Re: Autoinstall

2013-11-05 Thread Marian Hettwer

On 2013-11-05 10:06, Peter Hessler wrote:
On 2013 Nov 04 (Mon) at 17:14:57 -0500 (-0500), Predrag Punosevac 
wrote:

:I was driving last night so I have not had much sleep. I just want to
:make sure that I am not hallucinating. Ten minutes ago when I installed
:the latest snapshot I was presented with an additional installation option:
:
:Autoinstall [A]
:
:I picked it out of curiosity but since I have not provided a configuration
:file I was dropped to the shell.
:
:I think I can see where this is going and I would like to thank
:everyone involved.
:
:Cheers,
:Predrag
:

Yes, Autoinstall needs some configuration to work.  Documentation is in
progress.


Very glad to see this coming! Thanks a million! :-)

Cheers,
Marian



Re: OpenBSD maintenance compared to FreeBSD

2013-10-30 Thread Marian Hettwer
For FreeBSD: stay on -RELEASE and use freebsd-update(8)
Nowadays no need to build world. 

-- 
sent via my mobile C64

 On 30.10.2013 at 03:44, David Noel david.i.n...@gmail.com wrote:
 
 I started playing around with FreeBSD back in the 2.2.7 days. I'd
 describe myself as a casual desktop/workstation user. Back in the day
 I was attracted to OpenBSD's heavy focus on security but was pulled
 towards FreeBSD due to a good friend of mine being a FreeBSD
 contributor (dude, trust me, it's the way to go). Recently I've
 purchased a handful of servers for a software project I've been
 working on and have started reconsidering my choice of OS's.
 Administering a single FreeBSD workstation isn't too much of a
 headache; I've kind of gotten used to having to rebuild kernel and
 world every few months as security advisories are released. But now
 that I'm administering 6 of them I'm really starting to get annoyed by
 the whole process: rebuild kernel... rebuild world... reboot, and then
 pray that it doesn't blow up in my face (as it often does). That got
 me thinking about OpenBSD. Looking at the security advisories the last
 one I see was from nearly a year and a half ago! That's pretty
 incredible to me. Does this mean that I could theoretically have
 gotten away with a year and a half uptime? What's the catch here? I'm
 sorry but I'm incredulous by how good it sounds so I have to ask. For
 me the biggest selling points of an operating system are security and
 maintenance. I've been wowed by ZFS, but really how often do
 filesystems need to be fsck'd? --and I never take snapshots. I feel
 like I could do without it. UFS+J is good enough. Given my priorities,
 does it sound like OpenBSD could be the one for me?



Re: OpenBSD pxe automated install

2013-08-13 Thread Marian Hettwer
Hi loic,

Sorry for top posting.
I need exactly the same for OpenBSD. Maybe we could work together... In my
case all I need on top of it is some sane network config and a first puppet
run after reboot...
But I hesitated to modify bsd.rd...
Maybe it's wiser to create a netboot.rd and leave bsd.rd alone.

A starting point could be http://www.hiqu.biz/redux

PM me if you have interest to work together with me :-)

Cheers
Marian

--
sent via my mobile C64

On 13.08.2013 at 08:37, Loïc BLOT loic.b...@unix-experience.fr wrote:

 Hello Tito,
 thanks for giving me the FAQ one more time, which you think I have never read.
 This boot process is okay for me but the problem is NOT the PXE boot
 process. The problem is to automate the installation.
 My OpenBSD pxeboot is chained after a pxelinux which already serves
 automated Debian installs. Now the goal is to serve automated OpenBSD
 installs.

 I don't know if I didn't choose the right words to explain my need, or
 if nobody reads all my answers to already answered questions... but I
 give a list of precisions for future answers:

 1. My problem is NOT PXE boot (http://www.openbsd.org/faq/faq6.html#PXE = NO)
 2. My problem is NOT siteXX.tgz and customized installations by that
 means (http://openbsd.org/faq/faq4.html#site = NO)
 3. What I want is something like this:
 https://wiki.debian.org/DebianInstaller/Preseed or this
 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_Guide/ch-kickstart2.html

 Then I asked @misc to know if an existing process exists, but now I think
 this doesn't exist and I must create a special bsd.rd PXE to do this
 (and share it with the OpenBSD community; it will be great for deploying
 OpenBSD on several machines without doing anything).

 Have a nice day :)

 --
 Best regards,
 Loïc BLOT,
 UNIX systems, security and network expert
 http://www.unix-experience.fr


 On Tuesday 13 August 2013 at 06:29 +0800, Tito Mari Francis Escaño wrote:
 Please read http://www.openbsd.org/faq/faq6.html#PXE and hope this
 helps. You'd be told with a deliberately unpleasant choice of
 words if next time you don't research well before asking on the list.



 On Tue, Aug 13, 2013 at 4:57 AM, Loïc BLOT
 loic.b...@unix-experience.fr wrote:
Thanks for the precision James, you confirmed what i have
understood.
I will search tomorrow.
--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr



On Monday 12 August 2013 at 12:23 -0700, James A. Peltier wrote:
 - Original Message -
 | read the FAQ, Loic.
 |
 | http://openbsd.org/faq/faq4.html#site
 |
 | Site*.tgz, install.site and upgrade.site are a good starting point.
 |
 | On Mon, Aug 12, 2013 at 11:59 AM, Loïc BLOT
 | loic.b...@unix-experience.fr wrote:
 |  Hello @misc.
 | 
 |  Today I'm working on automated deploys with PXE. I have successfully
 |  found and made an automated PXE install on Debian with pxelinux.
 | 
 |  I know OpenBSD has a pxe boot image to netinstall the system
 | 
 |  http://www.cyberciti.biz/faq/openbsd-boot-install-using-pxe-preboot-execution-environment/
 | 
 |  Are there any options to automate the installation?
 |  I want a machine to boot on bsd.rd, read a configuration file (url
 |  passed by etc/boot.conf, for example) and install with the read
 |  parameters.
 |  Are there any issues with doing this, or do I do it myself?
 | 
 |  Thanks in advance
 |  --
 |  Best regards,
 |  Loïc BLOT,
 |  UNIX systems, security and network expert
 |  http://www.unix-experience.fr

 If you are looking for automated partitioning and the like, site.install and
 site.upgrade don't apply whatsoever.  In order to fully automate the
 installation you will need to modify the bsd.rd file contents in order to do
 that.  site.install and site.upgrade can be used to do other things like
 install packages or upgrade the OS as necessary.



Re: OpenBSD pxe automated install

2013-08-13 Thread Marian Hettwer
On 13.08.2013 at 10:07, Don Jackson openbsd-m...@clark-communications.com wrote:

 Later, Nick did this:
 
 redux - fully automated OpenBSD installation - hiqu.biz
 
 We failed to get any sort of buy in to this approach into the main
 distribution…
 

This is sad :-/
For any mass deployment I need this... I was okay with doing it semi automated 
for the first three boxes at work. But nowadays it's 10 boxes and we are going 
for full automation. Hm hm...

Marian



Re: OpenBSD pxe automated install

2013-08-13 Thread Marian Hettwer

Hi Nick,

well, obviously you have a different opinion on automated installations.
For me it's even crucial with just 10 boxes.
I'm taking into account that I want to introduce more OpenBSD 
installations at work and that I also need to install QA environments.


All of our infrastructure (2000+ servers) is fully automatically installable.

The lack of doing the same with OpenBSD is one reason to not introduce 
more OpenBSD installations.


Long story short, your opinion on this topic differs to mine.

Between OpenBSD 4.7 and 5.1 I had my own set of install scripts but I 
never got around to actually modifying bsd.rd, or rather building my own one 
which starts the installation automatically.


Looks like it's time to do this. And maybe I can sync up with some 
others in this thread and we could work together.


Cheers,
Marian

PS.: For the interested reader, I always liked FAI for Debian. My first 
scripted OpenBSD install was based on that.


On 13.08.13 13:52, Nick Holland wrote:

On 08/13/13 07:13, Marian Hettwer wrote:
...

This is sad :-/ For any mass deployment I need this... I was okay
with doing it semi automated for the first three boxes at work. But
nowadays it's 10 boxes and we are going for full automation. Hm
hm...

Marian



ten boxes.  Um.
Let's see.  An OpenBSD install takes less than ten minutes (assuming
small file systems.  Yes, the newfs step can take a while on big file
systems).  You can also do several installs at the same time.  So you
are trying to save at most 100 minutes.  dang, I'm gonna spend much of
that telling you how to do it.  Sounds like you are about to spend a few
weeks trying to save a few minutes.

Do you think you can write some custom build scripting system in under
two hours?  Do you think you can LEARN a custom building system in under
two hours?  This isn't a long, painful, massively interactive Linux or
Solaris install, your return on investment of time here is not going to
come in 10 boxes.  I doubt it would be there for 100 boxes (if you
include the setup and infrastructure).


Keep in mind, the OpenBSD install process is fairly simple.

1: (assuming appropriate) create fdisk partition.  Most common case can
be done on the command line.

2: disklabel (can be scripted; see the softraid(4) man page.  Can also use a
pre-defined template file, and pre-defined means before running
disklabel).

3: newfs all partitions

4: mount 'em somewhere, presumably hanging off /mnt

5: untar all desired file sets

6: record a few key config files (network, machine name, etc.)

6a: might as well add your admin users?

7: MAKEDEV all

8: install boot loader

(I probably forgot something. that was all from early morning memory)


This is all easily scriptable.  So, if you can define your task
appropriately, you can write an install script, stick it in your own
bsd.rd (yes, you will name it something other than bsd.rd) or build an
install kernel which fetches the script from a master install server,
and away you go.

I can't get too excited about this, as your bulk install needs are
probably very different than mine, and the marginal time savings per
machine are going to be small.

Nick.




Re: OpenBSD pxe automated install

2013-08-13 Thread Marian Hettwer

Hi Loic,


On 13.08.13 15:43, Loïc Blot wrote:

Hello Marian,
I think you are right, because bsd.rd is required as a last chance to
repair the system, among others.



right. And I'd like to leave it untouched. This hopefully also increases 
the possibility that whatever we come up with might get added upstream... ;)



My vision is to have a system like we have in Debian, I think it's
proper. In fact, the problem is not to modify the installer to use the
configuration file, it's to set up the network automatically to get this file.

On Debian, the URL is passed by a kernel variable on pxelinux
(url=http/ftp/tftp://...). If we can pass this variable to the OpenBSD
boot.conf file (used for PXE), and set up URL + network method (we need
to set the config URL, and network methods (iface + dhcp/static) to get
this file), we can modify the install script to use some obtained variables,
loaded into this file.

Many people want this function, I think we must think together to see
what everybody wants. What do you think about my proposed method ?



I agree that the most pressing point is automatic network configuration 
in order to be able to download additional configs, like disk config, 
package config, ...


I believe it's safe to assume that a DHCP server is around, since this 
one is needed anyway to pxeboot the box.
So after the boot of our netboot.rd kernel, we need to figure out which 
interface was used for pxe config and then do a dhclient on this interface.
IIRC detection of available NICs is part of install.sub, so we might 
just use that routine.
If we got an IP address, dhcp should probably give extra options, like 
the config server url where we then can find and download the additional 
configs.

From there it should be easy to do the fully automated installation.

After that, before the reboot we might want to be able to set up things 
like:

- serial console
- some default/random root pw
- some root ssh key
- maybe additional packages (like puppet)

then reboot.



We can also pass config file by DHCP (string record ?) or DNS (special
TXT record ?) but it's not really automated because it doesn't resolve
the networking connection problem.

We could and probably should use DHCP options, since as stated above, 
dhcp servers are available for the pxeboot anyways.



Should we take this discussion off the list now?
If so, who would like to be part of the next emails?
I'd guess Loic, me, phessler (?), Nick Bender (?) and I will also add a 
colleague some might know (Uwe Stuehler uwe@).


Cheers,
./Marian

PS.: personal opinion: I like FAI (www.fai.org) much more than Debian's 
preseed.cfg... check it out ;)
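
A client-side sketch of the scheme discussed above, written for this page as an added example rather than code from the thread or from OpenBSD's installer: read a site-local option out of a dhclient.leases(5)-style file, accept the config URL only if it points at the expected server and uses a conservative character set, and check the fetched file against a SHA-256 pinned in the netboot image before acting on it. The point of the checks is that a DHCP answer is an unauthenticated LAN broadcast and should not get to decide what gets installed. The option code 224, the lease rendering `option option-224 "..."`, the host install.example.internal and the pinned hash (the hash of an empty file, for the demo) are assumptions; the lease text is constructed sample input.

```shell
#!/bin/sh
# Added example, not from the thread. Client side of a DHCP-driven netboot
# install: take the config URL from a site-local lease option, allowlist it,
# and verify the downloaded config against a hash pinned in the boot image.
set -eu

# Assumptions (adjust to your site): option code 224 carries the URL, the
# config server name, and the expected SHA-256 of the config file; the demo
# value is the hash of an empty file.
CONFIG_OPTION=option-224
CONFIG_HOST=install.example.internal
PINNED_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Constructed sample lease in dhclient.leases(5) style. How a site-local
# option code is named in the file depends on the client and on the server's
# option definition, so CONFIG_OPTION must match what your lease file shows.
LEASE_FILE=${TMPDIR:-/tmp}/netboot-lease.$$
trap 'rm -f "$LEASE_FILE"' EXIT
cat > "$LEASE_FILE" <<'EOF'
lease {
  interface "em0";
  fixed-address 10.0.5.23;
  option subnet-mask 255.255.255.0;
  option routers 10.0.5.1;
  option domain-name-servers 10.0.5.1;
  option option-224 "http://install.example.internal/cfg/10.0.5.23.conf";
  renew 2 2013/08/13 12:00:00;
}
EOF

# lease_option NAME FILE: value of the last "option NAME ...;" statement,
# quotes and trailing semicolon stripped; prints nothing if absent.
lease_option() {
    awk -v name="$1" '
        $1 == "option" && $2 == name {
            val = $3
            for (i = 4; i <= NF; i++) val = val " " $i
            sub(/;$/, "", val)
            gsub(/"/, "", val)
        }
        END { if (val != "") print val }' "$2"
}

# valid_config_url URL: only http(s) on CONFIG_HOST, a conservative character
# set in host and path, and no ".." so the server cannot be steered outside
# its config tree.
valid_config_url() {
    case $1 in
        http://$CONFIG_HOST/*|https://$CONFIG_HOST/*) ;;
        *) return 1 ;;
    esac
    rest=${1#*://}
    case $rest in
        *[!A-Za-z0-9./_-]*|*..*) return 1 ;;
    esac
    return 0
}

# netboot_config_url FILE: the URL to use, or failure if absent or rejected.
netboot_config_url() {
    url=$(lease_option "$CONFIG_OPTION" "$1")
    [ -n "$url" ] && valid_config_url "$url" || return 1
    printf '%s\n' "$url"
}

# sha256_of FILE: works with OpenBSD sha256(1) and with GNU sha256sum.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_config FILE: succeeds only if FILE matches the pinned hash.
verify_config() {
    [ "$(sha256_of "$1")" = "$PINNED_SHA256" ]
}

if url=$(netboot_config_url "$LEASE_FILE"); then
    echo "config URL accepted: $url"
    # On the real netboot.rd the next steps would be, with ftp(1) from bsd.rd:
    #   ftp -o /tmp/install.conf "$url" && verify_config /tmp/install.conf
    # and only then hand /tmp/install.conf to the install script.
else
    echo "no acceptable config URL in $LEASE_FILE" >&2
fi
```

Pinning a hash only works if the config is static per image; for per-host configs the same idea applies with a signature checked against a public key baked into the image, which is what the later signify(1) tooling provides for the sets themselves.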




Re: OpenBSD pxe automated install

2013-08-13 Thread Marian Hettwer
On 13.08.2013 at 19:08, Johan Beisser j...@caustic.org wrote:

 On Tue, Aug 13, 2013 at 9:48 AM, Marian Hettwer m...@kernel32.de wrote:
 Hi Loic,
 
 
  On 13.08.13 15:43, Loïc Blot wrote:
 
 
 PS.: personal opinion: I like FAI (www.fai.org) much more then debians
 preseed.cfg... check it out ;)
 
 http://fai-project.org/ is the correct URL. I've had some interesting
 problems with FAI in the past. Once it's working, it's quite
 wonderful.

Oops. Sorry for taking the wrong URL... And thanks for correcting me :)
Wrt FAI and OpenBSD, I just like the concept of FAI. The several stages it 
uses. And everywhere one can hook in, if one needs something special. 
For instance, we are using FAI to set up RAID, do an inventory run of new hardware 
or firmware upgrades of existing ones. For the latter too, FAI doesn't touch 
the disks... :)



Re: locate weirdness

2012-01-11 Thread Marian Hettwer

Hi,


On 11.01.12 20:17, L. V. Lammert wrote:

At 01:04 PM 1/11/2012, Barry Grumbine wrote:

Bite the bullet, upgrade, life is better at 5.0


Sorry, but *UPGRADING* isn't the question - the question is why locate
is not working properly.


No. You were advised to upgrade, since 4.3 is not supported anymore. 
Heck, probably nobody can even remember whether something was odd with 
locate in 4.3.
Upgrade to a supported release and if you still face problems, come back 
to the list.


Try to look from a different angle here.
Say, you had an old Debian Sarge release (years old) and you 
approached a Debian mailing list with "something is weird with 
locate", pretty sure you would get a lot of advice to upgrade first, 
test then, and if the problem persists, come back.


All good and jolly!

./Marian



Re: locate weirdness

2012-01-11 Thread Marian Hettwer

On 11.01.12 22:34, Ted Unangst wrote:

On Wed, Jan 11, 2012, L. V. Lammert wrote:

At 01:30 PM 1/11/2012, Jeremy O'Brien wrote:


4.3 was released May 1, 2008. That's almost 4 years old software. What
are you expecting here? Someone to check out the code from that
version and deeply inspect what may be causing your problem, that is
more than likely already fixed in a later version?


Another typical reply - the question was has anyone ever seen
anything like this, .. or, perhaps, what could be causing it. No
need for the off-topic diatribes - a simple no would more than suffice.


okie, dokie.  locate works for me!


Ah! History Channel.

/me too haz workin locate

([foobar@bistromath] ~)$ locate pfctl
/sbin/pfctl
/usr/sbin/ospfctl
([foobar@bistromath] ~)$ uname -a
OpenBSD bistromath.meganet.local 4.0 GENERIC#1107 i386
([foobar@bistromath] ~)$ time sudo /usr/libexec/locate.updatedb
Password:

real    0m9.379s
user    0m1.453s
sys     0m3.406s
([foobar@bistromath] ~)$ echo $?
0

I really should update this system ;-)

./Marian



Re: locate weirdness

2012-01-11 Thread Marian Hettwer

On 12.01.12 00:13, Philip Guenther wrote:

On Wed, Jan 11, 2012 at 3:02 PM, Marian Hettwerm...@kernel32.de  wrote:
...

([foobar@bistromath]~)$ time sudo /usr/libexec/locate.updatedb
Password:


Ah, but that's *not* how locate.updatedb is invoked by the cronjob!
There's a reason I called out the need to mimic that when trying to
replicate the problem while walking through locate.updatedb
manually...



[root@bistromath] ~ # /bin/sh /etc/weekly

Rebuilding locate database:

Rebuilding whatis databases:
[root@bistromath] ~ # echo $?
0


still on OpenBSD 4.0.
And /etc/weekly looks like a reasonably easy, straightforward shell 
script. (I would expect nothing else in OpenBSD).


./Marian



Re: Security over wireless.

2011-09-09 Thread Marian Hettwer
Hi David,


On Fri, 9 Sep 2011 21:45:52 +0930, David Walker
davidianwal...@gmail.com wrote:
 Nick Holland nick () holland-consulting ! net
 define security :)
 
 I'm guessing that TLS is out and that IPsec might be in on that criteria.
 Is SSH out there too?

I'd say SSH tunnels are still in.
 
 Your risks with wireless:
 * Unauthorized use to access Internet
   - use AuthPF so that you have to ssh authenticate to use the
  gateway.
 
 Yep. Too good to be true but it won't stop a persistent script kiddie
 from spoofing though right?

No. IP spoofing won't help the script kiddie at all.
To successfully authenticate via authpf, you need a valid IP address for
responses.
With a fake source IP, the script kiddie won't even get a full TCP
handshake done...
Additionally, you should configure your SSH server to only accept key
based authentication.
A script kiddie without a private key just wouldn't get in.
If you are concerned about unsuccessful login attempts by script kiddies,
you should throw in pf's overload function as well.
To me that's best practice for any open SSH port. I like my logfiles
clean.
 
 * Unauthorized use of local resources
   - Use strong authentication for anything internal
 
 Yep. No SSH server until I sit down and read the docs.


Read about key based authentication. If you only allow keys, you're
good to go.
Don't lose your private key, though ;)

 
 * Packet sniffing
   - use encrypted communications for all you can, and everything
  important.  SSH tunnels are your friend
 
 I'd like to encrypt everything.
 Thanks for the search term. :]


Use SSH and/or IPSEC.

 
 * Uncontrolled access to network'
   - authenticate everything.
 
 Here's where the flags go up for authpf right?

right.

 If I'm right the authentication is on the initial connection and
 everything subsequent is based on the associated IP address (or with
 noip the userid) which won't prevent a MITM from hijacking that IP and
 certainly won't prevent them from reading my packets. Is that right?

Usually authpf is used to open a port to remote_ip after successful
authentication.
That port is usually used for ipsec.
Your initial authentication connection is ssh, thus it's encrypted and
packet sniffing is useless.
Your second connection could be the ipsec tunnel. Again, it's encrypted
and packet sniffing is useless.

With regards to MITM and hijacking: no, that isn't possible with an SSH2
connection.
Well, at least I haven't heard of that.

 
 Basic trick for safer wireless is to assume your wireless devices and
 all devices that are accessible via wireless are raw on the Internet.
 As all your listed devices are OpenBSD, this is entirely possible.
 
 I guess that works both ways.
 I'm quite concerned about the youngsters down my street with too much
 time on their hands and not so much with some guy from the intarwebs
 using my wireless to attack them ...
 I'd like to see that. :]

If your outside facing boxes are OpenBSD, locked down to only have
tcp/22 open and the underlying sshd enforces key based authentication,
I'd really like to see a script kiddie getting beyond that.
Can't think of a way, other than them stealing your private key in
the first place.
Uh, yeah, when you generate keys, make sure to have a strong
passphrase. This will give you some time ahead before a lost private key
can get used.


I'm under the impression that you have a huge journey of reading,
reading and more reading ahead of you ;)

Cheers,
Marian



Re: Recompile OpenBSD without built-in Apache 1.3

2011-07-06 Thread Marian Hettwer

On 05.07.11 05:13, Henning Brauer wrote:

* Tito Mari Francis Escaño titomarifran...@gmail.com  [2011-06-29 03:31]:

Is it possible to recompile the whole system while excluding the built-in
Apache 1.3 web server?


yes


indeed.


I was hoping to save a few more megabytes off the base installation
of the system.


I see.


me too.


In case it's not advisable


indeed


why?


can you please discuss the bad side effects of doing so?


you look like a retard.

you too.


we laugh about you.

ha!


you won't get any help.

true.


and much more.

whut?

BeSD regards,
Marian

PS.: Kabarett *swing swing along and sing sing along*



Re: OT:Re: How do I exclude a directory using tar in OpenBSD?

2011-06-01 Thread Marian Hettwer
On Tue, 31 May 2011 17:05:55 -0400, Eric Furman
ericfur...@fastmail.net wrote:
 On Tue, 31 May 2011 13:43 +0200, Marian Hettwer m...@kernel32.de
 Obviously not.
 I'm talking about shell scripts which should work in a multi unix
 environment. Namely, in my env, Debian, Solaris and OpenBSD.
 I tend to install gnu sed and gnu grep and gnu diff on all 3 named
 systems.
 I actually see nothing bad about it. Not at all.
 
 And what do you do when you are not in charge of the box you
 need your script to run on? It is not uncommon to work in an
 environment with many thousands of boxes most of which you
 have no control over. You cannot depend on gnu or any other
 tools being installed on them. Better to have your script
 detect which OS it's running on and take appropriate action.
 You are establishing a very bad habit...

I can only partly agree.
In my case, I am in charge of them boxes. And we are talking a thousand
and a bit.
However, if I'm not in charge of the box, I do make sure that my script
will run with the native tools of whatever unix (well, Linux, FreeBSD,
OpenBSD, Solaris) it should run on.
I do disagree with regards to a bad habit.
It isn't. It's pragmatic. That's what you do if you are in charge of
the boxes.

And yep, this is really OT now.

Cheers,
Marian



Re: How do I exclude a directory using tar in OpenBSD?

2011-06-01 Thread Marian Hettwer
On Tue, 31 May 2011 17:02:16 +0200, Otto Moerbeek o...@drijf.net
wrote:
 
 $ pax -vw -f t.tar -x ustar -s /skip.this// .
 
 Should be portable...


Good to know! I put this into my list of one-liners.
Thanks! :)

./Marian



Re: How do I exclude a directory using tar in OpenBSD?

2011-05-31 Thread Marian Hettwer
On Tue, 31 May 2011 10:53:58 +0200, LEVAI Daniel l...@ecentrum.hu
wrote:
 On Tue, May 31, 2011 at 11:42:24 +0300, Michael Sioutis wrote:
 Hello!

 I can't find it in the man page, and it seems it is not supported (?)
 I am trying to backup some folders and want to exclude some and nth
 will work. I've tried:
 --exclude=/folder/
 --exclude=/folder/
 --exclude /folder
 --exclude folder

 I will get an error: --exclude... directory doesn't exist.

 Excluding will work in Linux.

 That is a GNU extension. You can work this around with find(1) and the
 tar(1)'s '-I' option.
 
 

bsdtar from the FreeBSD project supports --exclude too.
The OP could as well install GNU tar from packages. bsdtar doesn't seem
to exist...

At least that's what I do at work (Debian, Solaris, OpenBSD env).
It's a pain to walk around every nifty details of different unixes...

Cheers,
Marian



Re: How do I exclude a directory using tar in OpenBSD?

2011-05-31 Thread Marian Hettwer
On Tue, 31 May 2011 11:39:41 +0200, Jeremie Courreges-Anglas
ktulu+m...@wxcvbn.org wrote:
 On 31/05/2011 11:23, Marian Hettwer wrote:
 That is a GNU extension. You can work this around with find(1) and the
 tar(1)'s '-I' option.
 
 Also
 tar cf /foo.tar /bar/!(folder|other_folder)
 using plain ksh

that looks nice.
 
 bsdtar from the FreeBSD project supports --exclude too.
 The OP could as well install GNU tar from packages. bsdtar doesn't seem
 to exist...

 At least that's what I do at work (Debian, Solaris, OpenBSD env).
 It's a pain to walk around every nifty details of different unixes...
 
 I'm wondering where does that logic stop... do you also install GNU ls
 to get colors?

Obviously not.
I'm talking about shell scripts which should work in a multi unix
environment. Namely, in my env, Debian, Solaris and OpenBSD.
I tend to install gnu sed and gnu grep and gnu diff on all 3 named
systems.
I actually see nothing bad about it. Not at all.

Cheers,
Marian



Re: How do I exclude a directory using tar in OpenBSD?

2011-05-31 Thread Marian Hettwer
On Tue, 31 May 2011 12:39:15 + (UTC), Stuart Henderson
s...@spacehopper.org wrote:
 On 2011-05-31, Marian Hettwer m...@kernel32.de wrote:

 bsdtar from the FreeBSD project supports --exclude too.
 The OP could as well install GNU tar from packages. bsdtar doesn't seem
 to exist...

 At least that's what I do at work (Debian, Solaris, OpenBSD env).
 It's a pain to walk around every nifty details of different unixes...
 
 The other way you can do it is just use posix-specified options and
 not rely on vendor-specific extensions. But unfortunately many of the
 vendors (*cough*gnu*cough*) don't make it clear which options are
 standard and which are extensions... And, sadly, even some of the
 BSD-derived OS have replaced a bunch of their standard tools with GNU.

You are right. One should rely on posix standards.
However, reality most often proved that there will be GNU-ism all over
the place.
Time for a clean up task? Maybe. Going the easier road of just
installing some gnu tools, why not?

Talking about BSD specifics. I really like the possibility on my
FreeBSD box with bsdtar to not specify -z or -j depending on the
archived tar file. Instead, bsdtar just guesses for me what it'll be.
tar -xvf foo.tar.gz or tar -xvf foo.tar.bz2 is all the same to me.
However, I really try hard not to get the hang of it. This would never
work with any other tar I encountered...
And obviously I wouldn't do this in a shell script ;)

Cheers,
Marian



Re: kern.maxcluster

2011-04-01 Thread Marian Hettwer

Hej Henning,

On 25.03.11 17:03, Henning Brauer wrote:

* Marian Hettwerm...@kernel32.de  [2011-03-25 13:59]:

On Fri, 25 Mar 2011 09:24:16 -0300, Kleber Rochakli...@gmail.com
wrote:

Thanks all of you, I really don't know how some options of sysctl.conf
works, I turn back the option to default values and follow the
considerations of https://calomel.org/network_performance.html [1].
I'm using OpenBSD 4.8.



As some pointed out, they take calomel.org's articles with scepticism.
I had a good read of that article and it sounds reasonable to me.
Question to the OpenBSD network gurus: Can one follow this specific
article on calomel.org or not?


no.


If not, where are the mistakes? :)


too much crap to list it. don't waste a second on it.

I was referring to that specific article, but okay. I'll follow your 
advice...




Hope I'm not asking too much here :)


where does the desire to push buttons come from?
deleted bad pun


uh thanks a lot ;)



just run the fucking defaults, we chose them carefully. if you run
into a problem, THEN learn about its nature and whether there's a knob
to help with it.


I do actually do that.
And if I'm not wrong, I also suggested that to the OP.
So if you're talking to me, hell yeah, I don't go out and search for 
some websites telling me what to tune.

I start fiddling around with knobs if I run into problems with the defaults.
Never before! :)

Cheers and thanks anyway,
Marian



Re: a GOOD idea to harden OpenSSH!

2011-03-30 Thread Marian Hettwer
On Wed, 30 Mar 2011 09:22:44 +0200, Alexander Schrijver
alexander.schrij...@gmail.com wrote:
 On Wed, Mar 30, 2011 at 10:06:14AM +0300, Gregory Edigarov wrote:
 IMHO it is absolutely useless, objections are:
 1. You can limit connections using firewall.
 2. You already have the feature by name limiting the number of retries
 3. If you really want PROTECTION - you should turn off password
 authentication completely and use RSA key with passphrase.

 On Wed, 30 Mar 2011 09:54:06 +0300
 Mihai Militaru mihai.milit...@xmpp.ro wrote:
 
 It's a great way to keep someone out of their own system.

Obviously, if you do limit the number of connections using pf(4) (or
some other firewall), you should maintain a whitelist of good IPs which
are always allowed to connect.
I myself protect my servers' tcp/22 with pf(4) and I do maintain a
whitelist. It contains the IP of my default gateway and one more IP
from a trusted network.
That way, I can't lock myself out.

Besides, if you have remote servers, you should have out of band
management (read: a serial console!).

If you don't, well then, amateur I say!

Cheers,
Marian
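
What this message and the earlier "Security over wireless" reply describe (key-only sshd, pf's overload table for brute-forcers, and a whitelist that can never be locked out) put into one pf.conf fragment, as an added example and not a ruleset posted in either thread. The interface name, the whitelist addresses and the 5-connections-in-30-seconds threshold are assumptions; the whitelist rule is quick and carries no overload, so a whitelisted source can never land in the offender table.

```pf
# Added example, not from the thread: key-only sshd behind a pf overload
# table, with a whitelist that is never rate limited. em0, the addresses
# and the limits are assumptions.
ext_if = "em0"

# Sources that must never be locked out: default gateway plus one
# trusted network. Keep it short and change it only from the console.
table <ssh_ok> const { 192.0.2.1, 198.51.100.0/24 }

# Offenders collected by the overload rule below.
table <ssh_bruteforce> persist

# Whitelisted sources match first and skip everything below.
pass in quick on $ext_if proto tcp from <ssh_ok> to ($ext_if) port 22

# Known offenders are dropped before they reach the rate-limited rule.
block in quick on $ext_if from <ssh_bruteforce>

# Everyone else: more than 5 new connections in 30 seconds from one
# source adds it to <ssh_bruteforce> and kills its existing states.
pass in on $ext_if proto tcp to ($ext_if) port 22 \
    keep state (max-src-conn-rate 5/30, overload <ssh_bruteforce> flush global)
```

Check the syntax with pfctl -nf /etc/pf.conf before loading, inspect offenders with pfctl -t ssh_bruteforce -T show, and age them out from cron with pfctl -t ssh_bruteforce -T expire 86400 so the table does not grow forever. On the sshd side the matching settings are PasswordAuthentication no and ChallengeResponseAuthentication no (named KbdInteractiveAuthentication in current OpenSSH), so that only key-based logins are accepted and the rate limit only ever sees connections that cannot succeed anyway.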



Re: kern.maxcluster

2011-03-25 Thread Marian Hettwer
Hi there,

On Thu, 24 Mar 2011 23:37:08 -0300, Kleber Rocha kli...@gmail.com
wrote:
 Hi,
 
 I have two openbsd box with pf as firewall, with heavy load I get this error
 on message:
 
 Mar 24 19:13:29 fw01 /bsd: WARNING: mclpools limit reached; increase
 kern.maxclusters
 
 But, both firewalls crash, How can I fix this?

By not fiddling around with the sysctls in case you're not sure what
they do.
Start with defaults!
Then, if you hit scaling limits, change sysctls if you know what you
do.
If not, drop a mail to this list with more details.
Like a pfctl -s all, your pf.conf and stuff like that.
I bet the friendly folks on this list will come up with tips what you
need to change and more importantly, with an explanation why.
This way, you know what you do ;-)

Cheers,
Marian



Re: kern.maxcluster

2011-03-25 Thread Marian Hettwer
On Fri, 25 Mar 2011 09:24:16 -0300, Kleber Rocha kli...@gmail.com
wrote:
 Thanks all of you, I really don't know how some options of sysctl.conf
 works, I turn back the option to default values and follow the
 considerations of https://calomel.org/network_performance.html [1].
 I'm using OpenBSD 4.8.
 

As some pointed out, they take calomel.org's articles with scepticism.
I had a good read of that article and it sounds reasonable to me.
Question to the OpenBSD network gurus: Can one follow this specific
article on calomel.org or not?
If not, where are the mistakes? :)

Hope I'm not asking too much here :)

Cheers,
Marian



Re: PHP mod for Apache

2011-03-02 Thread Marian Hettwer
On Tue, 01 Mar 2011 08:45:58 -0800, Eric Kom eric...@kom.za.net
wrote:
 Hi
 
 Please I have been try to find a php module for apache!
 if someone can help me?
 
 Thank you in advance

Oh come on...

http://lmgtfy.com/?q=OpenBSD+php


Cheers,
./Marian



relayd dies lost child: socket relay engine terminated

2011-02-17 Thread Marian Hettwer

Hi Folks,

I'm having some trouble at work with a pair of OpenBSD 4.8's doing 
load balancing with relayd.

Pretty often, relayd dies. /var/log/syslog shows:
Feb 17 17:13:14 openlb38-2 relayd[24485]: check_child: lost child: 
socket relay engine terminated; signal 11


I'm helping myself right now with this beauty of a one-liner:

root@openlb38-2:~ # while sleep 1; do pgrep -u _relayd > /dev/null && continue; date; echo restarted; relayd; done

Thu Feb 17 17:13:15 CET 2011
restarted
Thu Feb 17 17:20:47 CET 2011
restarted
Thu Feb 17 17:23:43 CET 2011
restarted

As one can see, this counts as pretty often.

this is: OpenBSD 4.8 i386

relayd started acting like that on me after I added 3 groups for ssl 
offloading.

Like that (from relayd.conf)

relay cimobilelbssl {
   listen on $cimobilelb_addr port 443 ssl
   protocol http_ssl
   forward to front38 port 80 check tcp mode loadbalance
}

relay ciebayklbssl {
   listen on $ciebayklb_addr port 443 ssl
   protocol http_ssl
   forward to front38 port 80 check tcp mode loadbalance
}

relay wikilbssl {
   listen on $wikilb_addr port 443 ssl
   protocol http_ssl
   forward to front38 port 80 check tcp mode loadbalance
}

I really love OpenBSD + carp + relayd, ... so I really like to help 
debugging this.

What datapoints do you need? Any hints?
Since relayd is failing pretty often, should I start it with ktrace 
for a closer look?

I couldn't find a core dump or anything like that after relayd fails.

Any help and pointers are highly appreciated :)

best regards,
Marian

PS.: keep me CC'd, as I'm not subscribed



set block device timeout

2010-10-13 Thread Marian Hettwer

Hi All,

I'm wondering how I could configure the scsi I/O timeout in OpenBSD.
I need to fiddle around with that since I'm using OpenBSD at work in 
some heavily (over)loaded ESX vmware cluster. From time to time the disk 
backend may respond really slowly.
A stock Linux would remount the filesystem read-only, whereas my 
OpenBSD 4.7 boxes just panicked. (And Solaris 10 just kept on running. 
Probably some really high scsi i/o timeouts as default).


In FreeBSD the sysctl kern.cam.da.default_timeout seems to do the 
trick. On Linux it's /sys/block/*/device/timeout.


Is there an equivalent in OpenBSD? I couldn't find anything while 
searching the misc@ archives (using gmane.org).


thanks in advance,
Marian

PS.: please keep me CC'd, I'm not subscribed.



Re: tcpdump no output on stdout

2010-07-09 Thread Marian Hettwer

Hi Damien,


On 09.07.10 08:16, Damien Miller wrote:

> On Thu, 8 Jul 2010, Marian Hettwer wrote:
>
>> Hi all,
>>
>> I'm experiencing a rather strange behaviour with tcpdump on OpenBSD 4.7 i386
>> running on a vmware esx vsphere 4.
>> My tcpdump gives no output at all on stdout, but if I use the very same
>> command with -w foobar it actually does dump packages.
>>
>> I know that esx servers are probably not supported, however, does anybody know
>> a workaround for this behavior? Or out of curiosity, where is this behaviour
>> coming from?
>>
>> See below:
>>
>> [r...@openlb38-1]~  # tcpdump
>> tcpdump: listening on em0, link-type EN10MB
>> ^C
>> 198 packets received by filter
>> 0 packets dropped by kernel
>>
>> aah, 198 packets I couldn't see... hm hm...
>
> Could be blocked on looking up hostnames. Try tcpdump -n

Yeah, it was a faulty entry in my resolv.conf. My box couldn't resolve 
names. Using tcpdump -n or fixing resolv.conf fixed my issue.


Thanks,
Marian



tcpdump no output on stdout

2010-07-08 Thread Marian Hettwer

 Hi all,

I'm experiencing a rather strange behaviour with tcpdump on OpenBSD 4.7 
i386 running on a vmware esx vsphere 4.
My tcpdump gives no output at all on stdout, but if I use the very same 
command with -w foobar it actually does dump packages.


I know that esx servers are probably not supported, however, does anybody 
know a workaround for this behavior? Or out of curiosity, where is this 
behaviour coming from?


See below:

[r...@openlb38-1] ~ # tcpdump
tcpdump: listening on em0, link-type EN10MB
^C
198 packets received by filter
0 packets dropped by kernel

aah, 198 packets I couldn't see... hm hm...

[r...@openlb38-1] ~ # tcpdump -w foobar
tcpdump: listening on em0, link-type EN10MB
^C
211 packets received by filter
0 packets dropped by kernel
[r...@openlb38-1] ~ # ls -l foobar
-rw-r--r--  1 root  wheel  16278 Jul  8 18:42 foobar
[r...@openlb38-1] ~ #

When I load that file in wireshark, I can certainly see the expected 
packets.


Does that make sense?!

Some details to the system:

dmesg:
http://crivens.kernel32.de/~rabauke/OpenBSD/dmesg-esx-openbsd47.txt

[r...@openlb38-1] ~ # uname -a
OpenBSD openlb38-1.mobile.rz 4.7 GENERIC#558 i386

[r...@openlb38-1] ~ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:56:26:fc:2b
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet6 fe80::250:56ff:fe26:fc2b%em0 prefixlen 64 scopeid 0x1
enc0: flags=0<> mtu 1536
        priority: 0
vlan132: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:56:26:fc:2b
        priority: 0
        vlan: 132 priority: 0 parent interface: em0
        groups: vlan
        inet6 fe80::250:56ff:fe26:fc2b%vlan132 prefixlen 64 scopeid 0x4
        inet 10.38.132.100 netmask 0xfffffc00 broadcast 10.38.135.255
vlan252: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:56:26:fc:2b
        priority: 0
        vlan: 252 priority: 0 parent interface: em0
        groups: vlan egress
        inet6 fe80::250:56ff:fe26:fc2b%vlan252 prefixlen 64 scopeid 0x5
        inet 10.38.252.100 netmask 0xffffff00 broadcast 10.38.252.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog

Cheers,
Marian



authpf per user rules

2009-11-17 Thread Marian Hettwer
Hi Folks,

I am about to introduce OpenBSD as an authentication layer in our company.
While I read the manpage and did some initial testing with authpf, I'm not
quite sure whether I can achieve what I need to.
Let me describe the setup briefly:

network1 connects via ssh to $ext_if of the OpenBSD box.
network2 is behind $int_if of my openbsd box.
User1 should be able to access box 1, 2 and 3 via ssh (these being behind
$int_if).
User2 should be able to access just box 2, 3, and 4 (again via ssh).

It seems like the way to go via authpf would be a rules file for user1 like
that:
(/etc/authpf/users/User1/authpf.rules)

rdr on $ext_if proto tcp from $user_ip to $ext_if port 10122 -> 10.0.0.1 port 22
rdr on $ext_if proto tcp from $user_ip to $ext_if port 10222 -> 10.0.0.2 port 22
rdr on $ext_if proto tcp from $user_ip to $ext_if port 10322 -> 10.0.0.3 port 22

And User2, accordingly in his User2/authpf.rules file
rdr on $ext_if proto tcp from $user_ip to $ext_if port 10222 -> 10.0.0.2 port 22
rdr on $ext_if proto tcp from $user_ip to $ext_if port 10322 -> 10.0.0.3 port 22
rdr on $ext_if proto tcp from $user_ip to $ext_if port 10422 -> 10.0.0.4 port 22

And yes, 10.0.0.x being hosts in network2 which are not directly accessible
from network2.

That should work, right?

However, to make things more complicated, outgoing connections from
network1 are only possible with destination tcp/22. So that config wouldn't
suit my environment.
And while on the topic of a bit more complicated, the source IP of network2
is always the same, which makes the usage of $user_ip impossible (right?!).

Problem 2 seems to be solvable by using $user_id and packet tagging.

I'm not quite sure how to solve problem 1 (outgoing connections only to
dest 22).
Would it be possible to give that user a real login shell in combination
with authpf loading $user_id based rules?
Did anybody do a setup like that before?

Any hints are greatly appreciated. A quick no, that doesn't seem to be
possible is fine too ;)

I'm going back to my test setup now to play around with authpf.

Cheers,
Marian

PS.: Please keep me CC'ed, I'm (still) not subscribed to the list.



probable bug in relayctl monitor

2009-08-03 Thread Marian Hettwer
Hi All,

I believe I found a strange bug in relayctl.
I'm running OpenBSD 4.5 (release) with quite a normal relay.conf (see
below).

[r...@openlb46-1] ~ # relayctl monitor
sync: imsg type 32 len 12 peerid 0 pid 16630
timestamp: 1249310943, Mon Aug  3 16:49:03 2009
host_status: imsg type 31 len 32 peerid 0 pid 16630
timestamp: 1249310943, Mon Aug  3 16:49:03 2009
id: 1
state: up
sync: imsg type 32 len 12 peerid 0 pid 16630
timestamp: 1249310948, Mon Aug  3 16:49:08 2009
host_status: imsg type 31 len 32 peerid 0 pid 16630
timestamp: 1249310948, Mon Aug  3 16:49:08 2009
id: 1
state: up
sync: imsg type 32 len 12 peerid 0 pid 16630
timestamp: 1249310953, Mon Aug  3 16:49:13 2009
host_status: imsg type 31 len 32 peerid 0 pid 16630
timestamp: 1249310953, Mon Aug  3 16:49:13 2009
id: 1
state: up

hitting CTRL+c

then, the same command again:
[r...@openlb46-1] ~ # relayctl monitor
unknown: imsg type 2 len 12 peerid 0 pid 12763
timestamp: 1249311051, Mon Aug  3 16:50:51 2009
[r...@openlb46-1] ~ # 

it instantly quits. I guess that's not the way it should be, right?

Additionally relayctl continues to behave strange:
[r...@openlb46-1] ~ # relayctl host enable 2
relayctl: wrong message in summary: 17

id 2 is definitely correct:
[r...@openlb46-1] ~ # relayctl show hosts
Id   Type    Name                     Avlblty   Status
1    table   msn_whitelabel:80                  active (1 hosts)
1    host    10.46.25.1               99.39%    up
             total: 86987/87520 checks
2    host    10.46.25.2                         disabled


I can pkill and start relayd again and the enable disable commands will
work.
[r...@openlb46-1] ~ # pkill relayd
[r...@openlb46-1] ~ # relayd
[r...@openlb46-1] ~ # relayctl host enable 2
command succeeded
[r...@openlb46-1] ~ # relayctl host disable 2
command succeeded
[r...@openlb46-1] ~ # 

I wouldn't dare to use relayctl monitor right now, because of the
mentioned issue.

We're going to go live with two OpenBSD 4.5 boxes as a router and http load
balancer pretty soon. Once again, awesome work on everything. carp, pfsync,
relayd, vlan, trunk. woohoo :)

However, if this relayctl monitor thing is a bug, what should I do? File a
pr?
I would be able to get the 4.5-release sources, update them via cvsup to
somewhere else and test patches. Just tell me how and when. Or better,
verify that it's not a problem at my installation.

Some more facts & figures:
[r...@openlb46-1] ~ # uname -a
OpenBSD openlb46-1.local 4.5 GENERIC.MP#108 i386

[r...@openlb46-1] ~ # cat /etc/relayd.conf 
# $OpenBSD: relayd.conf,v 1.13 2008/03/03 16:58:41 reyk Exp $
#
# Macros
#
ext_addr="10.46.24.100"

ext_whitelabel46_1="10.46.25.1"
ext_whitelabel46_2="10.46.25.2"

#
# Global Options
#
# interval 10
interval 5
timeout 2000
# prefork 5
prefork 20
log updates

#
# Each table will be mapped to a pf table.
#
table <msn_whitelabel> { $ext_whitelabel46_1 $ext_whitelabel46_2 retry 2 }

#
# Services will be mapped to a rdr rule.
#
redirect msn_whitelabel {
        listen on $ext_addr port 80

        # tag every packet that goes thru the rdr rule with RELAYD
        tag RELAYD

        sticky-address

        forward to <msn_whitelabel> check http "/relayd.txt" code 200
}

hope that's enough.

Cheers and keep up the good work,
Marian

PS.: and keep me CC'ed, I'm not subscribed right now.



trunks and vlan madness

2009-07-23 Thread Marian Hettwer
Hi *,

I'm setting up a http load balancer group with OpenBSD. First of all, great
work regarding pf + carp + relayd. That's a straight forward setup. Me
like! :-)

But now on topic. I'm getting a bit of a headache with my final setup.
It'll be:
2 nic's (bge0, bge1)
trunk those two nic's for failover
throw the box into 2 vlan's, one being the one where traffic comes in, the
other being the one traffic goes out to the later-to-be-loadbalanced
servers.

Yes, this IBM blade has just 2 physical nics and I know it would be easier
if I had 4 physical nics.

Right now, I configured the box like that:
# cat /etc/hostname.bge0
up
# cat /etc/hostname.bge1
up
# cat /etc/hostname.trunk0
trunkproto failover trunkport bge0 trunkport bge1 up
# cat /etc/hostname.trunk1
trunkproto failover trunkport bge0 trunkport bge1 up
# cat /etc/hostname.vlan24
inet 10.46.24.101 255.255.255.0 10.46.24.255 vlan 24 vlandev trunk0
# cat /etc/hostname.vlan25
inet 10.46.25.101 255.255.255.0 10.46.25.255 vlan 25 vlandev trunk1


But after boot, it really looks like that is wrong -- ifconfig output:
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:60:9d:77:e8
        priority: 0
        trunk: trunkdev trunk0
        media: Ethernet autoselect (1000baseSX full-duplex)
        status: active
        inet6 fe80::20d:60ff:fe9d:77e8%bge0 prefixlen 64 scopeid 0x1
bge1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:60:9d:77:e8
        priority: 0
        trunk: trunkdev trunk0
        media: Ethernet autoselect (1000baseSX full-duplex)
        status: active
        inet6 fe80::20d:60ff:fe9d:77e9%bge1 prefixlen 64 scopeid 0x2
trunk0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:60:9d:77:e8
        priority: 0
        trunk: trunkproto failover
                trunkport bge1 
                trunkport bge0 master,active
        groups: trunk
        media: Ethernet autoselect
        status: active
        inet6 fe80::20d:60ff:fe9d:77e8%trunk0 prefixlen 64 scopeid 0x5
trunk1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:00
        priority: 0
        trunk: trunkproto failover
        groups: trunk
        media: Ethernet autoselect
        status: no carrier
vlan24: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:60:9d:77:e8
        priority: 0
        vlan: 24 priority: 0 parent interface: trunk0
        groups: vlan egress
        inet6 fe80::20d:60ff:fe9d:77e8%vlan24 prefixlen 64 scopeid 0x7
        inet 10.46.24.101 netmask 0xffffff00 broadcast 10.46.24.255
vlan25: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1496
        lladdr 00:00:00:00:00:00
        priority: 0
        vlan: 25 priority: 0 parent interface: trunk1
        groups: vlan
        inet 10.46.25.101 netmask 0xffffff00 broadcast 10.46.25.255
        inet6 fe80::20d:60ff:fe9d:77e8%vlan25 prefixlen 64 scopeid 0x8


I noticed trunk1 isn't lucky. And I'm just plain puzzled how a correct
configuration should look like.

Help is really appreciated. Maybe it's just the heat today that makes my
brain hurt. Dunno.

Thanks in advance,
Marian
PS.: Please hit reply-all, I'm not subscribed right now.
PPS.: introduction said, it'll be a http load balancer group, so after I
get this trunk + vlan madness right, I'll dive into carp + pfsync on top of
that. Uuhhh :)



Re: trunks and vlan madness

2009-07-23 Thread Marian Hettwer

Hi Russell,

Russell Howe wrote:

> Marian Hettwer wrote, sometime around 23/07/09 16:07:
>
>> Hi *,
>>
>> # cat /etc/hostname.bge0
>> up
>> # cat /etc/hostname.bge1
>> up
>> # cat /etc/hostname.trunk0
>> trunkproto failover trunkport bge0 trunkport bge1 up
>> # cat /etc/hostname.trunk1
>> trunkproto failover trunkport bge0 trunkport bge1 up
>
> You can run both vlans over the one trunk. I'm not sure what happens 
> if you have the same interface involved in more than one trunk, but it 
> doesn't sound sensible to me.

After I sent my mail and had a longer think and a break I came to the 
same conclusion.

# rm /etc/hostname.trunk1

which I did.

>> # cat /etc/hostname.vlan24
>> inet 10.46.24.101 255.255.255.0 10.46.24.255 vlan 24 vlandev trunk0
>> # cat /etc/hostname.vlan25
>> inet 10.46.25.101 255.255.255.0 10.46.25.255 vlan 25 vlandev trunk1

echo inet 10.46.25.101 255.255.255.0 10.46.25.255 vlan 25 \
vlandev trunk0 > /etc/hostname.vlan25

did it too, and guess what, it works like a charm :)

Thanks for your answer and sorry for the noise to the rest!


best regards,
Marian



Re: use 3 nics as hub / switch

2009-01-05 Thread Marian Hettwer
Hi Nick,

this sounds great. That's exactly what I was searching for. I wonder why I
didn't have this idea ;)

Anyway, thanks for your reply!

best regards,
Marian 

On Fri, 02 Jan 2009 20:58:13 -0600, Nick Templeton n...@nicktempleton.com
wrote:
> I'm doing what you're describing with a couple 4-port NICs.  I assign an
> IP to one of the interfaces so dhcpd can run on that, then bridge all
> the interfaces together.  Works like a charm.
>
> Your config files would look something like -
>
> hostname.rl1:
> inet 192.168.1.1 255.255.255.0 192.168.1.255
>
> hostname.rl2
> up
>
> bridgename.bridge0:
> add rl1
> add rl2
> up
>
> Then add dhcpd_flags=rl1 to rc.conf.local, dhcpd will respond to
> requests on either interface since it's a bridge.
>
> -Nick
>
> Marian Hettwer wrote:
>> Hi All and a happy new year,
>>
>> got a short question here.
>> I'm building a home router from a blue box (embedded pc), which has 3
>> nics
>> (rl0, 1, 2).
>> Internet drops in via dhcp client on rl0. Now I got 2 NICs left and I'd
>> like to use them similar like a hub. Just use a cross over cable and
>> plug
>> in 2 more devices which can then talk through that router.
>>
>> My first try was to bridge rl1 and rl2, but then again, I want to use a
>> dhcp server on both interfaces and it seems like I can't do that, since
>> I
>> can't give an ip on bridge0 and I wouldn't want to give an IP to rl1 and
>> rl2.
>>
>> Any ideas to that setup?
>> I thought about giving rl1 an IP address and rl2 one from another
>> network.
>> Like rl1 with 192.168.1 and rl2 with 192.168.2 and then run dhcpd on rl1
>> and rl2 serving both subnets.
>> However, that doesn't look like a good approach to me.
>>
>> Any other thoughts on that issue?
>>
>> Ah yes, it's OpenBSD 4.4 release :)
>>
>> best regards,
>> Marian
>>
>> PS.: please CC me, I'm not subscribed to the list.



use 3 nics as hub / switch

2009-01-02 Thread Marian Hettwer
Hi All and a happy new year,

got a short question here.
I'm building a home router from a blue box (embedded pc), which has 3 nics
(rl0, 1, 2).
Internet drops in via dhcp client on rl0. Now I got 2 NICs left and I'd
like to use them similar like a hub. Just use a cross over cable and plug
in 2 more devices which can then talk through that router.

My first try was to bridge rl1 and rl2, but then again, I want to use a
dhcp server on both interfaces and it seems like I can't do that, since I
can't give an ip on bridge0 and I wouldn't want to give an IP to rl1 and
rl2.

Any ideas to that setup?
I thought about giving rl1 an IP address and rl2 one from another network.
Like rl1 with 192.168.1 and rl2 with 192.168.2 and then run dhcpd on rl1
and rl2 serving both subnets.
However, that doesn't look like a good approach to me.

Any other thoughts on that issue?

Ah yes, it's OpenBSD 4.4 release :)

best regards,
Marian

PS.: please CC me, I'm not subscribed to the list.



OpenSSH ChrootDirectory oddities

2008-09-30 Thread Marian Hettwer
Hi All,

first of all, thanks for the feature to chroot sftp users. I've been
waiting for that one pretty long :)
Today I came back to that feature since I probably need it at work and
it'll be one more opportunity to not use a Linux system (Debian etch's
openssh is too old).

Anyway, back to the topic.

What I wanted to achieve is pretty much the following: Have some users, all
in the same group named sftp, and if they log in via sftp they get chroot'ed
to their home directory.
However, I wind up after a login in /home, not /home/$username

Now regarding my sshd_config:
Match Group sftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory /home

and somewhere above:
Subsystem   sftpinternal-sftp

The user is named sftp1, is in group sftp, has home dir set to /home/sftp1
and has nologin as shell.
When I login via sftp, I wind up being in /home not /home/sftp1:

[EMAIL PROTECTED] ~]# sftp [EMAIL PROTECTED]
Connecting to localhost...
Password:
sftp> ls -l
drwxr-x---    4 1002     1001          512 Sep 12 15:46 jobauer
drwxr-x---  101 1001     1001         6656 Sep 30 16:05 mhettwer
drwxr-x---    2 1003     1001          512 Sep 15 19:57 mt
drwx------    3 1005     1003          512 Sep 30 16:06 sftp1
drwxr-xr-x    2 1006     1003          512 Sep 30 16:42 sftp2
sftp> 

which really is:
[EMAIL PROTECTED] ~]# ls -l /home/
total 16
drwxrwxr-x    2 root      operator   512 Sep 12 11:39 .snap
drwxr-x---    4 jobauer   shellme    512 Sep 12 15:46 jobauer
drwxr-x---  101 mhettwer  shellme   6656 Sep 30 16:05 mhettwer
drwxr-x---    2 mt        shellme    512 Sep 15 19:57 mt
drwx------    3 sftp1     sftp       512 Sep 30 16:06 sftp1
drwx------    2 sftp2     sftp       512 Sep 30 16:42 sftp2
[EMAIL PROTECTED] ~]# 

Of course I changed permission so that the only option is a cd sftp1 for
the user sftp1. But I really don't want sftp1 to see all home dirs.

I did try using /chroot as it was shown in examples on undeadly.org
However, that's the same situation. (sshd_config changed to /chroot instead
of /home)

[EMAIL PROTECTED] ~]# ls -l /chroot/
total 4
drwxr-xr-x  2 sftp1  sftp  512 Sep 30 11:30 sftp1
drwxr-xr-x  2 sftp2  sftp  512 Sep 30 16:09 sftp2

[EMAIL PROTECTED] ~]# sftp [EMAIL PROTECTED]
Connecting to localhost...
tPassword:
Password:
sftp> ls -la
Couldn't get handle: Permission denied
sftp> 

Woopsie. That's probably due to:
[EMAIL PROTECTED] ~]# ls -ld /chroot/
drwx--  4 root  wheel  512 Sep 30 16:09 /chroot/

Permissions more open results in:
[EMAIL PROTECTED] ~]# ls -ld /chroot/
drwxr-xr-x  4 root  wheel  512 Sep 30 16:09 /chroot/

and via sftp:
[EMAIL PROTECTED] ~]# sftp [EMAIL PROTECTED]
Connecting to localhost...
Password:
sftp> ls -la
drwxr-xr-x    4 0        0             512 Sep 30 16:09 .
drwxr-xr-x    4 0        0             512 Sep 30 16:09 ..
drwxr-xr-x    2 1005     1003          512 Sep 30 11:30 sftp1
drwxr-xr-x    2 1006     1003          512 Sep 30 16:09 sftp2


Again, I'm in /chroot not /chroot/sftp1 where I think I should be, right?

Okay... let's try /chroot/%u then in sshd_config...
No, I can't login, 'cause sshd is complaining about the permissions of
/chroot/sftp1:
Sep 30 16:47:12 motor sshd[23190]: fatal: bad ownership or modes for chroot
directory /chroot/sftp1

Fair enough... the manpage states that it should belong to root. Okay then:
[EMAIL PROTECTED] ~]# ls -l /chroot/
total 4
drwxr-xr-x  2 root  wheel  512 Sep 30 11:30 sftp1
drwxr-xr-x  2 root  wheel  512 Sep 30 16:09 sftp2

[EMAIL PROTECTED] ~]# sftp [EMAIL PROTECTED]
Connecting to localhost...
Password:
sftp> ls -la
drwxr-xr-x    2 0        0             512 Sep 30 11:30 .
drwxr-xr-x    2 0        0             512 Sep 30 11:30 ..

where am I now?
Am I in /chroot/sftp1 ?
Could be, but due to these permissions, I'm not able to do anything:
sftp> mkdir foo
Couldn't create directory: Permission denied

Okay, now it gets ugly. Maybe I can create a directory named incoming in
/chroot/sftp1. Would look like that:
[EMAIL PROTECTED] ~]# ls -l /chroot/sftp1/
total 2
drwxr-xr-x  2 sftp1  sftp  512 Sep 30 16:49 incoming

And then via sftp...
[EMAIL PROTECTED] ~]# !sftp
sftp [EMAIL PROTECTED]
Connecting to localhost...
Password:
sftp> ls -l
drwxr-xr-x    2 1005     1003          512 Sep 30 16:49 incoming
sftp> cd incoming
sftp> ls -l
sftp> mkdir foo
sftp> ls -l
drwxr-xr-x    2 1005     1003          512 Sep 30 16:50 foo
sftp> 


Okay, this works.
So back to my question... Is that really the way it's supposed to be?
No write access for the user when being chrooted in a directory, but
instead I have to create another sub directory where he has write
permissions?
Am I missing something obvious here, or is this "works as designed"?

Last information bits: Yes, that's a FreeBSD box, but that shouldn't make
much of a difference for my testing purpose. The production box will be an
OpenBSD one :)

[EMAIL PROTECTED] ~]# ssh -V
OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
[EMAIL 

Re: OpenBSD 4.3 on IBM HS20 Blade

2008-07-08 Thread Marian Hettwer
Hi Ioan,

On Tue, 08 Jul 2008 11:29:00 +1000, Ioan Nemes
[EMAIL PROTECTED] wrote:
> marian,
>
> try this:
>
> boot> boot -c
> disable apm
> disable acpi
> quit
>
yeah, that got the kernel booting.
More interesting, though, the MP kernel boots fine, without disabling apm,
acpi.
What way to go now?
Stuart: Still interested in booting -current, UP kernel and do the acpi
dance (according to your url)? :)

Cheers,
./Marian
PS.: Keep me CC'ed still :)



SerDes support for BCM5706S (Broadcom NetXtreme II GigE)

2008-07-08 Thread Marian Hettwer
Hi OpenBSD devs,

I wonder what would be needed to get SerDes support into bnx(4).
According to webcvs, rev 1.52 of bnx:
Add the BCM5709 PCI device Id. It is disabled for now since we do not
support SerDes-based (1000base-SX fibre) bnx(4) devices yet. The
reason is simple - we do not have any fibre bnx(4) to test and port
the SerDes changes from the other bnx drivers.

From brad found in the Linux driver


I'm trying to install OpenBSD (4.3) on a HP BL465c G1 / G5 blade and those
boxes have SerDes only.

Since I'm really not a kernel developer, would it be possible to get SerDes
support for these chipsets if I would donate a HP Bladecenter with at least
one of those blades (and power supply and internal cisco switch obviously)?
Yes, we're talking about a full functional HP Bladecenter, but probably
just equipped with one or two of them blades...

Right now I'm running FreeBSD on those blades without problems... I guess
porting from FreeBSD could be easier than porting from Linux.
Some information about the hardware (taken from FreeBSD in that case):
[EMAIL PROTECTED]:2:3:0: class=0x02 card=0x310c103c chip=0x16aa14e4 rev=0x02 hdr=0x00
    vendor     = 'Broadcom Corporation'
    device     = 'BCM5706S NetXtreme II Gigabit Ethernet'
    class      = network
    subclass   = ethernet
[EMAIL PROTECTED]:2:4:0: class=0x02 card=0x310c103c chip=0x16aa14e4 rev=0x02 hdr=0x00
    vendor     = 'Broadcom Corporation'
    device     = 'BCM5706S NetXtreme II Gigabit Ethernet'
    class      = network
    subclass   = ethernet
[EMAIL PROTECTED] ~uname -a
FreeBSD db46-202.mobile.rz 7.0-STABLE FreeBSD 7.0-STABLE #0: Wed Jul  2
09:51:22 CEST 2008
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC  amd64

[EMAIL PROTECTED] ~ifconfig bce0
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=1bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4>
        ether 00:1c:c4:a8:9a:44
        media: Ethernet autoselect (1000baseSX full-duplex)
        status: active
        lagg: laggdev lagg0


best regards and keep up the good work on OpenBSD,
Marian

PS.: I really can't promise the donation, but if it would get me closer to
SerDes support, it'll be quite probable... :)
PPS.: I'm giving the latest -current snapshot in amd64 a try today...
perhaps I missed something and there already is SerDes support...



ciss on HP BL465c G1 (-current snapshot 07082008)

2008-07-08 Thread Marian Hettwer
Hi All,

I just tried a -current snapshot from today on one of our HP blades.
The bnx0 SerDes network card works fine (at a first glance), but there
seems to be another problem.
This time it ciss.

The boot hangs quite some time at:
ciss0 at pci7 dev 8 function 0 "Hewlett-Packard Smart Array" rev 0x00: irq 11
and continues like that:
ciss0: big map is not supported, flags=0

The installer bails out 'cause it can't find a hard disk to install to:
You will now initialize the disk(s) that OpenBSD will use. To enable all
available security features you should configure the disk(s) to allow the
creation of separate filesystems for /, /tmp, /var, /usr, and /home.

install: //install.sub[1359]: cannot open 1: No such file or directory
Available disks are: .
Which one is the root disk? (or 'done') 

And indeed, it seems he is right:
# fdisk sd0
fdisk: sd0: Device not configured

Any ideas someone?

full dmesg follows:
OpenBSD 4.4-beta (RAMDISK_CD) #75: Sun Jul  6 18:57:04 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 8576450560 (8179MB)
avail mem = 8329629696 (7943MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xee000 (64 entries)
bios0: vendor HP version A13 date 04/05/2007
bios0: HP ProLiant BL465c G1
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SPCR MCFG HPET SPMI APIC SRAT
acpiprt0 at acpi0: bus 2 (IPPB)
acpiprt1 at acpi0: bus 0 (PCI0)
acpiprt2 at acpi0: bus 5 (EXBA)
acpiprt3 at acpi0: bus 12 (EXBB)
acpiprt4 at acpi0: bus 20 (SASB)
acpiprt5 at acpi0: bus 22 (EXBD)
acpiprt6 at acpi0: bus 4 (PCI1)
cpu0 at mainbus0: (uniprocessor)
cpu0: Dual-Core AMD Opteron(tm) Processor 2218, 2600.49 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully
associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully
associative
pci0 at mainbus0 bus 0: configuration mode 1
iommu0 at cpu0: base 0x8000 length 512MB pte 0x10cb0
iommu1 at cpu1: base 0x8000 length 512MB pte 0x10cb0
vga1 at pci0 dev 3 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
Compaq iLO rev 0x03 at pci0 dev 4 function 0 not configured
Compaq iLO rev 0x03 at pci0 dev 4 function 2 not configured
uhci0 at pci0 dev 4 function 4 Hewlett-Packard USB rev 0x00: irq 10
Hewlett-Packard IPMI rev 0x00 at pci0 dev 4 function 6 not configured
ppb0 at pci0 dev 5 function 0 ServerWorks HT-1000 PCI rev 0x00
pci1 at ppb0 bus 1
ppb1 at pci1 dev 13 function 0 ServerWorks HT-1000 PCIX rev 0xc0
pci2 at ppb1 bus 2
bnx0 at pci2 dev 3 function 0 Broadcom BCM5706S rev 0x02: irq 10
bnx1 at pci2 dev 4 function 0 Broadcom BCM5706S rev 0x02: irq 7
pchb0 at pci0 dev 6 function 0 ServerWorks HT-1000 rev 0x00
ServerWorks HT-1000 LPC rev 0x00 at pci0 dev 6 function 2 not configured
ohci0 at pci0 dev 7 function 0 ServerWorks HT-1000 USB rev 0x01: irq 5,
version 1.0, legacy support
ohci1 at pci0 dev 7 function 1 ServerWorks HT-1000 USB rev 0x01: irq 5,
version 1.0, legacy support
ehci0 at pci0 dev 7 function 2 ServerWorks HT-1000 USB rev 0x01: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 ServerWorks EHCI root hub rev 2.00/1.00 addr 1
pchb1 at pci0 dev 24 function 0 AMD AMD64 0Fh HyperTransport rev 0x00
pci3 at pchb1 bus 4
ppb2 at pci3 dev 15 function 0 ServerWorks HT-2100 PCIE rev 0xa2
pci4 at ppb2 bus 5
ppb3 at pci3 dev 16 function 0 ServerWorks HT-2100 PCIE rev 0xa2
pci5 at ppb3 bus 12
ppb4 at pci3 dev 17 function 0 ServerWorks HT-2100 PCIE rev 0xa2
pci6 at ppb4 bus 19
ppb5 at pci6 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xb4
pci7 at ppb5 bus 20
ppb6 at pci7 dev 4 function 0 ServerWorks HT-1000 PCIX rev 0xb2
pci8 at ppb6 bus 21
ciss0 at pci7 dev 8 function 0 "Hewlett-Packard Smart Array" rev 0x00: irq 11
ciss0: big map is not supported, flags=0
ppb7 at pci3 dev 18 function 0 ServerWorks HT-2100 PCIE rev 0xa2
pci9 at ppb7 bus 22
ppb8 at pci3 dev 19 function 0 ServerWorks HT-2100 PCIE rev 0xa2
pci10 at ppb8 bus 25
pchb2 at pci0 dev 24 function 1 AMD AMD64 0Fh Address Map rev 0x00
pchb3 at pci0 dev 24 function 2 AMD AMD64 0Fh DRAM Cfg rev 0x00
pchb4 at pci0 dev 24 function 3 AMD AMD64 0Fh Misc Cfg rev 0x00
pchb5 at pci0 dev 25 function 0 AMD AMD64 0Fh HyperTransport rev 0x00
pchb6 at pci0 dev 25 function 1 AMD AMD64 0Fh Address Map rev 0x00
pchb7 at pci0 dev 25 function 2 AMD AMD64 0Fh DRAM Cfg rev 0x00
pchb8 at pci0 dev 25 function 3 AMD AMD64 0Fh Misc Cfg rev 0x00
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 Hewlett-Packard UHCI root hub rev 1.00/1.00 addr 1
usb2 at ohci0: USB revision 1.0
uhub2 at usb2 ServerWorks OHCI root hub rev 1.00/1.00 addr 1
usb3 at ohci1: USB revision 1.0
uhub3 at usb3 ServerWorks OHCI root hub rev 1.00/1.00 addr 1
isa0 at mainbus0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo

OpenBSD 4.3 on IBM HS20 Blade

2008-07-07 Thread Marian Hettwer
Hi there,

I successfully installed OpenBSD 4.3 on above mentioned blade, using pxeboot
and bsd.rd
Everything went fine.
But after rebooting, the kernel crashes with some weird ACPI stuff.
Unluckily this bloody IBM blade has no serial console access, so all I can
provide is a screenshot:
http://crivens.kernel32.de/~rabauke/OpenBSD/acpi-blade-crash.jpg

Any ideas anybody?
I really do wonder why it was no problem to boot the bsd.rd image, but it is
to boot the /bsd one afterwards. Odd...

any help appreciated.

Cheers,
Marian

PS.: Please CC me, 'cause I'm not subscribed (I was... but somehow I am not
anymore...)



Re: 2 internet connections on 1 router

2007-09-21 Thread Marian Hettwer

Gregory Edigarov wrote:

> Marian Hettwer wrote:
>
>> Hi All,
>>
>> Question is:
>> How do I fiddle around with my routing table, that basically the wget 
>> running on my router is using sis2 (with the pppoe uplink), while the 
>> rest (my existing working lan) is still using sis0 with my good-guys 
>> cable modem uplink?
>
> just do:
>
> route add som.eth.in.g <your pppoe server ip> and you're set

This would basically mean, if som.eth.in.g is let's say 123.123.123.123, 
that every connection to that destination goes through my pppoe uplink. 
Right?
Isn't there a way to say something like: if source is 127.0.0.1, then go 
via the pppoe uplink? I bet there's a way to do that via route. On the 
other hand, it may interfere with my existing setup. Thinking of the ftp 
proxy which connects from localhost to somewhere. hhmm...


well,  the host route setup is good enough for the moment. I'll write a 
small shellscript which does the downloading from different servers 
anyway, and well, I'll just setup the route before starting.


thanks so far!

./Marian



2 internet connections on 1 router

2007-09-20 Thread Marian Hettwer
Hi All,

I'm using a Soekris box with OpenBSD 4.0 (sorry *g*) on my home soekris box.
Actual setup is one interface with a cable modem connected for internet use. 
The cable modem provider talks dhcp, so no pppoe magic involved.
Now I do have an old second DSL provider lying around, which I basically don't 
use anymore.
However, the old DSL provider tries to get on my ass, and I figured, okay boys, 
if you don't let me outta this contract, I'll use your uplink to the max 24/7 
(while true; do wget -O /dev/null http://something.iso; done).

I know my way to configure pppoe and to dial in (without having pppoe modifying 
my default gw).

Question is:
How do I fiddle around with my routing table, that basically the wget running 
on my router is using sis2 (with the pppoe uplink), while the rest (my existing 
working lan) is still using sis0 with my good-guys cable modem uplink?

Any hints highly appreciated.

Thanks in advance,
Marian



Re: Rename multiple files at once

2007-06-27 Thread Marian Hettwer
Hi Pieter,

On Wed, 27 Jun 2007 14:37:07 +0200, Pieter Verberne [EMAIL PROTECTED] wrote:
 Hi there,
 
 How do I rename multiple files at once? I want to rename a list of
 files like:
 
 file.jpg
 file1.jpg
 file_2.jpg
 
 to:
 
 file_thumb.jpg
 file1_thumb.jpg
 file_2_thumb.jpg
 
Assuming that your files have only one . in their filename (just foo.jpg, not 
foo.bar.jpg), you could do this shell hack:

cd directory/with/your/files
for i in $(ls | cut -d. -f1); do echo renaming ${i}.jpg; mv ${i}.jpg ${i}_thumb.jpg; 
done

This is bourne shell syntax (works in my bash) and assumes that you only have 
one dot in your filename. Otherwise the ls | cut -d. -f1 thing wouldn't work 
;)

Cheers,
./Marian

PS.: Yes, I know, there are probably safer ways of renaming :)
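A safer variant of the rename loop, added here as an example and not part of the original post: it uses the shell's own glob and suffix stripping instead of parsing ls, so names with several dots survive, and it refuses to rename a file that already carries the suffix or whose target name exists.

```shell
#!/bin/sh
# Added example: rename every *.jpg in a directory to *_thumb.jpg.
# Unlike "ls | cut -d. -f1", this keeps everything before the final ".jpg",
# so foo.bar.jpg becomes foo.bar_thumb.jpg instead of being mangled.

# thumb_name FILE: print the new name for FILE, or print nothing and fail
# when FILE is not a .jpg or already ends in _thumb.jpg.
thumb_name() {
    case $1 in
        *_thumb.jpg) return 1 ;;
        *.jpg)       printf '%s_thumb.jpg\n' "${1%.jpg}" ;;
        *)           return 1 ;;
    esac
}

# rename_thumbs DIR: rename all eligible *.jpg files in DIR (default: .).
# Skips a file if its target already exists, so nothing is overwritten.
rename_thumbs() {
    dir=${1:-.}
    count=0
    for f in "$dir"/*.jpg; do
        [ -e "$f" ] || continue            # no *.jpg at all: glob stays literal
        base=${f##*/}
        new=$(thumb_name "$base") || continue
        if [ -e "$dir/$new" ]; then
            echo "skipping $base: $new already exists" >&2
            continue
        fi
        echo "renaming $base -> $new"
        mv -- "$f" "$dir/$new"
        count=$((count + 1))
    done
    echo "$count file(s) renamed" >&2
}
```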



Re: postfix mailq command mixup on OpenBSD

2007-06-01 Thread Marian Hettwer
Hej Timo,

On Fri, 1 Jun 2007 16:34:41 +0200, Timo Schoeler [EMAIL PROTECTED] wrote:
 Thus Juan Miscaro [EMAIL PROTECTED] spake on Fri, 1 Jun 2007 09:21:27
 -0400 (EDT):
 
 My findings:

 $ which mailq
 /usr/bin/mailq

 $ ls -l /usr/bin/mailq
 lrwxr-xr-x  1 root  wheel  21B Mar  6 08:23 /usr/bin/mailq ->
 /usr/sbin/mailwrapper

 $ grep mailq /etc/mailer.conf
 mailq   /usr/libexec/sendmail/sendmail

 Should this be pointing to /usr/local/sbin/mailq since

 $ pkg_info -L postfix-2.3.2-mysql | grep sbin/mailq
 /usr/local/sbin/mailq

 The /usr/local/sbin/mailq command does provide a correct view of my
 queues.
 
 you read what postfix-enable said?
 
did you read his eMail?

 NOTE: do not forget to add sendmail_flags=-bd to
   /etc/rc.conf.local to startup postfix correctly.

has nothing to do with his problem.

 NOTE: do not forget to add -a /var/spool/postfix/dev/log to
   syslogd_flags in /etc/rc.conf.local and restart syslogd.
has nothing to do with his problem.


 NOTE: do not forget to remove the sendmail clientmqueue runner
   from root's crontab.
has nothing to do with his problem.

What he's pointing out is, that /etc/mailer.conf should probably point to 
/usr/local/sbin/mailq
Although this seems to make no sense, either:

ls -l /usr/local/sbin/mailq 
lrwxr-xr-x  1 root  wheel  32 Jan  5 17:56 /usr/local/sbin/mailq -> 
../../../usr/local/sbin/sendmail

Pointing it to /usr/local/sbin/postqueue makes no sense either, because running 
postqueue would need the parameter -p to get the same output as running 
mailq. So it would break POLA.

hhmm...

confusing.

./Marian



Re: Help needed with server setup at work

2007-04-24 Thread Marian Hettwer

If you've never heard of it, chances are you've spent too much time in
a stupid corporate messaging environment or using a retarded email
client from a vendor that thinks they have to reinvent the conventions
that electronic mail has followed for decades.


I must be using a retarded mail client then, I am using sylpheed.


Which I don't call retarded.

My 0,02 cents,

./Marian



Re: HTTP URL filtering?

2007-02-21 Thread Marian Hettwer

Toni Mueller schrieb:

Hi,

On Wed, 07.02.2007 at 19:08:46 +0100, Marian Hettwer [EMAIL PROTECTED] wrote:
I had the same problem with botnets, attacking a specific URL. Even 
sending out 404 errors didn't help at all.
I wouldn't recommend the pf overload feature, as this depends on the 
number of tcp connections to your webserver.



[ mod_security ...]


Anytime someone is accessing /phpbb2/posting.php the script 
fill-blacklist.sh is run:


[EMAIL PROTECTED] ~ $ cat /root/bin/fill-blacklist.sh


and this doesn't dos the server? I guess in the case you mentioned,
this script must be run _very_ often.

Nope, it doesn't. In my case, luckily, the script gets triggered (and 
it's fast... hej, it's just a pfctl run) and every next call from the 
offending IP gets blocked by pf. Works like a charm.



Pro: Every bot can access the url exactly one time, afterwards it's 
blacklisted.
Use expire-table to free the pf table occasionally and of course make 
sure that you don't block yourself - whitelist ip addresses like your 
standard gateway, otherwise you may DoS yourself ;)


I'm researching the same problem and so far have arrived at the
following conclusions (feedback & improvement desired!):

 * Blacklisting individual IPs is a sharp edged knife, and cumbersome
   to handle.

This won't help you against infected windows boxes around the world.


 * Some request storms appear to be triggered by an unlucky interaction
   between the server sending PDF files, and the client using Internet
   Exploder (which often breaks, see the discussion around
   range-requests).
 * Use a non-forking server.
Well, if using Apache, I tend to use apache 2.2 with mpm-worker or 
mpm-event (experimental).



 * Rate limiting, or at least rate limiting per network (eg. per /16),
   would solve the problem for me, and is maintenance-free.
Really? Botnets don't use much bandwidth. Or did you mean number of 
connections by netblock by time?
Even that wouldn't help at all. Botnets filled up the rate you defined 
and no one else can connect from the same netblock.

I wouldn't do this.


 * Use it with connection rate limiting in pf...

Be aware with rate limiting http connections. Measure the number of tcp 
connections before you do that.

One HTTP GET isn't equal to one TCP connection to port 80.

Cheers,
Marian



Re: cisco vpn gateway

2007-02-19 Thread Marian Hettwer

Hi there,

atstake atstake schrieb:

I've been given this Cisco VPN Client software version 4.8 where a
vpnclient.ini file needs to be imported and authentication is done
via username and password to a Cisco VPN gateway which (after
authentication) drops me off to the internal network.


ugh. That's Cisco's way of extended authentication.


Does anyone know if it is at all possible to use OpenBSD's isakmpd or
anything else to authenticate to the Cisco VPN gateway instead of
using Cisco VPN Client software version 4.8 on Windows XP?

To my knowledge, the extended authentication (username & password in 
Cisco's VPN Client) is some proprietary extension, therefore it won't work 
with isakmpd.

If I'm wrong, I'd like to be corrected :-)

Regards,
./Marian



Re: HTTP URL filtering?

2007-02-07 Thread Marian Hettwer

Hej there,

Xavier Mertens schrieb:

Hi *,

I've a problem with an Apache web server hit by f*cking spammers...
I would like to filter some URLs (unused but still used by the bots) *BEFORE* 
they reach the httpd processes. What could be the best method? pf? something 
else?

I had the same problem with botnets, attacking a specific URL. Even 
sending out 404 errors didn't help at all.
I wouldn't recommend the pf overload feature, as this depends on the 
number of tcp connections to your webserver.
Say you have a webpage with 50 images, this would be 50 connections. 
Another webpage may only have 2 images, this would lead to only 2 
connections.

Here is what I did.
Install mod_security for apache.
Define rules like these:
<IfModule security2_module>

# Maximum request body size we will
# accept for buffering
SecRequestBodyAccess On
#SecRequestBodyLimit 131072
# Store up to 128 KB in memory
#SecRequestBodyInMemoryLimit 131072

# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyAccess Off
SecResponseBodyLimit 524288

# Debug log
SecDebugLog /var/log/apache/modsec_debug.log
SecDebugLogLevel 0

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
#SecAuditEngine Off
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^5"
#SecAuditLogParts ABIFHZ
SecAuditLogParts A
SecAuditLogType Serial

# The name of the audit log file
SecAuditLog /var/log/apache/modsec_audit.log

# Default action set
#SecDefaultAction "deny,log,auditlog,status:403"

# Turn on Rule Engine
SecRuleEngine On

# Refuse to accept POST requests that do
# not specify request body length
# SecRule REQUEST_METHOD "^POST$" "chain"
# SecRule REQUEST_HEADER:Content-Length "^$"
#
# Metal District Rules
#SecRule REQUEST_URI "/phpbb2/posting\.php\(.*\)" "deny,phase:1,exec:/root/bin/fill-blacklist.sh"
#SecRule ARGS "/phpbb2/posting.php" "deny,phase:1,exec:/root/bin/fill-blacklist.sh"
SecRule REQUEST_FILENAME "/phpbb2/posting.php" "deny,phase:1,exec:/root/bin/fill-blacklist.sh"
SecRule REQUEST_FILENAME "/phpBB2/posting.php" "deny,phase:1,exec:/root/bin/fill-blacklist.sh"

</IfModule>

Anytime someone is accessing /phpbb2/posting.php the script 
fill-blacklist.sh is run:


[EMAIL PROTECTED] ~ $ cat /root/bin/fill-blacklist.sh
#!/bin/sh
#
# mod_security runs this hook with the client address in REMOTE_ADDR
sudo pfctl -t www-spammers -T add "${REMOTE_ADDR}"
echo "${REMOTE_ADDR} added to blacklist"

The ip gets added to the table www-spammers.
My pf rules look like that:
# www-spammers table
table <www-spammers> persist file "/etc/www-spammers"
block in quick on $ext_if proto tcp from <www-spammers> to $ext_if port 80

Drawback: I need sudo to use pfctl as the user www (which apache runs 
under).
Pro: Every bot can access the url exactly one time, afterwards it's 
blacklisted.
Use expire-table to free the pf table occasionally and of course make 
sure that you don't block yourself - whitelist ip addresses like your 
standard gateway, otherwise you may DoS yourself ;)


Of course this is just a hack, but it works in my case.
Any suggestions to improve this setup are welcome :)

best regards,
Marian
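A hardened version of the fill-blacklist.sh hook, added here as an example and not the original script from the post: it validates REMOTE_ADDR before handing it to pfctl and checks it against a whitelist of addresses that must never be blocked, which is the "don't block yourself" caveat from this post and from the reply to Toni above. It assumes, as the post does, that the exec: hook sees the client address in REMOTE_ADDR; the table name, the whitelist entries and the PFCTL override are assumptions made for the example.

```shell
#!/bin/sh
# Added example: a hardened fill-blacklist.sh for the mod_security exec: hook.
# Assumed: mod_security exports the client address as REMOTE_ADDR (as in the
# post), the pf table is <www-spammers>, and sudo grants www access to pfctl.

TABLE="${TABLE:-www-spammers}"
# Constructed whitelist (documentation addresses): your default gateway,
# monitoring hosts, your own workstation. Space separated.
WHITELIST="${WHITELIST:-192.0.2.1 192.0.2.254}"

# is_ipv4 ADDR: accept only a dotted quad with octets 0-255, so a malformed
# or forged REMOTE_ADDR is never passed on as a pfctl argument.
is_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    rest=$addr
    while [ -n "$rest" ]; do
        case $rest in
            *.*) o=${rest%%.*}; rest=${rest#*.} ;;
            *)   o=$rest; rest= ;;
        esac
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# is_whitelisted ADDR: exact match against the WHITELIST entries.
is_whitelisted() {
    for w in $WHITELIST; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# decide ADDR: print "block", "skip-whitelisted" or "skip-invalid";
# succeed only when ADDR should go into the table.
decide() {
    if ! is_ipv4 "$1"; then
        echo "skip-invalid"; return 1
    fi
    if is_whitelisted "$1"; then
        echo "skip-whitelisted"; return 1
    fi
    echo "block"; return 0
}

# block_addr ADDR: add ADDR to the pf table after the checks above.
# PFCTL can be overridden (e.g. PFCTL=echo) for a dry run.
block_addr() {
    decide "$1" >/dev/null || return 1
    ${PFCTL:-sudo pfctl} -t "$TABLE" -T add "$1"
}

# Hook entry point: only acts when mod_security supplied an address.
if [ -n "${REMOTE_ADDR:-}" ]; then
    if block_addr "$REMOTE_ADDR"; then
        echo "$REMOTE_ADDR added to $TABLE"
    else
        echo "$REMOTE_ADDR not added ($(decide "$REMOTE_ADDR"))"
    fi
fi
```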



Re: HTTP URL filtering?

2007-02-07 Thread Marian Hettwer

Hi,

Karsten McMinn schrieb:

On 2/6/07, Xavier Mertens [EMAIL PROTECTED] wrote:

Hi *,

I've a problem with an Apache web server hit by f*cking spammers...
I would like to filter some URLs (unused but still used by the bots)
*BEFORE* they reach the httpd processes. What could be the
best method? pf? something else?


I used snort to filter before httpd to build simple IP address lists
to feed into a pf table. It was kinda clunky. Second time
around I'd just parse my httpd log files and do the same thing.
With apache configured right and a cron running every minute
you'll get by with minimal work needed. I'd imagine.

I tried the very same when a webserver of mine was hit by some 
botnet. Unluckily, cron can only run every minute as the fastest 
interval and within 1 minute I already had around 1000 connections from 
different IP addresses.

Ergo: A one minute interval didn't help at all..

./Marian



Re: http load balancing with pf (apache access log)

2007-01-30 Thread Marian Hettwer

Hej Bob,

Bob Beck schrieb:

* Marian Hettwer [EMAIL PROTECTED] [2007-01-29 09:49]:

Hi OpenBSD'lers,

I'm about to use OpenBSD's pf(4) for load balancing some webservers. So 
far, everything is looking just perfect.

Compared to pound, pf(4) is incredibly fast with little CPU and memory usage.
So I'd say: That's great :)

However, one thing is bothering me.
Obviously, my apache access logs on those load balanced machines can 
only show the IP address of my load balancer, not the real remote ip of 
the request.


Completely untrue. If you are doing an rdr, it will change the
destination IP, not the source IP 

Thats true so far... however, I was told by Stuart that the connections 
are going like this:


<quote>
requests go like this:
origin -> balancer -> destination

replies like this:
destination -> origin

but they need to go like this so they can be un-rdr'ed:
destination -> balancer -> origin

I'm not certain whether it will help so I won't bother posting to misc@
now, but you could try adding a NAT rule in addition to the RDR.
</quote>


Unless in *addition* to load balancing you are doing NAT.


I do, which seems I have to.
My boxes are some dedicated servers with a standard network 
configuration. Means, official IP address, some default gateway and off 
they go.
However, I can't change the network configuration as those boxes are 
rented servers with no possibility to mess around with the network config.



I'm not using NAT, my load balancer looks like this:

web2# more /etc/pf/webmail_servers
142.244.12.130
142.244.12.132
142.244.12.133
142.244.12.134
142.244.12.135
142.244.12.136
142.244.12.137
142.244.12.138
142.244.12.139
142.244.12.140

pf.conf:

table <webmail_servers> persist file "/etc/pf/webmail_servers"
WEBMAIL_IP = "{129.128.98.89}"
rdr pass on $ext_if proto tcp to $WEBMAIL_IP port 80 -> <webmail_servers> port 80 \
round-robin sticky-address
rdr pass on $ext_if proto tcp to $WEBMAIL_IP port 443 -> <webmail_servers> port 443 \
round-robin sticky-address


I get the real connection IP's in my apache log.


That looks interesting.
I wonder why I need NAT to get the communication working... strange...
How are your webmail servers configured (in regards to networking) ?


Regards,
./Marian



Re: http load balancing with pf (apache access log)

2007-01-30 Thread Marian Hettwer

Henning Brauer schrieb:

* Marian Hettwer [EMAIL PROTECTED] [2007-01-29 18:46]:

Ah... there we go.
I can't setup the webservers with their default gateway to my load 
balancer. The boxes are dedicated servers and I have no possibility to 
change the network settings.
These are rented servers (dedicated boxes) at some cheap ISP and all 
they have is an official IP address.

Changing the default gateway isn't possible...
Sorry 'bout that.


nothing you can do about it then.

you get what you pay for...


My bad... time to watch out for another ISP ;)
It wasn't my decision to go with this cheap ISP (Strato), however, I'll 
have to live with it for the time being.


./Marian



Re: http load balancing with pf (apache access log)

2007-01-30 Thread Marian Hettwer

Hej Stuart,

Stuart Henderson schrieb:

On 2007/01/29 16:21, Marian Hettwer wrote:
Is there any possible way to get the real ip addresses in my apache 
access log?


Readers who didn't see the earlier posts about setting this up, they're
here: http://marc.theaimsgroup.com/?l=openbsd-miscm=116905272009036w=2
- it's not the standard setup with PF sitting directly on the route
between client and webserver.

That's the drawback to this method: in order to get that information
you'd need to rearrange the network so the balancer is in the IP route
between the webservers and the end users so you can skip the NATs.

If moving to a more... flexible... ISP isn't an option, you may be able
to do something with tunneling. You need to decide which method will suck
the least in your situation.

You're right. Both situations suck, but for now I'll have to go with 
that cheap ISP and therefore live with having a castrated access.log

I'll buy me some security via mod_security on those remote apaches ;)

(and of course, keep my fingers crossed that no bloody botnet tries to 
attack).


Cheers,
Marian



http load balancing with pf (apache access log)

2007-01-29 Thread Marian Hettwer

Hi OpenBSD'lers,

I'm about to use OpenBSD's pf(4) for load balancing some webservers. So 
far, everything is looking just perfect.

Compared to pound, pf(4) is incredibly fast with little CPU and memory usage.
So I'd say: That's great :)

However, one thing is bothering me.
Obviously, my apache access logs on those load balanced machines can 
only show the IP address of my load balancer, not the real remote ip of 
the request.
This is, to my knowledge, due to the fact that pf(4) is working on the 
TCP layer and is doing NAT.
Is there any possible way to get the real ip addresses in my apache 
access log?


I do need them for several reasons.
- I'd like to see who's actually accessing the website
- If there's some botnet attack, usually I'm using pf(4) to block the 
offending IP's for a specific time period. This can't be done if all I 
can see is the load balancers IP address.
That's by any means not good and I'm thinking whether this could be a 
no-go for using pf as a load balancer :-(


- web statistics: do look pretty bad too... Uh, see, there's only one 
user on our website *argh*


Okay... anybody with any usable suggestions?
There's the X-Forwarded-to Information in a http header, which can be 
set via some software load balancers. However, those are operating on 
the application layer, which pf isn't... too bad.


best regards,
./Marian



Re: http load balancing with pf (apache access log)

2007-01-29 Thread Marian Hettwer

Hej Berk,

Berk D. Demir schrieb:

Marian Hettwer wrote:


However, one thing is bothering me.
Obviously, my apache access logs on those load balanced machines can 
only show the IP address of my load balancer, not the real remote ip 
of the request.
This is, to my knowledge, due to the fact that pf(4) is working on the 
TCP layer and is doing NAT.
Is there any possible way to get the real ip addresses in my apache 
access log?


I don't know what you did for that balancing but surely you're doing it 
wrong.


Take a look at the FAQ at
http://www.openbsd.org/faq/pf/pools.html#incoming

rdr just changes the destination address of the packets, not the source 
address.



Well, what I did was actually this:

ext_if=fxp0
web_servers = "{ 193.99.144.85,66.135.208.93 }"
#int_if=int0

set skip on lo

scrub in

nat on $ext_if proto tcp from !($ext_if) to $web_servers port 80 -> \
($ext_if)


rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
round-robin sticky-address

And it seems that I need NAT, otherwise the communication wouldn't work...
see my eMails from 18.01.2007

cheers,
./Marian



Re: http load balancing with pf (apache access log)

2007-01-29 Thread Marian Hettwer

Pierre-Yves Ritschard schrieb:

On Mon, 29 Jan 2007 17:34:51 +0100
Marian Hettwer [EMAIL PROTECTED] wrote:



You could also do an ugly hack which would consist of attaching a
second network on your servers and load balancers (provided they are in
the same (v)?lan) like 172.16.1.0/24 and use that for contacting the
real, then you'll need to lookup another routing table when being
contacted on the 172.16.1.0/24 network (using pf + alternate routing
tables in openbsd or iproute2 in linux). Otherwise you're stuck with
nat.


Nah, can't do that... It looks like I'm stuck with NAT.
And therefore stuck with the load balancers IP address in my access.log, 
right?

too bad...

./Marian



Re: http load balancing with pf (apache access log)

2007-01-29 Thread Marian Hettwer

Hi,

Pierre-Yves Ritschard schrieb:

On Mon, 29 Jan 2007 16:21:13 +0100
Marian Hettwer [EMAIL PROTECTED] wrote:


However, one thing is bothering me.
Obviously, my apache access logs on those load balanced machines can 
only show the IP address of my load balancer, not the real remote ip

of the request.


Why are you rewriting the source address ?
A typical rule for redirecting web traffic would be:

rdr on $ext0 from any to $www port 80 -> webservers 


that's true, but then the communication would look like this:
client --> load balancer --> webserver
webserver --> client

Which would mean, I send a SYN to my load balancer, which forwards the 
SYN to one of my webservers, and the webserver would send a SYN-ACK back 
to me. But my machine, obviously can't do anything with a SYN-ACK from 
an IP address it didn't even ask...
The client would assume to get a SYN-ACK from the load balancer (which 
he asked...)


understood?


This rewrites the destination address, not the source.

I know. But I have to use NAT...


Your apache logs are the same as they would have been had you been
directly reachable.


Would be the same, yip...

regards,
./Marian



Re: http load balancing with pf (apache access log)

2007-01-29 Thread Marian Hettwer

Pierre-Yves Ritschard schrieb:

On Mon, 29 Jan 2007 17:20:50 +0100
Marian Hettwer [EMAIL PROTECTED] wrote:


Which would mean, I send a SYN to my load balancer, which forwards
the SYN to one of my webservers, and the webserver would send a
SYN-ACK back to me. But my machine, obviously can't do anything with
a SYN-ACK from an IP address it didn't even asked...
The client would assume to get a SYN-ACK from the load balancer
(which he asked...)

understood?


no you don't get it.
I believe I do get it. But I missed an important information about my 
load balancing setup. See below.

you setup your webservers with the load balancer as default gateway
then use rdr as I described in my previous mail. hence all the traffic
goes through the load-balancer and real client ips are preserved.


Ah... there we go.
I can't setup the webservers with their default gateway to my load 
balancer. The boxes are dedicated servers and I have no possibility to 
change the network settings.
These are rented servers (dedicated boxes) at some cheap ISP and all 
they have is an official IP address.

Changing the default gateway isn't possible...
Sorry 'bout that.

./Marian



Re: pf and load balancing some webservers

2007-01-18 Thread Marian Hettwer
Hej Bryan,

On Wed, 17 Jan 2007 16:32:43 -0500, Bryan Chapman [EMAIL PROTECTED] wrote:


 Do you have a pass rule along with that rdr rule?

Nope. But IIRC it's pass in and pass out anyway by default. And I have no block 
rule (yet) :)
Correct me if I'm wrong...

./Marian



Re: pf and load balancing some webservers

2007-01-18 Thread Marian Hettwer
Hej Stuart,

On Thu, 18 Jan 2007 09:52:15 +, Stuart Henderson [EMAIL PROTECTED]
wrote:
 On 2007/01/18 09:17, Marian Hettwer wrote:
 That doesn't make sense to me... why should the destination reply
 directly to the origin?

 That's because rdr only rewrites the destination address, not the
 source address.

I see...

 The answer from the destination to the origin wouldn't be interpreted at
 all by the origin...

 That's exactly the problem. Run tcpdump on the origin host (or the
 firewall before it) and you'll see those packets arrive straight from
 the backend.

You are right :-)

  I'm not certain whether it will help so I won't bother posting to
 misc@
  now, but you could try adding a NAT rule in addition to the RDR.
 Any other way than using NAT?

 Not without a userland proxy.

okay, that's even worse than nat ;) (performance wise)

 Would it be a nat rule like that one?
 nat on $ext_if proto tcp from any to $ext_if port 80 -> $web_servers

 Not quite; you need to rewrite the outgoing traffic to the backends
 so that it has the load-balancer's address.

 nat on $ext_if proto tcp from !($ext_if) to $web_servers port 80 ->
 ($ext_if)

thanks for that rule!

 I just tried this on my colo box and it works. (I assume you
 already enabled ip forwarding, I think you must have done this to
 get the packet trace you sent before).

 If it works for you can you followup to misc@ for the archives, please?
And yes, it works. ip forwarding is set to 1
By the way, why do I need ip forwarding? I thought it's only needed if you are
using more than one interface. In my case, it's just one interface (fxp0)?
However, thanks for your help, it's working now :-)
For the archives, this is my pf.conf
ext_if=fxp0
web_servers = "{ 193.99.144.85,66.135.208.93 }"
#int_if=int0

set skip on lo

scrub in

nat on $ext_if proto tcp from !($ext_if) to $web_servers port 80 -> ($ext_if)

rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
round-robin sticky-address

best regards and thanks again!
./Marian

PS.: although wrong thread, any chance to use the brand new hoststated in
OpenBSD 4.0 ?
If I get it via CVS, will it build? I don't like the idea to upgrade my
production box to -CURRENT at all ;)



pf and load balancing some webservers

2007-01-17 Thread Marian Hettwer

Hi All,

I tried to setup a pf(4) based load balancer for some webservers.
I did follow the instructions from openbsd.org's pf FAQ.
However, I seem to make a stupid mistake and I can't see which one.

My Setup:
- OpenBSD 4.0 box, should be the load balancer
- 2 other boxes with official IP addresses somewhere in the
internet, acting as webservers and should be load balanced by
the OpenBSD box.

my pf.conf

ext_if=fxp0
#int_if=int0

set skip on lo

scrub in

web_servers = "{ 193.99.144.85,66.135.208.93 }"
rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
round-robin sticky-address

the two IP addresses are now www.heise.de and www.ebay.de (just for 
testing).


-bash-3.1$ ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:30:48:52:c1:00
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::230:48ff:fe52:c100%fxp0 prefixlen 64 scopeid 0x1
inet 85.214.92.226 netmask 0x broadcast 85.214.92.226

and yep, the netmask needs to be like that (it's a bloody Strato box - 
german el cheap'o ISP).


The OpenBSD box can indeed contact the IP addresses I'd like to load 
balance to.

-bash-3.1$ telnet 193.99.144.85 80
Trying 193.99.144.85...
Connected to 193.99.144.85.
Escape character is '^]'.

-bash-3.1$ telnet 66.135.208.93 80
Trying 66.135.208.93...
Connected to 66.135.208.93.
Escape character is '^]'.

But when I try to access my OpenBSD box at port 80, nothing happens at all.
Nothing as in this tcpdump output:


-bash-3.1$ sudo tcpdump -vvv -i fxp0 port 80
tcpdump: listening on fxp0, link-type EN10MB
17:34:49.098464 194.50.69.62.4137 > 85.214.92.226.www: S [tcp sum ok]
2596160711:2596160711(0) win 65535 <mss 1460,nop,wscale
1,nop,nop,timestamp 3827602433 0,sackOK,eol> (DF) (ttl 54, id 18346, len 64)
17:34:52.097210 194.50.69.62.4137 > 85.214.92.226.www: S [tcp sum ok]
2596160711:2596160711(0) win 65535 <mss 1460,nop,wscale
1,nop,nop,timestamp 3827605433 0,sackOK,eol> (DF) (ttl 54, id 18348, len 64)
17:34:55.297352 194.50.69.62.4137 > 85.214.92.226.www: S [tcp sum ok]
2596160711:2596160711(0) win 65535 <mss 1460,nop,wscale
1,nop,nop,timestamp 3827608633 0,sackOK,eol> (DF) (ttl 54, id 18350, len 64)
17:34:58.497131 194.50.69.62.4137 > 85.214.92.226.www: S [tcp sum ok]
2596160711:2596160711(0) win 65535 <mss 1460,sackOK,eol> (DF) (ttl 54,
id 18356, len 48)
17:35:01.697134 194.50.69.62.4137 > 85.214.92.226.www: S [tcp sum ok]
2596160711:2596160711(0) win 65535 <mss 1460,sackOK,eol> (DF) (ttl 54,
id 18359, len 48)
17:35:04.974937 194.50.69.62.4137 > 85.214.92.226.www: S [tcp sum ok]
2596160711:2596160711(0) win 65535 <mss 1460,sackOK,eol> (DF) (ttl 54,
id 18368, len 48)
17:35:11.097441 194.50.69.62.4137 > 85.214.92.226.www: S [tcp sum ok]
2596160711:2596160711(0) win 65535 <mss 1460,sackOK,eol> (DF) (ttl 54,
id 18387, len 48)


This doesn't look good. Nothing gets forwarded at all...
And I can't see what I'm missing.

anybody any idea?

best regards,
Marian



teamspeak server - webinterface

2007-01-09 Thread Marian Hettwer

Hi All,

I'm trying to get a teamspeak server (linux binary) running under 
OpenBSD 4.0
I already dug through the archives and teamspeak forums and it looks like 
nobody got it running yet.
Well, my thought was: If it runs under FreeBSD's linux emulation, why 
shouldn't it run with OpenBSD's linux emulation?

Actually getting it to start is pretty straight forward.
But now it gets strange.
It opened the port 14534 for its webinterface, but I just can't get a 
connection.


tcpdump looks like that:

[EMAIL PROTECTED] /emul/linux/lib # tcpdump -vvv -i fxp0 port 14534
tcpdump: listening on fxp0, link-type EN10MB



21:01:16.648401 91.64.139.194.56966 > 81.169.171.191.14534: S [tcp sum
ok] 3861700237:3861700237(0) win 65535 <mss 1460,nop,wscale
0,nop,nop,timestamp 1675052578 0,sackOK,eol> (DF) (ttl 51, id 15498, len 64)
21:01:16.648478 81.169.171.191.14534 > 91.64.139.194.56966: S [tcp sum
ok] 1066820290:1066820290(0) ack 3861700238 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3608973420
1675052578> (DF) (ttl 64, id 50636, len 64)
21:01:16.681719 91.64.139.194.56966 > 81.169.171.191.14534: . [tcp sum
ok] 1:1(0) ack 1 win 65535 <nop,nop,timestamp 1675052578 3608973420>
(DF) (ttl 51, id 15499, len 52)
21:01:16.685012 91.64.139.194.56966 > 81.169.171.191.14534: P 1:252(251)
ack 1 win 65535 <nop,nop,timestamp 1675052578 3608973420> (DF) (ttl 51,
id 15500, len 303)
21:01:16.884139 81.169.171.191.14534 > 91.64.139.194.56966: . [tcp sum
ok] 1:1(0) ack 252 win 17125 <nop,nop,timestamp 3608973421 1675052578>
(DF) (ttl 64, id 36313, len 52)


some packets are flying around but the connection doesn't get 
established at all.


I even gave ktrace a try, but I'm pretty much unable to interpret the 
output ;)
So if anybody wants to take a look, the ktrace (for using with kdump) is 
here: http://terrorteam.de/~rabauke/OpenBSD/ktrace.out-teamspeak


Any help is very much appreciated.
I can't see a reason at all why it's running under FreeBSD, but not 
under OpenBSD :-/


best regards,
Marian



munin

2006-11-28 Thread Marian Hettwer

Hi Folks,

does anybody use munin on OpenBSD?
If not, I'll try do create a port...
If somebody else already tried this and has an old port flying around,
I'd be glad to use this one :)

Background: We're using munin in our Datacenter to monitor all servers.
Recently I installed some OpenBSD boxes and those need to be monitored
by munin too...

any hints?

best regards,
Marian

PS.: Ah, yes, it's OpenBSD 4.0 and thanks to the maintainer of Nagios
nrpe :-) (we need that one too)



Re: Looking for HowTo instructions ...

2006-10-04 Thread Marian Hettwer

Hi Ingo,

Ingo Schwarze wrote:

 I doubt the project is worth the effort at all.
 Whatever numbers might result will be heavily biased.
Of course it's biased. It's statistics of running *BSD systems. How
could that possibly not be biased?!

 BSDstats is typical bloatware that lots of OpenBSD
 users will hate (not all, mind you, but many more than
 e.g. in Linuxland).
Why could bsdstats be bloatware? It's a simple shellscript, telling a
remote Server "Hej, I'm an OpenBSD 3.9 on i386. Goodbye."
Bloatware is something different... bsdstats could be bloatware if it
would be a huge pile of python scripts ;)
It's only shell...

 
 Besides, the OpenBSD community tends to just not care
 about marketing.  OpenBSD is about correctness, simplicity,
 freedom and security.  Popularity is *not* among the
But OpenBSD needs funding too. And popularity is one instrument of a
whole lot to get funds. Keep that in mind.

 project goals.  Most of the developers work on it because
 they need good code themselves - and certainly not in
 order to become famous.
While that is true, bsdstats is not about being famous.

 
 Thus, i should expect the following attitude from typical
 OpenBSD users: A software for measuring popularity?  How
It's your attitude!

 boring.  What, it will even run cron scripts and open
 network connections?  No way on my machine...
uuuhhh... Security Issues, hm?
Yeah, sure. Now go on and disable your sshd, as it's also opening a
network connection. Better unplug your ethernet cable too (and of course
disable your wireless card) *SCNR*

Get Real!

./Marian

PS.: It's been quite a while since I was reading that much crap in one
eMail.
If all you said is your opinion, well, that's okay. If you tend to talk
for others, and you did, then please stop that.
Yes, I'm an OpenBSD user (but also a FreeBSD user and at work a Linux
user too).



Re: soekris boot console

2006-09-20 Thread Marian Hettwer

Hi Gustavo,


Gustavo Rios wrote:
 It sound very strange, i see no soekris output. I am using a
 female-male cable connector with a gender changer adapter on one cable
 end.
 
hm... that doesn't sound like a NULL-Modem cable to me...
Are you 100% sure that you're using a Null Modem cable to connect
between your Laptop/PC and the Soekris?

Welcome to the world of RS-232 ;-) (may be the hell of RS-232)

 Could it be the problem ?
 
most likely...

If you have 2 serial ports on your PC running OpenBSD, you could try to
enable the console on port 1 and use tip on port 2 to connect to port...
just make sure it's not the soekris box... (which I doubt it is).

regards,
Marian



Re: Mysql in replication setup

2006-09-19 Thread Marian Hettwer

Hi Daniel,

Daniel Ouellet wrote:
 Okay... but by looking in iostat, it looks like pretty low traffic. 1 to
 2 MB/sec. A higher number of transfers per second, though.
 
 
 You are right! Yes But the question is also, is there something else
 then...
 
 A few ideas below. Sure not all apply for sure, but just to show you
 that assuming it's the same setup and from 4.1 to 5.0 makes no
 difference, or have no impact might not always be true.
 
Well, let's see...

 Well... it's getting data from the master all the time, so I guess, it
 will be in waiting for i/o all the time.
 However, this is by design (if you like to speak of design in regards
 to MySQL).
 And still I should be able to connect to mysql and do a show slave
 status\G quite fast (not waiting 6 seconds to complete that task...).

 It gets even worse, if I try to do a select on some database. Yeah, the
 database could be locked while I do that, but since there are 50 queries
 / second coming in, the database still should have enough time to answer
 (in between being locked).
 
 
 May be. But it may depend on many things including file system use too.
 Does you Linux version actually writes the data to the drive, or to
 cache and flush time to time. Meaning faster to process locks if you do
 use any? If it crash, do you actually lost some data that were not
 written to disk in that case? If it crash on OpenBSD, the data
 will/should be there. I am not saying this is THE reason, but consider
 it however.
 
This could be a likely cause. I'm not that familiar with the internals
of Linux's VM. All I know is, we're using ext3 on those Linux boxes and
yes, a hard crash will most likely render at least some tables (those
which were opened? *g*) unusable...
Granted, it is an advantage if OpenBSD doesn't destroy the MyISAM files,
however, this is a MySQL replication setup with backups and everything.
The client replicants are available in quite a large number. You could
speak of a read-only load balance cluster of MySQL machines.
If one dies? Who cares, reinstall the machine, get your backup and back
to work :)

 Also some design in MySQL might affect you too if you do use locks and
 you might here, I don't know the data you use: WRITE locks normally
 have higher priority than READ locks to ensure that updates are
 processed as soon as possible. This means that if one thread obtains a
 READ lock and then another thread requests a WRITE lock, subsequent READ
 lock requests wait until the WRITE thread has gotten the lock and
 released it. You can use LOW_PRIORITY WRITE locks to allow other threads
 to obtain READ locks while the thread is waiting for the WRITE  lock.
 You should use LOW_PRIORITY WRITE locks only if you are sure that
 eventually there will be a time when no threads have a READ lock.
 
I'll keep that in mind, thanks.

 Also something that may well apply to you as you refer to timezone table
 that you do not replicate over. Did you consider this when mixing 4.1 to
 5.0:
 
 #If the master uses MySQL 4.1, the same system time zone should be set
 for both master and slave. Otherwise some statements will not be
 replicated properly, such as statements that use the NOW() or
 FROM_UNIXTIME() functions. You can set the time zone in which MySQL
 server runs by using the --timezone=timezone_name option of the
 mysqld_safe script or by setting the TZ environment variable. Both
 master and slave should also have the same default connection time zone
 setting; that is, the --default-time-zone parameter should have the same
 value for both master and slave. Note that this is not necessary when
 the master is MySQL 5.0 or later.
This is some new info to me, and it looks like I really should fix this
timezone issue. Thanks for pointing that out.

 
 Anyways, many others issues you should/need to consider when mixing, or
 trying to mix version of master/slave 4.1 to 5.0:
 
 http://mysql.speedbone.de/doc/refman/5.0/en/replication-features.html
 
 Then do you use trigger as well? I am almost sure this doesn't apply to
 you, but needs to be consider when mixing version for replications setup.
Nope, no triggers.

 Some more issues with mixing 4/1 version as master to 5.0 as slave:
 
 If the master uses MySQL 4.1, you must always use the same global
 character set and collation on the master and the slave, regardless of
 the MySQL version running on the slave. (These are controlled by the
 --character-set-server and --collation-server options.) Otherwise, you
 may get duplicate-key errors on the slave, because a key that is unique
 in the master character set might not be unique in the slave character
 set. Note that this is not a cause for concern when master and slave are
 both MySQL 5.0 or later.
I did this. If using the wrong collation / character set, the MySQL 5.0
replicant won't even start to replicate...

 
 
 Also for speed improvements on slave:
 
 http://dev.mysql.com/doc/refman/5.0/en/insert-speed.html
 
 and a 

Re: Mysql in replication setup

2006-09-19 Thread Marian Hettwer



Daniel Ouellet wrote:
 Marian Hettwer wrote:


 060915 17:33:29 [Warning] /usr/local/libexec/mysqld: ignoring option
 '--low-priority-updates' due to invalid value 'ON'

 -- Seems like that parameter doesn't exist anymore in MySQL 5.0 ...
 I'll look into it...
 
 
 Starting by looking at errors and then making sure a replication setup
 doesn't have any errors is always a good thing before saying it doesn't
 work. So, when no errors happen, may be many things will work just fine.
I haven't said that it doesn't work. I said it's bloody slow. That's a
huge difference...

 
 060915 17:33:29 [Warning] Could not increase number of max_open_files to
 more than 8096 (request: 8192)

 -- You mentioned something about that later in your mail. Could be a
 problem, eh?
 
 
 Go read it again. I think I pointed it many times so far. 
 If you still have issue with this, I will be glad to point you in the
 right direction, but do your homework first and try it out. The answer
 was provided very clearly and repeated as well and IS in the document
 about it as well.
Hold your breath. I read it, I changed the parameter down to 4096 and
should be fine now.

 
 060915 17:33:29 [Warning] mysql.user table is not updated to new
 password format; Disabling new password usage until
 mysql_fix_privilege_tables is run

 -- Yeah well, I could run mysql_fix_privilege_tables, however, I
 bet it
 has nothing todo with my problem.
 
 
 That's not fix privilege. Men, go read please. Look for old_password.
And again, this has most likely nothing to do with performance, so I
stick with the old password scheme and never mind (for now).

 
 060915 17:33:29 [Warning] Can't open and lock time zone table: Table
 'mysql.time_zone_leap_second' doesn't exist trying to live without them
 060915 17:33:29 [Warning] Neither --relay-log nor --relay-log-index were
 used; so replication may break when this MySQL server acts as a slave
 and has his hostname changed!! Please use
 '--relay-log=babelfish45-relay-bin' to avoid this problem.

 -- As I'm not about to change the hostname, I'll fix that problem
 later.
 
 
 That is not the host name here. Go read the manual. They tell you to
 configure the my.cnf to use a log file reflecting your host name, not to
 change your host name. I think spending some time reading will help you
 work on the software you want to use. This is well explain in the log as
 well as in the manual.
 
 They even tell you what to use:
 
 --relay-log=babelfish45-relay-bin
 
 Where does it say hostname needs to be changed?
It said, if I don't configure the my.cnf accordingly, and then change my
hostname, I'll be screwed.
One way to fix, is using relay-log in my.cnf, but again, I can skip this
as the whole setup is a Proof of Concept, nothing more. It's not in
production so stay cool.
Again, this has nothing to do with the performance issue encountered.
Yes, I do know that it's not a clean setup and I should do it right.

 
 060915 17:33:29 [Note] /usr/local/libexec/mysqld: ready for connections.
 Version: '5.0.22-log'  socket: '/tmp/mysql.sock'  port: 3306  OpenBSD
 port: mysql-server-5.0.22
 060915 17:33:29 [Note] Slave SQL thread initialized, starting
 replication in log 'foo-bin.40' at position 358083515, relay log
 './babelfish45-relay-bin.04' position: 37101832
 060915 17:33:29 [Note] Slave I/O thread: connected to master
 '[EMAIL PROTECTED]:3306',  replication started in log 'foo-bin.40' at
 position 358083543
 
 
 Look lie at a minimum this works.
 
I haven't said that it doesn't work... I said it's working, but it's slow.

 
 I have no clue how big your database might be or not. Nor how many
 tables, etc.

 all in all it's 175 MyISAM files, but only a small part of them are
 actually open and in use.
 As you see above, only 11 tables are open. But some of them are rather
 large (400 - 600 MB).
 
 
 But look like form previous errors that it try to use table that are not
 available. So, if you really want a good mirror, you need to make sure
 it will replicate all the tables it needs, or are link together, or the
 replication process will stop, only the bin log files will keep growing.
 
Whut? It doesn't say that it can't replicate because a table is
missing. I think you're mixing something up. Moreover, I would see this
error in show slave status\G.

 Clue on that is if you have more then one relay-bin file on the slave,
 then it is safe to assume the replications stop. Not the copy over of
 the data, but the update of the tables.
 
the tables are updating, the replication is running.

 And as I said, access to MySQL itself is pretty slow.
 As in: getting a show slave status\G needs between 4 and 14 seconds,
 or a mysqladmin proc stat needs up to 16 seconds.
 And this has really nothing to do with how big is your database or
 how many open tables do you have. Not at all.
 
 
 I don't think I said it was normal. That's why I asked for the error
 logs first. See

Re: Mysql in replication setup

2006-09-18 Thread Marian Hettwer

Hi Daniel,

Daniel Ouellet wrote:
 Marian Hettwer wrote:
 
 As soon as replication starts, mysql gets very unresponsive:
 -bash-3.1$ time mysqladmin -uroot -p proc stat
 Enter password:
 ++-+---++-+--+---+--+

 | Id | User| Host  | db | Command | Time | State
  | Info |
 ++-+---++-+--+---+--+

 | 4  | system user |   || Connect | 204  | Waiting for
 master to send event  |
  |
 | 5  | system user |   || Connect | 8661 | Has read all
 relay log; waiting for the slave I/O thread to update it |
 |
 | 7  | root| localhost || Query   | 0|
  | show processlist |
 ++-+---++-+--+---+--+

 Uptime: 308  Threads: 1  Questions: 6328  Slow queries: 0  Opens: 0
 Flush tables: 1  Open tables: 24  Queries per second avg: 20.545

 real0m15.463s
 user0m0.010s
 sys 0m0.020s

 15 bloody seconds to return mysqladmin proc stat ?
 That ain't good.
 
 
 Wasn't it that your slave actually catch up to the master and replicate
 all the tables your master had?
 
well, not all tables, but quite a lot of them. Some are ignored. See the
my.cnf I provided.

 You don't provide mysql.err logs, etc and we don't know if it actually
 replicate your tables or not. I guess from this it did.
 
It is replicating the tables I have. My mysql.err file looks like this:
060915 17:33:29  mysqld started
060915 17:33:29 [Warning] /usr/local/libexec/mysqld: ignoring option
'--low-priority-updates' due to invalid value 'ON'

060915 17:33:29 [Warning] /usr/local/libexec/mysqld: ignoring option
'--low-priority-updates' due to invalid value 'ON'

-- Seems like that parameter doesn't exist anymore in MySQL 5.0 ...
I'll look into it...


060915 17:33:29 [Warning] Could not increase number of max_open_files to
more than 8096 (request: 8192)

-- You mentioned something about that later in your mail. Could be a
problem, eh?


060915 17:33:29 [Warning] mysql.user table is not updated to new
password format; Disabling new password usage until
mysql_fix_privilege_tables is run

-- Yeah well, I could run mysql_fix_privilege_tables, however, I bet it
has nothing todo with my problem.

060915 17:33:29 [Warning] Can't open and lock time zone table: Table
'mysql.time_zone_leap_second' doesn't exist trying to live without them
060915 17:33:29 [Warning] Neither --relay-log nor --relay-log-index were
used; so replication may break when this MySQL server acts as a slave
and has his hostname changed!! Please use
'--relay-log=babelfish45-relay-bin' to avoid this problem.

-- As I'm not about to change the hostname, I'll fix that problem later.

060915 17:33:29 [Note] /usr/local/libexec/mysqld: ready for connections.
Version: '5.0.22-log'  socket: '/tmp/mysql.sock'  port: 3306  OpenBSD
port: mysql-server-5.0.22
060915 17:33:29 [Note] Slave SQL thread initialized, starting
replication in log 'foo-bin.40' at position 358083515, relay log
'./babelfish45-relay-bin.04' position: 37101832
060915 17:33:29 [Note] Slave I/O thread: connected to master
'[EMAIL PROTECTED]:3306',  replication started in log 'foo-bin.40' at
position 358083543


 Let see 308 seconds up only for the server, did 20.5 query per seconds
 for that time with would be your 6328 queries there, of witch all finish
 based on this show process and also looks like it finish to mirror it
 and now is waiting for the master to send more.
 
That's right. And according to the queries per second it's continuously
getting data from its master (approx. 49 queries per second, all through
replication)
Uptime: 231027  Threads: 1  Questions: 11540813  Slow queries: 0  Opens:
0  Flush tables: 1  Open tables: 11  Queries per second avg: 49.954


 I have no clue how big your database might be or not. Nor how many
 tables, etc.
 
all in all it's 175 MyISAM files, but only a small part of them are
actually open and in use.
As you see above, only 11 tables are open. But some of them are rather
large (400 - 600 MB).

 The only think I know is that you did install from packages. Great. Then
 started master/slave and look like it worked.
And as I said, access to MySQL itself is pretty slow.
As in: getting a show slave status\G needs between 4 and 14 seconds,
or a mysqladmin proc stat needs up to 16 seconds.
And this has really nothing to do with how big is your database or
how many open tables do you have. Not at all.

 
 Then you were trying to query the server I guess for data may
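Marian's mysql.err above carries the warnings Daniel keeps pointing at. Added here as an example that is not part of the thread: a parser and triage for that log format, with the sample log reconstructed from the thread and the remediation text naming real mysqld settings (old_passwords, relay-log, open_files_limit).

```python
"""Triage a mysqld error log from a replication slave.

Added example, not code from the original thread. It parses the log format
shown above ("YYMMDD HH:MM:SS [Level] message" plus wrapped continuation
lines without a timestamp) and flags what a defender would act on. SAMPLE_LOG
is reconstructed from the thread; old_passwords, relay-log and
open_files_limit in the remediation text are real mysqld settings.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2})\s+(?:\[(?P<level>\w+)\]\s+)?(?P<msg>.*)$"
)

@dataclass
class Entry:
    ts: str
    level: str
    msg: str

@dataclass
class Finding:
    name: str
    severity: str
    detail: str
    remediation: str

# (name, severity, pattern, remediation); regex groups become the detail
CHECKS = [
    ("weak-password-hashes", "high",
     re.compile(r"not updated to new password format"),
     "run mysql_fix_privilege_tables, set old_passwords=0 and reset all passwords"),
    ("relay-log-not-pinned", "medium",
     re.compile(r"Neither --relay-log nor --relay-log-index.*?'(--relay-log=[^']+)'"),
     "set relay-log in my.cnf so the slave survives a hostname change"),
    ("max-open-files-capped", "low",
     re.compile(r"max_open_files to more than (\d+) \(request: (\d+)\)"),
     "lower table_cache/open_files_limit or raise the OS descriptor limit"),
    ("option-ignored", "low",
     re.compile(r"ignoring option '([^']+)' due to invalid value '([^']+)'"),
     "remove or correct the option in my.cnf"),
    ("time-zone-tables-missing", "low",
     re.compile(r"Can't open and lock time zone table: Table '([^']+)'"),
     "load the time zone tables; a 4.1 master also needs matching TZ settings"),
]

def parse_log(text: str) -> list[Entry]:
    """Split the log into entries, gluing wrapped lines onto the one before."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], m["level"] or "Plain", m["msg"]))
        elif entries:
            entries[-1].msg += " " + line
    return entries

def triage(entries: list[Entry]) -> list[Finding]:
    """Match entries against CHECKS, reporting each (name, detail) pair once."""
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()
    for e in entries:
        for name, severity, rx, fix in CHECKS:
            m = rx.search(e.msg)
            if not m:
                continue
            detail = " / ".join(m.groups()) if m.groups() else e.msg
            if (name, detail) not in seen:
                seen.add((name, detail))
                findings.append(Finding(name, severity, detail, fix))
            break
    return findings

# Reconstructed from the thread's mysql.err (constructed sample input).
SAMPLE_LOG = """\
060915 17:33:29  mysqld started
060915 17:33:29 [Warning] /usr/local/libexec/mysqld: ignoring option
'--low-priority-updates' due to invalid value 'ON'
060915 17:33:29 [Warning] /usr/local/libexec/mysqld: ignoring option
'--low-priority-updates' due to invalid value 'ON'
060915 17:33:29 [Warning] Could not increase number of max_open_files to
more than 8096 (request: 8192)
060915 17:33:29 [Warning] mysql.user table is not updated to new
password format; Disabling new password usage until
mysql_fix_privilege_tables is run
060915 17:33:29 [Warning] Can't open and lock time zone table: Table
'mysql.time_zone_leap_second' doesn't exist trying to live without them
060915 17:33:29 [Warning] Neither --relay-log nor --relay-log-index were
used; so replication may break when this MySQL server acts as a slave
and has his hostname changed!! Please use
'--relay-log=babelfish45-relay-bin' to avoid this problem.
"""

if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.name}: {f.detail}\n    fix: {f.remediation}")
```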

Re: Mysql in replication setup

2006-09-18 Thread Marian Hettwer

Hej Stuart,

Stuart Henderson wrote:
 On 2006/09/18 11:46, Marian Hettwer wrote:
 
Okay... but by looking in iostat, it looks like pretty low traffic. 1 to
2 MB/sec. A higher number of transfers per second, though.
 
 
 You only sent that to me Marian, did you mean to Cc: [EMAIL PROTECTED]
Looks like I hit Reply, not Reply All. Sorry!

 
 Is disk i/o from other processes on the box also slow? I wonder
 if there's some more general problem with disk i/o with OpenBSD on
 that hardware, rather than some problem with mysql.
Well, I did a dd and that looks okay:
-bash-3.1$ dd if=/dev/zero of=mybigimage.dd bs=64k count=2000
2000+0 records in
2000+0 records out
131072000 bytes transferred in 1.826 secs (71743184 bytes/sec)

 
 I don't know if there's any chance if it will help, but I also
 wonder if there would be any improvement with a single-processor
 kernel. If there is, at least it gives extra clues...
 
I can't reboot right now, but I'll keep rebooting and booting a UP
kernel in mind.

Thanks,
Marian



Re: Mysql in replication setup

2006-09-18 Thread Marian Hettwer



Stuart Henderson wrote:
25222 _mysql-50  185M   50M sleep/0  biowai   0:14  1.42% mysqld

Well... to me it looks like the box is idle... why is MySQL still pretty
unresponsive (I tend to say slow).
 
 
 It's not idle, it's waiting for i/o to complete.
 
 
Okay... but by looking in iostat, it looks like pretty low traffic. 1 to
2 MB/sec. A higher number of transfers per second, though.

-bash-3.1$ iostat 1
      tty            sd0             cd0             fd0             cpu
 tin tout  KB/t t/s MB/s   KB/t t/s MB/s   KB/t t/s MB/s  us ni sy in id
   0    1 16.85  15 0.25   0.00   0 0.00   0.00   0 0.00   0  0  0  0 99
   0 1145 16.09  90 1.41   0.00   0 0.00   0.00   0 0.00   0  0  0  0 99
   0 1022 16.52  77 1.24   0.00   0 0.00   0.00   0 0.00   2  0  0  0 97
   0  158 16.21  82 1.29   0.00   0 0.00   0.00   0 0.00   0  0  0  0 99
   0  213 16.00  92 1.44   0.00   0 0.00   0.00   0 0.00   0  0  0  0100
   0  149 16.00 155 2.43   0.00   0 0.00   0.00   0 0.00   0  0  0  0100
   0  229 15.93 181 2.81   0.00   0 0.00   0.00   0 0.00   1  0  0  0 99
   0  657 16.97  82 1.35   0.00   0 0.00   0.00   0 0.00   1  0  0  0 99
   0  217 16.37  85 1.35   0.00   0 0.00   0.00   0 0.00   2  0  1  0 97
   0  155 16.71  78 1.27   0.00   0 0.00   0.00   0 0.00   2  0  0  0 97
   0  209 16.61  78 1.27   0.00   0 0.00   0.00   0 0.00   1  0  1  0 98
   0  257 16.64  74 1.20   0.00   0 0.00   0.00   0 0.00   2  0  0  0 97
   0  188 16.00  90 1.40   0.00   0 0.00   0.00   0 0.00   0  0  0  0100
   0  149 16.09  95 1.49   0.00   0 0.00   0.00   0 0.00   0  0  0  0100
   0  140 16.00 212 3.31   0.00   0 0.00   0.00   0 0.00   0  0  0  0100
   0  153 16.06 134 2.10   0.00   0 0.00   0.00   0 0.00   0  0  0  0100
   0  150 16.08  99 1.55   0.00   0 0.00   0.00   0 0.00   1  0  0  0 99
   0  151 16.72  88 1.43   0.00   0 0.00   0.00   0 0.00   1  0  0  0 98
   0  150 16.24  98 1.55   0.00   0 0.00   0.00   0 0.00   1  0  0  0 98
   0  221 16.42  75 1.20   0.00   0 0.00   0.00   0 0.00   1  0  1  0 97

Well... it's getting data from the master all the time, so I guess, it
will be in waiting for i/o all the time.
However, this is by design (if you like to speak of design in regards
to MySQL).
And still I should be able to connect to mysql and do a show slave
status\G quite fast (not waiting 6 seconds to complete that task...).

It gets even worse, if I try to do a select on some database. Yeah, the
database could be locked while I do that, but since there are 50 queries
/ second coming in, the database still should have enough time to answer
(in between being locked).

Okay, flame me, but, the same replication setup like it is in use here
on a Debian Woody with Linux 2.4.31 takes 0,00 seconds to do a select
count(*) foo; while OpenBSD needs from 0,83 to 7,56 seconds to complete
the request :-/
Strange...
mysql select count(*) from foo;
+--+
| count(*) |
+--+
|  1389660 |
+--+
1 row in set (0.83 sec)

mysql select count(*) from foo;
+--+
| count(*) |
+--+
|  1389665 |
+--+
1 row in set (3.70 sec)

mysql select count(*) from foo;
+--+
| count(*) |
+--+
|  1389677 |
+--+
1 row in set (7.56 sec)

mysql select count(*) from foo;
+--+
| count(*) |
+--+
|  1389697 |
+--+
1 row in set (6.52 sec)

mysql select count(*) from foo;
+--+
| count(*) |
+--+
|  1389699 |
+--+
1 row in set (5.06 sec)

mysql


Linux 2.4.31:
mysql select count(*) from foo;
+--+
| count(*) |
+--+
|  1405115 |
+--+
1 row in set (0.00 sec)


The Linux box is running the same hardware as the OpenBSD box. The only
difference is that the Linux box is running MySQL 4.1.14 whereas OpenBSD
runs 5.0.22.
Granted, you can't compare those two systems.
On the other hand, the Linux box is in production, taking the 50 queries
 / second from replication while handling another 50 queries / second
due to being in production. Counts up to 100 queries per second avg.

Any more ideas? Should it be all related to the replication setup and
Disk I/O ?
I do know that MySQL is a bitch in regards to I/O and VM.
'tis no fun to handle huge files:
-bash-3.1$ ls -l /usr/local/mysql/data/*relay*
-rw-rw  1 _mysql  _mysql  197288820 Sep 18 11:45
/usr/local/mysql/data/babelfish45-relay-bin.32
-rw-rw  1 _mysql  _mysql 31 Sep 18 09:59
/usr/local/mysql/data/babelfish45-relay-bin.index
-rw-rw  1 _mysql  _mysql 72 Sep 18 11:45
/usr/local/mysql/data/relay-log.info
-bash-3.1$

Yeah, the relay binlog is _that_ big...

./Marian

Dell 1650 serial console

2006-08-30 Thread Marian Hettwer

Hi All,

I'm trying to pxeboot a Dell 1650 with OpenBSD 3.9. Console redirection
of the BIOS is running without problems and pxeboot gets transmitted via
tftp too.
When I type in set tty com0, I get the following message:
com0 console not present
And of course when I say boot bsd.rd, bsd.rd is fetched via tftp but I
have no output.

That's kinda strange, because the BIOS is already redirected to the
serial port and on the very same box I can install Debian Linux
remotely, console always working flawlessly, from BIOS to Lilo and
system itself.

Now, obviously, I want to install OpenBSD 3.9 and not Debian Linux.
Any idea why OpenBSD (pxeboot) is complaining about no com0 ?

I can send debugging output as long as it's required, 'cause like I said,
I have remote serial access until I try to set tty com0 at the OpenBSD
boot prompt ;)

Thanks in advance,
Marian



Re: Dell 1650 serial console

2006-08-30 Thread Marian Hettwer

Hej David,

David Golden wrote:
 On Wednesday 30 August 2006 13:00, Marian Hettwer wrote:

 
 Don't have a Dell 1650 specifically, but most pre-boot console redirection 
 I've seen on PCs is basically screen-scraping the VGA text buffer.  When you 
 are running Debian linux, is login via a getty on [linux] ttyS0 once that 
 system has booted, or is the system perhaps still actually screen-scraping 
 VGA text, so logging in on the serial port is actually via a getty on [linux] 
 tty1 ?  Actually, I suspect the latter, because usually
 you have to edit the inittab post-install to enable a getty on ttyS0...
 
Nay. If I do a pxeboot of Linux, I use the CONSOLE=ttyS0,9600n81 as a
Kernel Parameter and do get serial console output.
getty is afterwards started on ttyS0
So it's from BIOS to full boot always ttyS0 in Linux...
However,

 On our PC systems with redirection, there is a BIOS setting for when the 
 redirection cuts out, something like:
 always
 pre-boot
 shared
 disabled
I'll check that... maybe something is interfering.


regards,
Marian



Re: Dell 1650 serial console

2006-08-30 Thread Marian Hettwer

Hej David,

second reply, after checking the BIOS settings.


David Golden wrote:

 
 On our PC systems with redirection, there is a BIOS setting for when the 
 redirection cuts out, something like:
 always
 pre-boot
 shared
 disabled
 
The Dell only knows 3 parameters for console redirection to serial port:

enabled / disabled (is set to on, obviously)
Remote Terminal Type: ANSI or VT100 (is set to VT100)
Redirection After Boot

When I set the last parameter to disabled, I don't even see the pxeboot
(pxe bootloader) of OpenBSD. Logically, I can't type in set tty com0.

If I set this parameter to enabled, I can see the OpenBSD pxeboot and
can type in stuff like set tty com0.
But as mentioned earlier, the command is returned with com0 console not
present.
Damn...

set tty com0 -- switching console to com0, com0 console not present

Any more ideas?

The server is remote, so I only have remote serial console and remote
power. No KVM (and frankly, I don't want to have KVM for Unix systems
anyway)

./Marian



Re: Dell 1650 serial console

2006-08-30 Thread Marian Hettwer



Stuart Henderson wrote:
 On 2006/08/30 15:39, Marian Hettwer wrote:
 
Redirection After Boot

When I set the last parameter to disabled, I don't even see the pxeboot
(pxe bootloader) of OpenBSD. Logically, I can't type in set tty com0.
 
 
 the console redirection is probably not sharing the serial port
 with the OS - try setting this to disabled and place set tty com0
 in /etc/boot.conf (as is done when you answer yes to the do you
 want a serial console? question in the installer).

Did that. And also set image bsd.rd and boot bsd.rd, as I can't see
anything at this point of my installation if I disabled the console
redirection after boot.
I wouldn't consider disabling the console redirection altogether, 'cause
then you wouldn't have a chance to get into the BIOS. And you do want to
get into the BIOS.
See my other mail and thanks for the (same) idea ;)

./Marian



Re: Dell 1650 serial console

2006-08-30 Thread Marian Hettwer

Replying to myself for the archives:


Marian Hettwer wrote:
 
 The Dell only knows 3 Parameters for console redirection to serial port:
 
 enabled / disabled (is set to on, obviously)
 Remote Terminal Type: ANSI or VT100 (is set to VT100)
 Redirection After Boot
 
 When I set the last parameter to disabled, I don't even see the pxeboot
 (pxe bootloader) of OpenBSD. Logically, I can't type in set tty com0.
 
 If I set this parameter to enabled, I can see the OpenBSD pxeboot and
 can type in stuff like set tty com0.
 But as mentioned earlier, the command is returned with com0 console not
 present.
 Damn...
 
 set tty com0 -- switching console to com0, com0 console not present
 
 Any more ideas?

Yeah, I have more ideas to my own question...

I disabled the Redirection After Boot again and created an
etc/boot.conf in my tftproot, consisting of the following lines

set tty com0
set image bsd.rd
boot bsd.rd

files in my tftproot are now looking like that
bsd.rd
etc/boot.conf
openbsd-pxe (aka pxeboot)

booted the Dell via pxe and see...
- no serial output while PXE asked for a DHCP server
- serial output seen as soon as bsd.rd booted

thus I'd say, the set tty com0 was successful and before the BIOS was
blocking the serial port.
Linux can cope with this situation and OpenBSD can't. That's not
particularly beautiful, as I am now missing the PXE output (which has
some information available), but at least I can pxeboot the Dell and
install OpenBSD via network.

All in all, I'd say: was easy with Linux, was a bit harder with OpenBSD,
and as I'm now reading the FreeBSD docs on PXE... ugh! wtf and omfg. Why
make easy things hard??

./Marian
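Stuart's replies to this thread name the easy mistakes with such a layout (boot.conf at the top level instead of etc/, files the tftp daemon cannot read). Added here as an example that is not part of the thread: a checker for a tftproot built the way Marian describes, with build_sample_tftproot() as a constructed stand-in for the real directory.

```python
"""Check a tftproot laid out for a serial-console OpenBSD PXE install.

Added example, not code from the original thread. It verifies the layout the
thread arrives at (pxeboot, bsd.rd and etc/boot.conf under the tftproot) and
catches the pitfalls the replies name: boot.conf at the top level instead of
etc/, files the unprivileged tftp daemon cannot read, and a 'set image' that
points at a file that is not there. File names and boot.conf commands come
from the thread; the checker, its messages and build_sample_tftproot are
this example's own.
"""
from __future__ import annotations
import os
import tempfile
from pathlib import Path

WORLD_READ = 0o004  # tftpd runs unprivileged, so "other" read is what matters

def parse_boot_conf(text: str) -> dict[str, str]:
    """Return the last value of each 'set <var> <value>' and any 'boot' line."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 2)
        if len(parts) == 3 and parts[0] == "set":
            settings[parts[1]] = parts[2]
        elif parts and parts[0] == "boot":
            settings["boot"] = parts[1] if len(parts) > 1 else ""
    return settings

def _served(path: Path) -> bool:
    return path.is_file() and bool(path.stat().st_mode & WORLD_READ)

def check_tftproot(root: str | os.PathLike[str], pxeboot: str = "pxeboot") -> list[str]:
    """Return the problems found; an empty list means the layout looks right."""
    root = Path(root)
    problems = [f"{n}: missing or not world-readable"
                for n in (pxeboot, "bsd.rd") if not _served(root / n)]
    conf = root / "etc" / "boot.conf"
    if (root / "boot.conf").is_file() and not conf.is_file():
        problems.append("boot.conf is at the top level; pxeboot reads etc/boot.conf")
        return problems
    if not _served(conf):
        problems.append("etc/boot.conf: missing or not world-readable")
        return problems
    settings = parse_boot_conf(conf.read_text())
    if settings.get("tty") != "com0":
        problems.append("etc/boot.conf: no 'set tty com0', nothing will reach the serial line")
    image = settings.get("image")
    if image is None:
        problems.append("etc/boot.conf: no 'set image bsd.rd', the installer will not be chosen")
    elif not _served(root / image):
        problems.append(f"etc/boot.conf: image '{image}' is not under the tftproot")
    boot = settings.get("boot")
    if boot and image and boot != image:
        problems.append(f"etc/boot.conf: 'boot {boot}' disagrees with 'set image {image}'")
    return problems

def build_sample_tftproot(misplace_boot_conf: bool = False) -> Path:
    """Create a constructed tftproot in a temp dir mirroring the thread's
    layout; with misplace_boot_conf the file goes to the top level instead."""
    root = Path(tempfile.mkdtemp(prefix="tftproot-"))
    (root / "etc").mkdir()
    for name in ("pxeboot", "bsd.rd"):  # empty stand-ins for the real files
        (root / name).write_bytes(b"")
        (root / name).chmod(0o644)
    conf = root / ("boot.conf" if misplace_boot_conf else "etc/boot.conf")
    conf.write_text("set tty com0\nset image bsd.rd\nboot bsd.rd\n")
    conf.chmod(0o644)
    return root

if __name__ == "__main__":
    for misplaced in (False, True):
        root = build_sample_tftproot(misplaced)
        print(root, check_tftproot(root) or "ok")
```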



Re: Dell 1650 serial console

2006-08-30 Thread Marian Hettwer



David Golden wrote:
 On Wednesday 30 August 2006 15:09, Marian Hettwer wrote:
 
 
Linux can cope with this situation and OpenBSD can't. 
 
 
 Hmph. Could well just be because linux (or at least syslinux)
 blindly assumes something that openbsd (probably correctly)
 checks, though? 

In this specific case it's pxelinux.0 which gets loaded via PXE and then
loads the kernel (linux itself) with some parameters for serial console
output.
In this regards, it's Linux itself doing something different than OpenBSD.
What it is? Dunno...
From an administrator's standpoint, Linux is doing the better thing,
attaching a serial console, although the BIOS is already using that
serial port. (And no, this is not a flame bait. I do prefer OpenBSD (and
FreeBSD) over Linux, a lot!)

./Marian



Re: Dell 1650 serial console

2006-08-30 Thread Marian Hettwer

Hej Stuart,


Stuart Henderson wrote:
 On 2006/08/30 16:10, Marian Hettwer wrote:
 

Did that. And also set image bsd.rd and boot bsd.rd, as I can't see
anything at this point of my installation if I disabled the console
redirection after boot.
 
 
 ah, this is pre-install then?
 
pre-install? Well, consider it a machine with a brand new hard disk with
nothing on it whatsoever :)

 are you sure boot.conf is being loaded from the tftp server?
It is...

 (I'm probably stating the obvious here, but it should be in
 /tftpboot/etc/boot.conf not in /tftpboot/boot.conf, and of
 course needs to be readable by the tftp server)
Of course it is
$TFTPROOT/etc/boot.conf
(in my case TFTPBOOT is /boot/fai)

 
 you only need set image, not boot, it should just timeout
 after 5 seconds and load whatever image is set.
Okay... so my machine is booting 5 seconds earlier ;)
As I can't access the bootloader to type in commands anyway, I'd rather
force it to boot bsd.rd than wait 5 seconds, seeing nothing :(

 
 
I wouldn't consider disabling the console redirection altogether, 'cause
then you wouldn't have a chance to get into the BIOS. And you do want to
get into the BIOS.
 
 
 well, depends where you expect to have a problem...
 if it's a choice of only one or the other, I'd rather have
 OS than BIOS, but BIOS is nice to have too.
 
Well, if I want to check within the BIOS to play around with Console
Redirection I need my BIOS output redirected to serial... so BIOS is not
just a nice to have.
Think further: SCSI controllers which you can access just after POST,
but before OS...

I'm still wondering, why OpenBSD complains about com0 and linux doesn't
if console redirection after BOOT is enabled. hm hm hm...
not 100% satisfying :-/

hopefully I can find enough arguments pro OpenBSD (in our company), as
we are using Debian Linux only and I'd like to force alternatives
(OpenBSD) :)

./Marian

PS.: And since we are using FAI to automatically setup our servers,
Debian already has a huge advantage. FAI is, to be honest, a beautiful
piece of software (shell scripts) to do Fully Automated Installations.
Unluckily it only supports Debian Linux...



Re: The future of NetBSD

2006-08-30 Thread Marian Hettwer

Hi Charles,


Charles M. Hannum wrote:

 popularity in 1993 and 1994) have suffered similar problems.  FreeBSD
 and XFree86, for example, have both forked successor projects (Dragonfly
 and X.org) for very similar reasons.
I don't agree that Dragonfly is a successor of FreeBSD. Not yet.
Dragonfly is nowhere near the state of FreeBSD 6.x
Will it get there? Time will tell...


 
 Were TNF comprised of a good set of leaders, this situation might be
 somewhat acceptable -- though certainly not ideal.  The problem is,
 there are really no leaders at this point.  Goals for releases are not
 based on customer feedback or looking forward to future needs, but
 solely on the basis of what looks like it's bubbled up enough that it
 might be possible to finish in time.  There is no high-level direction;
 if you ask what about the problems with threads or will there be a
 flash-friendly file system, the best you'll get is we'd love to have
 both -- but no work is done to recruit people to code these things, or
 encourage existing developers to work on them.
 
This would be the very same with Linux, if there were the same
amount of developers as in NetBSD. I promise that.
I do know this attitude from reading FreeBSD mailing lists.
However, this is pretty natural for OSS projects.
If you don't have a guy/girl who's doing the job, the wishlist gets long
and the manpower gets short.
It is like that... and it's hard to change.
Myself, I would like to have an easy-to-set-up, fully automated, serial
console controlled installation system for FreeBSD and OpenBSD.
This doesn't exist. So in the end it's up to me to make up my mind, if
nobody else does.


 This vacuum has contributed materially to the project's current
 stagnation.  Indeed, NetBSD is very far behind on a plethora of very
 important projects.  Threading doesn't really work across multiple CPUs
 -- and is even somewhat buggy on one CPU.  There is no good flash file
It is like that in Linux too, more or less. So don't worry ;-)

 For these reasons and others, the project has fallen almost to the point
 of irrelevance.  (Some people will probably argue that it's beyond that
 point, but I'm trying to be generous.)  This is unfortunate, especially
 since NetBSD usage -- especially in the embedded space -- was growing at
 a good rate in 2000 and 2001, prior to the aforementioned coup.
 
Avocent's KVM over IP boards are based on NetBSD for instance :)


 
 5) There are a number of aspects of the NetBSD architecture that are
flat out broken, and need serious rehabilitation.  Again, the
leadership needs to recruit people to do these things.  Some of them
include:
 
* serious problems with the threading architecture (including the
  user-kernel interface), as mentioned earlier;
* terrible support for kernel modules;
* the horrible mess that is 32/64-bit compatibility, resulting in
  32-bit apps often not working right on 64-bit kernels; and
* unbounded maintenance work due to inappropriate and rampant use of
  quirk tables and chip-specific tables; e.g. in SCSI, ATAPI, IDE,
  ACPI and SpeedStep support.  (I actually did much of this work for
  SCSI, but am not currently able to commit it.)
 
You really don't want to compare these facts against Linux. I promise
you, despite how popular Linux is, they have the very same problems, and
IMHO it's even worse. Much worse.
The only luck the Linux project has is a whole lot more developers
than any of the BSD projects have.
Does this produce better code? No!
Does this produce more features? Yes.
Does this produce a faster OS? Probably Yes.
But under the hood, Linux is completely screwed. Ever tried to set up
bonding (aka trunk(4)) ?
You don't want to!
It works, okay, but it's a rocky road...


 [I'm CCing this to FreeBSD and OpenBSD lists in order to share it with
 the wider *BSD community, not to start a flame war.  I hope that people
 reading it have the tact to be respectful of their peers, and consider
 how some of these issues may apply to them as well.]
 

I hope people did. Although I doubt that many read that far. You said
true words, and false, and sometimes it looked like a flame war. But all
in all, it was very sad to read.
Go back to your work, and start changing things. Don't stop.. Keep on!

best regards,
Marian, FreeBSD and OpenBSD user/advocate (but paid at work to use
Debian GNU/Linux...)



Re: Porting firewall/routing script to OpenBSD from linux?

2006-08-16 Thread Marian Hettwer



Matthew R. Dempsky wrote:
 On Sun, Aug 13, 2006 at 01:19:31PM -0400, Nick Guenther wrote:

 
 ip is from the iproute2 package.  From the lartc.org manual, ``Why 
 iproute2?''[1]:
 
 Most Linux distributions, and most UNIX's, currently use the 
 venerable arp, ifconfig and route commands. While these tools work, 
 they show some unexpected behaviour under Linux 2.2 and up. For 
 example, GRE tunnels are an integral part of routing these days, but 
 require completely different tools.
 
 With iproute2, tunnels are an integral part of the tool set.
 
 [1] http://lartc.org/howto/lartc.iproute2.html

Oh yeah. That's just great and very typical linux.
Don't get me started, but if you ever tried to use bonding (trunk(4))
under Linux and want to use VLAN tagging on those interfaces too it gets
really really messy *ugh*

I have no fucking clue why those Linux folks are not just fixing their
ifconfig? Well, maybe because Linux is just the kernel and some other
guy who doesn't like anyone is maintaining ifconfig. Who knows...

./Marian



Sun Cobalt RAQ4i

2006-08-15 Thread Marian Hettwer

Hi All,

just a short question: Does anyone have OpenBSD 3.9 successfully up and
running on a Sun Cobalt RAQ4i?
I searched the archives but couldn't find anything useful.

Background. A co-worker of mine wants to setup a DSL router for 8 to 12
people and wanted to use Linux.
Ha. I convinced him to give OpenBSD a shot to use all the beauty of
pf(4) with altq (in comparison to the patched-to-hell iptables/netfilter
setup).
But he already bought this Cobalt RAQ4i, so before I get my hopes up too
much... any experience with this piece of hardware?

Thanks in advance,
Marian



Re: Sun Cobalt RAQ4i

2006-08-15 Thread Marian Hettwer

Hi Nico,

Nico Meijer wrote:
 Hi Marian,
 
 
just a short question: Does anyone have OpenBSD 3.9 successfully up and
running on a Sun Cobalt RAQ4i?
I searched the archives but couldn't find anything useful.
 
 
 I don't think it can be done. I had a RaQ3 once - way back when. The
But the RaQ3 was MIPS based, wasn't it ?

 device specifically searches for some Linux kernel image at a very
 specific spot; I forgot what  where, but I did run Debian on it once.
 
 Not worth the hassle... Nico

Thanks for the info anyways...

best regards,
Marian



Re: OpenBSD gets a poor score in security.

2006-07-27 Thread Marian Hettwer



Spruell, Darren-Perot wrote:
 From: [EMAIL PROTECTED] 

 garbage is third party garbage. One doesn't overlap the others. So if a
 third party package runs into a bug (security, stability, or otherwise),
 OpenBSD doesn't *have* to scramble to bring the application up to date
 because it's not wedged into the core OS.
Those are true words indeed.
However, if I'm running, let's say, a MySQL server, and I need to have
security updates in time, it does matter whether I can get them from the
OS I chose to use.
OpenBSD is secure in many ways, but if the third party app has a
security flaw and released a bugfix, I'd like to see an updated package
/ port too.
Otherwise I would need to compile the bugfixed version from source,
which doesn't make sense at all.
So I need to be a ports committer or something, right? :)
To sum it up: Security wise, it does matter how fast you can get the
updates for your third party apps. Being still lucky that the foundation
of my server (the OS itself) is secure already and doesn't need any
patching -- OpenBSD :-)

And yes, an apt-get update; apt-get upgrade is fast.
But a make package and roll it out is fast too.

./Marian



Re: Which WLAN mini PCI card to use?

2006-07-18 Thread Marian Hettwer

Hej Rod,

on a side note...

Rod.. Whitworth wrote:
 Do NOT CC me - I am subscribed to the list.
I can't CC you. You're in the To: Header when I hit reply.
 Replies to the sender address will fail except from the list-server.
oh. great!
 Your IP address will also be greytrapped for 24 hours after any attempt. 
That's evil. Why don't you learn to configure your MUA correctly and use
the Reply-To: field? If you would set the Reply-To correctly, you
could skip your whole signature down here. Everybody hits reply and the
mails are going back to the list, because your reply-to would be set to
misc@openbsd.org
But since you don't configure your MUA, you want us to do your work,
replacing the To: field from Rod.. Whitworth [EMAIL PROTECTED] to
misc@openbsd.org misc@openbsd.org
BaaH!

 I am continually amazed by the people who run OpenBSD who don't take this 
 advice. I always expected a smarter class. I guess not.
Well, I would expect that someone talking about smarter classes is able
to configure his own MUA.
I don't mind whether you greylist my MTA or not. I suggest you set your
Reply-To header correctly and everything is fine (fewer flames in your
signature, fewer complaints from others about being greylisted).
read: http://www.ietf.org/rfc/rfc0822.txt

Cheers so far,
Marian



Re: Opinion of MySQL 5.xx on OpenBSD 3.9...

2006-06-27 Thread Marian Hettwer

Hej Daniel,

Daniel Ouellet wrote:
 Marian Hettwer wrote:
 
 I'd love to have the time to give OpenBSD a chance on our production
 system. Seems unlikely, since we're running Linux only :(

snipped install steps

 
 Really, a coffee break I tell you. That's all you need. Then compare this
 with Fedora setup time on your Linux for fun. (:
 
I do know how fast and easy it is to setup an OpenBSD box ;-)
I just said, that I won't be allowed to deploy OpenBSD for our database
servers.
Besides, if you have 1000 servers (300 of 'em being MySQL boxes) then
you do want something like kickstart, jumpstart, FAI, whatever.
In our case, we're using FAI (Fully Automated Installer) which is based
on and for Debian.

It may be a coffee break to install one OpenBSD box and it may be just
two coffee breaks to install two OpenBSD boxes, but you can't install
1000 servers with different purposes / configurations / packages the
manual way.

I do know, that some others did already some work in regards to auto
deploying OpenBSD boxes. However, it's nowhere near the functionality of
FAI.

Different topic, though ;)

./Marian



Re: Opinion of MySQL 5.xx on OpenBSD 3.9...

2006-06-26 Thread Marian Hettwer

Hi Daniel,

Daniel Ouellet wrote:

 
 In the end, run what you feel comfortable with, but to the original
 question, is MySQL run good on OpenBSD.
 
 The answer to that is YES!
 
ACK :)
sorry, I was just out for some statistics. Did some not serious
benchmarking myself with MySQL + FreeBSD and MySQL + Linux.
Had no time yet to do it with OpenBSD, though...

 
 But nice to see statistics at all.
 I'd prefer to run OpenBSD or FreeBSD on our database servers anyway, but
 if you're searching the FreeBSD mail archives, Linux is still ahead in
 regards to speed with MySQL...
 
 
 Again, I don't think that was the question anyway. May be instead of
 speculating, it would be nice one day to have someone push each system
 to the limit and see which crashes, or doesn't keep up, but even that,
 wasn't the question.
You are indeed right... but as usual on mailing lists, one can fade away
from the original question. Sorry if it was offending...

 
 To cut that short: I'd use Linux for MySQL if it is all about speed and
 not security. If performance ain't the first goal, go with OpenBSD (or
 FreeBSD) :)
 
 
 Again use what you like and see fit, but know for me, I sure wouldn't
 run my database on Linux. My data is too important for me to risk it and
 yes security is also very important in the picture and I get the benefit
 of having a system that is very stable as well.
 
hehe, and you are right again.
I'd love to have the time to give OpenBSD a chance on our production
system. Seems unlikely, since we're running Linux only :(

 
 Hope this answers the original question.
 
it did.

./Marian



Re: Opinion of MySQL 5.xx on OpenBSD 3.9...

2006-06-24 Thread Marian Hettwer



Daniel Ouellet wrote:

 mysql status;
 --
 44  Open tables: 455  Queries per second avg: 5.117
 --
 
 
 
 # dmesg
 OpenBSD 3.9 (GENERIC) #617: Thu Mar  2 02:26:48 MST 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Intel Pentium III (GenuineIntel 686-class) 844 MHz
 real mem  = 2138677248 (2088552K)
 avail mem = 1945370624 (1899776K)

5 queries per second ain't that much. At work we used to have 40
queries/second on a dual Xeon 3,2 box running Debian Linux (2.4.31).
However, I guess I can't compare that at all. Would be like comparing
apples to oranges.
It all winds down to your database design...

But nice to see statistics at all.
I'd prefer to run OpenBSD or FreeBSD on our database servers anyway, but
if you're searching the FreeBSD mail archives, Linux is still ahead in
regards to speed with MySQL...

To cut that short: I'd use Linux for MySQL if it is all about speed and
not security. If performance ain't the first goal, go with OpenBSD (or
FreeBSD) :)

unluckily, I don't have a choice at work and it'll be Linux :-(

./Marian



Re: Opinion of MySQL 5.xx on OpenBSD 3.9...

2006-06-23 Thread Marian Hettwer

Hi Julian,

Julian Bolivar wrote:
 
 I use MySQL 5.0.18 and OpenBSD 3.9 for AMD64 and work fine,  and I used
 a lot of insert / hour in it, using Innodb tables.
 
What does "a lot" mean? Can you provide a mysqladmin status, or a show
status from mysql?
A dmesg would be great too :)

regards,
Marian



Re: Doubts about OpenBSD security.

2006-06-22 Thread Marian Hettwer

Hi there,

Joco Salvatti wrote:

 
 1. Why doesn't passwd ask superuser's current password when it's run
 by the superuser to change its own password? May not it be considered
 a serious security flaw?
No. If you are already root, you could add easily another user with uid
0. Or do you want to be asked for your root password anytime you use
adduser?
If so, you could add the user by manually editing the passwd...
Generally, if someone is root who shouldn't be root, you're screwed ;)

 
 2. Why doesn't the system ask the password, as a default action, to
 log in the system, when entering in single user mode? May not it also
 be considered a serious security flaw? And why doesn't exist a
 different password to log in single user mode, instead of using root's
 password?
This can be enabled by changing /etc/ttys
However, single user mode usually requires physical access to your box,
but let's see your real world example...

 
 An real example:
 
 Let's suppose an attacker entered the room where an OpenBSD server is
 located in, and by mistake the system administrator has forgotten to
 logout the root login session. So the attacker could enter in single
 user mode, without the need for the root password, and load a
 malicious kernel module. He also could do millions of other things,
 but changing root's password, because the system administrator would
 notice it immediately.
So? If your servers are not physically secure, there's not much the OS
can do about it.
If an attacker could enter the room of your servers, he could easily
reboot the box and boot off a floppy or cdrom into some live system
(OpenBSD live CD, knoppix, whatever) and from there mount your disc and
install his evil evil additional software into your openbsd installation.
Forget it. If your servers are not physically secure, you do have a huge
security problem (which is not OpenBSD related).

 I believe it could be more difficult for the attacker if there were a
 different password to log in the system in single user mode.
No. Not if the attacker is physically in front of the box...

regards,
Marian

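The /etc/ttys change mentioned in the reply above, worked through as an added example (this is not code from the thread or from the OpenBSD project): on OpenBSD, init(8) starts a single-user shell without asking for the root password when the console entry in ttys(5) carries the "secure" flag, and asks for it when the flag is absent or replaced by "insecure". The script below audits a ttys file for that flag and shows the default line beside the hardened one. The ttys contents are constructed samples, the function names are my own, and, as the reply says, the setting only raises the bar when the attacker cannot simply boot other media.

```shell
#!/bin/sh
# Added example: audit the console entry of an OpenBSD-style /etc/ttys.
# Field layout per ttys(5): name getty type status [flags...].
# "secure" on the console line lets init(8) drop into single-user mode
# without a root password; no flag (or "insecure") makes init ask for it.

# Constructed sample of the shipped default: console marked secure.
TTYS_DEFAULT='# name getty type status comments
console "/usr/libexec/getty Pc" vt220 on secure
ttyC0 "/usr/libexec/getty Pc" vt220 on secure
tty00 "/usr/libexec/getty std.9600" unknown off'

# Constructed sample after hardening: only the console status changed.
TTYS_HARDENED='# name getty type status comments
console "/usr/libexec/getty Pc" vt220 on insecure
ttyC0 "/usr/libexec/getty Pc" vt220 on secure
tty00 "/usr/libexec/getty std.9600" unknown off'

# console_status TTYS_TEXT -> prints "secure" or "insecure" for the console entry.
# An absent flag counts as insecure, which is how init(8) treats it.
console_status() {
    printf '%s\n' "$1" | awk '
        /^#/ || NF == 0 { next }            # skip comments and blank lines
        $1 == "console" {
            status = "insecure"
            for (i = 2; i <= NF; i++) if ($i == "secure") status = "secure"
            print status; exit
        }'
}

# single_user_prompts_for_root TTYS_TEXT -> exit 0 if init will ask for the
# root password before starting the single-user shell.
single_user_prompts_for_root() {
    [ "$(console_status "$1")" = "insecure" ]
}

# harden_ttys TTYS_TEXT -> prints the file with the console entry marked insecure.
harden_ttys() {
    printf '%s\n' "$1" | awk '
        !/^#/ && $1 == "console" {
            changed = 0
            for (i = 2; i <= NF; i++) if ($i == "secure") { $i = "insecure"; changed = 1 }
            if (!changed) $0 = $0 " insecure"
        }
        { print }'
}

# Demonstration on the constructed samples.
printf 'default console:  %s\n' "$(console_status "$TTYS_DEFAULT")"
printf 'hardened console: %s\n' "$(console_status "$TTYS_HARDENED")"
```

On a live box the same check is `console_status "$(cat /etc/ttys)"`; the hardening itself is a one-word edit of the console line, after which a reboot into single-user mode prompts for the root password.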


Re: Doubts about OpenBSD security.

2006-06-22 Thread Marian Hettwer



Don Boling wrote:
 Wouldn't this be the main reason to use sudo?
 
Not at all.
If your box is not physically secure, even sudo wouldn't prevent an
attacker from joking around with your server...
Use sudo anyways, but keep your servers physically secure.

./Marian

PS.: Please do not Top Post.
http://en.wikipedia.org/wiki/Top-posting



Re: can't get soekris 4801 to boot via pxe

2006-05-30 Thread Marian Hettwer

Hi Marc,


Marc Peters wrote:
 hello misc,
 
 i bought a soekris 4801 from wim and wanted to install it via net. when
 i boot the box it gets it ip-address and when it comes to load bsd.rd it
 loads the kernel but hangs during load:
 
 OpenBSD/i386 PXEBOOT 1.07
 switching console to com0
 OpenBSD/i386 PXEBOOT 1.07
 booting tftp:bsd.rd: 4435508+740284 [52+155376+141982]=0x538528
 entry point at 0x100120
 ~$f$~xxf$~$f$8~8~$f$f$
 
Just a wild guess, but to me this looks like the serial console tries to
go out with 9600 baud, which is wrong. You get garbled output or no output.
The soekris boards want to run 19200 baud IIRC.

 
 ~ # cat /tftpboot/etc/boot.conf
 set tty com0
 boot bsd.rd
you may want to define the speed of your console here :)
stty com0 19200

:)

good luck,
Marian



Re: they say openbsd is not as scalable as others

2006-05-29 Thread Marian Hettwer



Karsten McMinn wrote:

 Back to the OP: there isn't any situation in the
 net facing server world that is not best served
 with OpenBSD.

best served in the net server world is pretty hard stuff.
What is best served? In a business environment best served may be
fast served and I doubt that I would like to run MySQL under OpenBSD
if it comes to performance.
I go with Linux (Debian Sarge or Gentoo Linux) for MySQL servers under
heavy load.
I'd go for FreeBSD for apache webservers (doing the usual perl, php,
whatever stuff) and I'd go for OpenBSD for the mod_proxy Apache in front
of these FreeBSD and Linux boxes...

so what is best served?

./Marian



Re: Recommended window manager for OpenBSD

2006-05-29 Thread Marian Hettwer



Andris Delfino wrote:

 On 5/26/06, Roger Neth Jr [EMAIL PROTECTED] wrote:
 
 On 5/26/06, Alexander Hall [EMAIL PROTECTED] wrote:
  Christopher Nelson wrote:
  [...]
   I was wondering what window manager was recommended for use with
 OpenBSD
   3.9?  i.e, one that is reasonably current, and not broken.
 
  Am I the only one that is quite satisfied with fvwm? While not as
  keyboard-only-friendly as ion et al by default, it is quite decent.
 
  Furthermore, it comes with the base install, which is the main reason I
  stick with it. I've tried quite a few window managers (briefly), and I
  really did not find any reason to switch.
 
  /Alexander
 
 

 I have the same sentiment but never voiced it.

 I've been using ion for a while now, and I absolutely recommend it to
 everyone. At least, give it a try, it's pretty handy.

I'm stuck with fluxbox and I'm quite happy. You can define your
shortcuts as you wish, it's pretty fast and slim too.

./Marian



Re: newbie: panic question (azalia driver)

2006-05-15 Thread Marian Hettwer



Joachim Schipper wrote:
 On Mon, May 15, 2006 at 10:13:47AM +0200, Srebrenko Sehic wrote:
 
How do you debug/{copy,paste} a panic on pc or laptop that has no serial 
ports?

I think IBM thinkpads docking stations have a serial port. Not sure
about the Lenovo.
Or you can just use a digital camera and take a picture of a panic/trace.
 
 
 Posting such an image will not be accepted on most lists, and most likely
 either gets you flamed or ignored.
You could upload the picture on your own webspace somewhere and post the
link, though. I guess that won't get you flamed / ignored...

 
 Transcribing from a photo might be a useful idea, though.
Well yeah, take the hard way if you're a masochist ;)

./Marian



Re: /var filled up and can't login locally or remotely

2006-05-11 Thread Marian Hettwer

Hi there,

Hannah Schroeter wrote:
 Hi!
 
 On Wed, May 10, 2006 at 04:17:11PM +0200, Marian Hettwer wrote:

Even if you use the bash-static package, bash gets installed into
/usr/local/bin (IIRC) and you may not have /usr while being in single
user mode.
 
 
 The latter should not really be a problem. init prompts for the shell
 to execute anyway if you boot into single user, so you can say /bin/ksh
 then even if root's shell were changed.
That's right too. Forgot about that :)

 
 However that point of mine isn't meant to imply that it were a good idea
 or necessary to change root's shell.
 
I just plain think it's not a good idea. Period :)

 sudo works just fine.
 
ACK.

regards,
Marian



Re: OT: Serial2ssh device

2006-05-11 Thread Marian Hettwer

Hi there,

[EMAIL PROTECTED]@mgEDV.net wrote:
I am seeking advice prior to buying a serial to ssh device, sometimes
referred to as serial server or serial port server. I am thinking of
a black box 19 rack mount thing where I can plug in =16 cables from
the serial ports of all my OpenBSD boxes (growing number ;) ). This
'thing' should then securely connect to ethernet and offer some openssh
login.

Any recommendations in addition to the colorful lies on the web from all
the vendors? Experiences? Any pitfalls?

 
 blackbox i personally like, but lantronix i setup and never wanted
blackbox is just an OEM of Cyclades ACS, IIRC.

I don't like Lantronix though. Are they still around?

 to leave ;-) they work very well, ssh-access possible, rj45 ports
 are standard, many many supported protocols...
 
right.

 give them a try, if it's for a serverfarm, it's worth it ;-)
 
Cyclades ;-)

./Marian



Re: OT: Serial2ssh device

2006-05-11 Thread Marian Hettwer

Hi Andrew,

Andrew Veitch wrote:
 On Thu, 11 May 2006, Stephan A. Rickauer wrote:
 
 Any recommendations in addition to the colorful lies on the web from
 all the vendors? Experiences? Any pitfalls?
 
 
 I've not had any problems with a Cyclades TS system.  I don't know what
 their ACS range is like though.
I strongly recommend and agree on Cyclades Console Servers (aka Serial
Console Server or Terminal Server).
ACS range is basically just the successor of the TS series. Some nice
new features and I bet the TS Series will go End of Life some day soon
(as ACS series is around since 2003 and TS series since 2000).

ACS and TS are in port density of 4, 8, 16, 32 and 48 serial ports. All
being 19 and 1U :)

Never had problems with a cyclades box. Support is for free and fast.
We have some Digi console servers at work. They are troublesome
sometimes, although Digi copied the cyclades firmware...

 
 http://www.cyclades.com/products/2/ts_series
 
right :)

regards,
Marian



Re: OT: Serial2ssh device

2006-05-11 Thread Marian Hettwer

Hi Diana,

Diana Eichert wrote:

 company doing the same thing called Logical Solutions (think logical).  It
 would be nice if companies making money off of selling secure console
 servers would give some back to the OpenSSH project.
 
Which reminds me to ask back at some of my ex-colleagues at cyclades...
Since Cyclades is quite open source friendly and they're using OpenSSH
too... worth asking I guess :)

regards,
Marian



Re: OT: Serial2ssh device

2006-05-11 Thread Marian Hettwer

Hi Theo,

Theo de Raadt wrote:

 
 They won't, if this is the only place this problem is mentioned.
 
 That's why all the large contributions that I have gotten, have been
 hard work of finding the right person to mention it to, and actually
 asking them for a reason (a quote) as to why they won't.
 
 But mentioning it here, on this mailing list?  How will that affect
 anything?
 
Well that's the reason why I wrote a mail just a few minutes ago to two
ex colleagues of mine at cyclades.
One being the CTO.
I asked the very same when the OpenBSD project needed two PC300 (E1/T1
cards) and last time my (ex) CTO had no problem donating two of those cards.

I hope that he's still in the same position at cyclades and I'm looking
forward to his reply.
In fact, the use of OpenSSH on Cyclades console servers gave them quite
a big share in the console server market...

So, let's wait for an answer :)

regards,
Marian



Re: FYI, 1and1 hosting fun (ip subnet zero)

2006-05-11 Thread Marian Hettwer



Timo Schoeler wrote:

 
 
 IDE. puke. 'ExelStore'. wtf? i wouldn't give such hardware to my
 enemies. ;D
You're right with ExelStore ;)
Anyway, my server at strato is running fine for 2,5 years now. FreeBSD
5.2.1, 5.3, 6.0, 6.1 ;)
But I do have to make my mind up about backups... don't trust those
ExelStore at all..

regards,
Marian



Re: /var filled up and can't login locally or remotely

2006-05-10 Thread Marian Hettwer

Hi there,

Giancarlo Razzolini wrote:
 Paul de Weerd wrote:
 
 
Don't change root's shell.


It's set to a static shell (/bin/ksh these days) for a reason.


 
 Changing the root shell doesn't hurt. But you have to install your shell
There is absolutely no reason to change root's shell.
There is even no reason at all to work as root.
Use sudo, or even su -m, or execute bash after you become root.
Even if you use the bash-static package, bash gets installed into
/usr/local/bin (IIRC) and you may not have /usr while being in single
user mode.

 static. I use the bash-static from packages, and hadn't any problems. I
 think that booting in single and cleaning some trash, might solve the
 problem. Also you might want to consider installing the bash-static.
You might consider leaving root untouched...

regards,
Marian



Re: Compilers make a system less secure?

2006-05-04 Thread Marian Hettwer



Robert C Wittig wrote:

 
 I have my MUA set so that this (and other) email-list sub-directories
 reply automatically to the list for which they receive email, and only
 noticed that you had emailed me off-list on the last email, so all my
 replies to you and everyone else on this and all other lists are sent
 to list, unless the email is marked 'off list' or some variation, in
You should learn to configure your MUA correctly. If you set your
Reply-To Header to [EMAIL PROTECTED], of course a reply won't
be sent to misc@openbsd.org
Set your Reply-To Header correctly and you'll see, mail will go to the
list, not to you :)

In any case, I do a reply-all. And if someone complains, set your
Reply-To correctly...

./Marian



Re: Compilers make a system less secure?

2006-05-02 Thread Marian Hettwer



Anton Karpov wrote:
 Maybe, because in some cases, it just takes a bit more time to 0wn your box
 if it has no compiler installed.
No, not at all. You can't attack a compiler, it's not accessible from
the outside.

The only reason I can think of in regards to not installing a compiler
is a simple one:
If you don't need it, don't install it.
On our webservers, we definitely need no compiler, so it's not installed.

Does that increase security? No.
Apart from the fact that you shouldn't install / run things you don't
need on production systems :)

./Marian



Re: Compilers make a system less secure?

2006-05-02 Thread Marian Hettwer

Hej Bob,

Bob Beck wrote:
 
   In my experience it's simple. Generally speaking, not installing a
 compiler makes the system less secure. Why? real easy. Most systems I
 have ever seen without a compiler has software running on it that is
 behind on its updates. When you ask the system administrator why, it
 is Oh I don't have the compiler installed
 
Nah, I have to disagree. A production system shouldn't spend its time
compiling software (to provide security updates).
In a bigger environment (say 1000 servers) I will have a build system
which compiles all the stuff needed for updating the servers. Hence I
don't need / want a compiler on my production servers.

   Not giving the system administrator the tools to install
 security updates is a recipe for a less secure system. 
That's true. However, see my statement above :)
It's a waste of cpu time to do compiling on a server which is actually
busy providing a database or having an apache up 'n running.

 
 Meanwhile, an attacker, if they need something compiled,
 can simply compile elsewhere and bring it in, or install the tool
 once the box is owned. 
True. I never argued against that :)

 
   -Bob
 
   (Yes there are exceptions to this if you have some other sort of
 update mechanism in place, blah blah blah.  90% of people don't,
You simply want binary updates. If I would tell my boss that we need n
more servers, because they're all busy compiling the same stuff for
themselves... well, I can imagine what answer I would get ;)

 because they run openbsd and never need to patch it, but then run
 other dubious stuff out of /usr/local/ and should be..)

then this other stuff should be compiled centrally on a build server.

./Marian



Re: rdesktop segmentation fault

2006-04-24 Thread Marian Hettwer

hej Chris, List,

just a follow-up to my last mail for the archives:
I'm now running rdesktop with -a 16 for 16bit, not with -a 24 anymore.
Since using just 16bit rdesktop never crashed.
So, this may be the solution ;)

thanks so far,
Marian (waiting for his 3.9 CD Set... hej Wim! ;) )

Chris Kuethe wrote:
 i usually run in 16bit, with -x m ... i don't need the eyecandy, i
 just need to get to a 'doze box every now and then.
 
 with regard to the port, i think
 CC=gcc -g make SUDO=sudo package
 should do it...
 
 On 4/10/06, Marian Hettwer [EMAIL PROTECTED] wrote:
 
 Hej Chris,
 
 Chris Kuethe wrote:
 
Hnf. That's weird. I'm the maintainer for the port, and I've never
seen this happen.
 
 
 I used to start rdesktop with -a 24 to get 24bit colour depth.
 rdesktop is now running stable for some hours with -a 16bit
 Well, that's strange, eh?
 
 I'll observe that and if rdesktop is crashing again, I'll drop you a line.
 
 
Can I get you rebuild the port with debug symbols, and send me a gdb
backtrace from GDB?
 
 
 if it crashes again, I'll do so.
 Well... does the port itself (net/rdesktop) have a flag for a debug
 build? Or do I have to build it manually (as in, not from ports)
 
 Thanks so far,
 Marian

 --
 GDB has a 'break' feature; why doesn't it have 'fix' too?


