Re: Questions: Upgrade + Port Tree
On Sun, Aug 26, 2007 at 04:17:57PM -0500, Sean Darby wrote:

1. Would it be possible to address the issue of new port tree in some more detail after system upgrade in the FAQ?

I suppose it would be, but you're the first to ask this. (Somewhat surprisingly.)

I have followed the steps provided on the site's FAQ for upgrading my system (I have 4.0 now, going to 4.1). (...) I will follow the provided steps for the upgrade including the final steps (upgrading /etc and individual packages). I figured that if I'll be making any possible manual upgrades on packages after the system is upgraded, I might as well up the ports too. I presently have the default /usr/ports/* that comes with 4.0, I'd like to up that to the /usr/ports/* that comes with 4.1. What would be a safe process in doing that?

The fastest solution is to just use `cvs up'. (Or cvs -qd your_favourite_anoncvs_mirror up -P /usr/ports, as the case may be.) The easiest solution is probably to delete your ports tree and untar ports.tar.gz from 4.1.

I'm aware of individual/manual updates of packages, as with pkg_add -u (app), though am aiming for updating/upgrading the entire port tree structure (not download everything, just the tree that points me in the right direction within which the potentially new versions of apps would be available in 4.1). I see in the site's FAQ 15.3.2, Fetching the ports tree, basics like:

$ ftp ftp://ftp.openbsd.org/pub/OpenBSD/4.1/ports.tar.gz

However, the basic warning, "Before continuing, you must read the section about NOT mixing up your OpenBSD system and ports tree." ...leads to the section talking about crazy errors (doesn't really help much beyond linking back onto itself).
The important part to remember is that after a system upgrade, none of your ports is guaranteed to work until you upgrade them (although OpenBSD goes to great lengths to make sure they do keep working, and pretty much anything that does not interact directly with the kernel keeps working - things like pfstat and OpenAFS might break). In particular, just having a 4.0 port installed on the system should not be a problem. On the other hand, trying to install 4.0 ports on a 4.1 system, or the other way around, can lead to `weird problems'. This is what is meant by `mixing up your OpenBSD system and ports tree', and since quite a few people try to do so (`I want that -current port, so let's update the ports tree on my -stable system and install it - hey, it doesn't work!'), the FAQ makes an effort to make sure people `get this'. My usual upgrade involves updating the base system, rebooting, pkg_add -ui, and then updating whatever else I need (/usr/src, /usr/ports, ...). Joachim -- TFMotD: leave (1) - remind you when you have to leave
Re: IPsec on IPv6
On Mon, Aug 27, 2007 at 09:09:33AM +1000, Leon yendor wrote: There does not seem to be much mention of the combination in man pages etc in 4.1. Is it really just like IPsec over IPv4 or ? On a user-interface level, yes. (On a protocol level, not exactly - IPv6 has built-in support for IPsec - but as far as I know, all changes are improvements from the point of view of IPsec.) Joachim -- PotD: multimedia/gstreamer-0.10/plugins-ugly,-mpeg2 - multimedia framework - mpeg2 plugin
Re: Backport drivers from 4.1 to 4.0
Joachim and Nick, Thanks for the advice. I was just think about how to minimize the impact for production boxes based on previous release (4.0, 4.1...). Kevin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joachim Schipper Sent: Monday, August 27, 2007 4:21 AM To: misc@openbsd.org Subject: Re: Backport drivers from 4.1 to 4.0 On Mon, Aug 27, 2007 at 02:42:34AM +0800, Kevin Cheng wrote: Hi Darrin, Thanks for reply. The reason is that we have bunch of files integrated with 4.0 and it would take us months to upgrade to 4.2 again. we just finished from 3.3 to 4.0 of upgrade few months ago, plus months of test to stabilize our 4.0 based applications. Should we just isolate one by one manually as safety approach? Any CVS that we can trace for what files been changed for specific drivers? E.g., 4.0-4.1. I'd like to point out that 4.0-4.2 will be *a lot* easier than 3.3-4.0. You can, of course, use any of the AnonCVS mirrors, linked from the home page. But that is still the wrong approach. Joachim
Re: Another qemu + OpenBSD host + networking + pf
On Sun, Aug 26, 2007 at 08:30:19PM -0700, Allie Daneman spake forth:

Ok... first off I apologize for wasting bandwidth this morning looking for help... blame it on Sunday morning laziness. After googling and trying things I got my qemu working w/XP finally. The undeadly article is great but isn't as complete as it could be. Hopefully this will fill in the cracks for any of you out there that want to get qemu going ASAP to start using virtualization on OBSD ;)

Here it is cut and dry:

### Install ###

1) qemu-img create -f qcow xp.hd 4G
   Create image
   * make sure xp.hd is writable by the owner running qemu (otherwise you can't partition the drive in Windows Install) **

2) qemu -m 384 -cdrom XP.iso -boot d -monitor stdio xp.hd
   Boot iso image as if it was on a cdrom

### Setup networking ###

3) Update /etc/sysctl to enable forwarding:
   net.inet.ip.forwarding=1

4) Create /etc/hostname.tun0 with the following:
   link0 up inet 192.168.0.1 255.255.255.0

5) Create /etc/pf.conf with this or something similar:

   internal = tun0
   external = ipw0
   set loginterface $external
   scrub in all
   nat on $external from $internal:network to any -> ipw0
   pass quick on lo0 all flags any
   pass in quick on $internal proto icmp all keep state
   pass in quick on $internal from $internal:network to any keep state
   pass out quick on $internal from any to $internal:network keep state
   pass out quick on $external proto tcp all modulate state
   pass out quick on $external proto { udp, icmp } all keep state
   block quick all

### starting Qemu ###

6) sudo qemu -m 384 -monitor stdio -net nic -net tap xp.hd

That's it !!! No qemu-ifup script needed. Obviously you assign XP (or whatever OS you install) an IP in the 192.168.0.0/24 network and you're golden. This is a virtual network... so changing it is as easy as changing your hostname.tun0, pf.conf, and the IP in the OS you're running as a virtual.

My only dilemma is that I run dhcp on two external interfaces and I don't want to change DNS servers on my virtual every time I move. I think I'm going to work on running dhcpd on tun0 and script a DNS IP harvester for dhcpd to assign the same DNS servers as the host. There's always more to do ;) Enjoy...

Thanks for all of that. It'll make it a lot easier for a pf dummy like myself. Sorry for the link before. Didn't know it was the same info as undeadly. Just a link, that is, to where I sent you. We know where the road of good intentions leads. ;)

Denny White -- [ 1987 - 2007 ] http://sdf.lonestar.org Public Access Unix System === GnuPG key : 0x1644E79A | http://wwwkeys.nl.pgp.net Fingerprint: D0A9 AD44 1F10 E09E 0E67 EC25 CB44 F2E5 1644 E79A ===
Re: VPN Connection from 4.1 to WatchGuard
On Thu, Aug 23 2007 at 58:21, James Lepthien wrote:

Hi again,

Hi,

just for your information and if anybody runs into the same problem. I found out that there are a lot of sysctl values for IPSec which can be changed so that it is possible for me to not use the default timeout of 86400. Have a look:

[...]
net.inet.ip.ipsec-pfs=1
net.inet.ip.ipsec-timeout=28800
net.inet.ip.ipsec-soft-timeout=8
[...]

soft timeout should be inferior to ipsec-timeout. From what I understood, ipsec timeout is when isakmpd *needs* a new key pair. ipsec-soft-timeout is when the kernel computes the key pair. So if soft-timeout is longer than the isakmpd one, then isakmpd has to wait for the calculation of the key as soon as it requires it. As the calculation may take some time, you certainly prefer the kernel computes the keys before isakmpd asks for them.

I already changed the ipsec-timeout to my WatchGuard value at the other end and also changed the encryption to 3des. Now I will take a closer look if it really works flawlessly ;) Aren't these values fixed with ipsecctl or isakmpd.conf?!

Cheers, James

PS: Does anybody know which are the timeouts for phase 1 and 2? I guess the ipsec-timeout I changed is for phase 2 only. Which of the others is for phase 1?

The phase1 and phase2 timeouts are managed by isakmpd.conf (search misc, it was already mentioned several times ;)) By default, isakmpd negotiates the value with the peer between 60 and 84600 seconds.

[...]

My ipsec.conf looks like this:

ike esp from $ext_IP to $peer_GW
ike esp from $ext_IP to $peer_LAN peer $peer_GW
ike esp from $int_LAN to $peer_LAN \
    peer $peer_GW \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des group none \
    psk

You have group none for phase 2. That means you don't use PFS. But in this email you fixed sysctl's pfs option to 1. There is a contradiction.

Regards, Claer
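The PFS mismatch Claer points out (phase-2 `group none` next to `net.inet.ip.ipsec-pfs=1`) is easy to miss in a long ipsec.conf. The following is an added example, not code from the thread or from OpenBSD: a small audit script that joins backslash-continued `ike` rules, pulls the Diffie-Hellman `group` out of the `main` (phase 1) and `quick` (phase 2) transform lists, and reports rules that disable PFS while the sysctl asks for it. The sample configuration is constructed (documentation addresses stand in for the poster's macros); the keyword layout assumed is the one ipsec.conf(5) uses in the rule quoted above. A rule without an explicit `quick ... group` is reported as unspecified rather than guessed, since the default depends on the release.

```python
"""Audit ipsec.conf(5) 'ike' rules for phase-2 PFS (added example, not OpenBSD code)."""
import re

# Constructed sample: the poster's rule with documentation addresses, plus a PFS-on variant.
SAMPLE_IPSEC_CONF = """\
ike esp from 192.0.2.1 to 198.51.100.1
ike esp from 192.0.2.1 to 10.10.0.0/24 peer 198.51.100.1
ike esp from 10.0.0.0/24 to 10.10.0.0/24 \\
    peer 198.51.100.1 \\
    main auth hmac-sha1 enc 3des group modp1024 \\
    quick auth hmac-sha1 enc 3des group none \\
    psk "constructed-example-psk"
ike esp from 10.0.1.0/24 to 10.10.1.0/24 peer 198.51.100.2 \\
    main auth hmac-sha1 enc aes group modp1024 \\
    quick auth hmac-sha1 enc aes group modp1024 psk "constructed-example-psk"
"""

# Constructed sysctl output, using the values from the post.
SAMPLE_SYSCTL = """\
net.inet.ip.ipsec-pfs=1
net.inet.ip.ipsec-timeout=28800
net.inet.ip.ipsec-soft-timeout=8
"""

PHASE_KEYWORDS = ("main", "quick")
# Keywords that end a transform list inside an ike rule (assumed ipsec.conf(5) grammar).
TAIL_KEYWORDS = {"psk", "rsa", "srcid", "dstid", "lifetime", "ikelifetime", "tag"}


def _logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def _phase_groups(tokens):
    """Return {'main': group, 'quick': group}; None when no explicit 'group'."""
    groups = {"main": None, "quick": None}
    phase = None
    for i, tok in enumerate(tokens):
        if tok in PHASE_KEYWORDS:
            phase = tok
        elif tok in TAIL_KEYWORDS:
            phase = None
        elif tok == "group" and phase is not None and i + 1 < len(tokens):
            groups[phase] = tokens[i + 1]
    return groups


def parse_ike_rules(conf_text):
    """One dict per 'ike' rule: phase-1 group, phase-2 group, and whether PFS is on.
    pfs is None when the rule leaves the quick-mode group to the release default."""
    rules = []
    for line in _logical_lines(conf_text):
        tokens = line.split()
        if tokens[0] != "ike":
            continue
        groups = _phase_groups(tokens)
        pfs = None if groups["quick"] is None else groups["quick"] != "none"
        rules.append({"rule": line, "phase1_group": groups["main"],
                      "phase2_group": groups["quick"], "pfs": pfs})
    return rules


def parse_sysctl(sysctl_text):
    """'name=value' lines as printed by sysctl(8) -> dict."""
    out = {}
    for line in sysctl_text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            out[name.strip()] = value.strip()
    return out


def audit(conf_text, sysctl_text):
    """Warnings for rules that turn PFS off while net.inet.ip.ipsec-pfs=1."""
    wants_pfs = parse_sysctl(sysctl_text).get("net.inet.ip.ipsec-pfs") == "1"
    return [
        "phase 2 'group none' (no PFS) while net.inet.ip.ipsec-pfs=1: " + r["rule"]
        for r in parse_ike_rules(conf_text)
        if wants_pfs and r["pfs"] is False
    ]


if __name__ == "__main__":
    for r in parse_ike_rules(SAMPLE_IPSEC_CONF):
        print("phase1=%s phase2=%s pfs=%s" % (r["phase1_group"], r["phase2_group"], r["pfs"]))
    for warning in audit(SAMPLE_IPSEC_CONF, SAMPLE_SYSCTL):
        print("WARNING:", warning)
```

Run it against a real file with `audit(open("/etc/ipsec.conf").read(), subprocess.check_output(["sysctl", "net.inet.ip"]).decode())`; the only rule it flags in the sample is the poster's third one, which is exactly the contradiction Claer describes.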
openssl: digital envelope routines:EVP_DecryptFinal:bad decrypt
Hi lads,

Having a wee bit of bother decrypting a dump before a restore following a 4.0 -> 4.1 migration on i386. Different box, same hardware apart from a bigger disk. I've decrypted and restored successfully before and not had any probs, but was on the same 4.0 box. Could host keys be the issue? Searching shows me I have the wrong pass phrase, see below:

[EMAIL PROTECTED] /home 0# ls -l /var/dumpster/spool/teak/_home_0*
-rw-r--r--  1 root  wheel  513409024 Aug 24 04:18 /var/dumpster/spool/teak/_home_0_Year.dump.gz.crypto
-rw-r--r--  1 root  wheel        101 Aug 24 04:19 /var/dumpster/spool/teak/_home_0_Year.dump.gz.crypto.digest
[EMAIL PROTECTED] /home 0# sha1 /var/dumpster/spool/teak/_home_0_Year.dump.gz.crypto
SHA1 (/var/dumpster/spool/teak/_home_0_Year.dump.gz.crypto) = 6cfb01a847e97608cf5fe6767ee3272fab39c0f5
[EMAIL PROTECTED] /home 0# cat /var/dumpster/spool/teak/_home_0_Year.dump.gz.crypto.digest
SHA1 (/var/dumpster/tmp/teak/_home_0_Year.dump.gz.crypto) = 6cfb01a847e97608cf5fe6767ee3272fab39c0f5
[EMAIL PROTECTED] /home 1# openssl enc -bf -d -salt \
    -pass file:/etc/dumpster/teak.dumpster_slices.conf.passwd \
    -in /var/dumpster/spool/teak/_home_0_Year.dump.gz.crypto \
    -out /var/dumpster/spool/teak/_home_0_Year.dump.gz
bad decrypt
14574:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:/usr/src/lib/libssl/src/crypto/evp/evp_enc.c:509:
[EMAIL PROTECTED] /home 0# ls -l /var/dumpster/spool/teak/_home_0_Year.dump.gz
-rw-r--r--  1 root  wheel  513409000 Aug 27 08:48 /var/dumpster/spool/teak/_home_0_Year.dump.gz

Have a go anyway and see what comes out in the wash:

[EMAIL PROTECTED] /home 0# gunzip /var/dumpster/spool/teak/_home_0_Year.dump.gz
[EMAIL PROTECTED] /home 0# ls -l /var/dumpster/spool/teak/_home_0_Year.dump
-rw-r--r--  1 root  wheel  639454657 Aug 27 08:57 /var/dumpster/spool/teak/_home_0_Year.dump
[EMAIL PROTECTED] /home 0# restore rf /var/dumpster/spool/teak/_home_0_Year.dump
./a-user/some/file: (inode 20743) not found on tape
Mount tape volume 2
Enter ``none'' if there are no more tapes
otherwise enter tape name (default: /var/dumpster/spool/teak/_home_0_Year.dump) none
Warning: End-of-input encountered while extracting ./a-user/another/file
bad entry: incomplete operations
name: ./a-user/some/thing/else.pdf
parent name ./a-user/some/thing
entry type: LEAF
inode number: 46871
flags: NEW
abort? [yn] y
dump core? [yn] n
[EMAIL PROTECTED] /home 0# rm -rf /home/*

I found this, which suggests a bad password:

http://www.eecis.udel.edu/wiki/ececis-docs/index.php/FAQ/Applications#toc22

To decrypt (notice the -d for decryption) the file created in the previous example do the following:

% openssl enc -d -in ciphertextout -out outputfile -aes256
enter aes-256-cbc decryption password:

If the password is correct the plaintext will appear in outputfile. Be sure to delete or protect this file when done. At all times also make sure that standard permissions would not allow someone to read the plaintext file. If an incorrect password is entered something like this will be displayed:

bad decrypt
11044:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:450:

[EMAIL PROTECTED] /home 0# cat /etc/dumpster/teak.dumpster_slices.conf.passwd
Super secret phrase
[EMAIL PROTECTED] /home 0# openssl enc -bf -d -salt \
    -in /var/dumpster/spool/teak/_home_0_Year.dump.gz.crypto \
    -out /var/dumpster/spool/teak/_home_0_Year.dump.gz
enter bf-cbc decryption password:Super secret phrase
bad decrypt
5368:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:/usr/src/lib/libssl/src/crypto/evp/evp_enc.c:509:

The pass phrase is over 100 characters long, includes UPPER and lower letters, digits, and symbols including ; and others. Could this be the cause?

TIA for any pointers.

-- Craig Skinner [EMAIL PROTECTED] Phone +44 (0) 1506 673024 5-digit shortdial:x73024 Sun Remote Support Centre, Linlithgow, Scotland, UK
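Three things decide whether `openssl enc -d` succeeds, and the thread above touches all of them: which bytes `-pass file:` actually uses (the first line of the file, with only the trailing newline removed, so a CR from a CRLF file or a trailing blank becomes part of the passphrase), how the `Salted__` header and EVP_BytesToKey turn that passphrase into a key and IV, and the PKCS#7 padding check in EVP_DecryptFinal whose failure is what prints as "bad decrypt". The block below is an added example, not the poster's tooling or OpenSSL's code; it reimplements those three pieces with the standard library only, so the cipher itself is not run. It assumes the classic pre-1.1.0 `enc` defaults the 2007 systems used (MD5, one iteration; bf-cbc takes a 16-byte key and an 8-byte IV). Because `enc` has no MAC, a wrong passphrase and a corrupted or truncated ciphertext produce the identical error, which is why the sha1 digest check in the post is the right first step.

```python
"""The parts of 'openssl enc' that decide a decrypt's fate (added example, stdlib only)."""
import hashlib

SALTED_MAGIC = b"Salted__"


def first_line_passphrase(file_bytes: bytes) -> bytes:
    """What 'openssl enc -pass file:PATH' uses: the first line, up to the newline.
    Only the '\\n' is dropped; a '\\r' from a CRLF file or trailing blanks stay."""
    line, _, _ = file_bytes.partition(b"\n")
    return line


def parse_salted_header(data: bytes):
    """Split a file written with 'openssl enc -salt' into (salt, ciphertext)."""
    if data[:8] != SALTED_MAGIC:
        raise ValueError("no Salted__ header: not an 'openssl enc -salt' file")
    return data[8:16], data[16:]


def bytes_to_key(passphrase: bytes, salt: bytes, key_len: int, iv_len: int,
                 md: str = "md5", count: int = 1):
    """EVP_BytesToKey: D_i = H^count(D_{i-1} || passphrase || salt), concatenated
    until key_len + iv_len bytes exist. 'enc' uses count=1; MD5 was the default
    digest until OpenSSL 1.1.0 switched it to SHA-256."""
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, prev + passphrase + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(md, block).digest()
        derived += block
        prev = block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def strip_pkcs7(last_block: bytes, block_size: int) -> bytes:
    """The check EVP_DecryptFinal performs on the final plaintext block; any
    failure here is reported as 'bad decrypt'. With no MAC, a wrong key and a
    damaged ciphertext are indistinguishable at this point."""
    if len(last_block) != block_size:
        raise ValueError("bad decrypt: ciphertext is not a whole number of blocks")
    pad = last_block[-1]
    if pad < 1 or pad > block_size or last_block[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad decrypt: padding check failed")
    return last_block[:-pad]


def bf_key_iv_for(passphrase_file: bytes, encrypted: bytes, md: str = "md5"):
    """Key and IV that 'openssl enc -bf -d -salt -pass file:...' derives for this
    file; compare with the key=/iv= lines 'openssl enc ... -P' prints."""
    salt, _ciphertext = parse_salted_header(encrypted)
    return bytes_to_key(first_line_passphrase(passphrase_file), salt, 16, 8, md)


if __name__ == "__main__":
    # Constructed sample: Salted__ header, a fake 8-byte salt, two fake 8-byte blocks.
    sample = SALTED_MAGIC + bytes(range(8)) + bytes(16)
    key, iv = bf_key_iv_for(b"Super secret phrase\n", sample)
    print("key=%s\niv =%s" % (key.hex().upper(), iv.hex().upper()))
```

To use it on the real dump, read the first 16 bytes of the `.crypto` file and the passphrase file and compare the result with `openssl enc -bf -d -salt -P -pass file:... -in ...` on the box that wrote the backup; if the two differ, the passphrase bytes differ, and if they match, the error is elsewhere in the file. Anyone decrypting such a 2007-era file with a current OpenSSL also needs `-md md5`, because the default digest changed in 1.1.0 and a different digest yields a different key with the same "bad decrypt" symptom.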
Re: nat ipv6 -> ipv4 using pf
On Sun, Aug 26, 2007 at 12:48:06PM +0200, alwin wrote:

i have a webserver and i'm using ipv6 and ipv4 addresses. the apache server in openbsd does not support ipv6 so i thought i will use pf to nat the ipv6 address to the ipv4 address for port 80. but pf for some reason does not support this. i added the following rule to /etc/pf.conf:

nat pass on vr0 from any to 2000:888:10:bbb::2 port http -> 213.84.168.252 port http

and got the following error message:

/etc/pf.conf:40: no translation address with matching address family found.

using rdr instead of nat gives the same problem. if i read this correctly pf does not support natting between different address families (eg ipv6 and ipv4). why is this?

Remember that IPv4 datagrams and IPv6 datagrams are different, and have different structures. This should be obvious from the fact that IPv6 addresses are bigger than IPv4 addresses.

Now, consider what the output packet would look like, post-NAT, in the scenario you describe. Would it be an IPv4 packet containing an IPv6 source address? It couldn't be - it wouldn't fit. (However I like the idea of using IPv5 for this purpose :-) Or would it be an IPv6 packet containing an IPv4 destination address? Well it could, as there's a standard way of mapping IPv4 addresses into IPv6 format, but your application won't receive IPv6 packets so that doesn't help.

NAT just changes addresses within a packet. What you want to do is to replace a TCP-over-IPv6 stream with a TCP-over-IPv4 stream (and of course, in the latter case, both source and destination addresses would have to be IPv4).

If you really want to do this, you could set up a TCP (layer 4) proxy which accepts incoming IPv6 connections and makes outgoing IPv4 connections. But that wouldn't be very good, because Apache would see incoming sessions all arriving from the proxy's IP address, which means you lose the real source IP addresses in logs and access control.

A HTTP (layer 7) proxy would be better, in that it could add an X-Forwarded-For: header which contained the original source IPv6 address. However, I think you'd find life far, far easier just by recompiling Apache to work with IPv6 natively.

Regards, Brian.
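Brian's layer-7 alternative, as an added example that is not part of the thread, of pf, or of Apache: a minimal HTTP proxy that listens on IPv6, opens an IPv4 connection to the backend for each request, and records the real client address in X-Forwarded-For. The listen and backend addresses are assumptions (`[::]:8081` in front of an IPv4-only Apache on `127.0.0.1:8080`), as is the simplification to one request per connection. The security point it carries is in `rewrite_request_head`: because this proxy is the edge, any X-Forwarded-For the client sends is discarded rather than appended to, so Apache's logs and access control see only the address the proxy itself observed.

```python
"""IPv6-facing HTTP proxy to an IPv4-only backend (added example, not from the thread)."""
import socket
import socketserver

LISTEN = ("::", 8081)          # assumed public IPv6 listener
BACKEND = ("127.0.0.1", 8080)  # assumed IPv4-only Apache
MAX_HEAD = 64 * 1024           # refuse absurd request heads


def rewrite_request_head(head: bytes, client_ip: str) -> bytes:
    """Return the request head (request line + headers + blank line) with any
    client-supplied X-Forwarded-For dropped, one X-Forwarded-For naming the
    real peer, and Connection: close forced so one request maps to one
    backend connection."""
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], [l for l in lines[1:] if l]
    kept = [h for h in headers
            if not h.lower().startswith((b"x-forwarded-for:", b"connection:"))]
    kept.append(b"X-Forwarded-For: " + client_ip.encode("ascii"))
    kept.append(b"Connection: close")
    return b"\r\n".join([request_line] + kept) + b"\r\n\r\n"


def content_length(head: bytes) -> int:
    """Declared body length, 0 when absent (chunked uploads are not handled here)."""
    for line in head.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0


class ProxyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        client_ip = self.client_address[0]   # e.g. '2001:db8::10' on the v6 listener
        buf = b""
        while b"\r\n\r\n" not in buf:        # read the request head
            chunk = self.request.recv(4096)
            if not chunk or len(buf) > MAX_HEAD:
                return
            buf += chunk
        head, body = buf.split(b"\r\n\r\n", 1)
        head += b"\r\n\r\n"
        need = content_length(head) - len(body)
        while need > 0:                      # read the declared body
            chunk = self.request.recv(min(need, 65536))
            if not chunk:
                return
            body += chunk
            need -= len(chunk)
        with socket.create_connection(BACKEND) as upstream:   # the IPv4 leg
            upstream.sendall(rewrite_request_head(head, client_ip) + body)
            while True:                      # relay the response verbatim
                data = upstream.recv(65536)
                if not data:
                    break
                self.request.sendall(data)


class V6Server(socketserver.ThreadingTCPServer):
    address_family = socket.AF_INET6
    allow_reuse_address = True
    daemon_threads = True


if __name__ == "__main__":
    with V6Server(LISTEN, ProxyHandler) as server:
        server.serve_forever()
```

On the Apache side this only helps if the log format or access rules actually consult X-Forwarded-For, and only for requests arriving from the proxy's own address; a backend reachable by other paths must not trust the header from anyone else.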
Re: nat ipv6 -> ipv4 using pf
Hello,

On Sun, Aug 26, 2007 at 12:48:06PM +0200, alwin wrote:

i have a webserver and i'm using ipv6 and ipv4 addresses. the apache server in openbsd does not support ipv6 so i thought i will use pf to nat the ipv6 address to the ipv4 address for port 80. but pf for some reason does not support this. i added the following rule to /etc/pf.conf:

nat pass on vr0 from any to 2000:888:10:bbb::2 port http -> 213.84.168.252 port http

and got the following error message:

/etc/pf.conf:40: no translation address with matching address family found.

As you have noticed and has been explained, this is not possible. Maybe you can find it interesting to have a look at faithd(8) which, however, relies on an optional feature which is not compiled* in GENERIC kernels (pseudo-device faith 1 in sys/config/GENERIC).

* I would be interested in some explanations and/or pointers about why this feature is not enabled by default (security or kernel size reason?).

-- Olivier Mehani [EMAIL PROTECTED] PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1
Scaling DNS with CARP + pf (+ hoststated ?)
Hi there,

I'm wondering is there a way to scale DNS service using OpenBSD's CARP and loadbalancing/pool features of pf? How about hoststated(8)? (as I know hoststated(8) doesn't support UDP right now)

Here is the lab setup I tried but ran into problems:

1) setup two OpenBSD 4.1 servers with two CARP groups and pfsync as written in OpenBSD FAQ/manuals,

2) each CARP group holds its public DNS IP address (clients use these IPs as nameservers),

3) on each server, first DNS IP is x.x.x.1 and it is bound to carp0, and second DNS IP is x.x.x.2 and it is bound to carp1,

4) as this is a common active-active failover scenario, each server is the CARP master for a single DNS IP (of course, it is also a backup for the other DNS IP),

5) I create /etc/dns_pool which contains IP addresses of the backend DNS servers located on the same LAN as these two CARP boxes (LAN firewall denies direct access from clients to these backend servers):

x.x.x.3
x.x.x.4
x.x.x.5
x.x.x.6
... etc

6) then, I build and enable the following pf.conf (note the usage of /etc/dns_pool)

set skip on lo
scrub in no-df
table <dns_pool> persist file /etc/dns_pool
rdr pass on trunk0 proto { tcp udp } to { (carp0) \
    (carp1) } port 53 -> <dns_pool> port 53 round-robin
block in quick inet6
pass out quick
pass quick on trunk0 proto carp
pass quick on fxp2 proto pfsync
pass in quick on trunk0 inet proto tcp to (trunk0) \
    port 22
block in quick

7) as you can see I use trunk(4) (in failover mode) - it works well,

8) now, when I try to use a client (with public DNS IPs as nameservers) I got the following:

# host www.cnn.com
;; reply from unexpected source: x.x.x.3#53, expected x.x.x.1#53
;; reply from unexpected source: x.x.x.3#53, expected x.x.x.1#53
;; reply from unexpected source: x.x.x.5#53, expected x.x.x.2#53
;; connection timed out; no servers could be reached

It is clear now that the client side DNS resolver inspects the DNS reply packet payload (which originates from one of the backend servers) _and_ compares it with the packet src IP (it is the public DNS IPs due to rdr translation).

So please, any suggestions how to make DNS loadbalancing on OpenBSD work? It would be great if this can be done with hoststated so I would have enough arguments to choose OpenBSD over Cisco CSM (which is currently being considered for this task).

Thanks for any suggestion!

Reje
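The `host` output above is the stub resolver's own sanity check: it compares the UDP source of the reply with the address it sent the query to and discards mismatches, so a backend whose answer leaves the LAN without passing back through the rdr state arrives with its real address and is thrown away. The probe below is an added example (not part of the post, pf or hoststated) that builds one A query by hand, sends it to a nameserver address, and applies the same acceptance checks a resolver applies (source address, transaction ID, QR bit), reporting the first one that fails. Run against each CARP address it answers the question the poster is chasing: whether replies to that VIP come back from the VIP or from a pool member. The server address in the usage line is a placeholder.

```python
"""One-shot DNS probe that mirrors the resolver's reply checks (added example)."""
import os
import socket
import struct


def build_query(qname: str, qid: int) -> bytes:
    """A standard recursive A/IN query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def classify_reply(query: bytes, reply: bytes, sent_to: str, reply_from: str) -> str:
    """Apply the checks a stub resolver applies before trusting a UDP reply.
    Returns 'ok' or the reason the reply would be dropped."""
    if reply_from != sent_to:
        return "reply from unexpected source: %s#53, expected %s#53" % (reply_from, sent_to)
    if len(reply) < 12:
        return "reply shorter than a DNS header"
    if reply[:2] != query[:2]:
        return "transaction id mismatch"
    if not reply[2] & 0x80:
        return "QR bit not set: this is a query, not a response"
    return "ok"


def probe(server: str, qname: str, timeout: float = 2.0) -> str:
    """Send one query to server:53 over UDP and classify whatever comes back."""
    qid = struct.unpack("!H", os.urandom(2))[0]       # random ID, as resolvers do
    query = build_query(qname, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            reply, (src, _port) = sock.recvfrom(4096)
        except socket.timeout:
            return "connection timed out; no reply from %s" % server
    return classify_reply(query, reply, server, src)


if __name__ == "__main__":
    print(probe("192.0.2.1", "www.example.com"))   # placeholder for a CARP DNS address
```

A reply rejected here with "unexpected source" confirms the asymmetry the resolver is complaining about; a reply accepted from the VIP means the translation state was traversed in both directions.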
Re: Radeon X1300 mobile + WXGA - out of luck?
On Sunday 26 August 2007 at 22:10 +0200, Joachim Schipper wrote:

On Sun, Aug 26, 2007 at 06:39:13PM +0200, Joachim Schipper wrote:

On Sun, Aug 26, 2007 at 03:38:47PM +0200, Eric Elena wrote:

On Saturday 25 August 2007 at 22:41 +0200, Joachim Schipper wrote:

I just got a laptop (Acer Aspire 5100 `series') with a Radeon video card (X1300) and a WXGA screen - 1200x800. It was a good deal, but the ATI video card had me worried. Am I correct in thinking that there is no way to get X to display 1200x800 (...) (--) VESA(0): Virtual size is 1024x768 (pitch 1024)

Have you tried to add Virtual 1200 800 in the subsection display (section screen)?

No; I just tried to play with it, and:

- without Option ShadowFB no the screen is garbled (the bottommost part is not initialized, i.e. displays whatever was displayed there last, and the rest of the screen is repeated in four `bands' - and you can scroll the screen as noted below)

- with Option ShadowFB no the screen displays correctly, but sadly at 1024x800 (or possibly 1024x768). Moving the mouse cursor to the edge scrolls the screen, which, I suppose, is the proper behaviour. Of course, the display is rather slow without ShadowFB, but that's not really a problem.

Note that the shadow buffer works fine for any of the `supported' (if wrong) modes like 1024x800.

A new log file, with your virtual line and the shadow buffer disabled, is available at http://jschipper.dynalias.net/~joachim/posts/20070825/Xorg.0.log.

^^ I'm an idiot. Use http://jschipper.dynalias.net/~joachim/posts/20070826/Xorg.0.log, or the old URL (I just created that file). Sorry for the noise...

Joachim

Can you send your xorg.conf?

Eric
Re: Scaling DNS with CARP + pf (+ hoststated ?)
On Mon, 27 Aug 2007 05:03:40 -0700 (PDT), reje [EMAIL PROTECTED] wrote: Hi there, I'm wondering is there a way to scale DNS service using OpenBSD's CARP and loadbalancing/pool features of pf ? How about hoststated(8) ? (as I know hoststated(8) doesn't support UDP right now) Is it really necessary to balance your DNS load across multiple servers? The DNS infrastructure was designed with redundancy in mind. Are you answering so many queries that it's necessary to spread the load across multiple servers behind the same virtual address? Seems very unlikely. DNS is a very low-overhead protocol; I would expect your firewall pool to suffer before your DNS servers. Sorry, I know this doesn't answer your question but it smells like you're over-engineering. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net
Re: Scaling DNS with CARP + pf (+ hoststated ?)
reje wrote: Hi there, I'm wondering is there a way to scale DNS service using OpenBSD's CARP and loadbalancing/pool features Don't ever load balance DNS in anyway. Read the DNS BIND book. -- Craig Skinner [EMAIL PROTECTED] Phone +44 (0) 1506 673024 5-digit shortdial:x73024 Sun Remote Support Centre, Linlithgow, Scotland, UK
Re: Software freedom
Theo de Raadt [EMAIL PROTECTED] writes:

If anyone had any doubt that our insistence on freedom was important, just read this. http://mail-index.netbsd.org/source-changes/2007/08/24/0027.html What is even more astounding is the incestuous love-in these other groups have, with their Sam-worship, that prevents them from doing the obvious and right thing. I for one, will say that I don't understand it at all. But hey, it gives me another reason to mock the cult of Sam (Leffler) and Jason (Thorpe). Fun fun fun.

Ouch. Now the people in the office are looking at me and asking me why I'm laughing like a maniac. :)

//art
Re: Backport drivers from 4.1 to 4.0
Kevin Cheng [EMAIL PROTECTED] writes: Hi Darrin, Thanks for reply. The reason is that we have bunch of files integrated with 4.0 and it would take us months to upgrade to 4.2 again. we just finished from 3.3 to 4.0 of upgrade few months ago, plus months of test to stabilize our 4.0 based applications. Should we just isolate one by one manually as safety approach? Any CVS that we can trace for what files been changed for specific drivers? E.g., 4.0-4.1. this is such a bad idea. From experience I can tell you that it's much easier (in total) to upgrade your code once every 6 months than to do huge projects to do the same once every few years. //art Thanks, Kevin -Original Message- From: Darrin Chandler [mailto:[EMAIL PROTECTED] Sent: Monday, August 27, 2007 2:19 AM To: Kevin Cheng Cc: misc@openbsd.org Subject: Re: Backport drivers from 4.1 to 4.0 On Mon, Aug 27, 2007 at 01:33:34AM +0800, Kevin Cheng wrote: What would be the safe way to backport driver codes from 4.1 to 4.0, such as (/usr/src/sys/dev) ci, pcmcia, usb? For most values of safe the answer is none. With the upcoming 4.2 release, 4.0 will be unsupported. Your backports will be unsupported immediately. Is there some pressing reason why you can't upgrade/reinstall to a newer version? -- Darrin Chandler| Phoenix BSD User Group | MetaBUG [EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/ http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
Re: Software freedom
rest of the kernel uses it to store the value of curlwp. Sam won't recompile the HAL for us (fair enough), and we can't modify the HAL to use another register because doing so could put us in breach of the license (v. crappy). So, do a save/set/restore on %s7 in KernIntr() How hard is it to recompile the HAL that Sam can't be bothered to do it, and more importantly, why should a trivial change to make the software inter operable be a breach of the license? That can't be the owner's intent.
Re: Scaling DNS with CARP + pf (+ hoststated ?)
reje wrote: Please take a look at this Cisco document regarding Scaling DNS services and CSM: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns377/c649/cdccont_0900aecd800eb95d.pdf It a while since I had such a good laugh. The cisco doc above requires more than one device, but as IOS is incapable of running BIND they have come up with their kludge. p.s.- long ago read DNS BIND but this book assumes tolerance to DNS timeouts and availability of more than two DNS IP addresses. :) If you are CARPing, you have more than 1 box, so you can put caching resolvers on them, or other boxes. If you are serving zones, use a hidden master and have slaves pull from that to serve to the Internet. You are wasting your time trying to load balance DNS with hardware or software when the protocol was designed to withstand major problems. If your leased line your cisco/carp boxes goes down to then what? DNS is designed to be globally redundant, with multiple servers serving the same zones. Work with it, not against it. -- Craig Skinner [EMAIL PROTECTED] Phone +44 (0) 1506 673024 5-digit shortdial:x73024 Sun Remote Support Centre, Linlithgow, Scotland, UK
Re: nat ipv6 -> ipv4 using pf
On Mon, Aug 27, 2007 at 01:32:20PM +0100, Brian Candler wrote:

On Sun, Aug 26, 2007 at 12:48:06PM +0200, alwin wrote:

i have a webserver and i'm using ipv6 and ipv4 addresses. the apache [...]

Brian.

hmm yes, the ipv6 address won't fit in the ipv4 space, the other way around would work but it will become a mess (apache log files for example). so that's a no go.

the l7 proxy could work, i have polipo working but not for the outside world. i don't like compiling apache with ipv6 support since i would end up with a non standard openbsd base install (which will complicate upgrading and troubleshooting).

the faithd daemon also looks quite cool, although it maps the other way around, it will be useful when you have an ipv6 only network.

anyway, thanks for the good suggestions, i will have a look at apache2 (since i'm running svn too, this might be a good idea), or else i will simply drop ipv6 for the http and wait for the ipv6 patches to be included.

alwin.
Re: Scaling DNS with CARP + pf (+ hoststated ?)
Yes, we have that many DNS requests hitting our servers (we are not experiencing any DoS but from legitimate user requests :-) Furthermore, the DNS infrastructure timeouts are unacceptable in our scenario. Registering additional NS records is also unacceptable.

FYI: our primary DNS experiences cca. 4000 requests per second, secondary goes with cca. 3000 req/sec. Primary server is SUN Fire V480 with 16GB RAM, secondary is also SUN Fire V480 with 8GB RAM. Both servers are running Solaris 9 + BIND 9. Firewall is PIX 535, works like a charm.

Cheers

--- Jason Dixon [EMAIL PROTECTED] wrote:

On Mon, 27 Aug 2007 05:03:40 -0700 (PDT), reje [EMAIL PROTECTED] wrote:

Hi there, I'm wondering is there a way to scale DNS service using OpenBSD's CARP and loadbalancing/pool features of pf? How about hoststated(8)? (as I know hoststated(8) doesn't support UDP right now)

Is it really necessary to balance your DNS load across multiple servers? The DNS infrastructure was designed with redundancy in mind. Are you answering so many queries that it's necessary to spread the load across multiple servers behind the same virtual address? Seems very unlikely. DNS is a very low-overhead protocol; I would expect your firewall pool to suffer before your DNS servers. Sorry, I know this doesn't answer your question but it smells like you're over-engineering.

-- Jason Dixon DixonGroup Consulting http://www.dixongroup.net
Re: Software freedom
rest of the kernel uses it to store the value of curlwp. Sam won't recompile the HAL for us (fair enough), and we can't modify the HAL to use another register because doing so could put us in breach of the license (v. crappy). So, do a save/set/restore on %s7 in KernIntr()

How hard is it to recompile the HAL that Sam can't be bothered to do it, and more importantly, why should a trivial change to make the software inter operable be a breach of the license? That can't be the owner's intent.

I don't think you should ask our list, but instead go ask Sam directly. He is after all, the owner, since it is not free source code.

Free source code depends on a basic principle that you don't need to count on the decisions of others -- whether they be companies or individuals -- because you have all the pieces you need to build, repair, or improve things. But in the case of NetBSD (and FreeBSD) users, for Atheros support, this principle has been badly broken for years. A few people in a personality cult have decided that they will permit a piece of one-person-dependent binary software into their source tree, and will screw all their users by doing so.

Then along came Reyk, and a few others who helped him, who wrote a completely free replacement for the non-free atheros driver. But did the NetBSD and FreeBSD developers choose to participate and help him? No, in fact they actively work through postings to reduce developers' desire to work with Reyk. A few years ago there were even core developers in those projects passing along a meme that Reyk's code was illegal or immoral in some sense. Shame on them.

In that way, the FreeBSD and NetBSD developers stuck to their cult process, with Jason Thorpe (apparently) being the loud voice inside NetBSD core pushing for retaining the Sam Leffler non-free code, and dismissing the proposals from those who would have preferred to see some people in that project at least working with Reyk's free work to improve support.

In FreeBSD, various developers have also let their love of Sam stand ahead of their respect for their users' wants and needs. Who does Sam love? Not the principled free source users, but perhaps an NDA with Atheros, and his friends who work there.

Now, no one says that Reyk's free driver is 100% complete (and this is mostly because Atheros keeps changing their chips in really strange ways, all undocumented of course). But at least it is free, and others could participate at improving it, through the same reverse engineering and guess work that Reyk has done. On the other side of the coin, the non-free driver is only being pushed by a cult, not one of which codes to improve it, because quite frankly they can't, because they don't have the source.

NetBSD and FreeBSD are reducing their community's choice. They don't represent their user community's needs or wants. They have let politics get in the way of choosing the right software.

(Another funny thing has happened over the years. Because Sam's Atheros support has been so important to the cult, work on other wireless drivers has been poo-poo'd within the various development groups, and this is a major part of why OpenBSD surged ahead with support for so many other devices. We did not consider one driver the most important, because it was obvious to us that other devices which were documented were more important... right from the start..)
Support for soundblaster audigy SE ?
Hello,

Could anyone confirm to me that this sound card is supported by OpenBSD (4.1)? I couldn't see it in this page http://openbsd.com/i386.html But, could this sound card use the same driver as other soundblaster cards?

Thanks for the information! :-)

Nicolas -- Nicolas Letellier, administrateur systèmes Site personnel : http://nicoelro.net Curriculum-vitae : http://nletellier.info
Re: Scaling DNS with CARP + pf (+ hoststated ?)
Please take a look at this Cisco document regarding Scaling DNS services and CSM: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns377/c649/cdccont_0900aecd800eb95d.pdf p.s.- Long ago I read DNS and BIND, but this book assumes tolerance to DNS timeouts and availability of more than two DNS IP addresses. :) Don't ever load balance DNS in any way. Read the DNS and BIND book. -- Craig Skinner [EMAIL PROTECTED] Phone +44 (0) 1506 673024 5-digit shortdial: x73024 Sun Remote Support Centre, Linlithgow, Scotland, UK
Re: Scaling DNS with CARP + pf (+ hoststated ?)
reje wrote: Yes, we have that many DNS requests hitting our servers (we are not experiencing any DoS, just legitimate user requests :-) Furthermore, the DNS infrastructure timeouts are unacceptable in our scenario. Registering additional NS records is also unacceptable. FYI: our primary DNS experiences ca. 4000 requests per second, secondary goes with ca. 3000 req/sec. Primary server is SUN Fire V480 with 16GB RAM, secondary is also SUN Fire V480 with 8GB RAM. Both servers are running Solaris 9 + BIND 9. Firewall is PIX 535, works like a charm. Increase some of your heavily used records' TTLs. Add more public slave servers, 5-7 is a good number. Have them pull from a hidden master. Put some of the servers far away from you, but near your clients, e.g. London, Frankfurt, Paris, Sydney, wherever (can't do that with load bal). If you have both of your only 2 servers in the same rack, you will have problems. I once saw one idiot put both DNS servers into Solaris 10 zones on a single box (e15k). What is the point?? I used to work for an ISP serving some popular domains. Used white i386 boxes in various colo racks (own and others), nae probs. Firewalling was done by Juniper, no load balancing. Go re-read the DNS and BIND book. -- Craig Skinner [EMAIL PROTECTED] Phone +44 (0) 1506 673024 5-digit shortdial: x73024 Sun Remote Support Centre, Linlithgow, Scotland, UK
Fetch files on an intermittent connection.
Hello, I'm on an OpenBSD 4.0 machine only intermittently connected to the Internet. I needed to get the Java port working on it. Is there any way to get the dependent files downloaded only while I have a connection, to be compiled later? Best, ~Mayuresh
Re: nat ipv6 - ipv4 using pf
alwin [EMAIL PROTECTED] wrote: anyway, thanks for the good suggestions, I will have a look at apache2 (since I'm running svn too, this might be a good idea), or else I will simply drop ipv6 for the http Alternatively, use a different server program. bozohttpd, lighttpd, and thttpd are in the ports collection and support IPv6. and wait for the ipv6 patches to be included. Won't happen. -- Christian naddy Weisgerber [EMAIL PROTECTED]
openbsd instead of cisco vpn client
Hi I came across the following situation: there's a network where several employees have access to a client of theirs using Cisco VPN clients. To centralize and ease administration I want to put in place an OpenBSD box that will create a single VPN. The client is so bureaucratic that by the time their paperwork for setting up a site-to-site VPN is done, the need for this VPN will be gone. So is it possible to mimic a Cisco VPN client connection with OpenBSD IPsec? TIA Paolo
Re: openbsd instead of cisco vpn client
On 8/27/07, Paolo Supino [EMAIL PROTECTED] wrote: Hi I came across the following situation: there's a network where several employees have access to a client of theirs using Cisco VPN clients. To centralize and ease administration I want to put in place an OpenBSD box that will create a single VPN. The client is so bureaucratic that by the time their paperwork for setting up a site-to-site VPN is done, the need for this VPN will be gone. So is it possible to mimic a Cisco VPN client connection with OpenBSD IPsec? It completely depends on the configuration of the Cisco IPsec device, but in most cases the answer is no. Common configurations for client VPN will use Cisco extensions that are not supported outside of their implementation. DS
Re: Support for soundblaster audigy SE ?
On Mon, Aug 27, 2007 at 04:53:14PM +0200, Nicolas Letellier wrote: Hello, could anyone confirm to me that this sound card is supported by OpenBSD (4.1)? I couldn't see it on this page http://openbsd.com/i386.html But could this sound card use the same driver as other soundblaster cards? No, this card is not supported. Audigy SE and LS use a CA0106 chipset and there is no driver for it. Unfortunately it seems that there is no documentation freely available, which makes the driver much more difficult to write. I'd avoid Creative products. -- Alexandre
Re: Backport drivers from 4.1 to 4.0
Artur, Thanks, Upgrading code based on a release of obsd is easy, but it would be a big job to maintain early releases of products based on previous versions of obsd. For example, we would maintain 8 versions of products from 3.3 to 4.0 if code is upgraded every half year. Kevin you would need to maintain released boxes based on early versions of obsd The thing is to upgrade released products based on Should we just isolate one by one manually as a safety approach? Any CVS that we can trace for what files have been changed for specific drivers? E.g., 4.0-4.1. this is such a bad idea. From experience I can tell you that it's much easier (in total) to upgrade your code once every 6 months than to do huge projects to do the same once every few years.
maybe OT 3 year anniversary of Chuck Yerkes death
I don't think it's off topic but others might. I'm writing this post to remember Chuck Yerkes, a long-time contributor to the [EMAIL PROTECTED] list. http://www.sage.org/about/yerkes.html Chuck died 3 years ago this past weekend while riding his motorcycle. http://web.archive.org/web/20041012235249/http://www.contracostatimes.com/mld/cctimes/news/9511974.htm http://marc.theaimsgroup.com/?l=openbsd-miscm=109385676632581w=2 Just wanted to remember you Chuck, take it easy wherever you are. diana
Re: nat ipv6 - ipv4 using pf
On Mon, Aug 27, 2007 at 04:36:06PM +0200, alwin wrote: the faithd daemon also looks quite cool, although it maps the other way around, it will be useful when you have an ipv6 only network. When faithd receives TCPv6 traffic, faithd will relay the TCPv6 traffic to TCPv4. Hmm, sounds like exactly what you were looking for (as a layer 4 proxy). But presumably the Apache log files will show the faithd server's own IP address as the source IP for each connection.
Re: Backport drivers from 4.1 to 4.0
On 8/27/07, Kevin Cheng [EMAIL PROTECTED] wrote: Artur, Thanks, Upgrade code based on release of obsd is easy, but it would a big job to maintain early released of products based on previous version of obsd. For example, we would maintain 8 version of products from 3.3 to 4.0 if codes are upgraded every half years. Why would you maintain support for products going back to vastly unsupported versions of OpenBSD? If I had a product based on OpenBSD, I wouldn't give customers an excuse to keep themselves on older and unsupported releases. Do you want customers running 3.3 right now? They haven't been able to get patches for years now. In my experience at least part of the reason system designers choose OpenBSD as a basis for their solution is the security focus. You go that far out of date, you lose that advantage. Yes, the project has a release schedule. No, that doesn't make it easy to maintain the 5 year life cycle that other platforms like to advertise. It also doesn't mean that their schedule is superior or is even a good idea (or accurate). Some vendors are maintaining support for NT4 still; customer demand is driving that. It's stupid, and those that play that game are either really stupid or really good at getting risk acceptance documents signed off on. Or both. DS
Re: maybe OT 3 year anniversary of Chuck Yerkes death
Thanks for reminding us, Diana. Chuck died 20 days after my first motorcycle lesson; I had been meaning to send him an email telling him I was learning to ride. Here's one more pint glass being raised in Chuck's memory tonight. -Kit At 1:08 PM -0600 8/27/07, ACP wrote: I don't think it's off topic but others might. I'm writing this post to remember Chuck Yerkes, a long-time contributor to the [EMAIL PROTECTED] list. http://www.sage.org/about/yerkes.html Chuck died 3 years ago this past weekend while riding his motorcycle. http://web.archive.org/web/20041012235249/http://www.contracostatimes.com/mld/cctimes/news/9511974.htm http://marc.theaimsgroup.com/?l=openbsd-miscm=109385676632581w=2 Just wanted to remember you Chuck, take it easy wherever you are. diana -- Ride safe, have fun!
Re: Questions: Upgrade + Port Tree
Thank you to all for the excellent input. I'm now officially upgraded. It feels good, nice and... fresh! I've started reading/learning about CVS. Again, thank you all! Sean Joachim Schipper wrote: On Sun, Aug 26, 2007 at 04:17:57PM -0500, Sean Darby wrote: 1. Would it be possible to address the issue of new port tree in some more detail after system upgrade in the FAQ? I suppose it would be, but you're the first to ask this. (Somewhat surprisingly.) I have followed the steps provided on the site's FAQ for upgrading my system (I have 4.0 now, going to 4.1). (...) I will follow the provided steps for the upgrade including the final steps (upgrading /etc and individual packages). I figured that if I'll be making any possible manual upgrades on packages after the system is upgraded, I might as well up the ports too. I presently have the default /usr/ports/* that comes with 4.0, I'd like to up that to the /usr/ports/* that comes with 4.1. What would be a safe process in doing that? The fastest solution is to just use `cvs up'. (Or cvs -qd your_favourite_anoncvs_mirror up -P /usr/ports, as the case may be.) The easiest solution is probably to delete your ports tree and untar ports.tar.gz from 4.1. I'm aware of individual/manual updates of packages, as with pkg_add -u (app), though am aiming for updating/upgrading the entire port tree structure (not download everything, just the tree that points me in the right direction within which the potentially new versions of apps would be available in 4.1). I see in the site's FAQ 15.3.2, Fetching the ports tree, basics like: $ ftp ftp://ftp.openbsd.org/pub/OpenBSD/4.1/ports.tar.gz However, the basic warning, Before continuing, you must read the section about NOT mixing up your OpenBSD system and ports tree. ...leads to the section talking about crazy errors (doesn't really help much beyond linking back onto itself). 
The important part to remember is that after a system upgrade, none of your ports is guaranteed to work until you upgrade them (although OpenBSD goes to great lengths to make sure they do keep working, and pretty much anything that does not interact directly with the kernel keeps working - things like pfstat and OpenAFS might break). In particular, just having a 4.0 port installed on the system should not be a problem. On the other hand, trying to install 4.0 ports on a 4.1 system, or the other way around, can lead to `weird problems'. This is what is meant by `mixing up your OpenBSD system and ports tree', and since quite a few people try to do so (`I want that -current port, so let's update the ports tree on my -stable system and install it - hey, it doesn't work!'), the FAQ makes an effort to make sure people `get this'. My usual upgrade involves updating the base system, rebooting, pkg_add -ui, and then updating whatever else I need (/usr/src, /usr/ports, ...). Joachim
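The upgrade sequence Joachim describes (base system, reboot, pkg_add -ui, then /usr/src and /usr/ports) ends with replacing the ports tree, and the FAQ warning quoted above is about not unpacking a tree for one release onto a system running another. As an added example that is not part of the thread or of the OpenBSD FAQ, here is a small POSIX sh helper for the "delete the ports tree and untar ports.tar.gz from 4.1" option that keeps the old tree aside and refuses a tarball whose release does not match the running one. The function and helper names, the ports.old.<timestamp> backup naming and the RUNNING_RELEASE override are assumptions of this example, and the tarball it exercises is constructed, not the real release file.

```sh
#!/bin/sh
# Added example, not from the thread: swap an old /usr/ports tree for the
# ports.tar.gz that belongs to the release now running, keeping the old tree
# aside instead of deleting it. The release check is the point: unpacking a
# tree for one release on a system running another is the "mixing up your
# OpenBSD system and ports tree" mistake the FAQ warns about.
# Assumptions (not stated in the thread): the tarball unpacks into a top-level
# "ports/" directory, and the caller supplies the release the tarball is for.
set -eu

# refresh_ports_tree TARBALL RELEASE BASEDIR
#   TARBALL  path to the ports.tar.gz fetched for RELEASE
#   RELEASE  release the tarball belongs to, e.g. 4.1
#   BASEDIR  directory that holds the "ports" tree (normally /usr)
# RUNNING_RELEASE, if set, overrides uname -r (which on OpenBSD prints the
# release, e.g. 4.1); it exists so the function can be tried off-box.
refresh_ports_tree() {
    tarball=$1; release=$2; base=$3
    running=${RUNNING_RELEASE:-$(uname -r)}
    if [ "$release" != "$running" ]; then
        echo "refusing: tarball is for $release but this system runs $running" >&2
        return 1
    fi
    if [ ! -f "$tarball" ]; then
        echo "no such tarball: $tarball" >&2
        return 1
    fi
    # keep the old tree: a half-built port or a local patch may still be wanted
    if [ -d "$base/ports" ]; then
        mv "$base/ports" "$base/ports.old.$(date +%Y%m%d%H%M%S)"
    fi
    (cd "$base" && tar xzf "$tarball")
    if [ ! -d "$base/ports" ]; then
        echo "tarball did not unpack to $base/ports" >&2
        return 1
    fi
    return 0
}

# make_sample_tarball DIR RELEASE
# Builds a tiny constructed ports.tar.gz under DIR (a stand-in for the real
# release tarball) and prints its path, so refresh_ports_tree can be tried
# without network access or a real /usr/ports.
make_sample_tarball() {
    dir=$1; release=$2
    mkdir -p "$dir/stage/ports/infrastructure"
    echo "constructed sample ports tree for OpenBSD $release" > "$dir/stage/ports/README.sample"
    (cd "$dir/stage" && tar czf "$dir/ports.tar.gz" ports)
    echo "$dir/ports.tar.gz"
}

# Real use on the upgraded machine, once the base system and packages are done:
#   ftp ftp://ftp.openbsd.org/pub/OpenBSD/4.1/ports.tar.gz
#   refresh_ports_tree ./ports.tar.gz 4.1 /usr
```

The backup directory is deliberately not removed: once the new tree has been used for a while and nothing from the old one is missed, it can be deleted by hand.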
Re: Backport drivers from 4.1 to 4.0
Kevin Cheng wrote: Upgrading code based on a release of obsd is easy, but it would be a big job to maintain early releases of products based on previous versions of obsd. For example, we would maintain 8 versions of products from 3.3 to 4.0 if code is upgraded every half year. Why? If you do an OS upgrade it leaves the old shared libraries around, so any installed apps should continue working. If you want OS version independence, then compile your app static.
FOSS Open Hardware Documentation
http://blogs.sun.com/webmink/entry/open_chips_wiki_open http://wikis.sun.com/display/FOSSdocs/Home -- João Salvatti Undergraduate in Computer Science Federal University of Pará - UFPA web: http://www.openbsd-pa.org e-mail: [EMAIL PROTECTED]
Re: OpenBSd or HP-UX?
Travers Buda wrote: *snip* Just tell him that OpenBSD in the stead of HP-UX will be cheaper, faster to set up, and easier to maintain (because of your experience with Open.) Both OpenBSD and HP-UX can do LDAP, yes, but it's yourself that makes the difference here. Oh, and you have much more freedom in picking out your hardware (back to the cheap tangent.) -- Travers Buda It would be wonderful to convince my boss with that argument... but the next question he will ask is: What if you die tomorrow?? Who can maintain the system??... Thanks anyway... it is a good point to mention in the conversation with my boss. Alvaro
Re: OpenBSd or HP-UX?
Marc Balmer wrote: We run an OpenLDAP installation on OpenBSD that is fully synchronized on two servers (one master, one slave) for the public schools here. ~15'000 accounts and all important systems (email, fileserver, even the ~80 firewalls, login, etc.) pull their data from it. Can you send me a dmesg of these computers? I think it is a good start to know how big the hardware is that I need to support something like that with OpenBSD... It is in operation for several years now, not a single problem with it. Which version of OpenLDAP are you running at this moment?? I can say nothing about HP-UX, but OpenBSD surely is a stable foundation for an OpenLDAP server. - Marc Balmer, micro systems Thanks in advance, alvaro
Re: OpenBSd or HP-UX?
Alvaro Mantilla Gimenez wrote: Travers Buda wrote: *snip* Just tell him that OpenBSD in the stead of HP-UX will be cheaper, faster to set up, and easier to maintain (because of your experience with Open.) Both OpenBSD and HP-UX can do LDAP, yes, but it's yourself that makes the difference here. Oh, and you have much more freedom in picking out your hardware (back to the cheap tangent.) -- Travers Buda It would be wonderful to convince my boss with that argument... but the next question he will ask is: What if you die tomorrow?? Who can maintain the system??... not sure, but i do think jason dixon is still offering support contracts this is WAY cheaper than anything you'll get through HP on the support contract tip Thanks anyway... it is a good point to mention in the conversation with my boss. Alvaro
Re: OpenBSd or HP-UX?
Jacob Yocom-Piatt wrote: tried to take a bit of a side adventure and get HP-UX going on a PA-RISC machine and it's no walk in the park. for cost, support, compatibility and simplicity reasons i've abandoned the project and decided to use other OSes instead. How was your adventure?? Can you be more specific?? I know the cost part... obviously it is cheaper to run OpenBSD than HP-UX. But I need more... something really heavy like "I tried to install OpenLDAP on HP-UX and the system load with 2000 users rises to the sky... but the same number of users with OpenBSD had incredible performance and never passed 10% of load"... or whatever... you CANNOT discount the value of having essentially direct access to the devs on these lists. the karma and assistance you receive as a result of making even small donations is considerable and, in my experience, better than any phone or tech support i've received from companies that support enterprise software. for a fraction of the cost of a support contract you can get direct access to the programmers and cut out the nitwits on the phone you have to wade through. I agree with you... as jc said, the only situation i can imagine where you'd want to run something enterprise is in the case that you need a monolithic server. unless the hardware is wacky, i'd still be inclined to run an opensource OS on it for the support reasons cited above. not very familiar with LDAP configs here but i imagine there is a way to spread load between machines, making the monolithic solution pointless. thanks for the reminder to investigate LDAP more closely... =) Thanks to you... Alvaro
Re: OpenBSd or HP-UX?
On Aug 27, 2007, at 8:57 PM, Jacob Yocom-Piatt wrote: Alvaro Mantilla Gimenez wrote: Travers Buda wrote: *snip* Just tell him that OpenBSD in the stead of HP-UX will be cheaper, faster to set up, and easier to maintain (because of your experience with Open.) Both OpenBSD and HP-UX can do LDAP, yes, but it's yourself that makes the difference here. Oh, and you have much more freedom in picking out your hardware (back to the cheap tangent.) -- Travers Buda It would be wonderful to convince my boss with that argument... but the next question he will ask is: What if you die tomorrow?? Who can maintain the system??... not sure, but i do think jason dixon is still offering support contracts this is WAY cheaper than anything you'll get through HP on the support contract tip You really don't want me for LDAP support contracts. I'm sure there are plenty of other qualified consultants on the support.html page. Know your strengths, know your weaknesses. ;) --- Jason Dixon DixonGroup Consulting http://www.dixongroup.net
Re: OpenBSd or HP-UX?
J.C. Roberts wrote: The reasoning for HP-UX is brand name recognition, vendor support, and of course job security -when something goes wrong, your boss can blame the brand name vendor in hopes of saving his own ass. And this is, I think, the main point for my boss and his not understanding the advantages of OpenBSD over HP-UX. But... I have hope yet... he does not close the door to the OpenBSD possibility. He wants probes... only I need to find a heavy argument. For example... the developers that port OpenBSD to the HPPA and HP300 platforms... maybe they have benchmarks between these machines running HP-UX and/or OpenBSD. Does it work better?? LDAP has similarities to both database servers and file servers, so even though it's not an exact match, performance metrics for database/file servers may be relevant to LDAP. As always, *YOUR* environment and requirements must be tested to get any truly meaningful performance metrics. If you have truly insane load and storage requirements, and an unlimited budget, spending a quarter of a million dollars on a very high end, 16+ CPU, Itanium box running HP-UX may be a better choice than OpenBSD. Then again, if that's really the case, I would prefer to go with big Sun hardware and Solaris under those circumstances. This is a good point too. Is the performance of OpenBSD running on Sun computers equal to Solaris?? Personally... I think Solaris... sucks !! But there is no technical opinion here... it is only that I like the OpenBSD way of doing things. For me, Solaris is like a big dinosaur. By comparison, the multiple processor support in OpenBSD is for i386 and amd64, and how well it will scale in *YOUR* situation can only be found through testing. Personally, I've never seen a 16+ CPU dmesg, but I'm not a project developer, and someone may very well be using OpenBSD on such hardware. Anyone who wants to share his experience with this type of hardware?
There are people from this list who deal with fairly large LDAP/SASL installations on OpenBSD. Chris Paul (sentinare.com) and Jason Dixon (dixongroup.net) come to mind but I'm sure there are others. Do you have their emails?? Please, give my email to them if they decide to share some information with me. (I'll look for the emails too, maybe they are public... I don't want to bother anyone with unwanted email). The best business decision is the solution that gives you the greatest reliability and security for your requirements with the least amount of investment. OpenBSD has a very good chance of coming out on top in the majority of fairly tested comparisons. The corner case of insane loads and storage requirements is the one *possible* exception but even then, it may be sufficient. Do you have URLs of these fair tests? jcr Thank you so much Alvaro
Re: OpenBSd or HP-UX?
On Monday 27 August 2007, Alvaro Mantilla Gimenez wrote: J.C. Roberts wrote: The reasoning for HP-UX is brand name recognition, vendor support, and of course job security -when something goes wrong, your boss can blame the brand name vendor in hopes of saving his own ass. And this is, I think, the main point for my boss and his not understanding the advantages of OpenBSD over HP-UX. But... I have hope yet... he does not close the door to the OpenBSD possibility. He wants probes... only I need to find a heavy argument. For example... the developers that port OpenBSD to the HPPA and HP300 platforms... maybe they have benchmarks between these machines running HP-UX and/or OpenBSD. Does it work better?? The hppa port is for 32bit. The hppa64 port will run more modern 64bit parisc systems. With the correct hardware both hppa and hppa64 are usable but you need to realize two things: (1) the ports are still under development and (2) benchmarks lie. The *ONLY* benchmarks that are applicable to your decisions are from the tests that *YOU* run in *YOUR* environment. Your boss should read up on LDAP and realize it was designed to scale by supporting clustering, fail-over and fault tolerance... -In other words it was built to run effectively on a bunch of lower cost commodity machines, as well as on huge expensive beasts. Unless you do a full case study with adequate testing in your environment, there is absolutely no valid justification for spending a ridiculous sum of money on huge massively multi-processor systems. LDAP has similarities to both database servers and file servers, so even though it's not an exact match, performance metrics for database/file servers may be relevant to LDAP. As always, *YOUR* environment and requirements must be tested to get any truly meaningful performance metrics.
If you have truly insane load and storage requirements, and an unlimited budget, spending a quarter of a million dollars on a very high end, 16+ CPU, Itanium box running HP-UX may be a better choice than OpenBSD. Then again, if that's really the case, I would prefer to go with big Sun hardware and Solaris under those circumstances. This is a good point too. Is the performance of OpenBSD running on Sun computers equal to Solaris?? Personally... I think Solaris... sucks !! But there is no technical opinion here... it is only that I like the OpenBSD way of doing things. For me, Solaris is like a big dinosaur. In some of the BS comparisons you'll find, OpenBSD is often just slightly slower due to its memory/stack security and other security measures which other operating systems lack. Since other operating systems do not have these advanced security features, you can't really call the comparisons fair. In general the only truly fair test data you'll find is in the various presentations made by Theo and other developers over the years which compare OpenBSD to itself, with and without specific security features enabled. It can give you a rough idea of the performance cost of the various security features, but you need to realize different archs, systems, and even processors can yield slightly different results for such tests. By comparison, the multiple processor support in OpenBSD is for i386 and amd64, and how well it will scale in *YOUR* situation can only be found through testing. Personally, I've never seen a 16+ CPU dmesg, but I'm not a project developer, and someone may very well be using OpenBSD on such hardware. Anyone who wants to share his experience with this type of hardware? There are people from this list who deal with fairly large LDAP/SASL installations on OpenBSD. Chris Paul (sentinare.com) and Jason Dixon (dixongroup.net) come to mind but I'm sure there are others. Do you have their emails??
Please, give my email to them if they decide to share some information with me. (I'll look for the emails too, maybe they are public... I don't want to bother anyone with unwanted email). I already gave you their web sites and Jason has replied in this thread suggesting you look at http://www.OpenBSD.org/support.html for people/companies who specialize in OpenBSD LDAP installations. The best business decision is the solution that gives you the greatest reliability and security for your requirements with the least amount of investment. OpenBSD has a very good chance of coming out on top in the majority of fairly tested comparisons. The corner case of insane loads and storage requirements is the one *possible* exception but even then, it may be sufficient. Do you have URLs of these fair tests? You missed the main point. You will never find urls to test results that are truly applicable to your decision. Any benchmarks or testing you might find on the web should be considered irrelevant since they could easily be fake, or wrong, but more importantly, because THEY DO NOT REFLECT RESULTS FOR YOUR ENVIRONMENT. Your system
syskonnect SK-9E22
Greetings all... We bought a SK-9S22 (pci-x) card a while ago, and even though 'man msk' listed it as working on 4.0, it actually didn't work. So, now we are thinking about a SK-9E22 (pci-e) for another box, and we think we should ask if this model is working on 4.1 before actually spending any money on it. Also, if anybody can recommend any 4-port gigabit NIC for openbsd, we would appreciate it. Thanks in advance, g.
Re: OpenBSd or HP-UX?
On 8/27/07, Alvaro Mantilla Gimenez [EMAIL PROTECTED] wrote: Travers Buda wrote: *snip* Just tell him that OpenBSD in the stead of HP-UX will be cheaper, faster to set up, and easier to maintain (because of your experience with Open.) Both OpenBSD and HP-UX can do LDAP, yes, but it's yourself that makes the difference here. Oh, and you have much more freedom in picking out your hardware (back to the cheap tangent.) -- Travers Buda It would be wonderful to convince my boss with that argument... but the next question he will ask is: What if you die tomorrow?? Who can maintain the system??... Easy. Let him know that any person who has a grasp of the written language can easily pick a system up and administer it by reading the available documentation. I'm not kidding - this is an easy win. Docs are a strong point and an unappreciated one. How hard is it to find good docs for commercial Unix variants? It works out for me that even if you find the docs, it's incredibly hard to find the specifics you're looking for in all the fluff. Between the excellent manual pages and online docs (e.g. http://www.openbsd.org/faq/), coupled with the amassed years of other users' experience and developer input found in the misc@ archives, it is not difficult for anyone with some Unix familiarity to pick OpenBSD up and run with it. DS
Re: Software freedom
On Mon, 27 Aug 2007, [EMAIL PROTECTED] wrote: rest of the kernel uses it to store the value of curlwp. Sam won't recompile the HAL for us (fair enough), and we can't modify the HAL to use another register because doing so could put us in breach of the license (v. crappy). So, do a save/set/restore on %s7 in KernIntr() How hard is it to recompile the HAL that Sam can't be bothered to do it, and more importantly, why should a trivial change to make the software interoperable be a breach of the license? That can't be the owner's intent. Why are you making excuses for the people who provide binary blobs? It doesn't matter at all what the owner's _intent_ is, when the practical consequence is that OS developers have to put in layers of hacks for bugs that they cannot themselves fix. -d
Re: FOSS Open Hardware Documentation
On 8/27/07, João Salvatti [EMAIL PROTECTED] wrote: http://blogs.sun.com/webmink/entry/open_chips_wiki_open http://wikis.sun.com/display/FOSSdocs/Home -- João Salvatti Undergraduate in Computer Science Federal University of Pará - UFPA web: http://www.openbsd-pa.org e-mail: [EMAIL PROTECTED] This is really nice and maybe we can expect better hardware support on SPARCs. This is probably also good since I hope this puts pressure on other hardware manufacturers to open up their documentation. Maybe dlg@ can shed some more light on what is coming out of this from an OpenBSD perspective? BR dunceor