Re: CARP best practices

[Peter Hessler]

Please keep in mind that if the cluster should fail over while you are
logged in via ssh, you will stop being logged in.



On 2013 Jan 30 (Wed) at 15:50:14 -0500 (-0500), System Administrator wrote:
:Thank you Alexander (and Johan) for confirming what I kinda suspected --
: use shared keys if it is a published (ie. failover required) service, 
:otherwise bind only to dedicated address(es) using dedicated keys.
:
:On 30 Jan 2013 at 18:33, Alexander Hall wrote:
:
:> On 01/30/13 17:56, System Administrator wrote:
:> > I finally got to deploy a CARP firewall cluster (HA failover for now).
:> > Using only the official OpenBSD.org documentation, everything went very
:> > smoothly even though the setup is not quite trivial (14 carp addresses
:> > on 6 active interfaces). I even got system replication going using
:> > rdist(1).
:> >
:> > While testing the failover and trying to ssh to a carp address I got
:> > hit with the server key mismatch; hence this email. What is considered
:> > best practice wrt ssh keys in a carp cluster -- install the same keys
:> > on all member nodes to avoid the alerts or just live with the
:> > occasional mismatch?
:> 
:> Is the ssh service one of the failover'able services?
:> 
:> If it is, I believe it makes sense to share the keys (that's what I do 
:> anyway), alternatively you could have a second sshd configured with a 
:> shared HostKey.
:> 
:> If it is not, I'd suggest letting sshd listen only on the host address 
:> and not on the carp address.
:> 
:> /Alexander
:

-- 
We can defeat gravity.  The problem is the paperwork involved.

Re: vnd and softraid panic

[Eivind Evensen]

On Thu, Jan 31, 2013 at 12:20:14AM +1100, Joel Sing wrote:
> On Wed, 30 Jan 2013, Eivind Evensen wrote:
> > On Wed, Jan 23, 2013 at 02:33:16AM +1100, Joel Sing wrote:
> > > On Thu, 3 Jan 2013, Eivind Evensen wrote:
> > > > On Mon, Dec 31, 2012 at 07:21:08PM +1100, Joel Sing wrote:
> > > > > On Mon, 31 Dec 2012, Eivind Evensen wrote:
> > > > > > Hello.
> > > > > >
> > > > > > Trying to play around a bit with softraid using vnd reliably
> > > > > > results in a panic when assembling the raid volume. I think the
> > > > > > first time I tried this was around 4.9 so it's not something new.
> > > >
> > > > ...
> > >
> > > FWIW this should now be rectified in -current.
> >
> > I tried a snapshot downloaded on 21.th
> > (OpenBSD 5.2-current (GENERIC) #17: Fri Jan 18 19:42:57 MST 2013)
> > which produced the same results. I waited a few days in case the snapshot
> > was too old and built from sources from yesterday, still giving
> > the same results. I don't need such a setup so it's not a big deal, but
> > here's output and dmesg in case it may be helpful:
> 
> Thanks for the report. For some reason I thought you had tried using softraid 
> crypto on a vnd and overlooked the fact that you were trying to use RAID 5 
> (and now RAID 1). To clarify, RAID 0, CONCAT and CRYPTO should all now work 
> on top of a vnd - RAID 1, RAID 4 and RAID 5 will still break in the manner 
> given below (panic related to active workunits). These disciplines require 
> the same changes that I've made to the other three, however they're a little 
> more complex and time consuming. I'll try to get to them fixed soon.

I see, thanks for the explanation.

Eivind.

Re: a possible rdist bug

[Philip Guenther]

On Wed, Jan 30, 2013 at 11:46 AM, System Administrator
 wrote:
> To simplify maintenance of a carp firewall cluster, I setup system
> replication with rdist(1), which works rather nicely with one notable
> exception where cmdspecial fires even when there are no updated files.
> It is the only instance of cmdspecial that misfires, it is also the
> only instance that specifies globbing explicitly.
>
> If this is known (or a feature), where is it documented? If this is a
> bug, how do I go about tracking it down?

My inclination would be to leave the behavior (I can see it as useful,
and actually wonder if I may have used this by accident in a past
life) as is but have your command check the $FILES env variable and do
nothing if it's empty:

 The cmdspecial command is similar to the special command, except it is
 executed only when the entire command is completed instead of after each
 file is updated.  The list of files is placed in the FILES environment
 variable.  Each file name in FILES is separated by a `:' (colon).


Philip Guenther

Re: npppd with tun interface not work on i386?

