Re: [AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not working

2015-08-15 Thread Sep
Could your IP address be the one failing?

Error: nsopenssl: failed to listen on 23.253.\
246.52:443: Permission denied

What's the stray backslash for?
On Aug 16, 2015 9:17 AM, Scott Goodwin sc...@scottg.net wrote:

 Has this ever worked in the past? It's been a long time since I've looked
 at the module and I don't recall if it worked for multiple SSL listening
 ports as virtual servers on the same AOLserver instance. I never had an
 occasion to use it that way. If it's not capable of doing that in its last
 incarnation it will probably take some work to modify it to do it properly.

 /s.

 On Aug 15, 2015, at 8:17 PM, Thorpe Mayes tma...@ecognizant.net wrote:

 Hi,

 I have AOLserver 4.5.2 running with virtual servers - main.tcl with
 several sub config files.

 Three of the domain names are using SSL. The certificate is a UCC SSL
 Certificate that will accommodate up to 5 domain names.

 If I activate the virtual server for just one of the three domains that
 are using SSL, then everything works fine. When I activate two or more of
 the sub files that need ssl, the server fails to start. Here is the tail
 end of the log file:

 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain:
 AOLserver/4.5.2 running
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain:
 security info: uid=502, euid=502, gid=502\
 , egid=502
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver:
 starting: nssock
 [15/Aug/2015:18:39:13][3924.18446744073356683008][-sched-] Notice: sched:
 starting
 [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice:
 starting
 [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice:
 nssock: listening on 23.253.246.52:80
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver:
 starting: nsopenssl
 [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-]
 Notice: starting
 [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-]
 Notice: nsopenssl: listening on 23.253.246.52\
 :443
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver:
 starting: nsopenssl
 [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-]
 Notice: starting
 [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-]
 Error: nsopenssl: failed to listen on 23.253.\
 246.52:443: Permission denied
 [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-]
 Notice: exiting
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver:
 starting: nsopenssl
 [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-]
 Notice: starting
 [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-]
 Error: nsopenssl: failed to listen on 23.253.\
 246.52:443: Permission denied
 [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-]
 Notice: exiting
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Fatal: could not
 start drivers


 Here is the ssl portion of the main.tcl file:

 ns_section ns/server/module/nsopenssl
 # ns_param RandomFile /some/file

 ns_param SeedBytes  2048;  # was 1024


 Here is the ssl portion of the sub files (all appear to load
 successfully - see below):

 #-

 # OpenSSL and nsopenssl

 # http://openacs.org/forums/message-view?message_id=320064 - for nsd code - note: must use port 443
 # http://openacs.org/doc/install-nsopenssl.html - binding port 443 in daemontools
 #-


 ns_section ns/server/${ecognizant}/module/nsopenssl/sslcontexts
 ns_param ${ecognizant}_users_ctx "SSL context used for $ecognizant regular user access"
 # ns_param admins_ctx "SSL context used for administrator access"

 ns_param ${ecognizant}_client_ctx "SSL context used for $ecognizant outgoing script socket connections"


 ns_section ns/server/${ecognizant}/module/nsopenssl/defaults
 ns_param server ${ecognizant}_users_ctx
 ns_param client ${ecognizant}_client_ctx


 ns_section ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_users_ctx
 ns_param Role server
 ns_param ModuleDir $ssldocdir
 ns_param CertFile cert.pem
 ns_param KeyFile key.pem
 ns_param CAFile ca.pem
 ns_param Protocols All
 ns_param CipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
 ns_param PeerVerify false
 ns_param PeerVerifyDepth 3
 ns_param Trace false


 ns_section ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_client_ctx
 ns_param Role client
 ns_param ModuleDir $ssldocdir
 ns_param CertFile cert.pem
 ns_param KeyFile key.pem
 ns_param CAFile ca.pem
 ns_param Protocols All
 ns_param CipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
 ns_param PeerVerify false
 ns_param PeerVerifyDepth 3
 ns_param Trace false


 ns_section ns/server/${ecognizant}/module/nsopenssl/ssldrivers
 ns_param ${ecognizant}_users_drv Driver for 

Re: [AOLSERVER] Aolserver - Postgresql - not recognizing columns added to tables

2015-08-09 Thread Sep
I don't quite remember my postgresql, but I'm presuming that maybe
postgresql has something like a data dictionary like in Oracle that needs
syncing perhaps?

Regards.

2015-08-10 8:44 GMT+08:00 Peter Sadlon f_petra...@hotmail.com:

 Just to better understand your problem, this was the order of events?

 old server: create table
 old server: alter table add column
 old server: select any/all columns work

 copy to new server

 new server: select from original columns work with postgresdql
 new server: select from an added column works with postgresdql
 new server: select from original columns work with tcl
 new server: select from an added column FAILS with tcl

 My first guess would be to make sure your config script is connecting to
 the correct database/server now that you have multiple db servers.  Same
 thing for postgresdql.

 Are you connecting with the same username via postgresdql and tcl?

 Next check your pg_dump file, do a grep for the new column name, make sure
 that it is included in the dump.


 --
 From: tma...@ecognizant.com
 Date: Sun, 9 Aug 2015 14:03:28 -0500
 To: aolserver-talk@lists.sourceforge.net
 Subject: [AOLSERVER] Aolserver - Postgresql - not recognizing columns
 added to tables


 Hi,

 I have moved postgresql databases from one server to another. This was
 done by dumping the database, moving the resulting file to the new server,
 and then restoring the dumped file on the new server.

 When I directly select rows via postgresdql (on the new server) from a
 table that had a column added after the table was created and before the
 table was moved to the new server there are not any problems.

 However, when I try to do the same select from within a tcl script an
 error is thrown - the column does not exist. When I run the sql statement
 without the offending column, there is not a problem.

 So, it appears to me that the problem is with columns that have been added
 to tables via alter table…

 Can anyone shed some light on this problem?

 Thank you,

 Thorpe

 Thorpe Mayes
 eCognizant LLC
 2313 Lockhill-Selma Road, Ste 164
 San Antonio, TX 78230
 Phone: (405) 445-7877
 Cell: (405) 514-9753








 --
 ___ aolserver-talk mailing
 list aolserver-talk@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/aolserver-talk






-- 
A scrum a day keeps the pigs at bay


Re: [AOLSERVER] AOLserver questions

2015-03-20 Thread Sep Ng
Thank you once again for your swift response!

On Friday, March 20, 2015 at 2:33:59 PM UTC+8, Gustaf Neumann wrote:

  On 20.03.15 at 05:47, Sep Ng wrote:
  
 Hi Gustaf!  Thank you for the informative response! 

  I've been thinking of moving to NaviServer but I don't know enough about 
 the transition to make that call yet.  Right now, we're on aolserver and 
 so, I'm trying to see what I can do on this platform.  I do not understand 
 why the delivery doesn't work on https out of the box and requires a 
 reverse proxy. 
  
 bgdelivery takes the socket (file descriptor) of the current connection, 
 but it has no knowledge about SSL. When it hands the file descriptor to the 
 background delivery thread, this can write back to the client just using 
 plain tcl i/o. So, background delivery can certainly write to the 
 file-descriptor, but that won't be accepted by the client trying to decrypt 
 the channel.

 
I think that is making more sense now.  Thanks.  I may have to look 
into this as well.

  
  I suspect the varied client connection is part of the problem and them 
 sitting on the connection threads is hurting us. 
  
 what is hurting you?

 
We have instances where we'd get a high number of concurrent users that the 
requests are getting queued, but when I look at the logs, there's a lot of 
static files being served for each login page, let alone other pages being 
served in aolserver.  So, I'm theorizing that being able to get those 
static file requests pushed into a single thread and free up the connection 
threads would help in scalability.
 

   However, we do not serve big files on our server so this has me 
 wondering about the benefits of this change.
  
 whatever big means. connections can hang also when writing a few KBs.

Interesting. 

  
  I'm not certain if aolserver has any facilities for asynchronous file 
 writing and spooling. 
  
 the writer threads are an extension of naviserver over aolserver

   It seems that I will have to build everything by hand.  I had hoped 
 that simply transferring the thread and having it ns_returnfile would be 
 enough to get a simple form of background delivery going but it doesn't 
 look like that's the case.
  
 if your site requires https, one can't use bgdelivery without a reverse 
 proxy. 
 otherwise, everything is pre-packaged.

 Oh.  We don't use OpenACS as everything here is custom built by me and 
others before me.  So, it's looking like I'm going to have to roll up my 
sleeves and get to work.

By the way, I've seen in previous posts of yours that you did switch 
from aolserver to naviserver.  How big was the change?  What things did you 
have to re-write/port to get them running in naviserver?

Regards.

 

 -g

  
  Regards.


 On Friday, March 20, 2015 at 12:03:52 PM UTC+8, Gustaf Neumann wrote: 

 Dear Sep, 

 The question whether it is worth to use asynchronous delivery boils 
 down to a question of usage pattern and desired scalability. 
 The general problem with serving (large) resources via 
 classical aolserver is that a connection thread is unable 
 to handle other threads for the time span of the delivery. 
 It is important to understand that the time span of the delivery is 
 mostly 
 determined by the client. A client with little processing power 
 connection 
 over e.g. a mobile phone can block a connection quite a long time. A 
 special instance of this is the slow-read attack [2], which is 
 a special denial-of-service attack. 

 To serve e.g. 60 concurrent files one would require 60 
 connection threads. Note that this can happen quite soon when 
 serving content with several included  resources (images, css, js) 
 the first time to a client. When the server runs out of connection 
 threads, the requests are queued, which means that 
 the user-perceived runtime of a request is actually queueing 
 time plus execution time. 

 Background delivery (as described in [2]) is fully integrated in OpenACS 
 and addresses the problem by delegating output spooling (file deliveries) 
 to a single thread, which can deliver easily several 100 concurrent 
 downloads by using Tcl's asynchronous I/O operations. Note that 
 this works not only for static resources, but as well dynamic 
 requests (e.g. generating long HTML pages from e.g. a database). 
 We used this approach with very good success since 2006 
 in large OpenACS installations (with e.g. 2000 simultaneous 
 active users; simultaneous active means here users who 
 requested pages within a time interval of 5 secs). 

 In OpenACS, one can use simply ad_returnfile_background [3] 
 instead of ad_returnfile to make use of background delivery. 

 The limitations of background delivery are that (a) it just works for 
 plain http, and (b) that it works for at most 1024 concurrently open 
 file handles. We addressed (a) by using a reverse proxy in front 
 of the server, which delivers the files from the backend via https. 
 The limitation (b) is harder, since it depends

Re: [AOLSERVER] AOLserver questions

2015-03-20 Thread Sep Ng
Thank you very much for shedding a lot of light into this.

On Friday, March 20, 2015 at 3:58:19 PM UTC+8, Gustaf Neumann wrote:

   On 20.03.15 at 07:48, Sep Ng wrote:

  what is hurting you?
  
  
  We have instances where we'd get a high number of concurrent users that 
 the requests are getting queued, but when I look at the logs, there's a  
 lot of static files being served for each login page, let alone other pages 
 being served in aolserver.  So, I'm theorizing that being able to get those 
  static file requests pushed into a single thread and free up the 
 connection threads would help in scalability.

 yes, there is a certain hope, that removing this burden from the 
 connection threads will improve the situation. Another option to reduce 
 queuing time is to increase the number of connection threads. 
 If the bottleneck are slow sql-queries then this pooling stuff will not 
 help.

 Right now, I do not believe sql queries are the culprit for the 
scalability issues.  I have a better understanding on this now.  I think 
the only real issue from implementation stand point is getting the reverse 
proxy setup right.
 

 Often the first task to determine, what the bottleneck is, can already 
 be difficult.
 NaviServer has several introspection means for monitoring. The following  
 graph shows queuing times, filter and run times (you won't get
 these numbers from aolserver). The graph (from OpenACS.org) shows
 that queuing time is on that site typically around 0.1 ms, with peaks in 
 the range of 16 ms. This is for example quite useful for determining the 
 right number of running connection threads. naviserver allows to 
 change this number dynamically without restart

 [image: weekly graph]
   

This chart is something that would benefit us very much.  NaviServer is 
looking like a target I should be working towards in the future.
 


   By the way, I've seen in previous posts of yours that you did 
 switch from aolserver to naviserver.  How big was the change?  What things 
 did  you have to re-write/port to get them running in naviserver?

 We did the move of our main site 4 years ago (now we have around 50 
 naviserver sites),
 but i do not have a detailed writeup of the changes. Most of our changes 
 went into OpenACS (download OpenACS 5.8.1, search for NaviServer). 

 what comes to my mind is:
 - NaviServer dropped the useless $conn argument from several commands
   (like old: ns_return $conn 200 text/plain ... -> ns_return 200 
 text/plain ...)
 - different modules (e.g. for ssl), different config file
 - more functionality built-in which was as a module under aolserver
   crypto functions (sha, md5), cache, base-64 encoding, gzip delivery
   (actually, the ns_cache function in naviserver uses a single 
   command style (ns_cache_eval) and in aolserver subcommand style, 
   but we added already a compatibility layer to the naviserver source tree
   which is sufficient for OpenACS)
 - no ns_share (use nsv instead)
 - no ns_set -persistent

 We did not use the latter two, but this comes sometimes up in the mailing 
 lists.
 The move was quite easy for us, but ymmv.
  
 There seems to be much work to be done and this can't be rolled out 
quickly.  I will have to spend more time on this when the time comes.

 

 -g
  


Re: [AOLSERVER] AOLserver questions

2015-03-19 Thread Sep Ng
Hi Gustaf!  Thank you for the informative response!

I've been thinking of moving to NaviServer but I don't know enough about 
the transition to make that call yet.  Right now, we're on aolserver and 
so, I'm trying to see what I can do on this platform.  I do not understand 
why the delivery doesn't work on https out of the box and requires a 
reverse proxy. 

I suspect the varied client connection is part of the problem and them 
sitting on the connection threads is hurting us.  However, we do not serve 
big files on our server so this has me wondering about the benefits of this 
change.

I'm not certain if aolserver has any facilities for asynchronous file 
writing and spooling.  It seems that I will have to build everything by 
hand.  I had hoped that simply transferring the thread and having it 
ns_returnfile would be enough to get a simple form of background delivery 
going but it doesn't look like that's the case.

Regards.


On Friday, March 20, 2015 at 12:03:52 PM UTC+8, Gustaf Neumann wrote:

 Dear Sep, 

 The question whether it is worth to use asynchronous delivery boils 
 down to a question of usage pattern and desired scalability. 
 The general problem with serving (large) resources via 
 classical aolserver is that a connection thread is unable 
 to handle other threads for the time span of the delivery. 
 It is important to understand that the time span of the delivery is mostly 
 determined by the client. A client with little processing power connection 
 over e.g. a mobile phone can block a connection quite a long time. A 
 special instance of this is the slow-read attack [2], which is 
 a special denial-of-service attack. 

 To serve e.g. 60 concurrent files one would require 60 
 connection threads. Note that this can happen quite soon when 
 serving content with several included  resources (images, css, js) 
 the first time to a client. When the server runs out of connection 
 threads, the requests are queued, which means that 
 the user-perceived runtime of a request is actually queueing 
 time plus execution time. 

 Background delivery (as described in [2]) is fully integrated in OpenACS 
 and addresses the problem by delegating output spooling (file deliveries) 
 to a single thread, which can deliver easily several 100 concurrent 
 downloads by using Tcl's asynchronous I/O operations. Note that 
 this works not only for static resources, but as well dynamic 
 requests (e.g. generating long HTML pages from e.g. a database). 
 We used this approach with very good success since 2006 
 in large OpenACS installations (with e.g. 2000 simultaneous 
 active users; simultaneous active means here users who 
 requested pages within a time interval of 5 secs). 

 In OpenACS, one can use simply ad_returnfile_background [3] 
 instead of ad_returnfile to make use of background delivery. 

 The limitations of background delivery are that (a) it just works for 
 plain http, and (b) that it works for at most 1024 concurrently open 
 file handles. We addressed (a) by using a reverse proxy in front 
 of the server, which delivers the files from the backend via https. 
 The limitation (b) is harder, since it depends on Tcl's usage of the 
 select() 
 system call, which allows to wait for events for max. 1024 file 
 descriptors. Above this limit, it simply crashes. Lifting this limit 
 in systems like Linux is possible, but requires a privately compiled 
 libc and linux kernel. You might think 1024 is much more than 
 one needs, but we were actually running close to this limit for 
 lecture casting (video streaming of university lectures). 

 A better approach is to use NaviServer's c-level support. 
 NaviServer provides lightweight c-implemented 
 writer-threads using asynchronous  I/O similar to 
 bg-delivery, but not using select(). The writer threads 
 work seamlessly with http and https. As with bgdelivery, a single 
 writer thread can serve a multitude of concurrent deliveries. 
 When several writer threads are defined, the load is split up 
 between these. NaviServer can also serve streaming 
 HTML (multiple ns_write commands) via writer threads. 
 It also supports static and dynamic gzip deliveries, see e.g. [3] 

 When one uses OpenACS with NaviServer it will automatically use 
 writer-threads when configured. In reference [4] one can see the 
 difference in response time (actually the time duration spent 
 in connection threads) in NaviServer. OpenACS.org runs 
 on NaviServer since Sep 2014. A more detailed discussion 
 of these properties is in [5], all of this is part of NaviServer 4.99.6. 

 sorry for the longish reply, 
 -g 

 [1] http://openacs.org/xowiki/Boost_your_application_performance_to_serve_large_files!
 [2] http://en.wikipedia.org/wiki/Denial-of-service_attack#Slow_Read_attack 
 [3] http://openacs.org/api-doc/proc-view?proc=ad_returnfile_backgroundsource_p=1 
 [3] http://www.qcode.co.uk/post/121 
 [4] http://openacs.org/forums/message-view?message_id=4111406 
 [5
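
Added example (not part of the original thread, and not Tcl's, OpenACS's or NaviServer's code): the 1024-descriptor limit described in the message above comes from select()'s fixed-size fd_set, so this sketch guards the select() path against descriptors at or above FD_SETSIZE and shows the same writability wait with poll(), which has no such bound. A constructed pipe stands in for a client that has stopped reading; all function names are illustrative.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <unistd.h>

/* An fd_set is a fixed bitmap of FD_SETSIZE bits (1024 with glibc).
 * FD_SET() on a larger descriptor writes past the end of that bitmap,
 * which is why the limit shows up as a crash rather than an error. */
int fd_fits_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* select()-based wait that refuses descriptors the bitmap cannot hold.
 * Returns 1 if writable, 0 on timeout, -1 on error. */
int wait_writable_select(int fd, int timeout_ms)
{
    fd_set wfds;
    struct timeval tv;
    int rc;

    if (!fd_fits_select(fd)) {
        errno = EINVAL;          /* fail closed instead of corrupting memory */
        return -1;
    }
    FD_ZERO(&wfds);
    FD_SET(fd, &wfds);
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    do {
        rc = select(fd + 1, NULL, &wfds, NULL, &tv);
    } while (rc < 0 && errno == EINTR);
    return rc < 0 ? -1 : (rc > 0);
}

/* Same wait with poll(): the descriptor is passed by value in a struct,
 * so its numeric value is not bounded by FD_SETSIZE. */
int wait_writable_poll(int fd, int timeout_ms)
{
    struct pollfd p;
    int rc;

    p.fd = fd;
    p.events = POLLOUT;
    p.revents = 0;
    do {
        rc = poll(&p, 1, timeout_ms);
    } while (rc < 0 && errno == EINTR);
    if (rc <= 0)
        return rc;               /* 0 = timeout, -1 = error */
    return (p.revents & POLLOUT) ? 1 : -1;  /* POLLERR/POLLHUP/POLLNVAL */
}

/* Constructed scenario: a pipe stands in for the socket to a client that
 * has stopped reading. Reports the wait result before and after the
 * "client" drains its side. */
int slow_reader_demo(int *stalled, int *resumed)
{
    int p[2];
    char buf[4096];
    ssize_t n;

    if (pipe(p) != 0)
        return -1;
    fcntl(p[0], F_SETFL, O_NONBLOCK);
    fcntl(p[1], F_SETFL, O_NONBLOCK);
    memset(buf, 'x', sizeof buf);

    while ((n = write(p[1], buf, sizeof buf)) > 0)
        ;                        /* fill the kernel buffer until EAGAIN */
    *stalled = wait_writable_poll(p[1], 50);

    while ((n = read(p[0], buf, sizeof buf)) > 0)
        ;                        /* the client finally reads */
    *resumed = wait_writable_poll(p[1], 50);

    close(p[0]);
    close(p[1]);
    return 0;
}

int main(void)
{
    int stalled, resumed;

    if (slow_reader_demo(&stalled, &resumed) != 0)
        return 1;
    printf("fd %d fits in an fd_set: %d\n", FD_SETSIZE, fd_fits_select(FD_SETSIZE));
    printf("reader stalled -> %d, reader drained -> %d\n", stalled, resumed);
    return 0;
}
```

A thread that blocks in write() instead of waiting like this is the connection thread the message describes as held for as long as the client chooses.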

[AOLSERVER] AOLserver questions

2015-03-19 Thread Sep Ng
Hi all,

I've been reading up on aolserver background delivery tricks on OpenACS and 
I've seen that the patches for the static TCL channel is already in 4.5.1. 
 In the spirit of improving server performance, I've been wondering if such 
facility is worth building on the custom app to increase concurrency and 
scalability.

Most of the time, our aolserver also has to handle incoming requests for 
multiple jpeg, javascript libraries, and a lot of other things.  Freeing up 
the connection thread sounds very useful in improving the server 
scalability so I wanted a little bit of help on getting this to work.

It's been hard trying to wrap my head around using ns_conn channel and what 
I can actually do with this static TCL thread.  It seems that I should be 
redefining ns_returnfile to use background delivery.  Could I use it to 
push a TCL proc that generates given the parameters, the dynamic page to 
this TCL channel to free up my connections?

Sep


[AOLSERVER] Question on ns_eval

2013-02-14 Thread Sep Ng
Hello,

I've been looking into improving my development environment by using ns_eval 
to update all the TCL interps every time I do changes on it. First off, it 
looks like I have to escape all the special TCL characters on ns_eval.  Is 
this the intended behaviour because I've seen many examples of people using 
ns_eval to do something like this:
ns_eval {source /somewhere/out/there/file.tcl}
but this has never worked for me (source seems to get confused with the [ 
and the ]).

I did a test and ran:
ns_eval {ns_log notice {test me}}
which produced errors where there were too many ns_log arguments.  I was 
able to get it to work by doing this:
ns_eval {ns_log notice \{test me\}}

This leads me to believe that I have to escape every character that I use 
for ns_eval.

My second question is that some of my custom API calls don't seem to be 
recognized when running ns_eval.  I don't really have much of an 
explanation for what this could be.  If anyone has ideas and theories, I'm 
all ears.

Thanks!


Re: [AOLSERVER] Question on ns_eval

2013-02-14 Thread Sep Ng
Thank you for the responses.  I'll conduct some tests.  The code I use to 
reload right now is:

eval namespace eval :: source $file

so on switching to ns_eval, I thought to maybe skip the namespace eval. 
 With or without don't seem to make a difference, but I'll
continue to look into this.


On Friday, February 15, 2013 2:59:28 AM UTC+8, William J. Webb wrote:



 On Thursday, February 14, 2013 12:33:26 PM UTC-6, William J. Webb wrote:

 At the core, we use a slightly different version of:
 proc eval_source { filename } {
     if { [file exists $filename] } {
         # [list] builds one well-formed command, so the filename needs no manual escaping
         set err [catch { ns_eval [list source $filename] } result]
         if { $err } {
             ns_log notice "eval_source ERROR: $result"
         }
     } else {
         error "file $filename does not exist."
     }
 }
 #}}}


 There are some wrappers around this to recurse through directories using 
 patterns, ignore certain types of files, etc.

 Note that ns_eval is asynchronous and the script isn't immediately 
 evaluated in the other interpreters until their next atalloc event.  E.g.: 
 you run an ns_eval/source in one nscp, you won't see it reflected in a 
 second concurrent nscp session.

 Will


 On Thursday, February 14, 2013 3:21:30 AM UTC-6, Sep Ng wrote:

 Hello,

 I've been looking into improving my development environment by using 
 ns_eval to update all the TCL interps every time I do changes on it. First 
 off, it looks like I have to escape all the special TCL characters on 
 ns_eval.  Is this the intended behaviour because I've seen many examples of 
 people using ns_eval to do something like this:
 ns_eval {source /somewhere/out/there/file.tcl}
 but this has never worked for me (source seems to get confused with the 
 [ and the ]).

 I did a test and ran:
 ns_eval {ns_log notice {test me}}
 which produced errors where there were too many ns_log arguments.  I was 
 able to get it to work by doing this:
 ns_eval {ns_log notice \{test me\}}

 This leads me to believe that I have to escape every character that I 
 use for ns_eval.

 My second question is that some of my custom API calls don't seem to be 
 recognized when running ns_eval.  I don't really have much of an 
 explanation for what this could be.  If anyone has ideas and theories, I'm 
 all ears.

 Thanks!



Re: [AOLSERVER] modload: could not find Ns_ModuleInit in /usr/local/aolserver451/bin/nssha1.so

2013-01-29 Thread Sep Ng
For archival purposes, I added this CFLAG to the Makefile.

-Wl,--no-as-needed which linked the .so files successfully.

Reference.
http://stackoverflow.com/questions/14329967/missing-a-library-in-ldd-after-using-gcc-l


On Wednesday, January 30, 2013 7:42:17 AM UTC+8, Sep Ng wrote:

 I just came across this particular issue right now while rebuilding 
 aolserver on ubuntu 12.10.  Curiously it's for a different module, 
 nscache.so.  I checked ldd and it doesn't look like libnscache.so is being 
 linked to it.  I'm not sure why that's the case, but perhaps I missed 
 something during the compile.

 On Monday, May 14, 2012 2:57:37 PM UTC+8, Jim wrote:

 Is your aolserver installation in a system-wide place? It's in 
 /usr/local/aolserver451 which is not a system-wide known place... and 
 as I like to maintain and build the web stack myself, I tend to like 
 this approach. Having said this, both (in standard place versus 
 anywhere else) can work if you use some of the things I'll describe 
 now. 

 The libs created against aolserver and tcl are dynamic libs, so ld.so 
 is used to load and use them. /etc/ld.so.conf should list the places 
 that the machine owner feels should be considered the standard places. 
 So, if /usr/local/aolserver451/lib is in this file, it's considered a 
 system-wide place, and libs in that dir will be found without further 
 ado. 

 If it's not, the best way is not to alter /etc/ld.so.conf, but to add 
 the lib dir to the env var LD_LIBRARY_PATH. If you do this before 
 trying to run nsd, the libs in /usr/local/aolserver451 will be pulled 
 in exactly as if that dir were in /etc/ld.so.conf. 

 -Jim 

 On 5/13/12, Klaus Hofeditz ]project-open[ 
 klaus.h...@project-open.com wrote: 
  Hi all, 
  
  I am trying to install AOLSERVER 4.5.1 on Ubuntu 12.04 (LTS). 
  While nslog loads ok, nssha1 fails: 
  
  [13/May/2012:17:09:35][15372.3073791680][-main-] Notice: modload: 
  loading '/usr/local/aolserver451/bin/nssha1.so' 
  [13/May/2012:17:09:35][15372.3073791680][-main-] Warning: modload: 
 could 
  not find Ns_ModuleInit in /usr/local/aolserver451/bin/nssha1.so 
  [13/May/2012:17:09:35][15372.3073791680][-main-] Fatal: modload: failed 
  to load module '/usr/local/aolserver451/bin/nssha1.so' 
  
  Any ideas where to start digging? 
  Tx for your support! 
  
  Klaus 
  
  
  root@abc:/usr/local/src/aolserver-4.5.1/nssha1# make install 
  NSHOME=/usr/local/aolserver451 
  
  gcc  -O2 -Wall -Wno-implicit-int -fPIC  -pipe 
  -I/usr/local/aolserver451/include -I/usr/local/aolserver451/include 
  -DNO_CONST -DPACKAGE_NAME=\tcl\ -DPACKAGE_TARNAME=\tcl\ 
  -DPACKAGE_VERSION=\8.5\ -DPACKAGE_STRING=\tcl\ 8.5\ 
  -DPACKAGE_BUGREPORT=\\ -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 
  -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 
  -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 
  -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_LIMITS_H=1 
  -DHAVE_SYS_PARAM_H=1 -DUSE_THREAD_ALLOC=1 -D_REENTRANT=1 
  -D_THREAD_SAFE=1 -DHAVE_PTHREAD_ATTR_SETSTACKSIZE=1 
  -DHAVE_PTHREAD_GETATTR_NP=1 -DGETATTRNP_NOT_DECLARED=1 -DTCL_THREADS=1 
  -DTCL_CFGVAL_ENCODING=\iso8859-1\ -DMODULE_SCOPE=extern\ 
  __attribute__\(\(__visibility__\(\hidden\\)\)\) 
  -DTCL_SHLIB_EXT=\.so\ -DTCL_CFG_DEBUG=1 -DTCL_TOMMATH=1 -DMP_PREC=4 
  -D_LARGEFILE64_SOURCE=1 -DTCL_WIDE_INT_TYPE=long\ long 
  -DHAVE_STRUCT_STAT64=1 -DHAVE_OPEN64=1 -DHAVE_LSEEK64=1 
  -DHAVE_TYPE_OFF64_T=1 -DHAVE_GETCWD=1 -DHAVE_OPENDIR=1 -DHAVE_STRTOL=1 
  -DHAVE_WAITPID=1 -DHAVE_GETADDRINFO=1 -DHAVE_GETPWUID_R_5=1 
  -DHAVE_GETPWUID_R=1 -DHAVE_GETPWNAM_R_5=1 -DHAVE_GETPWNAM_R=1 
  -DHAVE_GETGRGID_R_5=1 -DHAVE_GETGRGID_R=1 -DHAVE_GETGRNAM_R_5=1 
  -DHAVE_GETGRNAM_R=1 -DHAVE_GETHOSTBYNAME_R_6=1 -DHAVE_GETHOSTBYNAME_R=1 
  -DHAVE_GETHOSTBYADDR_R_8=1 -DHAVE_GETHOSTBYADDR_R=1 -DUSE_TERMIOS=1 
  -DHAVE_SYS_TIME_H=1 -DTIME_WITH_SYS_TIME=1 -DHAVE_STRUCT_TM_TM_ZONE=1 
  -DHAVE_TM_ZONE=1 -DHAVE_GMTIME_R=1 -DHAVE_LOCALTIME_R=1 -DHAVE_MKTIME=1 
  -DHAVE_TM_GMTOFF=1 -DHAVE_TIMEZONE_VAR=1 
 -DHAVE_STRUCT_STAT_ST_BLKSIZE=1 
  -DHAVE_ST_BLKSIZE=1 -DHAVE_INTPTR_T=1 -DHAVE_UINTPTR_T=1 
  -DHAVE_SIGNED_CHAR=1 -DHAVE_LANGINFO=1 -DHAVE_SYS_IOCTL_H=1 
  -DTCL_UNLOAD_DLLS=1  -DPACKAGE_NAME=\\ -DPACKAGE_TARNAME=\\ 
  -DPACKAGE_VERSION=\\ -DPACKAGE_STRING=\\ -DPACKAGE_BUGREPORT=\\ 
  -DTCL_CFG_OPTIMIZED=1 -DTCL_CFG_DEBUG=1 -DSTDC_HEADERS=1 
  -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 
  -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 
  -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 
  -DHAVE_INTTYPES_H=1 -DHAVE_TIMEGM=1 -DHAVE_DRAND48=1 -DHAVE_RANDOM=1 
  -DHAVE_POLL=1 -DHAVE_GETADDRINFO=1 -DHAVE_GETNAMEINFO=1-c -o 
  nssha1.o nssha1.c 
  command-line:0:0: warning: PACKAGE_NAME redefined [enabled by 
 default] 
  command-line:0:0: note: this is the location of the previous 
 definition 
  command-line:0:0: warning: PACKAGE_TARNAME redefined [enabled by 
  default] 
  command-line:0:0: note: this is the location of the previous

Re: [AOLSERVER] Race conditions with Ns Set Persist?

2012-09-24 Thread Sep Ng
As far as I can tell, the ns_sets are being used exclusively by specific 
threads, so the data shouldn't really be going from one ns_set to another, 
except that it does happen, so I'm thinking there might be something 
happening with the ns_set implementation.

I'll look into the possibility of using nsvs.

On Tuesday, September 25, 2012 1:23:44 PM UTC+8, Jeff Rogers wrote:

 ns_sets are not internally interlocked.  If you are using the same 
 shared set in multiple threads, you need to protect it with a mutex. 

 Do you specifically need the indexability of ns_sets? nsvs are easier to 
 use for most cases, and if you have more than a few keys probably faster 
 too. 

 -J 

 Sep Ng wrote: 
  I have several ns_set objects in my aolserver with the persist flag on 
  to manage several things but I'm noticing that some of the ns_set 
  objects are losing keys for no apparent reason.  Also at one instance, 
  the ns_set object retrieved belongs to a totally different one.  I'm not 
  sure if there's a bug with ns_set or if there's something wrong with my 
  code, but I thought I'd throw this one out there to see if you guys have 
  experienced this issue before. 
  
  Thanks in advance. 


 --
  

 Live Security Virtual Conference 
 Exclusive live event will cover all the ways today's security and 
 threat landscape has changed and how IT managers can respond. Discussions 
 will include endpoint security, mobile security and the latest in malware 
 threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ 
 ___ 
 aolserver-talk mailing list 
 aolserv...@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/aolserver-talk 



Re: [AOLSERVER] pthreads and AOLserver

2012-06-23 Thread Sep Ng
Thanks Maurizio.  I will review the links you have posted.

I wanted to raise this question to everyone.  It seems to me that ns_thread 
wait and join have the same functionality.  If that is the case, why the 
insistence on defining the 'wait' command?



On Thursday, June 21, 2012 10:13:47 PM UTC+8, Maurizio Martignano wrote:

 Dear Sep Ng,

 Memory leaks do exist in the majority of Web Servers 
 (Aolserver included). This is a sad fact. Instead of trying to fix these 
 leaks a better and cheaper strategy could be to have a daily restart of 
 your web/application server.

  

 In case you need continuous operation, you can set up a cluster of 
 web/application servers where each one of them does a restart every now and 
 then to cope with the memory leaks, in any case the cluster never stops 
 being available.  

  

 I created several installations of this type, see for instance:


 http://www.spazioit.com/pages_en/sol_inf_en/distributed-sandbox-for-application-servers_en/

  

 Another need, which now unfortunately emerged in my area is the 
 requirement to have redundant installations, capable of resisting 
 catastrophic events. You can find something about this in here:

 http://www.spazioit.com/pages_en/sol_inf_en/disaster_recovery_solutions_en/

  

 I hope you find this information useful.

  

 Ciao,

 Maurizio

  

  

 *From:* Sep Ng
 *Sent:* 21 June 2012 03:10
 *To:* aolser...@googlegroups.com
 *Subject:* [AOLSERVER] pthreads and AOLserver

  

 I've been poking around with how AOLserver handles ns_threads and wanted 
 to raise the questions pertaining to memory leaks.
 From the pthread_create man page...

 A thread may either be *joinable* or *detached*.  If a thread is joinable,
 then another thread can call pthread_join(3)
 http://www.kernel.org/doc/man-pages/online/pages/man3/pthread_join.3.html
 to wait for the thread to terminate and fetch its exit status.  *Only when
 a terminated joinable thread has been joined are the last of its resources
 released back to the system.*


 Does this mean that if I don't use ns_thread join, the resources and tcl 
 interpreter of the thread spawned by ns_thread begin will not get released?

 If someone would kindly definitively answer this for me, that would be 
 well appreciated.

 Regards.

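The joinable/detached distinction from the pthread_create man page quoted in the message above, as an added C example at the pthreads level. It is not AOLserver or ns_thread code and does not show how ns_thread is implemented; the worker functions and the names run_joinable and run_detached are made up for the illustration.

```c
/* Added example (not AOLserver code): joinable vs. detached POSIX threads. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t done_cv = PTHREAD_COND_INITIALIZER;
static int detached_done = 0;

static void *joinable_worker(void *arg) {
    return (void *)(intptr_t)(*(int *)arg * 2); /* exit status for the joiner */
}

static void *detached_worker(void *arg) {
    pthread_mutex_lock(&lock);
    detached_done = 1; /* no one can join us, so report through shared state */
    pthread_cond_signal(&done_cv);
    pthread_mutex_unlock(&lock);
    return arg; /* discarded: a detached thread has no exit status to fetch */
}

/* Joinable: pthread_join() fetches the status and frees the last resources. */
int run_joinable(int input) {
    pthread_t tid;
    void *status = NULL;
    if (pthread_create(&tid, NULL, joinable_worker, &input) != 0) return -1;
    if (pthread_join(tid, &status) != 0) return -1; /* never joining leaks */
    return (int)(intptr_t)status;
}

/* Detached: resources are reclaimed at thread exit; no join is needed. */
int run_detached(void) {
    pthread_t tid;
    pthread_attr_t attr;
    if (pthread_attr_init(&attr) != 0) return -1;
    pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
    int rc = pthread_create(&tid, &attr, detached_worker, NULL);
    pthread_attr_destroy(&attr);
    if (rc != 0) return -1;
    pthread_mutex_lock(&lock);
    while (!detached_done) pthread_cond_wait(&done_cv, &lock);
    pthread_mutex_unlock(&lock);
    return 1;
}

int main(void) {
    printf("joinable exit status: %d\n", run_joinable(21));
    printf("detached worker finished: %d\n", run_detached());
    return 0;
}
```

Build with `cc -pthread`. A thread created with default attributes is joinable, so a long-running process that starts such threads and never joins or detaches them accumulates unreleased thread resources.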


Re: [AOLSERVER] SSL connection error

2012-06-19 Thread Sep Ng
My guess is it has something to do with your keys and certificates, maybe.  
Maybe you should post relevant sections of your config.tcl.

On Monday, June 18, 2012 8:11:18 PM UTC+8, Iuri Sampaio wrote:

 Hi there,

 After setting up nsopenssl on aolserver I got the following error.



  SSL connection error 
 Unable to make a secure connection to the server. This may be a problem 
 with the server, or it may be requiring a client authentication certificate 
 that you don't have.
  Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.



 Though, 1) config.tcl is properly set 
 2) paths and permissions are properly set
 3) and logs show the libs and certs were loaded successfully


 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: modload: loading 
 '/usr/lib/aolserver4/bin/nssha1.so'
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: modload: loading 
 '/usr/lib/aolserver4/bin/nsopenssl-3.0/nsopenssl.so'
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl: 
 generating 512-bit temporary RSA key ...
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl: 
 generating 1024-bit temporary RSA key ...
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
 (cnauto): loading SSL context 'users'
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
 (cnauto): 'users' ciphers loaded successfully
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
 (cnauto): 'users' using SSLv3 protocol
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
 (cnauto): 'users' using TLSv1 protocol
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
 (cnauto): 'users' certificate and key loaded successfully
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
 (cnauto): 'users' CA file loaded successfully
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: users 
 (nsopenssl): session cache is turned on for sslcontext 'cnauto'
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
 (cnauto): loading SSL context 'client'
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
 (cnauto): 'client' ciphers loaded successfully
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
 (cnauto): 'client' using SSLv2 protocol
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
 (cnauto): 'client' using SSLv3 protocol
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
 (cnauto): 'client' using TLSv1 protocol
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
 (cnauto): 'client' certificate and key loaded successfully
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
 (cnauto): 'client' CA file loaded successfully
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: client 
 (nsopenssl): session cache is turned on for sslcontext 'cnauto'
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
 (cnauto): default SSL context for server is users
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: default server 
 SSL context: users
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
 (cnauto): default SSL context for client is client
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: default client 
 SSL context: client
 [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
 (cnauto): loading 'users' SSL driver
 ...
 [17/Jun/2012:20:20:56][30618.3052837744][-nsopenssl:driver-] Notice: 
 starting
 [17/Jun/2012:20:20:56][30618.3052837744][-nsopenssl:driver-] Notice: 
 nsopenssl: listening on 127.0.0.1:8443
 ###


 I believe the error is related to the 'client'  certificate.  Before I got 
 the error:


 
 [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
 (cnauto): loading SSL context 'client'
 [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
 (cnauto): 'client' ciphers loaded successfully
 [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
 (cnauto): 'client' using SSLv2 protocol
 [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
 (cnauto): 'client' using SSLv3 protocol
 [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
 (cnauto): 'client' using TLSv1 protocol
 [17/Jun/2012:20:00:42][30405.3074971328][-main-] Error: nsopenssl 
 (cnauto): 'client' certificate file is not readable or does not exist
 [17/Jun/2012:20:00:42][30405.3074971328][-main-] Error: nsopenssl 
 (cnauto): SSL context 'client' left uninitialized
 [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
 (cnauto): default SSL context for server is users
 [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: default server 
 SSL context: users
 [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
 (cnauto): default SSL context for client is client
 [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: default client 
 SSL 

[AOLSERVER] Strange issue with nsopenssl

2012-05-01 Thread Sep Ng
Hi,

I've been looking at one aolserver install which seems to be crashing when 
I run with SSL certificates.  The weird thing is that if I run it as root, 
the startup goes fine, which leads me to believe it is possibly a 
permission issue.  The crash happens right when nsd attempts to generate 
512-bit keys.  Has this happened to anybody before?

Thanks!


[AOLSERVER] What does invalid database_id mean?

2012-05-01 Thread Sep Ng
Every once in a while on my aolserver logs, I find this error and I'm not 
sure what it means.  Typically, I see it when performing a database 
operation and then aolserver drops into an error like:
invalid database_id: nsdb0

Is this related to another log entry: max connections exceeded?  Is the 
database handle not valid?

Hoping someone can shed some light on the nature of this error.

Thanks!


Re: [AOLSERVER] Strange issue with nsopenssl

2012-05-01 Thread Sep Ng
I'll just go ahead and post the solution to this problem.  Apparently 
there's a library conflict between my Oracle install and OpenSSL.  I solved 
it by setting LD_PRELOAD=/usr/lib/libcrypto.so.0.9.8 before running 
aolserver.

On Tuesday, May 1, 2012 11:16:24 AM UTC+8, Sep Ng wrote:

 Hi,

 I've been looking at one aolserver install which seems to be crashing when 
 I run with SSL certificates.  The weird thing is that if I run it as root, 
 the startup goes fine, which leads me to believe it is possibly a 
 permission issue.  The crash happens right when nsd attempts to generate 
 512-bit keys.  Has this happened to anybody before?

 Thanks!
