a RAM buffer for each em(4) card in the machine,
but only for the cards in the machine...disable the driver, you don't
allocate the buffers, but you can't use the card).

Since OpenBSD uses a monolithic kernel, it is outside the ability of
config to physically remove the deactivated drivers.  That would be a
funky kind of relinking, or a bunch of loadable modules, ala Windows or
Linux, which is why Windows and Linux needs so much less RAM than
OpenBSD.  Oh..wait... ;)

Removing drivers for reduced memory is really a for advanced users
only task, and you VERY QUICKLY run into diminishing returns.  One
problem is you almost certainly need another computer -- if you have
16M RAM, you want to whittle down the kernel a lot...but $DEITY help
you if you need to build that new kernel on that machine, since just
sitting at the shell prompt will have you into swap.  HOWEVER, by
the time you get to 32M, I doubt you will appreciate the time and
effort required to build and reboot off a new kernel (even if compiled
on another machine).  You just won't be adding much functionality to
the machine -- there won't be something major you will suddenly be
able to do that you couldn't do before.

Nick.

Re: configuring the GENERIC kernel (was Re: Issue compiling a program on OpenBSD)

[Nick Holland]

Douglas A. Tutty wrote:
...
 So perhaps to add to this entry for the FAQ, something that address this
 desire to shrink the kernel to save memory:
 
   ... For standard i386 old computers with little ram,
   recompiling the kernel does not provide enough free memory to
   affect what you can then do with that old computer.  You are far
   better to just add a bit more ram.

much closer to something I'd consider adding. :)

 I know that other distros have dropped actual 386 CPUs from their
 supported list so that i386 actually needs minimum 486.  The reasoning
 I've heard is that the amount of memory required is too much for any
 remaining actual 386 boxes to actually have.

Same thing was done recently with OpenBSD, actually.  There are better
reasons, however... The big one was the 80386 was a first generation
32 bit processor for Intel, and there were a lot of ugly work-arounds
in the OpenBSD kernel for 80386 systems that didn't need to be there
for 80486 and later systems. Dropping support for the 80386 simplified
the kernel code, and as we know, that's a very good thing.

There were some practical reasons why you don't want to use OpenBSD on
an 80386 system:

1) OpenBSD /requires/ a hardware FPU.  The 80386 chip did not have it,
you needed to add-on an 80387 Math coprocessor, and a relatively small
number of 80386 machines had this.

2) There are things we just do today that were big deals back in the
80386 and before days, simple little things like compressing a file.
Simply loading an 80386 system with OpenBSD was an all-day affair, due
mostly to the time required to uncompress the *.tgz files!

3) IDE disks were not common on 80386 systems.  You don't want to try
to install OpenBSD on an MFM or ESDI drive.  Even what should have
been an easy retrofit was complicated by inflexible BIOSs.

4) 16M RAM was almost unheard of back then...and many of the 80386
systems of the day were using different RAM than more modern systems
do, so the likelihood that you had an OpenBSD-capable 80386 was
very low, and upgrading it to being OpenBSD-capable was cost-prohibitive.


When this was done, no one had been sending in 80386 dmesg's for a long
time.  Even before then...the 80386 code spent some time broken around
the 3.3 days..and only a couple people had even noticed (we didn't even
realize it wasn't broke machines until we realized that several people
were seeing the exact same problem!).


 I know that my old PS/2 Model 70-A21 was a 386 with 4 MB Ram (at $1K per
 MB) and I think it could take a maximum 16 MB (but my memory from 1988
 is very fuzzy).  Where there any 386 boxes that could take 32MB ram, and
 do any still exist?

oh, most certainly.
The VERY FIRST generation of non-IBM-brand 80386 (i.e., Zenith, Compaq,
AST, etc.) systems were basically 80286 systems with a faster processor
and almost everything else carried over from the 80286 siblings.
However, by the time the second generation rolled around, the systems
were starting to make use of the 80386 potential (though the OS and apps
were still treating the 80386 as a really, really fast 8088, for the
most part.  I'm most familiar with the Zenith systems, as that's where
I was at the time, but the second generation Zenith 80386 systems were
capable of 20M on board (supposed to be 32M, but a bug was found with
support for actual production 4M 72 pin SIMMs (which didn't even exist
when the machine was first shipped!) that limited their use to only the
lower four slots, so limit was 20M, though later boards fixed that and
were able to use all 32M.  I recall no customers complaining about this
bug. :)

I've got several of these second generation Zenith machines still, one
of which was, according to the dmesg log, the last systems to run
OpenBSD on an 80386.  I also have a no-name clone board which I'd put
8x4M 30 pin SIMMs in for 32M, as well.

By the time I had the resources to do this, I'd long got and retired
much better machines that were capable of running OpenBSD.

I'd actually be surprised if the IBM Model 70 was design limited to
16M, though it is likely there was just no physical way to put more
than that in.  The PS/2 MCA machines were much more advanced than the
ISA-standard machines of the day, though a pain in the butt to work
with and incompatable, but I'm pretty sure all 32 bits of address
lines made it out to the bus.

HOWEVER, the 80386sx was a non-starter for a long time: these machines
only had 24 bit address buses, so it had a max of 16M, and being they
were cheap machines, the actual potential of most of the hardware
they were used in was 12M, 8M, or way, way less.  I don't know that
I have ever seen an 80387SX chip -- kinda bizarre thing, an expensive
accelerator for a machine you bought because you didn't need much
speed...

Nick.

Re: creating FAT32 partitions?

[Nick Holland]

Fred Snurd wrote:
I apologize for the newbie question, 


the lack of line wraps is mighty annoying, too.

 but how is one supposed to add a FAT32 partition?  The following shows
 where I have verified the partitioning of a USB flash drive containing
 two partitions through fdisk.  One for OpenBSD (type A6)  the rest
 FAT32.  Yet when entering the disklabel, I am not seeing the FAT32
 partition (typically partition 'i'), and disklabel doesn't allow adding
 it either.  What is the trick for making this visible?


$ sudo fdisk sd0
Disk: sd0   geometry: 124/255/63 [2002944 Sectors]
Offset: 0   Signature: 0xAA55
  Starting EndingLBA Info:
 #: id  C   H  S -  C   H  S [   start:size ]

 0: 06 26   0  1 -123 254 63 [  417690: 1574370 ] DOS  32MB  
 1: 00  0   0  0 -  0   0  0 [   0:   0 ] unused  
 2: 00  0   0  0 -  0   0  0 [   0:   0 ] unused  
*3: A6  0   0 33 - 25 254 63 [  32:  417658 ] OpenBSD 
$  sudo disklabel -E sd0

# Inside MBR partition 3: type A6 start 32 size 417658
Treating sectors 32-417690 as the OpenBSD portion of the disk.
You can use the 'b' command to change this.

Initial label editor (enter '?' for help at any prompt)

p

device: /dev/rsd0c
type: SCSI
disk: SCSI disk
label: Flash Voyager  
bytes/sector: 512

sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 124
total sectors: 2002944
free sectors: 0
rpm: 3600

16 partitions:
#size   offset  fstype [fsize bsize  cpg]
  a:   417658   32  4.2BSD   2048 163841 
  c:  20029440  unused  0 0  

a i

No space left, you need to shrink a partition

q

No label changes.
$ 


I assume you want to be able to access the FAT32 partition from Windows.
I've found that W2k and XP both seem to require that the FAT32 partition
be physically first on the disk.

Zero your drive (dd if=/dev/zero of=/dev/rsdXc count=200.  Replace the X
as appropriate, of course), then start over.
Create a FAT partition first, then an OpenBSD partition, then disklabel.
Since both partitions will be there when disklabel is first invoked, it
will give you what you are after automatically.

IF you want the OpenBSD partition to be bootable, set that in OpenBSD's
fdisk, too.  Windows really gets unhappy when it sees multiple partitions
on removable media, so it won't help you at all.

Once the FAT partition is created in OpenBSD, however, it can (and probably
should be) formatted in Windows.  Windows does that ok, as long as it is the
first partition on the disk.

Nick.

Re: Optimising OpenBSD

[Nick Holland]

Matthew Smith wrote:
 Quoth Rod Whitworth at 2008-04-09 08:04...
 Matthew, you are pretty new here so I'll be kind.
 Read http://www.openbsd.org/faq/faq5.html#Why
 For this, I apologise.  I am currently in the situation that I don't 
 know where to look for what.  I might try writing a OpenBSD for Linux 
 escapees somewhere down the track, because that's what I really need.

http://www.openbsd.org/faq/faq9.html  :)
Don't re-invent, improve. :)
(It used to be called migrating from Linux or something like that,
but there are a lot of other non-Linux Unixes that people might be
coming from).

 Also Search The Fine Archives 
 I now discover that they are under a different domain - which is why the 
 site search wasn't pulling up much.  I must pull out my copy of 'Google 
 Hacks' and see if there is a way that an aggregated site search can be 
 done that pulls in the list archives as well.

there's a bunch of archives out there, each has their own search
functions, and that's really a good thing.  Very often, when looking
for something and one search engine strikes out, another will pop up
the answer for you.  As wonderful as Google is, it isn't the Final
Word on knowledge retrieval.  Often, when the best answer is don't,
search engines do a much better job of coming up with more long-
winded and incorrect answers.

 The GENERIC kernel has been compiled with all the right flags. The
 article you cite was never good advice and furthermore it is going on 8
 years old.
 It's going to take me a while to get used to having a kernel that I 
 don't HAVE to touch - not that I'm complaining!

wait until you get used to working on your projects rather than
tweaking your OS... It will raise your expectations on everything.


Nick.

Re: install42.iso hangs....any ideas?

[Nick Holland]

Redirected from ports@ to [EMAIL PROTECTED]
An explanation of what lead you to post it to ports@ would be
interesting, second one of those in a couple days, starting to
sound like something is unclear somewhere.

[EMAIL PROTECTED] wrote:
 Hey All,
   I'm trying to install OpenBSD 4.2 and have created an ISO image using
 ISORecorder for XP. The creation of the image on the CD completed with no
 errors. When I boot from the CD to install...the script begins and I get
 some white text on blue background...but then the install stops at the
 following message:
 
 cd0 at scsibus0 targ 1 lun 0: HL-DT_ST, DVDRAM GSA-E50L, NE01 SCSI0
 5/cdrom removalable
 
 any ideas would be greatly appreciated.
 
 Thanks in advance.

You have given us almost nothing to go on.

however...

I notice you have a DVDRAM there.  I've only had one of those, and I
pulled it out of the machine it was in because it seemed to be defective.
I could be wrong..it may be that only two people have ever tried to
install OpenBSD on a machine with a DVDRAM drive into OpenBSD, you and
me.  Or maybe you and I are the only owners of defective DVDRAM drives.

SO, first thing I'd try is to pull the DVDRAM drive out and use a
CD or DVD drive, see if that works better.  If so, let us know, I'll
look into my defective DVDRAM drive more.

If not, tell us SOMETHING about your computer, or (much) better yet,
just put a serial console on it and snag the boot output and let us
look.  Or type out a lot more of what you see on the screen.  Put the
digicam down, I'm not looking.

Nick.

Re: Logging failed SSH users and the passwords they typed

[Nick Holland]

Sam Fourman Jr. wrote:
  Is there a way to login the passwords that were used in the bruteforce
 attack?
 
 I am siting trying to come up with a good reason why you would give a
 damn what passwords they tried?

Actually, I have a reason why a list of PWs that the brute-force apps
use would be interesting:  to show people how bad their PWs typically
are.

Ok, everyone, pick a creative password for the all-powerful root
account.  Now...let's look at a brute force list, and see how original
you aren't.  Wow, look, five of you picked 'iamgod' for your root PW,
and here it is on the brute-force list!

However, a much better way to this would be simply snag a copy of the
program.  (one way, perhaps: honeypot machine, with a firewall that
cuts off all net connections after it makes, say, ten outgoing ssh
connections in a minute).

Nick.

Re: Problems reading CD during install

[Nick Holland]

Wade, Daniel wrote:
 The installer can't mount the cd to read the files from it.  I'm using a
 recent install43.iso.  I'll try to use ftp for the install sets, but it would
 be nice if I could do it all from the CD.
 
 Here is what I get if I try to mount the CD
 
 cd0(ahci0:1:0): Check Condition (error 0x70) on opcode 0x8
 SENSE KEY: Illegal Request
 cd0(ahci0:1:0): Check Condition (error 0x70) on opcode 0x8
 SENSE KEY: Illegal Request
 cd0(ahci0:1:0): Check Condition (error 0x70) on opcode 0x8
 SENSE KEY: Illegal Request

My first reaction: Looks like a bad media, a bad drive, or a bad
burner used to create the disk.
Do you have any reason to believe otherwise?

Looks like a SATA DVD ROM drive attached to an ahci controller,
which is kinda new stuff (at least for me! :), so I'm not going
to say there ISN'T an OpenBSD problem, at least until I get some
better HW in production here to try it, but I'd certainly start
with the obvious.

Nick.

Re: Upgrade 4.1-4.2-4.3

[Nick Holland]

Damon McMahon wrote:
 Greetings,
 
 Can anyone enlighten me as to why DHCP clients are no longer  
 retrieving their domain name from my OpenBSD DHCP/DNS server which I  
 recently upgraded from 4.1 to 4.3 via 4.2? DHCP and DNS seems to  
 functioning normally otherwise...
 
 Any advice appreciated (as always),
 Damon

it is your DHCP /SERVER/ machine which was upgraded, not the clients
(I say this because I started out the note thinking it was a client
that was upgraded and no longer fetching from the DHCP server)

Show us what is happening, what you expected to happen, why you expected
etc., rather than diagnosing the problem for us. :)

Contents of dhcpd.conf would be interesting, as well as any message
in /var/log/daemon regarding dhcpd.

More details on what you did for the upgrade might also be interesting,
as a fair number of people (including me) have upgraded their DHCP
servers from 4.1 (and before) to 4.2 to 4.3 without reporting this
problem, so my guess at this point is either something strange was done
during the upgrade process or the problem is not directly related to
the upgrade.

There isn't much to dhcpd: dhcpd.conf and /usr/sbin/dhcpd are about it.
Some other files launch it, but if it is running, it will be mostly
those two files.  dhcpd was replaced in the upgrade process, dhcpd.conf
/should/ be untouched.  Looking at the dates on those files will tell
a few things, I suspect.

Nick.

Re: OpenBSD 4.3 released May 1, 2008

[Nick Holland]

Rich Healey wrote:
...
 I've been finding it a bit slow, but nice enough, bnut with the release
 realeased as it were, I should now rebuild the kernel/userland to
 incorporate the changes?
 
 Sorry if this is in the FAQ somewhere, I've been unable to find it.

http://www.openbsd.org/faq/faq5.html

Nick.

Re: Double 4-port NIC happiness

[Nick Holland]

Stefek Zaba wrote:
I've just brought 3.8-RELEASE up on an oldie-but-goody machine - ASUS 
P3B-F - into which a total of 10 NICs have been thrust. 4 are on an 
Adaptec AHA-62044, whose NICs get named sf0 .. sf3 (note that as per the 
i386 info at http://www.openbsd.org/i386.html, these are recognised by 
the GENERIC kernel but not by the one on the boot CD-ROM); 4 more are on 
a D-LINK DFE 570TX, whose NICs get named dc0 .. dc3. (That's a minor 
documentation bug in the i386 web page - it says the 570TX NICs will get 
driven by the de(4) driver, but it's the dc(4) which does the job in 
point of fact. The dc(4) and de(4) man pages get this right).


That's a whoops.  Once, that was true.  That was..uh..long ago.  Fixed.

No massive stress tests done yet, but basic ping and nc of 10MB in 
sensible barely-over-a-second time suggests basic functionality working 
well. (Actual performance for nc sending a 10MB testfile is about 0.98 
seconds on the dc ports of the 570TX, and more like 1.4 seconds on the 
sf ports on the Adaptec; both going through one otherwise unloaded 
switch to a Windows box.)


Hope that's encouraging/useful to anyone else setting up a multizone 
setup with an OpenBSD box as the spider / hydra / Fat Controller / 
piggy-in-the-middle / Network Policy Device / whatever you want to call 
it...


dmesg sent to openbsd.org's 'dmesg' address, not appended here; shout if 
you feel you must see it.


For a test, I once ... well, I'll just jump right to the punch line:


dc19 at pci7 dev 7 function 0 DEC 21142/3 rev 0x41: irq 10, address 
00:60:f5:08:54:27
lxtphy11 at dc19 phy 1: LXT971 10/100 media interface, rev. 1


Hardest part was finding which port was which so I could install the OS 
on it. :)


Later, I found I had a six-PCI slot machine, but I never got around to 
repeating the test...   In case anyone is wondering, that was 3.6-beta, 
from Aug. 2004.


