OpenBSD

OpenBSD 7.1

OpenBSD 7.1 released!

… a while ago. I upgraded all my boxes quite a while ago, but I didn’t write a short post about it. There is nothing really unexpected, a stable, easy, straightforward development of my favourite OS, except that there is a need for more than 1G free disk space in /var. That was a bit of a problem for smaller boxes like the APU with a 16G disk …

OpenBSD 7.x Diskusage

Background

It seems that OpenBSD (and the installed software) is using more and more space in the /usr partition. For upgrading to 7.1, at least 1.1 GB of free space is needed. So I’m going to update my default partitioning proposal like this:

Example with 25 GB

root@puffy# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.9G    766M    2.9G    20%    /
/dev/sd0d      1.9G   20.0K    1.8G     0%    /tmp
/dev/sd0e      5.8G   36.1M    7.3G     0%    /var
/dev/sd0f      7.8G    3.6G    3.8G    49%    /usr
/dev/sd0g      2.xG    150M    7.2G     2%    /home

which results in this:

a 4G  /
a 2G  swap
a 2G  /tmp
a 6G  /var
a 8G  /usr
a *   /home

Example with 32 GB

root@puffy# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.9G    766M    2.9G    20%    /
/dev/sd0d      1.9G   20.0K    1.8G     0%    /tmp
/dev/sd0e      7.8G   36.1M    7.3G     0%    /var
/dev/sd0f      7.8G    3.6G    3.8G    49%    /usr
/dev/sd0g      7.7G    150M    7.2G     2%    /home

which results in this:

a 4G  /
a 2G  swap
a 2G  /tmp
a 8G  /var
a 8G  /usr
a *   /home
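A pre-upgrade check that fits the point above, added here as an example and not part of the original post: it reads the POSIX `df -kP` layout (the same on OpenBSD and Linux) and refuses when a partition is below the thresholds the text names (1.1 GB free in /usr for 7.1, more than 1 GB in /var).

```shell
#!/bin/sh
# Added example, not from the post: free-space preflight for an OpenBSD upgrade.
# `df -kP` is used because the POSIX format never wraps long device names.

# Print the "Available" column (KB) of the first filesystem in df -kP output on stdin.
avail_kb_from_df() {
  awk 'NR == 2 { print $4; exit }'
}

# Return 0 if the filesystem holding path $1 has at least $2 MB available, 1 if not.
has_free_mb() {
  kb=$(df -kP "$1" 2>/dev/null | avail_kb_from_df)
  [ -n "$kb" ] && [ "$kb" -ge $(( $2 * 1024 )) ]
}

# Read "path min_mb" pairs from stdin, report each one and return the number of
# partitions that are too small (0 means the upgrade can go ahead).
check_upgrade_space() {
  short=0
  while read -r path min_mb; do
    [ -n "$path" ] || continue
    if has_free_mb "$path" "$min_mb"; then
      echo "ok    $path (>= ${min_mb} MB free)"
    else
      echo "SHORT $path (need ${min_mb} MB free)"
      short=$((short + 1))
    fi
  done
  return $short
}

# Thresholds from the text: 1.1 GB in /usr, more than 1 GB in /var.
printf '%s\n' '/usr 1100' '/var 1024' | check_upgrade_space \
  || echo "not enough free space for the upgrade, grow the partitions first"
```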

Any comments?


IPSEC OpenBSD <-> Linux

Environment

  • OpenBSD 7.0
  • Debian 11.2 with Strongswan
  • IPv4 only
  • IKE v1

ToDo

  • IPv6 and Dualstack
  • IKE v2

Debian

ipsec.conf

conn puffy
   authby      = secret
   ike         = aes256-sha256-modp2048
   keyexchange = ikev1
   ikelifetime = 1h
   keyingtries = 0
   left        = %defaultroute
   right       = 193.xx.xx.xx
   leftid      = 212.xx.xx.xx
   rightid     = 193.xx.xx.xx
   lifetime    = 1200s
   leftsubnet  = 10.11.1.8/30
   rightsubnet = 10.1.6.0/24
   esp         = aes256-sha256-modp2048
   dpddelay    = 30
   dpdtimeout  = 120
   dpdaction   = restart
   auto        = start

OpenBSD

/etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet.gre.allow=1

Apply all Settings

for i in $(cat /etc/sysctl.conf); do sysctl $i;done

/etc/ipsec.conf

# Tunnel to Debian

local_gw    = "193.xx.xx.xx"
local_net   = "10.1.6.0/24"
remote_gw   = "212.xx.xx.xx"
remote_net  = "10.11.1.8/30"
key         = "DAS-SAG-ICH-DIR-NICHT-:)"

# Phase 1 (main) and phase 2 (quick) proposals, matching the Debian side
# (ike/esp aes256-sha256-modp2048, ikelifetime 1h, lifetime 1200s)
auth1       = "hmac-sha2-256"
enc1        = "aes-256"
group1      = "modp2048"
time1       = "3600"
auth2       = "hmac-sha2-256"
enc2        = "aes-256"
group2      = "modp2048"
time2       = "1200"

ike dynamic esp tunnel from $local_net to $remote_net peer $remote_gw \
main    auth $auth1   enc $enc1   group $group1   lifetime $time1 \
quick   auth $auth2   enc $enc2   group $group2   lifetime $time2 \
srcid $local_gw \
psk $key

ike dynamic esp tunnel from $remote_net to $local_net peer $local_gw \
main    auth $auth1   enc $enc1   group $group1   lifetime $time1 \
quick   auth $auth2   enc $enc2   group $group2   lifetime $time2 \
srcid $remote_gw \
psk $key

start/restart services

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K
rcctl restart ipsec isakmpd

Enc Interfaces

cat /etc/hostname.enc0
up

FW Rules

# Allow UDP Port 500 and 4500
pass in  on (egress) proto udp from 193.xx.xx.xx to 212.xx.xx.xx port {isakmp, ipsec-nat-t}
pass out on (egress) proto udp from 212.xx.xx.xx to 193.xx.xx.xx port {isakmp, ipsec-nat-t}

# Allow ESP encapsulated IPsec traffic on the external interface
pass in  on (egress) proto esp from 193.xx.xx.xx to 212.xx.xx.xx
pass out on (egress) proto esp from 212.xx.xx.xx to 193.xx.xx.xx

# Allow IP in IP Traffic
pass in  on enc0 proto ipencap from 193.xx.xx.xx to 212.xx.xx.xx keep state (if-bound)
pass out on enc0 proto ipencap from 212.xx.xx.xx to 193.xx.xx.xx keep state (if-bound)

Start Services & Apply Setting

… or reboot the box so all settings get applied.
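Once isakmpd is running, the thing to verify is that SAs exist in both directions and use the proposals configured above. The script below is an added example, not part of the original post: it parses the SAD lines of `ipsecctl -sa` (layout `esp tunnel from A to B spi ... auth X enc Y`, as shown in ipsecctl(8)); the sample lines are constructed with the post's redacted gateway addresses.

```shell
#!/bin/sh
# Added example, not from the post: check that the IPsec tunnel is established in
# both directions with the expected auth/enc algorithms, from `ipsecctl -sa` output.

# Read SAD lines on stdin; for each esp tunnel SA between local gateway $1 and
# remote gateway $2 print "<dir> <auth> <enc>", dir being out (local->remote) or in.
sa_between() {
  awk -v l="$1" -v r="$2" '
    $1 == "esp" && $2 == "tunnel" {
      dir = ""
      if ($4 == l && $6 == r) dir = "out"; else if ($4 == r && $6 == l) dir = "in"
      if (dir == "") next
      auth = enc = "-"
      for (i = 7; i < NF; i++) { if ($i == "auth") auth = $(i+1); if ($i == "enc") enc = $(i+1) }
      print dir, auth, enc
    }'
}

# Return 0 only if SAs exist in both directions with auth $3 and enc $4.
# A missing direction or any other (e.g. weaker) algorithm returns 1.
tunnel_ok() {
  sa_between "$1" "$2" | awk -v a="$3" -v e="$4" '
    $2 == a && $3 == e { seen[$1] = 1 }
    END { exit !(seen["out"] && seen["in"]) }'
}

# Constructed SAD output in the ipsecctl -sa layout (SPIs are made up).
SAD_SAMPLE='SAD:
esp tunnel from 193.xx.xx.xx to 212.xx.xx.xx spi 0x0102aabb auth hmac-sha2-256 enc aes-256
esp tunnel from 212.xx.xx.xx to 193.xx.xx.xx spi 0x0304ccdd auth hmac-sha2-256 enc aes-256'

# Returns 0 when the constructed sample passes the check.
check_sample() {
  printf '%s\n' "$SAD_SAMPLE" | tunnel_ok 193.xx.xx.xx 212.xx.xx.xx hmac-sha2-256 aes-256
}

check_sample && echo "sample: tunnel up in both directions with aes-256/hmac-sha2-256"
# On the gateway itself:
#   ipsecctl -sa | tunnel_ok 193.xx.xx.xx 212.xx.xx.xx hmac-sha2-256 aes-256 || echo "tunnel NOT ok"
```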

AGE - Encrypt Files with SSH Keys

Stumbled upon something that I’ve missed for a long time: encrypting files with the ssh public key :)

Source

Install Package

OpenBSD (and most other *nix systems) has a package for age. Just install it.

doas pkg_add age

Asymmetric Encryption

Asymmetric encryption encrypts and decrypts the data using two separate yet mathematically connected cryptographic keys. These keys are known as a ‘Public Key’ and a ‘Private Key’. Together, they’re called a ‘Public and Private Key Pair’.
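The round trip this post is about, as an added example (not code from the post): a file is encrypted to an SSH public key with `age -R` and decrypted with the matching private key via `age -d -i`. It assumes the age package and ssh-keygen are installed and generates a throwaway ed25519 key pair in a temporary directory, so nothing in ~/.ssh is touched.

```shell
#!/bin/sh
# Added example, not from the post: encrypt to an SSH public key with age and
# decrypt with the private key. age reads the private key file itself; keys that
# only live in ssh-agent cannot be used for decryption.

# Encrypt plaintext $1 for the SSH public key(s) listed in file $2, writing $3.
age_encrypt_ssh() { age -R "$2" -o "$3" "$1"; }

# Decrypt age file $1 with SSH private key file $2, writing the plaintext to $3.
age_decrypt_ssh() { age -d -i "$2" -o "$3" "$1"; }

# age output is easy to recognise: the first line is this fixed ASCII header.
is_age_file() { [ "$(head -n 1 "$1")" = "age-encryption.org/v1" ]; }

# Round trip on a constructed note; returns 0 when the decrypted copy matches.
age_roundtrip() {
  dir=$(mktemp -d) || return 1
  printf 'constructed secret note\n' > "$dir/note.txt"
  ssh-keygen -q -t ed25519 -N '' -C age-demo -f "$dir/id_ed25519" || return 1
  age_encrypt_ssh "$dir/note.txt" "$dir/id_ed25519.pub" "$dir/note.txt.age" || return 1
  is_age_file "$dir/note.txt.age" || return 1
  age_decrypt_ssh "$dir/note.txt.age" "$dir/id_ed25519" "$dir/note.dec" || return 1
  if cmp -s "$dir/note.txt" "$dir/note.dec"; then rc=0; else rc=1; fi
  rm -rf "$dir"
  return $rc
}

if command -v age >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1; then
  age_roundtrip && echo "age round trip with SSH key: ok"
fi
```

For a real key, replace the generated pair with ~/.ssh/id_ed25519.pub and ~/.ssh/id_ed25519; a passphrase-protected private key is prompted for by age.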

MAC Converter

MAC Address Converter

We all deal with MAC addresses sometimes … there are different formats on different systems. This little script converts an address to all formats and you can choose the appropriate one.

Example

$ maconvert aa:bb:cc:dd:ee:ff

aabbccddeeff
aa:bb:cc:dd:ee:ff
aa-bb-cc-dd-ee-ff
aabb.ccdd.eeff

Script

Copy/paste will work on OpenBSD; Linux needs some small modifications (there is no doas, for example …).

doas su -

cat << 'EOFSCRIPT' > /usr/local/bin/maconvert
#!/usr/bin/env bash

# v0.1, 2021, by Christian Henschel
# v0.2, 2021-12-29, Stöge -> add OpenBSD Support & install gawk if needed

if [ OpenBSD == $(uname -s) ]; then
  which gawk &>/dev/null || doas pkg_add gawk
  _awk=$(which gawk)
else
  _awk=$(which awk)
fi

if [ -z "$1" ]; then
  cat <<'EOF'

  no mac address entered, valid format are:

  cafedeadbeef
  cafe.dead.beef
  ca:fe:de:ad:be:ef
  ca-fe-de-ad-be-ef

EOF
  exit 1
else
  mac=$(echo $1 | sed -e 's/[.:-]//g')
  maccolon=$(echo $mac  | $_awk '{gsub(/..\B/,"&:")}1')
  macdash=$(echo $mac  | $_awk '{gsub(/..\B/,"&-")}1')
  macpoint=$(echo $mac | $_awk '{gsub(/....\B/,"&.")}1')
fi

cat <<EOF

  $mac
  $maccolon
  $macdash
  $macpoint

EOF
exit 0
EOFSCRIPT

doas chmod 755 /usr/local/bin/maconvert
maconvert
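The script above needs gawk for the `\B` regex, which is one of the modifications Linux (or a plain awk) needs. The version below is an added example, not the post's script: it uses only POSIX sh and sed, accepts the same four input formats in either case, and rejects anything that is not exactly 12 hex digits, so a typo is reported instead of being reformatted into a plausible-looking address.

```shell
#!/bin/sh
# Added example, not the post's script: portable MAC address converter with input
# validation (POSIX sh + sed, no gawk dependency).

# Strip separators, lower-case, and validate; print the bare 12-hex form or fail.
mac_normalize() {
  m=$(printf '%s' "$1" | tr -d '.:-' | tr 'A-F' 'a-f')
  case $m in
    *[!0-9a-f]*|'') return 1 ;;
  esac
  [ "${#m}" -eq 12 ] || return 1
  printf '%s\n' "$m"
}

# Print the four formats the post shows: bare, colon, dash, Cisco dotted.
mac_formats() {
  m=$(mac_normalize "$1") || { echo "invalid MAC address: $1" >&2; return 1; }
  printf '%s\n' "$m"
  printf '%s\n' "$m" | sed 's/../&:/g; s/:$//'
  printf '%s\n' "$m" | sed 's/../&-/g; s/-$//'
  printf '%s\n' "$m" | sed 's/..../&./g; s/\.$//'
}

# Usage: maconvert <mac>, same as the post's script.
if [ -n "$1" ]; then
  mac_formats "$1"
fi
```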

NJoy!

OpenBSD 7.0

OpenBSD 7.0 released!

The 7.0 release was published on 14 Oct 2021, two weeks before the official launch date (1 Nov).

All the Changes are listed here: https://www.openbsd.org/70.html, or summarized: undeadly.org

Things I have to consider for my boxes:

Upgrade Guide

Follow the official upgrade guide. You can upgrade with a USB stick, ISO image, PXE boot or inline (from a running system).

Aslo - AS Lookup

ASLO

AS lookup helper script. It’s written for OpenBSD and needs some modification for Linux. It basically depends on Python, the pip installer and the Python package “aslookup”. Have fun!

Download

wget https://blog.stoege.net/scripts/aslo
chmod 755 aslo
./aslo 1.1.1.1

Script

… and the content itself. It basically checks whether pip is installed, whether as-lookup is installed, and then does the AS lookup for the given IP address.

#!/usr/bin/env bash

# AS Lookup for IP Address

install_pip() {
  echo -e "\npip not found, install ?\n"
  read -rsp $'Press any key to continue...\n' -n1 key
  pkg_add py3-pip--
  ln -sf /usr/local/bin/pip3.9 /usr/local/bin/pip
  echo -e "\npip installed ...\n"
}

install_aslookup() {
  echo -e "\nas-lookup not found, install ?\n"
  read -rsp $'Press any key to continue...\n' -n1 key
  pip install aslookup
  echo -e "\naslookup installed ...\n"
}

aslo() {
  # getent prints "<address> <name>"; drop IPv6 lines (they contain ':') and keep the address
  as-lookup -s cymru $(getent hosts "$1" | awk '!/:/{ print $1 }')
}

[ -n "$1" ] || { echo "usage: $0 <ip address or hostname>" >&2; exit 1; }
which pip &>/dev/null || install_pip
which as-lookup &>/dev/null || install_aslookup
aslo "$1"

exit 0

Usage

You can simply ask for one IP …

Nextcloud on OpenBSD

Intro

Wanna run your own Nextcloud server on OpenBSD … ? Give it a try! It’s quite trivial, as you can see. Just fire up an empty machine, assign a hostname / DNS record, and follow the examples below. This setup is done on the current version, 6.9. Have fun!

Inspired by: https://dev.to/nabbisen/nextcloud-on-openbsd-installation-15d6

Packages

Install some packages. I use SQLite as the database because I don’t expect a lot of users/traffic/files.

$ doas pkg_add nextcloud
quirks-3.633 signed on 2021-09-27T19:58:00Z
Ambiguous: choose package for nextcloud
a 0: <None>
  1: nextcloud-20.0.12
  2: nextcloud-21.0.4
Your choice: 2
Ambiguous: choose dependency for nextcloud-21.0.4:
a 0: php-pdo_mysql-7.4.23
  1: php-pdo_pgsql-7.4.23
  2: php-pdo_sqlite-7.4.23
Your choice: 2
nextcloud-21.0.4:argon2-20190702: ok
nextcloud-21.0.4:libsodium-1.0.18p1: ok
nextcloud-21.0.4:libxml-2.9.10p3: ok
nextcloud-21.0.4:oniguruma-6.9.6: ok
...
nextcloud-21.0.4: ok
Running tags: ok
The following new rcscripts were installed: /etc/rc.d/php74_fpm
See rcctl(8) for details.
New and changed readme(s):
  /usr/local/share/doc/pkg-readmes/femail-chroot
  /usr/local/share/doc/pkg-readmes/nextcloud
  /usr/local/share/doc/pkg-readmes/php-7.4

Prepare Chroot

Create some Folders and stuff in the Chrooted Environment

Dog

Dog (echo dig | sed 's/i/o/')

You know nslookup, dig, host, getent and all the other DNS commands for the CLI. But have you ever tried dog?

Website: https://dns.lookup.dog/

and their docs: https://dns.lookup.dog/dns-in-five-minutes

dog is an open-source DNS client for the command-line. It has colourful output, supports the DoT and DoH protocols, and can emit JSON.

Install Package

$ doas pkg_add dog

Examples

DNS over TLS

$ dog example.com --tls @dns.google

DNS Request over HTTPS

$ dog -H @https://dns.google/dns-query lookup.dog
A lookup.dog. 18m08s   51.159.26.255

JSON Support

$ dog bsago.me --json | jq .responses[0].answers[0]
{
  "address": "138.68.117.94",
  "class": "IN",
  "name": "bsago.me.",
  "ttl": 7111,
  "type": "A"
}

Full Help File

$ dog --help
dog ● command-line DNS client

Usage:
  dog [OPTIONS] [--] <arguments>

Examples:
  dog example.net                          Query a domain using default settings
  dog example.net MX                       ...looking up MX records instead
  dog example.net MX @1.1.1.1              ...using a specific nameserver instead
  dog example.net MX @1.1.1.1 -T           ...using TCP rather than UDP
  dog -q example.net -t MX -n 1.1.1.1 -T   As above, but using explicit arguments

Query options:
  <arguments>              Human-readable host names, nameservers, types, or classes
  -q, --query=HOST         Host name or IP address to query
  -t, --type=TYPE          Type of the DNS record being queried (A, MX, NS...)
  -n, --nameserver=ADDR    Address of the nameserver to send packets to
  --class=CLASS            Network class of the DNS record being queried (IN, CH, HS)

Sending options:
  --edns=SETTING           Whether to OPT in to EDNS (disable, hide, show)
  --txid=NUMBER            Set the transaction ID to a specific value
  -Z=TWEAKS                Set uncommon protocol-level tweaks

Protocol options:
  -U, --udp                Use the DNS protocol over UDP
  -T, --tcp                Use the DNS protocol over TCP
  -S, --tls                Use the DNS-over-TLS protocol
  -H, --https              Use the DNS-over-HTTPS protocol

Output options:
  -1, --short              Short mode: display nothing but the first result
  -J, --json               Display the output as JSON
  --color, --colour=WHEN   When to colourise the output (always, automatic, never)
  --seconds                Do not format durations, display them as seconds
  --time                   Print how long the response took to arrive

Meta options:
  -?, --help               Print list of command-line options
  -v, --version            Print version information

Happy Dog !

PHP 8.0 on OpenBSD 6.9

OpenBSD 6.9 and PHP 8 are out … Why not give it a try?

list packages

What PHP packages are available with version 6.9?

root@host # pkg_info -Q php |grep '\-8'
php-8.0.3
php-apache-8.0.3
php-bz2-8.0.3
php-cgi-8.0.3
php-curl-8.0.3
php-dba-8.0.3
php-dbg-8.0.3
php-enchant-8.0.3
php-gd-8.0.3
php-gmp-8.0.3
php-imap-8.0.3
php-intl-8.0.3
php-ldap-8.0.3
php-mysqli-8.0.3
php-odbc-8.0.3
php-pcntl-8.0.3
php-pdo_dblib-8.0.3
php-pdo_mysql-8.0.3
php-pdo_odbc-8.0.3
php-pdo_pgsql-8.0.3
php-pdo_sqlite-8.0.3
php-pgsql-8.0.3
php-pspell-8.0.3
php-shmop-8.0.3
php-snmp-8.0.3
php-soap-8.0.3
php-sqlite3-8.0.3
php-tidy-8.0.3
php-xsl-8.0.3
php-zip-8.0.3

Install and Configure Nginx

add nginx, php8

Add the web server and PHP 8, and enable the services.