OpenBSD Journal

Version 0.114 of Game of Trees has been released (and the port updated):

• preserve author timestamps when rebasing commits
• stop running ssh with -q by default; -q hides host key fingerprint errors
• fix gotsys-read-conf crash when ssh key comments are missing in gotsys.conf
• relax repository path permission checks in gotsys-repo-create
• add gotsys apply -w option which waits until sysconf has been run
• fix gotsysd getting stuck due to missing final messages from libexec helpers
• plug a file descriptor leak in the gotsysd libexec process

In a fediverse post, Stefan Sperling (stsp@) asks for testing of a potential fix for a problem affecting a number of network interface drivers (namely bge, bnx, iavf, igc, ix, ixl, ngbe and pcn), pointing to a message on tech@ with the subject bge/bnx/iavf/igc/ix/ixl/ngbe/pcn: ifq_restart() fix that reads

List: openbsd-tech Subject: bge/bnx/iavf/igc/ix/ixl/ngbe/pcn: ifq_restart() fix From: Stefan Sperling <stsp () stsp ! name> Date: 2025-06-20 10:12:14 A bug has been fixed by yasuaok@ in vmx(4) where the driver was calling ifq_restart() without actually having made any space on a full Tx ring. Calling ifq_restart() in this case can lead to a condition where the interface gets stuck in OACTIVE until the interface is reset with ifconfig.

Read more…

Fresh from the recently concluded j2k25 hackathon comes this report from Klemens Nanni (kn@), who writes:

New country, lots of ramen, friends and new folks - heck, yes!

Having missed the last four (our five?, hard to tell…) hackathons, j2k25 aligned just right to finish our holidays with beautiful sights and culinary delights between streaks of hacking, leaving all else aside for a solid week - it was refreshing retreat and sparked plans to make another, even longer trip through Japan!

This time, I brought a few unfished and/or unanswered diffs, but also specifically wanted to look into unfamiliar code, now that folks were around to ask for advice and discuss with.

First, the installer and rc(8) were due for cleanup: common code for randomness seed files used by bootloaders and rc seemed unnecessarily different, so I synced their logic, style and comments wrt. subtle, yet important details around the sticky(8) bit:

Read more…

In some cases, the current dhcpd(8) is not quite as reliable as one would want in providing the requested data to the actual requestor. After some rounds of discussion and experimentation, David Gwynne (dlg@) is circulating a diff on tech@ that switches the daemon to use UDP sockets instead of bpf.

The motivation is summarized as,

tl;dr this replaces bpf with udp sockets in dhcpd, mostly to make it better at replying with the ip that requests were sent to.

and the full message, with the subject dhcpd(8): use UDP sockets instead of BPF reads,

List: openbsd-tech Subject: dhcpd(8): use UDP sockets instead of BPF From: David Gwynne <david () gwynne ! id ! au> Date: 2025-06-13 3:29:20 tl;dr this replaces bpf with udp sockets in dhcpd, mostly to make it better at replying with the ip that requests were sent to. ive been hacking on this because of a problem at work, which i want to solve by setting up a bunch of "anycast" dhcp servers. ie, i want to have multiple dhcpd on separate servers with the same IP assigned as an alias on all of them.

Read more…

In a long series of commits, Robert Nagy (robert@) updated clang(1)/llvm/lld(1) in -current to version 19.1.7 (from version 16.0.6):

CVSROOT: /cvs Module name: src Changes by: robert@cvs.openbsd.org 2025/06/11 06:54:56 Log message: import of llvm from LLVM 19.1.7 Status: Vendor Tag: LLVM Release Tags: LLVM_19_1_7 U src/gnu/llvm/llvm/.clang-format […]

Those building from source should follow the instructions in Following -current and using snapshots before making the leap.

Kristaps Dzonsons (known for mandoc(1), rpki-client(8), and much more) has written an article, Source code sandboxing, on sandboxing from the perspective of developers. It compares the facilities available under several operating systems, and requests relevant contributions.

As Undeadly readers might expect, OpenBSD's pledge(2) and unveil(2) receive favourable appraisal.

Kristaps' article refers to Sandboxing Adoption in Open Source Ecosystems, an academic article published on the subject.

