Re: SU+J Lost files after a power failure
David Demelier wrote:

> Hello there, I'm writing because after a power failure I was unable to log in on my FreeBSD 9.2-RELEASE. The SU+J journal was executed correctly but some files disappeared, including /etc/pwd.db. Thus I was unable to log in. I've been able to regenerate the password database with a live cd but I'm afraid that more files had disappeared somewhere else... I think this is a serious issue, the journal should not truncate files, so something should have gone wrong somewhere.. Any ideas? Should I open a PR?

Not sure there is enough to go on for a PR, but something is weird. Friday morning our power went down at home for about three hours after I had already left for work. When I came home I found the router/gateway box was OK. It is still with the old DOS mbr and disklabel scheme, with softupdates, and is a pair of disks gmirrored.

The other box is my first foray into the land of GPT, along with SU+J. It was sitting at the 'couldn't mount... Press return for /bin/sh' line. There was an error indicating that replaying one or more journals had failed. I was able to successfully fsck all the other partitions (besides /), then rebooted and system came back up OK.

Both of these machines were recently updated to 9.2 Release from 9.1. It has been approximately 9 months, or so, since I last had a power outage like this one. Back then they were still 8.3 I think, did not have SU+J and recovered just fine on their own.

This error about the replay of the journal(s) failing is somewhat disconcerting. Beyond that, however, I do not have any other details or data. Nothing to flesh out a PR, but thought I'd mention what I saw in conjunction with your experience.

-Mike

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: SU+J Lost files after a power failure
Michael Powell wrote:

[snip]

> The other box is my first foray into the land of GPT, along with SU+J. It was sitting at the 'couldn't mount... Press return for /bin/sh' line. There was an error indicating that replaying one or more journals had failed. I was able to successfully fsck all the other partitions (besides /), then rebooted and system came back up OK.

Meant to include also that I booted from a CD with wddiags and ran the Quick test and it found no errors on the disk.

[snip]

-Mike
Re: Reinstall without reformat
The brutal and brute-force approach can work - better if you boot from a USB stick, of course. You can untar base.txz and kernel.txz in your /, with filesystems mounted. As Polytropon says, do a backup of what you'll want afterwards. This approach will leave a lot of cruft (old versions of shared libraries, etc.), but will certainly work.

Grab the distribution from (in this case, the example is for 9.2, i386)

    ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/i386/9.2-RELEASE
Re: SU+J Lost files after a power failure
Charles Swiger wrote:

[snip]

> Yes. Without journalling, you'd normally perform the full time-consuming fsck in the foreground. With journalling, it should be able to do a journal replay to restore the filesystem to an OK state, but sometimes that doesn't restore consistency, in which case it usually fires off a background fsck rather than the foreground fsck.

In my case the journal replay failed, with an error to that effect. All partitions other than / failed to mount and after hitting enter at the .../bin/sh prompt performed manual fsck on all of them, which found and fixed some stuff. Then shutdown -r and everything came up fine (clean) afterwards. Net result was no data loss for me.

[snip]

-Mike
Re: NATD: net.inet.ip.fw.default_to_accept=1 vs firewall_type=OPEN
On Fri, 11 Oct 2013 04:38:45 +0200, Chris Stankevitz chrisstankev...@gmail.com wrote:

> Hello,
>
> Handbook section 31.9 describes the setup of NAT.
>
> Section 31.9.3 suggests net.inet.ip.fw.default_to_accept=1 during the first attempts to setup a firewall and NAT gateway.
>
> Section 31.9.5 suggests I specify a predefined firewall ruleset that allows anything in with firewall_type=OPEN
>
> Question: What is the difference between these two configurations (or where can I go to learn the difference between the two)?
>
> Thank you,
> Chris

Hello,

ipfw always has one default rule, standard is

    65535 deny ip from any to any

If you set net.inet.ip.fw.default_to_accept=1, you get

    65535 allow ip from any to any

instead.

Specifying firewall_type=OPEN gives you an additional rule

    65000 allow ip from any to any

Now, if for example you execute ``ipfw flush'', thus deleting all rules, this deletes rule 65000, but the default rule stays in effect. With ...default_to_accept=0 ( standard setting ) you now have disabled all network connections and locked yourself out if you're working remote.

HTH,
Michael
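Added example, not part of the original thread: a pre-flush check built on the behaviour described in the reply above. It reads a rule listing in "ipfw list" format and reports what is left once only rule 65535 remains; the two listings are constructed samples and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): predict what "ipfw flush" leaves behind.
# The rule listings below are constructed samples in "ipfw list" format.

# firewall_type="OPEN" with the standard default (default_to_accept=0).
OPEN_DEFAULT_DENY='00100 allow ip from any to any via lo0
65000 allow ip from any to any
65535 deny ip from any to any'

# The same ruleset with net.inet.ip.fw.default_to_accept=1.
OPEN_DEFAULT_ALLOW='00100 allow ip from any to any via lo0
65000 allow ip from any to any
65535 allow ip from any to any'

# Action of rule 65535, the default rule that flush does not delete.
default_action() {
    printf '%s\n' "$1" | awk '
        $1 + 0 == 65535 { print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# Numbers of the unconditional allow rules that flush would delete.
catchall_allow_rules() {
    printf '%s\n' "$1" | awk '
        $1 + 0 < 65535 && NF == 7 && $2 == "allow" && $3 == "ip" &&
        $4 == "from" && $5 == "any" && $6 == "to" && $7 == "any" { print $1 }'
}

# Verdict for the state after "ipfw flush", when only rule 65535 is left.
flush_verdict() {
    case "$(default_action "$1")" in
        allow) echo "open" ;;
        deny)  echo "lockout" ;;
        *)     echo "unknown" ;;
    esac
}

# Human-readable summary for one rule listing.
report() {
    echo "catch-all allow rules lost on flush: $(catchall_allow_rules "$1" | tr '\n' ' ')"
    echo "after flush: $(flush_verdict "$1")"
}

report "$OPEN_DEFAULT_DENY"
report "$OPEN_DEFAULT_ALLOW"
```

On a live host, flush_verdict "$(ipfw list)" gives the verdict for the running ruleset before anyone types the flush over a remote session.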
Re: NAT: Handbook vs mailing list
Olivier Nicole wrote: [snip] The mailing list message linked above suggests that the handbook information is the old way and that the correct way is to set ipfw_enable and natd_enable in rc.conf. Then /etc/rc.d/ipfw will load ipfw.ko, and if natd_enable is set, will invoke /etc/rc.d/natd, which loads ipdivert.ko at the right time. From what you copied/explained, natd_enable will load ipdivert.ko and the handbook suggests that you load ipdivert.ko, so either way the module will be loaded. I'd go with the ipfw_enable and natd_enable as it may also do other needed things than just loading a kernel module. +1 on this. It is also present in the /etc/defaults/rc.conf this way as well (of course, use /etc/rc.conf for override customization). The original situation referred to early in the mailing-list content was a timing related problem where the ipdivert module would fail, even after ipfw loading _did_ succeed. Most of the 'old way' is a holdover from before the init system brought in the rc.subr startup scripts (imported from netbsd if memory serves). There have been a couple of hiccups along the way concerning the order things are started. For example, it doesn't really work to start a dhcp client prior to successful network initiate completion. Over time the rc.subr system has evolved and been cleaned up. A long time ago I eschewed running mergemaster when doing source-based upgrades. Just didn't like it and it never seemed like not doing it hurt anything. For quite some time I never experienced any problem with this approach. However, this eventually did bite me in the rump in a very bad way! :-) When running mergemaster while upgrading to a new release you may see these scripts being updated. So they are continuing to evolve, and a lot of this is to start up and configure things as the system comes up in a 'correct' and coherent order. So imho the Handbook is a wee bit outdated. 
-Mike
Re: failed to create gmirror with the handbook instructions
Andy Zammy wrote: # gpart show ada0s1 gpart: No such geom: ada0s1 By the way, this is after a restart of the machine. There's nothing to back up, I'm installing a fresh os, so I just install on one drive, plug the other in, and start following the handbook instructions for this method. So the only thing in loader.conf is geom_mirror_load=YES. [snip] Since you are beginning to reinstall from scratch, please allow/forgive a small interjection from some of my recent experience with this. Warren is more knowledgeable on this than I am, and I have followed many of his instructions in the past. With the shift towards GPT and away from the old DOS mbr/partition table stuff of the past, the current Handbook pages reflect this. The central point of contention arises from the fact that GPT, GEOM (gmirror), and many hardware RAID controllers require to claim the very last sector of a drive to store their metadata. Obviously, the effect of this collision is a whoever wrote last wrote best - so you can't use combinations of things that all want this sector. The most simple gmirroring is to slice an entire drive, with partitions contained within. The very end of the drive must NOT have any file system on it, and this is usually the case by default as most of the time slicing/partitioning leaves a little free space at the end anyway. This will not work with GPT; only with the old DOS compatible mbr and disklabel scheme. In order to use GPT and gmirror together you gmirror individual partitions (as opposed to the slice) , e.g. gmirror will write its metadata at the end of each partition leaving the very last sector at the end of the drive for GPT. This is what the content on the relevant Handbook pages reflects. More complicated, but allows for the demise of the ancient DOS/mbr partitioning. Notice that if you combine GPT and a hardware RAID controller card the same collision problem noted previously can still happen. 
If you utilize the BIOS on the controller card for anything it will save its metadata on the last drive sector. When not faced with terabyte sized humongous volumes and the huge amount of time an fsck will consume, the old DOS way with disklabel is still an option that works. The main reason for the journaling is to sidestep waiting for a very long fsck on a huge volume to run to completion before finishing a boot into a cleaned up/repaired file system. If your drive volume is small this is not so much a problem. Indeed my old gateway/firewall/IDS router box I did the old DOS/mbr scheme with gmirror (the old single-slice entire drive and mirror the drive) as the pair of drives are ancient 74GB Raptors. On my web/database test box I did go the GPT and SUJ+journaling route but am not using any mirroring here (yet). I have not experienced any problems with dump - but I also do not use the -L switch. It will show an error/warning about not dumping a live file system this way but I go ahead and do it anyway. IIRC the dump problem you may be seeing may be related to drive snapshotting. The caveat is I can sort of 'get away' with it as my boxen are largely quiescent, but would hesitate to do this on something like a public web/database box that was continually being hammered with lots of traffic. Just tossing out some ideas for your perusal and consideration. The way I used the old DOS/mbr and disklabel scheme on my router machine is very simple, quick to do, and has survived a few power outages now with no data loss (other than the time it takes to rebuild which it does automagically on boot). On the 74GB Raptors this rebuild takes about twenty minutes. Your situation and needs may force you in a different direction. Hence, the proverbial YMMV applies. FWIW. Now for to finally get around to purchasing a new UPS to replace the old one that went up in smoke and died horribly... 
-Mike
Re: Soekris for a Trac server
Hello Bill,

thank you for your answer!

Bill Tillman wrote:

> The way technology has moved on these days I would approach this from a completely different manner. Soekris makes some cool little boxes, but the last time I looked they still had I486 cpu's...today may be different, probably is. My point is that with computers so cheap these days why not just use a box, sans the drives and do a diskless boot from one of your FreeBSD servers...or better yet, setup another FreeBSD server using VM. It doesn't make sense to buy a box with VM technology so freely available.

Of course you are right that virtualisation is the cheapest way to go. But this is my actual setup and I am considering moving it to a physical support because for my uses, I value some of its features (low-noise™ or take-away™).

Best regards,
Michael
Re: Soekris for a Trac server
Hi John,

John Levine wrote:

> Dunno about Soekris, but I'm very happy with one of these mini-box systems that cost about $250 with a 60GB SSD disk: http://www.mini-box.com/MiniPC-Value-Systems

thank you for your detailed answer and useful suggestion, I will probably look for a similar product!

Regards,
Michael
Soekris for a Trac server
I am planning to move a jail-hosted service to a physical device and would like to hear the advice of experts here.

My service runs sshd, apache and trac (the ticket service) and I am considering getting one of the products by soekris. I know that some list users have some experience with these products so it would be very nice for me to hear if this kind of product is suitable for my project and if FreeBSD is doing well on these platforms.

Also I am a bit unsure about the setup I should pick: we are a handful of users for the service and I would like to know if a 64-MB Ram and a 166Mhz setup could do, or if I definitely should consider a faster CPU or more RAM.

Given my actual jail based setup, is there an easy way to guess the required RAM? In the jail `top` reports a Size of 111M for the Python process, but I guess the interpreter is taking things easy when a lot of RAM is available, doesn't it?

Last, are FreeBSD jails lightweight enough to run in such a constrained environment? It is not unlikely that the device evolves to run several other services (like a nfs) and I would appreciate to be able to confine services appropriately using jails.

Thank you for your comments!
Michael
Re: cause of reboot
Patrick Lamaiziere wrote:

[snip]

>> I looked last command, reboot ~ ~ AM 03.15 ~
>
> The last time It happened (one month ago) to me it was the hard disk (periodic scripts read a large part of the disk). If the disk is smart capable try a full test with smartctl (sysutils/smartmontools)

My gateway/firewall/mail/ids router box at home has 2 GB RAM in it, so normally it has enough extra room that nothing ever pushes over into swap with one exception: the periodic run at 0300. It is generally never more than just a few kilobytes, but I find it slightly surprising nonetheless.

If a sector (or more) on the drive that is backing the swap partition has gone bad it might not even be noticeable until something pages out to swap (like my 0300 periodic run). If the drive is a WD the 'Quick' test using the manufacturers' wddiags utility should spot it, and is non-destructive. I have occasionally seen the full test not destroy data - but I wouldn't count on it being non-destructive. However, as long as the remap area isn't full the long test will repair the drive by relocating and mapping out the bad spot.

When this silent fading away of magnetic media occurs wrt to higher-end RAID controllers the scrub function in the controller BIOS is where you would want to go.

The other problem relative to this that I've run into is the apple before the cart syndrome around backups. I have seen dump fail to allow for backing up data prior to using the full wddiags to repair a drive so you kinda get stuck. If the full test is going to wipe the drive and you can't generate a fresh current backup you're stuck only being able to restore whatever is the last good backup you have on hand.

Wouldn't surprise me at all if this were to turn out to be the drive just recently grew one or more bad spots. A bad spot or few on an old drive that gets repaired I might continue to use the drive for a while, maybe even for like a year time-frame wise. If 2 months later it starts growing more bad spots the drive goes in the rubbish bin.

-Mike
Re: cause of reboot
kpn...@pobox.com wrote:

[snip]

> While we're throwing ideas onto the table let me mention power supplies. Power supplies and hard drives are in a race to see which one will fail first. It may be that the power supply is marginal and added load from the drives being hit hard may send it over the edge. How heavily loaded is the machine in question?

Absolute and total agreement with this. As they age and the filter caps leak and dry out more it will eventually become apparent. But in the meantime the output DC can just about meet spec up until really loaded. Then the ripple becomes so excessive it's not quite DC any longer. You can clearly see it using an oscilloscope.

The 0300 AM periodic does hammer a machine enough to possibly push a marginal power supply over the edge. I once had a box where the RAM chips would sing with a high-pitched whistle only during the 0300 periodic run. It sounded just like the horizontal output on a television right before destruction. :-)

[snip]

-Mike
Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53
On Fri, Sep 27, 2013 at 4:11 PM, Frank Leonhardt fra...@fjl.co.uk wrote:

> On 27/09/2013 23:08, Terje Elde wrote:
>
>> On 28. sep. 2013, at 00:03, Frank Leonhardt fra...@fjl.co.uk wrote:
>>
>>> If I understand the way it works correctly, the resolver pulls a list of the NS and hard-sets the port number for each to 53 (via a manifest constant). See libc/resolv/res_init.c. All you need to do(!) is change this to a value of your choice and recompile libc
>>
>> Sorry, but this is starting to look a lot like a complicated solution to a problem that isn't really there...
>
> It was more of an explanation as to /why/ it's not easy to do what asked in the original reasonable-sounding question.

Beg to differ. The question isn't reasonable. There's no point in having a dns recursive resolver listening on a port other than the one that clients will contact it on. Far better to have the authoritative server listen on 127.53.0.1 and use the routable address for the cache, which can forward requests for the authoritative server when appropriate.

- M
Re: [FreeBSD-Announce] vBSDcon Registrations Only Open For 30 More Days!
Brett Glass wrote:

> All: It's good to see corporate support of BSD, but at the same time I have mixed feelings about certain corporations -- Verisign among them -- hosting BSD-related conferences or becoming involved in the development of BSD-based operating systems. Why? Because Verisign, based in Reston, Virginia (the city next door to Vienna, VA, home of the NSA), has strong ties to this shadowy agency.

No. I used to work right down the street from Network Solutions (now known as Verisign) in Herndon. Indeed, I had job offerings from them but felt I was better off to stay where I was. The NSA is headquartered at Ft Meade, near Columbia in Maryland. I worked there for 8 years? The CIA headquarters is in McLean, Virginia, which is right next door to Vienna. Reston/Herndon is a few miles down the Dulles Toll Rd to the west. I've been to all these places, so this is not some MapQuest google for me.

> The NSA, in turn -- as reported in documents recently leaked by Edward Snowden -- has a very strong interest in weakening the security of cryptographic algorithms, cryptographic software, and operating systems. We may want to look this gift horse very carefully in the mouth, or at least monitor very closely contributions of code that might introduce backdoors or weaknesses.

On some level I agree with this - to a point. Examine how the NSA maneuvered the NIST to approve and mandate the FIPS-140 protocols, where deeply concealed was a known weak prng. To some of us this is not news - we've known it for a long time. Arguments of pro vs con, good vs evil, ad infinitum ad nauseam, etc, are better served in a different venue.

It is so much easier to get away with concealing such things inside the closed-source paradigm. What I like and admire with open source is the code is out there in public for all to examine. These truly arcane crypto stuffs operate at such a high level of mathematical complexity that even very highly skilled cryptographer/mathematicians argue amongst themselves. I am just not that smart, or that highly educated. There are some in the open source community who do have very large propellers on their beanie caps. I defer to them simply because they are smarter than me. I would trust them long before I would trust closed source.

I agree about the 'looking the gift horse in the mouth' concept. Bear in mind, however, some of the guys at NIST are pretty smart too. And yet this FIPS-140/prng stuff went right by them. My suggestion is for FreeBSD (indeed open source in general) to try and engage, include, and attract to the community the kinds of elite mathematician who may have the facilities to examine the code at a higher level than can dummies like me.

Whenever The Citadel wants the public to fixate on any one particular brouhaha I know they are trying to get everyone looking in a particular direction whilst they are pulling something else. Verisign may very well have some other obfuscated agenda. Take a step backwards and try to obtain some view of the bigger picture (hint). Will not elaborate here, even though I do have some crackpot ideas.

I find it highly ironic: http://en.wikipedia.org/wiki/Snowden_%28character%29#Snowden

I got no end of amusement from this. Just my $ 0.02.

-Mike
Re: FreeBSD stuck during the boot process.
On Tue, Sep 17, 2013 at 9:47 AM, atar atar.yo...@gmail.com wrote:

Polytropon free...@edvax.de wrote:

On Tue, 17 Sep 2013 12:15:58 +0300, Atar wrote:

When I try to boot FreeBSD from a USB stick, it stuck during the boot process. But if I boot it in safe mode, it succeeds to boot.

Yes, you remember correctly, safe mode disable the ACPI support automatically.

The problem may also be that USB devices take a long time to settle. I suggest these in your /boot/loader.conf

    hint.acpi.0.disabled=1
    kern.cam.boot_delay=1
    kern.cam.scsi_delay=2000

The CAM boot delay is needed for USB booting on some of my machines, esp. Soekris boxes. 10 seconds is safe.

- M
this 48-core box...
I'm considering bidding on this 48-core box:

http://www.ebay.com/itm/Supermicro-A-Server-1042G-TF-1U-H8QG6-4-CPUS-48-cores-2-2Ghz-128GB-RAM-/151119828428?pt=COMP_EN_Servershash=item232f7195cc

Does anyone have experience with it and can I use all the cores?

Thanks!
Disappointing dependency introduced in 9.1 (from 8-STABLE)
Because I build a lot of embedded devices with serial consoles, I was in the habit of hacking /boot/loader by commenting out a line in a Makefile that enables terminal emulation

    /sys/boot/i386/libi386/Makefile:
    #CFLAGS+= -DTERM_EMU

and then in /sys/boot doing a

    make clean
    make

unfortunately, with 9.X, this breaks the compile. It seems a dependency was introduced which requires the videoconsole code. I find this extremely irritating.

Of course, there's nothing to stop me (at the moment) from compiling loader under 8-STABLE and installing it on 9.1 machines, but...

Is there a better way now to stop the cursor from scribbling illegibly across the screen?

- M
Re: Network startup with age Ethernet device
On Wed, Sep 4, 2013 at 8:49 AM, Lowell Gilbert freebsd-questions-lo...@be-well.ilk.org wrote:

Have you tried using netwait? I think that would involve putting enable_netwait in rc.conf, and netwait_enable=YES would be it.

- M
Re: ipfw gateway rerouting
    # my kernel has
    # options ROUTETABLES=16
    # NET_0 .. NET_3 are the source networks; they are not set in this post

    GATEWAY_0=10.3.255.0
    GATEWAY_1=10.3.255.1

    setfib 0 route add default $GATEWAY_0
    setfib 1 route add default $GATEWAY_1

    ipfw table 1 add $NET_0 0
    ipfw table 1 add $NET_1 0
    ipfw table 1 add $NET_2 1
    ipfw table 1 add $NET_3 0

    ipfw add 00500 setfib tablearg ip from any to any in lookup src-ip 1

rule 500 will cause traffic from NET_2 to go out a different gateway (if it's not destined for a local net - presumably other rules will handle those cases)

    # man setfib
    # man ipfw (see the section on the setfib action)

On Sun, Aug 18, 2013 at 3:15 PM, Jos Chrispijn ker...@webrz.net wrote:

> Can someone please hint me to to good explanatory site that explains how to reroute a network server to different/non standard network gateway(s) with ipfw?
>
> thanks,
> Jos Chrispijn
Re: pkgng problem
For the archives:

I left the problem alone for a few days, with no changes on my side. Came back Monday. Tried again. Everything worked on the affected machines.

==ml

--
Michael W. Lucas - mwlu...@michaelwlucas.com, Twitter @mwlauthor
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e coupon code ILUVMICHAEL gets you 30% off helps me.
pkgng problem
Hi,

I'm sure someone has had this before, but I can't find any reference to it.

    # pkg upgrade
    Updating repository catalogue
    digests.txz 100% 997KB 997.1KB/s 997.1KB/s 00:00
    packagesite.txz 100% 5530KB 1.8MB/s 3.2MB/s 00:03
    pkg: Invalid manifest format: mapping values are not allowed in this context
    Incremental update completed, 0 packages processed:
    0 packages updated, 0 removed and 22568 added.
    pkg: No digest falling back on legacy catalog format
    packagesite repository catalogue is up-to-date, no need to fetch fresh copy
    Nothing to do

This is from a machine freshly converted to pkgng. Any suggestions?

Thanks,
==ml
Re: pkgng problem
Thanks, Matt.

    # pkg -vv | sed -ne '/Repositories/,$p'
    Repositories:
      packagesite:
        url: http://pkg-test.freebsd.org/pkg-test-freebsd:9:x86:32/latest
        key:
        enabled: yes
        mirror_type: SRV

Also:

    # pkg -v
    1.1.4

==ml
Re: pkgng problem
Matt,

Another data point on this:

Machines converted to pkgng a couple weeks ago can install new packages just fine despite showing the same error. And it looks like they download the new repo information:

    # pkg install sysrc
    Updating repository catalogue
    digests.txz 100% 997KB 997.1KB/s 997.1KB/s 00:00
    packagesite.txz 100% 5530KB 1.4MB/s 1.9MB/s 00:04
    pkg: Invalid manifest format: mapping values are not allowed in this contex
    Incremental update completed, 0 packages processed:
    8292 packages updated, 1115 removed and 129 added.
    pkg: No digest falling back on legacy catalog format
    packagesite repository catalogue is up-to-date, no need to fetch fresh copy
    The following 1 packages will be installed:
    Installing sysrc: 5.2
    The installation will require 39 kB more space
    15 kB to be downloaded
    Proceed with installing packages [y/N]: y
    sysrc-5.2.txz 100% 16KB 15.8KB/s 15.8KB/s 00:00
    Checking integrity... done
    [1/1] Installing sysrc-5.2... done

Machines upgraded to pkgng this week, using the same script as I used a couple weeks ago, cannot install packages.

    # pkg install sysrc
    Updating repository catalogue
    digests.txz 100% 997KB 997.1KB/s 997.1KB/s 00:00
    packagesite.txz 100% 5530KB 2.7MB/s 1.5MB/s 00:02
    pkg: Invalid manifest format: mapping values are not allowed in this context
    Incremental update completed, 0 packages processed:
    0 packages updated, 0 removed and 22568 added.
    pkg: No digest falling back on legacy catalog format
    packagesite repository catalogue is up-to-date, no need to fetch fresh copy
    pkg: No packages matching 'sysrc' has been found in the repositories

Not sure if this supports the bad repo theory, but it's interesting.

Thanks,
==ml
Re: pkgng problem
On Fri, Aug 16, 2013 at 11:23:41AM -0700, Adrian Chadd wrote:

> Have you done a pkg update first, just in case you needed to pull in a pkgng update?

Yep, tried that.

==ml
Re: Theft in the Clouds
Amazon EC2 certainly offers Dedicated Instances, in which the hardware is dedicated to a single customer.

On Thu, Jul 25, 2013 at 1:15 PM, Jerry je...@seibercom.net wrote:

> Not really a FreeBSD issue, but I did find this article rather fascinating.
>
> http://www.technologyreview.com/news/506976/how-to-steal-data-from-your-neighbor-in-the-cloud/

This is really about side-channel attacks against crypto - not general data snooping.

- M
Re: HOWTO monitor changes in installed packages within jails?
On 20.07.2013, at 18:34, Michael Grimm trash...@odo.in-berlin.de wrote: On 20.07.2013, at 14:53, Matthew Seaman m.sea...@infracaninophile.co.uk wrote: On 20/07/2013 12:09, Michael Grimm wrote: I did migrate to pkgng some month ago, and ever since I am curious how to monitor changes in installed packages within jails. I am looking for a functionality/port that works like 490.status- pkg-changes for my host. Question: is there any functionality within the periodic system or a port that I might have missed to find? You can't just run 490.status-pkg-changes directly in your jail? Yes, I can ;-) But! I do have a lot of service jails running at my host, thus I would like to omit modifying every jail's /etc/periodic.conf adding: | daily_status_pkg_changes_enable=YES# Show package changes | pkg_info=pkg info # Use this program Try this patch: Thanks for that approach, namely adding pkg -j jailname info for every jail running. Due to my amount of jails I might need to add some looping over jls -N output instead of adding a lot of $daily_status_pkg_changes_flags. I was hoping that I could omit programming that functionality myself, but I might need to do so. I ended up in adding: --- snip --- /usr/src/etc/periodic/daily/490.status-pkg-changes 2013-04-03 17:59:35.894705550 +0200 +++ /etc/periodic/daily/490.status-pkg-changes 2013-07-23 20:19:27.833641916 +0200 
@@ -32,6 +32,24 @@ diff -U 0 $bak/pkg_info.bak2 $bak/pkg_info.bak \ | grep '^[-+][^-+]' | sort -k 1.2 fi + +# added jail(s) support +# + for jname in `jls -N | grep -v JID | awk '{print $1}'`; do + if [ -f $bak/pkg_info_${jname}.bak ]; then + mv -f $bak/pkg_info_${jname}.bak $bak/pkg_info_${jname}.bak2 + fi + jexec ${jname} ${pkg_info:-/usr/sbin/pkg_info} $bak/pkg_info_${jname}.bak + + cmp -sz $bak/pkg_info_${jname}.bak $bak/pkg_info_${jname}.bak2 + if [ $? -eq 1 ]; then + echo + echo Changes in installed packages (jail ${jname}): + diff -U 0 $bak/pkg_info_${jname}.bak2 $bak/pkg_info_${jname}.bak \ + | grep '^[-+][^-+]' | sort -k 1.2 + fi + done + fi ;; --- snip Not perfect, really, but working at my side. Michael ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
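Review bot: in the added loop, the `jexec ${jname} ${pkg_info:-/usr/sbin/pkg_info} $bak/pkg_info_${jname}.bak` line as shown has no `>` before the file name, so the package list is passed the path as an argument and the per-jail .bak file is never written; the `echo Changes in installed packages (jail ${jname}):` line likewise needs its text quoted, because unquoted parentheses are a syntax error in sh. Both may be characters lost from the posted diff, so check them against the installed script. Separately, `jls -N | grep -v JID` drops any jail whose name contains JID, not only the header row; skipping the first line in awk (`awk 'NR > 1 {print $1}'`) is safer, and quoting `"$bak/pkg_info_${jname}.bak"` keeps an unusual jail name from splitting the path.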
Re: Re[3]: vBSDcon Website Update
Fish Kungfu wrote:

> Weird, now it's up.
>
> ...Fish

DNS takes time to propagate

-Mike
HOWTO monitor changes in installed packages within jails?
Hi --

I did migrate to pkgng some months ago, and ever since I am curious how to monitor changes in installed packages within jails. I am looking for a functionality/port that works like 490.status-pkg-changes for my host.

Question: is there any functionality within the periodic system or a port that I might have missed to find?

Thanks in advance and with kind regards,
Michael
Re: HOWTO monitor changes in installed packages within jails?
On 20.07.2013, at 14:53, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:

> On 20/07/2013 12:09, Michael Grimm wrote:
>> I did migrate to pkgng some months ago, and ever since I am curious how to monitor changes in installed packages within jails. I am looking for a functionality/port that works like 490.status-pkg-changes for my host.
>>
>> Question: is there any functionality within the periodic system or a port that I might have missed to find?
>
> You can't just run 490.status-pkg-changes directly in your jail?

Yes, I can ;-)

But! I do have a lot of service jails running at my host, thus I would like to omit modifying every jail's /etc/periodic.conf adding:

| daily_status_pkg_changes_enable=YES# Show package changes
| pkg_info=pkg info # Use this program

> Try this patch:

Thanks for that approach, namely adding pkg -j jailname info for every jail running. Due to my amount of jails I might need to add some looping over jls -N output instead of adding a lot of $daily_status_pkg_changes_flags.

I was hoping that I could omit programming that functionality myself, but I might need to do so.

Thanks for your input and with kind regards,
Michael
Re: gpart: table 'da0' is corrupt; operation not permitted
On Tue, Jul 16, 2013 at 1:44 PM, aurfalien aurfal...@gmail.com wrote:

> Upon doing;
>
> gpart destroy da0
>
> I get;
>
> gpart: Device busy

crude but effective:

    DISK=da0
    offset=`diskinfo $DISK | awk '{ print $4 - 131072 }'`
    dd if=/dev/zero of=/dev/$DISK bs=64k count=1
    dd if=/dev/zero of=/dev/$DISK bs=64k seek=$offset
    gpart create -s gpt ${DISK}
Re: auth.notice on syslog server
On Mon, Jun 24, 2013 at 5:35 AM, SWENNEN Rudi rudi.swen...@onprvp.fgov.be wrote:

> Hello FreeBSD-list,
>
> I have the following two freebsd systems/servers: a server and a client. The syslog of the client is sent to the server. I was wondering why the auth.notice entry on my server is generating a syslog entry (/dev/console) when I change to root on the client:
>
> Jun 24 12:01:38 SERVER kernel: Jun 24 12:00:32 CLIENT su: rudi to root on /dev/ttyv0
>
> Is there a way to limit the auth-facility not to log via syslog if the entry is generated from a remote system?

Yes, on the host that sends the logs. E.g.,

    auth.*,authpriv.*: /var/log/auth
    console.*,cron.*,daemon.*,kern.*,mail.*,ntp.*,security.*,syslog.*,user.*,local.*: @loghost
Re: Boot Loader Issue
On Sun, Jun 23, 2013 at 4:12 PM, Polytropon free...@edvax.de wrote:

> On Sun, 23 Jun 2013 15:47:53 -0700, Doug Hardie wrote:
>> I need to alter mountroot so it tries the right partition/slice. How do I do that? I couldn't find anything in the handbook on that.
>
> You need to install the GPT boot code, e. g.
>
> # gpart add -t freebsd-boot -l gpboot -b 40 -s 512K ad0

Why the offset? Why 512k?

> # gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ad0

I think it's simpler to make an entry in /boot/loader.conf:

    vfs.root.mountfrom=ufs:/dev/ada0s1a
Re: FreeBSD slice/partiton setup question
On Tue, Jun 18, 2013 at 10:44 AM, Istvan Gabor suseuse...@lajt.hu wrote:

> ...
> How can I do this in FreeBSD? Can I have slices with only one partition occupying the whole slice? Can I do something like the following:
>
> /dev/ad0s1a /
> /dev/ad0s2e /home
> /dev/ad0s3e /usr/local
> /dev/ad0s5b swap
> /dev/ad0s6e /home/user1
> /dev/ad0s7e /home/user2
> etc.
>
> where the partitions (a, e, b) occupy the whole slice where they reside on?

Why bother with partitions if you're going to use the whole slice? Why bother with slices if you won't run out of partitions?

- M
Re: Re: FreeBSD slice/partiton setup question
You can simply newfs the device itself, without a volume label, slice, or partition. That's the normal thing to do with malloc devices, or additional disks. If the disk doesn't require a boot loader, isn't the root device, etc. that may be the best thing to do.

Your caution about EXT* is spot-on - adequate tools exist for EXT2FS, but it's still problematic.

- M
Re: Any BASIC Gurus around?
I'm no BASIC Guru, but this one line caught my eye while scrolling through your mail:

    2010 IF ABS(H1. THEN GOTO 2040

Missing parenthesis?

Regards,
Michael
Re: FreeBSD maximum password length
I know this may seem off-the-wall to some, but I pasted a hashed password for a user under 9.1 into the /etc/passwd entry for that user on an 8.3 machine, and auth continues to work properly.

That's nice.

- M
pkg-devel problem with incremental update
Installed pkg-devel 1.1.0.b3 and get the following message about incremental update whenever update is called.

    sudo pkg update
    Updating repository catalogue
    pkg: incremental update is not possible as repo format is inappropriate, trying full upgrade
    packagesite repository catalogue is up-to-date, no need to fetch fresh copy

What should I do to make incremental updates possible?

-- Michael Gass mg...@csbsju.edu
Re: Bourne shell if syntax
On Mon, Jun 10, 2013 at 12:16 PM, Tim Daneliuk tun...@tundraware.com wrote:

> That wasn't really my point. I use sentinels because in the face of an empty string this:
>
> if [ $PTR = ]
>
> Actually evaluates to:
>
> if [ = ]
>
> Which throws an error.

Right. Many scripts seem to assume that sh is bash, and that's certainly not the case here.

    if [ x$BLAH = x ]; then

is the most reliable and portable way of determining if it's a string of zero length.

- M
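The empty-string problem discussed in this thread, as an added example that is not part of the original posts: it runs four forms of the test over constructed sample values and reports, for each, whether the test answered or failed to parse. The function names and sample values are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration (not from the thread): four ways to ask "is this string
# empty?" in POSIX sh, run over constructed sample values.

# 1. Unquoted comparison. An empty expansion vanishes before test(1) sees
#    it, so `[ $v = "" ]` becomes `[ = "" ]` and the left operand is missing.
unquoted_eq() {
    [ $1 = "" ] 2>/dev/null
}

# 2. Sentinel without quotes, as printed in the thread. The "x" keeps the
#    left operand present when the value is empty, but a value containing
#    whitespace still splits into extra words.
sentinel_unquoted() {
    [ x$1 = x ] 2>/dev/null
}

# 3. Sentinel with quotes: always exactly three operands, and the first one
#    can never be mistaken for an operator such as "-n", "!" or "(".
sentinel_quoted() {
    [ "x$1" = "x" ]
}

# 4. Quoted -z: always exactly two operands, the second one taken literally.
z_quoted() {
    [ -z "$1" ]
}

# Map an exit status to a word: 0 = test true, 1 = test false,
# anything else = test(1) could not parse its arguments.
verdict() {
    case $1 in
        0) echo yes ;;
        1) echo no ;;
        *) echo error ;;
    esac
}

# Run one named form against one value and print its verdict.
check() {
    status=0
    "$1" "$2" || status=$?
    verdict "$status"
}

# Print one row per sample value, one column per form.
report() {
    for value in "" "foo" "a b" "-n"; do
        printf '%-7s' "[$value]"
        for form in unquoted_eq sentinel_unquoted sentinel_quoted z_quoted; do
            printf ' %s=%s' "$form" "$(check "$form" "$value")"
        done
        printf '\n'
    done
}

report
```

Only the two quoted forms give the right answer on every row; the unquoted sentinel handles the empty value but not the value with a space in it.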
What is the correct CPUTYPE for this machine?
I have an old laptop:

    FreeBSD 9.1-RELEASE #0 r243826: Tue Dec 4 06:55:39 UTC 2012 r...@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
    CPU: Mobile AMD Duron(tm) Processor (1096.23-MHz 686-class CPU)
    Origin = AuthenticAMD Id = 0x671 Family = 6 Model = 7 Stepping = 1
    Features=0x383f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
    AMD Features=0xc0480800<SYSCALL,MP,MMX+,3DNow!+,3DNow!>

What is the correct value for CPUTYPE in make.conf?

Thanks,
mg

-- Michael Gass mg...@csbsju.edu
Re: What is the correct CPUTYPE for this machine?
On Sat, Jun 08, 2013 at 10:10:10AM -0400, ill...@gmail.com wrote:

> On 8 June 2013 09:34, Michael Gass mg...@csbsju.edu wrote:
>> I have an old laptop:
>>
>> FreeBSD 9.1-RELEASE #0 r243826: Tue Dec 4 06:55:39 UTC 2012 r...@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>> CPU: Mobile AMD Duron(tm) Processor (1096.23-MHz 686-class CPU)
>> Origin = AuthenticAMD Id = 0x671 Family = 6 Model = 7 Stepping = 1
>> Features=0x383f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
>> AMD Features=0xc0480800<SYSCALL,MP,MMX+,3DNow!+,3DNow!>
>>
>> What is the correct value for CPUTYPE in make.conf?
>
> Duron was just a low-cost Athlon, da?

OK, checking the internet, looks like I should use CPUTYPE?=k7 as the mobile amd duron 1.1G is a k7 group, but the make.conf example only lists values like k8, k6-3, k6-2, k6, and k5. Which should I use?

mg

-- Michael Gass mg...@csbsju.edu
Error building math/sage
    =pmbuildingmain PM_BUILD_ONLY_LIST=pm_bol PM_DEL_BUILD_ONLY=pm_dbo PM_NEEDS_UPDATE= math/sage PM_PARENT_PID=65716 PM_PARENT_PORT=math/sage PM_VERBOSE=vopt PREFIX=/usr/local PWD=/usr/ports/math/sage/work/sage-5.9/spkg PYTHONPATH=/usr/ports/math/sage/work/sage-5.9/local RANLIB=/usr/local/bin/ranlib READELF=/usr/local/bin/readelf SAGE_ATLAS_LIB=/usr/local/lib SAGE_FAT_BINARY=yes SAGE_INSTALL_GCC=no SAGE_LOCAL=/usr/ports/math/sage/work/sage-5.9/local SAGE_LOGS=/usr/ports/math/sage/work/sage-5.9/logs/pkgs SAGE_PARALLEL_SPKG_BUILD= SAGE_PORT=yes SAGE_ROOT=/usr/ports/math/sage/work/sage-5.9 SAGE_SPKG_INST=/usr/ports/math/sage/work/sage-5.9/spkg/installed SAVE_SHARED=wopt SHELL=/bin/sh SHLVL=2 SIZE=/usr/local/bin/size STRINGS=/usr/local/bin/strings SUDO_COMMAND=/usr/local/sbin/portmaster math/sage SUDO_GID=1001 SUDO_UID=1001 SUDO_USER=mgass SYSTEMVERSION= TERM=xterm TMPDIR=/tmp UPGRADE_TOOL=portmaster USER=root USERNAME=root _=/usr/bin/env __MKLVL__=2 build_deps_il= build_only_dl_g= dep_of_deps=0 num_of_deps=0 pbu=/usr/ports/packages/portmaster-backup pd=/usr/ports pdb=/var/db/pkg port_dbdir=/var/db/ports use_pkgng=yes
    *** make: illegal option -- -
    usage: make [-BPSXeiknpqrstv] [-C directory] [-D variable] [-d flags] [-E variable] [-f makefile] [-I directory] [-j max_jobs] [-m directory] [-V variable] [variable=value] [target ...]
    real 0m0.001s
    user 0m0.000s
    sys 0m0.001s
    *** Error building Sage.
    The following package(s) may have failed to build:
    tail: /usr/ports/math/sage/work/sage-5.9/logs/pkgs/*.log: No such file or directory
    The build directory may contain configuration files and other potentially helpful information. WARNING: if you now run 'make' again, the build directory will, by default, be deleted. Set the environment variable SAGE_KEEP_BUILT_SPKGS to 'yes' to prevent this.
    gmake: *** [build] Error 1
    *** [do-build] Error code 1
    Stop in /usr/ports/math/sage.
    *** [build] Error code 1

Any suggestions?

-- Michael Gass mg...@csbsju.edu
Re: Error building math/sage
On Thu, Jun 06, 2013 at 09:41:46AM -0500, Michael Gass wrote:

> Trying to build math/sage-5.9_1 from ports. Everything builds except sage itself.
>
> Here is the system info.
>
> FreeBSD dc7800.home.net 9.1-STABLE FreeBSD 9.1-STABLE #0 r251294: Mon Jun 3 17:52:11 CDT 2013 root@:/usr/obj/usr/src/sys/HP20130603 amd64
>
> Here is /etc/make.conf
>
> CPUTYPE?=core2
> WITH_PKGNG=yes
> # added by use.perl 2013-06-03 21:30:08
> PERL_VERSION=5.14.2
> TEX_DEFAULT=texlive
>
> Here is output from the build (sorry for any control chars in script). Error is around 120 lines down.
>
> port_dbdir=/var/db/ports
> ..removed lines..
> use_pkgng=yes
> *** make: illegal option -- -
> usage: make [-BPSXeiknpqrstv] [-C directory] [-D variable] [-d flags] [-E variable] [-f makefile] [-I directory] [-j max_jobs] [-m directory] [-V variable] [variable=value] [target ...]
> real 0m0.001s
> user 0m0.000s
> sys 0m0.001s
> *** Error building Sage.
> The following package(s) may have failed to build:
> tail: /usr/ports/math/sage/work/sage-5.9/logs/pkgs/*.log: No such file or directory
> The build directory may contain configuration files and other potentially helpful information. WARNING: if you now run 'make' again, the build directory will, by default, be deleted. Set the environment variable SAGE_KEEP_BUILT_SPKGS to 'yes' to prevent this.
> gmake: *** [build] Error 1
> *** [do-build] Error code 1
> Stop in /usr/ports/math/sage.
> *** [build] Error code 1
>
> Any suggestions?

Got it to install. Kept getting the above problem when using portmaster. So I did a make clean in the sage directory and then make install clean. That did it.

Mike Gass
Re: Max top end computer for Freebsd to run on
Al Plant wrote:

> James wrote:
>> Several modest servers applied well will take you further than one big iron—and for less cost.
>>
>> James
>
> I agree. I have witnessed the benefit of what you say. Putting your faith in one big server can be a problem if the box fails, especially hardware failure. Keeping a spare server in a rack that can be switched in to service quickly can save you if one dies. Time (waiting for parts), most failures are hardware if you're running FreeBSD. Even most Linux boxes.

There are 2 approaches, and applying both together is what I favor. Scale up (vertical) is a horsepower per box kind of thing. Scale out (horizontal) adds more of the same kind of box(es) in parallel. The resulting redundancy will keep you up and online.

Sizing matters somewhat. Having excess horsepower that sits unused is extra money spent on one box that could have been applied to scale out redundancy. If you can size one machine to match your current and projected workload, then if there are two, or more, of these and one fails the remaining can shoulder the load while you get the broken one back up.

Where the balance point is struck will depend on workload. Let's say (hypothetical) one box as a web/database server can handle 1,000 connections/users per second within desired latency and response time. If a spike in demand suddenly comes that box will slow to a crawl (or even fall over) as it tries to keep up, as it is lacking the extra horsepower overhead that would otherwise be sitting idle if it did. Scaling out (horizontally) by adding more boxes will distribute this spike across multiple machines and remain within the desired processing response/latency time so together they can handle 2,000 when the need is present. Need another 1,000? Add another box, and so on.

So the trick is to understand your workload. Don't go overboard on just one huge high-power machine which sits mostly idle and takes you offline if it fails. Spend the money on more moderately sized boxen.

Me, I like to have at least 3 of everything (if I can) such that they are sized so that 2 of them together can easily handle the desired load. The third one is for redundancy and the 'what-if' spike in demand. Another advantage here is you can take one offline for updates, then put it back online and test it out for problems. If there is no problem then you can take one of the other two down and update it. This way you can do updates without your service being offline.

But the trick is still to understand your specific workload first, then spread the money around accordingly.

-Mike
Re: Disable build new pkg format in poudriere
C. L. Martinez wrote:

> HI all,
>
> I need to build some packages without using new pkg format. I would like to accomplish this using poudriere, but is this possible?? Or do I need to use another package builder??
>
> I have tried to build rsync, but when I try to install, this error is returned:
>
> tar: +CONTENTS: Not found in archive
> tar: Error exit delayed from previous errors.
> pkg_add: tar extract of /poudriere/data/packages/fbsd91_amd64_legacy-default/All/rsync-3.0.9_3.txz failed!
> pkg_add: unable to extract table of contents file from '/poudriere/data/packages/fbsd91_amd64_legacy-default/All/rsync-3.0.9_3.txz' - not a package?
>
> In make config file:
>
> WITH_PKGNG=no
> WITHOUT_X11=yes

Try WITHOUT_PKGNG=yes and see if it helps.

-Mike
Should I move to amd64 ?
I am currently using a 9.1-RELEASE with an i386 install. The hardware is a core 2 duo with 2 GB of RAM. My video card is an ati radeon hd 2400 xt. Things work fine.

Would I gain anything by starting over and doing an AMD64 install or would that be a bad idea? Would my system perform better, worse, or the same after the change? I may eventually bring the memory up to 4GB, but not anytime soon.

I understand some ports may not work - like WINE - but I do not use WINE. Would there be other problems?

-- Michael Gass mg...@csbsju.edu
Re: swap partition leads to instability?
On Sun, May 26, 2013 at 6:17 PM, Adam Vande More amvandem...@gmail.com wrote:

> Normal dynamic wear leveling on a modern SSD will be better than imposing an FS-backed swap for 4GB partition occupying a small fraction of total drive space.

Quite so.

- M
Re: BSD sleep
On Tue, May 28, 2013 at 4:45 PM, Joshua Isom jri...@gmail.com wrote:

> You think it's trivial until you read this:
>
> http://infiniteundo.com/post/25326999628/falsehoods-programmers-believe-about-time

Some days have 86400 seconds, some have 86401. There is a provision for two leap seconds to be applied at once, but that hasn't ever happened. Still, a truly correct clock, set to UTC, might someday read

    23:59:59
    23:59:60
    23:59:61
    00:00:00

How many seconds did that hour have?
Re: swap partition leads to instability?
The Intel SLC mSATA drives I use in embedded devices don't support TRIM, but - it doesn't seem to matter. Actually, I'm confident that just using bare partitions for swap is fine, and I haven't had any of the trouble I witnessed with MLC devices. The difference is that the size is limited to under 32GB.

- M

On Sun, May 26, 2013 at 4:32 PM, Warren Block wbl...@wonkity.com wrote:

> On Sun, 26 May 2013, Polytropon wrote:
>> On Sun, 26 May 2013 16:09:06 +0700, Erich Dollansky wrote:
>>> Hi,
>>>
>>> On Sun, 26 May 2013 01:58:32 -0700 (PDT) M. V. bored_to_deat...@yahoo.com wrote:
>>>> I have a 24/7 network server/gateway with FreeBSD-8.2 on a SSD drive. it's partitioned as normal (/ , /tmp, /var , /usr and swap) for a long time now. But recently I heard from a FreeBSD expert that I shouldn't have swap partition for my server, and having swap partition could make my server unstable. this was so strange for me, and I searched a lot but couldn't find a reason for this claim.
>>>
>>> because it is a false claim. I never ever have had any system with working hard, that gave a problem because of the swap space.
>>
>> I think the problem here is that he's using a SSD. As soon as the swap partition is being in heavy use, which means it receives many writes, this may lead to the SSD wearing out, decreasing its lifetime.
>
> Another problem with SSDs is that they can have difficulty with wear leveling. This is even worse with swap because there is no way to use TRIM to tell the SSD about blocks that have been freed. The workaround is a swapfile on UFS with TRIM enabled. It works fine, and even better when you update the rc scripts for shutdown.
>
> Here's an article on setup: http://www.wonkity.com/~wblock/docs/html/ssd.html
>
> And here is the PR with a patch: http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/168544
Re: Case sensitive usernames and sendmail - mystic voodoo
On Sun, May 26, 2013 at 6:17 PM, Polytropon free...@edvax.de wrote:

> On Sun, 26 May 2013 18:44:41 -0600, Modulok wrote:
>> I know usernames are case-sensitive, I thought emails were too.
>
> If I remember e-mail basics correctly: No. They're not. For example, f...@example.com, f...@example.com and f...@example.com and all upper/lowercase variations are the same as f...@example.com.

You remember incorrectly ;-)

The local part of an address (before the @ sign) is case-sensitive (with the exception of postmas...@example.com)

Everything to the right of the @ is indeed case insensitive, but everything to the left might be case sensitive, depending on local policy. This means you must preserve the case of everything to the left of the @ sign.
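The comparison rule stated in this reply, as an added example that is not part of the original posts: a canonical form that lower-cases only the domain, leaves the local part untouched, and folds the postmaster mailbox. The function names and the sample addresses are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration (not from the thread): compare mail addresses without
# folding the case of the local part. Sample addresses are constructed.

# Lower-case ASCII letters only; the C locale keeps tr from touching
# anything outside A-Z.
lower() {
    printf '%s' "$1" | LC_ALL=C tr '[:upper:]' '[:lower:]'
}

# Print the canonical form of an address: local part as given, domain in
# lower case. Returns 1 when there is no "@" or either side is empty.
canon_addr() {
    addr=$1
    case $addr in
        *@*) ;;
        *) return 1 ;;
    esac
    # Split at the LAST "@": a quoted local part may itself contain one.
    local_part=${addr%@*}
    domain=${addr##*@}
    [ -n "$local_part" ] && [ -n "$domain" ] || return 1
    # The one mailbox name that is matched regardless of case.
    if [ "$(lower "$local_part")" = "postmaster" ]; then
        local_part=postmaster
    fi
    printf '%s@%s\n' "$local_part" "$(lower "$domain")"
}

# Exit status 0 when both addresses name the same mailbox under the rule
# above, 1 when they differ, 2 when either one is malformed.
same_mailbox() {
    a=$(canon_addr "$1") || return 2
    b=$(canon_addr "$2") || return 2
    [ "$a" = "$b" ]
}

# Walk a few constructed pairs and show the decision for each.
demo() {
    while read -r left right; do
        if same_mailbox "$left" "$right"; then
            printf 'same       %s  %s\n' "$left" "$right"
        else
            printf 'different  %s  %s\n' "$left" "$right"
        fi
    done <<'EOF'
fred@example.com fred@EXAMPLE.COM
Fred@example.com fred@example.com
POSTMASTER@Example.com postmaster@example.com
EOF
}

demo
```

A site whose local policy treats local parts as case-insensitive can fold them after delivery is decided; a tool that only relays or stores addresses cannot know that policy and has to keep the case it was given.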
Re: setup journaling for root partition
On Wed, May 22, 2013 at 10:53 PM, s m sam.gh1...@gmail.com wrote:

> thanks Michael for your quick reply:)
>
> yes, i can boot from usb freebsd flash and use fixit mode. i have root, var, tmp, usr and swap on my system. i create an extra swap partition to use it as journal provider for root partition. in fixit mode, first i run two below command in order to be able to load gjournal:
>
> ln -s /dist/lib /lib
> ls -s /dist/boot/kernel /boot/modules
>
> then gjournal load and after that:
>
> gjournal label -f ad3s1a ad3s1g
>
> (ad3s1a is root partition and ad3s1g is swap partition for journal provider) but this error is shown:
>
> gjournal cannot clear metadata on ad3s1a: operation not permitted
>
> what is wrong here??? i really don't know how to fix it:

Try using -v to get more verbose output. I am at a loss here, too. Perhaps you can try

    gjournal load
    dd if=/dev/zero of=/dev/ad3s1g bs=1m
    gjournal clear -v ad3s1a
    gjournal label -vf ad3s1a ad3s1g

and see what it says, if anything.
Re: file corruption solution (soft-update or ZFS)
On Thu, May 23, 2013 at 5:33 AM, Warren Block wbl...@wonkity.com wrote:

> ..
> One thing mentioned earlier is that ZFS wants lots of memory. 4G-8G minimum, some might say as much as the server will hold.

Not necessarily so - deduplication places great demands on memory, but that can be satisfied with dedicated cache devices (on SSD for performance and safety reasons). Without dedup, the requirements are more modest.

Softupdates guarantee metadata consistency, but do nothing to address data integrity.

ZFS has copy-on-write semantics (which solve a problem that even hardware RAID can't), and end-to-end checksums to detect/prevent data corruption (large drives will have uncorrectable bit errors over their lifetime).

- M
Re: MySQL hangs server completely
On Wed, 22 May 2013 15:52:45 +0200, Alejandro Imass aim...@yabarana.com wrote:

> Hi,
>
> We've been having this problem with a customer for a while and it seems that some funky query makes MySQL use 100% of CPU. Nevertheless, even though you can see in top that it's only 1 CPU in 100% (out of 8) the server eventually becomes useless and stops responding completely.
>
> So my question is, how does a user process hang the whole server? What system resources could MySQL be draining to make the server stop responding completely?

In layman's terms - can't do better - MySQL racing itself to obtain a ( table | memory | file ) lock?

I know I can death-stall the MySQL server at a customer's site if I give it a big enough query ( like, DROPping a table, recreating it and pushing backup data inside ) while cron's hourly backup-dump is running on the database.

Just the MySQL server, the machine itself hasn't stalled yet - but I'm sitting at the console while doing this, so I don't know what would eventually happen if I'd let it sit for a while.

Regards,
Michael
Re: setup journaling for root partition
On Wed, May 22, 2013 at 10:27 PM, s m sam.gh1...@gmail.com wrote:

> thanks Michael,
>
> but in all documentation about journaling, tunefs is used as below:
>
> tunefs -J enable ad3s1X.journal.
>
> ad3s1X.journal is created by gjournal command:
>
> gjournal label ad3s1a ad3s1g
>
> that assign ad3s1g as journal provider for ad3s1a and create ad3s1a.journal which contains ad3s1a as data provider and ad3s1g as journal provider. my problem is, i can not run gjournal command for root partition in fixit mode nor single user mode. you mean, i should just use tunefs command on ad3s1X (root partition)? if yes, then where journal provider for root partition is located? in root partition?

Ah, sorry - lack of careful reading on my part.

Can you boot from installation media and use the fixit mode? This still won't work if the last sector of the partition is in use by the filesystem. You'll need a spare partition of some size to be the journal provider, as in the example.

The very best approach is to create a gjournal and then newfs. How is your disk organized? One big root partition with everything on it?

- M
Re: setup journaling for root partition
On Mon, May 20, 2013 at 10:59 PM, s m sam.gh1...@gmail.com wrote:

> hello everybody
>
> i want to setup a journal partition for my root partition. but i do not know how to do that. in FreeBSD handbook, it is done in single user mode, unmount the desired partition and assign the journal partition to it. i test this procedure and it is done for /usr partition but for root partition, it can not be unmount in single user mode.

See the man page on gjournal

    To configure journaling on the UFS file system using gjournal, one should first create a gjournal provider using the gjournal utility, then run newfs(8) or tunefs(8) on it with the -J flag which instructs UFS to cooperate with the gjournal provider below.
Re: setup journaling for root partition
AFAIK Softupdates journaling still breaks snapshot functionality - which makes it unusable for me. I wouldn't assume that the O.P. doesn't want what he's asking for.

- M

On Tue, May 21, 2013 at 7:42 AM, Arthur Chance free...@qeng-ho.org wrote:

> On 05/21/13 12:43, saeedeh motlagh wrote:
>
> > thanks Julien, but i think it's not true. man page for newfs says that journaling is done via gjournal and in freebsd handbook it says do journaling with gjournal for UFS file system. you mean i should create a partition and just enable journaling for it with -J flag? i think my problem is, my gjournal can not act correctly in fixit mode because i can load it in single user mode and every thing is ok but in fixit mode, i can not load it and all commands return errors. please help me to make a journal for my root:(((
>
> Look more carefully at the newfs man page. Option -J (upper case) is gjournal type journalling, option -j (lower case) is native UFS soft update journalling. It's the latter one you want. This is on RELEASE-9.1 though. What version are you on?
>
> --
> In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a new race of servants. Called Uruk-Oh-Hai in the Black Speech, they were cruel and delighted in torturing spelling and grammar. _Lord of the Rings 2.0, the Web Edition_
Re: setup journaling for root partition
On Tue, May 21, 2013 at 8:20 AM, Warren Block wbl...@wonkity.com wrote:

> On Tue, 21 May 2013, Arthur Chance wrote:
>
> > On 05/21/13 15:46, Michael Sierchio wrote:
> >
> > > AFAIK Softupdates journaling still breaks snapshot functionality - which makes it unusable for me. I wouldn't assume that the O.P. doesn't want what he's asking for.
> >
> > Good point, I'd forgotten that problem as I don't use UFS snapshots. I can imagine it would be a killer for some people.
>
> It is, especially if you use dump/restore.

Or tarsnap (which is what we use for backups here), or... there are many use cases for snapshots.

- M
Re: setup journaling for root partition
On Tue, May 21, 2013 at 10:14 PM, s m sam.gh1...@gmail.com wrote:

> thanks guys for your attentions. i want to setup journaling in FreeBSD 8.2. i compare soft-update and journaling and choose journaling (it is more suitable for my goals). i want to enable journaling for all my partitions. i can do it for all partitions except root in single user mode. i can not do it for root because i can not unmount root in single user mode.

No, but you don't need to. In single user mode, root is mounted read-only. You can run tunefs on the root fs device.

- M
Re: problems with port upgrade consistency using portsnap
fddi wrote:

[snip]

> so there is something wrong in my crontab
>
>     0 3 * * * /usr/sbin/portsnap -I cron update pkg_version -vIL=

See man portsnap, section TIPS - it shows example of correct way:

    0 3 * * * root /usr/sbin/portsnap cron

The TIPS section contains more details.

[snip]

-Mike
Re: How to get kernel source code of free-BSD release 9.1
Chou, David J wrote:

> Hi,
>
> I have created a virtual machine of PC-BSD release 9.1 64 bit in VMware Player Version 5.0.0 build-812388 based on PCBSD9.1-x64-DVD.iso downloaded from ftp://mirrors.isc.org/pub/pcbsd/9.1/amd64/PCBSD9.1-x64-DVD.iso , and setup network configuration and installed Firefox 20.0 by AppCafe, and configured the network setting in Preference-Advanced of Firefox, and I could access Internet. Now I need to build my own customized kernel, but there is no src subdirectory in /usr, so here is my question:
>
> 1. Is there any way to install kernel source when I create the virtual machine from PCBSD9.1-x64-DVD.iso ?

Not sure about PCBSD as I haven't used it, but with regular FreeBSD I believe you can by selecting the appropriate package distribution group. Been a while since I've done an install, but even so the source will be the static RELEASE bits and not contain any security updates.

> 2. Any BKM to get the kernel source after the Virtual Machine already created as my case now?

Yes - install the devel/subversion port. Go ahead and create the src directory under /usr. Then do:

    svn checkout svn://svn.freebsd.org/base/releng/9.1 /usr/src

Once having checked out you can then issue a svn update /usr/src command to pull in security updates as they become available over time. There are also two US mirrors available such as:

    svn checkout svn://svn0.us-east.freebsd.org/base/releng/9.1 /usr/src
    svn checkout svn://svn0.us-west.freebsd.org/base/releng/9.1 /usr/src

I have used the us-east one. There is also a project underway to add in to base an 'svnup', similar in scope to how csup replaced cvsup to make it easier in the future. I believe freebsd-update is also a possibility but I have no experience with it. At any rate, more details can be found in the Handbook.

-Mike
Re: List Spam Filtering
On Thu, 09 May 2013 02:26:26 +0200, Julian H. Stacey j...@berklix.com wrote:

> Hi questions@ ( spammer not cc'd )
>
> Reference:
> From: Aaron Seligman aselig...@altitudedigitalpartners.com
> Reply-to: aselig...@altitudedigitalpartners.com
> Date: Wed, 08 May 2013 18:59:07 + (UTC)
> Subject: Re: Display Video Campaigns-Inventory Needed
> Message-id: 1368039547.0568389241738...@mf7.sendgrid.net
>
> > Happy hump-day, We have an opportunity with an RTB partner to monetize INT Geo's; UK, CAN, AUS Video: (Pre-roll, mid-roll and post-roll)
>
> If list write access was changed to Subscribers Only:
> - List could silently discard such spam.
> - Postmaster@ ( webmaster@ weeding web archives) would have less work.
> - Less individual need to select spam phrases to copy to personal filters ( less time searching WTF dialect American above meant in English ;-).
>
> Newbies would be told subscribe before posting in all of:
> /etc/motd
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> Automatic list bounce response.
>
> Only clueless, lazy, spammers might be lost. A net gain.
>
> Cheers, Julian

I'm curious how much spam you get through this list. Just counted, and I have about 2 Spams per week for the last month, that's more than usual.

Regards, Michael
ls(1), rm(1) - No such file or directory even though they are there.
Hi List,

There is a rather curious problem that I have, which I haven't encountered before. I make regular backups of my packages and put them onto an external usb drive, which is mounted read/write via sysutils/fusefs-ntfs. Now these backups don't exist no more and at the same time they are there. That is to say, upon issuing ls and/or rm on the command line I get rather strange results. Here are some of my outputs:

    mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages % ls
    [a long list that has been cut out]
    zip-3.0.tbz
    mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages % ls zip-3.0.tbz
    ls: zip-3.0.tbz: No such file or directory

Some files that (don't) exist have i-nodes and some haven't:

    mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages % ls -i zip-3.0.tbz
    ls: zip-3.0.tbz: No such file or directory
    mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages % ls -i linux-f10-tiff-3.8.2.tbz
    2469 linux-f10-tiff-3.8.2.tbz

Running rm on the folder I get No such file or directory for every single entry:

    mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages % rm *
    [a long list that has been cut out]
    rm: linux-f10-tiff-3.8.2.tbz: No such file or directory

Yet again some of the files can be tested via gzip and some can't:

    mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages % gzip -t linux-f10-tiff-3.8.2.tbz
    mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages % echo $?
    0
    mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages % gzip -t zip-3.0.tbz
    gzip: can't stat: zip-3.0.tbz: No such file or directory
    mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages %

Looks like this part of the file system is corrupt. I also booted the drive up under Windows and got the same result. The files are there, but can't be read, overwritten or deleted. What does the list say about the above mentioned?

Michael
Re: enter single user mode from boot menu
On Sun, Apr 28, 2013 at 4:04 PM, Polytropon free...@edvax.de wrote:

> After the BTX loader has started, keep hammering the space bar. :-)
>
> At some point, you'll see the Ok _ prompt. This is where you enter the command boot -s to go into single-user mode. The kernel will load as you would expect, but no further action (rc.d startup) will be taken. Instead you have to confirm the shell (/bin/sh by default) by pressing enter at the When prompted Enter full pathname of shell or RETURN for /bin/sh: prompt; and then you're left at the # _ prompt, which means you're in single user mode. Type exit to start into multi-user mode as usual.

In single user mode, the root filesystem will be the only one mounted, and it will be mounted read-only. If you need to make changes (Correcting a fat-fingered edit to /etc/fstab, for example), you'll need to mount root rw.

    mount -u -o rw /

is the minimal command to do that. You might also find it easier to mount /tmp and /var if they're separate filesystems... YMMV, etc.

- M
Re: Home WiFi Router with pfSense or m0n0wall?
Alejandro Imass wrote:

[snip]

> > Most consider the answer to use WPA2, which I do use too. Many think it is 'virtually' unbreakable, but this really is not true; it just takes longer. I've done WPA2 keys in as little as 2-3 hours before.
>
> Are you saying that any WPA2 key can be cracked or are you simply referring to weak keys? I would also like to know specifically if it's for weak keys or are all WPA2 personal keys crackable by brute force. Also is WPA2 Enterprise as weak also.
>
> Could anyone expand on how weak is WPA2 and WPA2 Enterprise or is this related to weak PSKs only??

I'm just a lowly sysadmin and not any kind of crypto expert. The problem is time and horsepower. While a ridiculously easy key of say 4 characters that is not salted may be doable on a PC, once you start to get to 8-9 characters or more the time it takes begins to get huge fast. It's a matter of can you tie up the resource long enough to wait it out. Throw salting into the mix and it gets longer again.

What I do at home is concatenate 2 ham radio call signs of friends that I can remember. Then I sha256 that and select from the end backwards 15 characters. This won't actually defeat the inherent weakness of using a pre-shared key, but it will take longer for a simple brute force. You should also throw in additional characters from your character set beyond just alpha/numerics.

Also, my little tinkertoy i5-3570K overclocked up to 4.5GHz is just that - a toy. I can use it to generate a trace file, which I then take to work and replay it using a z196 when they occasionally allow me to play for a bit. I also have rainbow tables and dictionary word-lists pregenerated for cheating.

Another thing people are playing with is stuffing 4 high end video cards in a box and using them for computation. This enhances the PC platform beyond just using the CPU. There are also people doing this in the cloud. And they will rent you compute time for a fee. :-)

The pre-shared key is the weakest as compared to Enterprise.

Enterprise WPA is stronger because it is a user account based system which authenticates using 802.1x via a Radius server. You can even assign certificates to user accounts and if they don't have the cert on the client they are trying to connect with, it won't. Throw Kerberos re-ticketing into the mix adds another layer to the onion. I seem to think recalling something about Kerberos re-ticketing something like every 900 seconds, or something like that. Switches and other network equipment that supports 802.1x can also filter out traffic that is not authorized.

Bottom line is Enterprise is better than a simple pre-shared key. But it involves radius, dns/dhcp, windows domain controllers, active directory, a PKI infrastructure and access points that are designed for use in this environment (and they cost more). So while it may be more secure than a simple pre-shared key, it is simply not practical for the home user as they won't have all the 'other' resources required to utilize it.

-Mike
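Added example, not part of the original post: a Python sketch of the two points above that a home admin can check for their own network, namely that WPA2-Personal salts the passphrase with the SSID (PBKDF2-HMAC-SHA1, 4096 rounds) and that the search space grows with length and character set. The SSIDs, passphrase, policy list and guess rate are constructed assumptions, not measurements.

```python
import hashlib
import math

PBKDF2_ROUNDS = 4096   # iteration count fixed by the WPA2-Personal key mapping
PMK_BYTES = 32         # the pairwise master key (PMK) is 256 bits
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                               PBKDF2_ROUNDS, PMK_BYTES)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for a uniformly random string."""
    return length * math.log2(alphabet_size)


def effective_bits(source_bits: float, alphabet_size: int, length: int) -> float:
    """A passphrase derived from a memorable secret (for example the hex of a
    hash) is no stronger than that secret once the derivation is known."""
    return min(source_bits, keyspace_bits(alphabet_size, length))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at a given rate (the average is half)."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(policies, guesses_per_second):
    """Return (label, bits, years) for each (label, alphabet, length) policy."""
    rows = []
    for label, alphabet, length in policies:
        bits = keyspace_bits(alphabet, length)
        rows.append((label, round(bits, 1),
                     years_to_exhaust(bits, guesses_per_second)))
    return rows


# Constructed sample policies: (label, alphabet size, length).
POLICIES = [
    ("8 lowercase letters", 26, 8),
    ("15 hex characters", 16, 15),
    ("15 printable ASCII", 95, 15),
    ("20 printable ASCII", 95, 20),
]
ASSUMED_RATE = 1_000_000  # guesses per second; an assumption, not a benchmark

if __name__ == "__main__":
    phrase = "constructed-example-passphrase"
    # Same passphrase, different SSID: the keys differ, so a table that was
    # precomputed for one network name does not apply to another.
    print(wpa2_pmk(phrase, "HomeNet-A").hex())
    print(wpa2_pmk(phrase, "HomeNet-B").hex())
    for label, bits, years in compare(POLICIES, ASSUMED_RATE):
        print(f"{label:22s} {bits:6.1f} bits  {years:.3g} years")
```
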
Re: Home WiFi Router with pfSense or m0n0wall?
Arthur Chance wrote:

[snip]

> > What I was pondering is some form of L2TP tunnel, or some other form of IPSEC tunnel to form some kind of VPN like communication between the client and the wifi. Just never have begun to find the time to get anywhere with the idea. But basically it would resemble a VPN that only accepts connection from a tunnel endpoint client and not pass any traffic from any other client lacking this VPN-like endpoint. I think such a thing is very possible and have read some articles by people who have done very similar sounding things. Indeed, this is what SSL-VPN providers do via a subscription service so people surfing at open wifi coffee shops tunnel through the local open wifi and setup an encrypted VPN tunnel.
>
> A quick note: pfSense (I don't know about m0n0wall) has OpenVPN built in to it. Depending on whether all devices which are going to connect wirelessly can run the client end of OpenVPN, this might be a quick way to get greater security on the WiFi side.

This is along the lines of what I was thinking. I am my own CA and can generate certs that no one else has the private keys to. The problem with buying certs from a provider is the gov't has access to the private keys on demand. This was mandated back during the Clinton administration for the US.

I do things like turn password auth off on my SSH and only auth via certs. Extending this to other 'connectivities' is a way to make it harder for those with no approved cert to get in. The pairing of firewall and OpenVPN together sounds interesting. Will definitely check it out. Thanks for the pointer!

-Mike
Re: Home WiFi Router with pfSense or m0n0wall?
Michael Powell wrote:

[snip]

> > Are you saying that any WPA2 key can be cracked or are you simply referring to weak keys? I would also like to know specifically if it's for weak keys or are all WPA2 personal keys crackable by brute force. Also is WPA2 Enterprise as weak also.
> >
> > Could anyone expand on how weak is WPA2 and WPA2 Enterprise or is this related to weak PSKs only??

Oh, and BTW was going to include this in the last and forgot: http://www.aircrack-ng.org/doku.php?id=cracking_wpa

-Mike
Re: Home WiFi Router with pfSense or m0n0wall?
Alejandro Imass wrote:

> On Sun, Apr 21, 2013 at 9:52 AM, Michael Powell nightre...@hotmail.com wrote:
>
> > Alejandro Imass wrote:
> >
> > > Hi, I'm looking to replace the piece of crap 2wire WiFi router that gets cracked every other day for something with pfSense or m0n0wall
> >
> > Not sure what you mean by 'cracked' here. If you are meaning that someone is using aircrack-ng to break your Wifi authentication key a firewall won't do much to stop this.
>
> I use mac address authentication plus wpa2 psk and yet they are still able to connect so it seems that 2Wire's routers are an insecure piece of crap and they are full of holes and back-doors. Just google 2wire vulnerabilities or take a look at this video http://www.youtube.com/watch?v=yTtQGPdSIfM

With Kismet able to place a wifi unit into monitor mode you can quickly get a list of everything in the vicinity, including all the MAC addresses of devices connecting the various access points. You can then clone your unit's MAC address to match one in the list. Even though I do use it, MAC access lists are very easy to get around and will only stop those who do not know how to do this.

Even in passive mode, without using active attack to speed things up I can crack a WEP key in 45 minutes easily. Doing this passively doesn't expose you. The time it takes depends on how busy the access point is. An active attack can break WEP in 2-3 minutes, or less. I've seen it done between a minute and a minute and a half.

Most consider the answer to use WPA2, which I do use too. Many think it is 'virtually' unbreakable, but this really is not true; it just takes longer. I've done WPA2 keys in as little as 2-3 hours before.

> Look at how many ISPs world-wide use 2wire. Makes you wonder if ISPs use these crappy routers on purpose to get some more revenue from cap overruns.

Really these WEP/WPA2 protocols are not providing the level of protection that is truly necessary in this modern day. You can keep out script kiddies and people who don't have skill, but people who know what they are doing are only slowed down.

The ISPs are seemingly more interested and concerned with protecting Big Media Content's DRM schemes. They have a monetary stake as they move in the direction of deals with 'Big Media', less so the incentive to do more for their retail Internet-access customer. And don't even get me started on the advertising industry run-amok. :-)

-Mike
Re: Home WiFi Router with pfSense or m0n0wall?
Alejandro Imass wrote:

[...]

> > Really these WEP/WPA2 protocols are not providing the level of protection that is truly necessary in this modern day. You can keep out script kiddies and people who don't have skill, but people who know what they are doing are only slowed down.
>
> Thanks for the detailed explanation! So, are there ways to run a secure WiFi network? It would seem that in my case I have neighbours that know what they're doing so should I just forget about WiFi go back to UTP?

We use 802.1x auth on our switch (and other hardwares) ports at work and this utilizes a Radius server. At work we are mostly a $MS WinderZ shop, but with Enterprise grade access points (we have Aruba's), EAP, and Radius we can extend our network Kerberos out through the wifi realm. Without going into details ( way too much/many for the scope here) I basically have an almost completely locked network which just won't allow a device on it that it doesn't recognize. It is a pain, and not perfect either by any stretch. I have more problems with printers as a result than anything else. I do have to keep an open Internet access for visitors to use, but it is separated from our main network with no path between the two. :-)

This does provide better security when compared to what consumers are running at home. It is much more complex and requires expensive equipment. And even still, a really high-grade Uber hacker might still find a way in. We hire pen-tester companies about once a year, and while they haven't found any glaring holes there are some grey areas that we wonder if a really motivated Uber hacker spent enough time on...

I have entertained on and off the idea of getting a wifi card for my FreeBSD gateway/firewall box at home to see if I could come up with something more resembling something like we have at work. It probably wouldn't be as involved, but I do think (FreeBSD as a very _capable_ and flexible OS) something could be designed that would inherently be somewhat more secure than what I see in the basic ISP home router. I have Verizon's FIOS here with an Actiontec MI424WR-Rev 3 router and I think I could do better. The alternate provider here is Comcast which mostly seems to be using Motorola Surfboard routers, but the bottom line is I don't have any problem cracking any of them.

This email is already getting a trifle long, so suffice to say if you really need the best security on a home ISP router the best you can do is turn off the radio and use Ethernet and UTP. This returns to the original focus of your question in that the firewall would be the point of contention and not the cracking of WEP/WPA2 auth keys. What I was wanting to point out to you originally is that changing the firewall is a separate issue from the cracking of Wifi auth keys.

-Mike
Re: Home WiFi Router with pfSense or m0n0wall?
Alejandro Imass wrote:

> On Mon, Apr 22, 2013 at 3:45 PM, Michael Powell nightre...@hotmail.com wrote:
>
> > Alejandro Imass wrote:
> >
> > [...]
> >
> > > > Really these WEP/WPA2 protocols are not providing the level of protection that is truly necessary in this modern day. You can keep out script kiddies and people who don't have skill, but people who know what they are doing are only slowed down.
> > >
> > > Thanks for the detailed explanation! So, are there ways to run a secure WiFi network? It would seem that in my case I have neighbours that know what they're doing so should I just forget about WiFi go back to UTP?
> >
> > We use 802.1x auth on our switch (and other hardwares) ports at work and this utilizes a Radius server. At work we are mostly a $MS WinderZ shop, but with Enterprise grade access points (we have Aruba's), EAP, and Radius we
> >
> > [...]
> >
> > This email is already getting a trifle long, so suffice to say if you really need the best security on a home ISP router the best you can do is turn off the radio and use Ethernet and UTP. This returns to the original focus of your question in that the firewall would be the point of contention and not the cracking of WEP/WPA2 auth keys. What I was wanting to point out to you originally is that changing the firewall is a separate issue from the cracking of Wifi auth keys.
>
> I absolutely got that but I was assuming that a pre-packaged WiFi router with pfSense or m0n0wall would have a more secure wireless hardware and software as well. Now I see the problem is more complex and that the wireless part is vulnerable regardless. So if by cracking the wireless part they can spoof the mac addresses of authorized equipment, what other methods could a BSD-based firewall use to prevent the cracker from penetrating or using the network beyond the WiFi layer? From your response it seems very little or nothing really...

Yes - unfortunately this is about the state of things. Not a whole lot you're going to do to improve the consumer grade home router. There are some hardware specific firmware projects that I've never played with such as: http://www.dd-wrt.com/site/index

The pre-packaged home equipment is relatively cheap when compared against the top of the line enterprise-grade commercial products. Most are some form of embedded Linux. For example, the MI424WR-Rev3 I have here is busybox ( http://www.busybox.net/ ). If you turn on remote management and telnet into it you get a busybox prompt! With a busybox shell and all busybox commands. The firewall many of these embedded Linux things are using is iptables2, the standard linux firewall package.

What I was pondering is some form of L2TP tunnel, or some other form of IPSEC tunnel to form some kind of VPN like communication between the client and the wifi. Just never have begun to find the time to get anywhere with the idea. But basically it would resemble a VPN that only accepts connection from a tunnel endpoint client and not pass any traffic from any other client lacking this VPN-like endpoint. I think such a thing is very possible and have read some articles by people who have done very similar sounding things. Indeed, this is what SSL-VPN providers do via a subscription service so people surfing at open wifi coffee shops tunnel through the local open wifi and setup an encrypted VPN tunnel.

Just not enough time in the day. I know it's do-able, just never have found the time to properly approach it.

-Mike
Re: Home WiFi Router with pfSense or m0n0wall?
Alejandro Imass wrote:

> Hi, I'm looking to replace the piece of crap 2wire WiFi router that gets cracked every other day for something with pfSense or m0n0wall

Not sure what you mean by 'cracked' here. If you are meaning that someone is using aircrack-ng to break your Wifi authentication key a firewall won't do much to stop this.

-Mike

[snip]
Re: pwd.db/spwd.db file corupption when having unsafe system poweroff
Tak Tak wrote:

> hi everyone, i wanna know what exactly happens for freebsd files and processes, when we shutdown system via pressing hardware power key for 3 seconds?
>
> here's what has happened to me, recently: i've faced a strange problem.. on one of my bsd servers, one of my coworkers had defined and edited some system users, and then, instead of safe shutdown, he kept pressing power-button for 3 seconds!.. after next startup, we couldn't login anymore! we had to replace pwd.db and spwd.db files, via bootable-freebsd Fixit mode, and then, everything was fine!
>
> we know that we are, for sure, better to use safe shutdown, but i can't guarantee it always happens. what if sudden power off makes same problem?? so i can't leave my servers in such situations..
>
> My questions are: what has happened exactly? just in-used corrupted files ?? is there any way to prevent this situation? (instead of having a read-only FS.. i can't apply it on this server for now..).
>
> i'm sorry if my question seems dummish! i'm trying to increase my bsd knowledge, but i'm just on my way.. for sure, i appreciate any ideas or answers :)

At the risk of illustrating what I'm fuzzy on, possibly those with more in-depth skill can fill in the blanks or tidy up some with more accurate and complete details.

Pressing the power button for 4 seconds as described is invoking the ACPI layer to stimulate call(s) down to the system BIOS. Whatever is set in the BIOS wrt to power control and various power-savings modes are passed through the ACPI layer. The problem with this is the acpi module in FreeBSD may, or may not, be a perfect implementation for every possible piece of hardware in existence. The piece of that which really concerns me are individual manufacturer BIOS quirks can be just enough 'off' so as to misbehave even when the FreeBSD acpi implementation is basically sound.

The gist of this is (IMHO here - YMMV) is I consider it a bad procedure to turn off a server as you've described. Use the shutdown command properly instead. I would never do what your coworker did to any of my servers. Caveat being sometimes you have no other choice but to do a hard power-down. A hard power-down is done by using the switch on the power supply, and not using the ACPI/BIOS from pressing the power switch on the front.

When you do have an 'uh-oh' like this, FreeBSD normally boots back into an unclean file system with corresponding whinings and complaints about how the file system(s) were not properly dismounted. Normally a background fsck ensues after 60 seconds of idle. In your case whatever files were left open and not properly closed, this background fsck, had it been allowed to run and complete, would have cleaned this up. The problem starts when someone presses the power off button again, and again, before this process completes. Using the power button ACPI/BIOS only compounds this situation.

I have had at one time or another, power failures that occurred almost back to back, only with a few minutes in between. So what happened was on first boot after power came back the power went down again right in the middle of this background fsck. Two more of these and my file system(s) were in pretty not-so-good shape. Luckily I was running gmirror and one of the drives was consistent. So the mirror got rebuilt from the drive with the consistent file system automagically (takes a while), then the system continued to boot, and then the background fsck finally kicked in. Gmirror saved my bacon here. Journaling is also supposed to provide similar error recovery features.

I've had this happen twice on 2 different boxen. Needless to say, 2 broken UPS units were scrapped and replaced as a result.

I would recommend you do NOT use the power button as you described above. Period. In any event pay particular attention to that very first boot after an 'uh-oh' power off event. Look at top and watch for the background fsck to kick off and complete, returning the machine to quiescent state BEFORE you do ANYTHING else to it. This includes pressing the button on the front.

Just my $.02 - but I've had a couple of experiences like this and survived them successfully by doing things my way.

-Mike
Re: When will binary packages be back?
Mike. wrote:

[snip]

> Additionally, for me, building from ports for me has tended to pull in many, many X-windows support files when they are not needed. Specifically, I run a non-windowing system using command line tools. When I tried to compile Samba from ports, I finally killed the 'make' stage after three hours of compiling X-windows stuff. Nowhere had I ever specified that the system was running X or any other windowing system. Yet, there it was, three hours of wasted time.

In addition to what Jeff has said, for servers where I do not want any X related stuff I place WITHOUT_X11= yes in /etc/make.conf. In addition to make config option(s), there may also be some default stuff here and there in the Mk files. The make.conf line will short circuit these.

IIRC there may be some exceptions where you need some (a handful or less) of some X related packages. Seem to think of things like gd, imagemagick, freetype, etc., for PHP kind of things. In these cases, the make.conf line will blanket cover most of what you don't want and you can choose make config options that will pull in only what you absolutely need without starting down the line to everything X-related.

-Mike
Re: EC2 Instances Future
I still follow Colin's original pattern of using a minimal Linux grub boot EBS device (1GB), ext2fs, with the root partition being on another (ufs2) EBS device. This works very well, with a couple of caveats -
- Install e2fsprogs (pkg or port) - you will need it, on occasion when modifying the boot device (after mounting rw).
- Kernel upgrades are tricky, so be careful
- Edit /etc/freebsd-update.conf intelligently to prevent unintended consequences
Apart from that, I have been running i386 and amd64 instances this way, both 8.3 and 9.1, without difficulty (apart from some Xen clock weirdness in 8.3). No Windoze Tax. ;-) - M
On Wed, Apr 10, 2013 at 10:05 AM, jflowers jflow...@ezo.net wrote: Is there anything likely to be available in the future (3 months to a year) to avoid the Windows tax on FreeBSD instances for the smaller (t1.micro, m1.small, m1.medium) types? I understand the problem but don't find anything much online about a possible solution. Probably because I don't understand as much as I think. Thanks. -- Jim Flowers jflow...@ezo.net
Re: Problems with IPFW causing failed DNS and FTP sessions
Okay, what's your DNS setup? Are you running a recursive cache that contacts the root servers directly? Using your ISP's servers? Etc. As a mitigation step, I tried pointing my caches to 8.8.8.8 and 8.8.4.4. - but it turns out that Google is intentionally blocking (returning NX responses to) many netblocks right now because they contain hosts known to be part of the botnet in the DDOS DNS amplification attack. I'm mirroring the root zone everywhere I have a cache, and it's helping.
Re: Recipie for CPU souffle'
Ronald F. Guilmette wrote: [[ Mostly, this posting is just a story. But it does include one question, towards the end. See below. ]] Well, I accidentally found what I believe is most likely the reason for the system halts I have been having recently, so I just thought that I would share that. It _is_ a bit humorous. (The mystery system shutdowns have _not_ been due to a power issue, it would appear.) I just now experienced another episode in which the machine powered itself off, as I was working on it, for no apparently good reason. Since it was down anyway, I decided that this would be a good time to pull out that *^%$#@ bleedin' new USB 3.0 PCIe card I had recently installed... just in case that was causing the problem. As I reached in to begin extracting the PCIe card, the tip of one of my fingers accidentally brushed up against my CPU heatsink. I instinctively yanked it away immediately. If I had not done so, I would probably have gotten a third degree burn. I left the system off for a couple of minutes after that... to let it cool down a bit before doing anything else... and then I powered it back on, checked that the CPU fan was indeed turning (it was) and then I went immediately to the BIOS and the PC Health Status. The CPU temperature was listed as being 63c == 145f !!! And this was _after_ I had allowed the system to be powered down for a couple of minutes to cool down!!! So anyway, the fan turned and I watched the CPU temp slowly inch down to something more normal... like in the vicinity of 24c. I don't know what to make of this, except to suspect that some loose wires inside my case got in the way of the CPU fan turning. (I am not neat like some folks. The inside of my case _is_ really rather sloppy, so this could easily have happened.) I've now installed mbmon and xmbmon and will be watching the CPU temp closely for awhile. I really wish that one or the other of those tools allowed setting a threshold CPU temp, beyond which the tool would emit an ear piercing alarm via the motherboard speaker... you know.. in case the regular external stereo speakers are turned off. question What *is* the best way to achieve the above effect, i.e. to arrange for the machine to scream for help in case it is getting too hot? I don't want it to just die, like it is doing now. I want it to scream so that I can rush over and at least try to do an orderly shutdown. /question Regards, rfg P.S. I am loading the system pretty heavily now, and have been for the last 20+ minutes, and xmbmon is showing me a nice constant 31c for the CPU temp. So for the moment at least, all is well. P.P.S. I have a (relatively) monster sized heatsink in this system, and it sits atop a quite modest 2.7GHz single-core Athlon, so it is not at all surprising that the ``stable'' CPU temp is around 30c (86f).
Many old Athlons from the older generation used a thermal pad for heat transfer. It was what looked like a little piece of soft plastic almost something like a millimeter thick and an inch or so square that would have come preapplied to the OEM heat sink which accompanied the CPU in a retail box set. With these processors you cannot just simply smear a lot of thermal grease in there as a replacement. Indeed, doing so (not using a thermal pad) voids the warranty. Thermal grease works best when it is applied as a very thin but evenly distributed layer and the heat sink is then clamped down very tightly so it is in very close contact with the processor. Doing this (using just thermal grease in lieu of the pad) leaves a small void or gap through which there will be little heat transfer. You might want to confirm that your processor model requires a thermal pad and not grease. Then hunt some down and use it instead of thermal grease. I seem to recall they were somewhat difficult to locate a place from which to purchase. Also the backing paper was darn near impossible to get off without destroying it (why the OEM cooler had it pre-applied). So get a few of them so you can tear up a couple before you succeed. -Mike
Re: databases/mysql55 to databases/mariadb
Andrei Brezan wrote: [snip] Also what i've noticed is that 'p' as a suffix is for percona. Oops! And I was thinking Percona but for some reason PostgreSQL came out my fingers! DOH! -Mike
Re: use of the kernel and licensing
On Sun, 31 Mar 2013 16:31:43 +0200, Polytropon free...@edvax.de wrote: On Sun, 31 Mar 2013 09:39:29 -0400, Joe wrote: Does one have to file legal paper work with the government to be issued a copyright on software? With _which_ government? :-) Basic understanding of copyright is: The stuff _you_ write happens automatically under _your_ copyright, because you are the creator. There is nothing you need to do to achieve the copyright - it's yours by acting. At the moment you write something like (C) Joe Sixpack 2012 it's set in stone. There might be other ways to prove (!) copyright, e. g. when one of your files appears in someone else's work, but now with the originator line saying (C) Nick Nosewhite 2013. In case of a court trial which involves copyright, you can prove from your CVS log of creation (or whatever source management system or even file system you use) that _you_ have been writing that code, nobody else. Does any software not having a copyright statement or any license comments included in the source mean that it's public domain? I would assume this. Imagine a snippet of code with no author mentioned in it (or in the source it comes from, or any file it is accompanied by), how would you be able to conclude something _else_ than this is public domain with _no_ copyright holder? I think you are wrong here. quoting http://en.wikipedia.org/wiki/Public_domain_software: Under the Berne Convention, which most countries have signed, an author automatically obtains the exclusive copyright to anything they have written, and local law may similarly grant copyright, patent, or trademark rights by default. The Berne Convention also covers programs. Therefore, a program is automatically subject to a copyright, and if it is to be placed in the public domain, the author must explicitly disclaim the copyright and other rights on it in some way. Note the wording explicitly disclaim. 
While German law has something like a triviality threshold which may well apply to very small code snippets, i'd say no included license by default means all rights reserved. Regards, Michael
Re: smartd
Polytropon wrote: On Sun, 31 Mar 2013 17:25:32 -0500, ajtiM wrote: I installed smartmontools, start_smartd=yes I have in rc.conf Without further investigation - shouldn't that be smartd_enable=YES conforming to the syntax of other service start commands? At least that might be the reason why smartd doesn't automatically start. Sadly I can't find a reference to how to edit rc.conf in man smartd; at least the manual explains the options well... ;-) This is correct, as per: /usr/ports/sysutils/smartmontools/files/pkg-message.in Don't know if it's a typo in his email but he was missing a on the: daily_status_smart_devices=/dev/ada0 line as well. -Mike
Re: Problems with IPFW causing failed DNS and FTP sessions
It would be really helpful if you'd post the ruleset. At first glance, your stateful rules seem rather wrong, unless there's a check-state above. Also, in and out aren't discriminating enough - every packet is seen by the ruleset more than once. You should think in terms of interfaces, direction, etc. Are you doing NAT? Stateful rules with NAT are indeed possible, but subtle. Your problem has nothing to do with server load, and probably everything to do with not-terribly-well-conceived ruleset. Please post yours here. - M
On Sun, Mar 31, 2013 at 8:34 PM, Don O'Neil li...@lizardhill.com wrote: Hi everyone. recently my server started having issues with DNS and FTP sessions either not resolving or timing out. I've tracked the issue down to IPFW. if I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues go away. I have the basic rules like this for dns;
01160 allow udp from any to any dst-port 53 in keep-state
01161 allow tcp from any to any dst-port 53 in keep-state
01162 allow udp from any to any dst-port 53 out keep-state
01163 allow tcp from any to any dst-port 53 out keep-state
When I try an nslookup sometimes they fail, sometimes they get through, even if I change my DNS server to google, my ISP, or even OpenDNS. the firewall seems to be causing the issue. I have about 65 rules in all. Any ideas what could be causing this? My server load is low, usually hovering around .2 How can I look at the actual amount of traffic that the IPFW module is processing and track down potential performance issues? My server isn't pushing much data, only around 4-5 Mbps sustained. Thanks!
Re: Problems with IPFW causing failed DNS and FTP sessions
Don O'Neil wrote: Hi everyone. recently my server started having issues with DNS and FTP sessions either not resolving or timing out. I've tracked the issue down to IPFW. if I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues go away. [snip]
I'm probably not smart enough to be able to help directly with your problem but I'd like to add that there is a snowballing DNS Amplification ddos attack against SpamHaus going on which is spilling over. I was looking at some weird stuff my Suricata was reporting today when I noticed a large majority of it was coming from CloudFlare CDN. They use anycast packet traffic to deflect and diffuse such attacks for their customers. I'm wondering if your box has just been sitting there doing its thing and you've made zero changes to it so it is essentially 'steady state' and this problem just sort of came up seemingly out of nowhere. Consider a possibility that the cause may be external and what you're seeing is just IPFW's reaction to it. A friend of mine is on a nearby Verizon subnet and he uses their DNS servers. He noticed minimal hiccup while I have my DNS pointed at OpenDNS and it took them almost a day to get their situation under control. Once they did traffic seemed to return to normal, then I noticed Suricata alerting on return traffic in my pf DNS firewall rule. All the traffic Suricata was complaining about was coming from the CloudFlare CDN. I've never seen this before, so I'm not completely certain what to make of it. My hypothesis is OpenDNS subscribed to CloudFlare's protection, and since it is legit return traffic from my DNS server's lookups the firewall never touched it. I would never have noticed if it wasn't for Suricata. I just don't know enough about it all, just that I was having some flaky DNS stalling and hanging and when it seemed like it returned to normal I began to see this weird stuff from CloudFlare CDN on my DNS traffic. Just would like to point out it may be possible your problem is somehow just a reflection of some noise going on outside your box. As for exactly what you might do about it is for smarter people than me. -Mike
Re: Problems with IPFW causing failed DNS and FTP sessions
I'll give you a more cogent reply tomorrow - if you use keep-state rules, you want to be a little more specific - for tcp, you want allow tcp from X to Y setup keep-state - i.e. you start the stateful rule on packets that have the SYN flag set. There are some other oddities here - I'm guessing that the firewall rules are there to protect this box itself... in which case your stateful rules really need only to consider outbound traffic, and to allow replies. Let me know if that assumption is erroneous. More later. Time for - M
On Sun, Mar 31, 2013 at 9:33 PM, Don O'Neil li...@lizardhill.com wrote: Thanks for the response... here's my full ruleset:
# ipfw list
00100 check-state
00101 allow tcp from any to any established
00102 allow ip from any to any out keep-state
00103 allow icmp from any to any
00201 allow ip from any to any via lo0
00202 allow ip from any to 127.0.0.0/8
00203 allow ip from 127.0.0.0/8 to any
00204 deny tcp from any to any frag
00301 deny log logamount 50 ip from any to any ipoptions rr
00302 deny log logamount 50 ip from any to any ipoptions ts
00303 deny log logamount 50 ip from any to any ipoptions lsrr
00304 deny log logamount 50 ip from any to any ipoptions ssrr
00305 deny log logamount 50 tcp from any to any tcpflags syn,fin
00306 deny log logamount 50 tcp from any to any tcpflags syn,rst
01110 allow tcp from any to any dst-port 20 in
0 allow tcp from any to any dst-port 20 out
01112 allow tcp from any to any dst-port 21 in
01113 allow tcp from any to any dst-port 21 out
01114 allow tcp from any to any dst-port 990 in
01115 allow tcp from any to any dst-port 990 out
01116 allow udp from any to any dst-port 990 in
01117 allow udp from any to any dst-port 990 out
01118 allow tcp from any to any dst-port 989 in
01119 allow tcp from any to any dst-port 989 out
01120 allow udp from any to any dst-port 989 in
01121 allow udp from any to any dst-port 989 out
01122 allow tcp from any to any dst-port 1024-65000 keep-state
01125 allow tcp from any to any dst-port 22 in
01126 allow tcp from any to any dst-port 22 out
01130 allow tcp from any to any dst-port 25 in
01131 allow tcp from any to any dst-port 25 out
01132 allow tcp from any to any dst-port 587 in
01133 allow tcp from any to any dst-port 587 out
01134 allow tcp from any to any dst-port 2525 in
01135 allow tcp from any to any dst-port 2525 out
01140 allow tcp from any to any dst-port 110 in
01141 allow tcp from any to any dst-port 110 out
01142 allow tcp from any to any dst-port 995 in
01143 allow tcp from any to any dst-port 995 out
01144 allow tcp from any to any dst-port 2110 in
01145 allow tcp from any to any dst-port 2110 out
01150 allow tcp from any to any dst-port 143 in
01151 allow tcp from any to any dst-port 143 out
01152 allow tcp from any to any dst-port 993 in
01153 allow tcp from any to any dst-port 993 out
01160 allow udp from any to any dst-port 53 in keep-state
01161 allow tcp from any to any dst-port 53 in keep-state
01162 allow udp from any to any dst-port 53 out keep-state
01163 allow tcp from any to any dst-port 53 out keep-state
01170 allow tcp from any to any dst-port 80 in
01171 allow tcp from any to any dst-port 80 out
01172 allow tcp from any to any dst-port 443 in
01172 allow tcp from any to any dst-port 443 out
01180 allow tcp from any to any dst-port in
01181 allow tcp from any to any dst-port out
65535 deny ip from any to any
I've tried these rules;
01160 allow udp from any to any dst-port 53 in
01161 allow tcp from any to any dst-port 53 in
01162 allow udp from any to any dst-port 53 out
01163 allow tcp from any to any dst-port 53 out
Without the keep-state option, and the problem is still persisting... The weird thing is that I've run these rules for a number of years without any issues until just recently. I've checked my interface stats to make sure there aren't a bunch of fragmented packets or errors, and there aren't. I'm not running NAT, it's a publicly accessible IP address.
-Original Message- From: Michael Sierchio [mailto:ku...@tenebras.com] Sent: Sunday, March 31, 2013 8:58 PM To: Don O'Neil Cc: freebsd-questions@freebsd.org Subject: Re: Problems with IPFW causing failed DNS and FTP sessions It would be really helpful if you'd post the ruleset. At first glance, your stateful rules seem rather wrong, unless there's a check-state above. Also, in and out aren't discriminating enough - every packet is seen by the ruleset more than once. You should think in terms of interfaces, direction, etc. Are you doing NAT? Stateful rules with NAT are indeed possible, but subtle. Your problem has nothing to do with server load, and probably everything to do with not-terribly-well-conceived ruleset. Please post yours here. - M On Sun, Mar 31, 2013 at 8:34 PM, Don O'Neil li...@lizardhill.com wrote: Hi everyone. recently my server started having issues with DNS and FTP
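Added example (not part of the original thread, and not code from any poster): a small audit of `ipfw list` output for two points raised above, TCP keep-state rules that do not start on `setup`, and rules that can never match because an earlier unconditional rule for the same direction ends the search first. The function names, finding labels and the simplified rule grammar are assumptions of this sketch; the sample is a constructed subset of the rules quoted in the thread.

```python
"""Audit `ipfw list` output for two problems discussed in the thread."""
from dataclasses import dataclass, field

# Constructed sample: a subset of the rules quoted in the thread.
SAMPLE_RULES = """\
00100 check-state
00101 allow tcp from any to any established
00102 allow ip from any to any out keep-state
01122 allow tcp from any to any dst-port 1024-65000 keep-state
01160 allow udp from any to any dst-port 53 in keep-state
01161 allow tcp from any to any dst-port 53 in keep-state
01162 allow udp from any to any dst-port 53 out keep-state
01163 allow tcp from any to any dst-port 53 out keep-state
65535 deny ip from any to any
"""


@dataclass
class Rule:
    number: str
    action: str
    proto: str = ""
    src: str = ""
    dst: str = ""
    options: list = field(default_factory=list)

    @property
    def directions(self):
        # A rule without "in" or "out" is evaluated for both directions.
        return {d for d in ("in", "out") if d in self.options} or {"in", "out"}


def parse_rule(line):
    """Parse 'NNNNN action [log [logamount N]] proto from SRC to DST [options]'."""
    tok = line.split()
    if len(tok) < 2 or not tok[0].isdigit():
        return None
    number, action, rest = tok[0], tok[1], tok[2:]
    if action == "check-state":
        return Rule(number, action)
    if rest[:1] == ["log"]:
        rest = rest[3:] if rest[1:2] == ["logamount"] else rest[1:]
    if len(rest) < 5 or rest[1] != "from" or rest[3] != "to":
        return None  # outside the simple form this sketch handles
    return Rule(number, action, rest[0], rest[2], rest[4], rest[5:])


def is_catch_all(rule):
    """True if the rule matches every packet of its direction(s) and ends the search."""
    return (rule.action in ("allow", "deny")
            and rule.proto in ("ip", "all")
            and rule.src == "any" and rule.dst == "any"
            and set(rule.options) <= {"in", "out", "keep-state"})


def audit(ruleset_text):
    """Return a list of (rule_number, finding, detail) tuples."""
    findings = []
    covered = {}  # direction -> number of the first catch-all rule for it
    for line in ruleset_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule.action == "check-state":
            continue
        if all(d in covered for d in rule.directions):
            earlier = ", ".join(sorted({covered[d] for d in rule.directions}))
            findings.append((rule.number, "unreachable",
                             "every packet it could match is decided by rule " + earlier))
        if (rule.proto == "tcp" and "keep-state" in rule.options
                and "setup" not in rule.options):
            findings.append((rule.number, "tcp-keep-state-without-setup",
                             "dynamic state is created by any TCP segment, not only SYN"))
        if is_catch_all(rule):
            for d in rule.directions:
                covered.setdefault(d, rule.number)
    return findings


if __name__ == "__main__":
    for number, finding, detail in audit(SAMPLE_RULES):
        print(f"{number}: {finding}: {detail}")
```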
Re: Problems with IPFW causing failed DNS and FTP sessions
On Sun, Mar 31, 2013 at 9:39 PM, Michael Powell nightre...@hotmail.com wrote: I'm probably not smart enough to be able to help directly with your problem but I'd like to add that there is a snowballing DNS Amplification ddos attack against SpamHaus going on which is spilling over Yes, this is very much true. The ICANN servers are dropping packets like mad, and many of the .com servers as well. I am mirroring the root zone locally to mitigate. It works to forward DNS to Google's servers (8.8.8.8, 8.8.4.4.) EXCEPT - they are blocking some net blocks (issuing spurious negative responses) because of large numbers of nets with hosts in the botnet participating in the attack. - M
Re: Problems with IPFW causing failed DNS and FTP sessions
net.inet.ip.fw.dyn_short_lifetime ? net.inet.ip.fw.dyn_udp_lifetime ? You might want to increase these, given the current state of things...
Re: Portsnap gets ports that claim to be out of date
John Levine wrote: When I do portsnap update and try building stuff, I get errors like this: ^^
Mk/bsd.port.mk, line 5: warning: You are using a ports file that originated from CVS!!
Mk/bsd.port.mk, line 6: warning: The FreeBSD project has switched from CVS to SubVersion.
Mk/bsd.port.mk, line 7: warning: This CVS repository is NO LONGER UPDATED! If you see this
Mk/bsd.port.mk, line 8: warning: message then your tree is STALE and you need to follow
Mk/bsd.port.mk, line 9: warning: the update instructions to receive any more updates.
I'm not using CVS, I'm using portsnap. Any ideas? It's a 9.1 system, fully up to date as far as I know.
Have you tried doing: portsnap fetch update instead of portsnap update? -Mike
Re: databases/mysql55 to databases/mariadb
Andrei Brezan wrote: Hello list, Is there a make.conf option that I can use to replace mysql55-[server,client] with mariadb55-[server,client] or i need to use for example pkg set -o databases/mysql55-client:databases/mariadb55-client? What happens if I want to use one port with mysql dependency and another one with mariadb as dependency? This is just a theoretical question, I don't have such a requirement, yet. All this is on 9.1-RELEASE but I think applies to different versions too. Look at: /usr/ports/Mk/bsd.database.mk I only perused it briefly, but I think you want something such as MYSQL_VER=55m. The 'm', or 'p' suffix switches to either MariaDB or PostgreSQL if I understand correctly. At any rate, this is the file that controls this. If it doesn't work (possibly I've got it wrong), I'd suggest a PR to get it added in. -Mike
Re: Client Authentication
On Tue, 26 Mar 2013 22:56:37 +0100, Daniel O'Callaghan da...@clari.net.au wrote: On 27/03/2013 4:18 AM, Joseph Olatt wrote: Any ideas/suggestions on this will be appreciated. Thanks, -- Doug A little while back I wrote a system to do a simple Two Factor Authentication and dynamic manipulation of PF (Packet Filter) Tables. I created it to prevent brute-force attacks on the servers that I have exposed on the Internet. I'm happy to share a program I wrote which slows down the brute force attackers. It simply counts the SYN packets from a given IP and limits the rate per minute by dropping the packet if they are coming too fast. Uses ipfw divert sockets, so would work if you prefer ipfw over pf. Me Me Me! ...ahem. I do prefer IPFW over PF and would very much like to try it out, so please do share. Regards, Michael
Re: Client Authentication
On Wed, 27 Mar 2013 01:37:36 +0100, Daniel O'Callaghan da...@clari.net.au wrote: On 27/03/2013 10:37 AM, Michael Ross wrote: I'm happy to share a program I wrote which slows down the brute force attackers. It simply counts the SYN packets from a given IP and limits the rate per minute by dropping the packet if they are coming too fast. Uses ipfw divert sockets, so would work if you prefer ipfw over pf. Me Me Me! ...ahem. I do prefer IPFW over PF and would very much like to try it out, so please do share. OK, here 'tis https://secure.clari.net.au/ratelimit2.tgz Danny Thanks! I'd like to be able to change the time window: http://gurder.ross.cx/misc/ratelimit.patch Regards, Michael
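Added example (not part of the original thread, and not the contents of ratelimit2.tgz or of the patch linked above, neither of which is shown on this page): the per-source SYN counting described in these two messages, with the time window as a parameter. It covers only the pass/drop decision on a raw IPv4 packet as a divert socket would deliver it; the socket I/O is left out, and every name, limit and address below is an assumption or a constructed sample.

```python
"""Per-source SYN rate limiting with a configurable sliding window."""
import socket
import struct
from collections import defaultdict, deque

TH_SYN, TH_ACK = 0x02, 0x10


def syn_source(packet):
    """Return the source IP of an IPv4 TCP SYN (ACK clear), else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset != 0 or packet[9] != socket.IPPROTO_TCP:
        return None  # later fragments carry no TCP header to inspect
    if len(packet) < ihl + 14:
        return None
    flags = packet[ihl + 13]
    if flags & TH_SYN and not flags & TH_ACK:
        return socket.inet_ntoa(packet[12:16])
    return None


class SynRateLimiter:
    """Allow at most max_syns new-connection attempts per source per window."""

    def __init__(self, max_syns, window_seconds=60.0):
        self.max_syns = max_syns
        self.window = window_seconds
        self._seen = defaultdict(deque)  # source IP -> times of accepted SYNs

    def allow(self, packet, now):
        """Return True to re-inject the packet, False to drop it."""
        src = syn_source(packet)
        if src is None:
            return True  # not a connection attempt: never rate limited here
        times = self._seen[src]
        while times and now - times[0] >= self.window:
            times.popleft()  # forget SYNs that have left the window
        if len(times) >= self.max_syns:
            return False
        times.append(now)
        return True

    def expire(self, now):
        """Drop idle sources so spoofed addresses cannot grow the table forever."""
        idle = [s for s, t in self._seen.items()
                if not t or now - t[-1] >= self.window]
        for src in idle:
            del self._seen[src]

    def tracked_sources(self):
        return len(self._seen)


def make_tcp_packet(src, flags, dst="192.0.2.10", dport=22):
    """Build a constructed 40-byte IPv4+TCP packet (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    limiter = SynRateLimiter(max_syns=3, window_seconds=10)
    syn = make_tcp_packet("203.0.113.5", TH_SYN)
    for t in (0, 1, 2, 3, 4, 10, 10.5):
        print(t, "pass" if limiter.allow(syn, t) else "drop")
```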
Re: gettext problem in FreeBSD 8.3 system hosed
Antonio Olivares wrote: [snip] As following /usr/port/UPDATING, I ran into a bit of trouble. System is hosed and I cannot update any ports. I tried to follow advice here:
20130316:
AFFECTS: users of converters/libiconv and devel/gettext
AUTHOR: b...@freebsd.org
libiconv now handles the lib/charset.alias file instead of devel/gettext. If you are using pkgng 'and' upgrading from source with portupgrade or portmaster, first delete gettext, upgrade libiconv, then reinstall gettext.
# pkg delete -f devel/gettext
# portmaster converters/libiconv devel/gettext
or
# pkg delete -f devel/gettext
# portupgrade converters/libiconv devel/gettext
[snip] I have tried to follow the instructions included in /usr/ports/UPDATING but I have not succeeded in this machine. I am thinking of moving it to 8.4-BETA1 release and then reworking the ports or deleting them and restarting in case of not having replies I have gotten myself out of trouble before but it can take days to get the machine back in working order :(
Not exactly an answer here, in terms of recovery, but more along the lines of trying to figure out how it happened. Did you previously convert this machine to pkgng? The reason I ask is the instructions in UPDATING _only_ apply if you did so. If you did not, then you did not need to pay any attention to that section in UPDATING. I have not yet investigated the changeover to pkgng. I recently just did a portupgrade -a without doing as UPDATING suggested and had no difficulty with either port. So if you have not converted to pkgng then there is/was a misunderstanding in the reading of UPDATING. If you did convert to pkgng then you are in new territory I have not seen yet, and the point is moot. -Mike
Re: Is fdisk broken?
On Fri, Mar 22, 2013 at 7:33 AM, mla_str...@att.net wrote: Can fdisk be made happy again? (At least for a few more years?) The short answer is: no. Fdisk comes from a world where even 1G drives were not yet on the horizon. Use gpart. The long answer is readily available in the forums - google is your friend. - M
Re: How To Get App To Start At Boot?
On Tue, Mar 19, 2013 at 2:13 PM, Drew Tomlinson d...@mykitchentable.net wrote: I installed Splunk which is not part of the ports tree. It's a proprietary app that I downloaded and installed on its own. I start it with '/usr/local/splunk/bin/splunk start'. It should also be stopped with '/usr/local/splunk/bin/splunk stop'. In an attempt to automate it, I created this symlink in /usr/local/etc/rc.d:
Not the way to do it at all. ;-) (assuming /opt/splunk*/bin is in your path)
# splunk enable boot-start
This installs the script below as /etc/rc.d/splunk. You then merely need to put splunk_enable=YES in /etc/rc.conf Questions like this are better answered by searching the splunk FAQs, etc. Lots of good info there.
#!/bin/sh
# PROVIDE: splunkd
# REQUIRE: LOGIN
# KEYWORD: shutdown
# /etc/rc.d/splunk
# init script for Splunk.
# generated by 'splunk enable boot-start'.
. /etc/rc.subr
name=splunk
extra_commands=status
rcvar=`set_rcvar`
eval ${rcvar}=\${${rcvar}:-'NO'}
splunk_start() {
  ${splunk_home:-/opt/splunkforwarder}/bin/splunk start --no-prompt --answer-yes $@
}
start_cmd=splunk_start
splunk_stop() {
  ${splunk_home:-/opt/splunkforwarder}/bin/splunk stop $@
}
stop_cmd=splunk_stop
splunk_restart() {
  ${splunk_home:-/opt/splunkforwarder}/bin/splunk restart $@
}
restart_cmd=splunk_restart
splunk_status() {
  ${splunk_home:-/opt/splunkforwarder}/bin/splunk status $@
}
status_cmd=splunk_status
load_rc_config $name
run_rc_command $@
Re: No sound with Thinkpad X60
On Thu, 14 Mar 2013 23:59:09 +0100, Peter Harrison four.harris...@googlemail.com wrote: Hi list, I've a problem with sound on a Thinkpad X60, which has an Intel HDA chip. This is what I see in dmesg: hdac0: Intel 82801G HDA Controller mem 0xee24-0xee243fff irq 17 at device 27.0 on pci0 hdacc0: Analog Devices AD1981HD HDA CODEC at cad 0 on hdac0 hdaa0: Analog Devices AD1981HD Audio Function Group at nid 1 on hdacc0 pcm0: Analog Devices AD1981HD (Analog) at nid 5 and 25,8 on hdaa0 hdacc1: Conexant (0x2bfa) HDA CODEC at cad 1 on hdac0 unknown: Conexant (0x2bfa) HDA CODEC Modem Function Group at nid 2 on hdacc1 (no driver attached) and from sndstat: FreeBSD Audio Driver (newpcm: 32bit 2009061500/i386) Installed devices: pcm0: Analog Devices AD1981HD (Analog) (play/rec) default and from mixer: Mixer vol is currently set to 100:100 Mixer pcm is currently set to 100:100 Mixer speaker is currently set to 100:100 Mixer cd is currently set to 1:1 Mixer rec is currently set to 1:1 Mixer igainis currently set to 42:42 Mixer ogainis currently set to 100:100 Mixer monitor is currently set to 67:67 Recording source: cd But I have no sound. This is using Gnome 2.32 on 9.1-R. I did initially accidentally install Pulseaudio, but have subsequently deleted it and reinstalled everything that depended on it without the Pulseaudio dependency. Any thoughts on what I'm doing wrong? Thanks in advance. Possibly not helping a lot: I have a T510 thinkpad with Intel HDA audio, running Windows 7. I need to have the audio driver *and* the modem driver installed for any sound to work. So possibly the modem part has to be initialised or something. You have no driver attached on your modem, so maybe that's worth looking at. You could also try if sound works from a terminal without running Gnome at all, just to be sure it's not some Gnome configuration thing. 
Regards, Michael
Re: No sound with Thinkpad X60
On Sat, 16 Mar 2013 00:28:27 +0100, Peter Harrison four.harris...@googlemail.com wrote:

Friday, 15 March 2013 at 18:48:24 +0100, Michael Ross said:

On Thu, 14 Mar 2013 23:59:09 +0100, Peter Harrison four.harris...@googlemail.com wrote:

Hi list, I've a problem with sound on a Thinkpad X60, which has an Intel HDA chip. This is what I see in dmesg:

hdac0: Intel 82801G HDA Controller mem 0xee24-0xee243fff irq 17 at device 27.0 on pci0
hdacc0: Analog Devices AD1981HD HDA CODEC at cad 0 on hdac0
hdaa0: Analog Devices AD1981HD Audio Function Group at nid 1 on hdacc0
pcm0: Analog Devices AD1981HD (Analog) at nid 5 and 25,8 on hdaa0
hdacc1: Conexant (0x2bfa) HDA CODEC at cad 1 on hdac0
unknown: Conexant (0x2bfa) HDA CODEC Modem Function Group at nid 2 on hdacc1 (no driver attached)

and from sndstat:

FreeBSD Audio Driver (newpcm: 32bit 2009061500/i386)
Installed devices:
pcm0: Analog Devices AD1981HD (Analog) (play/rec) default

and from mixer:

Mixer vol is currently set to 100:100
Mixer pcm is currently set to 100:100
Mixer speaker is currently set to 100:100
Mixer cd is currently set to 1:1
Mixer rec is currently set to 1:1
Mixer igain is currently set to 42:42
Mixer ogain is currently set to 100:100
Mixer monitor is currently set to 67:67
Recording source: cd

But I have no sound. This is using Gnome 2.32 on 9.1-R. I did initially accidentally install Pulseaudio, but have subsequently deleted it and reinstalled everything that depended on it without the Pulseaudio dependency. Any thoughts on what I'm doing wrong? Thanks in advance.

Possibly not helping a lot: I have a T510 thinkpad with Intel HDA audio, running Windows 7. I need to have the audio driver *and* the modem driver installed for any sound to work. So possibly the modem part has to be initialised or something. You have no driver attached on your modem, so maybe that's worth looking at.

You could also try if sound works from a terminal without running Gnome at all, just to be sure it's not some Gnome configuration thing.

Regards, Michael

Thanks Michael. Tried turning gnome off. Still no sound from the console. Is there a FreeBSD kernel module for the modem?

Don't know. But stepping back, do you have snd_hda loaded? ( Silly me, should have been the first question. )

Found this: http://www.bmichelsen.no/blog/2012/01/28/configuring-freebsd-for-x60s/

Regards, Michael
Re: OpenVPN vm cant connect to other VM's
Are you pushing routes in your server.conf file? (hint - show, don't tell)

- M

On Wed, Mar 6, 2013 at 2:38 AM, Brent Clark brentgclarkl...@gmail.com wrote:

Hi guys

I'm struggling with a freebsd vm, that I have that I use for a VPN connection to, from my workstation to my home LAN. And I was wondering if someone could peer review me and my problem.

OpenVPN is working beautifully. I.e. I can connect to some services (apache etc) that I run directly on my FreeBSD / openvpn vm. What I'm now trying to achieve is that I can connect to other VMs / machines on my home LAN.

I'm using tun for my VPN, and my pf.conf looks like so (please see the nat on ...)

[root@freebsd /usr/home/bclark]# cat /etc/pf.conf
ext_if=re0
vpn_if=tun0
int_net=10.0.0.0/24
vpn_net=192.168.200.0/24
set skip on lo0
set optimization normal
#set block-policy drop
set limit { states 2, frags 1, src-nodes 2 }
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
# Translation: specify how addresses are to be mapped or redirected.
# NAT rules
# enabling NAT currently breaks policy based routing
#nat on $ext_if from { $int_net, $vpn_net } to any -> ($ext_if)
#nat on tun0 from { 192.168.200.0/24 } to any -> (re0)
nat on re0 from { 192.168.200.0/24 } to any -> (re0)
table <sshguard> persist
block in quick on re0 proto tcp from <sshguard> to any port ssh label "ssh brute"

What am I missing? If anyone could assist, it would be appreciated.

Kind Regards
Brent Clark
Re: FreeBSD 9 and Windows XP
On Sat, 09 Mar 2013 21:27:45 +0100, Polytropon free...@edvax.de wrote:

On Sat, 9 Mar 2013 12:07:41 -0800 (PST), leeoliveshackelf...@surewest.net wrote:

Good afternoon, FreeBSD enthusiasts. Can FreeBSD 9.1 be installed on a computer on which Windows XP currently resides?

Yes.

If so, how can this installation be done?

First of all, you need a tool to make disk space available; you can do this by adding an additional hard disk, or by resizing the Windows partition. As Windows does not seem to provide native tools to do this

I may misremember, but Win7 does have a functional shrink drive in the drive administration console, and I do think that was there in XP already.

Michael
Re: Performance Related Question
On Wed, 27 Feb 2013 23:05:44 +0100, Frederico Costa fredpo...@mufley.com wrote:

Hi everyone... I have a kind of interesting question when comes to performance of FreeBSD in different HW. i am not trying to come up with a scientific reason for measuring performance. :-) It is just a curiosity, and of course to see if i understand it and improve performance of my systems.

i am running 2 systems at the moment, lets call them S1 and S2, running FreeBSD 9.1-RELEASE-p1 amd64:

S1: Intel Core2 Duo E6550 @ 2.33GHz 2GB RAM 500GB disk (not important probably just for reference)
S2: 2x Dual-Core AMD Opteron 2216 2.4GHz 14GB Ram 320GB disk (not important probably just for reference)

Both the systems are running more or less the same sw, apache, imap server, postfix, and the needed perl/php/python and running very light load. Also both are using a GENERIC kernel and not running X, they are just text based :-)

From cpubenchmark.net the cpu performance index are for s1: 1501 and s2: 1518, so very similar. As i felt the AMD system seemed slower when comes to compiling, i just done a performance test which was make buildworld on both of systems from scratch and the times are:

S1: 2h 12m
S2: 2h 59m

If I read you right, you didn't ``make -jX buildworld'', with X being the number of processes to spawn, so you used just one core on either machine. Buildworld does a lot of I/O, so disk speed is relevant.

Regards, Michael
Re: Performance Related Question
On Wed, 27 Feb 2013 23:38:34 +0100, Frederico Costa fredpo...@mufley.com wrote:

On 2013-02-27 22:27, Michael Ross wrote:

If I read you right, you didn't ``make -jX buildworld'', with X being the number of processes to spawn, so you used just one core on either machine. Buildworld does a lot of I/O, so disk speed is relevant.

Yes, i just made make buildworld. So i should use make -j2 on the S1(dual core) and -j4 on S2 (2xdualcore)? And it also makes sense what you say about the I/O. i will start another to see the results.

Maybe try higher settings. Handbook ( http://www.freebsd.org/doc/handbook/makeworld.html ) says:

However, since much of the compiling process is I/O bound rather than CPU bound, it is also useful on single CPU machines. On a typical single-CPU machine, run:

# make -j4 buildworld

make(1) will then have up to 4 processes running at any one time. Empirical evidence posted to the mailing lists shows this generally gives the best performance benefit. On a multi-CPU machine using an SMP configured kernel, try values between 6 and 10 and see how they speed things up.

Thanks
fred

On Wed, 27 Feb 2013 23:05:44 +0100, Frederico Costa fredpo...@mufley.com wrote:

Hi everyone... I have a kind of interesting question when comes to performance of FreeBSD in different HW. i am not trying to come up with a scientific reason for measuring performance. :-) It is just a curiosity, and of course to see if i understand it and improve performance of my systems.

i am running 2 systems at the moment, lets call them S1 and S2, running FreeBSD 9.1-RELEASE-p1 amd64:

S1: Intel Core2 Duo E6550 @ 2.33GHz 2GB RAM 500GB disk (not important probably just for reference)
S2: 2x Dual-Core AMD Opteron 2216 2.4GHz 14GB Ram 320GB disk (not important probably just for reference)

Both the systems are running more or less the same sw, apache, imap server, postfix, and the needed perl/php/python and running very light load.
Also both are using a GENERIC kernel and not running X, they are just text based :-) From cpubenchmark.net the cpu performance index are for s1: 1501 and s2: 1518, so very similar. As i felt the AMD system seemed slower when comes to compiling, i just done a performance test which was make buildworld on both of systems from scratch and the times are: S1: 2h 12m S2: 2h 59m If I read you right, you didn't ``make -jX buildworld'', with X being the number of processes to spawn, so you used just one core on either machine. Buildworld does a lot of I/O, so disk speed is relevant. Regards, Michael
Re: dump issue
Snapshots are not yet supported when running with journaled soft updates: Operation not supported :-(

On Mon, Feb 11, 2013 at 7:27 AM, Robert Huff roberth...@rcn.com wrote:

Will someone please confirm or deny that (UFS) journaling and dump -L continue to be incompatible?

Respectfully, Robert Huff
Re: Can anyone direct me to some information about what WITHOUT_PROFILE=YES actually means.
dweimer wrote:

I have run into a recent issue, after a lot of troubleshooting I have narrowed it down to something in my /etc/src.conf the full file just has:

WITHOUT_BIND=YES
WITHOUT_NTP=YES
WITHOUT_FLOPPY=YES
WITHOUT_FREEBSD_UPDATE=YES
WITHOUT_PROFILE=YES

Of course bind and ntp are added in by ports after the system is built, everything compiles, I have a very specific issue with one thing not working on an installed port, with no apparent error. To make a long story short though one of my build attempts, I forgot to copy the /etc/src.conf file to the new system. And well the problem was gone, when I discovered that's what I did differently, I commented out all lines on a different system rebuilt and installed, sure enough it worked.

Looking at the src.conf options that I was using, I can't see how any option other than the WITHOUT_PROFILE could possibly be causing the problem. Though I am in the process of building systems with different options removed in an attempt to find out for sure. The WITHOUT_PROFILE was added from a help document I read some time ago about upgrading from source, and hasn't caused any problems before now. I know it instructs the build process to avoid compiling profiled libraries. But my searching hasn't been able to lead me to what the difference is between a profiled and non-profiled library is.

I'm not a code hacker, so take with pinch of salt. In the man page for src.conf it declares that variable values would be ignored, and of course I missed that. While I have WITHOUT_PROFILE= true in my src.conf, the correct use is simply WITHOUT_PROFILE by itself. Since I have never experienced any form of difficulty perhaps the difference here is the quotation marks. Maybe something is malfunctioning from the . See if removing these helps?

Also, from what I understand what's in src.conf should only apply to building the system, e.g code located under /usr/src. I've always taken this to mean it should not apply to building anything in ports.

My limited understanding is that when you build profiled code you are inserting a little extra debug code which is utilized to measure the time spent within internal structures, such as functions and other sub-routines. Not that I even know how such info would get extracted at runtime, programmers use this to look for areas within their code that hog resources time-wise and zero in on those to concentrate on making more efficient/faster.

-Mike
Re: Software raid VS hardware raid
Artem Kuchin wrote:

[snip]

The server is going to be a web server with many sites and with mysql running on it. Nothing really really heavy. Currently we run all this on our own server with 8 cores and 16GB ram and 3ware raid1 and cpu load is about 5% :) Everything is quick and responsive. I hope to see the same on a software raid.

The controller would be a slight concern. But for what you've described doing I doubt it will be a big deal. The 3Ware may have a faster processor on it than say a generic onboard built-in. But since all we're talking here is a RAID 1 mirror my guess is it may not be a big enough difference to see. Writes will be just as if you are writing to 1 drive, reads will be faster. Maybe that 5% cpu load turns into 6% or 7%.

I really don't want to deploy ZFS on a new server where all these sites need to migrate because i am kind of don't fix it if it is not broken kind of guy. UFS+journaling+softupdates served us well for years and snapshots are available on ufs too.

I understand; I've only played around with ZFS some on Solaris. I may move in that direction some day, but for now

My other concern is what happens when one drive goes down if we use gmirror? Is it completely transparent and bad drive can be hot swapped while server is running and rebuild started? I am thinking now about gpt+gmirror (including boot and swap)

I've never actually hot-swapped one but I can't see any reason why not. You can't use the gmirror remove directive when a drive has failed, but you do a gmirror forget device, swap it, then just do gmirror insert device to insert the replaced drive into the mirror. When everything is working as it should gmirror is mostly 'automatic', e.g. after the insert the rebuild just starts. Main thing I appreciated about this is the server stayed up and online after one drive died.

My two servers at home are my testbeds to test out things first before doing stuff to the ones at work. I just installed both to 9.1. The difference now is I've used GPT (gpart) and this is new to me. Previously everything was always fdisk and disklabel. Both these machines are set up on one drive at this point and I haven't yet gotten into the mirroring yet.

With the old fdisk/disklabel it was simple to just mirror the entire drive itself (slice). The other approach is to mirror partitions. I think I may need to do this as I think this is the way you have to proceed in order to avoid having gpt and gmirror both trying to claim the last sector on the drive (metadata storage).

-Mike
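The last-sector conflict described above, worked through at sector level as an added example that is not part of the original post. It assumes 512-byte sectors, the default 128-entry GPT table, and that gmirror keeps its metadata in the last sector of the provider it is labelled on; the scheme names, disk size and partition layout are constructed for illustration.

```python
# Added example (not from the thread): which on-disk sectors GPT and gmirror
# each claim, assuming 512-byte sectors and the default 128-entry GPT table.
GPT_TABLE_SECTORS = 32  # 128 entries * 128 bytes / 512 bytes per sector


def gpt_regions(first, last):
    """GPT metadata for a provider covering sectors first..last inclusive."""
    return {
        "GPT primary (PMBR, header, table)": (first, first + 1 + GPT_TABLE_SECTORS),
        "GPT backup table": (last - GPT_TABLE_SECTORS, last - 1),
        "GPT backup header": (last, last),
    }


def overlaps(a, b):
    """True when two inclusive sector ranges share at least one sector."""
    return a[0] <= b[1] and b[0] <= a[1]


def plan(disk_sectors, scheme, partitions=()):
    """Return collisions and whether the GPT backup header sits at the disk end.

    scheme is a label invented for this example:
      "gpt-then-mirror-disk": GPT on the raw disk, then gmirror on the whole disk
      "mirror-disk-then-gpt": gmirror on the whole disk, GPT inside the mirror
      "mirror-partitions":    GPT on the raw disk, one mirror per partition
    partitions is a list of (first, last) sector pairs for the third scheme.
    """
    last = disk_sectors - 1
    if scheme == "gpt-then-mirror-disk":
        gpt = gpt_regions(0, last)
        meta = {"gmirror metadata (disk)": (last, last)}
    elif scheme == "mirror-disk-then-gpt":
        # gmirror keeps the disk's last sector; the mirror provider is one shorter.
        gpt = gpt_regions(0, last - 1)
        meta = {"gmirror metadata (disk)": (last, last)}
    elif scheme == "mirror-partitions":
        gpt = gpt_regions(0, last)
        # Each mirror stores its metadata in the last sector of its own partition.
        meta = {f"gmirror metadata (p{i})": (end, end)
                for i, (_, end) in enumerate(partitions, 1)}
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    collisions = sorted((g, m) for g, gr in gpt.items()
                        for m, mr in meta.items() if overlaps(gr, mr))
    return {"collisions": collisions,
            "backup_header_at_disk_end": gpt["GPT backup header"] == (last, last)}


DISK = 3907029168  # constructed: sector count of a 2 TB disk with 512-byte sectors
PARTS = [(40, 1048615), (1048616, DISK - 34)]  # constructed partition layout

if __name__ == "__main__":
    for s in ("gpt-then-mirror-disk", "mirror-disk-then-gpt", "mirror-partitions"):
        print(s, plan(DISK, s, PARTS))
```

In the second scheme nothing overlaps, but the backup header no longer sits in the raw disk's last sector, so anything that reads the bare disk without the mirror sees a misplaced backup GPT. Only the per-partition scheme leaves both sets of metadata where they are expected.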
Re: Software raid VS hardware raid
Artem Kuchin wrote:

Hello! I have to make a decision on choosing a dedicated server. The problem i see is that while i can find very affordable and good options they do not provide hardware raid or even if they do it is not the best hardware for freebsd. The server base conf is 8core 32gb ram 2.8+ ghz. So, maybe someone has personal experience with both worlds and can tell if it really matters in such configuration if i go for software raid. What are the benefits and what are the negatives of software raid? How much is the performance penalty? I am planning to use mirror configuration of two SATA 7200rpm 2TB disks. Nothing fancy. File system planned is UFS with journaling.

I can't say for sure exactly what's best for your needs, however, please allow me to toss out some very generic tidbits which may aid you in some way.

Historically back when RAID was new, hardware controllers were the only way to go. Back then I would never look at software RAID for a server machine. Best to offload as much work away from the CPU as possible to free it up for running the OS. What has changed is the amount of raw horsepower available from modern-day processors as compared to when RAID first came out. On the multi-core monster CPUs of today software RAID is a perfectly viable consideration because there are CPU cycles to spare, so the performance penalty is less now than it once was.

Having said that, there are several other considerations to keep in mind as well. The type of RAID required matters. If you want/need RAID 5/6 it is definitely better to go with hardware RAID because of the horsepower required to do the XOR parity generation. You would want RAID 5/6 running on a hardware controller and not on the CPU. On the other hand, RAID 0, 1, and 10 are fine candidates for software RAID.

One thing I've noticed that seems to somewhat get lost in this discussion is equating software-based RAID with not needing to spend money on the expensive RAID controller. At first glance it does seem like quite a waste to spend hundreds of dollars on a really fast RAID controller and then turn all its functionality off and just use it JBOD style. If you truly want performance you still need the processing power of the hardware chip on the (expensive) controller. Most central to this is I/Os per second. This matters more to some workloads than others, with being a database server probably at the top of the list where I/Os per second is king. The better the chip on the controller card the more I/Os per second.

Another thing that matters less wrt to server hardware is the third kind of RAID known as fake or pseudo RAID. This is mostly found on desktop PC motherboards and some low-end (cheap) hardware cards. There is a config in the BIOS to set up so-called RAID, but it is only half of the matter - the other half is in the driver. FreeBSD does indeed have support for some of these fake RAID things but I stay far far away from them. Either go hardware or pure software only - the fakeraid is crap.

Another thing I'd warn you about is the drives themselves. Take a look: http://wdc.custhelp.com/app/answers/detail/a_id/1397 Many people get very lucky much of the time and don't experience problems with this. Using drives designed for desktop PCs with RAID can be prone to problems. Drives designed for servers are more expensive, but I've always felt it is better to put server drives in servers. :-)

In terms of a 'performance penalty' what you will find is it gets shifted away from just losing a few CPU cycles into other areas. If the drives are Advanced Format 4k sector critters and they aren't properly aligned in the partitioning phase of set up performance will take a hit. If the controller chip they are hooked up to is slow, then the entire drive subsystem will suffer.

Another thing you will find that will surface as a problem area is the shift away from the old style DOS MBR scheme and towards GPT. Software RAID (and indeed hardware controllers too) store their metadata at the end of the drive and needs to be outside the file system. The problem arises when both the software raid and the GPT partitioning try to store metadata to the same location and collide. Just knowing about this in advance and spending some quality reading time about it prior to trying to set up the box will help greatly. Plenty has been written (even in this list) about this subject by people smarter than me so the info you need is out there, albeit it can be confusing at first.

I guess what I'm trying to point out is that low performance wrt software RAID will stem from other things besides just simply consuming a few CPU cycles. Today's CPUs have the cycles to spare.

I've been using gmirror for RAID 1 mirrors for a few years now and am happy with this. I have had a few old drives die and the servers stayed up and online. This allowed me to defer the actual drive replacement and not have