[YASUOKA Masahiko]

Hi,

On Tue, 29 Jan 2013 20:20:24 +0100
csszep  wrote:
> I tried to start npppd with the default config with tun0 interface on
> my Alix board:
> 
> I get the following error message:
> 
> # npppd -d
> 2013-01-29 19:54:38:NOTICE: Starting npppd pid=13464 version=5.0.0
> 2013-01-29 19:54:38:NOTICE: Load configuration
> from='/etc/npppd/npppd.conf' successfully.
> 2013-01-29 19:54:38:ERR: tun0 delete ipaddress tun0 failed: Device not
> configured

This was from a bug.  I fixed it on cvs.  Please update your source
code from cvs or apply a patch below.

Thank you for your report.

Index: privsep.c
===
RCS file: /cvs/src/usr.sbin/npppd/npppd/privsep.c,v
retrieving revision 1.7
diff -u -p -r1.7 privsep.c
--- privsep.c   28 Sep 2012 23:46:00 -  1.7
+++ privsep.c   31 Jan 2013 02:03:36 -
@@ -463,7 +463,7 @@ priv_get_if_addr(const char *ifname, str
struct PRIVSEP_GET_IF_ADDR_RESP  r;
 
a.cmd = PRIVSEP_GET_IF_ADDR;
-   strlcpy(a.ifname, ifname, sizeof(ifname));
+   strlcpy(a.ifname, ifname, sizeof(a.ifname));
if ((retval = send(privsep_sock, &a, sizeof(a), 0)) < 0)
return retval;
if ((retval = recv(privsep_sock, &r, sizeof(r), 0)) < 0) {
@@ -488,7 +488,7 @@ priv_delete_if_addr(const char *ifname)
struct PRIVSEP_DEL_IF_ADDR_ARG   a;
 
a.cmd = PRIVSEP_DEL_IF_ADDR;
-   strlcpy(a.ifname, ifname, sizeof(ifname));
+   strlcpy(a.ifname, ifname, sizeof(a.ifname));
if ((retval = send(privsep_sock, &a, sizeof(a), 0)) < 0)
return retval;
retval = privsep_common_resp();
@@ -503,7 +503,7 @@ priv_set_if_addr(const char *ifname, str
struct PRIVSEP_SET_IF_ADDR_ARG   a;
 
a.cmd = PRIVSEP_SET_IF_ADDR;
-   strlcpy(a.ifname, ifname, sizeof(ifname));
+   strlcpy(a.ifname, ifname, sizeof(a.ifname));
a.addr = *addr;
if ((retval = send(privsep_sock, &a, sizeof(a), 0)) < 0)
return retval;
@@ -519,7 +519,7 @@ priv_get_if_flags(const char *ifname, in
struct PRIVSEP_GET_IF_FLAGS_RESP  r;
 
a.cmd = PRIVSEP_GET_IF_FLAGS;
-   strlcpy(a.ifname, ifname, sizeof(ifname));
+   strlcpy(a.ifname, ifname, sizeof(a.ifname));
if ((retval = send(privsep_sock, &a, sizeof(a), 0)) < 0)
return retval;
if ((retval = recv(privsep_sock, &r, sizeof(r), 0)) < 0) {
@@ -543,7 +543,7 @@ priv_set_if_flags(const char *ifname, in
struct PRIVSEP_SET_IF_FLAGS_ARG   a;
 
a.cmd = PRIVSEP_SET_IF_FLAGS;
-   strlcpy(a.ifname, ifname, sizeof(ifname));
+   strlcpy(a.ifname, ifname, sizeof(a.ifname));
a.flags = flags;
if ((retval = send(privsep_sock, &a, sizeof(a), 0)) < 0)
return retval;

frontiernet mirror

[Andrew Ngo]

I think the openbsd.mirror.frontiernet.net mirror is stale; its most recent
packages are dated Jan 8th to me. Does anyone else see this?


-- 
Sincerely,
Andrew Ngo

Re: mfs / mount_mfs(8) memory usage never shrinks?

[Stuart Henderson]

On 2013-01-30, Constantine A. Murenin  wrote:
> Hello misc@,
>
> On OpenBSD 5.2 amd64, I'm storing 1.4GB of source code files and about
> 8x 150MB indices on an mfs partition, plus a gig or two of other
> automatically-generated files.
>
> If I run mount_mfs to load all this stuff from a regular drive, then
> the amount of memory used by mount_mfs(8) is about the same as the
> amount of Used disc space as reported by df(1).
>
> However, if I re-run index generation on an mfs, then after it's all
> done, memory usage by mount_mfs(8) noticeably exceeds Used disc space.
>  As a workaround, I found that it's possible to copy all the files
> over to a new mount_mfs(8) process, after the indices have been
> re-generated, and the new process will at first have a much better
> memory usage, but this seems a little inconvenient and would also
> require a temporary burst of extra RAM to accomplish.
>
> Should I worry that on a 6GB partition that is only 4GB full,
> mount_mfs uses 5GB of memory after about 3GB of data gets mingled?  Is
> mount_mfs swappable?  If I end up being short on memory, would that
> extra 1GB from mount_mfs(8) be swapped out without affecting the
> performance?  Or is there a way to run some kind of garbage collector
> or otherwise improve on an mfs memory use?
>
> % df -hi | fgrep -e Used -e mfs ; mount | fgrep mfs ; ps aux | fgrep
> -e USER -e mfs
> Filesystem SizeUsed   Avail Capacity iused   ifree  %iused  Mounted on
> mfs:18610  5.9G4.1G1.5G73%  439864  35770255%   /grok/mfs
> mfs:18610 on /grok/mfs type mfs (asynchronous, local, nodev, nosuid,
> size=12582912 512-blocks)
> USER   PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED   TIME COMMAND
> root 18610  0.0 40.2 6291936 5048352 ??  IsSun07PM0:22.56
> /sbin/mount_mfs -o rw -s6G -f2048
>
>
> Cheers,
> Constantine.
>
>

