ftp/sftp file size limit

[josorio]

Is it possible to limit the accepted file size of any uploaded file by 
configuring the ftp or the sftp server (OpenBSD 5.3/amd64)? 

If not, can it be done by pf?

John

Re: python

[James Griffin]

* Jérémie Courrèges-Anglas  [2013-09-20 23:31:25 +0200]:

> Stefan Wollny  writes:
> 
> > Hi there!
> 
> Hi,
> 
> > As some of you might have noticed I had recently some issues with my
> > ancient IBM/lenovo T60 (>10 years young and still running; ye).
> >
> > Tonight I reinstalled my system to 5.4-current #62. When installing all
> > those packages needed on any decent desktop I stumpled upon python:
> >
> > One package had a dependency to python-2.7.5 and provided the advice if
> > this version is going to be the system-wide python-installion to make
> > the relevant symlinks.
> >
> > But: At least one other package (libreoffice) requires python-3.3.2 .
> >
> > Now what is the best way to go:
> >
> > (1)
> > Do nothing as the packages will use the python-version they need.
> >
> > (2)
> > Set symlinks to python-2.7.5
> >
> > (3)
> > Set symlinks to python-3.3.2
> >
> > Any hints, advices, remarks?
> 
> Ports are patched to use the versioned python executables / ressources.
> Thus you are free to do whatever pleases you.

I symlink to python2.7 but also have 3.3 installed as dependencies. The 
packages use the python version they need. The symlinking is really just for 
you to choose which verion you want to use for your own software/scripts etc., 
so making it more convenient for that purpose. 

Re: ftp/sftp file size limit

[john slee]

On 21 September 2013 17:07,  wrote:

> Is it possible to limit the accepted file size of any uploaded file by
> configuring the ftp or the sftp server (OpenBSD 5.3/amd64)?
>

You can do this on a per-user basis with a login class (man login.conf,
then man useradd) but the user experience is not exactly ideal. I set a
filesize limit of 1048576 bytes, then uploaded a file:

sftp> put /usr/share/dict/web2
Uploading /usr/share/dict/web2 to /home/uploader/web2
/usr/share/dict/web2  100% 2435KB 187.3KB/s   00:13
   Connection closed

/home/uploader/web2 was indeed limited to 1048576 bytes.

John

Re: Way too many crashes with recent snapshots (non-HTML-version)

[Erling Westenvik]

On Fri, Sep 20, 2013 at 11:43:50PM +0200, Stefan Wollny wrote:
> OK - it happened again: The system just stopped responding, entirely!
> 
> This time it was after roughly 4 hours. grellkm reported temperatures of
> acpi* below 80 degrees Celsius, over 10 degrees below the threshold.
>
> radeondrm0 at pci1 dev 0 function 0 "ATI Radeon Mobility X1300 M52-64"
> rev 0x00: apic 1 int 16 drm0 at radeondrm0
> drm: initializing kernel modesetting (RV515 0x1002:0x7149
> 0x17AA:0x2005). radeondrm0: VRAM: 128M 0x -
> 0x07FF (64M used) radeondrm0: GTT: 512M 0x0800
> - 0x27FF ttm_pool_mm_shrink_init stub
> drm: PCIE GART of 512M enabled (table at 0x0004).
> radeondrm0: 1400x1050
> wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using

A shot in the dark perhaps, but I noticed that your machine has a
DuoCore cpu and radeon graphics. On two of my similar machines (a
ThinkPad T500 and a Dell Optiplex 755) I've given on up using radeon
graphics alltogether. Especially the Dell machine kept on stopping
completly.

The ThinkPad has switchable graphics, ATi or Intel, and runs fine with
the latter. On the Dell I gave up using my old ATi (RV610 chipset) a
week ago and switched to the onboard Intel chip. I lost dual head but at
least the machine is now rock stable.

I cannot afford to buy more recent ATi (AMD) cards and test, but suspect
radeondrm to be the culprit!?