Nick.

Re: updating the kernel to CURRENT

[Nick Holland]

Spruell, Darren-Perot wrote:
From: [EMAIL PROTECTED] 
When updating the kernel to CURRENT (in the case, 3.9), do I 
have to update

ports and already installed packages?


I think the OP is using words in non-standard ways.
The kernel is one file, /bsd.
Ports and packages are the add-on stuff.
Missing from the question is the userland -- the utilities and such that 
makes OpenBSD (or any OS) go.


OpenBSD is the combination of the userland and kernel.  I'm going to 
guess that's what the OP meant by kernel.



Packages and ports should stay in sync with the rest of the userland. The OS
should stay in synch with the kernel since there are important dependencies
on kernel interfaces.

So I would guess if you want to run CURRENT kernel, you will be best served
running CURRENT userland as well, and subsequently ports will need to follow
CURRENT as well.

Maybe you should consider a snapshot.

(hoping I'm not misleading on this...)


Technically, you are somewhat wrong, practically, you are mostly correct. :)

The kernel and userland must be kept in sync for a fully functioning 
system (though a brief new kernel, old userland usually works for the 
middle of the remote upgrade process).  Newly installed packages must 
match the rest of the OS.  Packages built from ports must be from a 
ports tree that matches the OS.


HOWEVER... as the upgrade process does not remove the old library files, 
old packages will (usually) continue to run on an UPGRADED system 
(however, don't try to install an old package on a newly-installed (not 
upgraded) system).  So, technically, you are wrong, you could keep using 
old ports on new systems.


Practically, you are right.  Try to live with that concept, you run into 
at least a couple issues:
* Dependancies: new packages may be dependent upon newer versions of 
packages you already have installed.  Might as well upgrade them on your 
schedule.
* Security: third party software seems to have a non-trivial rate of 
security issues.  You probably want to keep it up to date.  You will 
probably have more reason to worry about updating the apps than the OS 
itself.


As long as you are updating the system, just update the ports and packages.

And yes, always use a snapshot (or release, or other prepared binary). 
Compiling is for customizing (which you probably don't need to do) or 
for -stable.  Upgrading is done using binaries.


Nick.

Re: Utilisation of free memory as disc cache: tweaking is required?

[Nick Holland]

On Mon, Feb 20, 2006 at 02:49:01PM +, Constantine A. Murenin wrote:
... 
 Although the documentation says that it defaults to 5%, it actually
 seems to default to 10% on amd64, alpha, hppa and hppa64.
 
 Why it's not made to default to 10% on i386 too if enough memory is available?
 
because 5% more of 24M or 16M makes a big difference, perhaps?

yes, we care about OpenBSD working well on Really Small Machines.

 Also, it looks like Filesystem Buffer was in the FAQ in 2003-05-01
 (http://www.se.openbsd.org/faq/faq11.html), stating option
 BUFCACHEPERCENT=30 for config(8), but now it no longer appears in
 today's version (http://www.openbsd.org/faq/faq11.html). Is there a
 reason for that?

Yes, because people who thought they knew more than the programmers 
kept twisting knobs to the max and expected things to ALWAYS be better,
and we spent too much time reading and answering IT BROKE! questions.

This way, we can laugh at people who break their systems in clear
conscience.

Come on, think.
Do you really think OpenBSD developers LIKE to have things go slower
than they could Just Because they like to watch people twist knobs?  Do
you think if they felt there was a better OVER ALL value, they wouldn't 
set it?  Not all the world shares your design criteria.

... 
 True, I was making a generalisation to mean any modern PC/mac. :-) It
 was almost a year ago that 512MB became the minimum even for most
 entry models.

How about this:
Consider i386 a legacy platform.
All modern stuff is amd64 compatable, anyway, right?
Wow, look at that.  amd64 (which probably will never be seen with less
than 256M due to the memory design) has a default of 10%.

The developers are ahead of you on that. :)

Nick.

Re: SCSI tape drive hanging

[Nick Holland]

Marcus Barczak wrote:
...

-- dmesg output --
ahc0 at pci0 dev 9 function 0 Adaptec AHA-2940U rev 0x00: irq 11
scsibus2 at ahc0: 16 targets
st0 at scsibus2 targ 4 lun 0: HP, C1537A, L706 SCSI2 1/sequential removable
st0: density code 0x8c, variable blocks, write-enabled

Has anyone seen this problem before or have any suggestions as to how I may fix 
it?


wow, never seen a dmesg like that before.  No wonder it doesn't work, 
most of your computer is missing!



Alternate response:
If you know what parts of a dmesg we need to fix your problem, you 
obviously can fix your own problem.


Nick.

Re: Pf questions for larger implementation

[Nick Holland]

Steve D. wrote:

Hi,

I'm setting up a gateway (1.7 Ghz machine with 1 Gig of ram) for 700+ 
users using pf with NAT and BINAT's (90% NAT).I would like to know 
if anyone has any recommendations on tweaking the runtime options in 
PF.  This box will pretty much just be handling the natting with a bare 
minimum of filtering, just enough to keep the box secure.


Yes:
DON'T TOUCH ANYTHING UNTIL YOU KNOW WHAT THE GOAL IS.

Apparently, there are some OSs people are used to that ship in a nearly 
useless state, at least judging by the queries like this.  With OpenBSD, 
you aren't supposed to have to tweak things..it should Just Work.


See if you run into a problem.  Don't start twisting knobs until you see 
if there is a reason to do so, and until you know what the desired 
outcome is.  The defaults are set pretty darned well to start with -- 
you are much more likely to break something by tweaking than you are 
to improve anything.


For comparison: we have ~850 people, hiding behind a CARP'd pair of 
machines -- primary is a Celeron 600, 384M RAM.  Failover box is a 
PIII-750, 512M RAM, in an otherwise identical box.  Hooked to a 45Mbps 
DS3.  We aren't exercising the system much at this point (neither the 
box nor the DS3).  I suspect some day, we'll start seeing some limits 
hit on this thing, we'll worry about it then...assuming these boxes 
haven't died of old age by the time that happens. :)


Nick.

Re: In chroot: /dev/stdin: Device not configured

[Nick Holland]

On Fri, Feb 24, 2006 at 10:38:13PM +0100, Matthias Kilian wrote:
 Hi,
 
 can anyone tell me wtf I'm missing in the commands below?
 
 # mkdir foo
 # cd foo
 # mkdir bin dev
 # cp -p /bin/cat bin
 # cd dev
 # /dev/MAKEDEV std
 # cd ..
 # chroot . /bin/cat /dev/stdin
 cat: /dev/stdin: Device not configured
 
 The reason I ask is that I need to run tar -czf within a chroot
 environment, but gzip(1) tries to open /dev/stdin and fails (as the
 contrived invocation of cat(1) in the example above).

~ $ mount
/dev/wd0a on / type ffs (local, softdep)
/dev/wd0h on /home type ffs (local, nodev, nosuid, softdep)
/dev/wd0e on /tmp type ffs (local, nodev, nosuid, softdep)
/dev/wd0d on /usr type ffs (local, nodev, softdep)
/dev/wd0f on /var type ffs (local, nodev, nosuid, softdep)
/dev/wd0o on /open type ffs (local, softdep)

Any possibility your FSs are mounted like mine are?
There are only two places above where I could drop a /dev
directory, and that would be wd0a and wd0o...

Nick.

Re: Dependancies with make search key=

[Nick Holland]

Harry Putnam wrote:
...

So shouldn't `X' appear as a dependancy?  Or whatever package supplies
X?


No.
X is not a package.  It is a file set, not part of the ports tree.


Assuming I need to backup and get the installation package *x*.tgz.  I'm not
sure how to proceed.


http://www.openbsd.org/faq/faq4.html#AddFileSet


I've installed from a recent snapshot and then built from src to
follow current.  So what is the normal way to backup and get something
basic like X?


Get the X files from a snapshot, install those as above.
Or, boot an install media, install all file sets.

Nick.

Re: Nothing in FAQ about X ?

[Nick Holland]

Harry Putnam wrote:

I haven't seen any section of FAQ devoted to setting up X.  Is it
supposed to just work after installing the base tgz files?


it would be nice.  But they have not reached that goal yet, at least on 
some very popular platforms.



Or maybe I'm just blindly overlooking the section?

The part about building X doesn't have anything to say about setting
it up.  Is it covered somewhere else?


see
   /usr/X11R6/README
on your installed system for some tips on getting X up and running.

Yes, the FAQ is sadly deficient on setting up and using X at the moment. 
 Hopefully, that will be changing in the future.


Nick.

Re: make build error on 3.9 (-current) i386

[Nick Holland]

Reza Muhammad wrote:

Hi guys,

I was just updating my source tree through cvsup, and I've been 
following -current for a while.  There hadn't been any problems before.  
But today, make build returned errors.

...

Can anyone help me with it?


What seems to be missing from your process is the words, I downloaded 
and installed the most recent snapshot before I started the 'make build'


Always Start From A Snapshot.
Usually, you can stop right there, too.  There is very little reason to 
build from source after installing a snapshot.


Nick.

Re: Sun Ultra 1 and Ultra 5

[Nick Holland]

On Fri, Mar 03, 2006 at 12:51:31PM -0300, Gustavo Rios wrote:
 Hey folks,
 
 i have an sun workstation in hand and had never had a previous
 experience with sun hardare before. I would like redirect console to
 serial port. These machine are very old, and hardware documentation
 has been lost. It has a serial port, doesn't it?
 
already covered by someone else, though I'll put in a plug for 
  http://www.openbsd.org/faq/faq7.html#SerCon

 I was trying to get X working, but no lucky. Does anybody have openbsd
 3.8 running on such hardware? Could you send your xorg.conf file?

Read /usr/X11R6/README on your installed system.

Take the sample xorg.conf file as a starting point, BUT DON'T EXPECT IT
TO WORK.

Now, edit it as indicated by the rest of the README file for your
particular system.  You will be looking at your dmesg several times.  It
should be pretty straight forwardr, but you WILL NOT be able to just use
the sample config.  (well, I can't say that's true on everything, there
may be some system where the sample config Just Works, but the U5 is not
it.  Not sure about the U1.  Just treat the sample as a starting point,
a framework where you hang your system's details).

Nick.

Re: OpenBSD has bad security

[Nick Holland]

Damien Miller wrote:

Please,

This troll is several years old, let it go already.


Not only that, the number of times you guys repeated the links will 
raise Google's interest (and that site's profile) the next time it digs 
through a mail archive.  I'm sure the author of that site will thank 
you guys.


Nick.

Re: OptiPlex GX620n - OpenBSD

[Nick Holland]

Mark Pecaut wrote:

On 3/6/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

- Are they suitable to run OpenBSD on them.


Here is a dmesg from a GX620.  I can report that everything works
quite well, including X.


You prompted me to go back and take another shot at X on a Optiplex 620. 
 I've (again) had no luck getting it to work with the standard, 
on-board video.  What did you do to configure X on it? (I didn't see an 
extra video card in your dmesg).


I can report that with a Pentium-D chip in them, a recent OpenBSD/i386 
snapshot will use both cores on an O620 (I should test OpenBSD/amd64, I 
guess).  SATA support seems to work pretty well, though I haven't really 
put it through its paces much with OpenBSD yet.


The Minitower case will take an Accusys box nicely, though you have to 
leave off (or cut) the plastic bezel (it actually doesn't look all bad 
off) and you will not get an internal CD.  Spend the extra $9 to get the 
PS/2 and second serial port adapter...even if you don't care now, you 
will wish you had it at SOME time in the future, and the $9 is cheaper 
than the USB converters that don't work as well.  In spite of the case 
size, there are only two PCI slots in the minitower case, which is the 
same number as the smaller desktop case (and if you need that PS/2 
adapter, you lost one of them...or the PCI Express slot).


Nick.

Re: crash: savecore - saves core dump every day?

[Nick Holland]

Stefan Drexleri wrote:

Hi,

from the faq: Upon reboot, savecore(8)will attempt to save the
contents of the swap partition to a file in /var/crash

savecore would be called by /etc/rc.
So which criterias must be fulfilled to make core dump upon reboot?
Does savecore look for special file names at special places? Who makes
the rule?


I'm not entirely sure I understand your question, the subject and the 
body of your message don't seem to be completely related.


However, I think you may find the answers to your questions in
  man 8 crash

Third paragraph (more or less, depending what one counts) tells what 
conditions cause the in-RAM image to be written to disk in the swap 
partition.  If that happens, an attempt will be made to dump it to 
physical disk upon reboot.


Note that on a modern system, /var is very often not large enough to 
hold a core dump.  If this is something you care about, you will need to 
deal with it accordingly.  (aren't we all glad that attachments are 
stripped from misc@ postings now?  Hi, here's my 2G core dump.  why did 
it happen?)


Nick.

Re: crash: savecore - saves core dump every day?

[Nick Holland]

Stefan Drexleri wrote:

2006/3/10, Nick Holland [EMAIL PROTECTED]:

I'm not entirely sure I understand your question, the subject and the
body of your message don't seem to be completely related.

However, I think you may find the answers to your questions in
   man 8 crash

Third paragraph (more or less, depending what one counts) tells what
conditions cause the in-RAM image to be written to disk in the swap
partition.  If that happens, an attempt will be made to dump it to
physical disk upon reboot.


Will try to ask more clearly: How does savecore work in sense of
detecting that condition to save core dump to swap space has been
accomplished?
Does it get message from kernel (which IPC technique?) or does it
something like polling for special event (eg. newly created file)?


Savecore is running after a reboot.  It isn't getting a message from the 
now dead kernel through traditional techniques.  After a kernel panic, 
it is generally not a great idea to write a normal file to a normal file 
system.


As man 8 savecore indicates, it looks at the swap space to see if it 
looks like a valid core dump.  If so, it dumps to disk.  If you need 
more info on how it determines that, I'd suggest a read of the source 
code.  If you really need that kind of information, you will probably 
have no problem with the source code (pretty small and contained, too -- 
about 16k in size).


I suspect there is a question you are trying not to ask.  What is 
prompting your questions?  Are you having a problem?  Trying to 
accomplish something?


Nick.

Re: OpenBSD 3.8 ports quality?

[Nick Holland]

Ramiro Aceves wrote:
...
Yes, WM also works fine here. But again, it is not a solution. GNOME 
should not be released in such buggy state.


I don't follow your logic here.

Ok, let's say GNOME was removed from ports by your suggestion.
In that case, you WOULD need to find another solution.

In the mean time, no one would be attempting to isolate and repair 
problems with GNOME, which means nothing would get better, and you would 
still have to find another solution.


From your original post:
Do the porters check that the ports work before a release? 


uh...yes.
But...YOU also have to be involved.
Don't wait for a new release, then whine that it is broken.  TOO LATE! 
You missed your chance.  Quit letting other people do your testing and 
work, and then whining about the results.



I find it entertaining (in a morbid sort of way) when people come from 
Linux when they realize some of the same things that drove them to Linux 
in the first place take place there, too.  So then they go hunting 
around for an alternative, and then they try to make their alternative 
look just like what they gave up on.  *sigh*


Nick.

Re: Install defaults

[Nick Holland]

Bruno Carnazzi wrote:

  Hi all,

Why not use soft update as a default for created file system on
install ? It seems to be a good practice, no ?


Well...assuming you:
  * Have some extra RAM to spare.
  * Don't mind added complexity
  * aren't running on a Sun4c

sure, soft updates are a fine idea for most people to use on most of 
their systems.


However, no one's system is broke because of not having softdeps on.  No 
one's system will crash because of no softdeps.


Softdeps is an added complexity.  You don't add complexity and get a 
more solid result.


IF you always want softdeps on the systems you work with, it is two 
lines of shell script in a siteXX.tgz file (or less if you know what you 
are doing, or more if you know of some edge cases I didn't think of). 
However, I don't think it will be defaulting to on anytime in the next 
release (and probably not the one after that). :)


Nick.

Re: kernel panic

[Nick Holland]

Joe Advisor wrote:
...

Can anybody provide any insight for me as to what I
might be doing wrong?  I am not sure where to be even
begin to debug.  Thanks in advance.


http://www.openbsd.org/faq/faq2.html#Bugs

Nick.

Re: sudo nopasswd rm

[Nick Holland]

Marco Fretz wrote:

hello

i've got a little problem. i have to remove some files in a shell script
that or not owned or writable by the user the shell script runs. 


is there a way to give this user write access only to the files needed
to remove by the shell script (with sudo nopasswd)?


With sudo, you can spell out very explicit command lines which can be 
stuck in scripts, but variations of the commands are not.  For example:



dvd ALL= NOPASSWD: /sbin/mount /drv0,/sbin/mount /drv1, /sbin/umount 
/drv0,/sbin/umount /drv1


So, yes, I suspect you can use sudo to accomplish your desired deletion, 
without granting write access to those files to the user in question.


