Re: Rackmount Server for NetBSD in 2023

2023-11-27 Thread Frank Wille
Mark Davies wrote:

> I've been quite happy with Dell PowerEdge boxes over the years. 
> Hardware RAID for the Dell PERC H7xx is provided via the mfii driver

Thanks for your recommendation! I'll keep that in mind for our next
acquisition.

In this case I finally settled on a second-hand DL360 Gen8, which also has
RAID support.

-- 
Frank Wille



Re: Rackmount Server for NetBSD in 2023

2023-11-16 Thread Frank Wille
Brett Lymn wrote:

On 15.11.23 07:45:28 you wrote:

> I tried a DL360 G10+ about a year ago and things mostly worked fine
> apart from the raid controller, that has changed from ciss.

Ok, that's what I feared.


> I'm sorry,
> I can't recall what the new one requires but it wasn't supported when I
> tried.

So when I buy a modern DL360 I'd better find out the exact model of
the "HP Smart Array" and compare it with the source.

Or switch to software RAID, which many already recommended to me.

-- 
Frank Wille



Rackmount Server for NetBSD in 2023

2023-11-14 Thread Frank Wille
Hi,

our company has been running a NetBSD mail/web/etc. server for many years now,
and I noticed that it has started generating kernel panics (every few weeks, ATM),
so it's probably time to replace the machine.

The current server is an HP ProLiant DL360 G5, Xeon 5160 3GHz, supporting the
HP hardware RAID via ciss(4).

Are there any recommendations for a more recent rackmount server (preferably
1U) where all important devices (including hardware RAID) are supported by
NetBSD-10?

We don't need a lot more CPU power and 16 or 32 GB RAM will be sufficient.

Thanks in advance,

-- 
Frank Wille


Re: Hundreds of crypto file descriptors for Apache httpd

2020-03-13 Thread Frank Wille
Jeffrey Walton wrote:

> On Tue, Mar 10, 2020 at 6:57 AM Frank Wille wrote:
>> But is it normal to create more than 200 crypto file descriptors for
>> each httpd process? Then I would have to recompile PHP with a larger
>> FD_SETSIZE, as it seems?
>
> If it is OpenSSL and /dev/crypto handles, then something sounds a bit
> sideways. OpenSSL is supposed to open the device once and share it
> internally.

Strange. Maybe OpenSSL and/or PHP was started repeatedly by Apache?


> I'm not sure what to do with OpenSSL 1.0.2 and earlier.

It's OpenSSL 1.0.2k here.


-- 
Frank Wille



Re: Hundreds of crypto file descriptors for Apache httpd

2020-03-12 Thread Frank Wille
Michael van Elst wrote:

> I think the only option you have now is to prevent access to /dev/crypto.

Confirmed! I renamed /dev/crypto and all the 200+ file descriptors per
apache process are gone. Horde also feels snappier again and the PHP
warning about FD_SETSIZE disappeared as well.

Thanks.

Now I only have to remember that /dev/crypto is recreated with every
new NetBSD update and MAKEDEV, which is a bit inconvenient...

-- 
Frank Wille


Re: Hundreds of crypto file descriptors for Apache httpd

2020-03-10 Thread Frank Wille
Michael van Elst wrote:

>> frank%phoenix.owl.de@localhost (Frank Wille) writes:
>> [...]
>> Where do they come from? Is that some kind of leak? What can I do (besides
>> restarting Apache or the whole server)?
>
> Something is using /dev/crypto. openssl would do that, but only if
> you configure it.

Yes, our web-server is also listening on port 443 for several virtual hosts,
so SSL is configured.

But is it normal to create more than 200 crypto file descriptors for each
httpd process? Then I would have to recompile PHP with a larger FD_SETSIZE,
as it seems?

-- 
Frank Wille



Hundreds of crypto file descriptors for Apache httpd

2020-03-09 Thread Frank Wille
Hi,

I am running "Horde webmail" with Apache 2.4.33 and PHP5.6 (both from
pkgsrc) on a NetBSD 8.1 server, which usually works pretty well, although a
little bit slow when dealing with bigger mails.

Today it became extremely slow. It requires nearly 60 seconds just to log
in. And any small action within Horde also takes between 10 and 30 seconds.
Other pages on this server are still fast (for example Typo3), so I was
looking for a problem with Horde and found this in /var/log/messages:

Mar  9 20:07:14 nerthus HORDE: [horde] PHP ERROR: stream_select(): You MUST
recompile PHP with a larger value of FD_SETSIZE. It is set to 256, but you
have descriptors numbered at least as high as 269. 
--enable-fd-setsize=1024 is recommended, but you may want to set it to
equal the maximum number of open files supported by your system, in order
to avoid seeing this error again at a later date. [pid 19351 on line 218 of
"/var/www/vhosts/www.x.de/webmail/pear/php/Net/DNS2/Socket/Streams.php"]

I wonder why there are so many file descriptors in use, so I checked with
fstat(1). Indeed, all httpd processes showed around 264 file descriptors in
use and 227 of them were "crypto" file descriptors:
[...]
apache   httpd   5661  229* crypto 0xfe83c27af9d8
apache   httpd   5661  230* crypto 0xfe83c27af930
apache   httpd   5661  231* crypto 0xfe83c27af888
[...]

Where do they come from? Is that some kind of leak? What can I do (besides
restarting Apache or the whole server)?

Thanks in advance!

-- 
Frank Wille
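The symptom in this thread (hundreds of "crypto" descriptors per httpd worker, pushing descriptor numbers past FD_SETSIZE) can be spotted from fstat(1) output before PHP starts failing. The following is an added example, not code from the original post: it parses the fstat column layout quoted above and reports, per process, how many descriptors are "crypto" and whether the highest descriptor number has already crossed the default FD_SETSIZE of 256. The sample lines are constructed to match that layout; the `--live` mode and the `fstat` invocation assume a NetBSD host.

```python
"""Count per-process descriptors in fstat(1) output and flag processes whose
descriptor numbers have grown past FD_SETSIZE.

Added example for the thread above, not code from the original post. The
sample lines are constructed to follow the fstat column layout quoted in the
mail (USER CMD PID FD TYPE ...), including the "crypto" entries that appear
when a process holds many /dev/crypto sessions.
"""
import re

FD_SETSIZE = 256   # default that PHP's stream_select() warning refers to

# Constructed fstat(1) sample: one httpd worker with a run of crypto
# descriptors (numbers above 256 are what trips select(2)-based code) and
# one unrelated sshd process for contrast.
SAMPLE_FSTAT = """\
USER     CMD          PID   FD MOUNT       INUM MODE         SZ|DV R/W
apache   httpd       5661   wd /              2 drwxr-xr-x     512 r
apache   httpd       5661    0 /dev           8 crw-rw-rw-    null r
apache   httpd       5661    3* internet stream tcp *:80
apache   httpd       5661  229* crypto 0xfe83c27af9d8
apache   httpd       5661  230* crypto 0xfe83c27af930
apache   httpd       5661  231* crypto 0xfe83c27af888
apache   httpd       5661  269* crypto 0xfe83c27af7e0
root     sshd        1234    0 /dev           8 crw-rw-rw-    null r
root     sshd        1234    5* crypto 0xfe83c27a0000
"""

# USER CMD PID FD[*] TYPE ...  ('*' marks non-file descriptors like sockets)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\w+)\*?\s+(\S+)")


def parse_fstat(text):
    """Yield (user, cmd, pid, fd, ftype) per descriptor line; fd is an int,
    or the name fstat uses for special entries (wd, root, tr)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or line.startswith("USER"):
            continue
        user, cmd, pid, fd, ftype = m.groups()
        yield user, cmd, int(pid), (int(fd) if fd.isdigit() else fd), ftype


def summarize(text, fd_setsize=FD_SETSIZE):
    """Per pid: numbered fds, crypto fds, highest fd number, and whether a
    select(2)-based caller (PHP's stream_select) would hit the FD_SETSIZE
    error the thread quotes."""
    stats = {}
    for user, cmd, pid, fd, ftype in parse_fstat(text):
        s = stats.setdefault(pid, {"user": user, "cmd": cmd, "total": 0,
                                   "crypto": 0, "max_fd": -1})
        if not isinstance(fd, int):
            continue                      # wd/root entries are not descriptors
        s["total"] += 1
        s["max_fd"] = max(s["max_fd"], fd)
        if ftype == "crypto":
            s["crypto"] += 1
    for s in stats.values():
        s["over_fd_setsize"] = s["max_fd"] >= fd_setsize
    return stats


def crypto_heavy(stats, min_crypto=100):
    """Pids holding a suspicious number of crypto descriptors (200+ per
    httpd process in the thread)."""
    return sorted(pid for pid, s in stats.items() if s["crypto"] >= min_crypto)


if __name__ == "__main__":
    import subprocess
    import sys
    # With --live, analyse real fstat output (run as root on NetBSD);
    # otherwise use the constructed sample above.
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        text = subprocess.run(["fstat"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_FSTAT
    stats = summarize(text)
    for pid, s in sorted(stats.items()):
        print(f"{s['cmd']:8} pid {pid:6} fds={s['total']:4} "
              f"crypto={s['crypto']:4} max_fd={s['max_fd']:4} "
              f"over_FD_SETSIZE={s['over_fd_setsize']}")
    print("crypto-heavy pids:", crypto_heavy(stats))
```

Run periodically, the per-pid crypto count is the metric to watch; in the thread it only dropped back to normal after access to /dev/crypto was removed.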



Autoconfig message time stamps in 9.0

2020-02-24 Thread Frank Wille
Hi,

I might have missed a discussion about it, but what exactly was the reason
to always have the time stamps on screen when booting a kernel? Is it such
an important feature for everybody? When would I need that?

-- 
Frank Wille



Re: Accessing a RAID disk attached externally via USB

2019-07-10 Thread Frank Wille
Malcolm Herbert wrote:

>On Tue, Jul 09, 2019 at 08:39:11PM -0400, Greg Troxel wrote:
>|I am assuming that this is raidframe and the original system is NetBSD.

Yes. RAID disk from a NetBSD/sandpoint NAS (Synology DS209J) and my
analysis system is a NetBSD/macppc iBook G4. So more or less the same
architecture.


>|If you have raid autoconfig enabled, I'd expect the raid set to just
>|appear, similar to how I would expect the original setup worked.
>
>a note of caution on this however - I have had experience with
>a external device and both my internal drive(s) using raidframe
>autoconfigure ... during boot one or other will be remapped to different
>raidN ID ...

Yes. That's what I remembered too. Letting the RAID disk autoconfigure
on a second system might modify it and cause trouble when I try to put
it back into its original place.

So I really want to avoid any write-operation to it. And I made sure that
the kernel on my iBook has no RAID_AUTOCONFIG enabled.


>|The raid header is 64 blocks, so a wedge that is like sd0a but starts
>|64 sectors later and ends in the same place should function like
>|raid0d. Then of course you may have a disklabel or gpt inside the raid.
>
>this seems the safest way ...

Indeed. As Martin already told me in a private mail there is scan_ffs(8)
to find the start sector and size of the partition. Then I had to create
a wedge for it with dkctl(8).

Unfortunately, The Sleuth Kit's fls tool cannot deal with dk(4) devices.
It tells me that it cannot access anything in it, because the size is 0. :(

Seems I have to write an image of that partition somewhere...

-- 
Frank Wille
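The wedge approach quoted above (skip the 64-sector RAIDframe header of the component partition, keep the same end) and the "no write operation" requirement can be checked without touching the disk. The following is an added example, not code from the original posts: it derives the dkctl(8) wedge parameters from the partition's start and size, then verifies read-only that an FFS superblock actually sits at the wedge start. Assumptions: 512-byte sectors, the 64-sector header size stated in the thread, and the UFS1/UFS2 superblock offsets and magic numbers of the FFS on-disk format; the device path and the sample image are constructed.

```python
"""Read-only access to an FFS filesystem inside a RAIDframe component.

Added example for the thread above, not code from the original posts.
It (1) turns the disklabel partition holding the RAID component (sd0a in
the thread) into dkctl(8) wedge parameters that skip the 64-sector
RAIDframe header, and (2) verifies that an FFS superblock really sits
there, reading only. Assumptions: 512-byte sectors, the 64-sector header
size stated in the thread, and the UFS1/UFS2 superblock offsets and
magic numbers of the FFS on-disk format. Device path and the sample
image below are constructed for illustration.
"""
import os
import struct

SECTOR = 512
RF_HEADER_SECTORS = 64            # RAIDframe component label, per the thread
SBLOCK_UFS1 = 8192                # superblock byte offset inside the fs (UFS1)
SBLOCK_UFS2 = 65536               # superblock byte offset inside the fs (UFS2)
FS_MAGIC_OFF = 1372               # offset of fs_magic within struct fs
FS_UFS1_MAGIC = 0x011954
FS_UFS2_MAGIC = 0x19540119


def wedge_for_raid_component(part_start, part_size):
    """Wedge (start, size) in sectors covering the same blocks raid0d
    would: the partition minus its RAIDframe header."""
    if part_size <= RF_HEADER_SECTORS:
        raise ValueError("partition too small to hold a RAIDframe header")
    return part_start + RF_HEADER_SECTORS, part_size - RF_HEADER_SECTORS


def dkctl_command(disk, name, part_start, part_size, ptype="ffs"):
    """The dkctl(8) invocation that creates that wedge; the new dkN device
    is what fls or mount -o ro would then be pointed at."""
    start, size = wedge_for_raid_component(part_start, part_size)
    return f"dkctl {disk} addwedge {name} {start} {size} {ptype}"


def probe_ffs(read_at, wedge_start):
    """Identify an FFS superblock at the wedge start via read_at(offset, n).

    Checks the UFS2 location first, then UFS1, in both byte orders: the
    component in the thread comes from a big-endian sandpoint NAS.
    Returns (level, byteorder) or None."""
    for level, sboff, want in (("UFS2", SBLOCK_UFS2, FS_UFS2_MAGIC),
                               ("UFS1", SBLOCK_UFS1, FS_UFS1_MAGIC)):
        raw = read_at(wedge_start * SECTOR + sboff + FS_MAGIC_OFF, 4)
        if len(raw) != 4:
            continue
        for fmt, order in ((">I", "big"), ("<I", "little")):
            if struct.unpack(fmt, raw)[0] == want:
                return level, order
    return None


def probe_device(path, wedge_start):
    """Same check against a raw device opened strictly read-only
    (O_RDONLY), e.g. /dev/rsd0d, so nothing on the component changes."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return probe_ffs(lambda off, n: os.pread(fd, n, off), wedge_start)
    finally:
        os.close(fd)


def build_sample_image(part_start):
    """Constructed disk image: zeroed RAIDframe header followed by a
    big-endian UFS2 superblock magic where the filesystem would begin."""
    fs_byte = (part_start + RF_HEADER_SECTORS) * SECTOR
    magic_at = fs_byte + SBLOCK_UFS2 + FS_MAGIC_OFF
    img = bytearray(magic_at + 4)
    img[magic_at:magic_at + 4] = struct.pack(">I", FS_UFS2_MAGIC)
    return bytes(img)


def demo(part_start=63, part_size=1_000_000):
    """Whole procedure against the constructed image: returns the dkctl
    command and the superblock probe result."""
    cmd = dkctl_command("sd0", "raidfs", part_start, part_size)
    image = build_sample_image(part_start)
    wedge_start, _ = wedge_for_raid_component(part_start, part_size)
    found = probe_ffs(lambda off, n: image[off:off + n], wedge_start)
    return cmd, found


if __name__ == "__main__":
    cmd, found = demo()
    print(cmd)
    print("superblock:", found)
```

On a real disk, take part_start and part_size from `disklabel sd0` for the RAID partition and run `probe_device("/dev/rsd0d", wedge_start)` before creating the wedge; a `None` result means the offset is wrong and scan_ffs(8) is the next step.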


Accessing a RAID disk attached externally via USB

2019-07-09 Thread Frank Wille
Hi,

I'm trying to save some data from a RAID system. I removed one disk from the
RAID1 and attached it via a SATA USB adapter to my workstation, where I
have the required analysis tools.

It appears as sd0 with a RAID partition in sd0a. How can I access an FFS
partition inside the RAID without changing anything on that RAID disk?

-- 
Frank Wille



Re: Recover deleted FFS files

2019-07-08 Thread Frank Wille
Michael van Elst wrote:

> https://lists.freebsd.org/pipermail/freebsd-questions/2016-May/271785.html
> has a list of tools that may help to recover data.

Thanks. I already discovered The Sleuth Kit as a possible solution.
Looks like a lot of work, when I have to recover hundreds of files.

-- 
Frank Wille


Recover deleted FFS files

2019-07-07 Thread Frank Wille
Hi,

I found surprisingly little about the topic of undeleting files. Let's assume I
have an FFSv2 WAPBL filesystem and made the big mistake of deleting a whole
directory with important data (simple "rm -rf", no -P).
What options do I have for recovery?

-- 
Frank Wille



Re: Horde Webmailer

2019-01-10 Thread Frank Wille
Niels Dettenbach wrote:

> Horde is a very (!) powerful PIM /
> Groupware suite - installing it as an "webmailer" only may be a bit
> over for someone. 

We are absolutely interested in the other groupware features, but webmailer
was the core feature which should work.

For example, it would be great to use the calendar and the CalDAV server. I
only have to find out how to import data into Horde's CalDAV from an
external source, as we already have an external database with calendar
events for all employees, which is used by a VBA application.


> It seems you want to use your IMAP server for auth to Horde and for
> email - then you have to configure Horde to use IMAP / IMP for auth and
> in IMP to use the Horde credentials

Indeed. Thanks.


>> - I can read and send IMAP mail, but I cannot really delete it. It
>>   remains in the list with trashcan in front of it. Probably a
>>   feature?
> You have to expunge the deleted mails after deleting

I didn't see the expunge function before yesterday. It's a little bit
hidden. Ok, works.


Thanks for all!

-- 
Frank Wille



Re: Horde Webmailer

2019-01-08 Thread Frank Wille
On Mon, 07 Jan 2019 11:20:11 +0100
Niels Dettenbach wrote:

> https://www.horde.org/apps/horde/docs/INSTALL#installing-into-separate-pear
> 
> which did not use any console installer.

Except horde-db-migrate. But fortunately this worked over the console.

Ok, after lots of trials and strange errors (web pages missing styles,
couldn't log in anymore because database tables were missing, I only found
a way to disable the auto-administrator login by luck, etc.) the Horde
system started working ... more or less.

Thanks a lot for your help. I would have probably given up. And I cannot
recommend this installation to anyone. :P


Some problems I still have to fix:

- I can log in with my IMAP users, but I have to do it twice. First for
  Horde and then for IMP (webmail). Even when I try to open the IMP
  application directly from the browser. (path: webmail/imp/ ).

- Selected language in the login request is ignored.

- I can read and send IMAP mail, but I cannot really delete it. It remains
  in the list with trashcan in front of it. Probably a feature?

Any hints appreciated, but maybe I will find out over the next days...
Thanks.

-- 
Frank Wille


Re: Horde Webmailer

2019-01-04 Thread Frank Wille
 can optionally use PHP extension "sockets"
horde/Horde_Date can optionally use PHP extension "calendar"
horde/Horde_Mime can optionally use package "pecl/idn"
horde/Horde_Rpc can optionally use PHP extension "soap"
horde/Horde_Rpc can optionally use PHP extension "xmlrpc"
horde/Horde_Serialize can optionally use PHP extension "bz2"
horde/Horde_Serialize can optionally use PHP extension "wddx"
horde/Horde_Text_Filter can optionally use PHP extension "tidy"
horde/Horde_Util can optionally use PHP extension "intl"
horde/Horde_Vfs can optionally use PHP extension "ftp"
pear/Services_Weather can optionally use package "pear/SOAP" (version >= 0.7.5)
pear/Services_Weather can optionally use package "pear/XML_Serializer" (version >= 0.8)
horde/Horde_Db can optionally use PHP extension "oci8"
horde/Horde_Db can optionally use PHP extension "PDO"
pear/Console_Table can optionally use package "pear/Console_Color2" (version >= 0.1.2)
horde/Horde_Imap_Client can optionally use PHP extension "intl"
horde/Horde_Cache can optionally use PHP extension "eaccelerator" (version >= 0.9.5, version <= 0.9.6, excluded versions: 0.9.6)
horde/Horde_Cache can optionally use PHP extension "xcache"
horde/Horde_HashTable can optionally use package "channel://pear.nrk.io/Predis" (version >= 0.8.3)
horde/Horde_Kolab_Storage can optionally use PHP extension "imap"
pear/Text_CAPTCHA can optionally use package "pear/Numbers_Words"
pear/Text_CAPTCHA can optionally use package "pear/Image_Text" (version >= 0.7.0)
pecl/pecl_http requires PHP (version >= 7.0.0), installed version is 5.6.36
horde/Horde_Idna can optionally use PHP extension "intl"
pecl/xdiff requires PHP (version >= 7.0.0), installed version is 5.6.36
pear/Net_FTP requires PHP extension "ftp"
[...]

Installing skipped beta- and alpha-versions:

# /var/www/vhosts/www.my.domain/webmail/pear/pecl -c /var/www/vhosts/www.my.domain/webmail/pear.conf install -a -B channel://pecl.php.net/sasl-0.1.0
# /var/www/vhosts/www.my.domain/webmail/pear/pear -c /var/www/vhosts/www.my.domain/webmail/pear.conf install -a -B channel://pear.horde.org/Horde_Backup-1.0.0RC1
horde/horde_core requires package "horde/Horde_Backup" (version >= 1.0.0, version <= 2.0.0alpha1, excluded versions: 2.0.0alpha1), downloaded version is 1.0.0RC1
horde/Horde_Backup cannot be installed, conflicts with installed packages
# /var/www/vhosts/www.my.domain/webmail/pear/pear -c /var/www/vhosts/www.my.domain/webmail/pear.conf install -a -B -n channel://pear.horde.org/Horde_Backup-1.0.0RC1
# /var/www/vhosts/www.my.domain/webmail/pear/pear -c /var/www/vhosts/www.my.domain/webmail/pear.conf install -a -B channel://pecl.php.net/idn-0.2.0
# /var/www/vhosts/www.my.domain/webmail/pear/pear -c /var/www/vhosts/www.my.domain/webmail/pear.conf install -a -B channel://pear.php.net/SOAP-0.14.0
# /var/www/vhosts/www.my.domain/webmail/pear/pear -c /var/www/vhosts/www.my.domain/webmail/pear.conf install -a -B channel://pear.php.net/XML_Serializer-0.21.0
# /var/www/vhosts/www.my.domain/webmail/pear/pear -c /var/www/vhosts/www.my.domain/webmail/pear.conf install -a -B channel://pear.php.net/Console_Color2-0.1.2
# /var/www/vhosts/www.my.domain/webmail/pear/pear -c /var/www/vhosts/www.my.domain/webmail/pear.conf install -a -B channel://pear.php.net/Numbers_Words-0.18.2
# /var/www/vhosts/www.my.domain/webmail/pear/pear -c /var/www/vhosts/www.my.domain/webmail/pear.conf install -a -B channel://pear.php.net/Image_Text-0.7.0

At this point webmail/test.php works. Now installing the webmail package:

# /var/www/vhosts/www.my.domain/webmail/pear/pear -c /var/www/vhosts/www.my.domain/webmail/pear.conf install -a -B horde/webmail
Unknown remote channel: phpseclib.sourceforge.net
WARNING: "pear/Net_Sieve" is deprecated in favor of "horde/Horde_ManageSieve"
Failed to download pear/Date_Holidays within preferred state "stable", latest release is version 0.21.8, stability "alpha", use "channel://pear.php.net/Date_Holidays-0.21.8" to install
WARNING: "pear/Auth_SASL" is deprecated in favor of "pear/Auth_SASL2"
horde/imp can optionally use package "channel://phpseclib.sourceforge.net/File_ASN1"
horde/kronolith can optionally use package "pear/Date_Holidays" (version >= 0.21.0, version <= 1.0.0alpha1, excluded versions: 1.0.0alpha1)
[...]

Finally fixing ownership for Apache and trying to run webmail-install:

# export PHP_PEAR_SYSCONF_DIR=/var/www/vhosts/www.my.domain/webmail
# chown -R apache:_httpd /var/www/vhosts/www.my.domain/webmail
# /var/www/vhosts/www.my.domain/webmail/pear/webmail-install

Which fails because of missing Horde_Bundle class... :|

-- 
Frank Wille


Re: Horde Webmailer

2019-01-04 Thread Frank Wille
Niels Dettenbach wrote:

> you talk about Horde <= 3 - now is Horde 5, which uses/requires his
> own, pear based installation environment and is not in pkgsrc.

Ok. I was already confused that you suggested reinstalling www/horde from
pkgsrc instead of using pear, yesterday. pkgsrc has been at 3.3.13 for six
years. Looks abandoned.

So I will try an installation into a separate directory with pear and all
the horde/horde packages, and report back.

-- 
Frank Wille



Re: Horde Webmailer

2019-01-03 Thread Frank Wille
On Thu, 03 Jan 2019 14:35:19 +0100
Niels Dettenbach wrote:

> i would recommend to install the whole Horde 5 (horde/horde) and then
> (globally) "disable" unwanted Horde apps in admin. 
> 
> I had the effect that installations of Horde by pear (the official way as
> in INSTALL) was "broken" if not.

As you wrote that the pear installation might be broken, you're probably referring
to www/horde from pkgsrc as an alternative?

I already wondered if this could be an easier way to make it work, but from
the DESCR I am not sure what this "Framework" really installs and what would
still be missing when I want webmail.

And do I have to uninstall all currently present Horde packages, before
installing everything from Horde 5? Is there an easy way to uninstall
multiple packages with pear (like uninstall dependencies as well)?


> Visit any warnings in the pear install output about resources to install
> possibly by hand.

Indeed, yesterday I noticed during installation that there were warnings
and/or errors, although pear reported "install ok" in the last line. I had
to add php-ldap and php-gettext from pkgsrc, for example.
I really don't like pear. I would expect it to halt on such a problem. :|


> Did you had runned the included "test.php" (by webserver) and checked the
> required environment before config?

Yes. Same problem. The browser shows:

A fatal error has occurred
Class 'Horde_Exception' not found
Details have been logged for the administrator.

It wouldn't surprise me if not a single Horde class works, but Horde_Exception
is just the first class referenced.


> i use i.e. (pear instance in "separated" directory - this is untested from
> mind!):
> [...]

I would prefer to make the global installation in /usr/pkg/lib/php. But I
might try that for testing purposes.

Thanks for your help!

-- 
Frank Wille


Horde Webmailer

2019-01-03 Thread Frank Wille
Hi,

did anybody successfully install the Horde Webmailer
  https://www.horde.org/apps/webmail
under NetBSD?

I'm running GENERIC 8.0 with PHP 5.6.36, MySQL 5.6.39 and Apache 2.4.33
installed from pkgsrc 2018Q2. Typo3 works fine, so this configuration
cannot be too bad.

I installed the Horde Webmailer like this:

# pear channel-update pear.php.net
# pear install Date
# pear channel-discover pear.horde.org
# mkdir /var/www/vhosts/my.domain.name/webmail
# chown apache:_httpd /var/www/vhosts/my.domain.name/webmail
# pear install horde/horde_role
# pear run-scripts horde/horde_role
(Here I enter /var/www/vhosts/my.domain.name/webmail as installation
directory.)
# pear install -a -B horde/webmail


Now everything is installed and I have to run "webmail-install" to finish
it. Unfortunately I'm running into an error here, which I cannot solve:

---8<---
# webmail-install 
Installing Horde Groupware Webmail Edition
PHP Fatal error:  Class 'Horde_Exception' not found in
/usr/pkg/lib/php/Horde/Exception/Wrapped.php on line 15
Fatal error: Class 'Horde_Exception' not found in
/usr/pkg/lib/php/Horde/Exception/Wrapped.php on line 15
Jan  3 12:32:41 nerthus HORDE: Class 'Horde_Exception' not found [pid 4284
on line 15 of "/usr/pkg/lib/php/Horde/Exception/Wrapped.php"]
  
  Fatal Error:
  Class 'Horde_Exception' not found   
  In /usr/pkg/lib/php/Horde/Exception/Wrapped.php on line 15  
  
  1. Horde_ErrorHandler::catchFatalError()
8<---

But Horde_Exception definitely exists, and is installed:

# ls -d /usr/pkg/lib/php/Horde/Exception*
/usr/pkg/lib/php/Horde/Exception
/usr/pkg/lib/php/Horde/Exception.php
# pear list -c horde | grep Exception
Horde_Exception  2.0.8   stable

I didn't find anything about this problem on the Web. Maybe NetBSD is
missing a path? Although the include_path in php.ini is correct, of course:
; UNIX: "/path1:/path2"
include_path = ".:/usr/pkg/lib/php"

Any idea how to debug a PHP program missing a class?
Thanks in advance!

-- 
Frank Wille



ipnat redirect to external address

2018-11-03 Thread Frank Wille
Hi,

I have the following problem:

There are two networks, 192.168.0.0/24 and 192.168.1.0/24. And we have a
mail server running at a public address A.B.C.D, which only accepts mail
via port 587 from 192.168.0.0/24.

The 192.168.1 network is attached via VPN to 192.168.0 and would connect to
the mail server A.B.C.D via the public internet, which we do not allow for
port 587.

Now I'm trying to use a machine in the 192.168.0 net to forward smtp
connections from the 192.168.1 net. So I have enabled ipnat on 192.168.0.2
with the following rule (re0 is 192.168.0.2):

rdr re0 0/0 port 5587 -> A.B.C.D port 587 tcp

Testing the connection with "telnet 192.168.0.2 5587" from 192.168.1.220
immediately terminates with "Connection refused", although it works when
doing "telnet A.B.C.D 587" on 192.168.0.2.

ipnat -l shows the active session, though:

List of active MAP/Redirect filters:
rdr re0 0/0 port 5587 -> A.B.C.D/32 port 587 tcp
List of active sessions:
RDR A.B.C.D587   <- -> 192.168.0.2 5587  [192.168.1.220 59966]

I guess that "rdr" only works in the same network? When trying to redirect
to a machine in the 192.168.0-net, instead of an external IP-address, it
connects.

Is there any way to accomplish that? What can I do?
Thanks in advance.

-- 
Frank Wille



Re: Extremely poor disk performance on ProLiant DL360 G5 RAID

2018-07-28 Thread Frank Wille
Hi,

I just wanted to confirm that a write-cache battery for the P400i RAID is
indeed the solution (although it was expensive, with 130 Euro). Write speed
is 100 times faster now, and is in the expected range.

Thanks for the hint!

-- 
Frank Wille



Re: Extremely poor disk performance on ProLiant DL360 G5 RAID

2018-07-23 Thread Frank Wille
On Fri, 20 Jul 2018
mlel...@serpens.de wrote:

> Write operations on these servers have always been slow if the RAID
> controller doesn't have a working battery backup unit (BBU).

Good to know! Thanks.

Which means, as soon as I install such a BBU, the write-operations would
magically and immediately become fast?

If only such a BBU wouldn't be so hard to find... :|

Is there no hack to simulate the presence of a BBU?

-- 
Frank Wille


Re: Extremely poor disk performance on ProLiant DL360 G5 RAID

2018-07-23 Thread Frank Wille
On Thu, 19 Jul 2018 14:26:38 +
m...@netbsd.org wrote:

> On Thu, Jul 19, 2018 at 12:03:29PM +0200, Frank Wille wrote:
> > ...and two 550 GB SAS RAID-1 disks, configured via the BIOS and appearing
> > as a single SCSI disk:
> > ciss0 at pci7 dev 0 function 0: HP Smart Array 3
> > ciss0: interrupting at ioapic0 pin 16
> > ciss0: 1 LD, HW rev 3, FW 5.20/5.20, 64bit fifo
> > scsibus0 at ciss0: 1 target, 1 lun per target
> 
> This might be relevant:
> https://v4.freshbsd.org/commit/netbsd/src/a5QCd7STkggvNCqA

Ok, I have built a new kernel with "options CISS_NO_INTERRUPT_HACK", but
as expected that only makes things worse.

Benchmark of extracting the 8.0 base.tgz set, with the original GENERIC
kernel:
  149.79 real 1.74 user 2.23 sys

And with a CISS_NO_INTERRUPT_HACK kernel:
  277.11 real 1.52 user 2.11 sys

For comparison, the old server (Supermicro PDSM4+) with Adaptec RAID,
Xeon 2.13 GHz, running NetBSD 6.1.5:

aac0 at pci5 dev 14 function 0: Adaptec RAID 3405
aac0: interrupting at ioapic0 pin 18
aac0: Enabling 64-bit address support
aac0: Enable 64-bit array support
aac0: New comm. interface enabled
aac0: XScale 80321 at 500MHz, 128MB mem (111MB cache), optional battery not 
installed
aac0: Kernel 5.2-0 [Build 15323], Monitor 5.2-0 [Build 15323], S/N 12CB1D
aac0: Controller supports: 
0x7f1d7d
ld0 at aac0 unit 0: RAID 1 (Mirror)
ld0: 464 GB, 60700 cyl, 255 head, 63 sec, 512 bytes/sect x 975155200 sectors
ppb5 at pci4 dev 0 function 2: Intel IOP333 PCI Express-to-PCI Bridge #1 (rev. 
0x00)

Same base.tgz extraction:
real    0m2.854s
user    0m1.545s
sys     0m1.265s

That's less than 3 seconds, compared to 150!

-- 
Frank Wille


Re: Extremely poor disk performance on ProLiant DL360 G5 RAID

2018-07-20 Thread Frank Wille
On Thu, 19 Jul 2018 14:26:38 +
m...@netbsd.org wrote:

> > ciss0 at pci7 dev 0 function 0: HP Smart Array 3
> > ciss0: interrupting at ioapic0 pin 16
> > ciss0: 1 LD, HW rev 3, FW 5.20/5.20, 64bit fifo
> > scsibus0 at ciss0: 1 target, 1 lun per target
> 
> This might be relevant:
> https://v4.freshbsd.org/commit/netbsd/src/a5QCd7STkggvNCqA

Hmm... I'm not sure. Looks like this is intended for XEN. Perhaps because
there is a problem with interrupts. I doubt that relying on polling via
callout(9) is much better than interrupts, which seem to be working here.

But I'll try that and report back! Thanks.

-- 
Frank Wille


Extremely poor disk performance on ProLiant DL360 G5 RAID

2018-07-19 Thread Frank Wille
Hi,

I'm currently setting up an HP ProLiant DL360 G5 with NetBSD/amd64 8.0RC2.
It has 16GB RAM...
NetBSD 8.0_RC2 (GENERIC) #0: Tue Jul  3 07:13:41 UTC 2018
mkre...@mkrepro.netbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
total memory = 16381 MB
avail memory = 15883 MB

...Xeon 5160 3GHz (2 cores with hyperthreading, I guess)
cpu0 at mainbus0 apid 0
cpu0: Intel(R) Xeon(R) CPU5160  @ 3.00GHz, id 0x6f6
cpu0: package 0, core 0, smt 0
cpu1 at mainbus0 apid 6
cpu1: Intel(R) Xeon(R) CPU5160  @ 3.00GHz, id 0x6f6
cpu1: package 3, core 0, smt 0
cpu2 at mainbus0 apid 1
cpu2: Intel(R) Xeon(R) CPU5160  @ 3.00GHz, id 0x6f6
cpu2: package 0, core 1, smt 0
cpu3 at mainbus0 apid 7
cpu3: Intel(R) Xeon(R) CPU5160  @ 3.00GHz, id 0x6f6
cpu3: package 3, core 1, smt 0

...and two 550 GB SAS RAID-1 disks, configured via the BIOS and appearing
as a single SCSI disk:
ciss0 at pci7 dev 0 function 0: HP Smart Array 3
ciss0: interrupting at ioapic0 pin 16
ciss0: 1 LD, HW rev 3, FW 5.20/5.20, 64bit fifo
scsibus0 at ciss0: 1 target, 1 lun per target
[...]
sd0 at scsibus0 target 0 lun 0:  disk fixed
sd0: 558 GB, 65535 cyl, 255 head, 70 sec, 512 bytes/sect x 1172058032 sectors
sd0: async, 8-bit transfers, tagged queueing

I'm wondering about the extremely slow disk performance while extracting
several pkgsrc archives. Especially the boost-jam (40 minutes) and
boost-headers (35 minutes) archives take annoyingly long.

The system is still in a freshly installed state with only default services
running. The load is constantly 1.00 while extracting, but I don't see
where the processing power is lost. bzcat and tar only use around 8%.

load averages:  1.00,  1.00,  0.92;   up 5+21:35:12   11:37:06
32 processes: 30 sleeping, 2 on CPU
CPU states:  2.4% user,  0.0% nice,  0.2% system,  0.0% interrupt, 97.2% idle
Memory: 4622M Act, 212M Inact, 276K Wired, 14M Exec, 4795M File, 9833M Free
Swap: 16G Total, 16G Free

  PID USERNAME PRI NICE   SIZE   RES STATE      TIME   WCPU    CPU COMMAND
16121 root      85    0    14M 4400K pipe_w/2   0:05  5.32%  5.32% bzcat
 9938 root      85    0    10M 1220K biowai/0   0:06  2.83%  2.83% tar
    0 root       0    0     0K  102M CPU/3     24:25  0.00%  0.00% [system]
 6716 frank     85    0    82M 4888K select/1   0:06  0.00%  0.00% sshd
  571 root      85    0    48M 2420K kqueue/3   0:01  0.00%  0.00% master
[...]

No interrupt storm either:

interrupt                 total     rate
TLB shootdown           5945470       11
cpu0 timer             51075258       99
ioapic0 pin 1              1643        0
ioapic0 pin 16          3277090        6
ioapic0 pin 18          6109904       11
ioapic0 pin 22               48        0
ioapic0 pin 14               12        0
Total                  66409425      129

Does anybody know why the disk operations on this server are so slow?
What can I check?

-- 
Frank Wille


Re: mount_smbfs permission denied

2018-06-22 Thread Frank Wille
On Tue, 2 May 2017 14:23:42 +0200
Frank Wille wrote:

> Now I tested several dozen of servers in our network and mount_smbfs
> works everywhere, except on two! Both are Active Domain Controllers
> (one Server2003, the one I want to connect to, and the other Server2008).
> 
> I can create new shares there with access rights for everybody, but still
> no chance to mount them!
> 
> Is there a known problem with such servers?

Finally I found the problem: our domain controllers had SMB Server Packet
Signing enabled (which mount_smbfs(8) does not support):

https://www.rootusers.com/configure-smb-signing-via-group-policy/

Disabling the signing finally let me mount the shares.

-- 
Frank Wille


Reason for Ierrs in netstat

2018-02-22 Thread Frank Wille
Hi,

one of our servers has some network issues. Symptoms are: Bad ping (twice
as high as comparable machines on the same net), packet loss and increasing
number of Ierrs in "netstat -i".

Is there any chance I can find out the reason behind those Ierrs?


I rebooted the system a few hours ago, and there are some Ierrs again
already:

tethys# netstat -i
Name  Mtu   Network   Address  Ipkts IerrsOpkts Oerrs Colls
wm0   1500  00:30:48:xx:xx:xx  2385235   714  1996966 0 0
[...]


Some more information (the system is running NetBSD/amd64 6.1.5):

wm0 at pci7 dev 0 function 0: Intel i82573E IAMT (rev. 0x03)
wm0: interrupting at ioapic0 pin 16
wm0: PCI-Express bus
wm0: 256 word (8 address bits) SPI EEPROM
wm0: Ethernet address 00:30:48:xx:xx:xx
makphy0 at wm0 phy 1: Marvell 88E Gigabit PHY, rev. 2


wm0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500

capabilities=7ff80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx,TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Rx,TCP6CSUM_Tx,UDP6CSUM_Rx,UDP6CSUM_Tx,TSO6>

enabled=3f80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx,TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx>
address: 00:30:48:xx:xx:xx
media: Ethernet autoselect (100baseTX 
full-duplex,flowcontrol,rxpause,txpause)
status: active
inet 212.62.xx.xx netmask 0xfff8 broadcast 212.62.xx.xx
inet6 fe80::230:48ff::%wm0 prefixlen 64 scopeid 0x1

-- 
Frank Wille


Re: uts(4) touchscreen calibration

2017-09-15 Thread Frank Wille
On Fri, 15 Sep 2017 23:28:23 +1000
Nathanial Sloss <n...@netbsd.org> wrote:

> ftp://ftp.netbsd.org/pub/NetBSD/misc/nat/mousepacketsniffer.c

Great! That's what I needed. Thanks a lot! Will try it on Monday.

I assume that the wmouse-device to open is the one which attaches
directly to uts(4)?

-- 
Frank Wille


uts(4) touchscreen calibration

2017-09-15 Thread Frank Wille
Hi!

One year ago I successfully used uts(4) on a Raspberry-Pi with a ViewSonic
touch screen monitor. It worked perfectly after eliminating the black
borders in the RPi's config.txt.

Now we got another ViewSonic touch screen (model TD2421), which is no
longer correctly calibrated. Touching into the upper left quarter of the
display seems to move the mouse in X11 over the whole screen.

Both have a native resolution of 1920x1080. Is there any possibility to
calibrate uts(4) or wsmouse to match this monitor?

The dmesg-output of the working ViewSonic (Quanta):
---8<---
uhidev2 at uhub1 port 5 configuration 1 interface 0
uhidev2: Quanta OpticalTouchScreen, rev 1.10/2.26, addr 5, iclass 3/0
uhidev2: 18 report ids
uts0 at uhidev2 reportid 1
wsmouse0 at uts0 mux 0
uhid3 at uhidev2 reportid 2: input=0, output=0, feature=1
uhid4 at uhidev2 reportid 3: input=0, output=0, feature=71
uhid5 at uhidev2 reportid 4: input=0, output=0, feature=1023
uhid6 at uhidev2 reportid 5: input=0, output=0, feature=11
uhid7 at uhidev2 reportid 6: input=0, output=0, feature=1023
uhid8 at uhidev2 reportid 7: input=0, output=0, feature=15
uhid9 at uhidev2 reportid 8: input=0, output=0, feature=1023
uhid10 at uhidev2 reportid 9: input=0, output=0, feature=1023
uhid11 at uhidev2 reportid 10: input=0, output=0, feature=63
uhid12 at uhidev2 reportid 11: input=0, output=0, feature=1023
uhid13 at uhidev2 reportid 12: input=0, output=0, feature=2
ums0 at uhidev2 reportid 13: 2 buttons
wsmouse1 at ums0 mux 0
uhid14 at uhidev2 reportid 14: input=0, output=0, feature=963
uhid15 at uhidev2 reportid 15: input=0, output=0, feature=1023
uhid16 at uhidev2 reportid 16: input=0, output=0, feature=899
uhid17 at uhidev2 reportid 17: input=0, output=0, feature=147
uhid18 at uhidev2 reportid 18: input=0, output=0, feature=1023
---8<---

And the dmesg-output of the bad ViewSonic:
---8<---
uhidev3 at uhub2 port 3 configuration 1 interface 0
uhidev3: Wistron Corporation Optical Touch Screen, rev 1.10/20.37, addr 7, 
iclass 3/0
uhidev3: 13 report ids
uts0 at uhidev3 reportid 1
wsmouse1 at uts0 mux 0
uhid2 at uhidev3 reportid 2: input=0, output=0, feature=2
uhid3 at uhidev3 reportid 7: input=62, output=62, feature=62
uhid4 at uhidev3 reportid 8: input=0, output=0, feature=1
ums1 at uhidev3 reportid 13: 2 buttons
wsmouse2 at ums1 mux 0
---8<---

(Strange that it doesn't list all of the 13 report ids.)

-- 
Frank Wille


Re: mount_smbfs permission denied

2017-05-02 Thread Frank Wille
On Wed, 26 Apr 2017 16:56:10 +0200
Frank Wille <fr...@phoenix.owl.de> wrote:

> The same doesn't work with mount_smbfs, or am I missing something?
> 
> tethys# mount_smbfs -I 192.168.0.251 -W WPSD 
> //administrator@wps-terminal/Allgemeines /mnt
> Password:
> mount_smbfs: unable to open connection: syserr = Permission denied
> mount_smbfs: lookup 13: Permission denied
> [...]

Now I tested several dozen servers in our network and mount_smbfs
works everywhere, except on two! Both are Active Domain Controllers
(one Server2003, the one I want to connect to, and the other Server2008).

I can create new shares there with access rights for everybody, but still
no chance to mount them!

Is there a known problem with such servers?

-- 
Frank Wille


mount_smbfs permission denied

2017-04-26 Thread Frank Wille
Hi,

I am trying to mount a SMB share from a Windows 2003 Server. It works with
smbclient, but not with mount_smbfs.

Samba 3.6.22 smbclient from pkgsrc:

tethys# smbclient -I 192.168.0.251 -W WPSD -U administrator 
//wps-terminal/Allgemeines
WARNING: The security=share option is deprecated
Enter administrator's password:
Domain=[WPSD] OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows 
Server 2003 R2 5.2]
smb: \>

The same doesn't work with mount_smbfs, or am I missing something?

tethys# mount_smbfs -I 192.168.0.251 -W WPSD 
//administrator@wps-terminal/Allgemeines /mnt
Password:
mount_smbfs: unable to open connection: syserr = Permission denied
mount_smbfs: lookup 13: Permission denied

A wrong password would result in...
mount_smbfs: unable to open connection: syserr = Authentication error
mount_smbfs: lookup 80: Authentication error
...so I assume it gets connected, but why is the permission denied?

WPSD is an Active Directory Domain, not a workgroup. Is that a problem?
I tried mount_smbfs on a Samba Server with a simple Workgroup and
free share access, which worked fine.

Same problem on different architectures I tried.

ktrace shows that ioctl(SMBIOC_LOOKUP) returns with 13, Permission denied.

Any help? :)

-- 
Frank Wille


Re: Want to buy Notebooks with supported WLAN chip - Recommendations?

2016-08-07 Thread Frank Wille
co...@sdf.org wrote:

> On Sun, Aug 07, 2016 at 07:53:44AM +0930, Brett Lymn wrote:
>> [...]
>> One thing which may be acceptable (and, in fact, I have been doing for
>> a while*) is to get a supported USB wireless dongle and use that.  It
>> is not ideal but you will get wireless network.

Ok, that's right. This is always the last option. I already had some success
with those tiny Edimax N150 dongles. But I was asking in the hope to find a
notebook with supported internal WLAN.

My company would then buy several of them.


> I've removed the Broadcom wifi device inside my laptop and replaced it
> with a more reasonable manufacturer's card.

Now I am interested in the model and manufacturer of your laptop (always
good to know which laptops don't whitelist) and the name of your
replacement card. :)


> not all laptops allow this, though, they may whitelist cards.

I wonder how such a practice can be legal. But I have seen that too, and you
never know beforehand.

A list with manufacturers/laptops which don't whitelist would be nice.

-- 
Frank Wille



Want to buy Notebooks with supported WLAN chip - Recommendations?

2016-08-02 Thread Frank Wille
Hi,

I'm looking for a recent Notebook which runs NetBSD. I spent a lot of time
finding out which drivers are needed for several models, and in nearly all
cases the WLAN chip is not supported.

Looking into the NetBSD-current source I hope that the new intel AC 3160
driver is partly working. Would that be an option?

Otherwise I would be happy for recommendations.

-- 
Frank Wille



Re: Automatic switching between PPP, LAN, WLAN

2016-04-05 Thread Frank Wille
Petar Bogdanovic wrote:

> I would not do any of that but rather leave both LAN and WLAN up, let
> dhcpcd do the rest and *maybe* adjust route metric parameters in
> dhcpcd.conf.

Indeed, a few days later I accepted that this is the best option. It works
very well. Thanks for the hint!

-- 
Frank Wille



EIB/KNX bus

2016-03-24 Thread Frank Wille
Hi,

is there any kind of open source eibd (EIB daemon) running on NetBSD,
to connect to an EIB/KNX bus for home automation?

Thanks in advance.

-- 
Frank Wille


Automatic switching between PPP, LAN, WLAN

2016-03-19 Thread Frank Wille
Hi,

I'm currently experimenting to find a way to make my notebook always select
the best network connection possible. The priority should be:

1. LAN
2. WLAN
3. PPP (UMTS, LTE, etc.)

With LAN and WLAN alone I can use ifwatchd(8) calling scripts for carrier
and no-carrier detected, as suggested on hubertf's blog:
  http://www.feyrer.de/NetBSD/bx/blosxom.cgi/nb_20070816_1133.html

The following example works more or less.
gem0 is my LAN, bwi0 my WLAN interface:

---8<---
#!/bin/sh
# ifwatchd(8) hook. The same script is installed under two names ending in
# "-up" and "-down", so $0 selects the event and $1 is the interface name.

case $0 in
*-up)
    # New carrier: restart dhclient on the interface that came up.
    pkill dhclient
    case $1 in
    gem*)
        # Wired link available: prefer it and shut down the WLAN supplicant.
        logger "LAN detected: stopping wpa_supplicant"
        /etc/rc.d/wpa_supplicant stop
        ;;
    esac
    /etc/rc.d/network restart
    /sbin/dhclient "$1"
    ;;
*-down)
    # Link lost: kill running ssh clients, their connections went with it.
    pkill -x ssh
    case $1 in
    gem*)
        # Wired link gone: bring the WLAN supplicant back.
        logger "LAN disconnected: starting wpa_supplicant"
        /etc/rc.d/wpa_supplicant start
        ;;
    esac
    ;;
*)
    logger "$0 $*: unknown"
    ;;
esac
logger "$0 $* done."
---8<---


With PPP as third option it is getting complicated. I have to make sure that
"/etc/rc.d/ppp start" is executed when both LAN and WLAN have lost carrier. And
"/etc/rc.d/ppp stop" must be run when one of LAN or WLAN becomes
available again. How to do that?

Has anybody already worked out a good solution?

-- 
Frank Wille



Re: Automatic switching between PPP, LAN, WLAN

2016-03-19 Thread Frank Wille
Timo Buhrmester wrote:

>> I have to make sure that "/etc/rc.d/ppp start" is executed when both,
>> LAN and WLAN lost carrier. And "/etc/rc.d/ppp stop" must be run when
>> one of LAN or WLAN is becoming available again. How to do that?
> Why not have your script keep track of - or use ifconfig to figure out
> - which interfaces have a link?

Yes, sure. I just asked to find out if there is a better solution. :)
Thanks.

-- 
Frank Wille
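
One way to implement the link check suggested above, as an added example
that is not part of the original thread: an ifwatchd(8) hook that starts ppp
only when neither the wired nor the wireless interface has carrier, and stops
it as soon as one of them comes back. The interface names gem0 and bwi0, the
rc.d script names and the IFCONFIG override are assumptions; the decision
functions are kept separate from the commands they trigger so the logic can
be exercised without touching a live system.

```shell
#!/bin/sh
# Added example (not the original poster's script): ppp as last-resort
# fallback behind LAN (gem0) and WLAN (bwi0). Interface and rc.d names are
# assumptions for this example.

WIRED="gem0"        # assumed LAN interface
WIRELESS="bwi0"     # assumed WLAN interface
# ifconfig(8) is taken from $IFCONFIG so the logic can be tested offline
# with a stand-in that prints canned output.
: "${IFCONFIG:=/sbin/ifconfig}"

# link_up IFACE: succeed when ifconfig reports "status: active" for IFACE
# (NetBSD prints "status: no carrier" when the link is down).
link_up() {
    "$IFCONFIG" "$1" 2>/dev/null | grep -q 'status: active'
}

# any_link_up IFACE...: succeed when at least one interface has carrier.
any_link_up() {
    for _if in "$@"; do
        link_up "$_if" && return 0
    done
    return 1
}

# ppp_action IFACE...: print "start" when none of the listed interfaces has
# carrier (PPP is needed), "stop" when at least one of them has.
ppp_action() {
    if any_link_up "$@"; then
        echo stop
    else
        echo start
    fi
}

# wpa_action EVENT IFACE: wpa_supplicant is stopped when the wired link
# comes up and started again when it goes down; WLAN events change nothing.
wpa_action() {
    case "$2" in
    "$WIRED")
        case "$1" in
        up)   echo stop ;;
        down) echo start ;;
        esac
        ;;
    *)
        echo none
        ;;
    esac
}

# run_event EVENT IFACE: apply the decisions to the system.
run_event() {
    _event=$1
    _if=$2
    logger "ifwatchd hook: $_if $_event"
    case "$(wpa_action "$_event" "$_if")" in
    start) /etc/rc.d/wpa_supplicant start ;;
    stop)  /etc/rc.d/wpa_supplicant stop ;;
    esac
    # ppp is (re)started only if neither LAN nor WLAN has carrier now.
    case "$(ppp_action "$WIRED" "$WIRELESS")" in
    start) /etc/rc.d/ppp start ;;
    stop)  /etc/rc.d/ppp stop ;;
    esac
    if [ "$_event" = up ]; then
        /sbin/dhclient "$_if"
    fi
}

# Dispatch only when invoked through the *-up / *-down names that ifwatchd
# calls with the interface name as first argument, as in the original script.
case "$0" in
*-up)   run_event up "$1" ;;
*-down) run_event down "$1" ;;
esac
```

Install it under two names ending in -up and -down and hand those to
ifwatchd(8) as the carrier and no-carrier scripts for both gem0 and bwi0;
every event then re-evaluates the link state of both interfaces instead of
relying on the order in which the events arrived.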



Re: Routing in a VPN-Roadwarrior configuration

2016-03-19 Thread Frank Wille
Christos Zoulas wrote:

> | # ping -I 192.168.45.21 8.8.8.8
> | PING google-public-dns-a.google.com (8.8.8.8): 56 data bytes
> | 64 bytes from 8.8.8.8: icmp_seq=0 ttl=53 time=29.130956 ms
> | ...
> | 
> | 192.168.45.21 is my real LAN IP, while 192.168.0.213 was my VPN IP.
> | The packet travels unenctypted over my usual private LAN gateway
> | (192.168.45.254), which makes sense, as the policies affect packets
> | from/to 192.168.0.213 only.
> | 
> | So it is probably a matter of selecting the interface's alias or not.
> | Currently it looks like the alias is always used, once it is present.
>
> Yes, since IPSEC is handled without an entry in the routing table, you

One entry was added for IPsec by the phase1-up script:
Destination 1.2.3.4 (VPN-gateway) over Gateway 192.168.45.254 (my real
default gateway).

But further tests show that it is not required to keep IPsec working.
Indeed, no modification of the routing tables is needed.


> need to make source that things originate in the interface it expects.

This works for ping(8) with -I. It even works for ssh(1) with -b. But usual
tasks like using a web browser are still difficult.

Somehow the default routing is confused when IPsec is active. Surprisingly,
I can make it work by adding additional routes for the addresses I want
to access:

Destination        Gateway            Flags    Refs     Use     Mtu Interface
default            192.168.45.254     UGS         -       -      -L re0
8.8.8.8            192.168.45.254     UGHS        -       -      -L re0

Looks stupid, but now pinging 8.8.8.8 works in parallel with IPsec. So the
kernel seems to know that it has to use a 192.168.45.0/24 LAN source
address to reach the gateway, but it no longer works for the default
route, where it prefers the alias.

BTW, it doesn't seem to be a problem of the alias alone. I made a test with
IPsec disabled and just added an alias. The default route still worked as
intended!

Is there already a PR about that?

-- 
Frank Wille



Routing in a VPN-Roadwarrior configuration

2016-03-19 Thread Frank Wille
Hi,

I have set up my NetBSD/amd64 7.0_STABLE notebook (including the latest
netipsec patches) with a Huawei E3131 UMTS surfstick to allow internet
connections via ppp0.

For my problem it makes no difference whether internet access is via WWAN or
LAN, but WWAN is the configuration it is intended to work with in the end.

Without VPN, routing is fine and I can access all internet sites. The normal
routing table:

Destination        Gateway            Flags    Refs     Use     Mtu Interface
default            10.64.64.64        UGS         -       -      -L ppp0
10.64.64.64        100.85.193.130     UH          -       -      -L ppp0
127/8              127.0.0.1          UGRS        -       -  33648L lo0
127.0.0.1          127.0.0.1          UH          -       -  33648L lo0
192.168.45/24      link#1             UC          -       -      -L re0

# ifconfig ppp0
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 100.85.193.130 -> 10.64.64.64 netmask 0xff00
inet6 fe80::2e56:dcff:fe04:a5ff%ppp0 ->  prefixlen 64 scopeid 0x3


Now I establish the IPsec VPN connection with my gateway at 1.2.3.4 (not the
real address). I'm using more or less the default Phase1-Up script, which
does this:

# interface that currently holds the default route
if=`netstat -finet -rn|awk '($1 == "default"){print $7; exit}'`
# add the address assigned by mode config as an alias on that interface
ifconfig ${if} alias ${INTERNAL_ADDR4} netmask ${INTERNAL_NETMASK4}
# re-add the default route bound (-ifa) to the VPN alias address, so the
# alias becomes the source address for traffic using that route
route delete default
route add default ${DEFAULT_GW} -ifa ${INTERNAL_ADDR4}
# host route to the VPN gateway via the real default gateway
route add ${REMOTE_ADDR} ${DEFAULT_GW}

The VPN is up and running and I can work with all sites in my VPN LAN
(192.168.0.0/24):

Mar 16 14:39:18 enceladus racoon: INFO: IPsec-SA established: ESP/Tunnel
100.85.193.130[4500]->1.2.3.4[4500] spi=11295294(0xac5a3e) 
Mar 16 14:39:18 enceladus racoon: INFO: IPsec-SA established: ESP/Tunnel
100.85.193.130[4500]->1.2.3.4[4500] spi=259744464(0xf7b62d0)

My SPD entries:
192.168.0.0/24[any] 192.168.0.213[any] reserved
    in ipsec
    esp/tunnel/1.2.3.4-100.85.193.130/require
    spid=12 seq=1 pid=1385
    refcnt=1
192.168.0.213[any] 192.168.0.0/24[any] reserved
    out ipsec
    esp/tunnel/100.85.193.130-1.2.3.4/require
    spid=11 seq=0 pid=1385
    refcnt=1

My routing table looks the same. Just one entry for the VPN gateway was
added:

Destination        Gateway            Flags    Refs     Use     Mtu Interface
default            10.64.64.64        UGS         -       -      -L ppp0
10.64.64.64        100.85.193.130     UH          -       -      -L ppp0
127/8              127.0.0.1          UGRS        -       -  33648L lo0
127.0.0.1          127.0.0.1          UH          -       -  33648L lo0
192.168.45/24      link#1             UC          -       -      -L re0
1.2.3.4            10.64.64.64        UGHS        -       -      -L ppp0

And the ppp0 interface got an alias. I tried it without the alias, but then
VPN doesn't work at all:

ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 100.85.193.130 -> 10.64.64.64 netmask 0xff00
inet alias 192.168.0.213 ->  netmask 0xff00
inet6 fe80::2e56:dcff:fe04:a5ff%ppp0 ->  prefixlen 64 scopeid 0x3

Internet access within the VPN LAN 192.168.0 usually works through the
gateway 192.168.0.1. But also my own PPP gateway 100.85.193.130 should be
able to route packets into the internet. But it stops working, when
connected with VPN:

# ping 8.8.8.8
PING google-public-dns-a.google.com (8.8.8.8): 56 data bytes

The nameserver from the VPN (192.168.0.251) works, but there is no reply.

# tcpdump -n -i ppp0
14:55:49.410338 IP: IP 192.168.0.213 > 8.8.8.8: ICMP echo request, id 34226,
seq 0, length 64
14:55:50.414873 IP: IP 192.168.0.213 > 8.8.8.8: ICMP echo request, id 34226,
seq 1, length 64
14:55:51.425377 IP: IP 192.168.0.213 > 8.8.8.8: ICMP echo request, id 34226,
seq 2, length 64

Ok, the packet is not encrypted, which is ok, as the destination is not the
VPN LAN. But it uses my VPN alias address 192.168.0.213 for the sender.
Maybe this is the problem?

But what can I do to make it work? I tried to change my policies to route
everything encrypted over the VPN gateway, like this:

0.0.0.0/0[any] 192.168.0.213[any] reserved
    in ipsec
    esp/tunnel/1.2.3.4-100.85.193.130/require
    spid=12 seq=1 pid=1385
    refcnt=1
192.168.0.213[any] 0.0.0.0/0[any] reserved
    out ipsec
    esp/tunnel/100.85.193.130-1.2.3.4/require
    spid=11 seq=0 pid=1385
    refcnt=1

But then it still doesn't want to route my WAN packets:
# ping 8.8.8.8
PING google-public-dns-a.google.com (8.8.8.8): 56 data bytes
36 bytes from 192.168.0.1: Destination Host Unreachable for icmp_seq=0
36 bytes from 192.168.0.1: Destination Host Unreachable for icmp_seq=1
[...]

It works when logging in into a real 192.168.0.0/24 LAN host.

-- 
Frank Wille



Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-08 Thread Frank Wille
Greg Troxel wrote:

> It seems to me that if a kernel with "option IPSEC" and w/o swcrypto
> doesn't work, then perhaps it should fail to config, or log an error at
> runtime.  (Perhaps swcrypto isn't required, and it's just that there
> must be some crypto provider.)

As far as I understand, swcrypto registers software encryption algorithms in
the kernel for 3des, aes, blowfish, etc. They are not explicitly required,
as you may also use hardware for that.

-- 
Frank Wille



Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-05 Thread Frank Wille
Christos Zoulas wrote:

> If your server is behind NAT, I think that got broken at some point.

Oh no! :(


> I meant to debug this... I guess I should just do it...

That would be so great! I can provide you with any information you need
and can do all sorts of tests. Also with big endian hardware.


BTW, there is a strange problem with adding SAs in the 7.0 kernel.
Maybe it doesn't work on big endian?

1. NetBSD/macppc 7.0 (PowerBook G4):
# setkey -c
add 10.0.0.1 10.0.0.2 esp 1234 -E aes-cbc "testtesttesttest";
Invalid argument.
# setkey -D
No SAD entries.

2. NetBSD/amd64 7.0 (Asus i3):
# setkey -c
add 10.0.0.1 10.0.0.2 esp 1234 -E aes-cbc "testtesttesttest";
# setkey -D
10.0.0.1 10.0.0.2
    esp mode=any spi=1234(0x04d2) reqid=0(0x)
    E: aes-cbc  74657374 74657374 74657374 74657374
    seq=0x replay=0 flags=0x0040 state=mature
    created: Mar  5 15:53:31 2016   current: Mar  5 16:20:54 2016
    diff: 1643(s)   hard: 0(s)      soft: 0(s)
    last: Mar  5 11:41:33 2016      hard: 0(s)      soft: 0(s)
    current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
    allocated: 0    hard: 0 soft: 0
    sadb_seq=0 pid=2037 refcnt=1


So the "pfkey ADD failed" is not present on x86, but the "pfkey UPDATED
failed" is still there. I was able to see the SA to be updated for a short
time in "larval" state when phase 2 was established:

# setkey -D
192.168.0.21[4500] 78.48.238.147[4500]
    esp-udp mode=tunnel spi=17572466(0x010c2272) reqid=0(0x)
    E: aes-cbc  d5bd6bf8 2d5fd2f7 49c5ebdc d20c6299
    A: hmac-md5  3bd33ccd cd06e211 b5b7b926 399089e7
    seq=0x0002 replay=4 flags=0x state=mature
    created: Mar  5 14:57:06 2016   current: Mar  5 14:57:14 2016
    diff: 8(s)      hard: 28800(s)  soft: 23040(s)
    last: Mar  5 14:57:07 2016      hard: 0(s)      soft: 0(s)
    current: 320(bytes)     hard: 0(bytes)  soft: 0(bytes)
    allocated: 2    hard: 0 soft: 0
    sadb_seq=1 pid=660 refcnt=2
78.48.238.147 192.168.0.21
    esp mode=tunnel spi=120588728(0x073009b8) reqid=0(0x)
    seq=0x replay=0 flags=0x0000 state=larval
    sadb_seq=0 pid=660 refcnt=1


-- 
Frank Wille



Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-04 Thread Frank Wille
Brett Lymn wrote:

On 04.03.16 09:20:12 you wrote:

> Well, let's say packet loss from the point of view of racoon, ipsec can
> be very sensitive to lossy networks so it is good the eliminate that as
> a cause.  The test with the windows client is valuable, it shows that
> ipsec can work from where you are.

Indeed. And I guess we can ignore a potential packet loss for now. I
debugged Racoon and studied the source over several hours and came to the
conclusion that IKE mode config only works with Hybrid authentication
modes. No plain "rsasig", which is a pity.

Might not be too difficult to add...


> As for the keep alives, the
> handling of those depends on the client and/or its configuration -
> maybe the windows client is configured to ignore the keep alives?

Now I guess that keep-alives are just sent to have some traffic, but there is
no need to reply to them. The Lancom gateway does not send them itself. My own
NetBSD gateway generates them, but does not reply either.


> I do recall being able to get logging out of racoon.  Have you tried
> running racoon in the foreground

Correct. I discovered that in the meantime. "debug" output is never written
to syslog for security reasons (contains hexdumps of keys and
certificates).


>> Also I'm getting doubt whether "authentication_method rsasig" is
>> working at all. Until now I found no success stories with such a
>> configuration on the net, especially when using mode_cfg.
>> 
>
> As for a lot of things, it is hard to find success stories on the net -

True, but unfortunately I was right here. :|


> I have only done hybrid-xauth, part of that was validating a
> certificate.

Now I tried "hybrid_rsa_client", which perfectly does mode config, calls my
phase1-up script and adds the appropriate SPD entries.

There is no phase 2 negotiation before I try to connect to any VPN address,
but I think that's normal.

Unfortunately even the proven hybrid authentication fails for me. The kernel
cannot update or add keys for SAD:

racoon: INFO: initiate new phase 2 negotiation:
192.168.1.5[4500]<=>77.182.71.224[4500] 
racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3). 
racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel 
racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1) 
/netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
/netbsd: key_update: no SA index found.
/netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
/netbsd: key_setsaval: unable to initialize SA type 3.
racoon: ERROR: pfkey UPDATE failed: No such file or directory 
racoon: ERROR: pfkey ADD failed: Invalid argument 
racoon: ERROR: 77.182.71.224 give up to get IPsec-SA due to time up to wait.


On the other hand, the Racoon server/gateway has no problem. It may have
something to do with NAT-T...?

-- 
Frank Wille



Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-02 Thread Frank Wille
Thor Lancelot Simon wrote:

> Consider disabling dead peer detection?

Yes, tried that. The only difference is that "racoonctl vc 1.2.3.4" does not
return, as it never realizes that the VPN server is dead.

Otherwise the Lancom still terminates my connection after 30s.

-- 
Frank Wille



Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-02 Thread Frank Wille
pecifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log debug;

#timer
#{
#   natt_keepalive 15 seconds;
#}

remote "wpsd"
{
    remote_address 1.2.3.4;
    exchange_mode main,base;

    my_identifier asn1dn;
    #peers_identifier asn1dn;
    #verify_identifier on;

    certificate_type x509 "vpnclient15.crt" "vpnclient15.key";
    ca_type x509 "ca.crt";

    mode_cfg on;            # ISAKMP mode config
    dpd_delay 20;           # peer detection (alive check)
    nat_traversal on;       # force

    ike_frag on;
    esp_frag 552;
    script "phase1-up.sh" phase1_up;
    script "phase1-down.sh" phase1_down;
    lifetime time 8 hour;

    # phase 1 proposal (for ISAKMP SA)
    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }

    proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use)
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}


Unfortunately "log debug" doesn't work at all. I get no debug messages out
of racoon.

Also I'm starting to doubt whether "authentication_method rsasig" is working at
all. Until now I found no success stories with such a configuration on the
net, especially when using mode_cfg.

Did anybody ever use "rsasig"?

-- 
Frank Wille



Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-01 Thread Frank Wille
Brett Lymn wrote:

> OK, does phase 2 actually complete?

I doubt that. Currently I'm not even sure whether phase 1 completes, because
the phase1-up script is never called. On the other hand the phase1-down
script is called, as soon as the connection is terminated.


> What does a "setkey -aD" output?

No SAD entries. And no SPD entries either.
I guess they would be added by the phase1-up script...?


> Have you tried a tcpdump to see what is going on at the network level?

Yes, always. I have attached the tcpdump from my client and the vpn-status
log of the Lancom-router (the VPN "server").


> You should expect encrypted packets, if you are seeing stuff in the
> clear then check your routing and ensure the packets are properly
> routed to the vpn tunnel end point.

This is something to worry about as soon as both phases have been completed,
which definitely is not the case. ;)


> It has been a long while since I played with this but I seem to recall
> that you do get a log of what is being proposed by both sides.

The proposal is accepted (refer to the Lancom VPN log).

Looking at the tcpdump I wonder why the NetBSD client says it is exchanging
"isakmp: phase 2" packets, while the Lancom still calls these isakmp
notifies "Phase-1 SA"?

IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE sent for Phase-1 SA to peer
VPNCLIENT15EF90, sequence nr 0x7a8b3f4b

-- 
Frank Wille
Mar  1 11:40:50 powerbook racoon: INFO: @(#)ipsec-tools cvs 
(http://ipsec-tools.sourceforge.net) 
Mar  1 11:40:50 powerbook racoon: INFO: @(#)This product linked OpenSSL 1.0.1p 
9 Jul 2015 (http://www.openssl.org/) 
Mar  1 11:40:50 powerbook racoon: INFO: Reading configuration from 
"/etc/racoon/racoon.conf" 
Mar  1 11:40:50 powerbook racoon: INFO: 192.168.1.5[500] used for NAT-T 
Mar  1 11:40:50 powerbook racoon: INFO: 192.168.1.5[500] used as isakmp port 
(fd=7) 
Mar  1 11:40:50 powerbook racoon: INFO: 192.168.1.5[4500] used for NAT-T 
Mar  1 11:40:50 powerbook racoon: INFO: 192.168.1.5[4500] used as isakmp port 
(fd=8) 
Mar  1 11:40:50 powerbook racoon: INFO: 127.0.0.1[500] used for NAT-T 
Mar  1 11:40:50 powerbook racoon: INFO: 127.0.0.1[500] used as isakmp port 
(fd=9) 
Mar  1 11:40:50 powerbook racoon: INFO: 127.0.0.1[4500] used for NAT-T 
Mar  1 11:40:50 powerbook racoon: INFO: 127.0.0.1[4500] used as isakmp port 
(fd=10) 
Mar  1 11:52:06 powerbook racoon: INFO: accept a request to establish IKE-SA: 
1.2.3.4 
Mar  1 11:52:06 powerbook racoon: INFO: initiate new phase 1 negotiation: 
192.168.1.5[500]<=>1.2.3.4[500] 
Mar  1 11:52:06 powerbook racoon: INFO: begin Identity Protection mode. 
Mar  1 11:52:06 powerbook racoon: INFO: received Vendor ID: 
draft-ietf-ipsec-nat-t-ike-02  
Mar  1 11:52:06 powerbook racoon: INFO: received Vendor ID: 
draft-ietf-ipsec-nat-t-ike-03 
Mar  1 11:52:06 powerbook racoon: INFO: received Vendor ID: RFC 3947 
Mar  1 11:52:06 powerbook racoon: INFO: received Vendor ID: 
draft-ietf-ipsra-isakmp-xauth-06.txt 
Mar  1 11:52:06 powerbook racoon: INFO: received Vendor ID: DPD 
Mar  1 11:52:06 powerbook racoon: [1.2.3.4] INFO: Selected NAT-T version: RFC 
3947 
Mar  1 11:52:06 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with 
algo #1  
Mar  1 11:52:06 powerbook racoon: [192.168.1.5] INFO: Hashing 192.168.1.5[500] 
with algo #1  
Mar  1 11:52:06 powerbook racoon: INFO: Adding remote and local NAT-D payloads. 
Mar  1 11:52:06 powerbook racoon: [192.168.1.5] INFO: Hashing 192.168.1.5[500] 
with algo #1  
Mar  1 11:52:06 powerbook racoon: INFO: NAT-D payload #0 doesn't match 
Mar  1 11:52:06 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with 
algo #1  
Mar  1 11:52:06 powerbook racoon: INFO: NAT-D payload #1 verified 
Mar  1 11:52:06 powerbook racoon: INFO: NAT detected: ME  
Mar  1 11:52:06 powerbook racoon: INFO: KA list add: 
192.168.1.5[4500]->1.2.3.4[4500] 
Mar  1 11:52:07 powerbook racoon: WARNING: unable to get certificate CRL(3) at 
depth:0 
SubjectName:/postalCode=32052/OU=IT/ST=NRW/L=HERFORD/C=DE/O=WPS/CN=ZENTRALE 
Mar  1 11:52:07 powerbook racoon: WARNING: unable to get certificate CRL(3) at 
depth:1 SubjectName:/C=DE/O=LANCOM SYSTEMS/CN=LANCOM CA 
Mar  1 11:52:07 powerbook racoon: [1.2.3.4] INFO: received INITIAL-CONTACT 
Mar  1 11:52:07 powerbook racoon: INFO: ISAKMP-SA established 
192.168.1.5[4500]-1.2.3.4[4500] spi:4da2f5f910bbdf44:444ae08dd7de45a5 
Mar  1 11:53:12 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA 
spi=4da2f5f910bbdf44:444ae08dd7de45a5) seems to be dead. 
Mar  1 11:53:12 powerbook racoon: INFO: purging ISAKMP-SA 
spi=4da2f5f910bbdf44:444ae08dd7de45a5. 
Mar  1 11:53:12 powerbook racoon: INFO: purged ISAKMP-SA 
spi=4da2f5f910bbdf44:444ae08dd7de45a5. 
Mar  1 11:53:12 powerbook racoon: INFO: ISAKMP-SA deleted 
192.168.1.5[4500]-1.2.3.4[4500] spi:4da2f5f910bbdf44:444ae08dd7de45a5 
Mar  1 11:53:12 powerbook racoon: INFO: KA remove: 
192.168.1.5[4500]->1.2.3.4[4500] 
11:52:06.441891 IP

Re: Simple IPSEC client with certificate - phase 1 time out

2016-02-29 Thread Frank Wille
Brett Lymn wrote:

On 28.02.16 10:18:13 you wrote:

> Once upon a time I did manage to get hybrid xauth working using a
> NetBSD server and windows clients, so certificates did work for me.

I don't even need hybrid or xauth. Just a plain signed certificate on both
sides. A simple "road-warrior" client. Until now I found no example
configurations for this case.


>  IIRC, looping in phase 1 means both ends cannot agree on an
> authentication method or the credentials presented are not correct.

Yes. But phase 1 is definitely ok in my case. I have now access to the
VPN-status log of my office's Lancom router and it accepted everything:

[VPN-Status] 2016/02/29 12:31:52,304
IKE info: Phase-1 [responder] for peer VPNCLIENT15EF90 initiator id
CN=VPNCLIENT15,O=WPS,C=DE,L=HERFORD,ST=NRW,OU=IT,postalCode=32052,
responder id CN=ZENTRALE,O=WPS,C=DE,L=HERFORD,ST=NRW,OU=IT,postalCode=32052
IKE info: initiator cookie: 0x4f5e1f08e12bd21c, responder cookie:
0x2e8dc875b4e07c26
IKE info: NAT-T enabled in mode rfc, we are not behind a nat, the remote
side is  behind a nat
IKE info: SA ISAKMP for peer VPNCLIENT15EF90 encryption aes-cbc
authentication MD5
IKE info: life time ( 28800 sec/ 0 kb) DPD 0 sec


But after 30 seconds and a few Phase 2 Inf messages it just says:

[VPN-Status] 2016/02/29 12:32:22,284
VPN: connection for VPNCLIENT15EF90 (91.56.236.148) timed out: no response

[VPN-Status] 2016/02/29 12:32:22,284
VPN: Error: IFC-R-Connection-timeout-dynamic (0x1205) for VPNCLIENT15EF90
(91.56.236.148)


> Try increasing the debug level on raccoon and see what it is offering
> to the remote end and see if that matches what you expect.

I tried everything. IPSEC_DEBUG in the kernel. "log debug2" in racoon.conf
and starting the racoon daemon with -. I don't get any more information
out of it.


>  If you have
> control over the other end then try simplifying things by using a
> pre-shared key (PSK) method of authentication

Unfortunately that's not possible. I cannot change the configuration of my
office's router, because it will break the working VPN connection of all
Windows notebooks.

Thanks,

-- 
Frank Wille



Re: Simple IPSEC client with certificate - phase 1 time out

2016-02-26 Thread Frank Wille
Andy Ruhl wrote:

> It might be worth trying some other OS or device just to sanity check
> it and make sure it CAN work before you assume it's a NetBSD issue.

I know that this Lancom router successfully establishes a connection to
several other Lancom routers and to dozens of Windows clients, running the
Windows Lancom VPN client software.

So the problem is the Racoon configuration under NetBSD.


> Would be really nice if there was an IPSEC secret decoder ring for
> device compatibility/setup.

Indeed. Over the last days I was surprised that there is so little information
about IPSEC configuration on the net (especially with signed certificates),
although the same Racoon software is used in all BSDs, Linux, Android and
Mac OSX ... :|

-- 
Frank Wille



Re: Simple IPSEC client with certificate - phase 1 time out

2016-02-25 Thread Frank Wille
On 25.02.16 18:52:52 I wrote:

> and the VPN connection
> # racoonctl vc 1.2.3.4
>
> ...it fails very early:
>
> [...]
> Feb 25 17:24:08 arwen racoon: INFO: begin Identity Protection mode. 
> Feb 25 17:24:59 arwen racoon: ERROR: phase1 negotiation failed due to
> time up. 05349d3fe352e138:

Seems I forgot IPSEC_DEBUG, so I missed important information? I tried it
again with a 7.0 kernel and IPSEC_DEBUG on my PowerBook and the cause
turned out to be a bad "authentication_method" in my proposal:

Feb 25 22:30:08 powerbook racoon: [1.2.3.4] ERROR: notification
NO-PROPOSAL-CHOSEN received in unencrypted informational exchange. 

I had to replace "hybrid_rsa_client" by "rsasig" - although I'm not
completely sure about the difference. I have a signed certificate and don't
want to use any username or password authentication with xauth, so "rsasig"
is probably ok...?


Now I reach phase 2 and it looks to me that the VPN connection is
established for a second, but a few seconds later I get "DPD: remote seems
to be dead". No idea at the moment.

Do I have to worry about "WARNING: unable to get certificate CRL(3)" ?

What does "KA" mean?

---8<---
Feb 25 22:31:25 powerbook racoon: INFO: @(#)ipsec-tools cvs
(http://ipsec-tools.sourceforge.net) 
Feb 25 22:31:25 powerbook racoon: INFO: @(#)This product linked OpenSSL
1.0.1p 9 Jul 2015 (http://www.openssl.org/) 
Feb 25 22:31:25 powerbook racoon: INFO: Reading configuration from
"/etc/racoon/racoon.conf" 
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[500] used for NAT-T 
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[500] used as isakmp port
(fd=7) 
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[4500] used for NAT-T 
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[4500] used as isakmp
port (fd=8) 
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[500] used for NAT-T
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[4500] used for NAT-T
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=10)
Feb 25 22:31:35 powerbook racoon: INFO: accept a request to establish IKE-SA: 1.2.3.4
Feb 25 22:31:35 powerbook racoon: INFO: initiate new phase 1 negotiation: 192.168.1.5[500]<=>1.2.3.4[500]
Feb 25 22:31:35 powerbook racoon: INFO: begin Identity Protection mode.
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: RFC 3947
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: DPD
Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Selected NAT-T version: RFC 3947
Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #1
Feb 25 22:31:35 powerbook racoon: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #1
Feb 25 22:31:35 powerbook racoon: INFO: Adding remote and local NAT-D payloads.
Feb 25 22:31:35 powerbook racoon: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #1
Feb 25 22:31:35 powerbook racoon: INFO: NAT-D payload #0 doesn't match
Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #1
Feb 25 22:31:35 powerbook racoon: INFO: NAT-D payload #1 verified
Feb 25 22:31:35 powerbook racoon: INFO: NAT detected: ME
Feb 25 22:31:35 powerbook racoon: INFO: KA list add: 192.168.1.5[4500]->1.2.3.4[4500]
Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/postalCode=32052/OU=IT/ST=NRW/L=HERFORD/C=DE/O=WPS/CN=ZENTRALE
Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=DE/O=LANCOM SYSTEMS/CN=LANCOM CA
Feb 25 22:31:36 powerbook racoon: [1.2.3.4] INFO: received INITIAL-CONTACT
Feb 25 22:31:36 powerbook racoon: INFO: ISAKMP-SA established 192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd
Feb 25 22:32:42 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA spi=554e0ed2b394bee9:df77769896bfb2bd) seems to be dead.
Feb 25 22:32:42 powerbook racoon: INFO: purging ISAKMP-SA spi=554e0ed2b394bee9:df77769896bfb2bd.
Feb 25 22:32:42 powerbook racoon: INFO: purged ISAKMP-SA spi=554e0ed2b394bee9:df77769896bfb2bd.
Feb 25 22:32:42 powerbook racoon: INFO: ISAKMP-SA deleted 192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd
Feb 25 22:32:42 powerbook racoon: INFO: KA remove: 192.168.1.5[4500]->1.2.3.4[4500]
---8<---

-- 
Frank Wille
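
The NAT-D exchange visible in the racoon log above ("Hashing ... with algo #1", "NAT-D payload #0 doesn't match", "NAT-D payload #1 verified", "NAT detected: ME"), replayed as an added Python example. This is not racoon's code and not part of the original post. It implements the RFC 3947 NAT-D payload, HASH(CKY-I | CKY-R | IP | Port), using the two ISAKMP cookies printed in the log's spi field. Two assumptions are mine: racoon's "algo #1" is read as the ISAKMP hash attribute value 1, i.e. MD5 (RFC 2409, Appendix A), and the NAT's outside address 203.0.113.7 is constructed, because the log never shows what the peer at 1.2.3.4 actually saw.

```python
# Added example: RFC 3947 NAT-D check as racoon performs it in the log above.
# Not racoon's code. Assumptions: racoon's "algo #1" is the ISAKMP hash
# attribute value 1 = MD5 (RFC 2409, Appendix A); the NAT's outside address
# 203.0.113.7 is constructed, since the log does not show it.
import hashlib
import socket
import struct

# ISAKMP cookies, taken from the "spi:<CKY-I>:<CKY-R>" field of the log.
CKY_I = bytes.fromhex("554e0ed2b394bee9")
CKY_R = bytes.fromhex("df77769896bfb2bd")

ALGO = {1: "md5", 2: "sha1"}   # ISAKMP hash attribute values (RFC 2409)


def nat_d_hash(cky_i, cky_r, addr, algo=1):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), port in network order."""
    ip, port = addr
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(ALGO[algo], data).digest()


def build_nat_d(cky_i, cky_r, remote, local, algo=1):
    """Payloads as a peer sends them: #0 hashes the address it sends TO (its
    view of the other side), the following ones hash its own addresses; this
    is racoon's "Adding remote and local NAT-D payloads"."""
    return [nat_d_hash(cky_i, cky_r, remote, algo),
            nat_d_hash(cky_i, cky_r, local, algo)]


def check_nat_d(cky_i, cky_r, my_addr, peer_addr, payloads, algo=1):
    """Compare received payloads against our own view of both addresses.
    Returns (me_behind_nat, peer_behind_nat), the two facts racoon condenses
    into its "NAT detected:" line."""
    # Payload #0 is what the peer believes our address to be. If it does not
    # hash the address we bound (192.168.1.5 in the log), a NAT rewrote it.
    me_nat = payloads[0] != nat_d_hash(cky_i, cky_r, my_addr, algo)
    # The remaining payloads are the peer's own addresses. If none of them
    # matches the address we see the peer at, the peer is the one behind a NAT.
    mine_of_peer = nat_d_hash(cky_i, cky_r, peer_addr, algo)
    peer_nat = not any(p == mine_of_peer for p in payloads[1:])
    return me_nat, peer_nat


def run_log_scenario():
    """Reproduce the log: we are 192.168.1.5:500 behind a NAT, the peer is 1.2.3.4:500."""
    me, peer = ("192.168.1.5", 500), ("1.2.3.4", 500)
    public = ("203.0.113.7", 500)   # constructed: our address as the peer sees it after NAT
    payloads = build_nat_d(CKY_I, CKY_R, remote=public, local=peer)
    return check_nat_d(CKY_I, CKY_R, me, peer, payloads)


if __name__ == "__main__":
    me_nat, peer_nat = run_log_scenario()
    print("NAT-D payload #0", "doesn't match" if me_nat else "verified")
    print("NAT-D payload #1", "doesn't match" if peer_nat else "verified")
    print("NAT detected:", " ".join(n for n, f in (("ME", me_nat), ("PEER", peer_nat)) if f))
```

The mismatch on payload #0 is exactly the "NAT detected: ME" case in the log: the peer hashed the post-NAT source address, so the local hash of 192.168.1.5 can never equal it, and racoon correctly moves the SA to UDP 4500 ("KA list add ... [4500]"). Because the cookies are folded into the hash, a payload from one SA cannot be replayed into another, which is why the cookies are part of the input.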



Simple IPSEC client with certificate - phase 1 time out

2016-02-25 Thread Frank Wille
suppressed, use -v or -vv for full protocol decode
listening on pppoe0, link-type PPP_ETHER (PPPoE), capture size 65535 bytes
17:24:08.847578 PPPoE  [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:08.884661 PPPoE  [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:08.885322 PPPoE  [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf
17:24:18.906170 PPPoE  [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:18.943086 PPPoE  [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:18.943549 PPPoE  [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf
17:24:28.966408 PPPoE  [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:29.005141 PPPoE  [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf
17:24:29.005186 PPPoE  [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:39.027346 PPPoE  [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:39.064511 PPPoE  [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:39.066388 PPPoE  [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf
17:24:49.126577 PPPoE  [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:49.163077 PPPoE  [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:49.163787 PPPoE  [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf

Regards,

-- 
Frank Wille



UMTS/LTE support

2016-02-21 Thread Frank Wille
Hi,

I don't find much information about WWAN (UMTS, LTE) data card support in
NetBSD. Do I have to be careful which one to select?

Thanks in advance.

-- 
Frank Wille



Re: NetBSD 7, Raspberry Pi 2, reboots instead of halting on poweroff

2015-10-29 Thread Frank Wille
Mayuresh wrote:

> Raspberry Pi 2, reboots after waiting for a while on poweroff.

I can confirm a similar problem on the Raspberry Pi 1 B+.

When waiting for a key to reboot, the kernel crashes after a few seconds
(I have briefly seen the debugger output) and reboots automatically.


> The issue was previously discussed and reportedly fixed:
>
> https://mail-index.netbsd.org/current-users/2015/07/11/msg027722.html
>
> Is this fix not yet pulled up in 7.0?

Maybe it's a different issue, as all modifications of arm32_reboot.c
have been pulled up to NetBSD-7.

-- 
Frank Wille


crash on fsck_root without swap

2015-10-19 Thread Frank Wille
Hi,

I'm running NetBSD/sandpoint 7.0 on a Synology NAS with 64 MB RAM and
stupidly configured a terabyte root partition. As a result, when I need to
do an fsck on that partition, the system runs out of memory.

Before repartitioning and reinstalling the whole system I had the idea to
make /etc/rc.d/fsck_root depend on localswap (/etc/rc.d/swap1). It works
fine when I do "swapctl -A -t blk" manually before fsck.

Unfortunately /etc/rc.d/swap1 depends on the root file system being fsck'd
and mounted as read-write. Why?

-- 
Frank Wille
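
The dependency problem described in the post, as an added Python example that is not part of the original message and not NetBSD's rcorder(8): a toy sorter over rc.d PROVIDE/REQUIRE headers that shows what happens to the boot order when fsck_root is made to REQUIRE localswap. The three script headers are constructed to mirror only the dependencies the post names (root needs fsck_root, swap1 needs the root file system); the real /etc/rc.d scripts carry more header lines than shown.

```python
# Added example, not NetBSD's rcorder(8): a toy dependency sorter over rc.d
# PROVIDE/REQUIRE headers. The script headers below are constructed to match
# the dependencies described in the post; real /etc/rc.d files have more.
import re

HEADER_RE = re.compile(r"^#\s*(PROVIDE|REQUIRE):\s*(.*)$", re.MULTILINE)

STOCK = {
    "fsck_root": "#!/bin/sh\n# PROVIDE: fsck_root\n",
    "root":      "#!/bin/sh\n# PROVIDE: root\n# REQUIRE: fsck_root\n",
    "swap1":     "#!/bin/sh\n# PROVIDE: localswap\n# REQUIRE: root\n",
}
# The change proposed in the post: fsck the root fs only once local swap is on.
PATCHED = dict(STOCK, fsck_root="#!/bin/sh\n# PROVIDE: fsck_root\n# REQUIRE: localswap\n")


def parse_headers(text):
    """Return (provides, requires) word lists from a script's rcorder headers."""
    provides, requires = [], []
    for kind, rest in HEADER_RE.findall(text):
        (provides if kind == "PROVIDE" else requires).extend(rest.split())
    return provides, requires


def rcorder(scripts):
    """Topologically sort {name: script_text}. Returns (order, cycle): order
    lists the scripts that could be placed, requirements first; cycle is None
    or the path of script names that loops back on itself."""
    provider, requires = {}, {}
    for name, text in scripts.items():
        prov, req = parse_headers(text)
        for p in prov:
            provider[p] = name            # provision -> script that provides it
        requires[name] = req

    WHITE, GREY, BLACK = 0, 1, 2          # unvisited / on the DFS path / finished
    state = dict.fromkeys(scripts, WHITE)
    order, path = [], []

    def visit(name):
        if state[name] == GREY:           # back edge: name is already on the path
            return path[path.index(name):] + [name]
        if state[name] == BLACK:
            return None
        state[name] = GREY
        path.append(name)
        for provision in requires[name]:
            dep = provider.get(provision)
            if dep is None:               # nothing provides it; rcorder warns, we skip
                continue
            cycle = visit(dep)
            if cycle:
                return cycle
        path.pop()
        state[name] = BLACK
        order.append(name)                # all requirements placed before us
        return None

    for name in sorted(scripts):
        cycle = visit(name)
        if cycle:
            return order, cycle
    return order, None


if __name__ == "__main__":
    print("stock:  ", rcorder(STOCK))     # (['fsck_root', 'root', 'swap1'], None)
    print("patched:", rcorder(PATCHED))   # ([], ['fsck_root', 'swap1', 'root', 'fsck_root'])
```

With the stock headers the order is fsck_root, root, swap1. Adding REQUIRE: localswap to fsck_root closes the loop fsck_root -> swap1 -> root -> fsck_root, so no valid order exists and nothing can be placed; a real boot needs the swap to come from somewhere that does not itself depend on the root file system having been checked.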



Re: RAIDframe changes its unit number

2015-09-30 Thread Frank Wille
Robert Elz wrote:

> In this case, rather than finding two different raid0's, and "fixing"
> things by changing one of them (in this case, unfortunately it seems,
> the "wrong" one) to raid1, a better solution would have been to just
> blather on the console about the problem, and refuse to configure
> either of them

Indeed. I would prefer this behaviour over what happened to me now.


> in this case, most likely, the boot would simply have failed (I'm
> guessing) and the added drive with the irrelevant raid0 on it would
> just have been removed again, and all would have reverted to normal

The only problem I see here is: how to clear the RAID disklabel from it,
when you can't get access to any of your file systems? You could only
insert it into a second system, preferably one without RAID.

-- 
Frank Wille



RAIDframe changes its unit number

2015-09-30 Thread Frank Wille
Hi,

these days I have set up a Synology DS209j with a RAID-1 kernelized RAIDframe,
using the components /dev/wd0a and /dev/wd1a.

All worked well, so I started to test some failure scenarios.

Disconnecting wd0 was fine and the system boots from wd1a with "component0
failed".

Then I replaced wd0 with another disk, which had previously also been
auto-configured as /dev/raid0 during some tests, but is otherwise completely
different. Now the system started with /dev/raid0 and /dev/raid1, where
both showed a failed component.

Ok, I realized my error and zeroed wd0's MBR and disklabel. But after a
reboot my RAIDframe was still auto-configured as /dev/raid1, although raid0
no longer existed! Even disconnecting wd0 didn't change that.

And, even worse, when I connect my original wd0a component again I get
raid0 with wd0a and failed component1, and raid1 with wd1a and failed
component0.

Is it possible to change the "Last configured as..." setting on wd1 back
to raid0? Or do I have to reconstruct wd1 from wd0 now?

And wouldn't it be nice to fix RAIDframe, so that a previous /dev/raid1
is automatically configured as /dev/raid0 again, when raid0 does not exist
in the system? Or doesn't that make sense for some reason?

Regards,

-- 
Frank Wille


Re: RAIDframe changes its unit number

2015-09-30 Thread Frank Wille
Greg Oster wrote:

>> And wouldn't it be nice to fix RAIDframe, so that a
>> previous /dev/raid1 is automatically configured as /dev/raid0 again,
>> when raid0 does not exist in the system? Or doesn't that make sense
>> for some reason?
>
> Imagine a system where /dev/raid0a is /, /dev/raid1e is /tmp,
> and /dev/raid2e is /bigdatabase.  Further, suppose that raid1 'goes
> away', and that now /dev/raid2e is magically configured as /dev/raid1e.
> What happens on boot when /tmp is cleared, given that /etc/fstab hasn't
> changed to reflect the new location of /bigdatabase?

Ok, that's a valid reason. You really don't want that to happen. ;)


> I agree that it'd be nice to have an IOCTL for raidctl to change which
> device a RAID set will show up as on next reboot... It's not that hard
> to do -- just requires time to do a little coding.

Yes. I already had a look into the code myself. You only have to change the
last_unit field in the ComponentLabel? And add a new option for raidctl?

-- 
Frank Wille



Re: urtwn(4) narcolepsy

2015-09-18 Thread Frank Wille
Hi!

On 15.09.15 15:50:45 I wrote:

> When I leave the system alone for some minutes or hours (don't know the
> exact period, maybe it differs) then the WLAN connection falls asleep
> and I can no longer connect from outside. Also a ping is not answered.

Seems this is a common problem. See:
  https://www.raspberrypi.org/forums/viewtopic.php?t=61665

Linux solves it by adding the line
  options 8192cu rtw_power_mgnt=0 rtw_enusbss=0
into 8192cu.conf.

As far as I can see it is impossible to change the power management settings
in our urtwn(4) driver.

-- 
Frank Wille



urtwn(4) narcolepsy

2015-09-15 Thread Frank Wille
Hi,

I'm using an Edimax EW-7811UN WLAN USB-stick on a Raspberry Pi (model B+).
The WLAN module works fine and has a good range, despite its tiny size, but
it suffers from some kind of narcolepsy. Did anybody ever notice this
behaviour with the urtwn(4) driver?

When I leave the system alone for some minutes or hours (don't know the
exact period, maybe it differs) then the WLAN connection falls asleep and I
can no longer connect from outside. Also a ping is not answered.

Then I additionally connected an ethernet cable to analyze the situation. I
can connect via LAN and see that the system is still up and running. And as
soon as I use the WLAN interface from inside (e.g. with ping(8)) it wakes
up, and also connections from outside are possible again.

What's going on there? Is it the driver or the hardware?

According to the access point, running hostapd(8), the RPi still does
handshaking but no longer allows any connections:

Sep 15 15:00:36 alix hostapd: ath0: STA 74:da:38:3a:xx:xx WPA: group key handshake completed (WPA)
Sep 15 15:10:36 alix hostapd: ath0: STA 74:da:38:3a:xx:xx WPA: group key handshake completed (WPA)
Sep 15 15:20:36 alix hostapd: ath0: STA 74:da:38:3a:xx:xx WPA: group key handshake completed (WPA)
Sep 15 15:30:37 alix hostapd: ath0: STA 74:da:38:3a:xx:xx WPA: group key handshake completed (WPA)
[...]

Same effect with urtwn(4) in -current. Is it a bug?

-- 
Frank Wille



Re: 7.0_RC1 slow boot

2015-08-09 Thread Frank Wille
Alan Barrett wrote:

> It's not just checking whether a pid is alive, it's checking whether
> the PID represents a shell running /etc/rc, to guard against pids being
> recycled.  That part is probably unnecessary.
>
> I can also reduce the number of times _have_rc_postprocessor is called.

Thanks. I can make comparison tests on some classic hardware, as soon as a
new patch is available.

I think this would be quite important to fix for 7.0, as it affects all
hardware with a weaker CPU. And NetBSD runs on a lot of this hardware
(embedded, NAS, etc.).

-- 
Frank Wille



Re: 7.0_RC1 slow boot

2015-07-12 Thread Frank Wille
On Sun, 12 Jul 2015 20:02:03 +0200
Martin Husemann mar...@duskware.de wrote:

> On Sun, Jul 12, 2015 at 08:47:13PM +0300, Arto Huusko wrote:
>> I also tested 7.99.19, and it is just as slow to boot as 7.0_RC1,
>> and vmstat numbers are pretty much the same.

I'm happy to hear from more platforms confirming the problem. ;)

It probably isn't noticeable on modern multi-core CPUs, but only on older
systems.


> Frank, can you file a PR please?

Done.


>> In the not very scientific qemu boot time test -current kernel is
>> also unfortunately slightly slower to boot 6.1.5 userland than
>> 6.1.5 or 7.0 kernel.

I can also confirm that for Amiga.

-- 
Frank Wille


named illegal instruction on i486

2014-04-21 Thread Frank Wille
Hi!

I have some trouble with named(8) after having updated my Soekris Net-4501
from 5.1.2 to 6.1.4.

The Soekris is used as a router and has an AMD Elan SC (486-class) CPU.

When launching the new named it runs into an illegal instruction very
early and dumps a core into /etc/namedb. In this core file the top three
functions from the backtrace were:

atomic_cas_64_ni (libc)
atomic_add_64_nv (libc)
isc_stats_increment (libisc)
...

The disassembly shows that the CPU fails on executing the instruction
lock cmpxchg..., which is only available for Pentium CPUs and higher.

Any idea what went wrong? Is it a general problem in libc or was named
built for >=Pentium?

Thanks in advance.

-- 
Frank Wille