Re: ssl accelerator cards and jail?

2009-07-24 Thread Brian A. Seklecki
On Wed, 2009-07-08 at 16:45 -0400, Michael Scheidell wrote:
> has anyone done any work with hardware ssl accelerator cards and freebsd?
 

I'm pretty sure.  Because it is all one kernel, the userland-kernel
sysctls just fall through to the host.

I've been meaning to try the VMWare ESXi 4.0 PCI card passthrough
feature.

Let me pass my Sun Crypto 1000 (BCM5921/23) through to a Jailhost
FreeBSD 7.2, then try it within a jail.  Should be quite a head trip.

 ~BAS

> specifically, freebsd 7.1 amd64?
>
> and, is it transparent in 'jail' so all jailed servers can use the one card?
 
 


___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to freebsd-jail-unsubscr...@freebsd.org


Re: ssl accelerator cards and jail?

2009-07-24 Thread Brian A. Seklecki
On Fri, 2009-07-24 at 12:11 -0400, Michael Scheidell wrote:
> thanks.  maybe I'll look into one of those and give it a try on 7.1
> (worries me that 7.2 has a shorter lifespan than 7.1...)

That's by design per the releng document.

Hey, my ESXi 4.0 machine is PCI-Express only.  My Broadcom cards are
32bit PCI-X.  I had a PCI-E but had to return it as a demo.

Give me a few days to hack some testing together.   ~BAS




bind()/sendto() behavior in RELENG_7

2009-05-08 Thread Brian A. Seklecki
All:

Did the behavior of bind()/sendto() functions WRT jails change in
proximity to the RELENG_7_2 branch?

I just spent 1.5 days chasing what I thought was a bug in Courier-MTA's
IPv6 socket selection code within Jails, to realize a paradox of a
configuration scenario:

My ESMTP client libraries in Courier were programmed to explicitly bind()
to a specific source address.  The system in question was RELENG_7 from
last month; but was upgraded to 7.2-R last week, when this problem was
observed.  After which, I began to receive:
   Can't assign requested address, as expected.

Unfortunately, we also enabled IPv6 on the system at the same time,
complicating troubleshooting.

The configuration for Courier in the jail is being rsync(1)'d every hour
from a production environment (where explicit binding for System-Service
abstraction is a security policy requirement) to a DRP system within a
Jail.

So as far as I know, the explicit bind was always present in the DRP
jail and in theory, should never have worked.

I hypothesize that after 7.2-R was installed, the correct behavior of
bind() began to occur, and that prior to that, it was gracefully
allowing Courier to bind() to an IP that wasn't present in the jail.

Unfortunately, I don't have any records of what the RELENG_7 build date
was of the original jail environment to test this hypothesis.

~BAS
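
An added example, not part of the original post and not Courier code: a pre-flight check that tries to bind() to each explicit source address a synced configuration names, so an address missing from the jail shows up as "Can't assign requested address" before the service starts. The function name `check_source_addr` is hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* expose getaddrinfo() in strict modes */
#endif
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Added example (hypothetical helper). Try to bind() a UDP socket to the
 * numeric IPv4 or IPv6 address `addr`, port 0. Returns 0 if the address is
 * usable here, EINVAL if the string is not a numeric address, otherwise the
 * errno from socket()/bind(). EADDRNOTAVAIL is the error bind() returns
 * for an address that is not assigned to this environment.
 */
int check_source_addr(const char *addr)
{
    struct addrinfo hints, *res;
    int fd, rc = 0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;                 /* accept v4 and v6 */
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;  /* no DNS lookups */
    if (getaddrinfo(addr, "0", &hints, &res) != 0)
        return EINVAL;

    fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (fd < 0) {
        rc = errno;
    } else {
        if (bind(fd, res->ai_addr, res->ai_addrlen) < 0)
            rc = errno;
        close(fd);
    }
    freeaddrinfo(res);
    return rc;
}

/* Usage: ./chkbind ADDR...  Exit status is non-zero if any address fails. */
int main(int argc, char **argv)
{
    int i, failed = 0;
    for (i = 1; i < argc; i++) {
        int rc = check_source_addr(argv[i]);
        printf("%-40s %s\n", argv[i], rc ? strerror(rc) : "ok");
        failed |= (rc != 0);
    }
    return failed;
}
```

Run inside the jail against the addresses the configuration binds to; a non-zero exit status can gate the service start after each sync.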



Re: anyone using ssl accellorator cards in jail?

2009-04-06 Thread Brian A. Seklecki
On Tue, 2009-03-31 at 07:38 -0700, Michael Scheidell wrote:
> trying to speed things up.

I suspect that syscalls that support acceleration will simply fall right
through the jail into the host kernel.

I'll be testing that some time next week -- so I'll let you know.  I
don't think file handle access to /dev/crypto is required for Engine
support.   

Again, I'll let you know ~BAS





Re: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD

2008-12-05 Thread Brian A. Seklecki
On Tue, 2008-12-02 at 21:00 -0500, alexus wrote:
> as far as I understood HEAD is 8.0-CURRENT

The trick is to bribe the right people to get it RFP'd into 7.2R. :)

~BAS

-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.




Re: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD

2008-12-05 Thread Brian A. Seklecki
On Fri, 2008-12-05 at 20:47 +0100, Dag-Erling Smørgrav wrote:
> The question is, does it change existing behavior, or just add new
> functionality?

The syntax semantics should be backward compatible, so likely the
latter.


-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.




Re: Multiple IPS - Freebsd 7.1

2008-10-02 Thread Brian A. Seklecki
On Wed, 2008-10-01 at 12:39 +, Bjoern A. Zeeb wrote:
> thoughts on MFCing it to 7-STABLE so it could be in 7.2-R. I cannot

Someone might be encouraged by the idea of a nice 21 year scotch under
the Christmas tree.

Although I'm not holding my breath (Bjoern -- I have to talk to you
about that FAST_IPSEC NAT-T patch for FreeBSD), I'm just glad that this
won't involve / require a full pullup of Julian Elischer's Vimage and
FIB+Multi-Routing-Table changes.

Chances of those making their way into 7.x are low like Skylab.

-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.