HOWEVER, be careful of undesired side effects -- holes you leave that 
a malicious user could use to their advantage.  And don't assume my line 
above is very correct, I'm not a sudo expert and I can't recall how 
carefully I tested that. :)


Nick.

Re: Problems with X in OpenBSD (3.9) -current with LCD WideScreen Monitor

[Nick Holland]

Francisco Valladolid wrote:

Hi folks.

Recently I bougth a new LCD display, it is a ViewSonic 19 WideScreen, i
have proble with xorg in -current, for correct display mode only 1024x768 is
displayed.

The X windows is so wrong.

Some have some tips about the X under xorg.

This monitor work fine in other OS running xfree86.


Unfortunately, you have provided no hard information, so you will get no 
hard answers.


In short, however, you need to hand-tweak your /etc/X11/xorg.conf file, 
apparently.


Under 'Section Monitor', make sure you have accurate HorizSync and 
VertRefresh lines.


Under 'Section Screen', add/alter a couple lines:
Default Depth 24
and under 'SubSection Display' add:
Modes 1280x1024
(correct the Depth and Modes to the values you want, of course).

You may be in business.
You may not be, if your video card or X driver is incapable of driving 
your monitor at the desired depth and resolution, or if there is some 
other quirk in your hardware we can't see.  Or if I'm forgetting 
something, which is possible. :)


You can also try to use DDC, apparently it was default for 3.8, now for 
3.9, DDC is disabled by default, and I'm glad (worked great when it 
worked, sucked big time when it didn't).


Nick.

Re: 3ware 9500 and large drive issues

[Nick Holland]

Vincent Meanie wrote:
I am attempting to use a 3ware 9500s, the problem is how it displays the 
8 disks as one large 2.3tb disk.
There are documented issues with disks over 1tb, will partitioning under 
this limit prevent further issues, or will I have to look forward to 
errors in the future from the filesystem?


http://www.openbsd.org/faq/faq14.html#LargeDrive
says it pretty clear, I hope.  One large 2.3 TB disk is unlikely to work.

Granted 3.9 will be out soon, but I am just going off of the information 


3.9 won't change this.  4.0 probably won't.
Work is being done, but slowly and carefully, just as I'm sure you would 
want something so critical to be done.  No one wants to lose data on 
their 256M flash device because of a sloppy addition of multi-T support.


There are some kinds of work that are just plain terrifying to do, file 
systems are way up there, if not top of the list.


I have at hand. I attempted to use an unsupported card that could 
present sized luns to the OS, but it was an unreliable production 
sample, and the 3ware card is what I have.


...speaking of unreliable...
3ware isn't anyone's favorite around here...

Nick.

Re: Theo opinion of Plan 9

[Nick Holland]

Andris Delfino wrote:

I would like to know what does Theo think about Plan 9. Just curiosity, :P.


Not curious enough to Google for it?

First page of hits for 'deraadt plan 9' gets you some interesting 
reading.  You get more interesting stuff if you play with the spaces in 
various combinations: de Raadt and Plan9.


Nick.

Re: Questions about 3.9 Installation on External USB Disk

[Nick Holland]

Dave Feustel wrote:

I got my 3.9 Cdrom set yesterday and today started installing
it on an external usb disk so as not to wipe out my existing
3.8 setup. When I got to the disk partition, I erased the existing
'a' partition (dos) and created a new bsd 'a' partition. The partition
had a default offset of 32 which looked odd to me, so I changed
it to 64 and sized it to 1G. Then I created a 'b' partition. Again,
the default offset was 32. That looked even odder to me, so
I aborted the installation. A dmesg of the 3.8 boot (with external
usb drive attached) follows at the end of this post.

So is it possible to install 3.9 on an external usb drive and then to
boot from that drive? Is the default 32 offset for a and b partitions
on the usb drive correct? (I don't think so, but I am asking anyways
since I have not used usb hard drives with OpenBSD before).


The point is not a 32 block or 63 block offset, but rather, a ONE TRACK 
offset for the first partition on i386 and some other systems.  This 
leaves room for the master boot record (MBR) which is in sector 0.


Your dmesg showed this:

sd0 at scsibus2 targ 1 lun 0: WDC WD60, 0UE-22HCT0,  SCSI0 0/direct fixed
sd0: 57231MB, 57231 cyl, 64 head, 32 sec, 512 bytes/sec, 117210240 sec total


so the layout for this disk connected this way is 32 sectors per track 
so YES, it should be starting at 32.


If you override this, you left a 32 sector gap at the beginning of the 
disk, and disklabel will start looking for space at the start of the 
disk, so again, it will offer you that same starting address.


Most modern IDE and SATA disks will use a track size of 63 sectors, so 
yes, that's your offset.  HOWEVER, if you were to bring OpenBSD up on an 
old MFM drive, you would be looking at 17 sectors per track, so THAT 
would be your offset.


Your disklabel offsets should match your fdisk offsets, though if you 
answered yes to the use entire disk option, that was done for you in 
the install program.


Can this all work?  Certainly, assuming a machine that boots off an 
external USB HD, but most new machines can.  You can even set up the 
disk with funny offsets if you take full responsibility for doing the 
math accurately. :)


I would recommend disconnecting the normal disk from the machine for 
testing, however.  Keeps life easier...


Nick.

Nick.

Re: OpenBSD 3.9 stable from cvs

[Nick Holland]

On Wed, Apr 12, 2006 at 01:03:58PM +0200, Piotrek Kapczuk wrote:
 Hi
 
   I have a new server to deploy and I don't want to wait unlit official
   release. So I'd like to compile 3.9 stable from source and I've faced a
   problem.
 
   I have a machine which runs 3.8-stable
   I've wiped out /usr/src
   then, as http://www.openbsd.org/faq/faq5.html says I did

No, you completely ignored the Install or upgrade to closest available 
binary step.  You can't do that.

If you had started from a 3.9-beta, you might have got lucky.  But
jumping from 3.8 to 3.9 is NOT an easy process, and is completely
unsupported.  This looks like it will be a particularly difficult
jump to make this release (though, as I recall, that's been true for
a LOT of releases lately).  You can't just download a new release's 
source and build on an old release.

Further, what happens if there is a critical security issue in 3.9-rel
before 3.9 is officially released?  -stable commits do NOT get made 
until 3.9 is official (hint: sendmail bug).

Your choices:
1) Start with 3.8, and upgrade to 3.9 later (actually, pretty easy).
2) start with 3.9-current, and then jump to 4.0-stable in about
seven months or so, when it becomes available.  This could be either
very easy or a pain in the butt, depending on how many additional
packages you end up installing after first install.

Nick.

Re: OpenBSD 3.9 stable from cvs

[Nick Holland]

Ted Unangst wrote:

On 4/12/06, Geof Crowl [EMAIL PROTECTED] wrote:

Unless I am reading something wrong, isn't this:


If you had started from a 3.9-beta, you might have got lucky.  But
jumping from 3.8 to 3.9 is NOT an easy process, and is completely
unsupported.


[building 3.9 source on 3.8]


and this:

1) Start with 3.8, and upgrade to 3.9 later (actually, pretty easy).


[install 3.9 binaries]


totally contradictory?


yeah, except i think what nick was getting at was that upgrading via
source is going to be bad, upgrading via sets is easy.


yeah, and one of these days, Nick will learn what everyone else has long 
figured out: don't give long, detailed answers, as someone will try to 
pick it apart and take it out of context, analyzing the text as if it 
were a fine novel, rather than a quick I need a break from helping 
people at work, let's see if I can help someone on the mail list posting.


Yes:
Upgrading from source = difficult, if even possible by ordinary people, 
and certainly not supported by developers.

Upgrading by binaries = easy.

Nick.

Re: OpenBSD 3.9 stable from cvs

[Nick Holland]

Piotrek Kapczuk wrote:
...

It was fixed.  First time I've seen it happen before official release
though.



Well, security problems just before releases are not that common. ;-)


If I understand this right. This commit is in OPENBSD_3_9_BASE in cvs but it's
not on CD's. Isn't it ?


n...


Anyway, to answer the original question: download a src.tgz from
somewhere, the 3.8 version from your local mirror should do, and cvs up
it to OPENBSD_3_9.


Instead of this, can I checkout full src with tag OPENBSD_3_9_BASE ? The
result should be the same.


N...

http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.sbin/sendmail/libsm/fflush.c

OPENBSD_3_9_BASE is tagged...and that's it.  (well..usually.  I'm sure 
there's some exception somewhere...)


The patches were put into OPENBSD_3_9 (a.k.a., stable), it turns out. 
That's not at all usual, and rather surprised me.  Apparently, this is a 
Special Case.


Nick.

Re: OpenBSD 3.9 stable from cvs

[Nick Holland]

On Fri, Apr 14, 2006 at 01:16:17PM +0200, Srebrenko Sehic wrote:
 On 4/14/06, Nick Holland [EMAIL PROTECTED] wrote:
 
  http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.sbin/sendmail/libsm/fflush.c
 
  OPENBSD_3_9_BASE is tagged...and that's it.  (well..usually.  I'm sure
  there's some exception somewhere...)
 
  The patches were put into OPENBSD_3_9 (a.k.a., stable), it turns out.
  That's not at all usual, and rather surprised me.  Apparently, this is a
  Special Case.
 
 No. All patches past the _BASE tag always go into -STABLE. In this
 case, correctly into OPENBSD_3_9. This is not special AFAIK.
 
*sigh*
HELLO...  Topic is WHEN they go in.
3.9 is not official yet.  This patch set went into -stable already.
That *is* unusual.

Nick.

Re: SMP support for Sun E450 Sparc64?

[Nick Holland]

David B. wrote:

Hi,

are there any plans to release a bsd.mp version for sparc64?  My box 
currently can only use cpu0; I have 4 processors, and it seems a shame 
to waste all of that power.


thanks


There is, of course, desire to support SMP on mvme88k, sparc, sparc64,
Alpha, and just about anything else it could be supported on.

By plans, however, I suspect you want some kind of time schedule.
No, there is none.  When code is ready for testing, announcements will
be made.  After many crashes and data loss events, it will be ready
for use.  People who are making plans based on this are foolish.  You
can't make plans on vaporware, whether it is a commercial or free
product.  Until it exists, you can't use it.  There is no effective way
to accurately predict when it will happen.

Once SMP is available on these machines, you will discover that your
E450 is still a fraction of the speed and many times the power
consumption of a modern computer.

So: If you need more performance, get a faster computer.
If you are satisfied with the performance you get now, seeing all
four processors in the dmesg won't change your life much.  Sure, there
is a wow, that's cool factor, but beware of how much that that's
cool costs you in electricity.

Nick.

Re: LZMA and the Install Sets?

[Nick Holland]

curiosity got the best of me here.  Found I had a machine with several
major compression programs on it, and while this tired argument isn't
worth this, I found it the idea of a comparison interesting, so I
thought I'd share...

[EMAIL PROTECTED] wrote:

you obviously missed the part about the preposterously slow compression

times.

Well..
You missed my point. I know you don`t crosscompile but you can compress
all Archives on a stronger Computer. So a VAX isn`t the best hardware to
start with LZMA compressing. Yes..


ick.  no.


Something else: You compress install Sets for CDs mostly just once but
they get decompressed many times. :)


depends.  I build sets often on slow machines.  More often than I install
'em.  In OpenBSD, I don't get much of a vote, but I get more than you. :)


And if somebody wanna change these install Sets he could use another Box
for the compression. But I don4t think there`s anybody out there who just
owns a 486 and a VAX.


As a NATIVE BUILDING OS, we assume you have only one machine.  OpenBSD
does not need a second machine to build, and hopefully will not.  When
you need a second machine, you might as well be cross building.  Heck,
you ARE cross-building.


You would save a lot Bandwith and also storage space on the CDs.


Bandwidth is cheap.
If you can cut the time to download from 30 minutes to 3 minutes, you
have accomplished something.  Changing it from 30 minutes to 15 minutes,
I don't think that changes a thing.  You will still get up and go do
something else (or you need a job).

Far less painful to all than changing compression would probably be
DVD media.  If you are going to inconvience some people, heck, at least
give them a REAL benefit, not 20% more.


E.g. the src gets compressed very well and the decompression isn`t that
much slower.


Oh?  Where are your numbers?

Being you have brought this topic up in the past, I'm going to show you
some real numbers.

Took comp39.tgz for i386 and ran these tests on a slow amd64 system (yeah,
choice of an i386 file for running the test on an amd64 is kinda strange,
but it really doesn't matter much).  Unzipped it, and copied it several
times, ran these compressions and watched RAM usage using top:

~/comptest $ time bzip2 comp39b.tar
1m7.03s real 0m55.97s user 0m0.43s system
(maximum RAM used: around 8M)

~/comptest $ time rzip comp39c.tar
0m36.42s real 0m26.62s user 0m1.14s system
(maximum RAM used: around 118M)

~/comptest $ time lzma e comp39d.tar comp39d.tar.lz
7m5.59s real 6m54.79s user 0m0.59s system
(maximum RAM used: around 80M, I think)

~/comptest $ time gzip -9 comp39e.tar
1m16.87s real 1m15.28s user 0m0.42s system
(maximum RAM used: around 700k)

Results:
~/comptest $ ls -l comp*
-rw-r--r--  1 njholland  njholland   75288260 Apr 17 19:20 comp39.tgz
-rw-r--r--  1 njholland  njholland  218347520 Apr 17 19:25 comp39a.tar
-rw-r--r--  1 njholland  njholland   50369737 Apr 17 19:26 comp39b.tar.bz2
-rw-r--r--  1 njholland  njholland   25860279 Apr 17 19:29 comp39c.tar.rz
-rw-r--r--  1 njholland  njholland   20849017 Apr 17 19:38 comp39d.tar.lz
-rw-r--r--  1 njholland  njholland   75288272 Apr 17 19:45 comp39e.tar.gz

Comments:
rzip and lzma turned in some good numbers (REALLY good numbers),
but the RAM required was absolutely absurd (at least, for this
application).  Your average mac68k or 486 would be in swap hell for
a week, and many good firewall systems would take many times as long
to load.  I'm rather amazed that rzip was such a screamer in
compression speed for this app, I've never seen it outrun anything
before.  I repeated the test, btw, consistent.

bzip2 seems to be an answer in search of a problem.  It does things a
little better for a big price.

gzip is the only one with a RAM footprint that is acceptable for a
multi-platform OS.  Really, the amount of change in our lives that
switching to a better compressor would make is not worth the
difference here.

HOWEVER, I did spot one interesting thing...first time I ran the gzip
test, I got a funny answer:

~/comptest $ time gzip comp39e.tar
0m29.39s real 0m26.70s user 0m0.44s system

[EMAIL PROTECTED]
~/comptest $ ls -l comp39   
   ~/comptest $ ls -l comp39*
-rw-r--r--  1 njholland  njholland   75288260 Apr 17 19:20 comp39.tgz
  ...
-rw-r--r--  1 njholland  njholland   75990958 Apr 17 19:26 comp39e.tar.gz

Since the size didn't line up, I figured that was probably due the
wrong compression factor specified -- apparently, the file sets are
built with a -9.  Note that in my humble opinion, the -9 on gzip that
tar and/or the build process uses is Just Not Worth It -- for a tiny
improvement in file size, you wait well over twice as long.  You think
that doesn't matter?  Re-pack a mac68k build some day.

ok, one last nail:
~ $ ls -l `which rzip` `which lzma` `which bzip2` `which gzip`
-r-xr-xr-x  6 root  bin 29248 Feb 

Re: dual port ethernet (DP83816-based)

[Nick Holland]

[EMAIL PROTECTED] wrote:

I would like to add a DMZ for a webserver and need to add another ethernet 
port. My 3.5-
based box 


upgrade.

 has limited card space, so I thought of using a dual port card to add the 3rd
ethernet port. I have access to a NS DP83816-based dual port card. I see that I would have 
to update my OS version for the DP83816 chip, which is not a problem. However, I see that 
the compatible cards are limited to 3 Netgear FA3xx. 


usually, what matters is the chips on the card, not the sticker
on the box.  You are almost always better off going by the
chips than the sticker on the box.


First, are there particular issues with multi-port cards and OpenBSD?


nope.
normally, they are just a PCI-PCI bridge and a bunch of NICs.

WELL...some older machines don't seem to like PCI-PCI bridges
on their expansion bus.  However, that's not an OpenBSD issue...they
don't seem to boot ANY OS when you stuff these cards into them.


Second, outside of just trying the card, is there anything to review/prepare 
for?


stick it in, it will probably work just fine.

