Re: how to fsck automatically at boot

2024-05-21 Thread Nick Holland

On 5/20/24 09:37, Jan Stary wrote:

On May 20 13:22:26, mikyde...@yahoo.fr wrote:

Hello,

I have two use cases and problems with fsck.

1) When my openbsd boots after an outage, the system asks me to fsck /, /usr, 
/var or /home manually.
So I do
fsck /dev/sd0a
And then I'm asked questions and I usually answer F

So my question is that I want this process to be done automatically at boot 
time for each partition that has a problem.


The /etc/rc boot script calls fsck -p;
if that fails, it means fsck -p was unable to fix a major problem.
It is the point that it requires an admin's intervention.

You would have to change the fsck call to fsck -y;
but don't do that.


I'd look at why your file systems are always needing these manual
interventions after a hard shutdown.  I routinely power down my
personal systems with yanking the power cord if it would take me
longer to "properly" connect a console and properly shut down.

yeah, I get fscks, but I rarely get a manual intervention required.
It does happen...but rarely.


(Also, don't let a server have power outages, obviously.)


This is because I use a small server without screen and keyboard.


So what? That is no excuse to leave broken filesystems unattended.


2) I have another disk in my small server, and I mount one partition of it with 
in fstab
aa929243b0f5.a /var/mylogs ffs rw,nodev,nosuid 1 2
When I remove that disk the boot sequence stops and asks for a fsck
I would like that this disk is mounted when it's present, but when it's not 
installed I don't want the boot sequence to stop


Make it also "noauto" in fstab and mount it in rc.local.


Last I tried this, it didn't do what I wanted -- "noauto" still expects
to have the disk there and will fsck it on boot.  Failure to be able to
do this stops the boot.  It's been a while since I last tried this, so
perhaps something has changed (including my recollection?)


I have some backup servers with big file systems that can take hours to
fsck. I pulled the mount lines out of /etc/fstab and put them in a
separate script that is invoked at boot from /etc/rc.local

And this might be a solution for the OP's problem:
make /usr and /usr/* "ro" during normal operation, and move all the
"lots of volatile data" stuff over to partitions that are mounted post
boot by a separate script.  Maybe make /tmp an MFS if that's an option.
That will minimize the fsck problems, and allow the system to come up
for either manual, remote fixing or even fsck -y in the mountall script.
Don't forget you ro'd the /usr partitions, otherwise your upgrades will
be unpleasant. :)

Nick.
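
The post-boot mount script described above, as an added example that is not code from this thread: it mounts a disk only when it is attached, runs fsck -p first, and never stops the boot. The table file name /etc/fstab.late, the --run switch and the DUID are constructed placeholders, and it assumes fsck(8) and mount(8) accept the DUID.partition form directly.

```shell
#!/bin/sh
# Added example: mount "optional" file systems after boot without ever
# stopping the boot.  Call from /etc/rc.local as:  sh late-mount.sh --run
#
# The table uses fstab(5) field order, so lines can be moved over from
# /etc/fstab unchanged.  File name and DUID are constructed placeholders:
#   0123456789abcdef.a /var/mylogs ffs rw,nodev,nosuid 1 2
LATE_TABLE=${LATE_TABLE:-/etc/fstab.late}

# True if a disk with this DUID is attached.  "sysctl -n hw.disknames"
# prints e.g. "sd0:fedcba9876543210,cd0:,sd1:0123456789abcdef".
disk_present() {
    sysctl -n hw.disknames | tr ',' '\n' | grep -q ":$1\$"
}

# late_mount_one SPEC MOUNTPOINT TYPE OPTIONS
# Returns 0 mounted, 1 disk absent, 2 fsck -p gave up, 3 mount failed.
# Assumption: fsck and mount take the DUID.partition form as SPEC.
late_mount_one() {
    spec=$1 mnt=$2 fstype=$3 opts=$4
    if ! disk_present "${spec%.*}"; then
        logger -t late-mount "$spec not attached, skipping $mnt"
        return 1
    fi
    # Preen only: fix what is safe to fix, stop on anything serious.
    # No "fsck -y" here; a failure is left for an admin to look at.
    if ! fsck -p "$spec"; then
        logger -t late-mount "fsck -p failed on $spec, $mnt left unmounted"
        return 2
    fi
    if ! mount -t "$fstype" -o "$opts" "$spec" "$mnt"; then
        logger -t late-mount "mount of $spec on $mnt failed"
        return 3
    fi
    return 0
}

# late_mount_all TABLE
# Walks every entry even if an earlier one fails; the return value is the
# number of entries that did not end up mounted.
late_mount_all() {
    not_mounted=0
    while read -r spec mnt fstype opts _rest; do
        case $spec in ''|'#'*) continue ;; esac
        # </dev/null keeps fsck from eating the rest of the table.
        late_mount_one "$spec" "$mnt" "$fstype" "$opts" </dev/null ||
            not_mounted=$((not_mounted + 1))
    done <"$1"
    return "$not_mounted"
}

if [ "${1:-}" = "--run" ]; then
    late_mount_all "$LATE_TABLE"
    exit 0      # rc.local must carry on whatever happened above
fi
```

The entries handled this way are taken out of /etc/fstab entirely, so the boot-time fsck in /etc/rc never sees them.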



Re: Favorite configuration and system replication tools?

2024-05-07 Thread Nick Holland

On 5/7/24 19:25, Jo MacMahon wrote:

I'm interested if anybody has solutions using just the base system - I would 
want something like etckeeper or git that was a true version control system, 
rather than dump(8)/restore(8) which are backup systems. I'm idly considering 
learning CVS for it, and I suppose if I'm going to become a true OpenBSD user I 
will have to learn CVS at some point!

Jo


almost?
base+rsync is pretty close.

For over 20 years now, I've been using an rsync --link-dest backup
system to make system backups.  Several daily backups, several
monthly backups.  Not a true revision control system, but you have
the ability to compare versions of a file as far back as you wish to
keep copies.  Plus, since it stores its backups in fully readable form,
you can do all kinds of fantastic system research.  Backups are stored
in /ibs///(backed up file system tree).  through the
magic of hard links, every backup is incremental from the backup before
in terms of files moved over the wire and space on disk, but every backup
directory is a full backup.

grep and careful wildcards gets you all kinds of info:
What systems is user "bob" on?
$ grep "bob" /ibs/*/.latest/etc/passwd

How long has "bob" been on server "server"?
$ grep "bob" /ibs/server/*/etc/passwd

What systems are set up using dhcp?
$ grep autoconf /ibs/*/.latest/etc/hostname.*

When I bring up a new laptop, I typically install OpenBSD, install rsync,
install whatever packages I want, install a root authorized key from my
backup server, and then push my home directory from a backup to the new
system.

https://holland-consulting.net/scripts/ibs/

I've scaled it from home use to "big" (current employer, almost 500 systems
doing just etc and a few other directories.  Last job, about 100 systems
with about 30TB of backup data)

client: rsync.  backup server: Rsync + script.


Other options:
CVS is in base, it works, but I don't find it as useful for system configs
as my Incremental Backup System.  But it is 100% in base.

If you are a fan of git, you might want to try Game of Trees (GOT), which is
a LOT lighter weight in terms of required support than git.
https://gameoftrees.org/index.html
Same comments apply as for CVS, though -- works, but not as useful to me.
But...git seems to be the new favorite revision control system, so knowing
got/git is more marketable than cvs. :-/


Nick.
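
The hard-link snapshot idea from the message above, as an added example; it is not the IBS script linked in the post. The directory layout (one directory per host, one per snapshot, plus a ".latest" symlink) and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: incremental-but-full snapshots with rsync --link-dest.
# Assumed layout:  <hostdir>/<snapshot>/...  and  <hostdir>/.latest -> newest

# snapshot SRC HOSTDIR NAME
# Makes HOSTDIR/NAME a complete copy of SRC.  Files unchanged since the
# previous snapshot are hard links to it, so they cost no extra space
# and are not transferred again.
snapshot() {
    src=$1 hostdir=$2 name=$3
    mkdir -p "$hostdir" || return 1
    # --link-dest is resolved relative to the destination, so use an
    # absolute path to avoid surprises.
    hostdir=$(cd "$hostdir" && pwd) || return 1
    if [ -d "$hostdir/.latest/" ]; then
        rsync -a --link-dest="$hostdir/.latest/" \
            "$src/" "$hostdir/$name/" || return 1
    else
        rsync -a "$src/" "$hostdir/$name/" || return 1
    fi
    # Repoint .latest only after the copy finished successfully.
    rm -f "$hostdir/.latest"
    ln -s "$name" "$hostdir/.latest"
}

# file_history HOSTDIR RELPATH
# Prints the snapshots in which RELPATH is new or was changed.  An
# unchanged file shares its inode with the previous snapshot; a new
# inode number means rsync saw different content or metadata.
# The glob skips ".latest", and date-style names sort oldest first.
file_history() {
    prev=
    for snap in "$1"/*/; do
        f=$snap$2
        [ -e "$f" ] || { prev=; continue; }
        ino=$(ls -i "$f" | awk '{print $1}')
        [ "$ino" = "$prev" ] || basename "$snap"
        prev=$ino
    done
}

if [ $# -eq 3 ]; then
    snapshot "$@"
fi
```

Running file_history /ibs/server etc/passwd narrows down which snapshot directories are worth diffing when an account appears unexpectedly.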



Re: Upgraded to 7.5: vfs.ffs.dirhash_dirsize no longer exists and large directory are veeery slow

2024-04-11 Thread Nick Holland

On 4/11/24 05:47, Federico Giannici wrote:

We have a server with A LOT of files in some directories (an email
server in maildir format).

Since we upgraded from OpenBSD amd64 7.3 to 7.5 (passing through 7.4) it
became very very very slow to access these large directories!

,,,
You may be being bitten by the removal of softdeps (soft updates)
in 7.4 more than the availability of a knob to twist.  This was a
huge hit for some things -- I had one backup job go from a couple
hours to eight or so hours.  However, it turned out that increase
in time has not inconvenienced me at all, and some random lockups
related to softdeps have gone away.  Overall, win for me (the
fscks after a lockup took hours, too, not to mention all the time
and effort spent replacing part after part assuming it was a HW
issue).

As I understand it...there were known (known unknown?) bugs in the
softdep code, the code was ugly, and it made it difficult to
actually improve the code.

Nick.



Re: OpenBSD 7.5 bsd.upgrade hangs after sysupgrade

2024-04-08 Thread Nick Holland

On 4/7/24 10:42, Страхиња Радић wrote:

Дана 24/04/07 12:46PM, Страхиња Радић написа:
Ok. The alternative would be to find a way to make 7.5 efifb work on my laptop. 
The version of efifb from 7.4 works (that is how I installed 7.4 in the first 
place), unlike 7.5 efifb.


I'd just like to add that efifb might not even be the reason for system
hang. I noticed these lines in the output from 7.5 bsd.upgrade I got when I
entered `verbose` at the UKC prompt and exited UKC:

uhub0: device problem, disabling port 2
uhub0: device problem, disabling port 3
uhub0: device problem, disabling port 5
uhub0: device problem, disabling port 6

on my working 7.4 system, I have

uhub0 at usb0 configuration 1 interface 0 "AMD xHCI root hub" rev \
3.00/1.00 addr 1

and later

urtwn0 at uhub0 port 2 configuration 1 interface 0 "Realtek 802.11n \
NIC" rev 2.00/0.00 addr 2
urtwn0: MAC/BB RTL8188EU, RF 6052 1T1R, address 
uhidev0 at uhub0 port 3 configuration 1 interface 0 "SiGmaMicro USB \
Optical Mouse" rev 1.10/1.10 addr 3
uhidev0: iclass 3/1
ums0 at uhidev0: 3 buttons, Z dir
wsmouse2 at ums0 mux 0
uvideo0 at uhub0 port 5 configuration 1 interface 0 "Sonix Technology \
Co., Ltd. Integrated Camera" rev 2.00/0.28 addr 4
video0 at uvideo0
ugen0 at uhub0 port 6 "Atheros Communications product 0xe300" rev \
2.01/0.01 addr 5

so the devices which have a "problem" are all devices connected to USB ports;
or rather, the USB hub itself?

Are there any regressions in the AMD xHCI hub code?



My 100% guess is that you have a machine that's very dependent upon
ACPI, and the install kernel's ACPI support is very minimal, or
has a funny UEFI system.  Or a funny BIOS.  Some machines work better
as UEFI, some work better running BIOS.  A firmware upgrade may
change that (which could suck).

There are other ways, though...

First, I would verify that the 7.5 kernel boots -- copy it to /bsd75,
for example, then "boot bsd75 -s" (the -s is so it doesn't try to go
multi-user with a mixed new kernel/old userland/packages).  If that
seems happy, just do a "remote upgrade", using the "Manual Upgrade
(without the install kernel)" process in
https://www.openbsd.org/faq/upgrade75.html.

Nick.




Re: 7.5 NO hard drive?

2024-04-08 Thread Nick Holland

On 4/7/24 03:03, lati...@vcn.bc.ca wrote:

Hello

i have 1 DELL Latitude E4300 that had OBSD 7.3 working correctly, but i
decided to do a clean installation of 7.5 deleting everything on it with a
live cd linux; then tested 7.5 and it says NO disk.

After that i tested Linux, NetBSD, FreeBSD all them were installed
without a problem; But, OBSD 7.3  7.4 7.5 said NO disk!

It is something related to OBSD?
What could have happened?
How to install OBSD 7.5

PS:
Thanks for the new version 7.5 i run 2 laptops and 1 server with it!

Thanks



So OpenBSD has been correctly installed, thanks so much to maintain it nice!

The problem was with the BIOS, it needs IHCH or something like that to be
recognized!
But it is working now as a xfce Desktop!




probably AHCI and not the so-called RAID mode that many Dells default to, but
definitely not Dell only "feature".

This is our 25+ year "friend", BIOS assisted software RAID.  The idea is the
BIOS will handle initial tagging and replication of the drive until the OS is
booted, then the OS takes over as it takes over the low-level disk support.
This handles the "boot off any surviving disk" issue, but it creates a huge
potential issue where a drive might end up being duplicated by the BIOS to a
second disk...unintended!  This would be bad.  Not only could you clobber
data on a second drive, but in the modern world of UUIDs for disks, you just
put two disks on the same system with the same "uniq" identifiers, and one
of those disks is very incomplete.  This is also bad.

OpenBSD disabled this "RAID" mode support over ten years ago (from memory),
FreeBSD did around the same time, and a number of Linux distros took their
time, but eventually did the same thing.

Now...this was true on OpenBSD 7.3 as well, so something changed on your
computer, I'm suspicious your CMOS battery has died, and the system came back
up in the defaults, which include this RAID "feature".

Nick.



Re: Bridging firewall with online update/upgrade

2024-04-03 Thread Nick Holland

On 4/3/24 12:19, Karel Lucas wrote:

Hi all,

I am creating a bridging firewall with OpenBSD and the following
hardware:
https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image=1.
OpenBSD is already installed. I want to use ETH1 for the input from my
ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I
would like to use ETH4 for the update/upgrade of the firewall. Remove
the connection from ETH1, plug it into ETH4, and update/upgrade. Then
the connection returns to ETH1. ETH4 therefore receives an IP address
and ETH1,ETH2 and ETH3 not. But now the problem: as long as the network
connection of the ADSL modem is in ETH4, my network, including the
firewall, is no longer secured, and attackers can take advantage. I
therefore wonder whether it is possible to let the data flow via ETH1
and ETH4 first pass through PF before an update/upgrade is done via
ETH4. This means that the bridging firewall will have two entrances, one
without and one with an IP address. I would like to know if that is
possible, or if there is another option.



There are lots of options, but I'm not seeing the point of the bridging
firewall here.  Sounds like you are making things complicated and I'm
suspicious you won't be getting much benefit from it.  I think you would
do much better with NAT.

But...pretending for the moment this is the right solution for you, if
you are already planning on physically moving to the box to do upgrades,
just download the installXX.img file on another machine, drop it on a
thumb drive, walk over to your bridge and reboot from the thumb drive
and upgrade, don't bother fiddling with cables.

I'm also pretty sure you can put an internal IP on one of the ports
other than the bridge, and copy the files and install from there.  That
would have the benefit of remote administration, too.

Nick.



Re: Bash instead of ksh

2024-04-02 Thread Nick Holland

On 4/2/24 15:34, Steve Litt wrote:
...

Does "general shell" mean the interactive shell you use? If so, I think
that's an excellent idea for non-root accounts.


Ok, I'll bite...
Why do you think that's an "excellent idea" -- something you would
encourage people to do?  What is it that you see bash doing so much
better than stock pdksh?

Nick.





Re: Bash instead of ksh

2024-04-01 Thread Nick Holland

On 4/1/24 12:24, Karel Lucas wrote:

Hi all,

Instead of ksh I want to use bash as a general shell. But how can I set
it up that way? Bash is already installed.



Easy to do, as several have explained how.
...BUT...
I'd really suggest not doing that.

If you are writing a script that requires bash, just set your #! line
properly.  (presumably #!/usr/local/bin/bash)

If you really need bash for a user shell at a particular moment, invoke
it at a command line.

The pdksh that comes with OpenBSD by default is very good and supports
most of the "fancy" stuff that bash does, but is stock with the system,
so it has no dependencies, no issues at upgrade, and is quite lean
compared to bash.  I'd suggest that administrative accounts be kept as
close to stock as you can.  Now, if you have a non-administrative user
who only knows Linux...ok, sure, change their default shell.  But as a
system administrator, you will generally find benefit in knowing the
native tools.  During the week for a living, I administer Linux machines,
and use bash.  In evenings and weekends, I work with OpenBSD and pdksh.
I really have no issue switching between the two.

Nick.



Re: UKC> disable "smth"

2024-03-16 Thread Nick Holland

On 3/16/24 08:52, ofthecentury wrote:

I boot with 'boot -c' and then
enter 'disable mei' and then
'quit'.
Pcidump still shows Intel MEI,
just as it does when booting
with default config. I don't
think anything changed.


In this case, correct.
As was already pointed out -- devices exist or don't -- but
that's a hw config that the OS doesn't usually have a lot of
control over.  All the OS can do is connect a driver or not.

config or ukc only disables OS support for something.
pcidump will show you what HW the OS knows exists, and on
modern machines, that's going to be a pretty complete
list.


But UKC doesn't complain
when I disable mei, so I know
it knows 'mei' and disables it.


this assumption is not correct:
ukc> disable nothing  # invalid device -- no response
ukc> disable ep   # valid device -- response!
110 ep* disabled
111 ep* disabled

You can easily verify this with a known good device and
a bogus name (like my 'nothing' above).


But how would I know it
does disable it?

Also, 'boot -c' accumulates what
changes I do. How does one
reset changes to go back to
vanilla kernel?


Again, an incorrect assumption.  boot -c does NOT retain
changes between boots.  UKC> is after the kernel is loaded
but before the kernel is fully running.  While in ukc>,
the kernel doesn't really have an ability to write to
disk, as it hasn't been fully started yet.

IF you want to make changes to disk, use "config -ef" from
the booted system, then write your changes to disk.  Then
you can either use config -ef to re-enable a device, or just
copy over an unmodified kernel.

Be aware that altering the kernel binary will "break" the
Kernel Address Re-Linking (KARL).  There are fixes for this,
HOWEVER, I'm not sure what your goals are here in tweaking
your kernel like this, but I'm guessing breaking KARL isn't
your biggest problem you are about to create for yourself.
This probably isn't something you want to be doing.

Nick.



Re: Saving UKC> list output

2024-03-15 Thread Nick Holland

On 3/15/24 07:56, ofthecentury via misc wrote:

When you want to turn off
a device on OpenBSD you
can do it at boot time with
manual `boot -c` command.
(Can also be automated)
After entering
`boot -c` you get UKC>
configuration prompt.
I type `list` and get a nice
list of all drivers I can
disable with `disable
mei` or disable `lpc`.
But how do I get
that list into a file
so I can review it?
Is there some
way to do it?
Thx!


um...  your formatting is giving me Commodore VIC20(1)
flashbacks...

Anyway:

script
config -e /bsd
...
ukc> list
[hit enter a bunch of times]
CTRL-C (to get out of config)
CTRL-D (to get out of script)

ta-da!  output in 'typescript'.

config does some of what boot -c does from a running system.
script captures screen input and output.
man config
man script

Nick.



Re: many serial ports

2024-02-08 Thread Nick Holland

On 2/8/24 04:00, Jan Stary wrote:

What HW do people use to read data from many serial ports
simultaneously? My use case is reading the output of
https://en.wikipedia.org/wiki/Electropalatography
The device has eight serial port outputs;
I need to read those at the computer side.

Do I just stuff my box with 8 cereals,
or is there something more elegant?
Some multiplexing USB dongle?

Jan



I have used a few modest-price USB to 8 port serial converters,
they seem to "Just Work".

Here's one:
uhub2 at uhub0 port 4 configuration 1 interface 0 "NEC product 0x0050" rev 2.00/1.00 addr 2
uftdi0 at uhub2 port 1 configuration 1 interface 0 "FTDI FT232R USB UART" rev 2.00/6.00 addr 3
ucom0 at uftdi0 portno 1
uftdi1 at uhub2 port 2 configuration 1 interface 0 "FTDI FT232R USB UART" rev 2.00/6.00 addr 4
ucom1 at uftdi1 portno 1
uftdi2 at uhub2 port 3 configuration 1 interface 0 "FTDI FT232R USB UART" rev 2.00/6.00 addr 5
ucom2 at uftdi2 portno 1
uftdi3 at uhub2 port 4 configuration 1 interface 0 "FTDI FT232R USB UART" rev 2.00/6.00 addr 6
ucom3 at uftdi3 portno 1
uftdi4 at uhub2 port 5 configuration 1 interface 0 "FTDI FT232R USB UART" rev 2.00/6.00 addr 7
ucom4 at uftdi4 portno 1
uftdi5 at uhub2 port 6 configuration 1 interface 0 "FTDI FT232R USB UART" rev 2.00/6.00 addr 8
ucom5 at uftdi5 portno 1
uhub3 at uhub2 port 7 configuration 1 interface 0 "NEC hub" rev 2.00/1.00 addr 9
uftdi6 at uhub3 port 1 configuration 1 interface 0 "FTDI FT232R USB UART" rev 2.00/6.00 addr 10
ucom6 at uftdi6 portno 1
uftdi7 at uhub3 port 2 configuration 1 interface 0 "FTDI FT232R USB UART" rev 2.00/6.00 addr 11
ucom7 at uftdi7 portno 1


And here's another one:
uhub3 at uhub0 port 4 configuration 1 interface 0 "NEC hub" rev 2.00/1.00 addr 2
umcs0 at uhub3 port 1 configuration 1 interface 0 "MosChip MCS7840 Serial" rev 2.00/0.01 addr 3
ucom0 at umcs0 portno 0: usb0.4.1.0
ucom1 at umcs0 portno 1: usb0.4.1.0
ucom2 at umcs0 portno 2: usb0.4.1.0
ucom3 at umcs0 portno 3: usb0.4.1.0
umcs1 at uhub3 port 2 configuration 1 interface 0 "MosChip MCS7840 Serial" rev 2.00/0.01 addr 4
ucom4 at umcs1 portno 0: usb0.4.2.0
ucom5 at umcs1 portno 1: usb0.4.2.0
ucom6 at umcs1 portno 2: usb0.4.2.0
ucom7 at umcs1 portno 3: usb0.4.2.0

I'm not going to provide names or product numbers, because I've been
using both for well over six or seven years now, so anything you buy
new will almost certainly be "different".  Both were under $150US at
the time.  Selection was based on "If this doesn't work, am I going to
cry about the wasted money?" process.  Both worked.
You may get better results with a bigger price tag, you may not.

One is basically just a snoot-load of individual FTDI USB to Serial
chips behind a couple USB hubs.  The other is a couple four port USB to
serial chips, also behind a USB hub.
OpenBSD handles both just fine.

I've had occasional issues where the things "break" (can't establish
communications with the serial ports) and to get serial ports running
again requires a physical unplug/plug-in or an OS reboot.  So far, a
reboot has always fixed it for me.  So it shouldn't be on a machine
that requires a maintenance window for reboot, but rather a
more-or-less application dedicated system.  Dunno if all devices do
this, but I've seen some people complain about this on other OSs, too
-- I kinda have the impression the FTDI chips were designed to be
plugged in and unplugged a lot, not left attached and operating for
months at a time, but ... no idea if there is anything to that other
than my speculation (I don't use the MosChip box as much as the FTDI,
so I really can't say if it has the same problem.  And thinking about
it, I don't recall having to reboot the system the FTDI device is
attached to in a while due to port lockup, so maybe it's fixed in the
OS, maybe it has become so automatic to me, I just do it and don't log
it in my brain).

Nick.



Re: questions about RAID5C, RAID6, RAID6C, can Openbsd be a good storage-server OS?

2024-02-04 Thread Nick Holland

On 2/4/24 14:02, beecdadd...@danwin1210.de wrote:

hello

I will make a storage server, and RAID just has to be on it, right?


mybbe... (more later)
 

is RAID6 in work or maybe plans, I would like to know
what about RAID5 + CRYPTO or RAID6 + CRYPTO?
I read these
https://www.reddit.com/r/openbsd/comments/r4bydk/encrypted_raid6_support/
and from it
https://marc.info/?t=15434869341=1=2


best to start with authoritative sources that are up to date.
https://man.openbsd.org/softraid

you will note no reference to RAID6 in there.  Nor one-layer
softraid 5C, like there is 1C.

Is it "in the works"?  how would that matter?  If it is there, you
can use it.  If it isn't...you can't.  If it is "in the works", it
still isn't there.  So...I'd suggest just assuming it isn't there,
and if it is added (or you add it), upgrade at your next HW refresh.
 

encryption is a must, I won't have it unencrypted
what about RAID controller like RAID6 and software RAIDC combination?
it would be cool to have redundancy like RAID6 and secure data with CRYPTO..
RAID1C is too expensive


"RAID1C is too expensive" -- define expensive?
You can get a Really Big SATA disk for the price of a good HW RAID controller,
and a good HW RAID controller generally requires a big, power hungry chassis.
Oh...and if you are going to run HW RAID, you MUST have spare HW on-hand
because you can't just take the drives off RAID controller X and put them on
the RAID controller you just managed to find two years later when you need
it and hope it will work.  And of course, that implies a second chassis,
because these things tend to work together.


does anyone run multi-TB storage servers with OpenBSD? what raid do you run,
what about hardware raid? I fear/dislike hardware raid but I never tried it
I want to live without OpenZFS/FreeBSD, but not without encryption and redundancy


HW RAID works, but you better understand your controller.  Most people get
their system running, pat themselves on the back, and are 100% hosed when
they need to replace a drive and have no idea how.  HW raid is usually a
little easier to figure out how to get running without reading the
instructions, but much harder to figure out when things go wonky.

(granted, SW raid, you have to figure out how to detect and swap out a
failed drive, but my SW RAID is more similar to yours than my HW RAID is
to yours, and thus, I can probably help you out more.  x the number of
people on misc@ :)
 

I don't have to be able to boot from it (can be other disk which also maybe in
RAID1C), but would be nice

I know OpenBSD is not meant to be run as big fancy storage server with maybe
complicated reliability like RAID6 + CRYPTO, but what you expect? everyone
loves OpenBSD and wants to use it for everything, not FreeBSD


Realistically, for home use, I suspect OpenBSD will be more-than-sufficient
for most people.  You just don't need the World's Fastest for most
applications.  Case in point: I was whining to myself about the removal of
softdeps from OpenBSD recently...it is a HUGE performance hit for a few of
the systems I manage.  But you know what I discovered?  Worst case, even
though one backup went from two hours to eight or more hours, it doesn't
change what I accomplish in a day.  Wickedly fast is fun.  But the real
performance problem is usually me.  It would work fine for many business
uses, too.


thank you I am sorry if I ask too much, I don't demand, just nice request


OpenBSD Softraid RAID6 isn't a thing (yet?).
OpenBSD Softraid RAID5C isn't a thing (yet?).

Layered RAID isn't officially supported, but it works.  Layering crypto on
top of a HW RAID works in every sense.  Softraid doesn't even know it is on
HW RAID and doesn't care (though bioctl can be used to monitor both).
Expecting the system to come up on its own with manually layered softraid
is not wise.

If you want to layer your RAID, you will probably want to have your boot
partitions/drives be RAID1C (or just RAID1), then the data stored on a
big softraid "drive".  I would suggest NOT putting the layered RAID volumes
in /etc/fstab, but rather have some kind of manual script that you run post
boot to bring up the big data storage drives.  This way, when the power goes
out and you need an fsck on your array, you don't have to go to the box to
do it, you can do it remotely.

RAID1 wins a lot of awards for just plain simplicity, and thus, some
versatility.  So I'd suggest reconsidering your "need" for RAID5, and see
if you can get by with RAID1C on a big pair of drives.

And as for my "mybbe" on automatically assuming you need RAID on a
storage server, you MIGHT just find that multiple stand-alone systems will
give you better redundancy for some applications.  RAID helps if your
disk fails, but there are a lot of other things that fail on storage servers,
and for SOME applications, having a whole other machine ready to roll is
a better solution.  Granted, my FIRST choice is TWO machines running RAID
storage, but that's 

Re: Adaptec 8405 SGL drivers these days?

2024-01-26 Thread Nick Holland

On 1/26/24 00:37, Kevin wrote:

Hey gang,

Looking at a server whose only option for storage comes via an Adaptec 8405 SGL.

Given the battles between OpenBSD and Adaptec for documentation that
pre-date the Hoover administration, I'm curious if this card is
supported.


Let's be clear: it isn't about documentation of how the card works, it is
about documentation of how the cards are BROKEN.  Lots of HW has bugs
that have to be worked around in software...but those bugs have to be
documented in order to have a useful product and driver.


It's a 4-port SATA RAID on a beefy server with gobs of RAM and storage
and is an offensively reasonable price.


Do you like your data?  If so, you need to find a different solution.
If not, save yourself some time and just delete your data now.

Adaptec RAID cards are crap.  The company was crap.

Note: this story is on a Linux based system.
https://nickh.org/warstories/adaptec.html
(no ads!)

Nick



Re: GENERIC.MP#1600 last snapshot cvs cant create tmp subdir

2024-01-17 Thread Nick Holland

On 1/17/24 12:07, Todd C. Miller wrote:

On Wed, 17 Jan 2024 11:11:36 -0500, "Sven F." wrote:


well i tried anoncvs.spacehopper.org  after the fail and then
anoncvs.comstyle.com
( default one is in the trace, is "anon...@obsdacvs.cs.toronto.edu:/cvs" )


I can confirm the problem with obsdacvs.cs.toronto.edu but other
servers are fine.  So it does appear to be a problem on
obsdacvs.cs.toronto.edu itself.

  - todd



Yes.  the cvs checkout tmp directory was filled on obsdacvs.cs.toronto.edu.
That has been fixed.  My apology for the issue.

Nick.



Re: Communication between hosts on different network interfaces

2024-01-06 Thread Nick Holland

On 1/6/24 15:09, Ibsen S Ripsbusker wrote:

Dear colleagues,



I have various network appliances that I don't really trust, like
a printer. I have these plugged into an unmanaged switch and
connected to network interface igc2.

I want to allow the igc1 network to make web requests to the igc2
network, and I want the igc2 network to have very restricted access
outside of igc2.


what does a printer need internet access for?
nevermind.  Don't answer that.  It's the 21st century.  Many people
think their bloomin' thermostats should have Internet access...(I'm
really close to replacing my non-internet connected digital
programmable thermostat with a 100% mechanical.  Because...they
don't suck)
 

(My main computer is connected to network interface igc1.
And the egress interface is igc0.)

MY QUESTION: What would be a normal way of achieving this?


let's abstract this a bit...
(in large part because a sequence of letters and numbers confuses
me quickly.)

So you have a trusted network, an untrusted network, and of course,
the Internet, which we will just call "The Evil".

While you can do it with a bridge, I don't want to think that
hard.  And it would be a lot of work.

[snip bridge stuff]


I also tried setting different subnets.


yeah. that's the way I'd go.

trusted:

   /etc/hostname.igc1:
   inet 192.168.2.1/24
 
untrusted:

   /etc/hostname.igc2:
   inet 192.168.3.1/24

With this everything works as I want except that
the only way I figured out to allow hosts on 192.168.2.1/24
to access 192.168.3.1/24 was with NAT, and that can't be right.


yeah, the problem is, it sounds like your barrier machine is not
your primary gateway/firewall.  So when your trusted machine in
192.168.2/24 talks to an address in 192.168.3/24, it talks to your
primary gateway, and your gateway says, "whoa, dude.  wazzat?"

I'd fix this by making your main firewall the barrier machine.
This would require a three or more port firewall.

Pass in from trusted to anywhere.
block in quick on untrusted to trusted
Pass from untrusted to anywhere (but trusted is already blocked)


Failing that, with a separate barrier machine, you will need to
add a static route for the 192.168.3/24 subnet to point to the
"trusted" address of your barrier machine. That way, when your
trusted network machines try to access the untrusted network, they
know to route through your barrier machine.  Every single trusted
machine that wants to access something in that subnet will need
that extra route added.  Clumsy at best (probably doable with the
DHCP server.  I just glanced, looks kinda ugly).


I guess if there is only one untrusted device, you could just use
an inbound NAT tunnel for whatever ports need to access that
device, then just use the barrier's IP address to access the
device.  But I don't normally think in quantities of one, and
this doesn't scale well.  But if there's only one device, or several
devices, but they can all be hit on different ports, that's an
option.


Another way to do it is with two NATting firewalls:

Evil <--[NAT-FW] <- untrusted network [NAT-FW] <- trusted network.
(internet) (192.168.3/24) (192.168.2/24)

traffic flows unimpeded in the direction of the arrows, and is
blocked going backwards.  Your trusted machines can hit untrusted
machines or the internet, untrusted machines can hit the Internet,
but they can't dig through to your trusted network.  Yeah, the down
side is that the trusted network has to jump through two routers,
so the untrusted network potentially has better access than the
trusted network, and that's just not fair.  But ... it's easy.


I've done the opposite, what I call "portable DMZ"s, where untrusted
machines need access to the Internet but shouldn't be allowed to
touch the trusted machines, but unlike your situation, the untrusted
machines don't need to be accessed by the trusted.  Small machine,
two NICs.  One NIC is DHCP to the trusted network, NAT and DHCP server
on the untrusted side, maybe a logging DNS server.  Block all from
the untrusted to the trusted subnet, pass everything else (internet).
These don't need those inbound static routes.

Nick.
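
The three-rule policy for a single three-port firewall, written out as an added example that is not from the thread. The interface roles follow the original question (igc0 egress, igc1 trusted, igc2 untrusted); the function names, the default-deny line and the NAT line are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: build the trusted/untrusted policy as a pf ruleset and
# syntax-check it before it goes anywhere near /etc/pf.conf.
# Usage: sh mkrules.sh igc0 igc1 igc2   (egress, trusted, untrusted)

# pf will load rules that name an interface which is not present, so a
# typo in an interface name is not caught by the parser.  Check first.
iface_exists() {
    ifconfig "$1" >/dev/null 2>&1
}

# render_pf_rules EXT_IF TRUSTED_IF UNTRUSTED_IF  -> ruleset on stdout
render_pf_rules() {
    for i in "$1" "$2" "$3"; do
        iface_exists "$i" || { echo "no such interface: $i" >&2; return 1; }
    done
    printf 'ext_if = "%s"\ntrusted_if = "%s"\nuntrusted_if = "%s"\n' \
        "$1" "$2" "$3"
    cat <<'EOF'

set skip on lo
block return log        # default: nothing passes unless allowed below

# NAT both inside networks out to the Internet
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)

# 1. trusted -> anywhere, including the untrusted segment
pass in on $trusted_if inet from $trusted_if:network

# 2. untrusted -> trusted: never.  "quick" ends evaluation here, so the
#    pass rule below cannot override it.  Replies to connections opened
#    from the trusted side still flow because they match existing state.
block in quick on $untrusted_if inet to $trusted_if:network

# 3. untrusted -> anywhere else.  This includes the firewall's own
#    untrusted-side address; tighten it if sshd or other services
#    listen there.
pass in on $untrusted_if inet from $untrusted_if:network

pass out
EOF
}

# check_pf_rules FILE: parse only (-n); nothing is loaded into the kernel
check_pf_rules() {
    pfctl -n -f "$1"
}

if [ $# -eq 3 ]; then
    tmp=$(mktemp) || exit 1
    render_pf_rules "$@" >"$tmp" && check_pf_rules "$tmp" &&
        echo "ruleset parses: $tmp"
fi
```

With this in place no static routes are needed on the trusted hosts, since their default gateway is the machine that owns both subnets.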



Re: man.openbsd.org, cvsweb.openbsd.org maintenance

2024-01-03 Thread Nick Holland

man.openbsd.org,
cvsweb.openbsd.org,
openbsd.cs.toronto.edu
obsdacvs.cs.toronto.edu

are all back up and running.  Snapshots and packages should be
up to date, now, too.

My apologies for the inconvenience.

Nick.

On 12/19/23 15:38, Nick Holland wrote:

Hello,

man.openbsd.org, cvsweb.openbsd.org, openbsd.cs.toronto.edu
and obsdacvs.cs.toronto.edu will be unavailable for site
maintenance starting Thursday, December 21 about 6:00am ET
(UTC-5) and hopefully be back up and running by Saturday,
December 23, 6:00am ET.

Sorry for any inconvenience.

Nick.





Re: man.openbsd.org timing out via HTTP & HTTPS

2023-12-30 Thread Nick Holland

On 12/29/23 17:55, Eric Pruitt wrote:

On Fri, Dec 29, 2023 at 02:46:39PM -0600, Tim Chase wrote:

Not much to add to the subject.  For a couple days now, I've tried
connecting via HTTP & HTTPS from various points around the internet
and they all time out.  Sounds like something hung or accidentally
lost power and needs a nudge.


Known issue:

- https://marc.info/?l=openbsd-misc&m=170301839017559&w=2
- https://marc.info/?l=openbsd-misc&m=170345453930038&w=2

Eric


yep...

With some luck, I'm hoping man.openbsd.org and cvsweb.openbsd.org
will be back on line Tuesday or Wednesday next week (Jan 2-3).

In the meantime, as Eric pointed out,
https://cvsweb.egoslike.us/
https://man.egoslike.us/

are available as temporary fill-ins.

Nick.



Re: self-hosted man.openbsd.org script?

2023-12-24 Thread Nick Holland

On 12/24/23 08:25, Paul Pace wrote:

I have this vague memory of reading someone who posted a script, IIRC,
to convert the system's man pages to HTML, or similar, into somewhere
under /var/www and the pages worked just like the highly useful
man.openbsd.org, and not like the plain text pages that everyone always
posts to their websites.

Does someone happen to know where that is?


/usr/src/usr.bin/mandoc is where the source for man.cgi resides.
Frequent small updates take place, I believe it would be good to use
the -current source code if you wish to play with it.  It has very
simple dependencies, so should be no issue running -current man.cgi
code compiled on a -stable.

... however ...

being that UofT might be down for a few days, I have lit up a
VPS with cvsweb and man content on them.

https://cvsweb.egoslike.us/
https://man.egoslike.us/

And look, my backups and notes don't suck. :)

These are not official, but they are run by one of the people who
run the official sites.  They will go away once the official site
is back up and running.

Nick.



On 12/23/23 11:16 AM, Nick Holland wrote:

On 12/19/23 15:38, Nick Holland wrote:

Hello,

man.openbsd.org, cvsweb.openbsd.org, openbsd.cs.toronto.edu
and obsdacvs.cs.toronto.edu will be unavailable for site
maintenance starting Thursday, December 21 about 6:00am ET
(UTC-5) and hopefully be back up and running by Saturday,
December 23, 6:00am ET.

Sorry for any inconvenience.

Nick.



Unfortunately, it seems there's a problem impacting our servers,
and everyone is celebrating the holiday.

So ... return of man.openbsd.org, cvsweb.openbsd.org and
the install and anoncvs mirrors will be delayed.

Nick.






Re: man.openbsd.org, cvsweb.openbsd.org maintenance

2023-12-23 Thread Nick Holland

On 12/19/23 15:38, Nick Holland wrote:

Hello,

man.openbsd.org, cvsweb.openbsd.org, openbsd.cs.toronto.edu
and obsdacvs.cs.toronto.edu will be unavailable for site
maintenance starting Thursday, December 21 about 6:00am ET
(UTC-5) and hopefully be back up and running by Saturday,
December 23, 6:00am ET.

Sorry for any inconvenience.

Nick.



Unfortunately, it seems there's a problem impacting our servers,
and everyone is celebrating the holiday.

So ... return of man.openbsd.org, cvsweb.openbsd.org and
the install and anoncvs mirrors will be delayed.

Nick.



Re: Post (snap) update emails: fsck errors and (in)security output

2023-12-20 Thread Nick Holland

On 12/20/23 06:02, Why 42? The lists account. wrote:

...

Hi All,

A couple of questions ...

I have "ROOTBACKUP=1" in /etc/daily.local to replicate my root partition
as described in the FAQ (https://www.openbsd.org/faq/faq14.html#altroot)

I noticed after an update to a new snapshot via sysupgrade that the next
daily output email contains many many fsck "UNREF FILE" errors (See the
output included below). Is this expected, or is there some problem? Most
or all of the files seem to be owned by me (robb) so I'm thinking that
these errors may be related to files in /tmp ... Not sure why this occurs
though?


the ROOTBACKUP process is making an image of a live file system; fsck
grumblings ARE expected.  It's just one of those things you aren't supposed
to do (but I do it regularly, because normally, you can get away with it).

Why the files it is grumbling about are owned by you ... that is a puzzle.
Is your /tmp on a separate partition?  If so, it shouldn't be being backed
up by the ROOTBACKUP process.  Same for "home" or any other file system you
have write access to.

I also see this:

Backing up root=/dev/rsd1a to /dev/rsd0a:

is sd1a actually your root, and sd0a actually your altroot?


Second question: Also after an upgrade, the "daily insecurity output"
contains a huge amount of setuid changes e.g.
...
-r-xr-sr-x 1 root auth       21144   Nov 30 15:36:52 2023 /usr/bin/skeyinit
-r-xr-sr-x 1 root auth       21144   Dec 19 08:35:26 2023 /usr/bin/skeyinit
-r-xr-sr-x 1 root _sshagnt   440496  Nov 30 15:36:53 2023 /usr/bin/ssh-agent
-r-xr-sr-x 1 root _sshagnt   443856  Dec 19 08:35:26 2023 /usr/bin/ssh-agent
-r-sr-xr-x 1 root bin        19608   Nov 30 15:36:53 2023 /usr/bin/su
-r-sr-xr-x 1 root bin        19608   Dec 19 08:35:27 2023 /usr/bin/su
-r-xr-sr-x 1 root tty        17936   Nov 30 15:36:54 2023 /usr/bin/wall
-r-xr-sr-x 1 root tty        17936   Dec 19 08:35:28 2023 /usr/bin/wall
-r-xr-sr-x 1 root tty        14184   Nov 30 15:36:55 2023 /usr/bin/write
-r-xr-sr-x 1 root tty        14184   Dec 19 08:35:28 2023 /usr/bin/write
-r-xr-sr-x 4 root _token     21248   Nov 30 15:36:44 2023 /usr/libexec/auth/login_activ
-r-xr-sr-x 4 root _token     21248   Dec 19 08:35:18 2023 /usr/libexec/auth/login_activ
...

What actually changed then?


The files.


Surely many or all of these files had the same permission bits before the
upgrade?
Maybe these files now have different inode numbers, after the upgrade?
Why is each filename reported twice? Are these "old" and "new" values?


This isn't complaining about the EXISTENCE of setuid programs, it is advising
that setuid programs CHANGED from their last recorded version.
After all, if I manage to drop a new setuid program on your system, perhaps
naming it "ping" or "su", that would be bad, you might want to know about it.
Sure, dropping a setuid program that wasn't setuid before could be bad, but
replacing an existing one would be more sneaky.

You upgraded your machine, so you replaced a lot of setuid programs.  And
yes, it shows date stamp and size of the old file and the new file.
Seeing something bump up or down a few bytes and matching the same date and
time stamp of other binaries after an upgrade is expected.  Seeing that "su"
went from 20k to 70k might warrant investigation.

(and yes, I have seen events where a major upgrade caused a lot of noise in
a "something changed" file...which unfortunately hid something we needed to
know about ALSO happened, and was dismissed as "part of the upgrade noise".
This wasn't OpenBSD nor was it a "security event", but it did delay the
detection and repair of a redundancy failure issue because one line was
missed in a sea of thousands of lines of "yeah, that's expected" noise.)

Nick.



Thanks in advance for any feedback!

Cheers,
Robb.


Subject: mjoelnir daily output
...
OpenBSD 7.4-current (GENERIC.MP) #1535: Tue Dec 19 00:55:53 MST 2023
 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

  1:30AM  up  7:20, 7 users, load averages: 0.62, 0.44, 0.40

Backing up root=/dev/rsd1a to /dev/rsd0a:
131071+0 records in
131071+0 records out
1073733632 bytes transferred in 10.509 secs (102169077 bytes/sec)
** /dev/rsd0a
** Last Mounted on /
** Phase 1 - Check Blocks and Sizes
INCORRECT BLOCK COUNT I=26656 (64 should be 32)
CORRECT? yes

INCORRECT BLOCK COUNT I=26688 (4128 should be 0)
CORRECT? yes

** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
UNREF FILE I=26064  OWNER=robb MODE=100600
SIZE=4 MTIME=Dec 20 01:30 2023
CLEAR? yes

UNREF FILE I=26069  OWNER=robb MODE=10640
SIZE=0 MTIME=Dec 19 19:02 2023
CLEAR? yes

UNREF FILE I=26070  OWNER=robb MODE=10640
SIZE=0 MTIME=Dec 20 01:02 2023
CLEAR? yes

UNREF FILE I=26073  OWNER=robb MODE=100600
SIZE=28672 MTIME=Dec 20 01:30 2023
CLEAR? yes
...
** Phase 5 - Check Cyl groups
FREE BLK COUNT(S) WRONG IN SUPERBLK
SALVAGE? yes

SUMMARY INFORMATION BAD
SALVAGE? yes

BLK(S) MISSING IN BIT MAPS
SALVAGE? yes

6103 
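The triage Nick describes in the reply above (old and new entry per file, small size bumps with a shared timestamp are upgrade noise, a large jump or an odd timestamp is not) can be applied mechanically so one real change is not lost among the expected ones. This is an added example, not part of the thread or of OpenBSD's security(8); the thresholds, function names and the example-* paths are assumptions, and it assumes the recorded version is listed before the current one, as in the excerpt.

```python
import re
from datetime import datetime, timedelta

# Constructed sample. The first ten lines are the old/new pairs quoted in the
# thread above (columns re-spaced); the /usr/local/bin/example-* entries are
# hypothetical additions so that there is something to flag.
SAMPLE = """\
-r-xr-sr-x 1 root auth     21144  Nov 30 15:36:52 2023 /usr/bin/skeyinit
-r-xr-sr-x 1 root auth     21144  Dec 19 08:35:26 2023 /usr/bin/skeyinit
-r-xr-sr-x 1 root _sshagnt 440496 Nov 30 15:36:53 2023 /usr/bin/ssh-agent
-r-xr-sr-x 1 root _sshagnt 443856 Dec 19 08:35:26 2023 /usr/bin/ssh-agent
-r-sr-xr-x 1 root bin      19608  Nov 30 15:36:53 2023 /usr/bin/su
-r-sr-xr-x 1 root bin      19608  Dec 19 08:35:27 2023 /usr/bin/su
-r-xr-sr-x 1 root tty      17936  Nov 30 15:36:54 2023 /usr/bin/wall
-r-xr-sr-x 1 root tty      17936  Dec 19 08:35:28 2023 /usr/bin/wall
-r-xr-sr-x 1 root tty      14184  Nov 30 15:36:55 2023 /usr/bin/write
-r-xr-sr-x 1 root tty      14184  Dec 19 08:35:28 2023 /usr/bin/write
-r-sr-xr-x 1 root bin      20480  Nov 30 15:36:53 2023 /usr/local/bin/example-tool
-r-sr-xr-x 1 root bin      71680  Dec 19 23:41:07 2023 /usr/local/bin/example-tool
-r-sr-xr-x 1 root wheel    18432  Dec 19 23:41:09 2023 /usr/local/bin/example-new
"""

ENTRY = re.compile(
    r"^(?P<mode>[-bcdlps][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+"
    r"(?P<path>/\S+)$"
)


def parse(report):
    """Return one dict per listing line; headers, '...' and blanks are skipped."""
    entries = []
    for raw in report.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["mtime"] = datetime.strptime(" ".join(e["mtime"].split()),
                                       "%b %d %H:%M:%S %Y")
        entries.append(e)
    return entries


def triage(report, size_ratio=0.25, window=timedelta(minutes=30)):
    """Map path -> reasons for every entry that is not plain upgrade noise."""
    by_path = {}
    for e in parse(report):
        by_path.setdefault(e["path"], []).append(e)

    # The upgrade wrote most new files within seconds of each other; the
    # median of the new timestamps stands in for "when the upgrade ran".
    new_times = sorted(v[1]["mtime"] for v in by_path.values() if len(v) == 2)
    upgrade_time = new_times[len(new_times) // 2] if new_times else None

    findings = {}
    for path, versions in by_path.items():
        reasons = []
        if len(versions) != 2:
            reasons.append("listed %d time(s): file added or removed, "
                           "not replaced" % len(versions))
        else:
            old, new = versions
            if (old["mode"], old["owner"], old["group"]) != \
                    (new["mode"], new["owner"], new["group"]):
                reasons.append("mode or ownership changed")
            if abs(new["size"] - old["size"]) / max(old["size"], 1) > size_ratio:
                reasons.append("size %d -> %d" % (old["size"], new["size"]))
            if abs(new["mtime"] - upgrade_time) > window:
                reasons.append("new timestamp %s is not with the other "
                               "replaced binaries" % new["mtime"])
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(path)
        for r in reasons:
            print("   ", r)
```

Run against the sample, the five pairs from the thread produce no findings and only the two constructed paths are reported.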

man.openbsd.org, cvsweb.openbsd.org maintenance

2023-12-19 Thread Nick Holland

Hello,

man.openbsd.org, cvsweb.openbsd.org, openbsd.cs.toronto.edu
and obsdacvs.cs.toronto.edu will be unavailable for site
maintenance starting Thursday, December 21 about 6:00am ET
(UTC-5) and hopefully be back up and running by Saturday,
December 23, 6:00am ET.

Sorry for any inconvenience.

Nick.



Re: a couple question about my fde setup

2023-11-20 Thread Nick Holland

On 11/19/23 18:09, Shadrock Uhuru wrote:

hi all
a couple question about my fde
first, i have fde setup using a keydisk on my laptop, encryption and
decryption works fine
when i reboot with the key inserted it doesn't find the key,
i have to shut the machine down and restart it then the key is detected,
is this normally how a reboot works with fde and keydisk ?

second when i boot the laptop it tries to boot from the wrong disk,
it tries to boot off hd0 whereby at the boot prompt i then have to type
boot sd0a:/bsd which then proceeds to a normal boot,
do i just run
/usr/mdec/installboot -v /boot /usr/mdec/biosboot sd0
to fix this ?


You have provided a whole lot of no-information here.  dmesg, disk
layout and boot mode would be nice starting points.  "hd0"?  What is
that in your machine?

Both issues sound like a firmware issue.  Boot device is usually
controllable in BIOS/firmware setup -- once the OpenBSD boot loader
is running, it is too late to determine what you boot from.  USB
storage not being found under some boot conditions and being seen
on others, sounds like a firmware bug.  Almost certainly, in fact,
as OpenBSD itself isn't loaded and running, it's just the boot
code talking to the firmware or BIOS.

Many modern-ish computers support both UEFI and BIOS booting.  They
often have different bugs in different modes.  I have a couple machines
here that were sold running embedded Linux with a warning "must use
BIOS mode" in the firmware for their original application...but OpenBSD
only can see storage in EFI mode.

Also look for firmware updates to your system.  I'd suggest starting
with reloading in the opposite boot mode first, because if a new BIOS
introduces new bugs, it is sometimes difficult to revert.  And yes,
you will have to reinstall to switch boot modes (technically, no, but
if you have to ask, yes).

Nick.



Re: Three more orphan packages

2023-11-16 Thread Nick Holland

On 11/16/23 18:12, Daniele B. wrote:


Just found out that in my system persist the following stuff:

in /etc/passwd:
user _nagios


I don't really think you want users deleted when you uninstall a
package.  Things may be invisibly (to the package manager)
connected to that user.


in /var:
/nagios/
/nagios/rw/nagios.cmd  0 kb
/nagios/objects.cache   27.0 kb
/nagios/retention.dat   35.9kb

If I try to delete /var/nagios this is recreated probably at system
boot.

There is no cron job nor rc service present apparently for Nagios

Never, EVER say, "there is no ..." until you find the actual cause.
It just never goes well, and I say that as someone who has foolishly
made the claim, and as the person who laughed their *** off when it
became clear the claimer was failing to fix the problem because they
believed their own boast.
 

Any explanation for this happening and any help to clean away all
properly?


Obviously something is creating it.  The OpenBSD Startup process is
very straight forward, it really shouldn't be too hard to find.  A
"grep -R" of a few appropriate strings in the /etc directory would
probably find the culprit pretty easily.  You could also read and
understand rc(8) and find what is going on by following the startup
process.

Nick.



Re: Upgrading from 7.3 to 7.4 with sysupgrade

2023-11-16 Thread Nick Holland

On 11/16/23 20:25, Odd Martin Baanrud wrote:

Hello,

I’m planning to upgrade my router from 7.3 to 7.4 using sysupgrade, but I’ve 
one concern.
Some time ago, I upgraded a RPi4 from 7.2 to 7.3, and X got installed, even 
though it wasn’t before the upgrade.
I thought sysupgrade only upgraded the installed sets.


Nope.  Never did.  It always assumes a full, all file-set install.


How does it work on 7.3?


Same as it has in the past.  Full upgrade.


On my router, I have base, comp and man installed, and I don’t want the X sets 
on that machine.


if you don't want X or any other file set, just do a manual upgrade
from the console.  It's that simple.  No one mandates the use of
sysupgrade, sysupgrade is just a very special case (though highly
useful) subset of potential ways to do an install.

But, whatever your reason for wanting to keep some files off your
computer, it is probably flawed.  So I'd really suggest, just don't
worry about it, just do an upgrade, let it install everything, and
be done with it.  But if you don't like the way sysupgrade does
things, don't use that tool.

Nick.



Re: Slow relink in 7.4

2023-10-17 Thread Nick Holland

On 10/17/23 05:07, David Higgs wrote:

I have an underpowered amd64 VPS and attempted to (auto)upgrade it to 7.4.
Everything went swimmingly until it attempted to relink the kernel, at
which point it (seemingly) hung.

With previous releases, I would expect the host to become unresponsive for
a few minutes, and eventually recover. I chalked the issue up to
insufficient RAM and hitting swap - however, my upgrade has been in this
state for more than 6 hours.

I plan to consult the manual upgrade guide to hopefully figure out a way to
successfully finish the install, and then disable relinking while I find a
solution.

Does anyone have tips for this situation, aside from throwing more hardware
at it?

Thanks!

—david


I had some issues with a VPS for a while -- absolutely horrific disk
performance.  Upgrades that used to take ten minutes (and yes, THAT was
really bad) started taking well over an hour (I gave up, stopped it, and
did it manually by unpacking tar files, copying kernel, etc., so I have no
idea what the actual time was going to be if I had let it complete).  I
contacted tech support at the VPS, and they came back with, "oh yeah, you
are on some really old hardware.  Please set up a new instance and migrate
to that, that should solve your problem", but since the machine was doing
its usual job just fine (low volume mail and webserver), I was slow to
actually do this.  Finally, they sent me notice they were decommissioning
the old hw I was on, and I HAD to move by x/x/, and thus, I did, and
things are much better.  And it turned out, cheaper.

However, I did find it interesting that my poor disk performance was even
worse when doing the upgrade.

Moral: might be worth talking to your VPS provider.  You might be on old
hw, too.

A number of releases ago, but after KARL and library relinks1, I found
that on i386, 384MB was required to prevent swapping during the kernel and
library relink at boot.  I'm assuming it is "worse" now, and worse yet on
amd64.

Nick.



Re: OpenBSD 7.4

2023-10-15 Thread Nick Holland

On 10/12/23 13:54, Karel Lucas wrote:

Is it already known when openBSD 7.4 will be released? I would like to
know that, because of a project I am working on.


The answer to your question is already out there, but I offer this
procedural tip:

IF you wish to follow releases, start your project on the PREVIOUS release.
When you think your project is complete, but before going into actual
production, do an upgrade to the active release.

Why?  Because the hardest part of most long-term projects seems to be
keeping things up-to-date.  You shouldn't be putting things into
production and hoping that the upgrade process will be figured out "later",
and maximize you get to put off that "problem".  The upgrade process has
to be core to the design and implementation, and should be tested before
going into production.

This isn't an OpenBSD specific tip, either.  In fact, this is easier on
OpenBSD than most Linuxes, because routine upgrades are part of the OpenBSD
mindset, unlike many linux distros, where upgrades are to be put off as
long as possible via "Long Term Support" distributions.  After watching the
fiascos at every company I've ever seen "Long Term Support" Linux releases
used in, I've become absolutely convinced LTS is just a BAD IDEA and I'm
thankful OpenBSD doesn't do that.

Nick.



Re: sftp activity logging?

2023-09-28 Thread Nick Holland

On 8/31/23 17:29, myml...@gmx.com wrote:

Hi All,

I am setting an openbsd 7.3 stable system to serve files via ssh's sftp
subsystem.

Does openssh have a native way to audit what files were
downloaded/uploaded with user/timestamp information?

If not, are there any recommendations?

Thanks in advance.



Try this, perhaps?

man sftp-server,
 options of interest may include -f, -l.

You will probably have to have a /dev/log inside the chroot, which
also means the "nodev" option is not your friend.

Nick.
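Once sftp-server logging is switched on with the -l option mentioned above, the per-file lines carry a PID but not the user name, so answering "who transferred what, and when" means joining them to the session lines. The following is an added example, not part of the thread or of OpenSSH; the log lines are constructed in the shape sftp-server writes at INFO level (check them against your own syslog output), and the host names, users and paths are made up.

```python
import re

# Constructed sample: two overlapping sessions, so the file lines of one
# user are interleaved with the session lines of the other.
SAMPLE_LOG = """\
Sep 28 10:15:01 files sftp-server[4121]: session opened for local user alice from [192.0.2.10]
Sep 28 10:15:03 files sftp-server[4121]: open "/pub/report.pdf" flags READ mode 0666
Sep 28 10:15:04 files sftp-server[4121]: close "/pub/report.pdf" bytes read 48213 written 0
Sep 28 10:15:05 files sftp-server[5230]: session opened for local user bob from [198.51.100.7]
Sep 28 10:15:09 files sftp-server[5230]: open "/incoming/db.tar" flags WRITE,CREATE,TRUNCATE mode 0644
Sep 28 10:15:12 files sftp-server[4121]: session closed for local user alice from [192.0.2.10]
Sep 28 10:15:30 files sftp-server[5230]: close "/incoming/db.tar" bytes read 0 written 1048576
Sep 28 10:15:31 files sftp-server[5230]: session closed for local user bob from [198.51.100.7]
"""

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
OPENED = re.compile(r"^session opened for local user (\S+) from \[([^\]]+)\]$")
CLOSED = re.compile(r"^session closed for local user ")
# Also accepts the "forced close" variant written when a session ends with
# a file still open. The greedy (.*) keeps paths that contain quotes intact.
FILE_CLOSE = re.compile(r'^(?:forced )?close "(.*)" bytes read (\d+) written (\d+)$')


def direction(bytes_read, bytes_written):
    """Classify a closed file handle from the server's point of view."""
    if bytes_read and bytes_written:
        return "read+write"
    if bytes_written:
        return "upload"
    if bytes_read:
        return "download"
    return "no data"


def audit(log_text):
    """Return one record per closed file: when, who, from where, what, how much."""
    sessions = {}  # pid -> (user, client address)
    records = []
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue
        pid, msg = line["pid"], line["msg"]

        opened = OPENED.match(msg)
        if opened:
            sessions[pid] = opened.groups()
            continue
        if CLOSED.match(msg):
            sessions.pop(pid, None)  # PIDs get reused; forget the mapping
            continue

        closed = FILE_CLOSE.match(msg)
        if closed:
            path = closed.group(1)
            rd, wr = int(closed.group(2)), int(closed.group(3))
            # A close with no known session means the log starts mid-session
            # (rotation); report it rather than guessing the user.
            user, addr = sessions.get(pid, ("unknown", "unknown"))
            records.append({
                "time": line["ts"], "user": user, "client": addr,
                "path": path, "direction": direction(rd, wr),
                "bytes": max(rd, wr),
            })
    return records


if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        print("{time}  {user}@{client}  {direction:8}  {bytes:>8}  {path}".format(**r))
```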



Re: I nuked my filesystem

2023-09-26 Thread Nick Holland

On 9/26/23 21:42, sprits killshot wrote:

I did the thing.
dd'd a 5gb img to my ssd instead of my usb and I want to die.

dd if=file.iso of=/dev/sd1c

I am using a CRYPTO RAID partition and luckily I'm smart enough not to
nuke that.

My ssd is 2TB so I believe it uses FFS2 by default.  I'm hopelessly
running scan_ffs on it in case it was silently updated or the man is
wrong or there's a God.


ok...so the first 5G of sd1 is gone.  So most likely, all file systems
that have any bit of them in that first 5g are not practically
recoverable.  (here's the sad bit -- if you were trying to steal info
like credit card numbers or personal ID numbers, there's probably lots
still accessible, but for your uses, just consider all partitions that
start in the first 5G gone.)

BUT ... everything after that has potential.

Put in pictures ...
* If you have one big 2TB partition, stop reading now, you can start
crying, and wish you had a good backup system in place.
==> sd1a: 2000GB # Practically speaking, gone.  Too much clobbered.

* If you have multiple partitions and some of them start after 5GB,
you might be in luck.  Let's say you have three partitions:

(start of disk)
==> sd1a: 4GB    # Totally gone.
==> sd1d: 500GB  # Practically gone.  Too much clobbered.
==> sd1e: 1496GB # untouched.
(note: the letter orders don't matter, it's the starting
offsets that matter to you.  If you put the 1.5TB sd1e at the front
of the disk, and sd1a and sd1d after it, sd1a and sd1d are untouched,
but sd1e is not (practically) recoverable.)

To recover sd1e, you need to recreate a disklabel that matches what
was there before...exactly.  To the sector.

Now..I see you clobbered sd1c, not sd0c.  With a bit of luck,
perhaps sd0 (or at least, not sd1!) is where your /var partition is,
and with a little more luck, you have left your machine on over
night enough times to let /etc/daily run and save your butt.

[edit: just realized sd1 is probably your softraid encrypted
drive, so you probably lost your /var.  But maybe you have a copy
somewhere]

Take a look in /var/backups/ for disklabel.sd1*.  IF they exist,
they are backups of exactly the disklabel that was on that disk
when they were made.  Hopefully, that is recent enough for you.

Drop a new MBR (or EFI) on sd1 with fdisk, then import that
disklabel (disklabel -e sd1, clear it,
 ":r /var/backups/disklabel.sd1.current", write it, quit), and
you should be in business -- your un-nuked partitions will
become immediately available (but sd1a and sd1d will not be
"formatted" for you at this point).

Note: I haven't done exactly this, but I think it will work,
based on doing enough things with OpenBSD disk layout that I
think I know what you can get away with.  Practicing on a
spare system would be advisable.


Now...what if that /var/backups directory doesn't contain a
disklabel backup?  Well, you MIGHT still be in business.
OpenBSD disk layout stuff is very predictable.  IF you know
how your disk was originally laid out and you repeat that
process, you will end up in the same place again.

For example, if you know that you created a 4GB partition,
a 500GB partition, and then the rest of the disk as a third
partition, AND you know the disk was created using an MBR
layout, you can probably:
   fdisk -iy sd0
   disklabel -E sd0
   > create 1G partition
   > create 500G partition
   > create "rest of disk" partition

And...most likely, that 1G partition would be where it was
before, the 500G would be where it was, and (ta-da) your
"rest of disk" partition would be exactly where it was.


Exception: a number of years ago, OpenBSD changed the
default starting offset from 63 sectors to 64 sectors to better
handle 4k block drives.  You will need exactly the correct
offset.  Assuming your disks were set up at the same time,
your sd0 would be a good guide there.

I just reread your note and realize that you might be saying
that sd1 is an encrypted disk.  In which case, all the
above applies, BUT you probably can't see your /var partition,
so you might be out of luck.  But if you know how it was
created (and your daily output e-mails might be of use there),
you might get lucky recreating the disklabel.  You might want
to start by imaging the remains of the disk to another drive
before going any further so you can try again if you guess
wrong.

But yeah. You need a good backup.
here's mine: https://holland-consulting.net/scripts/ibs/
ksh shell script + rsync + another computer and big disk.

Nick.
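The "it's the starting offsets that matter" picture in the reply above can be worked out directly from a saved disklabel such as the /var/backups copy Nick mentions. This is an added example, not part of the thread; the label below is a constructed sample matching the three-partition illustration (4GB, 500GB, rest of a 2TB disk), and it assumes the "5gb" image was 5 GiB written from sector 0.

```python
import re

# Constructed sample in the layout disklabel(8) prints: sizes and offsets
# are in sectors, and 'c' is the whole-disk partition.
SAMPLE_LABEL = """\
# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: constructed sample
bytes/sector: 512
total sectors: 3907029168
boundstart: 64
boundend: 3907029168

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:          8388608               64  4.2BSD   2048 16384 12960
  c:       3907029168                0  unused
  d:       1048576000          8388672  4.2BSD   4096 32768 26062
  e:       2850064496       1056964672  4.2BSD   8192 65536 52270
"""

PARTITION = re.compile(r"^[ \t]*([a-p]):[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\S+)", re.M)


def parse_label(text):
    """Return (sector size in bytes, {letter: size/offset/fstype})."""
    m = re.search(r"^bytes/sector:[ \t]*(\d+)", text, re.M)
    sector = int(m.group(1)) if m else 512
    parts = {}
    for letter, size, offset, fstype in PARTITION.findall(text):
        parts[letter] = {"size": int(size), "offset": int(offset),
                         "fstype": fstype}
    return sector, parts


def classify(label_text, overwritten_bytes):
    """Say what a write of overwritten_bytes from sector 0 did to each partition.

    'overwritten'        the whole partition lies inside the written area
    'start overwritten'  the superblock area is gone; treat as lost
    'untouched'          starts past the written area; recoverable once a
                         label with exactly this offset and size is restored
    """
    sector, parts = parse_label(label_text)
    hit = -(-overwritten_bytes // sector)  # sectors 0 .. hit-1 were written
    result = {}
    for letter, p in sorted(parts.items(), key=lambda kv: kv[1]["offset"]):
        if letter == "c" or p["size"] == 0:
            continue  # whole-disk entry and empty slots are not file systems
        start, end = p["offset"], p["offset"] + p["size"]
        if start >= hit:
            result[letter] = "untouched"
        elif end <= hit:
            result[letter] = "overwritten"
        else:
            result[letter] = "start overwritten"
    return result


if __name__ == "__main__":
    for letter, status in classify(SAMPLE_LABEL, 5 * 1024**3).items():
        print("sd1%s: %s" % (letter, status))
```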



httpd stopping

2023-09-23 Thread Nick Holland

Hello,
Twice in the last couple weeks, I've had httpd fall over on me.
Only clue I've got is this in /var/log/messages:

MASTER $ grep httpd daemon
Sep 23 05:24:06 node2 httpd[69989]: logger exiting, pid 69989
Sep 23 05:24:06 node2 httpd[80972]: parent terminating, pid 80972
Sep 23 05:24:06 node2 httpd[46871]: server exiting, pid 46871
Sep 23 05:24:06 node2 httpd[34953]: server exiting, pid 34953

first time was after seven days of uptime, this time after
six days. (dmesg below)

I've not seen httpd fall over like this before...where can
I look to provide better info on this problem?

(I've got a pair of machines here.  I've flipped over to
the other after revving it up to -current (yesterday's
snapshot, but machine that failed twice is still at the
snapshot that failed for now).

Nick.

OpenBSD 7.3-current (GENERIC.MP) #1360: Fri Sep  8 19:01:03 MDT 2023
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Re: man.openbsd.org is down?

2023-09-23 Thread Nick Holland

On 9/23/23 13:42, S V wrote:

Any info on man.openbsd.org state? It is down for me and web checkers.


It is back up now.
Seems my monitor's alert to text me is handled as spam by my cellular
service now.  Sorry for the downtime!

Nick.



Re: desire for journaled filesystem

2023-09-06 Thread Nick Holland

On 9/6/23 08:23, John Holland wrote:

Janne-

Thanks for all that useful information.

others- this is a thinkpad, that's not on all the time, so a cron backup
is not that good. I actually back up manually, currently using "borg"
for that. I mostly just do email and web on it so there's probably
nothing serious lost. In a few days I will have the external disk with
the backup back here and I may see what I can find on it. My /home
partition has a lot of data on it because I built an AWS Openbsd machine
image on it. But it would be good to see whether my system is working
correctly.


Cats are fuzzy
Fire is hot
Journaling file systems are complicated
Backups are important.

That's four mostly unrelated topics.  I'd argue there is more
connection between cats and journaled file systems then there is
between journaled filesystems and backups, in that both cats and
fancy file systems can be adorably cute and cause lots of data
loss (and the backups are how you recover from bad file systems
and cat mischief).

Put bluntly, I turn my OpenBSD machines off by yanking power
from them often, and I've been doing that for well over 20 years
(since OpenBSD v2.5).  Sometimes accidentally (bad laptop battery,
power outage, tripping over a power cord), sometimes out of lazy
indifference and not feeling like logging in and doing it right.
Yeah, I get lots of scary looking messages about my data being
turned to hash, but you know how often I've had actual data loss
because of that?  Only when I didn't save my work (which does
happen too often).

The ONLY time I remember I had an "event" that caused actual file
system corruption that wasn't easily fixed with a routine fsck
was when a SCSI controller literally fell out of the computer
while the computer was on. Yeah, ended up reformatting that one.
Pretty sure your journaled file systems would have been in
pretty much the same place, and ZFS would have shit itself on
an unrelated computer across the room in sympathy.  (oh, there
was that incident with the nail gun going through the hard disk,
but I'm pretty sure no FS was gonna save that one).

You know how often your beloved "journaling file system" would
have saved my data?  I can't think of one time.  I'm sure someone
somewhere will swear it saved their data, but that's hard to
prove.  I'm just lacking experience losing data on FFS that
could have been saved by a "better" FS.  Twenty+ years of power
outages, broken hardware, testing software, tripping over power
cords and being lazy with hundreds of machines, and can't say I
ever said, "Gee, I wish I had a journaled file system, that
really would have saved me right there".

You know how often those piece of shit Linux File System of the
Month have bit me in various ways?  A lot.  Just spent the last
week dealing with a problem that turned out to be 100% CAUSED
by BTRFS.  A problem that just wouldn't have been a thing if it
was running FFS.  It was literally "features" taking down a
customer facing system, over and over.

You are trying to "fix" a non-problem by making things more
complicated.  Not gonna work they way you expect.

Nick.



Re: volatility or something like that in the future ?

2023-08-19 Thread Nick Holland

On 8/19/23 06:05, whistlez wrote:
...
I honestly don't understand this hatred. 

...

Dude, for a self-proclaimed sensitive person, you are really
very offensive, and begging to have your tender little ass
handed (verbally) to you on a platter.

You are spending a lot of time telling very skilled people that
you are both ignorant on this topic AND how to do their jobs.

You know what is offensive around here?
* Telling developers how they should spend their efforts.
* Being offended when someone suggests YOU demonstrate work.
* Taking pride in your ignorance on how to do something but
  assuming you have the right to tell others to utilize their
  skill.
* Suggesting that because Linux does something, OpenBSD should
  do it without understanding how WRONG so much of Linux is (at
  least in an OpenBSD mindset).

Linux has become Windows Reinvented Badly.  You seem to think
OpenBSD should become Linux Reinvented Badly.  That's offensive.

Nick.




Re: Stuck in X start and crash loop

2023-08-17 Thread Nick Holland

On 8/17/23 12:10, l...@ena.re wrote:

Hey,

I am new to OpenBSD. I run 7.3-stable.

My understanding after reading X(7), Xsecurity(7) and xenodm(1) is that
one can set the environment variable XAUTHORITY to specify the location
of the file, which by default, is located at $HOME/.Xauthority.

In $HOME/.profile I set XAUTHORITY=$HOME/.config/X/Xauthority and moved
.Xauthority to $HOME/.config/X/Xauthority.

However, now, when I boot and X is started, I see the cursor in the
middle of the screen for a moment and then X seems to crash and start
again. I am stuck in this loop.

Why do I not witness the behaviour I expected? Should I have set the
environment variable in $HOME/.xsession?


if you want my opinion of what you should do, i'd argue you should leave
it alone.


More importantly, how do I exit this loop and revert the changes?


What isn't clear is when you get the loop.  Are you logging in in text
mode then starting X as you, and getting this loop?  or is X starting
on boot, and you are getting that loop?  If X is starting on boot and
looping, I think you have another problem, because a file in your
home directory isn't being referenced until you log in.


But, to answer your question about how to fix it...depending on what
is going on, I'd start with CTRL-ALT-F1 to get to the command line,
log in, undo.

You might be able to hit CTRL-ALT-BackSpace to shut down X, but if
you are running xenocara, that will just take you back to the login
prompt.  But NOW you might be able to CTRL-ALT-F1 back to the CLI.

WORST CASE, reboot the machine, and boot in single user mode.
# mount -a
# export TERM=vt220
...fix it

Nick.



Re: Mouse not working via KVM switch

2023-08-17 Thread Nick Holland

On 8/14/23 13:37, Karel Lucas wrote:

HI all,
On a recent install of openBSD I can't get the mouse to work through my
KVM switch. I work with various computers via a KVM switch on 1 monitor
with a keyboard/mouse combination. Only on the PC with openBSD the mouse
does not work, the keyboard on the other hand works fine. Both are
connected to the KVM switch via USB, and the switch via USB to the
computers. The brand of the mouse is Logitech. Does anyone know why the
mouse doesn't work, but the keyboard does?
 
Good thing Logitech only makes one kind of mouse. HA! HAHAHaHahahaha!!!

I am so funny.  Really, though -- you thought mentioning just the brand
name of one of the more diverse makers of mice over 40+ years is all we
needed to know?

KVM switches are like a lot of other things -- tested with Windows, MAYBE
Linux.  And there are widely differing qualities and designs, some probably
weren't tested at all.

I can assure you, OpenBSD has no intrinsic issue with KVM switches.  I
regularly use a dual HDMI monitor 4-way KVM switch on OpenBSD and
Windows machines, works great in spite of being shockingly cheap (until
it seems two of the USB input ports died...but fortunately, it had two
extras, and I wouldn't be surprised if a complete powerdown fixed it).
That one replaced an even cheaper single monitor switch which was almost
useful, but had a lot of issues (including keyboard/mouse just dying
from time to time).

First of all, does your mouse work directly plugged into the OpenBSD
computer?  If so, it's your KVM switch.  Replace it.  If not, it is
your mouse.  Replace it.

Second...if you boot the OpenBSD machine with the KVM pointed at the
OpenBSD machine, does it work?  If so, your KVM switch is cranky.  You
might be able to improve how OpenBSD deals with KVM switched mice,
because yes, it does seem to be a little more touchy than some other
OSs, but someone with good programming and HW trouble shooting
skills AND a cheap-*** POS KVM switch would have to care.  Most people
that skilled generally just buy a better KVM switch and move on.

What does the dmesg show as you switch the KVM around?  That would tell
us how the KVM works.  Some are equiv. of plugging and unplugging the
mouse/keyboard/monitor, some do some kind of "keep alive" so the
computer thinks the mouse is still there.  Both can cause problems of
different types (my "good" one seems to plug/unplug the mouse/keyboard,
but has a great keep-alive for the monitor).

Nick.



Re: nsd listening on localhost is zone transfer possible transfer ?

2023-08-04 Thread Nick Holland

On 8/4/23 13:23, Shadrock Uhuru wrote:

hi everyone
i have unbound setup on port 53
and nsd listening on localhost port 53530
i have set up another dns server as a secondary
am i correct to assume that i can't zone transfer because
as the nsd's are listening on localhost
the primary can't reach the secondary ?

i have these errors on the primary
error: xfrd: zone 1.10.10.in-addr.arpa: max notify send count reached, 10.10.1.5 unreachable
error: xfrd: zone forwardzone: max notify send count reached, 10.10.1.5 unreachable

shadrock



yes, they have to have some way to talk.
Lots of ways around this, including alternate ports,
redirection in PF, etc.

For example...you could redirect from ONE IP address (your
"other" server) to NSD, the rest goes to unbound.  Or have
unbound listen on another port that is filtered to only
listen to your other server.


But my recommended way: don't do zone transfers.  Manage your
DNS in another way.

I consider the whole zone transfer thing a bad idea.

What's the reason for having multiple DNS servers?  Redundancy.
What do you get when one of your "redundant" systems controls
the other?  A: A system that isn't very redundant.  If that
controlling system goes down, you have issues.

LONG TIME AGO...in a job far, far away, I set up a pair of
DNS servers, and a little script.  I (or my teammates) could
make changes to either DNS server, test them, then run the script.
The script would:
1) run a diff between the zone file on THIS system and the OTHER system.
2) Put that diff into a file, named with the date and time.
3) Put me in vi to edit that file, so I could put a comment in it
explaining what the change was for.  This gives me a chance to verify
the change is JUST what I want, and make sure there weren't other
changes made that didn't get replicated.
4) IFF I saved that file with changes, it would:
  a) copy and install the file to the "other" system
  b) save the diff file to a history directory on BOTH systems
5) Compare the replication script to make sure I didn't update one
and forget to update the other.

Now you have two DNS servers that hold the same data when you want
them to, can be managed separately for testing, and brought back
into sync.  Either machine can run indefinitely without the other,
either machine can be used as a source for rebuilding the other.

You also have near zero-effort "change control".  Same concept works
for PF and other redundant systems.

Today, lots of people will recommend a central management system,
and that's not all bad, but I have found often with DNS, you want
to be able to test a change on one machine before breaking
everything...and then waiting for the next refresh cycle to fix it.

Nick.
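
One way to implement the diff, comment and replicate procedure from the message above, as an added example (not the original script from the post). Two local directory trees stand in for the two DNS servers; the zones/, history/ and bin/dnssync.sh layout, the function names, the exit codes and the sample records are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the post.  Two directory trees stand in
# for the two DNS servers; each holds zones/, history/ and bin/dnssync.sh
# (hypothetical layout).  For real hosts, make peer_fetch/peer_push use scp.

peer_fetch() { cp "$1" "$2"; }                          # peer file -> local copy
peer_push()  { cp "$1" "$2.tmp" && mv "$2.tmp" "$2"; }  # install via rename

# make_demo DIR: build two constructed server trees; "a" carries an edit
# that "b" has not seen yet.
make_demo() {
    for s in a b; do
        mkdir -p "$1/$s/zones" "$1/$s/history" "$1/$s/bin" || return 1
        echo '# dnssync v1' > "$1/$s/bin/dnssync.sh"
        printf 'www  IN A 192.0.2.10\n' > "$1/$s/zones/example.test"
    done
    printf 'mail IN A 192.0.2.25\n' >> "$1/a/zones/example.test"
}

# sync_zone THIS_ROOT PEER_ROOT ZONE
# exit status: 0 replicated, 1 error, 2 already identical,
#              3 diff saved without a comment (nothing pushed),
#              4 replicated, but bin/dnssync.sh differs between the servers
sync_zone() (
    this=$1; peer=$2; zone=$3
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    rec="$work/$zone.$(date +%Y%m%d-%H%M%S).diff"

    # Snapshot our zone so the file pushed is exactly the file reviewed.
    cp "$this/zones/$zone" "$work/local.zone" || exit 1
    peer_fetch "$peer/zones/$zone" "$work/peer.zone" || exit 1

    # 1) + 2) diff OTHER against THIS into a file named with date and time
    rc=0
    diff -u "$work/peer.zone" "$work/local.zone" > "$rec" || rc=$?
    case $rc in
        0) exit 2 ;;    # nothing to replicate
        1) ;;           # differences found, carry on
        *) exit 1 ;;    # diff itself failed
    esac

    # 3) operator reviews the diff and writes down what the change is for
    cp "$rec" "$work/unedited" || exit 1
    ${EDITOR:-vi} "$rec" || exit 1

    # 4) only a diff that was saved with changes is acted on
    if cmp -s "$rec" "$work/unedited"; then
        exit 3
    fi
    peer_push "$work/local.zone" "$peer/zones/$zone" || exit 1
    # (reload the name server on the peer here)
    cp "$rec" "$this/history/" || exit 1
    peer_push "$rec" "$peer/history/${rec##*/}" || exit 1

    # 5) the replication script must be the same on both servers
    cmp -s "$this/bin/dnssync.sh" "$peer/bin/dnssync.sh" || exit 4
    exit 0
)

if [ "$#" -eq 3 ]; then
    sync_zone "$@"
fi
```
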



Re: Installing openBSD

2023-08-04 Thread Nick Holland

On 8/3/23 16:48, Karel Lucas wrote:


Hi,

My openBSD installation was successful! I first removed all partitions
except for the EFI partition, which I left. Second I created one openBSD
partition(type A6) on the freed space, after which I partitioned that
partition with auto layout. Then I continued with the regular
installation, and after reboot I got the login prompt. So in hindsight
it was wise to leave the EFI partition. Perhaps others can benefit from
this experience.


So you leapt from "This didn't break the shit out of my computer" to
"everyone should do it this way".  Creative.  But wrong.

NO.  If you don't have reason to retain the EFI partition (i.e.,
multibooting), just pick whole disk GPT and quit wasting time.

If you don't know what is in your EFI partition, you SHOULD overwrite
it so you know you have a clean and trustable system.

OpenBSD is designed to be able to install on wiped disks, new disks,
or co-exist with other systems.  You seem to think that if you go
out and buy a new hard disk at the store, you couldn't possibly
install OpenBSD on it because there's no existing EFI partition.
A lot of people can assure you this is incorrect.

Nick.




On 01-08-2023 at 07:04, patric conant wrote:
Hitting enter in the installer to use the whole disk will take care of
you. As pointed out repeatedly, there are no requirements from pfsense
to install or maintain openbsd. In the same way that pfsense didn't
need anything from OpenBSD to install, OpenBSD can create all the
necessary partitions for successful EFI experience, and doesn't need
anything from pfsense.


On Sun, Jul 30, 2023 at 12:41 PM Karel Lucas  wrote:


Hi all,

I'm going to install openBSD on a small PC that currently has PfSense on
it. This PC boots this OS via (U)EFI, and therefore has an EFI partition
on the existing SSD. The current partition table looks like, as shown by
openBSD fdisk:

  0: efiboot0
  1: gptboot0
  2: swap0
  3: zfs0.

Should I keep the (U)EFI partition? And if so, how do I mount the future
openBSD root partition to this (U)EFI installation? Are there any other
things I should watch out for? I look forward to receiving responses
from this community. Sincerely, Karel.



--
Patric Conant
Mirage Computing Lead Consultant
@MirageComputing on twitter
https://m.facebook.com/MirageComputing/
316 409 2424




Re: Installing openBSD

2023-07-31 Thread Nick Holland

On 7/30/23 13:30, Karel Lucas wrote:


Hi all,

I'm going to install openBSD on a small PC that currently has PfSense on
it. This PC boots this OS via (U)EFI, and therefore has an EFI partition
on the existing SSD. The current partition table looks like, as shown by
openBSD fdisk:

   0: efiboot0
   1: gptboot0
   2: swap0
   3: zfs0.

Should I keep the (U)EFI partition? And if so, how do I mount the future
openBSD root partition to this (U)EFI installation? Are there any other
things I should watch out for? I look forward to receiving responses
from this community. Sincerely, Karel.



The OpenBSD installer is designed to be able to install to a totally blank
hard disk, so there is no need to retain any of the current partitions.

IF you are trying to do simple wipe and load, just choose the "entire disk
GPT" option and everything will happen as you wish, most likely.

If you think your hardware is special, you might want to test on another
disk, at least temporarily.

IF you want to multiboot, just don't until you can answer questions like
this yourself.  Multibooting is very complicated, and requires a mastery
of the boot process of ALL the OSs installed.  People often consider it
a way to "learn" a new OS, I disagree, it is a good way to get massively
frustrated and lose a lot of data.

Nick.



Re: How to customize disk partition in UEFI?

2023-07-23 Thread Nick Holland

On 7/22/23 15:44, ykla wrote:

For OpenBSD installation, I choose custom disk in partition. And I set the
first partition is MSDOS and mountpoint is /boot/efi and the second
partition is /, the last partition is swap. And I continue install openbsd,
but at least it warning me that boot install failed, the system will not
boot.

And set none mountpoint is also be errors.

Last I Automated partition first and delete all partition except i that is
MSDOS partition. Then everything is fine.

So how to customize disk partition in UEFI except Auto creates EFI
partition?

ykla


I think you are confusing the fdisk and disklabel parts of the install,
and you aren't providing enough details about what you are trying to do.

During the fdisk stage, you don't worry about root and swap.  During
the disklabel stage, you don't worry about the efi stuff.

So ... let's assume you are doing an OpenBSD-only UEFI install.
In the installer, pick "Whole Disk GPT" or something similar to set up
the UEFI partition and the OpenBSD partition.  Done.

IF you are trying to multi-boot and adjust your fdisk partitions, I'd
suggest starting with the OS that is most picky and/or gives you the
least control over the install -- probably Linux or Windows.  Then boot
the OpenBSD installer, and work an OpenBSD partition into available
space, and do the install as normal.

Now customize the disklabel partitions as you wish.  You went out
of your way to mention swap and root, and nothing else.  I'm taking
this as meaning you are intending to do things wrong by making a root-
only system.  Please stop and reconsider your life choices here, this
one is probably not one of your better ones.

Nick.



Re: Concise passage in OpenBSD documentation about motivation

2023-07-18 Thread Nick Holland

On 7/18/23 13:26, Ibsen S Ripsbusker wrote:

Dear colleagues,

About 20 years ago I read in some OpenBSD documentation, likely the
installation instructions, that we want people to copy our OpenBSD even
if to use it even in proprietary products, because the alternative is
that incompetent people write their own software instead of copying and
then the users suffer. I found this particular passage to be very well
written. Does someone know where I might find this wonderful passage?

With great honor,

Ibsen



Dang, that sounds familiar.  I think I found it:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/www/faq/faq1.html?rev=1.147=text/html#ReallyFree

I definitely say something similar regularly, but it looks like the
original text here was from Theo, himself.  I've been similarly
inspired and found the example memorable. :)

Nick.



Re: Intel DRM error on T 440

2023-07-08 Thread Nick Holland

On 7/6/23 01:46, Jonathan Drews wrote:

uname:  OpenBSD 7.3 GENERIC.MP#1125 amd64

  I get the following error message when my Thinkpad T440 wakes up:

drm:pid73944:intel_dp_aux_wait_done *ERROR* [drm] *ERROR* AUX A/DDI
A/PHY A: did not complete or timeout within 10ms (status 0xa01300e1)

I have Googled that error message and no fixes turn up.

In other respects, my OpenBSD T440 works just great. My rc.conf.local
contains this:
apmd_flags=-A
pf=YES
pkg_scripts=messagebus cupsd mysqld
xenodm_flags=

Any suggestions as to what I may have misconfigured would be helpful.
I have loaded the firmware using fw_update. This error did not occur
in OpenBSD 7.2.


I believe what you are seeing is an informative message about what is
going on under the covers, not a problem you (as a user) need to
deal with if everything is working as it should be.  However, if things
are NOT working as they should, messages like this are potentially
helpful to developers to track down the problem.

Hardware is often imperfect, and often doesn't behave as documented,
and has to be "fixed" (or more accurately, worked around) in software.
I think that's all you are seeing here -- notification that something
was worked around (or at least, didn't behave as expected) -- if
there are no other symptoms.

Nick.



Re: encrypted_hdd_data_recovery(OpenBSD_7.3)

2023-07-01 Thread Nick Holland

On 6/30/23 08:30, soko.tica wrote:

Thanks Nick,

How do I exactly try to unlock the disk with bioctl command?

I do not have the appropriate disk to try to rebuild it.

I am trying it from openbsd 6.9 bootable usb. The encrypted hdd was 7.3.


don't do that.
I'm not aware of any incompatibilities between 7.3 and 6.9, but I'm not
going to look, it just isn't a good idea.  Bring your 6.9 box up to 7.3,
then do it.


But ... after you upgrade your recovery machine to 7.3, let's assume
your drive you are after is sd2, and the encrypted drive is partition d
(note there are two assumptions there, hopefully my example is wrong,
and you have to understand what I'm suggesting here before blindly
doing it!) :

  #  bioctl -c C -l /dev/sd2d softraid0

at that point, it will prompt you for your passphrase, and if you enter
that correctly and the disk is intact, it will create a new "drive",
which will have its own disklabel, and you can mount those partitions.

Nick.



Please.

Thanks in advance


On Sat, Jun 17, 2023 at 4:33 PM Nick Holland wrote:


On 6/17/23 08:40, soko.tica wrote:
> Hello list,
>
> I have managed to screw by
> #fsck_ffs /dev/sd1a
>
> the root partition of my unmounted HDD (OpenBSD 7.3 stable, possibly not
> fully updated). It crashed during boot due to the power outage, then it was
> unable to boot and required fsck_ffs, and I answered 'F' to the 'Fyn'
> prompt.
>
> Here is the present status of it (it is sd0 in this sequence).
> ===
> Script started on Sat Jun 17 12:26:43 2023
> think# disklabel sd0
>
> # /dev/rsd0c:
> type: SCSI
> disk: SCSI disk
> label: HGST HTS725050A7
> duid: 35e70751b7e36f98
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 60801
> total sectors: 976773168
> boundstart: 64
> boundend: 976768065
> drivedata: 0
>
> 16 partitions:
> #                size           offset  fstype [fsize bsize   cpg]
>   a:        976768001               64    RAID
>   c:        976773168                0  unused
> think# ^D
>
>
> Script done on Sat Jun 17 12:26:54 2023
> ===

this is as I'd expect.  but you aren't showing what happens
when you try to unlock it.  I understand you have a problem,
but you haven't told us what it is.


I was corrected off-list here.  You told us the problem, the
problem is "no backup"



If you have a problem when unlocking the disk with the bioctl
command, you probably aren't going to get your data back.

If you can get the drive unlocked and available as another
logical drive, you will probably have to fsck each partition
within it.  Hopefully any horrible problems here would be
contained to individual partitions, and you can pull data off
the rest.
...

> Naturally, there is data there, and naturally, I have no backup of it. Of
> course I do know the passphrase, it is my hdd.

this is what we call a learning experience.

> If there is any chance to recover it, please let me know.

chance, maybe.  But almost by design, encrypted storage is more
fragile than unencrypted storage.

Nick.






Re: Which hardware for a firewall?

2023-06-20 Thread Nick Holland

On 6/20/23 13:13, Karel Lucas wrote:


Hi all,

I'm going to create a firewall with openBSD, and would like to use the
ARM64 or ARMv7 distribution for that. Unfortunately I don't know what
hardware I can get for this, and that's the reason for this mail. Can
someone point me to a suitable platform for this? If this email does not
belong on this mailing list, I offer my apology. This is my first post
on this mailing list, and ask for understanding. Sincerely, Karel.



Fortunately, since there's only one speed connection, a set number of
devices doing a fixed number of things in each location, we will have no
problem advising you on the best choice for your application...

oh, wait... :)

Well, here's the HW compatibility for those platforms:
https://www.openbsd.org/arm64.html
https://www.openbsd.org/armv7.html

You will have to decide what fits your needs.

Honestly, though, I'd suggest just recycling an old PC and a surplus
network card (or multi-port card, depending on how people toss stuff
out around you).  If you want "the best choice", this is probably it.

Nick.



Re: Wrong SHA256 sums for latest snapshot

2023-06-20 Thread Nick Holland

On 6/19/23 14:38, Benjamin Stürz wrote:

Hi misc@,

I have issues installing the latest snapshot from cdn.openbsd.org.


Snapshots change frequently.  They take time to distribute around
the world.  Content Delivery Networks pull from lots of different
sources and cache various things at various times.

Kinda easy to see how things like this not only happen, but are
kinda expected.

For snapshots, you might want to pick a favorite local mirror and
use that.  I doubt you will see a huge difference in performance
for an install or upgrade.

Nick.



Re: encrypted_hdd_data_recovery(OpenBSD_7.3)

2023-06-17 Thread Nick Holland

On 6/17/23 08:40, soko.tica wrote:

Hello list,

I have managed to screw by
#fsck_ffs /dev/sd1a

the root partition of my unmounted HDD (OpenBSD 7.3 stable, possibly not
fully updated). It crashed during boot due to the power outage, then it was
unable to boot and required fsck_ffs, and I answered 'F' to the 'Fyn'
prompt.

Here is the present status of it (it is sd0 in this sequence).
===
Script started on Sat Jun 17 12:26:43 2023
think# disklabel sd0

# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: HGST HTS725050A7
duid: 35e70751b7e36f98
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 60801
total sectors: 976773168
boundstart: 64
boundend: 976768065
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:        976768001               64    RAID
  c:        976773168                0  unused
think# ^D


Script done on Sat Jun 17 12:26:54 2023
===


this is as I'd expect.  but you aren't showing what happens
when you try to unlock it.  I understand you have a problem,
but you haven't told us what it is.

If you have a problem when unlocking the disk with the bioctl
command, you probably aren't going to get your data back.

If you can get the drive unlocked and available as another
logical drive, you will probably have to fsck each partition
within it.  Hopefully any horrible problems here would be
contained to individual partitions, and you can pull data off
the rest.
...


Naturally, there is data there, and naturally, I have no backup of it. Of
course I do know the passphrase, it is my hdd.


this is what we call a learning experience.


If there is any chance to recover it, please let me know.


chance, maybe.  But almost by design, encrypted storage is more
fragile than unencrypted storage.

Nick.



Re: media on full screen in current

2023-06-13 Thread Nick Holland

On 6/12/23 07:54, Pau A.S. wrote:

Hi,

...

This has led to a FS corruption which I do not know how to fix, only in one
partition. Upon boot, the system runs fsck on them but the output is that
they are clean with some level of fragmentation.

In any case, /usr/local is corrupted. Is there a way to repair it? I
naively hoped that an upgrade would do it, but it does not.


I'd like to see how you determined that /usr/local is corrupted.
You have given a diagnosis, not the data.  Your diagnosis may be
incorrect.

But in general:
umount /usr/local (1)
fsck /usr/local
(look at output.  Give up hitting "Y" a lot, hit "F")
(MAKE SURE YOU TELL IT TO MARK FILE SYSTEM AS CLEAN!)
mount /usr/local

IF for some reason that doesn't work, worst case, copy everything off
to some other place, umount, newfs that partition, remount, restore.
But I'd like to see the actual output of this activity.

Nick.

(1) this may require bringing the system up in single user mode.
/usr/local probably can be done without single user mode but many
other mounts will require it.




softdep / softraid RAID1 issue?

2023-06-04 Thread Nick Holland

Hiya.

tl;dr version: multiple machines with softraid RAID1 & softdep have
file systems freeze when doing lots of I/O, possibly involving
adding and removing links from the same files at the same time.
Workaround found.

Need help finding better diagnostic information.


long version:
I have a couple systems which have had an issue for a long time
where suddenly, disk activity would just ... stop.  No message on
console, no panic.  Usually, I can still log in, but if I touch
the affected file systems, my SSH session (or console login) freezes.
Always happens during some intense disk activity (more on that in a
moment). When it happens, I can not reboot the system without a hard
reset or power cycle (and these systems have multi-TB file systems on
them, so doing this is painful).  umount on the impacted file systems
hangs.

I'm not really sure if I lose all file systems or just some.  Most of
the file systems are very "static".  Some things seem to work for a
while, but it could well be just cached data.

I tried swapping computers, replacing disks, and even doing weekly
reboots, all to seemingly no impact.  Problem has occurred for well
over a year, maybe longer.  Upgraded frequently to most recent
snapshot, no change seen (I often use hangs as an opportunity to
upgrade).

Recently, however, I think I caught it in mid-failure.  Disk activity
was still going on, but it was very slow.  'top' showed "WAIT" on
softdep (or something similar).  The jobs that should have been long
done was still running according to the logs (new files being added
to the list of files backed up), but very very slowly.  And then it
came to a hard stop, as before.  This may have been an unusual event,
or I might just have happened to look in right place to see something
was still happening.

These machines are used for rsync --link-dest backup.  The short
version of the algorithm is something like this:

 =-
PREVIOUS=(find previous backup)
TODAY=(today's date)
OLDEST=(find oldest backup in the set)
REMOTE=(machine we are backing up)

# remove oldest backup
rm -r $OLDEST &

mkdir $TODAY

# make new backup
rsync --link-dest $PREVIOUS $REMOTE $TODAY
 =-

This backup process basically makes a hard link for files that haven't
changed, and copies over files that did change.  After first backup,
all future backups are incrementals, both in time and additional disk
usage.

A bunch of these will typically be running at the same time, maybe five
to ten of them (adjusting this number didn't seem to have any effect).
When it fails, usually a few succeed, and the rest just never complete.

Here's where it gets weird -- removing the '&' after the rm -r $OLDEST
line seems to have FIXED THE PROBLEM.  No problems in 18 days, which is
a pretty good record.

SPECULATION:
the rm and rsync processes running at the same time can potentially be
putting both new links and removing old links from the same file at the
same time (well...multi-tasking definition of "same time").  Maybe
something is having a problem with this.

I have another machine running the same backup process, which has not
had a problem.  It has been running happily for 123 days now (yeah, I
kinda forgot about it).  It is a little laptop, so only one hard disk,
but I am using a softraid encrypted disk.  So yes, also using softraid,
but only one media to read/write to.  So maybe associated with either
RAID1 or multiple disk I/Os.

So, my problem is worked around, but I suspect there's still a bug
there.

I am happy to put the '&' back and gather more information next time
it happens...if someone tells me what info to gather.

Nick.


Machine that has had problems, but fixed by no longer backgrounding
the rm -r $OLDEST backup:

OpenBSD 7.3-current (GENERIC.MP) #1175: Wed May  3 08:19:33 MDT 2023
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 5872685056 (5600MB)
avail mem = 5675061248 (5412MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb240 (42 entries)
bios0: vendor AMI version "7.16" date 01/18/2012
bios0: Hewlett-Packard p6-2108p
acpi0 at bios0: ACPI 4.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC MCFG SLIC HPET SSDT SSDT DBGP
acpi0: wakeup devices SBAZ(S4) P0PC(S4) UHC1(S3) UHC2(S3) USB3(S3) UHC4(S3) 
USB5(S3) UHC6(S3) UHC7(S3) XHC0(S3) XHC1(S3) PE20(S4) PE21(S4) PE22(S4) 
PE23(S4) BR15(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD E2-3200 APU with Radeon(tm) HD Graphics, 2395.89 MHz, 12-01-00
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,ITSC
cpu0: 64KB 64b/line 2-way 

Re: carp flapping

2023-05-28 Thread Nick Holland

Followup...

On 5/12/23 08:17, Stuart Henderson wrote:

On 2023-05-12, Nick Holland  wrote:

...

I had several other people suggest network problems.  I'm not going to
say "impossible" or even "unlikely", but my understanding is that the
two machines are both plugged into the same switch, in the same rack.




I've since had someone more familiar with the physical environment say
my blind trust in their switch hw may be slightly misplaced. :)


You can also look at

netstat -ni -I ixl0
netstat -ni -I ixl0 -e
kstat ixl0:::



These looked REALLY clean.  no drops, fails or collisions.


which may give some other clues

even pfctl -si might have something relevant


Several people pointed out I was using the default advskew of 1 second,
which means a small network glitch (or system load?  maybe I'm all wrong
about this system never breaking a sweat, at least when it comes to
network traffic) would flip it, so I've increased it to 10 on both
machines (and apparently just induced a flip of my own. oops).  By the
nature of this system, some people will be annoyed by any flip, so it
really doesn't matter if it was a 1 second outage or a 30 second outage,
I just want the system available again after an unhappy event (or
routine maintenance).


the coarse adjustment in seconds is advbase, advskew is a much smaller
delay meant for a config with primary/backup where the backup advertises
just slightly less frequently.


Um. yeah.  I set advbase, and typed advskew in the e-mail. my bad.
After setting to 10, I have gone over two weeks without any flips, so that
looks like that is a pretty good fix.
 
Thanks for the guidance!


Nick.



Re: carp flapping

2023-05-12 Thread Nick Holland

On 5/12/23 03:28, Stuart Henderson wrote:

On 2023-05-12, Nick Holland  wrote:

Here's the problem I've seen:  I have my two machines flipping state
randomly(?).  This bothers me because that means it is breaking people's
downloads.  Longest period between flips was less than two weeks.

So ... I cranked up the carp logging to 5 and then 7 to see what it had
to say about why...and it had almost nothing to say.


Does netstat -s -p carp give any enlightenment?



ok, I just skewed the stats by taking the opportunity to bring the now
backup up to -current, so node1 does not have the most recent flap:

node1 $ uptime
 7:18AM  up  8:22, 1 user, load averages: 0.00, 0.05, 0.08

node1 $ doas netstat -s -p carp
carp:
29981 packets received (IPv4)
0 packets received (IPv6)
0 packets discarded for bad interface
0 packets discarded for wrong TTL
0 packets shorter than header
0 discarded for bad checksums
0 discarded packets with a bad version
0 discarded because packet too short
0 discarded for bad authentication
0 discarded for unknown vhid
0 discarded because of a bad address list
0 packets sent (IPv4)
0 packets sent (IPv6)
0 send failed due to mbuf memory error
0 transitions to master

 node2 $ uptime
 7:19AM  up 4 days, 20:58, 2 users, load averages: 0.83, 0.78, 0.73

$ ] netstat -s -p carp
carp:
367836 packets received (IPv4)
0 packets received (IPv6)
0 packets discarded for bad interface
0 packets discarded for wrong TTL
0 packets shorter than header
0 discarded for bad checksums
0 discarded packets with a bad version
0 discarded because packet too short
0 discarded for bad authentication
0 discarded for unknown vhid
0 discarded because of a bad address list
52806 packets sent (IPv4)
0 packets sent (IPv6)
0 send failed due to mbuf memory error
2 transitions to master


Will monitor going forward, though.


I had several other people suggest network problems.  I'm not going to
say "impossible" or even "unlikely", but my understanding is that the
two machines are both plugged into the same switch, in the same rack.

Several people pointed out I was using the default advskew of 1 second,
which means a small network glitch (or system load?  maybe I'm all wrong
about this system never breaking a sweat, at least when it comes to
network traffic) would flip it, so I've increased it to 10 on both
machines (and apparently just induced a flip of my own. oops).  By the
nature of this system, some people will be annoyed by any flip, so it
really doesn't matter if it was a 1 second outage or a 30 second outage,
I just want the system available again after an unhappy event (or
routine maintenance).

Nick.



carp flapping

2023-05-11 Thread Nick Holland

Hi,

I have a couple identical servers that provide a few services (not FW or
gateway -- http, ftp, etc.).  Figured they would make a great CARP pair,
so if the primary broke, the secondary would take over immediately.
It would also make maintenance windows shorter...make changes on secondary
machine, test, reboot primary to force the secondary to become master.

The two machines should be equals.  I have no preference on running on
one machine or the other.  IF nothing breaks, I'd prefer that the one
that is serving keep serving until I tell it otherwise.  Both machines
should have no issue with performance with the tasks they have, lots of
proc, lots of RAM, nvme disk, etc.

Here's the problem I've seen:  I have my two machines flipping state
randomly(?).  This bothers me because that means it is breaking people's
downloads.  Longest period between flips was less than two weeks.

So ... I cranked up the carp logging to 5 and then 7 to see what it had
to say about why...and it had almost nothing to say.

Here is the info from messages from both machines for the most recent
flip.  Past ones look basically the same.

Node 2:
/var/log $ zgrep carp0 messages
May  9 21:51:23 node2 /bsd: carp0: state transition: BACKUP -> MASTER
May  9 21:51:25 node2 /bsd: carp0: state transition: MASTER -> BACKUP
May 11 16:36:04 node2 /bsd: carp0: state transition: BACKUP -> MASTER


Node 1:
/var/log $ zgrep carp messages
May  9 21:51:25 node1 /bsd: carp0: state transition: MASTER -> BACKUP
May  9 21:51:28 node1 /bsd: carp0: state transition: BACKUP -> MASTER
May 11 16:36:07 node1 /bsd: carp0: state transition: MASTER -> BACKUP


hostname.carp0 from both machines:
inet a.b.c.240 255.255.255.0 128.100.17.255 vhid 1 carpdev ixl0 pass censored
inet alias a.b.c.241 255.255.255.255 128.100.17.255
inet alias a.b.c.243 255.255.255.255 128.100.17.255
inet alias a.b.c.246 255.255.255.255 128.100.17.255

verified identical (before slight anonymizing) on both systems.

hostname.ixl0 on node1:
inet a.b.c.248/24

hostname.ixl0 on node2:
inet a.b.c.247 0xff00

pf.conf includes this before any other "quick" statements:
pass quick inet proto carp all


Is there something I'm missing?  Incorrect expectations on my part?


Nick.

dmesg:
OpenBSD 7.3-current (GENERIC.MP) #1175: Wed May  3 08:19:33 MDT 2023
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 50078154752 (47758MB)
avail mem = 48540807168 (46292MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.2 @ 0x6f3c3000 (84 entries)
bios0: vendor American Megatrends Inc. version "3.4" date 10/30/2020
bios0: Supermicro X11SPW-TF
efi0 at bios0: UEFI 2.7
efi0: American Megatrends rev 0x5000e
acpi0 at bios0: ACPI 6.2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP FPDT FIDT SPMI UEFI SSDT MCFG HPET APIC MIGT MSCT PCAT 
PCCT RASF SLIT SRAT SVOS WDDT OEM4 OEM1 SSDT OEM3 SSDT SSDT DMAR HEST BERT ERST 
EINJ WSMT
acpi0: wakeup devices XHCI(S4) RP17(S4) PXSX(S4) RP18(S4) PXSX(S4) RP19(S4) 
PXSX(S4) RP20(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) 
PXSX(S4) RP04(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0
acpimcfg0: addr 0x8000, bus 0-255
acpihpet0 at acpi0: 2399 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) Bronze 3204 CPU @ 1.90GHz, 1900.06 MHz, 06-55-07
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,PQM,MPX,AVX512F,AVX512DQ,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,PT,AVX512CD,AVX512BW,AVX512VL,PKU,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 
16-way L2 cache, 8MB 64b/line 11-way L3 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 25MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) Bronze 3204 CPU @ 1.90GHz, 1900.09 MHz, 06-55-07
cpu1: 
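
The carp0 log lines quoted in the post above, run through a small flap detector. This is an added example, not part of the original post; the function names and the 5-second threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: find short-lived CARP role changes in
# syslog lines and count promotions to MASTER per node.

# The six carp0 lines quoted in the post, node2 first, then node1.
sample_log() {
    cat <<'EOF'
May  9 21:51:23 node2 /bsd: carp0: state transition: BACKUP -> MASTER
May  9 21:51:25 node2 /bsd: carp0: state transition: MASTER -> BACKUP
May 11 16:36:04 node2 /bsd: carp0: state transition: BACKUP -> MASTER
May  9 21:51:25 node1 /bsd: carp0: state transition: MASTER -> BACKUP
May  9 21:51:28 node1 /bsd: carp0: state transition: BACKUP -> MASTER
May 11 16:36:07 node1 /bsd: carp0: state transition: MASTER -> BACKUP
EOF
}

# carp_flaps MAXSECS  (reads syslog lines on stdin)
# Prints one line for every role a node held for MAXSECS seconds or less.
# Lines must be in chronological order per node (plain concatenation of each
# node's messages file is enough).  Syslog stamps carry no year, so months are
# treated as 31 days: differences inside one month are exact, a flap that
# straddles a month boundary can be missed.
carp_flaps() {
    awk -v max="$1" '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
        for (i = 1; i <= n; i++) mon[name[i]] = i
    }
    $7 == "state" && $8 == "transition:" {
        split($3, t, ":")
        now = (mon[$1] * 31 + $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        key = $4 " " $6              # "node2 carp0:"
        sub(/:$/, "", key)
        # role[key] is the role entered at the previous transition; if this
        # line leaves that role again within max seconds, report it.
        if ((key in seen) && role[key] == $9 && now - seen[key] <= max)
            printf "%s held %s for %ds from %s\n", key, $9, now - seen[key], stamp[key]
        seen[key] = now
        role[key] = $11
        stamp[key] = $1 " " $2 " " $3
    }'
}

# master_counts  (reads syslog lines on stdin)
# Promotions to MASTER per node, for comparison with the
# "transitions to master" counter in `netstat -s -p carp`.
master_counts() {
    awk '$7 == "state" && $8 == "transition:" && $11 == "MASTER" { c[$4]++ }
         END { for (k in c) print k, c[k] }' | sort
}

sample_log | carp_flaps 5
```

On real systems, feed it `zcat -f` output of each node's messages files instead of `sample_log`.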

Re: What is the best way to move a VM to a bigger image?

2023-05-07 Thread Nick Holland

On 5/6/23 12:54, Hannu Vuolasaho wrote:

Hello,

I made a silly mistake when I set up my VM and my disk image is too
small for my next operation.

My plan is to give the new image to the VM, run a minimal install on
it so I get the boot loader installed. Also disklabel will be good.

After that I remove all the files and mount the old VM image to
another part of the tree.

Rest is just a dump and restore operation. And checking the /etc/fstab

Is this a good way to skin this cat? Or is there a better way to do it?


Not enough information to give an absolute answer, but on minimal thought,
I can think of a few ways to deal with a space problem on a VM:

0) Just start over
* Advantage: Disk space probably wasn't your only error in setup.  Good
time to fix those other issues, too.  Practice in config.
* Disadvantage: Opportunity to make NEW errors! :)

1) build a new VM, restore from your backup to the new VM.
* Advantage: tests your backup and restoration process.  If your routine
backup/restore process doesn't get you through this, you have a problem.
You still have your old VM untouched.
* Disadvantage: More or less end up with where you started, but more
space.

2) Add additional virtual disks to your VM.  Copy partitions to new disk,
delete partitions on old disk, growfs partitions on old disk to use space
of partitions, etc.
* Advantage: you really learn disk manipulation, can sometimes be done
with minimal downtime.
* Disadvantage: you can really screw stuff up, too, leading to option #0


2a) Enlarge the existing virtual disk, use the additional space as with
option #2 above.

3) Dang, I thought I had another option here, but I'm blanking on what
it was.
Advantage: someone else can put their thoughts in.
Disadvantage: do you really want to trust someone this forgetful?

Nick.



Re: Very slow smtp connection to mail.openbsd.org

2023-05-03 Thread Nick Holland

On 5/3/23 18:30, S V wrote:

Hello,

I'm trying to setup my own mail server and while I can send email to
any already tested and interesting for me domains.
I always get "delayed" with misc@openbsd.org: Connection closed
unexpectedly while trying openbsd lists.
I telnet to 25 port and see that it has extremely slow speed like 1
character per second. I telnet from other "non-mail" vps
and I see that for first seconds it is also slow, but later it become "instant".

Are there any "delay" filter for spammers? If yes then why it detects
my non-mail vps as ok and still slows my "mail server" (with existing
PTR)?
If there are no delay... ugh, guess I'm out of luck with my ISP ? But
then again why vps is ok?

Thanks in advance for any suggestions!



man spamd
It's running on the OpenBSD mail server.
also look up "Greylisting" with your favorite search engine.

Nick.



Re: openbsd firewall configuration for extreme hostile environment

2023-05-01 Thread Nick Holland

On 4/26/23 08:46, jonathon575 wrote:

Greetings,

I have OpenBSD configured strictly as a dedicated firewall. Only BSD,
BSD.rd, BSD.mp, and Base are installed (supposedly, this is the
minimum installation). Blocked All, and only few selected out going
IP addresses are allowed (strictly vpn ip addresses).


which basically means, you blew a huge hole in the firewall.
VPNs don't ADD security, they let infested computers you can't properly
maintain enter your network from all over the world.  They take a
horrible idea (let people into your network) and make it less bad.
But there's a gap between "less bad" and "good". No firewall can
fix this.
 

I maintained rc.conf at its default configuration, including disabled
ntpd, smtpd, sndiod, sshd, then deleted sshd binary file and related
library directory, as well as deleted the portmap file. However, the
penetration is still happening. IPS is not helping. DHCP is enabled
and configured for LAN.


So...totally non-default config.
you can't track activity by accurate time stamps (no NTP), you can't
remotely manage the machine, and you have a management nightmare on
your hands.


I do have few clarifications, and kindly need your expertise:

1) Regarding the log files, how to sappnd the .history file? I could
not locate it. Kindly advise.


just..don't.
When you start worrying about stuff like that, you are no longer
preventing attack, you are just measuring it.


2) I read the publications of Mr. Michael Lucas, he did state that he
had intruders to his openbsd systems few times, and the way to stop
and frustrate the bugger was to make every file immutable, but, he
did not specify how to do that without breaking the system. 


"I want to shoot myself in the foot, but I want to be ok"
No, what you are proposing is a very good definition of "breaking
the system".

and again...  It is far better to keep people out of your system
through proper maintenance than try to slow 'em down once they
are in it.  Now, if you have a horrible web application, ok, sure,
you might want to go all defense-in-depth here, because, well your
application sucks and we know you aren't going to fix that, and some
C-level said, "This is the answer, make it work".  But a firewall
should be a pretty robust thing and a bad target anyway.
If I want into your network, I'm not going to waste time on your
firewall, I'll work over the things you expose *through* the
firewall.  That's where the data is anyway...


I had the directories /bin, /sbin, /usr/bin, /usr/sbin, /etc, schg immutable
(chflags -R schg ), however, when applying it to other directories
including the lib related directories such as /usr/lib, /lib, ..etc I
get the error message "relink reorder failed..." when restarting the
system.


yep.  You shot yourself in the foot, and it hurts.  You haven't even
started to experience the pain of bleeding out, either.  That comes
when you try to upgrade this frankensystem.


How to make every file/directory, the file-system, schg immutable
without breaking the system?


you don't.
 

3) [CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP
connections.

The above outgoing IP addresses are strictly related to VPN TCP ip
addresses, so I hope the mentioned CVE is rectified in openbsd,
however, I am not sure what new vulnerabilities are present with the
existing, latest openbsd and VPN protocols that would have similar
effects.


Well, your comments on that CVE are about as clear as the CVE itself
is.  Looks like it boils down to "if someone can get into your systems
enough to see packets, they can guess where they are going."
How did you decide THIS was your big concern?


I included the below lines in the pf.conf to try to mitigate this
vulnerability:

set reassemble yes
match in all scrub (no-df random-id reassemble tcp max-mss 1440)

However, it was still not sufficient to prevent the penetration.


that wasn't how your systems were penetrated.  Almost certain of that.


I did not come across any literature on how to mitigate the mentioned
CVE in OpenBSD.


that's a big hint.


4) Perl: How to remove Perl and other scripting languages from the
base installation without affecting other utilities that use it?! I
do not have comp.tgz installed, but if perl is present, Perl can do
anything that most compiled languages allow and can often do it
quicker.


:eyeroll:
This idea is stupid.  Just plain stupid.
(Granted, it is a common stupid idea.  But there's a lot of stupid
in the world)

Do you discard all the tools in your house because a thief might
use them to disassemble stuff inside your house?  Discard the soap
because they might want to wash their hands?  Turn off the water
in case they get thirsty?  Turn off the heat and AC so they won't be
comfortable?  That's what this line of logic boils down to. Any
self-respecting burglar will bring their own tools, meanwhile stuff
will be falling apart all around you over your misguided sense of
security.


5) Disabled Services.

The services in the 

Re: SATA disk identify taking 10 seconds to give me output

2023-04-20 Thread Nick Holland

On 4/20/23 05:56, Raja Sekhar wrote:

Hi,

I am running OpenBSD_7.1 on VMWare workstation16. It has two hard disks(wd0
& sd0)

I am trying to get hard disk information using the following command.

*$atactl  identify*

If I use the disk wd0, I am getting output immediately.

If I use the disk sd0, I am getting the output after 10 seconds.

I need to trigger the above command multiple times, it is causing delay in
my scenario.

When I go through the kernel code the delay is occurring in scsi_xs_sync()
function.

What's the problem and what is the fix for this issue.


well, the problem is pretty clearly in VMware Workstation.
I don't see a problem with real hw.

First, I'd start by getting to 7.3. See if your "problem" is still
showing.

Second, I'd look at the virtual HW you have selected.  Try a different
interface card emulation.  And why do you have different types of
hardware on a VM anyway?  Put your virtual disks on the hw that
works best for you.

So many questions would be answered with a dmesg...

Nick.




Re: File system is full after using dd

2023-04-15 Thread Nick Holland

On 4/15/23 10:14, Lorenzo Torres wrote:

Hello, I've run the dd command to wipe the data of an SD card:
dd if=/dev/zero of=/dev/rsdb1c bs=1M
After quite some time it crashed

   ^^ bzzzt.  game over.

saying that the / filesystem is full and even after a reboot the same
happens. Now I can't even run xorg because the fs is full. Any idea
on why this happened? I have a 1TB NVME SSD as root disk and I have
only a root partition as well as the efi partition on the root disk

  ^  game took a while to be over, didn't it?

As people have already said, you created a file, you didn't zero your
SD card.

But...what wasn't said (yet?  as I'm typing this?  Probably twenty
people will respond about this two seconds after I hit "SEND") was
pointing out this is one of many reasons NOT to create a huge root
partition and nothing else.  Granted,  OpenBSD has lots of
OpenBSD-only reasons, too, but one big root partition is Bad Unix
Administration.

If you had an appropriate sized root partition, perhaps 1G (default),
you would have quickly discovered something was wrong, probably in
a few seconds.  Instead, it took a while, and you assumed you had
accomplished your mission of zeroing an SD card.  So not only did
you fill root, your sensitive data is still on the card.

Many system administrators can tell you stories about thinking they
were backing up every night to tape, only to find out that they were
dumping a big backup *file* in their /dev directory rather than
putting their data to tape...and find this when they realize their
tape has never been written when they need a restore.

$DAYJOB involves helping maintain a bunch of systems that regularly
fill their root partitions.  Not always by bad initial design,
but often because there was "plenty of space" on the root partition,
so someone started dropping data or applications there. And then,
one day...boom.

Partition your system.  And / should be as small as you can sanely
get away with.  That isn't to say it should be super-tiny.  But
if you have 1GB to spare, it is probably too big.  I did learn to
regret a 200MB root because OpenBSD grew a lot over around ten
years that I used that install.

Nick.
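
A pre-flight check for the failure described in this message, where dd aimed at a mistyped path under /dev quietly writes a regular file onto the root filesystem. This is an added example, not part of the thread; `wipe_check` and `stray_files` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread: checks to run before pointing dd at
# something under /dev, plus an audit for the aftermath described above.

# wipe_check PATH
#   0  PATH is a block or character device node
#   1  PATH does not exist (dd of=PATH would create a regular file there)
#   2  PATH exists but is not a device node
wipe_check() {
    target=$1
    if [ ! -e "$target" ]; then
        echo "refuse: $target does not exist; dd would create a regular file"
        return 1
    fi
    if [ ! -b "$target" ] && [ ! -c "$target" ]; then
        echo "refuse: $target is not a device node"
        return 2
    fi
    echo "ok: $target is a device node"
}

# stray_files DIR
#   Lists regular files under a device directory: the leftovers of an earlier
#   mistyped dd or dump target.  MAKEDEV* is skipped because OpenBSD ships
#   that script in /dev.
stray_files() {
    find "$1" -type f ! -name 'MAKEDEV*' 2>/dev/null
}

# Check the path given on the command line, if any.
if [ $# -gt 0 ]; then
    wipe_check "$1"
fi
```

Running `stray_files /dev` after an incident like this one shows which file is eating the root partition; removing it frees the space, but the card still has to be wiped through its real device node.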



Re: Help for another wiped out disklabel

2023-04-13 Thread Nick Holland

On 4/13/23 16:08, Greg Thomas wrote:

Thank you!  I gave it one more shot before attempting the script and I'm
back in.  I figured I'd try 0 for the beginning of the partition.

grits# disklabel sd1
# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: Ext SSD
duid: 2eeb6058175bf1f7
flags:
bytes/sector: 512
sectors/track: 20
tracks/cylinder: 22
sectors/cylinder: 440
cylinders: 2131143
total sectors: 937703088
boundstart: 0
boundend: 937703088

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:        937703040                0  4.2BSD   4096 32768     1
  c:        937703088                0  unused


OUCH.  Don't do this!

I'm not sure why your disklabel got overwritten *in your case*, but there
is stuff that's supposed to be at sector zero, and a disklabel is NOT IT.
Something someday will clobber it.  And it did.

Please, back your data up, put either a UEFI or MBR partition table on it,
and then use the rest of the disk for your backup.  With modern disk
sizes, the amount of space you "save" isn't worth the first time this
happens to you.

Nick.
(who went back to look at your dmesg to make sure it wasn't a sparc64 :)



Re: Unable to receive dhcplease from ISP

2023-04-01 Thread Nick Holland

On 4/1/23 19:57, Bill A wrote:

Hi all,

I ran into this issue today when I decided to do some maintenance on
my home network.  My laptop runs OpenBSD 7.2.  I attempted to get a
dhcplease from Spectrum Internet with a direct connection to my em0
ethernet interface.  I got no response.  I'm having the same problem
with another computer that I wanted to use as my firewall (also
running OpenBSD, same ver).

There is no dhcpleased.conf on my laptop, as I didn't see how any
defaults needed to change.  I also haven't had any recent issues
getting a lease on it in other situations (yet).

Cabling is good.  A different (non-OpenBSD) firewall normally sits on
this interface, and after I put it back, everything was working as
normal.  I'm happy to provide any additional information as
requested.

I tried this several times, cleared and shutdown the iwm0 interface,
cleared the em0 interface, etc, this is output from the last time.


I can replicate that with my ISP if I follow your steps.
With my service, if I change the MAC address of the machine attached to
my cable modem, I have to power cycle the cable modem to get a new
DHCP lease.

Not saying that is your problem, but you never indicated you power
cycled the modem...which I have found critical for the last 20+ years.

Nick.



Re: Home folder default permission

2023-03-23 Thread Nick Holland

On 3/23/23 14:36, Matthew Weigel wrote:

On 2023-03-23 11:53 am, ch...@qatland.com wrote:

I did not look at the code at all for this.  Only using existing 
programs.

 If this should not be working then a patch will be needed somewhere.


I didn't give it a try, but I took your report at face value and looked
closer at the code.

When it copies /etc/skel over, it does so with a command like
"pax -rw -pe /etc/skel /home/$USER"
(https://github.com/openbsd/src/blob/869ed59d760a94e6086f364d91f2b56074421cc9/usr.sbin/user/user.c#L316)
which sets all permissions, starting with /etc/skel. That's why it behaved
as you observed, the way the original poster wanted.


However I will state that having the ability to set the default
permissions somewhere would be useful, and a requirement in some
environments.


I agree, not that I have any say.  It's also worth pointing out that you
can have multiple skeleton directories and specify which one you want to
use when you run the program; there's no need to change the default
skeleton directory (or, it's possible to keep a traditional readable-by-
all skeleton directory around even if you make it not the default).

Matthew



I kinda like the /etc/skel directory providing the default.  That's the
model for a new user -- it has a basic .profile, a .ssh directory
and empty .ssh/authorized_keys file, all with permissions properly set.

Yeah, I know some compliance people want to see complete privacy on
home directories, but that kinda defeats a point of a multi-user system,
that people might just want to collaborate with each other.

Nick.



disk integrity checking

2023-02-22 Thread Nick Holland

(this is a request for a "that's stupid", not a suggestion
of something people should do at this point)

An idea that's been floating around in my head, inspired
by the ZFS "scrubbing" idea: rather than build that "check
your data" process into the file system, just do something
periodically like this:

  # dd if=/dev/rsd0c of=/dev/null bs=1m

and repeat against all physical drives.  The logic being,
all hard drives have some kind of error detection logic
in them, at least a checksum of some kind on all data blocks.
See if you can read every block on the disk.  No errors, your
data might be intact.  Errors, it probably isn't (or won't
be in the future).  Crypto-grade integrity, probably not...
but probably quite sufficient for spotting most bad spots
on the disk.

So...I tried it against disks with mounted file systems and
softraid partitions on them.

It...seems to work. I did have one laptop with a softraid
encrypted drive that gave a nice, clear "Input/output error",
but I can't reproduce it (maybe it got locked out?  Seems
odd on a read, but ...

Is this sane?  is it safe to attempt to read all the blocks
on an entire 'c' partition of a disk that's doing "other
things" at the same time, including layers of softraid?

Nick.



Re: Performance optimizing OpenBSD 7.2

2023-02-15 Thread Nick Holland

On 2/15/23 04:54, Claudio Jeker wrote:

On Wed, Feb 15, 2023 at 10:28:57AM +0100, Gábor LENCSE wrote:

Hi Lars,

> I downscaled from 8 to 4 vCPUs and from 8 to 4 gig RAM - and the two obsd
> now seems to hold the packages decently.

As for performance optimization, I think the direction is good, and perhaps
you could go even further if you have a load balancing device that can
distribute the traffic among the multiple VMs.


Not sure why reducing the memory should help. Also reducing the number of
virtual CPUs has probably little effect as well. The main point in reducing
the number of cores and disabling threads is to give modern CPUs more
thermal/power headroom to run the fewer CPUs at a higher clockspeed.
I doubt you get the same effect on vCPUs.


Quite some time ago, the story with VMware (and I'm guessing it is true of
all x86 virtualization) is that to have "time" on the processor, ALL the
required CPUs had to be available.  A single CPU VM could almost always
find time to run...an 8 CPU VM had to wait until there were all eight
cores available to run, so if your task didn't use lots of cores, you
often lost by requesting more than you needed.  Not sure how true it was
"back then" or now, but if better performance is seen with fewer cores,
this might be why.

Nick.



Re: Calculating VMs/CPU

2023-02-05 Thread Nick Holland

On 2/4/23 17:31, latin...@vcn.bc.ca wrote:

Hello misc

i am building an only VMD server:

How could calculate the relation: CPU, Ram, Storage, VMs please?

Thanks.
PD:
I have a Lenovo ThinkPad Edge 4 i3 cores, 500GB disk. 8GB Ram.



This is kinda virtualization 101 stuff, not really specific to OpenBSD.

RAM: assume more than 1:1.  The VM will require certain overhead, as will
the base OS.  So, if you want 2G VMs, you won't be getting four of them
on your 8G machine.  You might get three.  (some VM systems support
"thin provisioning" of RAM.  This is really a great way to hurt yourself
unless you really know what you -- and all your guest OSs -- are doing.
And you are still really likely to hurt yourself).

Disk: Assume 1:1.  Even if your VM system supports thin provisioning
(OpenBSD doesn't appear to), don't.  Assume you will use 100% of the
disk you provision for a VM. Because you will.  Thin provisioning VMs
is generally a bad idea.

CPU: Test, don't speculate.  This is where you can get some benefit from
resource sharing.  You can also end up fooling yourself into thinking
that 10 VMs that are usually 90% idle can share one CPU, because that
10% busy time?  They are all working on the same task.


In your case of a 4xi3 8g/500g, I suspect your machine will run out of
RAM, CPU and then disk, in that order, though if you work at it, you
can run out in any order you wish. :)

But it is all how you define your VMs and what you do with it.  Your
host i3 could be maxed out with a web browser, so the VMs you run are
going to have to be minimal and your expectations modest.

Nick.



Re: Max number of NICs

2023-01-23 Thread Nick Holland

On 1/23/23 17:54, Lars Bonnesen wrote:

How many physical NICs can you add to an OpenBSD host (vmx)

I am asking because I am running an OpenBSD on a VMware host but apparently
OpenBSD can only see 8 of them.

Can I raise the limit somehow?

Regards, Lars.


many years ago (back in the 3.x days, iirc), someone asked me to jam
a machine full of NICs and see what happened.

Four 4-port dc(4) NICs (16 ports) plus one 3com 3c905 on the main
board later, I saw no issues, but then I lacked any use for a 17 port
machine.  If I recall properly, the person who asked me to do it was
expecting some kind of issue, but when I told him they were dc(4)s,
he was disappointed and said, "Well, of course those will work".

I had a machine for a while with something like ten or
eleven em(4)s in it, I had fired it up, don't recall seeing any
problems with it identifying all the ports (in fact, iirc, it found
a port on the MoBo that was not extended to the outside).  Again,
no issue, but after staring at the power hungry box for many years
and never doing anything with it, it finally got recycled.  Again,
that was many releases ago...so not sure how it applies today.

Current FW box is an old citrix appliance with a six port NIC and two
onboard ports, for eight em(4)s.

Nick.



Re: Query on openrsync(1)

2023-01-11 Thread Nick Holland

On 1/10/23 03:49, Abhishek Chakravarti wrote:


OpenBSD newbie here. While trying to backup my OpenBSD configs to my
Arch Linux box, I noted a discrepancy between the openrsync(1) manpage
examples and what I encountered. The steps to reproduce are as follows:

```
$ uname -a
OpenBSD oberon.taranjali.org 7.2 GENERIC.MP#758 amd64
$ touch foo bar
$ rsync -av foo bar abhishek@192.168.1.3:/home/abhishek
ksh: rsync: not found
$ openrsync -av foo bar abhishek@192.168.1.3:/home/abhishek
Enter passphrase for key '/home/abhishek/.ssh/id_ed25519':
Transfer starting: 2 files
bar
foo
Transfer complete: 56 B sent, 187 B read, 0 B file size
```

The EXAMPLES section for the openrsync(1) specifically mention rsync and
not openrsync. I did find an earlier thread related to this issue:
https://marc.info/?l=openbsd-misc&m=162123821229046&w=2

The suggestion from that thread seems to be to use the rsync package
instead of openrsync. Is this still the case? And if not, shouldn't the
openrsync(1) manpage examples invoke openrsync instead of rsync?

Thank you for your time and consideration.



I'm a big fan of rsync, and was really excited by openrsync being
built into OpenBSD, but so far, it hasn't done the jobs I need it
to do :-/

A few things that cause me trouble are the lack of a -H (preserve
hard links -- I bet that's ugly to code), -W (disable the
delta-transfer "feature".  Yes, I know it was The Reason for rsync,
but in my experience, it takes longer to do the delta transfers
than to just send the whole bloomin' file for the vast majority
of my usage.  And I don't mean 5% longer -- I'm talking 400%
longer sometimes.  And maybe worse...unpredictable), and I'm a
big fan and user of --link-dest.

But ... if it does what you want, absolutely, give it a spin.
If it doesn't...either install the package or grab the source code
to openrsync, add what you need and submit it. :)


I think there was some talk about ultimately naming it rsync, but
unless it is 100% feature compatible (and I'm not sure I'd consider
that a good thing), that will cause confusion in my world.

Nick.



Re: CARP and DHCP

2023-01-08 Thread Nick Holland

On 1/6/23 02:31, Christer Solskogen wrote:

On Mon, Jan 2, 2023 at 5:14 PM Nick Holland wrote:


hiya.

Goal: home (i.e., DHCP external network config) redundant
firewalls with CARP and PFSYNC.





Totally doable. I've been running it like that for the last 7 years at
home.
My ISP doesn't like it when the two firewalls have different mac-addresses,


same here. :)


so I have to do some spoofing on the slave machine.
ifstated is your very good friend here.  My /etc/hostname.$extif is empty.

CARP is only in use for the internal interface.

This is my ifstated.conf on master:

carp_up = "carp0.link.up"
carp_down = "!carp0.link.up"
carp_init = "carp0.link.unknown"

init-state auto

state auto {
    if ($carp_up)
        set-state fw_master
    if !($carp_up)
        set-state fw_slave
}

state fw_master {
    init {
        run "route -qn flush"
        run "ifconfig em2 inet autoconf"
        run "pfctl -f /etc/pf.conf"
    }

    if ($carp_down)
        set-state fw_slave
    if ($carp_init)
        run "sleep 2"
}

state fw_slave {
    init {
        run "ifconfig em2 -inet"
        run "route -qn flush"
        run "route add default 192.168.0.3"
    }

    if ($carp_up)
        set-state fw_master
}


Does this actually maintain state?  I'm thinking pfsync might
not work properly when the external interface "changes" like that.
It wouldn't actually matter much in *my case*, but I'm wondering
about the more general case.

Thanks!

Nick.



Re: (video) obsd install initial boot process slowed down

2023-01-05 Thread Nick Holland

On 1/5/23 02:22, Sylvain Saboua wrote:

https://youtu.be/lzGT1TAGG1Y

OpenBSD 7.2 (GENERIC.MP) #758: Tue Sep 27 11:57:54 MDT 2022
  dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8449818624 (8058MB)
avail mem = 8176320512 (7797MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xda571018 (40 entries)
bios0: vendor American Megatrends Inc. version "4.6.5" date 11/11/2013


Not exactly a new machine (i.e., my vintage. :) )

...

cpu0: Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz, 2693.94 MHz, 06-2a-07

...ten year old processor.
...


ahci0 at pci0 dev 31 function 2 "Intel 7 Series AHCI" rev 0x04: msi,
AHCI 1.3
ahci0: port 0: 6.0Gb/s

...

sd0 at scsibus1 targ 0 lun 0: 
naa.5002538f40c128a7
sd0: 953869MB, 512 bytes/sector, 1953525168 sectors, thin


good. don't think that was factory. :)
...[snip]...

That didn't seem *that* slow to me.

For giggles, I compared your startup time vs. my netbook with
full disk encryption.  It turns out, you are right, you
actually were slower for the kernel load (once the kernel
loaded, your system kicked my netbook's butt)

What you are seeing is the initial kernel load taking place.  The
OS is not running then -- the firmware has loaded /boot and it is
pulling up the kernel a little bit at a time through the system
firmware and with only one core jumping between the system
firmware, the boot code, decrypting data, etc., and it has 22MB
to load (that used to be SO HUGE!).  You are 100%  dependent upon
the system firmware at this point, OpenBSD is not running yet
(OpenBSD provided code, yes, the kernel, no).

I don't think this counts as an OpenBSD bug at all, it's just
the way your machine works until a modern OS is loaded and takes
over managing the hardware.  /boot has only a few ways to get
data off the disk, it basically ends up working through somewhat
updated (for large disk) tools that existed on the 1982 IBM XT.

Looks like you are using UEFI boot -- you might want to try it
with BIOS/Legacy.  That's an old enough machine that UEFI might
not have been the optimal way to boot that machine. You could
see if there's a newer BIOS for your computer.

Nick.



Re: 回复: Softraid crypto metadata backup

2023-01-04 Thread Nick Holland

On 1/2/23 23:54, Nathan Carruth wrote:

Thank you for the response.

I am with you 100% on backups. My real question was, How
does one backup crypto volume metadata? Given that
it can be backed up, clearly it should be, but there is no
information in any of the cited documentation as to where
the metadata is or how to back it up.


There appears to be no intended way to backup this crypto
metadata you are worried about.  Not that I'd really want
extra copies of anything related to a crypto disk floating
around anywhere if I could help it.  Not sure what you are
hoping to get "backed up", but it sure sounds like something
useful to the wrong people. Encrypted disks are supposed to
"fail closed".  If that scares you, your backup sucks or
you shouldn't be running encrypted drives.

(well...you COULD
   # dd bs=1m if=/dev/rsd0c of=/mnt/someotherdevice/disk.img
and that would get your meta data, your data, your microdata
your macrodata and possibly your first born).

So let me offer you this, instead.  A backup of potentially
someday useful disk data:

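# Print the fdisk and disklabel output for every disk the kernel reports.
# hw.disknames is a comma-separated list of name:duid pairs; keep the name.
# (print is a ksh builtin.)
for DISK in $(sysctl -n hw.disknames | tr ',' ' '); do
    D=$(echo "$DISK" | cut -f1 -d:)
    print
    print "== $DISK ==="
    fdisk "$D"
    disklabel "$D"
done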


(note: this script is surely missing edge and special cases.
It has been run on three different machines.  I do not wish
to talk about how much time I've spent making it look prettier.
I guarantee it is worth about what you paid for it and nothing
more).

Run that periodically, redirect the output to a file, get that
file to another place, and you have full info about your disk
partitions, both fdisk and disklabel, in case you overwrite
them someday.  Far more likely than a crypto failure that can
be recovered by some crypto metadata backup.  And the cool
thing since the prefix "meta" basically boils down to "sounds
cool, no idea what it means", we can call this metadata. :)

(Yes, the disklabel info is stored by security(8), ... kinda.
Spot checking two of my systems right now, I see both are
missing drives...and I'm not sure why, I suspect there's a
good reason.  But fdisk output is NOT there, and I'd rather
prefer it be there too on fdisk platforms).

Nick.



Thanks!
Nathan


Does a softraid(4) crypto volume require metadata backup? (I am
running amd64 OpenBSD 6.9 if it is relevant, will probably
upgrade in the next few months.)

I understand FreeBSD GELI (e.g.) requires such a backup to protect
against crypto-related metadata corruption rendering the encrypted
volume inaccessible.

Neither the OpenBSD disk FAQ nor the man pages for softraid(4) or
bioctl(8) have anything to say about the matter. Web searches also
turn up no relevant information.


Storage requires backup.
Encrypted storage is (by design) more fragile than unencrypted storage.
Sounds like you are trying to protect against ONE form of storage
failure and avoid the solution you really need to have: a good backup
system, to deal with *all* forms of storage failure.

I'd suggest a good backup system...to deal with ALL forms of data loss.
Yes, encrypted storage implies a certain care has to be taken with the
backups as well, you need to pick a solution that is appropriate for
your needs -- or accept that yeah, stuff will go bye-bye someday.

I don't see a benefit to trying to protect against some single failure
mode when all the other failure modes still exist.  If you have good
backups, you are good.  If you don't, dealing with a 1% problem isn't
going to change much.

Nick.





Re: obsd install initial boot process slowed down

2023-01-04 Thread Nick Holland

On 1/4/23 01:13, Sylvain Saboua wrote:

Hi, my OpenBSD (encrypted) install is functioning really
well, apart from one thing, that would signal a bug or smth:

The initial boot process, right after I type the security
key in, which displays cyphers aligning in between rotating
semicolumns (I hope this is clear), is slow, on this install.


Nope.  Totally not clear.
What platform, what hardware, dmesg.

Also...no idea what you are talking about.  First boot after
install?  every boot?  during install?

EXACTLY What are you seeing on the screen when it is "slow"?
And what does "slow" mean?

I've got encrypted partitions running on 1GHz class netbooks,
which I'll admit is painful, but it's not the crypto that is
the core problem.  So you have to show what is different in
your configuration than mine.

Nick.



Re: Softraid crypto metadata backup

2023-01-02 Thread Nick Holland

On 1/2/23 22:22, Nathan Carruth wrote:

Does a softraid(4) crypto volume require metadata backup? (I am
running amd64 OpenBSD 6.9 if it is relevant, will probably
upgrade in the next few months.)

I understand FreeBSD GELI (e.g.) requires such a backup to protect
against crypto-related metadata corruption rendering the encrypted
volume inaccessible.

Neither the OpenBSD disk FAQ nor the man pages for softraid(4) or
bioctl(8) have anything to say about the matter. Web searches also
turn up no relevant information.


Storage requires backup.
Encrypted storage is (by design) more fragile than unencrypted storage.
Sounds like you are trying to protect against ONE form of storage
failure and avoid the solution you really need to have: a good backup
system, to deal with *all* forms of storage failure.

I'd suggest a good backup system...to deal with ALL forms of data loss.
Yes, encrypted storage implies a certain care has to be taken with the
backups as well, you need to pick a solution that is appropriate for
your needs -- or accept that yeah, stuff will go bye-bye someday.

I don't see a benefit to trying to protect against some single failure
mode when all the other failure modes still exist.  If you have good
backups, you are good.  If you don't, dealing with a 1% problem isn't
going to change much.

Nick.



CARP and DHCP

2023-01-02 Thread Nick Holland

hiya.

Goal: home (i.e., DHCP external network config) redundant
firewalls with CARP and PFSYNC.

Long ago, I think the word was "CARP and DHCP network
configs don't work well together".  A bit of searching man
pages isn't showing me anything.  A bit of googling is
showing some old solutions that were fairly complicated.

A lot has changed, lots of nifty new tools.  Is there anything
that would make a DHCP-configured redundant FW relatively
straight-forward?  I can think of a lot of reasons why this
would NOT be an easy thing to accomplish, but maybe I've missed
something.

(Goal is to re-acquaint myself with CARP.  I can accomplish
that goal with a "buffer" machine between the CARP/PFSYNC FW
and the outside Internet, but if I can skip the extra machine
and get the benefits of redundancy, I'd like to do so).

Nick.



Re: sysupgrade fails with "FAILED" when "verifying sets"?

2022-12-12 Thread Nick Holland

On 12/12/22 07:22, Why 42? The lists account. wrote:


Hi All,

Today sysupgrade failed for me, but I'm not sure why? Here's the output:

 [ ... ]

There is a problem with the distribution network currently.  Hopefully
will be resolved soon.

Doing a quick check, looks like only amd64 is broke..but of course,
that's what you probably want. (good time to upgrade your other platforms!)

Nick.



Re: Configure OpenBSD for remote server rarely used

2022-11-27 Thread Nick Holland

On 11/27/22 12:10, James Johnson wrote:

Thanks for your response.

I am not intending to switch the machine. In terms of resources, I am
mainly concerned about hard drives and cpu being worn down
unnecessarily. I am not sure how much of a concern this should be
though.


The CPU isn't going to "wear out" due to being running, at least not in
a meaningful time scale.

HISTORICAL EVIDENCE hints that a spinning drive will last longer than
a frequently power cycled drive.

Steady-state is easiest on hw.  Powering up and down is large power
surges, and that's generally not good.  This is across the board --
power supply, hard drives, main board, CPU, memory, etc.  The only
part that I think gets a benefit from being turned off would be a CRT
monitor, and maybe the HV in an older LCD monitor.

That's based on historical experience with a lot of different machines.
How that relates to the hardware you have at hand, there's no way to
know, other than get 50 identical machines, power one half on-and-off
regularly and leave the other half on.


Yes, I do know in advance when the machine needs to run and when it
can sleep.

"Some machines have a wake option in their BIOS." -> thanks for the
pointer, I will look into that.


That might work for you, but I think your premise is flawed.
 

"How much electricity have you saved by that?" -> I don't know. The
main concern is not using the hardware unnecessarily, to hopefully
increase its lifetime. Though less electricity usage is a nice side
bonus.


I just did some measurements here before seeing these replies.  Short
version: single 4TB 3.5" 5400 RPM drive draws less than 7W when
running...and I doubt you get all that power "back" when you spin
down the drive.  CPUs mostly draw power when doing something, the
difference between a mostly idle CPU running at 1GHz vs. 3GHz is
fairly small.  And on a rack mount server, fans may draw more power
than an idle CPU.


"How much resources would that save?" -> My thoughts was that it
would be better for hard drive longevity to have them spun down,
rather than them being up for months without any access needed. I
don't know in practice if that matters for life expectancy of the
drive?


As someone who has seen a lot of hard drives power down working and
not spin back up at next power-on...I'm pretty sure your plan is
absolutely defeating your goal.  I'm pretty sure a whole lot of
other people are also screaming "NO!!!" at their computer right now.
I hold a lot of unpopular views based on my experience, but I'm pretty
sure "leave drives running for maximum life" is NOT one of them,
it's pretty mainstream.

From your elaboration on your goals, just leave it alone.  By trying
to make it a super-efficient system, you are going to increase your
downtime and failure in a number of ways.

Nick.







On 27 Nov 2022, at 15:50, Jan Stary  wrote:

On Nov 27 09:37:19, mytraddr...@gmail.com wrote:

The main thing I am trying to do is to make it sleep every now
and then to protect resources.


How much electricity does the machine eat? (What other "resources"
are you concerned about?)


1) Make it sleep and wake up when woken up remotely I
investigated Wake On Lan, which I enabled via ifconfig. However,
this system is deployed remotely, and I have no access to other
computers on the LAN, so I am unable to make this work.

2) Make it sleep for a few hours and then wake up


Do you know in advance at what hours the machine needs to run, and
when it can sleep?


After 3hours+ of research in man pages and the internet, I have
not seen any solution for that.


Some machines have a wake option in their BIOS.


3) hard drives Spin down, CPU lower freq I have been able to
lower the CPU speed by running `apm -L`.


How much electricity have you saved by that?


I haven't been able to spin down the hard drives.


How much resources would that save?

If you are concerned about resources, wouldn't you be better off
getting a low-power machine, with SSD disks?  There are machines
out there that eat around 10W and get the job done (depending on
the job of course); and SSD doesn't need to spin down.


I cannot share the full dmesg for security reasons


Bullshit.







Re: Keyboard won't work during OpenBSD 7.1 or 7.2 installation.

2022-11-23 Thread Nick Holland

On 11/22/22 00:54, Clint wrote:

Dear Sirs,

  


My name is Clint Wu, I had been told the DMP’s EBOX-336x mini PC (product
page) can run OpenBSD 7.1.

 ...

My keyboard stop working at this stage. Did any one report this problem
before?

Can you tell me how to solve this? what should I do next? Please advise,
thank you.


well, I have no knowledge of this machine, but one thing I would try is
to see if you can switch it between legacy (BIOS, MBR, etc.) and UEFI
booting.  Some machines have bugs in one mode but not the other.  My
favorite example is a machine I have that was sold with a custom Linux
install and a warning that "you MUST use legacy mode" for the standard
app, but OpenBSD can't see the disk I/O unless you run it in UEFI mode.
Different hardware WILL behave differently.  Nothing has made me
appreciate the PC BIOS more than the things that have tried to replace
it.

IF you got the model with the serial port, you could try using a serial
console.

Sounds like you got it loaded via alternative means, if you can ssh into
the system and get a dmesg out of it, it would be interesting to look
at and might shed some clues.  But some of these specialty machines
(including some virtualization products) are built and tested to certain
OSs and not much regard is given to other systems or the reference
designs.

Nick.



Re: Ctrl key doesn't interrupt boot

2022-11-14 Thread Nick Holland

On 11/14/22 06:40, Harald Dunkel wrote:

Hi folks,

according to boot(8) holding the Ctrl key is supposed to interrupt
boot before /etc/boot.conf is read. But it doesn't. I see boot's
message on VGA that it switches over to serial (as mentioned in
boot.conf), and then it doesn't boot for a reason I would like to
investigate. The screen stays black.

I am sure that console redirection is turned off in the BIOS.
OpenBSD is version 7.2. USB Keyboard.

Every helpful hint is highly appreciated.


Harri



Wild guess, but I suspect that your BIOS isn't setting the marker
that /boot uses to see the pressing of the CTRL key on your system
with a USB keyboard.  /boot is pretty much dependent upon your
system BIOS doing The Right Thing, as the OS hasn't loaded yet.
So other than looking at Other Things, I'm not sure there's an
OpenBSD fix for this.

Does your machine accept a PS/2 keyboard?  If so, does CTRL work
as expected there?

Nick.



Re: Can I undo OpenBSD GPT partition table and recover my data? was: Triple booting Windows/Debian/OpenBSD?

2022-11-03 Thread Nick Holland

On 11/3/22 10:14, Ottavio Caruso wrote:

On Tue, 1 Nov 2022 at 12:27, Ottavio Caruso naively wrote:

...

This is how it looks from Debian:


Device Start   End   Sectors  Size Type

...

/dev/sda6  223012864 877277183 654264320  312G Microsoft basic data

...

So I officially joined the club of idiots who don't back up their
partition table. I wanted to install OpenBSD to free space, instead I
must have overwritten the partition table (hopefully not formatting
the drive because I aborted soon after realizing the mistake). I have
attached two screenshots.

I don't mind reinstalling Windows and Linux but I have a 350GB fat32
partition with tons of videos and books that I'd like to recover.

I have tried using testdisk from cgsecurity but it cannot recover that
particular partition.

Any help will be appreciated.


IF you happen to know where the start and end of that FAT32 partition
is, i.e., an old OpenBSD fdisk or disklabel output, you can create
a new partition of the same type in that exact location and your data
will Just Be There, though getting it out of a laptop would be a bit
tricky.

Looks like you have the info from your linux install.  I'd suggest
practicing on something else with whatever tools you have, I am
pretty sure OpenBSD won't "help" you by doing anything to the newly
(re)created partition, but I can't make promises about any other
tool.  I really can't make promises about OpenBSD, I haven't
tried doing this in a while.

Now repeat after me: multibooting is hard.  Never do it on a system
that you aren't prepared to completely reload...

Nick.



Re: Installing OpenBSD on new Chromebook

2022-10-29 Thread Nick Holland

On 10/29/22 10:11, Jeff Ross wrote:



On 10/29/22 1:29 AM, Stuart Henderson wrote:

On 2022-10-28, Gabriel Busch de Brito  wrote:



All of places I'm finding with directions on how to do this are from circa
2015 and do not work now.

Anybody have a pointer to a more updated set of directions I can try?

I suggest that you follow the installation guide at the FAQ section of
the website.


Chromebooks aren't standard computers and usually come with a
locked-down bootloader that will need disabling to install another OS.

Also if it's arm rather than x86 there will be additional challenges
beyond this.

So there's not enough information in the original post to give any kind
of pointer.



Thanks Stuart.

It's an HP Chromebook 14a-na1083d with an Intel Celeron N4500 with 4G
ram and 128 eMMC drive.

Booting up in developer mode it tells me that it is Model LANTIS-MEXL if
that helps.



Just install it, see what happens.  If you want a guarantee, buy me one
exactly like it, and I'll do what I'm suggesting you do. :)  (and then
you will discover why I call model numbers "market position statements",
not "unique HW configuration identification systems")

Or maybe better yet, see if it will boot from an OpenBSD install image
on a USB drive, if it does, set up a full OpenBSD install on a USB drive
and see what happens. I've had pretty good luck with HP PC-like systems
that weren't sold with "standard" operating systems on them, but past
experience is no indicator yada-yada-yada.

Pain points if you get past booting are likely to be wireless and graphics.

If you can get it to boot from a USB drive to test, you are probably good
for an install.  If you can't, probably not worth the effort.  There MAY be
tricks you can do, but you can put a lot of time and effort into forcing
something to install OpenBSD and then find out X doesn't work.  Or there's
no functioning network.  Or both.

Nick.



Re: softraid disk read error

2022-10-18 Thread Nick Holland

On 10/18/22 09:35, se...@0x.su wrote:

I have raid1 volume (one of two on PC) with 2 disks.

# disklabel sd5
# /dev/rsd5c:
type: SCSI
disk: SCSI disk
label: SR RAID 1
duid: 7a03a84165b3d165
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 243201
total sectors: 3907028640
boundstart: 0
boundend: 3907028640
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:       3907028608                0  4.2BSD   8192 65536 52270 # /home/vmail
  c:       3907028640                0  unused


Recently I got an error in dmesg

mail# dmesg | grep retry
sd5: retrying read on block 767483392

(This happened during copying process)

and system marked volume as degraded

mail# bioctl sd5
Volume      Status               Size Device
softraid0 1 Degraded    2000398663680 sd5     RAID1
          0 Online      2000398663680 1:0.0   noencl
          1 Offline     2000398663680 1:1.0   noencl

I tried to reread this sector (and a couple around) with dd to make sure
the sector is unreadable:

mail# dd if=/dev/rsd3c of=/dev/null bs=512 count=16 skip=767483384
16+0 records in
16+0 records out
8192 bytes transferred in 0.025 secs (316536 bytes/sec)
mail# dd if=/dev/rsd5c of=/dev/null bs=512 count=16 skip=767483384
16+0 records in
16+0 records out
8192 bytes transferred in 0.050 secs (161303 bytes/sec)

but the error did not appear.
Are there any methods to check if sector is bad (preferably on the fly)?
If this is not a disk error (I'm going to replace cables just in case)
should I just get disk back online with
bioctl -R /dev/sd3a sd5
?


You made some assumptions about the math that the disk uses vs. the math
dd uses, and I'm not sure I agree with them.  I'd suggest doing a dd read
of the entire disk (rsd3c), rather than trying to read just the one
sector.  Remember, there's an offset between the sectors of sd5 (the
softraid drive) and sd2 & sd3 where sd5 lives.  So I'd kinda expect your
sd3 check to pass because you missed the bad spot, and I'd expect your
sd5 check to pass because the bad drive is locked out of the array and
no longer a problem.

IF you are a cheap *** or the machine is in another country, you might
want to try dd'ing zeros and 0xff's over the entire disk before putting it
back in the array.  That sometimes triggers a discovery of a bad spot and
locks it out and replaces it with a spare.  I've had some success with
this process, actually, though it's a bad idea. :)

Nick.



Re: Swap on SSD's (with softraid 1+C)

2022-09-07 Thread Nick Holland

On 9/7/22 09:05, Erling Westenvik wrote:

Hello,

...

My question is: Should I let swap be outside RAID altogether? Like
"directly" on the physical disks as in sd0b and sd1b? I mean, why have
softraid waste CPU cycles making swap content (if any) redundant? What
do you people do?


1) if you are using swap, you are doing it wrong.  The additional
processor load of encrypting swap twice is going to be lost in the
screams of horror and malcontent from your users and you.  Really is
a case of optimizing the positioning of the deck chairs on the Titanic.
Things are going down, people are unhappy.  They won't notice the
tiny difference.

2) Swap on softraid means you can re-use the swap space for other things
when you decide "I never use swap, but I wish I made my /var partition
a bit bigger".  It is difficult to now create a new softraided space on
an unencrypted part of the drive.

3) you said "Softraid 1+C", so having non-redundant swap isn't going to
accomplish what you want when a disk fails.  IF you are using swap
and the swap disk fails, I'm pretty sure your system is going to have
a bad day.



(Follow up question as for swap sizing: In the age of 32+ GB RAM, do
you people really follow the recommendations on having swap at least
twice the amount of RAM? I'm hoping for 72GB RAM and that would steal
144GB of my 525GB disks, something that seems ridiculous.)


depends.  Using 525GB of disk if you are building a firewall system
and only need 20G is also ridiculous.  But yeah 2xRAM dates back to
...well, I can't think of a time when it was ever a good idea (well,
in an academic environment, I once used an IBM mainframe with 16MB
RAM and two 16MB RAM disks for swap, the swap was ALMOST like regular
RAM.  That might have made some sense, but I never got to see how
the swap actually was used and worked on the thing).

As mentioned above, the advantage of allocating 144G RAM to swap is
you now have 140G you could reallocate to something else if you
later decide 144G was massively overkill for swap, but you didn't
make a big enough /tmp or /var partition or need a separate /var/www.
If you need all the 500GB of SSD, you probably should get a bigger
disk. If you don't need it, leave a good chunk unallocated.  Swap
is kinda unallocated, right? :)

So in short: I see no real disadvantage to swap on RAID1+C, and some
potential advantage.  You might wish you did, you are unlikely to
wish you didn't.

Nick.



Re: Is OpenBSD suited for old Dell Precision T5500 (Dual Xeon X5675, 72GB RAM)

2022-09-07 Thread Nick Holland

On 9/7/22 08:09, Jan Stary wrote:

> > 1) On initial boot (with 7.1 release, on a usb stick) it more or less
> > immediately panicked into ddb when I tried to pipe dmesg into a file on
> > the usb stick. I took out the NVMe-card, and whether or not that was the
> > problem the machine anyhow behaved better long enough for me to get
> > network and do a fw_update.
> 
> sure sounds like it could be a bad USB stick.

> Very common.  For important things, I have learned to write zeros over
> the entire USB stick before expecting it to actually work.  Nothing to
> do with the T5500.


I am puzzled: how exactly is a zero filled USB stick
less panicky than another USB stick?


My experience with floating gate storage (SSD, Flash) has been less
than stellar, and I'm a bit cynical about billions of microscopic
capacitors holding their charge reliably.  Well, perhaps I'm TOO
cynical, but I've had a lot of issues over the years. (I'm also cynical
about trillions of bits of magnetic flux, but my experience with
that has been better).

Especially with the "cheap" stuff (or top dollar stuff that is
actually cheap stuff with a big price tag), there often seem to be
bad spots on the drives that sometimes OpenBSD doesn't handle
gracefully.  Writing the entire surface of the drive seems to find
and lock out the bad spots in advance of their use for data.  Ideally,
I should probably write all zeros AND all ones, but if I'm in a rush
to get something in production (or BACK into production), I just do
zeros.  Writing zeros seems to help, I can't think of a case where
I can state with confidence that writing zeros and ones did something
better than just zeros.

For example, last week, I stuck a 60g USB drive on a machine, rsync'd
a bunch of data to it, and a little way in, it dropped to near zero
performance.  No obvious error, but the data stopped moving and the
USB system seemed to basically stop.  Could not reboot because the
OS couldn't umount the USB stick.  Power cycled, dd'ed zeros over
the drive, and now I've got no issues with it.

I've been able to extend the life of flakey SSDs the same way (don't
say "write fatigue", these drives haven't had a fraction of the
writes to be worried about "write fatigue".  They just weren't good
drives).

Plus...probably not a bad idea to know what data is on a USB drive
anyway.

Nick.



Re: Is OpenBSD suited for old Dell Precision T5500 (Dual Xeon X5675, 72GB RAM)

2022-09-06 Thread Nick Holland

On 9/6/22 21:52, Erling Westenvik wrote:

Hello,

A friend donated an old Dell Precision T5500 workstation, a heavy
bastard with dual Xeon X5675 and 72GB RAM which still packs a punch I
believe. At least it does for me. I would like it to replace my old i7
3770k. However, I'm starting to have doubts:

1) On initial boot (with 7.1 release, on a usb stick) it more or less
immediately panicked into ddb when I tried to pipe dmesg into a file on
the usb stick. I took out the NVMe-card, and whether or not that was the
problem the machine anyhow behaved better long enough for me to get
network and do a fw_update.


sure sounds like it could be a bad USB stick.
Very common.  For important things, I have learned to write zeros over
the entire USB stick before expecting it to actually work.  Nothing to
do with the T5500.

NVMe??  don't think I have that in mine...But then, I probably wasn't
looking.

This an add-on board?  I'd certainly strip it down as much as possible.


2) After fw_update the radeondrm was detected and I got a nice 2560x1600
console. However, before it would give me a login prompt the machine got
stuck with repeating complaints about "ehci_device_clear_toggle: queue
active". So – USB related, right?  Very well! Out with the usb stick, in
with an old SSD with OpenBSD 6.7.

3) The machine behaves better, xenodm starts fine with cwm, but it won't
resume after suspend (zzz).


haven't tried suspending.  Thing has been on pretty much 24x7 for five+
years.
 

Some or all of the above problems may have solutions, trivial or not,
but more problems may perhaps lurk under the surface..?

So I guess my question is if someone knows whether these Dell machines
are known to be error prone in general, or problematic with OpenBSD in
particular, and if I should stop before wasting time!?


well, I have one, looks very similar to yours.  I've been using it for
quite a few years, this message is being composed on it, in fact.  Like
it enough that when a friend of mine told me he had another one, I got
it as a spare.

In short: you have a potentially good machine.  I have no idea of the
condition that yours is actually in, but "Run OpenBSD on a T5500? Yes".

Nick.


Re: recommended partitions to backup with dump

2022-08-24 Thread Nick Holland

On 8/24/22 13:28, Shadrock Uhuru wrote:

hi everyone
after losing a considerable amount of data that i had accumulated over the last year or so
by trying to remove a directory called '~' that i had created by mistake
in a sub directory of my home directory with rm -rf ~
which of course started to eat through my home directory with a vengeance,
i managed to stop it before it went too far,
i didn't have any recent backups,
needless to say i've learned my lesson about having a good policy of regular backups.
what are the recommended partition to backup if

1 i want to do a fresh reinstall e.g. to move to a larger hard drive.
2 for a disaster recovery like what i experienced above.

i will be using ville walveranta's autodump 1.5a script
which does a full dump on sundays and incremental dumps during the week,
i already have /home /etc and /root set for backup,
are there any other partitions i should bear in mind ?

shadrock



/root and /etc should be on the root partition ( / , sd0a, typically).
There is *generally* not much data of substance in the directory /root,
but that depends on your environment.

Also depending on your environment, there's often a lot of really important
stuff in /var.  Or not.  You may have local scripts hiding out in
/usr/local/*bin.

If you want a "Bare Metal" restoration, you really need everything.  I
kinda think of 'dump' as a bare-metal restoration tool, though it can
definitely restore individual files.

The real answer, though, is "you backup everything you need".  OpenBSD
installs are so small, the vast majority of your system is often so much
bigger, might as well just back up everything, or exclude things that are
more trouble than they are worth (/mnt, /tmp leap into mind).

After you establish your backup system, build and validate a new system
based on that backup, both a "fresh install" and an "unhappy event" case.

I'm rather a fan of "know where your important files are" and restore by
building a new system, installing the required applications, then copying
over the config files and the data directories.  Thus I tend to be partial
to rsync backups using the --link-dest option rather than dump(8)s of file
systems.  Both have their place, and they really aren't competitors.

I have a sample starting point rsync --link-dest script here:
  https://holland-consulting.net/scripts/ibs/

Nick.



Re: OpenBSD 7.1 : reorder_kernel: failed

2022-08-02 Thread Nick Holland

On 7/29/22 7:29 AM, Nicolas wrote:

Hello,

I recently used the multiprocessor kernel on my OpenBSD 7.1 computer,
using this command :

cp bsd bsd.sp && cp bsd.mp bsd

Since then, I have this message in /var/log/messages :

Jul 25 20:17:05 server reorder_kernel: failed -- see
/usr/share/relink/kernel/GENERIC.MP/relink.log

Here is the contents of the relink.log file :
(SHA256) /bsd: OK

LD="ld" sh makegap.sh 0x gapdummy.o
ld -T ld.script -X --warn-common -nopie -o newbsd ${SYSTEM_HEAD} vers.o
${OBJS}
ld: error: duplicate symbol: i915_get_bridge_dev
  >>> defined at i915_drv.c:106
(/usr/src/sys/dev/pci/drm/i915/i915_drv.c:106)
  >>>    i915_drv.o:(i915_get_bridge_dev)
  >>> defined at i915_dma.c:206
(/usr/src/sys/dev/pci/drm/i915/i915_dma.c:206)
  >>>    i915_dma.o:(.text+0x0)
*** Error 1 in /usr/share/relink/kernel/GENERIC.MP (Makefile:999
'newbsd': @echo ld -T ld.script -X --warn-common -nopie -o newbsd
'${SYSTEM...)

I did a :

sha256 -h /var/db/kernel.SHA256 /bsd
That did not change anything.

Here is what I have in / :

-rwx--   2 root  wheel  22977229 Jul 20 20:10 bsd
-rwx--   1 root  wheel  15629818 Sep 19  2019 bsd.backup
-rwx--   2 root  wheel  22977229 Jul 20 20:10 bsd.booted
-rw-r--r--   1 root  wheel  22977229 Apr 22 13:40 bsd.mp
-rw---   1 root  wheel   4606368 Apr 22 13:40 bsd.rd
-rw---   1 root  wheel  22863908 Jul 20 20:09 bsd.sp

The computer seems to run fine. I don't know if that error message is
important.


The message is important in that the kernel re-link process is a
really cool bit of OpenBSD security, which isn't working for you
right now.  Which leaves you still in the position of being much
more secure than Linux, but still worth fixing. :)

Without this feature working, you are running the exact same kernel
every time you boot.  Like most other OSs...


What's your opinion, could you help me with that message ?


Well, I'm not really sure what is going on, but I'm guessing you
have done something odd in the past that left the kernel rebuild
process in a strange state.  Which is a lot of words for saying,
"I don't know, but I'm blaming you" :)

I'm thinking booting off bsd.rd and "upgrading" the system to the
same version you are running now would probably fix the problem
by bringing everything back in sync (I'm assuming you are running
7.1-release, if you are running a snapshot, just run "sysupgrade"
and move to a new snapshot).

Nick.



"cdio cddbinfo" broken?

2022-07-25 Thread Nick Holland

I noticed that the cdio(1) cddbinfo command seems to no longer
work.  I don't think this is a snapshot breakage -- I upgraded
a May 8 snapshot to Jul 23 snapshot, but I am pretty sure I
had a failure on the May 8 snap just before upgrading, and
I appear to have used it successfully on June 23.

For some CDs, it returns an accurate title:
  $ cdio cddbinfo
  Van Halen / Van Halen II (rock)

but not the track listing it used to show.

Other CDs, it shows nothing at all.  No error code or
message is returned.  So far, in all my samples that I know had
worked are giving me a title.

Can anyone confirm/refute?

Nick.


Re: OpenBSD hardware accelerated video? (In X on Intel/AMDGPU/ARM64)

2022-07-20 Thread Nick Holland

On 7/20/22 10:24 AM, Joseph wrote:

Hi,

Is there any hardware accelerated video decoding in OpenBSD today?

E.g. in X on AMDGPU and Intel & ARM64 built-in graphics.

My best understanding is that the X graphics rendering is indeed
accelerated on those, but video decoding is not.

HW accelerated video decoding would be very useful as high-resolution
full-screen playback doesn't really work now because there's too much
lag (or maybe I had unsupported hardware, if so glad to be corrected). It
would contribute to a sense of smoothness in X/web browsing.


well...I have some pretty old hw that I don't seem to have any issue
watching full screen 1920x1200 video from YouTube.  Or 1920x1080 on my
other monitor.  On both Firefox and Chrome.  Zero efforts to optimize
performance, just tweaking login.conf to respect the expectations of
modern browsers so they don't get slapped out of RAM for excess memory
consumption.

OpenBSD 7.1-current (GENERIC.MP) #506: Sun May  8 20:07:46 MDT 2022 <- needs 
updating :-/
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34340835328 (32749MB)
avail mem = 33282727936 (31740MB)
...
bios0: vendor Dell Inc. version "A16" date 05/28/2013
bios0: Dell Inc. Precision WorkStation T5500
...
cpu0: Intel(R) Xeon(R) CPU X5670 @ 2.93GHz, 3192.41 MHz, 06-2c-02
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,AES,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,MELTDOWN
[six real cores, hyperthreading off.  Was once a fast processor,
but that was probably ten years ago].
...
radeondrm0 at pci3 dev 0 function 0 "ATI Radeon HD 5450" rev 0x00
drm0 at radeondrm0
...
radeondrm1 at pci4 dev 0 function 0 "ATI Radeon HD 3450" rev 0x00
drm1 at radeondrm1
...
[pretty sure both those video cards were always lame]

Now, I'm not very picky, but I don't see obvious lag.  Kinda sucks,
I was much more productive before youtube and other video sources
became fully functional in OpenBSD. :)

Nick.



Mirror/website maintenance: man.openbsd.org, cvsweb.openbsd.org, *.cs.toronto.edu

2022-07-16 Thread Nick Holland

Hello,

Due to power maintenance, the following systems are expected
to be down 7:00am to 7:00pm EST on Sunday July 17:

man.openbsd.org
cvsweb.openbsd.org
openbsd.cs.toronto.edu
obsdacvs.cs.toronto.edu

Systems should come back up when the power work is completed,
I'll be monitoring and verifying.

Nick.



Re: Installing sets from /

2022-07-13 Thread Nick Holland

On 7/13/22 1:11 PM, Vincent Legoll wrote:

Hello,

I was trying to autoinstall OpenBSD 7.1 on a VM when I stumbled upon
something unexpected (to my uneducated eyes) in the installer.

What I'm trying to do may very well fall in the "unsupported" basket,
just tell me. But still, I think I can at least ask if this is
actually intended behavior.

When I used the following answers:

[...]
Location of sets = disk
Is the disk partition already mounted = yes
Pathname to the sets = /
[...]

I expected the setup to look at the / (from the ramdisk), but it
searched in /mnt2 instead.


As a user, I'd expect the response there to be "As would be seen
on the running system."

As a user, I expect it to go something like this:
"I put the install sets someplace on the running system, say
/home/upgrade or /usr/rel.  I rebooted into bsd.rd, chose
"install" or "upgrade", I expect to answer exactly where I put
the files. How the upgrader or installer does the upgrade or
install, I really don't care."

The installer happens to mount the system hanging off /mnt2,
but I shouldn't have to know that.  I definitely shouldn't have to
include that in my answer (in my opinion)
 ...


Is this in need for a modification, or is it good as-is ?
I can submit a patch if you think it is useful.


Speaking only for myself, I think it is working exactly as I'd
hope right now.

I would spend some time thinking about why you are stuffing the
install files into the ramdisk rather than from an existing
file system or other more supported option.  I think the "proper"
answers will work better for you all around.

Nick.



Re: Fanless amd64 sytem recommendations

2022-07-11 Thread Nick Holland

On 7/11/22 1:13 AM, B. Atticus Grobe wrote:

I've been running a Hewlett-Packard HP t620 Quad Core TC for a couple of
years now in that role, with the AMD GX-415GA SOC in it. It's the bigger
brother of that found in the APU systems.

The stock configuration usually has 4GB of RAM in them, with a single re(4)
1GBps NIC, and a 16GB mSATA SSD.

I haven't had any issues out of mine, which I got for I believe $50 on
eBay. They seem to be fairly easy to acquire. Another $25 for a power brick
(which amazingly has had no issues either), and you're good to go.

These boxes have eDPI display outputs, and optionally have either an RS-232
serial port or VGA output, along with USB 2 and USB 3.

They come with an embedded version of Windows 10, but I've had no issues
running OpenBSD 6.8-7.0 on it, 9front, or Linux. IIRC, it supports EFI
booting, but I've only used legacy BIOS boot.

If you get one from eBay, I would recommend opening it and verifying that
all the internal screws are tight. I had some loose either from shipping or
carelessness on the mSATA hold-down and a few other places.


few notes on a HP T430 Thin Client...which probably apply to some other HP
thin clients, definitely not others.

HP T430: 16GB "disk", 2G RAM Intel N4000 dual core
1) OpenBSD requires the machine be in UEFI mode, which is a change from the
HP linux which requires it be in legacy mode.  If not in UEFI, you have no
storage (for OpenBSD).

2) bsd.rd doesn't work without a monitor or fake monitor plug attached.
Thus, if running headless, you can't do a "sysupgrade" (but can do a
"remote upgrade" without bsd.rd/sysupgrade).  Standard bsd.mp kernel works
just fine.  Friend of mine reports Linux does the same thing.

3) Rather than using a formal HP power pack, you can "fake it" with just
about anything capable of putting out 12-20v and 0.75A or more.  High value
(100k-300k) resistor added between center pin and +V on the computer
overrides the "Is this an HP power pack?" test.  The higher the voltage, the
lower the current draw.  Hint: the parts are tiny, the workspace is cramped,
not a good way to learn to solder. :)

4) Total power dissipation was 4w while compiling a kernel, which took
25 minutes.  2W when idle (according to a wattmeter that had a 1W
granularity on its readings, so +/-1W on the reading).

5) X seems to just work.  Have not used it extensively, though.

6) wired: re(4).  Wireless (IF so equipped): iwm0

IF you happen to be in the Detroit, MI area and want one, I've got
too many, contact me off-list.  Probably cost less than Ebay "shipping".

Nick.


Re: Convert a Linux VPS to OpenBSD

2022-06-20 Thread Nick Holland

On 6/20/22 11:47 AM, Étienne wrote:

Hello there,

This is a bit of a long shot, but I'm trying my luck: There used to be a
community thread on Scaleway's documentation website that explained how
to convert a Linux instance to an OpenBSD instance, because no OpenBSD
ISO image was available in their console. It seems that this doc
disappeared as their documentation section has changed format, and I
can't find it on archive.org either. I would like to try and apply the
same process at another VPS provider. Does anyone remember or know how
this was done, and would they be kind enough to summarise it here, please?

Thanks!



Assuming you have console and can do your own install, perhaps doing
a Linux install and leaving a chunk of the beginning of the "disk"
unallocated, then dd the minirootXX.img over the very beginning of
the "disk", then rebooting.  This should get you into the OpenBSD
installer, assuming you actually overwrote the beginning of the
logical disk and not a Linux partition.

A hard reset or "power cycle" might work better than a reboot, as
you don't want the Linux system updating anything on the disk
partition tables after the dd is complete (if "reboot" even works
at that point).

However, you might want to think long and hard about committing to
a VPS that doesn't actively support the OS you wish to install.  What
works today may faceplant tomorrow and they may not care at all to
fix it for you.

Nick.



Re: Cannot configure wi-fi card

2022-05-28 Thread Nick Holland

On 5/27/22 10:25 PM, Matsuda Kenji wrote:

Hello.

I just installed OpenBSD 7.1 and am having trouble
setting up a wi-fi card.
There is no wi-fi interface in ifconfig output.
Dmesg says that there is some error configuring NIC:
iwm0 at pci1 dev 0 function 0 "Intel Dual Band Wireless-AC 9260"\
 rev 0x29, msix
iwm0: Failed to wake up the nic.



do you have any options in the system setup that might help?  Maybe
even switching between UEFI and "legacy" boot modes, I have a
machine that refuses to see its storage devices if it is booted in
Legacy mode, but works pretty well in UEFI mode, and I could imagine
it going the other way, too.

Oh...a BIOS upgrade might be in order.

No promises.

Nick.



Re: bsdtar -O | --to-stdout

2022-05-26 Thread Nick Holland

On 5/26/22 4:55 AM, Dirty Dawn wrote:

Hi,

i'm looking for a way to reproduce -O flag in bsdtar/gtar using tar
or pax but i didn't find one.

Is there a way to do that using standard tar or pax?

Thank you


It generally works better if you tell us what you are wishing
to accomplish, rather than the option some other OS uses.
Sounds like you are trying to send tar output (or input) to
stdin/stdout.

The (a?) common "Unix way" of doing this is specifying the file
name "-".  This trick is portable across many Unixes and many
Unix commands:

  $ tar cf - * |ssh remote "tar xf -"
(tar current directory to stdout, send it via SSH to computer
"remote", and untar in the current directory on the remote
computer)

This works for a lot of commands...

  $ ssh remote "cat /etc/hosts" | diff -u - /etc/hosts

Nick.



Re: gpt+uefi boot+openbsd+linux

2022-05-24 Thread Nick Holland

On 5/24/22 6:28 PM, Gustavo Rios wrote:

May some one here suggest a documentation that explains this scenario ? I am
in need of this.

Thanks in advance!


I've actually been experimenting with the UEFI OpenBSD and Windows combo,
though I suspect it is applicable to Linux, as well.

Warning: I'm trying to avoid GRUB as my boot selector.  UEFI is supposed
to be able to do this for us.  So I would rather just use it.  I don't
trust grub to do anything other than Windows and Linux (which is just
Windows re-invented badly).

Short version: wow...there's a lot of variety out there on machines.  If you
want one answer for all hardware, that's not gonna happen. :-/
That's about the only certainty I have at this point.  Many UEFI systems
are only designed to boot Windows it seems, the idea of multiple OSs on
one disk didn't occur to some people..

I don't want to use the Windows 10 boot selection process IF I have
another option.  Unlike Windows 7 and before, it seems to boot
95% of Windows, then gives you the menu.  If you pick OpenBSD, it then
totally reboots the machine -- back to the firmware and back up, but
this time to OpenBSD. If you pick Windows, the last 5% loads in a couple
seconds.

IF you install OpenBSD first, you need to puff-out the GPT boot
partition before install.  OpenBSD's default is really tiny, just
enough to boot OpenBSD (as you would expect).  Boot bsd.rd, drop
to shell, MAKEDEV your disk, "fdisk -gb20 sd0" or similar, iirc,
for a 100MB GPT UEFI boot partition.  The default Windows one is
big enough for OpenBSD to share, I'm guessing Linux, as well.

A couple Dell laptops I have with UEFI actually don't suck.  In the BIOS,
there's an option to select various boot targets.  One is "Windows Boot
Manager" or something like that, the others can be loaders pulled out of
the UEFI boot partition.  This ends up working really slickly for dual
booting, and it looks like it would easily extend to multiple OSs.
Basically put each option in your boot list, make the first one your
primary OS (the "no hands" boot).  If you want to boot a different OS,
you hit the boot selection key at the right time (F12? I mark mine with
a bit of paint, so I can't remember what it is).  This brings up a
menu, the menu selections can be readable to humans...  May not be
the ultimate solution for all people, but ... works really well for
me.

I've got a couple older HP systems, not so impressive.  If you hit
the magic key (F9, iirc) at the right moment, you can poke around
in the boot partition.  Otherwise, it wants to boot a particular OS, and
if I recall properly, I got one booting OpenBSD by default, the other
windows by default, and I have NO IDEA how the default was chosen (or
is it just the firmware on this machine prefers ...?).  On one of them,
I found a 16MB (yes, MB, not GB) SD card, came with an old digicam
(flashback to 12 exposure rolls of film!).  I dropped minirootXX.img
on it, created a /etc/boot.conf file that pointed to pulling the
kernel off hd1a:/bsd and called it done.  Want to run OpenBSD, leave
the SD card in place, want to boot windows, eject the card a little, push
it back in when it's booted.  This is cheesy, doesn't scale to a third OS,
but it works for me in this laptop.

I'm working on a better write-up (with fewer "IIRC"s :) ), but this might
be enough to get you started.

Nick.



Re: calling all PFsync users for experience, gotchas, feedback, tips and tricks

2022-05-11 Thread Nick Holland

On 5/11/22 3:32 PM, Tom Smyth wrote:

Hello Folks,

We are updating some course material for an upcoming PF firewall course,
and I would like to put a call out to those who use PFsync in a
redundant firewall cluster
about your user experience, have you come across any edge cases?
have you any tips or tricks about PFSync.
have you come across any edge cases / minor misconfigurations /
suboptimal configurations that caused problems, were there some tweaks
you had to make to make your system scale ?

it is likely that people who are running PFSync have  more complicated
firewall configs.

and I would like to see what tuning other people have done in the field.


It's been a few years since I managed a firewall cluster with pfsync, but
one thing I came up with fairly early on is we needed a way to manage rule
changes between the two devices, and I came up with something that I think
is pretty cool, and yet haven't seen anyone else describe something
similar.

Wrote a little script which, when run:
* Compared this script on "this" FW with "Other" FW
* generated a diff between the /etc/pf.conf file on both systems
  (other box assumed to be "old", "this" box assumed to be new)
* Put the diff into a file along with the user ID of the administrator who
  made the changes, prompted the user to enter a description for the change
  above the diff, who approved it, etc.
* If the administrator enters a change log and saves the file:
  * save that file to disk, with a clear date and time stamp.
  * Copy "this" FW's pf.conf file to the "other" system
  * pfctl -f /etc/pf.conf on both systems
  * scp the change log file to the other system
* Probably should look for changes in hostname.*, and deal with their
  changes, too, but I didn't implement that at the time, so I'd be lying
  if I told you I did.  But I recall wishing I had! :D

This way, you have a log of every change made to the system, plus
administrator comments as to why the change was made.  EITHER FW can push
changes to the other, both boxes have a full history, either box can be
used to rebuild the other.  IF you find a problem, a diff to undo it is
easily found.  It makes change control almost a pleasure.  If someone
made a change and forgets to push it to the other, you can see that the
diff is more complicated than you expected (or you made a typo and blew
something out!).

I've used similar scripts for other fully redundant systems, like DNS
servers.  Yes, I'm sure you can do similar things with system management
applications like puppet, etc., but this is completely self-contained,
no extra hw or packages required.  (and yes, DNS has the master/slave
config with zone transfers, but I'd argue this is a better system.)

Nick.
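
One way to implement the change-control push described in the message above, as an added example (not Nick's script and not an OpenBSD tool). PEER, LOGDIR, SELF and the four hook functions are hypothetical names; unlike the original, the description and approver are passed as arguments instead of being typed into an editor, and the pfctl -n parse check is an extra step the post does not mention.

```shell
#!/bin/sh
# Added example: push pf.conf changes from "this" firewall to its pfsync
# peer and keep a change log on both boxes. All names are assumptions.

PF_CONF=${PF_CONF:-/etc/pf.conf}
LOGDIR=${LOGDIR:-/var/db/pf-changes}
PEER=${PEER:-fw2.example.net}
SELF=${SELF:-$0}     # this script; compared with the copy on the peer

# Transport hooks. Redefine them to exercise the logic without a peer.
peer_cat()    { ssh "$PEER" "cat '$1'"; }
peer_put()    { ssh "$PEER" "mkdir -p '${2%/*}'" && scp -pq "$1" "$PEER:$2"; }
reload_both() { pfctl -f "$PF_CONF" && ssh "$PEER" "pfctl -f '$PF_CONF'"; }
check_rules() { pfctl -nf "$1"; }    # parse only, load nothing

# pf_push ADMIN DESCRIPTION APPROVER
# Returns 0 pushed or nothing to do, 1 transport or I/O failure,
# 2 no description, 3 script mismatch, 4 rules do not parse.
pf_push() {
    admin=$1; desc=$2; approver=$3
    work=$(mktemp -d) || return 1
    rc=0
    pf_push_steps || rc=$?
    rm -rf "$work"
    return "$rc"
}

pf_push_steps() {
    # 1. Both boxes must carry the same version of this script.
    peer_cat "$SELF" | cmp -s - "$SELF" ||
        { echo "push script differs on $PEER" >&2; return 3; }

    # 2. Diff the rule sets: the peer is assumed old, this box new.
    peer_cat "$PF_CONF" > "$work/peer.conf" || return 1
    drc=0
    diff -u -L "$PEER:$PF_CONF" -L "$PF_CONF" \
        "$work/peer.conf" "$PF_CONF" > "$work/diff" || drc=$?
    if [ "$drc" -eq 0 ]; then
        echo "pf.conf identical on both boxes, nothing to push"
        return 0
    fi
    [ "$drc" -eq 1 ] || return 1     # diff itself failed

    # 3. The change description is mandatory: no log entry, no push.
    [ -n "$desc" ] || { echo "change description required" >&2; return 2; }

    # Extra step (not in the post): refuse rules that do not parse.
    check_rules "$PF_CONF" || { echo "pf.conf does not parse" >&2; return 4; }

    # 4. Time-stamped log entry: who, approved by whom, why, and the diff.
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    log="$LOGDIR/$stamp-$admin.log"
    mkdir -p "$LOGDIR" || return 1
    {
        printf 'Date: %s\nAdmin: %s\nApproved-by: %s\nDescription: %s\n\n' \
            "$stamp" "$admin" "$approver" "$desc"
        cat "$work/diff"
    } > "$log" || return 1

    # 5. Copy the rules over, load them on both boxes, ship the log entry.
    peer_put "$PF_CONF" "$PF_CONF" && reload_both &&
        peer_put "$log" "$log" || return 1
    echo "pushed to $PEER; change log: $log"
}
```

Source the file and run `pf_push "$USER" "why the change was made" "approver"` on the box whose pf.conf was edited; because the log entry holds a unified diff against the peer's old rules, an unexpected extra hunk shows that someone changed one box without pushing.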



Re: OpenBSD ports require xbase set - still true?

2022-05-11 Thread Nick Holland

On 5/9/22 4:56 PM, Steffen Nurpmeso wrote:

Hello.

Just a rant, not for ports@.
I am installing OpenBSD 7.1 right now; this is only a VM, and
i want to create / manage ports there.
Until now whenever i wanted to do this i had to install xbase,
otherwise the port makefile complained some.  (I am afraid i have
forgotten the details.)  Is this still true?


So you want to "create/manage" ports in an unsupported environment.

What is the "problem" you are trying to solve?
This is 2022.  Hard drives are measured in hundreds of gigabytes
for tiny drives.

Current amd64 snapshot, ungzip'd:
 21.9M bsd*
 22.0M bsd.mp*
  4.4M bsd.rd*
592.0M May 11 15:03 base71.tar
265.0M May 11 15:03 comp71.tar
  6.3M May 11 15:03 game71.tar
 30.5M May 11 15:03 man71.tar
176.0M May 11 15:03 xbase71.tar <-- Not a big deal
 35.0M May 11 15:03 xfont71.tar
 57.5M May 11 15:03 xserv71.tar
 26.6M May 11 15:03 xshare71.tar

I think you have a problem with perspective here.
All of X (not just xbase) is about 300MB, and just isn't worth
worrying about today.  What you save by skipping it, you will
more than make up for by trying to fix the problems you will
make for yourself.

Nick.



Re: HP T430 "Thin Client": Won't sysupgrade without HDMI monitor attached.

2022-05-08 Thread Nick Holland

On 5/7/22 5:40 PM, Mike Larkin wrote:

On Fri, May 06, 2022 at 11:39:51PM -0400, Nick Holland wrote:

...

For giggles, I did a "gop" and a "video" at the boot> prompt, and both came
back with no response, just another boot> prompt.



just 'gop' and 'video'?  These should be "machine gop" and "machine video".


huh. yep.  Just like it says in "man boot", which I did look at, but read
it wrong.  Slightly complicated that "gop" and "video" at the boot> prompt
alone produce no error message and no output.

"machine video" and "machine gop" listed a bunch of valid configs.
Putting "machine gop 1" or "machine video 1" in /etc/boot.conf changed
nothing, still getting a reboot when trying to boot bsd.rd with no
monitor attached, and a successful boot when the monitor is plugged in.

Nick.



Re: HP T430 "Thin Client": Won't sysupgrade without HDMI monitor attached.

2022-05-06 Thread Nick Holland

On 5/6/22 2:30 PM, Nick Holland wrote:

On 5/6/22 12:48 PM, Theo de Raadt wrote:

Florian Obser  wrote:


So, if you end up with a /bsd.upgrade on the running system that is
still mode 0700, your bootloader is on the fritz.

If you have a /bsd.upgrade that's 0600 your bootloader found the kernel
and tried to boot it, but the installer didn't get very far.

If there is no /bsd.upgrade after a reboot and no email to root the
installer got rebooted by a watchdog process, otherwise you got an email
to root detailing the upgrade process.


A very nice 3-way split.


Brilliant, even.
   

Then once you figure out which one of those 3 is happening, it is easy
to reason about how to create further differentiations and see which is
happening.


I was very much guessing it was /boot, but no.
   
-rw---   1 root  wheel   4609699 May  6 13:13 bsd.upgrade


So ... it's booting bsd.upgrade and failing, which explains why copying
bsd.upgrade (aka bsd.rd) to /bsd tossed it into a lala-loop.

Unfortunately, this machine doesn't retain dmesg buffer between boots.

so ... booted bsd.rd with a monitor attached, and grabbed the dmesg below.

I'm looking at this:

 efifb0 at mainbus0: 1920x1080, 32bpp

If the system is booted (bsd) without a monitor attached, that says:

 efifb at mainbus0 not configured

Getting to the boot> prompt, typing "boot bsd.rd", unplugging the monitor
and hitting "ENTER" resulted in a successful boot of the bsd.rd kernel (and
efifb is showing the monitor as connected).

I tried bsd.rd renamed "bsd" so it would only boot bsd.rd, and then firing
the machine up and plugged the monitor in AFTER the boot process (probably)
started hoping to see some indication on the screen of the crash.  Result:
no display until the kernel crashes and the system reboots.

Nick.


Got contacted by someone off-list who told me they "fixed" this problem
on their machine by switching to a serial console, which is cool, but my
machine doesn't have a serial console. (set tty com0 resulted in a hang,
as it was probably waiting for the UART to say, "Sent that first character"
and it never does).

Is it possible that bsd.rd *must* have some kind of output device?
efifb fails to configure without a monitor attached, so no console output?

For giggles, I did a "gop" and a "video" at the boot> prompt, and both came
back with no response, just another boot> prompt.

Nick.



Re: HP T430 "Thin Client": Won't sysupgrade without HDMI monitor attached.

2022-05-06 Thread Nick Holland

On 5/6/22 12:48 PM, Theo de Raadt wrote:

Florian Obser  wrote:


So, if you end up with a /bsd.upgrade on the running system that is
still mode 0700, your bootloader is on the fritz.

If you have a /bsd.upgrade that's 0600 your bootloader found the kernel
and tried to boot it, but the installer didn't get very far.

If there is no /bsd.upgrade after a reboot and no email to root the
installer got rebooted by a watchdog process, otherwise you got an email
to root detailing the upgrade process.


A very nice 3-way split.


Brilliant, even.
 

Then once you figure out which one of those 3 is happening, it is easy
to reason about how to create further differentiations and see which is
happening.


I was very much guessing it was /boot, but no.
 
-rw---   1 root  wheel   4609699 May  6 13:13 bsd.upgrade


So ... it's booting bsd.upgrade and failing, which explains why copying
bsd.upgrade (aka bsd.rd) to /bsd tossed it into a lala-loop.

Unfortunately, this machine doesn't retain dmesg buffer between boots.

so ... booted bsd.rd with a monitor attached, and grabbed the dmesg below.

I'm looking at this:

   efifb0 at mainbus0: 1920x1080, 32bpp

If the system is booted (bsd) without a monitor attached, that says:

   efifb at mainbus0 not configured

Getting to the boot> prompt, typing "boot bsd.rd", unplugging the monitor
and hitting "ENTER" resulted in a successful boot of the bsd.rd kernel (and
efifb is showing the monitor as connected).

I tried bsd.rd renamed "bsd" so it would only boot bsd.rd, and then firing
the machine up and plugged the monitor in AFTER the boot process (probably)
started hoping to see some indication on the screen of the crash.  Result:
no display until the kernel crashes and the system reboots.

Nick.




HP T430 "Thin Client": Won't sysupgrade without HDMI monitor attached.

2022-05-06 Thread Nick Holland

here's a weird one.

HP T430 Thin Client, reloaded with OpenBSD.
In its intended use, it runs Linux in BIOS boot mode.  OpenBSD's
installer will boot that way, but the kernel is unable to see the
16g storage device.  In UEFI boot mode, OpenBSD works well,
including running X.  This machine has ONLY HDMI and DisplayPort
video connections (one each).  There's no com port on the box for
an alternative view of what is going on.

The problem comes when I put them to work without a monitor.

The machine will boot fine, run fine...but sysupgrade fails to upgrade
the system.  It downloads the intended files, it reboots, and a few
moments later, it's back up and running -- the old kernel. Plug an
HDMI monitor in, run sysupgrade again, and it sees the upgrade marker
and does the upgrade.  Textbook Heisenbug :-/

For giggles, I did a sysupgrade -k (keep the files), let it reboot,
in the root directory was bsd.upgrade as expected.  I copied
bsd.upgrade to /bsd, forcing it one way or another to run
bsd.upgrade ... and the result was a hung system.  Never came back
after the reboot, no idea why.  When I moved it to be near an HDMI
monitor, it promptly booted, complained about permissions on
bsd.upgrade, but upgraded perfectly (but I am not sure which of
the two copies of the kernel it used).

What can I do to help provide info to determine what is going on
here?

Nick.


Re: Softraid on NVMe

2022-05-06 Thread Nick Holland

On 5/6/22 9:03 AM, Proton wrote:

Hi,

I'm using softraid 1C on my remote dedicated server, built on two NVMe disks.
It works really well from a performance perspective and provides some data
protection, but there is no way to check device health status because SMART
doesn’t work.
I guess bioctl will tell me only if devices are ‚online’, but nothing more?


well, a softraid device isn't a physical device, so, I'm not sure
what you would get that you couldn't get out of bioctl.  I have:
  bioctl softraid0
in my /etc/daily.local, and I also have a backup system that checks softraid
status on all systems (hey, as long as I'm in the neighborhood and doing
stuff as root...)

You can look at the SMART status of the underlying physical devices in
the softraid set exactly as you would non-softraid drives.

So, if you put a lot of faith in SMART (I don't), what are you missing?


Are there any "poor man’s” methods for checking state of devices you would
suggest to perform periodically - like ‚cat /dev/rsd0c > /dev/null’ +
‚cat /dev/rsd1c > /dev/null’?
Will potential I/O errors or timeouts be reported to stderr or to some system
log file?


doing read tests like that over the entire underlying drives seems like
a good idea to me. Haven't implemented it so I can't say how it would
respond to real problems, but I can think of only one good way to find
out.  (from experience: how things act when a drive fails is hard to
predict and really hard to test.  So even a dozen "this is how it behaved"
results don't tell you what happens for the NEXT failure)

I would definitely want to put some rate limiting on it so you don't
kill performance overall.


As a last method I can reboot to linux rescue from time to time, but this
would not be very convenient.

Should I forget about NVMe and use other option - LSI MegaRaid HW with SSD
disks attached?


what would you gain there?  Now you could only access what the
controller thinks of the drive's state through bioctl (which
you seemed to think was inadequate for softraid).

In the HW vs. SW RAID argument, I'm firmly in the "either way" camp,
but if I understand your query, you are LOSING info here.

(I've also heard stories about SSDs and HW RAID not playing well
together, but I'm not prepared to defend or refute that statement.
On the other hand, I've seen SSDs work differently enough from what
HW and SW expect that ... nothing would surprise me).

Nick.
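
The two checks discussed in this message (softraid status from bioctl, and a rate-limited read pass over the underlying raw devices), as an added example that is not code from the thread. The function names, the default chunk size and pause, and the sample bioctl output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names, chunk size and
# pause are assumptions; the sample bioctl output below is constructed.

# Constructed sample of `bioctl softraid0` output for a degraded mirror.
sample_degraded() {
    cat <<'EOF'
Volume      Status               Size Device
softraid0 0 Degraded     250057060352 sd2     RAID1C
          0 Online       250057060352 0:0.0   noencl <sd0a>
          1 Offline      250057060352 0:1.0   noencl <sd1a>
EOF
}

# softraid_problems: read bioctl output on stdin and print every volume or
# chunk line whose Status column is not "Online". Exit 1 if any was found.
softraid_problems() {
    awk '
        $1 == "Volume" || NF == 0 { next }     # skip header and blank lines
        # volume lines: name index status ...; chunk lines: index status ...
        { status = ($1 ~ /^[0-9]+$/) ? $2 : $3 }
        status != "Online" { print; bad = 1 }
        END { exit bad + 0 }
    '
}

# read_test DEV [CHUNK_MB] [PAUSE_S]: read DEV front to back in CHUNK_MB
# pieces, sleeping PAUSE_S seconds between pieces as crude rate limiting.
# Prints "ok <full MB read>" and returns 0, or prints "error at MB <offset>"
# and returns 1 on the first read that dd reports as failed.
read_test() {
    dev=$1 chunk=${2:-64} pause=${3:-1}
    log=$(mktemp) || return 2
    off=0
    while :; do
        if ! LC_ALL=C dd if="$dev" of=/dev/null bs=1048576 \
                skip="$off" count="$chunk" 2>"$log"; then
            echo "error at MB $off"
            cat "$log" >&2
            rm -f "$log"
            return 1
        fi
        # dd reports "N+M records in": N full blocks, M partial blocks.
        set -- $(sed -n 's/^\([0-9]*\)+\([0-9]*\) records in.*/\1 \2/p' "$log")
        full=${1:-0}
        off=$((off + full))
        # Fewer full blocks than requested means the end was reached.
        if [ "$full" -lt "$chunk" ]; then
            break
        fi
        sleep "$pause"
    done
    rm -f "$log"
    echo "ok $off"
}
```

Called from /etc/daily.local as `bioctl softraid0 | softraid_problems` and `read_test /dev/rsd0c`, anything printed ends up in the daily mail to root. How a failing drive actually shows up in dd's exit status is, as the message says, something only a real failure will tell you.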



Re: creating new partition has corrupted the disklabel ("bad super block")

2022-04-30 Thread Nick Holland

On 4/30/22 5:16 AM, Sylvain Saboua wrote:

Hello

I have recently got an upgrade for my laptop with a 1TB SSD drive.
I successfully managed to install a dual boot between archlinux and
openbsd, both on encrypted partitions.

Everything was fine with both systems, until the final act of the
dual boot which consists in setting a partition for file sharing
between the two operating systems, using encfs on ext2.


So...you want to share an encrypted partition between two unrelated
operating systems.

Pretty sure that's not going to work.  And since you haven't provided
any details of what you did, I'm guessing you don't have a plan to
get around the problems.  Linux and OpenBSD use very different
encryption mechanisms.


Creating this partition in archlinux works fine, but has seemingly
corrupted the disklabel for openbsd: openbsd boots fine until the
disk-checking step comes, whereupon I am informed that the j and k
partitions on the sd1 disklabel are somewhat corrupted:

/dev/sd1k (/home): BAD SUPER BLOCK: MAGIC NUMBER WRONG

/dev/sd1j (/usr/obj): BAD SUPER BLOCK: VALUES IN SUPER BLOCK DISAGREE
WITH THOSE IN LAST ALTERNATE

UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY

Automatic file system check failed: help!
Enter pathname of shell or RETURN for sh:


This absolutely does not imply a corrupted disklabel.  This is a
corrupted partition.  Or an encrypted partition that OpenBSD doesn't
know how to decrypt.
 

(this is an approximate copy of the error messages, I cannot properly
access the system to copy the logs or a full disklabel/fdisk)

How could I solve this? For now trying a few things with fsck or newfs
didn't work but perhaps I looked in the wrong direction.

Also, this is on an install before the last openbsd 7.0 release.


not sure what that means, but OpenBSD is up to 7.1 now.


I don't know how I can upgrade an encrypted install using the usb
medium, but perhaps if I would this would be a way to solve my problem?


again, not sure what you are asking, but pretty sure the answer is "no".

Encrypted disk OpenBSD systems upgrade very much like unencrypted disk
systems, except you have to type your passphrase a few times (and maybe
say, "Boot THIS OS" a few times for a multiboot system).  An upgrade
may improve hardware support and add new features, but is unlikely to
fix a bad configuration.

If you want to have a common disk space between multiple OSs with full
disk encryption, you will need a non-encrypted space to work with.

But if your goal is a fully encrypted disk, creating a non-encrypted
chunk of disk seems to be defeating a purpose here.  Maybe you should
look at some other ideas:
* Use a USB flash drive or SD flash card.  Put it in when you need to
move files, remove it when you are done.
* External NFS server
* External SFTP server (could be a small VPS, so you could bounce
files between OSs literally anywhere.  Or between users!)

But as I and others have said in the past, multiboot systems are
complicated.

Nick.



Re: Unusable resolution on a widescreen monitor during install

2022-04-27 Thread Nick Holland

On 4/27/22 9:15 AM, David Demelier wrote:

Hello,

I have a lenovo thinkcentre machine connected to 24” LG screen (with
4k resolution), the installer boots fine using UEFI but it looks like
efifb takes a strange “squared” resolution where bottom part of the
console is below the screen so I’m unable to see what I type. I’ve
taken a picture of what’s seen:

http://markand.fr/static/openbsd-resolution.jpeg

I have tried disabling inteldrm using UKC as I’ve seen on some
websites with somewhat similar problem but with no effect. I’ve also
noticed there is no wscons(cfg|ctl) utilities in the installer so I
was unable to blindly type commands to alter the resolution either.
Unfortunately, changing boot video mode using `machine video …` does
not change kernel resolution either.

My only solution for now would be to boot not using UEFI but that’s
something I’d like to avoid if possible.

Do you have any idea why an incorrect resolution is picked up by the
kernel? I’m using install71.img on USB stick FYI.


The installer kernel is very limited in its abilities, and if I understand
UEFI (which I don't), the install kernel is more-or-less locked into using
what the firmware sets up.  "man efifb" kinda hints that I might be right
on this.

In short: probably not a lot you can do with the install kernel to fix
the problem.  And hopefully, once installed, the "real" kernel will be fine
with your monitor.

HOWEVER, 4k monitors and their support are interesting.  I have an old HP
netbook with an AMD competitor to the Intel Atom chips which just took off
and ran with an HDMI 4k monitor, and a much more capable and newer Thinkpad
which didn't work properly at all with 4k (in both OpenBSD and Windows).

You might want to start with a firmware upgrade for your machine in question,
see if that helps.  If not, a few ideas:

* Boot the installer, drop to shell, hit "clear" to put the cursor back at
the top of the screen and do your install, taking defaults as much as
possible to minimize dialog, and defaults for everything after the text rolls
off the bottom of the screen, and clean it up later.

* Do a serial install (aren't I funny?  As if there is a serial port on a
machine with an HDMI port!  But maybe there is...Maybe I should go buy
a lottery ticket, too).

* Try the install with a 1920x1080 or lesser resolution monitor.

* Move the hard disk to another UEFI machine and do the install on it, then
move the disk back, hoping the other machine works better for the installer.

Nick.



Re: clang 13 space issues with KARL

2022-04-27 Thread Nick Holland

On 4/25/22 1:23 PM, Peter J. Philipp wrote:

Hi,

I have an openbsd amsterdam vps and KARL is using up so much RAM that it
causes the system to swap.  I recently upgraded it to 7.1 and it's the first
time I had a problem with this (that I noticed).  I have tried to put KARL
into a login.conf'ed (32 MB data limit) user but ld doesn't like that at all
and exits with a memory allocation failure.

What can I do to make KARL reorder_kernel use less memory without buying more
RAM?  I've turned KARL off for now but that's not a real solution and I hate
it.

Is there no option in the clang 13.0.0 linker to store what it would normally
store in memory to disk?  I know it would be slow but KARL doesn't need to
be fast if it's backgrounded.


yep. It is called "swap".  You just reinvented swap. :)
And KARL is backgrounded already.


I've done some homework googling and found this:
https://stackoverflow.com/questions/25197570/llvm-clang-compile-error-with-memory-exhausted

in the checked solution, 1 and 2 are sorta out of the question, but question is
whether we're using a Debug build of clang?  Does anyone know off hand?

While I'm here thinking about possible solutions it would be cool if I could
allocate a 128 MB vmm inside this vmm (cascaded vmm's?) with a stripped down
KARL building kernel and lots of swap, then it can swap all it wants to while
linking and it leaves the system in reasonable memory without swapping in
the main vm.  Perhaps I'm thinking in over-engineering terms here?


"I have a problem with memory consumption.  I know!  I'll solve it adding a VM!"
Now you have many problems.  I really don't think this is a good idea.

How tiny is this VM???  My smallest intel box currently sitting around and
ready to go is a 400MHz celeron with 512MB RAM, i386 platform, so I just
fired it back up and did a few sysupgrades to bring it up to 7.1-current (ok,
"just" isn't applicable here, I started this test yesterday). I did a reboot
and as soon as I could log back in, did so and watched top -- ld topped out
at about 270MB. That is admittedly huge for an OS I used to do builds on
with 128MB and run in production with 32MB but a couple releases ago, I
found that 384MB was the minimum needed to avoid swap on boot. Doesn't look
much worse now (granted, i386 platform.  I don't know what you are running).

If you are trying to run <512MB RAM, I would politely suggest reconsidering
some life choices here. :)

Alternatively, you might want to think about other options.
KARL is great, but even without it, I think you will find OpenBSD is still far
more robust and secure than the systems your bank runs on, so disabling KARL
is not fatal in my mind for otherwise fairly secure systems.  If you wish to
get overly complicated, you could disable KARL on the production machine and
relink a kernel periodically on ANOTHER machine and put it on the prod
machine after it is built (there's your VM.  Just don't put it on an already
resource-starved system!)

Another idea might be to slip "disknice" into /etc/rc where it rebuilds the
kernel.  It is a cute little bit of code TedU@ wrote a number of years ago,
you can find it here:
https://marc.info/?l=openbsd-misc&m=126526614419455&w=2
It won't stop swapping, but *may* help other tasks get some time.  I've found
it useful on disk I/O tied tasks, but never tried it with a swap-bound task.
I have no idea how it would impact a swapping process.  Might solve your
problem, might do nothing ("doing nothing" counts as hurting when you make
changes to system scripts).

Nick.



Re: No valid root disk found when upgrading

2022-04-21 Thread Nick Holland

On 4/21/22 11:46 AM, michal.lyszc...@bofc.pl wrote:

Hello,

So I have OpenBSD 6.8 (yeah I know), and am trying to upgrade to
6.9 (and version by version until 7.1:)). Problem is that installer
does not see disk. This is my very first time I upgrade OpenBSD,
so I might be missing something simple. I've read through the upgrade
documentation, and tried to google my problem but I could not fix
my problem.

I upgrade with sysupgrade. After boot I try to select root disk:

Available disks are: .
Which disk is the root disk? ('?' for details) ?
sd0: NVMe, Samsung SSD 970, 2B2Q  (232.9G)
Available disks are: .
Which disk is the root disk? ('?' for details) sd0
sd0 is not a valid root disk.
Available disks are: .


Going into shell, /dev/sd0* do not exist. So I tried to create nodes:

upgrade# ./MAKEDEV sd0


Now disklabel shows proper disk info
(label is from samsung 960, even though I have samsung 970 disk.
I migrated some time ago from 960 to 970, guess I must have used
dd to do it, hence label from previous disk. I assure you I have
only 1 disk inserted, and no usb disks).

upgrade# disklabel sd0
# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: Samsung SSD 960
duid: dc999ef6267325df
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 30401
total sectors: 488397168
boundstart: 1024
boundend: 488397105
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:          8400960             1024  4.2BSD   2048 16384 12960
  b:         67119581          8401984    swap
  c:        488397168                0  unused
  d:        134223072         75521568  4.2BSD   2048 16384 12960
  e:        278652416        209744640  4.2BSD   4096 32768 26062
  i:              960               64   MSDOS


fdisk

upgrade# fdisk /dev/rsd0c
Disk: /dev/rsd0c   Usable LBA: 64 to 488397104 [488397168 Sectors]
   #: type [   start: size ]

   1: EFI Sys  [  64:  960 ]
   3: OpenBSD  [1024:488396081 ]


But when I exit shell I still have the very same problem as at the
beginning and I can't select root disk. Strange thing is, that when
I exit shell to installer, and then go back to shell with "!",
/dev/sd0 disappears.


that part is normal; I'm not sure why, but /dev seems to be "cleaned" if you
exit the install script under some (most?) circumstances.


This really isn't a way to work towards figuring out what is going wrong,
but being that a problem with the 6.8 to 6.9 upgrade isn't going to be
fixed at this point, I'm kinda thinking it would be worth just doing a manual
upgrade to 6.9 via copying over the kernel and untarring the files and see if
6.9 to 7.0 goes better.

If you want to play it safe, maybe just copy the new bsd to /bsd69 and
then do a "boot bsd69" and make sure it sees the disks properly before
committing to an actual upgrade.  You will probably get all kinds of nasty
error messages, but if so, you know 6.9 is seeing the disk, and a full
upgrade should be safe.

Nick.


