MPLS mpe0 Throughput

2019-06-05 Thread Henry Bonath
Hello,
I have recently (within the past few months) turned up an MPLS PE on a
1Gbps link in a L3VPN configuration with BGP and RDomains.
I'm seeing some strange throughput numbers that I am seeking to get
some help understanding.

Now I am currently running OpenBSD 6.4 on the particular PE, and I
realize that 6.5 has several MPLS updates and fixes, I have a
maintenance window scheduled in a couple weeks where I'll be upgrading
this particular system.

Here's what I am seeing, with iperf:
on flows that ingress the MPE interface I see around 750-900Mbps @~20k pps.
for flows that egress the MPE interface, I see around 200Mbps @ ~2k pps.

I realize that things like "throughput" are highly variable, but as I
troubleshoot this, I am looking to better understand how and what is
at play within OpenBSD itself, be it CPU limitations, etc., as I
haven't ruled out the rest of the infrastructure at this point.

Thanks for any insight you can provide.



Re: opensmtpd forwarding sent mail and extras-pgsql

2019-06-05 Thread Graeme Lee

On 6/06/2019 6:50 am, Gilles Chehade wrote:
> On Mon, Jun 03, 2019 at 05:44:41PM +, Benny wrote:
>> Hi,
>
> Hi,
>
>> I am planning a mail server of opensmtpd and dovecot. I'd be glad to know if
>> there is any way to save a copy of mail to dovecot's "Sent" mail box before
>> relaying them out.
>
> sorry, I don't know dovecot enough for tricks and hacks.
>
> it's possible that it's doable through some weird trick when smtpd would
> notify dovecot somehow of messages that were sent, but I doubt it and it
> is generally the mail user agent that does the link between mails it did
> send over SMTP and copies it stores through IMAP.
>
>> I am also not able to find any docs on opensmtpd-extra-pgsql. Is there any
>> guide to link postgresql up with smtpd for virtual users?
>
> There's a man page but no guide no.
>
> There are several tutorials for using SQLite and MySQL if you google and
> they are pretty much identical in terms of configuration.


Hi Benny.

I use Cyrus and Postgresql with smtpd.  Everything you need for virtual
users is in table-sqlite(5), but you will want to use IDENTITY or SERIAL
for the ID column. (There is a man page for table-postgres(5) in the
source, but it isn't installed.)

I can't speak for Dovecot.  But I use LMTP to deliver locally to the 
cyrus mailer.  Two actions are needed (below)
to route to the local mail store.   is /etc/mail/aliases, 
 is the database table.


# incoming email
action "cyrus" lmtp "127.0.0.1:2003" rcpt-to virtual 
# locally generated email (system /etc/mail/aliases - alias root to a some...@your.local.domain.com)

action "cyrus_internal" lmtp "127.0.0.1:2003" rcpt-to alias 

match from local for local action "cyrus_internal"
match from any for domain  action "cyrus"






Re: opensmtpd forwarding sent mail and extras-pgsql

2019-06-05 Thread Gilles Chehade
On Mon, Jun 03, 2019 at 05:44:41PM +, Benny wrote:
> Hi,
> 

Hi,


> I am planning a mail server of opensmtpd and dovecot. I'd be glad to know if 
> there is any way to save a copy of mail to dovecot's "Sent" mail box before 
> relaying them out.
> 

sorry, I don't know dovecot enough for tricks and hacks.

it's possible that it's doable through some weird trick when smtpd would
notify dovecot somehow of messages that were sent, but I doubt it and it
is generally the mail user agent that does the link between mails it did
send over SMTP and copies it stores through IMAP.


> I am also not able to find any docs on opensmtpd-extra-pgsql. Is there any 
> guide to link postgresql up with smtpd for virtual users?
> 

There's a man page but no guide no.

There are several tutorials for using SQLite and MySQL if you google and
they are pretty much identical in terms of configuration.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg



Behaviour of eval in sh(1) and ksh(1) in AND-OR list with set -e

2019-06-05 Thread Andreas Kusalananda Kähäri
When running under set -e, why does

eval false || echo ok

terminate the script with the execution of eval?  As far as I know, the
OpenBSD sh(1) and ksh(1) shells are the only ones doing that.

If we take termination of the script as a given in the above scenario
(even if it feels a bit odd since it's in an AND-OR list), then why does
the below behave differently?

eval ! true || echo ok

This would not terminate the shell regardless of set -e or not.

Is that a bug or is it a different interpretation of the standard?



-- 
Kusalananda
Sweden



Re: Filesystem corruption on OpenBSD routers after power outage?

2019-06-05 Thread Jan Stary
On Jun 04 19:30:08, mogens-jen...@protonmail.com wrote:
> Can anyone with experience running OpenBSD routers without UPS, tell if
> filesystem corruption is going to be a problem after power outages

I have been using various ALIXes with a CF card as storage,
and in the 10+ years, I had to do a manual fsck on them about
four times after a power outage. (Most often, the only indication
of an outage is the SMS the router sends me upon reboot.)

Jan



Re: Filesystem corruption on OpenBSD routers after power outage?

2019-06-05 Thread Kenneth Gober
On Tue, Jun 4, 2019 at 3:34 PM Mogens Jensen wrote:

> Can anyone with experience running OpenBSD routers without UPS, tell if
> filesystem corruption is going to be a problem after power outages, or
> if there are any officially supported ways to make the system resilient
> enough to not break after a power outage?
>
> I'm using an mSATA disk with MLC flash in the router.
>

I have some OpenBSD routers without UPS protection (Soekris net6501
devices) and after using them for some years, I think it's not possible
to have absolute 100% protection from filesystem corruption due to power
problems, without causing other problems such as making the system
overly fragile to upgrade or maintain.

However, it works reasonably well to put /var/log on an MFS file system,
and set up a cron job (as well as a line in /etc/rc.shutdown) to
periodically rsync /var/log to another directory (so that logs will be
preserved after a reboot).  This works fairly well, and the system comes
up properly after power failures easily over 98% of the time.  Very
rarely (i.e. I have seen it happen twice in a decade) you will get
unlucky and have corruption anyway that requires you to run "fsck -y"
manually.  This is rare enough that I haven't bothered trying to
automate it away.

To accomplish this, I installed OpenBSD with /var/log being a separate
filesystem, then edited /etc/fstab to rename /var/log to /mfs/log, and
add a new entry for /var/log:

swap /var/log mfs rw,nodev,nosuid,-s=128M,-P=/mfs/log 0 0

Initializing the MFS /var/log by loading from /mfs/log, combined with an
rsync command in /etc/rc.shutdown, is what gives the illusion of
/var/log being preserved across reboots.

-ken


Re: Thinkpad donation

2019-06-05 Thread
>Hi,
>
>I may have one spare Thinkpad X270 in mint conditions, which I would be 
>willing to donate to one of the OpenBSD developers. Not sure how to 
>proceed with this.
>I would probably prefer a developer located somewhere close to me (Czech 
>Republic, eastern part of Germany,…) as it will be possible for me to 
>hand it over personally.
>
>Regards
>
>Jan

TL;DR: email dera...@openbsd.org
https://www.openbsd.org/want.html



Re: SSL_ERROR_DECODE_ERROR_ALERT in Fedora 30 Firefox when connecting to some OpenBSD servers

2019-06-05 Thread Stuart Henderson
On 2019-06-05, Frank Groeneveld  wrote:
> On Wed, Jun 5, 2019, at 08:07, Frank Groeneveld wrote:
>> After updating to Firefox 67.0 on Fedora 30 it seems some OpenBSD 
>> servers cannot be reached over HTTPS anymore. The error produced is 
>> SSL_ERROR_DECODE_ERROR_ALERT. I get this with some of my own servers, 
>> but also with https://cvsweb.openbsd.org/
>> Anybody know what is going on? Chromium and openssl s_client on the 
>> same system works fine and the same Firefox version in Ubuntu, Mac OS 
>> and Windows don't have this problem.
>> 
>> Thanks in advance.
>
> Sorry for the noise, apparently there is a bug in the Fedora side when 
> connecting with newer versions of LibreSSL. Related bug report: 
> https://bugzilla.redhat.com/show_bug.cgi?id=1713777

The bug is server-side not client, looks like it would have been introduced
around January, and fixed in lib/libssl/ssl_tlsext.c r1.49


revision 1.49
date: 2019/05/29 17:28:37;  author: jsing;  state: Exp;  lines: +2 -5;  commitid: DLpHk0vyoFEK0Baa;
Relax parsing of TLS key share extensions on the server.

The RFC does not require X25519 and it also allows clients to send an empty
key share when they want the server to select a group. The current behaviour
results in handshake failures where the client supports TLS 1.3 and sends a
TLS key share extension that does not contain X25519.

Issue reported by Hubert Kario via github.

ok tb@
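
The parsing behaviour described in the commit message above, as an added example (not code from libssl or from this thread): a minimal C parser for ClientHello key_share extension data per RFC 8446 section 4.2.8, where the strict flag models the old requirement for an X25519 share. The function name, return codes and sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GROUP_X25519     0x001d  /* NamedGroup x25519 (RFC 8446, 4.2.7) */
#define KS_DECODE_ERROR  (-1)    /* malformed extension data */
#define KS_NO_X25519     (-2)    /* strict mode only: no X25519 share offered */
/* Constructed sample extension_data values (not captured traffic). */
static const uint8_t KS_EMPTY[]     = { 0x00, 0x00 };  /* empty client_shares */
static const uint8_t KS_P256_ONLY[] = { 0x00, 0x08, 0x00, 0x17, 0x00, 0x04, 1, 2, 3, 4 };
static const uint8_t KS_X25519[38]  = { 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20 }; /* zero key */
static const uint8_t KS_TRUNCATED[] = { 0x00, 0x08, 0x00, 0x17, 0x00, 0x09, 1, 2, 3, 4 };

/* Read a big-endian uint16 and advance the cursor; returns 0 on short input. */
static int get_u16(const uint8_t **p, size_t *left, uint16_t *out)
{
    if (*left < 2)
        return 0;
    *out = (uint16_t)(((*p)[0] << 8) | (*p)[1]);
    *p += 2;
    *left -= 2;
    return 1;
}

/* Layout: uint16 client_shares_len; then { uint16 group; uint16 klen; key[klen] }*
 * Returns the number of shares (0 is legal) or a negative KS_* code.
 * strict != 0 models the pre-fix behaviour: fail unless X25519 is offered. */
int parse_client_key_share(const uint8_t *data, size_t len, int strict)
{
    uint16_t list_len, group, klen;
    int shares = 0, has_x25519 = 0;
    if (!get_u16(&data, &len, &list_len) || list_len != len)
        return KS_DECODE_ERROR;
    while (len > 0) {
        if (!get_u16(&data, &len, &group) || !get_u16(&data, &len, &klen))
            return KS_DECODE_ERROR;
        if (klen == 0 || klen > len)   /* key_exchange is <1..2^16-1> */
            return KS_DECODE_ERROR;
        if (group == GROUP_X25519)
            has_x25519 = 1;
        data += klen;
        len -= klen;
        shares++;
    }
    return (strict && !has_x25519) ? KS_NO_X25519 : shares;
}

#define P(a, s) parse_client_key_share((a), sizeof(a), (s))
int main(void)
{
    printf("relaxed: %d %d %d\n", P(KS_EMPTY, 0), P(KS_P256_ONLY, 0), P(KS_TRUNCATED, 0));
    printf("strict:  %d %d\n", P(KS_P256_ONLY, 1), P(KS_X25519, 1));
    return 0;
}
```

The parser treats key_exchange bytes as opaque; it checks framing only, not whether a share is a valid public value for its group.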





Re: OpenBSD 6.5 dumps to debugger when using ifconfig bridge command

2019-06-05 Thread Russell Sutherland
Done.

Russell P. Sutherland   Email: russell . sutherland @ utoronto dawt ca
Network Engineer, I+TS   Voice: +1.416.978.0470
4 Bancroft Ave., Rm. 102  Cell: +1.416.803.0080
University of Toronto    Fax:   +1.416.978.6620
Toronto, ON  M5S 1C1

From: owner-m...@openbsd.org on behalf of Hrvoje Popovski
Sent: Wednesday, June 5, 2019 05:59
To: misc@openbsd.org
Subject: Re: OpenBSD 6.5 dumps to debugger when using ifconfig bridge command

On 4.6.2019. 21:22, Russell Sutherland wrote:
> I tried loading current on the device and the same result:
>
> OpenBSD 6.5-current (GENERIC.MP) #5: Mon Jun  3 07:46:49 MDT 2019
>
> # netstat -in
> NameMtu   Network Address  Ipkts IfailOpkts Ofail 
> Colls
> lo0 327680 00 0 > 0
> lo0 32768 ::1/128 ::1  0 00 0 > 0
> lo0 32768 fe80::%lo0/ fe80::1%lo0  0 00 0 > 0
> lo0 32768 127/8   127.0.0.10 00 0 > 0
> em0 150000:0d:b9:43:9b:3031715 0   120479 7 > 0
> em1 150000:0d:b9:43:9b:31   123252   11630860 0 > 0
> em2 150000:0d:b9:43:9b:32 1672 0  625 0 > 0
> em2 1500  128.100.103 128.100.103.831672 0  625 0 > 0
> enc0*   00 00 0 > 0
> bridge0 1500152255 0   151339 0 > 0
> pflog0  331360 0   70 0 > 0
> freenas-fw# ifconfig bridge0
> bridge0: flags=4WARNING: SPL NOT LOWERED ON S1
> YSCALL 5index 6 llprio 34 3 EXIT 0
> groups: bridg 9
> e
> priorStopped at  savectx+0xb1:   movl$0,%gs:0x530
> ddb{2}>


Hi,

can you take a look at this link
https://www.openbsd.org/ddb.html

when your box is up and running execute sendbug -P > bridge-problem.txt
and when your box is in ddb type these commands
trace, ps

and send all those to b...@openbsd.org mailing list ...



Thinkpad donation

2019-06-05 Thread Jan Betlach



Hi,

I may have one spare Thinkpad X270 in mint conditions, which I would be 
willing to donate to one of the OpenBSD developers. Not sure how to 
proceed with this.
I would probably prefer a developer located somewhere close to me (Czech 
Republic, eastern part of Germany,…) as it will be possible for me to 
hand it over personally.


Regards

Jan



Re: OpenBSD 6.5 dumps to debugger when using ifconfig bridge command

2019-06-05 Thread Hrvoje Popovski
On 4.6.2019. 21:22, Russell Sutherland wrote:
> I tried loading current on the device and the same result:
> 
> OpenBSD 6.5-current (GENERIC.MP) #5: Mon Jun  3 07:46:49 MDT 2019
> 
> # netstat -in
> NameMtu   Network Address  Ipkts IfailOpkts Ofail 
> Colls
> lo0 327680 00 0 > 0
> lo0 32768 ::1/128 ::1  0 00 0 > 0
> lo0 32768 fe80::%lo0/ fe80::1%lo0  0 00 0 > 0
> lo0 32768 127/8   127.0.0.10 00 0 > 0
> em0 150000:0d:b9:43:9b:3031715 0   120479 7 > 0
> em1 150000:0d:b9:43:9b:31   123252   11630860 0 > 0
> em2 150000:0d:b9:43:9b:32 1672 0  625 0 > 0
> em2 1500  128.100.103 128.100.103.831672 0  625 0 > 0
> enc0*   00 00 0 > 0
> bridge0 1500152255 0   151339 0 > 0
> pflog0  331360 0   70 0 > 0
> freenas-fw# ifconfig bridge0
> bridge0: flags=4WARNING: SPL NOT LOWERED ON S1
> YSCALL 5index 6 llprio 34 3 EXIT 0
> groups: bridg 9
> e
> priorStopped at  savectx+0xb1:   movl$0,%gs:0x530
> ddb{2}>


Hi,

can you take a look at this link
https://www.openbsd.org/ddb.html

when your box is up and running execute sendbug -P > bridge-problem.txt
and when your box is in ddb type these commands
trace, ps

and send all those to b...@openbsd.org mailing list ...



Re: Filesystem corruption on OpenBSD routers after power outage?

2019-06-05 Thread Federico Giannici

Is there any way to tell the boot script to use the "-y" flag in fsck?

If something goes wrong with simple fsck, I always simply do a "fsck 
-y". There is no other option for me. So, it would be VERY useful if 
this could be done automatically instead of interrupting the router startup.


Thanks.



On 6/5/19 1:30 AM, Nick Holland wrote:
> On 6/4/19 1:29 PM, Mogens Jensen wrote:
>> I'm going to build a router for use in a remote location, and I have
>> chosen OpenBSD 6.5 for the task. Unfortunately, it's not possible to
>> protect the router with an UPS, so it will have to be resilient enough
>> to survive sudden power outages and still boot without manual
>> intervention.
>>
>> In the past I have built a few Linux based routers and they were
>> configured to run from RAM. I have made some research to see if this is
>> also possible on OpenBSD and found that, while there are solutions to
>> have / read-only, none of this is officially supported.
>>
>> Can anyone with experience running OpenBSD routers without UPS, tell if
>> filesystem corruption is going to be a problem after power outages, or
>> if there are any officially supported ways to make the system resilient
>> enough to not break after a power outage?
>>
>> I'm using an mSATA disk with MLC flash in the router.
>
> I realized a few decades ago that consumer UPSs are a bad investment.
> Industrial UPSs are a dubious idea in business unless you have a
> dual-power supply machine and can hook each PS to a DIFFERENT UPS -- in
> my area, grid power is more reliable than cheap UPSes (your mileage may
> vary).  And you have to MAINTAIN your UPSs, otherwise after a few years,
> UPSs turn minor glitches into power outages (thank you very much).
>
> I'm also fond of proving my own claims, so I very often just yank the
> cord on my systems rather than doing orderly shutdowns.
>
> Yes, if you drop power on an OpenBSD system, you will get an fsck on
> reboot.  Solution: Make your partitions as small as reasonable.  Just
> because you got a 500G disk for cheap, no reason to allocate all 500G.
> For a router, 10G is PLENTY, and will fsck quickly.  If you have slow
> media (i.e., flash drives), you might want to aim for 1G.  Every once in
> a long while, you might catch a really bad time for the power to go out,
> and have to manually say "Fix it!" to fsck, but for the most part, the
> system will just come back up after the power comes back on.
>
> The less you write to disk, the less risk you have of having to manually
> intervene in your system's reboot.  IF you want to do some fancy
> logging, keep the logging partition out of the fstab file, and have a
> script that brings it up with a "fsck -y" AFTER the system comes up, and
> start the fancy logging AFTER the big logging partition successfully mounts.
>
> But don't do stupid games to try to improve your chances, just make sure
> there's a monitor and keyboard available to fix any problems that might
> happen.  Simple systems have simple problems.  Complex systems break in
> complex ways.  You want me to swear you'll never have to manually
> intervene in boot after an "event"?  Nope.  But I've walked
> non-technical people through single-user fsck's over the phone; when
> your bastardized system breaks, you will be down for a lot longer and
> you will be going on-site to fix.
>
> Nick.





Re: SSL_ERROR_DECODE_ERROR_ALERT in Fedora 30 Firefox when connecting to some OpenBSD servers

2019-06-05 Thread Frank Groeneveld
On Wed, Jun 5, 2019, at 08:07, Frank Groeneveld wrote:
> After updating to Firefox 67.0 on Fedora 30 it seems some OpenBSD 
> servers cannot be reached over HTTPS anymore. The error produced is 
> SSL_ERROR_DECODE_ERROR_ALERT. I get this with some of my own servers, 
> but also with https://cvsweb.openbsd.org/
> Anybody know what is going on? Chromium and openssl s_client on the 
> same system works fine and the same Firefox version in Ubuntu, Mac OS 
> and Windows don't have this problem.
> 
> Thanks in advance.

Sorry for the noise, apparently there is a bug in the Fedora side when 
connecting with newer versions of LibreSSL. Related bug report: 
https://bugzilla.redhat.com/show_bug.cgi?id=1713777

Regards,
Frank



Re: How to synchronise 2 spamd instances

2019-06-05 Thread Boudewijn Dijkstra

On Fri, 31 May 2019 00:34:39 +0200, Mik J wrote:

> Hello,
>
> I'm back again with spamd synchronisation.
>
> I made further tests and it seems to me that only new entries in spamd
> are synchronised.
> All existing entries before the synchronisation are not sent to the
> other spamd instance.
>
> Is it supposed to work like that ?


Yes. From the spamd(8) manual:
"The databases are synchronised for greylisted and trapped
entries; whitelisted entries and entries made manually using spamdb(8)
are not updated."





--
Made with Opera's e-mail program: http://www.opera.com/mail/



Re: Filesystem corruption on OpenBSD routers after power outage?

2019-06-05 Thread Marc Espie
On Wed, Jun 05, 2019 at 05:12:20AM +, Roderick wrote:
> 
> "-o union" was last in 3.7, disappeared in 3.8. Was there a reason?
> 
> https://man.openbsd.org/OpenBSD-3.7/mount

Yes, the developers felt we couldn't make it work without bugs in a sane
way.

Locks over locks is insanely hard to get right.



SSL_ERROR_DECODE_ERROR_ALERT in Fedora 30 Firefox when connecting to some OpenBSD servers

2019-06-05 Thread Frank Groeneveld
After updating to Firefox 67.0 on Fedora 30 it seems some OpenBSD servers 
cannot be reached over HTTPS anymore. The error produced is 
SSL_ERROR_DECODE_ERROR_ALERT. I get this with some of my own servers, but also 
with https://cvsweb.openbsd.org/
Anybody know what is going on? Chromium and openssl s_client on the same system 
works fine and the same Firefox version in Ubuntu, Mac OS and Windows don't 
have this problem.

Thanks in advance.

--
Frank