The chip you have is no model of quality or efficiency,
but it will work for many apps.  probably.  Only way to
find out is to try it.

Nick.

Re: upgrade halted

[Nick Holland]

Jasper Bal wrote:
After nummerous advices on the list that I should upgrade, I decided to 
try remote upgrading.


there is reason we suggest practicing on an identical LOCAL box first!


At the folowing step:

Reboot on the new kernel: This might be a tempting step to skip, but it 
should be done now, as usually, the new kernel will run old userland 
apps (such as the soon to be important reboot!), but often a new 
userland will NOT work on the old kernel.


something went wrong. I issued a reboot. And when the system came back 
up, SSH didn't recognize any of my passwords. All the services seem to 
be running though. I even have unchrooted access through FTP. I'm in 
wheel group but have no access as root with FTP. Already checked 
ftpusers, but root is hashed (yes, I know this is wrong). Either I 
forgot the password, or something has changed.


Any hints? Did I do something wrong? Is there a fix? Or do I have to 
travel 400 km?


Well, assuming there is a human being on the other end that you share a
common language with, I doubt you need to travel.

You provide basically no information about what you did, what you started
with or where you tried to go, so you aren't going to get a certain answer
here.  However, the only time something like that happened to me is when I
tried to take a system from 3.1 to 3.5 or similar by remote.  Being the
system was completely wrong by that point, I did a remote reinstall,
including unpacking etcXX.tgz (which you will note, you are told not to do)
which clobbered my existing passwd file (which I expected), but I forgot to
change the password before reboot.  I ended up with a completely functional
system with no root password, and sshd is smart enough to keep people out
of root if there is no pw.  Oops.

That's assuming ssh is really responding to you.
If you are just getting slapped away, rather than getting a login prompt,
it could be a problem with your PF configuration, most likely one that was
going to bite you on reboot anyway, reboot or not.  Can you log in as any
other user via ssh?  Got sudo set up?

With FTP access to the box, your only hope is a configuration error
you can exploit.  Hopefully, that's not gonna happen.

Most likely, you will just have someone local force the box for you:
   http://www.openbsd.org/faq/faq8.html#LostPW

and then log in (or have them disable PF or ...).  You can also look at
/var/log/authlog for clues as to why you can't log in as you wish now.

Nick.

Re: pf blocking nets in a way like *.google.com ?

[Nick Holland]

Falk Husemann wrote:

[EMAIL PROTECTED] wrote:

That doesn`t mean I can use *.google.com but I would be able to use
www.google.com if I understood the FAQ and the manual correctly.
Because I may not be bale to know every Hostname in a foreign network a
Joker would be a neat solution.

Is it maybe planed to add any joker to PF so that such stuff would be
possible in the future if it isn`t already possible?
  


Why isn't it feasible to use Googles allocated netblock (216.239.32.0/19)?


It is feasible to block any numeric network block.
What isn't feasible is to look at a DNS name and think that you can come
up with simple PF rules that will block it.

Maybe you could use a script to update a table in pf using whois and 
grep for the CIDR/Netrange in the reply.


Maybe you could for your application.
However, this is not a generic solution at all.

Here's an example:
at the office I work at, we used to have a firewall which claimed to block
by DNS name, just as is being discussed.  What it really did is exactly
what you propose: periodically, it would do some DNS queries, and populate
a table, and block those IP addresses.

It was decided that our users should not have access to webmail from our
offices, so mail.google.com was blocked, but www.google.com was ok.

Here's what happened (warning: vast oversimplifications here!):
A DNS query for mail.google.com returned a set of IP addresses.  A small
subset of the actual addresses that served mail.google.com.  That's the
way DNS can work: if there are five hundred machines that respond to a
particular name, a single DNS query might return eight.  Or one.
Whatever.

What this firewall didn't know is mail.google.com machines were the
EXACT same machines as www.google.com.  So, the results of the block was,
uh..entertaining.  Two people in the same department with the same
network privileges would try to go to google, and one would get what
the expected, the one next to them would get the This site is blocked!
page.  If I had thought to look for it, we'd have seen the same behavior
for people trying to get to gmail -- some would be blocked, most would get
through.  Took a while to debug that one, as I really never figured
someone would put such a clearly flawed feature in a commercial firewall
product. :) (silly me, work with OpenBSD too long, you forget to think
about buzzword compliance and management pressures to do something!, no
matter how idiotic.)


Today, many big sites use world-wide distributed front-end services
like Akamai.  Many of them use the SAME world-wide distributed
front-end service -- so what you do by IP address (for example) to
google.com might impact microsoft.com and apple.com, which is probably
not what you intend.  PF, can easily block every single address of every
single Akamai server, but that won't necessarily do what you want.

I've been a fan of DNS mangling to deal with this problem for some time.
Technically, it is a horribly flawed system.  Practically, it works, and
works very easily.  More:
   http://www.holland-consulting.net/tech/imblock.html

Nick.

Re: How will OpenBSD Defend against Virtual Rootkits?

[Nick Holland]

On Tue, Apr 25, 2006 at 07:32:41AM -0500, Dave Feustel wrote:
 This question comes to mind as a result of my reading just now 
 
 VM Rootkits: The Next Big Threat? 
 By Ryan Naraine 
 March 10, 2006
 
 http://www.eweek.com/article2/0,1895,193,00.asp
 
Not much that can be done.
As has always been said, if someone has physical access to the box, Game
Over.  VMs just give someone a new way to have physical access to the
box.

Now, if only we could do away with the myth that an OS can really find
problems within itself (such as malware scanners that claim to fix
problems on infested machines).  Since that won't go away, I guess it
isn't surprising that people expect that a guest OS can detect or deal
with a problem on the host OS.

Nick.

Re: X on Compact Flash

[Nick Holland]

Steve wrote:

Hi all,

I am currently using 3.8 release with a basic X install and rdesktop as 
a thin term

for a windows terminal server.

I would like to migrate this to compact flash or similar.

Flashdist and flashboot dont seem to be able to accomodate this.


as they were designed for tiny, non-X setups, I'd be surprised if they did.


Am I missing something or are there alternatives.


You seem to be missing the obvious: Install OpenBSD normally on a
sufficient sized flash media.  What is wrong with this solution?

You can't easily buy 16M CF devices anymore.  512M will probably do the job.
If starting a new project, start with 3.9, as things got a lot bigger due
to the addition of debugging symbols in libraries.  Might have to leave out
the compXX file set, not much desire to compile from source on flash anyway.

Nick.

Re: Why advocate Old daemon book?

[Nick Holland]

prad wrote:

On April 29, 2006 02:09 am, [EMAIL PROTECTED] wrote:

The state of the art of computer science has gone (steadily?) downhill
for the last 30 (maybe 40) years.
The computers are bigger and faster, but the knowedge of what to do with
them has decayed.

There are a few pockets of resistance to the decay.


what an interesting comment!

i'm from the past - 1980s (pascal era even recall doing stuff with punch 
cards) and while i am not particularly experienced with computers, i do 
recall that back then things were 'harder' and you did have to know more 
aspects of what you were doing. for instance, i was brought up to believe 
that it was a good thing to declare your variables before using them and that 
there is one way in and one way out of a loop. you don't have to do all this 
anymore ... i enjoy the convenience and fluidity, but do wonder if this is a 
good thing? writing precise compact code back then was not just a matter of 
pride, but a necessity too.


I've been watching them try to make programming easier and faster for almost
thirty years.  From what I have seen, good programmers are still desperately
needed and very rare.  And writing GOOD code is still a slow process.  Writing
crappy code has got a bit faster, maybe.  However, as the expectations get
lower and lower, few really seems to care much.

i have almost settled on openbsd as 'the system' for us after trying various 
linuxes and then the 3 'main' BSDs (couldn't get free and net to work the way 
we wanted to on our servers). i like the simplicity of openbsd and i 
especially like the fish!!


Funny, I agree completely. ;)

i do have a question about goals. 

i have been told that freebsd (which ran quite well on my personal system) 
strives for performance and stability. apparently, it achieves both quite 
well too from what i have heard.


openbsd, on the other hand, doesn't even mention performance or stability in 
its goals. (curiously, i've found on my system at least that some things seem 
to work faster on openbsd than freebsd.)


so are performance and stability a bit of panacean bravado? is it possible 
that all the bsds perform competitively and have similar robustness? is that 
why netbsd chose to focus on being able to run even on a toaster, while 
openbsd emphasized security?


Stability should just be: The natural result of quality code.

You can tell someone who has spent too long with Windows, they are the ones
bragging about uptime, thinking it is a wonderful and shocking thing when
you go over a year without rebooting.  Uh..what was supposed to happen?
Operating systems and applications aren't supposed to crash, they are supposed
to Just Work from the time you power 'em on to the time when you shut them
down or the power goes out, or you have to relocate the machine or ...
Exceptions to this are just plain wrong, sanity would dictate that this should
just be assumed.

Or as I tell people, when I first started working in this business (1982),
when a customer's computer crashed, they brought it in for me to FIX.  Sorry,
that just happens wasn't an acceptable answer back then.  When the thing
crashed, it was broke and needed repair.

Of course, the consumer machines often went from power-on to OS prompt in 15
seconds or less (I have an Osborne 1 which I timed going from power-on to
command prompt in five seconds... booting off a floppy disk!), and power-down
was flipping the power switch.  So, the idea uptime really didn't exist in
the consumer market...when we were done, we turned off the machine.  Wouldn't
surprise me if the fact that there was no reason or desire to leave your
computer on 24x7 hid a lot of memory leaks and other problems.

As for performance, that's not a key goal of OpenBSD, but when you code things
right (and that IS a goal), things will work pretty well.  For what most
people will do with their systems, you will need a stopwatch (or automated
timing!) to see the differences in performance between different OSs.  That's
silly -- if you can't FEEL the difference, the difference doesn't matter to
the HUMANS using your system.  This isn't drag racing or speed skating, a
fraction of a second in the total runtime of most tasks won't matter to anyone.

If improving security costs a bit of performance, OpenBSD views that as a fine
trade-off.  If doing something RIGHT means not being the first to market
with a new feature, that's not the end of the world.


And then...really funny things can happen when it comes to performance...
Someone optimizes the heck out of the code, make sure it will be able to pull
every last bit of performance out of the system possible...and then they say,
Oh, but it would be 'expedient' to incorporate binary drivers from vendors who
don't give a rat's butt about the project's goals, or about optimizing their
product performance on anything other than (maybe) Windows.  And suddenly, all
that work is now...pointless.


It's a funny thing about goals.  Lots of people have 

Re: Compilers make a system less secure?

[Nick Holland]

Anton Karpov wrote:

Maybe, because in some cases, it just takes a bit more time to 0wn your box
if it has no compiler installed.


Bull.

I've never heard of someone taking over a box using a compiler.  After all,
the compiler is not exposed to the outside world.  At most, they build some
tools on the system AFTER the takeover.  But that's hardly the only way to
get those tools on the system.

scp works very nicely.
ftp works very nicely.
http works very nicely.

After all...why download and compile tools when you can just download the
pre-compiled tools?  If you can't download the pre-compiled binaries, you
won't be downloading the source, either.

Proof: how many Windows boxes have development tools installed?
A: Almost none.
Conclusion: Windows is more secure.
...uh, wait a minute.

This isn't a matter of opinion.  This is a matter of easily disproved
nonsense.  I can show you lots of examples of compromise which had nothing
to do with the compiler.  Can you show me one example of compromise which
REQUIRED a compiler?  (i.e., could not be accomplished without the compiler
on the target machine, lack of hardware by the attacker doesn't count).
The only time when leaving off the compiler might help is if your
vulnerable machine is a non-mainstream platform...and relying on that for
security is kinda like moving the door of your house to the back, so
attackers can't find it.

Nick.

Re: www.openbsd.org defaults to Japanese

[Nick Holland]

[EMAIL PROTECTED] wrote:

From: Tan Dang [EMAIL PROTECTED]

Any reason why www.openbsd.org displays Japanese by default now?

Tan


I see English when accessing www.openbsd.org as I have always done 

 so.  You might want to look at your locale settings.

You might want to check your browser cache.  The site was certainly
was messed up at the moment you wrote that. :)

yeah, there was an incident...it's been fixed, but it will take a
while for the fix to replicate its way out...

Nick.

Re: AMD64 still broken...

[Nick Holland]

Ed V. wrote:

Thanks for all the suggestions (on list and off list).

At this point I have:


...provided vague, imprecise descriptions, with some details scattered
in a lot of different messages in multiple threads.

Here's the explanation, plain and simple:
you did something wrong.
amd64 is NOT broken, your system or process is.

Got a couple amd64 systems at work that needed a bit of evaluation,
I installed 3.9-release off CD, checked out the 3.9-stable source,
built the kernel, built the userland, no problems.

Either:
  1) You are not doing what you described
  2) you are doing something wrong you didn't describe
  3) You are doing something you aren't telling us that you assume
is completely unimportant.  And isn't.

It works.  Really.

Wish I had a few bucks for each and every time someone jumped up and
down and swore that release or stable was broke, and prompted me to
test it...and (of course) found no problem.

Fortunately, amd64 systems are fast.  One of these things had two
dual-cores...and a laptop hard disk.  The single-core system with the
multiple SCSI disks finished in half the time. 8-/

You might want to try faq5.html the build instructions, a bit more
detail there.

Nick.

Re: patch validation

[Nick Holland]

[EMAIL PROTECTED] wrote:
yea. i'll keep that in mind.  too bad it doesnt work in an audit.  

seriously,  is there anything that 
a) can be queried against?

sometimes

b) compared against?

sometimes

c) hashs of files?

don't count on it.

d) etc?

yes.

Seriously, tell us what your criteria is on the first question, then.

The nature of a patch is usually that it changes the absolute minimum
required to fix the problem.  That usually involves no version number
changes.  Some things embed the compile time in the binary, so hashes
are useless for this.


Still...how about a nice, simple ls -l?

For example:
Patch is released on Mar 25, 2006.
Look at your binary's date.  If your binary is dated May 2. 2006,
either it has the patch or your process is broken.  Why would you
build if you haven't recently updated the code (if that's your
purpose).  If it is dated Mar 24, 2006, it probably isn't patched.

Seems pretty simple to me.
If you are running on a VAX or mac68k, add the number of days it takes
you do a build.

Nick.

Re: i386 chroot on amd64 platform (obsd 3.9)

[Nick Holland]

Karel Gardas wrote:

Hello,

I've installed OpenBSD 3.9(amd64) on AMD64 box and now I thought about 
installing i386 OpenBSD minimal install into this installation just to 
be able to chroot from amd64 environment to i386 without a need to 
reboot computer. I tried this, but it seems at least on GENERIC kernels 
it's not supported:


# chroot `pwd`/i386/
chroot: /bin/ksh: Exec format error
# machine
amd64
# file i386/bin/ksh
i386/bin/ksh: ELF 32-bit LSB executable, Intel 80386, version 1, for 
OpenBSD, statically linked, stripped


OpenBSD/amd64 is a totally different platform than OpenBSD/i386.

Do you expect to be able to run sparc apps on alpha?

is this way supported in different kernel configuration? Is it 
recommended by you OpenBSD folks? I'm asking since this is how I test 
software on both platforms on debian.


And we all know OpenBSD is just another Linux variant.

Sounds like either they spent a lot of time putting in a compatibility
layer or very little time putting in 64 bit code support.  I'm guessing it
was something expedient to help compatibility with binary stuff that
wasn't available in 64 bit code.  You probably think this is a feature of
Debian.  As someone who watched the world spend over a decade running
8088 code and work around 8088 limitations (i.e., EMS)on 80286, 80386 and
80486 and later processors, I think this is a really bad idea.  I am SO
glad that OpenBSD has kept them separate.

Here's an interesting thought...wonder how one would handle the W^X on
your hypothetical OpenBSD/amd64-32.  Some code could use the NX bit,
others would have to play with the MMU...sounds unlikely to be done right.
ok, never mind...not that interesting at all.

Nick.

Re: Mouse problem

[Nick Holland]

Gabriel George POPA wrote:
...
Unfortunately, one day when I came to work the 
mouse pointer started to behave in a chaotic manner on the screen when I 
moved the mouse. Both in console and in X. Very nasty. I know it is a stupid 
problem and a stupid question, but that's it.

...

Could this be it?
http://www.openbsd.org/faq/faq12.html#i386smouse


Nick.

Re: www.openbsd.org defaults to Japanese

[Nick Holland]

On Fri, May 05, 2006 at 12:41:51PM +0200, Jacques wrote:
 Nick Holland wrote:
 You might want to check your browser cache.  The site was certainly
 was messed up at the moment you wrote that. :)
 
 yeah, there was an incident...it's been fixed, but it will take a
 while for the fix to replicate its way out...
 