This is expected with mfs, don't set the filesystem to be larger
than the amount of memory you would like it to use.

I don't know how it behaves with swapping.

Re: CARP best practices

[Johan Beisser]

On Wed, Jan 30, 2013 at 2:03 PM, Jiri B  wrote:
> On Wed, Jan 30, 2013 at 09:29:42AM -0800, Johan Beisser wrote:
>> Don't monitor SSH on the CARP address.
>
> Doesn't it depend on the purpose of this SSH service?
> If it is to manage individual boxes, then sshd should not listen
> on CARP ip address.

Maybe.  Or, perhaps you have a pool of servers that are essentially
identical, and the failover service runs over SSH. In that case,
having identical host keys would clear up that specific error. But, if
a host fails out of the pool, you may not know right away.

> If it is authentication for external users like authpf,
> file uploads, I would create another sshd instance which would
> flow between boxes sharing same key, still keeping individual
> sshd for each box. We were doing this for a file upload cluster,
> though that was not OpenBSD but the issue about the key and "virtual"
> ip is the same.

Yes. I covered that in a later email. But, that's defined by the
function you're trying to use. The orginal complaint was "I'm sshing
in to the CARP address, and the host keys keep changing making SSH
throw an error."

Like any doctor who gets a complaint of "it hurts when I do this!",
the first answer is "well, don't do that." Until you get more
information, and can actually help the person out.

Re: CARP best practices

[Jiri B]

On Wed, Jan 30, 2013 at 09:29:42AM -0800, Johan Beisser wrote:
> On Wed, Jan 30, 2013 at 8:56 AM, System Administrator  
> wrote:
> > I finally got to deploy a CARP firewall cluster (HA failover for now).
> > Using only the official OpenBSD.org documentation, everything went very
> > smoothly even though the setup is not quite trivial (14 carp addresses
> > on 6 active interfaces). I even got system replication going using
> > rdist(1).
> >
> > While testing the failover and trying to ssh to a carp address I got
> > hit with the server key mismatch; hence this email. What is considered
> > best practice wrt ssh keys in a carp cluster -- install the same keys
> > on all member nodes to avoid the alerts or just live with the
> > occasional mismatch?
> 
> Don't monitor SSH on the CARP address.

Doesn't it depend on the purpose of this SSH service?
If it is to manage individual boxes, then sshd should not listen
on CARP ip address.

If it is authentication for external users like authpf,
file uploads, I would create another sshd instance which would
flow between boxes sharing same key, still keeping individual
sshd for each box. We were doing this for a file upload cluster,
though that was not OpenBSD but the issue about the key and "virtual"
ip is the same.

jirib

Re: CARP best practices

[System Administrator]

Thank you Alexander (and Johan) for confirming what I kinda suspected --
 use shared keys if it is a published (ie. failover required) service, 
otherwise bind only to dedicated address(es) using dedicated keys.

On 30 Jan 2013 at 18:33, Alexander Hall wrote:

> On 01/30/13 17:56, System Administrator wrote:
> > I finally got to deploy a CARP firewall cluster (HA failover for now).
> > Using only the official OpenBSD.org documentation, everything went very
> > smoothly even though the setup is not quite trivial (14 carp addresses
> > on 6 active interfaces). I even got system replication going using
> > rdist(1).
> >
> > While testing the failover and trying to ssh to a carp address I got
> > hit with the server key mismatch; hence this email. What is considered
> > best practice wrt ssh keys in a carp cluster -- install the same keys
> > on all member nodes to avoid the alerts or just live with the
> > occasional mismatch?
> 
> Is the ssh service one of the failover'able services?
> 
> If it is, I believe it makes sense to share the keys (that's what I do 
> anyway), alternatively you could have a second sshd configured with a 
> shared HostKey.
> 
> If it is not, I'd suggest letting sshd listen only on the host address 
> and not on the carp address.
> 
> /Alexander

mfs / mount_mfs(8) memory usage never shrinks?