Erling

no sound with Realtek ALC889A and OpenBSD 5.3 amd64

[Vigdis]

Hi,

I've been running OpenBSD for a couple of months on my server.
Recently the hard drive of my desktop computer (on Debian) died so I
tought I would try OpenBSD for my desktop. I successfully installed 5.3
amd64 on it with XFCE but I never succeeded in having sound from it.

I installed PC-BSD (on a separate HDD) and at first there wasn't
sound neither. PC-BSD provides a panel control (with GUI) where I was
able to change the default audio device and then sound was working. I
grep the dmesg (at the end of the mail, there are the two complete
dmesg) dmesg | grep pcm
pcm0:  at nid 3 on hdaa0
pcm1:  at nid 20,22,21,23 and
24,26 on hdaa1 
pcm2:  at nid 27 and 25 on hdaa1 
pcm3:  at nid 30 and 31 on hdaa1

The audio device which is working on PC-BSD is pcm1.

I looked for these device in the dmesg from OpenBSD but they are not
present. All I can find about is 
azalia1 at pci0 dev 27 function 0 "Intel 82801I HD Audio" rev 0x02: msi
azalia1: codecs: Realtek ALC885
audio0 at azalia1

I give you PC-BSD and OpenBSD dmesg and the output of audioctl and
mixerctl.

PC-BSD  dmesg :

Copyright (c) 1992-2013 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights
reserved. FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 9.2-RELEASE-p7 #0: Wed Sep 11 15:02:50 UTC 2013
r...@amd64-builder.pcbsd.org:/usr/obj/usr/src/sys/GENERIC amd64
gcc version 4.2.1 20070831 patched [FreeBSD]
module zlib already present!
CPU: Intel(R) Core(TM)2 Duo CPU E6850  @ 3.00GHz (3000.06-MHz
K8-class CPU) Origin = "GenuineIntel"  Id = 0x6fb  Family = 0x6  Model
= 0xf  Stepping = 11
Features=0xbfebfbff
Features2=0xe3fd
AMD Features=0x20100800 AMD Features2=0x1
  TSC: P-state invariant, performance statistics
real memory  = 2146304000 (2046 MB)
avail memory = 2034683904 (1940 MB)
Event timer "LAPIC" quality 400
ACPI APIC Table: 
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
FreeBSD/SMP: 1 package(s) x 2 core(s)
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  1
WARNING: VIMAGE (virtualized network stack) is a highly experimental
feature. ioapic0: Changing APIC ID to 2
ioapic0  irqs 0-23 on motherboard
kbd1 at kbdmux0
cryptosoft0:  on motherboard
aesni0: No AESNI support.
acpi0:  on motherboard
acpi0: Power Button (fixed)
acpi0: reservation of 0, a (3) failed
acpi0: reservation of 10, 7fde (3) failed
cpu0:  on acpi0
cpu1:  on acpi0
attimer0:  port 0x40-0x43 irq 0 on acpi0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
atrtc0:  port 0x70-0x73 irq 8 on acpi0
Event timer "RTC" frequency 32768 Hz quality 0
Timecounter "ACPI-safe" frequency 3579545 Hz quality 850
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
hpet0:  iomem 0xfed0-0xfed003ff on acpi0
Timecounter "HPET" frequency 14318180 Hz quality 950
Event timer "HPET" frequency 14318180 Hz quality 450
Event timer "HPET1" frequency 14318180 Hz quality 440
Event timer "HPET2" frequency 14318180 Hz quality 440
Event timer "HPET3" frequency 14318180 Hz quality 440
acpi_button0:  on acpi0
pcib0:  port 0xcf8-0xcff on acpi0
pci0:  on pcib0
pcib1:  irq 16 at device 1.0 on pci0
pci1:  on pcib1
vgapci0:  port 0xa000-0xa0ff mem
0xe000-0xefff,0xf500-0xf500 irq 16 at device 0.0 on
pci1 hdac0:  mem 0xf501-0xf5013fff irq 17
at device 0.1 on pci1 uhci0:  port
0xd100-0xd11f irq 16 at device 26.0 on pci0 uhci0: LegSup = 0x2f00
usbus0 on uhci0 uhci1:  port
0xd200-0xd21f irq 21 at device 26.1 on pci0 uhci1: LegSup = 0x2f00
usbus1 on uhci1
uhci2:  port 0xd000-0xd01f irq 18
at device 26.2 on pci0 uhci2: LegSup = 0x2f00
usbus2 on uhci2
ehci0:  mem
0xf8104000-0xf81043ff irq 18 at device 26.7 on pci0 usbus3: EHCI
version 1.0 usbus3 on ehci0
hdac1:  mem 0xf810-0xf8103fff irq 22
at device 27.0 on pci0 pcib2:  irq 16 at device
28.0 on pci0 pci2:  on pcib2
pcib3:  irq 19 at device 28.3 on pci0
pci3:  on pcib3
atapci0:  port
0xb000-0xb007,0xb100-0xb103,0xb200-0xb207,0xb300-0xb303,0xb400-0xb40f
mem 0xf800-0xf8001fff irq 19 at device 0.0 on pci3 ahci0:  at channel -1 on atapci0 ahci0: AHCI v1.00
with 2 3Gbps ports, Port Multiplier supported ahci0:
quirks=0x1 ahcich0:  at channel 0 on ahci0
ahcich1:  at channel 1 on ahci0 ata2:  at
channel 0 on atapci0 pcib4:  irq 16 at device 28.4
on pci0 pci4:  on pcib4
re0:  port
0xc000-0xc0ff mem 0xf700-0xf7000fff irq 16 at device 0.0 on pci4
re0: Using 1 MSI message re0: Chip rev. 0x3800
re0: MAC rev. 0x
miibus0:  on re0
rgephy0:  PHY 1 on
miibus0 rgephy0:  none, 10baseT, 10baseT-FDX, 10baseT-FDX-flow,
100baseTX, 100baseTX-FDX, 100baseTX-FDX-flow, 1000baseT,
1000baseT-master, 1000baseT-FDX, 1000baseT-FDX-master,
1000baseT-FDX-flow, 1000baseT-FDX-flow-master, auto, auto-flow re0:
Ethernet address: 00:1a:4d:5a:71:ae uhci3:  port 0xd300-0xd31f irq 23 at device 29.0 on pci0 usbus4 on
controller> uhci3 uhci4:  port
controller> 0xd400