 Nick.
 
 
 May we know, what kind of 'incident'?
 Sounds like a security issue.

Someone once said that life in the modern world requires a knowledge of
statistics and psychology, and those without will live in a world of
conspiracy theories.

I'd be tempted to add and the ability to do a little research on your
own.

Nick.

Re: Partition not showing up in disklabel

[Nick Holland]

Henrik Borgh wrote:

Hello there.

I have a laptop which dualboots Windows XP and OpenBSD. For each of
these i have a partition. Further more i have a partition, which
contains somekind of restore-information and at last another
partition.
The Windows XP-partition is FAT32, the restore-partition is some
Compaq-thingie and the last partition is also FAT32.
Unfortinately i apparently can not access the second FAT32-partition
from OpenBSD, and even after reading the manpages for fdisk(8) and
disklabel(8), i haven't found my solution. I fear that i may have
missed something very basical somewhere and would really like a hint,
for where to go.
The FAT32-partition is
3: 0C 3931   0  1 - 4862 254 63 [63151515:14972580 ] Win95 FAT32L
which was created _after_ the OpenBSD installation. My poroblem now
is, that i haven't been able to find a way to include this to the
existing disklabel, without clearing the entire disklabel and manually
create it again?



Don't clear anything!

Just add it.  That is something you have to do, however.  Nothing does it
automatically for you after the initial install.

http://www.openbsd.org/faq/faq14.html#foreignfs
Read the whole thing.  Carefully.
If you don't understand, start at the top of FAQ 14, and work back through
it.  When you understand what is going on (usually indicated by saying to
yourself, Oh, I get it! That's cool!), you are ready to do it.

As always, have a backup of important data before starting, though if you
understand what you are doing, recovery from most errors is pretty easy.
You win no points for finding the edge cases, however.

Nick.

Re: 3.9, Sparc64, and X issues (black screens)

[Nick Holland]

Chris wrote:

Are there issues with 3.9 and Sparc64's with ATI Mach64 cards and X?

I cant seem to find a happy place to have X running. All I get is a
black screen. I tried several diff mem settings, screen sizes, etc and
still nothing but black screens.

I ask becasue this is the same on both my Sparc 10's

Has someone have a working config?




Lots of people do.
Works fine on my U5.

see /usr/X11R6/README.

Read it, follow the instructions, look at your dmesg, take the proper
parts from the README file, and you will have no problem putting a
working config file together.

Nick.

Re: ftp-proxy isssues

[Nick Holland]

[EMAIL PROTECTED] wrote:

Hi All,

Until pf 3.9 i've had no problems with ftp-proxy and now it doesnt work
anymore because of the anchor stuff, very nice ..

...

How can i transform all this into the anchor stuff?


See at least the following:
  http://www.openbsd.org/faq/upgrade39.html
  http://www.openbsd.org/faq/pf/ftp.html#client
(might want to give the second one an hour or two, just found that I
forgot a very important line in it!)

Nick.

Re: /var filled up and can't login locally or remotely

[Nick Holland]

Tobias Ulmer wrote:

On Wed, May 10, 2006 at 10:50:14AM -0300, Giancarlo Razzolini wrote:

Paul de Weerd wrote:


Don't change root's shell.


It's set to a static shell (/bin/ksh these days) for a reason.



Changing the root shell doesn't hurt. But you have to install your shell
static. I use the bash-static from packages, and hadn't any problems. I
think that booting in single and cleaning some trash, might solve the
problem. Also you might want to consider installing the bash-static.

My 2 cents,


If you change it, fine. But don't tell others that this is not a
problem. It can be a very big one if a critical box is 500km
away in some datacenter and your remote upgrade failed because you
removed all packages without thinking that you still need to keep
bash... If you don't believe me that these things happen, search
the archive.


There's a more basic rule I like:

KEEP IT SIMPLE, KEEP IT LEAN.

The more stuff you slop into your system:
..The more stuff you have to keep up to date.
..The more complicated upgrades become.
..The more likely something will go wrong.
..The more things you have to worry about security holes in.
..The less often you will do updates/upgrades because it is difficult.
..The more ignorant you will look when confronted with a system without
   the slop.
and so on...

I doubt many people have had a non-responsive system and said to
themselves, Gee, if only I had installed bash on it.

Learn your base system.  If you really NEED something, where you can say
clearly why and what benefit there is to you that outweighs the risks,
well, fine.  But slopping your system with crud just to make it look like
something else or just because you can is not a good idea.

Nick.

Re: Manually naming Multiple NICs

[Nick Holland]

[EMAIL PROTECTED]@mgEDV.net wrote:

[you edited out discussion of *USB* devices]


Normally these devices come up in the same order each time.

It is not gauranteed, unfortunately, because device bring up can
race against other devices.  I've seen it be non-deterministic.



me, too. especially, if you plug in another nic on pci between 2
other nics. this is really confusing the box. also take care for
your bios interrupt settings - if you have a lot of traffic, it
sometimes can be smart to put all the nics on the same interrupt.


You creatively edited out the part that clearly indicated the topic
of the part you quoted was USB devices, not PCI.

PCI devices come up very predictably, if you understand how it works.
Nothing is confusing to the box at all.  YOU may be confused, but
the box is quite sure of what it is doing. :)

A little experimentation (which everyone should do before putting a
box into production) will make it very clear.  Assuming you have all
the same kind of NIC, it goes by slot number.  Yes, if you stuff a
card between two other cards, yes, the cards are EXPECTED to change
IDs, I can't think of anything else I would want it to do (being that
I really hate it when software or hardware tries to make guesses about
what I was intending).  If that isn't what you want, first move one
of the existing cards, then add the new card to the vacated slot.

I still recommend writing the last few digits of the MAC addr on the
spine of the NIC, as some machines number their slots in a curious
way.  A Dell GX1 will number its slots something like 2 3 4 0 1.
BUT...if you blow a NIC, pull one out and put a spare in, all stays
as it was.  If you change it out for a different type of NIC, things
will change, but you can easily predict what they will end up being,
and if you don't understand what is going on, dmesg and the label I
suggested putting on the card will clear it all up. :)

If you pull the NICs out of one machine and drop in another, you
have to take a little care to make sure you know where they end up,
but again, once you know where they are, they stay put, and you can
replace them and know what will end up happening predictively.



Michael Schmidt wrote:
Please allow a silly question: What4s the reason for put all the 

 nics on the same interrupt if one has a lot of traffic?

First, you start messing with your BIOS at that level, you are more
likely to break things than improve things.  The way people usually
shoot themselves in the foot is by forgetting that PCI was designed
to share interrupts, and trying to use the old ISA logic of each
device on its own IRQ.

Here is a massively over-simplified explaination of what happens:
Let's say you have five PCI devices which could trigger interrupts.
Again, the PCI bus was designed to share IRQs, so when an IRQ comes
through, the first thing that happens is you have to push a bunch of
stuff off to the stack before servicing the IRQ, then you have to
identify which device fired off the IRQ before you can do anything
about it.

If a lot of IRQs are happening, so the next is often coming in before
the previous one was finished, there are two ways things could happen:
  1) You return to what you were doing before the IRQ came in, but
then the IRQ fires again, sending you back to the IRQ service routine.
(this is how unshared ISA IRQs were handled)
  2) BEFORE returning, you check to see if any other device needs to be
serviced, which is possible if they are sharing the same IRQ channel.
In fact, if you are sharing the same IRQ, you have to do this.

Hopefully, it is moderately clear that you save two IRQ-caused context
switches by staying in the IRQ service routine and looking for more
work to do.  The more additional IRQs that come in, the more potential
savings.  This is possible if you are sharing IRQs.  IRQs are costly
things when it comes to processor time.

Reality check #1:
  This only matters on HIGHLY loaded systems, where IRQs are stacking
up. If your system is this loaded and you have less than the best HW,
you can probably get better gains by selecting different hardware.  A
machine which has multiple PCI buses or higher-quality NICs will
probably give you a MUCH larger benefit than IRQ sharing.  My wild-a**ed
guess of what IRQ sharing would do for you would be at most a few
percentage points, not enough that anyone would ever notice in the real
world of how it feels to the user results.

Reality check #2:
  I'm not a kernel hacker.  But in eight+ hours, no one else answered. :)
If you take what I said too seriously, you are nuttier than I am for
saying it.

Nick.

Re: PF references

[Nick Holland]

News Collector wrote:

Hello:

Where (what) is the canonical site (or book) for PF.


documentation-wise?
that would be the OpenBSD man pages.  They are authoritative.  When
things change, they get updated, or people get beaten.  In particular,
see pf.conf(5), pfct.(8), pf(4) and the SEE ALSOs in each.

Beyond that, there are several websites and books.  My personal favorite
website is the OpenBSD website itself, but I may be biased. :)


Are there any site where talk about PF is a application (like for OS X).


probably.  There's a website for just about everything.
Talk is cheap.

One Last, has anyone done any work on using CARP, 


Quite a few people have, yes. ;)

 I know

synchronizations depends
on similar cpus with similar clocks and constrained  clock drift. 


oh?  News to me.  And the Celeron 600 that I CARPed with a PIII-750.

Don't really have to even be the same platform, though it can create
administrative problems (On this machine, carp0 is on the dc0, on
that machine, it's on hme3).

Nick.

Re: ksh and X windows.

[Nick Holland]

Peter Fraser wrote:

If you install a new 3.9 system, and enable X windows
(The only package I installed was emacs)

Create a new userid with ksh as its shell
and sign on though X.

~/.profile does not get executed

Nor does ~/.profile get executed then a
new xterm is created using the left click
menu in the background.


http://www.openbsd.org/faq/


I expect this related to my earlier messages
about .profile and ksh.


Got me, I see you have asked a lot of questions, often in the tone
of a remarkable discovery that most of us already knew about.  A
little time doing some research on your own will be far more
educational.  For that reason, I deleted the rest of the link above.
The answer to your quest..er..statement is very much in there.

Start reading.

Nick.

Re: Help needed with 3.9 bandwidth/speed problem

[Nick Holland]

Adam wrote:

Hello,

I have an odd problem with my 3.9 server. I can not seem to push more 
than 2.5 - 3.0 mbps per connection over the Internet to hosts. I've 
tested this with scp, apache/httpd, and lighttpd. I've also tried this 
with PF on and off, resulting in no difference at all. I have tried 
filtering packets in PF and redirecting to another host. That works fine 
and I've been able to pull 8.3 mbps over the Internet without a problem.


Also, just for reference, the server is on a 100M line in a datacenter 
so I'm not running out of  bandwidth. When I did my tests, things were 
completely idle and I was the only client creating traffic at the time.


I'm quit stumped with this. There doesn't appear to be any errors, but 
there is definitely some sort of glass ceiling that I'm running in to. 


Try this:
http://www.openbsd.org/faq/faq6.html#Tuning
'specially 6.6.4...

As you indicated, it doesn't seem to improve performance when FILTERING
packets going between two other machines, only when OpenBSD machines are
the endpoints.  The difference can be dramatic over a WAN.  Or completely
non-existent for most people.

(thanks for the dmesg! :)

Nick.

Re: dual boot problem

[Nick Holland]

viq wrote:

On Thursday 25 May 2006 09:22, Jan Johansson wrote:

akonsu [EMAIL PROTECTED] wrote:

dd if=/dev/rwd0c of=mbr count=1

Here is your error

dd if=/dev/rwd0a of=pbr count=1

For the NTLDR you want the PBR (Partition Boot Record) not the
MBR (Master Boot Record). I changed the of= for correct the
terminology the important part is the if= device. I usually use

dd if=/dev/rwd0a of=/mnt/OpenBSD.pbr bs=512 count=1

where /mnt is the mountpoint of a small FAT partiton that is
active.


While at the subject, you need to run this every time you upgrade bootblocks. 
What would be the result of not updating bootblocks when upgrading from 
snapshot? 


depends.

The boot code doesn't change dramatically often.  Last time it happened, 
it was the changes that permitted OpenBSD to boot beyond the 8G point on 
BIOSs which permitted it.  I personally tested around 50 different 
machines to make sure it worked, and several hundred other reports were 
provided by other users and developers.  And when a last minute 
improvement was discovered, I had to re-run those tests. :)


So...avoiding updating the boot blocks is usually harmless...you would 
be replacing code with the exact same code.  Now that I've said that, it 
will probably change, and in an important way.


 Or not rerunning that command when updating them?

As indicated by others, the system won't boot.

The inode for the second-stage boot loader (/boot) is hard-coded in the 
PBR.  Change that inode, you have a problem, because what the NTLDR does 
is invoke the PBR that was saved...IN THE PAST.  So, that PBR will end 
up trying to pull in and run who-knows-what...and will likely fail.


Ugly?  Well, before that bootloader change, the actual physical blocks 
were coded in the PBR, which meant recopying the file /boot would break 
the boot process.  The current process is actually very robust, 
recopying the /boot file doesn't change the inode number normally.  The 
normal upgrade processes are done in such a way that the inode isn't 
changed, so this will rarely be a problem.


The good news, almost by definition, a multi-booting machine isn't at 
some remote location...it's in front of you, thus easy to repair. 
(yeah, I am sure someone has a weird setup.  whatever).



Nick.

Re: OpenBSD Newbie

[Nick Holland]

misiu wrote:

Hello all,

I'm new to OpenBSD, I installed it a few times but than did not know 
what to do realy. Right now I'm little more experienced with Linux and I 
thought give it a nother try.

Now I'm runnin an Openbsd 3.9 Box.
Default setup. I try to run a Webmailbox and later Openvpn.
It did not work so I searched long for an answer. I started httpd -u and
now Openwebmail is running. I read allso that it is insecure, how can I 
run httpd chrooted and Openwebmail? Did not find any (for me 
understandable) answer.


You are getting some good advice on chrooting in GENERAL, but kinda 
missing your specific case by a wide margine.


What does chroot do?  Confine an untrusted app within a section of your 
file system, preferably one in which they have no write access, so if 
the app has a security problem, the damage is minimized.  Doesn't make 
the app more secure by itself.


BUT...
you need write access.  So you grant it.
You need libraries, you copy them over.
You need programs, you copy them over.
You need root access, you grant it.

by this point, you have lost just about all the advantage of chroot, and 
spent a lot of time doing it.


Look at OpenWebmail.  Neat program for a basic webmail app (and 
considerably better than some commercial webmail programs).  Amazingly 
self-contained, doesn't need an IMAP server.  Just off the top of my 
head, having installed it in a trial environment a few years ago, it 
needs AT LEAST the following:

   access to sendmail binaries
   access to /var/mail
   access to /home
   root  (that's how it reads the mbox files in /var/mail and /home)
   perl

The thing needs root.  Gotta have root.  No root, no work.  If you got 
root, you can probably escape from a chroot.


Much better than worrying about chroot'ing OpenWebmail, just put it on a 
disposable box, with no other secure apps, and make sure you use 
passwords/keys on it that don't show up elsewhere on machines you 
maintain.  Box gets owned?  shut it down, figure out what went wrong, 
rebuild and repair.


Some places, chrooting is great.
However, simply tossing enough stuff in the chroot to make your app run 
does NOT automatically mean the app (or your box!) is any more secure 
when done than it was before.


By the time you copy everything over to the chroot, you have not really 
gained much advantage /in this case/.


Openwebmail is not good explained too. Has anyone installed it ? (I 
guess for shure) would that one please contact me offlist?

I don't whant step by step help just to shed a little light in


been a while...but a few hints:
var needs to be able to exec code and no nosuid, which IS there on 
default OpenBSD installs.  Put your home directories physically in /var 
if you expect quotas to work as expected, you can symlink them back to 
/home if that freaks you out excessively.


That's about all I remember.  Oh, and don't have 25 kids change their 
PWs all at the same time unless you have around 600M of RAM+Swap 
available.  Ouch...


Nick.

Re: Wondering about security...

