[cryptography export] OpenBSD solution for usage within EAR/CRF defined rogue states.
Hi misc@

I have been assigned a task with an extremely short timeline. The objective is to produce an EAR/CRF compliant laptop based workplace solution with as many bells and whistles as possible (anything from VPN, MTA, LibreOffice to SAPgui and more) on non-US produced OS and hardware.

I have looked at mtier.org and expect that there are other vendors out there providing the same kind of service and solution, but with a two week timeline it is not even feasible to have any of these vendors processed for usage and I need to produce a stand-alone OpenBSD based laptop solution now.

Anybody on the list that can offer some advice or experience? This will be much appreciated.

/Per
Could someone please tell Mark Kettenis that ..
Hi all,

Could someone close to Mark Kettenis please tell Mark to get in touch with me directly/off-list, thank you.

The best to you all,
/per [EMAIL PROTECTED]

--
The most worth-while thing is to try to put happiness into the lives of others. - Sir Robert Baden-Powell
Syskonnect [msk] problem
Hi all,

i386 / 4.0 (Aug. 28 2006 23:10 snap), dmesg below.

I am replacing a couple of high-traffic routers in our datacenter and have just received (among others) a bunch of Syskonnect SK-9X22 dual Gbit server adapters for the job. These NICs should be supported by the 'msk' driver from 3.9-current as of ~ Aug. 20 2006 and they are also recognized by the system ... sort of. For comparison please note the 'bge' NICs.

Please note that on the Supermicro X6DH8-XB board I have disabled (in BIOS or by jumper):
- ACPI
- HTT
- COM2
- onboard 'bge' NICs (enabled while debugging)
- Adaptec U320 controller

Any kind of input that can bring me closer to a couple of working systems is appreciated a lot.

From dmesg [...]
OpenBSD 4.0 (GENERIC) #1097: Mon Aug 28 22:11:47 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.20GHz (GenuineIntel 686-class) 3.21 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16
real mem = 2146484224 (2096176K)
avail mem = 1949913088 (1904212K)
using 4256 buffers containing 107425792 bytes (104908K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(ce) BIOS, date 01/24/06, BIOS32 rev. 0 @ 0xfd420, SMBIOS rev.
2.33 @ 0x7ff79000 (41 entries) bios0: Supermicro X6DH8-XB pcibios0 at bios0: rev 2.1 @ 0xfd420/0xbe0 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde20/448 (26 entries) pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00) pcibios0: PCI bus #10 is the last bus bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 ipmi at mainbus0 not configured cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel E7520 MCH rev 0x0c Intel E7520 MCH ERR rev 0x0c at pci0 dev 0 function 1 not configured Intel E7520 MCH DMA rev 0x0c at pci0 dev 1 function 0 not configured ppb0 at pci0 dev 2 function 0 Intel MCH PCIE rev 0x0c pci1 at ppb0 bus 1 ppb1 at pci1 dev 0 function 0 Intel PCIE-PCIE rev 0x09 pci2 at ppb1 bus 2 mskc0 at pci2 dev 1 function 0 Schneider Koch SK-9Sxx rev 0x14, Marvell Yukon-2 XL rev. A3 (0x3): irq 5 msk0 at mskc0 port A, address 00:00:5a:72:e0:4e msk0: phy failed to come ready msk0: no PHY found! msk1 at mskc0 port B, address 00:00:5a:72:e0:4f msk1: phy failed to come ready msk1: no PHY found! mskc1 at pci2 dev 3 function 0 Schneider Koch SK-9Sxx rev 0x14, Marvell Yukon-2 XL rev. A3 (0x3): irq 5 msk2 at mskc1 port A, address 00:00:5a:72:e1:7f msk2: phy failed to come ready msk2: no PHY found! msk3 at mskc1 port B, address 00:00:5a:72:e1:80 msk3: phy failed to come ready msk3: no PHY found! Intel IOxAPIC rev 0x09 at pci1 dev 0 function 1 not configured ppb2 at pci1 dev 0 function 2 Intel PCIE-PCIE rev 0x09 pci3 at ppb2 bus 3 mskc2 at pci3 dev 1 function 0 Schneider Koch SK-9Sxx rev 0x14, Marvell Yukon-2 XL rev. A3 (0x3): irq 5 msk4 at mskc2 port A, address 00:00:5a:72:e0:30 msk4: phy failed to come ready msk4: no PHY found! msk5 at mskc2 port B, address 00:00:5a:72:e0:31 msk5: phy failed to come ready msk5: no PHY found! 
Intel IOxAPIC rev 0x09 at pci1 dev 0 function 3 not configured ppb3 at pci0 dev 4 function 0 Intel MCH PCIE rev 0x0c pci4 at ppb3 bus 4 bge0 at pci4 dev 0 function 0 Broadcom BCM5721 rev 0x11, BCM5750 B1 (0x4101): irq 5, address 00:30:48:78:76:a8 brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0 ppb4 at pci0 dev 5 function 0 Intel MCH PCIE rev 0x0c pci5 at ppb4 bus 5 bge1 at pci5 dev 0 function 0 Broadcom BCM5721 rev 0x11, BCM5750 B1 (0x4101): irq 5, address 00:30:48:78:76:a9 brgphy1 at bge1 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0 ppb5 at pci0 dev 6 function 0 Intel MCH PCIE rev 0x0c pci6 at ppb5 bus 6 ppb6 at pci0 dev 7 function 0 Intel MCH PCIE rev 0x0c pci7 at ppb6 bus 7 ppb7 at pci7 dev 0 function 0 Intel PCIE-PCIE rev 0x09 pci8 at ppb7 bus 8 mskc3 at pci8 dev 1 function 0 Schneider Koch SK-9Sxx rev 0x14, Marvell Yukon-2 XL rev. A3 (0x3): irq 5 msk6 at mskc3 port A, address 00:00:5a:72:e0:42 msk6: phy failed to come ready msk6: no PHY found! msk7 at mskc3 port B, address 00:00:5a:72:e0:43 msk7: phy failed to come ready msk7: no PHY found! Intel IOxAPIC rev 0x09 at pci7 dev 0 function 1 not configured ppb8 at pci7 dev 0 function 2 Intel PCIE-PCIE rev 0x09 pci9 at ppb8 bus 9 Intel IOxAPIC rev 0x09 at pci7 dev 0 function 3 not configured uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 5 usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 11 usb1 at uhci1: USB revision 1.0 uhub1 at usb1 uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: irq 7 usb2 at uhci2: USB revision 1.0 uhub2 at usb2 uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
Re: OT Media-Converters, was Re: BGP router now running desp. low on mem.
Siegbert Marschall wrote:

Hi,

## Physical connection: ##

We are terminating with this carrier in a FE port but due to the distance between them and us at the datacenter location, a FDDI connection was placed in between like:

[our router][100baseTX][IMC**]//..fiber..//[IMC**][100baseTX][switch integrated in a Cisco 7200 iron][Cisco iron itself/router]

* Attenuation on the FDDI part was 1.2dB respectively 1.3dB which is not brilliant, but okay. More importantly it's within the specifications of the IMC's.

** (IMC = MOXA Industrial Media Converter 101 a.k.a. IMC-101 for both Single- and Multi mode / SC connectors. We even replaced these with MOXA EDS-208-M-SC (larger model) as well).

I think here you have the Problems. I can't see any FDDI stuff in this drawing so I will assume for the moment that is just a FDDI type fiber you are connected to and everything else is Ethernet. The IMC-101 is just a plain media-converter without any Layer-2 capabilities according to http://www.moxa.com/product/IMC-101.htm but they are not completely dumb devices, so one has to be careful with them.

I chose Moxa because we have very good experiences with their other products (embedded solutions, RS-232 etc.) and because the IMC-101 (and EDS-208) all comply with the IEEE 802.3 standard - and from the Moxa doc.: ..provides industrial grade media conversion between 10/100BaseT(X) and 100BaseFX. Maybe I've presumed too much, but I took (from the above) layer-2 capabilities as granted.

In the connection above there is something very important to know: Autonegotiation activated in any part of the setup is a bit like playing russian roulette. Either the whole chain supports it perfectly or you are fd. Make sure that you have Autonegotiation off _everywhere_ and everything is set and bolted to Fullduplex otherwise you might get the strangest and hard to trace errors.

I helped someone troubleshoot a similar setup at his decix connection a few years ago and they've been swapping media-converters back and forth till we just used a switch as media converter catching the FDX/HDX issue in the middle so the ends were happy and some people were wondering for a few weeks to whom the new mac address (of the switch) belonged which suddenly appeared in the decix mesh till the link got switched over to fiber end to end.

I'm well aware of that particular problem which is why I gave the new carrier a list of termination settings firsthand and later we've also gone up and down all the speed- and duplex-mode (and other) settings during the troubleshoot (another nice feature that initially added to the go-list on the Moxa IMC's was indeed the dip switch on Moxa's converters giving an opportunity to choose between 'auto' and 'full-duplex'). I think you are on to something / you are right about the (maybe) missing layer-2 feature and/or a faulty FDX/HDX issue. About the mac; I can almost picture the wrinkles in someone's forehead :)

I am not of the opinion of the other poster, media-converters are not bad. But they are devices which need to be treated with respect, not everything can be transparently converted to other media. There normally aren't any flp-pulses on fiber since it is FDX by nature, so FDX/HDX negotiation is troublesome. Some converters emulate it or catch the autoneg but whether the equipment you connect to the converter is capable of actually talking to it is also not for sure.

-sm

Thank you very much for your thorough answer Siegbert and it's been nice to hear from someone who has been through the same exercise.

/per [EMAIL PROTECTED]
Re: OT Media-Converters, was Re: BGP router now running desp. low on mem.
Diana Eichert wrote:

Just wanted to throw in my US$.02 worth on the media converter issue. At my place of employment a facility design decision was taken a few years ago mandating all fiber buildings. It was pretty obvious they were clueless about commodity h/w so now we have this huge installation of IMC media converters. We have seen the exact same issues related to auto negotiation with a lot of our hosts.

diana

I know that we've been through all negotiation settings, which is why I think the problem is caused by some sort of TX/FX related error (unfortunately I'll never know for sure).

Thank you for the input Diana.

/per [EMAIL PROTECTED]
Re: BGP router now running desperately low on memory [epilogue]
Hi all,

Just to make sure nobody's sitting and wondering what happened with this thread, here's a final mail with a short description of what's cooking right now and what was boiling back then.

Below you'll find:
- case
- situation
- conclusion
- physical connection
- hardware
- a few tips

## Case: ##

When I added another BGP peer to my router the overall network/routing performance on the server was brought to an almost staggering halt until I downed the BGP session again.

## Situation: ##

At first I had warp-speed on the wire and all tests on the connection (*) seemed okay. Trivialities like speed-, duplex-, MTU settings etc. were agreed upon before the connection was established. The time elapsed from initiating the BGP session to severe performance degradation was 2 minutes and if I did not down the BGP session within the next minute (literally) then routing and network performance would drop like a piano out of the sky. In short I was using all mbufs (Kbytes allocated to network 97%). Raising kern.maxclusters stepwise gave me a short lived break until I reached a given point (see tips below). Above that I gained nothing and stopped raising it any further.

The new carrier had a lot of alignment errors (CRC/FCS) and packet size problems (Jabbers/rxOversizedPkts) in their log / on their side. We both had heavy packet losses after these few minutes. 'tcpdump' did not reveal any significant signs of a sick connection on my side.

A lot of testing has been done since. The connection however, is still not running but adjustments on the peer's side and replacements on the connection itself have raised the panic-threshold from 2 min. to around 18 min. before disaster strikes.

## Conclusion: ##

I'll receive a fiber directly to my front door from the new peer shortly i.e. we'll bypass the copper-fiber-copper connection. I don't like not being able to pinpoint the problem before moving on, but I have no way of seeing what's going on on the other side. I have an idea that the Cisco box and the converters do not like each other, but again it's only a guess.

What I do know is that an error-prone connection combined with a well connected BGP peer can jeopardize an entire BGP router's performance. BGP cannot see how well the connection is running - it can only see link and link = traffic = congestion. I cannot claim to have found the 'holy grail' in BGP troubleshooting but I can rightfully claim that I've eliminated my OpenBGPD as source of error (both as i386 and amd64) and I can also rightfully claim to have found a few settings that actually make a difference. If the carrier finds the problem and informs me, I will of course inform all of you as well.

## Physical connection: ##

We are terminating with this carrier in a FE port but due to the distance between them and us at the datacenter location, a FDDI connection was placed in between like:

[our router][100baseTX][IMC**]//..fiber..//[IMC**][100baseTX][switch integrated in a Cisco 7200 iron][Cisco iron itself/router]

* Attenuation on the FDDI part was 1.2dB respectively 1.3dB which is not brilliant, but okay. More importantly it's within the specifications of the IMC's.

** (IMC = MOXA Industrial Media Converter 101 a.k.a. IMC-101 for both Single- and Multi mode / SC connectors. We even replaced these with MOXA EDS-208-M-SC (larger model) as well).

All Cat6 STP cables have been replaced more than once and the fiber once.

## Hardware: ##

My OpenBGPD setup is plain-vanilla with 4 BGP peers, one eBGP peer and two public networks on the inside (700+ servers). The BGP box I have (OpenBSD 3.9 -stable / amd64 / bsd.mp) is a serverworks based box with 2GB of RAM per CPU, Intel PRO/1000MT dual and quad server NICs, U320 SCSI etc., etc. - i.e. this is not about exhaustion due to inferior or inadequate hardware.

My network performance related sysctl settings:
net.inet.ip.ifq.maxlen=250
kern.maxclusters=32768 (this has been tested stepwise (~6500 at a time) from the std. setting [6144] and up)

Note_0: normally I run this on an i386 Xeon based box with 4GB of RAM, but the box is down for upgrade/maintenance, hence the temporary amd64 arch.
Note_1: the new boxes I'm building have a 64-bit Xeon CPU, 2GB of RAM, Syskonnect NICs and i386 as arch.

## A few tips: ##

The tips I've put below are all confirmed successes and a mixture of experience, what I've been told by Henning/Claudio and what I've seen on this list (some of the sysctl settings). The important thing is that they actually work.

0 - run busy BGP routers on i386 compared to amd64
1 - run busy BGP routers on [serverworks based] single CPU systems.
2 - run busy BGP routers on 2GB of memory at the most. On a healthy box going from 4 GB of RAM to 2GB gives a drop on almost 20% in 'Kbytes
Re: BGP router now running desperately low on memory [epilogue]
Stuart Henderson wrote:

On 2006/09/20 17:05, Per Engelbrecht wrote:
The BGP box I have (OpenBSD 3.9 -stable / amd64 / bsd.mp) is a serverworks based box with 2GB of RAM per CPU, Intel PRO/1000MT dual and quad server NICs, U320 SCSI etc., etc. - i.e. this is not about exhaustion due to inferior or inadequate hardware.

which serverworks? I'm not entirely happy with my ht1000 boards. and, any particular reason you chose to run amd64 on them rather than i386?

* ServerWorks BCM5785 (Tyan Thunder / Opteron200) respectively Intel 7500 chipsets (SuperMicro / Xeon). Using serverworks kinda ensures a steady/fast platform with excellent bus IO.

** No it's the other way around - I prefer i386 on network critical installations like my BGP routers. The current amd64 box was what I had at the moment when I made a switch two weeks ago.

thanks for the update.

Anytime.

/per [EMAIL PROTECTED]
BGP router running low on memory with 4GB of RAM ..!
Hi all,

- OpenBSD 4.0 (built on snap from aug. 28 2006 23:10)
- i386
- 'netstat -m', 'top' and 'dmesg' below.

I've just rebuilt one of my BGP routers and I'm having a real bad memory/performance issue with this box. (Yes, I'm running -current in production due to an Intel Pro/1000GT Quad card I've had to put in the box; only supported in -current.)

The box seems to choke on whatever once in a while and the problem seems to be memory related. If I e.g. ping one of my peers, I see this:
...
ping: Could only allocate a receive buffer of 8191 bytes (default 65535)
...

Do not like the sound of that, so I did a netstat -m:

4517 mbufs in use:
        4500 mbufs allocated to data
        12 mbufs allocated to packet headers
        5 mbufs allocated to socket names and addresses
4495/5886/6144 mbuf clusters in use (current/peak/max)
12988 Kbytes allocated to network (77% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
...

I've made a sysctl change: net.inet.ip.ifq.maxlen=250 but resetting that to 50 (standard) does not help.

Can anybody point me in the right direction? Any help is appreciated.
top
load averages: 0.20, 0.17, 0.16    11:13:28
27 processes: 26 idle, 1 on processor
CPU states: 0.6% user, 0.0% nice, 0.4% system, 56.6% interrupt, 42.4% idle
Memory: Real: 79M/369M act/tot Free: 3534M Swap: 0K/512M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE   WAIT     TIME    CPU COMMAND
31095 _pflogd    4    0  560K  344K sleep   bpf      1:43  0.05% pflogd
29375 root       2    0 7088K 7312K sleep   poll     8:13  0.00% bgpd
 4183 _bgpd      2    0   62M   63M sleep   poll     5:35  0.00% bgpd
30920 _syslogd   2    0  288K  544K sleep   poll     1:10  0.00% syslogd
16233 proxy      2    0  344K  740K sleep   kqread   0:31  0.00% ftp-proxy
29026 _bgpd      2    0 1092K 1284K sleep   poll     0:09  0.00% bgpd
 7885 root       2    0 1136K 1092K sleep   select   0:04  0.00% sendmail
23957 pere       2    0 3372K 1460K sleep   select   0:00  0.00% sshd
 2921 root       2    0  324K  592K idle    select   0:00  0.00% inetd
12586 named      2    0 2120K 2296K sleep   select   0:00  0.00% named
11677 _ntp       2    0  244K  592K sleep   poll     0:00  0.00% ntpd
23317 root       2    0  588K  676K idle    select   0:00  0.00% cron
   97 root       2    0  264K  508K sleep   poll     0:00  0.00% ntpd
28186 pere      18    0  660K  524K sleep   pause    0:00  0.00% ksh
18197 root       2    0 3332K 2180K idle    netio    0:00  0.00% sshd
 4479 root       2    0  268K  552K idle    netio    0:00  0.00% syslogd
    1 root      10    0  324K  356K idle    wait     0:00  0.00% init
 2759 pere      29    0  392K  900K onproc  -        0:00  0.00% top
/top

dmesg
OpenBSD 4.0 (GENERIC) #0: Wed Aug 30 13:10:18 CEST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.81 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem = 4160319488 (4062812K)
avail mem = 3818098688 (3728612K)
using 4256 buffers containing 208117760 bytes (203240K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 09/18/03, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev.
2.3 @ 0xf84b0 (44 entries) bios0: Supermicro X5DPA pcibios0 at bios0: rev 2.1 @ 0xf/0x1 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3000/176 (9 entries) pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801CA LPC rev 0x00) pcibios0: PCI bus #5 is the last bus bios0: ROM list: 0xc/0x8000 0xc8000/0x8e00 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel E7501 MCH Host rev 0x01 ppb0 at pci0 dev 2 function 0 Intel E7500 MCH rev 0x01 pci1 at ppb0 bus 2 Intel 82870P2 IOxAPIC rev 0x04 at pci1 dev 28 function 0 not configured ppb1 at pci1 dev 29 function 0 Intel 82870P2 PCIX-PCIX rev 0x04 pci2 at ppb1 bus 4 ppb2 at pci2 dev 1 function 0 Pericom PI7C21P100 PCIX-PCIX rev 0x01 pci3 at ppb2 bus 5 em0 at pci3 dev 4 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03: irq 10, address 00:0e:0c:b5:e0:d0 em1 at pci3 dev 4 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03: irq 10, address 00:0e:0c:b5:e0:d1 em2 at pci3 dev 6 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03: irq 10, address 00:0e:0c:b5:e0:d2 em3 at pci3 dev 6 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03: irq 10, address 00:0e:0c:b5:e0:d3 em4 at pci2 dev 2 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 10, address 00:04:23:9e:f2:3a em5 at pci2 dev 2 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 10, address 00:04:23:9e:f2:3b ahd0 at pci2 dev 3 function 0 Adaptec AIC-7902B U320 rev 0x10: irq 10 ahd0: aic7902, U320 Wide Channel A, SCSI Id=7, PCI-X 67-100Mhz, 512 SCBs scsibus0 at ahd0: 16 targets ahd1 at pci2 dev 3 function 1 Adaptec AIC-7902B U320 rev 0x10: irq 10 ahd1: aic7902, U320 Wide Channel B, SCSI Id=7,
Re: BGP router running low on memory with 4GB of RAM ..!
Henning Brauer wrote:

* Per Engelbrecht [EMAIL PROTECTED] [2006-08-31 11:55]:
Hi all, - OpenBSD 4.0 (built on snap from aug. 28 2006 23:10) - i386 - 'netstat -m', 'top' and 'dmesg' below. I've just rebuilt one of my BGP routers and I'm having a real bad memory/performance issue with this box. (yes, I'm running -current in production due to an Intel Pro/1000GT Quad card I've had to put in the box; only supported in -current).

despite all the yammering by some pplz that is not a problem at all.

I know, but to avoid the lecture I mentioned it up front. I've read the cvs logs as well and besides, both bgpd and pf have been running rock-steady for a very, very long time now so I was confident turning the power on .. as usual :)

The box seems to choke on whatever once in a while and the problem seems to be memory related. If I e.g. ping one of my peers, I see this: ... ping: Could only allocate a receive buffer of 8191 bytes (default 65535) ...

so you are running out of mbufs.

Do not like the sound of that, so I did a netstat -m: 4517 mbufs in use: 4500 mbufs allocated to data 12 mbufs allocated to packet headers 5 mbufs allocated to socket names and addresses 4495/5886/6144 mbuf clusters in use (current/peak/max)

so, the reason is mbuf cluster use. two possibilities:
1) your mbuf cluster is high, but stable
2) it is constantly rising
hope for 1). you have quite a few network interfaces in there. if >=1 is connected to a slowish link and you have to buffer a lot, you could just use up that many mbuf clusters. try to raise kern.maxclusters. monitor your mbuf cluster usage using netstat -m.

The kern.maxclusters are currently 6144 (standard) on the box. If I raise it to e.g. 16384 or 12288 I get a: sysctl: top level name 16384 is invalid - what would be a correct stepwise increase of the state/value? BTW, is kern.maxclusters a 'mbuf cluster' sysctl MIB analogy? More BTW, what is the size of a 'mbuf cluster' in obsd?

if it is 2) there is a leak somewhere, and these are incredibly hard to track down.

The first peer is running 100Mbps / 'ifconfig' = (100baseTX full-duplex)
The second peer is running 60Mbps / 'ifconfig' = (1000baseT -duplex)
The third peer is running 100Mbps / 'ifconfig' = (100baseTX full-duplex)

Our second peer is running 60Mbps due to some sort of contract/pricing/whatever reason and this awkward speed mode is set on their side / their router. Could that be the mbuf thief/reason?

Thank you Henning.

/per [EMAIL PROTECTED]
Re: BGP router running low on memory with 4GB of RAM ..!
Henning Brauer wrote:

* Per Engelbrecht [EMAIL PROTECTED] [2006-08-31 13:45]:
The kern.maxclusters are currently 6144 (standard) on the box. If I raise it to e.g. 16384 or 12288 I get a: sysctl: top level name 16384 is invalid - what would be a correct stepwise increase of the state/value?

you have some misuse of sysctl. sysctl kern.maxclusters=12288 or the like.

BTW, is kern.maxclusters a 'mbuf cluster' sysctl MIB analogy?

clusters are allocated dynamically (well, it's a little more complicated than that, but that's sufficiently close to reality). kern.maxclusters is the upper limit.

Check.

More BTW, what is the size of a 'mbuf cluster' in obsd?

2048 bytes

Check.

netstat -m. if it is 2) there is a leak somewhere, and these are incredibly hard to track down.
The first peer is running 100Mbps / 'ifconfig' = (100baseTX full-duplex)
The second peer is running 60Mbps / 'ifconfig' = (1000baseT -duplex)
The third peer is running 100Mbps / 'ifconfig' = (100baseTX full-duplex)

sustained?

No, that's what the contract says respectively what 'ifconfig' has negotiated on the wire/link.

Our second peer is running 60Mbps due to some sort of contract/pricing/whatever reason and this awkward speed mode is set on their side / their router. Could that be the mbuf thief/reason?

if you actually push more than 60 MBit/s, that might add up on usage.

On this particular link I could very well have a very high utilization. I must shamefully admit that I've used 'netstat' statistics for here-and-now measurements on this box so far ... and with a limited 32-bit netstat-buffer (4.294.967.296) I'll never know for sure when the buffer has turned = 'netstat' is not the tool to use on a busy box.

/per [EMAIL PROTECTED]
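Henning's advice boils down to sampling 'netstat -m' over time and telling case 1 (high but stable, so raise kern.maxclusters) from case 2 (constantly rising, so suspect a leak). The following is an added example, not a tool from the thread: it parses the cluster and network-memory lines of the netstat output quoted above (the only real sample; the follow-up samples are constructed) and applies that distinction. The 90% threshold and the 6144 step are choices of this example.

```python
"""Sort OpenBSD 'netstat -m' samples into Henning's two cases:
high-but-stable cluster use versus a constantly rising count.
Added illustration; thresholds and follow-up samples are constructed."""
import re
from typing import Dict, List

# "4495/5886/6144 mbuf clusters in use (current/peak/max)"
CLUSTERS_RE = re.compile(
    r"(\d+)/(\d+)/(\d+) mbuf clusters in use \(current/peak/max\)")
# "12988 Kbytes allocated to network (77% in use)"
NETMEM_RE = re.compile(r"(\d+) Kbytes allocated to network \((\d+)% in use\)")


def parse_netstat_m(text: str) -> Dict[str, int]:
    """Pull the cluster counters (and, if present, the network-memory line)
    out of one netstat -m run."""
    m = CLUSTERS_RE.search(text)
    if m is None:
        raise ValueError("no 'mbuf clusters in use' line found")
    cur, peak, mx = (int(x) for x in m.groups())
    sample = {"current": cur, "peak": peak, "max": mx}
    n = NETMEM_RE.search(text)
    if n is not None:
        sample["kbytes"] = int(n.group(1))
        sample["pct_in_use"] = int(n.group(2))
    return sample


def classify(samples: List[Dict[str, int]], high: float = 0.9) -> str:
    """'rising'      -> current climbs in every sample (possible leak, case 2)
       'high-stable' -> peak has come within `high` of kern.maxclusters (case 1)
       'ok'          -> neither"""
    cur = [s["current"] for s in samples]
    if len(cur) >= 3 and all(b > a for a, b in zip(cur, cur[1:])):
        return "rising"
    last = samples[-1]
    if last["peak"] >= high * last["max"]:
        return "high-stable"
    return "ok"


def next_maxclusters(sample: Dict[str, int], step: int = 6144) -> str:
    """Stepwise raise (the epilogue went ~6500 at a time from the 6144
    default); returns the sysctl(8) form Henning gives."""
    return f"sysctl kern.maxclusters={sample['max'] + step}"


# Output quoted in the thread (real), followed by two constructed samples
# taken a little later on the same box.
PAGE_SAMPLE = """4517 mbufs in use:
        4500 mbufs allocated to data
        12 mbufs allocated to packet headers
        5 mbufs allocated to socket names and addresses
4495/5886/6144 mbuf clusters in use (current/peak/max)
12988 Kbytes allocated to network (77% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines"""

STABLE_FOLLOWUPS = [  # constructed: usage wobbles but does not climb
    "4510/5886/6144 mbuf clusters in use (current/peak/max)",
    "4488/5886/6144 mbuf clusters in use (current/peak/max)",
]

LEAKY_SERIES = [  # constructed: what a leak would look like over three runs
    "3000/3000/6144 mbuf clusters in use (current/peak/max)",
    "3600/3600/6144 mbuf clusters in use (current/peak/max)",
    "4200/4200/6144 mbuf clusters in use (current/peak/max)",
]


def run_thread_case():
    """The box from the thread: peak 5886 of 6144 is case 1, so raise the cap."""
    samples = [parse_netstat_m(PAGE_SAMPLE)]
    samples += [parse_netstat_m(t) for t in STABLE_FOLLOWUPS]
    return classify(samples), next_maxclusters(samples[-1])


def run_leak_case():
    """Strictly rising current count: case 2."""
    return classify([parse_netstat_m(t) for t in LEAKY_SERIES])


if __name__ == "__main__":
    print(run_thread_case())  # ('high-stable', 'sysctl kern.maxclusters=12288')
    print(run_leak_case())    # 'rising'
```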
Re: AS path prepending [OpenBGPD]
Claudio Jeker wrote:

On Fri, Aug 18, 2006 at 07:25:17AM +0200, Per Engelbrecht wrote:
Claudio Jeker wrote:
On Thu, Aug 17, 2006 at 05:32:52PM +0200, Per Engelbrecht wrote:
Hi all, (obsd3.8 / i386)

So far I've used 'weight' and 'localpref' between our peers in order to put one in favour of the other (mainly for pricing). Now I'm adding a third peer and want to use AS path prepending in order to compensate for one of my old peer's inappropriate peering agreements in .eu making the old peer a sort of backup peer only. I expect that the attribute 'prepend-self' is the one I should use on the peer I want to prepend/prefix/make less attractive, like:

neighbor $slowjoe {
    remote-as
    descr slowjoe
    set localpref 100
    set weight 45
    announce self
    announce IPv6 none
    tcp md5sig passwd x
    prepend-self 2
}

... right?

Nope. prepend-self is an outgoing thing. You most probably need to use prepend-neighbor.

And while I'm at it:
- if I want to make sure that $slowjoe is chosen as a last resort, how many times (0-9) should I prepend?

More than 5 is normally not needed as the average path is about that long. Normally it is easier to use localpref to make a backup session only eligible if no other route is around. Just lower the localpref of your backup neighbor.

- in short, how will the 'prepend-[self|neighbor]' attributes affect the 'localpref' and/or 'weight'?

The decision path is roughly like this:
1. nexthop
2. localpref
3. aspath length
4. origin
5. MED/metric
6. EBGP/IBGP
7. weight

- In contrast to 'prepend-self' when should the 'prepend-neighbor' attribute be used?

prepend-self is for outgoing filters (it adds your own AS) whereas prepend-neighbor is for incoming filters (it adds the AS of the neighbor). Prepend-self on incoming filters will render all sent prefixes invalid because the aspath is not loop free.

Hi Claudio,

Just to make absolutely sure:
If I want to express a policy with prepend rules to prefer INCOMING traffic via my better-connected $primetime peer and only use my $slowjoe peer as a backup, I should do: ... prepend-neighbor 5 ...
If I want to express a policy with prepend rules to prefer OUTGOING traffic via my better-connected $primetime peer and only use my $slowjoe peer as a backup, I should do: ... prepend-self 2 ...

No, it is the other way around. Sorry to confuse you even more now. Consider the following simple config:

AS 65001
neighbor 192.168.0.1 {
    remote-as 65002
    set prepend-self 2
}
neighbor 192.168.0.2 {
    remote-as 65003
    set prepend-neighbor 5
}

Now let's have a look what bgpd is doing with the config (bgpd -nv)

AS 65001
...
neighbor 192.168.0.2 {
    remote-as 65003
    ...
}
neighbor 192.168.0.1 {
    remote-as 65002
    ...
}
match to 192.168.0.1 set { prepend-self 2 }
match from 192.168.0.2 set { prepend-neighbor 5 }

As you can see the set statements were replaced by filter rules. set prepend-self got replaced by a match to rule which changes outgoing updates and set prepend-neighbor got replaced by a match from rule which changes incoming updates. Now comes the twist. If you change incoming updates you actually modify your own routing table and so your OUTGOING traffic is influenced by this. If you change outgoing updates (your own network announcements) you influence the view of all other routers and so the INCOMING traffic is modified.

Okay, got it.

In short to discriminate an uplink for OUTGOING traffic you need to use set prepend-neighbor 5. To discriminate an uplink for INCOMING traffic you need to set prepend-self 5. Note: changing your incoming traffic is imprecise, you normally end up with some traffic coming in on the wrong link but there is nothing you can do about it because you can not control what the other ASs do.

From time to time I actually see incoming traffic heading for/through one of our peers and then at the last core-router before reaching our network, changing direction and entering through our second peer. That's beyond me .. and beyond my reach as well.

The last part of your reply: Prepend-self on incoming filters will render all sent prefixes invalid because the as path is not loop free. kind of confuses me, the filter-part that is.

As shown above the set rules added to a neighbor are magically changed to filter rules. Now there everything is done correctly but if you add your own filter rule like

match from any set prepend-self 1

you will see that your RIB will stay empty because all prefixes are invalid. The reason is that the resulting path is not loop free (it already has your AS in the path).

i.e. my own crafted filter rules containing 'prepend-self' are where the loop could occur. You've just put 1 major and 2 minor building blocks in place!! :)

Based on the syntax
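To make Claudio's explanation concrete, here is an added example (not bgpd's code, and not from the thread) that models the decision path he lists and the three prepend cases: prepend-neighbor on an incoming update lengthening the path in our own RIB, prepend-self on an outgoing announcement, and prepend-self misapplied to an incoming filter failing the loop-free check. AS 65001 is taken from his sample config; the other ASNs and paths are constructed from the documentation range, and the reading that prepend-self adds its copies on top of the one our eBGP announcement already carries is an assumption.

```python
"""Model of OpenBGPD's decision process as listed in the thread and of what
prepend-neighbor / prepend-self do to an AS path.  Added illustration only."""
from dataclasses import dataclass, replace
from typing import List, Optional

LOCAL_AS = 65001  # our AS, from Claudio's sample config


@dataclass
class Route:
    peer: str             # neighbor the UPDATE came from
    aspath: List[int]     # AS_PATH as received; leftmost = the neighbor's AS
    localpref: int = 100
    origin: int = 0       # 0 = IGP, 1 = EGP, 2 = INCOMPLETE (lower wins)
    med: int = 0
    ebgp: bool = True
    weight: int = 0
    nexthop_ok: bool = True


def prepend_neighbor(route: Route, n: int) -> Route:
    """'match from <peer> set prepend-neighbor n': the neighbor's AS is
    repeated n more times on the INCOMING update.  Our own RIB now holds a
    longer path via that peer, so OUTGOING traffic moves to the other uplink."""
    return replace(route, aspath=[route.aspath[0]] * n + route.aspath)


def prepend_self_outgoing(own_path: List[int], n: int) -> List[int]:
    """'match to <peer> set prepend-self n': the UPDATE we send carries our AS
    n extra times (assumption: on top of the single copy eBGP always adds).
    Other ASes see the longer path, so INCOMING traffic prefers the other link."""
    return [LOCAL_AS] * (n + 1) + own_path


def prepend_self_on_incoming(route: Route, n: int) -> Route:
    """The misuse Claudio warns about ('match from any set prepend-self 1'):
    our own AS lands in a received path, which loop detection then rejects."""
    return replace(route, aspath=[LOCAL_AS] * n + route.aspath)


def is_loop_free(route: Route) -> bool:
    return LOCAL_AS not in route.aspath


def decision_key(r: Route):
    """Smaller tuple wins.  Steps 2-7 of Claudio's list: localpref, aspath
    length, origin, MED, EBGP over IBGP, weight (step 1, nexthop, is an
    eligibility check done in best_route)."""
    return (-r.localpref, len(r.aspath), r.origin, r.med, not r.ebgp, -r.weight)


def best_route(routes: List[Route]) -> Optional[Route]:
    """Best path among eligible, loop-free candidates; None means empty RIB."""
    valid = [r for r in routes if r.nexthop_ok and is_loop_free(r)]
    return min(valid, key=decision_key) if valid else None


def scenario():
    """Same prefix learned from both uplinks (constructed documentation ASNs):
    $primetime hands us a 3-hop path, $slowjoe a shorter 2-hop one."""
    primetime = Route("primetime", [65002, 64497, 64498])
    slowjoe = Route("slowjoe", [65003, 64498])
    rib = [primetime, slowjoe]

    plain = best_route(rib).peer  # no policy: the shorter path wins
    # prepend-neighbor 5 on slowjoe's incoming updates: 7 hops against 3
    prepended = best_route([primetime, prepend_neighbor(slowjoe, 5)]).peer
    # localpref sits above aspath length, so lowering slowjoe's localpref
    # (Claudio's backup recipe) wins regardless of how long the paths are
    lowered = best_route([primetime, replace(slowjoe, localpref=50)]).peer
    # prepend-self on an incoming filter: every path now contains 65001
    looped = best_route([prepend_self_on_incoming(r, 1) for r in rib])
    return plain, prepended, lowered, looped


if __name__ == "__main__":
    print(scenario())                    # ('slowjoe', 'primetime', 'primetime', None)
    print(prepend_self_outgoing([], 2))  # [65001, 65001, 65001]
```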
AS path prepending [OpenBGPD]
Hi all, (obsd3.8 / i386)

So far I've used 'weight' and 'localpref' between our peers in order to put one in favour of the other (mainly for pricing). Now I'm adding a third peer and want to use AS path prepending in order to compensate for one of my old peer's inappropriate peering agreements in .eu making the old peer a sort of backup peer only.

I expect that the attribute 'prepend-self' is the one I should use on the peer I want to prepend/prefix/make less attractive, like:

neighbor $slowjoe {
    remote-as
    descr slowjoe
    set localpref 100
    set weight 45
    announce self
    announce IPv6 none
    tcp md5sig passwd x
    prepend-self 2
}

... right?

And while I'm at it:
- if I want to make sure that $slowjoe is chosen as a last resort, how many times (0-9) should I prepend?
- in short, how will the 'prepend-[self|neighbor]' attributes affect the 'localpref' and/or 'weight'?
- In contrast to 'prepend-self' when should the 'prepend-neighbor' attribute be used?

Thank you in advance.

/per [EMAIL PROTECTED]
Re: AS path prepending [OpenBGPD]
Claudio Jeker wrote:
On Thu, Aug 17, 2006 at 05:32:52PM +0200, Per Engelbrecht wrote:

Hi all, (obsd3.8 / i386)

So far I've used 'weight' and 'localpref' between our peers in order to put one in favour of the other (mainly for pricing). Now I'm adding a third peer and want to use AS path prepending in order to compensate for one of my old peer's inappropriate peering agreements in .eu, making the old peer a sort of backup peer only. I expect that the attribute 'prepend-self' is the one I should use on the peer I want to prepend/prefix/make less attractive, like:

neighbor $slowjoe {
        remote-as
        descr slowjoe
        set localpref 100
        set weight 45
        announce self
        announce IPv6 none
        tcp md5sig passwd x
        prepend-self 2
}

... right ?

Nope. prepend-self is an outgoing thing. You most probably need to use prepend-neighbor.

And while I'm at it:
- if I want to make sure that $slowjoe is chosen as a last resort, how many times (0-9) should I prepend ?

More than 5 is normally not needed as the average path is about that long. Normally it is easier to use localpref to make a backup session only eligible if no other route is around. Just lower the localpref of your backup neighbor.

- in short, how will the 'prepend-[self|neighbor]' attributes affect the 'localpref' and/or 'weight' ?

The decision path is roughly like this:
1. nexthop
2. localpref
3. aspath length
4. origin
5. MED/metric
6. EBGP/IBGP
7. weight

- In contrast to 'prepend-self', when should the 'prepend-neighbor' attribute be used ?

prepend-self is for outgoing filters (it adds your own AS) whereas prepend-neighbor is for incoming filters (it adds the AS of the neighbor). Prepend-self on incoming filters will render all sent prefixes invalid because the aspath is not loop free.

Hi Claudio,

Just to make absolutely sure:

If I want to express a policy with prepend rules to prefer INCOMING traffic via my better-connected $primetime peer and only use my $slowjoe peer as a backup, I should do:
... prepend-neighbor 5 ...

If I want to express a policy with prepend rules to prefer OUTGOING traffic via my better-connected $primetime peer and only use my $slowjoe peer as a backup, I should do:
... prepend-self 2 ...

The last part of your reply:

Prepend-self on incoming filters will render all sent prefixes invalid because the AS path is not loop free.

kind of confuses me, the filter part that is. Based on the syntax in bgpd.conf, how can I (from what you're saying) ever avoid creating a loop if/when using prepend-self ? example:

neighbor $slowjoe {
        remote-as
        descr slowjoe
        set localpref 100
        set weight 45
        announce self
        announce IPv6 none
        tcp md5sig passwd x
        prepend-self 2
        prepend-neighbor 5
}

... from what you're saying, I've just created a loop ?

I would appreciate your answer very much.

The best
/per [EMAIL PROTECTED]

Thank you in advance.
/per [EMAIL PROTECTED]
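The decision path and the two prepend directions discussed in this thread, modelled as an added C example (not OpenBGPD's code): a comparison in the order Claudio lists, prepend-neighbor applied on input, prepend-self applied on output, and the loop check that drops a received path already carrying our own AS. The AS numbers (9, 100, 200, 300) and the $primetime/$slowjoe scenario are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_ASPATH 32

/* One candidate route for a prefix, carrying the attributes the decision
 * path in the thread looks at, in that order. */
struct route {
    bool     nexthop_ok;         /* 1. nexthop reachable */
    int      localpref;          /* 2. higher wins */
    uint32_t aspath[MAX_ASPATH]; /* 3. shorter wins */
    int      aspath_len;
    int      origin;             /* 4. 0=IGP, 1=EGP, 2=incomplete; lower wins */
    int      med;                /* 5. lower wins */
    bool     ebgp;               /* 6. eBGP preferred over iBGP */
    int      weight;             /* 7. higher wins, last tie-breaker */
    uint32_t neighbor_as;        /* AS of the neighbor the route came from */
};

/* Put 'as' n times in front of the path; false if the fixed array is full. */
static bool prepend(struct route *r, uint32_t as, int n)
{
    if (n < 0 || r->aspath_len + n > MAX_ASPATH)
        return false;
    memmove(r->aspath + n, r->aspath, r->aspath_len * sizeof(r->aspath[0]));
    for (int i = 0; i < n; i++)
        r->aspath[i] = as;
    r->aspath_len += n;
    return true;
}

/* 'prepend-neighbor N' as an incoming filter: pad with the neighbor's AS. */
bool prepend_neighbor_in(struct route *r, int n)
{
    return prepend(r, r->neighbor_as, n);
}

/* Loop check every BGP speaker applies to a received path: if our own AS
 * is already in it, the path is not loop free and the route is dropped. */
bool aspath_loop_free(const struct route *r, uint32_t my_as)
{
    for (int i = 0; i < r->aspath_len; i++)
        if (r->aspath[i] == my_as)
            return false;
    return true;
}

/* Decision path as listed in the thread. <0: a preferred, >0: b preferred. */
int bgp_compare(const struct route *a, const struct route *b)
{
    if (a->nexthop_ok != b->nexthop_ok) return a->nexthop_ok ? -1 : 1;
    if (a->localpref != b->localpref)   return a->localpref > b->localpref ? -1 : 1;
    if (a->aspath_len != b->aspath_len) return a->aspath_len < b->aspath_len ? -1 : 1;
    if (a->origin != b->origin)         return a->origin < b->origin ? -1 : 1;
    if (a->med != b->med)               return a->med < b->med ? -1 : 1;
    if (a->ebgp != b->ebgp)             return a->ebgp ? -1 : 1;
    if (a->weight != b->weight)         return a->weight > b->weight ? -1 : 1;
    return 0;
}

/* Constructed scenario: the same prefix learned from $primetime (AS 100)
 * and from $slowjoe (AS 300, weight 45 as in the posted config). The
 * $slowjoe route gets 'prepend-neighbor prepend_n' and localpref
 * slow_localpref on input. Returns -1 if $primetime wins, 1 if $slowjoe. */
int scenario_incoming(int prepend_n, int slow_localpref)
{
    struct route prime = { .nexthop_ok = true, .localpref = 100,
        .aspath = { 100, 200 }, .aspath_len = 2, .ebgp = true,
        .weight = 0, .neighbor_as = 100 };
    struct route slow = { .nexthop_ok = true, .localpref = slow_localpref,
        .aspath = { 300, 200 }, .aspath_len = 2, .ebgp = true,
        .weight = 45, .neighbor_as = 300 };
    prepend_neighbor_in(&slow, prepend_n);
    return bgp_compare(&prime, &slow);
}

/* The misuse the thread warns about: prepend-self applied on the INCOMING
 * side puts our own AS (my_as) into a path we received, so the loop check
 * rejects it. Returns whether the route survives. */
bool prepend_self_on_input_survives(uint32_t my_as, int n)
{
    struct route r = { .aspath = { 300, 200 }, .aspath_len = 2,
        .neighbor_as = 300 };
    prepend(&r, my_as, n);
    return aspath_loop_free(&r, my_as);
}

/* The correct direction: 'prepend-self N' on OUTPUT. The neighbor (AS 300)
 * sees our AS padded in front and the path is still loop free for it. */
bool prepend_self_on_output_ok(uint32_t my_as, int n)
{
    struct route r = { .aspath = { 200 }, .aspath_len = 1 };
    prepend(&r, my_as, n);
    return r.aspath_len == 1 + n && r.aspath[0] == my_as &&
        aspath_loop_free(&r, 300);
}
```

With no prepending and equal localpref, only step 7 (weight 45) separates the two and $slowjoe wins; five prepends or a lower localpref on $slowjoe both make $primetime win before weight is ever consulted.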
Intel pro/1000GT quad adapter [not working]
Hi all, (obsd3.9 / i386)

I'm beefing up two of our bgp routers i.e. replacing Intel Pro/1000MT dual port server adapters with Intel Pro/1000GT quad-port server adapters. The GT card is the MT card's successor and should be backwards compatible, but my vanilla 3.9 installation 'no habla GT'. I've talked to Intel several times without any luck. The persons I talked to did not know the difference between SysV and BSD, let alone the difference between GT and MT (fair should be fair and normally Intel techs know what they're talking about, but not today).

During install (with a dual and a quad card in the server) four 'em' interfaces were found, but none had link according to the installer! See first dmesg (dmesg_both) below and please note my lines on the MACs. The second dmesg (dmesg_quadonly) is from when the system has a quad card (only) installed.

The MT card has a single FW82546GB chip. The GT card has two NH82546GB chips. The 'em' driver supports 'i82546'.

http://www.openbsd.org/i386.html
...
Intel i82540, i82541, i82542, i82543, i82544, i82545, i82546, i82547, i82571, i82572 and i82573 based adapters (em http://www.openbsd.org/cgi-bin/man.cgi?query=em&arch=i386&sektion=4), including:
...
Intel PRO/1000 Gigabit Server Adapter (SX Fiber) (PWLA8490)
Intel PRO/1000F Gigabit Server Adapter (SX Fiber) (PWLA8490SX)
Intel PRO/1000T Server Adapter (PWLA8490T)
Intel PRO/1000XT Server Adapter (PWLA8490XT)
Intel PRO/1000XS Server Adapter (SX Fiber) (PWLA8490XF)
Intel PRO/1000T Desktop Adapter (PWLA8390T)
Intel PRO/1000XTL Low Profile PCI Server (PWLA8490XTL)
Intel PRO/1000MT Desktop Adapter (PWLA8390MT)
Intel PRO/1000MT Server Adapter (PWLA8490MT)
Intel PRO/1000MT Dual Port Server Adapter (PWLA8492MT)
Intel PRO/1000MF Server Adapter (SX Fiber) (PWLA8490MF)
Intel PRO/1000MF Dual Port Server Adapter (SX Fiber) (PWLA8492MF)
Intel PRO/1000MF Server Adapter (LX Fiber) (PWLA8490LX)
Intel PRO/1000MT Quad PCI-X Adapter (PWLA8494MT)
...
/http://www.openbsd.org/i386.html

Below are two dmesg files. The first one is with a dual + a quad card installed. The second one is with a quad card only.

Please note that the following two lines are the MACs belonging to the dual card.
em0 at pci2 dev 2 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 10, address 00:04:23:9e:f2:3a
em1 at pci2 dev 2 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 10, address 00:04:23:9e:f2:3b

Please note that the following two lines are the MACs belonging to the quad card.
em2 at pci4 dev 1 function 0 Intel PRO/1000MT (82541GI) rev 0x00: irq 10, address 00:30:48:71:3b:aa
em3 at pci4 dev 2 function 0 Intel PRO/1000MT (82541GI) rev 0x00: irq 10, address 00:30:48:71:3b:ab

[dmesg_both]
OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem = 4160266240 (4062760K)
avail mem = 3790917632 (3702068K)
using 4278 buffers containing 208117760 bytes (203240K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 09/18/03, BIOS32 rev. 0 @ 0xf0010
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3000/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801CA LPC rev 0x00)
pcibios0: PCI bus #5 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x8e00
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7501 MCH Host rev 0x01
ppb0 at pci0 dev 2 function 0 Intel E7500 MCH rev 0x01
pci1 at ppb0 bus 1
Intel 82870P2 IOxAPIC rev 0x04 at pci1 dev 28 function 0 not configured
ppb1 at pci1 dev 29 function 0 Intel 82870P2 PCI-PCI rev 0x04
pci2 at ppb1 bus 2
ppb2 at pci2 dev 1 function 0 unknown vendor 0x12d8 product 0x01a7 rev 0x01
pci3 at ppb2 bus 3
vendor Intel, unknown product 0x10b5 (class network subclass ethernet, rev 0x03) at pci3 dev 4 function 0 not configured
vendor Intel, unknown product 0x10b5 (class network subclass ethernet, rev 0x03) at pci3 dev 4 function 1 not configured
vendor Intel, unknown product 0x10b5 (class network subclass ethernet, rev 0x03) at pci3 dev 6 function 0 not configured
vendor Intel, unknown product 0x10b5 (class network subclass ethernet, rev 0x03) at pci3 dev 6 function 1 not configured
em0 at pci2 dev 2 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 10, address 00:04:23:9e:f2:3a
em1 at pci2 dev 2 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 10, address 00:04:23:9e:f2:3b
ahd0 at pci2 dev 3 function 0 Adaptec AIC-7902B U320 rev 0x10: irq 10
ahd0: aic7902, U320 Wide Channel A, SCSI Id=7, PCI-X 67-100Mhz, 512 SCBs
scsibus0 at ahd0: 16 targets
ahd1 at pci2 dev 3 function 1 Adaptec AIC-7902B U320 rev 0x10: irq 10
ahd1: aic7902, U320 Wide Channel B, SCSI Id=7, PCI-X 67-100Mhz, 512
Re: Intel pro/1000GT quad adapter [not working]
Stuart Henderson wrote:
On 2006/08/03 15:54, Per Engelbrecht wrote:

I'm beefing up two of our bgp routers i.e. replacing Intel Pro/1000MT dual port server adapters with Intel Pro/1000GT quad-port server adapters. The GT card is the MT card's successor and should be backwards compatible, but my vanilla 3.9 installation 'no habla GT'.

GT PCI ID was added post-3.9. -current snapshot is probably the easy way, and since we're approaching 4.0 it shouldn't be too stressful.

If you still have problems, maybe try adjusting irq settings in bios, when I've had multi-port em(4) unable to see all ports that has been the way to get them back.

Hi Stuart,

Thank you, appreciate it! Latest i386 snap (08/03/06 12:41:00) will have to do.

real mem = 4160266240 (4062760K)

hey, it's not cisco-eee :-)

:)

/per [EMAIL PROTECTED]
Re: x.org
[EMAIL PROTECTED] wrote:

Strange problem which appeared in 3.8 and appears in 3.9. When I type startx it does nothing. After waiting for half a minute I press cancel and only then it begins to do something but fails to start. When I open another tty and type there startx it starts normally. The strangest thing is that I do nothing, X fails to start without any reason.

Artyom

Your mail is a little sparse on fact/information.

First make sure that *machdep.allowaperture=2* is set in /etc/sysctl.conf

I expect you (as root) have made a /root/xorg.conf.new by running:
# xorgcfg
- and have made corrections to the Display section at the end of xorg.conf (DefaultDepth and Modes) and then done:
# cp /root/xorg.conf.new /etc/X11/xorg.conf

If 'yes' you should be able to run 'startx'. Your /var/log/Xorg.0.log will give away what you need to know.

/per [EMAIL PROTECTED]
Re: erratic networking problem
Han Boetes wrote:
Ted Unangst wrote:
On 12/22/05, Han Boetes [EMAIL PROTECTED] wrote:

This problem has been bugging me for a month now. It started happening a month after 3.8 got tagged. At least, that's when I started noticing it. So it might be anything. But I suspect the OpenBSD side the most since returning to an older Linux release on the client from a liveCD didn't fix the problem. The OpenBSD server doesn't have a CD-drive.

OpenBSD server - linux client
Both rtl8169 gigabit networkcards

Uploading to the server goes with 11Mbytes/s, the speed limit of the ide harddrives, but the downloading goes with erratic speeds. 1Mbyte/s at best, 100Kbyte/s most of the time, sometimes no more than 20Kbytes/s

and if you use a different protocol (ftp, http)?

Yes, I tried ftp and rsync over ssh and nfs. All three have the same problems.

anything unusual in netstat -s?

Have a look:

ip:
        1173210 total packets received
        0 bad header checksums
        0 with size smaller than minimum
        0 with data size < data length
        0 with header length < data size
        0 with data length < header length
        0 with bad options
        0 with incorrect version number
        0 fragments received
        0 fragments dropped (duplicates or out of space)
        0 malformed fragments dropped
        0 fragments dropped after timeout
        0 packets reassembled ok
        1164892 packets for this host
        0 packets for unknown/unsupported protocol
        0 packets forwarded
        0 packets not forwardable
        0 redirects sent
        1182870 packets sent from this host
        0 packets sent with fabricated ip header
        0 output packets dropped due to no bufs, etc.
        0 output packets discarded due to no route
        0 output datagrams fragmented
        0 fragments created
        0 datagrams that can't be fragmented
        0 fragment floods
        0 packets with ip length > max ip packet size
        0 tunneling packets that can't find gif
        0 datagrams with bad address in header
        311675 input datagrams checksum-processed by hardware
        0 output datagrams checksum-processed by hardware
        0 multicast packets which we don't join
icmp:
        0 calls to icmp_error
        0 errors not generated because old message was icmp
        0 messages with bad code fields
        0 messages < minimum length
        0 bad checksums
        0 messages with bad length
        Input packet histogram:
                destination unreachable: 115
        0 message responses generated
igmp:
        0 messages received
        0 messages received with too few bytes
        0 messages received with bad checksum
        0 membership queries received
        0 membership queries received with invalid field(s)
        0 membership reports received
        0 membership reports received with invalid field(s)
        0 membership reports received for groups to which we belong
        0 membership reports sent
ipencap:
        0 total input packets
        0 total output packets
        0 packets shorter than header shows
        0 packets dropped due to policy
        0 packets with possibly spoofed local addresses
        0 packets were dropped due to full output queue
        0 input bytes
        0 output bytes
        0 protocol family mismatches
        0 attempts to use tunnel with unspecified endpoint(s)
tcp:
        878085 packets sent
                458267 data packets (490187475 bytes)
                1133 data packets (976692 bytes) retransmitted
                0 fast retransmitted packets
                362473 ack-only packets (294077 delayed)
                0 URG only packets
                0 window probe packets
                54002 window update packets
                2210 control packets
                0 packets hardware-checksummed
        860321 packets received
                229685 acks (for 489089407 bytes)
                16982 duplicate acks
                0 acks for unsent data
                0 acks for old data
                469932 packets (416700992 bytes) received in-sequence
                18457 completely duplicate packets (12118924 bytes)
                44 old duplicate packets
                1566 packets with some duplicate data (175713 bytes duplicated)
                200639 out-of-order packets (153176788 bytes)
                0 packets (0 bytes) of data after window
                0 window probes
                1109 window update packets
                77 packets received after close
                675 discarded for bad checksums
                0 discarded for bad header offset fields
                0 discarded because packet too short
                0 discarded for missing IPsec protection
                0 discarded due to memory shortage
                860321 packets hardware-checksummed
                0 bad/missing md5 checksums
                0 good md5 checksums
        742 connection requests
Re: erratic networking problem
Han Boetes wrote:
per engelbrecht wrote:

recently had a problem with a NFS server. Lousy performance when getting data (not putting) from most clients (but not all) until they discovered diffs in size of the transmit/receive buffers. When fixed users felt like going from walking to flying both ways. They do not use OpenBSD but they have different arch and OS as well i.e. might be a similar/related problem. I read an article recently about the tux kernel hackers working on an auto sensing feature for the upcoming 2.6.whatever dealing with this. The test result was quite impressive with performance gains x 10-20 and above. I could be a victim of christmas-lag (too much food, dark strong beer and snaps [danish strong alcoholic drink]) or it could be related. Just a thought.

Sounds interesting. But searching on google doesn't show any useful links. Nor did I find out how to read/set the transmit/receive buffers for either OS.

Can't find the article (typical!). Found this though;
http://dsd.lbl.gov/TCP-tuning/linux.html
It describes the topic yes, but it's not spot on.

I know how to set them for nfs. But that was not related to my problem since it occurred for ftp and ssh as well. And changing the sizes didn't change the behaviour at all.

From mount_nfs(8)

     -r readsize
             Set the read data size to the specified value.  It should normally
             be a power of 2 greater than or equal to 1024.  This should be
             used for UDP mounts when the ``fragments dropped after timeout''
             value is getting large while actively using a mount point.  (Use
             netstat(1) with the -s option to see what this value is.)  See
             the -w option as well.

     -w writesize
             Set the write data size to the specified value.  Ditto the
             comments w.r.t. the -r option, but using the ``fragments dropped
             after timeout'' value on the server instead of the client.  Note
             that both the -r and -w options should only be used as a last
             ditch effort at improving performance when mounting servers that
             do not support TCP mounts.

Makes sense doesn't it?

Anyway, replacing my Gigabit NIC with a 100Mbit nic helped. I bet the old pII400 couldn't handle that little thing.

I'm sure some of our committers can elaborate further/completely on the gory details of why. I'm afraid I can not, sorry.

/per [EMAIL PROTECTED]

# Han
Re: ccd on active disks?
Markus Wernig wrote:

Hi misc

Is anybody aware of a document that describes how to ccd all slices (including /) after installation? I've installed 3.8 generic using just one of two identical disks. Now I need to mirror that disk onto the other one. I copied the disklabel from the active disk over. I can of course create ccd's for each slice, but this means newfs and data loss, and won't work because I can't umount the root. Now I assume that my approach was intrinsically bound to fail or just dumb wrong. I'm sorry if this is covered somewhere public - I found references to a FAQ on MARC, but was just unable to find my question covered in the related documentation. One thing I came up with was to boot from install media and do it from the shell there, then newfs and reinstall on the ccd devices. But I'm really not quite sure. The goal is to bring the box back online as fast as possible after a disk crash and replacement, and to be then able to rebuild the raidset online (dd is fine).

thx /markus

Hi Markus

I've worked with 'ccd' on a number of systems, but only for the purpose of putting a number of slices into a single bigger one, most often /var. The easiest way of doing that is during install. If you want a raid mirror for the entire! disk(s) then have a look at bioctl. Yes, you can control how 'ccd' should write to the entries in your ccdconfig file, but it's still not a raid solution and 'ccd' on /root is not possible (not to my knowledge).

/per [EMAIL PROTECTED]
Re: OpenBGPD and eBGP nexthop
Henning Brauer wrote:
* per engelbrecht [EMAIL PROTECTED] [2005-11-07 19:01]:

#neighbors and peers
neighbor $peer0 {
        remote-as 6
        descr eBGP
        local-address aaa.aaa.aaa.163
        set nexthop aaa.aaa.aaa.161
        multihop 10
        set localpref 100
        set weight 45
        announce self
}

i highly doubt you want to manually set the nexthop.

Hhhmm .. why not ?

aside from that, we'll need logs and a tcpdump to see why the session does not get established.

Next run will be in upcoming weekend. I'll gather and pile anything. Appreciate your input Henning.

/per [EMAIL PROTECTED]
OpenBGPD and eBGP nexthop
Hi All [20051019 snap i386]

Last night I switched from our old BGP setup (fbsd/zebra) to our new obsd/openbgpd. All but a single eBGP session to one of our peers was established. The eBGP peer switched between 'active' and 'connected' and I could ping both nexthop IP and peer IP but still no candy. (bgpctl == great) Getting 'established' to this peer normally takes from 4-6 min. Finally rolled back to our old setup. The [EMAIL PROTECTED] verified the IP part of my setup i.e. correct (new) nexthop IP etc.

Below I've listed first the Zebra part on the neighbor and further down the OpenBGPD part. If someone can spot a misconfiguration (I can't) then please speak up. I'm in a tight spot / at a dead-end.

Fictive info:
9 is our AS
yyy.yyy.yyy.0 is the network that I announce
yyy.yyy.yyy.1 is our router id
6 is the remote-as
aaa.aaa.aaa.163 is the local IP [on em0] facing the neighbor/peer
aaa.aaa.aaa.161 is the new nexthop IP to the neighbor/peer
xxx.xxx.xxx.99 is the neighbor/peer IP

snip from zebra.conf
...
router bgp 9
 no synchronization
 bgp log-neighbor-changes
 network yyy.yyy.yyy.0 mask 255.255.192.0
 redistribute static
 neighbor xxx.xxx.xxx.99 remote-as 6
 neighbor xxx.xxx.xxx.99 description eBGP
 neighbor xxx.xxx.xxx.99 ebgp-multihop 10
 neighbor xxx.xxx.xxx.99 send-community both
 neighbor xxx.xxx.xxx.99 route-map BGPIN in
 neighbor xxx.xxx.xxx.99 route-map BGPOUT out
(route-maps etc. left out)
...
/snip from zebra.conf

snip from bgpd.conf
...
#macros
peer0=xxx.xxx.xxx.99

#global conf
AS 9
router-id yyy.yyy.yyy.1
listen on aaa.aaa.aaa.163
fib-update yes
log updates
network yyy.yyy.yyy.0/18 set localpref 200

#neighbors and peers
neighbor $peer0 {
        remote-as 6
        descr eBGP
        local-address aaa.aaa.aaa.163
        set nexthop aaa.aaa.aaa.161
        multihop 10
        set localpref 100
        set weight 45
        announce self
}

#filter
(Other than adding a few BOGON nets from http://www.cymru.com/BGP/robbgp-bogon.html [double checked with IANA], the original filter section is untouched)

Any help is highly appreciated.

/per [EMAIL PROTECTED]
Re: smartmontools (smartd) kills system [trace/gdb]
Kenneth R Westerback wrote:
On Fri, Nov 04, 2005 at 03:22:33PM +0100, per engelbrecht wrote:
Kenneth R Westerback wrote:
On Fri, Nov 04, 2005 at 07:14:05AM +0100, per engelbrecht wrote:
K WESTERBACK wrote:

I'm interested.

Ken

Hi again Ken

If you find anything of value it would be nice to know. (putting the box into production real soon)

Thank you.

/per [EMAIL PROTECTED]

I hope to be able to investigate this weekend. I had a look at the code and, well, it looked pretty weird. :-).

Ken

Hi Ken

When you say weird I get the same sensation as when my dentist says 'Uups' :-S

That would be just brilliant if you could. If not, fine too. I just appreciate having you on it.

The best
/per [EMAIL PROTECTED]

The ahd timeout code is definitely and completely borked. Thanks very much for finding a program that proved this.

Hi Ken (damn, you move fast)

I think of it as more of a coincidence, but you're welcome :)

This diff puts ahd back to the primitive 'timeout == bus reset' that most other drivers use. Now I can 'smartctl -a /dev/sd1c' many times without crashing or hanging the machine.

Sounds like it's heading in the right direction.

In addition I suppress a lot of useless verbiage so that you can actually read the program output.

Nice.

I'll be investigating further as to how much of this will be committed, and trying to figure out why it's timing out in the first place, and why the results are inconsistent. The inconsistency is that sometimes commands fail, sometimes 'SMART Health Status: OK' is displayed. A few times I've also seen 'SMART Health Status: OK' randomly displayed among lots of dump output. Unable to catch it though.

Let me know if this helps you.

I sure will. Can't do it right now, but I'll give it a go around 1800 CEST and give you the result.

Thank you for your time so far Ken.
/per [EMAIL PROTECTED] Ken Index: aic79xx.c === RCS file: /cvs/src/sys/dev/ic/aic79xx.c,v retrieving revision 1.28 diff -u -p -r1.28 aic79xx.c --- aic79xx.c 4 Oct 2005 23:52:04 - 1.28 +++ aic79xx.c 5 Nov 2005 19:12:57 - @@ -253,9 +253,6 @@ u_int ahd_resolve_seqaddr(struct ahd_so void ahd_download_instr(struct ahd_softc *ahd, u_int instrptr, uint8_t *dconsts); intahd_probe_stack_size(struct ahd_softc *ahd); -intahd_other_scb_timeout(struct ahd_softc *ahd, - struct scb *scb, - struct scb *other_scb); intahd_scb_active_in_fifo(struct ahd_softc *ahd, struct scb *scb); void ahd_run_data_fifo(struct ahd_softc *ahd, @@ -3124,7 +3121,7 @@ ahd_set_syncrate(struct ahd_softc *ahd, ahd_send_async(ahd, devinfo-channel, devinfo-target, CAM_LUN_WILDCARD, AC_TRANSFER_NEG, NULL); #endif - if (1 /*bootverbose*/) { + if (bootverbose) { if (offset != 0) { int options; 
@@ -9148,305 +9145,41 @@ ahd_timeout(void *arg) { struct scb *scb = (struct scb *)arg; struct ahd_softc *ahd; + char channel; + long s; + int found; +#ifdef AHD_DEBUG + int was_paused; +#endif ahd = scb-ahd_softc; - if ((scb-flags SCB_ACTIVE) != 0) { - if ((scb-flags SCB_TIMEDOUT) == 0) { - LIST_INSERT_HEAD(ahd-timedout_scbs, scb, -timedout_links); - scb-flags |= SCB_TIMEDOUT; - } - ahd_recover_commands(ahd); - } -} - -/* - * ahd_recover_commands determines if any of the commands that have currently - * timedout are the root cause for this timeout. Innocent commands are given - * a new timeout while we wait for the command executing on the bus to timeout. - * This routine is invoked from a thread context so we are allowed to sleep. - * Our lock is not held on entry. - */ -void -ahd_recover_commands(struct ahd_softc *ahd) -{ - struct scb *scb; - struct scb *active_scb; - longs; - int found; - int was_paused; - u_int active_scbptr; - u_int last_phase; - ahd_lock(ahd, s); +#ifdef AHD_DEBUG + was_paused = ahd_is_paused(ahd); + printf(%s: SCB %d timed out - Card was %spaused\n, ahd_name(ahd), + SCB_GET_TAG(scb), was_paused ? : not ); + ahd_dump_card_state(ahd); +#endif + /* * Pause the controller and manually flush any * commands that have just completed but that our * interrupt handler has yet to see. */ - was_paused = ahd_is_paused(ahd); - - printf(%s: Recovery Initiated - Card was %spaused\n, ahd_name(ahd
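Review bot: the prototype removed in the first hunk (@@ -253,9 +253,6 @@) is ahd_other_scb_timeout, while the function whose body the third hunk deletes is ahd_recover_commands; nothing in this diff drops the declaration of ahd_recover_commands (it is not declared in this file's visible region, so presumably in a header) or the definition of ahd_other_scb_timeout. Check both, otherwise the build keeps a declared-but-undefined ahd_recover_commands and an unreferenced ahd_other_scb_timeout.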
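Review bot: in the new ahd_timeout() (@@ -9148,305 +9145,41 @@) the block comment that documented the old recovery policy disappears with ahd_recover_commands() and nothing replaces it; the new behaviour described in the mail ('timeout == bus reset') deserves a short comment above the function. The deleted code was also the writer of ahd->timedout_scbs and the SCB_TIMEDOUT flag (the removed LIST_INSERT_HEAD and `scb->flags |= SCB_TIMEDOUT`), so check whether any readers of that list or flag remain; if not they are dead state. Lastly, `char channel;` and `int found;` are declared at the top of the rewritten function but the visible part of the hunk never assigns them; make sure the reset path below uses them or drop the declarations to avoid unused-variable warnings.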
Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf
Jesper Louis Andersen wrote:
per engelbrecht wrote:

Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 'no synchronization' option for this connection. Do I need it at all. Been poking around in /usr/src/usr.sbin/bgpd without solving it, but it's needed in zebra and Cisco IOS hence the question.
A: ?

Using your own AS as a remote ASn will, per definition, make your BGP session into an internal BGP session. In the Ciscoeee world, no synchronization means to begin announcing your networks before higher priority network protocols are up and stabilized. Without you will wait for OSPF/IS-IS to stabilize first (For OSPF, there is a certain state in its state machine it has to reach for all broadcast clouds etc).

Hi jlouis

It was more of a what_can_option_[a-z] from Zebra be put on par with in OpenBGPD and/or do I need these options at all (different implementation) but thank you for your explanation.

However, in modern BGP setups, you screw OSPF/IS-IS royally and ignore the stabilization. This is viable, since you ``nail down'' your networks as CIDR aggregates (to minimize the number of BGP prefixes you announce) and give a heck about internal reachability.

Screwing IGPs from within EGPs keeps things apart, but they are (conceptually, at least in my head) still manipulating the same routing table. And yes of course I only announce our own net. Returning 120.000+ prefixes (at that time) to an eBGP peer with inferior Cisco hw works like magic - the phone rings within minutes .. and they're not returning a call :)

Oh, and while we are at Zebra: It's crap, kill it as soon as possible or install quagga. Case in point:

.. install quagga ? Nooope.

mirah% pwd
/usr/ports/net/zebra/w-zebra-0.93ap3/zebra-0.93a/ospfd
mirah% grep OSPF_LSA_HEADER ospf_lsa.c
      ospf_output_forward (s, OSPF_LSA_HEADER_SIZE);
  assert (l1->data->length > OSPF_LSA_HEADER_SIZE);
  if (memcmp (p1 + OSPF_LSA_HEADER_SIZE, p2 + OSPF_LSA_HEADER_SIZE, ntohs( l1->data->length ) - OSPF_LSA_HEADER_SIZE) != 0)
mirah%

Let's see... On the last line, we have identified that l1->data->length is in network byte order. But in the assert 2 lines up, we do _not_ have a ntohs() call. This took a medium sized ISP down in Denmark because Zebra suddenly died due to the fact, that certain packets, if certain size, will be caught by the assertion and ospfd gets to say hello to the kernel thread known as reaper man.

Q: running ospf with all peers + carp intfaces in area 0.0.0.0 and internal intfaces in area 0.0.0.1 (and from ospfd.conf)
[...]
fib-update yes
redistribute connected
[...]
This is about redistributing routes - will the above let BGP and OSPF play along in the same way a 'redistribute ospf' in Zebra/Cisco IOS
A: ?

It will push directly connected routes into OSPF. That is, if the machine has a network to which it has a direct connection in the routing table, then the rest of your OSPF speakers will learn that this network is reachable by going through this router.

Which is also what I want.

redistribute ospf in Ciscoee in the BGP section of the router configuration tells the IOS to take all OSPF learned routes and push them into BGP. This can be extremely dangerous to do, depending on the configuration.

Yes that could easily have disaster written all over it.

Q: default gateway is added to the routing table after all interfaces are configured. BGP is adding information into the routing table and so does OSPF (updates). That's 3 times redistributing of routes between different protocols and with 3 different administrative distances but still in/from the same table. Since directly connected (0) or static (1) connections are superior to e.g. eBGP (20) and OSPF (110) then should or shouldn't /etc/mygate be removed from a BGP router before putting it into production. Will it/can it mock the routing decision despite 'weight' in bgpd.conf due to the lower distance.
A: ?

A more specific route will always match. Normally, you do not need to redistribute routes between the protocols at all, considered all of your routers are running BGP as well as OSPF. BGP will then handle prefixes for external networks and OSPF will handle prefixes for internal ones in the case both BGP and OSPF have the route then BGP wins -- but note the note about specific matches ;)

Thank you for joining in jlouis.

/per [EMAIL PROTECTED]
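The byte-order bug jlouis points out above, as an added C example (not the Zebra code quoted, nor OpenBSD's ospfd): the LSA length check written the way the quoted assert does it, comparing the raw 16-bit wire field without ntohs(), beside a corrected form that converts, bounds the value against the bytes actually received, and returns an error instead of asserting on peer-supplied input. Header layout follows RFC 2328 (20-byte LSA header, length in the last two bytes); the packets are constructed for the demo.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OSPF_LSA_HEADER_SIZE 20   /* RFC 2328 A.4.1: 20-byte LSA header */
#define MAX_PKT 512               /* constructed packet buffer for the demo */

/* Wire layout of the LSA header; only the trailing length field is used. */
struct lsa_header {
    uint8_t  front[18];  /* age, options, type, LS id, adv. router, seq, cksum */
    uint16_t length;     /* total LSA length, network byte order on the wire */
};

/* Build a constructed LSA header into pkt with 'wire_len' stored as it
 * would arrive from the network (big-endian). */
static void make_lsa_header(uint8_t *pkt, uint16_t wire_len)
{
    uint16_t be = htons(wire_len);
    memset(pkt, 0, OSPF_LSA_HEADER_SIZE);
    memcpy(pkt + 18, &be, sizeof(be));
}

/* Needed because the buggy check's outcome depends on host byte order. */
bool host_is_little_endian(void)
{
    uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* The quoted assert's condition: the raw field compared as if it were in
 * host order. Returned instead of assert()ed so the outcome is visible;
 * false is exactly where the real ospfd aborted. */
bool lsa_length_check_buggy(const uint8_t *pkt)
{
    struct lsa_header h;
    memcpy(&h, pkt, sizeof(h));
    return h.length > OSPF_LSA_HEADER_SIZE;   /* missing ntohs() */
}

/* Corrected form: convert with ntohs(), bound against the bytes actually
 * received, and report a malformed LSA rather than abort on peer input. */
bool lsa_length_check_fixed(const uint8_t *pkt, size_t pkt_len)
{
    struct lsa_header h;
    if (pkt_len < OSPF_LSA_HEADER_SIZE)
        return false;
    memcpy(&h, pkt, sizeof(h));
    uint16_t len = ntohs(h.length);
    return len > OSPF_LSA_HEADER_SIZE && len <= pkt_len;
}

/* Drivers: build a constructed packet whose LSA header claims wire_len and
 * return what each check decides about it. */
bool buggy_accepts(uint16_t wire_len)
{
    uint8_t pkt[MAX_PKT] = {0};
    make_lsa_header(pkt, wire_len);
    return lsa_length_check_buggy(pkt);
}

bool fixed_accepts(uint16_t wire_len, size_t pkt_len)
{
    uint8_t pkt[MAX_PKT] = {0};
    if (pkt_len > MAX_PKT)
        return false;
    make_lsa_header(pkt, wire_len);
    return lsa_length_check_fixed(pkt, pkt_len);
}
```

On a little-endian host a perfectly valid LSA of length 256 (wire bytes 01 00) reads as 1 and trips the buggy assert, while an undersized LSA of length 10 (wire bytes 00 0a) reads as 2560 and sails through; the fixed check gets both right regardless of host order.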
smartmontools (smartd) kills system
Hi all [20051019 snap i386]

Running smartd on a SCSI/U320 based single-disk system kills the system at once! - dmesg further down. (sysctl hw.disknames=sd0,cd0,fd0)

Snip of /etc/smartd.conf
[...]
#DEVICESCAN
/dev/sd0c
/dev/sd0c -m [EMAIL PROTECTED] -M test
/dev/sd0c -d scsi -H -l error -l selftest -t -m [EMAIL PROTECTED]
/dev/sd0c -d scsi -s L/../../7/01 -m [EMAIL PROTECTED]
[...]

I can run:

smartctl -i /dev/sd0c
Device: SEAGATE ST336607LW Version: 0007
Serial number: 3JA6X87D7426SUX6
Device type: disk
Transport protocol: Parallel SCSI (SPI-4)
Local Time is: Thu Nov 3 15:07:14 2005 CEST
Device supports SMART and is Enabled
Temperature Warning Enabled

smartctl -r scsiioctl /dev/sd0c
[inquriy: 12 00 00 00 24 00 ]
status=0
Incoming data, len=36:
00 00 00 03 12 8b 00 01 3e 53 45 41 47 41 54 45 20 10 53 54 33 33 36 36 30 37 4c 57 20 20 20 20 20 20 20 30 30 30 37

I can not run:

smartctl -a /dev/sd0c
*crash*

smartctl -l selftest /dev/sd0c
Device does not support Self Test logging
( and then locks up hard).

Have added entries in syslog.conf and newsyslog.conf but the logfile is of course empty since the (damn) tool kills the server.

Anybody with a clue (any) ?

TIA

Kernel has these changes:
maxusers 64
option DUMMY_NOPS
(that's it)

dmesg:
OpenBSD 3.8-current (BGP) #1: Thu Oct 20 18:06:54 CEST 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/BGP
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem = 3220807680 (3145320K)
avail mem = 2931445760 (2862740K)
using 4278 buffers containing 161144832 bytes (157368K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 09/18/03, BIOS32 rev. 0 @ 0xf0010
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3000/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801CA LPC rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x8e00
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7501 MCH Host rev 0x01
ppb0 at pci0 dev 2 function 0 Intel E7500 MCH rev 0x01
pci1 at ppb0 bus 1
Intel 82870P2 IOxAPIC rev 0x04 at pci1 dev 28 function 0 not configured
ppb1 at pci1 dev 29 function 0 Intel 82870P2 PCI-PCI rev 0x04
pci2 at ppb1 bus 2
em0 at pci2 dev 1 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 10, address 00:04:23:bb:29:fa
em1 at pci2 dev 1 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 10, address 00:04:23:bb:29:fb
em2 at pci2 dev 2 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 10, address 00:04:23:bb:27:94
em3 at pci2 dev 2 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 10, address 00:04:23:bb:27:95
ahd0 at pci2 dev 3 function 0 Adaptec AIC-7902B U320 rev 0x10: irq 10
aic7902: U320 Wide Channel A, SCSI Id=7, PCI-X 67-100Mhz, 512 SCBs
scsibus0 at ahd0: 16 targets
ahd1 at pci2 dev 3 function 1 Adaptec AIC-7902B U320 rev 0x10: irq 10
aic7902: U320 Wide Channel B, SCSI Id=7, PCI-X 67-100Mhz, 512 SCBs
scsibus1 at ahd1: 16 targets
sd0 at scsibus1 targ 0 lun 0: SEAGATE, ST336607LW, 0007 SCSI3 0/direct fixed
sd0: 35003MB, 49855 cyl, 2 head, 718 sec, 512 bytes/sec, 71687372 sec total
Intel 82870P2 IOxAPIC rev 0x04 at pci1 dev 30 function 0 not configured
ppb2 at pci1 dev 31 function 0 Intel 82870P2 PCI-PCI rev 0x04
pci3 at ppb2 bus 3
em4 at pci3 dev 1 function 0 Intel PRO/1000MT (82541GI) rev 0x00: irq 10, address 00:30:48:70:d7:30
em5 at pci3 dev 2 function 0 Intel PRO/1000MT (82541GI) rev 0x00: irq 10, address 00:30:48:70:d7:31
ppb3 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x42
pci4 at ppb3 bus 4
vga1 at pci4 dev 4 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 Intel 82801CA LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801CA IDE rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus2 at atapiscsi0: 2 targets
cd0 at scsibus2 targ 0 lun 0: LITEON, CD-ROM LTN526, YH0X SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
Intel 82801CA/CAM SMBus rev 0x02 at pci0 dev 31 function 3 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
lm0 at isa0 port 0x290/8: W83627HF
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4:
smartmontools (smartd) kills system [trace/gdb]
Hi again

Followup on first mail with only trace/gdb info:

GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd3.8".
Core was generated by `smartctl'.
Program terminated with signal 11, Segmentation fault.
#0  0x06485b22 in ?? ()
(gdb) quit

Running 'smartctl -t long /dev/sd0c | tee test.txt' gives:
[...]
smartctl version 5.33 [i386-unknown-openbsd3.8] Copyright (C) 2002-4 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

sd0(ahd1:0:0): host adapter code inconsistency
Extended Background Self Test has begun
Please wait 12 minutes for test to complete.
Estimated completion time: Thu Nov 3 17:54:14 2005
Use smartctl -X to abort test
[...]

NB the 'sd0(ahd1...' line only appears on stdout, not in test.txt file and the test is not executed (seems obvious from the line).

I have a ktrace file that's quite long (844 lines) but I think it's too long for a list mail. If anybody is interested I'll be happy to mail it.

So far smartd will not be running on this box. I'm a little concerned about the 'adapter code inconsistency' part though.

/per [EMAIL PROTECTED]
Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf [forgot to sign it]
Claudio Jeker wrote:

On Wed, Nov 02, 2005 at 12:34:29AM +0100, per engelbrecht wrote:

Hi all

[20051019 snap i386]

I've made a setup with two identical bgp routers. On each router there's 3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting these routers and finally pipes backwards to the internal nets. Part of bgpd.conf further down. I'm replacing a single router (no ospf) fbsd/zebra setup.

That should be no problem.

Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 'no synchronization' option for this connection. Do I need it at all? Been poking around in /usr/src/usr.sbin/bgpd without solving it, but it's needed in zebra and Cisco IOS, hence the question.
A: ?

There is no 'no synchronization' option. We never enforce the synchronisation of iBGP with an IGP. That's retarded. Like pumping 170'000 routes into OSPF and thinking all will be fine. Sure you may get bitten if you have routers that do not run iBGP in between the two iBGP routers but that's more a design problem and is solvable.

Hi Claudio

Most documentation on BGP or OSPF is geared towards IOS systems or pro ISO systems like Zebra, with whatever options and syntax that comes with the territory. Finding alternatives for options like e.g. 'no synchronization' and 'no auto-summary' when changing from (in my case) Zebra to OpenBGPD is not covered too well in an otherwise fine documentation, but thank you for clarifying. A small paragraph in the bgpd.conf man page for people coming to OpenBGPD dealing with this would be nice.

Q: adding md5sig password, how can I activate these stepwise without having to take bgpd down/up and affecting all connections - ospfctl does not seem to have it as an option. Would like to add md5sig one carrier at a time on a live system.
A: ?

Just add the 'tcp md5sig password fluffy' to a neighbor and bgpctl reload. Afterwards a bgpctl neighbor fluffy_peer clear will clear the session and activate tcp md5. You can do that one peer at a time.

Check.
(thank you)

Q: running ospf with all peers + carp intfaces in area 0.0.0.0 and internal intfaces in area 0.0.0.1 (and from ospfd.conf)
[...]
fib-update yes
redistribute connected
[...]
This is about redistributing routes - will the above let BGP and OSPF play along in the same way as a 'redistribute ospf' in Zebra/Cisco IOS?
A: ?

redistribute ospf is currently not implemented. bgpd is currently not able to redistribute routes added by ospfd. This is on the todo list.

Perfect.

Q: default gateway is added to the routing table after all interfaces are configured. BGP is adding information into the routing table and so does OSPF (updates). That's 3 times redistributing of routes between different protocols and with 3 different administrative distances but still in/from the same table. Since directly connected (0) or static (1) connections are superior to e.g. eBGP (20) and OSPF (110), then should or shouldn't /etc/mygate be removed from a BGP router before putting it into production? Will it/can it mock the routing decision despite 'weight' in bgpd.conf due to the lower distance?
A: ?

Neither ospfd nor bgpd know about administrative distances. Currently it is only safe to use the two together if there are no equal routes. If both bgpd and ospfd try to add the same route to the kernel routing table it will result in undefined behaviour (mostly the first one wins). Again this is on the todo list (even before the redistribute thing).

I guess reading BGP from Cisco literature would match learning TCP/IP with books from Microsoft ... The BGP implementation in Cisco IOS uses an administrative distance, hence the question. If you mean equal routes from a 'weight' point of view, then I have a problem. So far all my peers have the same weight.

Part of bgpd.conf:
[...]
neighbor $peer0 {
	remote-as ABCD
	descr ebgp sucks
	set nexthop aaa.aaa.aaa.aab
	multihop 10
	local-address aaa.aaa.aaa.aaa
	announce self
	announce IPv6 none
	enforce neighbor-as yes
	set weight 100
	#tcp md5sig password HotPotatoes
}
...
...
neighbor $carp {
	remote-as our_own_AS
	descr internal
	local-address 172.16.0.1
	depend on em5

I think this is not doing what you think. depend on is only useful on carp(4) interfaces. It does not make sense for physical interfaces.

I have carp1 on em5. I'll change em5 to carp1 right away. Thank you.

	announce all

That's actually the default :)

I know. In every conf file I write what I want it to do (even defaults) and remove anything else. Makes it easy to parse for !me without having to know system 'default'.

	announce IPv6 none
	enforce neighbor-as no

That one as well.

Ditto. :)

	set weight 200
	#tcp md5sig password NoPotatoes
}

I have a:
deny from any prefix 172.16.0.0/12 prefixlen = 12
but the carp interface uses a /8 i.e. should be safe :)

Iick. That will cause troubles
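Claudio's answer above is the operational point of this thread: bgpd and ospfd know nothing about administrative distance, so a prefix that both daemons (or the static default from /etc/mygate) want to install lands in the kernel table in an undefined order. Before putting such a router into production it is worth listing every prefix that more than one source would install. The script below is an added example, not code from the thread or from OpenBGPD; the route sets are constructed, and the "static" entry stands in for /etc/mygate.

```python
"""List prefixes that more than one routing source would install.

Added example (not from the thread). The route sets are constructed:
"static" is the default route from /etc/mygate, "bgpd" and "ospfd" are
what each daemon would push into the kernel FIB (fib-update yes).
"""
import ipaddress
from collections import defaultdict

# Constructed sample: source -> list of (prefix, nexthop).
CONSTRUCTED_ROUTES = {
    "static": [("0.0.0.0/0", "203.0.113.1")],
    "bgpd":   [("198.51.100.0/24", "203.0.113.1"),
               ("192.0.2.0/24", "203.0.113.2"),
               ("0.0.0.0/0", "203.0.113.2")],      # a peer also sends a default
    "ospfd":  [("192.0.2.0/24", "172.16.0.2"),      # same prefix as bgpd
               ("10.10.0.0/16", "172.16.0.2")],
}


def normalise(prefix):
    """Canonical network string so 192.0.2.1/24 and 192.0.2.0/24 compare equal."""
    return str(ipaddress.ip_network(prefix, strict=False))


def find_conflicts(routes):
    """Return {prefix: {source: nexthop}} for prefixes claimed by more than one source.

    Only exact prefix matches count: a covering route with a different
    prefix length is a normal longest-match situation, not a collision.
    """
    by_prefix = defaultdict(dict)
    for source, entries in routes.items():
        for prefix, nexthop in entries:
            by_prefix[normalise(prefix)][source] = nexthop
    return {p: s for p, s in by_prefix.items() if len(s) > 1}


def report(routes):
    """One human-readable line per conflicting prefix, sorted by prefix."""
    lines = []
    for prefix, sources in sorted(find_conflicts(routes).items()):
        who = ", ".join(f"{s} via {nh}" for s, nh in sorted(sources.items()))
        lines.append(f"{prefix}: installed by {who}")
    return lines


if __name__ == "__main__":
    for line in report(CONSTRUCTED_ROUTES):
        print(line)
```

On the constructed input this reports the default route (static vs. bgpd) and 192.0.2.0/24 (bgpd vs. ospfd); either one is a case where, as Claudio says, whichever daemon writes first wins. Feeding it real data means dumping the prefixes from bgpctl and ospfctl and the contents of /etc/mygate into the same structure.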
bgpd.conf md5sig, iBGP and redistributing routes to/from ospf [forgot to sign it]
Hi all

[20051019 snap i386]

I've made a setup with two identical bgp routers. On each router there's 3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting these routers and finally pipes backwards to the internal nets. Part of bgpd.conf further down. I'm replacing a single router (no ospf) fbsd/zebra setup.

Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 'no synchronization' option for this connection. Do I need it at all? Been poking around in /usr/src/usr.sbin/bgpd without solving it, but it's needed in zebra and Cisco IOS, hence the question.
A: ?

Q: adding md5sig password, how can I activate these stepwise without having to take bgpd down/up and affecting all connections - ospfctl does not seem to have it as an option. Would like to add md5sig one carrier at a time on a live system.
A: ?

Q: running ospf with all peers + carp intfaces in area 0.0.0.0 and internal intfaces in area 0.0.0.1 (and from ospfd.conf)
[...]
fib-update yes
redistribute connected
[...]
This is about redistributing routes - will the above let BGP and OSPF play along in the same way as a 'redistribute ospf' in Zebra/Cisco IOS?
A: ?

Q: default gateway is added to the routing table after all interfaces are configured. BGP is adding information into the routing table and so does OSPF (updates). That's 3 times redistributing of routes between different protocols and with 3 different administrative distances but still in/from the same table. Since directly connected (0) or static (1) connections are superior to e.g. eBGP (20) and OSPF (110), then should or shouldn't /etc/mygate be removed from a BGP router before putting it into production? Will it/can it mock the routing decision despite 'weight' in bgpd.conf due to the lower distance?
A: ?

Part of bgpd.conf:
[...]
neighbor $peer0 {
	remote-as ABCD
	descr ebgp sucks
	set nexthop aaa.aaa.aaa.aab
	multihop 10
	local-address aaa.aaa.aaa.aaa
	announce self
	announce IPv6 none
	enforce neighbor-as yes
	set weight 100
	#tcp md5sig password HotPotatoes
}
...
...
neighbor $carp {
	remote-as our_own_AS
	descr internal
	local-address 172.16.0.1
	depend on em5
	announce all
	announce IPv6 none
	enforce neighbor-as no
	set weight 200
	#tcp md5sig password NoPotatoes
}

I have a:
deny from any prefix 172.16.0.0/12 prefixlen = 12
but the carp interface uses a /8 i.e. should be safe :)

/per [EMAIL PROTECTED]
Re: ipmi(4)
Marco Peereboom wrote:

Folks who keep track of cvs changes might have noticed a barrage of commits regarding ipmi(4). The driver is functionally complete but needs wide testing on both amd64 and i386 architectures. Jordan Hargrave (jordan@) wrote most of the code.

Let's talk a bit about ipmi(4). What is it anyway?

The ipmi term Intelligent Platform Management refers to autonomous monitoring and recovery features implemented directly in platform management hardware and firmware. The key characteristics of Intelligent Platform Management is that inventory, monitoring, logging, and recovery control functions are available independent of the main processor, BIOS, and operating system. (much more in ipmi(4)!)

If your box supports IPMI you'll see a similar line in dmesg.

ipmi0 at mainbus0: version 1.0 interface SMIC iobase 0xecf4/3 spacing 1

Great, now how does that help me?

The driver retrieves ipmi readings and publishes them via the sysctl interface. Here is the output of a Dell PowerEdge 2650:

# sysctl hw.sensors
hw.sensors.0=ipmi0, ESM Frt I/O Temp, OK, temp, 24.00 degC / 75.20 degF
hw.sensors.1=ipmi0, ESM Riser Temp, OK, temp, 26.00 degC / 78.80 degF
hw.sensors.2=ipmi0, ESM CPU 1 Temp, OK, temp, 26.00 degC / 78.80 degF
hw.sensors.3=ipmi0, ESM MB Bat Volt, OK, volts_dc, 3.18 V
hw.sensors.4=ipmi0, ESM 3.3 FP Volt, OK, volts_dc, 3.23 V
hw.sensors.5=ipmi0, ESM MB 3.3 Volt, OK, volts_dc, 3.27 V
hw.sensors.6=ipmi0, ESM MB 5 Volt, OK, volts_dc, 4.99 V
hw.sensors.7=ipmi0, ESM CPU Volt, OK, volts_dc, 1.47 V
hw.sensors.8=ipmi0, ESM MB +12 Volt, OK, volts_dc, 11.90 V
hw.sensors.9=ipmi0, ESM MB -12 Volt, OK, volts_dc, -11.97 V
hw.sensors.10=ipmi0, ESM MB 2.5 Volt, OK, volts_dc, 2.52 V
hw.sensors.11=ipmi0, ESM GB0 2.5 Volt, OK, volts_dc, 2.56 V
hw.sensors.12=ipmi0, ESM GB1 2.5 Volt, OK, volts_dc, 2.56 V
hw.sensors.13=ipmi0, ESM 5 AUX Volt, OK, volts_dc, 5.11 V
hw.sensors.14=ipmi0, ESM ROMB PK Volt, OK, volts_dc, 3.96 V
hw.sensors.15=ipmi0, ESM GB0 1.2 Volt, OK, volts_dc, 1.21 V
hw.sensors.16=ipmi0, ESM GB1 1.2 Volt, OK, volts_dc, 1.22 V
hw.sensors.17=ipmi0, ESM VTT Volt, OK, volts_dc, 1.27 V
hw.sensors.18=ipmi0, ESM MB Fan1 RPM, OK, fanrpm, 4740 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 4800 RPM
hw.sensors.20=ipmi0, ESM MB Fan4 RPM, OK, fanrpm, 7500 RPM
hw.sensors.21=ipmi0, ESM MB Fan6 RPM, OK, fanrpm, 7140 RPM
hw.sensors.22=ipmi0, ESM MB Fan7 RPM, OK, fanrpm, 7020 RPM
hw.sensors.23=ipmi0, Power Supply - 1, OK, indicator, On
hw.sensors.24=ipmi0, Power Supply - 2, CRITICAL, indicator, Off
hw.sensors.25=ipmi0, Cover Intrusion, OK, indicator, Off
hw.sensors.26=ipmi0, Bezel Intrusion, OK, indicator, Off
hw.sensors.27=safte0, temp0, OK, temp, 22.78 degC / 73.00 degF
hw.sensors.28=safte0, temp1, OK, temp, 24.44 degC / 76.00 degF

Lots of stuff! In the list you'll find core voltage measurements, fan speeds, power supply readings etc. As you can see I do not have a 2nd power supply in this box.

Nifty, now lets open up the chassis and see what happens.

hw.sensors.25=ipmi0, Cover Intrusion, CRITICAL, indicator, On

As you can see the Cover Intrusion went to critical. Now lets pull a fan.

hw.sensors.18=ipmi0, ESM MB Fan1 RPM, CRITICAL, fanrpm, 0 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 7980 RPM
hw.sensors.20=ipmi0, ESM MB Fan4 RPM, OK, fanrpm, 7380 RPM
hw.sensors.21=ipmi0, ESM MB Fan6 RPM, OK, fanrpm, 7140 RPM
hw.sensors.22=ipmi0, ESM MB Fan7 RPM, OK, fanrpm, 7020 RPM

Fan1 went critical but also the speed of Fan2 went up to compensate. Lets pull another fan.

hw.sensors.18=ipmi0, ESM MB Fan1 RPM, CRITICAL, fanrpm, 0 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 7980 RPM
hw.sensors.20=ipmi0, ESM MB Fan4 RPM, CRITICAL, fanrpm, 0 RPM
hw.sensors.21=ipmi0, ESM MB Fan6 RPM, OK, fanrpm, 7200 RPM
hw.sensors.22=ipmi0, ESM MB Fan7 RPM, OK, fanrpm, 7020 RPM

Now lets stick them back in.

hw.sensors.18=ipmi0, ESM MB Fan1 RPM, OK, fanrpm, 4740 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 4800 RPM
hw.sensors.20=ipmi0, ESM MB Fan4 RPM, OK, fanrpm, 7320 RPM
hw.sensors.21=ipmi0, ESM MB Fan6 RPM, OK, fanrpm, 7140 RPM
hw.sensors.22=ipmi0, ESM MB Fan7 RPM, OK, fanrpm, 7020 RPM

Ah look at that, both fans are happy again and Fan2 slowed down. Lets put the cover back on.

hw.sensors.25=ipmi0, Cover Intrusion, OK, indicator, Off

And the box is all happy again. Combine this with sensorsd(8) and you can have email, pagers, sirens, fog horns and other alerting mechanisms go off.

What's next?

We'll continue to add sensor types that make sense to report. Another thing that needs to happen is the reporting of threshold values and a mechanism to change these values. All that is in the future though.

Cool, what can I do?

Test! We need wide testing on systems that have IPMI. I bet there has to be some tuning to work around timing differences between platforms. The current code was tested on Intel, Dell and Sun boards.
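Marco's walk-through (open the cover, pull a fan, watch the status column flip) is exactly the signal a sensorsd(8)-style watcher acts on: the interesting event is a sensor leaving OK, not the absolute reading. The script below is an added example, not code from the post or from the ipmi(4) driver or sensorsd; it parses the sysctl hw.sensors line format shown above into records, lists everything not OK, and diffs two snapshots so only transitions into a bad state are reported. The two snapshots are assembled from the sensor lines in Marco's post (before and after the cover is opened and Fan1 pulled).

```python
"""Parse sysctl hw.sensors output and report status transitions.

Added example, not part of the ipmi(4) post or of sensorsd(8). The
snapshots are assembled from the lines Marco posted; the parse and
diff logic is what a small alerting hook would do with them.
"""
import re

# hw.sensors.N=device, name, status, type, value
LINE_RE = re.compile(
    r"^hw\.sensors\.(?P<idx>\d+)=(?P<dev>[^,]+),\s*(?P<name>[^,]+),\s*"
    r"(?P<status>[^,]+),\s*(?P<type>[^,]+),\s*(?P<value>.*)$"
)

BEFORE = """\
hw.sensors.18=ipmi0, ESM MB Fan1 RPM, OK, fanrpm, 4740 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 4800 RPM
hw.sensors.20=ipmi0, ESM MB Fan4 RPM, OK, fanrpm, 7500 RPM
hw.sensors.24=ipmi0, Power Supply - 2, CRITICAL, indicator, Off
hw.sensors.25=ipmi0, Cover Intrusion, OK, indicator, Off
"""

AFTER = """\
hw.sensors.18=ipmi0, ESM MB Fan1 RPM, CRITICAL, fanrpm, 0 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 7980 RPM
hw.sensors.20=ipmi0, ESM MB Fan4 RPM, OK, fanrpm, 7380 RPM
hw.sensors.24=ipmi0, Power Supply - 2, CRITICAL, indicator, Off
hw.sensors.25=ipmi0, Cover Intrusion, CRITICAL, indicator, On
"""


def parse_sensors(text):
    """Map sensor name -> {device, status, type, value}; non-matching lines are skipped."""
    sensors = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sensors[m["name"].strip()] = {
            "device": m["dev"].strip(),
            "status": m["status"].strip(),
            "type": m["type"].strip(),
            "value": m["value"].strip(),
        }
    return sensors


def alerts(sensors):
    """Names of sensors whose status is anything other than OK (sorted)."""
    return sorted(n for n, s in sensors.items() if s["status"] != "OK")


def changed(before, after):
    """Status transitions between two snapshots as (name, old, new), sorted."""
    out = []
    for name, new in after.items():
        old = before.get(name)
        if old is not None and old["status"] != new["status"]:
            out.append((name, old["status"], new["status"]))
    return sorted(out)


def new_alerts(before, after):
    """Only transitions into a non-OK state: the ones worth paging on.

    The missing second power supply is already CRITICAL in both snapshots,
    so it is deliberately not reported again here.
    """
    return [c for c in changed(before, after) if c[2] != "OK"]


if __name__ == "__main__":
    for name, old, new in new_alerts(parse_sensors(BEFORE), parse_sensors(AFTER)):
        print(f"{name}: {old} -> {new}")
```

Run against the two snapshots it reports only Cover Intrusion and Fan1 going CRITICAL; the permanently missing second power supply stays in alerts() but not in new_alerts(), which is the distinction you want between a dashboard and a pager.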
Re: congrats on OpenBSD SAN... one little question
Nick Holland wrote:

Jason Dixon wrote:

On Oct 20, 2005, at 1:49 PM, Joe Advisor wrote:

Congrats on the cool OpenBSD SAN installation. I was wondering how you are dealing with the relatively large filesystem. By default, if you lose power to the server, OpenBSD will do a rather long fsck when coming back up. To alleviate this, there are numerous suggestions running around that involve mounting with softdep, commenting out the fsck portion of rc and doing mount -f. Are you doing any of these things, or are you just living with the long fsck? Thanks in advance for any insight into your installation you are willing to provide.

This is just a subversion repository server for a bunch of developers. There are no dire uptime requirements, so I don't see a lengthy fsck being an issue. Not to mention the hefty UPS keeping it powered. Sorry if this doesn't help you out, but it's not a big problem on my end (thankfully). If it was, I would have just created many slices and distributed projects equally across them.

I'm working on a couple big storage applications myself, and yes, this is what I'm planning on doing, as well. In fact, one app I'm going to be turning on soon will be (probably) using Accusys 7630 boxes with about 600G storage each, and I'll probably split that in two 300G pieces for a number of reasons:

1) shorter fsck
2) If a volume gets corrupted, less to restore (they will be backed up, but the restore will be a pain in the butt)
3) Smaller chunks to move around if I need to
4) Testing the storage rotation system more often (I really don't want my app bumping from volume to volume every six months...I'd rather see that the rotation system is Not Broke more often, with of course, enough slop in the margins to have time to fix it if something quit working.)
5) Cost benefit of modular storage. Today, I can populate an ACS7630 (three drive, RAID5 module) with 300G drives for probably $900. I could populate it with 400G drives for $1200. That's a lotta extra money for 200G more storage. Yet, if I buy the 300G drives in a couple storage modules today, and in about a year when those are nearing full, replace them with (then much cheaper) 500G (or 800G or ...) drives, I'll come out way ahead. Beats the heck out of buying a single 3+TB drive array now and watching people point and laugh at it in a couple years when it is still only partly full, and you can buy a bigger single drive at your local office supply store. :)

With this system, I can easily add-on as we go, and more easily throw the whole thing away when I decide there is better technology available.

Would I love to see the 1T limit removed? Sure. HOWEVER, I think I would handle this application the exact same way if it didn't exist (that might not be true: I might foolishly have plowed ahead with the One Big Pile philosophy, and regretted it later).

Hi Nick

We can argue back and forth on the pros and cons of building 1TB partitions or not, but the need for these giant allocations is real enough and from a common/broader view (small business) the demand is also moving closer and closer. At work we have a disk-to-disk backup server (for customers) with one 1.5TB (SATA raid5) backup partition. The app works that way and if each customer started using it and used =20GB per customer, we would need at least 3.5TB more disk space. Breaking up in smaller chunks is not always possible/practical. I would appreciate an unlimited filesystem one day - but not at the cost of potentially losing data!

I would also just love to see OpenBSD large-scale enterprise SAN/NAS solutions in the LISA program some day :)

/per [EMAIL PROTECTED]

For this application, the shorter fsck is not really an issue. In fact, as long as the archive gets back up within a week or two, it's ok -- the first stage system is the one that's time critical...and it is designed to be repairable VERY quickly, and it can temporarily hold a few weeks worth of data. :)

Nick.
Re: iptables vs pf
Edy Purnomo wrote:

i suggested to my friend to replace his linux box with openbsd. he uses it mainly for internet gateway : pf + squid proxy. after 2 weeks later he switched it back to linux and said : linux is much faster to respond to the http requests (he had the same configuration on openbsd, pf + squid proxy). is there any program that can prove what he says ? thanks.

No.

If your friend prefers Linux then fine, but his speed statement is wrong (unless he'd misconfigured something due to a lack of knowledge on OpenBSD .. or pf .. or squid .. or run unsupported hw .. or ..).

BTW Edy, statements (in particular tux_userland_mock-up_no_79_glued_on_kernel_no_61_aka_slashdotoftheweek [heck, it even got its own place on securityfocus.com] vs. OpenBSD) without anything but the statement are useless in any respect. In fact it appears borderline trollish. If this friend of yours has a problem with an OpenBSD installation, then tell him to address this list and he will get all the help he needs.

/per [EMAIL PROTECTED]

-edy-
Re: pf and ospf
Claudio Jeker wrote:

On Mon, Oct 17, 2005 at 04:32:26PM -0400, stan wrote:

What ports do I need to open up on a pf firewall to allow it to send/receive ospf?

pass proto ospf

Hm, that's very short (but parsing the rule works).

Actually I'm building an OpenBSD/OpenBGPD/OSPF/PF [3.8 20051010 snap] as a replacement for a fbsd/zebra/ospf box. The pf setup is somewhat hairy with 3 peers, 1 subnet for hosting, 1 subnet for infrastructure, queueing, spamd (incoming only), carp (for the next obsd box with 3 more peers/redundancy) and what not.

I've made rules for 179/tcp but could I actually just do:

pass proto egp

? Would still like it more specific than the above, but maybe not as specific as I've made it so far. My old setup has 3yrs on its back and is a bit bulky (ipfw).

The transition from fbsd to obsd will be:
- switch cables
- power on
- check prefix/connections
- check rules/availability
- everybody's happy

which is why an initial set of effective rules for bgp and ospf is mandatory (every rule is mandatory, but I have plenty on my hands the first 10min besides lack of connection due to a too strict setup).

Thank you very much.

/per [EMAIL PROTECTED]
Re: pf and ospf
Henning Brauer wrote:

* per engelbrecht [EMAIL PROTECTED] [2005-10-18 14:36]:

Claudio Jeker wrote:

On Mon, Oct 17, 2005 at 04:32:26PM -0400, stan wrote:

What ports do I need to open up on a pf firewall to allow it to send/receive ospf?

pass proto ospf

Hm, that's very short (but parsing the rule works).

Actually I'm building an OpenBSD/OpenBGPD/OSPF/PF [3.8 20051010 snap] as a replacement for a fbsd/zebra/ospf box. The pf setup is somewhat hairy with 3 peers, 1 subnet for hosting, 1 subnet for infrastructure, queueing, spamd (incoming only), carp (for the next obsd box with 3 more peers/redundancy) and what not.

I've made rules for 179/tcp but could I actually just do:

pass proto egp

?

bgp uses tcp, no special protocol.

pass in on dc2 inet proto tcp from $workix_lan to $workix_ip port 179 keep state
pass out on dc2 inet proto tcp to $workix_lan port 179 keep state

Check. Thank you Henning.

/per [EMAIL PROTECTED]

etc
Re: OpenBSD's 10th birthday
On 10/18/05, Theo de Raadt [EMAIL PROTECTED] wrote: Now it is really OpenBSD's 10th birthday ;) Greetings from Denmark and thank you all for OpenBSD (The TAO of Operatingsystems) and anything related. /per [EMAIL PROTECTED]
Re: OpenBGPD sizing
Claudio Jeker wrote:

On Thu, Sep 29, 2005 at 02:39:15AM +0200, per engelbrecht wrote:

per engelbrecht wrote:

Stuart Henderson wrote:

How much RAM might I want in order to accept full views from 2-3 peers? Thanks.

Running 3 peers, full table (170.097 prefixes) uses 317MB ram all included.

Just to avoid any misinterpretation, that is for the BGP part only. (.. ram all included)

Are you running -current or 3.7? The old pre mmap malloc had a nasty bug that caused memory fragmentation. Here is one of my boxes:

[EMAIL PROTECTED]:~ ps axl | grep bgp
0 23225 1 0 2 20 6292 6636 poll Is?? 43:17.45 bgpd: paren
75 12481 23225 0 2 20 239896 240332 poll I ?? 167:21.94 bgpd: rout
75 16989 23225 0 2 20 1916 2304 poll I ?? 26:39.54 bgpd: sessi

240M RDE for 10 full views plus additional non full ones (1.8Mio prefixes). I never got it to 300M with three full views.

I'm not running obsd on either of the boxes yet. Waiting for 3.8 (I prefer STABLE for production). I'm still running fbsd/zebra, but it'll give Stuart an in_the_neighborhood_of idea.

/per [EMAIL PROTECTED]
Re: OpenBGPD sizing
per engelbrecht wrote:

Stuart Henderson wrote:

How much RAM might I want in order to accept full views from 2-3 peers? Thanks.

Running 3 peers, full table (170.097 prefixes) uses 317MB ram all included.

Just to avoid any misinterpretation, that is for the BGP part only. (.. ram all included)

/per [EMAIL PROTECTED]
Re: OpenBGPD sizing
Stuart Henderson wrote: How much RAM might I want in order to accept full views from 2-3 peers? Thanks. Running 3 peers, full table (170.097 prefixes) uses 317MB ram all included. /per [EMAIL PROTECTED]
Re: Nmap -O... will it be fixed some day?
Lukasz Sztachanski wrote: [...] doesn't think so; try to disable pf ;) Probably it's a matter of pf`s traffic normalization. [...] Or use; pass in quick on $xxx all allow-opts on int used specific(!) for nmap, snort et al. /per [EMAIL PROTECTED]
Re: ARP Poisoning
Artur Grabowski wrote:

Miroslav Kubik [EMAIL PROTECTED] writes:

Hello

In our intranet there is an attacker who is flooding the OpenBSD router with ARP requests. Due to this we have trouble with the internet connection. Is there a way to protect the server against an ARP poisoning attack?

Excuse me? You have an attacker inside your intranet? The best way to protect against that kind of attack is a baseball bat. Or security guards who show the person where the door is and a lawyer who hands over the lawsuit. This is a social problem, don't solve it with a technical solution.

//art

messages in /var/log/messages

Aug 6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.249 by 00:e0:98:be:d3:cd on rl0
Aug 6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.246 by 00:e0:98:c5:8b:b9 on rl0
Aug 6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.245 by 00:e0:98:c5:9b:c5 on rl0
Aug 6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.242 by 00:e0:98:c5:8b:b9 on rl0

and still continues

S pozdravem / Best Regards
Miroslav Kubik
IT Specialist
Enterprise Server Farms

Have not read all mails in this thread (sorry) but an easy solution to this problem is to run 'static-mac' on all int on your switches a.k.a. mac-lockdown (requires that you can manage your sw and the sw has this option). If you can't do that, you're in for a rough ride. If you can, or can get help to do so, read on.

For mac-lockdown to have max effect, you'll have to have a list of the original MAC connected to each int on each sw = you can't trust the current arp entries on the sw(s). The alternative is to extract the arp entries from the sw and use it to do the lockdown. If you already have the fake MAC, then use the same table to find the int where the box is connected. Downside to this approach is that you might lock a fake MAC to the int it is connected to, but don't worry, you can correct this later.

Most (but not all) arp-cache-poisoning is done with a home-made script or tool e.g. 'angst' and is triggered as a cronjob and then followed by whatever the attacker will run with his/her new temporary 'identity'. This automation can be to your advantage. The first time a MAC is changed on an end-node after you've made the lockdown, the box will be blocked from the network. This is irreversible and will be written to the security-log on the sw with date, int, MAC and so on, and if the box is accessed remotely then the hunting is over. If the attacker is sitting in front of the box the MAC can be reversed, but it will not help the poor sucker's kneecaps when you kick down the door with a sledgehammer in your hands.

Happy hunting.

P.S. arp entries don't live forever in the arp-table. When you hunt attackers like this, move fast.

/per [EMAIL PROTECTED]
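Before touching the switch configuration described above you need the mapping of MAC addresses to claimed IPs, and the kernel's "arp info overwritten" messages already contain it. The script below is an added example, not code from the thread; it parses the four lines Miroslav posted (plus any others in the same format) and pulls out the two signals that distinguish poisoning from an honest NIC swap: one MAC overwriting entries for several IPs, and a burst of overwrites inside a single second on one interface. A third check, an IP whose owner MAC keeps flapping, is included for longer logs, and is empty on this short sample.

```python
"""Pull ARP-poisoning indicators out of OpenBSD 'arp info overwritten' lines.

Added example, not from the thread. The LOG constant holds the four
lines Miroslav posted; the detection logic is mine.
"""
import re
from collections import defaultdict

ARP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /bsd: "
    r"arp info overwritten for (?P<ip>[\d.]+) by (?P<mac>[0-9a-f:]{17}) on (?P<ifn>\S+)$"
)

LOG = """\
Aug 6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.249 by 00:e0:98:be:d3:cd on rl0
Aug 6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.246 by 00:e0:98:c5:8b:b9 on rl0
Aug 6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.245 by 00:e0:98:c5:9b:c5 on rl0
Aug 6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.242 by 00:e0:98:c5:8b:b9 on rl0
"""


def parse_arp_log(text):
    """One dict per matching line with ts, host, ip, mac, ifn; other lines ignored."""
    events = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def macs_claiming_many(events, threshold=2):
    """MACs that overwrote entries for `threshold` or more distinct IPs.

    A real host moving to a new NIC changes one IP's MAC; a poisoner
    answers for many IPs with its own MAC. Returns {mac: [ips]}.
    """
    ips = defaultdict(set)
    for e in events:
        ips[e["mac"]].add(e["ip"])
    return {mac: sorted(v) for mac, v in ips.items() if len(v) >= threshold}


def burst_seconds(events, threshold=3):
    """(timestamp, interface) pairs with `threshold` or more overwrites in one second."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["ts"], e["ifn"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def flapping_ips(events):
    """IPs whose owner MAC changed more than once, in log order: {ip: [macs]}."""
    macs = defaultdict(list)
    for e in events:
        if not macs[e["ip"]] or macs[e["ip"]][-1] != e["mac"]:
            macs[e["ip"]].append(e["mac"])
    return {ip: m for ip, m in macs.items() if len(m) > 1}


if __name__ == "__main__":
    ev = parse_arp_log(LOG)
    print("MACs claiming several IPs:", macs_claiming_many(ev))
    print("Bursts:", burst_seconds(ev))
    print("Flapping IPs:", flapping_ips(ev))
```

On the posted lines the MAC 00:e0:98:c5:8b:b9 claims both .242 and .246 within the same second on rl0, which is the entry to take to the switch's MAC table to find the port, as the post describes. Feed it `grep 'arp info overwritten' /var/log/messages` for a real run; lowering `threshold` on `macs_claiming_many` makes it noisier, raising it makes it miss slow poisoners.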
Re: PHP or Mysql problem?
James Strandboge wrote:

On Wed, 2005-06-15 at 11:30 +0200, Nico Meijer wrote:

Hi Kiraly,

mysql error: Can't create/write to file '/tmp/ #sql_4c99_0.MYD' (Errcode: 9)

MySQL problem. Simple suggestions, not idiot-proof:

I prefer this on OpenBSD 3.6 (should be same on 3.7):

Add to /etc/login.conf:

#
# for mysql to work right
#
mysql:\
	:datasize=infinity:\
	:maxproc=infinity:\
	:openfiles-cur=2048:\
	:openfiles-max=8192:\
	:stacksize-cur=8M:\
	:localcipher=blowfish,8:\
	:tc=default:

sudo vipw and change the login class for _mysql to 'mysql'.

Hmm .. why don't you just add a _mysql login profile in login.conf in the first place instead of adding oldstyle mysql and then changing the pw db? Seems backwards to me.

/per [EMAIL PROTECTED]

To use this class, you MUST use 'sudo -c mysql -u _mysql', like this (can be put in /etc/rc.local):

sudo -c mysql -u _mysql /usr/local/sbin/mysql.server start

This may be useful as well (can also put in /etc/sysctl.conf):

sudo sysctl -w kern.maxfiles=16384

And finally, add to /etc/my.cnf on (OpenBSD 3.6 with mysql 4.0.20):

[mysqld]
...
open-files=1000
...

Jamie Strandboge
Re: MySQL issues
John Tate wrote:

Right, I created a hardlink of the socket into /var/www/mysql/mysql.sock and changed this directive in php.ini to the following...

mysql.default_socket = /var/www/mysql/mysql.sock

I however could not find the my.cnf file, where is it on OpenBSD 3.6? I did a find / | grep my.cnf which showed up nothing.

Hi John

The 'my.cnf' is a file you make yourself (both on server and on clients) depending on your needs. A bit like you do with 'boot.conf' and 'mk.conf'. On the server you place it in /etc for global options. On the client you place it in ~. I use it for e.g. SSL (*.pem locations) on the server and client, and on the client also for hosts, compress and other features.

The mysql people have a brilliant site/documentation! I'm not particularly thrilled about SAMS but they've published a few brilliant books on both MySQL and PostgreSQL.

MySQL, 3ed (new) ISBN 0672326736 Paul DuBois
PostgreSQL ISBN 0735712573 Korry Douglas/Susan Douglas

/per [EMAIL PROTECTED]

From phpinfo()...

MySQL Support enabled
Active Persistent Links 0
Active Links 0
Client API version 4.0.20
MYSQL_MODULE_TYPE external
MYSQL_SOCKET /var/run/mysql/mysql.sock
MYSQL_INCLUDE -I/usr/local/include/mysql
MYSQL_LIBS -L/usr/local/lib -lmysqlclient

Directive                Local Value                   Master Value
mysql.allow_persistent   On                            On
mysql.connect_timeout    60                            60
mysql.default_host       no value                      no value
mysql.default_password   no value                      no value
mysql.default_port       no value                      no value
mysql.default_socket     /var/www/mysql/mysql.sock     /var/www/mysql/mysql.sock
mysql.default_user       no value                      no value
mysql.max_links          Unlimited                     Unlimited
mysql.max_persistent     Unlimited                     Unlimited
mysql.trace_mode         Off                           Off
Re: MySQL upgrade to 4.1.12 packages files
Daniel Ouellet wrote: datasize, maxproc and openfiles values should then be ... ? Value really varies for your setup. But you can't run the full tests, or benchmark test with the default value. You can however run individual tests and they will terminate well, but the run-full-test will not until you increase the openfiles value and change the login.conf. I know these values depend on setup, utilization and more, but if you had the-perfect-blend for a workhorse for this new port, it would be nice. You've done some testing already. That's all. respectfully /per [EMAIL PROTECTED]
Re: MySQL upgrade to 4.1.12 packages files
Daniel Ouellet wrote: Hi, [...] So, here is my first port to bring the in tree MySQL version to the latest stable recommended version 4.1.12. All works on AMD64 and I386. I also added one more package for the benchmark as well as I use that too to test my port. It's complete then :) I did all the tests with the test suite, crash-me as well as the full benchmark and all pass very well after you adjust the max openfile as well as the resource in login.conf for the user _mysql. datasize, maxproc and openfiles values should then be ... ? Results for the test suite run: All 278 tests were successful. Summary results for the benchmark tests. All 9 test executed successfully Looking good Daniel. [...] I also have put the complete packages for amd64 here as well for testing if you like to do so. http://openbsdsupport.org/packages/amd64/ [...] Feedback, good or bad is welcome! I'll let you know by monday or tuesday. Regards. Daniel respectfully /per [EMAIL PROTECTED]
Re: Linuxwochen Vienna 2005, May 24 - 27, 2005, Vienna, Austria.
Wim Vandeputte wrote: Hey, I'm on my way to Vienna now for the Linuxwochen, May 24 - 27, 2005 Reinhard and me will be in the MuseumsQuartier from Wednesday 25 to answer your questions or just meet people for a chat and drinks Wim. Hi Wim A little off topic and for whatever it's worth; - I find all the work that you do (OpenBSD advocacy, support et al) and all the traveling (saw you last time in Copenhagen at LF05) very admirable. I do my part as well (another order of magnitude downscale) but you manage to be everywhere. Thumbs up Wim. respectfully /per [EMAIL PROTECTED]
Re: OBSD 3.7 ports -- mysql
Daniel Ouellet wrote:

Just FYI. I am finishing up a port that hopefully will be put in for MySQL 4.1.12, their latest recommended stable version.

Hi Daniel

That's brilliant!

So far all works well and passes all the test suite stuff, with the exception that I have to create three hard links to make it work still, but I am working on correcting that. Would be nice to get some testing as well. I use it without problem so far.

I'm about to launch a [3.7 AMD64 GENERIC.MP] mysql server (mysql backend for a lot of servers / production environment) and would like to test and use the new MySQL 4.1.12

I have the packages for i386 and amd64 ready for all clients, servers, and test, or the files if you want to make your own compile from source.

pkg would be nice.

I haven't sent it in yet to port@ as I am almost all there, not to my liking yet, but it does work and is all complete for the clients and servers part. I am still struggling with the tests part a bit. I have amd64 done on stable 3.7 and i386 done on stable 3.6. Testing if you want, may be good to do!

Gimmi, gimmi, gimmi.

I can make the packages available if you like, or my files for making your own from source.

Works for me... Keep up the good work.

respectfully
/per [EMAIL PROTECTED]

Daniel
Re: OBSD 3.7 ports -- mysql
Daniel Ouellet wrote:
> Per Engelbrecht wrote:
>> I'm about to launch a [3.7 AMD64 GENERIC.MP] mysql server (mysql backend
>> for a lot of servers / production environment) and would like to test
>> and use the new MySQL 4.1.12
>>
>>> I have the packages for i386 and amd64 ready for all clients, servers,
>>> and test, or the files if you want to make your own compile from source.
>>
>> pkg would be nice.
>
> You can get it from here for now for your amd64:
>
> http://openbsdsupport.org/packages/amd64/

Check and done.

> You will need to install the package p5-DBD-mysql-2.9004.tgz, but that's
> already available on the main site. So, get it from there. Then install
> the client and server. I didn't release the test suite as it doesn't go
> in the right place yet and I haven't finished the testing on it.

Fine by me Daniel.

> You can use these, but it will be better in a few days. May be two or
> so. I don't expect any changes in these two, but you never know.

The server should be running a.s.a.p (as usual) and I'll start working on the sql part now and do some testing. If you come up with radical changes within the next couple of days or so, I'll take it from there.

> Feedback would be welcome, but heavy testing would be best before using
> in production obviously!

I'll give you feedback and yes, testing in production is always a risky business. The other servers using the sql-server will be assigned one by one i.e. I have time to fix things with your help (*) before any major disaster strikes.
(* = with your updates that is)

> Have fun!

Thank you.

> Daniel
>
> PS: I will let you know when the final packages are done if there are
> any changes on them.

I would appreciate that very much.

respectfully
/per
[EMAIL PROTECTED]
Re: apache2, webdav
Mike Gould wrote:
> Hi
>
> Has anyone got any advice for installing apache2 on openbsd 3.6 (stable).
> There seems to be a port for freebsd but nothing for openbsd. If I start
> from the apache source what kinds of things will I need to change?

Hi Mike

httpd on OpenBSD will get you all the way. It's integrated(*), fast and secure. Installing apache2 will be a step backwards. Search the list. The last time it was asked it was labeled kind of too much work and too little to gain.

* configure + start and you're on your way.

> Also what's the consensus on webdav? Can it be made secure?

By ssl and systrace maybe.

/per
[EMAIL PROTECTED]

> Thanks
>
> Mike
OpenBSD 3.7 and 'tcpdump' problems [amd64]
Hi all

I'm having a peculiar problem with 'tcpdump' on an OpenBSD 3.7 (20050404 snap) amd64. ('dmesg' + 'sysctl' + 'fstab' are below)

tcpdump with 0-2 flags = output.
tcpdump with 3-x flags = no output.
tcpdump with x flags and '-w' = none written at all.

When 'tcpdump' is stopped I receive normal 'tcpdump' statistics i.e. something must be working. No error-logs to guide me.

EXAMPLE:

$ sudo tcpdump -n -i em1
= output.

$ sudo tcpdump -e -n -i em1 -s 1515 src net xxx.xxx.xxx.0 and not arp
= no output.

$ sudo tcpdump -e -n -i em1 -s 1515 -w /data/tcpdumps/20050509_all.lpc src net xxx.xxx.xxx.0 and not arp
= none written.

Why in the name of somebody is 'tcpdump' semi-working and why can't 'tcpdump' write to a file. I have not seen this before, ever. I'm no tcpdump-newbie and this server has, with OpenBSD 3.6 and a single cpu and the same nic's, been running tcpdump just fine. The extra cpu is for psql, syslog-ng, snort, honeyd et al.

respectfully
/per
[EMAIL PROTECTED]

## dmesg, sysctl and fstab below:

## dmesg:
OpenBSD 3.7-current (GENERIC.MP) #0: Thu Apr 14 23:24:22 CEST 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2147086336 (2096764K)
avail mem = 1836515328 (1793472K)
using 22937 buffers containing 214917120 bytes (209880K) of memory
mainbus0 (root)
mainbus0: Intel MP Specification (Version 1.1) (TYAN S2882 )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Opteron(tm) Processor 242, 1594.16 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,NXE,MMXX,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: apic clock running at 199236672Hz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Opteron(tm) Processor 242, 1593.89 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,NXE,MMXX,LONG,3DNOW2,3DNOW
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
mpbios: bus 0 is type PCI
mpbios: bus 1 is type PCI
mpbios: bus 2 is type PCI
mpbios: bus 3 is type PCI
mpbios: bus 4 is type ISA
ioapic0 at mainbus0 apid 2: pa 0x83875e24, version 11, 24 pins
ioapic1 at mainbus0 apid 3: pa 0x83875d24, version 11, 4 pins
ioapic2 at mainbus0 apid 4: pa 0x83875c24, version 11, 4 pins
pci0 at mainbus0 bus 0: configuration mode 1
ppb0 at pci0 dev 6 function 0 AMD 8111 PCI-PCI rev 0x07
pci1 at ppb0 bus 3
ohci0 at pci1 dev 0 function 0 AMD 8111 USB rev 0x0b: apic 2 int 19 (irq 10), version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: AMD OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
ohci1 at pci1 dev 0 function 1 AMD 8111 USB rev 0x0b: apic 2 int 19 (irq 10), version 1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: AMD OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
pciide0 at pci1 dev 5 function 0 CMD Technology SiI3114 SATA rev 0x02: DMA
pciide0: using apic 2 int 19 (irq 10) for native-PCI interrupt
pciide0: port 0: device present, speed: 1.5Gb/s
wd0 at pciide0 channel 0 drive 0: Maxtor 6B250S0
wd0: 16-sector PIO, LBA48, 239372MB, 490234752 sectors
wd0(pciide0:0:0): using BIOS timings, Ultra-DMA mode 6
pciide0: port 1: device present, speed: 1.5Gb/s
wd1 at pciide0 channel 1 drive 0: Maxtor 6B250S0
wd1: 16-sector PIO, LBA48, 239372MB, 490234752 sectors
wd1(pciide0:1:0): using BIOS timings, Ultra-DMA mode 6
vga1 at pci1 dev 6 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
AMD AMD8111 LPC rev 0x05 at pci0 dev 7 function 0 not configured
pciide1 at pci0 dev 7 function 1 AMD 8111 IDE rev 0x03: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide1 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TEAC, CD-232E, 1.0A SCSI0 5/cdrom removable
cd0(pciide1:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide1: channel 1 disabled (no drives)
AMD 8111 SMBus rev 0x02 at pci0 dev 7 function 2 not configured
AMD 8111 ACPI rev 0x05 at pci0 dev 7 function 3 not configured
ppb1 at pci0 dev 10 function 0 AMD 8131 PCIX rev 0x12
pci2 at ppb1 bus 2
bge0 at pci2 dev 9 function 0 Broadcom BCM5704C rev 0x03, BCM5704 A3 (0x2003): apic 3 int 0 (irq 5) address 00:e0:81:2d:9d:5a
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci2 dev 9 function 1 Broadcom
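One thing worth checking in the two filters that produce nothing is what `src net xxx.xxx.xxx.0` compiles to. pcap-filter(7) documents that the argument of `net` gets its mask from how many octets are written: a dotted quad is masked with 255.255.255.255 (which is really a host match), a dotted triple with 255.255.255.0, a dotted pair with 255.255.0.0 and a single number with 255.0.0.0, unless an explicit `/len` or `mask` follows. The following is an added example, not code from the thread or from tcpdump, that implements that documented rule in Python and runs it over a constructed packet list (the addresses and packets are made up for the demonstration):

```python
"""
Added example (not from the thread): the netmask that libpcap's `net`
qualifier implies for a dotted IPv4 network number, per pcap-filter(7).
Names from /etc/networks are not handled here.
"""
import ipaddress
from typing import Iterable, List, Tuple


def _pad(addr: str) -> str:
    """Right-pad a short dotted form with zero octets: '10.1' -> '10.1.0.0'."""
    octets = addr.strip().split(".")
    return ".".join(octets + ["0"] * (4 - len(octets)))


def net_qualifier_to_network(spec: str) -> ipaddress.IPv4Network:
    """Parse the argument of a `net` primitive into an IPv4 network.

    "a.b.c.d mask m" and "a.b.c.d/len" use the explicit mask; a bare
    dotted form gets 8 bits of mask per octet written, so a dotted quad
    becomes a /32 host match even when its last octet is 0.
    """
    spec = spec.strip()
    if " mask " in spec:
        addr, mask = spec.split(" mask ", 1)
        return ipaddress.IPv4Network((_pad(addr), mask.strip()), strict=False)
    if "/" in spec:
        addr, plen = spec.split("/", 1)
        return ipaddress.IPv4Network((_pad(addr), int(plen)), strict=False)
    octets = spec.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not a dotted IPv4 network number: {spec!r}")
    implied_prefix = 8 * len(octets)  # quad -> /32, triple -> /24, pair -> /16, single -> /8
    return ipaddress.IPv4Network((_pad(spec), implied_prefix), strict=False)


def src_net_matches(spec: str, packets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (src, dst) packets that `src net <spec>` would select."""
    net = net_qualifier_to_network(spec)
    return [p for p in packets if ipaddress.IPv4Address(p[0]) in net]


# Constructed sample traffic as (source, destination) pairs; not real captures.
SAMPLE_PACKETS = [
    ("10.1.2.7", "192.0.2.10"),
    ("10.1.2.200", "192.0.2.11"),
    ("10.1.3.5", "192.0.2.12"),
    ("198.51.100.9", "10.1.2.7"),
]

if __name__ == "__main__":
    for spec in ("10.1.2.0", "10.1.2", "10.1.2.0/24",
                 "10.1.2.0 mask 255.255.255.0", "10.1"):
        hits = src_net_matches(spec, SAMPLE_PACKETS)
        print(f"src net {spec:<28} -> {net_qualifier_to_network(spec)}"
              f"  matches {len(hits)} packet(s)")
```

The dotted-quad form selects only packets whose source is exactly the .0 address, so on a normal network it matches nothing, while `10.1.2`, `10.1.2.0/24` and the `mask` form all select the /24. `tcpdump -d 'src net 10.1.2.0'` prints the compiled BPF program and shows the single 32-bit compare the dotted quad produces; writing the network with `/24` makes the intended mask explicit regardless of how the number is spelled.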