[Constantine A. Murenin]

Hello misc@,

On OpenBSD 5.2 amd64, I'm storing 1.4GB of source code files and about
8x 150MB indices on an mfs partition, plus a gig or two of other
automatically-generated files.

If I run mount_mfs to load all this stuff from a regular drive, then
the amount of memory used by mount_mfs(8) is about the same as the
amount of Used disc space as reported by df(1).

However, if I re-run index generation on an mfs, then after it's all
done, memory usage by mount_mfs(8) noticeably exceeds Used disc space.
 As a workaround, I found that it's possible to copy all the files
over to a new mount_mfs(8) process, after the indices have been
re-generated, and the new process will at first have a much better
memory usage, but this seems a little inconvenient and would also
require a temporary burst of extra RAM to accomplish.

Should I worry that on a 6GB partition that is only 4GB full,
mount_mfs uses 5GB of memory after about 3GB of data gets mingled?  Is
mount_mfs swappable?  If I end up being short on memory, would that
extra 1GB from mount_mfs(8) be swapped out without affecting the
performance?  Or is there a way to run some kind of garbage collector
or otherwise improve on an mfs memory use?

% df -hi | fgrep -e Used -e mfs ; mount | fgrep mfs ; ps aux | fgrep
-e USER -e mfs
Filesystem SizeUsed   Avail Capacity iused   ifree  %iused  Mounted on
mfs:18610  5.9G4.1G1.5G73%  439864  35770255%   /grok/mfs
mfs:18610 on /grok/mfs type mfs (asynchronous, local, nodev, nosuid,
size=12582912 512-blocks)
USER   PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED   TIME COMMAND
root 18610  0.0 40.2 6291936 5048352 ??  IsSun07PM0:22.56
/sbin/mount_mfs -o rw -s6G -f2048


Cheers,
Constantine.

a possible rdist bug

[System Administrator]

To simplify maintenance of a carp firewall cluster, I setup system 
replication with rdist(1), which works rather nicely with one notable 
exception where cmdspecial fires even when there are no updated files. 
It is the only instance of cmdspecial that misfires, it is also the 
only instance that specifies globbing explicitly.

If this is known (or a feature), where is it documented? If this is a 
bug, how do I go about tracking it down?

Relevant parts of Distfile:

(Yes, there is a bunch of pf.conf* files in addition to the main one -- 
each logical function of the firewall is in its own anchor loaded via a 
separate pf.conf. file.)

NOTIFY = ( root ad...@bitwise.net )
SAVED = ( \\.OLD\$ )# previously saved
TRASH = ( \\..*\\.swp\$ ~\$ )   # vim junk

USERS = ( /etc/{master.passwd,passwd,{,s}pwd.db} )
LOCAL = ( myname hostname.* ssh/ssh_host_*key* *.orig
  disklabels dumpdates iked isakmpd rndc.key )

etc:
/etc -> ${HOSTS}
install -compare,savetargets,updateperm,younger ;
notify  ( ${NOTIFY} )   ;
except  ( /etc/${LOCAL} ${USERS} )  ;
except_pat ( ${TRASH} ${SAVED} );
cmdspecial ( /etc/pf.conf* )"/sbin/pfctl -f /etc/pf.conf" ;
special /etc/relayd.conf"/usr/sbin/relayctl reload" ;
special /etc/syslogd.conf   "/etc/rc.d/syslogd reload" ;
special /etc/inetd.conf "/etc/rc.d/inetd reload" ;
special /etc/ntpd.conf  "/etc/rc.d/ntpd restart" ;
special /etc/ssh/sshd_config"/usr/sbin/sshd -qt
&& /etc/rc.d/sshd reload
|| mv -f \$FILE.OLD \$FILE" ;

Re: CARP best practices

[System Administrator]

On 30 Jan 2013 at 9:29, Johan Beisser wrote:

> On Wed, Jan 30, 2013 at 8:56 AM, System Administrator  
> wrote:
> > I finally got to deploy a CARP firewall cluster (HA failover for now).
> > Using only the official OpenBSD.org documentation, everything went very
> > smoothly even though the setup is not quite trivial (14 carp addresses
> > on 6 active interfaces). I even got system replication going using
> > rdist(1).
> >
> > While testing the failover and trying to ssh to a carp address I got
> > hit with the server key mismatch; hence this email. What is considered
> > best practice wrt ssh keys in a carp cluster -- install the same keys
> > on all member nodes to avoid the alerts or just live with the
> > occasional mismatch?
> 
> Don't monitor SSH on the CARP address.