Re: no sound with Realtek ALC889A and OpenBSD 5.3 amd64

[Dmitrij Czarkoff]

>From your mixerctl output:

> outputs.master=0,0

This means that your volume level is set to 0. Did you try setting higher
value?


Dmitrij D. Czarkoff

Re: no sound with Realtek ALC889A and OpenBSD 5.3 amd64

[Vigdis]

On Sat, 21 Sep 2013 16:15:28 +,
Dmitrij Czarkoff  wrote:

> From your mixerctl output:
> 
> > outputs.master=0,0
> 
> This means that your volume level is set to 0. Did you try setting
> higher value?

Duh, I couldn't think the problem would be so stupid :-)
Thanks!

> 
> Dmitrij D. Czarkoff
> 


-- 
Vigdis

Re: Way too many crashes with recent snapshots (non-HTML-version)

[Ryan Freeman]

On Sat, Sep 21, 2013 at 12:10:18PM +0200, Erling Westenvik wrote:
> On Fri, Sep 20, 2013 at 11:43:50PM +0200, Stefan Wollny wrote:
> > OK - it happened again: The system just stopped responding, entirely!
> > 
> > This time it was after roughly 4 hours. grellkm reported temperatures of
> > acpi* below 80 degrees Celsius, over 10 degrees below the threshold.
> >
> > radeondrm0 at pci1 dev 0 function 0 "ATI Radeon Mobility X1300 M52-64"
> > rev 0x00: apic 1 int 16 drm0 at radeondrm0
> > drm: initializing kernel modesetting (RV515 0x1002:0x7149
> > 0x17AA:0x2005). radeondrm0: VRAM: 128M 0x -
> > 0x07FF (64M used) radeondrm0: GTT: 512M 0x0800
> > - 0x27FF ttm_pool_mm_shrink_init stub
> > drm: PCIE GART of 512M enabled (table at 0x0004).
> > radeondrm0: 1400x1050
> > wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using
> 
> A shot in the dark perhaps, but I noticed that your machine has a
> DuoCore cpu and radeon graphics. On two of my similar machines (a
> ThinkPad T500 and a Dell Optiplex 755) I've given on up using radeon
> graphics alltogether. Especially the Dell machine kept on stopping
> completly.
> 
> The ThinkPad has switchable graphics, ATi or Intel, and runs fine with
> the latter. On the Dell I gave up using my old ATi (RV610 chipset) a
> week ago and switched to the onboard Intel chip. I lost dual head but at
> least the machine is now rock stable.
> 
> I cannot afford to buy more recent ATi (AMD) cards and test, but suspect
> radeondrm to be the culprit!?

