Re: www.openbsd.org down?
Don't quite know where to post in this thread…. All good in Johannesburg :-p -Wayn0 On 25 Jun 2013, at 5:10 PM, Alexander Hall alexan...@beard.se wrote: Can someone please test from Burundi, Johannesburg and Minsk? Because that would probably also be really really really interesting. Luis Coronado lcoron...@ticoit.com wrote: Down from Costa Rica as well. -luis On Tue, Jun 25, 2013 at 7:23 AM, Jon Metzman jon.metz...@gmail.com wrote: I can't access the website but it is responding to ping requests from here in New York. On 06/25/2013 05:50 AM, Johan Mellberg wrote: Weird. Works from here (Sweden). == 25 jun 2013 kl. 11:43 skrev Alan Cheng bsdp...@gmail.com: I can't access www.openbsd.org right now. http://www.**downforeveryoneorjustme.com/**www.openbsd.orghttp://www.downforeveryoneorjustme.com/www.openbsd.orgshows it's down.
Re: www.openbsd.org down?
Ok, so maybe my level of irony wasn't obvious. I was not serious. I cannot imagine having reports from all over saying doesn't work from here either would help, and I got annoyed by all the noise. Anyway, it now seems up (from Sweden!) ;-), so lets just all drop this, mmkay? /Alexander Can someone please test from Burundi, Johannesburg and Minsk? Because that would probably also be really really really interesting. Luis Coronado lcoron...@ticoit.com wrote: Down from Costa Rica as well. -luis On Tue, Jun 25, 2013 at 7:23 AM, Jon Metzman jon.metz...@gmail.com wrote: I can't access the website but it is responding to ping requests from here in New York. On 06/25/2013 05:50 AM, Johan Mellberg wrote: Weird. Works from here (Sweden). == 25 jun 2013 kl. 11:43 skrev Alan Cheng bsdp...@gmail.com: I can't access www.openbsd.org right now. http://www.**downforeveryoneorjustme.com/**www.openbsd.orghttp://www.downforeveryoneorjustme.com/www.openbsd.orgshows it's down.
Re: Unable to configure smtpd as backup server
On Mon, Jun 24, 2013 at 01:41:49PM -0700, Scott Vanderbilt wrote: On 6/24/2013 1:23 PM, Gilles Chehade wrote: relay backup is used to setup secondary mail servers for a domain, that is a server that accept mails for a domain and relay to MXs with higher priority (i.e. lower preference in DNS). So when you specify 'mx' as a parameter for the 'backup' keyword, what does that mean precisely? A DNS server host name? A preference value? When I see MX, I think of the MX records in the DNS zone file. I tried using a preference value, and that was rejected by smtpd as invalid. If the backup parameter is specified, the current server will act as a backup server for the target domain. Accepted mails are only relayed through servers with a lower preference value in the MX record for the domain than the one specified in mx. [...] therefore: accept for domain foobar.org relay backup mx2.example.org will turn your machine as a backup mx for domain foobar.org with the same priority as mx2.example.org, only relaying to other MXs that have a higher priority Excellent. That's precisely what I needed to know. Thank you! np Also, there is something in the smptd.conf(5) man page which I found confusing. In the second example, it says The mail server has an external interface bnx0. But then the example code goes on to say listen on egress. Why is the interface 'bnx0' mentioned if it's not actually used in the example code? I'm assuming that is a mistake, but I don't know enough to say for certain. yes that's an error, the examples used to reference specific interfaces and I have forgotten a description somewhere when I updated the example to no longer do that. I actually fixed it locally about 10 days ago when another user reported the same bug but didn't commit to OpenBSD, it'll do that shortly thanks ;-) Thanks again for this fantastic software. It pleases me to no end to never have to look at a .mc file ever again. no one should, no one should ... ever -- Gilles Chehade https://www.poolp.org @poolpOrg
Re: Question about caching system
On 2013-06-26, Brett Lymn brett.l...@baesystems.com wrote: On Tue, Jun 25, 2013 at 10:33:23AM +0200, Ingo Schwarze wrote: Ioana b wrote on Mon, Jun 24, 2013 at 06:37:04AM -0700: is there any kind of name service cache system like nscd for linux available any time soon? It would be helpful to have a cache for the users password in case the authentication system is unavailable. Let's *not* do that. I experienced PITA many times on Linux because of outdated cache entries and users complaining thank you for changing/updating/fixing my account data, but somehow it still doesn't seem to work... - me: did you try on one of our OpenBSD hosts? - user: yes, it does work fine there. See the problem? Yup, lack of nscd -i by the sysadmin... Do you mean you have to run a command on a potentially large number of client machines to pick up the fact that you've just disabled a compromised account? That doesn't sound optimal.