Sorry, I'm not following you

Re: CARP best practices

[Johan Beisser]

On Wed, Jan 30, 2013 at 9:44 AM, System Administrator  wrote:
> On 30 Jan 2013 at 9:29, Johan Beisser wrote:
>

>> > While testing the failover and trying to ssh to a carp address I got
>> > hit with the server key mismatch; hence this email. What is considered
>> > best practice wrt ssh keys in a carp cluster -- install the same keys
>> > on all member nodes to avoid the alerts or just live with the
>> > occasional mismatch?
>>
>> Don't monitor SSH on the CARP address.
>
> Sorry, I'm not following you

Do you need to be able to ssh in to the firewall(s) via the CARP
addresses? If the answer is yes, share the host keys between them.

Or set up a redirect for the CARP addresses that goes to an alternate
sshd port from port 22. Which uses the same host keys between the
systems.

Re: CARP best practices

[Alexander Hall]

On 01/30/13 17:56, System Administrator wrote:

I finally got to deploy a CARP firewall cluster (HA failover for now).
Using only the official OpenBSD.org documentation, everything went very
smoothly even though the setup is not quite trivial (14 carp addresses
on 6 active interfaces). I even got system replication going using
rdist(1).

While testing the failover and trying to ssh to a carp address I got
hit with the server key mismatch; hence this email. What is considered
best practice wrt ssh keys in a carp cluster -- install the same keys
on all member nodes to avoid the alerts or just live with the
occasional mismatch?


Is the ssh service one of the failover'able services?

If it is, I believe it makes sense to share the keys (that's what I do 
anyway), alternatively you could have a second sshd configured with a 
shared HostKey.


If it is not, I'd suggest letting sshd listen only on the host address 
and not on the carp address.


/Alexander

Re: CARP best practices

[Johan Beisser]

On Wed, Jan 30, 2013 at 8:56 AM, System Administrator  wrote:
> I finally got to deploy a CARP firewall cluster (HA failover for now).
> Using only the official OpenBSD.org documentation, everything went very
> smoothly even though the setup is not quite trivial (14 carp addresses
> on 6 active interfaces). I even got system replication going using
> rdist(1).
>
> While testing the failover and trying to ssh to a carp address I got
> hit with the server key mismatch; hence this email. What is considered
> best practice wrt ssh keys in a carp cluster -- install the same keys
> on all member nodes to avoid the alerts or just live with the
> occasional mismatch?

Don't monitor SSH on the CARP address.

OpenBSD 5.2, high idle interrupts with stable amd64 bsd.mp

[matyssik]

Running stable OpenBSD 5.2 and in the top I see high interrupt CPU
utilization despite machine being idle. I am not sure if I should be worried
or if the is some sort of bug. Please advise.