I too have a thinkpad T60 with a slightly 'better' radeon chipset, at
least the model number is slightly higher:

11:16 insomniac:~% dmesg|grep radeondrm
radeondrm0 at pci1 dev 0 function 0 "ATI Radeon Mobility X1400" rev 0x00: apic 
1 int 16
drm0 at radeondrm0
radeondrm0: VRAM: 128M 0x - 0x07FF (128M used)
radeondrm0: GTT: 512M 0x0800 - 0x27FF
radeondrm0: 1400x1050
wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using wskbd0

It currently has an uptime of 6 days 16hrs, I beat the graphics regularly. 
6 days 16hrs ago i did an update to a newer snapshot.

my desktop running a radeon hd3650 had an uptime of over 15 days whilst
using heavy gl stuff.  managed to freeze it with a browser, though ;)

laptop has yet to freeze since radeondrm officially in-tree, it was a bit
shakey during the initial radeondrm tests, but those weren't even public
in the first place.

my Thinkpad T60 does not have an option to switch between radeon and
an intel chip.

-ryan

> 
> Erling

Re: Way too many crashes with recent snapshots (non-HTML-version)

[Marc Espie]

On Sat, Sep 21, 2013 at 11:26:31AM -0700, Ryan Freeman wrote:
> laptop has yet to freeze since radeondrm officially in-tree, it was a bit
> shakey during the initial radeondrm tests, but those weren't even public
> in the first place.
> 
> my Thinkpad T60 does not have an option to switch between radeon and
> an intel chip.

Your mileage may vary. With current, radeon works splendidly here, but intel
does some weird things at work...

Some supplementary info: there's a reason it's called current, and the kms
work is some major undertaking.  It's quite alright to report problems, with
preferably as much useful info as possible, but expect things to change
quite a lot more before 5.5.

I, for one, am very happy with the current progress, kudoes to jsg@ and
kettenis@. 


Even if things are not letter-perfect yet, the current
gfx performance of my machines is ways ways better than it was a few months
ago, including 3d, video playing, and heck, even vertical synchronization.

dovecot fails with too many open files

[Nikola Gyurov]

Hey everyone,

I'm running 5.4-current and using dovecot-2.2.5p0 from the default
package repository.

When starting dovecot, it fails with multiple too many open files errors:
Sep 21 21:07:46 core dovecot: master: Dovecot v2.2.5 starting up
Sep 21 21:07:46 core dovecot: master: Error: service(director): pipe()
failed: Too many open files
Sep 21 21:07:46 core dovecot: master: Error: service(dict): pipe()
failed: Too many open files
Sep 21 21:07:46 core dovecot: master: Error: service(config): pipe()
failed: Too many open files
Sep 21 21:07:46 core dovecot: master: Error: service(auth): pipe()
failed: Too many open files
Sep 21 21:07:46 core dovecot: master: Error: service(auth-worker):
pipe() failed: Too many open files

As per this:
http://www.openbsd.org/cgi-bin/cvsweb/ports/mail/dovecot/pkg/README-server?rev=1.1

I've created a separate login class for dovecot (I'm not using the
login.conf.db db) with higher limits:
# tail -5 /etc/login.conf
# Dovecot
_dovecot:\
:openfiles-cur=2048:\
:openfiles-max=4096:\
:tc=daemon:

Changed the _dovecot user to be in it:
Login: _dovecot
Uid [#]: 518
Gid [# or name]: 518
Class: _dovecot
Home directory: /nonexistent
Shell: /sbin/nologin
Full Name: Dovecot Account

Yet I'm still getting the same errors.
Any ideas?

