cd / ; apropos ; find * ;
Table des matiรจres

Tips, FAQ, comments... #

About apu2 #

apu2 is a great board that require few power and well supported by OpenBSD.

However, you can't plug it to a screen but have to use the serial port to install and do admin task. Actually, it may be a good thing if you already have a laptop and don't want to buy an extra screen and keyboard.

Even though apu2 are not build anymore, we will talk here about apu2 tips, also useful for other boards with a serial port.

For the record, this documentation is hosted on an apu2d0.

Get to the apu2 console #

Plus the usb dongle or directly the serial cable to a computer. To get to the serial console, you can run on OpenBSD :

cu -s 115200 -l /dev/cuaU0

You should run the above as root or add your username to "dialer" group before:

doas usermod -G dialer $(whoami)

Install OpenBSD on APU2 #

Just proceed as usual with an USB key as installation media. In the console, before booting, add the following options so the installer knows we're in serial console :

boot> 
stty com0 115200
set tty com0

No need to do if afterwards, the installer save this option.

Upgrade apu2 bios #

You can flash the firmware with flashrom tool :

# pkg_add flashrom

Now read /usr/local/share/doc/pkg-readmes/flashrom for up-to-date instructions.

Check file checksum #

When you transfer files, you may ensure the authenticity of data.

To do so, computing a file checksum is useful. Use the sha256 command:

$ sha256 debian-9.6.0-amd64.qcow2.gz
SHA256 (debian-9.6.0-amd64.qcow2.gz) = 91831ba15446f3ab418ae8a5c2a8ac0d852dc5d43bd595a70b88bd6ea4ded397

Do the same on both ends: the output must be the same.

Notice that on GNU/Linux, sha256 don't exist. Its equivalent is sha256sum.

If you are paranoid, you can go further and check signatures with signify tool.

How to change password #

Use passwd command:

# passwd jdoe

To change superuser password, you have to make sure to be correctly logged with appropriate environment variables. To do so, use -l flag:

# su -l
# passwd root

Periodic tasks (cron) #

Everything is ready on OpenBSD to run tasks periodically. You can edit the following scripts:

Make sure you use the full path of commands you need to run as PATH variable can be different than your user's. As example:

echo "You are so handsome" | mail -s "Hi" root # Not OK

echo "You are so handsome" | /usr/bin/mail -s "Hi" root # GOOD

Use which command_name to find absolute paths.

If you need more accurate timing, use cron.

Enter crontab -e and edit the file to specify when the user will run automatically a command. As example, to run it hourly (actually, every time the clock display "0 minutes"):

0 * * * * /path/to/command

With the example below, the command is run every 5 minutes:

*/5 * * * * /path/to/command

To learn more, read man crontab(5) manpage.

Look at this website to help you writing crontasks.

crontabs are very handy ๐Ÿ˜Ž.

Disk Partitioning #

If you need to set up another disk, we describe here how to prepare it.

โš  Notice all this can be achieved after disk encryption and having a RAID identified as sd1 later.

Identifiy the disk #

Plug the disk and run dmesg. You'll see something like that:

umass0 at uhub0 port 1 configuration 1 interface 0 "Western Digital Ext HDD 1021" rev 2.00/20.21 addr 2
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd1 at scsibus2 targ 1 lun 0: <WD, Ext HDD 1021, 2021> SCSI2 0/direct fixed serial.10581021383235373034
sd1: 1907727MB, 512 bytes/sector, 3907024896 sectors

Here, the disk is identified as sd1. Adjust according to your case later.

Partitioning #

Actually, we create slices with disklabel:

# disklabel -E sd1

A prompt show up. Now we can create slices.

When in doubt, enter p to display the current state.

To create the first slice, enter a a. It means "Add a slice a".

Let default offset. Set the size according to your needs. To do so, you may use :

Choose filesystem "4.2BSD".

Add more slices if you want with a d, a e, a f...

โš  Notice you can't create a c slice since it's reserved to identify the whole disk. Also, b is often used for swap, but it's not mandatory.

Once done, enter q to exit and apply changes.