Re: out-of-order TCP
* Stuart Henderson s...@spacehopper.org [2013-05-15 21:54]: per-packet load balanced ADSLs don't do that. per-packet is way too naive. there is no better answer. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: Performance limits with OpenBSD, ToE, offloading, Intel ET2 cards
* andy a...@brandwatch.com [2013-05-15 11:31]: I run 12 OpenBSD firewalls, and I have an issue on my highest throughput boxes. I have HP DL160 G6 boxes with Intel ET2 4 port NIC's. I have a problem where I cannot run traffic any faster than ~700Mbit as I am hitting 100% utilisation on the first core due to the giant big lock trying to process the MSI interrupts. The traffic comprises of lots of small payload packets (currently running around 300,000 to 400,000 pps) and I cannot run any faster. I have tunned the boxes as much as possible using information from calomel.org etc and overall we have been extremely happy with them, expect for the performance limits. congratulations, by using information from a random idiot (who has very well and often demonstrated, last not least by the articles on said website, that he doesn't understand a single bit of what he's writing about) you made your systems slower. I understand the devs want to keep the network stack in-house as their are many network cards that simply screw things up, and it is this approach which has given OBSD the stability and security reputation it has. But this approach with the giant big lock limit imposes a hard performance limit for OBSD. But I do also understand that the devs realise this and as a short term solution until the kernel becomes true SMP, they have started to implement ToE and offloading for some NICs :D :) Can you please tell me when ToE support will be added for the Intel series of cards? We are going to have to abandon OBSD if it cannot perform at the throughputs we need but I really want to stay with OBSD? I am not a developer and so cannot contribute myself to any efforts (believe me I would if i could!).. now let's revisit that. 1) you have a performance problem 2) [ hint: you miss a step here ] 3) you think ToE is the solution (why?) hmpf. let me put it straight: your idea that ToE would be the answer is plain wrong. there is much more headroom in OpenBSD than what you are running, but that requires analysis, thought and probably help by an experienced person who really understands pf. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
softdep issue in 5.3-current ?
Hi, I'm running current snapshot of OpenBSD on amd64 architecture, MP kernel (Lenovo Thinkpad to be concrete). Based on the official docs tried to tune disk performance by adding `softdep' mounting option for ffs slices. After updating of /etc/fstab and clean reboot, checked all particular slices like /home, /usr etc. are really mounted with softdep. The issue is about much worse performance then with the default nosoftdep. Now, for example, when extracting ports.tar.gz snapshot in /usr, other process cann't open even small files without very long delays like vi $HOME/.profile takes about 2 minutes whereas cpu usage shown with top is about 5% only ! Turning off softdep redeems the access time of the previous example to about 4 seconds. I've searched mailing lists and read about softdep regression on OpenBSD 4.8 that was later fixed. Is this regression back. Does anybody else experiences similar behaviour ?