Best regards,
Nikola Gyurov

Re: dovecot fails with too many open files

[Stuart Henderson]

On 2013-09-21, Nikola Gyurov  wrote:
> Hey everyone,
>
> I'm running 5.4-current and using dovecot-2.2.5p0 from the default
> package repository.
>
> When starting dovecot, it fails with multiple too many open files errors:
> Sep 21 21:07:46 core dovecot: master: Dovecot v2.2.5 starting up
> Sep 21 21:07:46 core dovecot: master: Error: service(director): pipe()
> failed: Too many open files
> Sep 21 21:07:46 core dovecot: master: Error: service(dict): pipe()
> failed: Too many open files
> Sep 21 21:07:46 core dovecot: master: Error: service(config): pipe()
> failed: Too many open files
> Sep 21 21:07:46 core dovecot: master: Error: service(auth): pipe()
> failed: Too many open files
> Sep 21 21:07:46 core dovecot: master: Error: service(auth-worker):
> pipe() failed: Too many open files
>
> As per this:
> http://www.openbsd.org/cgi-bin/cvsweb/ports/mail/dovecot/pkg/README-server?rev=1.1
>
> I've created a separate login class for dovecot (I'm not using the
> login.conf.db db) with higher limits:
> # tail -5 /etc/login.conf
> # Dovecot
> _dovecot:\
> :openfiles-cur=2048:\
> :openfiles-max=4096:\
> :tc=daemon:
>
> Changed the _dovecot user to be in it:
> Login: _dovecot
> Uid [#]: 518
> Gid [# or name]: 518
> Class: _dovecot
> Home directory: /nonexistent
> Shell: /sbin/nologin
> Full Name: Dovecot Account
>
> Yet I'm still getting the same errors.
> Any ideas?
>
> Best regards,
> Nikola Gyurov
>
>

How are you starting Dovecot? The login class addition is only used
when starting via the rc.d system e.g. "/etc/rc.d/dovecot start"
or adding dovecot to the pkg_scripts variable in /etc/rc.conf.local.

Re: pf.conf for OpenVPN

[Shteryana Shopova]

Hi,

On Fri, Sep 20, 2013 at 9:06 AM, Carsten Larsen  wrote:

> On 09/17/2013 19:25, Predrag Punosevac wrote:
>
>> Internet (128.xxx)   OpenVPN clients (VPN network 10.8.0.xxx)
>>
>>  The subnet mask for private addresses seems odd. With the /8 mask you
> have specified a class A network. Take a look at this table:
> http://en.wikipedia.org/wiki/**Classless_Inter-Domain_**
> Routing#IPv4_CIDR_blocks
>
> etc.
>
> weird indeed


>
>  1. Right now I pass UDP packets on ext_if port 1194 to allow VPN clients
>> to connect to server. Is that correct? Is there more restricitve way
>> of doing this.
>>
>>  As restrictive as it gets.
>
> correct


>
>  2. I would like to filter traffic coming and going from 10.8.0.xxx.
>> Do I write separate rules for tun0 interface?
>>
>>  Yes.
>
>
sort of


>  3. Do I use rdr to allow OpenVPN clients from VPN network 10.8.0.xxx
>> to reach my internal network (192.168.2.xxx)? I would like VPN clients
>> to have the same access to my HPC clusters, DNS etc as my desktops
>> behind PF.
>>
>>
It's slightly more complicated than that. Here's an example -

pass in quick on $int_if from $lan_net to $lan_ip rdr-to $vpn_if:network:0
pass out quick on $int_if to $lan_net received-on $vpn_if nat-to $int_if

In short, that will match ANY already decrypted traffic coming from the
OpenVPN clients on tun0, create state, translate the source IP from the
OpenVPN client's OpenVPNSubnet one to the IP of the LAN interface, and send
it out the LAN interface. The replies from the hosts on the LAN network
will match the above created state and will be redirected to $vpn_if (tun0
in your case) - the OpenVPN server handles it from there. The OpenVPN
clients need to know the proper route to the LAN network - one way to do it
is inject a static route in the client's routing table by adding the
following line to the OpenVPN server config -

push "route 192.168.2.0 255.255.255.0"