dmesg:
OpenBSD 5.2-stable (MERCURY.MP) #0: Sun Jan 27 21:58:30 JST 2013
r...@mercury.askyan.com:/usr/src/sys/arch/amd64/compile/MERCURY.MP
real mem = 4149907456 (3957MB)
avail mem = 4017065984 (3830MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb770 (76 entries)
bios0: vendor American Megatrends Inc. version "V1.1" date 07/30/2012
bios0: MSI MS-7808
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT MCFG HPET SSDT SSDT SSDT ASF!
acpi0: wakeup devices PS2K(S3) PS2M(S3) P0P1(S4) USB1(S3) USB2(S3) USB3(S3)
USB4(S3) USB5(S3) USB6(S3) USB7(S3) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4)
PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4)
PXSX(S4) RP07(S4) PXSX(S4) RP08(S4) PEGP(S4) PEG0(S4) PEG1(S4) PEG2(S4)
PEG3(S4) GLAN(S4) EHC1(S4) EHC2(S4) XHC_(S4) HDEF(S4) PWRB(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i3-3220T CPU @ 2.80GHz, 2794.06 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,XSAVE,AVX,NXE,LONG,LAHF
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 99MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i3-3220T CPU @ 2.80GHz, 2793.66 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,XSAVE,AVX,NXE,LONG,LAHF
cpu1: 256KB 64b/line 8-way L2 cache
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (P0P1)
acpiprt2 at acpi0: bus 2 (RP01)
acpiprt3 at acpi0: bus 3 (RP02)
acpiprt4 at acpi0: bus -1 (RP03)
acpiprt5 at acpi0: bus -1 (RP04)
acpiprt6 at acpi0: bus -1 (RP05)
acpiprt7 at acpi0: bus -1 (RP06)
acpiprt8 at acpi0: bus -1 (RP07)
acpiprt9 at acpi0: bus -1 (RP08)
acpiprt10 at acpi0: bus 1 (PEG0)
acpiprt11 at acpi0: bus -1 (PEG1)
acpiprt12 at acpi0: bus -1 (PEG2)
acpiprt13 at acpi0: bus -1 (PEG3)
acpiec0 at acpi0: Failed to read resource settings
acpicpu0 at acpi0: C3, C1, PSS
acpicpu1 at acpi0: C3, C1, PSS
acpipwrres0 at acpi0: FN00
acpipwrres1 at acpi0: FN01
acpipwrres2 at acpi0: FN02
acpipwrres3 at acpi0: FN03
acpipwrres4 at acpi0: FN04
acpitz0 at acpi0: critical temperature is 92 degC
acpitz1 at acpi0: critical temperature is 92 degC
acpibat0 at acpi0: BAT0 not present
acpibat1 at acpi0: BAT1 not present
acpibat2 at acpi0: BAT2 not present
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: LID0
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD02
cpu0: Enhanced SpeedStep 2794 MHz: speeds: 2800, 2700, 2600, 2500, 2400,
2300, 2200, 2100, 2000, 1900, 1800, 1700, 1600 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Xeon E3-1200v2 Host" rev 0x09
ppb0 at pci0 dev 1 function 0 vendor "Intel", unknown product 0x0151 rev
0x09: msi
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 "Intel PRO/1000 PT (82571EB)" rev 0x06: apic 2
int 16, address 00:15:17:21:2a:3e
em1 at pci1 dev 0 function 1 "Intel PRO/1000 PT (82571EB)" rev 0x06: apic 2
int 17, address 00:15:17:21:2a:3f
vga1 at pci0 dev 2 function 0 "Intel HD Graphics 2500" rev 0x09
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp at vga1 not configured
"Intel 7 Series xHCI" rev 0x04 at pci0 dev 20 function 0 not configured
"Intel 7 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
ehci0 at pci0 dev 26 function 0 "Intel 7 Series USB" rev 0x04: apic 2 int 16
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb1 at pci0 dev 28 function 0 "Intel 7 Series PCIE" rev 0xc4: msi
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 1 "Intel 7 Series PCIE" rev 0xc4: msi
pci3 at ppb2 bus 3
re0 at pci3 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E-VL
(0x2c80), apic 2 int 17, address d4:3d:7e:35:62:7b
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 5
ehci1 at pci0 dev 29 function 0 "Intel 7 Series USB" rev 0x04: apic 2 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xa4
pci4 at ppb3 bus 4
pcib0 at pci0 dev 31 function 0 "Intel B75 LPC" rev 0x04
ahci0 at pci0 dev 31 function 2 "Intel 7 Series AHCI" rev 0x04: msi, AHCI
1.3
scsibus0 at ahci0: 32 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct
fixed naa.500a075109196cd0
sd0: 61057MB, 512 bytes/sector, 125045424 sectors, thi

CARP best practices

[System Administrator]

I finally got to deploy a CARP firewall cluster (HA failover for now). 
Using only the official OpenBSD.org documentation, everything went very 
smoothly even though the setup is not quite trivial (14 carp addresses 
on 6 active interfaces). I even got system replication going using 
rdist(1).

While testing the failover and trying to ssh to a carp address I got 
hit with the server key mismatch; hence this email. What is considered 
best practice wrt ssh keys in a carp cluster -- install the same keys 
on all member nodes to avoid the alerts or just live with the 
occasional mismatch?

Thanks in advance.

OpenBSD 5.2-stable (GENERIC.MP) #0: Tue Jan  1 19:44:42 EST 2013

OpenBSD 5.2 isakmpd sequence number problem

[Bartosz Brzozowski]

Hi Misc.

I have two location A i B in my lab.
In the location A there is isakmpd + carp + pfsync + sasync cluster on 
which there is installed OpenBSD 5.2 GENERIC.MP#339 i386

In the location B there is single OpenBSD 5.2 GENERIC#278 i386 installation.

I have successfully established IPsec site-to-site connection between 
those two location and everything works fine until failover occurs in 
the cluster in location A ( I am  using ifconfig -g carp carpdemote 128 
command on the MASTER node to force the failover).
When failover occurs pfsync increase sequence number on the new MASTER 
node by 16384 and cluster continues sending ESP packets with the new, 
increased value (for example if the last seq number on the old MASTER 
was sent with the value equal to 100 the new MASTER will send his first 
packet with seq number equal to 16484).
On the OpenBSD 5.2 in location B, using tcpdump I am able to see ESP 
packets, with the new increased seq number, on the phisical interface, 
but I do not see any transmition on enc0 interface. The ESP packets are 
continuously going out of the cluster A and are continuously, silently 
dropped on OpenBSD in location B. All IPsec transmition is broken until 
new SA are established and seq number is reset to 0.


I noted that starting from version OpenBSD 5.2 there is added support 
for Extended Sequence Numbers in the IPsec stack, so I go back with the 
version of OpenBSD on the server located in B from 5.2 to 5.1 
GENERIC#160 i386, copied all configuration files to it, established once 
again IPsec beetwen A and B and from that point everything started to 
work perfectly. Now I am able to switch nodes in cluster A (ofcourse seq 
number, everytime I switch nodes is increased by 16384) and OpenBSD 5.1 
in location B successfully decrypt and encrypt connection. I am able to 
see packets, going in both directions, on interface enc0 as well I am 
able to see ESP packet on phisical interface on OpenBSD 5.1.