[In 2016, Undeadly published Kristaps Dzonsons on pledge(2).]

Following a discussion on tech@ [initiated by a post with patch from Ted Unangst (tedu@)], the "TearFree" option has been backported to the xenocara modesetting(4) driver in -current:

CVSROOT: /cvs Module name: xenocara Changes by: matthieu@cvs.openbsd.org 2025/06/09 12:18:36 Modified files: xserver/dix : pixmap.c xserver/hw/xfree86/common: xf86Mode.c xserver/hw/xfree86/drivers/modesetting: dri2.c driver.c driver.h drmmode_display.c drmmode_display.h dumb_bo.c meson.build modesetting.man pageflip.c present.c vblank.c xserver/hw/xfree86/modes: xf86Crtc.h xf86Rotate.c xserver/include: displaymode.h pixmap.h xserver/present: present.h present_screen.c Log message: Backport TearFree page flips for the modesetting driver from X.Org maaster. Work done by tedu@ based on previous diffs by jcs@ and stsp@. One bug fix in master by me. tested and ok tb@. commit on behalf of tedu@

The option is on by default, so users of the relevant hardware can expect smooth(er) scrolling ahead.

Rafael Sadowski (rsadowski@), OpenBSD developer and prolific blogger, has been looking into file system performance optimizations on our favorite operating system, and is now sharing his tips and tricks in FFS optimizations with dirhash on his blog.

He leads in with a TL;DR:

tl;dr

Consider playing with sysctl vfs.ffs.dirhash_maxmem to increase the maximum dirhash cache.

That said, it is worth your time to read the whole thing!

Version 0.113 of Game of Trees has been released (and the port updated):

• tweak 'got status' and 'got add' ignores handling for better git compatibility
• improve redundant pack detection during 'gotadmin cleanup'
• gotwebd: do not forget to initialize *ngroups argument for getgrouplist()
• fix default access for root and _gotd when gotsysd runs without config file
• fix bogus "unexpected privsep message" from gotsh during 'got send'
• fix a race in gotd notification processing causing notify process to exit

In a multi-part article, kraileth reviews the installers of various BSD operating systems.

Part 2 covers OpenBSD:

https://eerielinux.wordpress.com/2025/04/27/installing-bsd-in-2025-part-2-a-critical-look-at-openbsds-installer/

That's how it looks from the outside coming in, folks!

Fresh from the just concluded j2k25 hackathon in Nara, Japan, Rafael Sadowski (rsadowski@) has published his report on his blog: Week 2: The j2k25 Japan Hackathon

We arrived in Nara during the late afternoon. After checking into our hotel, goda@, my wife and I headed straight to the hack room. My initial thought was to finally do some ports hacking to warm up and create a plan for the upcoming week. I hadn't had much opportunity for focused thinking during our busy week in Tokyo.

As soon as I booted OpenBSD, kn@ appeared. I was genuinely happy to see him again, and we spent the first half hour catching up. Then he mentioned we were about to head to the team event. This completely derailed my planned "first day" approach - instead of keyboard and OpenBSD work, the evening was filled with excellent food, beer, and funny conversations.

Read more…

Reining in file system access is hard to get right, even for OpenBSD developers.

In a message to tech@ titled openat(2) is mostly useless, sadly Theo de Raadt (deraadt@) describes how the openat(2) family of system calls has failed to live up to expectations in practice, and he proposes changes that may improve the situation.

Theo writes, List: openbsd-tech Subject: openat(2) is mostly useless, sadly From: "Theo de Raadt" <deraadt () openbsd ! org> Date: 2025-05-28 14:03:29 The family of system calls related to openat(2) are mostly useless in practice, rarely used. When they are used it is often ineffectively or even with performance-reducing results. int openat(int fd, const char *path, int flags, ...); These are the others:

Read more…

Recently, Crystal Kolipe found that attaching softraid volumes as read-only devices did not work.

Then what to do?

Fix the code and make it work, of course!

The full story is available as “Stay, (write), protected!”, taking us through the steps of adding a feature to OpenBSD. Enjoy!

A new profiling subsystem is now in OpenBSD-current, from the hands of none other than Theo de Raadt (deraadt@) himself.