[Nick Holland]

Peter Philipp wrote:

Hi,

I had this USB stick called CHEER, 


see message ID

Message-ID: [EMAIL PROTECTED]

here is a clip from messages showing the ID,

May 11 16:05:41 neptune /bsd: umass0: CHEER USB_DISK, rev 2.00/2.00, addr 2
May 11 16:05:41 neptune /bsd: sd1 at scsibus2 targ 1 lun 0: CHEER, USB_DISK, 
1.00 SCSI2 0/direct removable



bash-3.1$ grep sd1 /var/log/all | more
May 11 16:05:41 neptune /bsd: sd1 at scsibus2 targ 1 lun 0: CHEER, USB_DISK, 1.
00 SCSI2 0/direct removable
May 11 16:05:41 neptune /bsd: sd1: 1010MB, 1010 cyl, 64 head, 32 sec, 512 bytes/
sec, 2069760 sec total
May 11 16:06:12 neptune /bsd: sd1 detached
May 26 15:12:31 neptune /bsd: sd1 at scsibus2 targ 1 lun 0: SKYMEDI, USB Drive,
 1.0 SCSI2 0/direct removable
May 26 15:12:31 neptune /bsd: sd1(umass0:1:0): only the first 4,294,967,295 sect
ors will be used.
May 26 15:12:31 neptune /bsd: sd1: 2097151MB, 2097151 cyl, 64 head, 32 sec, 512 
bytes/sec, 4294967295 sec total

May 26 15:12:44 neptune /bsd: sd1 detached

Anyhow... yesterday was a holiday here in germany.  And I left my apartment
with the iBook turned off.  Someone musta done an exchange of my USB stick
drive while I was out.  Surprisingly it booted OpenBSD like usual and I 
did not notice a change until it blew up today and wiped itself.  When I

plugged it into my host neptune I noticed the different USB Id...

The USB drive looks exactly the same coincidentally.  So... 


To get to the point.  What are some recommendations by OpenBSD users for
physical security, other than run and don't look back (kidding, heh),


Keep my house a complete cluttered mess.  If you don't know where to 
step, you are dead.  Someone tries to break in, I'll probably find their 
remains sprawled across a pile of junk, with an old EISA FDDI card 
puncturing their lung. :)



As a hind thought, how possible is it for a device to blow up and change
its own ID but then still being detected by the USB protocol?


A lot more likely than you might think.

Somewhere around here, I have a Compaq SCSI hard disk...  Actually, it 
was made by IBM, didn't really even try to hide that on their stickers 
outside the drive.  I had at one point probably fifty of these things, 
all the same, all pulled from the same batch of computers (dealer's 
customer wanted 4G, not 2G drives).  Every one had the same ID string, 
saying COMPAQ and some model number.


Except this one.
For unknown reasons, this one forgot its Compaq programming, and 
reverted to being an IBM disk.  As I recall, it worked fine for a while 
like that, but I think it failed later (or maybe I noted the bizarre 
change after it failed).


So yes, Funny Things Happen.  I could attempt to make a wild guess as to 
why this drive shed its altered ID and reverted back to the ID it was 
originally engineered, but you are probably thinking the same thing, and 
we are probably both wrong.


I think I've seen this elsewhere, too.
And yes, I've seen various supposedly non-volatile EEPROMs and Flash 
devices spontaneously die.  Seen it so many times, I really do snicker 
when people try to use Flash because it is has no moving parts and is 
thus more reliable than disk (there are very valid reasons to use it. 
I just don't think reliability is one of them).



I really suspect that no one did the swap on you, your stick probably 
just died, and in the process, lost some custom programming the marketer 
did to it.  You would have to have some thing Really Valuable for 
someone to go through all that trouble.  Much easier to replace your 
good stick with a completely defective stick...you'd just think the 
thing failed, and never think that maybe someone somewhere now had your 
data.


Note also that your drive's size became very wrong.  I think the thing 
just died on you...and picked up another identity on the way.


Nick.

Re: dd problem

[Nick Holland]

akonsu wrote:

hello,

i wanted to create an ISO image of a CDROM, so i ran this command:

dd if=/dev/cd0a of=my.iso

and i waited and waited for about 30 minutes until i just gave up and
pressed ^C. the resulting iso file was much larger than the source disc.


try
   dd if=/dev/rcd0c of=disk.iso bs=32k

note the rcd0c instead of cd0a.  The 'a' vs. 'c' doesn't (seem to) 
matter, I just philosophically prefer the 'c' implying entire disk, 
rather than just one partition.  The raw mode of access makes a lot of 
difference here.


I put the bs=32k in there for a bit of additional performance, but it 
turns out that without the bs= line, it didn't work at all.  After a 
little thought (and testing), I remembered that on most modern 
platforms, CDROM drives have a 2k block size, so apparently dd has 
trouble moving 512 bytes at a time out of CDROM drives.  I confirmed 
that bs=2k worked, bs=1k does not, so I might possibly be not 
totally wrong on that.  bs=32k seemed to go about twice as fast as 
bs=2k.


Well, I learned something. :)

Nick.

Re: one drive in a raid 0 failed, can I save any data?

[Nick Holland]

On Thu, Jun 01, 2006 at 08:57:08AM -0700, John Brahy wrote:
 F.r.a.c.u.l. .e.k. . .a. .u.n.n. .i.h.u. .a.k.p. .n. .n. .f.t.e.d.i.e. .i.d.
 .s.t.e.e.a.w.y.t. .e.o.e. .n. .f.t.e.d.t. .r.m.t.e.d.i.e.?

 
N t l k l .   o r .  - Drive 0, RAID0
 o   i e y   S r y   - Drive 1, RAID0
 
Nick.  - Drive 0, RAID1   
Nick.  - Drive 1, RAID1

Re: A joke

[Nick Holland]

Sean Cody wrote:

On 1-Jun-06, at 10:22 AM, Andrew Pinski wrote:

On Jun 1, 2006, at 1:44 AM, Rico wrote:


Manager: George, I need a program to output the string Hello World!


You forgot one:
a lazy person

#!/bin/sh
echo Hello World!

Why waste an extra shell process not to mention all that extra typing?

#!/bin/echo 'Hello World!'

:P

--Sean


On the other extreme...

Hire a company to develop an app.
Add $18k Java application server license to make it easy to program.
Add $9k IDE to make the easy to program stuff easy to program.
Add five more programmers from the programming company (and five more
  IDE licenses) when timeline starts to slip.
Wonder why you never have to buy the carpenter's tools when they
  build your house.  Or the plumbers tools.  Or...
Notice that the $9k tool these carpenters use is made by the
  carpenters themselves.
Upgrade RAM in all the developers machines (which you ALSO  provided)
  to 2G of RAM, because the IDE takes 1.5G just to load.  Delete all
  emacs jokes from local disk).
Wonder why carpenters who built that IDE didn't know that it needed
  that much RAM.  Or couldn't diagnose why their machines were so slow
  without it.
Look at pathetic result.  Coulda been done in perl, Apache and vi, 'cept
  it would have worked, then.
Show development company the door.  Make sure it hits 'em in the butt.
Realize that after $63k in IDE licenses, the development company STILL
  made money on the deal, and trained a bunch of their people on their
  product (and our dime)

Bring in another dev. company...
(the good news is, this one seems to be MUCH better.)

Nick.
(who simply does not get Java Application Servers.  I did ask the 
vendor to demonstrate a hello world program.  I was not impressed).

Re: No-name NICs

[Nick Holland]

Lars Hansson wrote:

On Tuesday 06 June 2006 17:42, Martin Schrvder wrote:

Hi,
how likely is a no-name 100MBit NIC to just work with 3.9 stable?
In my experience, very. Most are using the same chipsets (ie rl) as the 
brand  NICs anyway.

I cant recall ever having a NIC, brand or non-brand, that didnt work.


Agreed.
Whatever chip they use, the manufacturer is usually more interested in 
selling product than keeping you from using it outside of the Windows 
environment.  Thus, we probably have docs, and the driver probably works 
pretty well (even if the chip itself is often resoundingly criticized).


Kinda silly how much effort some big-name companies put into making sure 
you CAN'T use their product anywhere and everywhere...


Nick.

Re: Custom /bsd.rd to send in dmesgs?

[Nick Holland]

vladas wrote:
Will devs ignore dmesgs from /bsd.rd that would resemble the -current 
GENERIC

/bsd (if it is possible to do so)?

I want to send in a few  dmesgs from the machines where I cannot install
OpenBSD, so I thought /bsd.rd would help.


There are a lot of reasons why developers want the dmesgs -- a major 
reason is to find out how the GENERIC kernel sees the hardware, another 
is to get reports of how it actually works with that hardware.


A custom kernel does neither of those tasks.  Simply booting bsd.rd 
(even an official one) doesn't answer either very well...what happens if 
a probe of something in GENERIC that isn't in bsd.rd causes the machine 
to lock?  What happens if the disk interface is properly recognized..but 
doesn't work properly?  You would never know if you didn't actually do 
the install.  The lack of a didn't work! message might cause someone 
to think it did...


Perhaps even more tantalizing, what if a problem IS seen in the 
dmesg...if you can't install, you can't test a fix.


So..I suspect you won't get a lot of excited responses from developers, 
in general.  Or I could be wrong...


Nick.

Re: Combining boot floppies

[Nick Holland]

When I saw your note, I figured Something Ain't Right here.  I wasn't 
the only one.  Theo noticed.


I'm on a mission from Theo.

Michael White wrote:

Hi all,

I'm attempting my first install of OpenBSD (version 3.9) on an HP Omnibook 
800CT (Pentium 166, 80 MB RAM, 4.3 GB HD, 3COM 3CXEM556 Carbus Ethernet 
card), coming over from RH9.0.  One peculiarity of the 800CTs is that the 
SCSI CDROM is not bootable, so I'm down to booting with floppies.


whoa.  SCSI.  (he's right on this, btw...  Symbios Logic 53C810, if the 
page I'm reading is to be believed.)


I first attempted to boot from floppyC39.fs, since that's supposed to be the 
image for laptops.  Well, it does recognize my Ethernet card, but seems to 
choke on the hard drive.  After recognizing the Ethernet card, I see the 
following:


--
wd0(wdc0:0:0): timeout
type: ata
c_bcount: 512
c_skip: 0
wd0(wdc0:0:0): timeout
type: ata
c_bcount: 512
c_skip: 0
WARNING: preposterous time in file system
WARNING: file system time much less than clock time
--

After that, the machine is locked up.  So I boot from floppy39.fs instead.  
That had no problem with the hard drive.  I was able to successfully 
partition the drive.  But that image does not recognize my Ethernet card, so 
I'm unable to retrieve any images (didn't see an option for PPP).


The fact that floppy38.fs didn't see your network adapter is not 
unexpected, of course.


The fact that you had disk issues on floppyC39.fs is unexpected.  The 
fact that they go away on floppy39.fs is all the way to Just Plain Wrong.




Even after formatting the hard drive under the floppy39.s floppy, the 
floppyC39.fs floppy chokes on the hard drive.


Is there any way to combine the two capabilities? 


Not the way you are thinking.  But I have some ideas...

 The only reason I'm asking is because of a comment in the FAQ

(section 4.3):

Yes, there may be situations where one install disk is required to support 
your SCSI adapter and another disk is required to support your network 
adapter. Fortunately, this is a rare event, and can usually be worked 
around.


Worked around means combining hardware and install options in such a way 
that it is made to work...not fiddling with the boot media.  Usually.


I may have access to a Xircom network card - is that supported by the 
floppy39.s floppy?


No, the Xircom driver is not in floppy39.fs...
At least, not the Xircom driver I'm thinking of...they may have more 
than one. :)



Anyway...I'm sitting here looking at the config files that make up 
floppy39.fs and floppy39C.fs (RAMDISK and RAMDISKC, for those who want 
to follow along), and their diffs.


First, I see that the SCSI controller that is probably in your laptop is 
supported by the siop(4) driver, which is on floppy39.fs.  SO..the 
suggestion of dropping the file set on a CD and installing from that is 
probably workable.


But that's not what Theo sent me to ask.  We are interested in the 
reason for the problem more than a quick-and-dirty work-around. 
Besides, it is entirely possible the problem will be back with us when 
the full kernel loads.


So..back to the diff...  It sounds like there is something hurting the 
disk support on this thing.  So...we can try turning some drivers off, 
and see if that gets floppyC booting properly.  You do this using User 
Kernel Configuration, a.k.a., UKC:


  http://www.openbsd.org/faq/faq5.html#BootConfig

Here is a list of things to try disabling (disable bla at the ukc 
prompt):

   uhci*
   ohci*
   wdc*
Those you can do all at once.

h...  those were the only easy (a.k.a., mostly harmless) ones.

Well...if those don't improve things, let's try breaking some things:
   pciide*   (your disk performance now sucks)
   pcic* (that might kill your PCcard slot)
   cbb*  (if the above didn't, this will)
Do these one-at-a-time.

I'm not really sure what is going on...  You may have an issue with the 
PCcard/Cardbus support...which means your NIC may show up in the dmesg, 
but it may be just as non-functional as it is with floppy39.fs. 
Disabling pciide will cause a huge performance hit, but slow beats 
not working at all.


Might be interesting to see what happens if you boot without the NIC 
installed in the machine.  yeah, useless for your problem, but 
interesting for troubleshooting.



I'd love to see is a serial console capture of the output of the boot on 
this thing, from both the floppy39 and floppyC39 disks...but if you 
aren't fluent in serial, hooking one up for your first OpenBSD install 
might be a lot to ask for.  Ah, heck, if I don't ask, I won't get, right? :)


  http://www.openbsd.org/faq/faq4.html#getdmesg

You can probably at least get the dmesg from floppy39.fs to a floppy 
disk using the process there, but if you can get both by using a serial 
cable, all the better...


Nick.

Re: like the faq 14.16.1, partition is not in my disklabel ... need help anyway

[Nick Holland]

Joachim Schipper wrote:

On Thu, Jun 08, 2006 at 08:31:59PM +, Didier Wiroth wrote:

Hello,
My ntfs amd comaq diag. partition is not in the disklabel.


I presume this means you deleted them, and now want 'em back.  As they 
appear to have been there before the OpenBSD install, I'd have expected 
them to be in your disklabel.  Wait a minute...how'd you get the compaq 
partition THERE???  (ok, that's way OT).



Unfortunately I don't know how to add correctly in the disklabel.
I've read the faq 14.16.1 but it only shows a modification.

Here is my fdisk output, which shows id 0 the ntfs partition:

Disk: wd0   geometry: 12921/240/63 [195365520 Sectors]
Offset: 0   Signature: 0xAA55
 Starting   Ending   LBA Info:
 #: idC   H  S -C   H  S [   start:  size   ]

*0: 070   1  1 - 6800 239 63 [  63:   102831057 ] HPFS/QNX/AUX
 1: 12 12270   0  1 - 12920 239 63 [   185522400: 9843120 ] Compaq Diag.
 2: A6 6801   0  1 - 12269 239 63 [   102831120:82691280 ] OpenBSD
 3: 000   0  0 -0   0  0 [   0:   0 ] unused

Here is current my disklabel:
16 partitions:
# sizeoffset  fstype [fsize bsize  cpg]
  a:   2097648 102831120  4.2BSD   2048 16384  328 # Cyl 102015 -104095
  b:   1024128 104928768swap   # Cyl 104096 -105111
  c: 195371568 0  unused  0 0  # Cyl 0 -193820
  d:   4194288 105952896  4.2BSD   2048 16384  328 # Cyl 105112 -109272
  e:   1024128 110147184  4.2BSD   2048 16384  328 # Cyl 109273 -110288
  f:   4194288 71312  4.2BSD   2048 16384  328 # Cyl 110289 -114449
  g:  10486224 115365600  4.2BSD   2048 16384  328 # Cyl 114450 -124852
  h:   4194288 125851824  4.2BSD   2048 16384  328 # Cyl 124853 -129013
  i:   2097648 130046112  4.2BSD   2048 16384  328 # Cyl 129014 -131094
  j:   3072384 132143760  4.2BSD   2048 16384  328 # Cyl 131095 -134142
  k:  50306256 135216144  4.2BSD   2048 16384  328 # Cyl 134143 -184049


What do I have to add to disklabel to be able to access the ntfs and the compaq 
diag partition?

For ntfs something like:
l: 102831057 63 unknown # Cyl ???

I would really appreciate some help.


with what? You got it right there!  Do disklabel -E, you won't have to 
worry about the cyl part. :)

You probably want type to be ntfs.



Thank you very much !


Some noteworthy points:
1. Looks like you ran out of space in the disklabel (or in the
device namespace, or whatever): don't define this many disklabel slices
if you want to see the other partitions (which are typically numbered
from i). [I'm not 100% sure I'm correct here; please flame me, with the
correct answer if possible, if this is not the case.]


Grabbing the marshmallows and a stick here...
Yes, non-OpenBSD partitions which are recognized at install time are 
typically listed as partitions i and up, but there is NOTHING sacred 
about this.  a, b and c are sacred..don't misuse them.  d 
through p can be used however you wish.  Make d DOS.  Make p your 
/usr partition.  Whatever.


consider yourself flamed. :)


2. NTFS is not supported in GENERIC. This usually means the
implementation isn't really ready for prime time yet; you could build a
custom kernel, if you know what you are doing and have read most, if not
all, of FAQ 5.*.


right.  man -k ntfs


3. I don't know what you want to do with the Compaq diag
partition, but it might not be too useful.


agreed.
If you aren't planning on USING a partition, don't bother putting it in 
disklabel.  On the other hand, might be fun to find what is in that 
compaq partition.  (no idea why, but I've never looked closely.  Just a 
mislabeled msdos partiton, as I recall).


