OpenBSD

OpenBSD RDomains

Intro

Let’s assume you have a Mikrotik router with a management interface at IP ‘192.168.88.1/24’ and a DHCP server enabled. You want to access the router via HTTP/HTTPS while also providing Internet access for the Mikrotik router. You have an APU running OpenBSD. What do you do?

Setup

  • 2 NICs
  • em0: dhcp client, default route, rdomain 0
  • em3: dhcp client, rdomain 3

Interfaces

Interface em0

cat << 'EOF' > /etc/hostname.em0
# Public Internet
inet 	autoconf
inet6	autoconf
EOF

Interface em3

OpenBSD - USB

dmesg

show disks

dmesg |grep ^sd. 
sd0 at scsibus1 targ 0 lun 0: <ATA, KingFast, T031> t10.ATA_KingFast_04xxxxxxxxxxxx
sd0: 114473MB, 512 bytes/sector, 234441648 sectors, thin
sd1 at scsibus4 targ 1 lun 0: <JetFlash, Transcend 8GB, 1100> removable serial.85xxxxxxxxxxxxxxxxxx
sd1: 7450MB, 512 bytes/sector, 15257600 sectors

Show DiskLabel

sysctl hw.disknames
hw.disknames=sd0:9axxxxxxxxxxxxxx,sd1:60xxxxxxxxxxxxxx

Show Disklabel sd1

disklabel sd1 
# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: Transcend 8GB
duid: 60xxxxxxxxxxxxxx
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 949
total sectors: 15257600
boundstart: 64
boundend: 15257600

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:         15257600                0  unused

Fdisk

kill everything

Hetzner - Arm64 OpenBSD

OpenBSD on ARM64 at Hetzner DC

Price/performance is unbeatable at Hetzner for arm64 virtual machines. A server (CAX21) with 4 CPU, 8 GB RAM, 80 GB disk and 20 TB traffic/month costs around 7 Euros/month.

Let’s build a template for OpenBSD. Here is how to do it:

  • Get Server with CAX21 (4 CPU, 8 GB RAM, 80 GB Disk), with Debian or Ubuntu
  • Menu “ISO-Images”, mount Image “OpenBSD 7.4-current 2023-11-03 (arm64)”
  • Reboot the VM
  • Install OpenBSD as usual
  • Disk: sd0
  • Use (W)hole disk
  • (E)dit auto layout
  • Delete all partitions except partition “i” (MSDOS)
  • Build Disk Layout as you like. My Layout for 80GB at Hetzner
  • Location of sets? http
  • HTTP Server: cdn.openbsd.org
  • Server directory? pub/OpenBSD/7.4/arm64
  • finish setup
  • halt vm, remove iso images
  • boot vm and login through console or ssh

Any Comments ?

sha256: 2ea0f6b96f44980331d15e964c778907c458816776b7ab2315d7c40bb24845b2

APU - Firmware Upgrade

intro

as we all know, the apu’s from pcengines are eol. but it’s worth bringing the existing ones to the latest firmware. if you have openbsd running on your boxes, you can upgrade it like this:

add packages

doas pkg_add -i flashrom pciutils

set hostname

based on apu version and mac of em0

# apu model taken from the bios0 line in dmesg, e.g. "bios0: PC Engines apu2" -> "apu2"
type=$(dmesg |grep ^bios0: |tail -1 |sed 's/.*gines //')
# last three octets of the em0 mac address, joined with dashes
mac=$(ifconfig em0 |awk '/lladdr/ {print $2}' |awk -F':' '{printf "%s-%s-%s\n",$4, $5, $6}')
# persist the hostname in /etc/myname and apply it to the running system (needs root)
echo "${type}-${mac}" |tee /etc/myname; hostname $(cat /etc/myname)

sample

Python Versions

History

A long time ago, there were huge discussions about Python 2.7 versus Python 3.x. Fortunately, those times are gone and we’ve all gotten over the hurdle to Python 3. But are you on 3.6, 3.7, 3.8? Or even 3.11 or 3.12? Which is the current version you should use for your daily projects?

Status of Python versions

A good indicator is this Website: https://devguide.python.org/versions/

OpenBSD

It’s also recommended to check what your operating system installs by default, or what you can get from its package repository.

OpenBSD 7.4

OpenBSD 7.4 finally released

Today, the 55th Release of OpenBSD was announced. My Upgrade Script is available here.

Highlights

  • vmd(8) has moved to a multi-process model for virtio(4) block and network devices
  • malloc(3) now has built-in leak detection
  • In OpenSSH 9.5, ssh-keygen(1) generates Ed25519 keys by default
  • sec(4) for Route Based IPSec VPNs

see the Post on Undeadly for more Details, or the OpenBSD Page

Script

doas su -
cd /root
ftp https://blog.stoege.net/scripts/.helpers
ftp https://blog.stoege.net/scripts/upgrade_to_74.sh
chmod u+x upgrade_to_74.sh

Execute

do the Upgrade

OpenBSD 7.4 DevBox

OpenBSD 7.4

… will be released next week (23. Oct 2023). Why not have a look at the upcoming OS and prepare a VM for software development?

Preparation

grab a fresh VM and Install OpenBSD 7.4

os version

puffy74# sysctl kern.version
kern.version=OpenBSD 7.4 (GENERIC.MP) #1396: Sun Oct  8 09:20:40 MDT 2023
    deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

empty vm

puffy74# pkg_info
quirks-6.159        exceptions to pkg_add rules and cache

add go, rust, python

puffy74# pkg_add go rust python3
quirks-6.159 signed on 2023-10-07T10:09:24Z
go-1.21.1: ok
rust-1.72.1:nghttp2-1.56.0: ok
rust-1.72.1:nghttp3-0.15.0: ok
rust-1.72.1:ngtcp2-0.19.1: ok
rust-1.72.1:curl-8.3.0p0: ok
rust-1.72.1:libssh2-1.11.0: ok
rust-1.72.1: ok
python3-3.10p2:xz-5.4.4: ok
python3-3.10p2:sqlite3-3.42.0: ok
python3-3.10p2:libiconv-1.17: ok
python3-3.10p2:gettext-runtime-0.22.2: ok
python3-3.10p2:libffi-3.4.4: ok
python3-3.10p2:bzip2-1.0.8p0: ok
python3-3.10p2:python-3.10.13: ok
python3-3.10p2: ok

show packages

SSH LogLevels

Log Levels for SSH

In SSH, the LogLevel option allows you to control the level of logging information generated by the SSH client and server.
There are several log levels you can use to adjust the verbosity of SSH logging. Here are the most commonly used log levels:

QUIET:
Suppresses all log messages, except for fatal errors. It provides the least amount of information.
FATAL:
Logs only fatal errors, indicating severe issues that may prevent the SSH session from being established.
ERROR:
Logs error messages, which are issues that might cause problems but don't necessarily prevent the session from being established.
INFO:
Logs informational messages, such as connection status and key exchange details. This is the default log level.
VERBOSE:
Provides more detailed logging than INFO, including additional debugging information.
DEBUG:
Generates detailed debugging messages. This level is useful when diagnosing connection and authentication issues.
DEBUG1, DEBUG2, DEBUG3:
Provide even more verbose debugging output, with DEBUG3 being the most detailed.

Settings per User

cat ~/.ssh/config
  Host *
    LogLevel QUIET
    LogLevel FATAL
    LogLevel ERROR
    LogLevel INFO
    LogLevel VERBOSE
    LogLevel DEBUG
    LogLevel DEBUG1
    LogLevel DEBUG2
    LogLevel DEBUG3
    ...
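The listing above stacks every LogLevel in one Host block, but ssh_config(5) uses the first obtained value of each keyword, so only the first line would take effect. The script below, an added example that is not part of the original post, resolves the effective LogLevel for a host from such a file with the same first-match rule (Host glob patterns, ! negation and comments are handled; Match blocks are not), using a constructed sample config.

```shell
# Resolve the effective LogLevel for a host from an ssh_config-style file.
# ssh_config(5) uses the FIRST obtained value of each keyword, so in the
# listing above only "LogLevel QUIET" takes effect for every host.
# Added example, not from the original post: handles "Host" with glob
# patterns (* ? and ! negation) and comments; "Match" blocks and the
# keyword=value form are not handled.
set -f   # no pathname expansion, so "Host *" is not turned into filenames
# host_matches HOST PATTERN... -> 0 if HOST matches the list, 1 otherwise
host_matches() {
    h=$1; shift; matched=1
    for p in "$@"; do
        case $p in
            '!'*) case $h in ${p#!}) return 1 ;; esac ;;  # negated match excludes HOST
            *)    case $h in $p) matched=0 ;; esac ;;
        esac
    done
    return $matched
}
# effective_loglevel FILE HOST -> prints the first LogLevel that applies to HOST
effective_loglevel() {
    file=$1; host=$2
    active=1   # lines before any Host keyword apply to all hosts
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line   # split on whitespace; blank lines have no fields
        [ $# -eq 0 ] && continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        case $key in   # comment lines start with "#" and match neither branch
            host)     shift; host_matches "$host" "$@" && active=1 || active=0 ;;
            loglevel) [ $active -eq 1 ] && { printf '%s\n' "$2"; return 0; } ;;
        esac
    done < "$file"
    printf 'INFO\n'   # ssh's compiled-in default when no LogLevel applied
    return 1
}
demo_config() {   # writes a constructed sample config modelled on the listing above
    cat > "$1" <<'EOF'
Host bastion
    LogLevel VERBOSE
Host *.example.com !bastion.example.com
    LogLevel ERROR
Host *
    LogLevel QUIET
    LogLevel DEBUG3
EOF
}
cfg=$(mktemp); demo_config "$cfg"
for h in bastion www.example.com bastion.example.com; do
    printf '%-20s -> %s\n' "$h" "$(effective_loglevel "$cfg" "$h")"   # VERBOSE, ERROR, QUIET
done; rm -f "$cfg"
```

On a real system, `ssh -G host` prints the options ssh actually resolved for that host, which is the quickest way to confirm which LogLevel won.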


OpenBSD - Nornir

Build Nornir on OpenBSD - Failed :(

Any Idea how to build it … ?

(cisco-nornir-py3.11) puffy$ RUST_BACKTRACE=1 poetry add nornir-netmiko 

...
Compiling asn1 v0.13.0
       Running `rustc --crate-name asn1 --edition=2018 /home/stoege/.cargo/registry/src/github.com-1ecc6299db9ec823/asn1-0.13.0/src/lib.rs --error-format=json --json=diagnostic-rendered-ansi,artifacts,future-incompat --crate-type lib --emit=dep-info,metadata,link -C opt-level=3 -C linker-plugin-lto -C overflow-checks=on -C metadata=e01d853059c772ba -C extra-filename=-e01d853059c772ba --out-dir /tmp/tmpyhzdyoqa/cryptography-40.0.2/src/rust/target/release/deps -L dependency=/tmp/tmpyhzdyoqa/cryptography-40.0.2/src/rust/target/release/deps --extern asn1_derive=/tmp/tmpyhzdyoqa/cryptography-40.0.2/src/rust/target/release/deps/libasn1_derive-dbeffd4d85568b7f.so --extern chrono=/tmp/tmpyhzdyoqa/cryptography-40.0.2/src/rust/target/release/deps/libchrono-994a1164a0b8cdf4.rmeta --cap-lints allow`
       Running `rustc --crate-name pyo3 --edition=2018 /home/stoege/.cargo/registry/src/github.com-1ecc6299db9ec823/pyo3-0.15.2/src/lib.rs --error-format=json --json=diagnostic-rendered-ansi,artifacts,future-incompat --crate-type lib --emit=dep-info,metadata,link -C opt-level=3 -C linker-plugin-lto -C overflow-checks=on --cfg 'feature="abi3"' --cfg 'feature="abi3-py310"' --cfg 'feature="abi3-py36"' --cfg 'feature="abi3-py37"' --cfg 'feature="abi3-py38"' --cfg 'feature="abi3-py39"' --cfg 'feature="default"' --cfg 'feature="extension-module"' --cfg 'feature="indoc"' --cfg 'feature="macros"' --cfg 'feature="paste"' --cfg 'feature="pyo3-macros"' --cfg 'feature="unindent"' -C metadata=001198fe1619b05c -C extra-filename=-001198fe1619b05c --out-dir /tmp/tmpyhzdyoqa/cryptography-40.0.2/src/rust/target/release/deps -L dependency=/tmp/tmpyhzdyoqa/cryptography-40.0.2/src/rust/target/release/deps --extern cfg_if=/tmp/tmpyhzdyoqa/cryptography-40.0.2/src/rust/target/release/deps/libcfg_if-4852c268cf497cfc.rmeta --extern indoc=/tmp/tmpyhzdyoqa/cryptography-40.0.2/src/rust/target/release/deps/libindoc-8cef8f8418f89ebd.rmeta --extern libc=/tmp/tmpyhzdyoqa/cryptography-40.0.2/src/rust/target/release/deps/liblibc-e2bfee5c7507c149.rmeta --extern parking_lot=/tmp/tmpyhzdyoqa/cryptography-40.0.2/src/rust/target/release/deps/libparking_lot-dbbcb49cdfedf28d.rmeta --extern paste=/tmp/tmpyhzdyoqa/cryptography-40.0.2/src/rust/target/release/deps/libpaste-b236df9534aa35a4.rmeta --extern pyo3_macros=/tmp/tmpyhzdyoqa/cryptography-40.0.2/src/rust/target/release/deps/libpyo3_macros-1c568e083598ae83.so --extern unindent=/tmp/tmpyhzdyoqa/cryptography-40.0.2/src/rust/target/release/deps/libunindent-321bc6f9dc7b8458.rmeta --cap-lints allow --cfg Py_3_6 --cfg Py_LIMITED_API --cfg 'py_sys_config="WITH_THREAD"' --cfg track_caller --cfg min_const_generics --cfg addr_of`
       Running `/tmp/tmpyhzdyoqa/cryptography-40.0.2/src/rust/target/release/build/cryptography-rust-2d57360915c33af1/build-script-build`
  error: failed to run custom build command for `cryptography-rust v0.1.0 (/tmp/tmpyhzdyoqa/cryptography-40.0.2/src/rust)`
  
  Caused by:
    process didn't exit successfully: `/tmp/tmpyhzdyoqa/cryptography-40.0.2/src/rust/target/release/build/cryptography-rust-2d57360915c33af1/build-script-build` (exit status: 101)
    --- stdout
    cargo:rerun-if-changed=../_cffi_src/
    cargo:rustc-cfg=python_implementation="CPython"
  
    --- stderr
    thread 'main' panicked at 'unable to find openssl include path', build.rs:52:49
    stack backtrace:
       0: rust_begin_unwind
       1: core::panicking::panic_fmt
       2: core::panicking::panic_display
       3: core::panicking::panic_str
       4: core::option::expect_failed
       5: core::option::Option<T>::expect
       6: build_script_build::main
       7: core::ops::function::FnOnce::call_once
    note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
  warning: build failed, waiting for other jobs to finish...
  
      =============================DEBUG ASSISTANCE=============================
      If you are seeing a compilation error please try the following steps to
      successfully install cryptography:
      1) Upgrade to the latest pip and try again. This will fix errors for most
         users. See: https://pip.pypa.io/en/stable/installing/#upgrading-pip
      2) Read https://cryptography.io/en/latest/installation/ for specific
         instructions for your platform.
      3) Check our frequently asked questions for more information:
         https://cryptography.io/en/latest/faq/
      4) Ensure you have a recent Rust toolchain installed:
         https://cryptography.io/en/latest/installation/#rust
      
      Python: 3.11.3
      platform: OpenBSD-7.3-amd64-64bit-ELF
      pip: n/a
      setuptools: 67.7.2
      setuptools_rust: 1.6.0
      rustc: 1.68.0 (2c8cc3432 2023-03-06) (built from a source tarball)
      =============================DEBUG ASSISTANCE=============================
      
  error: `cargo rustc --lib --message-format=json-render-diagnostics --manifest-path src/rust/Cargo.toml --release -v --features 'pyo3/abi3-py36 pyo3/extension-module' --crate-type cdylib --` failed with code 101
  

  at ~/.local/lib/python3.10/site-packages/poetry/installation/chef.py:152 in _prepare
      148│ 
      149│                 error = ChefBuildError("\n\n".join(message_parts))
      150│ 
      151│             if error is not None:
    → 152│                 raise error from None
      153│ 
      154│             return path
      155│ 
      156│     def _prepare_sdist(self, archive: Path, destination: Path | None = None) -> Path:

Note: This error originates from the build backend, and is likely not a problem with poetry but with cryptography (40.0.2) not supporting PEP 517 builds. You can verify this by running 'pip wheel --use-pep517 "cryptography (==40.0.2)"'.

Fix -> Downgrade urllib

Downgrading urllib from 2.0.2 to 1.26.6 seems to work. Discussion on GitHub

iperf3 - rdomain

how do i run an iperf3 server in an rdomain? if you don’t know what an rdomain is, just have a look at the man pages

show interface with rdomain

-> rdomain 1 shows that this interface is not running in the default rdomain 0

ifconfig em3 
em3: flags=808843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF4> rdomain 1 mtu 1500
	lladdr de:ad:be:ef:be:ef
	description: connected to Switch (Gi0/1)
	index 4 priority 0 llprio 3
	media: Ethernet autoselect (1000baseT full-duplex)
	status: active
	inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255

Install iperf3

install Package from Repository