After enjoying the Xen thread, and the comments about the horrid mess
that is x86 hardware design, I'm wondering what hardware on which
OpenBSD will run _is_ well designed.

Who makes a hardware architecture that is open (enough) that OpenBSD can
run fully on it, that has good performance. I'm assuming that its not
COTS an so will cost more than x86.

Note that I'm not asking: who makes good hardware on which we can then
run Xen. I'm talking about a solid piece of hardware on which to run
one an...

all,

I'm happy to read whatever I need to, in order to get this system
running. I come before this list humbly. Please don't flame my ass
with RTFMs :)

I have a new Dell Optiplex 745 with an Intel Core 2 Duo.

this system completed the install. Now on boot it hangs after:
wskbd1: connecting to wsdisplay0

the only issue I had during install was that the on-board nic would
not grab a dhcp address - but the pci nic did.

how can I troubleshoot this further? I followed the FAQ for the
ins...

Contrariwise, there is *some* security benefit to running all the
services virtualized, compared to running all the services on the same
machine but *not* virtualized. In that case, though, you're not getting
any improved resource utilization, and you're going with a very
complicated and unaudited system (with arbitrary code execution bugs
coming to light *this month*) to achieve "improved security."

You can achieve a lot of the promises of virtualized servers (with
fewer moving parts, and more...

I have, what appears to be, v1 of this card, but I get the following from
dmesg--even when booting from the latest snapshot of cd42.iso:

Intersil, ISL3890, -, - (manufacturer 0xb, product 0x3890) "Intersil Prism
GT/Duette" rev 0x01 at cardbus1 dev 0 function 0 not configured

I'm not certain how to update pcidevs and related to accurately reflect this
(I noticed product 0x3890 is already in pcidevs.h), so some advice is
appreciated.

Thanks.

Yes.

(Or you build it from ports. Still, 4.2 is very much unreleased at this
moment.)

HTH... Nico

i have some pcie-ems, there are pcie-bnxs, and certainly others. fibre
limits your options. i usually terminate wan fibres on a switch and use
copper or plain sx (really just copper these days) to the routers - has
the disadvantage that you don't see link state changes directly, has
the advantage of added flexibility and just connecting two machines for
redundancy reasons (details differ a lot depending on environment).

that said, it shouldn't be too hard to find a pcie-sx card. lx could
ge...

Hi,

When testing greylisting with synchronizing we noticed the following
strange behavior:
Machine A (10.100.64.234) is the machine we receive mail through.
Machine B (10.100.64.233) is synced through spamd

Check out the expire value on machine A after the state have gone from
Grey to White!
It has taken the default 36 days ahead instead of our 2 hour (testvalue)
from spamd_flags!!
But Machine B (the passive "brother" which gets synced through
spamd-sync) behaves as it should!?

spamdb (A)...

Hello,

On Vmware Fusion (tested with Fusion 1.1 on a Core2duo imac), OpenBSD
(-current) is very slow on anything that is not just a pure computation task.

While compiling something, or while running MySQL, PgSQL, Apache or
Sendmail, "top" always shows that the CPU spends 99% or 100% of its time in
the system state.

This is of course with the vic(4) and mpi(4) drivers. But this is always
the case anyway, even without any disk or network I/O.

Does anyone know what might be wrong?
...

Hi,

I made a fresh install of current some five days ago and when I tried
to install fluxbox I get:

--------------------
# pkg_add fluxbox
Can't install imlib2-1.4.0: lib not found png.6.0
Dependencies for imlib2-1.4.0 resolve to: png-1.2.18, bzip2-1.0.4,
libid3tag-0.15.1bp0, jpeg-6bp3, libungif-4.1.4p1, tiff-3.8.2p0
Full dependency tree is
png-1.2.18,bzip2-1.0.4,libid3tag-0.15.1bp0,jpeg-6bp3,libungif-4.1.4p1,tiff-3.8.2p0
png.6.0: partial match in /usr/local/lib: major=5, minor=2 (bad major)
...

thanks for the answer!

Pau

First of all post to the right list. ;) This would fit better in
the misc-list.

Now, for your question; what you're looking for is in the
/etc/login.conf file. There is a man-page for it, login.conf(5)

In /etc/login.conf you have a line that says:
auth-defaults:auth=passwd,skey:

You'd want to change that line to something like:
auth-defaults:auth=ldap

OpenBSD doesn't include an LDAP module though so you'd have to write
your own, details for how to do so is in the login.conf(5) man page.
...

unfortunately this is not enough. the user ids and groupd ids must also
be present on the machine. this means that you have to add the accounts

Swell!

