Re: Sending mail from external firewall to external mail server (behind firewall)
Hello,

Original message
> Date: Tue, 19 Feb 2008 22:36:20 -0600
> From: Albert Chin <[EMAIL PROTECTED]>
> To: misc@openbsd.org
> Subject: Sending mail from external firewall to external mail server (behind firewall)

> ... snip...
>
> rdr pass log on $ext_if inet proto tcp from any to $mail_ip \
>     port = smtp -> $emma_gw
>
> From the Internet, if I "telnet 67.95.107.111 25", everything works.
> But, on hammer:
> hammer% telnet 67.95.107.111 25
> Trying 67.95.107.111...
> telnet: connect to address 67.95.107.111: Connection refused
>
> ... snip ...

see "man pf.conf", especially paragraph "Translation rules apply only to packets that pass through the specified interface,..."

Regards

Stefan Kell
[ami] Unable to set "Hot Spare" from bioctl on a Dell PERC 4/Di
Hi there, I'm back with another LSI controller, and I'm experiencing problems with creating hot spares from bioctl. This seems to be the same problem that I posted to misc@ on Oct 16, 2006 with the subject line of:

[ami] Unable to set "Hot Spare" on MegaRAID SATA 300-8x

I've got the same symptoms, but now with a PERC 4/Di controller. [And this time I've found a better work around than just avoiding bioctl -H with this LSI controller :).]

Problem summary
===
When I use bioctl to mark an Unused drive as a Hot Spare, that drive will fail to be integrated when another disk fails.

The only way, that I've found, to make that drive properly act as a Hot Spare, is to only set it as such from the LSI boot menu. If you have already marked it as a Hot Spare from bioctl, pull the Hot Spare-marked drive, and replace it (it can be the same physical disk). At that point your disk should be showing up as an 'Unused' disk, from where you can go do the thing in the LSI boot menu.

This is an improvement over my 2006 analysis of the situation, where I couldn't find a way to reset the drive back to Unused (after Hot Sparing it from bioctl). The LSI boot menu requires a drive to be in an Unused state before it will allow me to correctly mark it as a Hot Spare.

If you're interested, please let me know what I can do to be of assistance in trouble shooting this. I have a limited window before this box will have to be pushed into production, and I can live with the current situation (an after hours reboot in the case of a drive failure is perfectly fine).
Matthew

Test case
=
s => step succeeded
F => step failed

Normal case (RAID 1 + one hot spare)
---
s Configure array from the LSI boot menu
s Clear configuration
s New configuration
s Disks 0, 1: RAID 1 array
s Disk 2: Hot spare

s Install OpenBSD-4.2

s Single disk failure
s Disk 0: Fails (I pulled it from the hot swap cage)
s Disk 2: Automatically replaces it
s Observe the RAID 1 array get fully rebuilt

s Replace failed disk
s Replace Disk 0 with a new disk
s Observe that Disk 0 is marked as "Unused" through bioctl
s Set Disk 0 to be a hot spare (through bioctl)

s Single disk failure
s Disk 1: Fails (I pulled it)
F Disk 0: FAILS TO GET INTEGRATED, DESPITE STILL BEING MARKED AS A HOT SPARE - Array is still degraded.

s Reboot, enter into the LSI boot menu
s Configure > View/Add Configuration
s Highlight disk 0 > F4 (hot spare)
s "This Physical Drive is already a HOTSPARE\nPress any key to continue"
s F10 (Configure), Esc, Esc
s "Exit?" = YES
s "Please REBOOT YOUR SYSTEM", CTRL-ALT-DEL

s Recheck array
F Disk 0: Still failing to integrate. Array still degraded.

s Attempt to shake loose the 'Hot Spare' bit from disk 0
s Remove disk 0
s Replace disk 0 (with the same physical disk)
s Disk 0 is *no longer* marked as a 'Hot Spare' (either through bioctl or through the LSI boot menu). Yeah! :)
[I don't think I tested this method with my SATA 300-8x.]
Log file

# The output is generated by:
# date; bioctl ami0

##
# Created a new RAID 1 array from the LSI boot menu and installed OpenBSD 4.2
Tue Feb 19 04:01:42 MST 2008
Volume Status Size Device
ami0 0 Scrubbing146695782400 sd0 RAID1 3% done
0 Online 146811125760 0:0.0 safte0
1 Online 146811125760 0:1.0 safte0
ami0 1 Hot spare146811125760 0:2.0 safte0

Tue Feb 19 10:02:15 MST 2008
Volume Status Size Device
ami0 0 Scrubbing146695782400 sd0 RAID1 94% done
0 Online 146811125760 0:0.0 safte0
1 Online 146811125760 0:1.0 safte0
ami0 1 Hot spare146811125760 0:2.0 safte0

Tue Feb 19 10:12:15 MST 2008
Volume Status Size Device
ami0 0 Scrubbing146695782400 sd0 RAID1 97% done
0 Online 146811125760 0:0.0 safte0
1 Online 146811125760 0:1.0 safte0
ami0 1 Hot spare146811125760 0:2.0 safte0

##
# Mirroring complete
Tue Feb 19 10:22:16 MST 2008
Volume Status Size Device
ami0 0 Online 146695782400 sd0 RAID1
0 Online 146811125760 0:0.0 safte0
1 Online 146811125760 0:1.0 safte0
ami0 1 Hot spare146811125760 0:2.0 safte0

##
# Pulling Drive 0:0.0
Tue Feb 19 16:15:15 MST 2008
Volume Status Size Device
ami0 0 Online 146695782400 sd0 RAID1
0 Online 146811125760 0:0.0 safte0
1 Online 146811125760 0:1.0 safte0
ami0 1 Hot spare146811125760 0:2.0 safte0

##
# LSI boot me
Re: What is our ultimate goal??
On Feb 20, 2008 12:52 PM, Duncan Patton a Campbell <[EMAIL PROTECTED]> wrote:
> On Wed, 20 Feb 2008 08:47:54 +0530
> "Mayuresh Kathe" <[EMAIL PROTECTED]> wrote:
>
> > On Feb 20, 2008 2:59 AM, Ted Unangst <[EMAIL PROTECTED]> wrote:
> > > On Feb 19, 2008 4:50 AM, Mayuresh Kathe <[EMAIL PROTECTED]> wrote:
> > > > That's the reason I've been gathering good C developers, so that they
> > > > could either;
> > > > 1. take up complex projects like FireEngine/DTrace,
> > > > 2. write replacements for as many GNU tools/utilities as possible,
> > > > 3. be a landing stage for newer developers who get intimidated by the
> > > > intensity of the core developers.
> > >
> > > good luck with that. be sure to let us know when it's all done, ok?
> > > thanks.
> >
> > If thats sarcasm its really not warranted.
> > If its not sarcasm, then we'll be posting to the list about our progress.
> >
> > Also, Ted, I'm sorry if you felt offended by my ranting about you not
> > completing kernel threads, but the loss of those developers really
> > felt bad.
> >
> > ~Mayuresh
> >
>
> Looks to me like your "Tivo Box" project might need to actually pay someone
> to write a threads library.

This is the second time someone has mentioned about a project that does not exist.
What's gotten into you people?

~Mayuresh
Re: take threads off the table
Geoff Steckel <[EMAIL PROTECTED]> writes:

> Any argument to experience must be from similar actual implementations
> using "threads" and another model, such as multiple processes with
> interprocess communications.

Sure. I'll pick up the challenge.

At work we have a server that uses around 4GB RAM and runs on an 4 cpu machine. It serves millions of tcp connections per hour. sharing the memory without sharing pointer values is too inefficient since a big amount of the memory used is a pre-computed cache of most common query results. The service needs 4x4GB of RAM on the machine to be able to reload the data efficiently without hitting disk, since hitting the disk kills performance in critical moments and leads to inconsistencies between the four machines that run identical instances of this service.

Therefore:
- fork would not work because cache would not be shared and this would lead to too big cache miss ratio.
- adding more RAM won't work because it would spend rack real estate and power and cooling budget which we can't do.
- adding more machines will not solve the problem for the same reasons as RAM.
- reducing the data set will not work because we kinda like to make lots of money, not just a little money.
- partitioning the data does not work good because it causes a too high cost in performance and memory consumption.

What works is threads. We've had one thread related bug in the past year.

//art
Re: rtorrent + OpenBSD = freeze
On 16:43:00 Feb 19, Daniel Andersson wrote: > > Could you please elaborate? The only thing that was working after > the freeze was the routing. I guess I could try FreeBSD since they > have pf too. iptables is driving me nuts. > Sorry I was out and just came back home. I think my answer would be irrelevant now since many other people seem to be facing problems. So there seems to be something wrong somewhere. I did notice a freeze but I don't think it has anything to do with what others are saying. Almost in every case I thought it was due to the tracker being down or some such bittorrent issue. Since p2p networks have so much churn I am always wary of concluding anything based on this. Beyond this I have nothing more to add to this. As to iptables and pf, I honestly think comparing the two would be like comparing darkness to light. ;) On a different note, I have seen my OpenBSD box freeze badly whenever I access my Sony SATA DVD R/W drive. I never got time to diagnose the exact cause. It is a serious issue and something needs to be done about it soon. In fact I install using FTP or HTTP due to this hairy issue. Other than that I have seen OpenBSD freeze with the ImageMagick convert(1) program as well. Here goes one more freeze. I used to have trouble recording voice with the new Intel HDA driver, but nowadays that problem does not seem to be there. It is a little unnerving to note that OpenBSD userland code sometimes hangs the whole machine very much like Windoze but then...let us better be open about it and do something. I am quite well versed with OpenBSD's kernel code but I need experience with driver development and fixing such "freezes". If someone can throw some light on the debugging process I can definitely give it a shot. Would I have to use a serial console and run the kernel with ddb(4) ? Thanks. Best, Girish
Re: What is our ultimate goal??
On Wed, 20 Feb 2008 15:11:34 +0530
"Mayuresh Kathe" <[EMAIL PROTECTED]> wrote:

> On Feb 20, 2008 12:52 PM, Duncan Patton a Campbell <[EMAIL PROTECTED]> wrote:
> > On Wed, 20 Feb 2008 08:47:54 +0530
> > "Mayuresh Kathe" <[EMAIL PROTECTED]> wrote:
> >
> > > On Feb 20, 2008 2:59 AM, Ted Unangst <[EMAIL PROTECTED]> wrote:
> > > > On Feb 19, 2008 4:50 AM, Mayuresh Kathe <[EMAIL PROTECTED]> wrote:
> > > > > That's the reason I've been gathering good C developers, so that they
> > > > > could either;
> > > > > 1. take up complex projects like FireEngine/DTrace,
> > > > > 2. write replacements for as many GNU tools/utilities as possible,
> > > > > 3. be a landing stage for newer developers who get intimidated by the
> > > > > intensity of the core developers.
> > > >
> > > > good luck with that. be sure to let us know when it's all done, ok?
> > > > thanks.
> > >
> > > If thats sarcasm its really not warranted.
> > > If its not sarcasm, then we'll be posting to the list about our progress.
> > >
> > > Also, Ted, I'm sorry if you felt offended by my ranting about you not
> > > completing kernel threads, but the loss of those developers really
> > > felt bad.
> > >
> > > ~Mayuresh
> > >
> >
> > Looks to me like your "Tivo Box" project might need to actually pay someone
> > to write a threads library.
>
> This is the second time someone has mentioned about a project that
> does not exist.
> What's gotten into you people?
>
> ~Mayuresh
>

It's a question of the "alienability" of the BSD License. Unlike Linux, the BSD license allows you the freedom of moving the software into a proprietary configuration which permits a conventional profit model.

You are ragging on Ted for not having provided you with a feature for your "project" which is not seen to be of the widest possible utility, and which might adversely influence some of OBSD's more crucial feature if not implemented with enormous care.
Basically you are asking him to provide your 4profit model with free work that would not necessarily benefit the project OR other 4profit models. Mebbe if you really need threads (because some code you intend to import uses them) then you should offer to PAY Ted to do this (for the project?). This would likely provide him with the kind of incentive he needs to do something seen as not crucial by his peers. Dhu
Re: What is our ultimate goal??
* Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-17 13:38]: > Wouldn't it be nice to have a high performance networking stack? yeah. guess what we have? exactly that. (which doesn't mean it could be even faster) -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Sending mail from external firewall to external mail server (behind firewall)
On Wed, Feb 20, 2008 at 08:55:44AM +0100, Stefan Kell wrote:
> Original message
> > Date: Tue, 19 Feb 2008 22:36:20 -0600
> > From: Albert Chin <[EMAIL PROTECTED]>
> > To: misc@openbsd.org
> > Subject: Sending mail from external firewall to external mail server
> > (behind firewall)
>
> > ... snip...
> >
> > rdr pass log on $ext_if inet proto tcp from any to $mail_ip \
> >     port = smtp -> $emma_gw
> >
> > From the Internet, if I "telnet 67.95.107.111 25", everything works.
> > But, on hammer:
> > hammer% telnet 67.95.107.111 25
> > Trying 67.95.107.111...
> > telnet: connect to address 67.95.107.111: Connection refused
> >
> > ... snip ...
>
> see "man pf.conf", especially paragraph "Translation rules apply
> only to packets that pass through the specified interface,..."

Thanks. I've changed my pf rule from:

  rdr pass log on $ext_if inet proto tcp from any to $mail_ip \
    port = smtp -> $emma_gw

to:

  rdr pass log inet proto tcp from any to $mail_ip \
    port = smtp -> $emma_gw

This certainly helps for hosts on the local network. But, the issue with "telnet 67.95.107.111 25" not working on hammer remains.

BTW, we are running OpenBSD 4.0 on x86.

--
albert chin ([EMAIL PROTECTED])
Re: What is our ultimate goal??
On Feb 20, 2008 4:58 PM, Henning Brauer <[EMAIL PROTECTED]> wrote: > * Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-17 13:38]: > > Wouldn't it be nice to have a high performance networking stack? > > yeah. > guess what we have? > exactly that. > (which doesn't mean it could be even faster) Pardon if I sound ignorant, but isn't our networking stack based on the 24 year old technology from Berkeley?
Re: take threads off the table
Artur Grabowski wrote:
> Geoff Steckel <[EMAIL PROTECTED]> writes:
>
> > Any argument to experience must be from similar actual implementations
> > using "threads" and another model, such as multiple processes with
> > interprocess communications.
>
> Sure. I'll pick up the challenge.
>
> At work we have a server that uses around 4GB RAM and runs on an 4 cpu
> machine. It serves millions of tcp connections per hour. sharing the
> memory without sharing pointer values is too inefficient since a big
> amount of the memory used is a pre-computed cache of most common query
> results. The service needs 4x4GB of RAM on the machine to be able to
> reload the data efficiently without hitting disk, since hitting the
> disk kills performance in critical moments and leads to
> inconsistencies between the four machines that run identical instances
> of this service.
>
> Therefore:
> - fork would not work because cache would not be shared and this would
>   lead to too big cache miss ratio.
> - adding more RAM won't work because it would spend rack real estate
>   and power and cooling budget which we can't do.
> - adding more machines will not solve the problem for the same reasons
>   as RAM.
> - reducing the data set will not work because we kinda like to make
>   lots of money, not just a little money.
> - partitioning the data does not work good because it causes a too
>   high cost in performance and memory consumption.
>
> What works is threads. We've had one thread related bug in the past year.

Art,

It sounds like your application is pretty reasonable. The benefits of much cash, the restrictions on what hardware can be used, and your willingness to keep the project under control make a big difference in the cost-benefit balance.

I can think of one thing that might have made a difference:
  it's possible under most unix-style OSs to share memory at a fixed address

I'm not entirely sure that how much of your database stays in the cache except possibly some of the root, but I hope you've got the tools to know that.
Still,
  you're pushing the envelope very hard to get as much performance
  and you -need- the performance, and even a percent or two of performance matters
  your application is SIMD-like in the large
  you've considered the tradeoffs and accept the risk for the benefits

And I infer from what you say:
  It sounds like most queries are read-only, so they do not affect any shared state, therefore locking issues are relatively few.
  It also sounds like the application itself is relatively static (or at least the query engine is).
  The programming team is relatively static due to large $$$ rewards
  I'm assuming that the query engine is well separated in the code from code which changes due to changes in the data being served

All of this taken together puts this into an area where I'm willing to agree that threads are an acceptable solution if not a desirable one.

If any of the points above were different (complex state changes, didn't need 100+%, not read-only, not static code, many hands changing on the engine code) I'd disagree.

On a very superficial consideration of what you've said, I suspect I could get a multiprocess solution to come within a few percent of the threaded one, but you say you need that last few percent. There are a lot of possible memory architecture issues (4 x 4 GB memory gets me wondering about its exact physical layout and bus architecture). A form of pipelined processing might also partition well, but I don't know any details of what you're doing.

Depending very much on the exact situation offloading the TCP handshaking onto the processors in GBit network cards ---might--- work - there are a lot of possible gotchas but ---if--- the cards are fast enough and have enough on-card memory, the payoff could be large
  of course, then the network cards would have all the threads in them!

Good luck, and thanks for the useful example!

geoff steckel
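The fixed-address sharing mentioned in the message above, as an added example that is not code from anyone in this thread: a builder process fills a file-backed region with a pointer-linked cache, and separate worker processes map it read-only at the same address so the stored pointers stay valid without threads. The record layout, keys, sizes and temp-file name are constructed, and the read-only mapping assumes the read-mostly workload inferred in that message.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define CACHE_SIZE (64 * 1024)      /* constructed; the cache in the thread is ~4GB */

struct entry {                      /* hypothetical cache record */
    struct entry *next;             /* absolute pointer into the region */
    char key[16];
    char value[32];
};

struct cache_hdr {
    void *base;                     /* address the builder had it mapped at */
    struct entry *head;
};

/* Builder: create the backing file (mkstemp fills in tmpl) and fill it. */
static int build_cache(char *tmpl)
{
    char *p = MAP_FAILED;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    if (ftruncate(fd, CACHE_SIZE) == 0)
        p = mmap(NULL, CACHE_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);
    if (p == MAP_FAILED)
        return -1;
    struct cache_hdr *h = (struct cache_hdr *)p;
    struct entry *slots = (struct entry *)(p + sizeof(*h));
    h->base = p;
    h->head = NULL;
    for (int i = 0; i < 3; i++) {   /* constructed sample entries q0..q2 */
        snprintf(slots[i].key, sizeof(slots[i].key), "q%d", i);
        snprintf(slots[i].value, sizeof(slots[i].value), "result-%d", i);
        slots[i].next = h->head;
        h->head = &slots[i];
    }
    msync(p, CACHE_SIZE, MS_SYNC);  /* so pread() in workers sees the header */
    return munmap(p, CACHE_SIZE);
}

/* Worker: map the cache read-only at the address stored in its header. */
static const struct cache_hdr *map_readonly(const char *path)
{
    struct cache_hdr probe;
    void *p = MAP_FAILED;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return NULL;
    /* Address hint, not MAP_FIXED: never replaces an existing mapping. */
    if (pread(fd, &probe, sizeof(probe), 0) == (ssize_t)sizeof(probe))
        p = mmap(probe.base, CACHE_SIZE, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);
    if (p == MAP_FAILED)
        return NULL;
    if (p != probe.base) {          /* stored pointers would dangle: refuse */
        munmap(p, CACHE_SIZE);
        return NULL;
    }
    return p;
}

/* Fork a worker; returns its exit code (0 = "q1" found) or -signal if killed. */
static int run_worker(const char *path, int try_write)
{
    int st;
    pid_t pid = fork();
    if (pid == 0) {
        const struct cache_hdr *h = map_readonly(path);
        if (h == NULL)
            _exit(2);
        if (try_write)              /* simulated worker bug: faults on PROT_READ */
            *(volatile char *)h = 0;
        for (const struct entry *e = h->head; e != NULL; e = e->next)
            if (strcmp(e->key, "q1") == 0)
                _exit(strcmp(e->value, "result-1") == 0 ? 0 : 1);
        _exit(3);
    }
    if (pid < 0 || waitpid(pid, &st, 0) < 0)
        return -1000;
    return WIFSIGNALED(st) ? -WTERMSIG(st) : WEXITSTATUS(st);
}

int main(void)
{
    char path[] = "/tmp/shared_cache_XXXXXX";
    int ok = build_cache(path) == 0;
    if (ok)
        printf("reader: %d, writer: %d\n", run_worker(path, 0), run_worker(path, 1));
    unlink(path);
    return !ok;
}
```

A worker that cannot get the recorded address refuses to run rather than follow pointers that no longer point into the region, and a stray write in one worker kills only that process instead of corrupting the cache for the others.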
Re: What is our ultimate goal??
* Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-20 13:12]: > On Feb 20, 2008 4:58 PM, Henning Brauer <[EMAIL PROTECTED]> wrote: > > * Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-17 13:38]: > > > Wouldn't it be nice to have a high performance networking stack? > > > > yeah. > > guess what we have? > > exactly that. > > (which doesn't mean it could be even faster) > > Pardon if I sound ignorant, but isn't our networking stack based on > the 24 year old technology from Berkeley? so? isn't your computer running on >>100 years old technology called "electricity"? -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: What is our ultimate goal??
could you please stop this shit and continue the conversation privately? People registered at misc know well why they are using obsd. We don't need this discussion. 2008/2/20, Henning Brauer <[EMAIL PROTECTED]>: > * Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-20 13:12]: > > > On Feb 20, 2008 4:58 PM, Henning Brauer <[EMAIL PROTECTED]> wrote: > > > * Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-17 13:38]: > > > > Wouldn't it be nice to have a high performance networking stack? > > > > > > yeah. > > > guess what we have? > > > exactly that. > > > (which doesn't mean it could be even faster) > > > > Pardon if I sound ignorant, but isn't our networking stack based on > > the 24 year old technology from Berkeley? > > > so? > > isn't your computer running on >>100 years old technology called > "electricity"? > > > -- > Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] > BS Web Services, http://bsws.de > Full-Service ISP - Secure Hosting, Mail and DNS Services > Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: What is our ultimate goal??
Touché! -- Thanks, Jordi Espasa Clofent
Re: What is our ultimate goal??
On Feb 20, 2008 5:52 PM, Henning Brauer <[EMAIL PROTECTED]> wrote: > * Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-20 13:12]: > > > On Feb 20, 2008 4:58 PM, Henning Brauer <[EMAIL PROTECTED]> wrote: > > > * Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-17 13:38]: > > > > Wouldn't it be nice to have a high performance networking stack? > > > > > > yeah. > > > guess what we have? > > > exactly that. > > > (which doesn't mean it could be even faster) > > > > Pardon if I sound ignorant, but isn't our networking stack based on > > the 24 year old technology from Berkeley? > > so? > > isn't your computer running on >>100 years old technology called > "electricity"? But that >100 year old technology used to be DC earlier, then it was converted to AC because of its inherent benefits. Similarly, wouldn't it have been beneficial to go for a modern approach for the network stack? (not that now I can do anything about it, all's lost for me) Could you please read http://research.sun.com/minds/2007-0710/ ~Mayuresh
Re: What is our ultimate goal??
* Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-20 14:07]: > On Feb 20, 2008 5:52 PM, Henning Brauer <[EMAIL PROTECTED]> wrote: > > * Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-20 13:12]: > > > On Feb 20, 2008 4:58 PM, Henning Brauer <[EMAIL PROTECTED]> wrote: > > > > * Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-17 13:38]: > > > > > Wouldn't it be nice to have a high performance networking stack? > > > > yeah. > > > > guess what we have? > > > > exactly that. > > > > (which doesn't mean it could be even faster) > > > Pardon if I sound ignorant, but isn't our networking stack based on > > > the 24 year old technology from Berkeley? > > so? > > isn't your computer running on >>100 years old technology called > > "electricity"? > But that >100 year old technology used to be DC earlier, then it was > converted to AC because of its inherent benefits. way over a hundred years ago, yes (except for some small irrelevant isles like parts of new york if memory serves). > Similarly, wouldn't it have been beneficial to go for a modern > approach for the network stack? we have a very modern approach: correct, secure and fast. > (not that now I can do anything about it, all's lost for me) > Could you please read http://research.sun.com/minds/2007-0710/ yeah, i did, lots of marketing blubber, lots of bla bla, lots of vague indications, nothing concrete, nothing technical. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: take threads off the table
On Wed, Feb 20, 2008 at 10:14:14AM +0100, Artur Grabowski wrote: > Geoff Steckel <[EMAIL PROTECTED]> writes: > > > Any argument to experience must be from similar actual > > implementations using "threads" and another model, such as multiple > > processes with interprocess communications. > > Sure. I'll pick up the challenge. > > At work we have a server that uses around 4GB RAM and runs on an 4 cpu > machine. It serves millions of tcp connections per hour. sharing the > memory without sharing pointer values is too inefficient since a big > amount of the memory used is a pre-computed cache of most common query > results. The service needs 4x4GB of RAM on the machine to be able to > reload the data efficiently without hitting disk, since hitting the > disk kills performance in critical moments and leads to > inconsistencies between the four machines that run identical instances > of this service. While this kind of setup is well beyond my pay-grade, looking just at the issue of, in effect, using threads to share a cache to avoid hitting the disk, I wonder why using a memory filesystem as the common cache wouldn't work. No threads, shared data via the filesystem but that filesystem is in memory and quite fast. Doug.
Re: What is our ultimate goal??
Henning Brauer wrote: * Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-20 14:07]: (not that now I can do anything about it, all's lost for me) Could you please read http://research.sun.com/minds/2007-0710/ yeah, i did, lots of marketing blubber, lots of bla bla, lots of vague indications, nothing concrete, nothing technical. Mostly "Lets fix Slow-aris" is what I saw. Unless you are in a "slow-aris" situation, moving to whatever they did might not be an improvement. ;)
Question about Implementing authpf, squid and ldap authentication....
Hello - I have been working on and actually making progress for writing a client for windows that will authenticate a user to authpf upon login thereby granting access to the network based on rules setup for each user/group. In addition we would love to be able to somehow transparently authenticate that user to the squid firewall tied back to the Active Directory on our network using LDAP. Just wondering if anyone has approached/done something like this already in the hopes of saving some time developing it. I would be more than happy to share my code for the windows side - needs to be cleaned up before I released it - if anybody is interested in assisting as well. My goal would be to have a small client that starts with windows that notes when a user logs onto the computer and automagically takes care of opening and holding open an ssh1 session to the firewall as well as someone allowing the user to be authenticated to the squid proxy transparently. Any advice (useful advice preferred - but other advice accepted without prejudice) would be appreciated. I have limited background in C and C++ and a fair amount of experience in Windows C# development. Thanks, Brian Shackelford
Re: What is our ultimate goal??
On 2008/02/20 14:14, Henning Brauer wrote: > * Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-20 14:07]: > > On Feb 20, 2008 5:52 PM, Henning Brauer <[EMAIL PROTECTED]> wrote: > > > isn't your computer running on >>100 years old technology called > > > "electricity"? > > But that >100 year old technology used to be DC earlier, then it was > > converted to AC because of its inherent benefits. > > way over a hundred years ago, yes (except for some small irrelevant > isles like parts of new york if memory serves). and, those data centres and telcos who have worked out that converting AC-DC-AC-DC (or DC-AC-DC-AC-DC when the power comes from something like PV cells...) is not the smartest thing they could be doing...
Re: [ami] Unable to set "Hot Spare" from bioctl on a Dell PERC 4/Di
My natural answer is that this is a firmware issue. But since you provided such good steps I will try to recreate this. Thank you for this outstanding report. On Wed, Feb 20, 2008 at 01:42:59AM -0700, Matthew Mulrooney wrote: > Hi there, I'm back with another LSI controller, and I'm experiencing > problems with creating hot spares from bioctl. This seems to be the same > problem that I posted to misc@ on Oct 16, 2006 with the subject line of: > > [ami] Unable to set "Hot Spare" on MegaRAID SATA 300-8x > > I've got the same symptoms, but now with a PERC 4/Di controller. [And this > time I've found a better work around than just avoiding bioctl -H with this > LSI controller :).] > > Problem summary > === > When I use bioctl to mark an Unused drive as a Hot Spare, that drive will > fail to be integrated when another disk fails. > > The only way, that I've found, to make that drive properly act as a Hot > Spare, is to only set it as such from the LSI boot menu. If you have > already marked it as a Hot Spare from bioctl, pull the Hot Spare-marked > drive, and replace it (it can be the same physical disk). At that point > your disk should be showing up as an 'Unused' disk, from where you can go > do the thing in the LSI boot menu. > > This is an improvement over my 2006 analysis of the situation, where I > couldn't find a way to reset the drive back to Unused (after Hot Sparing it > from bioctl). The LSI boot menu requires a drive to be in an Unused state > before it will allow me to correctly mark it as a Hot Spare. > > > If you're interested, please let me know what I can do to be of assistance > in trouble shooting this. I have a limited window before this box will > have to be pushed into production, and I can live with the current > situation (an after hours reboot in the case of a drive failure is > perfectly fine). 
> > Matthew > > > Test case > = > s => step succeeded > F => step failed > > Normal case (RAID 1 + one hot spare) > --- > s Configure array from the LSI boot menu > s Clear configuration > s New configuration > s Disks 0, 1: RAID 1 array > s Disk 2: Hot spare > > s Install OpenBSD-4.2 > > s Single disk failure > s Disk 0: Fails (I pulled it from the hot swap cage) > s Disk 2: Automatically replaces it > s Observe the RAID 1 array get fully rebuilt > > s Replace failed disk > s Replace Disk 0 with a new disk > s Observe that Disk 0 is marked as "Unused" through bioctl > s Set Disk 0 to be a hot spare (through bioctl) > > s Single disk failure > s Disk 1: Fails (I pulled it) > F Disk 0: FAILS TO GET INTEGRATED, DESPITE STILL BEING MARKED AS A > HOT SPARE - Array is still degraded. > > s Reboot, enter into the LSI boot menu > s Configure > View/Add Configurarion > s Highlight disk 0 > F4 (hot spare) > s "This Physical Drive is already a HOTSPARE\nPress any key to > continue" > s F10 (Configure), Esc, Esc > s "Exit?" = YES > s "Please REBOOT YOUR SYSTEM", CTRL-ALT-DEL > > s Recheck array > F Disk 0: Still failing to integrate. Array still degraded. > > s Attempt to shake loose the 'Hot Spare' bit from disk 0 > s Remove disk 0 > s Replace disk 0 (with the same physical disk) > s Disk 0 is *no longer* marked as a 'Hot Spare' (either through > bioctl or through the LSI boot menu). Yeah! :) > [I don't think I tested this method with my SATA 300-8x.] 
> > > Log file > > # The output is generated by: > # date; bioctl ami0 > > ## > # Created a new RAID 1 array from the LSI boot menu and installed OpenBSD 4.2 > Tue Feb 19 04:01:42 MST 2008 > Volume Status Size Device > ami0 0 Scrubbing146695782400 sd0 RAID1 3% done > 0 Online 146811125760 0:0.0 safte0 ATLAS10K5_146SCAJNZM> > 1 Online 146811125760 0:1.0 safte0 DS09> > ami0 1 Hot spare146811125760 0:2.0 safte0 IC35L146UCDY10-0S27F> > > Tue Feb 19 10:02:15 MST 2008 > Volume Status Size Device > ami0 0 Scrubbing146695782400 sd0 RAID1 94% done > 0 Online 146811125760 0:0.0 safte0 ATLAS10K5_146SCAJNZM> > 1 Online 146811125760 0:1.0 safte0 DS09> > ami0 1 Hot spare146811125760 0:2.0 safte0 IC35L146UCDY10-0S27F> > > Tue Feb 19 10:12:15 MST 2008 > Volume Status Size Device > ami0 0 Scrubbing146695782400 sd0 RAID1 97% done > 0 Online 146811125760 0:0.0 safte0 ATLAS10K5_146SCAJNZM> > 1 Online 146811125760 0:1.0 safte0 DS09> > ami0 1 Hot spare146811125760 0:2.0 safte0 IC35L146UCDY10-0S27F> > > ## > # Mirroring complete > Tue Feb 19 10:22:16 MST 2008 > Volume Status Size Device > ami0 0 Online 146695782400 sd0 RAID1 > 0 Online 14
Re: What is our ultimate goal??
On Wed, Feb 20, 2008 at 02:14:31PM +0100, Henning Brauer wrote:
> > But that >100 year old technology used to be DC earlier, then it was
> > converted to AC because of its inherent benefits.
>
> way over a hundred years ago, yes (except for some small irrelevant
> isles like parts of new york if memory serves).

Even new york stopped doing it last year. There is no more DC current being served.

> > Similarly, wouldn't it have been beneficial to go for a modern
> > approach for the network stack?

There only is perceived benefit; which clearly mean you fell for the marketing bullets. Good, go buy sun stuff and run their OS. It is as nice a UNIX as you'll find.

> we have a very modern approach: correct, secure and fast.

Amen!

> > (not that now I can do anything about it, all's lost for me)

Maybe some drama classes are in order.

> > Could you please read http://research.sun.com/minds/2007-0710/
>
> yeah, i did, lots of marketing blubber, lots of bla bla, lots of vague
> indications, nothing concrete, nothing technical.

That piece was more than worthless. Some ding dong said "ooh ooh I made it faster". Well fantastic! Unfortunately there is no quantification of faster. 0 x fast is still 0.

Besides if you actually understood the beauty and elegance that is the OpenBSD TCP/IP stack you wouldn't be yammering about marketing horseshit. Old != bad. Actually, over the last few years in computer land new == bad (java, xml, c++ etc).
Re: What is our ultimate goal??
On Wednesday 20 February 2008 13:14, Henning Brauer wrote: > * Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-20 14:07]: > > On Feb 20, 2008 5:52 PM, Henning Brauer <[EMAIL PROTECTED]> wrote: > > > * Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-20 13:12]: > > > > On Feb 20, 2008 4:58 PM, Henning Brauer <[EMAIL PROTECTED]> wrote: > > > > > * Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-17 13:38]: > > > > > > Wouldn't it be nice to have a high performance networking stack? > > > > > > > > > > yeah. > > > > > guess what we have? > > > > > exactly that. > > > > > (which doesn't mean it could be even faster) > > > > > > > > Pardon if I sound ignorant, but isn't our networking stack based on > > > > the 24 year old technology from Berkeley? > > > > > > so? > > > isn't your computer running on >>100 years old technology called > > > "electricity"? > > > > But that >100 year old technology used to be DC earlier, then it was > > converted to AC because of its inherent benefits. > > way over a hundred years ago, yes (except for some small irrelevant > isles like parts of new york if memory serves). > > > Similarly, wouldn't it have been beneficial to go for a modern > > approach for the network stack? > > we have a very modern approach: correct, secure and fast. > > > (not that now I can do anything about it, all's lost for me) > > Could you please read http://research.sun.com/minds/2007-0710/ > > yeah, i did, lots of marketing blubber, lots of bla bla, lots of vague > indications, nothing concrete, nothing technical. I did read this as well, and for my two tiny cents it has to be said that OBSD runs a great deal faster on my (admittedly rather elderly) Sun boxen than Solaris ever did. -- Fergus Wilde Chetham's Library Long Millgate Manchester M3 1SB Tel: 0161 834 7961 Fax: 0161 839 5797 http://www.chethams.org.uk
Re: What is our ultimate goal??
On Wednesday 20 February 2008, Mayuresh Kathe wrote:
> > isn't your computer running on >>100 years old technology called
> > "electricity"?
>
> But that >100 year old technology used to be DC earlier, then it was
> converted to AC because of its inherent benefits.
> Similarly, wouldn't it have been beneficial to go for a modern
> approach for the network stack?
> (not that now I can do anything about it, all's lost for me)
> Could you please read http://research.sun.com/minds/2007-0710/

If you're going to ask people to read up on the Solaris networking stack, at least give them a technical document rather than a blog/marketing piece:

http://www.sun.com/bigadmin/features/articles/solaris_networking.jsp

The background section should explain to you why Solaris experienced performance issues with its STREAMS-based stack, which they have since replaced with ``FireEngine''. The OpenBSD stack does not exhibit these same performance problems. Have you done any benchmarks?

--
=> Joel Sing | [EMAIL PROTECTED] | 0419 577 603 <=
"Real stupidity beats artificial intelligence every time." - Terry Pratchett, Hogfather
vpn client configuration
Hi,

I'm trying to connect Checkpoint VPN-1 using OpenBSD 3.8. Basic set up is as follows:

Host-A -> Gateway-A -- <- Gateway-B <- Host-B

Gateway-A: OpenBSD3.8
Gateway-B: Checkpoint VPN1

Aim: Establish connection to Host-B from Host-A. I've no control on Gateway-B and Host-B.

First of all, I'm able to connect Gateway-B from Gateway-A. Configuration files that I've used are as follows:

=== isakmpd.conf
[Phase 1]
IP-OF-GATEWAY-B=peer-machineB

[Phase 2]
Connections=VPN-A-B

# ISAKMP phase 1 peers (from [Phase 1])
[peer-machineB]
Phase= 1
Transport= udp
Address=IP-OF-GATEWAY-B
Configuration= Default-main-mode
Authentication= PRESHAREDKEY

# IPSEC phase 2 connections (from [Phase 2])
[VPN-A-B]
Phase= 2
ISAKMP-peer=peer-machineB
Configuration= Default-quick-mode
Local-ID= machineA-internal-network
Remote-ID= machineB-internal-network

# ID sections (as used in [VPN-A-B])
[machineA-internal-network]
ID-type=IPV4_ADDR
Address= IP-OF-HOST-A

[machineB-internal-network]
ID-type=IPV4_ADDR
Address=IP-OF-HOST-B

# Main and Quick Mode descriptions (as used by peers and connections)
[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
===

=== isakmpd.policy
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" && esp_present == "yes" && esp_enc_alg != "null" -> "true";
===

Using these files, when I run isakmpd (isakmpd -d -DA=90) I can successfully connect to GATEWAY-B.
tcpdump output is as follows: === tcpdump: listening on em0, link-type EN10MB 14:44:40.315165 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 202: IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp v1.0exchange ID_PROT cookie: 07c9dbce8da4a5b1-> msgid: len: 160 payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1 payload: TRANSFORM len: 32 transform: 0 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = 3DES_CBC attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = PRE_SHARED attribute GROUP_DESCRIPTION = MODP_1024 attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 3600 payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02) payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03) payload: VENDOR len: 20 (supports NAT-T, RFC 3947) payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 25076, len 188) 14:44:40.333719 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 122: IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500: [udp sum ok] isakmp v1.0exchange ID_PROT cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: len: 80 payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1 payload: TRANSFORM len: 32 transform: 1 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = 3DES_CBC attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = PRE_SHARED attribute GROUP_DESCRIPTION = MODP_1024 attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 3600 (DF) (ttl 53, id 3115, len 108) 14:44:40.356321 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 222: IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp v1.0exchange ID_PROT cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: len: 180 payload: KEY_EXCH len: 132 payload: NONCE len: 20 (ttl 64, id 1228, len 208) 14:44:40.376569 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 226: IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500: [udp sum ok] isakmp v1.0exchange ID_PROT cookie: 
07c9dbce8da4a5b1->b4278095f145b1b6 msgid: len: 184 payload: KEY_EXCH len: 132 payload: NONCE len: 24 (DF) (ttl 53, id 3116, len 212) 14:44:40.396111 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 134: IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp v1.0exchange ID_PROT encrypted cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: len: 92 (ttl 64, id 23041, len 120) 14:44:40.617927 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0
Re: What is our ultimate goal??
On 02/20/08 15:00, Marco Peereboom wrote:
> On Wed, Feb 20, 2008 at 02:14:31PM +0100, Henning Brauer wrote:
>>> But that >100 year old technology used to be DC earlier, then it was
>>> converted to AC because of its inherent benefits.

Marketing blurb.

>> way over a hundred years ago, yes (except for some small irrelevant
>> isles like parts of new york if memory serves).
>
> Even new york stopped doing it last year. There is no more DC current
> being served.

Well http://www.economist.com/science/displaystory.cfm?story_id=9539765

> Put like this, a Europe-wide grid seems an obvious idea. That it has not
> yet been built is because AC power lines would lose too much power over
> such large distances. Hence the renewed interest in DC.
>
> Westinghouse won the battle of the currents in the 1880s because it is
> easier to transform the voltage of an AC current than of a DC current.

(Also debatable with switching power technologies we have now instead of the classical bulky 50/60Hz transformers, often the first thing we do these days is making the AC DC...)

> High voltage is the best way to transmit power (the higher the voltage,
> the smaller the loss), but high voltage is not usually what the user
> wants. Power is therefore transmitted along high-tension AC lines and
> then stepped down to usable voltages in local sub-stations.
>
> Edison was right, however, to argue that DC is the best way to transmit
> electricity of any given voltage. That is because the shifting current of
> AC runs to earth more easily than DC does. To avoid this earthing, AC
> lines have to be built a long way from the ground - and the higher the
> voltage, the farther away they need to be. At 400 kilovolts, a standard
> value for long-distance transmission, an alternating current 30 metres
> (100 feet) from the ground has a fortieth of the loss of a similar cable
> at ground level. But even at this height an overhead DC line will beat an
> AC line at distances more than 1,000km (600 miles), while ground-level DC
> will beat AC at distances as short as 30km.

+++chefren
Re: [ami] Unable to set "Hot Spare" from bioctl on a Dell PERC 4/Di
Woah, Has anyone "ever" provided such a detailed and thorough error report before? That was just amazing.. lol :) -Nix Fan.
Asian lang support with generic kernel
Hi All, I am new to OBSD but I like that it is secure and simple. Thanks to everyone for making this happen!! I am trying to install obsd as my desktop workstation. I installed from the 4.2 release and now X/KDE is running. After installing the KDE-I18N-cn pkg, I can now open web pages in Chinese. I will deal with the fonts/inputmethod/tuneup later; I don't know how to do that yet, but I think those are doable (it is X anyway). One problem I have is that I can't save a local disk file with a Chinese filename. Does the generic kernel support Asian languages? If so, is there any link/hint on how to configure that? If not, is there any way to patch it, and how? Google gave me some pages on how to patch older versions of OBSD to support Asian languages but I can't find any info regarding v4.2. Thank you. Arthur
syslog-ng and log analyzers
Hi All, I would like to see what you'd suggest as a log analyzer tool(s) on a centralized log server running syslog-ng. I also need to use a specific tool as PF log analyzer. What do you suggest for that purpose? Rami Sik
Re: rtorrent + OpenBSD = freeze
On Tue, 19 Feb 2008, Brian wrote: I have seen this freeze with both xl(4) and nfe(4). Maybe it's time folks start posting their dmesg. Brian I've seen this freeze, too. Seems to be related to rtorrent use. More prevalent when rtorrent is handling multiple torrents. The machine isn't setup as a router but after the freeze, the computer responds to pings, but neither console nor sshd responds leaving me no choice but hard reboot. I originally had assumed that this was due to me using an old -current, but since others seem to be experiencing similar freezes, it may be worthwhile to post my dmesg, too. I'd certainly be willing to help in any ongoing debugging effort. dmesg below: OpenBSD 4.2-current (GENERIC) #476: Fri Nov 2 14:41:26 MDT 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD Sempron(tm) 2200+ ("AuthenticAMD" 686-class, 256KB L2 cache) 1.50 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE real mem = 234385408 (223MB) avail mem = 218775552 (208MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 07/07/04, BIOS32 rev. 0 @ 0xfb590, SMBIOS rev. 2.2 @ 0xf (34 entries) bios0: vendor Phoenix Technologies, LTD version "6.00 PG" date 07/07/2004 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown pcibios0 at bios0: rev 2.1 @ 0xf/0xdf74 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdec0/176 (9 entries) pcibios0: PCI Exclusive IRQs: 3 5 10 11 pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT82C596A ISA" rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0xda00 0xd/0x8000! 
cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 "VIA VT8378 PCI" rev 0x00 ppb0 at pci0 dev 1 function 0 "VIA VT8377 AGP" rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 "VIA VT8378 VGA" rev 0x01: aperture at 0xe400, size 0x1000 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x80: irq 11 uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0x80: irq 3 uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0x80: irq 10 ehci0 at pci0 dev 16 function 3 "VIA VT6202 USB" rev 0x82: irq 5 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 "VIA EHCI root hub" rev 2.00/1.00 addr 1 viapm0 at pci0 dev 17 function 0 "VIA VT8235 ISA" rev 0x00 iic0 at viapm0 spdmem0 at iic0 addr 0x50: 256MB DDR SDRAM non-parity PC3200CL3.0 pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors wd1 at pciide0 channel 0 drive 1: wd1: 16-sector PIO, LBA48, 305245MB, 625142448 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 5 atapiscsi0 at pciide0 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2 auvia0 at pci0 dev 17 function 5 "VIA VT8233 AC97" rev 0x50: irq 10 ac97: codec id 0x414c4760 (Avance Logic ALC655 rev 0) audio0 at auvia0 vr0 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x74: irq 11, address 00:11:5b:0a:44:14 ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 
8: OUI 0x004063, model 0x0032 usb1 at uhci0: USB revision 1.0 uhub1 at usb1 "VIA UHCI root hub" rev 1.00/1.00 addr 1 usb2 at uhci1: USB revision 1.0 uhub2 at usb2 "VIA UHCI root hub" rev 1.00/1.00 addr 1 usb3 at uhci2: USB revision 1.0 uhub3 at usb3 "VIA UHCI root hub" rev 1.00/1.00 addr 1 isa0 at mainbus0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: spkr0 at pcppi0 lpt0 at isa0 port 0x378/4 irq 7 it0 at isa0 port 0x290/8: IT87 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec biomask ff6d netmask ff6d ttymask ffef mtrr: Pentium Pro MTRR support dkcsum: wd0 matches BIOS drive 0x80 dkcsum: wd1 matches BIOS drive 0x81 root on wd0a swap on wd0b dump on wd0b WARNING: / was not properly unmounted
Re: syslog-ng and log analyzers
On Wed, Feb 20 2008 at 32:08, Rami Sik wrote:
> Hi All,

Hi alone,

> I would like to see what you'd suggest as a log analyzer tool(s) on a
> centralized log server running syslog-ng.

In our network, I decided to analyse the logs received by syslog-ng with Prelude-LML. In fact, all logs are retransmitted to the Prelude-LML syslog daemon bound to localhost. Prelude-LML can find security threats in the logs of numerous products. It's easy to see them with the Prelude console (Prewikka). The fact that only a copy is sent to prelude-lml lets you store the logs as you want. This way you can analyse mail or web logs with your favorite log analyser. We intend to use awstats for this purpose.

> I also need to use a specific tool as PF log analyzer. What do you
> suggest for that purpose?

For the moment, I haven't chosen any product to analyse pf logs. I haven't yet found a firewall log analyser that emphasises the important alerts rather than summarising all the connections in a beautiful graph.

Claer
Re: Question about Implementing authpf, squid and ldap authentication....
Hi,

On Wed, 20 Feb 2008, Brian Shackelford wrote:

I have been working on and actually making progress for writing a client for windows that will authenticate a user to authpf upon login thereby granting access to the network based on rules setup for each user/group. In addition we would love to be able to somehow transparently authenticate that user to the squid firewall tied back to the Active Directory on our network using LDAP. Just wondering if anyone has approached/done something like this already in the hopes of saving some time developing it.

there was a discussion on openbsd-misc some days ago, see http://thread.gmane.org/gmane.os.openbsd.misc/138273 for LDAP and squid.

Regarding authpf: I would not do this because you have the choice between organizing and handling many users and passwords on your openbsd firewall or only a few or one users and passwords and then you have probably no security. If possible I would not allow direct access to the internet but only via squid.

regards
Stefan Kell
OpenBSD 4.2 with ftp-proxy, named, spamd on Alix2c1 board (+dmesg)
Just for the records. The Alix2c1 board is from PC Engines, 3 LAN, 1 miniPCI, a 433 MHz AMD Geode LX700 with 128 MB DDR DRAM, CompactFlash socket (see http://pcengines.ch/alix2c1.htm).

In short, I upgraded the BIOS, performed a PXE boot, did a normal install, configured afterwards the RAM-disk for /var and /tmp and made / readonly. Works great, thanks.. and BTW, Recurring PayPal Donations is a good idea.

Now the longer story. The boards (two of them) are used for NAT, firewall, DNS, FTP-proxy and Spamd frontend for a mailserver that is behind the firewall. It's a small network for about 10 users.

For the BIOS upgrade, I used a ready-to-run freedos image from a Korean host, http://210.109.84.3/download/freedos_alixupdate_16.img which I wrote with dd onto a 1GB CF card (using a PCMCIA adapter). You have to link the serial ports of your computer with the alix board using a nullmodem (crossover) serial cable. I use Linux as main OS and used minicom as terminal. Default settings for the Alix board are 38400-8-N-1. The serial port on my machine is /dev/ttyS0.

For PXE boot you need some entries in /etc/dhcpd.conf:

    allow bootp;
    subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.200 192.168.0.250;
        default-lease-time 14400;
        max-lease-time 172800;
        next-server 192.168.0.10;   # this is my machine
        filename "pxeboot";
    }

Put these files to the tftpboot directory:

    bsd.rd
    pxeboot
    etc/boot.conf

    # cat boot.conf
    set tty com0
    stty com0 38400
    boot bsd.rd

Now I performed a normal 4.2 install with following deviations:
- I cleared all partitions and created only wd0a using the whole disk.
- No swap.
- I left out comp42.tgz.
- I had to add xbase42.tgz because of expiretable-0.6 (will change in 4.3).

Next time I would make two partitions, one for installation, and a larger one so that I can store updated image files there, boot bsd.rd and copy the image over the primary partition...

After installation comes:

    # /mnt/usr/sbin/chroot /mnt

We need /tmp, /var and /dev writeable, but this would destroy the CompactFlash card. We move those three directories to a memory based file system that will be populated during startup.

    # mkdir /proto
    # cp -rp /var /proto/var
    # mkdir /proto/dev
    # cp /dev/MAKEDEV /proto/dev
    # cd /proto/dev
    # ./MAKEDEV all
    # rm -rf /tmp
    # ln -s /var/tmp /tmp

Now I'm not quite sure whether the MAKEDEV worked out of the box; I think I had to reboot because I got lots of error messages.

Lots of configuration work needs to be done. This sets the boot console to the serial port:

    # cat /etc/boot.conf
    set tty com0
    stty com0 38400

Minicom only supports VT102:

    # cat /etc/ttys
    tty00 "/usr/libexec/getty std.38400" vt102 on secure

    # cat /etc/fstab
    # -P populates each mfs from the /proto copies made above
    /dev/wd0a / ffs ro,noatime 1 1
    swap /var mfs rw,-P=/proto/var,-s=65536,noexec,nosuid,nodev 0 0
    swap /dev mfs rw,-P=/proto/dev,-s=4096,-i=128,noexec,nosuid 0 0

    # cat /etc/rc.conf (only changes, YMMV:)
    named_flags=""
    ntpd_flags=""
    spamd_flags=""
    spamlogd_flags="-i pflog0"
    ftpproxy_flags=""

Be careful not to set the ntpd-flags to "-s"; in my tests, when the internet was not connected, ntpd would hang completely. I use rdate for that, see later.

I added a single line in /etc/rc:

    mount -a -t nonfs,vnd
    mount -uw / # root on nfs requires this, others aren't hurt
    rm -f /fastboot # XXX (root now writeable)
    + sleep 1 # wait until mfs is populated

    # cat /etc/rc.conf.local
    expiretable=YES

    # cat /etc/rc.local
    echo -n 'rdate '
    rdate -ncv pool.ntp.org
    if [ X"${expiretable}" == X"YES" ]; then
        echo -n 'expiretable '
        /usr/local/sbin/expiretable -v -d -t 2h bruteforce
    fi

Now something completely different, the packet filtering. The Mailserver sits in the local LAN and is protected by the firewall and spamd. I installed there the open source edition of zimbra.com, so there are plenty of ports redirected to the webserver. Aside from that, I decided to block SSH brute force attempts, but set it too tight - I locked myself out for 2 hours because I initiated several scp commands too fast... For the automatic unlocking to work, you need "expiretable-0.6". Additionally, I have a whitelist with IP addresses of known mail servers located in /var/db/whitelist.

    # cat /etc/pf.conf
    WORLD="vr2"
    LAN="vr0"
    IPEXT="a.b.c.d"
    IPINT="192.168.0.0/24"
    MAIL="192.168.0.104"
    MAILPTS=" { www, pop3, auth, https, pop3s, 7071 } "
    table persist { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/5, 169.254.0.0/16 }
    table persist file "/var/db/whitelist"
    table persist
    table persist
    table persist
    set loginterface $WORLD
    set limit table-entries 35
    scrub on $WORLD all fragment reassemble random-id reassemble tcp
    nat-anchor "ftp-proxy/*"
    nat on $WORLD from $IPINT to any -> $IPEXT
    rdr-anchor "ftp-proxy/*"
    rdr pass on $LAN proto tcp from $IPINT to any port 21 -> 127.0.0.1 port 8021
    # mail server and spamd
    rdr pass on $WORLD proto tcp from to $WORLD port smtp -> $MAIL port smtp
    rdr pass on $WORLD proto tcp from
Re: Sending mail from external firewall to external mail server (behind firewall)
Hello,

On Wed, 20 Feb 2008, Albert Chin wrote:

On Wed, Feb 20, 2008 at 08:55:44AM +0100, Stefan Kell wrote:

Original-Nachricht
Datum: Tue, 19 Feb 2008 22:36:20 -0600
Von: Albert Chin <[EMAIL PROTECTED]>
An: misc@openbsd.org
Betreff: Sending mail from external firewall to external mail server (behind firewall)

... snip...

rdr pass log on $ext_if inet proto tcp from any to $mail_ip \
    port = smtp -> $emma_gw

From the Internet, if I "telnet 67.95.107.111 25", everything works. But, on hammer:

hammer% telnet 67.95.107.111 25
Trying 67.95.107.111...
telnet: connect to address 67.95.107.111: Connection refused

... snip ...

see "man pf.conf", especially paragraph "Translation rules apply only to packets that pass through the specified interface,..."

Thanks. I've changed my pf rule from:

rdr pass log on $ext_if inet proto tcp from any to $mail_ip \
    port = smtp -> $emma_gw

to:

rdr pass log inet proto tcp from any to $mail_ip \
    port = smtp -> $emma_gw

This certainly helps for hosts on the local network. But, the issue with "telnet 67.95.107.111 25" not working on hammer remains. BTW, we are running OpenBSD 4.0 on x86.

Have a look at the pf-FAQ, see http://www.openbsd.org/faq/pf/rdr.html. Your problem is discussed there. I think you cannot test redirection on the firewall itself because the packets won't reach the redirection stuff in pf.

Regards
Stefan Kell
Re: take threads off the table
On Feb 20, 2008 5:48 AM, Douglas A. Tutty <[EMAIL PROTECTED]> wrote: > While this kind of setup is well beyond my pay-grade, looking just at > the issue of, in effect, using threads to share a cache to avoid hitting > the disk, I wonder why using a memory filesystem as the common cache > wouldn't work. No threads, shared data via the filesystem but that > filesystem is in memory and quite fast. Because the data structure actually used by your program is rarely bit for bit identical with the on disk representation of that same data. Memory filesystems impose all sorts of overhead like inodes, names, directories, modification times, sizes, owner id, group id, access time, permissions, superblocks, backup superblocks.
Re: syslog-ng and log analyzers
On Wed, Feb 20, 2008 at 08:32:31AM -0800, Rami Sik wrote: | I would like to see what you'd suggest as a log analyzer tool(s) on a | centralized log server running syslog-ng. | | I also need to use a specific tool as PF log analyzer. What do you | suggest for that purpose? I prefer to use a log notification tool instead of relying on a tool to figure out what is going on. Since I pretty much know what I'm looking out for, I can define certain things to watch for and then set up appropriate notifications. Check out tenshi -- written for Gentoo Linux, but is just Perl. http://www.gentoo.org/proj/en/infrastructure/tenshi/ later. ryanc
ssh_config, chroot, or user rights to restrict user access?
I'm taking a class on system security. We're in teams and we have to allow attacking teams ssh access to our devices. I'd like to limit the user account access for the other groups, permitting them a shell and a few commands, but no ability to browse the box or do things like cat or cp /etc/passwd. I'm running OpenBSD 4.2 on the server they'll be attacking. I'm an OpenBSD noob. Learning under fire. If someone can help me figure out whether using ssh_config, chroot, or just using permissions will be the easiest, most effective way to go about it, and how to proceed, it will be much appreciated. Alternatives would be great too. Thanks! Ted LeRoy
Re: syslog-ng and log analyzers
On Feb 20, 2008 10:51 AM, Ryan Corder <[EMAIL PROTECTED]> wrote: > > On Wed, Feb 20, 2008 at 08:32:31AM -0800, Rami Sik wrote: > | I would like to see what you'd suggest as a log analyzer tool(s) on a > | centralized log server running syslog-ng. > | > | I also need to use a specific tool as PF log analyzer. What do you > | suggest for that purpose? > > I prefer to use a log notification tool instead of relying on a tool > to figure out what is going on. Since I pretty much know what I'm looking > out for, I can define certain things to watch for and then set up > appropriate notifications. > > Check out tenshi -- written for Gentoo Linux, but is just Perl. Another vote for Tenshi. Probably the best way to do it with syslog-ng is to have syslog-ng forward logs to Tenshi (listening on loopback) because otherwise Tenshi won't be able to follow the logs (if you organize them by date, etc.). -Kian
Re: ssh_config, chroot, or user rights to restrict user access?
On Wed, Feb 20, 2008 at 2:02 PM, LeRoy, Ted <[EMAIL PROTECTED]> wrote: > I'm taking a class on system security. We're in teams and we have to > allow attacking teams ssh access to our devices. > > I'd like to limit the user account access for the other groups, > permitting them a shell and a few commands, but no ability to browse the > box or do things like cat or cp /etc/passwd. > > I'm running OpenBSD 4.2 on the server they'll be attacking. I'm an > OpenBSD noob. Learning under fire. > > If someone can help me figure out whether using ssh_config, chroot, or > just using permissions will be the easiest, most effective way to go > about it, and how to proceed, it will be much appreciated. Alternatives > would be great too. > The easiest way is to upgrade to -current, as openssh in -current has the ChrootDirectory option in sshd_config now. Look at: http://undeadly.org/cgi?action=article&sid=20080220110039&mode=expanded&count=5 for more details.
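An added illustration, not part of the thread: sshd_config(5) documents that sshd only accepts a ChrootDirectory when every component of the path is a root-owned directory that is not writable by group or others. The script below checks a jail path against that rule before sshd is pointed at it; the group name and jail path in its comment are made up, and rejecting symlinks is a conservative choice of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sshd_config stanza this
# check is meant to accompany (group name and jail path are made up):
#
#   Match Group guests
#       ChrootDirectory /var/jail/guests
#       AllowTcpForwarding no
#       X11Forwarding no

# check_component DIR [UID]
# Succeeds when DIR is a plain directory owned by UID (default 0, root)
# and carries no group or other write bit.
check_component() {
    dir=$1
    want_uid=${2:-0}
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a plain directory" >&2
        return 1
    fi
    ls_out=$(ls -ldn -- "$dir") || return 1
    set -f            # no globbing while the ls line is split into words
    set -- $ls_out    # $1 = mode string, $3 = numeric owner
    set +f
    mode=$1
    uid=$3
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    # Mode string is like drwxr-xr-x: character 6 is group write,
    # character 9 is other write.
    case "$mode" in
        ?????w*|????????w*)
            echo "FAIL $dir: group/other writable ($mode)" >&2
            return 1
            ;;
    esac
    return 0
}

# check_chroot_path PATH [UID]
# Walks from PATH up to / and checks every component, reporting all
# offenders rather than stopping at the first one.
check_chroot_path() {
    p=$1
    owner=${2:-0}
    case "$p" in
        /*) ;;
        *) echo "FAIL $p: path must be absolute" >&2; return 2 ;;
    esac
    rc=0
    while :; do
        check_component "$p" "$owner" || rc=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Stand-alone use: sh check_chroot.sh /var/jail/guests
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
    exit $?
fi
```

For an interactive shell rather than sftp, sshd_config(5) also notes that the jail itself must contain what the session needs, at least a shell and basic /dev nodes.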
Re: ssh_config, chroot, or user rights to restrict user access?
On Wed, 20 Feb 2008 14:02:34 -0500, LeRoy, Ted wrote > I'm taking a class on system security. We're in teams and we have to > allow attacking teams ssh access to our devices. > > I'd like to limit the user account access for the other groups, > permitting them a shell and a few commands, but no ability to browse > the box or do things like cat or cp /etc/passwd. > > I'm running OpenBSD 4.2 on the server they'll be attacking. I'm an > OpenBSD noob. Learning under fire. > > If someone can help me figure out whether using ssh_config, chroot, > or just using permissions will be the easiest, most effective way > to go about it, and how to proceed, it will be much appreciated. Alternatives > would be great too. > > Thanks! > > Ted LeRoy Ted, A new sftp chroot restriction environment is now available in -current; you may find the discussion at the OpenBSD Journal helpful: http://undeadly.org/cgi?action=article&sid=20080220110039
Re: Using CVS to back up /etc
> Currently I back up /etc on these machines using variants on rsync and
> rsnapshot, and it works OK. However, I've got it into my head to shift
> to using CVS to back up /etc on these machines. Advantages I think I see:

http://www.infrastructures.org/papers/bootstrap/bootstrap.html might help in your research, I have not yet seen it mentioned here
Re: ssh_config, chroot, or user rights to restrict user access?
LeRoy, Ted wrote:

I'm taking a class on system security. We're in teams and we have to allow attacking teams ssh access to our devices.

it's not what you asked, but may be helpful to your task: http://www.securityfocus.com/infocus/1876

Tom Lobato
Re: syslog-ng and log analyzers
* Rami Sik <[EMAIL PROTECTED]> [2008-02-20 17:47]:
> I would like to see what you'd suggest as a log analyzer tool(s) on a
> centralized log server

there's a very nice way to do that with the trustworthy syslogd (yeah, the one without that -ng suffix) we ship. just put the following line in your syslog.conf:

*.* |/usr/local/sbin/logsurfer -d /picksomething -s

the very nice part of the story is that syslogd will take care of forking logsurfer, and start a new one if it should die for whatever reason. it'll take you a while to write sensible logsurfer rules, but after a while of spamming you it'll nicely report anomalies.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
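An added example, not from this thread and not logsurfer or tenshi code: a minimal stdin filter of the kind that could sit behind the syslog.conf pipe action shown above, watching for one defined pattern (repeated failed ssh logins from one address) instead of summarising everything. The function names, threshold and sample log lines are constructed; the address is read from the fixed tail of the sshd message so that a crafted user name containing " from " cannot shift the blame to another host.

```shell
#!/bin/sh
# Added example. Reads syslog lines on stdin and prints one alert the
# moment a source address reaches LIMIT failed ssh password attempts.

# watch_failed_logins [LIMIT]   (default 5)
watch_failed_logins() {
    awk -v limit="${1:-5}" '
        / sshd\[[0-9]+\]: Failed password for / {
            # sshd ends the message with: from <addr> port <n> ssh2
            # Anchor on those trailing fields; the user name in the middle
            # is chosen by the remote side and may contain spaces.
            if (NF < 5 || $(NF - 4) != "from" || $(NF - 2) != "port")
                next
            ip = $(NF - 3)
            if (++fails[ip] == limit) {
                printf "ALERT %s: %d failed ssh logins, last at %s %s %s\n",
                       ip, limit, $1, $2, $3
                fflush()    # deliver the alert now, not at exit
            }
        }'
}

# Constructed sample input (documentation addresses, made-up host "fw").
# The fourth line carries a user name crafted to look like another source.
sample_log() {
    cat <<'EOF'
Feb 20 10:12:01 fw sshd[4101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Feb 20 10:12:03 fw sshd[4102]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Feb 20 10:12:04 fw sshd[4103]: Accepted publickey for ted from 198.51.100.7 port 51000 ssh2
Feb 20 10:12:05 fw sshd[4104]: Failed password for invalid user x from 203.0.113.9 port 1 ssh2 from 192.0.2.10 port 40003 ssh2
Feb 20 10:12:09 fw sshd[4105]: Failed password for root from 198.51.100.7 port 51001 ssh2
EOF
}
```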
make release errors
Hello,

Trying to do a "make release" apparently without success:
=
cp /usr/dest/snapshot/*BOOT* /usr/rel
cp: /usr/dest/snapshot/*BOOT*: No such file or directory
*** Error code 1 (ignored)
cp /usr/dest/snapshot/cd*.iso /usr/rel
cp /usr/dest/snapshot/Packages /usr/rel
cp: /usr/dest/snapshot/Packages: No such file or directory
*** Error code 1 (ignored)
cp /usr/dest/snapshot/INSTALL.* /usr/rel
cp /usr/dest/snapshot/*.fs /usr/dest/snapshot/*.fs.gz /usr/rel
cp: /usr/dest/snapshot/*.fs.gz: No such file or directory
*** Error code 1 (ignored)
cd /usr/rel; md5 *bsd!(*.gz) *boot* cdbr *BOOT* INSTALL.* Packages *.fs *.iso *.gz *.tgz > MD5
md5: cannot open *BOOT*: No such file or directory
md5: cannot open Packages: No such file or directory
md5: cannot open *.gz: No such file or directory
cd /usr/rel && sort -o MD5 MD5
=

System started as a clean install from the 2/17/08 snapshot and upgraded to -current before doing "make release". I followed the instructions at: http://openbsd.org/faq/faq5.html#Release

What did I miss?

Thank you,
--
Chris
Re: syslog-ng and log analyzers
On Wed, Feb 20, 2008 at 11:12:06AM -0800, Kian Mohageri wrote:
| Another vote for Tenshi. Probably the best way to do it with
| syslog-ng is to have syslog-ng forward logs to Tenshi (listening on
| loopback) because otherwise Tenshi won't be able to follow the logs
| (if you organize them by date, etc.).

I have syslog-ng keep an additional 'catchall' log that only the tenshi user has access to. It is then rotated every 24 hours via logrotate.

This method is no more or less secure, but in my mind it is one less process listening on a socket.
Re: Not updating .libs-XXXXX, remember to clean it (huh?)
On Tue, Feb 19, 2008 at 01:07:25PM -0500, Juan Miscaro wrote:
> I am working with a recent snapshot installation (090208) and I have
> some questions regarding updating packages with pkg_add.
>
>
> ...
> 1. I am shown the following:
>
> Not updating .libs-curl-7.16.2, remember to clean it
> Not updating .libs-db-4.2.52p11, remember to clean it
> Not updating .libs-pcre-7.1, remember to clean it
> Not updating .libs-png-1.2.18, remember to clean it
>
> How do I "clean it"?

By using pkg_delete

> I have these files on my system. By "cleaning it" should I merely
> delete the earlier version? If so, why doesn't pkg_add do it?

Because you might have compiled stuff on your system manually, and then if you remove those libs, you will break it.

But you're right, it's poorly documented...
Re: make release errors
On Wed, Feb 20, 2008 at 8:11 PM, Richard Daemon <[EMAIL PROTECTED]> wrote:
>
> On Wed, Feb 20, 2008 at 6:26 PM, Chris Smith <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > Trying to do a "make release" apparently without success:
> > =
> > cp /usr/dest/snapshot/*BOOT* /usr/rel
> > cp: /usr/dest/snapshot/*BOOT*: No such file or directory
> > *** Error code 1 (ignored)
> > cp /usr/dest/snapshot/cd*.iso /usr/rel
> > cp /usr/dest/snapshot/Packages /usr/rel
> > cp: /usr/dest/snapshot/Packages: No such file or directory
> > *** Error code 1 (ignored)
> > cp /usr/dest/snapshot/INSTALL.* /usr/rel
> > cp /usr/dest/snapshot/*.fs /usr/dest/snapshot/*.fs.gz /usr/rel
> > cp: /usr/dest/snapshot/*.fs.gz: No such file or directory
> > *** Error code 1 (ignored)
> > cd /usr/rel; md5 *bsd!(*.gz) *boot* cdbr *BOOT* INSTALL.* Packages *.fs
> > *.iso *.gz *.tgz > MD5
> > md5: cannot open *BOOT*: No such file or directory
> > md5: cannot open Packages: No such file or directory
> > md5: cannot open *.gz: No such file or directory
> > cd /usr/rel && sort -o MD5 MD5
> > =
> >
> > System started as a clean install from the 2/17/08 snapshot and upgraded
> > to -current before doing "make release". I followed the instructions
> > at: http://openbsd.org/faq/faq5.html#Release
> >
> > What did I miss?
> >
> > Thank you,
> > --
> > Chris
> >
> >
>
> Probably because the steps -> test -d ${DESTDIR} && mv ${DESTDIR}
> ${DESTDIR}.old && rm -rf ${DESTDIR}.old &
>
> Skip that part or better yet, don't rm -rf until you're fully finished
> everything... Especially if you want to make a full release(8) with X
> sets too then you'll have OpenBSD in ${DESTDIR}.old and Xenocara in
> ${DESTDIR}, if memory serves me correctly. It's kinda misleading and
> the same goes with release(8).
>
> Just my $0.02, hope this helps.
>

whoops, i meant lower in the FAQ:

# test -d ${DESTDIR} && mv ${DESTDIR} ${DESTDIR}- && \
    rm -rf ${DESTDIR}- &
Re: make release errors
> On Wed, Feb 20, 2008 at 6:26 PM, Chris Smith <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > Trying to do a "make release" apparently without success:

No these warnings are ok. You got the *.tgz didn't you?

> > cp /usr/dest/snapshot/*BOOT* /usr/rel
> > cp: /usr/dest/snapshot/*BOOT*: No such file or directory
> > *** Error code 1 (ignored)
> > cp /usr/dest/snapshot/cd*.iso /usr/rel
> > cp /usr/dest/snapshot/Packages /usr/rel
> > cp: /usr/dest/snapshot/Packages: No such file or directory
> > *** Error code 1 (ignored)
> > cp /usr/dest/snapshot/INSTALL.* /usr/rel
> > cp /usr/dest/snapshot/*.fs /usr/dest/snapshot/*.fs.gz /usr/rel
> > cp: /usr/dest/snapshot/*.fs.gz: No such file or directory
> > *** Error code 1 (ignored)
> > cd /usr/rel; md5 *bsd!(*.gz) *boot* cdbr *BOOT* INSTALL.* Packages *.fs
> > *.iso *.gz *.tgz > MD5
> > md5: cannot open *BOOT*: No such file or directory
> > md5: cannot open Packages: No such file or directory
> > md5: cannot open *.gz: No such file or directory
> > cd /usr/rel && sort -o MD5 MD5
Re: make release errors
Chris Smith wrote:
> Hello,
>
> Trying to do a "make release" apparently without success:
> =
> cp /usr/dest/snapshot/*BOOT* /usr/rel
> cp: /usr/dest/snapshot/*BOOT*: No such file or directory
> *** Error code 1 (ignored)
> cp /usr/dest/snapshot/cd*.iso /usr/rel
> cp /usr/dest/snapshot/Packages /usr/rel
> cp: /usr/dest/snapshot/Packages: No such file or directory
> *** Error code 1 (ignored)
> cp /usr/dest/snapshot/INSTALL.* /usr/rel
> cp /usr/dest/snapshot/*.fs /usr/dest/snapshot/*.fs.gz /usr/rel
> cp: /usr/dest/snapshot/*.fs.gz: No such file or directory
> *** Error code 1 (ignored)
> cd /usr/rel; md5 *bsd!(*.gz) *boot* cdbr *BOOT* INSTALL.* Packages *.fs *.iso *.gz *.tgz > MD5
> md5: cannot open *BOOT*: No such file or directory
> md5: cannot open Packages: No such file or directory
> md5: cannot open *.gz: No such file or directory
> cd /usr/rel && sort -o MD5 MD5
> =
>
> System started as a clean install from the 2/17/08 snapshot and upgraded to -current before doing "make release". I followed the instructions at: http://openbsd.org/faq/faq5.html#Release
>
> What did I miss?

The "ignored" part in the error output. Those error messages are typical (dare I guess you're on i386?) and not critical.

If these are the only errors you get, then you can go on with the rest of the release.

/Alexander
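
Added example (not part of the reply above and not code from the OpenBSD tree): a small sh/awk filter that separates make errors carrying the "(ignored)" suffix from errors that stop the build. The function names are hypothetical; the sample log is constructed, with lines 1-7 taken from the post and lines 8-9 invented, on the assumption that a fatal error prints the same line without the suffix.

```shell
#!/bin/sh
# Added example: split make errors into "ignored" and "fatal".
# A Makefile command prefixed with "-" may fail without stopping the
# build; make marks those failures with the "(ignored)" suffix.

# Constructed sample log. Lines 1-7 are from the post; lines 8-9 are
# invented (assumed format) to show an error that is NOT ignored.
sample_log() {
    cat <<'EOF'
cp /usr/dest/snapshot/*BOOT* /usr/rel
cp: /usr/dest/snapshot/*BOOT*: No such file or directory
*** Error code 1 (ignored)
cp /usr/dest/snapshot/cd*.iso /usr/rel
cp /usr/dest/snapshot/Packages /usr/rel
cp: /usr/dest/snapshot/Packages: No such file or directory
*** Error code 1 (ignored)
cc -o example example.c
*** Error code 1
EOF
}

# Reads a make log on stdin. Prints each fatal error with its line
# number and the last non-error line seen before it, then a summary.
# Returns 1 if any fatal error was seen, 0 otherwise.
triage_make_log() {
    awk '
        /^\*\*\* Error code [0-9]+/ {
            if ($0 ~ /\(ignored\)[ \t]*$/) {
                ignored++
            } else {
                fatal++
                printf "fatal: line %d: exit code %s after: %s\n", NR, $4, prev
            }
            next
        }
        $0 != "" { prev = $0 }
        END {
            printf "ignored=%d fatal=%d\n", ignored, fatal
            exit (fatal > 0 ? 1 : 0)
        }
    '
}

sample_log | triage_make_log || echo "build log contains fatal errors"
```

To check a real build, capture the output of "make release" to a file and feed that file to triage_make_log on stdin.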
Re: make release errors
On Wed, Feb 20, 2008 at 6:26 PM, Chris Smith <[EMAIL PROTECTED]> wrote:
> Hello,
>
> Trying to do a "make release" apparently without success:
> =
> cp /usr/dest/snapshot/*BOOT* /usr/rel
> cp: /usr/dest/snapshot/*BOOT*: No such file or directory
> *** Error code 1 (ignored)
> cp /usr/dest/snapshot/cd*.iso /usr/rel
> cp /usr/dest/snapshot/Packages /usr/rel
> cp: /usr/dest/snapshot/Packages: No such file or directory
> *** Error code 1 (ignored)
> cp /usr/dest/snapshot/INSTALL.* /usr/rel
> cp /usr/dest/snapshot/*.fs /usr/dest/snapshot/*.fs.gz /usr/rel
> cp: /usr/dest/snapshot/*.fs.gz: No such file or directory
> *** Error code 1 (ignored)
> cd /usr/rel; md5 *bsd!(*.gz) *boot* cdbr *BOOT* INSTALL.* Packages *.fs
> *.iso *.gz *.tgz > MD5
> md5: cannot open *BOOT*: No such file or directory
> md5: cannot open Packages: No such file or directory
> md5: cannot open *.gz: No such file or directory
> cd /usr/rel && sort -o MD5 MD5
> =
>
> System started as a clean install from the 2/17/08 snapshot and upgraded
> to -current before doing "make release". I followed the instructions
> at: http://openbsd.org/faq/faq5.html#Release
>
> What did I miss?
>
> Thank you,
> --
> Chris
>

Probably because the steps -> test -d ${DESTDIR} && mv ${DESTDIR} ${DESTDIR}.old && rm -rf ${DESTDIR}.old &

Skip that part or better yet, don't rm -rf until you're fully finished everything... Especially if you want to make a full release(8) with X sets too then you'll have OpenBSD in ${DESTDIR}.old and Xenocara in ${DESTDIR}, if memory serves me correctly. It's kinda misleading and the same goes with release(8).

Just my $0.02, hope this helps.
Re: make release errors
On Wednesday 20 February 2008, Stuart Henderson wrote:
> No these warnings are ok. You got the *.tgz didn't you?

Yes. Thank you.

--
Chris
Re: make release errors
On Wednesday 20 February 2008, Richard Daemon wrote:
> whoops, i meant lower in the FAQ:
>
> # test -d ${DESTDIR} && mv ${DESTDIR} ${DESTDIR}- && \
>     rm -rf ${DESTDIR}- &

Thanks. I had just created these directories so they were empty to start with.

--
Chris
Re: make release errors
On Wednesday 20 February 2008, Alexander Hall wrote:
> The "ignored" part in the error output. Those error messages are
> typical (dare I guess you're on i386?) and not critical.

Yes, i386.

> If these are the only errors you get, then you can go on with the
> rest of the release.

I get this as well:
=
# cd /usr/src/distrib/sets && sh checkflist
6455a6456
> ./usr/sbin/authpf-noip
13115a13117
> ./usr/share/man/cat4/wbsio.0
13442a13445
> ./usr/share/man/cat8/authpf-noip.0
=

If I don't want X, am I basically done except for any third party packages desired?

Thank you.
--
Chris
inspircd + libunwind?
[EMAIL PROTECTED]:~ $ sysctl kern.version
kern.version=OpenBSD 4.3-beta (GENERIC) #6: Wed Feb 20 19:23:25 PST 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

...with an equally current userland.

I am trying to get InspIRCd (http://www.inspircd.org/) 1.1.17 compiled but it requires libunwind. The InspIRCd website indicates that their code was working at one time on OpenBSD, but that was some time ago (3.7).

Does anyone have information on either running inspircd or libunwind under OpenBSD? Is there such a thing as libunwind on OpenBSD? Google is turning up very little.

Thanks.
Re: What is our ultimate goal??
On Thu, Feb 21, 2008 at 1:05 PM, ropers <[EMAIL PROTECTED]> wrote:
> On 20/02/2008, Mayuresh Kathe <[EMAIL PROTECTED]> wrote:
> > On Feb 20, 2008 4:58 PM, Henning Brauer <[EMAIL PROTECTED]> wrote:
> > > * Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-17 13:38]:
> > > > Wouldn't it be nice to have a high performance networking stack?
> > >
> > > yeah.
> > > guess what we have?
> > > exactly that.
> > > (which doesn't mean it could be even faster)
> >
> >
> > Pardon if I sound ignorant, but isn't our networking stack based on
> > the 24 year old technology from Berkeley?
>
> Pardon if I sound ignorant, but isn't our Bugatti Veyron based on
> the millennia old wheel technology?

The wheel isn't the technology, it is a concept. An implementation of the wheel concept would be the technology. The concept is the same, but the technology is certainly different. Are you saying your Bugatti Veyron is running on wooden wheels?

~Mayuresh
Re: What is our ultimate goal??
On 20/02/2008, Mayuresh Kathe <[EMAIL PROTECTED]> wrote:
> On Feb 20, 2008 4:58 PM, Henning Brauer <[EMAIL PROTECTED]> wrote:
> > * Mayuresh Kathe <[EMAIL PROTECTED]> [2008-02-17 13:38]:
> > > Wouldn't it be nice to have a high performance networking stack?
> >
> > yeah.
> > guess what we have?
> > exactly that.
> > (which doesn't mean it could be even faster)
>
>
> Pardon if I sound ignorant, but isn't our networking stack based on
> the 24 year old technology from Berkeley?

Pardon if I sound ignorant, but isn't our Bugatti Veyron based on the millennia old wheel technology?