In case policy towards VPN clients needs to be more restrictive - here's
another example -

pass in quick on $int_if proto tcp from $lan_net to $lan_ip rdr-to
$vpn_if:network:0
pass in quick on $int_if proto icmp from $lan_net to $lan_ip rdr-to
$vpn_if:network:0
pass out quick on $int_if proto tcp to $lan_net received-on $vpn_if nat-to
$int_if
pass out quick on $int_if proto icmp to $lan_net received-on $vpn_if nat-to
$int_if
block out quick on $int_if from $OpenVPNSubnet to any

Obviously this will forward only TCP and ICMP (ssh, ping etc)  and drop
anything else (UDP - traceroute, etc) from the OpenVPN clients.

 I would suggest either to use the same subnet as for the other machines,
> 192.168.2.0/24 I suppose, or to edit the config files of services to
> allow access from 10.8.0.0/16.
>

I seriously doubt any of these will work or is feasible .

cheers,
Shteryana

Re: dovecot fails with too many open files

[Nikola Gyurov]

Stuart,

I'm starting it from the rc.d system.
After changing the login class from '_dovecot' to 'dovecot' it worked.
I wonder why it wouldn't accept '_dovecot' for a login class.
Best regards,
Nikola Gyurov


On Sat, Sep 21, 2013 at 10:06 PM, Stuart Henderson  wrote:
> On 2013-09-21, Nikola Gyurov  wrote:
>> Hey everyone,
>>
>> I'm running 5.4-current and using dovecot-2.2.5p0 from the default
>> package repository.
>>
>> When starting dovecot, it fails with multiple too many open files errors:
>> Sep 21 21:07:46 core dovecot: master: Dovecot v2.2.5 starting up
>> Sep 21 21:07:46 core dovecot: master: Error: service(director): pipe()
>> failed: Too many open files
>> Sep 21 21:07:46 core dovecot: master: Error: service(dict): pipe()
>> failed: Too many open files
>> Sep 21 21:07:46 core dovecot: master: Error: service(config): pipe()
>> failed: Too many open files
>> Sep 21 21:07:46 core dovecot: master: Error: service(auth): pipe()
>> failed: Too many open files
>> Sep 21 21:07:46 core dovecot: master: Error: service(auth-worker):
>> pipe() failed: Too many open files
>>
>> As per this:
>> http://www.openbsd.org/cgi-bin/cvsweb/ports/mail/dovecot/pkg/README-server?rev=1.1
>>
>> I've created a separate login class for dovecot (I'm not using the
>> login.conf.db db) with higher limits:
>> # tail -5 /etc/login.conf
>> # Dovecot
>> _dovecot:\
>> :openfiles-cur=2048:\
>> :openfiles-max=4096:\
>> :tc=daemon:
>>
>> Changed the _dovecot user to be in it:
>> Login: _dovecot
>> Uid [#]: 518
>> Gid [# or name]: 518
>> Class: _dovecot
>> Home directory: /nonexistent
>> Shell: /sbin/nologin
>> Full Name: Dovecot Account
>>
>> Yet I'm still getting the same errors.
>> Any ideas?
>>
>> Best regards,
>> Nikola Gyurov
>>
>>
>
> How are you starting Dovecot? The login class addition is only used
> when starting via the rc.d system e.g. "/etc/rc.d/dovecot start"
> or adding dovecot to the pkg_scripts variable in /etc/rc.conf.local.

Re: dovecot fails with too many open files

[Stuart Henderson]

On 2013/09/21 22:52, Nikola Gyurov wrote:
> Stuart,
> 
> I'm starting it from the rc.d system.
> After changing the login class from '_dovecot' to 'dovecot' it worked.
> I wonder why it wouldn't accept '_dovecot' for a login class.

Glad it's fixed. I missed the _ in your paste from login.conf. The
rc.d system uses a login class with the same name as the daemon, if it
exists. (The sample in the pkg-readme does have it right).