--

/ Raimo Niskanen, Erlang/OTP, Ericsson AB

seems?
to whom?
to people who never wrote a line of code and don't understand how
things work?

--
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

In theory, you're correct.

In practice there are (at least) four questions which all must be
answered in the affirmative for this to be true:

1) Does the hardware architecture provide all of the hooks needed to
implement virtualization?
2) Does the specific hardware correctly implement that architecture?
3) Does the virtualization software architecture properly implement
virtualization?
4) Does the specific software correctly implement that architecture?

Answering any of those questio...

Sorry, the kernel hacking world is pretty far removed from 'enterprise
reality' <not that it's a bad thing - I often wish it were that simple>!!
In reality, there are tons of SMEs out there using MS Crap and other risky
software! The few security risks you cite for XEN are negligable by comparison.

Anything we can do to increase security, *including* setting up VMs (of any
flavor) is an improvement [that also increased hardware utilization].

Lee

That depends on your viewpoint. There certainly may be some issues at the
OS level (which have been mentioned previously), however the majority of VM
applications benefit from security *isolation*, which has nothing to do
with security issues of the underlying OS, and that was the viewpoint I was
communicating.

For example, say you have three departments within a company: Marketing,
Development, Production. Allowing each department to maintain their own
server instance allows each departmen...

err, that is a very bad comparision. I am not aware of any "layer2
attacks" (you probably mean vlan hopping things) that work against any
half reasonable configured switch from the last 10 years.
heck, these days even everybody except cisco has sane defaults.
(well, I dunno about those cheap switches, admittedly)

this comparision is wrong on another basis: vlans are dead simple, just
a tiny and simple header before the ethernet segment. virtualization is

without bad config errors (that are ...

I'm curious about this. Do you have any pointers I can go look up? Thanx!

--
"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.

Quite the opposite!! A VM provides a safe, sane, decently
compartmentalized way to run a specific application domain. It's obvious
we have different viewpoints, but both are equally valid - your's from the
OS, mine from the application.

Lee

================================================
Leland V. Lammert lvl@omnitec.net
Chief Scientist Omnitec Corporation
Network/Internet Consultants www.omnitec.net
================================================

It's that extra 4MB of poo code, that is what makes it more secure.

It's slippery and sticky at the same time, so that the application
attackers slip and slide and fall into the page boundaries.

If the actual hardware let us do more isolation than we do today, we
would actually do it in our operating system.

The problem is the hardware DOES NOT actually give us more isolation
abilities, therefore the VM does not actually do anything what the say
they do.

While x86 hardware has the same pag...

I vote to add it to theo.c.

Thanks

Daniel

Index: src/usr.bin/mg/theo.c
===================================================================
RCS file: /cvs/src/usr.bin/mg/theo.c,v
retrieving revision 1.101
diff -u -p -r1.101 theo.c
--- src/usr.bin/mg/theo.c 28 Aug 2007 17:57:16 -0000 1.101
+++ src/usr.bin/mg/theo.c 24 Oct 2007 21:19:08 -0000
@@ -147,6 +147,7 @@ static const char *talk[] = {
"cache aliasing is a problem that would have stopped in 1992 if
someone h...

"Why"? Because that's what happens *anyway*.
--
Matthew Weigel
hacker
unique@idempot.net

Huh? What does circular logic have to do with a simple statement? Running
different application domains on separate VMs provides isolation BETWEEN
those application domains. That's security by anyone's definition.

The fact is that the OS level security is *separate*, and could be an
issue has nothing to do with the point I'm making.

What if the client OS were Windoze? The security of that OS is crap, and
we all know it. Any sane sysadmin will have a good firewall in front of
that machine, whether...

I thought it was obvious, .. but I know you have beter things on your mind.

Believe what? OBSD is secure? I thought you were proud of the project?
Sheesh! If our leader doesn't believe OBSD is secure, we ALL better be
running for cover. Linux, anyone?

If you're saying that OBSD will never be modified to run AS a XEN
hypervisor, that's probably a true statement. No need to corrupt a decent

Sure they do. If I'm running Windoze as a guest OS, there are hundreds or
thousands of possible vul...