Re: [gentoo-server] Is there a Gentoo Linux Server Edition?

2022-08-05 Thread Julien Roy

Hello,

On 8/5/22 05:44, Turritopsis Dohrnii Teo En Ming wrote:

> Subject: Is there a Gentoo Linux Server Edition?
>
> Good day from Singapore,
>
> Is there a Gentoo Linux Server Edition?


There is no *anything* edition of Gentoo Linux. The closest thing you 
will find to an edition are profiles, which you can download some on the 
Gentoo website [1], but Gentoo is a DIY distro, meaning it will be 
anything you make of it, whether it is a server, a desktop, an embedded 
system, a router, the list goes on...


The Gentoo Wiki [2] has a lot of information on essentially everything. 
You should add a bookmark to it.



[1] https://www.gentoo.org/downloads/
[2] https://wiki.gentoo.org/wiki/Main_Page


> Thank you.
>
> Regards,
>
> Mr. Turritopsis Dohrnii Teo En Ming
> Targeted Individual in Singapore
> 5 Aug 2022 Fri
> Blogs:
> https://tdtemcerts.blogspot.com
> https://tdtemcerts.wordpress.com



--
Julien




Re: [gentoo-server] Is there a Gentoo Linux Server Edition?

2022-08-05 Thread Turritopsis Dohrnii Teo En Ming
On Fri, 5 Aug 2022 at 17:53,  wrote:
>
> Not specifically, but Gentoo is whatever you make it.

ok noted with thanks

>
> On 2022-08-05 11:44, Turritopsis Dohrnii Teo En Ming wrote:
> > Subject: Is there a Gentoo Linux Server Edition?
> >
> > Good day from Singapore,
> >
> > Is there a Gentoo Linux Server Edition?
> >
> > Thank you.
> >
> > Regards,
> >
> > Mr. Turritopsis Dohrnii Teo En Ming
> > Targeted Individual in Singapore
> > 5 Aug 2022 Fri
> > Blogs:
> > https://tdtemcerts.blogspot.com
> > https://tdtemcerts.wordpress.com



Re: [gentoo-server] Is there a Gentoo Linux Server Edition?

2022-08-05 Thread mali . laurent

Not specifically, but Gentoo is whatever you make it.

On 2022-08-05 11:44, Turritopsis Dohrnii Teo En Ming wrote:

> Subject: Is there a Gentoo Linux Server Edition?
>
> Good day from Singapore,
>
> Is there a Gentoo Linux Server Edition?
>
> Thank you.
>
> Regards,
>
> Mr. Turritopsis Dohrnii Teo En Ming
> Targeted Individual in Singapore
> 5 Aug 2022 Fri
> Blogs:
> https://tdtemcerts.blogspot.com
> https://tdtemcerts.wordpress.com




[gentoo-server] Is there a Gentoo Linux Server Edition?

2022-08-05 Thread Turritopsis Dohrnii Teo En Ming
Subject: Is there a Gentoo Linux Server Edition?

Good day from Singapore,

Is there a Gentoo Linux Server Edition?

Thank you.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore
5 Aug 2022 Fri
Blogs:
https://tdtemcerts.blogspot.com
https://tdtemcerts.wordpress.com



Re: [gentoo-server]

2014-09-25 Thread Александр
2014-09-25 18:56 GMT+09:00 nholl...@tisys.org:






Re: [gentoo-server] Gentoo as Firewall on HP ProLiant DL360 G5

2014-03-13 Thread Michael Orlitzky
On 03/12/2014 04:26 PM, Pandu Poluan wrote:
> Hello list!
>
> I want to install Gentoo as headless firewalls on a pair of HP ProLiant
> DL360 G5 servers we happen to have lying around.
>
> Are there special issues I need to be aware of before embarking on this
> endeavor?
>

Nothing special, you already know about the raid controller. We don't
use any of the HP management stuff but sys-apps/cciss_vol_status will
alert you if any of your drives fail.




Re: [gentoo-server] Gentoo as Firewall on HP ProLiant DL360 G5

2014-03-13 Thread Pandu Poluan
On Mar 14, 2014 12:35 AM, Michael Orlitzky m...@gentoo.org wrote:

> On 03/12/2014 04:26 PM, Pandu Poluan wrote:
> > Hello list!
> >
> > I want to install Gentoo as headless firewalls on a pair of HP ProLiant
> > DL360 G5 servers we happen to have lying around.
> >
> > Are there special issues I need to be aware of before embarking on this
> > endeavor?
> >
>
> Nothing special, you already know about the raid controller. We don't
> use any of the HP management stuff but sys-apps/cciss_vol_status will
> alert you if any of your drives fail.


Thanks!

I just found out about app-admin/hp-health [1] from barzog-overlay [2]. Do
you think I should emerge that?

(Note: I am aware that the package's ebuild refers to an HP repo that's no
longer updated; I'll just adapt the ebuild to refer to another HP repo)

[1] http://gpo.zugaina.org/app-admin/hp-health
[2] https://code.google.com/p/barzog-gentoo-overlay/

Rgds,
--


Re: [gentoo-server] SPF Record with Multiple Servers

2013-04-25 Thread Vinícius Ferrão
Hello Robert,

The internal MTA has an Internet facing address since we have a plenty of them 
we just use it.

Ordinary users connect through this internal MTA to send/receive mail. But 
everything that goes outside of the domain goes through the Postfix server. So 
I'm just uncertain about this configuration. Since the message originates in 
the internal MTA and then it's relayed to the Postfix server...

So I just need to know if the SPF record should include the internal MTA too, 
since the postfix server is already in the SPF declaration.

Thanks in advance,

Sent from my iPhone

On 25/04/2013, at 13:03, Robert Bridge rob...@robbieab.com wrote:

Just the internet facing one, as I understand it. Nothing else should ever see 
the internal MTA, and it may not even have a routable IP address!


On 25 April 2013 16:57, Vinícius Ferrão viniciusfer...@if.ufrj.br wrote:
Hello Halassy, thanks for your reply.

I'm aware of the syntax, I just mistyped it.

The main question still continues, should I put both MTAs or just the Internet 
facing one?

Thanks in advance,

Sent from my iPhone

On 25/04/2013, at 05:14, Halassy Zoltán zhala...@loginet.hu wrote:

 Hello!

 Using MX in SPF record is a simple way to describe trivial two-way setups, 
 that is, MX will also send the mails, not just receive them. If you have a 
 non-trivial setup, you can use, for example IP addresses, like ip6: and ip4:. 
 Add every address which from a mail could possibly leave your organization, 
 and that's it, do not use MX. BTW, the syntax is v=spf1, not what you wrote.

 On 2013-04-25 01:32, Vinícius Ferrão wrote:
 I've a question about the SPF setup in my domain.

 We have two MTAs: an exchange server that does not use SMTP to relay 
 messages to the Internet and a Postfix Mail Gateway on the border to send 
 and receive messages to/from the internet.

 The clients connect on the Exchange Server to relay messages to the external 
 world. So an SMTP connection would start in the Exchange, then it relays to 
 the Postfix server and then to the Internet. On the other hand when a 
 message come from the Internet it first arrives in the Postfix server and 
 after the processing it's handled to the Exchange server.

 The question is: which SPF TXT string I should use?

 The Postfix server is my only MX. And I don't know if I should include the 
 Exchange Server name in the SPF rules.

 I was considering: vspf=1 mx -all

 But this does not include the Exchange, and I don't know if it's right or 
 not.






Re: [gentoo-server] SPF Record with Multiple Servers

2013-04-25 Thread Robert Bridge
The only servers that need inclusion in the SPF declaration are servers
that will be passing email out of your domain.

Other internal servers don't matter, as they never connect to anyone else's
email servers.


On 25 April 2013 17:30, Vinícius Ferrão viniciusfer...@if.ufrj.br wrote:

  Hello Robert,

  The internal MTA has an Internet facing address since we have a plenty
 of them we just use it.

  Ordinary users connect through this internal MTA to send/receive mail.
 But everything that goes outside of the domain goes through the Postfix
 server. So I'm just uncertain about this configuration. Since the message
 originates in the internal MTA and the its relayed to the Postfix server...

  So I just need to know if the SPF record should include the internal MTA
 too, since the postfix server is already in the SPF declaration.

  Thanks in advance,

 Sent from my iPhone

 On 25/04/2013, at 13:03, Robert Bridge rob...@robbieab.com wrote:

   Just the internet facing one, as I understand it. Nothing else should
 ever see the internal MTA, and it may not even have a routable IP address!


 On 25 April 2013 16:57, Vinícius Ferrão viniciusfer...@if.ufrj.br wrote:

 Hello Halassy, thanks for your reply.

 I'm aware of the syntax, I just mistyped it.

 The main question still continues, should I put both MTAs or just the
 Internet facing one?

 Thanks in advance,

 Sent from my iPhone

  On 25/04/2013, at 05:14, Halassy Zoltán zhala...@loginet.hu wrote:

  Hello!
 
  Using MX in SPF record is a simple way to describe trivial two-way
 setups, that is, MX will also send the mails, not just receive them. If you
 have a non-trivial setup, you can use, for example IP addresses, like ip6:
 and ip4:. Add every address which from a mail could possibly leave your
 organization, and that's it, do not use MX. BTW, the syntax is v=spf1, not
 what you wrote.
 
  On 2013-04-25 01:32, Vinícius Ferrão wrote:
  I've a question about the SPF setup in my domain.
 
  We have two MTAs: an exchange server that does not use SMTP to relay
 messages to the Internet and a Postfix Mail Gateway on the border to send
 and receive messages to/from the internet.
 
  The clients connect on the Exchange Server to relay messages to the
 external world. So an SMTP connection would start in the Exchange, then it
 relays to the Postfix server and then to the Internet. On the other hand
 when a message come from the Internet it first arrives in the Postfix
 server and after the processing it's handled to the Exchange server.
 
  The question is: which SPF TXT string I should use?
 
  The Postfix server is my only MX. And I don't know if I should include
 the Exchange Server name in the SPF rules.
 
  I was considering: vspf=1 mx -all
 
  But this does not include the Exchange, and I don't know if it's right
 or not.
 
 





Re: [gentoo-server] SPF Record with Multiple Servers

2013-04-25 Thread Pandu Poluan
On Apr 25, 2013 11:31 PM, Vinícius Ferrão viniciusfer...@if.ufrj.br
wrote:

 Hello Robert,

 The internal MTA has an Internet facing address since we have a plenty of
them we just use it.

 Ordinary users connect through this internal MTA to send/receive mail.
But everything that goes outside of the domain goes through the Postfix
server. So I'm just uncertain about this configuration. Since the message
originates in the internal MTA and the its relayed to the Postfix server...

 So I just need to know if the SPF record should include the internal MTA
too, since the postfix server is already in the SPF declaration.

 Thanks in advance,

 Sent from my iPhone

 On 25/04/2013, at 13:03, Robert Bridge rob...@robbieab.com wrote:

 Just the internet facing one, as I understand it. Nothing else should
ever see the internal MTA, and it may not even have a routable IP address!


 On 25 April 2013 16:57, Vinícius Ferrão viniciusfer...@if.ufrj.br
wrote:

 Hello Halassy, thanks for your reply.

 I'm aware of the syntax, I just mistyped it.

 The main question still continues, should I put both MTAs or just the
Internet facing one?

 Thanks in advance,

 Sent from my iPhone

 On 25/04/2013, at 05:14, Halassy Zoltán zhala...@loginet.hu wrote:

  Hello!
 
  Using MX in SPF record is a simple way to describe trivial two-way
setups, that is, MX will also send the mails, not just receive them. If you
have a non-trivial setup, you can use, for example IP addresses, like ip6:
and ip4:. Add every address which from a mail could possibly leave your
organization, and that's it, do not use MX. BTW, the syntax is v=spf1, not
what you wrote.
 
  On 2013-04-25 01:32, Vinícius Ferrão wrote:
  I've a question about the SPF setup in my domain.
 
  We have two MTAs: an exchange server that does not use SMTP to relay
messages to the Internet and a Postfix Mail Gateway on the border to send
and receive messages to/from the internet.
 
  The clients connect on the Exchange Server to relay messages to the
external world. So an SMTP connection would start in the Exchange, then it
relays to the Postfix server and then to the Internet. On the other hand
when a message come from the Internet it first arrives in the Postfix
server and after the processing it's handled to the Exchange server.
 
  The question is: which SPF TXT string I should use?
 
  The Postfix server is my only MX. And I don't know if I should
include the Exchange Server name in the SPF rules.
 
  I was considering: vspf=1 mx -all
 
  But this does not include the Exchange, and I don't know if it's
right or not.
 
 



Please do not top post; it's frowned upon in this list.

Now to answer your last question: No need.

An SPF record should contain *only* the email server(s) that actually talks
to another domain's email server.

Since the Exchange server and the Postfix server are in the same domain,
and since *only* the Postfix server actually talks to mail servers of
*other* domains, you only need to specify the Postfix server in the SPF
record.

The situation gets complicated, though if you (1) re-relay your email
(e.g., through your ISP's mail relay), or (2) use Gmail to act as an on
behalf of mail server, or (3) both.

Just for an example, here's the SPF Record for my previous office:

v=spf1 ip4:174.120.70.145 ip4:174.120.70.155 ip4:49.128.177.72 a mx ip4:49.128.177.71 a:rockefeller.post.co.id a:carnegie.post.co.id include:_spf.google.com -all

The set of IP addresses are the ISP's mail relay servers; the a: fields are
the IP addresses of our cloud servers, and some of us use Gmail as a
stand-in for corporate email when we're outside the office.

Rgds,
--
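
The rule discussed in this thread (the record starts with `v=spf1` and lists only the hosts that hand mail to other domains) can be checked offline. The following is an added example, not code from any poster: it parses a record and evaluates a connecting IP against the `ip4:`/`ip6:`/`all` mechanisms, reporting the DNS-based mechanisms it had to skip. `GATEWAY_ONLY` and the 192.0.2.x addresses are constructed placeholders for the Postfix gateway and the Exchange server.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}  # need DNS lookups
IP_VERSION = {"ip4": 4, "ip6": 6}

# Record quoted in the message above, joined onto one line.
PAGE_RECORD = (
    "v=spf1 ip4:174.120.70.145 ip4:174.120.70.155 ip4:49.128.177.72 a mx "
    "ip4:49.128.177.71 a:rockefeller.post.co.id a:carnegie.post.co.id "
    "include:_spf.google.com -all"
)
# Constructed record for the thread's scenario: only the border gateway sends
# mail to other domains. 192.0.2.25 is a placeholder (documentation range).
GATEWAY_ONLY = "v=spf1 ip4:192.0.2.25 -all"


def parse_spf(record):
    """Split an SPF record into (result, mechanism, argument, text) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must begin with the version tag 'v=spf1'")
    mechanisms = []
    for term in terms[1:]:
        if "=" in term and ":" not in term.split("=", 1)[0]:
            continue  # modifier such as redirect= or exp=; not evaluated here
        has_qualifier = term[0] in QUALIFIERS
        body = term[1:] if has_qualifier else term
        name, _, arg = body.partition(":")
        mech = name.split("/", 1)[0].lower()
        if mech not in DNS_MECHANISMS and mech not in IP_VERSION and mech != "all":
            raise ValueError(f"unknown mechanism: {term!r}")
        result = QUALIFIERS[term[0]] if has_qualifier else "pass"
        mechanisms.append((result, mech, arg, body))
    return mechanisms


def evaluate_offline(record, sender_ip):
    """Return (result, skipped) for the IP that connects to the receiver.

    Mechanisms are tried left to right and the first match wins. Mechanisms
    that need DNS are not resolved; they are collected in `skipped`, so the
    result holds only if none of the skipped mechanisms would have matched.
    """
    ip = ipaddress.ip_address(sender_ip)
    skipped = []
    for result, mech, arg, body in parse_spf(record):
        if mech == "all":
            return result, skipped
        if mech in IP_VERSION:
            net = ipaddress.ip_network(arg, strict=False)
            if net.version != IP_VERSION[mech]:
                raise ValueError(f"address family mismatch in {body!r}")
            if ip.version == net.version and ip in net:
                return result, skipped
        else:
            skipped.append(body)
    return "neutral", skipped  # nothing matched and the record has no 'all'


if __name__ == "__main__":
    # The receiver only ever sees the gateway's address, never the internal MTA.
    for rec, ip in [(GATEWAY_ONLY, "192.0.2.25"), (GATEWAY_ONLY, "192.0.2.10"),
                    (PAGE_RECORD, "49.128.177.71")]:
        print(ip, evaluate_offline(rec, ip))
    try:
        parse_spf("vspf=1 mx -all")  # the mistyped version tag from the thread
    except ValueError as err:
        print("rejected:", err)
```

A non-empty `skipped` list means the verdict still depends on DNS lookups that this offline check does not perform.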


Re: [gentoo-server] Windows NT4 on KVM+QEMU extremely slow...

2013-04-18 Thread Vinícius Ferrão
KVM is enabled in BIOS too.

I double-checked it. Disabled and even got a message saying the KVM is not 
available when Disabled in BIOS….

Thanks,

Vinícius Ferrão: Administrador de Sistemas 
www.ferrao.eti.br | +55 (21) -2619

On Apr 18, 2013, at 11:29 AM, Robert Bridge rob...@robbieab.com
 wrote:

 Hi,
 
 Are you sure your hardware virt isn't disabled in the BIOS? It is, in
 my experience, the one BIOS setting the linux kernel doesn't/can't
 over-ride.
 
 Cheers,
 RobbieAB
 
 On 18 April 2013 01:35, Vinícius Ferrão viniciusfer...@if.ufrj.br wrote:
 Hello dudes,
 
 Thanks for the replies.
 
 But I've read somewhere that -no-kvm should be enabled in order to run NT4
 Properly.
 
 Anyway, I removed the flag and nothing really happened. It's still slow.
 It's usable, but slow. VMWare was much faster.
 
 And about the RAM issue. It's Windows NT4. I don't think more is necessary.
 The machine boots consuming only 30MB. And about the slowness of the system
 is during CPU intensive operations.
 
 Anything else to try dudes?
 
 Thanks,
 
 Vinícius Ferrão: Administrador de Sistemas
 www.ferrao.eti.br | +55 (21) -2619
 
 On Apr 17, 2013, at 5:54 PM, Hinnerk van Bruinehsen
 h.v.bruineh...@fu-berlin.de
 wrote:
 
 On Wed, Apr 17, 2013 at 07:34:00PM +, Vinícius Ferrão wrote:
 
 Hello dudes,
 
 I'm running Windows NT 4 Terminal Server on QEMU and the performance is too
 slow; I don't even know how to debug it and I even don't if this is normal
 or not.
 
 On VMWare Player the performance was much better. And this isn't a
 migration. I've reinstalled the NT4 from the ground.
 
 Anyway; i'm launching the VM with this arguments:
 kvm -m 128m -name WinNT4TS -drive file=winnt4ts.raw -cdrom Windows\ NT\ 4\
 Terminal\ Server\ Image/WINNT-TSE40.iso -net
 nic,model=ne2k_pci,macaddr=00:0c:29:74:fa:b4 -net tap -vga std -cpu
 pentium,level=1 -smp 1 -no-acpi -no-hpet -no-kvm -boot c -vnc none
 -daemonize
 
 
 Hi,
 
 iirc the commandline switch --no-kvm disables kvm (so it's just software
 emulated qemu). You disable hardware virtualization acceleration with
 it.
 
 Other than that: more than 128 MB ram will most likely also help to
 speed things up.
 
 WKR
 Hinnerk
 
 
 





Re: [gentoo-server] Windows NT4 on KVM+QEMU extremely slow...

2013-04-17 Thread Robert Bridge
Hi Vinícius,

The first thing that springs to mind to check is have you got hardware
virtualisation enabled? I notice your launch command includes -no-kvm
as an argument - doesn't that disable kvm and result in a fallback to
qemu? Try running with kvm enabled and I suspect your performance will
be approximately 10x better.

Just a couple of thoughts,
RobbieAB

On 17 April 2013 20:34, Vinícius Ferrão viniciusfer...@if.ufrj.br wrote:
> Hello dudes,
>
> I'm running Windows NT 4 Terminal Server on QEMU and the performance is too
> slow; I don't even know how to debug it and I even don't if this is normal
> or not.
>
> On VMWare Player the performance was much better. And this isn't a
> migration. I've reinstalled the NT4 from the ground.
>
> Anyway; i'm launching the VM with this arguments:
> kvm -m 128m -name WinNT4TS -drive file=winnt4ts.raw -cdrom Windows\ NT\ 4\
> Terminal\ Server\ Image/WINNT-TSE40.iso -net
> nic,model=ne2k_pci,macaddr=00:0c:29:74:fa:b4 -net tap -vga std -cpu
> pentium,level=1 -smp 1 -no-acpi -no-hpet -no-kvm -boot c -vnc none
> -daemonize
>
> Thanks in advance,
>
> Vinícius Ferrão: Administrador de Sistemas
> www.ferrao.eti.br | +55 (21) -2619




Re: [gentoo-server] Windows NT4 on KVM+QEMU extremely slow...

2013-04-17 Thread Hinnerk van Bruinehsen
On Wed, Apr 17, 2013 at 07:34:00PM +, Vinícius Ferrão wrote:
> Hello dudes,
>
> I'm running Windows NT 4 Terminal Server on QEMU and the performance is too
> slow; I don't even know how to debug it and I even don't if this is normal or
> not.
>
> On VMWare Player the performance was much better. And this isn't a migration.
> I've reinstalled the NT4 from the ground.
>
> Anyway; i'm launching the VM with this arguments:
> kvm -m 128m -name WinNT4TS -drive file=winnt4ts.raw -cdrom Windows\ NT\ 4\
> Terminal\ Server\ Image/WINNT-TSE40.iso -net
> nic,model=ne2k_pci,macaddr=00:0c:29:74:fa:b4 -net tap -vga std -cpu
> pentium,level=1 -smp 1 -no-acpi -no-hpet -no-kvm -boot c -vnc none -daemonize

Hi,

iirc the commandline switch --no-kvm disables kvm (so it's just software
emulated qemu). You disable hardware virtualization acceleration with
it.

Other than that: more than 128 MB ram will most likely also help to
speed things up.

WKR
Hinnerk




[gentoo-server] DoS Analysis and Prevemption

2013-04-15 Thread Christian Parpart
Hey all,

we hit some nice traffic last night that took our main gateway down.
Pacemaker was configured to failover to our second one, but that one died
as well.

In a little post-analysis, I found the following in the logs:

Apr 14 21:42:11 cesar1 kernel: [27613652.439846] BUG: soft lockup - CPU#4
stuck for 22s! [swapper/4:0]
Apr 14 21:42:11 cesar1 kernel: [27613652.440319] Stack:
Apr 14 21:42:11 cesar1 kernel: [27613652.440446] Call Trace:
Apr 14 21:42:11 cesar1 kernel: [27613652.440595]  IRQ
Apr 14 21:42:12 cesar1 kernel: [27613652.440828]  EOI
Apr 14 21:42:12 cesar1 kernel: [27613652.440979] Code: c1 51 da 03 81 48 c7
c2 4e da 03 81 e9 dd fe ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 55 b8
00 00 01 00 48 89 e5 f0 0f c1 07 89 c2
Apr 14 21:42:12 cesar1 CRON[13599]: nss_ldap: could not connect to any LDAP
server as cn=admin,dc=rz,dc=dawanda,dc=com - Can't contact LDAP server
Apr 14 21:42:12 cesar1 CRON[13599]: nss_ldap: could not search LDAP server
- Server is unavailable
Apr 14 21:42:24 cesar1 crmd: [7287]: ERROR: process_lrm_event: LRM
operation management-gateway-ip1_stop_0 (917) Timed Out (timeout=2ms)
Apr 14 21:42:48 cesar1 kernel: [27613688.611501] BUG: soft lockup - CPU#7
stuck for 22s! [named:32166]
Apr 14 21:42:48 cesar1 kernel: [27613688.611914] Stack:
Apr 14 21:42:48 cesar1 kernel: [27613688.612036] Call Trace:
Apr 14 21:42:48 cesar1 kernel: [27613688.612200]  IRQ
Apr 14 21:42:48 cesar1 kernel: [27613688.612408]  EOI
Apr 14 21:42:48 cesar1 kernel: [27613688.612626] Code: c1 51 da 03 81 48 c7
c2 4e da 03 81 e9 dd fe ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 55 b8
00 00 01 00 48 89 e5 f0 0f c1 07 89 c2
Apr 14 21:42:55 cesar1 kernel: [27613695.946295] BUG: soft lockup - CPU#0
stuck for 21s! [ksoftirqd/0:3]

Apr 14 21:42:55 cesar1 kernel: [27613695.946785] Stack:
Apr 14 21:42:55 cesar1 kernel: [27613695.946917] Call Trace:
Apr 14 21:42:55 cesar1 kernel: [27613695.947137] Code: c4 00 00 81 a8 44 e0
ff ff ff 01 00 00 48 63 80 44 e0 ff ff a9 00 ff ff 07 74 36 65 48 8b 04 25
c8 c4 00 00 83 a8 44 e0 ff ff 01 5d c3

We're using irqbalance to not only hit the first CPU for ethernet card
hardware interrupts when traffic comes in (learned from last much more
intensive DDoS).
However, since this has not helped, I'd like to find out what else we can do.
Our gateway has to do NAT and has a few other iptables rules it needs in
order to run OpenStack behind,
so I can't just drop it.

Regarding the logs, I can see, that something caused the CPU cores to get
stuck for a number of different processes.
Has anyone ever encountered such error messages I quoted above or knows
other things one might want to do in order to prevent huge unsocialized
incoming traffic from bringing a Linux node down?

Best regards,
Christian.


[gentoo-server] ipv6 + dhcpv6 + unique local addresses

2013-04-01 Thread Halassy Zoltán

Hello!

Is there anyone who has experience with unique local addresses (fc00::/7)?

I have experience with radvd and isc dhcp (in ipv6 mode too with the -6 
flag), I could already configure stateful configuration with global 
unicast (2000::/3) addresses with working default gateway.


What I am trying to do now is to create a local IPv6 network space with 
a dhcpv6 server (amd64 gentoo), which is only reachable via VPN. The 
network does not have any router, it's isolated. IPv4 is not an option, 
and DHCPv6 is mandatory. The clients are mostly Windows Vista+ systems. 
What I am seeking is the proper way to do this. I could make it work, 
but I consider this a hack.


I generated a random IPv6 address range, but I will use the 
fd00:2001:db8::/64 prefix in the description.


Problem #1:

DHCPv6 works fine, it pushes an IPv6 address to the client, but the 
client does not get the prefix information with it. Eg.: client gets 
fd00:2001:db8:::fffe/128 as address, but missing the local route 
information for fd00:2001:db8::/64 through the interface.


Problem #2:

If I use radvd advertising the fd00:2001:db8::/64 prefix, the client 
configures that up, but it also configures a bogus default route too, 
which is definitely unwanted.


Hack #1:

Using dhcp and radvd together actually works (even though it's very 
ugly). It does not ruin an existing IPv6 connection, and does not cause 
problems when originally there is none. I just fear it *might*.


Hack #2:

It is possible to create static (even on-link) routes with netsh, but 
other than being ugly as well, it's not platform independent solution.




What I would require is (if it's somehow possible), to make the 
platform-independent client do prefix discovery, find the prefix 
on-link, but do not configure routing information for that link. And to 
do it the proper way.


Any ideas?





Re: Re: [gentoo-server] ipv6 + dhcpv6 + unique local addresses

2013-04-01 Thread info
Thank you for contacting Resilient. We will respond to you shortly.

Kind regards,

The Resilient team





This is an auto-reply message; please do not respond to this e-mail







[gentoo-server] Re: ipv6 + dhcpv6 + unique local addresses

2013-04-01 Thread Halassy Zoltán

To answer my own question, actually found the answer:

http://www.ietf.org/rfc/rfc2461.txt

On page 18:

Router Lifetime
 [...] A
 Lifetime of 0 indicates that the router is not a
 default router and SHOULD NOT appear on the default
 router list. [...]

So this needs to be written in radvd.conf:

AdvDefaultLifetime 0;

Yay.

On 2013.04.01. 14:01, Halassy Zoltán wrote:

Hello!

Is there anyone who has experience with unique local addresses (fc00::/7)?

I have experience with radvd and isc dhcp (in ipv6 mode too with the -6
flag), I could already configure stateful configuration with global
unicast (2000::/3) addresses with working default gateway.

What I am trying to do now is to create a local IPv6 network space with
a dhcpv6 server (amd64 gentoo), which is only reachable via VPN. The
network does not have any router, it's isolated. IPv4 is not an option,
and DHCPv6 is mandatory. The clients are mostly Windows Vista+ systems.
What I am seeking is the proper way to do this. I could make it work,
but I consider this a hack.

I generated a random IPv6 address range, but I will use the
fd00:2001:db8::/64 prefix in the description.

Problem #1:

DHCPv6 works fine, it pushes an IPv6 address to the client, but the
client does not get the prefix information with it. Eg.: client gets
fd00:2001:db8:::fffe/128 as address, but missing the local route
information for fd00:2001:db8::/64 through the interface.

Problem #2:

If I use radvd advertising the fd00:2001:db8::/64 prefix, the client
configures that up, but it also configures a bogus default route too,
which is definitely unwanted.

Hack #1:

Using dhcp and radvd together actually works (even though it's very
ugly). It does not ruin an existing IPv6 connection, and does not cause
problems when originally there is none. I just fear it *might*.

Hack #2:

It is possible to create static (even on-link) routes with netsh, but
other than being ugly as well, it's not platform independent solution.



What I would require is (if it's somehow possible), to make the
platform-independent client do prefix discovery, find the prefix
on-link, but do not configure routing information for that link. And to
do it the proper way.

Any ideas?
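
The fix above works because the Router Lifetime field of the Router Advertisement, not the Prefix Information option, decides whether a client adds the sender to its default router list. As an added example (not from the original post), the following Python code builds and parses a constructed RA for the fd00:2001:db8::/64 prefix and reports what a client would derive from it with a non-zero lifetime and with lifetime 0. Assumptions: the M flag is set and the A flag cleared (addresses come from DHCPv6), 1800 is an arbitrary non-zero lifetime, and all function names are hypothetical.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134  # ICMPv6 type of a Router Advertisement
OPT_PREFIX_INFO = 3     # Prefix Information option
# type, code, checksum, hop limit, flags, router lifetime, reachable, retrans
RA_HEADER = "!BBHBBHII"
# type, length (8-byte units), prefix length, flags, valid, preferred,
# reserved, prefix
PREFIX_OPT = "!BBBBIII16s"


def build_ra(router_lifetime, prefix, managed=True, on_link=True,
             autonomous=False):
    """Build a constructed RA (checksum left at 0) with one prefix option."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack(RA_HEADER, ND_ROUTER_ADVERT, 0, 0, 64,
                         0x80 if managed else 0, router_lifetime, 0, 0)
    flags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
    option = struct.pack(PREFIX_OPT, OPT_PREFIX_INFO, 4, net.prefixlen, flags,
                         86400, 14400, 0, net.network_address.packed)
    return header + option


def parse_ra(packet):
    """Decode the RA header and any Prefix Information options."""
    header_len = struct.calcsize(RA_HEADER)
    if len(packet) < header_len:
        raise ValueError("truncated Router Advertisement")
    typ, _code, _cksum, _hop, flags, lifetime, _reach, _retrans = \
        struct.unpack_from(RA_HEADER, packet)
    if typ != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": lifetime, "managed": bool(flags & 0x80),
          "prefixes": []}
    offset = header_len
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("malformed option")
        opt_type, opt_len = packet[offset], packet[offset + 1]
        end = offset + opt_len * 8
        if opt_len == 0 or end > len(packet):
            raise ValueError("malformed option")  # zero or overlong length
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            _t, _l, plen, pflags, _valid, _pref, _res, raw = \
                struct.unpack_from(PREFIX_OPT, packet, offset)
            net = ipaddress.IPv6Network((raw, plen), strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40)})
        offset = end
    return ra


def client_view(packet):
    """Summarise what a host derives from the RA."""
    ra = parse_ra(packet)
    return {
        # Router Lifetime 0: sender is not put on the default router list.
        "default_route": ra["router_lifetime"] > 0,
        "addresses_from_dhcpv6": ra["managed"],
        "on_link_prefixes": [p["prefix"] for p in ra["prefixes"]
                             if p["on_link"]],
        "slaac_prefixes": [p["prefix"] for p in ra["prefixes"]
                           if p["autonomous"]],
    }


if __name__ == "__main__":
    for lifetime in (1800, 0):  # before and after AdvDefaultLifetime 0
        print(lifetime, client_view(build_ra(lifetime, "fd00:2001:db8::/64")))
```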








[gentoo-server] Detect where a connection drop occurs

2013-02-21 Thread Vinícius Ferrão
Hello dudes,

I've configured a service and I know it's working normally through TCP port 
548. But I'm only able to connect to it using a VPN connection.

I need to debug it detecting where (in which hop) the connection is being 
dropped.

Any ideas on how to do that?

I've tried tcptraceroute without success:

sudo tcptraceroute www.mydomain.com 548
Selected device en0, address 172.16.144.115, port 49302 for outgoing packets
Tracing the path to www.mydomain.com (146.164.36.7) on TCP port 548 
(afpovertcp), 30 hops max
 1  172.16.144.1  0.769 ms  0.598 ms  0.686 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *

Thanks in advance,


Vinícius Ferrão: Administrador de Sistemas 
www.ferrao.eti.br | +55 (21) -2619





Re: Re: Re: [gentoo-server] Detect where a connection drop occurs

2013-02-21 Thread info
Thank you for contacting Resilient. We will respond to you shortly.

Kind regards,

The Resilient team





This is an auto-reply message; please do not respond to this e-mail







Re: [gentoo-server] Detect where a connection drop occurs

2013-02-21 Thread Vinícius Ferrão
Ok,

Someone set an automatic message and now we're getting spammed. Very nice.

Vinícius Ferrão: Administrador de Sistemas 
www.ferrao.eti.br | +55 (21) -2619

On Feb 22, 2013, at 2:22 AM, i...@resilient.nl
 wrote:

 Thank you for contacting Resilient. We will respond to you shortly.
 
 Kind regards,
 
 The Resilient team
 
 
 
 
 
 This is an auto-reply message; please do not respond to this e-mail
 
 
 
 






Re: [gentoo-server] Detect where a connection drop occurs

2013-02-21 Thread Mateusz Arkadiusz Mierzwinski
Hi,

1. netstat -ant
2. if it returns 0.0.0.0:548 it's ok
3. else: check your service if it's connected to VPN interface only.

4. Traceroute to HOST not PORT. Port pinging can be blocked by your
Internet Provider.
5. Check Your IPtables rules if You don't block any ports or set connlimit,
rejects etc.: iptables -L
6. Check Your IDS software like Prelude/Snort.

Best regards,
MM


2013/2/22 Vinícius Ferrão viniciusfer...@if.ufrj.br

 Hello dudes,

 I've configured an service and I know it's working normally through TCP
 port 548. But I'm only able to connect to it using a VPN connection.

 I need to debug it detecting where (in which hop) the connection is being
 dropped.

 Any ideias on how to do that?

 I've tried tcptraceroute without success:

 sudo tcptraceroute www.mydomain.com 548
 Selected device en0, address 172.16.144.115, port 49302 for outgoing
 packets
 Tracing the path to www.mydomain.com (146.164.36.7) on TCP port 548
 (afpovertcp), 30 hops max
  1  172.16.144.1  0.769 ms  0.598 ms  0.686 ms
  2  * * *
  3  * * *
  4  * * *
  5  * * *
  6  * * *
  7  * * *
  8  * * *
  9  * * *
 10  * * *
 11  * * *
 12  * * *
 13  * * *
 14  * * *
 15  * * *
 16  * * *
 17  * * *
 18  * * *
 19  * * *
 20  * * *
 21  * * *
 22  * * *
 23  * * *
 24  * * *
 25  * * *
 26  * * *
 27  * * *
 28  * * *
 29  * * *

 Thanks in advance,


  *Vinícius Ferrão*: Administrador de Sistemas
 www.ferrao.eti.br | +55 (21) -2619




Re: [gentoo-server] Detect where a connection drop occurs

2013-02-21 Thread William Kenworthy
tcptraceroute is entirely appropriate here (it's not the same as traceroute)

What's the routing table say? (route -n)

BillK


On 22/02/13 15:44, Mateusz Arkadiusz Mierzwinski wrote:
 Hi,

 1. netstat -ant
 2. if returns 0.0.0.0:548 its ok
 3. else: check your service if it's connected to VPN interface only.

 4. Traceroute to HOST not PORT. Port pinging can be blocked by your
 Internet Provider.
 5. Check Your IPtables rules if You don't block any ports or set
 connlimit, rejects etc.: iptables -L
 6. Check Your IDS software like Prelude/Snort.

 Best regards,
 MM


 2013/2/22 Vinícius Ferrão viniciusfer...@if.ufrj.br

 Hello dudes,

 I've configured a service and I know it's working normally
 through TCP port 548. But I'm only able to connect to it using a
 VPN connection.

 I need to debug it detecting where (in which hop) the connection
 is being dropped.

 Any ideas on how to do that?

 I've tried tcptraceroute without success:

 sudo tcptraceroute www.mydomain.com 548
 Selected device en0, address 172.16.144.115, port 49302 for
 outgoing packets
 Tracing the path to www.mydomain.com
 (146.164.36.7) on TCP port 548 (afpovertcp), 30 hops max
  1  172.16.144.1  0.769 ms  0.598 ms  0.686 ms
  2  * * *
  3  * * *
  4  * * *
  5  * * *
  6  * * *
  7  * * *
  8  * * *
  9  * * *
 10  * * *
 11  * * *
 12  * * *
 13  * * *
 14  * * *
 15  * * *
 16  * * *
 17  * * *
 18  * * *
 19  * * *
 20  * * *
 21  * * *
 22  * * *
 23  * * *
 24  * * *
 25  * * *
 26  * * *
 27  * * *
 28  * * *
 29  * * *

 Thanks in advance,


 *Vinícius Ferrão*: Administrador de Sistemas
 www.ferrao.eti.br | +55 (21) -2619





Re: [gentoo-server] Completely wrong spam detection in SpamAssassin

2012-11-24 Thread Kalin KOZHUHAROV
Hello Vinícius,

I have a generic solution for you:

1. Get some sound sleep
2. Make sure the mail that gets through passes through your
spamassassin host/process
(hint: don't trust headers completely, look at logs for  Message-Id:
on client and serverS )
3. Drink ($your_favorite_drink) to celebrate

Cheers,
Kalin.



Re: [gentoo-server] Kernel configuration management

2012-11-23 Thread Jean-Francois Maeyhieux
Hello,


Kernel deployment is really a concern for our distribution.

I don't want to be long on the topic, but just give my own way.
I try to use the KISS principle as often as I can.
( http://en.wikipedia.org/wiki/KISS_principle)

So I just manage one kernel for all servers.

- I use no modules at all: good for security and easy for deployment, no
initrd creation and related problems.
- I have just created manually (the big part) my first kernel with all
the options I wish now and in the future. I try to stay really minimal
on hardware support.
- If I get new hardware, I add to the configuration options for this
specific hardware. Even if it's not in use on all servers.

This way, updates are easy, you can use oldconfig to upgrade the kernel
version, and deployment is just about scp of the kernel and system.map files.

Since I don't use modules, specific arguments are specified on the grub
boot command line.


A few pieces of advice for testing your kernel:

1) use qemu to test your first kernel/grub boots
   (http://en.gentoo-wiki.com/wiki/Grub2#Verifying_.28qemu.29)
  This way you don't lose your time with kvmip or vnc to reconnect to
your server console to boot on a working kernel in case of boot failure.

2) use sys-apps/kexec-tools (http://en.gentoo-wiki.com/wiki/Kexec)

To avoid waiting on the BIOS/RAID/BOOTP init of your server once your
base kernel boots and you want to adjust some options: make a new
configuration, compile it, deploy it (I use a script to chain everything
from oldconfig to deployment) and adjust the kexec config file if needed,
then reboot.
Kexec just replaces the reboot sequence and permits rebooting on a new
kernel really quickly since it bypasses all BIOS/RAID/BOOTP
initializations by loading the new kernel and booting on it after an init
1. (On my servers, rebooting this way takes about 30s instead of 4 minutes.)



That's my 2 cents.

Jean-Francois




On Tue, 2012-11-06 at 22:27 +0100, Matthias-Christian Ott wrote:
 I'm planning to migrate several computers to Gentoo. At the moment I'm
 running two machines with ad-hoc kernel configurations based on the
 kernel configuration from the installation CD (which was created for
 2.6.26). In order to keep the maintenance effort for the new machines
 low, I would like to have a unified/baseline kernel configuration with
 minor adjustments for some machines.
 
 I have been thinking about this for several weeks now and came to the
 conclusion, that there are two sub-problems: Creating a universal kernel
 configuration and merging and maintaining specific configurations with
 the baseline configuration.
 
 The second problem can be solved by simple concatenation and/or
 defconfigman, kccmp and make silentoldconfig. OpenWRT does this pretty
 much the same way.
 
 Creating the baseline configuration is much harder. So far I tried make
 defconfig, the installation CD configuration and kernel-seeds.org. None
 really satisfied my requirements and often resulted in ad-hoc changes
 when I simply went through a compile and reboot cycle until everything
 worked. I had a look at policies of other GNU/Linux distributions [1,2]
 and found that I need to develop or adopt a policy for my systems (the
 Ubuntu modular where possible policy seems reasonable to me and
 probably makes the current ad-hoc configuration unnecessary). I also
 thought about reusing kernel configurations from other distributions,
 but have some doubts about kernel version mismatches (i.e. the kernel
 versions of Gentoo and the other distribution differ) and about
 unintended implications of kernel options that I don't fully understand.
 
 The mailing list archives show that this topic has been partly discussed
 before (especially whether Gentoo should have a default kernel
 configuration like other distributions), so I don't want to start a
 lengthy discussion about this here. I'm more interested in what other
 people do for larger deployments/installations on heterogeneous hardware.
 
 Regards,
 Matthias-Christian
 
 [1] https://wiki.ubuntu.com/Kernel/Dev/KernelConfig
 [2] https://wiki.linaro.org/KernelConfigPolicyDraft
 





[gentoo-server] Kernel configuration management

2012-11-06 Thread Matthias-Christian Ott
I'm planning to migrate several computers to Gentoo. At the moment I'm
running two machines with ad-hoc kernel configurations based on the
kernel configuration from the installation CD (which was created for
2.6.26). In order to keep the maintenance effort for the new machines
low, I would like to have a unified/baseline kernel configuration with
minor adjustments for some machines.

I have been thinking about this for several weeks now and came to the
conclusion, that there are two sub-problems: Creating a universal kernel
configuration and merging and maintaining specific configurations with
the baseline configuration.

The second problem can be solved by simple concatenation and/or
defconfigman, kccmp and make silentoldconfig. OpenWRT does this pretty
much the same way.

Creating the baseline configuration is much harder. So far I tried make
defconfig, the installation CD configuration and kernel-seeds.org. None
really satisfied my requirements and often resulted in ad-hoc changes
when I simply went through a compile and reboot cycle until everything
worked. I had a look at policies of other GNU/Linux distributions [1,2]
and found that I need to develop or adopt a policy for my systems (the
Ubuntu modular where possible policy seems reasonable to me and
probably makes the current ad-hoc configuration unnecessary). I also
thought about reusing kernel configurations from other distributions,
but have some doubts about kernel version mismatches (i.e. the kernel
versions of Gentoo and the other distribution differ) and about
unintended implications of kernel options that I don't fully understand.

The mailing list archives show that this topic has been partly discussed
before (especially whether Gentoo should have a default kernel
configuration like other distributions), so I don't want to start a
lengthy discussion about this here. I'm more interested in what other
people do for larger deployments/installations on heterogeneous hardware.

Regards,
Matthias-Christian

[1] https://wiki.ubuntu.com/Kernel/Dev/KernelConfig
[2] https://wiki.linaro.org/KernelConfigPolicyDraft



[gentoo-server] Clustering with LTSP Fat Clients as Torque Nodes

2012-10-24 Thread Vinícius Ferrão
Hello Folks,

I was thinking about this scenario. It would be great to implement a TORQUE 
Cluster with nodes booting through LTSP in the Fat Client configuration.

It appears to be simple:

1. Set up Torque-Server in the server.
2. Emerge LTSP-Server.
3. Configure DHCP Server.
4. Create a simple NAT with iptables rules.
5. Build the Node Images with all necessary stuff: Torque Client, Compilers, 
Libraries and Scientific Software.
6. ???
7. Profit

The question is: someone should have wondered about this, but has someone 
implemented this? Does this work? Does this appear to work?

A first problem at this pre-implementation point is the LTSP reliance on X.org 
Server. Which is bloatware in a cluster node...

Thanks in advance,

Vinícius Ferrão: Administrador de Sistemas 
www.ferrao.eti.br





[gentoo-server] Centrify Express and PBIS (Old Likewise-Open) vs FOSS Solutions

2012-09-17 Thread Vinícius Ferrão
Hello people,

I am analysing these two solutions for Active Directory integration and I would 
like to hear some opinions about this software.

Are they better than FOSS solutions, like Winbind+Samba or SSSD with 
LDAP/Kerberos? Any considerations?

Thanks in advance,



Re: [gentoo-server] Disclaimer to forwarded mails to external domain?

2012-09-04 Thread Michael Orlitzky
On 09/03/2012 05:07 PM, Vinícius Ferrão wrote:

 Is this so that people won't mark those messages as spam (thus pinning
 the blame on your mail server)?

 If so, let me assure you that it will be ignored. I've even called some
 of our customers with forwarded addresses on the phone and personally
 asked them to stop marking stuff as spam. They still ignore me.
 
 Actually we have users that automatically redirect messages to their personal
 accounts. And this behaviour is not 100% approved by the university. So
 I want to put a disclaimer for those people, as
 example: j...@university.com redirects
 to j...@gmail.com. I want to put a disclaimer in
 *ALL* messages redirected to external domains.
 

OK disregard my cynicism then =)



 The tricky part is how to detect which messages are automatically
 forwarded to an external domain.

 If this is a filtering gateway, I'm guessing all of your recipients are
 listed in relay_recipient_maps? If so, you should be able to override
 the default_transport (which defaults to smtp:).

 For example, you could set up a disclaimer-only instance of amavis on
 port 10029, and then set the default_transport to
 smtp:[localhost]:10029. I would beware of unintended consequences,
 though. You're liable to stick a disclaimer on some things by accident.
 
 There's no recipient check in my mail filtering gateway. I leave this
 job to my final destination. It's not easy to get the final destination
 since we have some different end destination servers and a separate
 mailman server.

Although it isn't related to your current problem, you really must check
recipient validity at receipt time. Otherwise, you're a backscatter source.

If I send spam to you (To: user@invalid) claiming to be from
u...@example.com, you'll accept it, because you aren't validating the
recipient. When you try to send it to its final destination, it will
reject it, because user@invalid doesn't live there. Now, you're stuck
with the message, and your filtering server will try to return it to the
sender. But the sender was forged! So you wind up returning my spam to
u...@example.com.

If it's not possible to get a list of valid recipients, you can fall
back to address verification:

  http://www.postfix.org/ADDRESS_VERIFICATION_README.html

Basically, postfix will put the sender on hold, contact the destination
server in the background, check that the recipient is valid, and relay
the answer to the sender.


 I can't really understand your example: in this situation everything
 will be disclaimed; and I just want to modify messages to people that
 receive their corporate emails in their personal account.

It depends on how you're set up. There are two transports that are
basically the same[1]: 'relay' and 'smtp'. If your domains are listed in
relay_domains, mail to them will be relayed to the destination via the
'relay' transport.

The idea was, if all of your domains are listed in relay_domains, then
any mail using the default_transport='smtp' instead of 'relay' must be
going off-site. The only stuff going off-site should be mail that's
being forwarded to external domains. Unfortunately, unless you validate
your recipients, you'll be bouncing messages, and those go off-site too
so the reasoning doesn't hold.

The first thing I would do is fix your recipient validation. Once that's
done, it's probably safe to add the disclaimer to the 'smtp' transport.
I would also ask on the postfix-users list -- there are people there who
know a lot more than I do and might be able to point out a reason why it
wouldn't work. But the first thing they would tell you to do is fix the
recipient validation, so you might as well get that out of the way!



[1] http://www.postfix.org/ADDRESS_CLASS_README.html
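
A check for the gap described in the message above, as an added example that is not part of the original thread or of Postfix itself: it parses `postconf -n` output and reports a gateway that relays for domains without validating recipients at RCPT time. The two sample configurations, the finding codes and the function names are constructed for illustration; the parameter and restriction names are Postfix's own.

```python
import re

# Constructed `postconf -n` output for a filtering gateway (not from the thread).
SAMPLE_OPEN = """\
myhostname = mx.example.org
relay_domains = example.org, lists.example.org
transport_maps = hash:/etc/postfix/transport
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination
content_filter = smtp-amavis:[127.0.0.1]:10024
"""

# Same gateway, constructed, with address verification added as the last restriction.
SAMPLE_VERIFYING = """\
myhostname = mx.example.org
relay_domains = example.org, lists.example.org
transport_maps = hash:/etc/postfix/transport
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_recipient
content_filter = smtp-amavis:[127.0.0.1]:10024
"""


def parse_postconf(text):
    """Parse `name = value` lines; indented lines continue the previous value."""
    conf, name = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and name is not None:
            conf[name] = (conf[name] + " " + raw.strip()).strip()
        else:
            name, _, value = raw.partition("=")
            name = name.strip()
            conf[name] = value.strip()
    return conf


def split_list(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value or "") if item]


def recipient_validation(conf):
    """Mechanisms present that can reject an unknown relay recipient during SMTP."""
    found = []
    # postconf -n prints only non-default settings; relay_recipient_maps is empty by default.
    if split_list(conf.get("relay_recipient_maps")):
        found.append("relay_recipient_maps")
    for key in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        if "reject_unverified_recipient" in split_list(conf.get(key)):
            found.append(key + ": reject_unverified_recipient")
    return found


def audit(conf):
    """Return (code, message) findings for settings that make the host bounce after accepting."""
    findings = []
    if split_list(conf.get("relay_domains")) and not recipient_validation(conf):
        findings.append((
            "relay-no-recipient-check",
            "relay_domains is set but neither relay_recipient_maps nor "
            "reject_unverified_recipient is: mail for nonexistent users is accepted "
            "and later bounced to the (possibly forged) sender",
        ))
    # An explicitly empty local_recipient_maps turns off unknown-local-recipient rejection.
    if "local_recipient_maps" in conf and not split_list(conf["local_recipient_maps"]):
        findings.append((
            "local-recipient-check-disabled",
            "local_recipient_maps is empty: unknown local recipients are accepted",
        ))
    return findings


if __name__ == "__main__":
    for label, sample in (("open", SAMPLE_OPEN), ("verifying", SAMPLE_VERIFYING)):
        results = audit(parse_postconf(sample))
        print(label, "->", [code for code, _ in results] or "no findings")
```

The check only looks at explicitly set `relay_domains`; a gateway that routes purely through `transport_maps` or `mydestination` needs the same question asked of those address classes.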



[gentoo-server] Group permissions bits interfering with default ACL mask

2012-08-05 Thread Michael Orlitzky
I have a directory (drupal modules directory) where developers regularly
untar (or cp) archives. The contents should be rwx for the 'developers'
group, so that some other developer can update or remove the module later.

I've set default ACLs on the parent directory, and the regular default
ACLs are applied but the default mask is not. This is because tar/cp
preserve the original group permission bits -- a strategy that doesn't
make sense under a directory with default ACLs.

For an example, I'll copy /etc/profile (mode: 0644) into a directory
whose contents should be rwx to the 'apache' user via its default ACL.

  gantu acl $ getfacl .
  # file: .
  # owner: mjo
  # group: mjo
  user::rwx
  group::---
  other::---
  default:user::rwx
  default:user:apache:rwx
  default:group::---
  default:mask::rwx
  default:other::---

  gantu acl $ cp /etc/profile ./
  gantu acl $ getfacl profile
  # file: profile
  # owner: mjo
  # group: mjo
  user::rw-
  user:apache:rwx   #effective:r--
  group::---
  mask::r--
  other::---

So, even though the directory has default:mask::rwx, newly-created files
have mask::r--. I've been searching for a while and others have run into
this problem; so far, I don't see any good solutions. Does anything come
to mind?

Initially I thought I could set developers' umasks appropriately;
however, both tar and cp ignore the umask (even with
--no-preserve=mode!) and use the source permission bits anyway.
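
The result shown in the post follows from the object-creation rules in acl(5), modelled here as an added example that is not part of the original message: the group bits of the mode passed at file creation clamp the inherited mask, not the `group::` entry. Function names are illustrative; the directory ACL is the one from the post, and `chmod_group` models what `chmod g=rwx` does to a file that has a mask entry.

```python
"""Model of how Linux builds a new file's access ACL from a directory's
default ACL and the mode passed at creation time (rules from acl(5))."""

# getfacl output for the directory, copied from the post.
DIR_ACL = """\
user::rwx
group::---
other::---
default:user::rwx
default:user:apache:rwx
default:group::---
default:mask::rwx
default:other::---
"""

BITS = (("r", 4), ("w", 2), ("x", 1))


def parse_perms(text):
    return sum(bit for ch, bit in BITS if ch in text)


def fmt_perms(value):
    return "".join(ch if value & bit else "-" for ch, bit in BITS)


def parse_default_acl(getfacl_text):
    """Return {(tag, qualifier): perms} for the default: entries only."""
    acl = {}
    for line in getfacl_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop getfacl comments
        if line.startswith("default:"):
            tag, qualifier, perms = line[len("default:"):].split(":")
            acl[(tag, qualifier)] = parse_perms(perms)
    return acl


def inherit(default_acl, create_mode):
    """Access ACL of a file created with create_mode under default_acl.

    The default ACL is copied, then the entries that correspond to the
    permission bits are reduced to what create_mode allows. The umask is
    not consulted when the parent directory has a default ACL.
    """
    acl = dict(default_acl)
    owner = (create_mode >> 6) & 7
    group = (create_mode >> 3) & 7
    other = create_mode & 7
    acl[("user", "")] &= owner
    if ("mask", "") in acl:
        acl[("mask", "")] &= group  # group bits map to the mask entry
    else:
        acl[("group", "")] &= group
    acl[("other", "")] &= other
    return acl


def effective(acl, tag, qualifier=""):
    """Permissions actually granted: named users and groups are limited by the mask."""
    perms = acl[(tag, qualifier)]
    unmasked = (tag, qualifier) in (("user", ""), ("other", ""))
    if unmasked or ("mask", "") not in acl:
        return perms
    return perms & acl[("mask", "")]


def chmod_group(acl, group_bits):
    """Model of chmod changing the group bits: with a mask entry, the mask is rewritten."""
    updated = dict(acl)
    key = ("mask", "") if ("mask", "") in updated else ("group", "")
    updated[key] = group_bits
    return updated


if __name__ == "__main__":
    default_acl = parse_default_acl(DIR_ACL)
    copied = inherit(default_acl, 0o644)  # cp creates the copy with the source mode
    print("mask after cp:       ", fmt_perms(copied[("mask", "")]))
    print("apache effective:    ", fmt_perms(effective(copied, "user", "apache")))
    repaired = chmod_group(copied, 0o7)
    print("apache after g=rwx:  ", fmt_perms(effective(repaired, "user", "apache")))
```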



[gentoo-server] Disclaimer to forwarded mails to external domain?

2012-07-31 Thread Vinícius Ferrão
Hello dudes,

I'm considering implementing a new feature in my Postfix Mail Filtering Gateway.

It would be great to add a disclaimer note to forwarded mails to an external 
domain. Since I'm already running amavisd-new, with all his friends, I was 
thinking to invite alterMIME to the party.

The tricky part is how to detect which messages are automatically forwarded 
to an external domain.

A quick example:

Our domain is mydomain.com and all mails received by j...@mydomain.com are 
automatically redirected (forwarded) to j...@externaldomain.com. And when this 
behaviour is detected the disclaimer must be added to the received 
message.

So the main question is: how to do this? And just in case: alterMIME is the 
best solution?

Thanks in advance,
Vinícius Ferrão



Re: [gentoo-server] Is there a way to create a Spamcatch address for SpamAssassin?

2012-07-16 Thread Tomáš Dobrovolný
Hi,

as I remember, you can't send (forward) a spam message which you receive, because 
it will look like you are a spammer (antispam software also uses the headers of the 
incoming message).

I've used a dedicated IMAP folder for this purpose.
--
Tomáš Dobrovolný
Sent from my phone.
Please excuse my brevity.

Vinícius Ferrão viniciusfer...@cc.if.ufrj.br wrote:

Hello dudes,

The question is on the subject: can I create an address like s...@mydomain.com 
to send mails that I and others receive as spam to feed the Bayesian filter of 
SpamAssassin?

I'm running a Mail Filtering Gateway with Postfix and his friends: amavisd-new, 
SpamAssassin, Pyzor, Razor and DCC.

Also would be great to report to the services like Razor and Pyzor.

Thanks in advance,
Vinícius Ferrão



Re: [gentoo-server] Leap Second 'bug'

2012-07-02 Thread Denis Bondar
From 300 servers only ~10 were affected.
The symptom: high CPU consumption.
The workaround I've used: /etc/init.d/ntpd stop; date -s "`date`"; /etc/init.d/ntpd start

On 2 July 2012 08:35, Pandu Poluan pa...@poluan.info wrote:

 Just wondering... did Saturday's Leap Second bite your infrastructure?

 Did you do something special (like Google did) to prevent chaos?

 'Leap Second' Bug Wreaks Havoc Across Web | Wired Enterprise | Wired.com
 http://m.wired.com/wiredenterprise/2012/07/leap-second-bug-wreaks-havoc-with-java-linux/

 Sent from Maxthon Mobile

 Rgds,




-- 
Kind regards,
Denis Bondar


[gentoo-server] no-multilib - multilib (theory)

2012-06-22 Thread Halassy Zoltán

Hello!

(speaking about x86 and x86_64)

I've read that after going no-multilib, there is no way back (at least there 
is no straight way to do it, though hacks exist).


I'm wondering what makes it difficult. The first issue is, gcc can make 
32bit object files, but the linker cannot create executables as 32bit 
libgcc.a is missing. On multilib systems, gcc itself is a 64bit 
executable, only with a few extra 32bit .a and .so files (so effectively 
a cross-compiler on a 64-bit system for 32-bit systems). I didn't try, 
but I can't see why one couldn't compile a multilib gcc on a 
non-multilib system. Does linking those extra 32bit .so and .a files 
require some information from the not-present 32bit libc which causes 
the problem?






[gentoo-server] A Nasty md/raid bug

2012-06-20 Thread Halassy Zoltán

Hello!

I read the article http://neil.brown.name/blog/20120615073245 , which 
explains a nasty bug about raids, but I'm wondering if any of this code 
was backported to gentoo-sources or hardened-sources.


From the article:

The bug was introduced by

commit c744a65c1e2d59acc54333ce8 md: don't set md arrays to readonly on 
shutdown.


and fixed by

commit 30b8aa9172dfeaac6d77897c67ee9f9fc574cdbb md: fix possible 
corruption of array metadata on shutdown.


These entered the upstream kernel for v3.4-rc1 and v3.4-rc5 
respectively, so no main-line released kernel is vulnerable.


However the first patch was tagged Cc: sta...@vger.kernel.org as it 
fixed a bug, and so it was added to some stable releases.


For v3.3.y the bug was introduced by commit ed1b69c5592d1 in v3.3.1 and 
fixed by commit ff459d1ea87ea7 in v3.3.4, so v3.3.1, v3.3.2, and v3.3.3 
are vulnerable.


For v3.2.y the bug was introduced by commit 6bd620a44f7fd in v3.2.14 and 
fixed by commit 31097a1c490c in v3.2.17 so v3.2.14, v3.2.15, v3.2.16 are 
all vulnerable.


The bug was not backported to any other kernel.org kernels, so only 
those 6 are vulnerable. Some distributors may have picked up the patch and 
applied it to their own kernel so it is possible that other kernels are 
vulnerable too.






[gentoo-server] Fwd: Re: [gentoo-user] udevd boot messages

2012-05-23 Thread Pandu Poluan
Mes amis,

Please be informed that the latest baselayout update might very likely
need a reboot.

Here's some info I repost from Gentoo-user list. For the full thread, check
out its archive.

Rgds,
 -- Forwarded message --
From: Tanstaafl tansta...@libertytrek.org
Date: May 23, 2012 11:27 PM
Subject: Re: [gentoo-user] udevd boot messages
To: gentoo-u...@lists.gentoo.org

On 2012-05-21 5:00 PM, Markos Chandras hwoar...@gentoo.org wrote:

 On 05/21/2012 03:27 PM, Michael Hampicke wrote:

 I updated udev from 171-r5 to 171-r6 and now i get several udevd
  boot message as : udevd[1389]: can not find
 '/lib/udev/rules.d/90-network.rules': No such file or directory
 udevd[1389]: can not find '/lib/udev/rules.d/95-keymap.rules': No
 such file or directory .. and so on.

 /lib is a symlink pointing to /lib64. /lib64/udev/rules.d is ok
 with all the rules that udevd does not find at boot.


 No I would guess it was because of the upgrade of
 sys-apps/baselayout to 2.1-r1. Things got crazy here with that
 upgrade. I had to re-merge every package with files under /lib/ In
  your case re-merging udev should do the trick.


 The package clearly informed you that you need to reboot for things to
 work properly

 You should reboot the system now to get /run mounted with tmpfs!

 Have a look on pkg_postinst() function in that ebuild. You chose to
 ignore it and this is why you had these problems after the update.


pet-peeve
I asked about this a while back but never got a decent answer...

*Especially* for servers, there really, REALLY needs to be a way to see
this kind of warning BEFORE updating... ie, the warning should be printed
to the screen during an 'emerge -pvuDN world' or something, so I know that
a reboot will be required for this update.
/pet-peeve


Re: [gentoo-server] Postfix Double Bounce Handling

2012-05-15 Thread Tanstaafl

On 2012-05-14 2:48 PM, Vinícius Ferrão viniciusfer...@cc.if.ufrj.br wrote:

But I don't understand what can make my server a backscatter source.

I'm not relaying from outside, and I only accept messages from my
domain,


*From* your domain? Or destined *for* your domain?


and only from my aging sendmail+dovecot server, so no relaying from
outside.


Well, since you haven't proven any of your assertions, we have no way of 
knowing.


You should be asking this on the postfix list, but we can probably help 
you here too, if you are willing to listen...


First, we'll need full output of postconf -n...


What I don't have is what you said: check for local recipients. But
this is a problem?


If you accept messages to *any* address (including invalid recipients), 
then that is what is causing the bounce messages.


If you only accept messages for valid recipients, the bounces stop. 
Simple, no?




[gentoo-server] Postfix Double Bounce Handling

2012-05-14 Thread Vinícius Ferrão
Hello,

I'm running a postfix mail filtering gateway in a hardened gentoo box and I
really don't know what to do with double-bounced messages.

Since we have a lot of spam bots attacking our infrastructure, the double
bounce messages cannot be ignored and the mail queue is growing with
undeliverable double bounce messages.

Any thoughts on what should be done to handle this?


Thanks in advance,
Vinícius Ferrão


Re: [gentoo-server] Active Directory Based Authentication?

2012-05-12 Thread Pandu Poluan
On May 12, 2012 4:28 AM, Matthew Thode prometheanf...@gentoo.org wrote:

 On 05/11/2012 09:51 AM, Vinícius Ferrão wrote:
  Hello Pandu,
 
  I have done a implementation using a daemon named sssd. It's sponsored
by the Fedora Project if I remember correctly.
 
  It supports 2008r2 AD without much hassle. I've setup everything
relying on LDAP for information and Kerberos for authentication. So you
don't need things like nss-ldap, nslcd, nscd and other old services. You
can handle almost everything with SSSD. And even better: SSSD supports
offline server authentication in the case of your AD is down or not
reachable at the moment.
 
  I can send you some links in the night (Brazilian night) when I will be
at home.
 
  Sent from my iPhone
 
  On 11/05/2012, at 00:36, Pandu Poluan pa...@poluan.info wrote:
 
  Hello list,
 
  I just want to know, what is your recommendation(s) to implement
Active Directory authentication on Gentoo?
 
  I want to use AD not only for logins, but also for running
daemons/services.
 
  *Ideally*, it would also allow me to manage my boxen using GPO, but I
can live without that.
 
  Rgds,
 
 I can attest to how awesome sssd is.  I use it for linux server to linux
 client, but the concept is still the same.


Ahaha, this is what I've been looking for: a recommendation backed by
experience ;-)

Thanks for the heads up, guys! Honestly, this is the first time I ever
heard of SSSD. Sounds very interesting... I'll certainly look into it.

Rgds,


[gentoo-server] Active Directory Based Authentication?

2012-05-11 Thread Pandu Poluan
Hello list,

I just want to know, what is your recommendation(s) to implement Active
Directory authentication on Gentoo?

I want to use AD not only for logins, but also for running daemons/services.

*Ideally*, it would also allow me to manage my boxen using GPO, but I can
live without that.

Rgds,


Re: [gentoo-server] Active Directory Based Authentication?

2012-05-11 Thread Brian Kroth

Pandu Poluan pa...@poluan.info 2012-05-11 10:36:

  Hello list,

  I just want to know, what is your recommendation(s) to implement Active
  Directory authentication on Gentoo?


Attribute data can be stored/retrieved in ldaps (as in AD usually only 
allows authenticated binds to retrieve data and it requires an ssl 
connection to do that, other than that it's really just ldap).


Authentication can be done either via ldaps or kerberos, though I 
personally find the latter to be extra complication that's usually 
unnecessary.


As someone else mentioned, there's a wealth of data out there on how to 
do this in any number of schemes (eg: libnss-ldap, libpam-ldap, sssd, 
etc.).



  I want to use AD not only for logins, but also for running
  daemons/services.


I don't see the distinction.  Either way it seems you're concerned with 
authenticating users and doing attribute lookups on them.



  *Ideally*, it would also allow me to manage my boxen using GPO, but I can
  live without that.


I'm not personally aware of anything that does that.  If there is, it's 
probably something like redhat/suse specific.


However, I believe it is possible to use a samba4 host as a domain 
controller to serve GPs to windows clients.


Cheers,
Brian




Re: [gentoo-server] Active Directory Based Authentication?

2012-05-11 Thread Matthew Thode
On 05/11/2012 09:51 AM, Vinícius Ferrão wrote:
 Hello Pandu,
 
 I have done a implementation using a daemon named sssd. It's sponsored by the 
 Fedora Project if I remember correctly.
 
 It supports 2008r2 AD without much hassle. I've setup everything relying on 
 LDAP for information and Kerberos for authentication. So you don't need 
 things like nss-ldap, nslcd, nscd and other old services. You can handle 
 almost everything with SSSD. And even better: SSSD supports offline server 
 authentication in the case of your AD is down or not reachable at the moment.
 
 I can send you some links in the night (Brazilian night) when I will be at 
 home.
 
 Sent from my iPhone
 
 On 11/05/2012, at 00:36, Pandu Poluan pa...@poluan.info wrote:
 
 Hello list,

 I just want to know, what is your recommendation(s) to implement Active 
 Directory authentication on Gentoo?

 I want to use AD not only for logins, but also for running daemons/services.

 *Ideally*, it would also allow me to manage my boxen using GPO, but I can 
 live without that.

 Rgds,
 
I can attest to how awesome sssd is.  I use it for linux server to linux
client, but the concept is still the same.

-- 
-- Matthew Thode (prometheanfire)





Re: [gentoo-server] Nginx dav-ext webdav the gentoo way

2012-04-24 Thread Norman Rieß

Thank you, I did that now and it works as it should.

Regards
Norman



On 23.04.2012 09:04, Denis Bondar wrote:
 Hi Norman-
 
 The Gentoo way is to create your own ebuild in your
 PORTDIR_OVERLAY. For example, I needed the auth_ldap in nginx. The
 final diff for my ebuild looked like
 https://gist.github.com/2469281
 
 
 
 On 22 April 2012 15:15, Norman Rieß nor...@smash-net.org 
 mailto:nor...@smash-net.org wrote:
 
 Hello,
 
 i am running an OwnCloud instance on my nginx webserver. The
 problem is, nginx seems not to implement the OPTIONS and PROPFIND 
 methods of webdav. But these methods are needed to run OwnCloud
 webdav. There is a nginx-ext-dav module, which supports these
 methods but this module seems not to be in the nginx ebuild or in
 the portage tree.
 
 So what is the gentoo way here? I would rather like to avoid
 compiling nginx myself, breaking the update process of portage. I
 did not find an overlay containing this, but frankly, I did not 
 really know how to search for that.
 
 Have any of you done this and how?
 
 Thank you.
 
 Regards, Norman
 
 
 
 
 -- Kind regards, Denis Bondar




Re: [gentoo-server] Nginx dav-ext webdav the gentoo way

2012-04-23 Thread Denis Bondar
Hi Norman-

The Gentoo way is to create your own ebuild in your PORTDIR_OVERLAY.
For example, I needed the auth_ldap in nginx. The final diff for my ebuild
looked like https://gist.github.com/2469281



On 22 April 2012 15:15, Norman Rieß nor...@smash-net.org wrote:


 Hello,

 i am running an OwnCloud instance on my nginx webserver.
 The problem is, nginx seems not to implement the OPTIONS and PROPFIND
 methods of webdav. But these methods are needed to run OwnCloud webdav.
 There is a nginx-ext-dav module, which supports these methods but this
 module seems not to be in the nginx ebuild or in the portage tree.

 So what is the gentoo way here? I would rather like to avoid compiling
 nginx myself, breaking the update process of portage.
 I did not find an overlay containing this, but frankly, I did not
 really know how to search for that.

 Have any of you done this and how?

 Thank you.

 Regards,
 Norman




-- 
Kind regards,
Denis Bondar


[gentoo-server] Nginx dav-ext webdav the gentoo way

2012-04-22 Thread Norman Rieß

Hello,

I am running an OwnCloud instance on my nginx webserver.
The problem is, nginx seems not to implement the OPTIONS and PROPFIND
methods of webdav. But these methods are needed to run OwnCloud webdav.
There is a nginx-ext-dav module, which supports these methods but this
module seems not to be in the nginx ebuild or in the portage tree.

So what is the gentoo way here? I would rather like to avoid compiling
nginx myself, breaking the update process of portage.
I did not find an overlay containing this, but frankly, I did not
really know how to search for that.

Have any of you done this and how?

Thank you.

Regards,
Norman



Re: [gentoo-server] MySQL Backup

2012-04-16 Thread Brian Kroth
I use this for some very large data sets as well.  The trouble is that 
to do it right you have to lock the tables while it's running, so I 
actually run it off replication slaves instead.  One of the nice things 
of doing things this way is that you can use perl or your other favorite 
text processing tool to parse out individual databases, tables, views, 
etc.  That's important in a hosting environment and usually more 
difficult/costly with raw file backups.


Brian

Tanner Danzey arkan...@gmail.com 2012-04-15 13:10:

  I use MySQL's mysqldump and a daily cron task that zips it up and sends
  it to my NFS backup drive in dated folders. It works just fine for my
  minute data set.

  On Apr 15, 2012 1:04 PM, Gerry Smith smith.ge...@gmail.com wrote:

What's recommended for MySQL backups these days ?
I've been using zmanda, which I found very easy to install and use,
but it doesn't seem to be in portage anymore ?

Thanks,

Gerry Smith




[gentoo-server] MySQL Backup

2012-04-15 Thread Gerry Smith
What's recommended for MySQL backups these days ?
I've been using zmanda, which I found very easy to install and use,
but it doesn't seem to be in portage anymore ?

Thanks,

Gerry Smith



Re: [gentoo-server] MySQL Backup

2012-04-15 Thread kojiro
Tar+ssh

Gerry Smith smith.ge...@gmail.com wrote:

What's recommended for MySQL backups these days ?
I've been using zmanda, which I found very easy to install and use,
but it doesn't seem to be in portage anymore ?

Thanks,

Gerry Smith



Re: [gentoo-server] MySQL Backup

2012-04-15 Thread Robert Bridge
We use xtrabackup from percona, with tar to generate backup of the
running mysql servers in a fraction of the time it would take to use
mysqldump. Restoration is then just a case of copying the uncompressed
tarball into place and starting mysql.

It's a pain when it comes to restoring individual tables, but for a
full system backup it's fast and easy.

RobbieAB.

On 15 April 2012 20:40, Jesse Pasichnyk je...@pasichnyk.net wrote:
 I run backuppc, calling MySQL dump as a pre-backup task...
 
 From: Tanner Danzey
 Sent: 4/15/2012 10:56 AM
 To: gentoo-server@lists.gentoo.org
 Subject: Re: [gentoo-server] MySQL Backup


 I use MySQL's mysqldump and a daily cron task that zips it up and sends it
 to my NFS backup drive in dated folders. It works just fine for my minute
 data set.

 On Apr 15, 2012 1:04 PM, Gerry Smith smith.ge...@gmail.com wrote:

 What's recommended for MySQL backups these days ?
 I've been using zmanda, which I found very easy to install and use,
 but it doesn't seem to be in portage anymore ?

 Thanks,

 Gerry Smith
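
Brian Kroth's reply in this thread points out that a mysqldump file can be cut into individual databases with a text-processing tool, which matters when one customer's data has to be restored in a hosting environment. The following is an added example, not code from any poster: it assumes the dump was taken with --databases or --all-databases (so each database is introduced by a "-- Current Database:" comment), and the function names and the sample dump are constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import quote

# mysqldump writes this comment before each database when run with
# --databases or --all-databases; backticks inside a name are doubled.
DB_MARKER = re.compile(r"^-- Current Database: `((?:[^`]|``)+)`\s*$")

# Constructed sample dump, shortened to the lines that matter here.
# The second database name is deliberately awkward as a file name.
SAMPLE_DUMP = """\
-- MySQL dump 10.13
/*!40101 SET NAMES utf8 */;

--
-- Current Database: `shop`
--

CREATE DATABASE /*!32312 IF NOT EXISTS*/ `shop`;
USE `shop`;
CREATE TABLE `orders` (`id` int);

--
-- Current Database: `a/../b`
--

CREATE DATABASE /*!32312 IF NOT EXISTS*/ `a/../b`;
USE `a/../b`;
CREATE TABLE `t` (`id` int);
-- Dump completed
"""


def split_dump(stream):
    """Split a multi-database dump into {database name: SQL text}.

    Every part starts with the dump's preamble (the lines before the first
    database marker) so it can be replayed on its own. The trailer of the
    whole dump stays with the last database.
    """
    preamble, parts, current = [], {}, None
    for line in stream:
        match = DB_MARKER.match(line)
        if match:
            current = match.group(1).replace("``", "`")
            parts.setdefault(current, list(preamble))
        if current is None:
            preamble.append(line)
        else:
            parts[current].append(line)
    return {db: "".join(lines) for db, lines in parts.items()}


def safe_filename(db):
    """Percent-encode a database name so it cannot address another directory."""
    return quote(db, safe="") + ".sql"


def write_parts(parts, outdir):
    """Write one file per database: owner-only mode, never overwriting."""
    paths = []
    for db, sql in sorted(parts.items()):
        path = os.path.join(outdir, safe_filename(db))
        # O_EXCL refuses an existing file or symlink; 0o600 keeps the
        # dump (which contains all table data) private to the backup user.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            handle.write(sql)
        paths.append(path)
    return paths


def demo():
    """Split the constructed sample; return (file names, permission bits)."""
    import io
    parts = split_dump(io.StringIO(SAMPLE_DUMP))
    with tempfile.TemporaryDirectory() as outdir:
        paths = write_parts(parts, outdir)
        names = sorted(os.listdir(outdir))
        modes = [os.stat(p).st_mode & 0o777 for p in paths]
    return names, modes


if __name__ == "__main__":
    print(demo())
```

The database name is taken from the dump itself, so it is treated as untrusted input before it becomes a file name.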





[gentoo-server] DomU freezes in the middle of booting

2012-04-12 Thread Konstantin
Hello,

Stuck with starting DomU. :(

I've compiled bzImage with Xen frontend drivers, modules, installed them,
added some extra parameters about console

--
kernel = /etc/xen/DomU-kernels/kernel-3.2.12-domU
memory = 1024
name   = vm0
disk   = ['phy:/dev/vg01/vm0,xvda,w']
root   = '/dev/xvda ro'
extra = 'xencons=tty'
vif = ['vifname=veth1, bridge=xenbr0']
vcpus=2
--

then started DomU with:
# xl create /etc/xen/vm0 -c

and console output freezes somewhere after:
--
device-mapper: ioctl: 4.22.0-ioctl (2011-10-19) initialised: dm-de...@redhat.com
TCP cubic registered
blkfront: xvda: flush diskcache: enabled
 xvda: unknown partition table
--

What am I doing wrong? ;)

P.S.: Also before that I got some non-critical errors. I guess it is
related to RTC or HPET somehow. Is it a big problem for DomU system?

--
PCI: System does not support PCI
PCI: System does not support PCI
Switching to clocksource xen
CE: xen increased min_delta_ns to 15 nsec
CE: xen increased min_delta_ns to 225000 nsec
CE: xen increased min_delta_ns to 337500 nsec
CE: xen increased min_delta_ns to 506250 nsec
CE: xen increased min_delta_ns to 759375 nsec
CE: xen increased min_delta_ns to 1139062 nsec
CE: xen increased min_delta_ns to 1708593 nsec
CE: xen increased min_delta_ns to 2562889 nsec
CE: xen increased min_delta_ns to 3844333 nsec
CE: xen increased min_delta_ns to 5766499 nsec
CE: xen increased min_delta_ns to 8649748 nsec
CE: xen increased min_delta_ns to 1000 nsec
CE: Reprogramming failure. Giving up
CE: Reprogramming failure. Giving up
hrtimer: interrupt took 5163 ns
CE: xen increased min_delta_ns to 15 nsec
CE: xen increased min_delta_ns to 225000 nsec
CE: xen increased min_delta_ns to 337500 nsec
CE: xen increased min_delta_ns to 506250 nsec
CE: xen increased min_delta_ns to 759375 nsec
CE: xen increased min_delta_ns to 1139062 nsec
CE: xen increased min_delta_ns to 1708593 nsec
CE: xen increased min_delta_ns to 2562889 nsec
CE: xen increased min_delta_ns to 3844333 nsec
CE: xen increased min_delta_ns to 5766499 nsec
CE: xen increased min_delta_ns to 8649748 nsec
CE: xen increased min_delta_ns to 1000 nsec
CE: Reprogramming failure. Giving up
CE: Reprogramming failure. Giving up
CE: Reprogramming failure. Giving up
pnp: PnP ACPI: disabled
--

-- 
Konstantin




Re: [gentoo-server] DomU freezes in the middle of booting

2012-04-12 Thread prometheanfire
On Thu, 12 Apr 2012 10:53:16 +0300
Konstantin konstan...@astafjev.com wrote:

 /dev/vg01/vm0
from the host, can you verify that /dev/vg01/vm0 has a valid partition
table?

-- 
Matthew Thode (prometheanfire)




Re: [gentoo-server] DomU freezes in the middle of booting

2012-04-12 Thread Konstantin
Hello Matthew,

Thank you for your letter.

Thursday, April 12, 2012, 11:18:41, Matthew Thode wrote:
 On Thu, 12 Apr 2012 10:53:16 +0300
 Konstantin konstan...@astafjev.com wrote:

 /dev/vg01/vm0
 from the host, can you verify that /dev/vg01/vm0 has a valid partition
 table?

Sure. I've already done it. Actually sometimes (very rare) output jumps
somewhere farther like:


device-mapper: ioctl: 4.22.0-ioctl (2011-10-19) initialised: dm-de...@redhat.com
TCP cubic registered
blkfront: xvda: flush diskcache: enabled
 xvda: unknown partition table
REISERFS (device xvda): found reiserfs format 3.6 with standard journal
REISERFS (device xvda): using ordered data mode
reiserfs: using flush barriers
REISERFS (device xvda): journal params: device xvda, size 8192, journal first 
block 18, max trans len 1024, max batch 900, max commit age 30,max 
trans age 30
REISERFS (device xvda): checking transaction log (xvda)
REISERFS (device xvda): Using r5 hash to sort names
VFS: Mounted root (reiserfs filesystem) readonly on device 202:0.
Freeing unused kernel memory: 508k freed
INIT: version 2.88 booting

   OpenRC 0.9.8.4 is starting up Gentoo Linux (x86_64) [XENU]

 * Mounting /proc ...
 [ ok ]
.skipped
 * Initializing random number generator ...
 [ ok ]
INIT: Entering runlevel: 3
 * Mounting network filesystems ...
 [ ok ]
 * Doing udev cleanups
 * Starting local
 [ ok ]


So I guess that my problem is somewhere else.

-- 
Konstantin




Re: [gentoo-server] DomU freezes in the middle of booting

2012-04-12 Thread Pandu Poluan
On Apr 12, 2012 4:57 PM, Konstantin konstan...@astafjev.com wrote:

 Hello,

 With the help of Nikita, I've figured out how to get rid of
 xvda: unknown partition table

 I have to use /dev/xvda1 not the /dev/xvda

 -
 disk   = ['phy:/dev/vg01/vm0,xvda,w']
 root   = '/dev/xvda ro'
 -

 changed to:

 -
 disk   = ['phy:/dev/vg01/vm0,xvda1,w']
 root   = '/dev/xvda1 ro'
 -

 Anyway booting freezes. Once I saw:

 -
 TCP cubic registered
 XENBUS: Waiting for devices to initialise:
295s...290s...285s...280s...275s...270s...265s...260s...255s...250s...245s...240s...235s...230s...225s...220s...215s...210s...205s...200s...195s...190s...185s...180s...175s...170s...165s...160s...155s...150s...145s...140s...135s...130s...125s...120s...115s...110s...105s...100s...95s...90s...85s...80s...75s...70s...65s...60s...55s...50s...45s...40s...35s...30s...25s...20s...15s...10s...5s...0s...
 XENBUS: Timeout connecting to device: device/vbd/51713 (local state 3,
remote state 1)
 XENBUS: Timeout connecting to device: device/vif/0 (local state 1, remote
state 1)
 VFS: Cannot open root device xvda1 or unknown-block(0,0)
 Please append a correct root= boot option; here are the available
partitions:
 Kernel panic - not syncing: VFS: Unable to mount root fs on
unknown-block(0,0)
 Pid: 1, comm: swapper/0 Not tainted 3.2.12-gentoo #2
 Call Trace:
  [81318ebd] ? panic+0x92/0x199
  [81319004] ? printk+0x40/0x4c
  [814f4e2e] ? mount_block_root+0x238/0x24f
  [814f4fc0] ? prepare_namespace+0x12c/0x156
  [814f4b3e] ? kernel_init+0x10a/0x113
  [8131d074] ? kernel_thread_helper+0x4/0x10
  [8131bd33] ? int_ret_from_sys_call+0x7/0x1b
  [8131b43c] ? retint_restore_args+0x5/0x6
  [8131d070] ? gs_change+0x13/0x13
 -

 So I guess may be it's related to some DomU kernel configuration
 problem? I've attached it to this letter.

 test # cat .config | grep XEN
 CONFIG_XEN=y
 CONFIG_XEN_DOM0=y
 CONFIG_XEN_PRIVILEGED_GUEST=y
 CONFIG_XEN_PVHVM=y
 CONFIG_XEN_MAX_DOMAIN_MEMORY=128
 CONFIG_XEN_SAVE_RESTORE=y
 # CONFIG_XEN_DEBUG_FS is not set
 CONFIG_PCI_XEN=y
 CONFIG_XEN_PCIDEV_FRONTEND=y
 CONFIG_XEN_BLKDEV_FRONTEND=y
 CONFIG_NETXEN_NIC=m
 CONFIG_XEN_NETDEV_FRONTEND=y
 CONFIG_HVC_XEN=y
 CONFIG_XEN_BALLOON=y
 CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
 CONFIG_XEN_SCRUB_PAGES=y
 CONFIG_XEN_DEV_EVTCHN=y
 # CONFIG_XEN_BACKEND is not set
 CONFIG_XENFS=y
 CONFIG_XEN_COMPAT_XENFS=y
 CONFIG_XEN_SYS_HYPERVISOR=y
 CONFIG_XEN_XENBUS_FRONTEND=y
 CONFIG_XEN_GNTDEV=m
 CONFIG_XEN_GRANT_DEV_ALLOC=m
 CONFIG_SWIOTLB_XEN=y

 --
 Konstantin

Have you tried:

root   = '/dev/xvda1'

That is, without 'ro'?

Rgds,
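
The XENBUS timeout lines quoted above carry more information than they appear to. The following is an added example, not code from any poster or from the Xen project: it decodes the vbd number using the xvd numbering in Xen's vbd-interface document (202<<8 | disk<<4 | partition) and the XenbusState values from Xen's xenbus.h, then compares the result with the guest config quoted in the thread; the function names are constructed for illustration.

```python
import re

# XenbusState numbering from Xen's public header xen/io/xenbus.h.
XENBUS_STATES = {
    0: "Unknown", 1: "Initialising", 2: "InitWait", 3: "Initialised",
    4: "Connected", 5: "Closing", 6: "Closed",
    7: "Reconfiguring", 8: "Reconfigured",
}

TIMEOUT_RE = re.compile(
    r"XENBUS: Timeout connecting to device: device/(\w+)/(\d+) "
    r"\(local state (\d+), remote state (\d+)\)"
)

# The second guest config and the timeout lines quoted in the thread
# (each log line re-joined where the mail client wrapped it).
GUEST_CONFIG = """\
disk   = ['phy:/dev/vg01/vm0,xvda1,w']
root   = '/dev/xvda1 ro'
"""
BOOT_LOG = """\
XENBUS: Timeout connecting to device: device/vbd/51713 (local state 3, remote state 1)
XENBUS: Timeout connecting to device: device/vif/0 (local state 1, remote state 1)
VFS: Cannot open root device xvda1 or unknown-block(0,0)
"""


def disk_letters(index):
    """Linux disk suffix: 0 -> 'a', 25 -> 'z', 26 -> 'aa'."""
    letters = ""
    index += 1
    while index > 0:
        index, rem = divmod(index - 1, 26)
        letters = chr(ord("a") + rem) + letters
    return letters


def decode_vbd(devid):
    """Translate a xenstore vbd number into the guest's xvd device name."""
    if devid & (1 << 28):        # extended form: 1<<28 | disk<<8 | partition
        disk, part = (devid >> 8) & 0xFFFFF, devid & 0xFF
    elif devid >> 8 == 202:      # classic form: 202<<8 | disk<<4 | partition
        disk, part = (devid >> 4) & 0xF, devid & 0xF
    else:
        raise ValueError(f"{devid} is not an xvd device number")
    return "xvd" + disk_letters(disk) + (str(part) if part else "")


def parse_guest_config(text):
    """Return (root device name, exported vdev names) from the guest config."""
    root = re.search(r"^\s*root\s*=\s*'([^']*)'", text, re.M)
    disk = re.search(r"^\s*disk\s*=\s*\[(.*)\]", text, re.M)
    root_dev = root.group(1).split()[0].replace("/dev/", "", 1) if root else None
    vdevs = []
    if disk:
        for spec in re.findall(r"'([^']*)'", disk.group(1)):
            fields = spec.split(",")     # positional form: target,vdev,access
            if len(fields) >= 2:
                vdevs.append(fields[1].strip())
    return root_dev, vdevs


def explain_timeouts(config_text, log_text):
    """Relate each XENBUS timeout in the log to the devices in the config."""
    root_dev, vdevs = parse_guest_config(config_text)
    whole_disk = root_dev.rstrip("0123456789") if root_dev else None
    report = {
        "root": root_dev,
        "vdevs": vdevs,
        # root= may name an exported vdev or a partition of an exported disk
        "root_exported": root_dev in vdevs or whole_disk in vdevs,
        "timeouts": [],
    }
    for kind, devid, local, remote in TIMEOUT_RE.findall(log_text):
        devid = int(devid)
        name = decode_vbd(devid) if kind == "vbd" else f"{kind}{devid}"
        report["timeouts"].append({
            "kind": kind,
            "name": name,
            "frontend": XENBUS_STATES.get(int(local), "?"),
            "backend": XENBUS_STATES.get(int(remote), "?"),
            "is_root": kind == "vbd" and name == root_dev,
        })
    return report


if __name__ == "__main__":
    print(explain_timeouts(GUEST_CONFIG, BOOT_LOG))
```

For the log in this thread, 51713 decodes to xvda1, the same device named in root=, with the guest side Initialised and the other end still Initialising: the root device name is consistent with the config, and the mount fails because the block device never connected.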


Re: [gentoo-server] DomU freezes in the middle of booting

2012-04-12 Thread Andrey Korolyov
Should be googled easily: you need to modify your inittab adding
entries for xen virtual console

hvc0:2345:respawn:/sbin/getty 38400 hvc0
xvc0:2345:respawn:/sbin/getty 38400 xvc0

On Thu, Apr 12, 2012 at 1:55 PM, Konstantin konstan...@astafjev.com wrote:
 Hello,

 With the help of Nikita, I've figured out how to get rid of
 xvda: unknown partition table

 I have to use /dev/xvda1 not the /dev/xvda

 -
 disk   = ['phy:/dev/vg01/vm0,xvda,w']
 root   = '/dev/xvda ro'
 -

 changed to:

 -
 disk   = ['phy:/dev/vg01/vm0,xvda1,w']
 root   = '/dev/xvda1 ro'
 -

 Anyway booting freezes. Once I saw:

 -
 TCP cubic registered
 XENBUS: Waiting for devices to initialise: 
 295s...290s...285s...280s...275s...270s...265s...260s...255s...250s...245s...240s...235s...230s...225s...220s...215s...210s...205s...200s...195s...190s...185s...180s...175s...170s...165s...160s...155s...150s...145s...140s...135s...130s...125s...120s...115s...110s...105s...100s...95s...90s...85s...80s...75s...70s...65s...60s...55s...50s...45s...40s...35s...30s...25s...20s...15s...10s...5s...0s...
 XENBUS: Timeout connecting to device: device/vbd/51713 (local state 3, remote 
 state 1)
 XENBUS: Timeout connecting to device: device/vif/0 (local state 1, remote 
 state 1)
 VFS: Cannot open root device xvda1 or unknown-block(0,0)
 Please append a correct root= boot option; here are the available 
 partitions:
 Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
 Pid: 1, comm: swapper/0 Not tainted 3.2.12-gentoo #2
 Call Trace:
  [81318ebd] ? panic+0x92/0x199
  [81319004] ? printk+0x40/0x4c
  [814f4e2e] ? mount_block_root+0x238/0x24f
  [814f4fc0] ? prepare_namespace+0x12c/0x156
  [814f4b3e] ? kernel_init+0x10a/0x113
  [8131d074] ? kernel_thread_helper+0x4/0x10
  [8131bd33] ? int_ret_from_sys_call+0x7/0x1b
  [8131b43c] ? retint_restore_args+0x5/0x6
  [8131d070] ? gs_change+0x13/0x13
 -

 So I guess may be it's related to some DomU kernel configuration
 problem? I've attached it to this letter.

 test # cat .config | grep XEN
 CONFIG_XEN=y
 CONFIG_XEN_DOM0=y
 CONFIG_XEN_PRIVILEGED_GUEST=y
 CONFIG_XEN_PVHVM=y
 CONFIG_XEN_MAX_DOMAIN_MEMORY=128
 CONFIG_XEN_SAVE_RESTORE=y
 # CONFIG_XEN_DEBUG_FS is not set
 CONFIG_PCI_XEN=y
 CONFIG_XEN_PCIDEV_FRONTEND=y
 CONFIG_XEN_BLKDEV_FRONTEND=y
 CONFIG_NETXEN_NIC=m
 CONFIG_XEN_NETDEV_FRONTEND=y
 CONFIG_HVC_XEN=y
 CONFIG_XEN_BALLOON=y
 CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
 CONFIG_XEN_SCRUB_PAGES=y
 CONFIG_XEN_DEV_EVTCHN=y
 # CONFIG_XEN_BACKEND is not set
 CONFIG_XENFS=y
 CONFIG_XEN_COMPAT_XENFS=y
 CONFIG_XEN_SYS_HYPERVISOR=y
 CONFIG_XEN_XENBUS_FRONTEND=y
 CONFIG_XEN_GNTDEV=m
 CONFIG_XEN_GRANT_DEV_ALLOC=m
 CONFIG_SWIOTLB_XEN=y

 --
 Konstantin



Re: [gentoo-server] DomU freezes in the middle of booting

2012-04-12 Thread Konstantin
Hello Pandu,

Thursday, April 12, 2012, 13:09:15, Pandu Poluan wrote:
 Have you tried:
 root   = '/dev/xvda1'
 That is, without 'ro'? 
 Rgds, 

Thank you. Already tried without any difference.

-- 
Konstantin




Re: [gentoo-server] DomU freezes in the middle of booting

2012-04-12 Thread Konstantin
Hello Andrey,

Thank you for your letter.

Thursday, April 12, 2012, 13:17:52, Andrey Korolyov wrote:
 Sorry, I have missed because of savvy Gmail interface - the answer
 belongs to disappearance of login prompt.

 On Thu, Apr 12, 2012 at 2:09 PM, Andrey Korolyov x...@quake.ru wrote:
 Should be googled easily: you need to modify your inittab adding
 entries for xen virtual console

 hvc0:2345:respawn:/sbin/getty 38400 hvc0
 xvc0:2345:respawn:/sbin/getty 38400 xvc0

Yeah, I remember that. AFAIK, it could be done by modifying inittab in
DomU or by inserting some extra parameters in virtual machine
configuration file like
extra = 'xencons=tty'

But right now I have an issue with XENBUS, I guess.

-- 
Konstantin




Re: [gentoo-server] DomU freezes in the middle of booting

2012-04-12 Thread Pandu Poluan
On Apr 12, 2012 6:23 PM, Konstantin konstan...@astafjev.com wrote:

 Hello Pandu,

 Thursday, April 12, 2012, 13:09:15, Pandu Poluan wrote:
  Have you tried:
  root   = '/dev/xvda1'
  That is, without 'ro'?
  Rgds,

 Thank you. Already tried without any difference.


It's a DomU, right? Why do you have Dom0 option enabled?

Rgds,


Re: [gentoo-server] DomU freezes in the middle of booting

2012-04-12 Thread Konstantin
Hello Pandu,

Thursday, April 12, 2012, 15:29:42, Pandu Poluan wrote:
 Thursday, April 12, 2012, 13:09:15, Pandu Poluan wrote:
  Have you tried:
  root   = '/dev/xvda1'
  That is, without 'ro'?
  Rgds,

 Thank you. Already tried without any difference.

 It's a DomU, right? Why do you have Dom0 option enabled? 

You mean this part of .config file:
CONFIG_XEN_DOM0=y
CONFIG_XEN_PRIVILEGED_GUEST=y
CONFIG_XEN_PVHVM=y
CONFIG_XEN_MAX_DOMAIN_MEMORY=128
CONFIG_XEN_SAVE_RESTORE=y

I just could not find how to disable this code in menuconfig. :)

-- 
Konstantin




Re: [gentoo-server] DomU freezes in the middle of booting

2012-04-12 Thread Pandu Poluan
On Apr 12, 2012 8:51 PM, Konstantin konstan...@astafjev.com wrote:

 Hello,

 Thursday, April 12, 2012, 15:52:50, Konstantin wrote:
  Thursday, April 12, 2012, 15:29:42, Pandu Poluan wrote:
  Thursday, April 12, 2012, 13:09:15, Pandu Poluan wrote:
   Have you tried:
   root   = '/dev/xvda1'
   That is, without 'ro'?
   Rgds,
 
  Thank you. Already tried without any difference.
 
  It's a DomU, right? Why do you have Dom0 option enabled?

  You mean this part of .config file:
  CONFIG_XEN_DOM0=y
  CONFIG_XEN_PRIVILEGED_GUEST=y
  CONFIG_XEN_PVHVM=y
  CONFIG_XEN_MAX_DOMAIN_MEMORY=128
  CONFIG_XEN_SAVE_RESTORE=y

  I just could not find how to disable this code in menuconfig. :)

 If I'm trying to turn it off, but then other frontend options
 disappear.

 Latest update: When I saw
 -
  * Starting local
  [ ok ]
 -

 I've noticed that domU actually working. I've tried to change inittab
 remotely via ssh to something like

 # TERMINALS
 x1:12345:respawn:/sbin/agetty 38400 console linux
 #c1:12345:respawn:/sbin/agetty 38400 tty1 linux
 #c2:2345:respawn:/sbin/agetty 38400 tty2 linux
 #c3:2345:respawn:/sbin/agetty 38400 tty3 linux
 #c4:2345:respawn:/sbin/agetty 38400 tty4 linux
 #c5:2345:respawn:/sbin/agetty 38400 tty5 linux
 #c6:2345:respawn:/sbin/agetty 38400 tty6 linux

 Then reinitialized init by
 localhost ~ # init q

 and console in Dom0 become interactive again. So that freezing after
 Starting local was the console problem anyway.

 Right now only one left with that random start. DomU starts
 successfully about one time per three unsuccessful.

 I've noticed that it gets stuck when kernel outputs this text:

 -
 Switching to clocksource xen
 pnp: PnP ACPI: disabled
 CE: xen increased min_delta_ns to 15 nsec
 CE: xen increased min_delta_ns to 225000 nsec
 CE: xen increased min_delta_ns to 337500 nsec
 CE: xen increased min_delta_ns to 506250 nsec
 CE: xen increased min_delta_ns to 759375 nsec
 CE: xen increased min_delta_ns to 1139062 nsec
 CE: xen increased min_delta_ns to 1708593 nsec
 CE: xen increased min_delta_ns to 2562889 nsec
 CE: xen increased min_delta_ns to 3844333 nsec
 CE: xen increased min_delta_ns to 5766499 nsec
 CE: xen increased min_delta_ns to 8649748 nsec
 CE: xen increased min_delta_ns to 1000 nsec
 CE: Reprogramming failure. Giving up
 CE: Reprogramming failure. Giving up
 hrtimer: interrupt took 5171 ns
 TCP bind hash table entries: 65536 (order: 8, 1048576 bytes)
 TCP: Hash tables configured (established 131072 bind 65536)
 TCP reno registered
 UDP hash table entries: 512 (order: 2, 16384 bytes)
 UDP-Lite hash table entries: 512 (order: 2, 16384 bytes)
 CE: xen increased min_delta_ns to 15 nsec
 CE: xen increased min_delta_ns to 225000 nsec
 CE: xen increased min_delta_ns to 337500 nsec
 CE: xen increased min_delta_ns to 506250 nsec
 CE: xen increased min_delta_ns to 759375 nsec
 CE: xen increased min_delta_ns to 1139062 nsec
 CE: xen increased min_delta_ns to 1708593 nsec
 CE: xen increased min_delta_ns to 2562889 nsec
 CE: xen increased min_delta_ns to 3844333 nsec
 CE: xen increased min_delta_ns to 5766499 nsec
 CE: xen increased min_delta_ns to 8649748 nsec
 CE: xen increased min_delta_ns to 1000 nsec
 CE: Reprogramming failure. Giving up
 CE: Reprogramming failure. Giving up
 platform rtc_cmos: registered platform RTC device (no PNP device found)
 -

 And when kernel not writing any CE:  messages domU boots
 successfully:

 
 PCI: System does not support PCI
 PCI: System does not support PCI
 Switching to clocksource xen
 pnp: PnP ACPI: disabled
 

 Trying to figure out what to do next.

 --
 Konstantin



Try using tickless. I forgot where exactly, but IIRC on the same page
where you set the CPU type.

Rgds,


Re: [gentoo-server] DomU freezes in the middle of booting [SOLVED]

2012-04-12 Thread Konstantin
Hello Pandu,

Thursday, April 12, 2012, 17:30:08, Pandu Poluan wrote:
 On Apr 12, 2012 8:51 PM, Konstantin konstan...@astafjev.com wrote:
 Thursday, April 12, 2012, 15:52:50, Konstantin wrote:
  Thursday, April 12, 2012, 15:29:42, Pandu Poluan wrote:
  Thursday, April 12, 2012, 13:09:15, Pandu Poluan wrote:
   Have you tried:
   root   = '/dev/xvda1'
   That is, without 'ro'?
   Rgds,
 
  Thank you. Already tried without any difference.
 
  It's a DomU, right? Why do you have Dom0 option enabled?

  You mean this part of .config file:
  CONFIG_XEN_DOM0=y
  CONFIG_XEN_PRIVILEGED_GUEST=y
  CONFIG_XEN_PVHVM=y
  CONFIG_XEN_MAX_DOMAIN_MEMORY=128
  CONFIG_XEN_SAVE_RESTORE=y

  I just could not find how to disable this code in menuconfig. :)

 If I'm trying to turn it off, but then other frontend options
 disappear.

 Latest update: When I saw
 -
  * Starting local
  [ ok ]
 -

 I've noticed that domU actually working. I've tried to change inittab
 remotely via ssh to something like

 # TERMINALS
 x1:12345:respawn:/sbin/agetty 38400 console linux
 #c1:12345:respawn:/sbin/agetty 38400 tty1 linux
 #c2:2345:respawn:/sbin/agetty 38400 tty2 linux
 #c3:2345:respawn:/sbin/agetty 38400 tty3 linux
 #c4:2345:respawn:/sbin/agetty 38400 tty4 linux
 #c5:2345:respawn:/sbin/agetty 38400 tty5 linux
 #c6:2345:respawn:/sbin/agetty 38400 tty6 linux

 Then reinitialized init by
 localhost ~ # init q

 and console in Dom0 become interactive again. So that freezing after
 Starting local was the console problem anyway.

 Right now only one left with that random start. DomU starts
 successfully about one time per three unsuccessful.

 I've noticed that it gets stuck when kernel outputs this text:

 -
 Switching to clocksource xen
 pnp: PnP ACPI: disabled
 CE: xen increased min_delta_ns to 15 nsec
 CE: xen increased min_delta_ns to 225000 nsec
 CE: xen increased min_delta_ns to 337500 nsec
 CE: xen increased min_delta_ns to 506250 nsec
 CE: xen increased min_delta_ns to 759375 nsec
 CE: xen increased min_delta_ns to 1139062 nsec
 CE: xen increased min_delta_ns to 1708593 nsec
 CE: xen increased min_delta_ns to 2562889 nsec
 CE: xen increased min_delta_ns to 3844333 nsec
 CE: xen increased min_delta_ns to 5766499 nsec
 CE: xen increased min_delta_ns to 8649748 nsec
 CE: xen increased min_delta_ns to 1000 nsec
 CE: Reprogramming failure. Giving up
 CE: Reprogramming failure. Giving up
 hrtimer: interrupt took 5171 ns
 TCP bind hash table entries: 65536 (order: 8, 1048576 bytes)
 TCP: Hash tables configured (established 131072 bind 65536)
 TCP reno registered
 UDP hash table entries: 512 (order: 2, 16384 bytes)
 UDP-Lite hash table entries: 512 (order: 2, 16384 bytes)
 CE: xen increased min_delta_ns to 15 nsec
 CE: xen increased min_delta_ns to 225000 nsec
 CE: xen increased min_delta_ns to 337500 nsec
 CE: xen increased min_delta_ns to 506250 nsec
 CE: xen increased min_delta_ns to 759375 nsec
 CE: xen increased min_delta_ns to 1139062 nsec
 CE: xen increased min_delta_ns to 1708593 nsec
 CE: xen increased min_delta_ns to 2562889 nsec
 CE: xen increased min_delta_ns to 3844333 nsec
 CE: xen increased min_delta_ns to 5766499 nsec
 CE: xen increased min_delta_ns to 8649748 nsec
 CE: xen increased min_delta_ns to 1000 nsec
 CE: Reprogramming failure. Giving up
 CE: Reprogramming failure. Giving up
 platform rtc_cmos: registered platform RTC device (no PNP device found)
 -

 And when kernel not writing any CE:  messages domU boots
 successfully:

 
 PCI: System does not support PCI
 PCI: System does not support PCI
 Switching to clocksource xen
 pnp: PnP ACPI: disabled
 

 Trying to figure out what to do next.

 Try using tickless. I forgot where exactly, but IIRC on the same page where 
 you set the CPU type.
 Rgds, 

If you mean Tickless System (Dynamic Ticks) as NO_HZ=y so it already
enabled for me.

I figured out how to solve my problem with DomU. I've changed tsc_mode
to something different from 0 or 4 and it seems started to work for
me.

Here is short tsc_mode option description from sample VM config file:

#
#   tsc_mode : TSC mode (0=default, 1=native TSC, 2=never emulate, 3=pvrdtscp)
#   emulate TSC provides synced TSC for all vcpus, but lose perfomrance.
#   native TSC leverages hardware's TSC(no perf loss), but vcpu's TSC may lose
#sync due to hardware's unreliable/unsynced TSC between CPUs.
#   default intelligently uses native TSC on machines where it is safe, but
#switches to emulated if necessary after save/restore/migration
#   pvrdtscp is for intelligent apps that use special Xen-only paravirtualized
#cpuid instructions to obtain offset/scaling/migration info and maximize
#performance within pools 

Re: [gentoo-server] DomU freezes in the middle of booting [SOLVED]

2012-04-12 Thread Pandu Poluan
On Apr 12, 2012 9:46 PM, Konstantin konstan...@astafjev.com wrote:

 Hello Pandu,


 If you mean Tickless System (Dynamic Ticks) as NO_HZ=y so it already
 enabled for me.

 I figured out how to solve my problem with DomU. I've changed tsc_mode
 to something different from 0 or 4 and it seems started to work for
 me.

 Here is short tsc_mode option description from sample VM config file:


#
 #   tsc_mode : TSC mode (0=default, 1=native TSC, 2=never emulate,
3=pvrdtscp)
 #   emulate TSC provides synced TSC for all vcpus, but lose perfomrance.
 #   native TSC leverages hardware's TSC(no perf loss), but vcpu's TSC may
lose
 #sync due to hardware's unreliable/unsynced TSC between CPUs.
 #   default intelligently uses native TSC on machines where it is safe,
but
 #switches to emulated if necessary after save/restore/migration
 #   pvrdtscp is for intelligent apps that use special Xen-only
paravirtualized
 #cpuid instructions to obtain offset/scaling/migration info and
maximize
 #performance within pools of machines that support the rdtscp
instruction
 tsc_mode=1


Ah, glad to hear that.

 BTW, does anybody has NTP server on a virtual machine? ;)


Actually, I do. With tickless, the clock drifts around unpredictably, so I
resort to having one of my VMs sync to the NTP pool, while other VMs sync
to that VM.

Rgds,


Re: [gentoo-server] Toughts on Virtualization

2012-04-11 Thread Konstantin
Greetings,

Tuesday, April 10, 2012, 03:13:36, Hacking Network Solutions - Gentoo List 
Subscriptions wrote:
 On Mon, 2012-04-09 at 19:32 +0300, Konstantin wrote:
 
 What kernel versions are you using for Dom0? Today I've tried to use
 sys-kernel/gentoo-sources-3.2.12 and couldn't find any backend driver
 support. Am I missed something? ;)
 

 Hi Konstantin,
 I use Xen with Gentoo for both Dom0 and DomU.
 The back-end driver support is well hidden in the menus,
Device Drivers  ---  Xen driver support  ---  Backend driver support
 is required to show them.
 I have attached a working .config 3.2.12 for your convenience.

Thank you very much for your kernel configuration file. I've tried to
compile 3.3.1-gentoo with slightly modified your .config by changing
CPU to Intel Core2 and disabling Xen unnecessary for Dom0 frontend
drivers. And kernel seems working, but not with the app-emulation/xen.
It still crashes while booting with something like:

[ 1.391175] Code: 97 81 e8 5f ...
[ 1.394173] RIP [0141a9f5] xen_irq_init+0x15/0xa0
[ 1.394173]  RSP ...
[ 1.394173] CR2: 0040
[ 1.394173] ---[ end trace 4eaa2a86a8e2da22 ]---
[ 1.395470] swapper/0 used greatest stack depth: 4264 bytes left
[ 1.395580] Kernel panic - not syncing: Attempted to kill init

Right now I've tried to use latest xen ebuilds:

[I] app-emulation/xen
 Available versions:  3.4.2-r4!t 4.1.1-r2!t (~)4.1.2!t {acm custom-cflags 
debug flask pae xsm}
 Installed versions:  4.1.2!t(05:24:10 PM 04/11/2012)(-custom-cflags -debug 
-flask -pae -xsm)

[I] app-emulation/xen-tools
 Available versions:  3.4.2-r3 (~)3.4.2-r5 (~)4.1.1-r5 4.1.1-r6 
(~)4.1.2-r2!t {acm api custom-cflags debug doc flask hvm pygrub qemu screen 
xend}
 Installed versions:  4.1.2-r2!t(05:23:08 PM 04/11/2012)(api hvm pygrub 
qemu screen xend -custom-cflags -debug -doc -flask)

Trying to search my issue in bugzilla. May be someone could share some
hints? ;)

-- 
Konstantin




Re: [gentoo-server] Toughts on Virtualization

2012-04-11 Thread Konstantin
Hello,

Wednesday, April 11, 2012, 17:38:25, Konstantin wrote:
 Tuesday, April 10, 2012, 03:13:36, Hacking Network Solutions - Gentoo List 
 Subscriptions wrote:
 On Mon, 2012-04-09 at 19:32 +0300, Konstantin wrote:
 What kernel versions are you using for Dom0? Today I've tried to use
 sys-kernel/gentoo-sources-3.2.12 and couldn't find any backend driver
 support. Am I missed something? ;)
 

 Hi Konstantin,
 I use Xen with Gentoo for both Dom0 and DomU.
 The back-end driver support is well hidden in the menus,
Device Drivers  ---  Xen driver support  ---  Backend driver support
 is required to show them.
 I have attached a working .config 3.2.12 for your convenience.

 Thank you very much for your kernel configuration file. I've tried to
 compile 3.3.1-gentoo with slightly modified your .config by changing
 CPU to Intel Core2 and disabling Xen unnecessary for Dom0 frontend
 drivers. And kernel seems working, but not with the app-emulation/xen.
 It still crashes while booting with something like:

 [ 1.391175] Code: 97 81 e8 5f ...
 [ 1.394173] RIP [0141a9f5] xen_irq_init+0x15/0xa0
 [ 1.394173]  RSP ...
 [ 1.394173] CR2: 0040
 [ 1.394173] ---[ end trace 4eaa2a86a8e2da22 ]---
 [ 1.395470] swapper/0 used greatest stack depth: 4264 bytes left
 [ 1.395580] Kernel panic - not syncing: Attempted to kill init

 Right now I've tried to use latest xen ebuilds:

 [I] app-emulation/xen
  Available versions:  3.4.2-r4!t 4.1.1-r2!t (~)4.1.2!t {acm
 custom-cflags debug flask pae xsm}
  Installed versions:  4.1.2!t(05:24:10 PM
 04/11/2012)(-custom-cflags -debug -flask -pae -xsm)

 [I] app-emulation/xen-tools
  Available versions:  3.4.2-r3 (~)3.4.2-r5 (~)4.1.1-r5 4.1.1-r6
 (~)4.1.2-r2!t {acm api custom-cflags debug doc flask hvm pygrub qemu screen 
 xend}
  Installed versions:  4.1.2-r2!t(05:23:08 PM 04/11/2012)(api
 hvm pygrub qemu screen xend -custom-cflags -debug -doc -flask)

 Trying to search my issue in bugzilla. May be someone could share some
 hints? ;)

Seems like there is a xen conflict bug with kernel-3.3.1:
https://bugs.gentoo.org/show_bug.cgi?id=411585

Rolling back to kernel-2.6.12 successfully started Dom0. :)

-- 
Konstantin




Re: [gentoo-server] Toughts on Virtualization

2012-04-11 Thread Hacking Networked Solutions - Gentoo List Subscriptions
On Wed, 2012-04-11 at 17:38 +0300, Konstantin wrote:
 Greetings,
 
 Tuesday, April 10, 2012, 03:13:36, Hacking Network Solutions - Gentoo List 
 Subscriptions wrote:
  On Mon, 2012-04-09 at 19:32 +0300, Konstantin wrote:
  
  What kernel versions are you using for Dom0? Today I've tried to use
  sys-kernel/gentoo-sources-3.2.12 and couldn't find any backend driver
  support. Am I missed something? ;)
  
 
  Hi Konstantin,
  I use Xen with Gentoo for both Dom0 and DomU.
  The back-end driver support is well hidden in the menus,
 Device Drivers  ---  Xen driver support  ---  Backend driver support
  is required to show them.
  I have attached a working .config 3.2.12 for your convenience.
 
 Thank you very much for your kernel configuration file. I've tried to
 compile 3.3.1-gentoo with slightly modified your .config by changing
 CPU to Intel Core2 and disabling Xen unnecessary for Dom0 frontend
 drivers. And kernel seems working, but not with the app-emulation/xen.
 It still crashes while booting with something like:
 
 [ 1.391175] Code: 97 81 e8 5f ...
 [ 1.394173] RIP [0141a9f5] xen_irq_init+0x15/0xa0
 [ 1.394173]  RSP ...
 [ 1.394173] CR2: 0040
 [ 1.394173] ---[ end trace 4eaa2a86a8e2da22 ]---
 [ 1.395470] swapper/0 used greatest stack depth: 4264 bytes left
 [ 1.395580] Kernel panic - not syncing: Attempted to kill init
 
 Right now I've tried to use latest xen ebuilds:
 
 [I] app-emulation/xen
  Available versions:  3.4.2-r4!t 4.1.1-r2!t (~)4.1.2!t {acm custom-cflags 
 debug flask pae xsm}
  Installed versions:  4.1.2!t(05:24:10 PM 04/11/2012)(-custom-cflags 
 -debug -flask -pae -xsm)
 

I may be wrong about this but I seem to remember reading somewhere that
enabling Xen always enables PAE in the kernel (on 32-bit systems) which
therefore requires that the pae use-flag be specified when building xen
and xen-tools.


 [I] app-emulation/xen-tools
  Available versions:  3.4.2-r3 (~)3.4.2-r5 (~)4.1.1-r5 4.1.1-r6 
 (~)4.1.2-r2!t {acm api custom-cflags debug doc flask hvm pygrub qemu screen 
 xend}
  Installed versions:  4.1.2-r2!t(05:23:08 PM 04/11/2012)(api hvm pygrub 
 qemu screen xend -custom-cflags -debug -doc -flask)
 
 Trying to search my issue in bugzilla. May be someone could share some
 hints? ;)
 






Re: [gentoo-server] Toughts on Virtualization

2012-04-10 Thread Hacking Networked Solutions - Gentoo List Subscriptions
On Tue, 2012-04-10 at 07:28 +0700, Pandu Poluan wrote:
 
 On Apr 10, 2012 7:15 AM, Hacking Network Solutions - Gentoo List
 Subscriptions gentoo.li...@hacking.co.uk wrote:
 
  On Mon, 2012-04-09 at 19:32 +0300, Konstantin wrote:
  
   What kernel versions are you using for Dom0? Today I've tried to use
   sys-kernel/gentoo-sources-3.2.12 and couldn't find any backend driver
   support. Am I missed something? ;)
  
 
  Hi Konstantin,
 
  I use Xen with Gentoo for both Dom0 and DomU.
 
  The back-end driver support is well hidden in the menus,
 
  Device Drivers  ---  Xen driver support  ---  Backend driver support
 
  is required to show them.
 
  I have attached a working .config 3.2.12 for your convenience.
 
  My company also maintains a (still unfinished and now slightly out of
  date unfortunately, but it is on my list of things to update) document
  related to using Xen with Gentoo here:
 
 
 http://www.mad-hacking.net/documentation/linux/deployment/xen/index.xml
 
 
 OMG! You're working there? Hats off to you guys, and max respect! 
 
 I would never be able to deploy my Gentoo infrastructure had I not
 read this :
 
 http://www.mad-hacking.net/documentation/linux/deployment/buildserver/index.xml
  
 
Thank you for the kind words - it's always nice to know that we've been
able to help, especially with getting Gentoo more widely deployed in
production/corporate environments.

  We also maintain ebuilds for the 4.0.2 branch of Xen in our overlay,
  which can be installed with layman (hacking-gentoo).
 
  Maybe this will be of some help, I hope so - if you have any problems
  with Xen feel free to ask me.
 
  If you have any issues with the docs/ebuilds please email me off list.
 
 
 Not an issue, just an honest question: Does having Gentoo as Dom0
 significantly improve performance? 
 
I wish I could say - unfortunately we've only ever used Gentoo as our
Dom0 distribution so have nothing to compare it against.

Theoretically, distributions which are specifically customised for use
as a Xen Dom0 _could_ be better from a performance standpoint as no
doubt there must be some optimisations which can be made that would not
be suitable for a more generic distribution.  

That said I would be very interested to know if any of them had actually
been optimised in said fashion and if the requirements to still run as
wide a range of software as possible on the Dom0 (equivalent to loads of
USE flags) on a wide range of similar processors (equivalent to very
generic CPU setting) actually hurts enough to still make Gentoo a better
choice.  

My _guess_ is that it would, although we're probably talking fractions
of a percent here not significant improvements unless the more generic
distributions pay a particularly heavy price for their CPU tolerance.

Max




Re: [gentoo-server] Toughts on Virtualization

2012-04-09 Thread Konstantin
Hello Pandu,

Sunday, April 8, 2012, 21:26:34, Pandu Poluan wrote:
 I've deployed more than 20 Gentoo servers over VMware and
 XenServer, no performance issues. 

What kernel versions are you using for Dom0? Today I've tried to use
sys-kernel/gentoo-sources-3.2.12 and couldn't find any backend driver
support. Am I missed something? ;)

-- 
Konstantin




Re: [gentoo-server] Toughts on Virtualization

2012-04-09 Thread Pandu Poluan
On Apr 9, 2012 11:34 PM, Konstantin konstan...@astafjev.com wrote:

 Hello Pandu,

 Sunday, April 8, 2012, 21:26:34, Pandu Poluan wrote:
  I've deployed more than 20 Gentoo servers over VMware and
  XenServer, no performance issues.

 What kernel versions are you using for Dom0? Today I've tried to use
 sys-kernel/gentoo-sources-3.2.12 and couldn't find any backend driver
 support. Am I missed something? ;)


Yes, you missed the Server part ;-)

I'm using XenServer, not pure Xen, so I'd guess the Dom0 is a heavily
patched CentOS. The Gentoo VMs all run as DomU.

Rgds,


Re: [gentoo-server] Toughts on Virtualization

2012-04-09 Thread Patrick Nagel
I'm using Linux-VServer for a couple of years, both with Gentoo and 
RHEL/CentOS. Had some trouble setting everything up at the time, but the main 
contributor (bertl) is always very helpful, and he is reachable on IRC (and the 
ML) nearly every day.

If you don't need the guests to be able to do network configuration (since that 
can only be done from the host), I can definitely recommend Linux-VServer.

Vinícius Ferrão viniciusfer...@cc.if.ufrj.br wrote:

Hello fellas,

I'm considering to implement some Gentoo Servers on top of VMWare
vSphere ESXi. But perhaps this is not the best option.

I was googling about performance issues in this scenario and started to
consider some OS-Level VT, like OpenVZ or Linux-vserver, or whatever
else.

So I'm here to ask some opinions about virtualization.

My restricted set of rules (LOL):
1. I will not run anything else than Linux.
2. I don't care about GPL, BSD, Icecream, Bacon, or whatever license,
since it's free, it's fine.
3. Don't need to be an Opensource solution.

Thanks for any help,

--
Sent from my phone.



Re: [gentoo-server] Toughts on Virtualization

2012-04-09 Thread Pandu Poluan
On Apr 10, 2012 7:15 AM, Hacking Network Solutions - Gentoo List
Subscriptions gentoo.li...@hacking.co.uk wrote:

 On Mon, 2012-04-09 at 19:32 +0300, Konstantin wrote:
 
  What kernel versions are you using for Dom0? Today I've tried to use
  sys-kernel/gentoo-sources-3.2.12 and couldn't find any backend driver
  support. Am I missed something? ;)
 

 Hi Konstantin,

 I use Xen with Gentoo for both Dom0 and DomU.

 The back-end driver support is well hidden in the menus,

 Device Drivers  ---  Xen driver support  ---  Backend driver support

 is required to show them.

 I have attached a working .config 3.2.12 for your convenience.

 My company also maintains a (still unfinished and now slightly out of
 date unfortunately, but it is on my list of things to update) document
 related to using Xen with Gentoo here:

 http://www.mad-hacking.net/documentation/linux/deployment/xen/index.xml


OMG! You're working there? Hats off to you guys, and max respect!

I would never be able to deploy my Gentoo infrastructure had I not read
this :

http://www.mad-hacking.net/documentation/linux/deployment/buildserver/index.xml

 We also maintain ebuilds for the 4.0.2 branch of Xen in our overlay,
 which can be installed with layman (hacking-gentoo).

 Maybe this will be of some help, I hope so - if you have any problems
 with Xen feel free to ask me.

 If you have any issues with the docs/ebuilds please email me off list.


Not an issue, just an honest question: Does having Gentoo as Dom0
significantly improve performance?

Rgds,


[gentoo-server] Toughts on Virtualization

2012-04-08 Thread Vinícius Ferrão
Hello fellas,

I'm considering to implement some Gentoo Servers on top of VMWare vSphere ESXi. 
But perhaps this is not the best option.

I was googling about performance issues in this scenario and started to 
consider some OS-Level VT, like OpenVZ or Linux-vserver, or whatever else.

So I'm here to ask some opinions about virtualization.

My restricted set of rules (LOL):
1. I will not run anything else than Linux.
2. I don't care about GPL, BSD, Icecream, Bacon, or whatever license, since 
it's free, it's fine.
3. Don't need to be an Opensource solution.

Thanks for any help,





Re: [gentoo-server] Toughts on Virtualization

2012-04-08 Thread Pandu Poluan
On Apr 9, 2012 12:49 AM, Vinícius Ferrão viniciusfer...@cc.if.ufrj.br
wrote:

 Hello fellas,

 I'm considering to implement some Gentoo Servers on top of VMWare vSphere
ESXi. But perhaps this is not the best option.

 I was googling about performance issues in this scenario and started to
consider some OS-Level VT, like OpenVZ or Linux-vserver, or whatever else.

 So I'm here to ask some opinions about virtualization.

 My restricted set of rules (LOL):
 1. I will not run anything else than Linux.
 2. I don't care about GPL, BSD, Icecream, Bacon, or whatever license,
since it's free, it's fine.
 3. Don't need to be an Opensource solution.

 Thanks for any help,


I've deployed more than 20 Gentoo servers over VMware and XenServer, no
performance issues.

From the top of my head, some pointers when doing menuconfig:

* Go tickless
* Activate the relevant paravirtualization code; choose the
hypervisor-friendly suspend instead of spinlock
* Use the paravirtualized storage driver (Vmware PV-SCSI or Xen Block
FrontEnd)
* If using hardened, first configure for virtualization, exit (and save),
menuconfig again, and check the options under GrSec and PaX; there are
options that will cause performance penalty when run on top of a hypervisor
(see the help text)
* Do not compile *any* unnecessary drivers (e.g., wireless support, exotic
devices)
* Use I/O without delay

And, deployment-wise :

* When possible, do not create more than one partition per virtual drive;
instead, create 1 virtual drive per filesystem mountpoint. E.g. :

Instead of having /dev/sda{1,2,3,4} for /boot, /, /usr, and /home,
respectively, create 4 virtual drives instead. The above mountpoints will
then respectively map to /dev/sd{a,b,c,d}1

(The reason for the latter is because partitions get handled by the VM
(slower), while accesses to virtual hard disks are handled by the
hypervisor (faster)).

I don't have access to my Gentoo systems ATM, so I can't provide a more
detailed guide.

Rgds,
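
Added example (not part of the message above or of the thread): a shell check that reads a kernel .config and reports which of the menuconfig pointers listed above are not met, covering the tickless, paravirtualization, PV storage, I/O delay and unneeded-driver points. The CONFIG_* symbol names are assumed mappings of the checklist wording onto x86 kernel options, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit a kernel .config against the guest checklist above.
# The CONFIG_* names are this example's mapping of the checklist wording
# onto x86 kernel symbols (an assumption; the thread names no symbols).

# write_sample_config PATH: constructed .config fragment, not a real system's.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NO_HZ=y
CONFIG_PARAVIRT=y
CONFIG_XEN=y
CONFIG_XEN_BLKDEV_FRONTEND=y
# CONFIG_VMWARE_PVSCSI is not set
CONFIG_IO_DELAY_0X80=y
# CONFIG_IO_DELAY_NONE is not set
CONFIG_WLAN=y
CONFIG_CFG80211=m
EOF
}

# opt_state FILE SYMBOL: print y or m if the symbol is enabled, otherwise n
# (covers both "# CONFIG_X is not set" and a symbol that is absent).
opt_state() {
    state=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${state:-n}"
}

# require FILE LABEL SYMBOL...: report when none of the symbols is enabled.
require() {
    req_cfg=$1; req_label=$2; shift 2
    for req_sym in "$@"; do
        [ "$(opt_state "$req_cfg" "$req_sym")" = n ] || return 0
    done
    echo "MISSING $req_label: $*"
}

# audit_guest_config FILE xen|vmware: print one finding per line; no output
# means the config matches the checklist. Always returns 0.
audit_guest_config() {
    cfg=$1
    # "Go tickless": CONFIG_NO_HZ on 3.2/3.3, CONFIG_NO_HZ_IDLE on later kernels.
    require "$cfg" tickless CONFIG_NO_HZ CONFIG_NO_HZ_IDLE
    # "Activate the relevant paravirtualization code".
    require "$cfg" paravirt CONFIG_PARAVIRT
    # "Use the paravirtualized storage driver".
    case $2 in
        xen)    require "$cfg" xen-guest CONFIG_XEN
                require "$cfg" storage CONFIG_XEN_BLKDEV_FRONTEND ;;
        vmware) require "$cfg" storage CONFIG_VMWARE_PVSCSI ;;
        *)      echo "UNKNOWN hypervisor: $2" ;;
    esac
    # "Use I/O without delay".
    require "$cfg" io-delay CONFIG_IO_DELAY_NONE
    # "Do not compile *any* unnecessary drivers": wireless as the one sample.
    for sym in CONFIG_WLAN CONFIG_CFG80211; do
        st=$(opt_state "$cfg" "$sym")
        [ "$st" = n ] || echo "UNNEEDED wireless: $sym=$st"
    done
    return 0
}

# Demo run on the constructed sample.
demo_cfg=$(mktemp)
write_sample_config "$demo_cfg"
audit_guest_config "$demo_cfg" xen
rm -f "$demo_cfg"
```

Point it at a real file with `audit_guest_config /usr/src/linux/.config xen`; the hardened (GrSec/PaX) options from the checklist are left to the menuconfig help text, as the message says.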


Re: [gentoo-server] Toughts on Virtualization

2012-04-08 Thread viv...@gmail.com

On 08/04/2012 19:47, Vinícius Ferrão wrote:

Hello fellas,

I'm considering to implement some Gentoo Servers on top of VMWare vSphere ESXi. 
But perhaps this is not the best option.

I was googling about performance issues in this scenario and started to 
consider some OS-Level VT, like OpenVZ or Linux-vserver, or whatever else.

Linux-vserver is not real virtualization, it's more like a super-chroot.

+ It's very fast (host and guest performances are the same)
+ permits (ro)bind mounts
+ very easy iptables configuration for nat and firewalling
+ has deduplication, useful if many similar vs are involved (never used 
it though)
+ it's very well maintained, often new versions are out minutes after the 
vanilla kernel ones

- networking is less isolated, changes need stopping the vs.
- it's a kernel patch, applying other patches (hardened) is a pain



So I'm here to ask some opinions about virtualization.

My restricted set of rules (LOL):
1. I will not run anything else than Linux.
2. I don't care about GPL, BSD, Icecream, Bacon, or whatever license, since 
it's free, it's fine.
3. Don't need to be an Opensource solution.

Thanks for any help,






Re: [gentoo-server] Toughts on Virtualization

2012-04-08 Thread Eduardo Schoedler
On 08/04/2012, at 15:26, Pandu Poluan pa...@poluan.info wrote:
 I've deployed more than 20 Gentoo servers over VMware and XenServer, no 
 performance issues.
 
 From the top of my head, some pointers when doing menuconfig:
 
 * Go tickless
 * Activate the relevant paravirtualization code; choose the 
 hypervisor-friendly suspend instead of spinlock
 * Use the paravirtualized storage driver (Vmware PV-SCSI or Xen Block 
 FrontEnd) 
 * If using hardened, first configure for virtualization, exit (and save), 
 menuconfig again, and check the options under GrSec and PaX; there are 
 options that will cause performance penalty when run on top of a hypervisor 
 (see the help text) 
 * Do not compile *any* unnecessary drivers (e.g., wireless support, exotic 
 devices) 
 * Use I/O without delay
 
 And, deployment-wise :
 
 * When possible, do not create more than one partition per virtual drive; 
 instead, create 1 virtual drive per filesystem mountpoint. E.g. :
 
 Instead of having /dev/sda{1,2,3,4} for /boot, /, /usr, and /home, 
 respectively, create 4 virtual drives instead. The above mountpoints will 
 then respectively map to /dev/sd{a,b,c,d}1
 
 (The reason for the latter is because partitions get handled by the VM 
 (slower), while accesses to virtual hard disks are handled by the hypervisor 
 (faster)). 
 
 I don't have access to my Gentoo systems ATM, so I can't provide a more 
 detailed guide.
 
Pandu,

Please provide more information if you can, like kernel config for XenServer 
guest. I always have problem to do that with Gentoo and I'm using CentOS 
because of that.

Thanks in advance.

Regard,

--
Eduardo Schoedler

Re: [gentoo-server] udev or mdev?

2012-03-26 Thread BRM
 From: Pandu Poluan pa...@poluan.info

On Mar 21, 2012 4:23 PM, Halassy Zoltán zhala...@loginet.hu wrote:
 IMO, initramfs adds yet another black box during server boot.
 The other way around, for me at least. I build my own initramfs, yet I don't 
 know anything about mdev, just the fact it's part of busybox. So for me, 
 mdev is a black box, while my initramfs definitely isn't.
I see. Well, different views for different people, I guess.
It's easier for me to bypass mdev (if it's b0rken) than to bypass initramfs.


As I've had to use BusyBox extensively in some environments, I find their tools 
very lacking in comparison to non-BusyBox environments.
As such, I've come to really hate mdev, and I'll keep udev around for as long 
as it is the standard or until that standard changes to something better - 
of which, mdev it will not be.

$0.02

Ben




Re: [gentoo-server] udev or mdev?

2012-03-23 Thread Drew
On Wed, Mar 21, 2012 at 7:17 PM, Daniel Reidy dub...@gmail.com wrote:
 people actually need an initramfs?

 my kernel has only what it needs, and nothing it doesn't.

+1

Only time I used initramfs was on a desktop and that was while testing
a quirky lvm/raid setup that wouldn't boot without mdadm doing some
assembly *before* the main root filesystem became available. That was
never production quality though and all my servers run either off a HW
RAID card or boot from a SAN.


-- 
Drew

Nothing in life is to be feared. It is only to be understood.
--Marie Curie

This started out as a hobby and spun horribly out of control.
-Unknown



Re: [gentoo-server] udev or mdev?

2012-03-21 Thread Pandu Poluan
On Mar 19, 2012 5:39 PM, Halassy Zoltán zhala...@loginet.hu wrote:

 a. I'm using udev and will still be using udev, latest version


 This.

 Question: Why would I replace a known system to a unknown one? The effort
required to replace udev with mdev could be used to create an initramfs to
mount that /usr , or alter the /etc/init.d/udev-mount to depend on an extra
service, which does nothing else, but mount /usr . With the latter, further
upgrades would just need to keep the extra depend in the init script, long
live config-protect.


IMO, initramfs adds yet another black box during server boot. Plus, udev is
getting more and more complex with all its intelligence. And yet another
daemon in memory, something I certainly don't need on my static virtualized
servers.

Rgds,


Re: [gentoo-server] udev or mdev?

2012-03-21 Thread Halassy Zoltán

IMO, initramfs adds yet another black box during server boot.


The other way around, for me at least. I build my own initramfs, yet I 
don't know anything about mdev, just the fact it's part of busybox. So 
for me, mdev is a black box, while my initramfs definitely isn't.



And yet
another daemon in memory, something I certainly don't need on my static
virtualized servers.


I agree with that. But why do you need mdev for a static system? A few 
mknods would suffice.






Re: [gentoo-server] udev or mdev?

2012-03-21 Thread Daniel Reidy
people actually need an initramfs?

my kernel has only what it needs, and nothing it doesn't.

On Wed, Mar 21, 2012 at 5:39 AM, Pandu Poluan pa...@poluan.info wrote:

 On Mar 21, 2012 4:23 PM, Halassy Zoltán zhala...@loginet.hu wrote:

 IMO, initramfs adds yet another black box during server boot.


 The other way around, for me at least. I build my own initramfs, yet I
 don't know anything about mdev, just the fact it's part of busybox. So for
 me, mdev is a black box, while my initramfs definitely isn't.



 I see. Well, different views for different people, I guess.

 It's easier for me to bypass mdev (if it's b0rken) than to bypass initramfs.

 And yet
 another daemon in memory, something I certainly don't need on my static
 virtualized servers.


 I agree with that. But why do you need mdev for a static system? A few
 mknods would suffice.


 It allows triggered action when I (for example) attach a (virtual) hard disk
 to my VM.

 Rgds,



Re: [gentoo-server] udev or mdev?

2012-03-19 Thread Halassy Zoltán

a. I'm using udev and will still be using udev, latest version


This.

Question: Why would I replace a known system to a unknown one? The 
effort required to replace udev with mdev could be used to create an 
initramfs to mount that /usr , or alter the /etc/init.d/udev-mount to 
depend on an extra service, which does nothing else, but mount /usr . 
With the latter, further upgrades would just need to keep the extra 
depend in the init script, long live config-protect.






[gentoo-server] udev or mdev?

2012-03-18 Thread Pandu Poluan
Hello Server people!

With the recent brouhaha on udev vs mdev back in the -user list, I just
wondered about whether any server guy/gal here (beside me) actually use
mdev instead of udev for the servers?

So, an informal poll time!

a. I'm using udev and will still be using udev, latest version

b. I'm using udev and will still be using udev, but I'll mask 181 and later
(the versions that require /usr to be present during boot)

c. I'm using udev but will transition to mdev

d. I'm using mdev already.

e. A write in vote (please explain)

I personally choose (d), because I like simpler systems (no initramfs), and
I know *exactly* what's going on during boot if I go the mdev route.

What's your answers?

Rgds,


Re: [gentoo-server] udev or mdev?

2012-03-18 Thread Pandu Poluan
On Mar 19, 2012 8:33 AM, Kalin KOZHUHAROV ka...@thinrope.net wrote:

 f. I didn't know mdev existed, will research and answer later :-|

 Cheers,
 Kalin.


While researching, make sure to stop by this page:

http://www.waltdnes.org/mdev/

Rgds,


[gentoo-server] Pay for a hardened VM image?

2012-03-04 Thread Tanstaafl

Hi all,

Would anyone here be interested in being paid to create a hardened VM 
image for me that will run on a Microsoft Hyper-V host?


If so, what would you be willing to do this for?

If you may be interested, but not for Hyper-V, what would you recommend 
for a VM hypervisor that must run both a gentoo VM and one or two 
Microsoft Server VM(s) (no option there for this client)?


Feel free to email me directly...

I may also be interested in an ongoing relationship to support the VM 
infrastructure (only the VM infra) until I get more familiar and 
comfortable with it, so if you are interested in that too, let me know...


Thanks

Charles



[gentoo-server] Local CA on Gentoo

2012-02-09 Thread Vinícius Ferrão
Hi peeps,

I would like to know if someone successfully implemented a Local CA to sign 
services and servers using Gentoo or other Linux.

I'm currently in a Mixed Environment (we have: Windows 2008R2, OS X Lion, Linux 
and FreeBSD), and I really want a single solution, since I need certs for my 
servers, as example: a Postfix Mail Gateway, a W2k8 Domain Controller, Exchange 
Server, Mac OS X Time Machine Server, etc.

Thanks in advance,
Vinícius



Re: [gentoo-server] Local CA on Gentoo

2012-02-09 Thread Denis Bondar
Hi-

As an option look at https://www.startssl.com/
It provides valid certs for free.

2012/2/10 Vinícius Ferrão viniciusfer...@cc.if.ufrj.br

 Hi peeps,

 I would like to know if someone successfully implemented a Local CA to
 sign services and servers using Gentoo or other Linux.

 I'm currently in a Mixed Environment (we have: Windows 2008R2, OS X Lion,
 Linux and FreeBSD), and I really want a single solution, since I need certs
 for my servers, as example: a Postfix Mail Gateway, a W2k8 Domain
 Controller, Exchange Server, Mac OS X Time Machine Server, etc.

 Thanks in advance,
 Vinícius




-- 
Kind regards,
Denis Bondar


Re: [gentoo-server] Local CA on Gentoo

2012-02-09 Thread Ewald Wasscher
Hi,

IMHO EJBCA (http://www.ejbca.org) from the kind people at PrimeKey is
a very good open source CA solution. It is used in many large,
professional and certified/audited environments worldwide.

Regards,

Ewald



On 10 Feb 2012, at 02:04, Vinícius Ferrão
viniciusfer...@cc.if.ufrj.br wrote:

 Hi peeps,

 I would like to know if someone successfully implemented a Local CA to sign 
 services and servers using Gentoo or other Linux.

 I'm currently in a Mixed Environment (we have: Windows 2008R2, OS X Lion, 
 Linux and FreeBSD), and I really want a single solution, since I need certs 
 for my servers, as example: a Postfix Mail Gateway, a W2k8 Domain Controller, 
 Exchange Server, Mac OS X Time Machine Server, etc.

 Thanks in advance,
 Vinícius



Re: [gentoo-server] Re: Relatively recent guide on TCP congestion-avoidance algo's traffic shaping

2012-01-17 Thread David
 http://blog.edseek.com/~jasonb/articles/traffic_shaping/scenarios.html

 At the time of writing, the link appears to be down but you should be able
 to access it via Google's cache.


The site is also available here...

http://web.archive.org/web/20100727135916/http://blog.edseek.com/~jasonb/articles/traffic_shaping/scenarios.html




On Mon, Jan 16, 2012 at 1:10 PM, Kerin Millar kerfra...@gmail.com wrote:

 On 01/07/2011 01:58, Pandu Poluan wrote:

 Another factor that made me re-think my setup is the 'strange'
 characteristics of traffic between my office and our
 brand-spankin'-new subsidiary office 14 floors below us: SSH is very
 nice, but any big file transfers (sftp, http, ftp, cifs,*anything*
 biggish) will run well only for the first 10 seconds or so, before
 slowing to a crawl (and even managed to make WinSCP complaining of 'no
 response for 15 seconds'). But the ping's have no dropped packets at
 all.


 With respect to this particular syndrome, I have found the approach
 described here to be extraordinarily effective:-

 http://blog.edseek.com/~jasonb/articles/traffic_shaping/scenarios.html

 At the time of writing, the link appears to be down but you should be able to
 access it via Google's cache.

 Also, check out the tosfix() function in FireHOL, which demonstrates the
 above implementation (and happens to be the best iptables wrapper, imho).
 There's an ebuild in portage but I would advise that you supplement it by
 grabbing the latest instance of the firehol.sh script from upstream CVS.

 Cheers,

 --Kerin





[gentoo-server] Re: Relatively recent guide on TCP congestion-avoidance algo's traffic shaping

2012-01-16 Thread Kerin Millar

On 01/07/2011 01:58, Pandu Poluan wrote:

Another factor that made me re-think my setup is the 'strange'
characteristics of traffic between my office and our
brand-spankin'-new subsidiary office 14 floors below us: SSH is very
nice, but any big file transfers (sftp, http, ftp, cifs,*anything*
biggish) will run well only for the first 10 seconds or so, before
slowing to a crawl (and even managed to make WinSCP complaining of 'no
response for 15 seconds'). But the ping's have no dropped packets at
all.


With respect to this particular syndrome, I have found the approach 
described here to be extraordinarily effective:-


http://blog.edseek.com/~jasonb/articles/traffic_shaping/scenarios.html

At the time of writing, the link appears to be down but you should be able 
to access it via Google's cache.


Also, check out the tosfix() function in FireHOL, which demonstrates the 
above implementation (and happens to be the best iptables wrapper, 
imho). There's an ebuild in portage but I would advise that you 
supplement it by grabbing the latest instance of the firehol.sh script 
from upstream CVS.


Cheers,

--Kerin




Re: [gentoo-server] Re: Open Source Exchange alternatives

2011-12-13 Thread Matthew Marlowe
I've used zimbra for a number of clients over a several year period in
the past and it is solid/reliable - however, my experience was with
the commercial package running on RHEL5. The experience might be
completely different for someone running the open-source feature set
under gentoo.  Also, while zimbra does provide pretty much all the
features that one normally expects of an exchange type server and is
extremely supportive of outlook, it does go its own way.  I'm not sure
that the features are that awesome, but it did somewhat also serve as
a google apps alternative for cross platform users that didn't want to
trust their email to the cloud.

On Tue, Dec 13, 2011 at 5:41 AM, ITmail itm...@filtrationgroup.com wrote:


 On 12/12/11 01:03, Vladimir Rusinov wrote:

 On Mon, Dec 12, 2011 at 6:33 AM, Pandu Poluan pa...@poluan.info  wrote:

 I am aware of the following:

 * Zimbra
 * Zarafa
 * Open Xchange
 * SOGo

 key word is aware, not experienced.


 I'm a bit more aware about Open Xchange. I've installed their virtual
 appliance some time ago for some development purposes. And I had a feeling
 that it's quite stable and good supported. But, I've never actually used it
 and I don't know how it works on Gentoo. But since it's java, I don't think
 it's too hard to install and maintain.


 I've set up XCNetwork's XC Connect server on an ubuntu vm a few years back
 for a remote office and it seems to work with various Outlook clients as
 advertised (no complaints).  I never tried it with other calendar clients
 though.





-- 
Matthew Marlowe
m...@professionalsysadmin.com
https://www.twitter.com/deploylinux
1-805-857-9144

Courage is not simply one of the virtues, but the form of every
virtue at the testing point.  -- C.S. Lewis



Re: [gentoo-server] Re: Open Source Exchange alternatives

2011-12-13 Thread Mișu Moldovan
On Mon, Dec 12, 2011 at 04:33, Pandu Poluan pa...@poluan.info wrote:

 Uh, I may have misconstrued my question. I should've asked: Any experience
 with the alternatives available out there?

I've used Open-Xchange for a few weeks (as a user, not as an admin).
Mostly for sync'ing my contacts, calendar and tasks because my Google
Apps integration broke on my phone. Seems pretty slick, the web
interface is compatible with just about anything out there and devices
like phones and tablets think they are sync'ing to an MS Exchange
server. Give it a try at https://www.ox.io

The downside is that I couldn't find a native open-source desktop
client for the groupware functionality. I found a third-party
Evolution plugin for Open-Xchange that didn't compile on my amd64
gentoo box. Outlook would probably have worked, but I haven't tried
it.

-- 
mișu