Now enter disklabel sd1 to see disk state:

# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: Ext HDD 1021
duid: 782f1ddb783cdd13
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 243201
total sectors: 3907024896
boundstart: 64
boundend: 3907024065
drivedata: 0

16 partitions:
#            size       offset  fstype [fsize bsize  cpg]
  a:    629153472           64  4.2BSD   4096 32768    1
  d:   3277870464    629153536  4.2BSD   8192 65536    1 
  c:   3907024896            0  unused

Notice the duid:

duid: 782f1ddb783cdd13

You can use it later to identify the disk and avoid confusions if there are several. You can find it also with this command:

# sysctl hw.disknames
hw.disknames=wd0:bfb4775bb8397569,cd0:,wd1:56845c8da732ee7b,wd2:f18e359c8fa2522b

You're almost done, you still have to create the filesystem for each slices:

# newfs /dev/rsd1a
# newfs /dev/rsd1d

Don't forget the "r" ๐Ÿ˜‰

Now you can edit /etc/fstab to mount the previous slices easyly. Notice the use of the previous duid:

...
782f1ddb783cdd13.a /home/prx/music/ ffs rw,noatime,nodev,nosuid,noauto 0 0
782f1ddb783cdd13.d /mnt/backup/ ffs rw,noatime,nodev,nosuid 1 2

That's a lot of options, you'll learn more in man fstab(5).

In this example:

To mount every mountpoint listed in /etc/fstab, enter:

# mount -a

How to find my network interface ? #

Use ifconfig command.

Your interface might have an inet (IP) and might belong to egressgroup.

As example:

$ ifconfig                                                   
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
re0: flags=218843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,MPSAFE,AUTOCONF6> mtu 1500
        lladdr fc:aa:14:65:5f:86
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
        priority: 0
        groups: pflog

Here, "lo0" is not the interface we're looking for: it's local interface used by some program. "enc0" and "pflog0" are not our interface, they are respectively the encrypted interface used by IKED and pf logging inteface.

It remains "re0", the ethernet as written in "media" section.

Logs #

Your server keep records of its activity. It is often stored in text files called "logs". You can find most of them in /var/log and /var/www/logs.

You'll consider amongst others:

There are more.

I advice to read them from time to time to check everything works as expected. You can see them in realtime with the following command:

tail -f /var/log/messages /var/log/daemon /var/log/maillogs /var/log/authlog

Soon, you'll notice new files ending with ".0.gz", ".1.gz"... Those are archived logs. To avoid endlessly growing logs, OpenBSD run periodically "newsyslog" command and compress archives if necessary.

You can configure newsyslog if you edit /etc/newsyslog.conf. You may add new lines if an application create logs not listed:

...
/var/log/messages                       644  5     300  *     Z
/var/log/authlog        root:wheel      640  7     *    168   Z
...

As usual, read man newsyslog(8) to learn more about this file.

Check for improvements with lynis #

Lynis is a tool to scan your system looking for improvements in terms of security.

# pkg_add lynis
# lynis audit system

You'll see a lot of messages. Read /var/log/lynis-report.dat carefully then:

# less /var/log/lynis-report.dat

As example, you may read:

suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|ClientAliveCountMax (3 --> 2)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|Compression (YES --> NO)|-|

To filter for suggestions:

# grep suggestion /var/log/lynis-report.dat

How to deal with power loss ? Where my mails are going ? #

Well, that happens...

You can buy an uninterruptible power supply (UPS). It's a kind of backup battery where you plug your server and router. in case of powerloss, the UPS keep your server running giving about 20 minutes or more to shutdown properly or find another solution.

In case a daemon crashed because of some bug, OpenBSD notice in its daily report daemons that should be running but aren't. You can check then.

So, no big deal if sometimes your server is down.

What happens when a mail server is, for some reasons, unreachable ?

SMTP protocol is designed to be reliable.

If your server is unreachable when someone tries to send you an email, things happens like in real life : the mailmain try again after some time. After trying, it may give up, sending a message to the author indicating there is a problem with the recipient.

There are no rules about time between each periodic delivery attemps. Each 4h, then each days, depending on the sender's configuration. It may give up after a week however.