Nick.

Re: Mail Server configuration question(s)

[Nick Holland]

[re Dovecot as an IMAP server]
Adam wrote:

On Fri, 9 Jun 2006 20:39:24 +0200 Joachim Schipper [EMAIL PROTECTED] wrote:


Does it even work on openbsd yet?  Its got a long history of corrupting
indexes, and spinning out of control sucking up 100% of the CPU.


I first read this out-of-order...  sounds like they are talking about 
Dovecot was my first thought...



There is a port, and I've been running it for about a year now. Never
had any problems, except that upgrading 0.9.x to 1.0 beta y required
rm'ing all indices or strange things happened.

Of course, this is on two boxes with respectively 1 and about 20 users,
so it's not that good an indication; but it does not crash at every
opportunity.

I do use it with maildir, though; mbox support may be less good.



I used the packages too.  And with maildirs.  It didn't crash, it just
kept corrupting its indexes and then using 100% of the CPU.  It could be
fixed now, I don't know.

Adam


I haven't seen it do the CPU sit-and-spin in a long time (it did prompt 
me to put a dual processor machine in place for my IMAP server...it only 
killed one processor at a time! :), so I think that is fixed.  However, 
it still has issues.


Let's forgive the sit-and-spin.
Let's forgive the corrupted indexes (even though from the first day I 
used it, the author claimed its indexes were fail safe.  I can't tell 
you how safe I felt on many, many occasions with it).
Let's forgive the upgrades where I kept wondering, Is THIS going to fix 
things, or is this going to be even worse than the last upgrade?  How 
much mail will I lose THIS time?


It is much better than it was.  It is going in the right direction.  But 
it still has issues.


Want a seemingly reliable demo?  Try this:
Set it up on a machine to do IMAP/SSL.  Push 2000 e-mail messages from a 
local mail client to your IMAP server.  Somewhere between message 3 and 
1000, it will hang, then time out on you.  Switch to non-SSL, it will 
work fine.  Switch back, hang-time-out.  Exact same results on Outlook 
Express and Thunderbird, on multiple workstations, and multiple servers. 
 BTW: if you are trying to convert from local e-mail to centralized 
IMAP storage, that hang-and-timeout SUCKS BIG-TIME...you will either end 
up with duplicates in the IMAP server or spend hours trying to figure 
out which ones made it and which ones didn't.


After switching my purely in-house system from SSL to non-SSL with 
dovecot, I must say it Sucks Less, but I'm going to be doing at home 
what I did with the project I'm working on at work: Give up on Dovecot.


The last straw for me was seeing a note from someone seeing the same 
problem I was seeing, a reply from the author saying, I guess the SSL 
stuff still isn't working...then a new (and current) release, which had 
the exact same problem.  I give up.  I tried.  I really did.  Several 
years of patience.  It is getting better, but I'm not betting my 
reputation on it yet.


And yes, Maildir, packages when available, ports when testing new 
releases before packages were made.  The author says the right things. 
The results say the wrong things. 8-/


Yes, Courier IMAP is more complex.  However, it took far less time to 
get going than I spent fighting with the Dovecot SSL problem.  I really 
wish I hadn't believed all the Courier is too complex stuff before. 
It isn't that bad, and not only have I had no issues so far, some of the 
things I wasn't really blaming Dovecot for got a lot easier, too.


Yeah, I know, there are people using it without problem.  Great.  Didn't 
work for me...over and over.  Maybe I do cruel and unusual things with 
IMAP, but I didn't think THAT horrible...


Nick.

Re: Kernel panic ... Unknown source ...

[Nick Holland]

Scott Plumlee wrote:

o?= wrote:

Hello,

My OpenBSD 3.9-stable Box is quite unstable. I don't have physical 
access to

my box so I can't debug it directly.
I've recompiled a GENERIC kernel with DEBUG support and set ddb.panic 
to 0

in sysctl.conf so that it's rebooting automaticly. But no kernel dump is
made after a kernel panic. I searched on the web without finding a 
solution.


Everytime the kernel panic is different. I tried the -current (and 
also 3.8). The result is nearly the same: no more
kernel panics but the system freeze but it's still responding to the 
ping.


You totally lost me on that one.  Something panicked, something else didn't.

However, system freeze but still responds to ping can also be a memory 
exhaustion issue -- all RAM+swap got used, and all tasks end up getting 
deadlocked waiting for additional RAM to become available.




As I said before in another mail, this is NOT due to an hardware failure.
Many SAME machines work perfectly. The only difference is the revision of
the bios (vcore updated and Pstate disabled). I want to find the 
source of

the bug to correct it if I could.


I'm still awfully new to *nix, but isn't saying that it's not hardware 
just because other boxes like this don't fail the same as my car can't 
be out of gas because other cars of the same model are still driving by 
me?


pretty darned close.

I can understand if you mean that it's not due to an unsupported piece 
of hardware, in which case I would think the kernel panic would be the 
same, but how do you know it's not bad insert your choice of memory, 
disk, cables, processor, heatsink, fan, etc etc here?


Anyone who hasn't seen a broken piece of HW that works fine with X but 
not Y is new to the game.  Anyone who trusts a HW diagnostic to give 
them the answer is really, really new to the game.


By themselves, diagnostics are like a screwdriver: in the hands of a 
knowledgeable person, very useful.  In the hands of an idiot, dangerous. 
 Without a brain engaged in their use and analysis of the results, they 
are just an inert object.



The OP already answered his own question (and been told this by others).
The machine has a buggy BIOS.
One version works, another doesn't.

Why do you think there is more than one revision?  Because bugs were 
found.  Odds are, those bugs were NOT found on OpenBSD, they were 
probably found running Windows, maybe Linux.  OpenBSD *may* expose those 
bugs more clearly...but odds are, if you use that same buggy BIOS with 
another OS, you may learn to regret it.


Would it be possible to fix OpenBSD to work around this bug?  Maybe. 
Completely pointless and self-defeating, however.  Fix it for the buggy 
BIOS, you probably broke it for the correct BIOSand now you have a 
chunk of code usable on precisely one variant of one bad computer.  The 
code will not be properly maintained, and will probably do more bad than 
good some day in the future, if not immediately.  Sometimes buggy 
hardware has to be worked around, because no fix is available or 
possible from the manufacturer and there is a clear benefit to adding 
special case code.  When a proper fix IS available from the vendor, it 
is usually preferable to use it than to work around it.


Hey, if this problem turns out to expose a true logic bug in OpenBSD, go 
ahead, find it, show us, and get credit for the fix.  But if everytime 
the panic is different, it sounds like things are Just Plain Broke on 
the system, if a BIOS upgrade fixes it, sounds like the hardware wasn't 
set up properly, and the manufacturer figured that out, and FIXED THE 
PROBLEM.


Nick.

Re: ftp problems with OpenBSD 3.9

[Nick Holland]

Smith wrote:

This will answer two post:

It does work in 3.8 still.  As a matter a fact, I have two servers on 
the intranet.  The 3.8 works fine but not the 3.9.


I tried the passive/active and still the problem persist.

If I use the command line or filezilla (another windows ftp client 
that's open source), it works just fine in both versions.


At this point I'm thinking something change on the OpenBSD side, 
especially since 3.9 has the new ftp-proxy.  I don't use pf or ftp-proxy 
for this situation but maybe OpenBSD ftpd was modified to make ftp-proxy 
work.


If there really hasn't been any change in ftpd from 3.8 to 3.9, I'll 
focus the problem as being on Microsoft's side.


Curiously, I've noticed the MS-whatever-it-is feature didn't work with a 
3.9 FTP server, too.  I kinda figured it was just MS being stupid with 
something other than a MS FTP server on the other side.  I have not 
tried 3.8, however.


I was about to try to figure out how I'd find the time to take a look at 
this, both to verify your claim (which I'd always do first) then to try 
to troubleshoot it a bit.  But then I realized...HEY!  I can get YOU to 
do the work! :)


Here's what I'd do...

Install a 3.9 test machine, verify the problem exists.  Checkout the 
source tree, or at least, the src/libexec/ftpd section, but using the 
OPENBSD_3_8 tag, to get the 3.8 version, and see if it 1) compiles 
easily and 2) works on 3.9.  It just might.  Or it might not.  Assuming 
it does...do you still have a problem?  Or is it fixed?  If you still 
have a problem...there is something else going on (which COULD possibly 
be a library or some other system change...but I'd also look for a 
configuration difference.


IF changing the FTP source code from 3.9's to 3.8's Fixes the problem, 
just start putting in change after change until it breaks.  :)


Nick.

Re: ftp problems with OpenBSD 3.9

[Nick Holland]

Smith wrote:
how do I compile it.  I know I can look at previous patches and possible 
figure it out but I wouldn't know if it's the proper way to do it.  I 
have a test machine all setup and ready and my pwd is 
/usr/src/libexec/ftpd.


Just replied privately, but since you asked publicly also, should reply 
for the list, in case anyone else wants to try...


And since replying to you, I've tested it.  It at least seems to work. 
Not sure it fixes your problem, however.


   make obj
   make
   make install

Stop and restart ftpd if you are running it as a daemon (ftpd -D), and 
you should be able to test...


Nick.

Re: dmesg warning, ahc0: Illegal cable configuration!!

[Nick Holland]

Daniel Hammett wrote:
...

ahc0: Illegal cable configuration!!. Only two connectors on the adapter may be
used at a time!

[Full dmesg posted below]


yay! :)


This isn't unique to OpenBSD: I've seen similar reports in the dmesg from SuSE
Linux using the 2.4.xx series kernels and also from FreeBSD version 6.

It doesn't appear to affect the machine in anyway that I can tell, e.g. there
are no unexpected hangs, slowdowns, disk problems, etc.

The AIC-7880 wide SCSI is connnected to a single disk but there are multiple
(unused) connectors on the ribbon cable which end in a terminator block.

The AIC-7860 narrow SCSI is connected to a single CD-RW drive. Again, there are
multiple (unused) connectors on the ribbon cable and this, too, ends in a
terminator block.


this isn't the issue, as that's ahc1 according to the dmesg.


I have used multiple drives in the system and the same message appears.

It occurs to me that there might be some issue with the disk drive itself
providing SCSI termination, or some other jumper configuration error.

Alternatively, doe this message imply that I can only use either the AIC-7860
or the AIC-7880 but not both? I might try unplugging the CD-RW before booting
this evening.


nope, again, ahc0 and ahc1 are two different devices, if it is whining 
about X, the problem is with X.  Probably. :)


As I recall, there are some variants of the Adaptec cards that use the 
ahc(4) driver that are kinda...curious.  I think it is the 29160 (or 
some variant) which has both LVD U160 and a single-ended U2, plus a 50 
pin connector...and the rule is, you can use two of the three 
connectors, but not all three at the same time.  I may be misremembering 
this...it might involve the external connector on the spine of the card, 
rather than the 50 pin connector.  But the rule was..only two of the 
connectors.  And note: it's the connectors in use, not the number of 
devices attached.


As I recall, all it can do is look for terminators.  If it finds more 
terminators than it expects, it apparently sets a whine flag that the 
driver looks for.  Are there any extra terminators on the system?  You 
indicate the cable has a terminator...could the drive also be 
terminated?  Also make sure any unused SCSI connectors are just left 
unconnected.


Otherwise...if everything is correct, and performance is appropriate, 
don't worry about it...probably a quirk in implementation on this 
machine.  I don't recall ever seeing any ability to see messages like 
this under Windows, so I suspect HP may have been a little sloppy about 
how they implemented things.


Nick.



--- dmesg included ---

OpenBSD 3.9 (GENERIC.MP) #598: Thu Mar  2 02:37:06 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium II (GenuineIntel 686-class, 512KB L2 cache) 300 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,MMX
real mem  = 536453120 (523880K)
avail mem = 482435072 (471128K)
using 4278 buffers containing 26927104 bytes (26296K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(a1) BIOS, date 10/28/98, BIOS32 rev. 0 @ 0xfd77d
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd710/0x8f0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf20/192 (10 entries)
pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4800
mainbus0: Intel MP Specification (Version 1.4) (HP   XU/XW   )
cpu0 at mainbus0: apid 1 (boot processor)
cpu0: apic clock running at 66 MHz
cpu1 at mainbus0: apid 0 (application processor)
cpu1: Intel Pentium II (GenuineIntel 686-class, 512KB L2 cache) 300 MHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,MMX
mainbus0: bus 0 is type PCI   
mainbus0: bus 1 is type PCI   
mainbus0: bus 2 is type ISA   
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins

pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443LX AGP rev 0x03
ppb0 at pci0 dev 1 function 0 Intel 82443LX AGP rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Matrox MGA G400/G450 AGP rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x01
pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0
wired to compatibility, channel 1 wired to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: MATSHITA, CD-ROM CR-585, ZP18 SCSI0 5/cdrom
removable
cd0(pciide0:0:0): using PIO mode 0, DMA mode 1
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 7 function 2 Intel 82371AB USB rev 0x01: apic 2 int 19 (irq
11)
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 

Re: latest sendmail patch

[Nick Holland]

Monah Baki wrote:

Hi all,

I'm trying to apply the latest patch for sendmail and on my make, I get
the following error:

...

OpenBSD 3.9-current (GENERIC) #685: Mon Apr 10 14:00:41 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC


Patches are for RELEASE.  Not -current.  You are running a -current, so 
you are committed to running -current, your (only) option is to upgrade 
to the most recent snapshot...which will have the fix, and you won't 
have to compile anything.



Nick.

Re: latest sendmail patch

[Nick Holland]

Nick Holland wrote:

Monah Baki wrote:

Hi all,

I'm trying to apply the latest patch for sendmail and on my make, I get
the following error:

...

OpenBSD 3.9-current (GENERIC) #685: Mon Apr 10 14:00:41 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC


Patches are for RELEASE.  Not -current.  You are running a -current, so 
you are committed to running -current, your (only) option is to upgrade 
to the most recent snapshot...which will have the fix, and you won't 
have to compile anything.


eh...
In *this case*, there are other options.
But I'm not going to detail those.  I don't like special cases... 
especially when it might encourage people to do things wrong and think 
they got away with it.


Nick.

Re: Errors with IDE DMA beyond FAQ 14.11

[Nick Holland]

[from a few days ago]

Chris Smith wrote:

I am a n00b.


you missed:
  http://www.openbsd.org/faq/faq2.html#Bugs
...

The system still chokes with a DMA timeout after ~30mins of
heavy stuff (I was compiling /usr/ports/x11/gnome as something I knew
would take forever).

Is this a self-inflicted wound?:


possibly, though sounds like a bug.  However, lack of dmesg and precise 
messages/symptoms leaves doubt.



OpenBSD is the only partition on wd0, and I hurried through the
partitioning, basically chunking the disk evenly across /,
/usr, /var, and /usr/x11 per the installation pamphlet.


If I got the disk, I got to allocate it.  Don't do that.  Allocate 
what you need, and save the rest for later.  Otherwise, you will spend 
lots of time watching your 99.9% empty partition fsck.


Do you have ANY IDEA how big 300G is?
Can you imagine how much paper tape it would take to back it up??
(years ago, when I first started working in the computer industry, a 
friend and I were drooling over the potential of a hard disk...and we 
asked that question.  The endless hard disk in question?  10M.  Hint: 
10 bytes per inch on paper tape).



Questions:
a) Could naive partitioning on a fat IDE drive put enough latency into
   the system that a DMA timeout will inevitably happen?


no.
Not even sure what you are saying, but no.
I have 500M partitions on 1T drives in production (three 500G drives in 
an Accusys RAID5 box).  Works great.



b) Should I punt and beg my wife for enough cash to replace the motherboard?


possibly.  Or a $30 add-on card that works better.  Or $5 for a better 
cable. :)



c) Given C/H/S values of 36481, 255, and 63 what would be a reasonable
   partition scheme for a home server box?  (Failing that, pointers
   to previous discussion would be great).


http://www.openbsd.org/faq/faq4.html#Partitioning
However, your partitioning can be a problem without it being the problem 
you are complaining about.


Nick.

Re: FYI SK(4) D-Link DGE-530T Rev B1 does not appear in dmesg.

[Nick Holland]

[EMAIL PROTECTED] wrote:
...

The dmesg with the B1 card only lacks the three appropriate lines which
appear for the Rev A1 card when it is inserted in the same PCI slot:


IF that is true, your card wasn't inserted properly.

PCI cards show up.  SOMETHING will show up...even if it isn't 
recognized.  The only exceptions are if the card is behind a broken or 
unrecognized bridge.


Nick.

Re: Doubts about OpenBSD security.

[Nick Holland]

Bob Beck wrote:
...