Is there bug in inplementation ESN in new IPsec stack on OpenBSD 5.2 or 
do I need additional configuration to make above setup to started to 
work properly.

Please let me know if You need any additional information.

Thanks for advise regards,
Bartosz Brzozowski

Re: vnd and softraid panic

[Joel Sing]

On Wed, 30 Jan 2013, Eivind Evensen wrote:
> On Wed, Jan 23, 2013 at 02:33:16AM +1100, Joel Sing wrote:
> > On Thu, 3 Jan 2013, Eivind Evensen wrote:
> > > On Mon, Dec 31, 2012 at 07:21:08PM +1100, Joel Sing wrote:
> > > > On Mon, 31 Dec 2012, Eivind Evensen wrote:
> > > > > Hello.
> > > > >
> > > > > Trying to play around a bit with softraid using vnd reliably
> > > > > results in a panic when assembling the raid volume. I think the
> > > > > first time I tried this was around 4.9 so it's not something new.
> > >
> > > ...
> >
> > FWIW this should now be rectified in -current.
>
> I tried a snapshot downloaded on 21.th
> (OpenBSD 5.2-current (GENERIC) #17: Fri Jan 18 19:42:57 MST 2013)
> which produced the same results. I waited a few days in case the snapshot
> was too old and built from sources from yesterday, still giving
> the same results. I don't need such a setup so it's not a big deal, but
> here's output and dmesg in case it may be helpful:

Thanks for the report. For some reason I thought you had tried using softraid 
crypto on a vnd and overlooked the fact that you were trying to use RAID 5 
(and now RAID 1). To clarify, RAID 0, CONCAT and CRYPTO should all now work 
on top of a vnd - RAID 1, RAID 4 and RAID 5 will still break in the manner 
given below (panic related to active workunits). These disciplines require 
the same changes that I've made to the other three, however they're a little 
more complex and time consuming. I'll try to get to them fixed soon.

> root:skoeske> dd if=/dev/zero of=disk1 bs=1m count=100
> 100+0 records in
> 100+0 records out
> 104857600 bytes transferred in 2.875 secs (36462177 bytes/sec)
> root:skoeske> r disk1=disk2
> dd if=/dev/zero of=disk2 bs=1m count=100
> 100+0 records in
> 100+0 records out
> 104857600 bytes transferred in 3.219 secs (32567739 bytes/sec)
> root:skoeske> r disk2=disk3
> dd if=/dev/zero of=disk3 bs=1m count=100
> 100+0 records in
> 100+0 records out
> 104857600 bytes transferred in 3.569 secs (29378164 bytes/sec)
> root:skoeske> vnconfig vnd0 disk1
> root:skoeske> vnconfig vnd1 disk2
> root:skoeske> vnconfig vnd2 disk3
> root:skoeske> fdisk -iy vnd0
> Warning CHS values out of bounds only saving LBA values
> Writing MBR at offset 0.
> root:skoeske> fdisk -iy vnd1
> Warning CHS values out of bounds only saving LBA values
> Writing MBR at offset 0.
> root:skoeske> fdisk -iy vnd2
> Warning CHS values out of bounds only saving LBA values
> Writing MBR at offset 0.
> root:skoeske> printf "a\n\n\n\nRAID\nw\nq\n\n" | disklabel -E vnd0
> Label editor (enter '?' for help at any prompt)
>
> > partition: [a] offset: [128] size: [204672] FS type: [4.2BSD] > > No
> > label changes.
>
> root:skoeske> printf "a\n\n\n\nRAID\nw\nq\n\n" | disklabel -E vnd1
> Label editor (enter '?' for help at any prompt)
>
> > partition: [a] offset: [128] size: [204672] FS type: [4.2BSD] > > No
> > label changes.
>
> root:skoeske> printf "a\n\n\n\nRAID\nw\nq\n\n" | disklabel -E vnd2
> Label editor (enter '?' for help at any prompt)
>
> > partition: [a] offset: [128] size: [204672] FS type: [4.2BSD] > > No
> > label changes.
>
> root:skoeske> bioctl -c 1 -l /dev/vnd0a,/dev/vnd1a,/dev/vnd2a softraid0
> sd0 at scsibus1 targ 1 lun 0:  SCSI2 0/direct
> fixed sd0: 99MB, 512 bytes/sector, 204144 sectors
> softraid0: SR RAID 1 volume attached as sd0
> panic: softraid0: sr_wu_init got active wu
> Stopped at  Debugger+0x4:   popl%ebp
> RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
> DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
> ddb> trace
> Debugger(d08fcddc,f2087de8,d08d0da4,f2087de8,d0a7e540) at Debugger+0x4
> panic(d08d0da4,d0f8c014,f2087dfc,d036ccf3,d0fedab8) at panic+0x5d
> sr_wu_init(d1055000,d0fedab8,f2087e3c,d1055a30,d1057f00) at sr_wu_init+0x73
> sr_wu_put(d1055000,d0fedab8,f2087e3c,f2087e3c,d02030dd) at sr_wu_put+0x2f
> scsi_io_put(d1055a30,d0fedab8,8000,d0fedab8,d0fedab8) at scsi_io_put+0x19
> scsi_xs_put(f2027000,f2027000,f2087e8c,d041de18,d1055000) at
> scsi_xs_put+0x37 sr_raid1_intr(d1065000,f1fabdc4,f17dc000,200,52000) at
> sr_raid1_intr+0x107 vndstrategy(d1065000,0,0,50,d1065000) at
> vndstrategy+0x70
> spec_strategy(f2087f48,0,f2087f6c,d03f2c28,d1053d90) at spec_strategy+0x3d
> VOP_STRATEGY(d1065000,0,0,0,d0fedaf8) at VOP_STRATEGY+0x2c
> sr_startwu_callback(d1055000,d0fedab8,d02008bf,d1053d80,d03f2c50) at
> sr_startwu _callback+0x39
> workq_thread(d1053d80) at workq_thread+0x36
> Bad frame pointer: 0xd0bc8ed8
> ddb> ps
>PID   PPID   PGRPUID  S   FLAGS  WAIT  COMMAND
> *23369  0  0  0  70x100200srdis
>  19292   1571   6315   1000  30x80  ttyin less
>   1571   6315   6315   1000  30x88  pause sh
>   6315  30722   6315   1000  30x80  wait  man
>  30722  11048  30722   1000  30x88  pause ksh
>  11048   2130   2130   1000  30x80  selectsshd
>   2130   1703   2130  0  3

