Re: network adapters, IP addresses, ports, domain names
You wrote:
> On Thu, Nov 16, 2023 at 03:48:49PM +, Steve Blinkhorn wrote:
> > In a situation where a NetBSD machine (9.2 amd64 if it matters) has
> > multiple network adapters each with multiple IP addresses
> > corresponding to diverse domain names, to what are port numbers
> > uniquely attached?
>
> They're attached to IP addresses, either specific IP addresses or
> unspecified IP address (0.0.0.0 or ::). If the server application
> binds to the unspecified IP address the port is not bindable to specific
> IP addresses by other servers.

So can two different IP addresses on the same adapter each use the same port number, each for its own distinct purposes? I would assume they can, since I run different web servers that use ports 80 and 443 in this way.

(Obviously I have a debugging problem that's irking me, but I think it is not strictly a NetBSD issue - I'm just trying to eliminate wilder possible sources).

Thanks for the swift response, BTW.

-- Steve Blinkhorn
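The port-ownership rule stated in the reply above, as an added example that is not part of the thread: it claims a TCP port on one address and then records which other bind attempts on the same port the kernel refuses. It assumes only a working loopback interface; 127.0.0.2 is a constructed second address that exists on Linux but may not on a stock NetBSD lo0, so the code records the errno rather than failing.

```python
# Added example (not from the thread): port numbers belong to IP
# addresses, not to adapters.  Bind a port on one address, then see
# which other (address, port) claims the kernel accepts or rejects.
import errno
import socket


def _try_bind(addr, port):
    """Bind a fresh TCP socket to (addr, port).

    Returns ("ok", socket) on success, otherwise (errno name, None).
    SO_REUSEADDR is deliberately left off so that the kernel's plain
    address/port ownership rules are what we observe.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, port))
        return "ok", s
    except OSError as e:
        s.close()
        return errno.errorcode.get(e.errno, str(e.errno)), None


def probe_port_ownership(owner_addr, candidates):
    """Bind a kernel-chosen port on owner_addr, then try the same port
    from each candidate address.

    Returns {candidate_addr: "ok" | errno name}.  Expected results:
      owner 127.0.0.1, candidate 0.0.0.0   -> EADDRINUSE
      owner 0.0.0.0,   candidate 127.0.0.1 -> EADDRINUSE (the reply's point)
      owner 127.0.0.1, candidate 127.0.0.1 -> EADDRINUSE
      owner 127.0.0.1, candidate 127.0.0.2 -> "ok" where that address is
                                              configured, else EADDRNOTAVAIL
    """
    status, owner = _try_bind(owner_addr, 0)   # port 0: kernel picks a free one
    if status != "ok":
        raise RuntimeError(f"cannot bind owner socket on {owner_addr}: {status}")
    port = owner.getsockname()[1]
    owner.listen(1)                            # a real server would be listening
    held = [owner]
    result = {}
    for addr in candidates:
        status, s = _try_bind(addr, port)
        result[addr] = status
        if s is not None:
            held.append(s)
    for s in held:
        s.close()
    return result


if __name__ == "__main__":
    print("owner 127.0.0.1:",
          probe_port_ownership("127.0.0.1", ["0.0.0.0", "127.0.0.1", "127.0.0.2"]))
    print("owner 0.0.0.0:  ",
          probe_port_ownership("0.0.0.0", ["127.0.0.1"]))
```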
network adapters, IP addresses, ports, domain names
In a situation where a NetBSD machine (9.2 amd64 if it matters) has multiple network adapters each with multiple IP addresses corresponding to diverse domain names, to what are port numbers uniquely attached?

-- Steve Blinkhorn
getting xpdf etc. to display (a bit urgent)
I run a network of NetBSD machines, and until today accessed them by way of a VNC server accessed through a Windows 10 VNC viewer on a big screen. This afternoon we had a long thunderstorm and two power cuts, and the Windows machine won't reboot.

So I configured an amd64 NetBSD 9.0 machine to run the stock out-of-the-box X11R7 server, but I find that applications like xpdf and gv just sit there; nothing of the document appears on screen. It has to be to do with the X11 server, because those applications on this same machine worked perfectly when accessed through the Windows machine over VNC.

I'm under some pressure, because I have tax returns to file, and I can't read the PDF invoices that need entering into accounting software. I imagine this is something very obvious I'm missing in X11 configuration - suggestions please.

-- Steve Blinkhorn
Re: help with cron/rsync error message
Spot on, thank you.

The upgrade from 7.x/8.x to 9.2 is proving by far the most gruesome I've been through (I started with 2.x IIRC). Because I use NetBSD as a public service delivery platform in remote data centres as well as for software development, standard network services and general office work, upgrade time is scary. The Guide is not all that helpful if you only upgrade once for every major release; it is much more helpful when doing a clean installation. Anything to do with system configuration or services - mostly concentrated in /etc but also including, for instance, /var/cron/tabs - needs protection in the upgrade process. What would be ideal would be a process that never overwrites a customised configuration file with a fresh new default.

I have yet to upgrade the machines that provide primary DNS, mail service, printing services and VNC connectivity because I cannot afford to have them out of action for an extended period, which is what happened with the three machines I have upgraded so far.

Thanks again,

-- Steve Blinkhorn

You wrote:
> On Wed, 16 Nov 2022, Steve Blinkhorn wrote:
>
> > Results are:
> > 1. cron: in pam_vprompt(): no conversation function
>
> I think when you upgraded your machines, you may have extracted all the sets
> except {,x}etc (and, not used sysinst to do the update?).
>
> In 8.x, cron doesn't use PAM, so no /etc/pam.d/cron is present. The cron in
> 9.x is built with PAM support and therefore comes with a PAM config. file.
> When this new cron runs but doesn't find a /etc/pam.d/cron, it spits out
> these errors:
>
> ```
> cron[3913]: (CRON) pam_authenticate failed (System error)
> cron: in pam_vprompt(): no conversation function
> ```
>
> Install the cron PAM file from the 9.2 etc set; and, to forestall any more
> issues of this sort, get etc.tar.xz (and xetc.tar.xz if you've installed X)
> and merge it using etcupdate:
>
> ```
> # etcupdate -s /tmp/etc.tar.xz -s /tmp/xetc.tar.xz
> ```
>
> > File: /usr/lib/libpam.so.4.0
> >
> > String dump of section '.comment':
> > [ 0] GCC: (NetBSD nb2 20150115) 4.8.4
>
> sysinst should've removed all these older versions when it upgraded the
> system, but as none of the symlinks point to it, having it around shouldn't
> cause any problems.
>
> -RVP
Re: help with cron/rsync error message
Thx for picking up my query. Results are:

1. cron: in pam_vprompt(): no conversation function
   (many, many entries - I should have thought to look here first)

2. File: /usr/lib/libpam.so
   String dump of section '.comment':
   [ 0] GCC: (NetBSD nb4 20200810) 7.5.0

   File: /usr/lib/libpam.so.4
   String dump of section '.comment':
   [ 0] GCC: (NetBSD nb4 20200810) 7.5.0

   File: /usr/lib/libpam.so.4.0
   String dump of section '.comment':
   [ 0] GCC: (NetBSD nb2 20150115) 4.8.4

   File: /usr/lib/libpam.so.4.1
   String dump of section '.comment':
   [ 0] GCC: (NetBSD nb4 20200810) 7.5.0

3. String dump of section '.comment':
   [ 0] GCC: (NetBSD nb4 20200810) 7.5.0

4. /usr/lib/security/pam_rootok.so.4: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, for NetBSD 9.2, not stripped

5. -r--r--r-- 1 root wheel 8184 May 12 2021 /usr/lib/security/pam_rootok.so.4

Kind regards,

-- Steve Blinkhorn

You wrote:
> On Tue, 15 Nov 2022, Steve Blinkhorn wrote:
>
> > the cron/rsyncd.conf etc. config in place. I checked that everything
> > ran normally back in July, but now I find /var/log/cron is full of
> > lines like this:
> >
> > Nov 14 22:02:00 trafalgar cron[3913]: (CRON) pam_authenticate failed
> > (System error)
>
> PAM System errors should've been logged. What's the output of these:
>
> ```
> $ fgrep cron /var/log/messages
> $ readelf -p .comment /usr/sbin/cron /usr/lib/libpam.so*
> $ readelf -p .comment /usr/lib/security/pam_rootok.so.4
> $ file /usr/lib/security/pam_rootok.so.4
> $ ls -l /usr/lib/security/pam_rootok.so.4
> ```
>
> -RVP
help with cron/rsync error message
I have two servers next to each other in a data centre. I use cron jobs to back up data each way between the two, using rsync. In the course of this year I have upgraded both to amd64/9.2, but leaving all the cron/rsyncd.conf etc. config in place. I checked that everything ran normally back in July, but now I find /var/log/cron is full of lines like this:

    Nov 14 22:02:00 trafalgar cron[3913]: (CRON) pam_authenticate failed (System error)

hosts allow is set in a [global] module to include the address range that encompasses both machines in both machines' rsyncd.conf files.

Where to start?

-- Steve Blinkhorn
Expanding email aliases
Is there a simple way of expanding an email alias? For instance, imagine a utility called dealias which takes an email alias and returns the list of corresponding email addresses to stdout. I imagine it could be done with a clever-enough use of grep on /etc/mail/aliases and any included files, though whether I'm clever enough with grep to write a RE for "a line starting with an alphanumeric followed by any number of trailing lines beginning with a space character" is to be doubted.

Any suggestions?

-- Steve Blinkhorn
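A "dealias" of the kind asked for above, as an added example that is not part of the thread: it parses the aliases(5) layout the question describes (an entry line, then continuation lines starting with whitespace), follows :include: files and expands nested aliases recursively with a loop guard. The aliases file and include file it builds are constructed sample data, and example.invalid addresses are placeholders.

```python
# Added example (not from the thread): a small "dealias" in Python.
# Format handled:  name: addr1, addr2, ...
# A following line that begins with a space or tab continues the previous
# entry; '#' starts a comment; ":include:/path" pulls in a file with one
# or more addresses per line.  Expansion is recursive with a loop guard.
import os
import re
import tempfile

ENTRY_RE = re.compile(r"^([^\s:#][^:]*):\s*(.*)$")


def _split_members(text):
    return [p.strip() for p in text.split(",") if p.strip()]


def parse_aliases(path):
    """Return {alias: [members]} from an aliases file, joining continuations."""
    entries = {}
    current = None
    with open(path) as f:
        for raw in f:
            line = raw.rstrip("\n")
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            if line[0] in " \t":            # continuation of the previous entry
                if current is None:
                    raise ValueError(f"continuation line with no entry: {line!r}")
                entries[current].extend(_split_members(line))
                continue
            m = ENTRY_RE.match(line)
            if not m:
                raise ValueError(f"cannot parse: {line!r}")
            current = m.group(1).strip().lower()
            entries[current] = _split_members(m.group(2))
    return entries


def _read_include(path):
    """Addresses from an :include: file; '#' comments and blank lines skipped."""
    members = []
    with open(path) as f:
        for line in f:
            line = line.split("#", 1)[0].strip()
            if line:
                members.extend(_split_members(line))
    return members


def dealias(name, entries, _seen=None):
    """Expand one alias to the set of final addresses.

    A member that is itself an alias is expanded recursively, :include:
    files are read, and anything else is taken as a final address.
    """
    seen = set() if _seen is None else _seen
    key = name.lower()
    if key in seen:
        raise ValueError(f"alias loop at {name}")
    if key not in entries:
        return {name}
    seen.add(key)
    out = set()
    for member in entries[key]:
        if member.startswith(":include:"):
            for addr in _read_include(member[len(":include:"):]):
                out |= dealias(addr, entries, seen)
        else:
            out |= dealias(member, entries, seen)
    seen.discard(key)                       # allow the same alias via two paths
    return out


def demo():
    """Build a constructed aliases file plus an :include: file and expand it."""
    d = tempfile.mkdtemp()
    inc = os.path.join(d, "staff.list")
    with open(inc, "w") as f:
        f.write("alice@example.invalid\nbob@example.invalid   # shared desk\n")
    aliases = os.path.join(d, "aliases")
    with open(aliases, "w") as f:
        f.write("# constructed sample\n"
                "postmaster: root\n"
                "root: steve@example.invalid\n"
                "staff: :include:" + inc + "\n"
                "accounts: root, carol@example.invalid,\n"
                "\tstaff,\n"
                "        dave@example.invalid\n")
    return sorted(dealias("accounts", parse_aliases(aliases)))


if __name__ == "__main__":
    print("\n".join(demo()))
```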
Re: how to limit /etc/daily to local only, and clearing bad nfs
You wrote:
> On 27/05/2022 17:18, Steve Blinkhorn wrote:
> > 1. How to limit /etc/daily,weekly,monthly so they do not cross nfs mount
> > points? One of my development systems crashes occasionally when left
> > running a long job after hours. It reboots itself, but nfs
> > connections to it are not restored. What I don't notice is that
> > /etc/daily now hangs on a public-facing machine. Gradually the number
> > of processes increases day by day until I have numerous find, tee,
> > sendmail and sh processes all stuck.
>
> What paths have you got NFS mounted on the client?
>
> I've got 2 BSD systems, both 9.2-STABLE, one of which provides an NFS /home
> and a few other odd paths as well to the other. The /etc/daily process
> on the client isn't scanning the server filesystems in my setup and I'm
> not aware of any specific setting I had to turn on to get that behaviour.
>
> Mike

Some off-list discussion has clarified matters. The fundamental problem is that nfs mounts are not restored automatically when an nfs server is rebooted - and that may happen automatically so the sysadmin is unaware. The connection with /etc/daily (etc.) is that find(1) hangs when it encounters a broken nfs mount point, gets stuck in tstile, and can't be killed. So the process table grows by 4 processes/day (/bin/sh /etc/daily, find, tee, sendmail -t).

I run 6 NetBSD servers, 3 of them public-facing, with numerous nfs cross-mounts for convenience in rapid deployment, and have hit this issue several times since NetBSD-3.0, without realising the root of the problem. The fix is essentially on the rebooted server, though clearing out all the /bin/sh, tee and sendmail processes on the nfs client speeds the resolution.

-- Steve Blinkhorn
Re: how to limit /etc/daily to local only, and clearing bad nfs mounts
More by chance than from a deep understanding of the issue, I found a way of restoring sanity when this happens. As superuser:

1. pkill -9 sendmail tee /bin/sh
2. on each server providing nfs service: nfsd -r

Step 1 just speeds everything up - Step 2 might resolve the issue on its own, but could take quite some time if there is a backlog of stalled processes. I went from around 660 processes per affected server to around 66.

I wish I were clearer about the relationship between nfsd, mount_nfs and rpcbind, because of the implications of a server auto-rebooting after, say, a power cut, when there is significant nfs service between sites.

-- Steve Blinkhorn

You wrote:
> On Fri, 27 May 2022 at 17:18, Steve Blinkhorn wrote:
> >
> > 1. How to limit /etc/daily,weekly,monthly so they do not cross nfs mount
> > points? One of my development systems crashes occasionally when left
> > running a long job after hours. It reboots itself, but nfs
> > connections to it are not restored. What I don't notice is that
> > /etc/daily now hangs on a public-facing machine. Gradually the number
> > of processes increases day by day until I have numerous find, tee,
> > sendmail and sh processes all stuck.
> >
> > I can kill some of the /etc/daily related processes, but
> > not the instances of find. In the past I have been able to resolve
> > the problem by remounting the remote filesystems using mount_nfs, or
> > restarting a crashed rpcbind, but not this time. BTW, these
> > processes all have a PPID of 1.
>
> Well one option would be to disable all the finds by setting the
> various find_*=NO in /etc/{daily,weekly,monthly,security}.conf :-p
> Some options have a little more granularity such as find_core_ignore_paths
>
> It's a pity that the stat() from "find -x" would trigger the nfs mount hang...
>
> > 2. Attempts to do anything involving mountd, mount or df results in a
> > hung process that kill -9 will not remove. I need to find a way of
> > restoring normality that is sure-fire, and based on an understanding
> > of nfs client-side behaviour. I can, of course, reboot, but this is a
> > customer-facing server in a remote data centre, which otherwise is
> > functioning properly.
> >
> > This is 9.2 on amd64, but I don't believe for a moment that this is
> > version-related.
>
> Does switching between tcp and udp mounts make any difference?
> Would using mount_psshfs possibly be an option?
>
> David
how to limit /etc/daily to local only, and clearing bad nfs mounts
1. How to limit /etc/daily,weekly,monthly so they do not cross nfs mount points? One of my development systems crashes occasionally when left running a long job after hours. It reboots itself, but nfs connections to it are not restored. What I don't notice is that /etc/daily now hangs on a public-facing machine. Gradually the number of processes increases day by day until I have numerous find, tee, sendmail and sh processes all stuck. I can kill some of the /etc/daily related processes, but not the instances of find. In the past I have been able to resolve the problem by remounting the remote filesystems using mount_nfs, or restarting a crashed rpcbind, but not this time. BTW, these processes all have a PPID of 1.

2. Attempts to do anything involving mountd, mount or df results in a hung process that kill -9 will not remove. I need to find a way of restoring normality that is sure-fire, and based on an understanding of nfs client-side behaviour. I can, of course, reboot, but this is a customer-facing server in a remote data centre, which otherwise is functioning properly.

This is 9.2 on amd64, but I don't believe for a moment that this is version-related.

-- Steve Blinkhorn
TrueType fonts not showing up
I would be grateful for a pointer to a description of how to ensure TrueType fonts in /usr/X11R7/lib/X11/fonts/TTF are available for use. I have some, but they don't show up with xlsfonts, so I imagine there's some misconfiguration or lack of configuration. I last tangled with X11 fonts a looong time ago.

-- Steve Blinkhorn
Re: groff issue after upgrade to NetBSD-9.2
Thanks, helpful and enlightening, and I am pursuing the Heirloom distribution. Shame about the name, though; it sounds like 'legacy', which has come to mean out-of-date. Troff is one of those software designs that far exceeded in its capabilities the purposes for which it was originally designed.

But I have to dispute the matter of ordinary users not needing to modify files. The DESC file as distributed supposes a North American user base, with the papersize variable set to letter. This has a number of minor implications for layout specification, but also results in printers either demanding that letter-size paper be loaded, which means at the least fiddling with printer settings to pretend that A4 paper is really letter size paper, or in some cases the document just not printing in my experience.

And are people generally happy with the standard PostScript fonts? I find them ugly and old-fashioned for the most part. We dropped Palatino as our standard house style once PostScript printers came along - its version of Palatino is much uglier than the one we used with DEC LN03 laser printers way back. The fact that the Heirloom release has much more flexible font-file handling is a real benefit: it was sweated labour converting our font collection to be usable with groff (but it is a big collection).

-- Steve Blinkhorn

You wrote:
> At Fri, 4 Mar 2022 17:26:23 + (UTC), st...@prd.co.uk (Steve Blinkhorn)
> wrote:
> Subject: Re: groff issue after upgrade to NetBSD-9.2
>
> > Unpacking the textproc set overwrites files like
> > /usr/share/groff_font/devps/DESC and devps/download, and maybe other
> > files which have been adapted or expanded locally. The unpacking
> > process follows any symbolic link that devps has been set to rather
> > than overwriting the symbolic link with a hard directory. Fortunately
> > I have backups. Would this not be worth a warning in the installation
> > guide - it's a similar issue to /etc, where precious localisations
> > risk being lost?
>
> Yeah, I would say most of those are not normally files that any end user
> would be expected to localise.
>
> I think the best you can hope for is, perhaps, in a future upgrade
> if/when syspkgs are used, that there may someday be some conflict
> detection for locally modified system files.
>
> That said, you could also add any system files you've customised to
> /etc/mtree/special.local and they'll be backed up, with complete daily
> automatic version control, into /var/backups by /etc/security. See
> "check_changelist" in security.conf(5).
>
> > I know there is a move not to include groff etc. in the main
> > distribution, but some of us use it extensively: I have substantial
> > software systems which emit *roff source files, it's not just a
> > manpage generator.
>
> Perhaps you would be a lot happier with a more modern troff?
>
> I would suggest trying out pkgsrc/textproc/heirloom-doctools
>
> Despite the name, these are quite modernised versions of the original
> true AT&T Troff and related tools from what was effectively the
> Documenter's Workbench. These tools even have a special "groff"
> compatibility mode if indeed you depend on any Groff extensions.
>
> See https://n-t-roff.github.io/heirloom/doctools.html
>
> (There is also a port of old DWB-3 (3.3b) in pkgsrc/textproc/DWB, but it
> has not been modernised nearly so much.)
>
> One potentially huge advantage of using doctools over the base-system
> groff would be that you can much more easily customise (and test!) the
> tools and their configuration by applying local patches via pkgsrc.
>
> That said I've long argued for these heirloom-doctools to be used to
> replace the base system Groff, and I would still strongly suggest that
> be done.
>
> --
> Greg A. Woods
> Kelowna, BC +1 250 762-7675 RoboHack
> Planix, Inc. Avoncote Farms
Re: groff issue after upgrade to NetBSD-9.2
Answer: Unpacking the textproc set overwrites files like /usr/share/groff_font/devps/DESC and devps/download, and maybe other files which have been adapted or expanded locally. The unpacking process follows any symbolic link that devps has been set to rather than overwriting the symbolic link with a hard directory. Fortunately I have backups.

Would this not be worth a warning in the installation guide - it's a similar issue to /etc, where precious localisations risk being lost?

I know there is a move not to include groff etc. in the main distribution, but some of us use it extensively: I have substantial software systems which emit *roff source files, it's not just a manpage generator.

-- Steve Blinkhorn

You wrote:
> This is on amd64, but I doubt that that's relevant.
>
> I have an extensive collection of fonts for PostScript, so
> /usr/share/groff_font/devps is a symbolic link to a /fonts directory. It
> has been so since NetBSD-1.x and before that on BSD/OS and before that
> into the mists of time.
>
> I upgraded to NetBSD-9.2 several days ago, and suddenly my standard
> document formats come out all wrong. The glyphs for the
> variously-acquired (e.g. bought from Linotype) fonts do not seem to be
> available, and the font metrics are wrong for the glyphs that do
> appear.
>
> I have a practical solution for the moment: if I mount_nfs a backup
> copy of the same fonts directory on a remote server and point
> groff_font/devps at that instead, everything goes back to normal.
>
> Anyone have any insight into why migrating from 7.0 to 9.2 might cause
> such a problem?
>
> --
> Steve Blinkhorn

-- Steve Blinkhorn

This email is for the addressee only. If you are not the addressee you should immediately delete this email from your system(s) and inform us. It may contain information that is confidential or otherwise privileged, and should not be copied or redistributed to recipients not originally specified as addressees without permission.

S F Blinkhorn MA PhD CPsychol FBPsS, Managing Director, Psychometric Research & Development Ltd.
PO Box 1143, St Albans, Herts, AL1 9UT, UK
Registered in England No. 1909571
Registered Office: Verulam Point, Station Way, St Albans, Herts, AL1 5HE
Phone: +44 (0)1727 841455
http://www.prd.co.uk
groff issue after upgrade to NetBSD-9.2
This is on amd64, but I doubt that that's relevant.

I have an extensive collection of fonts for PostScript, so /usr/share/groff_font/devps is a symbolic link to a /fonts directory. It has been so since NetBSD-1.x and before that on BSD/OS and before that into the mists of time.

I upgraded to NetBSD-9.2 several days ago, and suddenly my standard document formats come out all wrong. The glyphs for the variously-acquired (e.g. bought from Linotype) fonts do not seem to be available, and the font metrics are wrong for the glyphs that do appear.

I have a practical solution for the moment: if I mount_nfs a backup copy of the same fonts directory on a remote server and point groff_font/devps at that instead, everything goes back to normal.

Anyone have any insight into why migrating from 7.0 to 9.2 might cause such a problem?

-- Steve Blinkhorn
Re: where is device manufacturer/model kept?
You wrote:
> On Mon, Jun 28, 2021 at 04:27:33PM +, Steve Blinkhorn wrote:
> > FWIW this is what I put in my (Tcl) script:
> >
> > set vendorprod [split [exec /sbin/sysctl -n machdep.dmi.system-vendor \
> > machdep.dmi.system-product machdep.dmi.system-version] "\n"]
> >
> > It turns out that different machines may have either of the last two
> > blank but not empty, with the product's name arbitrarily in one position or
> > the other.
>
> If you are not restricted to x86, another popular sysctl for this kind
> of information is hw.model.
>
> Martin

All my NetBSD systems (8 machines, 3 manufacturers) are currently amd64 and all report identically:

    %/sbin/sysctl hw.model
    hw.model = Intel 686-class

whereas, for instance:

    %/sbin/sysctl machdep.dmi.
    machdep.dmi.system-vendor = FUJITSU
    machdep.dmi.system-product = ESPRIMO Q520
    machdep.dmi.system-version =
    machdep.dmi.system-serial = YLRX022851
    machdep.dmi.system-uuid = 8f38d6c8-9d4b-bd4f-af96-1c5477d1d160
    machdep.dmi.bios-vendor = FUJITSU // American Megatrends Inc.
    machdep.dmi.bios-version = V4.6.5.4 R1.17.0 for D3223-A1x
    machdep.dmi.bios-date = 20140306
    machdep.dmi.board-vendor = FUJITSU
    machdep.dmi.board-product = D3223-A1
    machdep.dmi.board-version = S26361-D3223-A1
    machdep.dmi.board-serial = 44524519
    machdep.dmi.board-asset-tag =

This information is not available in a Xen-virtualised environment, where, for instance:

    %/sbin/sysctl machdep.
    machdep.fpu_present = 1
    machdep.osfxsr = 1
    machdep.sse = 1
    machdep.sse2 = 1
    machdep.cpu_brand = AMD EPYC 7402P 24-Core Processor
    machdep.sparse_dump = 1
    machdep.tsc_freq = 0
    machdep.pae = 1
    machdep.fpu_save = 3
    machdep.fpu_save_size = 832
    machdep.xsave_features = 0
    machdep.idle-mechanism = xen
    machdep.xen.suspend = 0
    machdep.xen.balloon.current = 1278984
    machdep.xen.balloon.target = 1278984
    machdep.xen.balloon.min = 1024
    machdep.xen.balloon.max = 1278984

-- Steve Blinkhorn
Re: where is device manufacturer/model kept?
You wrote:
> Date:Mon, 28 Jun 2021 12:18:50 + (UTC)
> From:RVP
> Message-ID: <556bb7f-3792-635e-86ed-6d7c6b752...@sdf.org>
>
> | echo $(sysctl -n machdep.dmi.system-vendor)
>
> That's a convoluted way of writing
> sysctl -n machdep.dmi.system-vendor
> and one which could fail if the string just happened to contain
> the "wrong" characters (depending upon which version of echo is
> being used for which are "wrong" for this purpose).
>
> kre

FWIW this is what I put in my (Tcl) script:

    set vendorprod [split [exec /sbin/sysctl -n machdep.dmi.system-vendor \
        machdep.dmi.system-product machdep.dmi.system-version] "\n"]

It turns out that different machines may have either of the last two blank but not empty, with the product's name arbitrarily in one position or the other.

-- Steve Blinkhorn
Re: where is device manufacturer/model kept?
Thanks for this. I had just got there myself when your email came in - sysctl(8) is not in my habitual foraging territory, but the (?new) online version of the manual guided me once I'd worked out that section 8 was the most likely home for something like this.

Grabbing the line from /var/run/dmesg.boot itself isn't guaranteed to work - on one of my currently-running machines the file starts with many lines reflecting an arp problem, and continues thus:

    uhub2: port 2 reset failed
    uhub4 at uhub2 port 2: Terminus Technology USB 2.0 Hub, class 9/0, rev 2.00/1.11, addr 3
    uhub4: single transaction translator
    uhub4: 4 ports with 4 removable, self powered
    uhidev0 at uhub4 port 3 configuration 1 interface 0
    uhidev0: Logitech USB Receiver, rev 1.10/15.00, addr 4, iclass 3/1...

-- Steve Blinkhorn

You wrote:
> On Mon, 28 Jun 2021, Steve Blinkhorn wrote:
>
> > Is there some way of accessing this string from a shell-level command?
>
> echo $(sysctl -n machdep.dmi.system-vendor)
> echo $(sysctl -n machdep.dmi.system-product)
>
> -RVP
where is device manufacturer/model kept?
I can see in /var/run/dmesg.boot, immediately before the line beginning "mainbus 0", a string identifying the machine's manufacturer and model name. Is there some way of accessing this string from a shell-level command?

-- Steve Blinkhorn
groff, utf-8, preconv, -k
Why does NetBSD not have either the preconv preprocessor or the -k option to groff to cope with utf-8 input, the way Linux and MacOS distros have? Or is one or the other present in a NetBSD version I haven't installed yet?

-- Steve Blinkhorn
Re: .cshrc elm and PIDs
You wrote:
> >/dev/null to the pgrep line.
>
> To track down the cause...
> Are you running this script in the background, or re-running it
> periodically (at a time which would account for the PID showing up in
> the text)?
> Maybe add a "date >> $HOME/log" to the script to record when it gets run
>
> On the ~ - is that form within elm or within vi-in-elm? (Sorry, it's
> been too long since I switched to pine for my elm neurons :-p
>
> David
> Do you have any of your setup conditionalised on being in an interactive
> shell?

Blackholing the output of pgrep seems to have fixed it. Without that the PID of any running elm process on that account shows up on a line by itself after the "you have mail" notification before the first csh prompt, before the ~ if trying to read from a file in vi, or running an external program over part of a vi buffer. It's not restricted to vi-in-elm, so elm itself is probably not implicated. I imagine it's left hanging around in a buffer in the shell and never gets cleared down.

Thanks for spending so many action potentials (and glial cell support - never forget the glia) on my issue.

-- Steve Blinkhorn
.cshrc elm and PIDs
I monitor incoming emails on several user accounts in xterms stacked in one icewm workspace. Being long in the tooth I use elm for email and csh as my shell, and have done since the Dawn of Time. If a system reboot is needed, setting these (and various other workspaces) up by hand can be laborious. So my X startup files are configured to start a whole bunch of xterms in a handful of workspaces, and elm is started for the first xterm for each user account from .cshrc thus:

    pgrep -u `id -u` elm
    if ($status == 1) then
        elm
        if ($status == 1) then
            CM
            elm
        endif
    endif

So we:
- check for the existence of an elm PID, failing which run elm
- if elm fails (always because a temporary file already exists), use CM (a local alias that removes the temporary file)
- run elm

This makes a restart to the point where I can work very much faster. BUT the PID for the successful elm process keeps showing up in the text when I'm writing emails, and ~ substitution doesn't work within elm, e.g. for reading in the content of signature files (I use vi as my editor, but I suppose you guessed that).

There is only one further line in the .cshrc files, which is

    umask 022

I'm guessing that umask is internal to csh, so elm is the last process to be started from .cshrc. But I'd like to understand what's going on as well as fix it.

-- Steve Blinkhorn
utf-8, English, Japanese
What is current best practice for working with UTF-8 encoding? I have a project which requires editing of mixed English and Japanese text. Setting LC_ALL to en_GB.UTF-8 causes the warning:

    Warning: locale not supported by C library, locale unchanged

with every X-related command, but I do not know which C library. Vim fails to display Japanese characters in an xterm, but will if it is called via a uxterm, which seems to have no manpage for NetBSD.

-- Steve Blinkhorn
MAC addresses
Is there any way to access the MAC addresses of network interface devices programmatically?

-- Steve Blinkhorn
remote printing.
I have various NetBSD machines in different physical locations and network segments, and one printer by my desk. With previous printers I was able to access them directly from remote machines over their network interfaces, but the latest one will not accept a connection from outside the local network.

I'm trying to get a local machine (currently 7.0) to allow access to its queues. I have appropriate settings in hosts.equiv, hosts.allow and hosts.lpd. On a sample remote machine, jobs are in appropriate queues, with the message from `lpc status`:

    waiting for queue to be enabled on yourmachine.prd.co.uk.

I have restarted lpd on the target machine without the -s option. In the remote /etc/printcap rp=colour, which is the printer name on the local machine.

What am I missing?

-- Steve Blinkhorn
setup for English/Japanese
I would welcome advice on the sequence of steps needed to get vim to work on files that are mixed English and Japanese, utf-8. I run stock NetBSD 7.0 on amd64, and habitually (it's a long-standing habit) use csh. There are several vim versions in pkgsrc; there is a tutorial document on netbsd.org that seems to recommend using urxvt, and makes mention of a few shells but not csh. I've spent half a day trying to get things to work without success (on MS Windows I just call up gvim and it works out of the box, but that's very inconvenient in other ways).

Is there a step-by-step guide anywhere?

-- Steve Blinkhorn
Re: Letsencrypt certificates
Problem resolved. The issue turned out to be unwanted quotation marks around the key name in named.conf. The error messages in both acme.sh and nsupdate were less than helpful (even with an enhanced debug level), but Dima's simple but effective example of how to add and delete an RR gave me an easier way forward than other examples I had seen that were more complex and error prone.

I suppose having had a go at Python I might turn my gaze to Perl...

-- Steve Blinkhorn

You wrote:
> On 10/22, Steve Blinkhorn wrote:
> > > On 10/22, Andreas Gustafsson wrote:
> > > FWIW, certbot from pkgsrc works for me (py27-certbot-0.27.0 on NetBSD
> > > 7.2).
> > Isn't it a strange idea to have packages named first for the language
> > they're written in and only second by a name that suggests their
> > function? Is Python a cult, I begin to wonder, forcing people to read
> > through lists of unwanted names in the hope of finding what they want.
>
> That is rather strange. If it were a library, I could understand, but
> when the software is clearly called Certbot at
>
> https://certbot.eff.org/
>
> and the distfile is certbot-.tar.gz, it's surprising that the
> pkgsrc package name is not just certbot.
>
> I don't think it's a Python thing since there are packages for programs
> in pkgsrc written mostly in Python that have not done that. For
> example, there's
>
> devel/mercurial
>
> But wait, what?! It seems that
>
> devel/mercurial
>
> is a meta package that includes
>
> devel/py-mercurial
>
> So, maybe it *is* a Python thing! That seems really bizarre.
>
> pkgsrc Masters, what's the story?
>
> Lewis
Re: Letsencrypt certificates
Isn't it a strange idea to have packages named first for the language they're written in and only second by a name that suggests their function? Is Python a cult, I begin to wonder, forcing people to read through lists of unwanted names in the hope of finding what they want. Come back, L. Ron Hubbard, all is forgiven.

Thanks, may give it a try if current approach fails.

-- Steve Blinkhorn

You wrote:
> Steve Blinkhorn wrote:
> > I run multiple web servers on several distinct machines in each of four
> > different domains, which makes the Letsencrypt proposition very
> > attractive. After trying Certbot without much success, I lit upon
> > acme.sh, which offers the possibility of authentication using
> > nsupdate(1).
>
> FWIW, certbot from pkgsrc works for me (py27-certbot-0.27.0 on NetBSD 7.2).
> --
> Andreas Gustafsson, g...@gson.org
Letsencrypt certificates
I run multiple web servers on several distinct machines in each of four different domains, which makes the Letsencrypt proposition very attractive. After trying Certbot without much success, I lit upon acme.sh, which offers the possibility of authentication using nsupdate(1). However the process fails, and the relevant error message says:

Error add txt for domain:_acme-challenge.prd.co.uk

I note that the man page for nsupdate(1) says:

To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server. nsupdate does not read /etc/named.conf.

I am trying to work out whether that means that the keyfile contents must be manually added to the zone file, because in named.conf I have an include line for update.key which contains the path to that key, so it should be there already.

I note that on the acme.sh site there is a long list of *nix-style OSs on which success has been reported, but not NetBSD.

-- Steve Blinkhorn
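The add/delete of the `_acme-challenge` TXT record that this thread is about, as an added sh(1) example that is not part of the original posts or of acme.sh: it builds the nsupdate(1) batch, feeds it to `nsupdate -k`, and polls with dig(1) until the record is visible. The name server `ns.example.org`, the key file path `/etc/namedb/keys/acme.key`, the 60 second TTL and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from acme.sh).
# Assumed settings; override from the environment.
: "${ACME_NS:=ns.example.org}"               # server that accepts the updates
: "${ACME_KEY:=/etc/namedb/keys/acme.key}"   # TSIG key file for nsupdate -k
: "${ACME_TTL:=60}"

# build_update add|delete DOMAIN [TOKEN]
# Prints the nsupdate batch on stdout. The token is checked first: it is
# pasted into a command stream, so anything beyond base64url characters
# (quotes, spaces, newlines) is rejected instead of being sent to the server.
build_update() {
    action=$1 domain=$2 token=${3:-}
    name="_acme-challenge.${domain}."
    case $action in
    add)
        case $token in
        ''|*[!A-Za-z0-9_-]*) echo "build_update: bad token" >&2; return 1 ;;
        esac
        printf 'server %s\n' "$ACME_NS"
        printf 'update add %s %s IN TXT "%s"\n' "$name" "$ACME_TTL" "$token"
        printf 'send\n'
        ;;
    delete)
        printf 'server %s\n' "$ACME_NS"
        printf 'update delete %s IN TXT\n' "$name"
        printf 'send\n'
        ;;
    *)
        echo "build_update: action must be add or delete" >&2; return 2
        ;;
    esac
}

# run_update add|delete DOMAIN [TOKEN]
# Feeds the batch to nsupdate. The key name inside the key file must be the
# same name that named.conf's allow-update / update-policy refers to.
run_update() {
    batch=$(build_update "$@") || return $?
    printf '%s\n' "$batch" | nsupdate -k "$ACME_KEY"
}

# wait_for_txt DOMAIN TOKEN [TRIES]
# Polls the authoritative server until the TXT record is visible, so the
# ACME validation is only triggered once the record is really there.
wait_for_txt() {
    domain=$1 token=$2 tries=${3:-10}
    while [ "$tries" -gt 0 ]; do
        if dig +short TXT "_acme-challenge.$domain" "@$ACME_NS" \
             | grep -qxF "\"$token\""; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 5
    done
    echo "wait_for_txt: record not visible on $ACME_NS" >&2
    return 1
}

# Typical sequence (the shape of a DNS API hook):
#   run_update add prd.co.uk "$TOKEN" && wait_for_txt prd.co.uk "$TOKEN"
#   ... let the ACME server validate ...
#   run_update delete prd.co.uk
```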
mailcap and Microsoft OOXML
Can a mailcap entry make an attachment with these headers:

Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Description: Microsoft OOXML
Content-Disposition: attachment; filename="acctkey.xlsx"

be read with scalc? More generally, is there a way of parsing the Content-Description header along with the Content-Type to cope with application/octet-stream attachments? I get a lot of spreadsheet attachments, some of which start up scalc and some don't and have to be manually saved and opened outside the mail reader. Or is this something specific to individual mail readers (being of Jurassic vintage I use elm).

-- Steve Blinkhorn
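mailcap(5) matches on Content-Type only, so one way round the question above is to hand every `application/octet-stream` part to a wrapper that looks at the bytes rather than the headers. The script below is an added example, not part of the post or of any mail reader; the `octet-open` name, its path in the sample mailcap line and the `scalc`/`swriter` wrappers are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Intended to be called from a mailcap
# entry such as (hypothetical path):
#   application/octet-stream; /usr/local/bin/octet-open %s; needsterminal
# The declared type and Content-Description are ignored: the attachment is
# classified from its own bytes, and only recognised spreadsheets reach scalc.

# classify_ooxml FILE -> prints xlsx, xlsm, docx, pptx or unknown on stdout
classify_ooxml() {
    f=$1
    # Every OOXML document is a zip archive, so it starts with "PK\003\004".
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "504b0304" ]; then
        echo unknown; return 1
    fi
    # zip keeps member names in clear text, so the package's main part
    # (workbook, document, presentation) can be found without unpacking.
    if LC_ALL=C grep -aq 'xl/workbook\.xml' "$f"; then
        # a vbaProject part means macros: report it as xlsm, not plain xlsx
        if LC_ALL=C grep -aq 'xl/vbaProject\.bin' "$f"; then
            echo xlsm
        else
            echo xlsx
        fi
    elif LC_ALL=C grep -aq 'word/document\.xml' "$f"; then
        echo docx
    elif LC_ALL=C grep -aq 'ppt/presentation\.xml' "$f"; then
        echo pptx
    else
        echo unknown; return 1
    fi
}

# octet_open FILE -> opens recognised macro-free spreadsheets with scalc,
# leaves everything else on disk for manual inspection.
octet_open() {
    case $(classify_ooxml "$1") in
    xlsx) scalc "$1" ;;
    docx) swriter "$1" ;;
    xlsm) echo "octet-open: $1 is a macro-enabled workbook, not opened" >&2; return 1 ;;
    *)    echo "octet-open: $1 is not an OOXML document, left unopened" >&2; return 1 ;;
    esac
}
```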
Re: combining /var/mail files
Well because of the well-defined date/time of the inaccessibility of our regular mail server, I was able to split the target /var/mail files and drop in the files from the remote VPS without difficulty. Thanks for the help.

-- Steve Blinkhorn

You wrote:
> Steffen Nurpmeso wrote in <20180823233749.gtg7b%stef...@sdaoden.eu>:
> |st...@prd.co.uk wrote in <20180823174137.6b0ef46...@monroe.prd.co.uk>:
> ...
> |Otherwise you could use my BSD Mail clone which also tries to get the
> |former right -- the POSIX standard and Unix traditional only use
> |"From xy", whereas the standard RFC 4155 is more strict, and that
> |can cause misinterpretations by some software.
> ...
>
> I have to point out that we do _not_ reencode mail messages yet, which we will be able to do in a few years from now on. I.e., the correct way to deal with that would be to detect the mess, then recreate the message from scratch as necessary, and use some kind of MIME encoding to prevent misinterpretation.
>
> But for now we unfortunately only use the most basic and only truly portable form of the traditional "From " quoting mechanism, and prepend a ">" to any "^From " that happens to exist inside a message body.
> It may nonetheless be better than "cat && echo && cat" for such cases.
>
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)

-- Steve Blinkhorn

This email is for the addressee only. If you are not the addressee you should immediately delete this email from your system(s) and inform us. It may contain information that is confidential or otherwise privileged, and should not be copied or redistributed to recipients not originally specified as addressees without permission. S F Blinkhorn MA PhD CPsychol FBPsS, Managing Director, Psychometric Research & Development Ltd. PO Box 1143, St Albans, Herts, AL1 9UT, UK Registered in England No. 1909571 Registered Office: Verulam Point, Station Way, St Albans, Herts, AL1 5HE Phone: +44 (0)1727 841455 http://www.prd.co.uk
Re: Reading older disks
You wrote:
> On 2018-08-23 09:03 PM, John Nemeth wrote:
> > On Aug 23, 5:36pm, st...@prd.co.uk wrote:
> > } I cheated - I found a memory module that fitted and got the system to
> > } boot. Did we really once find 356MBytes adequate?
> >
> > 365MB?!? My first hard drive was 40MB and that was considered fairly large for the day.
>
> My first HD was 5MB. Later the systems came with 11MB. Then one day I scored a brand new 20MB drive. I had to patch the CP/M binary in order to access it.
>
> --
> D'Arcy J.M. Cain
> http://www.NetBSD.org/ IM:da...@vex.net

This could rapidly become the "Four Yorkshiremen" sketch from Monty Python. I had an early IBM PC with *two* floppy drives, but the first Unix box I ran rather than just used was an NCR Tower which started off with 512KBytes of RAM, later upgraded to a whole MByte, with a 40MByte drive. Eventually I ran twelve dumb terminals off it, and it worked, but that was 35 years ago. But then I go back to the time when dropping your deck of punch cards was tantamount to a "short sharp shock" jail sentence.

-- Steve Blinkhorn
Re: swap space in file on inconsistent file system
You wrote: > > > One useful tool to keep to hand is a USB key with a standard install > that runs dhcpcd and sshd (and optionally openvpn back to a known > server), so as long as the BIOS is set to boot USB first and you can > get someone to plug it in you always have a remote accessible fallback > boot option > > David > Yes, and why not? Only that the current colo provider won't do that kind of thing (or anything other than a power cycle). The original provider (now swallowed up four or five times over) provided excellent competent support and backup. But when I asked to have a replacement server in the space (which I have paid for on an annual contract) previously occupied by this machine's defunct twin, I was referred to a sales team in Sofia, Bulgaria, who now say there is no record of my having colo space. On the new replacement machines I have four distinct ways of booting, including from a DVD-RAM as a last resort, plus a proper remote management console independent of the motherboard. Thanks for the thoughtful suggestions (and to the others who replied off-list). -- Steve Blinkhorn
Re: swap space in file on inconsistent file system
You wrote:
> On 7 June 2018 at 14:03, Steve Blinkhorn wrote:
> > I have a remote server (about to be replaced, but still in service and needs to stay that way until a replacement is fully commissioned) that has just developed a single bad sector. The result has been that automatic backups using rsync have failed, and manual intervention is needed.
> >
> > There are also numerous sleeping processes that refuse to be killed, almost all in the 'tstile' state (this is i386 7.0).
>>snip<<
> > How should I proceed?
>
> First action might be to add a --exclude to the rsync (or move the affected file to a different location on the filesystem excluded from rsync).
>
> You could work out the affected block and dd zeros to it via the raw device, but if the system is going away I'd probably not worry about that.
>
> Other questions which might affect approach include:
> - How long before the new system is deployed
> - Do you know if the system would reboot cleanly
> - Is the root filesystem clean
>
> David

The root filesystem is clean, but /var is not. I'm arranging a new colo provider for the replacement servers after shockingly bad service from Easynet/Interoute (now GTT) - they emailed me today to say they have no record of our having colo space with them, but that they are "progressing internally" our request to replace our servers with new ones, two and a half *months* since we had to remove one after it failed.

I am calculating the risks associated with a reboot, and contemplating editing /etc/fstab so that /var and /opt (where the bad sector is) are not fsck'd at reboot. If it drops down to single-user mode I have no way of recovering the situation (no remote console), so for the time being I'm nursing the system along - and to be fair to it it is running normally from a user's point of view.

-- Steve Blinkhorn
swap space in file on inconsistent file system
I have a remote server (about to be replaced, but still in service and needs to stay that way until a replacement is fully commissioned) that has just developed a single bad sector. The result has been that automatic backups using rsync have failed, and manual intervention is needed.

There are also numerous sleeping processes that refuse to be killed, almost all in the 'tstile' state (this is i386 7.0).

#top
140 processes: 133 sleeping, 5 zombie, 2 on CPU
CPU states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
Memory: 107M Act, 63M Inact, 6968K Wired, 13M Exec, 11M File, 160M Free
Swap: 1128M Total, 345M Used, 783M Free

Most of the swap space is in a file on the file system concerned. fsck -n on the other file systems shows a small handful of unreferenced files in /var (a separate file system), but no other issues.

I need to get this machine into a sane condition without being able to access it in single user mode (because there is no remote console access). How should I proceed?

-- Steve Blinkhorn
Re: X11R7 on amd64: Undefined PLT symbol "_XGetRequest" (symnum = 99)
You wrote:
> . . .
> Not what you asked, but 7.0 is old relative to the netbsd-7 branch (and 7.1.x), and unless you have an existing 7.0 install in large-customer-facing production (doesn't sound like that :), you are probably better off with newer.

Really I want to move to 8.0 (and have had to put 8.0 RC1 on some new servers for the sake of USB drivers), but a release upgrade is a significant upheaval (8 machines to migrate), and there is the possibility of unintended breakages, as with the move from 5.x to 7.0.

> . . .
>
> Make really sure there are no extra/newer X libraries. And that you don't have modular X installed from pkgsrc (X11_TYPE=modular).

X is stock off-the-ISO-image. Is there an efficient way to check for extra/newer libraries? Of course what would be really nice would be if someone else had had the same problem and resolved it.

-- Steve Blinkhorn
Re: X11R7 on amd64: Undefined PLT symbol "_XGetRequest" (symnum = 99)
#nm libX11.so | grep _XGetRequest
0006cabc T _XGetRequest
# file libX11.so.7.0
libX11.so.7.0: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, for NetBSD 7.0, not stripped
# file /netbsd
/netbsd: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for NetBSD 7.0, not stripped

-- Steve Blinkhorn

You wrote:
> On Fri, May 25, 2018 at 11:48:36AM +, Steve Blinkhorn wrote:
> > Libreoffice I have both done as a pkg_add from the binary on the netbsd.org ftp site and as a local pkgsrc build. Firefox-59.0.2 just from the netbsd.org ftp site. I don't think it's as simple as just not being linked with -lX11 because the libreoffice banner shows up and only then is there the fatal error. Also, if it weren't linked
>
> Maybe a dlopen'ed module ? Or maybe symbols are resolved lazily (I don't know such details of shared libraries).
>
> > with -lX11, why would the error message specify the libXext shared library (which is present and apparently the correct version for NetBsd 7.0). But
> >
> > # strings /usr/X11R7/lib/libXext.so.7 | grep XGetRequest
> > _XGetRequest
>
> nm /usr/X11R7/lib/libXext.so|grep _XGetRequest
> U _XGetRequest
> nm /usr/X11R7/lib/libX11.so| grep _XGetRequest
> 0006d971 T _XGetRequest
>
> XGetRequest is used in libXext but defined in libX11
>
> --
> Manuel Bouyer
> NetBSD: 26 ans d'experience feront toujours la difference
> --
Re: X11R7 on amd64: Undefined PLT symbol "_XGetRequest" (symnum = 99)
Libreoffice I have both done as a pkg_add from the binary on the netbsd.org ftp site and as a local pkgsrc build. Firefox-59.0.2 just from the netbsd.org ftp site. I don't think it's as simple as just not being linked with -lX11 because the libreoffice banner shows up and only then is there the fatal error. Also, if it weren't linked with -lX11, why would the error message specify the libXext shared library (which is present and apparently the correct version for NetBsd 7.0). But # strings /usr/X11R7/lib/libXext.so.7 | grep XGetRequest _XGetRequest -- Steve Blinkhorn You wrote: > > On Fri, May 25, 2018 at 10:18:18AM +, Steve Blinkhorn wrote: > > This problem has plagued me since I moved to 7.0 on amd64 from 5.x > > on i386, and I can't get any traction on it from scanning various > > sites where the same or very similar reports are to be found. > > > > "/usr/X11R7/lib/libXext.so.7: Undefined PLT symbol "_XGetRequest" (symnum = > > 99)" > > prevents me from using libreoffice5 and firefox-59.0.2 to name two > > How did you build these packages ? It looks like they were linked without > -lX11 ... > > -- > Manuel Bouyer > NetBSD: 26 ans d'experience feront toujours la difference > -- >
X11R7 on amd64: Undefined PLT symbol "_XGetRequest" (symnum = 99)
This problem has plagued me since I moved to 7.0 on amd64 from 5.x on i386, and I can't get any traction on it from scanning various sites where the same or very similar reports are to be found.

"/usr/X11R7/lib/libXext.so.7: Undefined PLT symbol "_XGetRequest" (symnum = 99)"

prevents me from using libreoffice5 and firefox-59.0.2 to name two packages I would otherwise use on a daily basis, but there are several others I have tried with the same outcome. For a long time I thought the problem was because I mostly work over vnc, and that maybe I needed to move from vanilla vncserver to tigervnc. But tigervnc built locally has the same problem. So I set up a machine with a directly-connected console using stock X11 from the 7.0 distribution - same problem.

I can't believe I'm the only person to run into this, so either I'm too dumb to recognise something obvious to most, or I'm just not using the right search terms to identify the issue.

-- Steve Blinkhorn
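The "extra/newer X libraries" question raised in this thread, as an added sh(1) example that is not part of the posts: one function reads ldd(1) output (the `-lX11.7 => /usr/X11R7/lib/libX11.so.7` form NetBSD prints) and lists libraries resolved from directories other than the stock ones; the other reports library names that exist in more than one library directory, which is how a stale or pkgsrc copy shadows the base one. The directory lists in the comments and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for a binary that fails
# with an undefined PLT symbol in an X library: which directories it really
# resolves its libraries from, and whether the same library name is present
# in more than one directory (stock /usr/X11R7/lib beside /usr/pkg/lib).

# foreign_libs "DIR DIR ..." < ldd-output
# Reads `ldd BINARY` output, lines like "-lX11.7 => /usr/X11R7/lib/libX11.so.7",
# and prints every library resolved from a directory not in the list.
# Exit status 1 if any were found. (Paths containing spaces are not handled.)
foreign_libs() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "=>" && $3 ~ /^\// {
            dir = $3; sub(/\/[^\/]*$/, "", dir)     # strip the file name
            if (!(dir in ok)) { print $3; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# dup_sonames DIR... -> prints each libNAME.so.N that exists in two or more of
# the given directories, followed by its paths. Exit status 1 if any exist.
dup_sonames() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/lib*.so.*; do
            [ -e "$f" ] || continue               # unmatched glob
            printf '%s %s\n' "${f##*/}" "$f"
        done
    done | sort | awk '
        { paths[$1] = paths[$1] " " $2; count[$1]++ }
        END {
            for (n in count) if (count[n] > 1) { print n ":" paths[n]; dup = 1 }
            exit dup ? 1 : 0
        }'
}

# Typical use on the machine from the thread (directories assumed):
#   ldd /usr/pkg/bin/soffice | foreign_libs "/lib /usr/lib /usr/X11R7/lib"
#   dup_sonames /usr/X11R7/lib /usr/pkg/lib /usr/local/lib
```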
samba and Windows 10
The Windows 10 box I use alongside a clutch of NetBSD boxes is suddenly refusing to map my samba shares as disks, and refusing smbclient connections, saying they are SMBv1 which is insecure. This happened without any warning, and has left me scratching around with ftp to do necessary transfers.

I normally have a couple of shares permanently mounted, and my guess is, reading what information I can find, that somehow I have made no active use over the past couple of weeks, so Windows has silently disabled the relevant module.

So is the standard samba distribution (NetBSD 7.0.1) insecure? Remedies?

-- Steve Blinkhorn
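The message Windows 10 gives about SMBv1 is about the dialects the server offers, which smb.conf controls through the `server min protocol` / `server max protocol` options (the older `min protocol` / `max protocol` spellings are synonyms). The audit below is an added example, not from the post: it reads the [global] section of an smb.conf and reports whether SMB1 is still offered and whether anything Windows 10 will accept is offered at all. The defaults assumed for unset options depend on the installed Samba version (the default minimum was NT1 before Samba 4.11 and SMB2_02 from 4.11 on); `testparm -sv | grep protocol` prints the effective values.

```shell
#!/bin/sh
# Added example, not from the thread. Reports whether an smb.conf still
# offers SMB1 and whether it offers a dialect Windows 10 accepts.
# Assumption: the defaults used for unset options (NT1 minimum, SMB3 maximum)
# match the installed Samba; pass the right ones for your version.

# smb_global_value CONF KEY [ALTKEY] -> prints the value set in [global]
# (last one wins) or nothing if unset; comments and other sections are ignored.
smb_global_value() {
    awk -v k1="$2" -v k2="${3:-}" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { s = tolower($0); gsub(/\[|\]|[ \t]/, "", s); next }
        s == "global" && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/[ \t]+/, " ", k); k = tolower(k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == k1 || (k2 != "" && k == k2)) val = v
        }
        END { if (val != "") print val }' "$1"
}

# proto_rank NAME -> position in Samba's dialect order; -1 for an unknown
# name, which the audit then treats as "could be SMB1".
proto_rank() {
    case $(printf '%s' "$1" | tr 'a-z' 'A-Z') in
    CORE)         printf '%s\n' 0 ;;
    COREPLUS)     printf '%s\n' 1 ;;
    LANMAN1)      printf '%s\n' 2 ;;
    LANMAN2)      printf '%s\n' 3 ;;
    NT1)          printf '%s\n' 4 ;;
    SMB2_02)      printf '%s\n' 5 ;;
    SMB2_10|SMB2) printf '%s\n' 6 ;;
    SMB3_00)      printf '%s\n' 7 ;;
    SMB3_02)      printf '%s\n' 8 ;;
    SMB3_11|SMB3) printf '%s\n' 9 ;;
    *)            printf '%s\n' -1 ;;
    esac
}

# smb_protocol_audit CONF [DEFAULT_MIN] [DEFAULT_MAX]
# Prints "min=<dialect> max=<dialect> smb1_offered=yes|no".
# Exit status 0 only if SMB1 is off and an SMB2 or later dialect is offered.
smb_protocol_audit() {
    conf=$1 dmin=${2:-NT1} dmax=${3:-SMB3}
    min=$(smb_global_value "$conf" "server min protocol" "min protocol")
    max=$(smb_global_value "$conf" "server max protocol" "max protocol")
    min=${min:-$dmin}; max=${max:-$dmax}
    rmin=$(proto_rank "$min"); rmax=$(proto_rank "$max")
    smb1=no; status=0
    if [ "$rmin" -le 4 ]; then smb1=yes; status=1; fi   # NT1 and older are SMB1
    if [ "$rmax" -lt 5 ]; then                          # nothing newer than SMB1
        echo "max protocol $max: Windows 10 clients will refuse to connect" >&2
        status=1
    fi
    echo "min=$min max=$max smb1_offered=$smb1"
    return $status
}
```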
cloning RAIDframe config
I have two identical servers, each with two identical disks, front-panel swappable. One now has a working RAID-1 setup, fully populated. Can I clone it on the other machine by disk-swapping and reconstructing (with the first machine cleanly shutdown, obviously)? The only difference I need on the two are quick changes in /etc.

-- Steve Blinkhorn
Re: consdeev, com0 and remote management of servers
Hi Dima,

First of all, let me say how helpful I have found your input on this. Comments interspersed below:

You wrote:
> Hello, Steve,
>
> As a person which have lot of serial consoles (NetBSD, FreeBSD, Solaris, Linux) working on very different platforms (Sun, IBM, HP) I can add something:
. .
>
> 2. Can you tell us why installboot way do not work for you?

I wish I could. What I have found is that it is necessary to drop out of the install system after partitioning and do an installboot -f on /dev/wd0a to get the system to boot at all. I have not been able to discover why using " - o console=com0 " fails to work, nor why "consdev=com0" in boot.cfg does not work whereas adding "consdev com0" to the command section of individual boot.cfg menu items does. I have wondered if the man page is out of step with the state of the software in a way that those very familiar with the process would not necessarily notice.

> 3. 115200 vs 9600 really helps, mostly when you manage file systems and lot of kernel output. I never set speed less than 115200.

Some of the Fujitsu on-screen prompts say it must be 38400. Not so.

> 4. All this process is frustrating only first times when you are understanding all the logic in this piece of software. After some experience you will do anything as a piece of cake.

The NetBSD documentation in general is sane. I'm not sure the same can be said for the Fujitsu documentation. In part it shares what I (as a former academic) think of as American textbookitis. Roughly the philosophy is not "here is a succinct exposition with some helpful examples and exercises" but "in this chapter you will learn how to do X,Y and Z: you probably don't want to do any of these, but tough, that's what you're getting". It suggests that the authors don't have a real command of their material but only know some concrete operations.
Also the BIOS on these machines behaves oddly: you can have a device that shows up in the list of SATA devices, but in the boot menu is on a different port; the BIOS boot menu works only sporadically; it can take several power cycles and quiescent periods for these things to correct themselves. I had more words with Fujitsu tech support this morning and they suggest that there may be an issue concerning the boot filter (UEFI/Legacy) which I shall pursue - although so far as I am aware I have done everything in Legacy mode.

-- Steve Blinkhorn

> On Fri, Apr 27, 2018 at 05:31:28PM +, Steve Blinkhorn wrote:
> > After various helpful discussions off-list, I have come to a point where there remains an issue concerning how to set the redirection of the console over a remote management console.
> >
> > It boils down to where and how to set consdev to com0, and how to ensure that a remote session behaves nicely through the boot process and into a multi-user login seamlessly. There are three stages to this:
> >
> > 1. how to ensure that one can choose from the initial boot menu - it's not much use if you can see the boot menu but not choose from it.
> >
> > 2. how to be sure that the hardware probe and rc.conf output can be viewed remotely in real time.
> >
> > 3. how to end up with a usable login session via the remote management console.
> >
> > I have found that setting consdev=com0 in boot.cfg defeats choice from the boot menu as does `installboot -e -v -o console=com0 ...` . What is more, no output from the hardware probe and rc.conf is visible remotely. Since my prime objective is to be able to fsck in single-user mode, this was bad news.
> >
> > However, dropping to the boot prompt and setting consdev to com0 does allow you to boot and see all the initial diagnostics (and get to a single-user shell). Adding the following line in boot.cfg has the same effect:
> >
> > menu=Boot single user:rndseed /etc/entropy-file;consdev com0; boot netbsd -s
> >
> > The fact that consdev=com0 in boot.cfg does not have the same effect does not align with the man page for boot.cfg(5).
> >
> > Additionally, an entry in /etc/ttys for /dev/tty00 is needed to give a clean multi-user terminal connection through the remote console. I have set all relevant line speeds to 115200 baud, and found no benefit in using 9600 baud at any point.
> >
> > I don't know how much of this is peculiar to the Fujitsu Primergy 1330 M3 R8 servers I am working on, but it's been a long and frustrating journey, alleviated only by the customary kindly helpfulness of the NetBSD community.
> >
> > --
> > Steve Blinkhorn
>
> --
> Sincerely yours,
> Dima Veselov
> Physics R&D Establishment of Saint-Petersburg University
consdeev, com0 and remote management of servers
After various helpful discussions off-list, I have come to a point where there remains an issue concerning how to set the redirection of the console over a remote management console.

It boils down to where and how to set consdev to com0, and how to ensure that a remote session behaves nicely through the boot process and into a multi-user login seamlessly. There are three stages to this:

1. how to ensure that one can choose from the initial boot menu - it's not much use if you can see the boot menu but not choose from it.

2. how to be sure that the hardware probe and rc.conf output can be viewed remotely in real time.

3. how to end up with a usable login session via the remote management console.

I have found that setting consdev=com0 in boot.cfg defeats choice from the boot menu as does `installboot -e -v -o console=com0 ...` . What is more, no output from the hardware probe and rc.conf is visible remotely. Since my prime objective is to be able to fsck in single-user mode, this was bad news.

However, dropping to the boot prompt and setting consdev to com0 does allow you to boot and see all the initial diagnostics (and get to a single-user shell). Adding the following line in boot.cfg has the same effect:

menu=Boot single user:rndseed /etc/entropy-file;consdev com0; boot netbsd -s

The fact that consdev=com0 in boot.cfg does not have the same effect does not align with the man page for boot.cfg(5).

Additionally, an entry in /etc/ttys for /dev/tty00 is needed to give a clean multi-user terminal connection through the remote console. I have set all relevant line speeds to 115200 baud, and found no benefit in using 9600 baud at any point.

I don't know how much of this is peculiar to the Fujitsu Primergy 1330 M3 R8 servers I am working on, but it's been a long and frustrating journey, alleviated only by the customary kindly helpfulness of the NetBSD community.

-- Steve Blinkhorn
Re: redirect console to com0
Many thanks for this. My new servers are Fujitsu Primergy 1330 M3 R8 with iRMC S4 remote management, so if you know your way around the setup utility for these machines your further guidance would be appreciated. The BIOS information is:

BIOS Vendor: American Megatrends
Customized by: Fujitsu
Core Version: 5.0.0.11
Compliancy: UEFI 2.4; PI 1.3

I can't see a "redirection after POST" option, but I do have remote access to the BIOS setup and to the initial boot option menu. What I don't see is the hardware probe nor can I login remotely in single-user mode (the real aim of this exercise).

-- Steve Blinkhorn

> Hi,
>
> lets take a tour into these things:
>
> Server have serial port and a special option to redirect screen. When redirection is on - BIOS is instructed to send all data from screen to serial port. When operating system is loading it try to open port natively as a device and oops - port is busy. It is busy (locked or even absent) by BIOS redirection function, which mangle serial port by its own, because serial port is usually not a device with ability of concurrent usage.
>
> Consider that remote management is just another computer inside server, which have serial port connected to server's serial port and nothing more. That means at least that remote management do not and may not know anything happening in server - not the speed of serial port, nor any other information.
>
> BIOS and OS collision is the reason why all such BIOSes have a special option that usually named "redirection after POST". This option tell BIOS to turn redirection off and free serial port upon starting OS, so OS can use it as it wants. This option can be named in different ways, you can search through or let us know what server model you have to point you out.
> If you will turn it off - I expect bootloader will not work through remote management, because redirection will be not active at the moment, however kernel will work (if you added consdev to boot.cfg and remote management speed is 9600).
>
> You should find option, test it (you can test all BIOS options in working unix/linux OS by cu). If you can't load any OS but have consdev in boot.cfg - just try loading it not forgetting to check serial speed in remote management board settings.
>
> After you manage to load NetBSD kernel you should make this permanent - remove consdev from boot.cfg and put com0 option into bootloader instead. This is done by installboot:
>
> This is regular bootloader options
>
> [root@gloria kab00m]$ installboot -v -e /dev/rraid0a
> File system: /dev/rraid0a
> Boot options:timeout 5, flags 0, speed 9600, ioaddr 0, console pc
>
> This is proper settings for remote management
>
> [root@maia ~]$ installboot -v -e /dev/rld0a
> File system: /dev/rld0a
> Boot options:timeout 5, flags 0, speed 115200, ioaddr 0, console com0
>
> You can change it this way:
>
> installboot -v -e -o console=com0,speed=115200 /dev/rld0a
> (or whatever other speed and hard disk)
>
> Kernel will pick up console settings from bootloader.
>
> PS: I advise to avoid using same ethernet port for server and remote management. Not always, but its common for such a setup to put link down on initialization process. That means that you may have lags or even to reconnect your telnet/ssh session every time the server is booting up.
>
> On Thu, Apr 26, 2018 at 03:07:29PM +, Steve Blinkhorn wrote:
> > I'm not clear exactly what you mean here.
> > I'm still not getting redirection once the NetBSD boot sequence gets past the boot.cfg menu (the line of numbers that is the first sign that a kernel is booting shows, but is generally truncated), but something changed because while I was originally using the shared LAN port for both remote management and normal usage, I had to connect to the dedicated LAN port because the user name and password for the ssh session to the management console no longer worked.
> >
> > The point of this operation is to be able to do remote fsck in single-user mode. For that I need network access to the console in single-user mode.
> >
> > --
> > Steve Blinkhorn
> >
> > You wrote:
> > > On Thu, Apr 26, 2018 at 03:15:55PM +0200, Martin Husemann wrote:
> > > > On Thu, Apr 26, 2018 at 03:12:39PM +0200, Manuel Bouyer wrote:
> > > > > You have to tell NetBSD to use the serial port as console.
> > > > > You can do this with
> > > > >
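Before rebooting a machine that is only reachable through the management console, it is worth checking that the bootloader and /etc/ttys agree on the serial console. The two functions below are an added example (not from the thread, and not a NetBSD tool): one reads the `installboot -v -e` output quoted above and confirms `console com0` at the chosen speed, the other reads a ttys(5) file and confirms that `tty00` is on at the same getty speed while the `ttyE*` entries are off, the combination the thread arrives at. The function names and the sample lines in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Checks, before a remote reboot, that
# the bootloader and /etc/ttys agree on a serial console, so the machine
# does not come back up talking only to a screen nobody can see.

# bootopts_console SPEED < installboot-output
# Reads `installboot -v -e DEVICE` output, whose "Boot options:" line is like
#   Boot options:timeout 5, flags 0, speed 115200, ioaddr 0, console com0
# Prints "console=<dev> speed=<n>"; exit 0 only for console com0 at SPEED.
bootopts_console() {
    want=$1
    line=$(sed -n 's/^Boot options:[ ]*//p')
    con=$(printf '%s\n' "$line" | sed -n 's/.*console[ ]*\([a-z0-9]*\).*/\1/p')
    spd=$(printf '%s\n' "$line" | sed -n 's/.*speed[ ]*\([0-9]*\).*/\1/p')
    echo "console=${con:-?} speed=${spd:-?}"
    [ "$con" = com0 ] && [ "$spd" = "$want" ]
}

# ttys_console TTYS SPEED
# ttys(5) lines are: name "getty command" type on|off [secure]. Checks that
# tty00 is on with a getty speed of std.SPEED and that no ttyE* entry is on.
# Prints one line per problem; exit 0 when everything matches.
ttys_console() {
    awk -v want="std.$2" '
        /^[ \t]*#/ || NF < 3 { next }
        {
            # the getty command is quoted and may contain spaces, so the
            # status word is found by scanning rather than by field number
            status = "off"
            for (i = 2; i <= NF; i++) if ($i == "on" || $i == "off") status = $i
        }
        $1 == "tty00" {
            seen = 1
            if (status != "on") { print "tty00 is off"; bad = 1 }
            if (index($0, want) == 0) { print "tty00 getty does not use " want; bad = 1 }
        }
        $1 ~ /^ttyE/ && status == "on" { print $1 " still on"; bad = 1 }
        END {
            if (!seen) { print "no tty00 entry"; bad = 1 }
            exit bad ? 1 : 0
        }' "$1"
}

# Before rebooting (device and speed as in the thread):
#   installboot -v -e /dev/rld0a | bootopts_console 115200 && ttys_console /etc/ttys 115200
```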
Re: redirect console to com0
I'm not clear exactly what you mean here. I'm still not getting redirection once the NetBSD boot sequence gets past the boot.cfg menu (the line of numbers that is the first sign that a kernel is booting shows, but is generally truncated), but something changed because while I was originally using the shared LAN port for both remote management and normal usage, I had to connect to the dedicated LAN port because the user name and password for the ssh session to the management console no longer worked.

The point of this operation is to be able to do remote fsck in single-user mode. For that I need network access to the console in single-user mode.

-- Steve Blinkhorn

You wrote:
> On Thu, Apr 26, 2018 at 03:15:55PM +0200, Martin Husemann wrote:
> > On Thu, Apr 26, 2018 at 03:12:39PM +0200, Manuel Bouyer wrote:
> > > You have to tell NetBSD to use the serial port as console.
> > > You can do this with
> > > consdev com0
> > > at boot prompt or in the /boot.cfg file
> >
> > You also want to enable the console entry in /etc/ttys and disable all ttyE* entries.
>
> Do not forget to set BIOS redirection to "BIOS only" or "off after POST" mode. This should be used to prevent redirection when OS starts, because OS use native serial console.
>
> --
> Sincerely yours,
> Dima Veselov
> Physics R&D Establishment of Saint-Petersburg University
redirect console to com0
I think some kind person answered this for me some time ago, but I can't locate the email. I need to set up console redirection on Fujitsu Primergy servers with iRMC S4 remote management console hardware. I ssh to the management IP address, and all goes well up to the NetBSD boot menu - i.e. I can use setup remotely over an SSH connection and modify BIOS settings, and can choose from the default boot choices. But as soon as netbsd starts up I lose the connection.

IIRC I need to change entries in /etc/ttys and one other place. The BIOS is set to redirect to Serial Port 1 (there is only one, so I assume this is com0). Is this /dev/constty? Might I need to change its permissions? The remote management controller believes I am called admin, but at the point where I initially connect there is no access to the NetBSD passwd file.

Thanks,

-- Steve Blinkhorn
Re: NetBSD MBR boot / Error no operating system
The cause of this problem is:

Apr 21 15:52:52 /netbsd: vendor 0x8086 product 0xa12f (USB serial bus, xHCI, revision 0x31) at pci0 dev 20 function 0 not configured

No USB functionality meant attempts to use install media failed at the point where a root device is asked for (because no keyboard, and there's no PS/2 socket on these servers). I got the system to a multi-user login (but can't login) by building an installation on one of the hot-swappable drives taken out of its frame and stuck in a USB caddy on a different machine. I'm planning to enable the LAN that may allow me to carry on configuring with an rlogin - it's very tricky via the USB caddy because all the device names are wrong.

Does anyone know if this chip is supported/likely to be supported?

-- Steve Blinkhorn

You wrote:
> Date: Fri, 20 Apr 2018 15:52:43 + (UTC)
> From: st...@prd.co.uk (Steve Blinkhorn)
> Message-ID: <20180420155243.1aebeb35...@viking.prd.co.uk>
>
> | But returning it to the server, it gives the message:
> |
> | NetBSD MBR boot
> | Error No operating system
>
> This all comes from the MBR boot code (the 400 or so bytes that follow the MBR partition table). "No operating system" seems to mean that the magic number of the bootable partition was not correct.
>
> That all was OK on the other system suggests that perhaps there's a drive geometry mapping problem - to be as portable to ancient systems as possible, the MBR boot code uses CHS addressing if it believes that it should work (there's not much space there to allow for fallbacks, and alternatives,...)
>
> What does fdisk report about the MBR, and is that likely to be what the system you want to boot from implements?
>
> Also beware of sector size issues - drives in USB caddies sometimes do not act the same way as when directly SATA connected (or so I have read).
>
> kre
NetBSD MBR boot / Error no operating system
Machine: Fujitsu Primergy RX1330 M3 server
OS: NetBSD 7.0.1 amd64

I have loaded a full distribution onto the primary disk, having failed completely to install from installation media on the machine itself, whether by USB stick, DVD-ROM, or a portable USB drive, by extracting the disk and using a USB caddy to connect to another machine (by chance also a Fujitsu), then doing an install using sysinst. At the installboot phase, the "Old PBR too big" message appeared, so I used -f with a manual installboot, after which sysinst proceeded normally. I was then able to boot from this disk in its USB caddy without difficulty on the second machine and run in multi-user mode.

But returning it to the server, it gives the message:

NetBSD MBR boot
Error No operating system

Fujitsu tech support is of the opinion that there is a conflict between the BIOS and the boot code. We have enabled CSM (compatibility support) and set everything to Legacy mode, hardware RAID is disabled, the disk is first in the boot priority list, and clearly something is being read from it, else the "NetBSD MBR boot" line would not appear.

Any suggestions?

-- Steve Blinkhorn
Re: boot issues
Thanks Maya - really helpful steer. But it turned out that the real problem was that /etc/fstab on the new disk referred everything to /dev/wd0 rather than /dev/wd2, and the layout of the two disks is different. Elementary, really, but easily overlooked (especially when you're fighting off bombardment from .cn and .ru).

/etc/gettytab needed :sp#9600: adding to the Pc entry, and /etc/ttys needed constty to be edited out.

Kind regards,

-- Steve Blinkhorn

You wrote:
> After paying more attention:
>
> things think that libc.so. is in /usr/lib sometimes, e.g. /usr/bin/login:
> -lutil.7 => /usr/lib/libutil.so.7
> -lc.12 => /usr/lib/libc.so.12
> -lcrypt.1 => /usr/lib/libcrypt.so.1
> -lpam.4 => /usr/lib/libpam.so.4
>
> /usr/lib/libc.so.12 is a symlink to the one in /lib, but that is where the binary thinks it should be.
boot issues
I am in the process of replacing a failed disk drive on a server. It is an i386 machine, and has been running 7.0.1 for the past 18 months or so. It took a massive hammering from .ru and .cn addresses a couple of weeks back which finally did for the disk drive (which deserved a long-service medal anyway and was intended to be replaced). It lost /usr and /var, which were on separate partitions, but the rest was preserved and passed fsck checks when I got it back here and ran it single user.

So I have copied over everything but /var and /usr onto a new, shiny, bigger disk, and re-installed all the /usr and /var files from the 7.0.1 distribution .iso, selectively from the .tgz sets using tar xvhpkfC. Before I install the disk in the server box (a 1U rack unit) I want to check that I'm not going to have to take it out again, because it's physically fiddly and tightly packed.

So I've put it in an old system I have here where it is configured as wd2, and I try booting it with boot hd2a:netbsd -a. I get two issues: the first is an error report that libc.so.12 cannot be found (but it's there in /dev/wd2a); the second is that it reports that getty is repeating too quickly on /dev/console. It proceeds to displaying the date and time banner, but does not produce a login prompt.

I have tried changing /etc/ttys in ways relating to stuff on the web reporting similar errors but to no avail. The /etc/ttys I have on the new disk was simply copied over from the old disk, but I tried changing to match what is on the old machine. I have vague memories of seeing a similar problem around 15 years ago, but I have no real grasp of what the issue may be.

-- Steve Blinkhorn
advice on disk replacement
I got really helpful advice last year concerning bad disk sectors on my remote servers (Fujitsu Primergy Rx100 D1483). The opportunity has come to replace the disks (currently one Seagate ST380011A 80 GByte 7200rpm per machine - the size is adequate to the task), and I am mindful of the advice to use RAID. The smallest replacement I can find is 500 GByte, and there are only two disk bays in the chassis. I'm taking the opportunity to put much more RAM on them at the same time.

Any advice as to the best way to proceed?

-- Steve Blinkhorn
Re: fixing a bad sector
Is there a way of identifying the file that's affected from the fsbn? Because it's the boot partition and the server is far away I need to be sure the machine will come up in multi-user mode if I have to reboot.

-- Steve Blinkhorn

You wrote:
> On Tue, Sep 05, 2017 at 05:35:07PM +, Steve Blinkhorn wrote:
> > I have discovered a problem on a live server (i386) I run - this is filling up /var/log/messages so that it has turned over more than 10 times today.
> >
> > The message:
> >
> > Sep 5 16:56:49 trafalgar /netbsd: wd0a: error reading fsbn 1005056 of 1005056-1005087 (wd0 bn 1005119; cn 997 tn 2 sn 17), retrying
> > Sep 5 16:56:49 trafalgar /netbsd: wd0: (uncorrectable data error)
> >
> > The fsbn is mostly 1005056 but sometimes 1005086.
> >
> > Server response time is impacted.
> >
> > I've never had, so never tackled, this kind of issue before. Advice much appreciated.
>
> 1) backup your data ;-)
> 2) check the drive's SMART status with atactl smart status
> 3) try to write to the affected sectors, that usually will cause the drive to remap it (if it still has spares available)
>
> Martin
Re: fixing a bad sector
On this server:

# atactl wd0 smart status
SMART supported, SMART enabled
id   value thresh crit collect reliability description               raw
  1     44      6  yes  online  positive    Raw read error rate       221273574
  3     98      0  yes  online  positive    Spin-up time              0
  4    100     20   no  online  positive    Start/stop count          0
  5     97     36  yes  online  positive    Reallocated sector count  145
  7     75     30  yes  online  positive    Seek error rate           39182171
  9      1      0   no  online  positive    Power-on hours count      99097
 10    100     97  yes  online  positive    Spin retry count          0
 12    100     20   no  online  positive    Device power cycle count  75
194     31      0   no  online  positive    Temperature               31
195     44      0   no  online  positive    Hardware ECC Recovered    221273574
197    100      0   no  online  positive    Current pending sector    1
198    100      0   no  offline positive    Offline uncorrectable     1
199    200      0   no  online  positive    Ultra DMA CRC error count 0
200    100      0   no  offline positive    Write error rate          0
202    198      0   no  online  positive    Data address mark errors  158

Might be worth mentioning that this server has been under heavy attack (ssh mostly) for a couple of days from addresses in China.

-- Steve Blinkhorn
fixing a bad sector
I have discovered a problem on a live server (i386) I run - this is filling up /var/log/messages so that it has turned over more than 10 times today.

The message:

Sep 5 16:56:49 trafalgar /netbsd: wd0a: error reading fsbn 1005056 of 1005056-1005087 (wd0 bn 1005119; cn 997 tn 2 sn 17), retrying
Sep 5 16:56:49 trafalgar /netbsd: wd0: (uncorrectable data error)

The fsbn is mostly 1005056 but sometimes 1005086.

Server response time is impacted.

I've never had, so never tackled, this kind of issue before. Advice much appreciated.

-- Steve Blinkhorn
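An added example for this thread (it is not code from the list or from the poster): a small sh script that does the arithmetic behind the advice given above before anyone touches the disk. It parses the kernel's wd(4) error line, derives the partition start from the difference between the absolute block number (bn) and the partition-relative one (fsbn), works out how many sectors the failed transfer covered, prints the commands to run in order, and scans atactl smart status output for the three attributes that decide whether a remap is even possible. Assumptions: fsbn and bn are both in 512-byte DEV_BSIZE units, /dev/rwd0d is the whole-disk partition on i386, and fsdb(8)'s findblk is assumed to take the block number as the kernel reports it. The kernel line is the one from the post; the SMART lines are constructed from the shape of the atactl output posted in the thread. Nothing here writes to a disk.

```shell
#!/bin/sh
# Bad-sector triage for a NetBSD wd(4) error report. Added example, not from
# the mailing-list thread. Only prints what to run; never writes to a disk.

# Kernel line exactly as posted in the thread.
KMSG='Sep 5 16:56:49 trafalgar /netbsd: wd0a: error reading fsbn 1005056 of 1005056-1005087 (wd0 bn 1005119; cn 997 tn 2 sn 17), retrying'

# Constructed SMART sample in the column layout of "atactl wd0 smart status":
# id value thresh crit collect reliability description raw
SMART='id value thresh crit collect reliability description raw
5 97 36 yes online positive Reallocated sector count 145
197 100 0 no online positive Current pending sector 1
198 100 0 no offline positive Offline uncorrectable 1
199 200 0 no online positive Ultra DMA CRC error count 0'

# bad_sector_fields "<kernel line>" -> "partition disk fsbn first last bn"
# e.g. "wd0a wd0 1005056 1005056 1005087 1005119"
bad_sector_fields() {
    printf '%s\n' "$1" | sed -n \
        's/.* \([a-z]*[0-9][0-9]*[a-p]\): error reading fsbn \([0-9]*\) of \([0-9]*\)-\([0-9]*\) (\([a-z]*[0-9][0-9]*\) bn \([0-9]*\);.*/\1 \5 \2 \3 \4 \6/p'
}

# partition_offset "<kernel line>" -> sectors from start of disk to start of
# the partition (bn - fsbn). Assumes both numbers are in 512-byte units.
partition_offset() {
    set -- $(bad_sector_fields "$1")
    echo $(( $6 - $3 ))
}

# transfer_length "<kernel line>" -> number of sectors in the failed transfer
transfer_length() {
    set -- $(bad_sector_fields "$1")
    echo $(( $5 - $4 + 1 ))
}

# remap_plan "<kernel line>" -> the commands to run, in order. Step 3 destroys
# whatever file owns the block, which is why steps 1 and 2 come first.
remap_plan() {
    set -- $(bad_sector_fields "$1")
    part=$1 disk=$2 fsbn=$3 first=$4 last=$5 bn=$6
    off=$((bn - fsbn)); n=$((last - first + 1))
    cat <<EOF
# 1. find the inode that owns the block (assumes findblk takes the fsbn as
#    reported; run with the file system unmounted or read-only):
fsdb -n -f /dev/r${part}
findblk ${fsbn}
# 2. confirm the range still fails on a raw read of the partition:
dd if=/dev/r${part} of=/dev/null bs=512 skip=${first} count=${n}
# 3. only after backup and step 1: overwrite to make the drive remap.
#    Same sectors addressed from the start of the disk (partition offset ${off};
#    assumes the whole-disk partition is 'd' as on i386):
dd if=/dev/zero of=/dev/r${disk}d bs=512 seek=$((first + off)) count=${n}
EOF
}

# smart_flags "<atactl output>" -> "id=raw ..." for attributes 5 (reallocated),
# 197 (pending) and 198 (offline uncorrectable) whose raw count is non-zero.
smart_flags() {
    printf '%s\n' "$1" | awk '
        $1 == 5 || $1 == 197 || $1 == 198 {
            if ($NF > 0) out = out (out == "" ? "" : " ") $1 "=" $NF
        }
        END { print out }'
}

# smart_needs_attention "<atactl output>" -> exit 0 if any flagged attribute is set
smart_needs_attention() {
    [ -n "$(smart_flags "$1")" ]
}

remap_plan "$KMSG"
echo "partition offset: $(partition_offset "$KMSG") sectors"
echo "failed transfer:  $(transfer_length "$KMSG") sectors"
echo "SMART flags:      $(smart_flags "$SMART")"
```

Run on the posted line it reports a partition offset of 63 sectors (the classic first-partition start) and a 32-sector transfer, so the failing range spans more than one file-system block and findblk should be given every block in it that still errors. A non-empty SMART flag list with attribute 5 already at 145 is the signal to treat step 3 as a stop-gap while the replacement disk is sourced, not as a fix.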
carp(4)
Does anyone have experience of using carp(4) with multiple aliased addresses on the same interface? We provide various application servers for a range of customers where usage of any one server is sporadic, with dedicated IP addresses aliased onto the same physical interface. Anything in particular to watch out for (apart from getting the config files right of course)?

-- Steve Blinkhorn
Re: configuring remote headless servers
I'm grateful for the sharing of wisdom and experience. I have worked out that the servers most likely do have IPMI (they are Fujitsu Siemens Primergy RX100 GSO1), but given their age I suspect it will prove to be an early version. I saw something in the BIOS setup that looked related, but given the urgent need to get them back into service I did not have time to experiment at base and dare not set them into a novel configuration (for me).

I have this problem of physical disability which prevents me working on the machines directly in the machine room. Perhaps if the ISP who provided them in the first place had thought to configure IPMI then, my life would have been significantly easier these past few weeks.

But for now my original question still stands: what about using /fastboot? I'm not ignoring the other suggestions, e.g. cross-connecting serial ports, but at the moment they're not practical.

-- Steve Blinkhorn

> st...@prd.co.uk (Steve Blinkhorn) writes:
>
> > Following on from the recent saga of upgrading from 2.0 to 7.0 which assiduous readers may recall, the servers were re-installed in their racks in the data centre. All was well with one of them but the other apparently failed. It took three days for an engineer with sufficiently developed skills to become available: He solved the problem by switching the server on.
> >
> > But this led me to wonder how I would cope if, for instance, a server came up in single-user mode requiring an fsck. Once upon a time I was able to assume that this would be a circumstance familiar to data centre staff, but no longer. What I would need would be a boot sequence that started the network before any file system checking and allowed remote login. Alternatively, file system checking could be disabled by default - even if the system went down by power cycling the machine.
> >
> > I can see from the man pages for shutdown(8) and fastboot(8) that there is provision related to this kind of circumstance. Would it simply be a matter of having an empty file named /fastboot in the root directory? If it matters, these are i386 machines.
> >
> > Any gotchas with this approach?
>
> Hello... There have been several good responses to this, so I doubt that I will add much... but anyway...
>
> You will really want some sort of remote console, for real and true. This means either a serial console or some sort of internal or external console redirection.
>
> For the serial console route, there is support in NetBSD to redirect to a serial port all of the console output when the kernel boots. This would take care of your fsck example. Couple this with a PDU that is network connected and can cycle plugs and you can power cycle the system and pretty much watch it boot up. As for the device that is on the other end of the serial port, use your other system and cross connect them together. This would require two serial ports per system and will work except when BOTH systems are down and nonfunctional.
>
> Internal console redirection comes in the form of DRAC [Dell], iLO [HP] or IPMI [in some cases]. This works well and will provide total console redirection even of the BIOS boot process. There may be an additional license required for advanced features, but you may not need those. Also, Amazon and ebay often sell the bits and pieces cheaply. This arrangement is, by far, the most functional. DRAC and iLO will allow you to power cycle the systems without using an external PDU and you can pretty much see everything.
>
> External console redirection is in the form of a network connected KVM box that sits on the video output and keyboard output of the system. It is possible to get very cheap versions of these that MAY just work out for you, as long as you keep the arrangement simple [don't chain KVMs to KVMs, and the like]. Couple this with a network connected PDU and you can hard power cycle the systems pretty simply.
>
> In a number of these cases it is required that the network connected device have Internet access of some form or that there be a jump box / VPN arrangement that will allow incoming connections to the PDUs and etc..
>
> Someone mentioned the use of a thumb drive to boot up a minimal kernel with openssh running. That was clever in a number of ways. It would require, probably, someone who can place the thumb drive in the system, but they would not have to be any more talented than that. You could probably tie the thumb drive to the system physically such that all someone would have to do is place it in a USB port
configuring remote headless servers
Following on from the recent saga of upgrading from 2.0 to 7.0 which assiduous readers may recall, the servers were re-installed in their racks in the data centre. All was well with one of them but the other apparently failed. It took three days for an engineer with sufficiently developed skills to become available: He solved the problem by switching the server on. But this led me to wonder how I would cope if, for instance, a server came up in single-user mode requiring an fsck. Once upon a time I was able to assume that this would be a circumstance familiar to data centre staff, but no longer. What I would need would be a boot sequence that started the network before any file system checking and allowed remote login. Alternatively, file system checking could be disabled by default - even if the system went down by power cycling the machine. I can see from the man pages for shutdown(8) and fastboot(8) that there is provision related to this kind of circumstance. Would it simply be a matter of having an empty file named /fastboot in the root directory? If it matters, these are i386 machines. Any gotchas with this approach? -- Steve Blinkhorn
Result: upgrading from 2.0 to 7.0
This story has come to a satisfactory conclusion. In retrospect, the importance of the p flag to tar in unpacking the installation sets has been seared into my mind for future reference.

The servers proved to have a Promise RAID BIOS, and the current GENERIC kernel picks up the ataraid pseudo-device and attaches ld*, but the disk has not been configured properly for this. So I built a custom kernel, installed new bootblocks, and everything is running fine now.

Thanks to all who helped

-- Steve Blinkhorn
Re: still upgrading from 2.0 to 7.0
So I installed new bootblocks and new boot code. What I need to do now is force the system to boot from /dev/wd0a, swap to /dev/wd0b and use /sbin/init without needing console interaction. What it does at present at the end of the hardware probe (still in green screen) is say that the boot device is unknown, then prompts for a root device with /dev/ld0a as the default. If I disable ld* in autoconf then the system proceeds to boot normally.

Here is the relevant bit of dmesg.boot:

Kernelized RAIDframe activated
ataraid0: found 1 RAID volume
ld0 at ataraid0 vendtype 0 unit 0: Promise ATA SPAN array
ld0: 76319 MB, 9729 cyl, 255 head, 63 sec, 512 bytes/sect x 156301425 sectors
ld0: mbr partition exceeds disk size
ld0: mbr partition exceeds disk size
ld0: mbr partition exceeds disk size
ld0: mbr partition exceeds disk size
ld0: mbr partition exceeds disk size
boot device: ld0
root on ld0a dumps on ld0b
ld0: mbr partition exceeds disk size
Supported file systems: union umap tmpfs smbfs puffs ptyfs procfs overlay null ntfs nfs msdos mfs lfs kernfs fdesc ext2fs ffs coda cd9660
no file system for ld0 (dev 0x1300)
cannot mount root, error = 79

It must surely be possible to specify root and swap partitions somewhere in a configuration file. But I have read and reread so many man pages now that I think I must just be missing something terribly obvious.

You wrote:
> note that you may be better off with newer first-stage bootblocks (e.g. bootxx_ffsv1). I sent you a script earlier that updates my system; read boot(8) and installboot(8) carefully, and figure out your root fs type. My script may well be wrong for you.
>
> #!/bin/sh
> installboot -v /dev/rwd0a /usr/mdec/bootxx_ffsv1
> cp -p /usr/mdec/boot /

-- Steve Blinkhorn
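An added example, not from the thread: the kernel configuration lines that fix the root and dump devices, set against the GENERIC default that leaves both to be discovered at boot (which is how the ld0 volume from the Promise BIOS signature ends up chosen over wd0 above). Assumes the standard config(5) syntax; the `no ld* at ataraid?` line is the assumed config(5) way to express the "disable ld* in autoconf" step the post describes, and is only needed if the RAID signature cannot be cleared from the disk.

```text
# GENERIC: root and dump device are chosen at boot from whatever attached,
# and the kernel prompts when the choice cannot be mounted
config          netbsd  root on ? type ?

# Custom kernel: root partition, file system type and dump device pinned,
# so the boot needs no console interaction
config          netbsd  root on wd0a type ffs dumps on wd0b

# Assumed syntax: stop the BIOS RAID signature from producing ld0 at all,
# so the plain wd0 disk is the only candidate
no ld* at ataraid?
```

Build the kernel from this config, install it as /netbsd, and check the "root on" line of dmesg.boot on the next reboot before shipping the machine back to the rack.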
Re: still upgrading from 2.0 to 7.0
I don't know: They are Fujitsu Primergy RX100 servers with dual-core Pentium 4 processors. Fujitsu UK are looking for the appropriate datasheet. If there is a hardware RAID controller, would this connect with the ld0 device detected in the hardware probe?

You wrote:
> st...@prd.co.uk (Steve Blinkhorn) writes:
>
> > If I replace the old copy of boot with the one that comes from 7.0 then an attempt is made to boot from a device called ld0 - which I never knew was there, which fails with a message about RAID, the master boot record and the size of the partition. I'm wholly out of my depth here. All I need is for the system to boot non-interactively from wd0 with root on wd0a, swap on wd0b and init from /sbin/init. Always happened automatically for me before.
>
> ld0 would be a member of the logical block driver: man 4 ld
>
> The system doesn't have a hardware raid controller on it does it??
>
> --
> Brad Spencer - b...@anduin.eldar.org - KC8VKS
> http://anduin.eldar.org - & - http://anduin.ipv6.eldar.org [IPv6 only]

-- Steve Blinkhorn
Re: still upgrading from 2.0 to 7.0
If I replace the old copy of boot with the one that comes from 7.0 then an attempt is made to boot from a device called ld0 - which I never knew was there, which fails with a message about RAID, the master boot record and the size of the partition. I'm wholly out of my depth here. All I need is for the system to boot non-interactively from wd0 with root on wd0a, swap on wd0b and init from /sbin/init. Always happened automatically for me before.

I wrote:
> I think this was the issue. I took Brad's advice and re-installed the sets making sure I included a p in the tar options.
>
> So now I have just one issue to solve before packing these beasts back off to work in the data centre. When I reboot I get - in green screen mode - prompts for root filesystem, swap device etc., whereas I need them to boot non-interactively.
>
> I see in my other 7.0 systems a /kern in the filesystem and in /etc/fstab. Should I be setting this up (and how)?
>
> --
> Steve Blinkhorn
>
> You wrote:
> >
> > On August 18, 2016 9:45:31 AM EDT, st...@prd.co.uk wrote:
> > >Still upgrading from 2.0 to 7.0, I have a running system and I can login as root at the console using the password I have set. I can login as an ordinary user across the network, but I cannot su from there, and on the console if I su to an ordinary account and then try to su from there, I get authentication failure.
> >
> > Does su have the setuid bit set?

-- Steve Blinkhorn

This email is for the addressee only. If you are not the addressee you should immediately delete this email from your system(s) and inform us. It may contain information that is confidential or otherwise privileged, and should not be copied or redistributed to recipients not originally specified as addressees without permission. S F Blinkhorn MA PhD CPsychol FBPsS, Managing Director, Psychometric Research & Development Ltd. PO Box 1143, St Albans, Herts, AL1 9UT, UK Registered in England No. 1909571 Registered Office: 45 Grosvenor Rd., St Albans, Herts, AL1 3AW Phone: +44 (0)1727 841455 http://www.prd.co.uk
Re: still upgrading from 2.0 to 7.0
I think this was the issue. I took Brad's advice and re-installed the sets making sure I included a p in the tar options.

So now I have just one issue to solve before packing these beasts back off to work in the data centre. When I reboot I get - in green screen mode - prompts for root filesystem, swap device etc., whereas I need them to boot non-interactively.

I see in my other 7.0 systems a /kern in the filesystem and in /etc/fstab. Should I be setting this up (and how)?

-- Steve Blinkhorn

You wrote:
> On August 18, 2016 9:45:31 AM EDT, st...@prd.co.uk wrote:
> >Still upgrading from 2.0 to 7.0, I have a running system and I can login as root at the console using the password I have set. I can login as an ordinary user across the network, but I cannot su from there, and on the console if I su to an ordinary account and then try to su from there, I get authentication failure.
>
> Does su have the setuid bit set?
still upgrading from 2.0 to 7.0
Still upgrading from 2.0 to 7.0, I have a running system and I can login as root at the console using the password I have set. I can login as an ordinary user across the network, but I cannot su from there, and on the console if I su to an ordinary account and then try to su from there, I get authentication failure.

I very much suspect that this is a PAM issue of some kind but I have little familiarity with this sort of configuration. So far as I can see, /etc/pam.d/su is not different from the same file on other 7.0 systems I have running. I have checked, and su is /usr/bin/su.

I'm about to start upgrading the 3.0 system to 7.0 - this already had a working PAM configuration, which I don't want to trash...

-- Steve Blinkhorn
Re: upgrading an old system
I have progressed as far as having installed the binary sets and running postinstall. However I hit a problem when I set a password for root, namely while I could login as another user (in group wheel) I get an authentication error when I try to su, and I can't get back to a condition where there is no superuser password. So I daren't for the moment switch the box off.

I remember that there were various gotchas when PAM was introduced in release 3.0. Is there a step I may have missed out?

Also, would someone please remind me where the boot-time configuration lives (boot device, root device, swap device etc.)? It's been a long day, and I don't get to do this sort of thing very often.

-- Steve Blinkhorn
Re: upgrading an old system
Very grateful for all the good advice. Here's the story so far.

First of all, I was able to boot a 7.0 kernel with no difficulty - and in the process discovered that there have been 2 CPUs all along. But the disk layout is sorely in need of revision. So I have tried everything I can find: in summary, cutting a new install image CD failed to produce anything that worked in the CD-ROM drive. I have a 2.02 install CD that goes into sysinst, but skips the disk layout process and goes straight to installing sets. Other bootable media I have don't boot in this drive. I do remember the days when CD-ROM drives could be very fussy about CD-R and CD-RW media.

The 3.0 machine has a much saner disk layout - very possibly because I configured it, whereas the 2.0 was configured by data centre staff way back when. So I think I can move that forward straightforwardly.

Is the disk layout configuration tool accessible other than through running sysinst, or will I have to bite the bullet and edit the disk label by hand? I think there is a sensibly sized root partition on the 2.0 machine, so it might be possible to leave that untouched, adjust the (insanely small) swap partition, and set up a sensible layout for the rest of the disk while keeping a bootable root partition.

All thoughts welcome.

-- Steve Blinkhorn

You wrote:
> st...@prd.co.uk (Steve Blinkhorn) writes:
>
> [snip]
>
> > While I have them here I want to upgrade them to 7.0 (i386). But one is 2.0, the other 3.0 at present.
> >
> > It looks as though they will not boot from their USB ports, the CD-ROM drives seem not to be DVD-compatible (and I'm not sure I can find any blank CD-ROM disks). They have floppy drives, but I'm not sure I have a working floppy drive on a working machine any more.
>
> [snip]
>
> A lot of good advice has been given. I performed an upgrade from NetBSD 4.0_STABLE to 7.0 this year on two of my systems. Basically all I ended up doing was building a new 7.0 kernel and booting that up. The 4.0 boot blocks were able to deal with a 7.0 kernel without any issues. Then I unpacked the tar ball sets onto the system and rebooting again. Then ran postinstall and reboot again. It all worked well, except for one thing... 7.0 does not support scheduler activations and anything compiled against the old libpthreads failed. This affected packages from package source, so I also had to recompile everything from package source that I needed. This was a bit unexpected, but not fatal, and I was going to do that anyway. This is one place where the extremely good binary compatibility that NetBSD has will probably fall over.
>
> Going from 2.0 or 3.0 it might be simpler to find another hard drive and install it in the system and just reload everything onto the new drive and swap it in. You probably can install it on another system, if needed, but assuming that the CD-ROM is bootable everything should fit on a CD on the target system [sans a lack of blank media...]. You mentioned that the filesystems were going to be resized... this will almost certainly need to be done anyway. With the addition of /stand, which I don't think was in 2.0 or 3.0, you may not have enough room in / to unpack the system. I nearly ran into this with an ancient laptop that went from 4.0_STABLE to 7.0. The size of /stand was larger and things just barely fit.
>
> --
> Brad Spencer - b...@anduin.eldar.org - KC8VKS
> http://anduin.eldar.org - & - http://anduin.ipv6.eldar.org [IPv6 only]

-- Steve Blinkhorn
Re: upgrading an old system
My memory is that when booting an installation floppy the first stages involve setting up an MFS and proceeding to the rest of the installation over FTP, NFS or whatever. Is there not a way of setting up this MFS from the existing file system? I seem to remember warnings not to power cycle before a certain stage had been reached.

-- Steve Blinkhorn

You wrote:
> => I have two servers I have just retrieved from their regular home in a data centre some distance away. (Less than opportune interventions by the staff there meant they would not accept remote logins).
> =>
> => While I have them here I want to upgrade them to 7.0 (i386). But one is 2.0, the other 3.0 at present.
>
> Wow.
>
> => It looks as though they will not boot from their USB ports, the CD-ROM drives seem not to be DVD-compatible (and I'm not sure I can find any blank CD-ROM disks). They have floppy drives, but I'm not sure I have a working floppy drive on a working machine any more.
>
> I would think CD-ROM would be the way to go. Surely someone in the area has a stack in the back closet.
>
> => I have both the machines running normally, and I've backed up everything I need to keep. Is there a way of upgrading these machines by placing initial installation files on their hard drives, say in a /altboot directory, booting from there and doing the rest over NFS or FTP? I have to do an install because I think both machines need new boot blocks to even boot newer releases. I also need to change the disk layout to add more swap space and create /tmp on disk rather than in an MFS.
>
> Upgrading via installer from the hard drive was easier up to NetBSD 6, as you could boot an INSTALL kernel and point it at the sets on your hard drive as /targetroot. Since NetBSD 7 I've just dumped an install image on USB flash and booted that. That still wouldn't help restructuring the partitions, though; you want to boot from alternate media for that.
>
> => I am under time pressure because these two machines form the backbone of live 24/7/365 services, now being run on VPSs in their absence.
>
> This seems exactly the sort of thing you don't want to do under time pressure.
>
> Good luck...
>
> Gary Duzan
>
> => --
> => Steve Blinkhorn
upgrading an old system
I have two servers I have just retrieved from their regular home in a data centre some distance away. (Less than opportune interventions by the staff there meant they would not accept remote logins).

While I have them here I want to upgrade them to 7.0 (i386). But one is 2.0, the other 3.0 at present.

It looks as though they will not boot from their USB ports, the CD-ROM drives seem not to be DVD-compatible (and I'm not sure I can find any blank CD-ROM disks). They have floppy drives, but I'm not sure I have a working floppy drive on a working machine any more.

I have both the machines running normally, and I've backed up everything I need to keep. Is there a way of upgrading these machines by placing initial installation files on their hard drives, say in a /altboot directory, booting from there and doing the rest over NFS or FTP? I have to do an install because I think both machines need new boot blocks to even boot newer releases. I also need to change the disk layout to add more swap space and create /tmp on disk rather than in an MFS.

I am under time pressure because these two machines form the backbone of live 24/7/365 services, now being run on VPSs in their absence.

-- Steve Blinkhorn
Re: window managers
You wrote:
> On Thu, 28 Apr 2016, Steve Blinkhorn wrote:
>
> > Can anyone suggest a good way forward with X11 window managers using X11R7 (I'm in the process of moving to amd64 7.0). For many years I have used IceWM, but the pkgsrc binary fails with symbol _XGetRequest not found in libXext.so.7. If I compile from source I get a segfault.
> >
> > The pkgsrc mwm binary fails in the same way. But twm works (does anyone actually use twm these days?).
>
> Sounds like you may have a mix of X11 packages built using different dependencies (maybe built on different systems). It also sounds like you may have multiple X11 libraries installed that are incompatible.

You may well be right, but everything I'm using comes from the pre-compiled binaries in 7.0/All using pkg_add.

-- Steve Blinkhorn
window managers
Can anyone suggest a good way forward with X11 window managers using X11R7 (I'm in the process of moving to amd64 7.0). For many years I have used IceWM, but the pkgsrc binary fails with symbol _XGetRequest not found in libXext.so.7. If I compile from source I get a segfault.

The pkgsrc mwm binary fails in the same way. But twm works (does anyone actually use twm these days?).

-- Steve Blinkhorn
Re: Realtek RTL8188EUS driver (urtwn)
Do you know when rtwn arrived in NetBSD? My 7.0 manual does not have the man page you excerpt, /usr/src/sys/dev/pci has no if_rtwn_pci.c (which I would have expected to see), and config -x | grep rtw yields:

rtw*	at pci? dev ? function ?	# Realtek 8180L (802.11)
rtw*	at cardbus? function ?		# Realtek 8180L (802.11)
urtw*	at uhub? port ?			# Realtek RTL8187/RTL8187B 802.11b/g
urtwn*	at uhub? port ?			# Realtek RTL8188CU/RTL8192CU 802.11b/g/n

So at a guess I need something more recent than stock 7.0. Do I need just a new kernel, or is there firmware to download as well?

-- Steve Blinkhorn

You wrote:
> Hello,
>
> On Wed, 27 Apr 2016 07:51:06 -0400
> Greg Troxel wrote:
>
> > st...@prd.co.uk (Steve Blinkhorn) writes:
> >
> > > vendor 0x10ec product 0x8179 (miscellaneous network, revision 0x01) at pci3 dev 0 function 0 not configured
> > >
> > > refers to pci3, whereas from the driver name I would have thought it should appear as a usb device.
>
> That's a PCI device, the urtwn driver is for USB devices.
>
> > It may be that the next step is to add this vendor/product to the PCI device list. (That won't make it attach or work, but it probably leads to a nicer message saying that it didn't attach.)
>
> I'd try the rtwn driver, it's supposed to handle this chip or at least something similar (not sure what the difference between 8188CE and 8188EE is). May just need an extra PCI ID.
>
> NAME
>      rtwn -- Realtek RTL8188CE/RTL8192CE PCIe IEEE 802.11b/g/n wireless network device
>
> SYNOPSIS
>      rtwn* at pci? dev ? function ?
>
> DESCRIPTION
>      The rtwn driver supports PCIe wireless network devices based on the Realtek RTL8188CE and RTL8192CE chipset.
>
> > Then, if you can find out how this chip works from some other OS, or from actually getting a programming guide from the manufacturer, you can add it as a match in a driver that might be able to handle it. It might be a similar chip to one netbsd supports, but that also has a USB interface, and in your case the USB interface isn't being used.
>
> If it was using USB it would probably appear as an ehci or something with a USB device behind it.
>
> have fun
> Michael

-- Steve Blinkhorn
Re: Realtek RTL8188EUS driver (urtwn)
The device is sealed so I can't look, but from Realtek's description there appear to be different versions of the same chipset for PCI and USB. I'm out of my comfort zone when it comes to knowing how the hardware probe operates.

-- Steve Blinkhorn

You wrote:
> 2016-04-27 11:56 GMT+02:00 Steve Blinkhorn :
> > refers to pci3, whereas from the driver name I would have thought it
> > should appear as a usb device.
>
> Strange, is this a PCI Express Mini Card which has both PCIe and USB
> on the same connector? Could explain why the device is USB, but (also)
> seen on PCI at least.
>
> Felix
Realtek RTL8188EUS driver (urtwn)
I asked this on port-amd64 but got no positive responses. I have a number of nettop machines which contain a Realtek RTL8188EUS wireless NIC chipset with the device code 0x8179. With the GENERIC 7.0 kernel, during the hardware probe phase at boot time the chip is correctly recognised but does not attach to the driver. Running modstat shows that the driver is present, and the device code 0x8179 is present in the header files in src/sys. The only thing that looks like a clue to me at the moment is that the device probe report:

vendor 0x10ec product 0x8179 (miscellaneous network, revision 0x01) at pci3 dev 0 function 0 not configured

refers to pci3, whereas from the driver name I would have thought it should appear as a usb device. If there is a place more suited to the discussion of driver-wrangling, do please point me to it.

-- Steve Blinkhorn
wireless configuration
I have a machine running amd64 7.0 that has an Intel Centrino type wireless device. This is recognised and configured at boot time at iwn0 as one would expect, but shows up in ifconfig -a with "No network". The router with the specified SSID is running properly, and other wireless devices access it normally. But the router is too modern to support WEP encryption. Is encryption likely to be the problem? Other suggestions? -- Steve Blinkhorn
Xvnc startup problem
I am in the process of configuring a number of amd64 machines with NetBSD-6.1.4, including Xvnc/vncserver. The software starts, and appears to be running, clients can connect and log in, but nothing appears on the remote screen. The first line of the log file says:

Getting interface configuration (4): Device not configured

which I imagine is the source of the problem. Can someone enlighten me please?

-- Steve Blinkhorn
Re: dovecot again/still again
/etc/ssl/certs/newpostfix.pem:-----BEGIN CERTIFICATE-----
/etc/ssl/private/newpostfix.pem:-----BEGIN PRIVATE KEY-----

You wrote:
> On Thu, Jun 11, 2015 at 06:34:25PM +0100, Steve Blinkhorn wrote:
> > The Postfix error is particularly odd: apparently Postfix is looking in
> > the ssl/certs directory for a private key, yet the main.cf file says:
> >
> > smtpd_tls_cert_file = /etc/ssl/certs/newpostfix.pem
> > smtpd_tls_key = /etc/ssl/private/newpostfix.pem
>
> Can you please post the output of the following command?
>
> grep -i begin /etc/ssl/certs/newpostfix.pem /etc/ssl/private/newpostfix.pem
>
> Kind regards
>
> --
> Matthias Scheler https://zhadum.org.uk/

-- Steve Blinkhorn
Re: dovecot again/still again
Thanks for this. I have been on a chase around lots of reports of similar issues with dovecot, and I think I now have a working configuration. But which of the several adjustments to files in dovecot/conf.d I made actually fixed things I cannot tell.

The Postfix error is particularly odd: apparently Postfix is looking in the ssl/certs directory for a private key, yet the main.cf file says:

smtpd_tls_cert_file = /etc/ssl/certs/newpostfix.pem
smtpd_tls_key = /etc/ssl/private/newpostfix.pem

It would seem strange to me if no-one else has encountered the same problem, but I haven't found a successful conjunction of Google search terms to throw up fellow-sufferers.

-- Steve Blinkhorn

You wrote:
> On June 10, 2015 1:07:48 PM EDT, st...@prd.co.uk wrote:
> >I am trying once more to get dovecot working with TLS/SSL enabled,
> >similarly postscript.
> >
> >I saw Greg Troxel's post about missing redirect < characters in the
> >config file, but this doesn't fix my problem. The maillog file says:
> >
> >Jun 10 17:41:28 viking dovecot: imap-login: Fatal: Couldn't parse
> >private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start
> >line: Expecting: ANY PRIVATE KEY
> >Jun 10 17:41:28 viking dovecot: master: Error: service(imap-login):
> >command startup failed, throttling for 60 secs
> >
> >Postfix says:
> >
> >Jun 10 17:28:27 viking postfix/smtpd[534]: warning: cannot get RSA
> >private key from file /etc/ssl/certs/viking.pem: disabling TLS support
> >Jun 10 17:28:27 viking postfix/smtpd[534]: warning: TLS library
> >problem: 534:error:0906D06C:PEM routines:PEM_read_bio:no start
> >line:/usr/src/crypto/external/bsd/openssl/dist/crypto/pem/pem_lib.c:703:Expecting:
> >ANY PRIVATE KEY:
> >Jun 10 17:28:27 viking postfix/smtpd[534]: warning: TLS library
> >problem: 534:error:140B0009:SSL
> >routines:SSL_CTX_use_PrivateKey_file:PEM
> >lib:/usr/src/crypto/external/bsd/openssl/dist/ssl/ssl_rsa.c:669:
> >
> >I have no real experience of what a parsing of the private key should
> >show, but when I do:
> >openssl asn1parse < private.pem
> >I get:
> >...
> >I think there actually must be something wrong with the private key,
> >but I can't work out what or why.
>
> Your private key should start with a line that looks like "-----BEGIN RSA
> PRIVATE KEY-----"
>
> The command you can use to examine it is:
> openssl rsa -in foo.pem -noout -text
>
> I've got mine in /etc/openssl/certs/dovecot.pem, simply after the
> certificate, but that might just be the way I happen to have dovecot
> configured.
> My postfix config uses a different file with just the private key in it, and
> AFAIK there's no inherent connection between the dovecot and postfix configs.
>
> Eric
dovecot again/still again
I am trying once more to get dovecot working with TLS/SSL enabled, similarly postscript. I saw Greg Troxel's post about missing redirect < characters in the config file, but this doesn't fix my problem. The maillog file says:

Jun 10 17:41:28 viking dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
Jun 10 17:41:28 viking dovecot: master: Error: service(imap-login): command startup failed, throttling for 60 secs

Postfix says:

Jun 10 17:28:27 viking postfix/smtpd[534]: warning: cannot get RSA private key from file /etc/ssl/certs/viking.pem: disabling TLS support
Jun 10 17:28:27 viking postfix/smtpd[534]: warning: TLS library problem: 534:error:0906D06C:PEM routines:PEM_read_bio:no start line:/usr/src/crypto/external/bsd/openssl/dist/crypto/pem/pem_lib.c:703:Expecting: ANY PRIVATE KEY:
Jun 10 17:28:27 viking postfix/smtpd[534]: warning: TLS library problem: 534:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:/usr/src/crypto/external/bsd/openssl/dist/ssl/ssl_rsa.c:669:

I have no real experience of what a parsing of the private key should show, but when I do:

openssl asn1parse < private.pem

I get:

    0:d=0  hl=4 l= 631 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=2 l=  13 cons: SEQUENCE
    9:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   20:d=2  hl=2 l=   0 prim: NULL
   22:d=1  hl=4 l= 609 prim: OCTET STRING      [HEX DUMP]:3082025D02010002818100C4DC77332949C3EB226D9503E8D072091868B6A2A5177F10D871B51864716AD629AA05B.

(continues for several lines' worth)

I think there actually must be something wrong with the private key, but I can't work out what or why.

-- Steve Blinkhorn
Re: dovecot again/still
Matthias Scheler wrote:
> > But my certificate and key pass your tests, so I'm really beginning to
> > wonder about the libraries.
>
> Me too. Is this Postfix from NetBSD's base system or "pkgsrc"? And
> what about OpenSSL? And did you build them with any funky options
> like "-mcpu=moaaarpowwr"?

Stock Postfix that came with NetBSD. I encountered the same error message with the original OpenSSL libraries, and then tried the latest binaries for this release of NetBSD, fetched, IIRC, from NetBSD.org, or at worst from a mirror site.

> And what NetBSD version and port is this?

NetBSD 4.01 on i386. I'm preparing for forthcoming upgrade of systems, and the idea was to learn the ropes on familiar territory so as not to go on wild goose chases in the uprated environment.

-- Steve Blinkhorn
Re: dovecot again/still
Thank you for a very helpful response - five-finger exercises in keys and certificates... But my certificate and key pass your tests, so I'm really beginning to wonder about the libraries.

-- Steve Blinkhorn

You wrote:
> On Wed, Oct 23, 2013 at 05:48:27PM +0100, Steve Blinkhorn wrote:
> > But no - I shifted the certificate and key into
> > /usr/pkg/etc/openssl/certs and private,
>
> That is definitely not necessary. I've got my key and certificate
> stored in "/etc/postfix/certs" and it works fine.
>
> > The bit I don't get is that the private key is specified to be in the
> > private subdirectory, not the certs subdirectory, and it is specified
> > as having the extension .key, not .pem. I used openssl asn1parse as
> > you suggested, and the key and certificate both make plausible
> > reading.
> >
> > Permissions on the subdirectories are 0755.
> >
> > Have I got faulty libraries, faulty data, or both?
>
> I guess faulty data. Does the following command work?
>
> openssl rsa -in /etc/ssl/private/myname.key -text
>
> Please do *not* post the output of this command if it works because
> it will *reveal your private key*. If the command prompts for a
> password you have found the problem. You need to remove the password
> in that case.
>
> If the key file passes the check you should check the certificate next:
>
> openssl x509 -in /etc/ssl/certs/myname.pem -text
>
> The output of this command is not sensitive. The "Modulus" section
> of the cert should match the "modulus" section of the private key.
>
> Kind regards
> --
> Matthias Scheler http://zhadum.org.uk/
Re: dovecot again/still
I thought for a moment that you had put your finger on it, the oldest Unix gotcha of all, bad permissions. But no - I shifted the certificate and key into /usr/pkg/etc/openssl/certs and private, and now the error message takes this form:

Oct 23 17:34:30 body postfix/smtpd[20176]: warning: cannot get private key from file /usr/pkg/etc/openssl/certs/myserver.pem
Oct 23 17:34:30 body postfix/smtpd[20176]: warning: TLS library problem: 20176:error:0906D06C:PEM routines:PEM_read_bio:no start line:/home/builds/ab/netbsd-4-0-1-RELEASE/src/crypto/dist/openssl/crypto/pem/pem_lib.c:647:Expecting: ANY PRIVATE KEY:
Oct 23 17:34:30 body postfix/smtpd[20176]: warning: TLS library problem: 20176:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:/home/builds/ab/netbsd-4-0-1-RELEASE/src/crypto/dist/openssl/ssl/ssl_rsa.c:669:
Oct 23 17:34:30 body postfix/smtpd[20176]: cannot load RSA certificate and key data

The bit I don't get is that the private key is specified to be in the private subdirectory, not the certs subdirectory, and it is specified as having the extension .key, not .pem. I used openssl asn1parse as you suggested, and the key and certificate both make plausible reading.

Permissions on the subdirectories are 0755.

Have I got faulty libraries, faulty data, or both?

-- Steve Blinkhorn

You wrote:
> st...@prd.co.uk (Steve Blinkhorn) writes:
>
> > This is still a live issue - apologies, I missed your post last week.
> >
> > Here are the file specs from my /etc/postfix/main.cf:
> >
> > smtpd_tls_cert_file = /etc/ssl/certs/myname.pem
> > smtpd_tls_key=/etc/ssl/private/myname.key
> >
> > It's clear from the runtime error message that the certificate is not,
> > in effect, being read. But the current file names and contents
> > produce the fewest errors. Could it be the .pem file extension, or
> > is there a hard-coded location for the certificate and key that I need
> > to conform to?
> >
> > Or could it be that the content of the files is wrong? I found
> > myself going round in circles and making no progress.
> >
> > This is NetBSD 4.01, with the SSL libraries updated to the latest
> > version for that release.
>
> I put them in /usr/pkg/etc/postfix. Of course the snmp daemon needs to
> be able to read the files - /etc/openssl/private on my systems are
> root-owned 700.
>
> My key file is key.pem and starts like:
>
> -----BEGIN RSA PRIVATE KEY-----
>
> The certificate file is post.pem and starts
>
> -----BEGIN CERTIFICATE-----
>
> and both can be read with 'openssl asn1parse'.
Re: dovecot again/still
Hi,

This is still a live issue - apologies, I missed your post last week.

Here are the file specs from my /etc/postfix/main.cf:

smtpd_tls_cert_file = /etc/ssl/certs/myname.pem
smtpd_tls_key=/etc/ssl/private/myname.key

It's clear from the runtime error message that the certificate is not, in effect, being read. But the current file names and contents produce the fewest errors. Could it be the .pem file extension, or is there a hard-coded location for the certificate and key that I need to conform to? Or could it be that the content of the files is wrong? I found myself going round in circles and making no progress.

This is NetBSD 4.01, with the SSL libraries updated to the latest version for that release.

-- Steve Blinkhorn

You wrote:
> Hello again
>
> Having just now been confused by similar error to yours when setting up
> postfix certificates on 6.1, I eventually managed to track it down to
> wrong file name in main.cf...
>
> This is smtpd tls part from main.cf, in case it helps
>
> smtpd_tls_cert_file = /etc/localstuff/example.com.crt
> smtpd_tls_key_file = /etc/localstuff/example.com.key
> smtpd_use_tls = yes
> smtpd_tls_security_level = may
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
>
> On Mon, 14 Oct 2013 21:39:10 +0300
> Terho Uotila wrote:
>
> > Hello,
> >
> > On Wed, 9 Oct 2013 16:56:16 +0100 (BST)
> > Steve Blinkhorn wrote:
> >
> > > Oct 8 22:15:20 body postfix/smtpd[27299]: warning: cannot get
> > > private key from file /etc/ssl/certs/body.prd.co.uk.pem
> > > Oct 8 22:15:20 body postfix/smtpd[27299]: warning: TLS library problem:
> > > 27299:error:0906D06C:PEM routines:PEM_read_bio:no start
> > > line:/home/builds/ab/netbsd-4-0-1-RELEASE/src/crypto/dist/openssl/crypto/pem/pem_lib.c:647:Expecting:
> > > ANY PRIVATE KEY:
> > > Oct 8 22:15:20 body postfix/smtpd[27299]: warning:
> > > TLS library problem: 27299:error:140B0009:SSL
> > > routines:SSL_CTX_use_PrivateKey_file:PEM lib:/home/builds/ab/netbsd-4-0-1-RELEASE/src/crypto/dist/openssl/ssl/ssl_rsa.c:669:
> > > Oct 8 22:15:20 body postfix/smtpd[27299]: cannot load RSA certificate
> > > and key data
> >
> > I haven't seen anything further on list so I wonder if this is still
> > a problem or has been resolved already.
> >
> > In case this is still unresolved, and you're willing to accept guesses
> > too, from above log it looks to me like postfix might be trying to
> > (unsuccessfully) use your certificate and key. Have you tried telling
> > it where it can find those?
> >
> > smtpd_tls_cert_file
> > smtpd_tls_key_file
> >
> > from http://www.postfix.org/TLS_README.html
> > (and earlier agentoss link mentioned these too)
> >
> > > You wrote:
> > > >
> > > > http://agentoss.wordpress.com/2013/01/06/home-mail-server-with-postfix-dovecot-imap-squirrelmailroundcube-on-netbsd-6-0-1/
> > > >
> > > > This was very helpful when I struggled with configuring a mail
> > > > server.
> > > >
> > > > Regards,
> > > > --
> > > > Bartek Krawczyk
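Two checks for what this thread is chasing, as an added example that is not code from any of the posts: how OpenSSL's "no start line ... Expecting: ANY PRIVATE KEY" error relates to the PEM header of the key file (the structure asn1parse printed above is an unencrypted PKCS#8 "BEGIN PRIVATE KEY" wrapper, which this code recognises by walking the DER), and where Postfix actually reads its key when main.cf spells the parameter smtpd_tls_key rather than smtpd_tls_key_file, the name in Terho's config (Postfix defaults smtpd_tls_key_file to $smtpd_tls_cert_file, which is why the log complains about the file in /etc/ssl/certs). The PEM and main.cf inputs are constructed here, and the DER helpers are hand-written for the example, not OpenSSL's.

```python
import base64
import re

# One PEM block: "-----BEGIN <label>-----" ... "-----END <label>-----".
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1, rsaEncryption


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def is_pkcs8_rsa(der):
    """True if der is PrivateKeyInfo { INTEGER 0, { OID rsaEncryption, NULL }, OCTET STRING },
    the shape asn1parse printed in the thread: SEQUENCE, INTEGER :00, a 13-byte
    SEQUENCE of OBJECT :rsaEncryption and NULL, then the OCTET STRING with the key."""
    try:
        tag, body, _ = der_tlv(der)
        t_ver, version, p = der_tlv(body, 0)
        t_alg, alg, p = der_tlv(body, p)
        t_key, _, _ = der_tlv(body, p)
        t_oid, oid, q = der_tlv(alg, 0)
        t_null, _, _ = der_tlv(alg, q)
    except IndexError:  # truncated, or not a SEQUENCE of the expected shape
        return False
    return (tag, t_ver, version, t_alg, t_key, t_oid, oid, t_null) == (
        0x30, 0x02, b"\x00", 0x30, 0x04, 0x06, RSA_OID, 0x05)


def classify_key_file(text):
    """Say what OpenSSL's PEM reader will make of a supposed private-key file."""
    blocks = pem_blocks(text)
    if not blocks:  # the case behind "no start line ... Expecting: ANY PRIVATE KEY"
        return "no PEM start line (OpenSSL: 'Expecting: ANY PRIVATE KEY')"
    for label, der in blocks:
        if label == "RSA PRIVATE KEY":
            return "PKCS#1 RSA private key"
        if label == "ENCRYPTED PRIVATE KEY":
            return "encrypted PKCS#8 key (the daemon would need a passphrase)"
        if label == "PRIVATE KEY":
            return "PKCS#8 RSA private key" if is_pkcs8_rsa(der) else "PKCS#8 key, non-RSA or malformed"
    return "only non-key blocks present: " + ", ".join(label for label, _ in blocks)


def postfix_key_file(main_cf):
    """Where Postfix will read the smtpd private key from. smtpd_tls_key_file
    defaults to $smtpd_tls_cert_file, so a misspelt name such as smtpd_tls_key is
    ignored and the key is sought in the certificate file. Returns (path, misspelt)."""
    params = {}
    for line in main_cf.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    key = params.get("smtpd_tls_key_file") or params.get("smtpd_tls_cert_file", "")
    misspelt = [p for p in params if p.startswith("smtpd_tls_key") and p != "smtpd_tls_key_file"]
    return key, misspelt


def der_encode(tag, value):
    """Minimal DER TLV encoder for values shorter than 128 bytes (enough for the sample)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


def to_pem(label, der):
    """Wrap DER bytes in a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample: a PKCS#8 wrapper around a placeholder OCTET STRING. It is
# NOT a usable RSA key; only the outer structure is exercised here.
ALG_ID = der_encode(0x30, der_encode(0x06, RSA_OID) + der_encode(0x05, b""))
SAMPLE_PKCS8 = der_encode(0x30, der_encode(0x02, b"\x00") + ALG_ID + der_encode(0x04, b"\x30\x00"))

# Constructed main.cf fragment mirroring the thread: smtpd_tls_key is not a
# Postfix parameter, so the key is looked for in /etc/ssl/certs/newpostfix.pem.
SAMPLE_MAIN_CF = "smtpd_tls_cert_file = /etc/ssl/certs/newpostfix.pem\nsmtpd_tls_key = /etc/ssl/private/newpostfix.pem\n"
```

On a live system the same idea is `postconf -n | grep smtpd_tls` beside `grep -i begin` on the key file: the parameter name and the PEM header are the two things the log message cannot tell you.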
Re: dovecot again/still
My problem appears to be with the ssl library. I've never had much to do with certificates and keys, but I wonder whether the ssl library is expecting to find a certificate and a private key in the same file. mkcert.sh generates two separate files. Here is a maillog extract:

Oct 8 22:15:20 body postfix/smtpd[27299]: warning: cannot get private key from file /etc/ssl/certs/body.prd.co.uk.pem
Oct 8 22:15:20 body postfix/smtpd[27299]: warning: TLS library problem: 27299:error:0906D06C:PEM routines:PEM_read_bio:no start line:/home/builds/ab/netbsd-4-0-1-RELEASE/src/crypto/dist/openssl/crypto/pem/pem_lib.c:647:Expecting: ANY PRIVATE KEY:
Oct 8 22:15:20 body postfix/smtpd[27299]: warning: TLS library problem: 27299:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:/home/builds/ab/netbsd-4-0-1-RELEASE/src/crypto/dist/openssl/ssl/ssl_rsa.c:669:
Oct 8 22:15:20 body postfix/smtpd[27299]: cannot load RSA certificate and key data

You wrote:
> http://agentoss.wordpress.com/2013/01/06/home-mail-server-with-postfix-dovecot-imap-squirrelmailroundcube-on-netbsd-6-0-1/
>
> This was very helpful when I struggled with configuring a mail server.
>
> Regards,
> --
> Bartek Krawczyk

-- Steve Blinkhorn
Re: dovecot again/still
So I grabbed your tarball, moved everything under /usr/pkg/etc/dovecot into a subdirectory, and replaced with your tarball contents. Small changes to the pathname and filenames for the cert and the key and - same error message.

It's clearly the case that dovecot is providing at least some services, for instance what appear to be successful logins. But my postmaster mailbox is filling up with error reports, including transcripts that look like this:

In:  STARTTLS
Out: 454 4.3.0 TLS not available due to local problem
In:  MAIL FROM:<> SIZE=6613
Out: 250 2.1.0 Ok
In:  RCPT TO:
Out: 450 4.1.1 : Recipient address rejected: User unknown in local recipient table
In:  QUIT
Out: 221 2.0.0 Bye

I'm doing all this on a NetBSD 4.0.1 system that is destined to be replaced soon, so I thought I would get familiar with dovecot on a machine whose configuration I know well. I'm wondering whether this is maybe a bug in dovecot2 that has been corrected since the tarball I started from (off the NetBSD.org site) was created.

-- Steve Blinkhorn

You wrote:
> On Tue, Oct 8, 2013 at 11:43 AM, Steve Blinkhorn wrote:
> > I am gradually getting dovecot to work with my established postfix
> > configuration, but can't find a way past this error (from
> > /var/log/maillog):
> >
> > Oct 8 16:26:52 body dovecot: master: Error: Error reading
> > configuration: Invalid settings: No services defined
> >
> > I'm assuming that I should be looking in conf.d/10-master.conf for the
> > error, but lack of familiarity with the syntax of the conf files is
> > making it hard to see what's wrong.
> >
> > Is there a way of getting a report of which services are defined so I
> > can test without exposing my live system to errors?
> > --
> > Steve Blinkhorn
>
> Hey I was just thinking about your previous email last night when I
> had to re-do my dovecot install from scratch! :)
>
> Just to be 100% sure, you have mail/dovecot2 installed and not
> mail/dovecot, right?
>
> Anyway, you can find my entire config here:
> www.mspo.com/nc/dovecot.tar.gz
>
> Also my postfix config has this kind of stuff:
> #accepting mail - auth to dovecot
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination

-- Steve Blinkhorn
dovecot again/still
I am gradually getting dovecot to work with my established postfix configuration, but can't find a way past this error (from /var/log/maillog):

Oct 8 16:26:52 body dovecot: master: Error: Error reading configuration: Invalid settings: No services defined

I'm assuming that I should be looking in conf.d/10-master.conf for the error, but lack of familiarity with the syntax of the conf files is making it hard to see what's wrong.

Is there a way of getting a report of which services are defined so I can test without exposing my live system to errors?

-- Steve Blinkhorn
dovecot/postfix configuration
Perhaps someone with experience of this would offer some advice - the various wikis and helpful howtos I have found so far all start with different assumptions, and there's the occasional "here's a sample script, but it's in an obsolete format, so don't expect it to be of much help".

The basic aim, as before, is to graft dovecot on to an existing email server to allow remote mail access from smartphones. I'm trying to get dovecot running, but when I start it up I get:

Fatal: Error reading configuration: Invalid settings: No services defined

Because the configuration files are legion, it's no easy matter to track down where the offending (lack of?) settings are located.

From postfix I get:

Oct 1 18:14:53 body postfix/smtpd[25677]: warning: SASL: Connect to /var/spool/postfix/private/auth failed: No such file or directory

This is, I presume, a Unix socket that is not getting created. I'm hoping these two errors are sufficiently diagnostic for me not to have to bother the list with what I take to be consequential errors.

-- Steve Blinkhorn
imap configuration
I have the need to configure my mail servers to accept remote mail from company smartphones, which will have unpredictable IP addresses at any given time. As I understand it, this is best done using port 587 and a suitably configured imapd, but it is not clear to me whether stock imapd can do the job. I get the impression that I need to build something like dovecot - but what is the difference between dovecot and dovecot2? I guess this is all obvious once you know it, but if there's a "how to get started with port 587" guide, that would be really helpful. -- Steve Blinkhorn
Re: ntpd and crond question
If I may reply to all in one:

- the virtualisation technology is VMWare
- yes it is crond that shows up as consuming CPU time, not cron
- ktrace -p produces a huge amount of output very quickly. Insofar as I can make sense of it, it appears to relate to name service and to various rc and conf files in /etc
- tcpdump produces vast amounts of output, also mostly to do with name service. I run a simple slave name server on this system (it's there as a fallback machine for when we have problems with our main colo servers in the UK, or when people say they have problems reaching us).

-- Steve Blinkhorn

> What VPS provider?
> xen?
>
> Distance to peers is highly unlikely to be the issue, unless you are
> complaining about 10 ms jitter in achieved timekeeping.
ntpd and crond question
I have NetBSD 5.1 running on a colocated virtual machine running on a remote (to me) site. I am having no success in getting the system clock to synchronise using ntpd, whereas all my various other systems are in lock step. And, at least when the system is idling, crond is reported as taking about 50% of available CPU time.

The drift in the system clock is very substantial: could this be because if I use my other systems as peers or servers the distance (U.K. to California) is excessive? Perhaps someone could suggest/offer sites in the S.F. Bay Area to which I could synchronise?

I don't understand the crond behaviour - there is little in the crontabs, there's no queue of jobs waiting to be processed - and nothing I can see in the results of a web search that seems to relate to my situation.

Can anyone suggest a line of attack?

-- Steve Blinkhorn