IMNSHO, a root password for single user makes the system *LESS*
secure, and I'm dead serious. I would object to any attempt to commit
changes to OpenBSD to have one by default. Why? Real simple: *because
you asked this question*. - Now I'm not just crapping on you, every
new sysadmin I know asks this. The point is, if OpenBSD put a root
password on single user, you might be tempted to think that somehow,
someway, a not-physically secured machine was secure, and be tempted
to deploy it that way. And don't laugh, I've seen the assumption made
(I work at a university). My point is that putting security measures
in place that do not do anything because of equivalent access make
people believe that they *do* do something, and therefore people make
incorrect assumptions and do things insecurely. 


Physical access is everything highness. Anyone who says differently
is selling something.

-Bob


Here's another example:

My boss feels that it is important that he have a list of administrative 
passwords to all servers in our company.


Now, call me no fun, but the idea of a password for the perimeter 
security firewalls sitting in an Excel spreadsheet on a laptop he 
selected because it was small and expensive and he likes to carry around 
to impress people scares the hell out of me..and thus, the PWs are not 
there.


Now, he's got a point...yes, we have multiple administrators, but we are 
friends outside of work, so we are not infrequently in the same place at 
the same time, so the possibility of us both being killed in the same 
Celtic Music Riot or explosion of the same Mongolian Grill can't be 
discounted.  If something happens to both of us, someone will need to be 
able to get into those systems.  So...I just wrote up and showed him 
(and had him try) the lost my PW process in the FAQ, and had him force 
the root PW.  And he was satisfied (other than the look on his face that 
seemed to be slightly pissed that I was denying him something he wanted, 
even though he knows I satisfied the goal of the demand he made).


NOW...if we had something that had some kind of master password that was 
required even with physical access, we'd probably have to have either 
created an unused account for him (bad idea) or recorded a master 
password on his magic Excel spreadsheet (another bad idea).  I don't 
think that would have improved security one bit.


Sometimes, you got to make it easy to get in in a controlled way to make 
it harder for the wrong people to get in in a less controlled way.


Nick.

Re: Crashes and HDD params

[Nick Holland]

Przemys3aw Pawe3czyk wrote:

Hi,

How to change HDD parameters like this:

wd1 at pciide0 channel 1 drive 0: FUJITSU MPD3084AT
wd1: 16-sector PIO, LBA, 8063MB, 16514064 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2

to get rid off the crashes I register several times a day? With very bad 
results on my files.


What parameters are you trying to change?  Why do you think it will have 
ANYTHING to do with fixing your crashes?


The disk's parameters are what they are.  The disk knows what they are, 
the OS asks, the disk responds.  The OS reports and utilizes them. 
Other than the DMA and PIO modes, there isn't much to change.


Yes, crashes are bad on lots of things.
Altering the disk parameters is bad in much the same way...you will just 
add problems, not fix them.


Nick.

Re: FYI SK(4) D-Link DGE-530T Rev B1 does not appear in dmesg. (SOLVED)

[Nick Holland]

[EMAIL PROTECTED] wrote:

Quoting [EMAIL PROTECTED]:


Quoting Nick Holland [EMAIL PROTECTED]:


[EMAIL PROTECTED] wrote:
...

The dmesg with the B1 card only lacks the three appropriate lines which
appear for the Rev A1 card when it is inserted in the same PCI slot:

IF that is true, your card wasn't inserted properly.


I tried it in all the other slots and neither OpenBSD nor Windows
detected it.


PCI cards show up.  SOMETHING will show up...even if it isn't
recognized.  The only exceptions are if the card is behind a broken or
unrecognized bridge.


I tried it in a different PC and the card was shown in the dmesg as a
DGE-560T_2.

So it seems that first PC is a quirky one. Sorry about the bogus FYI.


ah.
ok...there's a reason why a PCI card won't show up, which I have 
experienced, but forgot about...


Apparently, some newer cards require PCI2.2 spec, and many machines of 
your vintage (PII) are only PCI2.1.


I should have remembered this, once spent many hours trying to figure 
out why a PCI wireless card (wi(4) based) didn't show up on the vast 
majority of the machines I have...finally found one computer that it 
worked in...the second newest, fastest machine I had (ok, I got a lotta 
old junk).


Kinda a special case of incompatible PCI bridge, sorta, kinda.

Nick.

Re: Partitions

[Nick Holland]

John Brahy wrote:
...

and over time I have learned to appreciate these, but lately I have been
creating more partitions
/usr/src
/usr/obj
are two of the ones that are suggested when rebuilding my system and I
definitely like the speed of doing a newfs to /usr/obj


Certainly handy.
On the other hand...I pretty much build by script files now, so I'm not 
waiting for the rm -r /usr/obj/* step anyway...just start and walk away 
for anywhere from an hour to a week. :)



I also have been putting mysql on it's own partition and then I got a little
crazier and added more partitions and my list has grown to this:

/
/home
/tmp
/var
/var/mysql
/usr
/usr/local
/usr/src
/usr/obj
/usr/Xbld
/usr/XF4
/usr/local
/virtualhosts

So am I going overboard? or am I missing any good partions.


yes, I'd say you are going a bit overboard.  On the other hand, you can 
make a case for most of the examples you list under some circumstances, 
and I don't see any Blatently Bad ones (here are some Bad Examples: 
/usr/X11R6, /root /etc), though I can't think of any benefit to src or 
XF4 on separate partitions (though I do have an NFS src directory on my 
mvme88k, due to 4G not being nearly enough to build on anymore)...nor do 
I see any real-life benefit to a /usr/local partition.


I also would not guess that you would be doing much building in /usr/src 
on the same system you had that was so busy you put mysql on its own 
partition...so again, just because you can make a case for a separate 
partition on system X doesn't mean every system will see any benefit 
from that same partition.



when I first posted Nick Holland replied with several reasons to have
multiple partions. Those being
security, fragmentation, protecting the filesystem from overfilling,
organization and space tracking.


I think I over-convinced you. :)


does increasing the amount of partitions increase access to the files on
that partition?


Not sure I know what you mean by this...

It COULD increase access time if you have partitions which are commonly 
being used together at opposite ends of the disk -- for example, perhaps 
src and obj, or src and /usr (where the compiler and libraries are), 
though if speed really matters that much to you, get more disks.



Any feedback would be appreciated.


As with most things in life, ask why, don't just do by formula.  There 
are still some cases where the / and swap solution fits for testing, 
even though I now use it rarely (though I've wished I did a couple 
times!).  A long time ago, I had a nice little webserver set up, then my 
friend Henning said, Here, try this chroot'ed Apache patch...which 
absolutely hosed my grand plans, as my /var partition was too small, as 
all the web documents were served from /home/user directories.  You 
may note the warnings about this in the FAQ are perhaps a little 
over-emphasized... if you read the FAQ carefully, you can sometimes 
guess when something has bitten me personally. :)



There are other reasons I've since found for partitioning, 
however...data partitions have become my favorite lately.  MULTIPLE data 
partitions, in fact.  And yes, multiple data partitions for one 
application.  Here's why: if your application can be forced to split 
data across multiple partitions, it can be easily expanded later. 
SO...you can start out with a 200G drive today, in a year add a 700G 
drive, and not have to migrate everything from one to the other (btw: it 
takes a long time for even a fast machine to migrate 200G of data).  It 
also means if something goes Horribly Wrong on one partition or drive, 
you can (probably) get away with recovering only that one partition from 
backup.


Just had that happen to me this week -- E-mail archive system with well 
over 1T of data blew out one of its drives in a most spectacular way 
(short across the power supply pins), blowing out a power supply and a 
RAID box in the process.  So..the survivors of this drive set had to be 
migrated to a spare RAID box, and then I made an error -- I missed the 
fact that the new box was set for RAID0 rather than RAID5, so after I 
beat on it a bit, it finally gave in and did what I apparently told it 
to: initialized the remaining data to zeros.  So, off to the backups we 
went.


FORTUNATELY, this system had several drive modules, and the one that 
failed (fortunately again!) was the least full of the bunch, so I only 
had 40 or so days of restore to do.  I'm rather glad the other nine 
months of data in the thing escaped injury!  Even if the same event 
happened on one of the other storage modules, it wouldn't have been as 
catastrophic as if I had it all in one pile.


Related reason: in the case of partitions that fill with data, then you 
move on to another, you can remount the filled partitions as RO, so 
if, for example, a disk tosses a dead short across the power supply and 
you have 2T of storage suddenly lose power, you don't have to fsck the 
entire 2T, just the part that was mounted RW

Re: openwebmail with chrooted apache

[Nick Holland]

FTP wrote:
I installed openwebmail from the ports and when trying to launch: 
http://your_server/cgi-bin/openwebmail/openwebmail.pl


I get a 500 error. I suppose that this is due to the chrooted apache
but how do I find the dependencies for a perl script?


1) you think really hard about what a program does and how it does it.
* It runs as setuid root, so it can jump to any logged in user to fetch 
their mail.  (hint: chrooting a suid root program is kinda pointless)

* It accesses /var/mail (can't recall if directly or via pop3)
* It accesses Sendmail binary directly (another setuid root program).
* it accesses /home/* directly
(that's from memory, from a few years back's version.  I suspect there 
is a lot more.  Some details may have changed, including my memory)


2) you think really hard about how much of the system you would have to 
pull into the chroot to do what you want.
* Too much dangerous stuff...and much of the file system.  The benefit 
of chrooting is mostly lost.


3) Decide if the effort is worth it.
* No, it isn't IN THIS CASE.  Give it up.

See the last sentence in:
  http://www.openbsd.org/faq/faq10.html#httpdchroot
OpenWebmail is one of these apps.  Making it work in a chroot would 
require a major rewrite and restructure, not simply copying files 
over...then you STILL have to trust the mechanism used to do those 
root-like things.


(contrast this to Squirrelmail, which does (amazingly) run in a chroot 
relatively easily...but then, Squirrelmail uses an IMAP server to move 
your mail data around...so instead of worrying about a hole in Apache 
or the web-app, you have to worry about a hole in your IMAP server)


Nick.

Re: openwebmail with chrooted apache

[Nick Holland]

FTP wrote:

On Mon, Jul 03, 2006 at 08:49:03PM +0200, Sigfred Heversen wrote:

Stuart Henderson wrote:

On 2006/07/03 13:52, Nick Holland wrote:


(contrast this to Squirrelmail, which does (amazingly) run in a
chroot


Same for Hastymail and Roundcube. I guess it's not too much of a 
stretch with IMP either (though I haven't actually used IMP

recently enough to have checked chroot).


In tree mail/imp depends on devel/horde that has exploit(s) in the
wild.

/Sigfred



I had a look on IMP and looks fine to me cause you can have POP3 too
as well. I actually dodn't intend to isntall an IMAP server.


Using IMP to avoid an IMAP server is like cutting off your hands because 
you don't wish to trim your fingernails.  A Bit Drastic, I do think. 
And similarly crippling, as IMP is less than 100% effective without 
IMAP, apparently:

   http://www.horde.org/imp/docs/?f=INSTALL.html
IMAP is recommended over POP3 in order to let users maintain mail 
folders other than INBOX and is required to allow messages to be 
flagged. IMAP is also much faster than POP3 in displaying a mailbox of 
messages. In short, do not use POP3 unless IMAP is not available.


If you want IMP, IMAP is the least of your tasks.  I think once you have 
IMP configured, you will forget that IMAP was even involved.



As a result is IMP a good solution for a small e-mail server?


I've never got IMP all the way running...but I very quickly came to the 
conclusion that small and IMP or any other Horde-based product have 
nothing to do with each other.


That's not to say that IMP isn't a (potentially) cool product, and I'd 
like to come back to it, but the setup and config is much more 
involved than I'd find justified for a small e-mail server.


OpenWebmail is very charming because of how very little it needs to 
bring into base OpenBSD to get working.  I set it up for a school of 
about 200 students on a PII-450, worked well (once I set up MASSIVE 
amounts of swap space...having 25 students change their PWs at the same 
time burned through something like 600M of RAM+swap very 
quickly...swap-to-file to the rescue!).  I must say, at this point, 
being not written in PHP is starting to look Really Nice, too.


Nick.

Re: Preventing password reuse

[Nick Holland]

Rod.. Whitworth wrote:
...

Test with well known cracker tools and weep. I have (as root) fed a
slice of master.passwd to John the Ripper with a few nologin users
added using dictionary words of 7 or 8 chars as passwords and after 10
days it had not cracked one of them. I bet it takes less time on lesser
hashes to get some results.


actually, I've had somewhat different results using ports/security/crack 
to look at how people entered a system.


A PII-450 was able to find an eight-letter dictionary PW (which was a 
particularly bad choice for a root PW) in a day or two, and at least one 
other trivial PW as well.  So there is potentially some difference in 
the tools used.


Nick.

Re: openwebmail with chrooted apache

[Nick Holland]

FTP wrote:
...

bottom line, your suggestion is to stick with openwebmail (if I don't
want to intsall IMAP) and run 'insecure' apache? Would that be a
'good' solution for a small e-mail server?


MY suggestion..yes.  Reasonable people may (and probably will) have 
differing opinions.


Here's a better idea: why don't you grab a bunch of different solutions 
and try 'em out?  Don't trust us, make your own decision.


Keep the Big Picture in mind... Yes, it's the insecure use of apache, 
but this eliminates a bunch of other programs that would have to do the 
same thing, creating similar potential holes, anyway.


Nick.

Re: Upgrading questions

[Nick Holland]

Rob Baldassano wrote:

I have been running OpenBSD 3.6 since the day it came out, and am now
in need up going to 3.9

The question is: What upgrade issues have folks run into?


Very few, myself.  I've got at least one machine running which started 
out with OpenBSD 3.1, and has been remotely upgraded to 3.9, and will be 
to 4.0 (unless I replace it for other reasons, and as it is a P1, there 
is a lot of merit to doing so)  (and yes, the upgrade over the 3.3 - 
3.4 ELF conversion was darned scary, but done without a trip to the box).



I'm running it on a DELL desktop.


you realize that doesn't help much, right?
However, I've found few desktop Dell machines that have difficulty with 
OpenBSD, and can't think of any reason why a machine that ran 3.6 fine 
would do anything other than run 3.9 at least as well (and likely, better).



BTW, some of the reasons I want to upgrade:

  ...
you missed the important reasons.  A biggie being that 3.6 is no longer 
supported by security patches.


You do need to upgrade.
Whether that means start over and reload from scratch, or follow the 
upgrade process, that's for you to decide, but you need to stop running 
3.6 and start running 3.9.



So... Any hints, pitfalls, suggestions that people have run into
before? in general is it safe to do an Upgrade? a former co-worker
says NO don't do that, never trust upgrades. I tend to disagree.


On most systems, upgrades work Just Fine.
On the other hand...you haven't upgraded this machine in three releases, 
so you have a bit of work to do (three separate upgrade processes). 
Some thoughts, mostly without conclusions:


* If your disk layout is perfect, or at least sufficient, upgrade, don't 
reload.  If the disk layout turned out to be wrong, good time to fix 
it with a reload, rather than upgrade.  (warning: your /usr partition 
will grow by a huge amount for 3.9, 'specially if you have to build 
-stable from source on this machine).
* New applications may need a new disk layout.  On the other hand, you 
may not know what that disk layout should be until after you are testing.
* Disk is cheap.  Buying a new disk, install fresh and test on that.  If 
things go right, you are done, if they go wrong, you can easily revert 
to your existing config until you figure out what went wrong.
* Used computers that run OpenBSD well for many apps are also 
cheap...you could just swap out the whole machine...downtime measured in 
minutes, and a fully tested replacement at that (and very fast reversion 
if your testing sucks)...  Granted, you mentioned Java...so this may not 
apply.
* Look at why you have rejected the advice about keeping your machine 
up-to-date with a supported version of OpenBSD (recommended upgrades 
every six months, no less frequently than annually).  Fix that.
* If you have installed a lot of software without the packages 
mechanism, you may have stuff all over the place that you have no idea 
how to get rid of.
* In your case, you will end up dumping all your installed packages due 
to the 3.6-3.7 compiler upgrade.  Not that this is bad, your installed 
packages usually need to be updated more critically than the base system 
anyway, but something to be aware of.  It does give you a chance to say, 
THIS is what I want on the system, and not that.



As for your co-worker's advice about not doing upgrades, he's wrong.  Of 
course, there is some risk of doing anything to a running system, but 
there is also a risk to doing nothing.  You need to have the systems in 
place to contain the risk of doing the upgrades, so that when there is a 
security hole which turns out to be important, you can IMMEDIATELY and 
without issue implement a practiced and understood process, not a oh, 
sh*t, now what do we do?.  The upgrade process must be part of your plans.


Nick.