Re: npppd radius on current jan 21

[mxb]

Yasuoka forgot to commit his fix.
I have it working.

//maxim

On 30 jan 2013, at 11:54, Robert Blacquiere  wrote:

> Hi, 
> 
> I run in to a issue using npppd with radius. It look to me the parsing
> of radius port info is not working. 
> 
> I have: authentication section:
> 
> authentication RADIUS type radius {
>   authentication-server {
>   address 192.168.0.1 port 1812 secret "hogehoge"
>   }
>   accounting-server {
>   address 192.168.0.1 port 1813 secret "hogehoge"
>   }
> }
> 
> If i start npppd and try to authenticate is starts communicating with
> the radius server 192.168.0.1 on port 5127. 
> If i change port number to 1645  (old radius) i get 27910 ... 
> 
> It really looks like there is a bug of memory corruption. Also i tried
> for fun port 1 and got port 256 in tcpdump.
> 
> Also if 
> address 192.168.0.1 secret "hogehoge" 
> is used it completely does not talk to the radius server and in
> /var/log/daemon you get a message like 
> npppd[]: connect() failed in radius_prepare_socket: Can't assign requested 
> address
> 
> Authenticating with localfile works fine and is tested. 
> 
> I have looked at parse.y and serveral other items in
> /usr/src/usr.sbin/npppd/npppd but my C is not up to it yet :(
> 
> Can someone point me in direction to solve this. 
> 
> Note: It was working with the 5.1 release manual build and old
> config style. 
> 
> Regards
> 
> Robert

npppd radius on current jan 21

[Robert Blacquiere]

Hi, 

I run in to a issue using npppd with radius. It look to me the parsing
of radius port info is not working. 

I have: authentication section:

authentication RADIUS type radius {
   authentication-server {
   address 192.168.0.1 port 1812 secret "hogehoge"
   }
   accounting-server {
   address 192.168.0.1 port 1813 secret "hogehoge"
   }
}

If i start npppd and try to authenticate is starts communicating with
the radius server 192.168.0.1 on port 5127. 
If i change port number to 1645  (old radius) i get 27910 ... 

It really looks like there is a bug of memory corruption. Also i tried
for fun port 1 and got port 256 in tcpdump.

Also if 
 address 192.168.0.1 secret "hogehoge" 
is used it completely does not talk to the radius server and in
/var/log/daemon you get a message like 
npppd[]: connect() failed in radius_prepare_socket: Can't assign requested 
address

Authenticating with localfile works fine and is tested. 

I have looked at parse.y and serveral other items in
/usr/src/usr.sbin/npppd/npppd but my C is not up to it yet :(

Can someone point me in direction to solve this. 

Note: It was working with the 5.1 release manual build and old
config style. 

Regards

Robert