Re: rcctl ansible service support
On Oct 13, 2014 10:40 PM, Patrik Lundin patrik.lundin@gmail.com wrote:
> On Sat, Sep 13, 2014 at 02:39:04AM +0200, Patrik Lundin wrote:
> > armani@ has laid the groundwork for this and I recently started contributing to his fork as well. The work-in-progress can be found here:
> > https://github.com/jarmani/ansible/tree/openbsd_rcctl/library/system
>
> Just a heads up: ansible has since had its modules split into two new repositories, core and extras. The current service module (with additional fixes that require a recent rcctl(8)) can be found here:
> https://github.com/jarmani/ansible-modules-core/blob/openbsd_rcctl/system/service.py
>
> Regards,
> Patrik Lundin

Thanks, I appreciate the heads up. I've been using this module for a few weeks and everything is working well. Is a recent rcctl post the 5.6 freeze, or will this work with the next release?

Thanks again.
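What a service module has to do on top of rcctl(8) is mostly bookkeeping: read the current state, compare it with the requested one, and run only the commands that are needed so that repeated plays report no change. The block below is an added illustration of that logic; it is not code from jarmani's fork, from Ansible, or from the thread. It assumes rcctl behaviour that should be checked against the rcctl(8) page of the release in use: `rcctl check NAME` exits 0 when the daemon runs, `rcctl get NAME flags` prints `NO` when the service is disabled, and `rcctl enable|disable|start|stop|restart NAME` do what their names say. The in-memory `FakeRcctl` stands in for the real binary so the planner can be exercised on a machine without rcctl.

```python
"""Idempotent rcctl(8) planning, the way a configuration-management service
module would do it.  Added example; assumptions about rcctl output are
marked below and should be checked against the rcctl(8) man page."""
import subprocess
from typing import Callable, List, Optional, Tuple

# A runner takes an argv list and returns (exit_status, stdout).
Runner = Callable[[List[str]], Tuple[int, str]]


def real_runner(argv: List[str]) -> Tuple[int, str]:
    """Run rcctl for real (needs root on an OpenBSD host); unused by the tests."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout


def current_status(name: str, run: Runner) -> Tuple[bool, bool]:
    """Return (enabled, running) as rcctl reports them.
    Assumption: "rcctl get NAME flags" prints NO for a disabled service and
    "rcctl check NAME" exits 0 only when the daemon is running."""
    rc, out = run(["rcctl", "get", name, "flags"])
    enabled = rc == 0 and out.strip() != "NO"
    rc, _ = run(["rcctl", "check", name])
    return enabled, rc == 0


def plan(name: str, enabled: Optional[bool], state: Optional[str],
         run: Runner) -> List[List[str]]:
    """Compute the rcctl commands needed to reach the requested settings.

    enabled: True / False / None (None = leave rc.conf.local alone)
    state:   "started", "stopped", "restarted" or None
    An empty plan means the host is already compliant (changed=False).
    """
    is_enabled, is_running = current_status(name, run)
    cmds: List[List[str]] = []
    if enabled is True and not is_enabled:
        cmds.append(["rcctl", "enable", name])
    elif enabled is False and is_enabled:
        cmds.append(["rcctl", "disable", name])
    if state == "started" and not is_running:
        cmds.append(["rcctl", "start", name])
    elif state == "stopped" and is_running:
        cmds.append(["rcctl", "stop", name])
    elif state == "restarted":
        cmds.append(["rcctl", "restart", name])
    return cmds


def apply_plan(name: str, enabled: Optional[bool], state: Optional[str],
               run: Runner) -> bool:
    """Execute the plan; return True if anything changed, raise on failure."""
    cmds = plan(name, enabled, state, run)
    for argv in cmds:
        rc, _ = run(argv)
        if rc != 0:
            raise RuntimeError("%s failed with status %d" % (" ".join(argv), rc))
    return bool(cmds)


class FakeRcctl:
    """In-memory stand-in for rcctl so the planner can run offline.
    It mirrors the assumed output conventions documented in current_status."""

    def __init__(self, enabled: bool, running: bool) -> None:
        self.enabled, self.running = enabled, running

    def __call__(self, argv: List[str]) -> Tuple[int, str]:
        verb = argv[1]
        if verb == "get":
            return 0, ("" if self.enabled else "NO") + "\n"
        if verb == "check":
            return (0 if self.running else 1), ""
        if verb in ("enable", "disable"):
            self.enabled = verb == "enable"
        elif verb in ("start", "stop", "restart"):
            self.running = verb != "stop"
        return 0, ""


if __name__ == "__main__":
    fake = FakeRcctl(enabled=False, running=False)
    print(plan("sshd", True, "started", fake))      # two commands
    print(apply_plan("sshd", True, "started", fake))  # True, then ...
    print(apply_plan("sshd", True, "started", fake))  # ... False: nothing to do
```

The separation between `plan` and `apply_plan` is what gives a check mode for free: the planner never runs anything, so it can be called to preview changes on a host.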
rcctl ansible service support
Just a quick check to see if anyone is working on this yet. I can give a hand if someone is already working on it, otherwise I'm going to take a run at it.
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
Dan Kaminsky (http://dankaminsky.com) has been working on Domain Key Infrastructure, bootstrapped off of DNSSEC, that looks pretty interesting. I'm not sure where the video is for this talk (it was at Black Hat/DEF CON 2010), but I found the slides:
http://www.slideshare.net/dakami/phreebird-suite-10-introducing-the-domain-key-infrastructure

On Tue, Dec 14, 2010 at 14:06, Tomas Vavrys vav...@cleancode.cz wrote:
> Is there a light at the end of the tunnel somewhere to make email secure even for amateurs who don't know how to use PGP? I'm very curious about the future of email, especially now. I would like to hear opinions of OpenBSD wizards. The thing is that it is very hard to persuade someone to use PGP all the time.
>
> > 2010/12/13 Joel Wiramu Pauling j...@aenertia.net:
> > On 13 December 2010 22:23, Joachim Schipper joac...@joachimschipper.nl wrote:
> > On Sun, Dec 12, 2010 at 09:11:16PM -0700, Travis King wrote:
> > Joel Wiramu Pauling j...@aenertia.net wrote:
> > Marti Martinez ma...@ece.arizona.edu wrote:
> > Ted Unangst ted.unan...@gmail.com wrote:
> > At some point you're going to realize that the javascript that decrypts your mail has to come from someplace. A better alternative would be a PGP browser addon (...)
> >
> > [See] firegpg
> >
> > firegpg is the only way I can get friends and family to communicate with me securely. I don't even know what the interface looks like, but it does work (apparently).
> >
> > It's unmaintained. I would also be surprised if the server can't get at your plaintext (e.g. with Javascript, or even Java/Flash). You may want to look at http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/ and the comments (in particular, my http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/#comment-6239). Summary: it doesn't work, and can't work unless you add a plugin with *many* restrictions.
> >
> > Joachim
> > --
> > PotD: devel/ivy - dependency manager for Java
> > http://www.joachimschipper.nl/
> >
> > Firegpg was basically just chrome extensions to local (read client) side gpg binaries. It wasn't insecure for the reasons you cite, the author just got sick of having to update it to work with gmail (its initial target). It is still useful for easy access to gpg functions within firefox.
Re: My pf.conf and an nmap scan
Try:

    set block-policy return

You should get your proper closed messages in nmap.

On Fri, Nov 12, 2010 at 13:27, woolsherpahat woolsherpa...@gmail.com wrote:
> (please see my in-line comments)
>
> On Fri, Nov 12, 2010 at 12:09 PM, Kenneth Gober kgo...@gmail.com wrote:
> > is it this?
> >
> >     # redirect external ssh traffic from ?
> >     pass in log on $ext_if inet proto tcp to ($ext_if) port ? \
> >         rdr-to 127.0.0.1 port 22
> >
> > to me, that rule looks like it will accept any inbound traffic on the external interface and redirect it to 127.0.0.1:22. but I don't know what the question marks do; I've never seen them used in a pf rule before. my guess is, if pf accepts them at all, it treats them as a wildcard.
> >
> > -ken
>
> The ? marks are just replacements for the actual port number. This rule should forward outside traffic from port ? to the SSH server, but I think you are probably on the right track. I really don't understand the new rdr-to and match nat-to rules as well as the older pre-4.6 syntax. However, if I comment that rule out, an nmap still shows a bunch of open ports. If I try manually connecting to one of the ports that are listed as open by nmap I get a "Could not open connection to the host, on port 7800: Connect failed". Is it possible that nmap is just full of crap?
>
> On Fri, Nov 12, 2010 at 3:41 PM, woolsherpahat woolsherpa...@gmail.com wrote:
> > Hello @misc!
> >
> > I have a lovely little Soekris 4501 running OpenBSD 4.7 (Release). However, I get some strange results if I run an nmap scan on it from work. I get hundreds of ports listed as open. Now it's likely that I have mis-configured my firewall but I can't see exactly where. Hopefully someone here on @misc can hit me with the clue stick.
> >
> > $ext_if (sis0) is my external facing interface. $int_if and $apple_if (sis1 and sis2, respectively) are my internal subnets. The Soekris is obviously doing NAT for all my internal subnets -- NAT works, as do the restrictions on sis1 and sis2 from being able to send traffic to sis0's subnet.
> >
> > Now unless I am terribly mistaken, the 'block in log' should by default block any inbound packets on any interface unless there is a subsequent rule that matches that packet, as the packet will do whatever the last matching rule told it to. So all inbound traffic will either A) be blocked or B) match an exception later on in the ruleset, right? So how come a scan from the outside reveals hundreds of unfiltered ports? Advice would be much welcome. Thank you!
> >
> > /etc/pf.conf:
> >
> >     # macros
> >     ext_if=sis0
> >     int_if=sis1
> >     apple_if=sis2
> >     wifi_if=ral0
> >     table <bogons> persist file "/etc/bogon-bn-agg.txt"
> >
> >     # options
> >     set require-order yes
> >     set block-policy drop
> >     set optimization normal
> >     set skip on lo0
> >
> >     # flag packets from all internal interfaces for NAT
> >     match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)
> >
> >     # policy: default deny on all inbound traffic on all interfaces
> >     block in log
> >
> >     # immediately pass out traffic on external interface, modulate state to make
> >     # ISNs (initial sequence numbers) harder to guess
> >     pass out quick on $ext_if proto tcp modulate state
> >
> >     # policy: default allow on all outbound traffic on all interfaces
> >     pass out
> >
> >     # antispoofing for internal interfaces
> >     antispoof quick for { $int_if $apple_if $wifi_if }
> >
> >     # ingress/egress bogon filtering
> >     block in quick log on $ext_if from <bogons>
> >     block out quick log on $ext_if from <bogons>
> >
> >     # allow internal traffic in, except from untrusted -- trusted
> >     pass in on $int_if from $int_if:network
> >     pass in on $apple_if from $apple_if:network to !$int_if:network
> >     pass in on $wifi_if from $wifi_if:network to !$int_if:network
> >
> >     # allow ssh traffic on trusted interface
> >     pass in log on $int_if inet proto tcp from $int_if:network to $int_if port 22
> >
> >     # redirect external ssh traffic from ?
> >     pass in log on $ext_if inet proto tcp to ($ext_if) port ? \
> >         rdr-to 127.0.0.1 port 22
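The one-line suggestion at the top of the thread, shown in context. This is an added pf.conf fragment of mine, not the poster's ruleset or the reply author's: it keeps the interface names from the post, replaces the "?" in the redirect rule with a clearly marked placeholder port, and sets the two block-policy values side by side so the difference is visible. With "drop", pf discards a blocked packet silently and a remote probe gets no answer; with "return", pf answers blocked TCP with a RST (and blocked UDP with an ICMP unreachable), which is the "closed" response the reply refers to. The per-rule "block drop" keyword shows that the global policy can still be overridden where silence is preferred.

```pf
# Added example (not the original pf.conf): block-policy drop beside return.
ext_if=sis0
int_if=sis1
ext_ssh_port=2222          # PLACEHOLDER: the post showed "?" here; use the real port
table <bogons> persist file "/etc/bogon-bn-agg.txt"

# set block-policy drop    # original setting: blocked packets vanish, a probe
                           # gets no reply and reports the port as filtered
set block-policy return    # blocked TCP gets a RST, blocked UDP an ICMP
                           # unreachable: a probe reports the port as closed
set skip on lo0

match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)

# default deny inbound; under "return" this rule is what sends the RST
block in log

# a keyword on the rule overrides the global policy: bogon sources are still
# dropped silently while everything else gets the clean RST
block drop in quick log on $ext_if from <bogons>

pass out quick on $ext_if proto tcp modulate state
pass out

# internal SSH stays as in the original
pass in log on $int_if inet proto tcp from $int_if:network to $int_if port 22

# the external redirect with the placeholder in place of the "?"
pass in log on $ext_if inet proto tcp to ($ext_if) port $ext_ssh_port \
    rdr-to 127.0.0.1 port 22
```

After loading the file with `pfctl -nf /etc/pf.conf` (syntax check only) and then `pfctl -f /etc/pf.conf`, `pfctl -sr` shows the expanded rules; the block-policy setting itself is visible in `pfctl -si`.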
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
On Thu, Oct 29, 2009 at 1:16 PM, Joachim Schipper joac...@joachimschipper.nl wrote:
> I believe that work is currently underway to make it possible for multiple SSL-enabled hostnames to share a single IP address, but it will probably be quite a few years before this is remotely common.

There is a TLS extension, defined in RFC 4366, called Server Name Indication, for just this purpose.
http://en.wikipedia.org/wiki/Server_Name_Indication
http://en.wikipedia.org/wiki/Transport_Layer_Security#Support_for_name-based_virtual_servers
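Server Name Indication is also what makes the thread's original problem, restricting HTTPS by hostname, tractable without terminating TLS: the client sends the hostname in the clear inside the first ClientHello, before any key exchange. The block below is an added example of mine (not code from the thread, from pf or from any TLS library) that builds a minimal TLS 1.2 ClientHello with an SNI entry, parses the hostname back out with bounds checks on every length field, and applies an allowlist of the kind a policy-enforcing proxy in front of pf could use. The input is constructed, not captured; pf itself does not look inside TLS, so a check like this would live in a proxy or relay, not in pf.conf.

```python
"""Extract the Server Name Indication (RFC 4366, later RFC 6066) from a TLS
ClientHello record.  Added example; constructed input, no real capture."""
import os
import struct
from typing import Iterable, Optional


def build_client_hello(server_name: str) -> bytes:
    """Constructed TLS 1.2 ClientHello carrying one host_name SNI entry,
    preceded by a renegotiation_info extension so the parser has to skip one."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    ext_reneg = struct.pack("!HH", 0xFF01, 1) + b"\x00"             # renegotiation_info, empty
    extensions = ext_reneg + ext_sni
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + os.urandom(32)                              # random
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello, uint24 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name, or None if the record is not a ClientHello
    or is malformed.  Every length is checked: this parser sees untrusted
    bytes before anything else on the connection does."""
    try:
        if len(record) < 5 or record[0] != 0x16:          # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None
        pos = 2 + 32                                      # client_version + random
        sid_len = body[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len
        if pos + 2 > len(body):                           # no extensions block at all
            return None
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        if end > len(body):
            return None
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype != 0x0000 or len(data) != elen:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            lp = 2
            while lp + 3 <= 2 + list_len:
                ntype = data[lp]
                nlen = struct.unpack("!H", data[lp + 1:lp + 3])[0]; lp += 3
                name = data[lp:lp + nlen]; lp += nlen
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii")
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def sni_permitted(record: bytes, allowed_suffixes: Iterable[str]) -> bool:
    """Allowlist check: exact match or subdomain of a permitted name.
    A ClientHello without a usable SNI cannot be classified, so it is denied."""
    name = extract_sni(record)
    if name is None:
        return False
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in allowed_suffixes)


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print(extract_sni(hello))                           # www.example.com
    print(sni_permitted(hello, ["example.com"]))        # True
```

The suffix test deliberately requires the dot, so `example.org.evil.test` does not match an allowlist entry of `example.org`; that is the usual mistake in hostname allowlists. Note also what SNI does not give you: nothing in the ClientHello is authenticated, so a client can send any name it likes, and a hostname check of this kind is a policy filter, not a proof of where the connection will end up.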
Re: Sendmail Locking Up System
On Mon, Oct 5, 2009 at 2:25 PM, Chris cjd...@brokensolstice.com wrote:
> Yes, I do run it as an hvm, and I have an AMD/Pacifica compliant chip. Maybe if you can clarify what you meant by hardware support

I think he means running OpenBSD as an hvm guest, not paravirtualized, which you are.
Re: small pc recommendation
I have a couple jetway mini-itx boxen I like. There are daughter boards for these guys; I put a 3x10/100/1000 card in there for 4 nics total.

Boards: http://www.jetwaycomputer.com/VIA.html
Daughter: http://www.jetwaycomputer.com/Daughter_Board.html
Sample Dealer: http://www.logicsupply.com/

On Mon, May 19, 2008 at 7:51 PM, Lord Sporkton [EMAIL PROTECTED] wrote:
> I just figured out the slow usb speed im seeing is because my router/lan server only has usb1.0 (optiplex GX100), so im looking for a recommendation of a small form computer to use as my home router/server; im going to ebay it until i can fund myself a soekris.
>
> requirements are simple:
> usb 2.0
> at least 1 pci slot free or 2 built in ethernet ports
> OpenBSD compatible
> cheap
>
> thank you
> --
> -Lawrence
Re: 4.2 Errata 006 failed to compile.
Take a quick look in the archives talking about expat. It was in xbase for the 4.2 release, is moving to base IIRC, and it looks like you don't have it installed:

    /usr/bin/ld: cannot find -lexpat

On Tue, Apr 1, 2008 at 8:56 AM, Sunnz [EMAIL PROTECTED] wrote:
> I am not sure what I did wrong, I simply followed the instruction in 006_xorg.patch today:
>
>     cd /usr/src/xenocara   # Assuming Xenocara is in /usr/src/xenocara
>     patch -p0 < 006_xorg.patch
>     make build
>
> Though I did not have xenocara till today, I just grabbed it from my local mirror when I needed to apply the patch and recompile it. The patch itself was applied fine, it is just not compiled... make build failed. This is where the error begins:
>
>     cc -L/usr/src/xenocara/lib/expat/xmlwf/../obj -o xmlwf xmlwf.o xmlfile.o codepage.o unixfilemap.o -lexpat
>     /usr/bin/ld: cannot find -lexpat
>     collect2: ld returned 1 exit status
>     *** Error code 1
>
>     Stop in /usr/src/xenocara/lib/expat/xmlwf (line 95 of /usr/share/mk/bsd.prog.mk).
>     *** Error code 1
>
>     Stop in /usr/src/xenocara/lib/expat.
>     *** Error code 1
>
>     Stop in /usr/src/xenocara/lib/expat (line 133 of /usr/X11R6/share/mk/bsd.xorg.mk).
>     *** Error code 1
>
>     Stop in /usr/src/xenocara/lib.
>     *** Error code 1
>
>     Stop in /usr/src/xenocara.
>     # ld
>     ld: no input files
>
> I am running OpenBSD 4.2 AMD64 release. I haven't used OpenBSD for that long... this is the first time I tried to learn about applying errata patches (for the sake of learning) and I might have made some common mistakes. And this might sound stupid... X was running when I was recompiling Xenocara, could that be the cause? I don't know, I haven't thought of that till now... I will probably try that as soon as my next reboot. (got a few things running at the moment.)
>
> Thanks.
Re: OpenBSD with pf on a mini-ITX?
I am running a couple jetway mini-itx c7 boxes with the 3x1Gig daughter boards without any problems. I also have a couple stock via mini-itx boards that have run obsd in the past without problem also.

On Tue, Mar 11, 2008 at 10:57 AM, Jordi Prats [EMAIL PROTECTED] wrote:
> Hi all,
>
> Has anyone tried to run OpenBSD with pf on a Jetway J7F2 (or similar) motherboard to act as a firewall and do NAT? Any inputs will be welcome!
>
> Thanks,
> --
> Jordi
Re: named dhcpd network problems after update
Missed the misc@ CC:, sry richard

On Wed, Feb 27, 2008 at 8:26 PM, Richard Daemon [EMAIL PROTECTED] wrote:
> SNIP
>
> For the dhcpd, /etc/dhcpd.interfaces is ok? or try 'dhcpd bge0'?

Specifying bge0 on the command line has the same effect:

    root:/root:10# dhcpd -df bge0
    Can't listen on bge0 - it has no IP address.
    No interfaces to listen on.
    exiting.

> For named, you're using /etc/named.conf instead of /var/named/etc/named.conf?

named is reading /var/named/etc/named.conf; I think the log line says /etc/named.conf since it reads the config file after chroot() to /var/named/.

I'm not sure about the [rt]xpause and what that means on the media: line from ifconfig; the man pages for bge, ifmedia, ifconfig don't mention anything.
named dhcpd network problems after update
Heya misc:

Base dhcpd and named are failing to start after an update. I'm really confused at this point. Other daemons are working fine and I can't see anything else 'wrong' with the system. Any thoughts at all would be greatly appreciated.

This was a 4.2-release system. I followed the standard process (build kernel, reboot, build userland). I've done it twice now figuring I screwed something up (which I still believe).

I updated my source tree with:

    cvs -d$CVSROOT update -rOPENBSD_4_2 -Pd src
    cvs -d$CVSROOT update -rOPENBSD_4_2 -Pd ports

Here is a snippet of /var/log/messages during bootup:

    Feb 27 15:54:49 vash named[21321]: starting BIND 9.3.4
    Feb 27 15:54:50 vash named[21321]: /usr/src/usr.sbin/bind/lib/isc/unix/ifiter_getifaddrs.c:107: INSIST(ifa != 0L) failed
    Feb 27 15:54:50 vash named[21321]: exiting (due to assertion failure)
    Feb 27 15:54:51 vash savecore: no core dump
    Feb 27 15:54:52 vash dhcpd: Can't listen on bge0 - it has no IP address.
    Feb 27 15:54:52 vash dhcpd: No interfaces to listen on.
    Feb 27 15:54:52 vash dhcpd: exiting.
    Feb 27 15:54:54 vash squid[3353]: Squid Parent: child process 19826 started

Trying to start named and dhcpd manually we get:

    root:/root/scripts:8# named -f -g -d7
    Starting privilege seperation
    27-Feb-2008 16:32:47.378 starting BIND 9.3.4 -f -g -d7
    27-Feb-2008 16:32:47.381 loading configuration from '/etc/named.conf'
    27-Feb-2008 16:32:47.397 set maximum stack size to 33554432: success
    27-Feb-2008 16:32:47.397 set maximum data size to 1073741824: success
    27-Feb-2008 16:32:47.397 set maximum core size to 9223372036854775807: success
    27-Feb-2008 16:32:47.397 set maximum open files to 1024: success
    27-Feb-2008 16:32:47.397 /usr/src/usr.sbin/bind/lib/isc/unix/ifiter_getifaddrs.c:107: INSIST(ifa != 0L) failed
    27-Feb-2008 16:32:47.397 exiting (due to assertion failure)
    root:/root/scripts:9# dhcpd -d -f
    No interfaces to listen on.
    exiting.
    root:/root/scripts:10#

Random pieces of possibly useful output follow:

    root:/root/scripts:7# ifconfig -a
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33168
            groups: lo
            inet 127.0.0.1 netmask 0xff00
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
    bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:0a:e4:26:dd:30
            description: Internal to my cube
            media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
            status: active
            inet 192.168.24.5 netmask 0xff00 broadcast 192.168.24.255
            inet6 fe80::20a:e4ff:fe26:dd30%bge0 prefixlen 64 scopeid 0x1
    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:11:0a:60:0d:82
            description: Lans Scare Me
            groups: egress
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet 10.100.7.38 netmask 0xff00 broadcast 10.100.7.255
            inet6 fe80::211:aff:fe60:d82%em0 prefixlen 64 scopeid 0x2
    em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:11:0a:60:0d:83
            media: Ethernet autoselect (none)
            status: no carrier
    enc0: flags=0<> mtu 1536
    pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33168
            groups: pflog

    root:/root/scripts:3# uname -a
    OpenBSD vash.copart.com 4.2 GENERIC#2 amd64

    root:/root/scripts:5# cat /var/run/dmesg.boot
    OpenBSD 4.2-stable (GENERIC) #2: Wed Feb 27 14:31:04 PST 2008
        [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
    real mem = 1609551872 (1534MB)
    avail mem = 1549684736 (1477MB)
    mainbus0 at root
    bios0 at mainbus0: SMBIOS rev. 2.33 @ 0xefeb0 (37 entries)
    bios0: vendor Sun Microsystems version R01-B5 S1 date 09/29/2006
    bios0: Sun Microsystems W1100z/2100z
    acpi at mainbus0 not configured
    cpu0 at mainbus0: (uniprocessor)
    cpu0: AMD Opteron(tm) Processor 144, 1795.14 MHz
    cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,NXE,MMXX,LONG,3DNOW2,3DNOW
    cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
    cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
    cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
    cpu0: AMD errata 86, 89, 97, 104 present, BIOS upgrade may be required
    pci0 at mainbus0 bus 0: configuration mode 1
    ppb0 at pci0 dev 6 function 0 AMD 8111 PCI-PCI rev 0x07
    pci1 at ppb0 bus 1
    ohci0 at pci1 dev 0 function 0 AMD 8111 USB rev 0x0b: irq 11, version 1.0, legacy support
    ohci1 at pci1 dev 0 function 1 AMD 8111 USB rev 0x0b: irq 11, version 1.0, legacy support
    ohci2 at pci1 dev 3 function 0 NEC USB rev 0x43: irq 10, version 1.0, legacy support
    ohci3 at pci1 dev 3 function 1 NEC USB rev 0x43: irq 11, version 1.0, legacy support
    ehci0 at pci1 dev 3 function 2 NEC USB rev 0x04: irq 5
    usb0 at ehci0: USB revision 2.0
    uhub0 at usb0: NEC EHCI root hub, rev 2.00/1.00, addr 1
    TI TSB43AB22 FireWire rev 0x00 at pci1 dev 4 function 0 not configured
    usb1 at ohci0: USB revision 1.0
    uhub1 at usb1: AMD OHCI
Re: delete deleted data
On Dec 31, 2007 10:25 AM, Marco Peereboom [EMAIL PROTECTED] wrote:
> Grind them up. There is nothing else you can do to permanently wipe disks. Residual magnetism is always there provided good enough equipment. If your data is that sensitive there is nothing else but the grinder.

Someone linked me this article a couple calling into question the ability to actually read overwritten data:
http://www.nber.org/sys-admin/overwritten-data-guttman.html

I'd love to read something from the other side, showing real examples of getting usable data off of a disk that has been overwritten / wiped / etc. Any links or info?
Re: This list: CC and TO fields
On Dec 3, 2007 5:04 AM, ropers [EMAIL PROTECTED] wrote:
> On 03/12/2007, L [EMAIL PROTECTED] wrote:
> > I can't find the 'reply only to group' feature in my mail client yet.. but I just started using this email client recently. It is Mozilla Thunderbird.
>
> Reply to all.

Alpine is another good one for lists. http://www.washington.edu/alpine/

ropers, I think your time is a 'little' off.
Re: scp doesn't recognize 127.0.0.1* as filename
Giving a path should work (it did on my /tmp/127.0.0.1-2007-11-26-18:31/ dir I just tested with, and it failed the same way yours did without the ./ ):

    scp -r ./127.0.0.1-2007-11-26-18:31 [EMAIL PROTECTED]:/u02/snap

On Nov 26, 2007 1:24 PM, Eduardo Alvarenga [EMAIL PROTECTED] wrote:
> Hi there,
>
>     [EMAIL PROTECTED] crash]# scp -r 127.0.0.1-2007-11-26-18:31 [EMAIL PROTECTED]:/u02/snap
>     ssh: 127.0.0.1-2007-11-26-18: Name or service not known
>     127.0.0.1-2007-11-26-18:31 is a directory
>
> It seems that scp is not understanding that 127.0.0.1-2007-11-26-18:31 is a directory. Can anyone help?
>
> This is an OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003 running on RHEL 4.4
>
> Regards,
> --
> Eduardo Alvarenga
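Why the `./` prefix works: scp decides whether an argument is remote before it ever looks at the filesystem, and the rule is purely textual, a colon that appears before the first slash turns the text in front of it into `[user@]host`. The error line in the post (`ssh: 127.0.0.1-2007-11-26-18: Name or service not known`) is exactly that split. The block below is an added example of mine, not OpenSSH code: it re-implements that rule, including the bracketed IPv6 form and the leading-colon case, and shows the `./` fix applied programmatically. The same reinterpretation matters for any script that passes untrusted file names to scp, since a name an attacker controls can turn a local operand into a remote one; always prefixing local operands with `./` removes that ambiguity. The exact corner cases of a particular OpenSSH version may differ from this model.

```python
"""Model of how scp classifies an operand as local or [user@]host:path.
Added example; re-implements the documented rule, not OpenSSH source."""
from typing import NamedTuple, Optional


class ScpTarget(NamedTuple):
    user: Optional[str]
    host: Optional[str]   # None means the operand is a local path
    path: str


def split_target(arg: str) -> ScpTarget:
    """Classify one scp operand the way scp does before it invokes ssh.
    Rule: a colon before the first slash makes it remote; a leading colon,
    a slash before any colon, or no colon at all keeps it local.  Colons
    inside [...] (IPv6 literals) do not count."""
    if arg.startswith(":"):                        # leading colon: part of the file name
        return ScpTarget(None, None, arg)
    bracket = arg.startswith("[")
    for i, ch in enumerate(arg):
        if ch == "@" and arg[i + 1:i + 2] == "[":
            bracket = True                         # user@[v6addr]:path
        if ch == "]" and arg[i + 1:i + 2] == ":" and bracket:
            hostspec, path = arg[:i + 1], arg[i + 2:]
            break
        if ch == ":" and not bracket:
            hostspec, path = arg[:i], arg[i + 1:]
            break
        if ch == "/":
            return ScpTarget(None, None, arg)      # slash before any colon: local
    else:
        return ScpTarget(None, None, arg)          # no colon at all: local
    user, _, host = hostspec.rpartition("@")
    return ScpTarget(user or None, host.strip("[]"), path)


def make_local(arg: str) -> str:
    """Force an operand to be treated as a local path by prefixing ./ when
    scp would otherwise read it as host:path.  Use this on any local file
    name you do not fully control before handing it to scp."""
    return arg if split_target(arg).host is None else "./" + arg


if __name__ == "__main__":
    name = "127.0.0.1-2007-11-26-18:31"            # the directory from the post
    print(split_target(name))       # host='127.0.0.1-2007-11-26-18', path='31'
    print(make_local(name))         # ./127.0.0.1-2007-11-26-18:31
```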
Re: maybe openssh's bug
Not sure if it was gmail that blew chunks on your message or somewhere else along the way, but it seems some of your message lines were truncated. Either way, your attachment won't make it through... The only mailing list that allows attachments is the ports list; they will be removed from messages on the other mailing lists. http://openbsd.org/mail.html

On Nov 26, 2007 6:14 PM, PowerBSD [EMAIL PROTECTED] wrote:
> pls read ssh.log attachment
>
>     # ifconfig sis0
>     sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 150
>             lladdr 00:16:ec:b0:25:d
>             groups: egres
>             media: Ethernet autoselect (100baseTX half-duplex
>             status: activ
>             inet 192.168.1.248 netmask 0xff00 broadcast 192.168.1.25
>             inet6 fe80::216:ecff:feb0:25d7%sis0 prefixlen 64 scopeid 0x
>
> I use ssh connect to remote sshd server 192.168.1.191 , then i us
>
>     # ssh 192.168.1.1911
>     The authenticity of host '192.168.1.1911 (202.102.2.116)' can't be established
>     RSA key fingerprint is 88:43:7d:20:64:c8:40:bc:57:96:ac:12:cd:38:e3:c7
>     Are you sure you want to continue connecting (yes/no)? ^
>     # ssh 192.168.1.1912
>     ssh: 192.168.1.1912: non-recoverable failure in name resolutio
>     # ssh 192.168.1.1913
>     ssh: 192.168.1.1913: non-recoverable failure in name resolutio
>     # ssh 192.168.1.1914
>     The authenticity of host '192.168.1.1914 (202.102.2.116)' can't be established
>     RSA key fingerprint is 88:43:7d:20:64:c8:40:bc:57:96:ac:12:cd:38:e3:c7
>     Are you sure you want to continue connecting (yes/no)? ^
>     # ssh 192.168.1.1915
>     The authenticity of host '192.168.1.1915 (202.102.2.116)' can't be established
>     RSA key fingerprint is 88:43:7d:20:64:c8:40:bc:57:96:ac:12:cd:38:e3:c7
>     Are you sure you want to continue connecting (yes/no)? ^
>     # ssh 192.168.1.1916
>     ssh: 192.168.1.1916: non-recoverable failure in name resolutio
>     # ssh 192.168.1.1917
>     ssh: 192.168.1.1917: non-recoverable failure in name resolutio
>     # ssh 192.168.1.1918
>     The authenticity of host '192.168.1.1918 (202.102.2.116)' can't be established
>     RSA key fingerprint is 88:43:7d:20:64:c8:40:bc:57:96:ac:12:cd:38:e3:c7
>     Are you sure you want to continue connecting (yes/no)? ^
>
> at this line , when i input correct password , but authenticate is incorrec
>
>     # ssh 192.168.1.1919
>     [EMAIL PROTECTED]'s password:
>     Permission denied, please try again
>     [EMAIL PROTECTED]'s password:
>     # uname -
>     OpenBSD EServer-01.evermoresw.com.cn 4.2 GENERIC#0 i38
>     # sysctl hw
>     hw.machine=i38
>     hw.model=Intel(R) Pentium(R) 4 CPU 2.93GHz (GenuineIntel 686-class
>     hw.ncpu=
>     hw.byteorder=123
>     hw.physmem=46926643
>     hw.usermem=46926233
>     hw.pagesize=409
>     hw.disknames=cd0,wd
>     hw.diskcount=
>     hw.sensors.it0.temp0=48.00 deg
>     hw.sensors.it0.temp1=39.00 deg
>     hw.sensors.it0.temp2=22.00 deg
>     hw.sensors.it0.fan0=1231 RP
>     hw.sensors.it0.volt0=1.25 VDC (VCORE_A
>     hw.sensors.it0.volt1=2.62 VDC (VCORE_B
>     hw.sensors.it0.volt2=3.31 VDC (+3.3V
>     hw.sensors.it0.volt3=5.00 VDC (+5V
>     hw.sensors.it0.volt4=11.71 VDC (+12V
>     hw.sensors.it0.volt5=2.01 VDC (Unused
>     hw.sensors.it0.volt6=-0.77 VDC (-12V
>     hw.sensors.it0.volt7=4.97 VDC (+5VSB
>     hw.sensors.it0.volt8=4.08 VDC (VBAT
>     hw.cpuspeed=293
>     hw.setperf=10
>     hw.vendor=Ace
>     hw.product=Aspire SA80/AP S28
>     hw.version=R01-C
>     hw.uuid=Not Se
>     # ssh -
>     OpenSSH_4.7, OpenSSL 0.9.7j 04 May 200
Re: About Xen: maybe a reiterative question but ..
On 10/23/07, Lars Noodén [EMAIL PROTECTED] wrote:
> Per-Erik Persson wrote:
> > ... not being able to run inside a virtualized environment is not an option in the future.
>
> Virtualization is available already. See the package qemu.
> http://www.openbsd.org/4.1_packages/
>
> Or are you aiming for Xen specifically?

fwiw, kvm works well too if Xen isn't a hard requirement
http://kvm.qumranet.com/kvmwiki
Re: Scaling DNS with CARP + pf (+ hoststated ?)
it is highly recommended you cruise the DNS rfcs and/or read the dns bible.. these are problems solved 20 years ago

On 8/28/07, reje [EMAIL PROTECTED] wrote:
> In the sense of expanding DNS infrastructure, your comments seem sane enough (you definitely read that DNS & BIND book :-)
>
> On the other side, I really need to introduce _additional_ availability of DNS servers/resolvers. This is especially true for resolvers as they are the first layer users are facing. Assume the situation when an ordinary Windows user tries to access a web page not yet cached in his box's local DNS cache. From my experience, it takes up to 15 seconds for a Windows box to contact the other resolver. And that is something I'm trying to avoid by using high-availability and load-balancing. As already seen, it cannot be done (yet) using hoststated or rdr alone because packet payload inspection and modification is needed for it to work, and it is a hack, etc. etc.
>
> I was also reading about new features of IP-based load-balancing in carp(4) in the upcoming release of OpenBSD (4.2). It seems that it would be enough to install a farm of OpenBSD resolver boxes with CARP and IP load balancing enabled on the boxes themselves. No external load-balancing boxes, no packet modifications required. Although, it seems that it does require some extra configuring depending on the network equipment being used. Also, IP load-balancing imposes additional load on network equipment. (I'm dealing with Cisco Catalyst 6500 series switches)
>
> To conclude my goals:
> - remove 15 second timeout for end users,
> - deal with only 2 resolver addresses,
> - use more than 2 resolver boxes.
>
> Anyone successfully running a similar scenario?
>
> Cheers (and thanks for all suggestions),
> r.
>
> > reje wrote:
> > > Yes, we have that much DNS requests hitting our servers (we are not experiencing any DoS but from legitimate user requests :-) Furthermore, the DNS infrastructure timeouts are unacceptable in our scenario. Registering additional NS records is also unacceptable.
> > >
> > > FYI: our primary DNS experiences cca. 4000 requests per second, secondary goes with cca. 3000 req/sec. Primary server is SUN Fire V480 with 16GB RAM, secondary is also SUN Fire V480 with 8GB RAM. Both servers are running Solaris 9 + BIND 9. Firewall is PIX 535, works like a charm.
> >
> > Increase some of your heavily used records' TTLs.
> >
> > Add more public slave servers, 5-7 is a good number. Have them pull from a hidden master.
> >
> > Put some of the servers far away from you, but near your clients. e.g: London, Frankfurt, Paris, Sydney, where ever (can't do that with load bal).
> >
> > If you have both of your only 2 servers in the same rack, you will have problems. I once saw one idiot put both DNS servers into Solaris 10 zones on a single box (e15k). What is the point??
> >
> > I used to work for an ISP serving some popular domains. Used white i386 boxes in various colo racks (own and others), nae probs. Fire walling was done by Juniper, no load balancing.
> >
> > Go re-read the DNS and BIND book.
> >
> > --
> > Craig Skinner [EMAIL PROTECTED]
> > Phone +44 (0) 1506 673024    5-digit shortdial: x73024
> > Sun Remote Support Centre, Linlithgow, Scotland, UK
Re: pagedaemon: deadlock detected
What does df -i show? Maybe you filled up a disk or ran out of inodes?

On 8/2/07, Timo Schoeler [EMAIL PROTECTED] wrote:
> hi,
>
> i have an amd64 system running for about six months now flawlessly (however, due to following -current, not with uptimes 10 days). today it crashed twice when i had two torrents active (not very big ones, one 900MByte and one 1300MByte in size -- i did use this machine for far bigger ones, with rtorrent running several instances in parallel, without problems).
>
> the hardware is okay, i'm sure it is; the machine uses ECC RAM and is cooled very well (besides running on an Athlon64 3500+ EE SFF, which means a TDP of 35Watt) with several big fans and a gigantic copper/heatpipe heatspreader on the CPU to make it SILENT.
>
> unfortunately, the machine does NOT have a serial port that could provide some more information, i'm stuck on the console which spits out:
>
>     pagedaemon: deadlock detected
>
> in very high speed. i can still change between the tty's, but cannot type to login or anything else. ssh is dead. apache dies. didn't try ICMP, though.
>
> dmesg applied -- thanks for any hint!
>
> timo
>
> ---
>     OpenBSD 4.2-beta (GENERIC) #6: Tue Jul 31 10:43:55 CEST 2007
>         [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
>     real mem = 1055444992 (1006MB)
>     avail mem = 1013542912 (966MB)
>     mainbus0 at root
>     bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf (70 entries)
>     bios0: ASUSTek Computer INC. M2NPV-VM
>     acpi0 at mainbus0: rev 0
>     acpi0: tables DSDT FACP SSDT MCFG APIC
>     acpitimer0 at acpi0: 3579545 Hz, 24 bits
>     acpiprt0 at acpi0: bus 0 (PCI0)
>     acpiprt1 at acpi0: bus 4 (HUB0)
>     acpicpu0 at acpi0 PSS
>     acpicpu1 at acpi0
>     acpitz0 at acpi0, critical temperature: 75 degC
>     acpibtn0 at acpi0: PWRB
>     cpu0 at mainbus0: (uniprocessor)
>     cpu0: AMD Athlon(tm) 64 Processor 3500+, 2204.92 MHz
>     cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
>     cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
>     cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
>     cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
>     cpu0: PowerNow! K8 2204 MHz: speeds: 2200 2000 1800 1000 MHz
>     pci0 at mainbus0 bus 0: configuration mode 1
>     NVIDIA C51 Host rev 0xa2 at pci0 dev 0 function 0 not configured
>     NVIDIA C51 Memory rev 0xa2 at pci0 dev 0 function 1 not configured
>     NVIDIA C51 Memory rev 0xa2 at pci0 dev 0 function 2 not configured
>     NVIDIA C51 Memory rev 0xa2 at pci0 dev 0 function 3 not configured
>     NVIDIA C51 Memory rev 0xa2 at pci0 dev 0 function 4 not configured
>     NVIDIA C51 Memory rev 0xa2 at pci0 dev 0 function 5 not configured
>     NVIDIA C51 Memory rev 0xa2 at pci0 dev 0 function 6 not configured
>     NVIDIA C51 Memory rev 0xa2 at pci0 dev 0 function 7 not configured
>     ppb0 at pci0 dev 2 function 0 NVIDIA C51 PCIE rev 0xa1
>     pci1 at ppb0 bus 1
>     ppb1 at pci0 dev 3 function 0 NVIDIA C51 PCIE rev 0xa1
>     pci2 at ppb1 bus 2
>     ppb2 at pci0 dev 4 function 0 NVIDIA C51 PCIE rev 0xa1
>     pci3 at ppb2 bus 3
>     vga1 at pci0 dev 5 function 0 NVIDIA GeForce 6150 rev 0xa2
>     wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
>     wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
>     NVIDIA MCP51 Host rev 0xa2 at pci0 dev 9 function 0 not configured
>     pcib0 at pci0 dev 10 function 0 NVIDIA MCP51 ISA rev 0xa3
>     nviic0 at pci0 dev 10 function 1 NVIDIA MCP51 SMBus rev 0xa3
>     iic0 at nviic0
>     iic1 at nviic0
>     NVIDIA MCP51 Memory rev 0xa3 at pci0 dev 10 function 2 not configured
>     ohci0 at pci0 dev 11 function 0 NVIDIA MCP51 USB rev 0xa3: irq 5, version 1.0, legacy support
>     ehci0 at pci0 dev 11 function 1 NVIDIA MCP51 USB rev 0xa3: irq 10
>     usb0 at ehci0: USB revision 2.0
>     uhub0 at usb0: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
>     pciide0 at pci0 dev 13 function 0 NVIDIA MCP51 IDE rev 0xa1: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
>     pciide0: channel 0 disabled (no drives)
>     atapiscsi0 at pciide0 channel 1 drive 0
>     scsibus0 at atapiscsi0: 2 targets
>     cd0 at scsibus0 targ 0 lun 0: <_NEC, DVD_RW ND-4570A, 1.02> SCSI0 5/cdrom removable
>     cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
>     pciide1 at pci0 dev 14 function 0 NVIDIA MCP51 SATA rev 0xa1: DMA
>     pciide1: using irq 5 for native-PCI interrupt
>     wd0 at pciide1 channel 0 drive 0: <WDC WD2500YD-01NVB1>
>     wd0: 16-sector PIO, LBA48, 239372MB, 490234752 sectors
>     wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
>     pciide2 at pci0 dev 15 function 0 NVIDIA MCP51 SATA rev 0xa1: DMA
>     pciide2: using irq 11 for native-PCI interrupt
>     ppb3 at pci0 dev 16 function 0 NVIDIA MCP51 PCI-PCI rev 0xa2
>     pci4 at ppb3 bus 4
>     TI TSB43AB22 FireWire rev 0x00 at pci4 dev 5 function 0 not configured
>     pciide3 at pci4 dev 8 function 0 Promise PDC40718 rev 0x02: DMA
>     wd1 at pciide3 channel 3 drive 0: <WDC WD2500YD-01NVB1>
>     wd1: 16-sector PIO, LBA48, 239372MB, 490234752 sectors
>     wd1(pciide3:3:0): using BIOS timings,