Re: where does pkg_admin come from?

2024-05-14 Thread Jeremy C. Reed
On Wed, 15 May 2024, Riccardo Mottola wrote:

> I upgraded from 8.2 to 9.4
> To conserve space, I had to clean up obsolete libraries in /lib, by
> sparcstation is old and has a small disk)
> 
> when I try to upgrade packages, I get this error:
> 
>  /usr/pkg/sbin/pkg_admin: Shared object "libssl.so.12" not found
> 
> we are now at /usr/lib/libssl.so.14.0
> 
> where does pkg_admin come from? a set that did not install or is outdated or
> some of the pkg ?
> I cannot update/replace packages because make_replace complains with
> pkg_admin error, but maybe I can find the beginning of this vicious loop.

Do you also have /usr/sbin/pkg_* ?

Your /usr/pkg/ versions are from the pkg_install package. Maybe just 
remove that package, maybe with:

 /usr/sbin/pkg_delete pkg_install



fake daemons, honeypots?

2024-01-17 Thread Jeremy C. Reed
Any suggestions for fake daemons to use to see scanners or malicious 
connections?
Maybe some services I can run via inetd?
They don't need to actually attempt user authentication,
so just some that have greeting banners as appropriate to initiate use.

I was looking for fake telnetd, imapd, ftpd for example.


Re: pkgconf freetype and flags

2023-10-19 Thread Jeremy C. Reed
On Fri, 20 Oct 2023, Riccardo Mottola wrote:

> Hi!
> 
> who sets what pkgconf returns for the packages? Is it upstream or does it come
> from NetBSD?

See the .pc files under:
/usr/pkg/lib/pkgconfig
/usr/pkg/share/pkgconfig
/usr/lib/pkgconfig
/usr/X11R7/lib/pkgconfig

See the manpage about the environment variables which may be used to
find the pc files.

> I think there is an issue with freetype, missing the other part.
> 
> Here:
> osgiliath: {64} pkg-config --libs freetype2
> -L/usr/pkg/lib -lfreetype
> osgiliath: {65} pkg-config --libs-only-other freetype2
> 

See
pkg-config --path freetype2
and read that pc file to see how configured.

> if I compare it with nettle, which works fine:
> osgiliath: {72} pkg-config --libs nettle
> -Wl,-R/usr/pkg/lib -L/usr/pkg/lib -lnettle
> osgiliath: {73} pkg-config --libs-only-other nettle
> -Wl,-R/usr/pkg/lib
> 
> we see that for freetype -Wl,-R/usr/pkg/lib is missing and this causes me
> various issues during configures and builds.

I assume you are talking about configures/builds outside of pkgsrc. 
Since pkgsrc wrappers add linking flags as needed for pkgsrc builds but 
may not always end up in the generated/installed pc files.


mount -u use fstab options and wapbl log questions

2023-08-10 Thread Jeremy C. Reed
I saw in mount(8):

"The set of options is determined by first extracting the options for 
the file system from the fstab(5) file ..."

But when I did

mount -u /

Then mount didn't show the "log".

t1:reed$ grep ffs /etc/fstab
NAME=8ab393d0-4743-11e8-9359-b8ac6fdf499d   /   ffs rw,log   1 1

So then I did

mount -u -o log /

mount then showed:

/dev/dk0 on / type ffs (log, local)

Does mount -u use the fstab options?

(Sorry I didn't read the code or look at newer versions.)

By the way, are there recommendations for journal sizing?

The manpage hints "1MB of journal per 1GB of file system" but I am 
unsure if that is optimum.

Is there a tool to show how the journal is being used? What journal size 
is used? Where is the journal (special file vs end of partition)? How 
much of the journal is being used?

I am using defaults so I assume I am using 64M for my 291G filesystem.

Also the wapbl(4) manpage has odd grammar:  "If there is adequate space 
between the end of the file system and the end of the partition, then 
unless the journal size has been specified with tunefs(8) then the 
journal will be created after the file system."

Is something worded wrong? (See "then ... then")

The manual also mentions using disklabel to adjust partition to get 
journal after filesystem. Any examples? (Note I am using dk.)

I am using NetBSD 9.3.


Re: cctlds in wtf

2023-06-29 Thread Jeremy C. Reed
Also see

/usr/share/misc/domains

/usr/share/misc/country



Re: making man-pages

2023-04-19 Thread Jeremy C. Reed
On Wed, 19 Apr 2023, Todd Gruhn wrote:

> If I write a program, and a man-page with it; where do I install this
> man-page ??

See the manpath on your NetBSD system:
man -p

That shows which directories actually currently have manuals.
So also see:
/etc/man.conf

A common place to install your own manpage is 
/usr/local/man/man1/

The man manpage or man itself has a bug:
the man.c comments say -p prints the directories containing manpages.
The manpage says -p prints the path.

But actually -p prints the directories from the search path that exist, 
regardless of whether they contain manpages or not.

Okay if I commit this?

 .It Fl p
 Print the search path for the manual pages.
+This excludes cat page directories and non-existent directories.
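Review bot: the added sentence says non-existent directories are excluded but leaves unstated the point made above, that the existing directories are listed whether or not they actually contain manual pages; consider wording it as "This lists the existing directories from the search path, whether or not they contain manual pages, and excludes cat page directories." The man.c comment that claims -p prints directories containing manpages should be corrected in the same commit so the two do not drift apart again.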

Fix man.c comments too?
Or should the code be fixed so that -p only prints directories containing
a man page?


npf NAT stops working on external interface IP changed

2023-01-16 Thread Jeremy C. Reed
Last week, my NetBSD NPF router got a new IP address via DHCP.

npfctl list showed many entries with the nat-addr:port with the old 
address.

I did a npfctl reload and my NAT started working again.

Today it happened again.

"npfctl show" shows the current IP address in the map.

Part of my /etc/npf.conf follows:

$ext_if = "re1"
$int_if = "re0"
$ext_addrs = { ifaddrs($ext_if) }
$localnet = { 172.16.1.0/24 }

# Allow pings
alg "icmp"

# Perform IPv4 NAT
map inet4($ext_if) dynamic $localnet -> inet4($ext_if)

group "external" on $ext_if {
# Allow all outbound traffic
pass stateful out all

# Block all incoming traffic
block in all
}

group "internal" on $int_if {
# Pass everything to internal networks,
# should be ok, because we are nat'ed.
pass final all
}

# default group is mandatory
group default {
# Loopback interface should allow packets to traverse it.
pass final on lo0 all
# Block everything by default.
block all
}


When the problem began my logs had:

Jan 16 18:28:24 t1 unbound: [210:0] error: event_add failed. in cpsl.
Jan 16 18:28:25 t1 syslogd[189]: last message repeated 2 times
Jan 16 18:28:25 t1 unbound: [210:0] error: could not event_del on close
Jan 16 18:28:25 t1 unbound: [210:0] error: event_add failed. in cpsl.
...
Jan 16 18:28:49 t1 unbound: [210:0] error: could not event_del on close
Jan 16 18:28:49 t1 unbound: [210:0] error: event_add failed. in cpsl.

Jan 16 18:28:50 t1 dhcpcd[152]: re1: probing for an IPv4LL address
Jan 16 18:28:50 t1 dhcpcd[152]: re1: using IPv4LL address 169.254.77.128
Jan 16 18:28:50 t1 dhcpcd[152]: re1: DHCP lease expired

Then it was offered a new IP, added route, changed default route.

I did a "sudo npfctl reload" to get NAT to work again.

How can I get it to automatically reload on external interface changes?
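One way to do this, as an added example that is not from the original thread: a hook in the style of dhcpcd-run-hooks(8) that runs npfctl reload when dhcpcd gives the external interface a new address. The hook path /libexec/dhcpcd-hooks/60-npf-reload and the EXT_IF default of re1 are assumptions; the decision logic is kept in a function so it can be exercised without dhcpcd.

```shell
#!/bin/sh
# Added example, not from the original post. Intended to be installed as
# /libexec/dhcpcd-hooks/60-npf-reload (assumed path); dhcpcd-run-hooks(8)
# sources it with $interface, $reason, $old_ip_address and $new_ip_address set.

EXT_IF="${EXT_IF:-re1}"    # external interface, as in the post's npf.conf (assumed default)

# Decide whether an NPF reload is warranted for a dhcpcd event.
# Arguments: reason old_ip new_ip.  Returns 0 (reload) or 1 (skip).
npf_needs_reload() {
    _reason="$1"; _old="$2"; _new="$3"
    case "$_reason" in
        BOUND|REBOOT)
            # A fresh lease: the NAT map may still hold the old address, so
            # always refresh it.
            return 0 ;;
        RENEW|REBIND)
            # Same lease renewed: reload only if the address actually changed.
            [ -n "$_new" ] && [ "$_new" != "$_old" ] && return 0
            return 1 ;;
        EXPIRE|RELEASE|NOCARRIER|STOP|IPV4LL)
            # No usable address yet (an IPv4LL 169.254.x.x address is not one
            # to NAT behind); the next BOUND event will trigger the reload.
            return 1 ;;
        *)
            return 1 ;;
    esac
}

# Only act when dhcpcd invoked us for the external interface.
if [ -n "$interface" ] && [ "$interface" = "$EXT_IF" ]; then
    if npf_needs_reload "$reason" "$old_ip_address" "$new_ip_address"; then
        logger -t npf-hook "$interface: $reason ($old_ip_address -> $new_ip_address), reloading npf"
        /sbin/npfctl reload
    fi
fi
```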


Re: timers slow (sleep 1 taking five seconds)

2022-12-03 Thread Jeremy C. Reed
On Sat, 3 Dec 2022, Michael van Elst wrote:

> >timecounter: Timecounter "ACPI-Fast" frequency 3579545 Hz quality 1000
> >hpet0 at acpi0: high precision event timer (mem 0xfed0-0xfed00400)
> >timecounter: Timecounter "hpet0" frequency 14318180 Hz quality 2000
> 
> >attimer1 at acpi0 (TMR, PNP0100): io 0x40-0x43 irq 0
> 
> >t1:reed$ date ; time sleep 1 ; date 
> >Sat Dec  3 00:31:40 UTC 2022
> >5.01s real 0.00s user 0.00s system
> >Sat Dec  3 00:31:45 UTC 2022
> 
> 
> Can you check
> 
> sysctl kern.timecounter.choice
> sysctl kern.timecounter.hardware
> 
> Maybe you use a mis-calibrated TSC ? The ACPI-Fast and hpet0 counters
> look reasonable.

$ sysctl kern.timecounter.choice
kern.timecounter.choice = TSC(q=-100, f=2992621950 Hz) 
clockinterrupt(q=0, f=100 Hz) ichlpcib0(q=1000, f=3579545 Hz) 
hpet0(q=2000, f=14318180 Hz) ACPI-Fast(q=1000, f=3579545 Hz) 
lapic(q=-100, f=997371786 Hz) i8254(q=100, f=1193182 Hz) 
dummy(q=-100, f=100 Hz)

$ sysctl kern.timecounter.hardware
kern.timecounter.hardware = hpet0

I looked at sysctl(7) and I set it to ACPI-Fast, ichlpcib0, i8254, TSC, 
and back to hpet0 but no noticeable change.


timers slow (sleep 1 taking five seconds)

2022-12-02 Thread Jeremy C. Reed
I think I saw this some months ago, but then the problem disappeared.

But today:

$ time sleep 1
5.03s real 0.00s user 0.01s system
$ time sleep 2
   10.01s real 0.00s user 0.00s system

$ date ; timeout 5 sleep 10 ; date
Fri Dec  2 23:56:42 UTC 2022
Fri Dec  2 23:57:07 UTC 2022

$ date ; sleep 0.5 ; date
Fri Dec  2 23:58:24 UTC 2022
Fri Dec  2 23:58:27 UTC 2022

timecounter: Timecounter "i8254" frequency 1193182 Hz quality 100
Dell Inc. Inspiron 560s  (00)

ACPI: HPET 0xBDD6A640 38 (v01 111010 OEMHPET  20101110 MSFT 0097)

acpi0: fixed power button present
timecounter: Timecounter "ACPI-Fast" frequency 3579545 Hz quality 1000
hpet0 at acpi0: high precision event timer (mem 0xfed0-0xfed00400)
timecounter: Timecounter "hpet0" frequency 14318180 Hz quality 2000

attimer1 at acpi0 (TMR, PNP0100): io 0x40-0x43 irq 0

t1:reed$ date ; time sleep 1 ; date 
Sat Dec  3 00:31:40 UTC 2022
5.01s real 0.00s user 0.00s system
Sat Dec  3 00:31:45 UTC 2022

$ cat /kern/hz
100

$ uname -mrsv  
NetBSD 9.2 NetBSD 9.2 (GENERIC) #0: Wed May 12 13:15:55 UTC 2021  
mkre...@mkrepro.netbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64

$ uptime
 1:48AM  up 94 days, 11:49, 4 users, load averages: 0.12, 0.38, 0.22

The system is continually used without any other noticeable issues.

Any ideas on how to tune this? Possible to fix without 
reboot? Troubleshoot?

Thanks



Re: Upgrading software with pkgsrc

2022-09-30 Thread Jeremy C. Reed
On Fri, 30 Sep 2022, Ottavio Caruso wrote:

> I don't understand why NetBSD must have an additional tool like pkgin
> to perform full upgrades whereas in OpenBSD you can just upgrade the
> whole lot with "pkg_add -u". It looks like a case of "not invented
> here" that plagues the *BSD ecosphere.

It would be "an additional tool" here too. Perl. Their pkg_add is not 
our pkg_add.


Re: NPF/interface tuning? shell unusable on gateway

2022-03-28 Thread Jeremy C. Reed
On Mon, 28 Mar 2022, Greg Troxel wrote:

> I am surprised that anything is paying attention to DSCP codepoints
> (said as someone who has implemented multiple research systems with new
> prioritization controls).  I am even further surprised that the
> codepoint used for ssh low delay would lead to bad behavior especially
> in the absence of congestion.
> 
> It will be very interesting if you figure out what's going on; please
> post a followup.

Well I thought my Tenda P1000 Powerline adapter was somewhat dumb. I 
didn't know it had a management interface and now I see very brief docs 
that it has QoS.  https://www.tendacn.com/faq/2673.html
Maybe it handles tos 0x48 differently than expected. With tos 0x10, it is 
adequate.  I may replace these paired devices.  Any suggestions?

I am using ethernet-over-power until I can get a strong NetBSD based 
wifi access point.

Re: NPF/interface tuning? shell unusable on gateway

2022-03-28 Thread Jeremy C. Reed
On Mon, 28 Mar 2022, RVP wrote:

> On Mon, 28 Mar 2022, Jeremy C. Reed wrote:
> 
> > Any ideas why telnet works slowly but ssh does not at all in these
> > cases? telnet is usable but cannot even see one character sent over ssh
> > when ssh locks up (again it restores about 5 to 10 seconds after I stop
> > or suspend a speedtest or rsync job).
> > 
> 
> Could be a QoS issue when a lot of packets are being xferred.
> 
> Try out a few different QoS options (explicitly) in ssh (though it should
> already be setting some kind of low-delay one by default):
> 
> ssh -oIPQoS='lowdelay' ...

Thank you!  That did not work for me for the client, but gave me a hint. 
The two clients I tried this from were Ubuntu Linux. At least one of 
them defaulted to that already. I don't think the QoS tagging or DSCP is 
honored on NetBSD by default.

All of these work:

1) Connect to NetBSD router via telnet, then connect to itself again 
using ssh (so NetBSD ssh using defaults for ssh/sshd).

2) Run the NetBSD sshd with sshd_config "IPQoS none" instead of default 
of "af21 cs1" (first is for interactive) and use ssh (as is) from my 
Linux client.

3) Run the NetBSD sshd with sshd_config "IPQoS lowdelay throughput" 
instead of default of "af21 cs1" and use ssh from my Linux client.

I wonder if the "af21" default on NetBSD sshd doesn't work as expected.

Thanks again for the hint.

I will need to understand the Ubuntu side better as it doesn't appear to 
have any iptables rules other than default ACCEPTs so I don't think it 
has any QoS. Maybe the ssh client (even when set to none) also honors 
the server-side sshd tagging and not the Linux kernel.

> Adding QoS rules to PF/NPF might also help. pf.conf(5) has a bare-bones
> example.

I may try it later, but now I think the QoS is done on the Linux system.

(I had done lots of testing with dscp with BIND named and also 
extensively tested and wrote about it for pfsense. I had no idea it was 
in sshd/ssh nor did I think I had anything utilizing it.)


Re: NPF/interface tuning? shell unusable on gateway

2022-03-28 Thread Jeremy C. Reed


On Sun, 27 Mar 2022, David Young wrote:

> Are there any packet drops or other errors? `sysctl net.interfaces`,
> `sysctl net.inet6.ip6.ifq`, `sysctl net.inet.ip.ifq`, and `netstat -dvI
> re0; netstat -dvI re1` may be revealing.

David, thank you for the feedback and hints. I switched re1 to outside 
and re0 to my WAN after my previous email just to see if there was any 
change. It still had the same problem. But you helped me track it down to 
what appears to be one link and one service with a problem.  I will 
provide answers below first:

$ sysctl net.interfaces 
net.interfaces.athn0.rcvq.drops = 0
net.interfaces.athn0.sndq.len = 0
net.interfaces.athn0.sndq.maxlen = 256
net.interfaces.athn0.sndq.drops = 0
net.interfaces.re0.rcvq.drops = 0
net.interfaces.re0.sndq.len = 0
net.interfaces.re0.sndq.maxlen = 512
net.interfaces.re0.sndq.drops = 0
net.interfaces.re1.rcvq.drops = 0
net.interfaces.re1.sndq.len = 0
net.interfaces.re1.sndq.maxlen = 512
net.interfaces.re1.sndq.drops = 0
net.interfaces.lo0.rcvq.drops = 0
net.interfaces.lo0.sndq.len = 0
net.interfaces.lo0.sndq.maxlen = 256
net.interfaces.lo0.sndq.drops = 0

$ sysctl net.inet6.ip6.ifq
net.inet6.ip6.ifq.len = 0
net.inet6.ip6.ifq.maxlen = 256
net.inet6.ip6.ifq.drops = 0

(I am not purposely using IPv6.)

$ sysctl net.inet.ip.ifq
net.inet.ip.ifq.len = 0
net.inet.ip.ifq.maxlen = 256
net.inet.ip.ifq.drops = 0

$ netstat -dvI re0; netstat -dvI re1
Name  Mtu   Network        Address                           Ipkts Ierrs Idrops    Opkts Oerrs Colls Odrops
re0   1500                 b8:ac:6f:df:49:9d              19529216     0      0 31150053     0     0      0
re0   1500  172.16/16      172.16.1.1                     19529216     0      0 31150053     0     0      0
re0   1500  fe80::%re0/64  fe80::baac:6fff:fedf:499d%re0  19529216     0      0 31150053     0     0      0
Name  Mtu   Network        Address                           Ipkts Ierrs Idrops    Opkts Oerrs Colls Odrops
re1   1500                 f4:f2:6d:00:b7:57              30856346     0      0 19509672     0     0      0
re1   1500  fe80::%re1/64  fe80::200e:d2e4:6900:afc6%re1  30856346     0      0 19509672     0     0      0
re1   1500  47.185.18/24   47.185.18.26                   30856346     0      0 19509672     0     0      0

> What link speed is negotiated on WAN and LAN ports?
> Is any flow-control negotiated?

My LAN interface:
$ ifconfig re0  
re0: flags=0x8843 mtu 1500

capabilities=3f80
capabilities=3f80
enabled=0
ec_capabilities=3
ec_enabled=0
address: b8:ac:6f:df:49:9d
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 172.16.1.1/16 broadcast 172.16.255.255 flags 0x0
inet6 fe80::baac:6fff:fedf:499d%re0/64 flags 0x0 scopeid 0x2

My interface to outside:
$ ifconfig re1 
re1: flags=0x8843 mtu 1500

capabilities=3f80
capabilities=3f80
enabled=0
ec_capabilities=3
ec_enabled=0
address: f4:f2:6d:00:b7:57
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 47.185.18.26/24 broadcast 47.185.18.255 flags 0x0

> It sounds like the LAN is quite slow?  I may have misunderstood.  Is the
> LAN all wired or is there any wireless involved?

Currently the LAN goes to a wireless router (then is double NAT) and it 
is primarily used with wifi. It also has a few Ethernet connections from 
it, including to my main workstation (which happens to be over 
ethernet-over-power).

So I tried to reproduce the problem on a laptop over wifi (second LAN 
router) and had no problem.

I bypassed both wifi and ethernet-over-power and had no problem.

I bypassed second LAN router and did have problem over 
ethernet-over-power.

I used a different computer over the second router and over 
ethernet-over-power and did have the problem.

So the problem is over the ethernet-over-power (regardless of whether it 
goes through the second router or not).

The problem is: using shell on the netbsd router is basically locked up, 
not just slow but entirely unusable, for the same client over 
ethernet-over-power that is also doing some downloads/uploads.

I have had an ethernet-over-power adapter fail before and I replaced 
it.

I am confused by some things:

- I didn't see the problem before my change to NetBSD as the router. 
Maybe I didn't use it enough before to notice it (but had used it over 
5+ years).  Maybe the ethernet-over-power just started failing recently, 
so it was a coincidence.

- While the ssh hangs (even on different port), I can use echo (7/tcp), 
chargen (19/tcp), and telnet services fine from the same client to 
the same system.  (sshd on different port and via inetd does not work.)

- I don't understand why even though my same client cannot use the 
NetBSD router's shell, I can route through it fine and use outside shell 
fine at same time.

I will replace the ethernet-over-power, but I wonder still how I can 
tune my NetBSD router so I can use ssh to it. Maybe some quality of 
service configuration. 

NPF/interface tuning? shell unusable on gateway

2022-03-26 Thread Jeremy C. Reed
On same hardware, a week ago I changed my router from a different 
operating system to NetBSD/amd64 9.2.

It is running a simple NAT gateway using NPF and also runs dhcpd and 
unbound for internal LAN.

Periodically my shells on this new NetBSD router become unusable -- too 
slow to type.

The interfaces are:

re0 is my WAN
re0 at pci2 dev 0 function 0: RealTek 8168/8111 PCIe Gigabit Ethernet 
(rev. 0x03)
re0: interrupting at msix1 vec 0
re0: using 256 tx descriptors
rgephy0 at re0 phy 7: RTL8211B 1000BASE-T media interface

re1 is my LAN
re1 at pci3 dev 1 function 0: RealTek 8169/8110 Gigabit Ethernet (rev. 
0x10)
re1: interrupting at ioapic0 pin 16
re1: using 256 tx descriptors
rgephy1 at re1 phy 7: RTL8211C 1000BASE-T media interface

I can reproduce the problem by starting an rsync (over ssh) within my 
LAN transferring to or from outside. I can also reproduce by running 
"speedtest-cli" within my LAN.

I cannot reproduce the problem by doing the rsync or speedtest-cli 
directly on the NetBSD router itself. So it appears not to be the NAT nor 
the WAN interface.

While my NetBSD router shell is unusable, I can still use remote SSH 
shells fine.  That is the part that confuses me, so over the NAT and 
over the WAN is okay. Even ssh shell on the remote host rsyncing to or 
from is usable while the NetBSD gateway shell is unusable (at the same 
time).

There is low cpu load when I have problem.

With rsync across my gateway, if I use --bwlimit 1400k, the problem is 
noticeable but the shell is somewhat usable. With --bwlimit 1500k or 
faster, the shell is unusable.

I tried to watch with systat ifstat. It appears to hang when re1 out 
(to my LAN) reaches around 10 Mbits/s to 11 Mbits/s. One time 
"systat ifstat 0.01" showed it hung at out 10.883 Mb/s, peak: 
12.196 Mb/s. (But since it hangs, it may not have updated timely.)

The shell hangs immediately when doing the rsync. When I suspend the 
rsync, my shell recovers in about 10 seconds. I could reproduce this 
many times.

speedtest-cli over LAN shows Download: 6.34 Mbit/s
systat ifstat 0.01 shows peak 24.312 Mb/s

another speedtest-cli run over LAN Download: 9.95 Mbit/s
systat peak 20.981 Mb/s

A speedtest-cli over the LAN using same hardware, same interfaces, 
different operating system was Download: 62.72 Mbit/s but that was six 
months ago, and different target "best server".

I can also get 18.816 Mb/s traffic from the gateway (not over NAT nor 
WAN) to LAN and the NetBSD gateway shell is still usable, but noticeably 
laggy. So 1.5 times more bandwidth. So maybe it is the NPF NAT that is 
the problem.

My npf.conf is:

$ext_if = "re0"
$int_if = "re1"
$ext_addrs = { ifaddrs($ext_if) }
$localnet = { 172.16.1.0/24 }

alg "icmp"

map inet4($ext_if) dynamic $localnet -> inet4($ext_if)

group "external" on $ext_if {
pass stateful out all
block in all
}

group "internal" on $int_if {
pass final all
}

group default {
pass final on lo0 all
block all
}

I am unsure if the NPF is the problem, and maybe my interface has a 
problem, but it was working fine for me to log in and use the shell on 
the system locally many times before I put NetBSD on it.

Any suggestions on tuning so my shell on the router is usable?

Here is "systat vmstat 0.01" when it hangs:

4 usersLoad  0.12  0.05  0.05  Sat Mar 26 18:31:58

Proc:r  d  sCsw  Traps SysCal  Intr   Soft  Fault PAGING   SWAPPING
1  6114  1193  1200   1000in  out   in  out
ops
  14.3% Sy   0.0% Us   0.0% Ni   3.6% In  82.1% Idpages
|||||||||||
===%% forks
  fkppw
Anon   130180   4%   zero   302356  1250 Interrupts   fksvm
Exec24816%   wired  24   TLB shootdownpwait
File  1831888  61%   inact  671384   100 cpu0 timer   relck
Meta   409088%   bufs89448   336 ioapic0 pin 16   rlkok
 (kB)real   swaponly  free   ioapic0 pin 18   noram
Active1315476   331500   814 msix1 vec 0  ndcpy
Namei Sys-cache Proc-cache   ioapic0 pin 23   fltcp
Calls hits% hits %   ioapic0 pin 19   zfod
66  100   cow
  512 fmin
  Disks: sd0 wd0 dk0 dk1  682 ftarg
 seeksitarg
 xfersflnan
 bytespdfre
 %busy

Any suggestions on 

Re: restore super block? recover missing data?

2022-03-21 Thread Jeremy C. Reed
On Sun, 20 Mar 2022, Michael van Elst wrote:

> r...@reedmedia.net ("Jeremy C. Reed") writes:
> 
> >FFSv2 sb at 2176 size 623508480, last mounted on 
> >FFSv2 sb at 2240 size 623508480, last mounted on /
> 
> 
> One more thing. Since the first superblock is found, it might be
> still ok and you only need to recover the disklabel (and handle the
> bad blocks that started everything).

Thank you so much (and other email too).

I did a grep -a over my filesystem for a few entries I would see in my 
disklabel. It found source code, docs, examples. But after several hours 
it found four identical copies of my disklabel (from /var/backups). I 
used "disklabel -R sd4 J.disklabel-NEW" and was able to mount my 
partitions. Doing a find over them caused both of the mount points to 
fail. (I didn't handle the bad blocks.) I rebooted, replugged in the 
disk caddy, and re-mounted and was able to copy over my missing files.

(Note to self: 1) make sure my backups are complete for what I need; 2) 
don't ignore disk errors; 3) monitor disk for SMART and disk errors.)


restore super block? recover missing data?

2022-03-19 Thread Jeremy C. Reed
On NetBSD 8.x I had a disk failing. I didn't write down complete kernel 
messages but like:

ahcisata0 clearing WDCTL_RST failed for drive 0
wd0
writing fsbn 288240960 ... bn 288243008
writing fsbn 544623424 ... bn 544625472

My system basically hung when I accessed some files. I had to power off 
a few times after I gave up waiting. I could use my shell but couldn't 
run any commands from file system. On next boot I could use system 
again. The problem seemed to happen when I looked at a specific file or 
directory.  fsck showed me the same file.

Single filesystem. I enabled wapbl so I could reboot faster.
mount -o log /dev/wd0a

I tried reading and writing to it with dd
dd if=/dev/rwd0d skip=288243008 out=/dev/null count=1
I should have saved to a file!
dd if=/dev/zero skip=288243008 out=/dev/rwd0d count=1
then read again

I didn't see any kernel messages at that time.

I also tried using badsect with same number. The manual says "sector" 
and the command-line usage says "blkno". It resulted in something like

   block ... in superblock area: cannot attach

When I tried to reboot my Dell said "Operation System Not Found" (that 
spelling). I couldn't boot from multiple USB flash disks either so 
unsure if other problems.

I removed the SATA 2.5 inch disk. There was an extra screw loose 
around there. Don't know where it came from.

I put it into a USB adapter caddy and booted on a different NetBSD 9.2 
system:

Mar 19 18:44:29 localhost /netbsd: [ 3378.8978590] umass1 at uhub3 port 
1 configuration 1 interface 0
Mar 19 18:44:29 localhost /netbsd: [ 3378.8978590] umass1: JMicron 
(0x152d) USB to ATA/ATAPI bridge (0x2329), rev 2.00/1.00, addr 3
Mar 19 18:44:29 localhost /netbsd: [ 3378.8978590] umass1: using SCSI 
over Bulk-Only
Mar 19 18:44:29 localhost /netbsd: [ 3378.8978590] scsibus1 at umass1: 2 
targets, 1 lun per target
Mar 19 18:44:29 localhost /netbsd: [ 3378.8978590] sd4 at scsibus1 
target 0 lun 0:  disk fixed
Mar 19 18:44:29 localhost /netbsd: [ 3378.9077701] sd4: 596 GB, 16383 
cyl, 16 head, 63 sec, 512 bytes/sect x 1250263728 sectors

I have read over the entire rsd4d without any kernel messages (grepping 
for data which took 11290.89 real   156.49 user   152.81 
sys).

localhost# /sbin/disklabel  sd4
# /dev/rsd4:
type: SCSI
disk: 3AS 
label: fictitious
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 1250263728
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0 

4 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
 a: 1250263728         0     4.2BSD      0     0     0  # (Cyl.      0 - 1240340)
 d: 1250263728         0     unused      0     0        # (Cyl.      0 - 1240340)
disklabel: boot block size 0
disklabel: super block size 0

---

localhost# fsck /dev/sd4a
** /dev/rsd4a
BAD SUPER BLOCK: CAN'T FIND SUPERBLOCK
/dev/rsd4a: CANNOT FIGURE OUT SECTORS PER CYLINDER

---

localhost# fsck_ffs -b 32 /dev/sd4a
Alternate super block location: 32
** /dev/rsd4a
BAD SUPER BLOCK: MAGIC NUMBER WRONG

---

Running for hours:

localhost# scan_ffs -b /dev/sd4a
Disk: 3AS fictitious
Total sectors on disk: 1250263728

FFSv2 sb at 191 size 1237910688, last mounted on 
FFSv2 sb at 223 size 1237910688, last mounted on /
FFSv2 sb at 254 size 203423744, last mounted on 
FFSv2 sb at 318 size 203423744, last mounted on /
FFSv2 sb at 2176 size 623508480, last mounted on 
FFSv2 sb at 2240 size 623508480, last mounted on /
FFSv1 sb at 40025 size 18443881409241666161, last mounted on 
FFSv2 sb at 1519296 size 623508480, last mounted on E??H
FFSv2 sb at 3036352 size 623508480, last mounted on 
FFSv2 sb at 4553408 size 623508480, last mounted on 
FFSv2 sb at 6070464 size 623508480, last mounted on 
FFSv1 sb at 7005534 size 1, last mounted on 
FFSv1 sb at 7005550 size 1, last mounted on 
FFSv2 sb at 7587520 size 623508480, last mounted on 
FFSv2 sb at 9104576 size 623508480, last mounted on 
FFSv2 sb at 10621632 size 623508480, last mounted on
FFSv2 sb at 12138688 size 623508480, last mounted on 
FFSv2 sb at 13655744 size 623508480, last mounted on 
FFSv2 sb at 15172800 size 623508480, last mounted on 
FFSv2 sb at 16689856 size 623508480, last mounted on 
FFSv2 sb at 18206912 size 623508480, last mounted on 
FFSv2 sb at 19723968 size 623508480, last mounted on 
FFSv2 sb at 21241024 size 623508480, last mounted on 
FFSv2 sb at 22758080 size 623508480, last mounted on 
FFSv2 sb at 24275136 size 623508480, last mounted on 
FFSv2 sb at 25792192 size 623508480, last mounted on 
FFSv2 sb at 27309248 size 623508480, last mounted on 
FFSv2 sb at 28826304 size 623508480, last mounted on 
FFSv1 sb at 28851269 size 18446741685369321174, last mounted on 
FFSv2 sb at 30343360 size 623508480, last mounted on tLH?

Re: manpage section-names

2021-10-30 Thread Jeremy C. Reed
On Sat, 30 Oct 2021, Todd Gruhn wrote:

> I noticed that the manpage-reader at man.netbsd.org has
> sections 3LUA and 9LUA. I noticed my system also has sections
> 3f, 3am, and n . What are the names of these sections?
> 
> As I continue installing software, will I have more new manpage-sections
> installed?

I didn't look at the PLISTs (package lists), but likely you will not.
See /etc/man.conf for the _subdir list and the sections. If a 
package installs elsewhere, likely your man won't see it. But you can 
edit man.conf if really needed (but may be better to fix the package 
install).

3lua   see "man 3lua intro"

9lua   see "man 9lua intro"

3f is empty on my system, but I have it under the old CSRG...
"This section describes those functions that are in the Fortran run time
library."

3am as installed on my system from package is the  "Free Software 
Foundation" "GNU Awk Extension Modules"

n I didn't search for definition of "n" but I have (on very old BSD): 
tcl, Tk, X Version 10, dipress, and a bunch of third-party software from 
SPMS like Jove.





- Jeremy

echo Ohl zl obbx uggc://errqzrqvn.arg/obbxf/csfrafr/ | \
 tr "Onoqrsuvxzabcefghl" "Babdefhikmnoprstuy"



Re: Thoughts regarding Borg and Python, and pkgtools

2021-08-09 Thread Jeremy C. Reed
On Sun, 8 Aug 2021, Todd Gruhn wrote:

> 2) Where are the man pages? My man-page viewer cant find them

You can see if manpages are installed by looking at the package list

pkg_info -L py39-borgbackup  # replace with the correct package name

I don't think the package installs a manpage per the PLISTs. I didn't 
look at the source ...



Re: firefox and maxfiles and rlimit.descriptors

2020-11-14 Thread Jeremy C. Reed
> So how can one increase the kernel limit so that ulimit -n can work with
> a greater value? (it doesn't accept anything else but 956, despite
> kern.maxfiles being increased).

$ sysctl kern.maxfiles
kern.maxfiles = 3405
$ sudo sysctl -w kern.maxfiles=3500   
kern.maxfiles: 3405 -> 3500
$ sysctl kern.maxfiles  
kern.maxfiles = 3500
$ sysctl proc.$$.rlimit.descriptors.hard  
proc.13239.rlimit.descriptors.hard = 3405
$ ulimit -H -n   
3405
$ sudo sysctl -w proc.$$.rlimit.descriptors.hard=3450 
proc.13239.rlimit.descriptors.hard: 3405 -> 3450
$ ulimit -H -n
3450

Notice I use root to increase the hard limit for my non-root process.


HVM virtualization?

2020-10-31 Thread Jeremy C. Reed
One of my hosting providers is converting VPSes from PV to HVM 
virtualization due to a security issue
https://xenbits.xen.org/xsa/advisory-286.html

They say NetBSD does not work under HVM mode and can choose a different 
BSD (or Linux).

Can someone tell me about this? I did look briefly at 
http://wiki.netbsd.org/ports/xen/howto/ but don't understand the context 
of the wiki saying it is supported but the hosting provider saying it 
does not work.

Thanks!


Re: quad port gigabit ethernet?

2020-09-24 Thread Jeremy C. Reed
On Wed, 23 Sep 2020, Hisashi T Fujinaka wrote:

> Yes. Still in production.
> 
> https://ark.intel.com/content/www/us/en/ark/products/codename/36767/portville.html
> 
> On Wed, 23 Sep 2020, SAITOH Masanobu wrote:

> > I350-T4V2?

Thank you.

This gave me a hint to look in 
sys/dev/pci/pcidevs_data.h
and
sys/dev/pci/if_wm.c

The link above is for
Controller: Intel 82576
System Interface Type PCIe v2.0 (2.5 GT/s)
E1G44ET2 Intel Gigabit ET2 Quad Port Server Adapter
which I think is the 
#define PCI_PRODUCT_INTEL_82576_QUAD_COPPER_ET2 0x1526  /* 82576 quad-1000BaseT Ethernet */

The part number above I think is 
Controller:  Intel I350
PCIe v2.1 (5.0 GT/s)
and there are multiple pci definitions for I350 too but unsure about T4

I will likely order a E1G44ET2 or EXPI9404PT (82571GB controllers). (I 
heard about Intel PRO/1000 PT Quad Port Server Adapter off list).

Thanks again


quad port gigabit ethernet?

2020-09-22 Thread Jeremy C. Reed
I found a couple of examples of quad-port Ethernet drivers in manpages, but 
don't see anything specifically for Gigabit Ethernet. wm(4) does mention 
some dual port devices but no four-port ones. (I see an Intel 82580 at a 
store online that had 4 ports on one PCIe adaptor.)

Any suggestions for a quad port gigabit ethernet network interface card 
with four RJ45 jacks supported by NetBSD and the device driver for it?

Thanks

Jeremy C. Reed

echo Ohl zl obbx uggc://errqzrqvn.arg/obbxf/csfrafr/ | \
 tr "Onoqrsuvxzabcefghl" "Babdefhikmnoprstuy"


Re: NetBSD Jails

2020-05-18 Thread Jeremy C. Reed
On Sat, 16 May 2020, Aaron B. wrote:

> It also doesn't solve the ultimate issue here, which is isolation: a
> user (in the kernel sense of user, not necessarily a human logged in via
> SSH) in one chroot could run 'ls' or equivalent syscalls and see
> activity inside a different chroot.

Assuming this is a typo, please see the
security.curtain=1 sysctl.

For details, read manuals:
security(7)
secmodel_extensions(9)
sysctl(7)


Re: Testing a password

2020-04-29 Thread Jeremy C. Reed
On Wed, 29 Apr 2020, Todd Gruhn wrote:

> I found the master password file. The passwords that were set (root,
> cvs, my account)
> all start with $sha$ -- so the passwords are encrypted using SHA?
>
> If I write a PERL program that checks passwords (can't use crypt), how 
> would I do this? Any particular modules I need?

You will need to salt it the same way which 

For the C reference see __gensalt_sha1() and pw_gensalt()
src/lib/libcrypt/pw_gensalt.c

(NOTE: a pw_gensalt(3) manual page needs to be written)

with example use in src/lib/libpam/modules/pam_unix/pam_unix.c
and src/usr.bin/passwd/local_passwd.c

(NOTE: the crypt(3) manual page needs to be updated to document the 
$sha1$ behavior.)

For perl, you can try
p5-CryptX
or
Digest::SHA (I think it is in the default perl install)



Re: DNSSEC vs netbsd-8/sparc?

2020-04-21 Thread reed
The problem I reproduced in March (but didn't solve) was on amd64 where 
the DS didn't match. It used SHA384.

Two different examples:
https://mail-index.netbsd.org/netbsd-users/2020/03/24/msg024303.html

https://mail-index.netbsd.org/netbsd-users/2020/03/20/msg024285.html


Re: DNSSEC vs netbsd-8/sparc?

2020-04-16 Thread reed
On Thu, 16 Apr 2020, John D. Baker wrote:

> Curiously, with "dnssec-validation auto;" commented out (but with
> "dnssec-enable yes;" un-commented) the server resolves external domains,
> but appears to not actually use DNSSEC?
>
> Conversely, with "dnssec-enable yes;" commented out but with
> "dnssec-validation auto;" un-commented, the server fails to resolve
> external domains.

The named is misleading. Even though it logs about using bind.keys file 
or using built-in keys, it is not. When using defaults of
"dnssec-enable yes;" and "dnssec-validation yes;"  you have to have a 
trusted-keys or managed-keys also configured.

A quick way is

include "/etc/namedb/bind.keys";

(outside of options { }; block)

See /usr/share/doc/reference/ref8/bind9/arm/Bv9ARM.ch06.html

(My book at amazon is the cross-referenced, edited, and expanded version 
of that, but now a few years old.)

The bindkeys-file defines the path to the above file. 
It is used if using dnssec-validation as auto (not yes).

Using dnssec-validation default as yes means "a trust anchor must be 
manually configured using a trusted-keys or managed-keys statement."

Since no trust anchor is manually configured, that explains why it probably 
works for you (because there is no validation).

Now you may have other problems:

1) Your bind.keys file may be too old.

See if it has one of the keys that matches what you can see with:

dig +multi -t DNSKEY .

Now maybe you don't trust that. Also see 
http://ftp.isc.org/isc/bind9/keys/9.11/
and
https://data.iana.org/root-anchors/root-anchors.xml
and https://www.iana.org/reports/2017/root-ksk-2017.pdf
but that is a DS which can be verified:

t1:reed$ dig +multi -t DNSKEY . > tmp-root-keys  

t1:reed$ dnssec-dsfromkey -f tmp-root-keys  .
. IN DS 20326 8 1 AE1EA5B974D4C858B740BD03E3CED7EBFCBD1724
. IN DS 20326 8 2 
E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

2) Or for some reason, some older named built on older NetBSD is 
generating the DS hash wrong, so when it tries to verify a DNSKEY (against a DS) 
it fails. (See the older thread where two different postings showed the 
DS mismatch.)



Re: SMTP servers receiving from gmail

2020-04-16 Thread reed
On Thu, 16 Apr 2020, ignat...@cs.uni-bonn.de wrote:

> However, SPF seems
> to work to pacify Google and isn't very difficult to setup.

For many years, I periodically send emails using a NetBSD.org address. I 
didn't think about SPF.

I never get any bounces for this. Now I see the SPF rule in the TXT 
record has "?all" or neutral or no policy.

In your case, is it that Google just likes that an SPF is there 
regardless of the qualifier?


Re: DNS Failures - All of a sudden today 20200325

2020-03-25 Thread reed
On Wed, 25 Mar 2020, ya...@sdf.org wrote:

> Another user on the ISC list suggested setting
>   dnssec-lookaside no;
> Which also feels risky.

Comment out or remove the NetBSD provided configuration for that in 
named.conf.

> And generically ISC suggested all users remove the dlv.isc.org zone from
> their configuration...because the zone is empty and if removed would not
> cause
> the expired key to fail dns...
> 
> My only problem is I do not know how to remove as I cannot find this zone in
> my configuration.

Not a zone but a managed keys (or trusted keys) configuration.
Remove the reference to it (a few lines) from your bind keys file, 
probably at /etc/namedb/bind.keys
If you have managed-keys or trusted-keys with it elsewhere remove those 
lines there too.
But be sure to keep the DNS root zone's keys.

(Looking at my old sent-mail, I tested and reported about this scenario 
in May 2014.)


Re: trouble resolving protonmail.ch, dnssec, seems netbsd-specific maybe

2020-03-20 Thread reed
> I don't know why but the created new digest hash didn't match.
> The technique is to use same digest algorithm type and create a digest 
> of the matching DNSKEY.  In this case the resulting digest didn't match. 
> (New one was six bytes shorter.)

I did this wrong. A little cleanup below. I don't know why the digests 
don't match.

> I will stop here. I just assume something is wrong with the crypto (in 
> bind9 or its dependencies).

;; validating ch/DNSKEY: JCR3: dns_rdata_tostruct result 0
;; validating ch/DNSKEY: JCR24: old key tag 55966
;; validating ch/DNSKEY: JCR25: old algorithm 13
;; validating ch/DNSKEY: JCR22: old ds length 32
;; validating ch/DNSKEY: JCR23: old digest 
CEB479416E4EFD770800434BE1245E1B10D4CF018255C11D8544C448FA032B32
;; validating ch/DNSKEY: JCR7: dns_rdata_tostruct result 0
;; validating ch/DNSKEY: JCR9: algorithm 13 13
;; validating ch/DNSKEY: JCR8: keytag 55966 18757
;; validating ch/DNSKEY: JCR7: dns_rdata_tostruct result 0
;; validating ch/DNSKEY: JCR9: algorithm 13 13
;; validating ch/DNSKEY: JCR8: keytag 55966 55966
;; validating ch/DNSKEY: JCR10: dns_ds_buildrdata result 0
;; validating ch/DNSKEY: JCR14: new type 43
;; validating ch/DNSKEY: JCR15: old length 36
;; validating ch/DNSKEY: JCR16: new length 36
;; validating ch/DNSKEY: JCR17: new digest type 2
;; validating ch/DNSKEY: JCR18: new key tag 55966
;; validating ch/DNSKEY: JCR19: new algorithm 13
;; validating ch/DNSKEY: JCR20: new ds length 32
;; validating ch/DNSKEY: JCR21: new digest 
CEB479416E4EFD770800434BE1245E1B10D4CF018255C11D8544C448FA032B32
;; validating ch/DNSKEY: JCR13: dns_rdata_compare result 0
;; validating ch/DNSKEY: JCR11: dns_rdata_compare
;; validating ch/DNSKEY: JCR2: keyfromds result 0
;; validating ch/DNSKEY: JCR: result 0
;; validating protonmail.ch/DNSKEY: JCR3: dns_rdata_tostruct result 0
;; validating protonmail.ch/DNSKEY: JCR24: old key tag 27196
;; validating protonmail.ch/DNSKEY: JCR25: old algorithm 8
;; validating protonmail.ch/DNSKEY: JCR22: old ds length 48
;; validating protonmail.ch/DNSKEY: JCR23: old digest 
E422EE237DE2FE29190F1BDDC0C0E2469679411F329AAB2A7BD8DE43575C1C6FAB6B9FFC521996E526F4B5D513798D9E
;; validating protonmail.ch/DNSKEY: JCR7: dns_rdata_tostruct result 0
;; validating protonmail.ch/DNSKEY: JCR9: algorithm 8 8
;; validating protonmail.ch/DNSKEY: JCR8: keytag 27196 6753
;; validating protonmail.ch/DNSKEY: JCR7: dns_rdata_tostruct result 0
;; validating protonmail.ch/DNSKEY: JCR9: algorithm 8 8
;; validating protonmail.ch/DNSKEY: JCR8: keytag 27196 27196
;; validating protonmail.ch/DNSKEY: JCR10: dns_ds_buildrdata result 0
;; validating protonmail.ch/DNSKEY: JCR14: new type 43
;; validating protonmail.ch/DNSKEY: JCR15: old length 52
;; validating protonmail.ch/DNSKEY: JCR16: new length 52
;; validating protonmail.ch/DNSKEY: JCR17: new digest type 4
;; validating protonmail.ch/DNSKEY: JCR18: new key tag 27196
;; validating protonmail.ch/DNSKEY: JCR19: new algorithm 8
;; validating protonmail.ch/DNSKEY: JCR20: new ds length 48
;; validating protonmail.ch/DNSKEY: JCR21: new digest 
73D3962080B965B6A3D80AB3097FDA1C561C49FB938C06941D9910DC6B3E21AC0F2C8610BB8F6ADB0279EC726D2C4648
;; validating protonmail.ch/DNSKEY: JCR13: dns_rdata_compare result 1
;; validating protonmail.ch/DNSKEY: JCR12: dns_rdata_compare else
;; validating protonmail.ch/DNSKEY: JCR2: keyfromds result 29
;; validating protonmail.ch/DNSKEY: JCR: result 29


Re: trouble resolving protonmail.ch, dnssec, seems netbsd-specific maybe

2020-03-20 Thread reed
I added a large amount of debugging.
Too bad the many checks didn't have debug logging.

I don't know why but the created new digest hash didn't match.
The technique is to use same digest algorithm type and create a digest 
of the matching DNSKEY.  In this case the resulting digest didn't match. 
(New one was six bytes shorter.)
I will stop here. I just assume something is wrong with the crypto (in 
bind9 or its dependencies).

;; validating protonmail.ch/DNSKEY: JCR23: old digest 
"#})^Y^OESCF<96>yA^_2<9A>*{CW\^\ok<9F>R^Y<96>&^Sy<8D><9E>p1^?!|
;; validating protonmail.ch/DNSKEY: JCR24: old digest length 56
;; validating protonmail.ch/DNSKEY: JCR7: dns_rdata_tostruct result 0
;; validating protonmail.ch/DNSKEY: JCR9: algorithm 8 8
;; validating protonmail.ch/DNSKEY: JCR8: keytag 27196 6753
;; validating protonmail.ch/DNSKEY: JCR7: dns_rdata_tostruct result 0
;; validating protonmail.ch/DNSKEY: JCR9: algorithm 8 8
;; validating protonmail.ch/DNSKEY: JCR8: keytag 27196 27196
;; validating protonmail.ch/DNSKEY: JCR10: dns_ds_buildrdata result 0
;; validating protonmail.ch/DNSKEY: JCR14: new type 43
;; validating protonmail.ch/DNSKEY: JCR15: old length 52
;; validating protonmail.ch/DNSKEY: JCR16: new length 52
;; validating protonmail.ch/DNSKEY: JCR17: new digest type 4
;; validating protonmail.ch/DNSKEY: JCR18: new key tag 27196
;; validating protonmail.ch/DNSKEY: JCR19: new algorithm 8
;; validating protonmail.ch/DNSKEY: JCR20: new length 48
;; validating protonmail.ch/DNSKEY: JCR21: new digest s<96> <80>e
;; validating protonmail.ch/DNSKEY: JCR25: new digest length 50



Re: trouble resolving protonmail.ch, dnssec, seems netbsd-specific maybe

2020-03-20 Thread reed
On Fri, 20 Mar 2020, Jarle Greipsland wrote:

> r...@reedmedia.net writes:
> > I was able to reproduce maybe the problem. I think the version of named 
> > is bad (it is unsupported).
> Might it have to do with the fact that the (only) DS RR for
> protonmail.ch uses digest type 4 (i.e. SHA-384), which is an
> optional algorithm?  What is the support of our BIND version for
> the SHA-384 algorithm?

I was wondering about that but the BIND code then (9.10.5-P1) has the 
SHA-384 algorithm support
src/external/bsd/bind/dist/lib/isc/sha2.c 
and
the DS code has the digest_type support for DNS_DSDIGEST_SHA384
src/external/bsd/bind/dist/lib/dns/rdata/generic/ds_43.c

Also I was able to find some current domains that only have type "4" 
that work (mxz.ch, v4bl.org, agimm.org, ampau.org).

I do think it has something to do with the netbsd build; separate from the 
netbsd build, it works fine. I didn't track this down yet.

You can also use delv to see named like behaviour:
delv protonmail.ch
delv -d 99 protonmail.ch



Re: trouble resolving protonmail.ch, dnssec, seems netbsd-specific maybe

2020-03-19 Thread reed
I was able to reproduce maybe the problem. I think the version of named 
is bad (it is unsupported).  I believe you got it to work because dnssec 
validation was disabled. (When enabled the queries did not work.)

> My config file starts out (now that I changed auto to yes):
> 
> options {
> directory "/etc/namedb";
> dnssec-enable yes;
> dnssec-validation yes;
> managed-keys-directory "keys";
> bindkeys-file "bind.keys";
> allow-recursion { acl_recursive_query; };
> };

dnssec-validation yes should be using the "bind.keys"

> and dnssec-validation used to be auto.  With dnssec-validation yes, I
> think bindkeys-file is ignored.

That is reversed. It is using bindkeys-file.  Have a look at 
/usr/share/doc/reference/ref8/bind9/arm/Bv9ARM.ch06.html  (or see my 
extended edited version of it :)

> keys/managed-keys.bind has something that looks current

That is used because your bind.keys is using managed-keys.

Let's verify your named is doing validation:

dig @127.0.0.1 +dnssec . | egrep "flags:|RRSIG"

You should see the "ad" flag.

dig @127.0.0.1 +dnssec www.netbsd.org

You should also see the "ad" flag.

But protonmail.ch does have problems which I see using BIND 9.10.5 on 
NetBSD 8.1 using "dnssec-validation auto;"

Mar 20 01:32:11 morden named[292]: validating protonmail.ch/DNSKEY: no 
valid signature found (DS)

Mar 20 01:32:11 morden named[292]: no valid RRSIG resolving 
'protonmail.ch/DNSKEY/IN': 3.127.12.149#53

Mar 20 01:32:12 morden named[292]: validating protonmail.ch/DNSKEY: no 
valid signature found (DS)

Mar 20 01:32:12 morden named[292]: no valid RRSIG resolving 
'protonmail.ch/DNSKEY/IN': 18.194.37.70#53

Mar 20 01:32:12 morden named[292]: validating protonmail.ch/DNSKEY: no 
valid signature found (DS)

Mar 20 01:32:12 morden named[292]: no valid RRSIG resolving 
'protonmail.ch/DNSKEY/IN': 185.70.40.19#53

So it tried all three of their nameservers above.

Mar 20 01:32:12 morden named[292]: broken trust chain resolving 
'protonmail.ch/A/IN': 185.70.40.19#53

Mar 20 01:32:12 morden named[292]: query client=0x7f18b31d0800 
thread=0x7f18b598f000 (protonmail.ch/A): query_find: unexpected error 
after resuming: broken trust chain

I bumped up some debugging

20-Mar-2020 02:04:20.361 validating protonmail.ch/DNSKEY: no DNSKEY 
matching DS
20-Mar-2020 02:04:20.361 validating protonmail.ch/DNSKEY: no valid 
signature found (DS)

I also looked at v9_10 lib/dns/validator.c  code around this.
 
$ dig +multiline +dnssec @a.nic.ch. protonmail.ch 

protonmail.ch.  3600 IN DS 27196 8 4 (
E422EE237DE2FE29190F1BDDC0C0E2469679411F329A
AB2A7BD8DE43575C1C6FAB6B9FFC521996E526F4B5D5
13798D9E )

keyid is 27196

$ dig +multiline +dnssec @ns1.protonmail.ch protonmail.ch -t DNSKEY

...
) ; ZSK; alg = RSASHA256 ; key id = 6753

...
) ; KSK; alg = RSASHA256 ; key id = 27196

So there is one for the same keyid.
I didn't try to use any custom tool to test the DS hash and signatures 
themselves.
But using other and newer nameservers validated it fine.

I also use "dnssec-validation yes;" instead of auto. bind.keys in the 
NetBSD 8.1 I looked at is out of date. It won't work for DNSSEC. It 
falls back to use no DNSSEC.

My recommendation is use newer named.
(I have had similar problems before related to not being built with 
correct algorithms support but that resulted in different messages.)
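As an added example (not the BIND or NetBSD code discussed in these threads), this is the check behind both the dnssec-dsfromkey output in the netbsd-8/sparc message above and the "no DNSKEY matching DS" error here: rebuilding the DS digest from a DNSKEY and comparing it with the parent's DS. The DNSKEY material in demo() is constructed; the DS lines it parses are the ones quoted in these messages.

```python
"""Rebuild a DS digest from a DNSKEY and compare it the way a validator does.

Added example, not code from BIND or NetBSD. Follows RFC 4034 section 5.1.4:
digest = hash(canonical owner name in wire format || DNSKEY RDATA), and the
key tag algorithm of RFC 4034 Appendix B. The DNSKEY used in demo() is a
constructed placeholder, not a real zone key.
"""
import hashlib
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384 (RFC 4034, 4509, 6605).
# A resolver built without one of these cannot match a DS of that type.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case labels, length-prefixed."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        data = label.encode("ascii")
        if len(data) > 63:
            raise ValueError("label too long")
        wire += bytes([len(data)]) + data
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non RSA/MD5 keys)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def build_ds(owner, rdata, digest_type):
    """Return (key_tag, algorithm, digest_type, digest) for a DNSKEY."""
    if digest_type not in DIGEST_TYPES:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches_key(owner, rdata, ds):
    """The validator's check: does this DNSKEY reproduce the parent's DS?

    ds is (key_tag, algorithm, digest_type, digest).  A False here for every
    key in the DNSKEY RRset is what named logs as "no DNSKEY matching DS".
    """
    tag, alg, dtype, digest = ds
    if rdata[3] != alg or key_tag(rdata) != tag:
        return False  # cheap pre-filter before hashing
    try:
        return build_ds(owner, rdata, dtype)[3] == digest
    except ValueError:
        return False  # digest type this resolver cannot compute


def parse_ds_line(line):
    """Parse a DS RR in presentation form, e.g. dnssec-dsfromkey output
    ". IN DS 20326 8 1 AE1E...".  Hex split over several words (as in
    dig +multiline output) is joined back together."""
    tokens = line.replace("(", " ").replace(")", " ").split()
    i = tokens.index("DS")
    tag, alg, dtype = (int(t) for t in tokens[i + 1:i + 4])
    return tokens[0], (tag, alg, dtype, bytes.fromhex("".join(tokens[i + 4:])))


def demo():
    """Constructed KSK (flags 257, protocol 3, ECDSA P-256 = alg 13) for
    example.test; returns the outcome of the DS checks."""
    rdata = dnskey_rdata(257, 3, 13, bytes(range(64)))  # fake key material
    good_ds = build_ds("example.test.", rdata, 2)
    tampered = rdata[:-1] + bytes([rdata[-1] ^ 0x01])  # one bit of key flipped
    return {
        "sha256_len": len(good_ds[3]),
        "sha384_len": len(build_ds("example.test.", rdata, 4)[3]),
        "match": ds_matches_key("example.test.", rdata, good_ds),
        "tampered": ds_matches_key("example.test.", tampered, good_ds),
        "case_insensitive": ds_matches_key("EXAMPLE.TEST.", rdata, good_ds),
        # digest type 3 (GOST) is not in DIGEST_TYPES: the key cannot be matched
        "unsupported": ds_matches_key("example.test.", rdata,
                                      good_ds[:2] + (3, good_ds[3])),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```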




Re: trouble resolving protonmail.ch, dnssec, seems netbsd-specific maybe

2020-03-19 Thread reed
On Thu, 19 Mar 2020, Greg Troxel wrote:

> I changed
> 
>dnssec-validation: auto
> 
> to
> 
>dnssec-validation: yes

Are you saying this fixed your problem?

> after finding this hint:
> 
> https://kb.isc.org/docs/aa-01547
> 
>   dnssec-validation yes; or dnssec-validation auto; (the former requires
>   manually-configured trust anchors using trusted-keys or managed-keys;
>   the latter will use BIND's built-in managed keys)
> 
> it seems that auto uses built-in keys, and yes uses the keys in
> keys/managed-keys.bind.

That is reverse of your quoted statement above.

> But, I wonder if our keys on the netbsd-8 branch need to be updated.

"auto" uses managed-keys and should update automatically to get the 
trusted keys. See the data pointed to by the bindkeys-file setting (like 
/etc/namedb/bind.keys or /etc/bind.keys). There could be a dynamic jnl 
file associated with it.  I can help analyze these files for you.

Try using: 
  rndc managed-keys status

"yes" would just use the keys you manually defined (with trusted-keys or 
your own managed-keys statement).

Maybe you disabled dnssec-validation since no extra config?

Do you have other dnssec validation problems for other domains?

Maybe problem is with that domain itself?  But a quick look at it and it 
appears to be good.


Re: Shared object "libintl.so.9" not found (but its there)

2020-03-11 Thread reed
On Wed, 11 Mar 2020, Jeffrey Walton wrote:

> $ ldd /usr/pkg/bin/git
> /usr/pkg/bin/git:
> -lpcre2-8.0 => /usr/pkg/lib/libpcre2-8.so.0
> -lpthread.1 => /usr/lib/libpthread.so.1
> -lc.12 => /usr/lib/libc.so.12
> -lz.1 => /usr/lib/libz.so.1
> -lintl.1 => /usr/lib/libintl.so.1
> 
> ldd says libintl.so.1 should be used.
> 
> I can't seem to get more information though:
> 
> $ LD_DEBUG=files git submodule --init
> Shared object "libintl.so.9" not found
> Shared object "libintl.so.9" not found
> Shared object "libintl.so.9" not found
> Shared object "libintl.so.9" not found

The "submodule" is a separate program.
You may want to look at /usr/pkg/libexec/git-core/git-submodule--helper
and
 ktrace -i git submodule --init
 kdump | less -plibintl
Maybe that will show what wants it.



Re: How do you set $PS1 on /bin/ksh

2020-01-25 Thread reed
In addition to the other recommendations,
don't have the PS1 prompt run commands every time the prompt is 
generated. For example, you don't need to run commands each prompt to 
figure out your username and hostname as likely they won't or cannot 
change in the same shell session. For example:

PS1='`whoami`$ '

vs.

PS1=`whoami`"$ "



commercial preinstalled NetBSD systems?

2020-01-18 Thread reed
The webpage at https://www.netbsd.org/gallery/preinstalled.html is out 
of date.  For United States, only one of the five companies appears to 
mention NetBSD.

If you have suggestions for updating the webpage please let me know.
(I will remove the ones that are defunct or appear to not support 
NetBSD.)  Thanks!

(I was searching for small systems with wifi ... any suggestions?)

Jeremy C. Reed

echo Ohl zl obbx uggc://errqzrqvn.arg/obbxf/csfrafr/ | \
 tr "Onoqrsuvxzabcefghl" "Babdefhikmnoprstuy"


Re: Why are all pkg* commands in man section 1?

2019-12-13 Thread reed
On Fri, 13 Dec 2019, Ottavio Caruso wrote:

> I wonder why they are all in section 1 of the manual pages and not in
> section 8, where one would expect them to be.

I think it is a mistake. I thought there was a PR (problem report) 
ticket for it.

I certainly reported it before.

Some others I found (years ago) which could be considered for section 8 
include:

altqstat.1 atf-cleanup.1 atf-format.1 bpm.1 daicctl.1 dtmfdecode.1 
ipftest.1 ipresend.1 ipsend.1 iptest.1 kimpersonate.1 lptest.1 mopchk.1 
mopcopy.1 mopprobe.1 moptrace.1 omshell.1 pkg_add.1 pkg_admin.1 
pkg_create.1 pkg_delete.1 pkg_info.1 postalias.1 postcat.1 postconf.1 
postdrop.1 postfix.1 postkick.1 postlock.1 postlog.1 postmap.1 
postmulti.1 postqueue.1 postsuper.1 screenblank.1 sendmail.1 sntp.1 
srtconfig.1 sup.1 


Re: Xs with WM or Desktop brakes? Clean installation.

2019-11-15 Thread reed
On Fri, 15 Nov 2019, lati...@vcn.bc.ca wrote:

> 1. the Xs breaks when i try to use WMs or Desktop Mate and XFCE4, and how
> to get out of Xs? Ctrl+Alt+Backspace does not work, pressing right button of
> the mouse+exit does not work, it stays forever.

For Ctrl+Alt+Backspace, maybe you need an xorg.conf with the DontZap option 
turned on. See the xorg.conf manual.

> 2. is there a simple form to start WMs or Desktops? i can not start Mate,
> and others WMs and Desktop?

I use ~/.xinitrc file

> 3. is there a simple command to delete all the packages (binaries),
> installed by hand? something like: # pkg_delete everything or pkgin delete
> everything? leaving only the NetBSD standard installation?

see
https://wiki.netbsd.org/pkgsrc/how_to_upgrade_packages/#index8h2
pkg_delete -Rr '*-*'
-or-
pkg_delete -ff '*-*'

or: rm -rf /usr/pkg (but loses configs and keeps stale metadata)






Re: Letsencrypt certificates

2019-10-22 Thread reed
> pkgsrc Masters, what's the story?

Because the package is used by other packages.
https://www.netbsd.org/docs/pkgsrc/creating.html#creating.python-module

Another reason is pkgsrc builder can choose to use different python 
version so potentially (for some packages) could have the software 
installed multiple times for different pythons.

But I do prefer in this case to just have package called "certbot" 
available.


Re: Letsencrypt certificates

2019-10-22 Thread reed
I realize I didn't answer your question. You shouldn't need to do all 
SIG(0) style with KEY record. Ignore that. Use the "key" in named.conf 
with allow-update or update-policy. 


Re: Letsencrypt certificates

2019-10-22 Thread reed
> I am trying to work out whether that means that the keyfile
> contents must be manually added to the zone file, because in
> named.conf I have an include line for update.key which contains the
> path to that key, so it should be there already.

Do you also have your zone configured to allow updates (with 
allow-update or update-policy)?

Make sure you can use nsupdate manually at the command line to update 
the zone without using acme.sh first.


Re: Write an install image to a flash drive?

2019-08-21 Thread reed
On Tue, 20 Aug 2019, Bob Bernstein wrote:

> I want to use a flash drive instead of a CD to upgrade from an 
> old 'current' to our latest. This is being done on an ancient 
> emachine amd64:

"ancient"

In my experience some old systems just won't boot from USB flash disks 
well. In some cases, I have had to try over five different flash disks 
until I found one that worked.

Did you get any error message or information before it reverted booting 
from your hard disk?


time consistently behind 6 seconds every day

2019-08-02 Thread reed
See these daily NTP offsets:

Jul 19 20:40:14 t1 ntpdate[16879]: step time server 23.239.26.89 offset 
6.039924 sec
Jul 20 20:40:14 t1 ntpdate[4698]: step time server 206.55.191.142 offset 
6.038794 sec
Jul 21 20:40:14 t1 ntpdate[22152]: step time server 69.89.207.99 offset 
6.036992 sec
Jul 22 20:40:14 t1 ntpdate[20684]: step time server 96.42.83.78 offset 
6.039788 sec
Jul 23 20:40:15 t1 ntpdate[27466]: step time server 96.235.18.130 offset 
6.036430 sec
Jul 24 20:40:14 t1 ntpdate[908]: step time server 198.46.248.36 offset 
6.039517 sec

That is from a daily cron job running ntpdate.

I know I can run ntpd to keep in sync and I will probably do that on 
this system.

But are there any NetBSD tunings that I should consider to also make 
sure its system better keeps track of time?

NetBSD 8.0 amd64. Please let me know about any sysctls or dmesg output 
or other diagnostic info that may be useful.

Thanks!

  Jeremy C. Reed

p.s. I noticed this because I flagged a DNS RRSIG Inception time in the 
future by 6 seconds off. I checked and I was off by 5.717946 and fixed a 
moment later and I was off by 5.726703. Still I think the other system 
was at least a fraction of a second fast since was serving very new 
signature.

echo 'EhZ[h ^jjf0%%h[[Zc[Z_W$d[j%Xeeai%ZW[ced#]dk#f[d]k_d%' | \
  tr'#-~''\-.-{'
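As an added example (not from the original post), this measures the clock offset from the ntpdate lines quoted above and shows the failure mode mentioned in the p.s.: a validator whose clock lags by about six seconds sees a freshly generated RRSIG as having an inception time in the future. The log lines are re-typed as constructed sample input; the RRSIG times are constructed.

```python
"""Measure a systematic clock offset from ntpdate log lines and show why a
lagging clock makes a freshly made RRSIG look "not yet valid".

Added example, not from the original post.  SAMPLE_LOG re-types the six
ntpdate lines quoted in the message (each joined onto one line); the RRSIG
times in demo() are constructed.
"""
import re

NTPDATE_RE = re.compile(
    r"ntpdate\[\d+\]: step time server (\S+) offset (-?\d+\.\d+) sec")

SAMPLE_LOG = """\
Jul 19 20:40:14 t1 ntpdate[16879]: step time server 23.239.26.89 offset 6.039924 sec
Jul 20 20:40:14 t1 ntpdate[4698]: step time server 206.55.191.142 offset 6.038794 sec
Jul 21 20:40:14 t1 ntpdate[22152]: step time server 69.89.207.99 offset 6.036992 sec
Jul 22 20:40:14 t1 ntpdate[20684]: step time server 96.42.83.78 offset 6.039788 sec
Jul 23 20:40:15 t1 ntpdate[27466]: step time server 96.235.18.130 offset 6.036430 sec
Jul 24 20:40:14 t1 ntpdate[908]: step time server 198.46.248.36 offset 6.039517 sec
"""


def parse_offsets(log_text):
    """Return [(server, offset_seconds), ...] from ntpdate 'step' lines."""
    found = []
    for line in log_text.splitlines():
        m = NTPDATE_RE.search(line)
        if m:
            found.append((m.group(1), float(m.group(2))))
    return found


def drift_summary(offsets):
    """Mean offset and spread; a large mean with a tiny spread, confirmed by
    several different servers, is the local clock drifting, not jitter."""
    vals = [o for _, o in offsets]
    mean = sum(vals) / len(vals)
    spread = max(vals) - min(vals)
    distinct_servers = len(set(s for s, _ in offsets))
    return {"samples": len(vals), "mean": mean, "spread": spread,
            "systematic": abs(mean) > 1.0 and spread < 0.1
            and distinct_servers > 1}


def serial_le(a, b):
    """RFC 1982 serial-number 'a <= b' on the 32-bit RRSIG time fields."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return a == b or (a < b and b - a < 2 ** 31) or (a > b and a - b > 2 ** 31)


def rrsig_time_valid(inception, expiration, now):
    """RFC 4035 5.3.1: inception <= now <= expiration (serial arithmetic)."""
    return serial_le(inception, now) and serial_le(now, expiration)


def demo():
    """A signer creates an RRSIG at its current time; a validator whose clock
    is behind by the measured offset rejects it until the offset has elapsed."""
    offset = drift_summary(parse_offsets(SAMPLE_LOG))["mean"]
    signed_at = 1564000000  # constructed signer time (July 2019)
    inception, expiration = signed_at, signed_at + 14 * 86400
    validator_now = signed_at - int(round(offset))  # clock ~6 s behind
    return {
        "offset": offset,
        "rejected_when_behind": not rrsig_time_valid(inception, expiration,
                                                     validator_now),
        "accepted_when_synced": rrsig_time_valid(inception, expiration,
                                                 signed_at),
    }


if __name__ == "__main__":
    print(drift_summary(parse_offsets(SAMPLE_LOG)))
    print(demo())
```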



Re: max users

2019-04-27 Thread reed
On Sat, 27 Apr 2019, JP wrote:

> is there a maximum number of users that can be logged in at a given time?

config(5) says there is no such limit.

Linux has a pam way using limits.conf. FreeBSD could use inetd to spawn 
sshd with an inetd.conf "max-child" option. I don't know of an existing 
NetBSD way for ssh logins. Ideas could be: add some PAM feature to 
record logins and honoring it; or add a "max-child" option to inetd and 
use it to spawn sshd. But why the limit? Explain your use case and 
maybe we can provide a different solution.


change console font size to larger 80x24

2019-04-06 Thread reed
Using evbarm on pinebook (NetBSD current as of yesterday).

The font size is too small.

I enabled additional virtual consoles in /etc/ttys

wsconscfg -t 80x24 2
results in:
screen 2 is already configured

I remove with
wsconscfg -dF 2

Then
wsconscfg -t 80x24 2
results in
wsconscfg: WSDISPLAYIO_ADDSCREEN: Device not configured

Try 
wsconscfg -t 80x24 2 -e vt100 2
and
wsconscfg -e vt100 -t 80x24 2
both get Device not configured

wsconscfg -e vt100
has no error
but then
wsconscfg -t 80x24 2
results in: screen 2 is already configured

I also tried setting 80x24 in /etc/wscons.conf and reboot but nothing
noticeable.

Tried with different screens and with 80x25.
Luckily startx works and then I can use xterm as Huge but even that is
too small.

Any hints with wsconscfg?

I couldn't see to setup wireless :)

Other options may be to have a custom kernel (but doesn't help
when cannot see to get that far :)
Or boot.cfg menu. Any hints?

Thanks



Re: Install kernel and userland without source?

2019-02-09 Thread reed
On Sat, 9 Feb 2019, J. Lewis Muir wrote:

>   https://mail-index.netbsd.org/netbsd-help/2008/03/04/msg89.html
>   https://mail-index.netbsd.org/netbsd-help/2008/03/04/msg90.html
> 
> but that's for upgrading from NetBSD 3.1 to 4, so I'm not confident that
> it applies to NetBSD 8.

That should work.


choosing a lightweight database

2019-01-15 Thread reed
Any recommendations on a lightweight database (no extra server process) 
to use with dynamic website?

It is not a lot of data. Currently stored in ~1000 flat files (all 
stored in git) and could easily be converted to JSON or XML for readable 
text store. Each file ranges between 7 and 184 unique (per file) values.
When done maybe I will have around 10,000 keys and 500,000 attributes 
like:

1342-rolley-lake-provincial-park flush-toilet=yes
1342-rolley-lake-provincial-park drinking-water=yes
1342-rolley-lake-provincial-park drive-up-camping=yes
1342-rolley-lake-provincial-park showers=yes
1342-rolley-lake-provincial-park hiking=yes
1342-rolley-lake-provincial-park hiking-notes="Lakeside Loop is a 40 minute 
hike."
1342-rolley-lake-provincial-park state="British Columbia"
1342-rolley-lake-provincial-park country=ca

1-cedar-ridge-scenic-overlook-dinosaur-valley-state-park flush-toilet=no
1-cedar-ridge-scenic-overlook-dinosaur-valley-state-park drinking-water=no
1-cedar-ridge-scenic-overlook-dinosaur-valley-state-park drive-up-camping=no
1-cedar-ridge-scenic-overlook-dinosaur-valley-state-park showers=no
1-cedar-ridge-scenic-overlook-dinosaur-valley-state-park firepit=no
1-cedar-ridge-scenic-overlook-dinosaur-valley-state-park firepit-notes="Ground 
fires are prohibited; use backpacking stove."
1-cedar-ridge-scenic-overlook-dinosaur-valley-state-park country=usa
1-cedar-ridge-scenic-overlook-dinosaur-valley-state-park state=tx

Around 200 attributes, but not all for each.

Also I have key/values like
 FOO-notes="for supplementing text for FOO"
And description and direction fields with sentences.

The values may be free form text, numbers, boolean yes/no (some values 
are links to other files).

I generate static webpages easily from this (and can dynamically 
generate webpages easily).

Storing this in Berkeley DB would be easy.

But I want an easy way to search everything like:

country=ca
province=alberta
elevation>=1524 meters
cost<=5

or keyword searches against description fields.

Any thoughts on lightweight no database server ideas? I may just use 
sqlite. Minimal dependencies would be great.

Thanks




Re: /var on tmpfs

2018-11-16 Thread Jeremy C. Reed
On Thu, 15 Nov 2018, Don NetBSD wrote:

> I've a box with a DoM.  I'd like to mount / as ro and create a
> tmpfs for /var (and /tmp).  I don't think anything else NEEDS to
> be rw (the infrequent changes to /etc can be made by unlocking /
> to make those changes).
> 
> I imagine I can just make a tarball of a skeletal /var and
> unpack this over /var, once mounted?
> 
> Is there a preexisting mechanism for this sort of thing?
> Or, do I roll my own?

Have a look at the /etc/mtree/ specifications. Many /var/ entries in 
there.  You could use it to create your own spec file for your required 
files and directories with correct ownership and permissions and then 
run mtree to generate them.

Or (looking at my notes from 2002), I used a /var.copy directory 
pre-populated as needed and after the /var was mounted and "cp -R -p 
/var.copy/* /var" into it.



what wireless network adapters?

2018-10-30 Thread Jeremy C. Reed
What are the best wireless network adapters supported by NetBSD?

I want to replace my provider's wifi router with a NetBSD solution.

I don't see these supported, but anything comparable to 
Qualcomm Atheros QCA9980 or Broadcom BCM4366?


Re: Quick BIND question

2018-09-06 Thread Jeremy C. Reed
I see you already found a newer version. Nearly all the many 
vulnerabilities it has had over the past decade don't provide privileged 
access nor compromise the system beyond just crashing named. Maybe some 
of your clients can be prompted to query your named for known queries 
that can crash it. In some cases it can be trivial.

echo "qvt -p punbf -g gkg nhgubef.ovaq @fson.faf-co.vfp.bet.|terc Errq" |\
 tr "Enopqrstuvabcefghk" "Rabcdefghinoprstux"


Re: howto request a new package?

2018-06-09 Thread Jeremy C. Reed
On Sat, 9 Jun 2018, Kathe wrote:

> is there any process for requesting a new package?
> actually it's just a modification of an existing
> package, just that netbsd isn't running on my
> machine yet, and even if it did, i just don't
> know how to create a new package from scratch.
> thanks.

Kindly ask on the pkgsrc-users list.

You may be able to test out the pkgsrc on a non-NetBSD system too.

Docs for creating a package from an existing specification are at
https://www.netbsd.org/docs/pkgsrc/binary.html

Creating from scratch is at
https://www.netbsd.org/docs/pkgsrc/creating.html

You mention it is just a modification. Maybe email about what package 
you want updated and what the modification is about.


emulation for 32 bit big endian?

2018-05-24 Thread Jeremy C. Reed
What is the quickest and easiest NetBSD to install that is 32 bit and 
big endian using an emulator? I need a working network in the virtual 
system too or an easy way to copy files to its virtual disk.

For example, I fetched kernel and iso and tried:

$ qemu-system-mips -hda netbsd.evbmips.disk -kernel netbsd-INSTALL_MALTA -cdrom 
NetBSD-8.0_RC1-evbmips-mipseb.iso  -nographic
MIPS32/64 params: cpu arch: 128
MIPS32/64 params: TLB entries: 16
MIPS32/64 params: Icache: line=16, total=2048, ways=2, sets=64, colors=0
MIPS32/64 params: Dcache: line=16, total=2048, ways=2, sets=64, colors=0
cpu_arch 0x80: not supported

And it just hangs there using 99% cpu on a Linux host. I cannot find 
installation docs for that example.

I have okay experience with qemu with i386 but want to try others. I 
have also used simh-vax (but wrong endian) and tme with sun4 (not sure 
if was 32 bit).

Any advice or pointers would be appreciated.


Re: bozohttpd

2018-03-01 Thread Jeremy C. Reed
On Thu, 1 Mar 2018, Jeremy C. Reed wrote:

> The -s works when not using -b
> 
> With -s and -b the debugging is lost.
> 
> I see it uses daemon(3)
> to redirect standard error to /dev/null

-f -b -s  combination works for me


Re: bozohttpd

2018-03-01 Thread Jeremy C. Reed
The -s works when not using -b

With -s and -b the debugging is lost.

I see it uses daemon(3)
to redirect standard error to /dev/null


Re: package upgrade strategy

2017-09-28 Thread Jeremy C. Reed
On Thu, 28 Sep 2017, r0ller wrote:

> By the way, what kind of difference is indicated by the number in the 
> 'nb' suffix?

Means the original code (upstream source) was not changed. The nb means 
we may be building or installing it differently (like due to a new 
patch, new build option, or a dependency change, for example).

> Another question would be if it's possible to keep different 
> versions of a package installed? I know in case of shared libs it may 
> be tricky because of the symlinks but the runtime linker is not 
> looking for the symlink I hope but the versioned soname, right? Any 
> hints are welcome!

Well if you build your own from pkgsrc, you can use a different 
PKG_DBDIR and LOCALBASE. (Maybe bootstrap it with different settings.)
But then you have an additional install to manage and lots of resources
potentially wasted.

(Sorry you had a package disappear.)


Re: xsane and root permissions

2017-06-15 Thread Jeremy C. Reed
On Thu, 15 Jun 2017, BERTRAND Joël wrote:

>   OK. I have found the mistake. ss0, nss0 _and_ enss0 are used by 
> sane. With 660 permissions on these devices, xsane runs as expected 
> and without root permissions.

Glad it works. Often you can use ktrace to run a tool and then after run 
"kdump | less" to see the output to learn about the problem such as a 
"Operation not permitted" or "Permission denied". Then related lines 
(like CALL and NAMI) could show you what it is trying to do and what 
device files.


Re: bind reacts badly to dhcpcd losing/regaining connectivity

2017-04-14 Thread Jeremy C. Reed
On Sat, 15 Apr 2017, Rhialto wrote:

> and these errors about re1 (my external interface) kept going all the
> time. When I noticed them and restarted named, they went away.
> 
> Why does named not succeed in using the interface when it gets an
> address again? What to do about it? I noticed partly because my dns data
> seemed to have dropped out of caching name servers elsewhere.

See the BIND docs about automatic-interface-scan (enabled by default) 
and interface-interval (defaults to 60 minutes).

echo uggc://errqzrqvn.arg/obbxf/ovaq-qaf/ | \
 tr "noqruvxzabcefg" "abdehikmnoprst"


Re: old i386 3.1 packages or upgrading with KVM

2017-03-14 Thread Jeremy C. Reed
Thank you all for the responses (even off-list).  Sorry I wasn't very 
clear and my subject line was wrong. This is upgrading WITHOUT KVM and I 
have no console access to this remote server.


Re: old i386 3.1 packages or upgrading with KVM

2017-03-14 Thread Jeremy C. Reed
On Tue, 14 Mar 2017, Jeff_W wrote:

> "Jeremy C. Reed" <r...@reedmedia.net> wrote:
> 
> > Does anyone know where I can find old 3.1 packages for i386?
> >
> > I cannot find old source distfiles for using old pkgsrc.
> > ..
> 
> If binaries are okay there is this:
> 
> ftp://ftp.NetBSD.org/pub/NetBSD-archive/NetBSD-3.1/iso/i386pkg-3.1.iso

Thanks Jeff. I should have mentioned that I saw that, but it has a 
limited set of packages. But I may try it to fill in (until I can get 
the system upgraded).


old i386 3.1 packages or upgrading with KVM

2017-03-14 Thread Jeremy C. Reed
Does anyone know where I can find old 3.1 packages for i386?

I cannot find old source distfiles for using old pkgsrc.

I am working on an old system that the hosting provider only has a 
Windows-based KVM.  I am concerned upgrading it headless. I know our 
upgrade docs have tips of upgrade issues, and I could attempt upgrading 
3 to 4, 4 to 5, 5 to 6, 6 to 7. But I'd rather not spend days on this. 
Anyone have any suggestions?

Maybe easiest is to just install a new system and migrate data and 
configs over to it.


Re: window managers

2016-04-28 Thread Jeremy C. Reed
On Thu, 28 Apr 2016, Steve Blinkhorn wrote:

> Can anyone suggest a good way forward with X11 window managers using
> X11R7 (I'm in the process of moving to amd64 7.0).   For many years I
> have used IceWM, but the pkgsrc binary  fails with symbol _XGetRequest
> not found in libXext.so.7.  If I compile from source I get a segfault.
> 
> The pkgsrc mwm binary fails in the same way.   But twm works (does
> anyone actually use twm these days?).

Sounds like you may have a mix of X11 packages built using different 
dependencies (maybe built on different systems). It also sounds like you 
may have multiple X11 libraries installed that are incompatible.


Re: Silly shell question

2016-03-22 Thread Jeremy C. Reed
On Tue, 22 Mar 2016, Swift Griggs wrote:

> On Tue, 22 Mar 2016, Johnny Billquist wrote:
> > Only environment variables are propagated to child processes.
> 
> Thanks for the info, but do you happen to know what the actual 
> mechanism that the child processes is able to "import" the exported 
> variable ? Ie.. is it some special OS glue/magic, or is it just 
> straight getenv() calls by the client shell/app ?

Yes just use getenv. See the manpage. I wouldn't call it a "client" but 
either a child or replacement.

> I don't see anything magical in the man page for getenv() that would 
> distinguish an exported versus non-exported variable.

The concept doesn't exist at that level. Have a look at the execve 
manpage.  Also have a look at the src/bin/sh source too:

execcmd in eval.c
environment in var.c
tryexec in exec.c


Re: Silly shell question

2016-03-22 Thread Jeremy C. Reed

Some ideas to add to your research:

echo $FOO
FOO=def
ksh
echo $FOO
exit
> # FOO=abc
> # export FOO
> # ksh
> # echo $FOO
> abc
> # exit
> # FOO=123
> # ksh
> # echo $FOO
> 123
> # exit
ksh
echo $FOO
unset FOO
echo $FOO
exit
echo $FOO
unset FOO
echo $FOO
ksh
echo $FOO
exit



Re: Ancient BSD's Licensing & Trademarks when porting and/or forking V7 and/ or 2.x - 4.x BSD's

2016-02-09 Thread Jeremy C. Reed
Have a look here:
http://wiki.tuhs.org/doku.php?id=events:free_licenses
In particular note that in 2002 the copyright owner made the old V7 code 
and 32V Unix code available as open source with a BSD-like license.

While 3BSD was derived from 32V, it also included a lot of other code 
that was copyright separately (or simply ownership details were lost). 
You can not assume the 2002 license applies to the non-32V code.

3BSD was not under any type of open source BSD license. It was 
proprietary code. A decade later huge portions were rewritten or 
relicensed using the then new BSD licensing. (There were multiple 
revisions of the BSD license even back then.) So in other words, it 
would be difficult and possibly wrong to use 3BSD using a current BSD 
license. They don't match up. Then again, it probably doesn't matter.

By the way, I am curious, why 3BSD? (3BSD doesn't have IP/TCP for 
example and has very limited supported hardware.) There are somewhat 
maintained continuations or forks for 2.11BSD and 4.3BSD-Tahoe (like 
"Quasijarus").

(Someday, hopefully soon, I will finish my lengthy book all about this.)


Re: Ancient BSD's Licensing & Trademarks when porting and/or forking V7 and/ or 2.x - 4.x BSD's

2016-02-09 Thread Jeremy C. Reed
On Wed, 10 Feb 2016, Martin wrote:

> Of course that is not what I was trying to suggest. Perhaps I should 
> have made it more clear but I am not trying to void the original 
> licence in any way shape or form. I am asking because I do not want 
> to. Though Lyndon you have answered my question. That a project 
> released under a BSD-style Licence cannot change to a later license 
> version when releasing a derivative of said project. Unlike the GPL 
> licence which if the original work was released under GPL v1 a 
> derivative could be released under GPL v2 or 3.

See 
ftp://ftp.cs.berkeley.edu/ucb/4bsd/README.Impt.License.Change

This is an example where the old code could change to the later license.
(And many others who used the similar license later also agreed to 
remove that advertising clause too.)

In your other email you asked about 2.11BSD. The 2BSD series wasn't 
officially maintained by the CSRG. While it includes a lot of software 
from CSRG's 4.3BSD (and later), many of the licenses weren't updated and 
many of the proprietary files weren't replaced with open source files, 
For example, some code refers to the non-open source "Berkeley software 
License Agreement" and many have no license statement at all.

It would be an interesting exercise to compare all 2.11BSD + patch 
release code with the now-open 6th, 32V, and 7th editions to see 
document their lineage and state a license for them. Then do the same of 
the BSD code (for example various code was open sourced in the later 4.3 
Networking releases). (We will make assumption that changes to same code 
files were under the original license and will accept that they are 
under new license today. Even if substantial changes, nobody, I assume, 
will complain today.) There will also be many files unrelated to 32V and 
unrelated to the 4.3BSD family which the lineage will be hard to know.  
That said I personally wouldn't care about it, since many have been 
reusing and redistributing this unofficial project code for decades now. 
(Just so it is clear -- 4.3/4.4 and 2.11 are very different systems and 
4.4 as we know it wasn't derived from original 2BSD -- which wasn't even 
an operating system.)


Re: texlive xelatex not working [ Was fontconfig : .so.2 not provided by 2.11.1?]

2016-01-22 Thread Jeremy C. Reed
I may have missed something in the previous thread or in this thread... 
but what feature are you missing?

I don't know the answer whether the full TeX Live distribution is available in 
pkgsrc, but I have used pkgsrc for my LaTeX related work every week for 
over a decade. I have generated many documents (including books for 
print) and it has provided what I needed. I use lots of custom 
features (beyond the default installation), like:

tex-tocbibind
tex-cite
tex-microtype
tex-everypage
tex-draftwatermark
tex-lineno
tex-tocloft

Maybe someone can help you get the needed parts installed without 
having the full texlive.


[no subject]

2015-11-25 Thread Jeremy C. Reed
At Wed, 25 Nov 2015 10:00:00 + (UTC) I had a cron job run:

for tz in America/Los_Angeles America/Chicago America/New_York \
Asia/Tokyo Europe/Berlin ; do
TZ=$tz date -d "Wednesday 22:00utc" +"%A %B %d %I:%M %p %z %Z ${tz}"  ; 
done

This resulted in:

Wednesday November 25 12:00 PM -0800 PST America/Los_Angeles
Wednesday November 25 02:00 PM -0600 CST America/Chicago
Wednesday November 25 03:00 PM -0500 EST America/New_York
Wednesday December 02 05:00 AM +0900 JST Asia/Tokyo
Wednesday November 25 09:00 PM +0100 CET Europe/Berlin


Notice the December 02 above.

An easy workaround is to also add today's date to the -d parsedate 
string above.

Is this expected behavior? Undefined? A bug?


man pages for section 5 config files with useless SYNOPSIS

2015-11-10 Thread Jeremy C. Reed
I noticed some section 5 file format man pages for a configuration file 
have a SYNOPSIS, but most do not.

For example, /usr/src/share/man/man5/passwd.conf.5 has
.Sh SYNOPSIS
.Nm

Well it is in the basic template.

mdoc(7) says SYNOPSIS is mandatory and that .Nm is required for section 
5. But also it says the SYNOPSIS describes typical usage for config(1) 
kernel compilation declaration, #include header, function types and 
arguments, variables types, or command line arguments.

Why is it considered mandatory? I think it is noise like in the example above.

Can we change this rule? Can we remove it from some files like the 
following?
exports
gettytab
login.conf
mixerctl.conf
passwd.conf
printcap
rc (has multiple parts)
usermgmt.conf
wscons.conf
(maybe others too, but not very many)

By the way, maybe the better way is like netconfig.5:
.Sh SYNOPSIS
.Pa /etc/netconfig

So if you prefer not removing from above, but use .Pa instead with 
pathname, let me know.

But the majority don't have it. (I am not listing them out here now.)

Here is the example that made me notice today:

t1:arm$ man rndc.conf | head -13 
man: Formatting manual page...
RNDC.CONF(5) BIND9RNDC.CONF(5)



NAME
   rndc.conf - rndc configuration file

SYNOPSIS
   rndc.conf


DESCRIPTION
   rndc.conf is the configuration file for rndc, the BIND 9 name server



Re: How do I start mixerctl as first daemon?

2015-09-28 Thread Jeremy C. Reed
On Mon, 28 Sep 2015, Ottavio Caruso wrote:

> Can I alter the init sequence to make mixerctl start as first daemon?

See the special tags at the top of the rc.d scripts, like PROVIDE, 
REQUIRE, KEYWORD, and BEFORE.

Try adding a # BEFORE: line in the mixerctl rc.d script, for example:

# BEFORE:  DAEMON

Look at output from:

  rcorder /etc/rc.d/*

Adjust BEFORE to get mixerctl to happen earlier.

(Look at other rc.d scripts to get some ideas.)


Re: NetBSD website man pages down

2015-09-15 Thread Jeremy C. Reed
The admin said that after a power outage, a hypervisor couldn't be 
brought up and on-site remote-hands were unable to revive it either.
As of yesterday, an estimate of when it will be restored was unknown.
I will email admins about it too. Sorry for the inconvenience.


Re: greylisting multiple mail servers, greylisting with SPF, challenge response

2015-08-28 Thread Jeremy C. Reed
On Thu, 27 Aug 2015, Matthias Scheler wrote:

> > I workaround these by adding individual IPs or blocks to my pf rules to 
> > bypass the spamd (so goes direct to mail server).
> 
> It sounds like you need a better greylisting software. I would recommend
> milter-greylist which works with Sendmail and Postfix.

Thanks. I installed it from pkgsrc and it appears to be working fine. 

> It makes whitelisting e.g. Microsoft's outlook.com very easy:
> 
>   #   Outlook.com
>   racl whitelist domain .outbound.protection.outlook.com

I am hoping I don't have to do that (in this case using spf).

> > I can automate updating the pf whitelist table from DNS SPF records, but 
> > that doesn't help with unknown senders.
> 
> Not sure what you mean by that. But milter-greylist has builtin
> SPF support.

I built the package with
 PKG_OPTIONS.milter-greylist=dnsrbl p0f postfix-milter spamassassin spf
(the default I changed from sendmail-milter to postfix-milter)

Thanks for pointing me to milter-greylist (and thank you manu@).

I have a few comments about it (maybe later I will discuss at their 
list):

1) user smmsp was the default and it appeared to work. I changed to 
user postfix though.

2) lots of logging with milter-greylist: (unknown id). I looked at 
source code and it appears that maybe this is because postfix doesn't 
have queueid. I am not sure if this matters, but maybe it could have a 
friendlier log output (maybe generic postfix-queue)?

3) changed default dumpfreq from 1 to 60. There are warnings in the docs about 
dumping too frequently, so it seems like the one second default is too frequent. I 
don't know.

4)  changed global setting to greylist for 15 minutes instead 
of 30: greylist 15m

It has been long time since I researched, but some common servers used 
to retry to me like: 
1 minute, then 3 minutes, then 9 minutes, then 27 minutes, then 60 
minutes. So if default retry greylisting is 30 minutes, I may need to 
wait 60 minutes. (I haven't analyzed the timing recently.)

5) changed global setting to keep whitelisted for 10 days 
instead of 1: autowhite 10d

I used to use 36 days. 10d has no meaning to me, but the default 1 day 
seems much too short.

6) changed how long greylist tuples are retained instead of 
default 5d: timeout 6d

I cannot remember why, but I think I saw some mail servers not retry 
until after 5 days. Something broken maybe but allow another day to try.

7) I used a few DNSRBLs and then greylist them with delay of 6h (instead 
of 15 minutes as custom defined above). If they are in a DNSRBL, I don't 
block here. I think this means that later they can get through. The 
postfix also used the reject_rbl_client for same. Maybe by delaying some 
will make it that other DNSRBL lists also contain the IP. As an example:

dnsrbl SORBS DUN dnsbl.sorbs.net 127.0.0.10
racl greylist dnsrbl SORBS DUN delay 6h

8) I had a bunch of spamtraps that before were used to tarpit smtp 
connections with very slow conversations. So if the email is sent to, 
that sending IP was tarpitted. Now I have:

racl blacklist rcpt paytonbarlenequ...@bsdnewsletter.com flushaddr
(and several others)

I confirmed that when this RCPT TO: is sent, it gets denied Go away! 
and then the previously open IP is not back in Greylisting in action.
This may be a better solution than I had before as I found that some 
legitimate sending servers also mailed to my spamtraps. This new 
solution will allow them back in via greylisting (as long as they don't 
keep sending to my spamtraps).

9) Later I saw logs about postfix/smtp rejecting some emails to my 
spamtraps due to DNSRBL and I was confused why weren't logging about 
blacklisted. I assume the postfix order was to do the 
smtpd_client_restrictions before my milter was used.  So this means that 
DNSRBL blocked spamtraps won't flush my milter-greylist whitelist 
entries. I guess this is fine -- if later the DNSRBL delists the IP then 
I can feel fine with greylist delay going from my configured 6 hours 
down to my 15 minutes.

10) The tarpit feature is not documented in man pages. The README 
actually confused me and I still don't understand. But anyways, it 
didn't work for me: 
libmilter = 8.14 is required for tarpit
For now my spamtrap solution above seems fine.  But I would like to 
consider the idea to slow down conversations to waste their time and 
potentially help others.

11) My previous setup added IPs to my spamtrap tarpit if they first 
communicated with a different MX that wasn't the first. I sometimes 
wonder if that is dangerous as maybe some network problem caused the 
first connection to highest priority MX was lost so it fell back 
correctly to another MX.

12) When I first enabled (prior to any DNSRBL) I got a bunch of spam 
allowed (SPF-compliant, bypassing greylist). I saw that the spammers had 
correct SPF DNS TXT records. I think maybe it would be useful to 
greylist the sender at least one time even if SPF matched.  So maybe the 
tuple wouldn't just record the IP (since 

Re: pkgin giving download mismatch

2015-08-27 Thread Jeremy C. Reed
Maybe on download server side the pkg_summary(5) available database 
doesn't match the actual download package.


greylisting multiple mail servers, greylisting with SPF, challenge response

2015-08-27 Thread Jeremy C. Reed
I am curious if any of you still use greylisting?

I have been using spamd for around a decade. Using greylisting helps me 
block around 94.5% of spam senders. But over the past few months it has 
become too difficult to manage. The main reason is that a lot of mail is 
being retried by too many mail servers. For example, from many servers 
under outbound.protection.outlook.com, bullet.mail.*.yahoo.com, 
mail-*.google.com, etc.  Greylisting just is not working because the 
tuplet is never (rarely) reused (i.e. different sending IP).

I workaround these by adding individual IPs or blocks to my pf rules to 
bypass the spamd (so goes direct to mail server). Some I gathered 
manually from parsing spamdb database and others from DNS SPF records. I 
also script getting some known servers also via SPF and add to a pf 
whitelist (to bypass spamd and go direct to mail server). I 
can automate updating the pf whitelist table from DNS SPF records, but 
that doesn't help with unknown senders.

I could try to make some script to attempt to look at spamdb greylist 
database to see if there is any others I should whitelist. An example of 
that is Yahoo. It doesn't have ranges defined in SPF but uses SPF's PTR.

I could use a different greylister that has SPF checks builtin. I 
understand that this is not the purpose of SPF, especially since 
spammers can use correct SPF and then bypass my greylisting.
I could do SPF check and still greylist first time to stop or punish 
some spammers (and legitimate mailers) at least one time by making them 
try again later.

Does anyone know of any research about what percentage of spammers use 
their own domains that have good SPF? (Maybe I can analyze my own 
collection.)

Or maybe I can extend or use a greylister that uses the network for the 
tuplet instead of a specific IP (but network would just be a guess). Or maybe 
the greylister uses the networks/IPs from the SPF (including its ptr 
support) for greylisting.

Now a problem I have with the many IPs and networks I already whitelist 
is that I get spam from them too. (For example I get spam from 
outbound.protection.outlook.com.)

In addition, I tarpit/blackhole IPs that send mail direct to some of my 
spamtrap email addresses.  This ends up tarpitting the same IPs that I 
receive legitimate email from. (Yes spam coming from legitimate 
servers!)

I also trapped IPs for trying last MX first but maybe that is bad idea 
and maybe I end up blocking legitimate senders. My research had shown 
this blocks approximately 59% of unknown senders. 

Currently my tarpit database has 1.14 times more IPs than my whitelist. 
(For a long time, it was only around 6 to 12% the size, but now more and 
more are tarpitted.)

Do you use greylisting? Spamtraps? SPF to create whitelists?

I still want to enable a challenge response system, but we need 
protocols to be created/extended so mail senders can understand that 
they are being challenged and require a response (so they can provide a 
friendly and understandable method for senders to verify, which may be 
like a sender using a micropayment, etc.).  Any of you using 
challenge-response to limit spam?

  Jeremy C. Reed

p.s. I noticed my spamd greylist database has 698631 entries in it. It 
doesn't seem to be cleaning up very quickly.


Re: Where to install user stuff

2015-07-16 Thread Jeremy C. Reed
On Thu, 16 Jul 2015, Greg Troxel wrote:

> > On various SGI, Linux & FreeBSD boxen, I have always installed
> > in-house software under /usr/local.  I notice no such directory on my
> > NetBSD 6.1.5 box. I did notice that pkg_add installed sudo under
> > /usr/pkg. Is that the recommended/standard/canonical place to install
> > user software under NetBSD ? I'd like to keep everything as tidy & 
> > buttoned-down as possible :-). TIA & have a good one.
> 
> /usr/local is reserved for bits managed locally per system.  Hence
> pkgsrc does not use it.  My view is that because pkgsrc manages
> /usr/pkg, you should not hand install anything in /usr/pkg.  So if you
> build something not with pkgsrc, /usr/local is a fine place for it.

To add to Jeff's and Greg's responses ... commonly most open source 
software defaults to /usr/local for installations. So if you download 
some source and use their default recipes to install, commonly they will 
end up in /usr/local/.

(As an example the default autoconf m4 macros contain 
ac_default_prefix=/usr/local which ends up in the default ./configure 
scripts.)

If you mix and match, the package system may get some incompatibilities 
or when you try to clean up you may lose some dependencies, for example.

And yes, /usr/pkg/ is the standard place to install packages on NetBSD. 
Even the default configurations for executable search paths and man 
pages include directories under /usr/pkg/.

> But really if you need something, and it's not in pkgsrc, the best thing
> is to add it to pkgsrc.

That's what I try to do ... hundreds of times :)
The first times add extra time and difficulty, but later cleanup or 
reinstalls (or installs on others systems) it saves lots of time. And 
when it hits pkgsrc officially it helps others too.


Re: Bind ending up in Parked state.

2015-03-12 Thread Jeremy C. Reed
On Tue, 10 Mar 2015, Christos Zoulas wrote:

> Still I would like to know what is taking all this time... ktrace it
> and then kdump -R to display relative timestamps.

I also have bind 9.10.2 on NetBSD/amd64 6.1.3 in

20117 jreed 430  1394M 1296M parked/0   0:52  0.00%  0.00% named

That is after doing a kill of the pid and named logged:

10-Mar-2015 19:17:44.544 no longer listening on ::1#5300
10-Mar-2015 19:17:44.559 exiting

I send ABRT to it and then gdb bt

Core was generated by `named'.
Program terminated with signal 6, Aborted.
#0  0x7f7ff6a3964a in _sys___kevent50 () from /usr/lib/libc.so.12
(gdb) bt
#0  0x7f7ff6a3964a in _sys___kevent50 () from /usr/lib/libc.so.12
#1  0x7f7ff6e06ed3 in __kevent50 () from /usr/lib/libpthread.so.1
#2  0x005e7284 in watcher (uap=0x7f7ff7b29000) at socket.c:4190
#3  0x7f7ff6e0b2ce in ?? () from /usr/lib/libpthread.so.1
#4  0x7f7ff6a75d80 in ___lwp_park50 () from /usr/lib/libc.so.12

I ran it again with ktrace, sent term signal to it, and it logged exit 
and hung. End of kdump -R showed

  1564  3 named-1.96396 RET   _lwp_unpark_all 0
  1564  8 named0.07460 CALL  
_lwp_unpark_all(0x7f7ff2e8,3,0x7f7ff7b90090)
  1564  3 named0.02081 CALL  
___lwp_park50(0,0,0x7f7ff7b90090,0x7f7ff7b90090)
  1564  4 named-1.99409 CALL  
___lwp_park50(0,0,0x7f7ff7b90090,0x7f7ff7b90090)
  1564  7 named-1.94745 RET   ___lwp_park50 0
  1564  7 named0.09647 CALL  
___lwp_park50(0,0,0x7f7ff7b90090,0x7f7ff7b90090)
  1564  8 named0.02576 RET   _lwp_unpark_all 0
  1564  9 named0.02070 RET   ___lwp_park50 0
  1564  2 named0.01449 RET   ___lwp_park50 0
  1564  8 named-1.98846 CALL  
___lwp_park50(0,0,0x7f7ff7b90090,0x7f7ff7b90090)
  1564  5 named0.01263 RET   ___lwp_park50 0
  1564  2 named0.02382 CALL  
___lwp_park50(0,0,0x7f7ff7b90090,0x7f7ff7b90090)
  1564  9 named-1.99323 CALL  
___lwp_park50(0,0,0x7f7ff7b90090,0x7f7ff7b90090)
  1564  5 named0.02127 CALL  
___lwp_park50(0,0,0x7f7ff7b90090,0x7f7ff7b90090)


> Hit 't' to switch to the thread view to get more details about what's going
> on for each individual thread (for the threaded named).

  PID USERNAME PRI NICE   SIZE   RES STATE  TIME   WCPUCPU COMMAND
 1564 jreed 390  1241M 1144M parked/0   1:10  0.00%  0.00% named

after pressing t

  PID   LID USERNAME PRI STATE  TIME   WCPUCPU NAME  COMMAND
 1564 9 jreed 37 parked/2   0:12  0.00%  0.00% - named
 1564 5 jreed 40 parked/5   0:08  0.00%  0.00% - named
 1564 2 jreed 41 parked/4   0:07  0.00%  0.00% - named
 1564 8 jreed 41 parked/7   0:07  0.00%  0.00% - named
 1564 7 jreed 40 parked/3   0:07  0.00%  0.00% - named
 1564 4 jreed 39 parked/1   0:07  0.00%  0.00% - named
 1564 6 jreed 39 parked/0   0:07  0.00%  0.00% - named
 1564 3 jreed 39 parked/6   0:07  0.00%  0.00% - named
 156410 jreed 43 parked/5   0:02  0.00%  0.00% - named



Re: pure-ftpd

2015-03-07 Thread Jeremy C. Reed
> Now I tried to configure it under NetBSD.  While the installation (pkgin
> in my case) printed partial instructions, there was no mention about
> where to put the config file.  The rc script gives no hint.
> 
> I cannot even guess where to ftp directory for files to make available
> might be, since it is one of the things to be defined by the config
> file!
> 
> Assuming the config file's name should remain pure-ftpd.conf also under
> NetBSD, I put a copy of it in many possible places.  No luck.

Did you try under /usr/pkg/etc/ ?


Re: using /etc/cron.d

2015-01-17 Thread Jeremy C. Reed
On Fri, 16 Jan 2015, matthew sporleder wrote:

> Okay it looks like modes 400 and 600 work

The manpage should be updated for this.  Or I prefer maybe we should fix 
it.

The process_crontab code could be modified so /etc/cron.d/ follows the 
same mode rules as /etc/crontab.

I think the crontab.5 manpage also needs to be fixed that the 
/etc/cron.d/ would have the username field too.

I didn't test this, but just reading code, it appears that /etc/cron.d 
in this implementation uses filenames that are named for the users and 
don't have a user field in the database, while other implementations may 
use arbitrary names and do have user field in the database.  I did a 
quick look at the Debian manpage and it has a note about this:

Additionally, in Debian, cron reads the files in the /etc/cron.d 
directory.  cron treats the files in /etc/cron.d as in the same 
way as the /etc/crontab file (they follow the special format of 
that file, i.e.  they include the user field) ...



Re: Listening on port 25 to receive mail

2014-12-05 Thread Jeremy C. Reed
On Fri, 5 Dec 2014, Rocky Hotas wrote:

> I tried to send an e-mail from a host in a LAN to another host in the 
> *same* LAN which runs NetBSD. But the connection was refused because 
> the NetBSD host is not listening on port 25.
> How could I make it possible?

Your subject says to receive mail and your need is to relay mail. Both 
can be done by default with already installed software.

/etc/rc.d/postfix rcvar

Set postfix=YES like in your /etc/rc.conf (or in 
/etc/rc.conf.d/postfix).

Make sure you have the original /etc/mailer.conf and then run the start 
script:

/etc/rc.d/postfix start

This may rebuild your mail aliases database and start the Postfix mail 
system, which includes, by default, the postfix master, pickup, and qmgr 
daemons. But none of these offer the SMTP listening service. Edit the 
/etc/postfix/master.cf file and you can uncomment the first #smtp line 
by removing the # hash mark. Tell postfix to reload with:

postfix reload 
(or /etc/rc.d/postfix reload)

Then you should see the *.25 port listening with netstat. (No smtpd 
daemon is started yet; it will be started when needed. Other postfix 
processes may start too, like smtp, proxymap, cleanup, trivial-rewrite, 
and/or bounce,)

You may need to study postfix documentation to learn more, but by 
default it should relay for networks as seen by running:

postconf mynetworks

You don't need official Sendmail sendmail from packages. But I do have 
some comments below:

> First I installed sendmail from pkg. Then, following the instructions 
> at the end of the installation, I forced the symbolic link
> 
> /usr/sbin/sendmail (which initially pointed to /usr/sbin/mailwrapper)
> 
> to point to /usr/pkg/libexec/sendmail/sendmail.

You don't need to create the symlink. When installing the package, there 
should be a message about the mailwrapper and mailer.conf. You should 
have a /usr/pkg/share/examples/sendmail/mailer.conf that 
you can copy to /etc/mailer.conf (instead of doing symlinks for all). 
(Be sure to back up the original first.)

> Next, I put the line
> 
> sendmail=YES
> 
> in /etc/rc.conf. However, after rebooting, in the output of
> 
> netstat -an -f inet |grep LISTEN
> 
> there was anything about port 25.

I assume you have no /etc/rc.d/ script for sendmail and your startup 
configuration doesn't know to look at scripts under /usr/pkg/etc/rc.d/ 
(see rc_directories setting) --- and also probably sendmail rc.d script 
wasn't copied there. There are more simple steps for this, but I will 
stop here.  Because maybe the postfix ideas above will work for you 
quickly.
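An added example, not from this thread and not code from the Postfix project: a POSIX sh script that applies the master.cf step above to a copy of the file, uncommenting only the "smtp inet" listener (port 25) and then listing which services are configured to open a network socket, the set to compare against netstat after "postfix reload". The sample master.cf is constructed here so the script runs offline; the file layout follows the stock master.cf column order.

```shell
#!/bin/sh
# Added example (not from the post): enable the Postfix "smtp inet" listener
# in a copy of master.cf and list which services would then open a socket.
# Always run it on a copy first; apply to /etc/postfix/master.cf only after
# inspecting the result and checking "postconf mynetworks".

# Uncomment exactly the "#smtp ... inet" line (port 25). The "#smtps inet"
# (465) and "#submission inet" (587) lines are deliberately left untouched:
# every extra listener is extra exposure and should be a separate decision.
# Returns 0 when the listener is enabled afterwards, 1 when no such line exists.
enable_smtp_listener() {
    f="$1"
    pat='smtp[[:space:]]\{1,\}inet[[:space:]]'
    if grep -q "^$pat" "$f"; then
        return 0                      # already enabled: idempotent
    fi
    if ! grep -q "^#$pat" "$f"; then
        return 1                      # nothing to uncomment
    fi
    tmp="$f.tmp.$$"
    sed "s/^#\($pat\)/\1/" "$f" > "$tmp" && mv "$tmp" "$f"
    grep -q "^$pat" "$f"
}

# Print the service names configured with type "inet", i.e. the ones that
# will show up as listening sockets in netstat after "postfix reload".
list_inet_listeners() {
    awk '$1 !~ /^#/ && $2 == "inet" { print $1 }' "$1"
}

# Constructed master.cf sample modelled on the stock layout (not a real file).
make_sample_master_cf() {
    cat > "$1" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
#smtp      inet  n       -       n       -       -       smtpd
#smtps     inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
smtp      unix  -       -       n       -       -       smtp
EOF
}

# Demonstration on a throw-away copy.
demo_dir=$(mktemp -d)
make_sample_master_cf "$demo_dir/master.cf"
enable_smtp_listener "$demo_dir/master.cf"
list_inet_listeners "$demo_dir/master.cf"    # prints: smtp
rm -r "$demo_dir"
```

After the live file is changed, "postfix reload" and then confirm that "postconf mynetworks" lists only the LAN that is meant to relay through this host: every network in mynetworks can submit mail unauthenticated, which is exactly the relay the original question wanted, and nothing more.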



Re: pf version

2014-09-18 Thread Jeremy C. Reed
On Thu, 18 Sep 2014, Zoran Kolic wrote:

> What is pf firewall version on current (7.99)?

I think it is from OpenBSD 4.2 and 4.3-current. See the src/doc/3RDPARTY 
file about it.

> I plan to install on rpi. Rules are already made,
> but I'm aware that version might be a bit old
> and syntax not the same as on openbsd.

You may want to consider learning NPF which is maintained in NetBSD. 
Probably some here can help you convert rules as needed.


delete user from group (was Re: NetBSD reference card (again!))

2014-08-12 Thread Jeremy C. Reed
On Tue, 12 Aug 2014, Ilia Zykov wrote:

> Maybe anybody knows how to remove a user from a secondary (additional)
> group without
> manually editing the /etc/group. For instance:
> FreeBSD 'pw groupmod group -d user'

The user(8) tool doesn't offer it, but its code does have 
rm_user_from_groups function for removing from all groups. Maybe you can 
reuse or extend that code to have routine to only remove from defined 
group(s).

By the way, the usermod/groupmod tool(s) on Linux (I looked at Ubuntu 
passwd 1:4.1.4.2+svn3283-3ubuntu5.1 package) also doesn't have this 
feature, but the usermod -G does remove the user from any groups not 
listed with the -G.
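Since user(8) has no per-group removal, here is an added example (not part of the reply, and not code from user(8) or its rm_user_from_groups routine): a POSIX sh/awk routine that removes a single user from one group in a group(5)-format file. The sample group file is constructed; run it on a copy, never on the live /etc/group, which the system tools edit under a lock.

```shell
#!/bin/sh
# Added example (not from the post or from user(8)): remove one user from the
# member list of one group in a group(5)-format file. Work on a copy of
# /etc/group; the live file should be edited via the system tools so that
# concurrent edits cannot clobber each other.

# remove_user_from_group USER GROUP FILE
# Only the named group's member field is rewritten; every other line is
# copied through unchanged. Matching is on the whole member name, so
# removing "bob" never touches "bobby" (a classic sed/grep pitfall, which
# matters most when the group is wheel and the mistake changes who may su).
remove_user_from_group() {
    user="$1"; group="$2"; file="$3"
    tmp="$file.tmp.$$"
    awk -F: -v OFS=: -v u="$user" -v g="$group" '
        $1 == g {
            n = split($4, m, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                if (m[i] == u || m[i] == "") continue
                out = out (out == "" ? "" : ",") m[i]
            }
            $4 = out                  # reassigning rebuilds the line with OFS
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# group_members GROUP FILE: print the member field of GROUP (empty if none).
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# Constructed sample group file (not a real /etc/group).
make_sample_group_file() {
    cat > "$1" <<'EOF'
wheel:*:0:root,alice,bob
operator:*:5:bob,bobby
staff:*:20:bob
users:*:100:
EOF
}

# Demonstration on a throw-away copy.
demo_dir=$(mktemp -d)
make_sample_group_file "$demo_dir/group"
remove_user_from_group bob operator "$demo_dir/group"
group_members operator "$demo_dir/group"     # prints: bobby
rm -r "$demo_dir"
```

The awk program splits the fourth field on commas and compares each member as a whole token, then reassigns the field so the line is rebuilt with ":" as the separator; a group whose only member was the removed user ends up with an empty member field, which is the same form the file uses for a group with no members.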


Re: Aw: Re: pkgin: mplayer-1.1.1nb1 is not available on the repository

2014-07-16 Thread Jeremy C. Reed
On Thu, 17 Jul 2014, Carsten Kunze wrote:

> But if that's the reason why does pkgin avail list it? Or do I have 
> to set up an alternative server path to be able to install it?

I assume the pkg_summary(5) database was created using a repo of 
packages that included some packages not allowed to be served. The 
problem package was either removed or at least not uploaded. So the 
list of available packages doesn't match.

I didn't look at old email in this thread to see which repo has the problem. 
But I have a few scripts to check sanity of the repo and see many 
potential problems, including:
http://ftp.netbsd.org/pub/NetBSD/misc/reed/pkgsrc-package-sanity/missing-or-old-pkg_summary.txt

See 
http://ftp.netbsd.org/pub/NetBSD/misc/reed/pkgsrc-package-sanity/README 
for some details


Re: something is randomly closing ssh-tunnels

2014-06-26 Thread Darren Reed
Peter,

The workaround for this is to add pass out log body quick proto tcp
from 85.X.X.X port = 22 to 77.X.X.X.X at the end of all of your keep
state ipf rules.

I've added the log body bit to provide more information about the
ssh packets that aren't picked up by the ssh rules and session state.

Cheers,
Darren



using getent(3) and specifying more arguments after the key?

2014-06-25 Thread Jeremy C. Reed
The getent.1 manual says:

  For cgetcap(3) style databases (disktab, printcap) specifying a key,
  lists the entry for that key, and specifying more arguments after the key
  are used as fields in that key, and only the values of the keys are
  returned.  For boolean keys true is returned if the key is found.  If a
  key is not found, then false is always returned.

I only looked at this part of the code briefly. I think the manpage 
means to say:

... only the values of the fields are returned.  For boolean fields, 
`true' is returned if the field is found.  If a field is not found, then 
`false' is always returned.

But I cannot reproduce it, for example:

t1:reed$ getent disktab floppy ty 
t1:reed$ getent disktab floppy ob
t1:reed$ getent disktab floppy pc
t1:reed$ getent gettytab Console rw

But I would think it would be like this:

t1:reed$ getent disktab floppy ty 
floppy
t1:reed$ getent disktab floppy ob
0
t1:reed$ getent disktab floppy pc
2880
t1:reed$ getent gettytab Console rw
true

Note that getent with the entry does work:

t1:reed$ getent disktab floppy
floppy|3.5in High Density 
Floppy:ty=floppy:se#512:nt#2:rm#300:ns#18:nc#80:pa#2880:oa#0:ba#4096:fa#512:ta=4.2BSD:pb#2880:ob#0:pc#2880:oc#0:

t1:getent$ ./getent gettytab Console 
Console|Console Decwriter II:rw:sp#300:

Am I doing this wrong to get the value? Or is this not working? Or maybe 
I don't understand the manual.

(By the way, I just sent a patch to tech-userlevel to add login.conf 
support to getent(1) but this problem is in an unpatched version too.)

Thanks,

  Jeremy C. Reed

echo 'EhZ[h ^jjf0%%h[[Zc[Z_W$d[j%Xeeai%ZW[ced#]dk#f[d]k_d%' | \
  tr '#-~' '\-.-{'



Re: using getent(3) and specifying more arguments after the key?

2014-06-25 Thread Jeremy C. Reed
> Looks broken to me. Fix it.

Okay, one line fix. I will commit if nobody objects.

t1:getent$ ./getent gettytab Console junk rw sp  
false
true
300

Index: getent.1
===
RCS file: /cvsroot/src/usr.bin/getent/getent.1,v
retrieving revision 1.23
diff -U 7 -r1.23 getent.1
--- getent.111 Oct 2011 20:39:40 -  1.23
+++ getent.125 Jun 2014 18:58:28 -
@@ -23,15 +23,15 @@
 .\ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 .\ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 .\ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 .\ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 .\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\ POSSIBILITY OF SUCH DAMAGE.
 .\
-.Dd October 11, 2011
+.Dd June 25, 2014
 .Dt GETENT 1
 .Os
 .Sh NAME
 .Nm getent
 .Nd get entries from administrative databases
 .Sh SYNOPSIS
 .Nm getent
@@ -97,20 +97,23 @@
 will be retrieved using the appropriate enumeration function and printed.
 .Pp
 For
 .Xr cgetcap 3
 style databases
 .Sy ( disktab ,
 .Sy printcap )
-specifying a key, lists the entry for that key, and specifying more arguments
-after the key are used as fields in that key, and only the values of the keys
-are returned.
-For boolean keys
+specifying a key,
+.Nm
+lists the record entry for that key.
+Additional arguments specified after the key are used as capability
+fields in that record, and only the values of the fields are
+returned.
+For boolean fields,
 .Dv true
-is returned if the key is found.
+is returned if the capability is found.
 If a key is not found, then
 .Dv false
 is always
 returned.
 .Sh DIAGNOSTICS
 .Nm
 exits 0 on success,
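Review bot: the last sentence of this hunk is now inconsistent with the new wording: the paragraph was changed to talk about capability "fields" and "is returned if the capability is found", but "If a key is not found, then .Dv false is always returned." still says "key", which after this change means the record name rather than the field being looked up. Suggest "If a capability is not found, then" so that all three sentences use the same term.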
Index: getent.c
===
RCS file: /cvsroot/src/usr.bin/getent/getent.c,v
retrieving revision 1.19
diff -U 7 -r1.19 getent.c
--- getent.c15 Mar 2012 02:02:23 -  1.19
+++ getent.c25 Jun 2014 18:58:28 -
@@ -634,15 +634,15 @@
}
} else {
if ((b = mygetent(db_array, argv[0])) == NULL)
return RV_NOTFOUND;
if (argc == 1)
handleone(db_array, b, recurse, pretty, 0);
else {
-   for (i = 2; i  argc; i++) {
+   for (i = 1; i  argc; i++) {
for (j = 0; j  sizeof(sfx) - 1; j++) {
cap = cgetcap(b, argv[i], sfx[j]);
if (cap) {
capprint(cap);
break;
} 
}
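Review bot: the change from "i = 2" to "i = 1" is the right fix: the record key is argv[0] (it is what mygetent(db_array, argv[0]) looks up a few lines above), so the field arguments start at argv[1] and the old loop silently skipped the first of them, which matches the empty output in the earlier message. One thing the diff context hides: the visible lines only call capprint() when cgetcap() returns non-NULL, so the "false" printed for "junk" in the sample run must come from code below the shown context; a short comment above the for loop pointing at where the not-found case is reported would make the loop easier to review on its own.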


Re: something is randomly closing ssh-tunnels (was: ipfilter randomly dropping..)

2014-06-24 Thread Darren Reed
On 23/06/2014 8:24 PM, Petar Bogdanovic wrote:
> During the past few weeks the ssh-tunnels to a remote machine started
> failing randomly.  In a previous mail to tech-net I prematurely blamed
> ipfilter because disabling it yielded some immediate success.
>
> Unfortunately, subsequent testing showed that having npf enabled instead
> eventually led to the same issues.
>
> What I know:
>
>   * the server suddenly FINs the connection
>   * the server ignores everything after that and sends about 20-30
>     RSTs for lots of late ACKs sent by the client
>   * ipmon is able to track the connection but misses the FIN
>   * yet ipfilter manages to update its state table and reduces the
>     TTL of the connection from 24h to 30s
>   * a server-tcpdump captures the FIN
>   * a client-tcpdump captures the same FIN
>   * according to wireshark, the FINs in both pcaps have sequence
>     numbers that indicate lost segments (which at least in one
>     case makes little sense since it was captured directly at the
>     source)
>   * ssh and sshd both never try to tear down the connection
>   * ssh reports that the remote end has closed the connection
>   * sshd bails on a failed write() with ENETUNREACH

So the problem is this:
* sshd tries to write to the socket, gets ENETUNREACH

and then exits leading to the FIN packets being transmitted as the socket
is closed down in the normal course of things but by the time it is doing
the exit the network path has restored.

For ICMP packets to cause this, you would need to see many of them.

You've got public IP addresses in your capture file and you've made no
mention of using NAT, so I'm going to assume that the box with sshd/ssh
on it is connected to the Internet directly with some kind of cable modem
or similar.

Are you able to cross check the events from sshd with log data from those
devices?

For example, if the NIC facing outwards drops then you will get ENETUNREACH
because the destination with the default route has disappeared. Or if your
DHCP assigned IP address disappears briefly then again the route will
disappear and ENETUNREACH.

How about these two for me:
netstat -s | grep -i unreach
netstat -s | grep -i route

And of course the other important thing to do in an experiment is to save
the output of netstat -s at the start of a run and compare that with its
output when the problem has been seen again.

Kind Regards,
Darren



Re: something is randomly closing ssh-tunnels (was: ipfilter randomly dropping..)

2014-06-24 Thread Darren Reed
On 24/06/2014 10:39 PM, Darren Reed wrote:
> On 23/06/2014 8:24 PM, Petar Bogdanovic wrote:
>> ...  * sshd bails on a failed write() with ENETUNREACH
> So the problem is this:
> * sshd tries to write to the socket, gets ENETUNREACH
>
> and then exits leading to the FIN packets being transmitted as the socket
> is closed down in the normal course of things but by the time it is doing
> the exit the network path has restored.
>
> For ICMP packets to cause this, you would need to see many of them.


Oh, I forgot, there are internal code paths in ipfilter/npf that can
return ENETUNREACH.

If you are using NetBSD 6 with ipfilter, comparing the output of this:

ipfstat | grep 'block reason'

from before and after might be illuminating.

Or maybe just compare the entire output of ipfstat and ipfstat -s
from before and after.

Kind Regards,
Darren



Re: No subdirectory accepted in /var/run ?

2014-02-28 Thread Jeremy C. Reed
On Fri, 28 Feb 2014, herbert langhans wrote:

> I create a subdirectory /var/run/snort
> I restart the server - subdirectory /snort is gone

Removed by /etc/rc.d/mountcritlocal

hier(7) says that the /var/run/ system information files are rebuilt 
after each reboot.


> It would be good to have this, since snort's pidfile has trouble with 
> it when I restart snort. Also I don't want to be too generous with the
> /var/run permissions.
>
> Any ideas? Thanks!

If this is a package snort, then maybe it should be adjusted to use a 
different snort pid location? Or the snort.sh rc.d script can be 
adjusted to create it if needed.

Maybe as a workaround if you use a rc.d/snort script then maybe add 
/etc/rc.conf.d/snort containing:

mkdir -p /var/run/snort

Or add that mkdir to your /etc/rc.local

Or use snort --pid-path to choose different location in your startup?
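Because /var/run is rebuilt by /etc/rc.d/mountcritlocal on every boot, whatever the daemon needs there has to be recreated at startup, and the rc.conf.d workaround above is the natural place for that. The following is an added example, not code from the thread or from the snort package: a helper that creates the per-daemon directory, enforces a restrictive mode on every run (so a stale or hand-created directory cannot stay wider than intended), and refuses to operate on a symlink, which could otherwise redirect the pidfile. The directory name, mode and owner are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the snort package: an
# /etc/rc.conf.d/snort-style helper that creates a per-daemon directory
# under /var/run before the daemon starts. /var/run is rebuilt on every
# boot by /etc/rc.d/mountcritlocal, so anything the daemon needs there has
# to be recreated at startup. The path, mode and owner used in the usage
# note are assumptions for the example.

# ensure_rundir DIR MODE [OWNER[:GROUP]]
# Creates DIR (and parents) if missing, refuses to follow a symlink at DIR,
# and applies MODE (and OWNER, when given and running as root) on every
# call, so an existing directory is tightened rather than left as found.
# Returns 0 on success, 1 on failure.
ensure_rundir() {
    dir=$1 mode=$2 owner=$3
    # A symlink here would let the daemon's pidfile land somewhere else.
    if [ -L "$dir" ]; then
        echo "ensure_rundir: $dir is a symlink, refusing" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" || return 1
    fi
    chmod "$mode" "$dir" || return 1          # enforce, do not merely create
    if [ -n "$owner" ]; then
        chown "$owner" "$dir" || return 1
    fi
    return 0
}

# has_mode DIR MODE: true if DIR's permission bits are exactly MODE (octal).
# -prune keeps find(1) from descending, so only DIR itself is tested.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}
```

In /etc/rc.conf.d/snort the call would then read, for example, `ensure_rundir /var/run/snort 0750 snort:snort` (assumed names), giving snort a directory it owns without widening the permissions of /var/run itself; the same function can be reused by other rc.conf.d files that need their own subdirectory there.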


Re: Does my processor support 64bit kernel?

2014-02-11 Thread Jeremy C. Reed
On Tue, 11 Feb 2014, Rhialto wrote:

> On Tue 11 Feb 2014 at 12:18:37 -0600, Jeremy C. Reed wrote:
>> Try cpuctl identify 0 and look for LONG cpu feature.  With yours
>> you will probably also see EM64T.
>
> That can't be right. On my cpu (on which I have installed the 64-bit
> version) I don't have LONG. But I do have EM64T. (It is some Intel cpu).
> Maybe this is different after NetBSD 6.1.1.

Sorry. Yes, the LONG is an AMD64 feature flag and EM64T is an Intel 
flag.

Another posting suggested sysctl -a | grep 64 but I don't see what 
kernel state would help show that from looking at various NetBSD 32 bit 
and 64 bit systems.


Re: lpd/samba printing with usb

2014-01-17 Thread Jeremy C. Reed
On Fri, 17 Jan 2014, pierre-philipp braun wrote:

> When I try to print a job from a windows client, with the printer 
> configured and looking good, the printer spins on however nothing 
> happens, the jobs stays in the queue (saying it is still printing), no 
> page comes out and there is no log in /var/log/lpd-errs.  I can also 
> see the waiting jobs with lpq from the lpd and samba server,

Have you been able to print successfully to your Samsung SCX-4200 
printer via ulpt0 directly (without using samba)?

I think it uses a proprietary format. Some open source driver is at 
http://splix.ap2c.org/  but for CUPS. I didn't look at it, but maybe you 
can make that work so you can test locally.

Anyways, I have had ongoing problems trying to print via some ulpt0 
printers. There are a few threads about it.  I do have good success 
using a Brother HL 5150D Postscript printer over ulpt0 using lpd for 
several years now.  You may find that using a printer with a 
non-proprietary format may be easier.


Re: Xfburn

2014-01-14 Thread Jeremy C. Reed
On Tue, 14 Jan 2014, f...@freddyfisker.dk wrote:

> Why don't NetBSD have the Xfburn to burn CD and DVD?

I think the libburnia dependency needs to be ported to NetBSD.
But maybe for other platforms it may be added. I see an old version was 
pkgsrc-ized:
http://code.google.com/p/dracolinux/source/browse/trunk/pkgsrc/xfburn/?r=810

FreeBSD has a port of xfburn
http://svnweb.freebsd.org/ports/head/sysutils/xfburn/
http://svnweb.freebsd.org/ports/head/devel/libburn/
So maybe this can be reused for pkgsrc.


Re: pmake/NetBSD make sources for Linux?

2014-01-06 Thread Jeremy C. Reed
On Mon, 6 Jan 2014, Malcolm Herbert wrote:

> Alternatively, are there reasonably current stand-alone versions of
> pmake to be had that would compile under Linux that someone can point me
> at[3]?

See http://www.crufty.net/help/sjg/bmake.html
http://www.crufty.net/ftp/pub/sjg/  has recent downloads.

> It's meant to be portable[4], according to the label on the tin ... :)

> [3] I've got almost exactly the same question about mtree, if anyone
> has hints on where to find current source for that which would work under
> Linux too, that would be appreciated

At one time I had worked on a portable mtree using NetBSD sources on 
Linux, but I didn't try it lately.

> [4] unless this means 'parallel', I never got a good answer to this

parallel: it was coded for the Sprite project which was focusing on 
process migration. Their make was used to do parallel compilations 
remotely. It replaced the historical make in BSD in 1990.


Re: disks question

2013-12-16 Thread Jeremy C. Reed
On Mon, 16 Dec 2013, Roelof Wobben wrote:

> I have two disks on my system.
> One of 300G and one of 80G where Netbsd can be installed.
> In linux they are called :
>
> /dev/sdb 300G
> /dev/sda 80G.
>
> Is there a way I can check which is which one on installing ?

The next sysinst display will show the hard disk (or disks) it found, 
such as wd0, wd1, or sd0. These disks are identified by their NetBSD 
device name and disk number.

Press Enter to continue to install NetBSD on the detected disk. Or if 
you have multiple choices, first select the desired disk to install on.

If you don't know which disk is which, you may be able to find out. 
Temporarily suspend the installer by pressing Ctrl-Z. This will give you 
a Unix shell prompt. Then search for the hardware in the kernel boot 
messages; for example to search for all wd disks:

# dmesg | grep 'wd[0-9]'

If your system has one or more wd disks, the output may tell you 
details about that hardware including its size.

To get back to sysinst, type fg (and press Enter) at the shell prompt to 
bring the installer back to the foreground.

(I hope this helps. I copy and pasted this directly from my 
unfinished book about NetBSD.)

I thought I had a screenshot of this specific screen, but can't find it 
now. But the new sysinst code shows that it shows the name, size, and 
vendor/product/model (depending on hardware type) so that should help 
without using dmesg.


Re: Printer

2013-12-07 Thread Jeremy C. Reed
On Sat, 7 Dec 2013, f...@freddyfisker.dk wrote:

> How do I set up a Network Postscript printer?
>
> It is a Lexmark X544 printer and I use the Xfce desktop.
>
> Are there some pkgin packages I need to install?
> Is it in the Terminal the printer has to be set up?

From a quick look I couldn't tell if it is an IPP or LPD printer.
The easiest way may be to install the cups package.

I found an article that may help:
http://wiki.netbsd.org/tutorials/how_to_setup_cups_in_netbsd/

The basic steps:

Make sure you can ping your printer.

pkgin install cups
pkgin install foomatic-ppds-cups
cp /usr/pkg/share/examples/rc.d/cupsd /etc/rc.d/
mkdir -p /etc/rc.conf.d/
echo cupsd=YES > /etc/rc.conf.d/cupsd
/etc/rc.d/cupsd start

In your web browser on the same system go to
http://localhost:631

http://www.cups.org/documentation.php/network.html  may have some 
details.

Use that to add your new printer.
Send a test page using that CUPS interface.

Print using  /usr/pkg/bin/lpr

There may be some more steps you need too.

Also consider installing xfce4-print package to manage print jobs in 
xfce (but no configuration of printer there).


Re: Where to put custom fonts?

2013-11-25 Thread Jeremy C. Reed
On Mon, 25 Nov 2013, Ottavio Caruso wrote:

> I was thinking of copying the ttf fonts from Windows somewhere on the
> Netbsd partition. I don't have fontconfig (yet) but I have fc-cache.

If you have fc-cache, you probably have fontconfig.

I just copy TTF files to my personal ~/.fonts/ directory.

Your fonts.conf probably has the default definition:
<dir>~/.fonts</dir>
If you don't want it for only your use, but for system wide, see the 
other dir entries in your fonts.conf.


Re: Where to put custom fonts?

2013-11-25 Thread Jeremy C. Reed
On Mon, 25 Nov 2013, Ottavio Caruso wrote:

>> I just copy TTF files to my personal ~/.fonts/ directory.

> In \Windows\Fonts I have some fonts ending in .ttf, others in .TTF.
> Would the system understand the ones ending with capital .TTF or do
> they have to be converted or maybe just changing the capitalization?

In my use, the capitalization doesn't matter. For example:

$ ls  ~/.fonts
Glass_TTY_VT220.ttf  ZIGZRG__.TTF

$ fc-list | egrep -i 'glass|vt220|zig'
Glass TTY VT220:style=Medium
Zigzag:style=Regular


Re: update 6.0.1_PATCH - 6.0.2 added suid to /usr/bin/passwd

2013-06-04 Thread Jeremy C. Reed
On Tue, 4 Jun 2013, Petar Bogdanovic wrote:

>   # ls -la /path/to/6.0.1/usr/bin/passwd
>   -r-xr-xr-x  3 root  wheel  31003 Mar  6 13:35 /path/to/6.0.1/usr/bin/passwd
>   # ls -la /path/to/6.0.2/usr/bin/passwd
>   -r-sr-xr-x  2 root  wheel  31003 Jun  3 14:21 /path/to/6.0.2/usr/bin/passwd
>
> I always use tar with p when extracting the sets so that part should be
> ok..  but other than that?

I think at the last time your /usr/bin/passwd was not installed 
preserving that permission.

This looks normal to me.


memory usage, including shared, for a set of programs?

2013-03-26 Thread Jeremy C. Reed
What is best way to figure out memory usage for a set of programs?  (I 
have nine python programs running.)  Do I need to use pmap and have 
something compare what shared memory is used in each and then deduct all 
duplicates?

As far as I understand, the ps output may have duplicated details.

Memory: 583M Act, 158M Inact, 52K Wired, 27M Exec, 660M File, 7248K Free
Swap: 1025M Total, 120M Used, 905M Free

Totals for ps -awwwxo %mem,rss,rsz,tsiz,vsz are:

%MEM    RSS    RSZ TSIZ     VSZ
15.1 135296 135296 9380 2007060

$ vmstat -s | egrep 'bytes per page|pages manage|pages free$|cached file pag|cached executab|swap page'
 4096 bytes per page
   218477 pages managed
 3877 pages free
   166878 cached file pages
 6929 cached executable pages
   262275 swap pages
30610 swap pages in use

Now to look at my python daemons:

$ ps -awwwxo pid,%mem,rss,rsz,tsiz,vsz,comm | egrep 'PID.*COMM|python'
  PID %MEM  RSS  RSZ TSIZ    VSZ COMMAND
 9866  0.5 4612 4612    8 118244 /usr/pkg/bin/python3.1
11797  0.5 4460 4460    8 131720 /usr/pkg/bin/python3.1
 1334  0.6 5052 5052    8 113132 /usr/pkg/bin/python3.1
 6242  0.5 4600 4600    8 125488 /usr/pkg/bin/python3.1
 9657  0.9 8448 8448    8 112096 /usr/pkg/bin/python3.1
14447  0.3 3116 3116    8 128588 /usr/pkg/bin/python3.1
18240  0.3 2692 2692    8 145024 /usr/pkg/bin/python3.1
18558  0.5 4860 4860    8 126188 /usr/pkg/bin/python3.1
19478  0.5 4348 4348    8 134984 /usr/pkg/bin/python3.1

How can I know if the memory use above is accurate or not in regards to 
shared code?

Anyway for pmap to join the output or recognize duplicates?  Or do you 
know of another script to understand the pmap output?  (I see that when 
I look at various processes with pmap -a, that there are overlapping or 
identical Start-End sections.)

I am trying to understand this, as now my three main NetBSD systems are 
nearly always using lots of swap and they are becoming much slower.

Thanks
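The question above is essentially one of accounting: adding the RSS column counts every page mapped from the same interpreter binary or shared library once per process, while the kernel holds only one copy. The following is an added example, not code from this thread: an awk filter that takes one mapping per line and reports both the naive per-process sum and a total in which each file-backed range is counted once across all processes. The input format ("PID START-END SIZE PATH", size in KiB, "[anon]" for private memory) is a constructed simplification, not the real pmap(1) layout, so real output would have to be reshaped into it first; and a file-backed mapping can still be private (copy-on-write data), so the deduplicated figure is a lower bound, not an exact answer.

```shell
#!/bin/sh
# Added example, not from the thread. The line format is a constructed
# simplification: "PID START-END SIZE PATH", SIZE in KiB, PATH "[anon]"
# (or empty) for private memory. Real pmap(1) output on NetBSD has more
# columns; the point here is the accounting, so reshape real output into
# this form before feeding it in.

# Constructed sample: two python processes that map the same interpreter
# text and the same libc (shared once), plus their own anonymous heap.
sample_maps() {
    cat <<'EOF'
9866 0x100000-0x200000 1024 /usr/pkg/bin/python3.1
9866 0x200000-0x280000 512 /usr/lib/libc.so.12.182
9866 0x300000-0x340000 256 [anon]
11797 0x100000-0x200000 1024 /usr/pkg/bin/python3.1
11797 0x200000-0x280000 512 /usr/lib/libc.so.12.182
11797 0x300000-0x360000 384 [anon]
EOF
}

# unique_kib: read mappings on stdin and print "NAIVE UNIQUE" in KiB.
# NAIVE is what every process contributes (the same as adding RSS columns);
# UNIQUE counts each file-backed range only once across processes, keyed on
# the address range plus the backing path, and always counts anonymous
# memory since it is private to the process that owns it.
unique_kib() {
    awk '
        { naive += $3 }
        $4 == "[anon]" || $4 == "" { unique += $3; next }
        !seen[$2 SUBSEP $4]++ { unique += $3 }
        END { printf "%d %d\n", naive, unique }
    '
}
```

On the constructed sample `sample_maps | unique_kib` prints `3712 2176`: the per-process sum is 3712 KiB, but once the shared interpreter and libc ranges are counted a single time only 2176 KiB of distinct memory remains. Keying on the range as well as the path matters because a library mapped at different addresses in two processes is not guaranteed to share pages.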