This page contains an odd assortment of notes from my experiences using OpenBSD and various other software on the system. Your mileage may vary.
| Some of my local ports, most in reasonable state. Tarballs under the tarballs directory. | |
| In 3.2-beta and forward, apache is chrooted in /var/www. I was setting up a system where I wanted to consolidate the quotas for my web users, so I wanted to move apache to /home/www. I ended up modifying the contents of /usr/src/usr.sbin/httpd, and reinstalling. See my diff. | |
| Another note on the above: apparently that's not necessary, it suffices to set a different ServerRoot in your httpd.conf. Or so I have been told. Furthermore, if you have taken the ill-advised step of union/null mounting /usr into the chroot, you should ensure that you copy /var/run/ld.so.hints into the chroot as well, otherwise any program requiring libs that live in /usr/X11R6 (not in the default search path!) won't be able to run. | |
| With RAIDframe, if you configure a raid volume and then want to start over, make sure you zero out the first few blocks of the file. I didn't do that, and it caused many headaches. I ended up just newfs'ing the drives (after changing the disklabels back) and this worked too - but it's overkill. Otherwise, RAIDframe is really easy to set up! | |
| I wrote a small diff against qmHandle version 1.0.0 to allow a (properly privileged!) user to delete all messages from either the local or remote queues. Just a more fine-grained 'delete all'. See it here. | |
|
If you're like me, you'd like your web server to be able to send out emails. The problem is that it runs in a chroot()
environment. In order to do this, I spent a bit of (annoying) time trying various solutions. I tried mini_sendmail (search
on freshmeat for it) ... it should have worked but it didn't - I think because I didn't have a proper environment set up for php to
make system() calls (i.e. no shell, ld.so, etc).
Mini-qmail is another fun solution as it supports qmqp - but there are two pieces of this puzzle now - qmqpd and qmqpc. Woo! If you've followed the instructions in Life With Qmail, you'll find my instructions very simple to follow - if not, you'll probably find it pretty easy anyway.
Here is a script that puts all the programs you'll need in all the right places. It's really pretty straightforward, so reading the script covers most of the necessary documentation on that end.
Note: when I initially created this script, it assumed you had a full working qmail installed in QMAILHOME (/var/qmail by default). You probably want this if you're using the port.
Caveats / Changes you need to make ("client" side):
|
|
|
I've made an OpenBSD port of the above technique (sorta). It's slightly more OpenBSD-erific, which means that it installs the
appropriate files in /usr/local/bin and modifies qmail to expect config files (me, defaultdomain, qmqpservers) in /etc/mini-qmail.
I tested briefly on i386, but this is basically Qmail - so it should work anywhere Qmail does. Bugs / whatever,
welcome (note on email: don't be afraid of tmda ...
it just wants to know that you're a real person!).
Download it here. |
|
| In case you ever happen to get your own SSL certificate from someone like Thawte or InstantSSL (my preference), you might want to know how to create PEM format certificates for use with things like Stunnel or Courier IMAP. To do so, follow the example here. | |
| More on the above... Yeah, for some reason, this took me a lot longer than it should have.
It seems that Stunnel wants the entire certificate chain in the pem file, including your RSA private key
used to sign your original CSR. Why? I don't know, seems dumb considering there is a CAfile option where you
can put the certs for your CA, but it never seemed to work for me. You'd only notice this if you had a valid
certificate, but OE/Entourage were still complaining that it's broken.
So, to get the "proper" pem file, put them in like this:

RSA KEY HERE...
... BLANK LINE ...
YOUR SSL CERT ...
... BLANK LINE ... (heh)
YOUR ROOT CERT1 ...
... BLANK LINE ...
YOUR ROOT CERT2 ...

You get the idea. Dunno, but that's what it took to get OE / Entourage to not complain that my cert was invalid. In addition, my config file may be informative. For chroot details (though OpenBSD specific), my chroot is populated like this. If I ever learn about mtree, I'll write an mtree for it. |
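A quick way to lint a combined pem file against the layout described above before pointing Stunnel at it. This is an added example, not part of the original notes: the function names and the sample blocks are made up for illustration, and it assumes the key is stored without a passphrase header.

```python
import base64, binascii, os, re, stat

# One PEM block; the BEGIN and END labels must agree.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def check_bundle(text, mode=None):
    """Return a list of problems with a key + cert + chain PEM bundle."""
    problems, labels = [], []
    for label, body in PEM_BLOCK.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append("%s block is not clean base64" % label)
        labels.append(label)
    if text.count("-----BEGIN ") != len(labels):
        problems.append("unterminated or mismatched BEGIN/END block")
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append("expected exactly one private key, found %d" % len(keys))
    elif labels[0] != keys[0]:
        problems.append("private key is not the first block")
    if labels.count("CERTIFICATE") < 2:
        problems.append("server certificate has no CA certificate after it")
    if re.search(r"-----END [A-Z0-9 ]+-----\r?\n-----BEGIN ", text):
        problems.append("missing blank line between blocks")
    if mode is not None and stat.S_IMODE(mode) & 0o077:
        problems.append("bundle holds a private key but is group/world accessible")
    return problems

def check_file(path):
    """Run the same checks on a file, including its permission bits."""
    with open(path) as fh:
        return check_bundle(fh.read(), os.stat(path).st_mode)

def _block(label, payload):
    # Constructed sample data: the payloads are placeholders, not key material.
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)

GOOD = "\n".join([_block("RSA PRIVATE KEY", b"constructed-key"),
                  _block("CERTIFICATE", b"constructed-server-cert"),
                  _block("CERTIFICATE", b"constructed-root-cert")])
BAD = (_block("CERTIFICATE", b"constructed-server-cert")
       + _block("RSA PRIVATE KEY", b"constructed-key"))

if __name__ == "__main__":
    print(check_bundle(GOOD, 0o100600))
    print(check_bundle(BAD, 0o100644))
```

Since the bundle carries the private key, the permission check matters as much as the ordering: keep the file owned by the user Stunnel starts as and mode 600.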
|
| Ever wanted to connect a Sun machine to another Sun machine and log into one of their consoles? I have, and after trying it out I realized that if they're both running without keyboards, they're both running gettys on their serial consoles. That is, you can't open the device because it's already locked by the getty process. So, in OpenBSD at least, go into /etc/ttys and disable the offending port (for my IPX w/ 3.2, it appears that only the 'console' line works, so disable that!). Then make sure there are no phantom login or login_passwd processes running and use tip, cu, or minicom to open the device like on any other machine. Works great! | |
| Supposing you wanted to spend half of your day off doing something completely
less useful than you thought when you started, you might try to set up OpenBSD as a NIS client
complete with Automount (AMD) maps. Yeah, I did that. This is far from a howto, but the gist
is as follows:
Server Side:
Client side:
Hopefully by now you won't have noticed that you could do a very similar setup with rdist, using an rdistfile somewhat like this one. Thanks to Todd Miller on the OpenBSD misc list for the reference and original rdistfile. If you had noticed, you're probably wondering why you bothered in the first place, since you probably want to keep /etc/sudoers in sync between machines as well. I suppose this technique still has some benefits. | |
| Here is a super-quick port of throttle, a bandwidth throttling pipe. Useful for controlling the speed of services launched via inetd, tcpserver, or ssh. Tested on OpenBSD 3.2, i386. Let me know what you think! | |
| Here is another super-quick port of mod_watch from snert. Testing on OpenBSD 3.2, i386. Heavily based on the mod_throttle port. | |
| Here is a quick script to convert PureFTPd's stats format to common log format (suitable for analysis by Webalizer). | |
| Some notes on setting up a Cyclades Z-series card in a recent version of OpenBSD. | |
| My spamdb-report script, adapted from the original. |