To prevent the worst case where your server has burned, configure a backup mail server -- secondary -- so it keeps your emails while you are fixing your server. It is described in the mail part of this documentation.

I have a problem, what can I do ? #

Daemon issue #

If a daemon isn't starting, try starting it by hand to see errors ouput. As example, with httpd, you can enter:

rcctl -d start http

Read Manpages #

Check the manpage of the tool having an issue.

Look into /usr/local/share/doc/pkg-readmes if there are specific instructions.

Problem with a port/package #

Use pkg_check command to fix the state of your ports usage.

Look into logs #

Look at logs with tail command to see if there are error messages :

# tail -f /var/log/messages /var/log/daemon

For a website:

# tail -f /var/www/logs/*

For login issues:

# tail -f /var/log/authlog

Also, run dmesg to see if a device has an issue.

Check what the Firewall is doing #

Look at firewall traffic with tcpdump to see where it's failing:

# tcpdump -n -e -ttt -i pflog0

Corrupted filesystem or loop reboots #

Try to boot on the ramdisk bsd.rd.

boot> bsd.rd [Enter]

Then choose to reinstall sets with U: Upgrade or use the shell to fix filesystem with fsck.

You also can boot on a disk prepared with "minirootXX.img".

Then choose S : Shell.

Look after your disk with dmesg. In this example, we use sd1.

Make sure it is ready with:

cd /dev && sh MAKEDEV sd1

Then, check and fix the filesystem:

fsck -y sd1a
fsck -y sd1d

Do it for each slices. Use disklabel sd1 to list them.

Ask for help #

Ask on official mailing list

Talk on XMPP room

Generate good random passwords #

The longer the better !

The more combinations a cracking tool will have to try, the more secure is your passphrase.

You may:

You can use OpenBSD's tools to generate random passwords. Below are examples for 15 charater long passwords:

$ openssl rand 15 -base64

$ dd if=/dev/urandom count=128 bs=1M 2>&1 | md5 | cut -b-15

$ jot -rcs  20 32 126

$ tr -cd ' -~' < /dev/urandom 
# only alnum
$ tr -cd '[:alnum:]' < /dev/urandom

Here are some interesting links on the topic:

https://m.xkcd.com/936/

Password strenght XKCD

Split and reassemble files #

If y ou have huge files to transfer, you can split them.

$ gzip -c big_file | split -b 100m - big_file.gz

You get max 100mb files sorted alphabetically :

$ ls -l
-rw-r--r--  1 xavier  xavier  104857600 Dec 12 16:52 big_file.gzaa
-rw-r--r--  1 xavier  xavier  104857600 Dec 12 16:52 big_file.gzab
-rw-r--r--  1 xavier  xavier   88204071 Dec 12 16:52 big_file.gzac

To recreate the original file, use cat:

cat big_file.gz_* | gunzip -c > big_file

Nice isnt it ? ๐Ÿ˜Ž

How to add/delete users? #

Add user #

Creating users let you :

According to the user's taks, you won't create the account the same way.

To add an user, use adduser. It is interactive istead of useradd. Yeah, I know...

That's how it looks like:

root@votreserveur[~] # adduser
Use option '-silent' if you don't want to see all warnings and questions.

Reading /etc/shells
Check /etc/master.passwd
Check /etc/group

Ok, let's go.
Don't worry about mistakes. There will be a chance later to correct any input.
Enter username []: toto
Enter full name []: Jean-Eudes
Enter shell csh ksh nologin sh [nologin]: nologin
Uid [1005]:
Login group toto [toto]:
Login group is toto. Invite toto into other groups: guest no
[no]:
Login class authpf bgpd daemon default dovecot pbuild staff unwind
[default]:
Enter password []:
Enter password again []:

Name:        toto
Password:    ***************
Fullname:    Jean-Eudes
Uid:         1005
Gid:         1005 (toto)
Groups:      toto
Login Class: default
HOME:        /home/toto
Shell:       /sbin/nologin
OK? (y/n) [y]: y
Added user toto
Add another user? (y/n) [y]: n
Goodbye!

Make sure to set a good passphrase.

Delete an user #

# userdel toto
# groupdel toto

Here you go! ๐Ÿ˜Š


Table of contents

Donate