Re: Performance limits with OpenBSD, ToE, offloading, Intel ET2 cards
Hi Henning, Thank you for your reply. After looking back through our config's I have removed the cal* changes. The things I set (and have now removed) from that site were; # Custom Speed Tweaks kern.bufcachepercent=75# Allow the kernel to use up to 90% of the RAM for cache (default 10%) net.inet.ip.ifq.maxlen=1536# Maximum allowed input queue length (256*number of physical interfaces) net.inet.udp.recvspace=131072 # Increase UDP receive buffer size. Good for 200Mbit without packet drop. net.inet.udp.sendspace=131072 # Increase UDP send buffer size. Good for 200Mbit without packet drop. net.inet.tcp.mssdflt=1460 # Set the default MSS (MTU=1500) net.inet.tcp.rfc3390=1 # RFC3390 increasing TCP's Initial Congestion Window to 14600 for SPDY Removing these changes made no difference to the performance. I read 'The Book of PF' when I was first learning OBSD and how to write PF, HFSC etc etc and it all works beautifully. And I have also read the attached ps file 'tuning-openbsd.ps', and this page http://www.pantz.org/software/openbsd/runningandtunningopenbsd.html to name only a few of the sources I have read over the years (I know these references are very old now and not necessarily accurate). I have checked all the usual things to make sure that I have enough mbuffs and tables sizes etc etc and all seems well and I am not running out of any other resources. A look at all the pages from systat and top etc shows that PF barely registers a CPU percentage, while the interrupts on CPU0 stick to 100% when throughput goes over ~750MBits. The performance ceiling seems to correlate with CPU0's utilisation. I appreciate that you may be frustrated by the existence of bad advice on the internet. And as someone who is continually learning and only wants to do things right, could you instead of saying that he's an idiot who knows nothing, please provide some constructive examples of what sort of things cal have got wrong so we can all learn? I cannot see anything that stands out as bad advice but I appreciate their must be otherwise you wouldn't say that. I was asking about the ToE offloading etc in the hope that it might help a little bit to bring our interrupt CPU utilisation down, without better knowledge of the OBSD net stack internals. I changed the network card from an old legacy interrupt style card to a new Intel ET2 which uses the MSI (message signalled interrupts) style, but this made no improvement to the maximum throughput. Regarding the missed step, I don't know which diagnostics/stats to provide here in the hope of some help. What would be most useful? Is there a way of seeing what the interrupts are doing in more detail? systat shows I'm currently running on average 24k interrupts overall for 85% interrupt utilisation (~500Mbit). Someone did previously (and very helpfully) indicate that the ~400,000pps we are getting on our HP DL160 G6's is pretty good. Because I like OBSD so much I have managed to convince my manager to invest in faster hardware with the fastest single CPU speeds I can get my hands on, but I believe this is a poor approach to the problem (for the long term anyway). NB; This is all based on our traffic profile, which is not the same as others (the traffic we generate is the result of running ~40 servers behind the OBSD firewalls which scrape and crawl the internet (we are an internet social media search engine)). systat pf (currently only shifting around 500Mbits); TYPE NAME VALUE RATE NOTES pf Status Enabled pf Since 914:53:16 pf Debug err pf Hostid 0x7cee5e20 state Count616822 state searches 633323382K 196904.28 state inserts 19859725K6174.52 state removals 19859123K6174.33 src track Count 0 src track searches 0 0.00 src track inserts 0 0.00 src track removals 0 0.00 counter match 19986626K6213.97 counter bad-offset0 0.00 counter fragment 193784 0.06 counter short 4606 0.00 counter normalize243051 0.07 counter memory0 0.00 counter bad-timestamp 0 0.00 counter congestion178267231 54.13 counter ip-option567580 0.17 counter proto-cksum 0 0.00 counter state-mismatch 43494091 13.21
Re: softdep issue in 5.3-current ?
Update to something that has version 1.27 of sys/kern/vfs_biomem.c and tell me if you still have the issue. On Wed, Jun 26, 2013 at 4:35 AM, Tori Mus torimus...@gmail.com wrote: Hi, I'm running current snapshot of OpenBSD on amd64 architecture, MP kernel (Lenovo Thinkpad to be concrete). Based on the official docs tried to tune disk performance by adding `softdep' mounting option for ffs slices. After updating of /etc/fstab and clean reboot, checked all particular slices like /home, /usr etc. are really mounted with softdep. The issue is about much worse performance then with the default nosoftdep. Now, for example, when extracting ports.tar.gz snapshot in /usr, other process cann't open even small files without very long delays like vi $HOME/.profile takes about 2 minutes whereas cpu usage shown with top is about 5% only ! Turning off softdep redeems the access time of the previous example to about 4 seconds. I've searched mailing lists and read about softdep regression on OpenBSD 4.8 that was later fixed. Is this regression back. Does anybody else experiences similar behaviour ?