A longish sequence of commits introduced the changes incrementally, with a summary as follows: List: openbsd-cvs Subject: CVS: cvs.openbsd.org: src From: Theo de Raadt <deraadt () cvs ! openbsd ! org> Date: 2025-05-24 6:49:17 CVSROOT: /cvs Module name: src Changes by: deraadt@cvs.openbsd.org 2025/05/24 00:49:17 Modified files: include : unistd.h sys/sys : exec.h exec_elf.h gmon.h proc.h systm.h sys/kern : exec_elf.c init_sysent.c kern_exec.c kern_exit.c kern_fork.c kern_pledge.c subr_prof.c syscalls.master Log message: In the old gprof profiling subsystem, the simplistic profil() syscall told the kernel about the sample buffer, and then the normal exit-time _mcleanup() would finalize the buffer, open()'ed a file and write out the details. This file opening has become increasingly impossible because of our privsep / privdrop, chroot, setresuid uid-dropping, pledge, unveil, and other efforts. So people stopped using gprof. Programs which needed profiling needed substantial mitigation removal changes to put them under test.

Read more…

Are you an OpenBSD user with a low power device such as a PC Engines APU2, with one or more em(4) network interfaces?

Darren Tucker (dtucker@) has a new diff out that may be of use to you, posted in a message to tech@:

List: openbsd-tech Subject: em(4) TX interrupt mitigation From: Darren Tucker <dtucker () dtucker ! net> Date: 2025-05-19 8:52:13 Hi. TL;DR: if you use em(4), particularly on a low-power device such as a pcengines APU2, please try this diff. The em(4) driver has 5 interrupt mitigation timers[0].

Read more…

Kirill A. Korinsky (kirill@) writes in with his guide to setting up an EdgeRouter 4 with OpenBSD/octeon to provide a failover gateway/router setup:

This article details the configuration process for setting up OpenBSD on an EdgeRouter 4 device to function as a home router, incorporating features such as private DNS resolution for clients and failover WAN connectivity.

Read the whole thing at Kirill's site.

erspan(4), the ERSPAN collection driver created by David Gwynne (dlg@) [and about which we recently reported] has been committed to the tree:

CVSROOT: /cvs Module name: src Changes by: dlg@cvs.openbsd.org 2025/05/13 19:54:12 Modified files: sys/net : if_gre.c Log message: add support for the ERSPAN Type II protocol ERSPAN is a specific GRE 0 protocol id with GRE sequence numbers enabled, with it's own shim header, and then an Ethernet payload.

Read more…

Version 0.112 of Game of Trees has been released (and the port updated):

• remove /tmp/got-importmsg temp files when import commit message is left empty
• rely on secondary _gotwebd groups if repos_path is not owned by _gotwebd group
• fix unrelated errors being reported if a histedit operation is aborted
• implement support for protected references in gotsys.conf and gotsysd
• plug memory leaks in some libexec helpers and in the gitconfig parser
• stop needlessly opening the repository whenever a work tree is opened

Omar Polo (op@) has announced the release of version 7.7.0p0 of OpenSMTPD:

[…] Changes in this release: ======================== - mail.lmtp: Correctly propagate LMTP permanent failures to smtpd. - Fixed connect filter request documentation in smtpd-filters.7. - Updated to new imsg APIs. […]

See the full release announcement for all the details.

Our favorite operating system is in the process of aquiring Encapsulated Remote Switch Port Analyzer (ERSPAN) support, in the form of a new virtual network interface, dubbed erspan(4).

An early version of the code, but possibly close to being ready for further development in-tree was presented by David Gwynne (dlg@) in a message to tech@:

List: openbsd-tech Subject: erspan(4): ERSPAN Type II collection From: David Gwynne <david () gwynne ! id ! au> Date: 2025-05-12 1:27:59 we were exploring how to better let us see what's happening on access networks or specific ports on a switch at work. our switches are pretty much all cisco, which has ERSPAN. ERSPAN in it's various forms ships Ethernet packets over GRE for collection and analysis on another system. There's 3 types of ERSPAN encapsulation, but Type II seems broadly implemented.

Read more…