is there anything broken on http://ftp.openbsd.org/pub/OpenBSD/ ?
sorry, I've searched for an announcement, didn't find any.
faq addition: working with mfs disks?
hello, what do you think of adding a FAQ item which gives an example of how /tmp (or any other write-intensive temporary disk partition) can be stored on an mfs drive?

Ilya Shipitsin
Re: why icmp timestamping is enabled by default ?
I apologise that I didn't predict such responses. I was looking for real life examples, i.e. "we use icmp timestamps widely, because we use timed" or "a lot of devices like D-Link-NNN use icmp timestamps". I was not looking for theoretical possibilities that icmp timestamping gives. I should have mentioned that, of course. Sorry.

2013/10/14 Mihai Popescu mih...@gmail.com:
> > it is famous "your mother is fat" openbsd community style.
> > I was not asking whether it is secret or not. I was curious about common use scenarios, where icmp timestamping is involved.
>
> Hi,
>
> 1. Maybe I'm wrong but I think OpenBSD doesn't have a community like other praised OSes, so there is no style.
> 2. Looking at your thread it is very hard for me to figure out what the hell you asked.
> 3. If you try to impress some developers of OpenBSD, try to attach something to your email. It doesn't work with opinions and subtle suggestions about what might be wrong.
>
> * this message might be bad at line length (i'm sorry).
Re: why icmp timestamping is enabled by default ?
2013/10/11 Christian Weisgerber na...@mips.inka.de:
> chipits...@gmail.com wrote:
> > actually, I'm not going to block icmp at all, I was curious why net.inet.icmp.tstamprepl=1 by default.
>
> So you can run timed, of course.

timed was removed from OpenBSD recently.

> As others have said, the time is not a secret.

it is famous "your mother is fat" openbsd community style. I was not asking whether it is secret or not. I was curious about common use scenarios, where icmp timestamping is involved.

> --
> Christian "naddy" Weisgerber na...@mips.inka.de
Re: why icmp timestamping is enabled by default ?
2013/10/11 Claudio Jeker cje...@diehard.n-r-g.com:
> On Fri, Oct 11, 2013 at 08:44:36AM +0600, ??? wrote:
> > 2013/10/10 Philip Guenther guent...@gmail.com:
> > > On Thu, Oct 10, 2013 at 4:30 AM, ??? chipits...@gmail.com wrote:
> > > > I use ntp already.
> > >
> > > So everyone can predict what your machine would have sent in response to an ICMP timestamp query, meaning that turning it off doesn't hide anything.
> > >
> > > > I am about to switch icmp timestamps off (security people are afraid of that setting),
> > >
> > > Cargo cult security.
> >
> > it is known behavior of security people.
> >
> > > > just curious what was the purpose of it.
> > >
> > > Oddly enough, the RFC that defines it (RFC792) has a reference about that.
> >
> > by purpose I mean common use scenarios, like we enable ssh by default, because it is used in routine administration and automation tasks, not because of RFC. we enable icmp destination unreachable, because it is used commonly in PMTU mechanisms, not because it is mentioned in some RFC. or you enable everything found in RFC ? you must be odd if so. I am not that odd.
>
> The better question is why block it? What is the attack vector? You start with ICMP timestamps, next you block ICMP echo then all of ICMP and by that break the internet. I waste way too much time with situations where I can't debug network issues because people block important internet control messages. So if there is not a well known threat (e.g. source routing or the famous IPv6 rtr-0 header) it should not be disabled just for a bit of a warm fuzzy feeling.

icmp dest unreach, frag required (3/4) is very important, I'm not going to block it. kinda fed up with poorly configured networks as well. icmp echo request/reply, i.e. ping/pong is also important, when people do not see ping response, they believe host is down. I'm also not going to block it. actually, I'm not going to block icmp at all, I was curious why net.inet.icmp.tstamprepl=1 by default.

> --
> :wq Claudio
Re: why icmp timestamping is enabled by default ?
I use ntp already. I am about to switch icmp timestamps off (security people are afraid of that setting), just curious what was the purpose of it.

2013/10/10 Theo de Raadt dera...@cvs.openbsd.org:
> > it turned out that OpenBSD allows icmp timestamping by default:
> > net.inet.icmp.tstamprepl=1
> > what was that done for ?
>
> well, why not?
>
> if you have some program vulnerable to a "the attacker knows the time" attack, i don't think turning off icmp timestamps will save you. the attacker could reasonably guess that your system time is going to be close to his system time. unless you are going to deliberately set the clock wrong on all your systems. fixing the vulnerability seems like a better idea.
>
> there is also this thing called ntp that is becoming rather common. if you're not doing time distribution to your systems, ah, i see the problem.
Re: why icmp timestamping is enabled by default ?
2013/10/10 Philip Guenther guent...@gmail.com:
> On Thu, Oct 10, 2013 at 4:30 AM, Илья Шипицин chipits...@gmail.com wrote:
> > I use ntp already.
>
> So everyone can predict what your machine would have sent in response to an ICMP timestamp query, meaning that turning it off doesn't hide anything.
>
> > I am about to switch icmp timestamps off (security people are afraid of that setting),
>
> Cargo cult security.

it is known behavior of security people.

> > just curious what was the purpose of it.
>
> Oddly enough, the RFC that defines it (RFC792) has a reference about that.

by purpose I mean common use scenarios, like we enable ssh by default, because it is used in routine administration and automation tasks, not because of RFC. we enable icmp destination unreachable, because it is used commonly in PMTU mechanisms, not because it is mentioned in some RFC. or you enable everything found in RFC ? you must be odd if so. I am not that odd.

> Philip Guenther
Re: why icmp timestamping is enabled by default ?
2013/10/11 Paul de Weerd we...@weirdnet.nl:
> On Thu, Oct 10, 2013 at 05:30:39PM +0600, ??? wrote:
> | I use ntp already.
> | I am about to switch icmp timestamps off (security people are afraid
> | of that setting), just curious what was the purpose of it.
>
> Uhm .. why? Is your pf broken somehow?

it is not broken.

    block in on $interface inet proto icmp icmp-type { timereq, timerep }

does PF perform better than net.inet.icmp.tstamprepl=0 ?

> I can understand you don't want to send anything in reply to spoofed packets, but you're really better off filtering those with a firewall instead of a knob per type of packet. If you think this is going to improve the security of your host, you're wrong (as pointed out by others).

it is not about improving security, you got it wrong. I was just curious why that timestamping is enabled by default.

> If others tell you this improves the security of your host, tell them they're wrong.

I wish they could understand what other people are talking about.

> If they are not open to sane arguments: run. Then, they can disable the sysctl themselves and wallow in their awesome security while their site is XSS'd by 10-year-olds.

yeah, we found an XSS on their site a couple of months ago :-)

> Paul 'WEiRD' de Weerd
> --
> [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
why icmp timestamping is enabled by default ?
Hello!

it turned out that OpenBSD allows icmp timestamping by default:

    net.inet.icmp.tstamprepl=1

what was that done for ?

Cheers,
Ilya Shipitsin
is it possible to block BT.UTP traffic in PF ?
Hello!

I'm investigating whether it is possible to block certain UDP signatures. Maybe I'd like not to block them, but to lower their priority using ALTQ. for instance, this kind of traffic: http://www.wireshark.org/docs/dfref/b/bt-utp.html

traffic signatures are known.

Cheers,
Ilya Shipitsin
strip down ECN flag in transit ?
Hello!

after deploying windows 2012 we encountered that it enables ECN by default and sometimes it is a problem. I studied pf guides, but I did not find whether it could strip the ECN flag (we use OpenBSD as routers) or not.

Cheers,
Ilya Shipitsin
route get syntax for ipv6 ?
Hello!

# ping6 www.ripe.net
PING6(56=40+8+8 bytes) 2001:1bb0:e000:d::2 --> 2001:67c:2e8:22::c100:68b
^C
--- www.ripe.net ping6 statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
# route get 2001:67c:2e8:22::c100:68b
route: 2001:67c:2e8:22::c100:68b: bad address
#

is there a route get equivalent for ipv6 ?

Cheers,
Ilya Shipitsin
Re: respawn-like behaviour ?
hmm, I never had a crashy linux daemon become stable when it is started under OpenBSD. can you tell me how to enable that feature ?

2013/7/17 Jan Stary h...@stare.cz:
> On Jul 17 07:45:58, chipits...@gmail.com wrote:
> > Hello!
> > I used to run crashy daemons under respawn inittab capability on Linux. Is there similar thing on OpenBSD ?
>
> Sorry, we don't have crashy daemons here, you need to go back to linux for that.
respawn-like behaviour ?
Hello!

I used to run crashy daemons under respawn inittab capability on Linux. Is there similar thing on OpenBSD ?

Cheers,
Ilya Shipitsin
Re: respawn-like behaviour ?
well, vnc repeater (which I'd like to run that way) crashes about once a week. I'm already debugging it (-ggdb + core dump settings). I need some way to respawn it until I find out the reason it crashes.

2013/7/17 Theo de Raadt dera...@cvs.openbsd.org:
> > I used to run crashy daemons under respawn inittab capability on Linux. Is there similar thing on OpenBSD ?
>
> I try to attack a hole you've got...
> Oh damn I can't guess the propolice cookie or random addressing...
> But it crashes and restarts!
> I try to attack a hole you've got...
> Oh damn I can't guess the propolice cookie or random addressing...
> But it crashes and restarts!
> I try to attack a hole you've got...
> Oh damn I can't guess the propolice cookie or random addressing...
> But it crashes and restarts!
> I try to attack a hole you've got...
> Oh damn I can't guess the propolice cookie or random addressing...
> But it crashes and restarts!
> I try to attack a hole you've got...
> Oh damn I can't guess the propolice cookie or random addressing...
> But it crashes and restarts!
> I try to attack a hole you've got...
> Oh damn I can't guess the propolice cookie or random addressing...
> But it crashes and restarts!
> I try to attack a hole you've got...
> Oh damn I can't guess the propolice cookie or random addressing...
> But it crashes and restarts!
> I try to attack a hole you've got...
> Guessed enough win.
>
> Fail open methodology is not very smart.
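An added example, not code from the thread or from any OpenBSD tool: a respawn wrapper written with the objection above in mind. It restarts the daemon after a crash, but only within a crash budget per time window; once the budget is spent it stops restarting and logs why, so a daemon that keeps getting knocked over becomes visible instead of being silently restarted forever (the "fail open" pattern criticised above). The daemon path, MAX_CRASHES and WINDOW are placeholders chosen here; the daemon must run in the foreground for the wrapper to see it exit.

```shell
#!/bin/sh
# Respawn wrapper with a crash budget (example code, not from the thread).
# Policy: at most MAX_CRASHES exits within WINDOW seconds; after that the
# wrapper gives up and leaves the failure on record instead of failing open.

MAX_CRASHES=${MAX_CRASHES:-5}   # placeholder: crashes tolerated per window
WINDOW=${WINDOW:-600}           # placeholder: window length in seconds

# crashes_in_window COUNT WINDOW_START NOW
# Print the crash count after one more crash at time NOW: 1 if the window
# that began at WINDOW_START has expired (a new window starts with this
# crash), otherwise COUNT + 1. Pure arithmetic, so the policy is testable
# without running a daemon.
crashes_in_window() {
    if [ $(($3 - $2)) -ge "$WINDOW" ]; then
        echo 1
    else
        echo $(($1 + 1))
    fi
}

# restart_allowed COUNT: succeeds while COUNT is still within the budget.
restart_allowed() {
    [ "$1" -le "$MAX_CRASHES" ]
}

# log MESSAGE: stderr always, syslog via logger(1) when it is available.
log() {
    echo "supervise: $*" >&2
    if command -v logger >/dev/null 2>&1; then
        logger -t supervise "$*"
    fi
}

# supervise CMD [ARGS...]: run CMD in the foreground and respawn it on exit
# until the crash budget is exhausted. Returns 1 when it gives up.
supervise() {
    count=0
    start=$(date +%s)
    while :; do
        "$@"
        status=$?
        now=$(date +%s)
        count=$(crashes_in_window "$count" "$start" "$now")
        if [ "$count" -eq 1 ]; then
            start=$now              # first crash of a fresh window
        fi
        if ! restart_allowed "$count"; then
            log "$1 exited $count times within ${WINDOW}s (last status $status); not restarting"
            return 1
        fi
        log "$1 exited with status $status; restart $count of $MAX_CRASHES"
        sleep 1
    done
}

# Usage: ./supervise.sh run /path/to/daemon -f   (placeholder daemon path)
case ${1:-} in
    run) shift; supervise "$@" ;;
esac
```

The window logic is kept in `crashes_in_window` and `restart_allowed` so the policy can be checked on its own; `supervise` only glues it to `date` and the daemon's exit status.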
why gmon.out is always limited to 470k ?
Hello!

I'm trying to profile a long-running application, however gmon.out never grows beyond 470k (I'm running OpenBSD-5.2/amd64 if that matters). is there a special trick for long-running application profiling ?

Cheers,
Ilya Shipitsin
Re: python GraphViz in ports ?
after playing with pip I came to:

r1n1:/root/pygraphviz/pygraphviz-1.1# python setup.py install
library_path=/usr/local/lib/graphviz
include_path=/usr/local/include/graphviz
running install
running build
running build_py
creating build
creating build/lib.openbsd-5.2-amd64-2.7
creating build/lib.openbsd-5.2-amd64-2.7/pygraphviz
creating build/temp.openbsd-5.2-amd64-2.7/pygraphviz
cc -pthread -fno-strict-aliasing -O2 -pipe -DNDEBUG -O2 -pipe -fPIC -fPIC -I/usr/local/include/graphviz -I/usr/local/include/python2.7 -c pygraphviz/graphviz_wrap.c -o build/temp.openbsd-5.2-amd64-2.7/pygraphviz/graphviz_wrap.o
pygraphviz/graphviz_wrap.c:2519:20: error: cgraph.h: No such file or directory

I can only find cgraph.h in the gcc source subtree. google also says nothing. nobody is using pygraphviz under OpenBSD ? however, the pygraphviz changelog mentions OpenBSD.

2013/3/5 James Griffin j...@kontrol.kode5.net
> [- Tue 5.Mar'13 at 13:11:56 +0200 Gregory Edigarov :-]
> > On 03/05/2013 11:49 AM, Илья Шипицин wrote:
> > > Hello!
> > > is there python GraphViz in ports ? if so, what is name of port (I couldn't find any)
> > >
> > > <type 'exceptions.ImportError'>: No module named gv
> > >
> > > Cheers,
> > > Ilya Shipitsin
> >
> > Seems like your problem is that you're looking in the wrong place. modules for python could be installed directly from its packages repository via pip (or easy_install) utilities. you will need to install py-pip (py-pip-1.1p0.tgz) package first. easy_install comes in the py-setuptools package.
>
> Personally, pip seems to be better. I have both installed though so just choose which you prefer after reading up a bit about them both.
python GraphViz in ports ?
Hello!

is there python GraphViz in ports ? if so, what is name of port (I couldn't find any)

<type 'exceptions.ImportError'>: No module named gv

Cheers,
Ilya Shipitsin
Re: python GraphViz in ports ?
math/p5-GraphViz http://openports.se/math/p5-GraphViz is for Perl. math/graphviz contains neither a subpackage nor a flavor for Python. how can I use the information provided by you to install python bindings for graphviz, can you describe step by step ?

2013/3/5 Janne Johansson icepic...@gmail.com
> http://openports.se/search.php?so=graphviz
>
> yes there is.
>
> 2013/3/5 Илья Шипицин chipits...@gmail.com:
> > Hello!
> > is there python GraphViz in ports ? if so, what is name of port (I couldn't find any)
> >
> > <type 'exceptions.ImportError'>: No module named gv
> >
> > Cheers,
> > Ilya Shipitsin
>
> --
> May the most significant bit of your life be positive.
Re: python GraphViz in ports ?
r1n1:/root# pkg_info -L py-dot-0.9.10p7 | grep gv.py
r1n1:/root#

gv.py still not found

2013/3/5 James Hartley jjhart...@gmail.com
> On Tue, Mar 5, 2013 at 4:12 AM, Илья Шипицин chipits...@gmail.com wrote:
> > math/p5-GraphViz http://openports.se/math/p5-GraphViz is for Perl. math/graphviz contains neither a subpackage nor a flavor for Python.
>
> http://openports.se/graphics/py-dot
>
> > how can I use the information provided by you to install python bindings for graphviz, can you describe step by step ?
>
> http://www.openbsd.org/faq/faq15.html
Re: python GraphViz in ports ?
thanks everybody, I'll continue with pip. or easy_install.

2013/3/5 James Griffin j...@kontrol.kode5.net
> [- Tue 5.Mar'13 at 13:11:56 +0200 Gregory Edigarov :-]
> > On 03/05/2013 11:49 AM, Илья Шипицин wrote:
> > > Hello!
> > > is there python GraphViz in ports ? if so, what is name of port (I couldn't find any)
> > >
> > > <type 'exceptions.ImportError'>: No module named gv
> > >
> > > Cheers,
> > > Ilya Shipitsin
> >
> > Seems like your problem is that you're looking in the wrong place. modules for python could be installed directly from its packages repository via pip (or easy_install) utilities. you will need to install py-pip (py-pip-1.1p0.tgz) package first. easy_install comes in the py-setuptools package.
>
> Personally, pip seems to be better. I have both installed though so just choose which you prefer after reading up a bit about them both.
Re: how to use cpu affinity from user space
I meant the OpenBSD feature of using only CPU00 for network things. and I am afraid it could cause network issues when some process works on CPU00 as well.

2013/1/22 Gregory Edigarov ediga...@qarea.com
> On 01/22/2013 12:55 PM, Gregor Best wrote:
> > On Tue, Jan 22, 2013 at 07:56:22PM +1000, David Diggles wrote:
> > > Then if the scheduler always knows what's best, the backup process will be completely uninhibited, on a system maxed out on all cores.
> > > [...]
> >
> > What backup process? And why will it be uninhibited? If the system's maxed out, all processes will necessarily suffer.
>
> I think he means background processes.
>
> --
> With best regards,
> Gregory Edigarov
any special trick to use hwfeatures on em ?
Hello!

I'm trying to figure out whether or not my em cards are set up for high performance. "ifconfig em0 hwfeatures" does not show anything on rx/tx checksum, nor do the man pages for ifconfig and em explain how to do that.

I notice network delays on very moderate bit rates, say 500mbit or even less, so I suspect the em adapters are not working in the way they are expected to work.

Cheers,
Ilya Shipitsin
Re: how to use cpu affinity from user space
I appreciate your attention to homeopathy and astrology, however I see no relation of those to CPU00. Maybe modern processors will handle that stuff, I don't know.

I'm running an https web reverse proxy. at 200-500mbit scale, I see 3500 interrupts per second at em0, em1, also 12 cpus are running at 70-80%, CPU00 is running at interrupt level, also there're user processes at user and system levels. under such load the server is experiencing somewhat general network delays, network connections become slow (both incoming and outgoing), sometimes even 5 sec on a 1G network. so, I'm looking into optimal em tuning and cpu affinity things. disk io is not affected.

2013/1/22 Marc Espie es...@nerim.net
> On Tue, Jan 22, 2013 at 05:37:42PM +0500, ??? wrote:
> > I meant the OpenBSD feature of using only CPU00 for network things. and I am afraid it could cause network issues when some process works on CPU00 as well.
>
> OpenBSD is not a real-time OS. As far as I know there's no intention to make it so.
>
> However, I will challenge your methodology. "You're afraid" does not sound like any kind of serious methodology. Do you also believe in astrology or homeopathy ?
>
> Did you actually try out what you want to do ? do you have any real reason to think that tying it to CPU00 will make things better ? do you have any actual idea what network handling entails ? cpu, network card, disk/io, there are lots of potential issues there.
>
> The best thing to do is to try things out first. Then come back with actual numbers if you feel it does not work like you want.
>
> On the other hand, if you're contracting for some work where you need real-time guarantees, well OpenBSD is probably not the OS for you. And your hardware might not be up to it either...
how to use cpu affinity from user space
Hello!

I'm investigating how a program should set cpu affinity, are there any examples ? (I didn't find any except the commit that adds the cpu affinity thing, but there's no user space documentation, no utility, no man page).

cheers,
Ilya Shipitsin
Re: how to use cpu affinity from user space
I'm trying to keep CPU00 for network things, and avoid using it for user applications (there're lots of CPUs). is it possible to achieve it without CPU affinity ?

2013/1/22 Brad Smith b...@comstyle.com
> On Tue, Jan 22, 2013 at 09:25:04AM +0500, ??? wrote:
> > Hello!
> > I'm investigating how a program should set cpu affinity, are there any examples ? (I didn't find any except the commit that adds the cpu affinity thing, but there's no user space documentation, no utility, no man page).
>
> As far as I know of it isn't possible to do so.
>
> --
> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
is nat to (egress) possible ?
I'm running a multi-homed firewall. at every single moment only one interface belongs to the egress group. is it possible to do something like that:

    match out from 192.168.0.0/16 to ! 192.168.0.0/16 nat-to (egress)

?

Cheers,
Ilya Shipitsin
Re: OpenBSD-5.1 hangs on Supermicro X9DR3-F
Yahoo!! 3 days without a single hang when running apmd -H

2012/10/12 Peter Hessler phess...@theapt.org
> I have seen some hangs when apmd -C changes cpu speed in very specific situations. For testing purposes, switch to -L or -H.
>
> On 2012 Oct 12 (Fri) at 16:44:14 +0600 (+0600), Илья Шипицин wrote:
> :... and I'm running apmd -C if that matters.
> :could it cause problems ?
> :
> :2012/10/12 Christiano F. Haesbaert haesba...@haesbaert.org
> :
> : On 11 October 2012 08:30, ??? chipits...@gmail.com wrote:
> : Hello!
> :
> : we recently installed OpenBSD/amd64 on Supermicro X9DR3-F, it hangs about 1 times a day.
> : 5.1 does not understand i350 chip, so we put external Intel PRO/1000 MT (82574L) nic.
> :
> : we have ddb.panic=1, but no ddb appears on screen on hang.
> : also, it says savecore: no core dump during boot.
> :
> : we tested RAM with memtest, so we do not suspect it for memory related issue.
> :
> : how can we diagnose those hangs ?
> : is it ok to run 5.1 on X9DR3-F ?
> :
> : do I need to provide dmesg output ? any other kind of diagnostics ?
> :
> : Cheers,
> : Ilya Shipitsin
> :
> : If you can provide the dmesg I can help you, we have these at work:
> : hw.product=X9DRH-7TF/7F/iTF/iF
> :
> : Which should be similar, do you by any chance have a mfii(4) ?
> : Our machine had interrupt routing issues, maybe you're experiencing the same.
> : Please provide a dmesg, even a picture should do and we can try something.
>
> --
> There's no trick to being a humorist when you have the whole government working for you. -- Will Rodgers
Re: CARP - Active/Active question
the tricky thing here is the MAC-address. it is 01:00:5e, which mimics Microsoft NLB in multicast IGMP mode. the first octet, 01, means it is multicast, which is a very rare case (compared to unicast and broadcast). most switches treat multicast in the same way as broadcast, i.e. delivering packets to all ports. also, there could be side effects in using multicast in routing mode. be careful with multicast things :-)

2012/10/15 Indunil Jayasooriya induni...@gmail.com
> Hi list,
>
> I configured CARP - Active/Active. ( Things work )
>
> I have a question. When Both are Active/Active, Both should work simultaneously by balancing traffic. Am I right ?
>
> But, ifconfig on fw1 says "status: master" and ifconfig on fw2 says "status: backup". Pls see the output of both fw1 and fw2
>
> on fw1
>
> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 01:00:5e:00:01:01
>         priority: 0
>         carp: carpdev em0 advbase 1 balancing ip
>                 state MASTER vhid 1 advskew 0
>                 state BACKUP vhid 2 advskew 100
>         groups: carp
>         status: master
>         inet6 fe80::a00:27ff:fe05:3294%carp1 prefixlen 64 scopeid 0x7
>         inet 192.168.0.100 netmask 0xff00 broadcast 192.168.0.255
>
> on fw2
>
> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 01:00:5e:00:01:01
>         priority: 0
>         carp: carpdev em0 advbase 1 balancing ip
>                 state BACKUP vhid 1 advskew 100
>                 state MASTER vhid 2 advskew 0
>         groups: carp
>         status: backup
>         inet6 fe80::a00:27ff:fe14:3690%carp1 prefixlen 64 scopeid 0x7
>         inet 192.168.0.100 netmask 0xff00 broadcast 192.168.0.255
>
> Why is that? When status is master and backup, do these 2 nodes ( fw1 and fw2 ) work simultaneously by balancing traffic? and when one node goes down, all 100% of the traffic goes via the running node? That's what I want to achieve. Pls let me know.
>
> Here's the HOW TO I performed.
>
> CARP - Active/Active configuration ( CARP, pfsync, PF and relayd )
>
>   +-----+                    +-----+
>   | fw1 |-em1------------em1-| fw2 |
>   +-----+                    +-----+
>    em0 |                      | em0
>   -----+------Shared LAN------+-----
>
> fw1  em0 - 192.168.0.10
>      em1 - 192.168.9.67 ( for pfsync )
> fw2  em0 - 192.168.0.11
>      em1 - 192.168.9.68 ( for pfsync )
> carp1 - LAN shared IP: 192.168.0.100
>
> on fw1
>
> # hostname
> fw1.example.com
> # cat /etc/hostname.em0
> inet 192.168.0.10 255.255.255.0
> # cat /etc/hostname.em1
> inet 192.168.9.67 255.255.255.0
>
> on fw2
>
> # hostname
> fw2.example.com
> # cat /etc/hostname.em0
> inet 192.168.0.11 255.255.255.0
> # cat /etc/hostname.em1
> inet 192.168.9.68 255.255.255.0
>
> net.inet.ip.forwarding=1 in /etc/sysctl.conf on both fw1 and fw2 with the below command
>
> sysctl -w net.inet.ip.forwarding=1
>
> Edit net.inet.ip.forwarding=1 in the /etc/sysctl.conf file in this way
>
> # less /etc/sysctl.conf |grep net.inet.ip.forwarding=1
> net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
>
> Configure fw1:
>
> ! enable preemption and group interface failover
> # sysctl -w net.inet.carp.preempt=1
>
> Uncomment net.inet.carp.preempt=1 in /etc/sysctl.conf in this way
> # less /etc/sysctl.conf |grep net.inet.carp.preempt=1
> net.inet.carp.preempt=1         # 1=Enable carp(4) preemption
>
> ! configure pfsync
> # ifconfig em1 192.168.9.67 netmask 255.255.255.0
> # ifconfig pfsync0 syncdev em1
> # ifconfig pfsync0 up
>
> ! configure CARP on the LAN side
> # ifconfig carp1 create
> # ifconfig carp1 192.168.0.100/24 carpnodes 1:0,2:100 balancing ip \
>         pass lanpasswd
>
> vi /etc/hostname.carp1
> inet 192.168.0.100 255.255.255.0 192.168.0.255 carpnodes 1:0,2:100 balancing ip pass lanpasswd
>
> vi /etc/hostname.pfsync0
> up syncdev em1
>
> Configure fw2:
>
> ! enable preemption and group interface failover
> # sysctl -w net.inet.carp.preempt=1
>
> Uncomment net.inet.carp.preempt=1 in /etc/sysctl.conf in this way
> # less /etc/sysctl.conf |grep net.inet.carp.preempt=1
> net.inet.carp.preempt=1         # 1=Enable carp(4) preemption
>
> ! configure pfsync
> # ifconfig em1 192.168.9.68 netmask 255.255.255.0
> # ifconfig pfsync0 syncdev em1
> # ifconfig pfsync0 up
>
> ! configure CARP on the LAN side
> # ifconfig carp1 create
> # ifconfig carp1 192.168.0.100/24 carpnodes 1:100,2:0 balancing ip \
>         pass lanpasswd
>
> vi /etc/hostname.carp1
> inet 192.168.0.100 255.255.255.0 192.168.0.255 carpnodes 1:100,2:0 balancing ip pass lanpasswd
>
> vi /etc/hostname.pfsync0
> up syncdev em1
>
> Scp pf.conf and relayd.conf files to fw2 from fw1
>
> # hostname
> fw1.example.com
> # cd /etc/
> # scp pf.conf relayd.conf root@192.168.0.11:/etc/
> root@192.168.0.11's password:
> pf.conf                                  100% 1584     1.6KB/s   00:00
> relayd.conf
>
> Pls run the below commands on both nodes ( fw1 and fw2 )
>
> # pfctl -f /etc/pf.conf
> # relayd
> # pfctl -sr
> anchor
Re: OpenBSD-5.1 hangs on Supermicro X9DR3-F
... and I'm running apmd -C if that matters. could it cause problems ?

2012/10/12 Christiano F. Haesbaert haesba...@haesbaert.org
> On 11 October 2012 08:30, Илья Шипицин chipits...@gmail.com wrote:
> > Hello!
> >
> > we recently installed OpenBSD/amd64 on Supermicro X9DR3-F, it hangs about 1 times a day.
> > 5.1 does not understand i350 chip, so we put external Intel PRO/1000 MT (82574L) nic.
> >
> > we have ddb.panic=1, but no ddb appears on screen on hang.
> > also, it says savecore: no core dump during boot.
> >
> > we tested RAM with memtest, so we do not suspect it for memory related issue.
> >
> > how can we diagnose those hangs ?
> > is it ok to run 5.1 on X9DR3-F ?
> >
> > do I need to provide dmesg output ? any other kind of diagnostics ?
> >
> > Cheers,
> > Ilya Shipitsin
>
> If you can provide the dmesg I can help you, we have these at work:
> hw.product=X9DRH-7TF/7F/iTF/iF
>
> Which should be similar, do you by any chance have a mfii(4) ?
> Our machine had interrupt routing issues, maybe you're experiencing the same.
> Please provide a dmesg, even a picture should do and we can try something.
Re: OpenBSD-5.1 hangs on Supermicro X9DR3-F
ok. I figured out, it is X9DR3-F with a couple of external cards (NIC 82574L and RAID LSI 9261-8i, which I thought was internal, because it identifies itself as megaide). I tried to run in UKC verbose, but it took me about an hour of debug without getting to the Login: prompt, so I gave up on that idea. Didn't try recompiling the kernel in DEBUG mode yet. also, I double-checked for newer firmware/bios, no updates available.

here's dmesg:

OpenBSD 5.1 (GENERIC.MP) #207: Sun Feb 12 09:42:14 MST 2012
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 137408897024 (131043MB)
avail mem = 133736947712 (127541MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe9380 (135 entries)
bios0: vendor American Megatrends Inc. version 1.0c date 06/29/2012
bios0: Supermicro X9DR3-F
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC SRAT SLIT HPET PRAD SPMI SSDT MCFG DMAR EINJ ERST HEST BERT
acpi0: wakeup devices BR20(S1) EUSB(S4) USBE(S4) PEX0(S4) PEX1(S1) PEX2(S1) PEX3(S1) PEX4(S1) PEX5(S1) PEX6(S1) PEX7(S1) GBE_(S4) NPE1(S4) NPE2(S4) NPE3(S4) NPE4(S4) NPE5(S4) NPE6(S4) NPE7(S4) NPE8(S4) NPE9(S4) NPEA(S4) SLPB(S0) NPE1(S4) NPE3(S4) NPE7(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.27 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 100MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu1: 256KB 64b/line 8-way L2 cache
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.00 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu2: 256KB 64b/line 8-way L2 cache
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.00 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu3: 256KB 64b/line 8-way L2 cache
cpu4 at mainbus0: apid 8 (application processor)
cpu4: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.00 MHz
cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu4: 256KB 64b/line 8-way L2 cache
cpu5 at mainbus0: apid 10 (application processor)
cpu5: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.00 MHz
cpu5: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu5: 256KB 64b/line 8-way L2 cache
cpu6 at mainbus0: apid 32 (application processor)
cpu6: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.00 MHz
cpu6: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu6: 256KB 64b/line 8-way L2 cache
cpu7 at mainbus0: apid 34 (application processor)
cpu7: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.01 MHz
cpu7: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu7: 256KB 64b/line 8-way L2 cache
cpu8 at mainbus0: apid 36 (application processor)
cpu8: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.01 MHz
cpu8: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu8: 256KB 64b/line 8-way L2 cache
cpu9 at mainbus0: apid 38 (application processor)
cpu9: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.00 MHz
Re: OpenBSD-5.1 hangs on Supermicro X9DR3-F
pardon, didn't pay attention to mfii(4), what's that ?

# man -k mfii
mfii: nothing appropriate
# grep -i mfii /var/run/dmesg.boot
#

2012/10/12 Christiano F. Haesbaert haesba...@haesbaert.org
> On 11 October 2012 08:30, Илья Шипицин chipits...@gmail.com wrote:
> > Hello!
> >
> > we recently installed OpenBSD/amd64 on Supermicro X9DR3-F, it hangs about 1 times a day.
> > 5.1 does not understand i350 chip, so we put external Intel PRO/1000 MT (82574L) nic.
> >
> > we have ddb.panic=1, but no ddb appears on screen on hang.
> > also, it says savecore: no core dump during boot.
> >
> > we tested RAM with memtest, so we do not suspect it for memory related issue.
> >
> > how can we diagnose those hangs ?
> > is it ok to run 5.1 on X9DR3-F ?
> >
> > do I need to provide dmesg output ? any other kind of diagnostics ?
> >
> > Cheers,
> > Ilya Shipitsin
>
> If you can provide the dmesg I can help you, we have these at work:
> hw.product=X9DRH-7TF/7F/iTF/iF
>
> Which should be similar, do you by any chance have a mfii(4) ?
> Our machine had interrupt routing issues, maybe you're experiencing the same.
> Please provide a dmesg, even a picture should do and we can try something.
OpenBSD-5.1 hangs on Supermicro X9DR3-F
Hello!

we recently installed OpenBSD/amd64 on Supermicro X9DR3-F, it hangs about 1 times a day.
5.1 does not understand i350 chip, so we put external Intel PRO/1000 MT (82574L) nic.

we have ddb.panic=1, but no ddb appears on screen on hang.
also, it says savecore: no core dump during boot.

we tested RAM with memtest, so we do not suspect it for memory related issue.

how can we diagnose those hangs ?
is it ok to run 5.1 on X9DR3-F ?

do I need to provide dmesg output ? any other kind of diagnostics ?

Cheers,
Ilya Shipitsin
Re: the idea of /fastboot ?
On Wednesday, 10 October 2012, Nick Holland wrote:
> On 10/09/2012 12:55 PM, Ilya Shipitsin wrote:
> > Hello!
> >
> > I'm investigating the /etc/rc script. And I found the following there:
> >
> > if [ -e /fastboot ]; then
> >         echo "Fast boot: skipping disk checks."
> > elif [ X$1 = Xautoboot ]; then
> >         echo "Automatic boot in progress: starting file system checks."
> >
> > hmm... if I put /fastboot, no filesystem will be checked ?
>
> so says the code, yes.
>
> > how is it supposed to work for non-nfs filesystems ?
>
> properly?
>
> > they'll be not checked, too?

Just one more question. If /fastboot is present, the filesystem won't be checked, right? But how does fsck detect if there's /fastboot? Is it possible to do that without actually mounting it?

Is it possible to mount a dirty filesystem in read-only mode ? If not, it doesn't make sense at all.
Re: the idea of /fastboot ?
2012/10/11 Otto Moerbeek o...@drijf.net:
> On Thu, Oct 11, 2012 at 05:10:19PM +0600, ??? wrote:
> > On Wednesday, 10 October 2012, Nick Holland wrote:
> > > On 10/09/2012 12:55 PM, ??? wrote:
> > > > Hello!
> > > >
> > > > I'm investigating the /etc/rc script. And I found the following there:
> > > >
> > > > if [ -e /fastboot ]; then
> > > >         echo "Fast boot: skipping disk checks."
> > > > elif [ X$1 = Xautoboot ]; then
> > > >         echo "Automatic boot in progress: starting file system checks."
> > > >
> > > > hmm... if I put /fastboot, no filesystem will be checked ?
> > >
> > > so says the code, yes.
> > >
> > > > how is it supposed to work for non-nfs filesystems ?
> > >
> > > properly?
> > >
> > > > they'll be not checked, too?
> >
> > Just one more question. If /fastboot is present, the filesystem won't be checked, right? But how does fsck detect if there's /fastboot? Is it possible to do that without actually mounting it?
>
> fsck does not do anything with /fastboot. The rc script (which calls fsck) does that. During boot, the / filesystem is initially mounted read-only, and then is possibly checked by the rc script. After that, the root filesystem ro status is updated to rw.

thank you. it is clear now. very similar to Linux and FreeBSD.

> > Is it possible to mount a dirty filesystem in read-only mode ? If not, it doesn't make sense at all.
>
> Yes, you can mount a dirty filesystem with -f. Even read-write iirc. Very dangerous.

I'm struggling with 7Tb filesystems, it takes about 30 minutes to check them in case of cold reset. Too much. Very too much.

and currently, no journals or anything else which could speed up 7Tb filesystem checks ?

> -Otto
Re: the idea of /fastboot ?
2012/10/11 Jan Stary h...@stare.cz:
> > > Is it possible to mount a dirty filesystem in read-only mode ? If not, it doesn't make sense at all.
> >
> > Yes, you can mount a dirty filesystem with -f. Even read-write iirc. Very dangerous.
>
> > I'm struggling with 7Tb filesystems, it takes about 30 minutes to check them in case of cold reset. Too much. Very too much.
> >
> > and currently, no journals or anything else which could speed up 7Tb filesystem checks ?
>
> man newfs, in particular the -i option.
> What does 'df -hi' say about your filesystem?

# df -hi
Filesystem     Size    Used   Avail Capacity  iused     ifree  %iused  Mounted on
/dev/sd0a      377G    2.7G    356G     1%   158121  24804949     1%   /
/dev/sd1a      6.7T    331G    6.1T     5%     8041 228037269     0%   /big
Re: the idea of /fastboot ?
2012/10/11 Nick Holland n...@holland-consulting.net:
> ...
> > I'm struggling with 7Tb filesystems, it takes about 30 minutes to check them in case of cold reset. Too much. Very too much.
> >
> > and currently, no journals or anything else which could speed up 7Tb filesystem checks ?
>
> Almost always (in my mind/experience), file systems that big are bad design. Break your system into chunks, you will end up much happier, and I suspect your users will be, too.
>
> Advanced file systems have costs that have to be considered in system design. ZFS is everyone's favorite file system at the moment, but having played with it a bit, even if it re-released with an ISC/BSD license (don't wait up), I doubt it would ever be accepted into OpenBSD -- it's a knobfest, it's anything BUT "set it and ignore it"; it's job security for people setting up such systems.
>
> In your case...if you have multiple 500GB or 1TB file systems, you can hopefully mount most of them R/O, and not have to worry about fsck times at all.
>
> Nick.

there are http access logs for half a year. it's easier to rotate them on a single filesystem from many points of view, we also share it via samba (very tricky to share many chunks).

and it is a bad idea to mount access logs R/O. difficult to rotate.
Re: the idea of /fastboot ?
2012/10/11 Jiri B ji...@devio.us:
> On Thu, Oct 11, 2012 at 09:29:50PM +0600, Ilya Shipitsin wrote:
> > there are http access logs for half a year. it's easier to rotate them on a single filesystem from many points of view, we also share it via samba (very tricky to share many chunks).
> >
> > and it is a bad idea to mount access logs R/O. difficult to rotate.
>
> Bad design totally! I remember struggling with backup/restore times to satisfy SLA with huge filesystems having many files... And those were logs. One of the proposals we did was to split the filesystem into smaller ones and keep old logs on filesystems with read-only. Backup would be skipped, and restore (in this it was TSM) would be much faster if an image would be used.
>
> j.

they are not old logs. generally, today's log is access.log, yesterday's log is access.log.0 and so on. every rotate renames all the logs. older logs are removed. too many tricks with r/o filesystems.

also, when dealing with rotating logs within a single filesystem, it's cheap, data is not moved. and what if I want to move/rotate many-many-gigabyte logs in case of the "better design" when there are many chunks ? I guess it is a hard (and pretty useless) operation from the filesystem point of view.

ok, I can change the configs of the web-server to store logs in a different location every day. you call it better design ??
Re: OpenBSD-5.1 hangs on Supermicro X9DR3-F
2012/10/11 Kenneth R Westerback kwesterb...@rogers.com:
> On Thu, Oct 11, 2012 at 12:30:56PM +0600, ??? wrote:
> > Hello!
> >
> > we recently installed OpenBSD/amd64 on Supermicro X9DR3-F, it hangs about once a day.
> > 5.1 does not understand the i350 chip, so we put in an external Intel PRO/1000 MT (82574L) nic.
> >
> > we have ddb.panic=1, but no ddb appears on screen on hang. also, it says "savecore: no core dump" during boot.
> >
> > we tested RAM with memtest, so we do not suspect a memory related issue.
> >
> > how can we diagnose those hangs ?
> > is it ok to run 5.1 on X9DR3-F ?
> > do I need to provide dmesg output ? any other kind of diagnostics ?
> >
> > Cheers,
> > Ilya Shipitsin
>
> http://openbsd.org/report.html
>
> Ken

it just hangs silently. from the http://openbsd.org/report.html point of view it is useless. the only thing I have is dmesg output.

so, I'm asking how to collect information in case of silent hang behaviour. it will be a very useless bug report without that information. like "blah-blah-blah, it hangs about once a day. silently".
Re: the idea of /fastboot ?
On Wednesday, 10 October 2012, Nick Holland wrote:
> On 10/09/2012 12:55 PM, Ilya Shipitsin wrote:
> > Hello!
> >
> > I'm investigating the /etc/rc script. And I found the following there:
> >
> > if [ -e /fastboot ]; then
> >         echo "Fast boot: skipping disk checks."
> > elif [ X$1 = Xautoboot ]; then
> >         echo "Automatic boot in progress: starting file system checks."
> >
> > hmm... if I put /fastboot, no filesystem will be checked ?
>
> so says the code, yes.
>
> > how is it supposed to work for non-nfs filesystems ?
>
> properly?
>
> > they'll be not checked, too?
>
> I think I'm missing part of your question...but the answer is in the code, which you are already reading.

I meant, in case of NFS you don't need to fsck at all. However, there's no need to indicate such a case. mount already knows if there is nfs stuff.

> You don't normally fsck an nfs mount (that advisory has always satisfied my curiosity sufficiently, I've never actually tried it. I probably should).
>
> > is mount able to work with a dirty filesystem ?
>
> for some definition of "work with" -- default is to refuse to mount dirty file systems.
>
> > what will happen if I put /fastboot and a cold reset (which leaves filesystems dirty) occurs ?
>
> try it and find out?
>
> /fastboot is a marker to indicate the system was shut down cleanly, not a user-knob to twist for giggles. If you deliberately place a marker that is supposed to indicate the file system was shut down cleanly when it wasn't, you will break things. The good news is, you get to keep all the pieces. The other good news is it will be fairly easy to fix.

I got an idea. It won't help to mount dirty filesystems (like the error-behaviour flag in case of ext4), it is just a relic, which was occasionally removed :)

> Great news.
>
> Nick.
the idea of /fastboot ?
Hello!

I'm investigating the /etc/rc script. And I found the following there:

if [ -e /fastboot ]; then
        echo "Fast boot: skipping disk checks."
elif [ X$1 = Xautoboot ]; then
        echo "Automatic boot in progress: starting file system checks."

hmm... if I put /fastboot, no filesystem will be checked ?
how is it supposed to work for non-nfs filesystems ?
is mount able to work with a dirty filesystem ?
what will happen if I put /fastboot and a cold reset (which leaves filesystems dirty) occurs ?

Cheers,
Ilya Shipitsin
Re: kern.maxclusters vs syn proxy
Great!

On 04.10.2012 16:52, Henning Brauer lists-open...@bsws.de wrote:
> * Tyler Morgan tyl...@tradetech.net [2012-10-02 18:31]:
> > which links to:
> > http://www.openbsd.org/faq/pf/filter.html#synproxy
> > which gets far from saying what Henning said.
>
> this has been fixed.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
> Henning Brauer Consulting, http://henningbrauer.com/
Re: kern.maxclusters vs syn proxy
2012/8/23 Claudio Jeker cje...@diehard.n-r-g.com:
> On Thu, Aug 23, 2012 at 12:17:04AM +0600, ??? wrote:
> > Hello!
> >
> > we are running a high load https server on OpenBSD, so there are questions on performance:
> >
> > since we already had to increase the kern.maxclusters value, I guess default OpenBSD settings are not very good for a high load https server ?
> >
> > in order to protect our server from denial of service, we can either
> >
> > a) increase kern.maxclusters to some huge value
>
> It is OK to increase kern.maxclusters, the default is good enough for 90% of the people but some systems need more. Calculate how much memory will be consumed by the clusters and compare it to the free memory reported by top. You don't want to run userland out of memory by buffering in the kernel. On the other hand you want enough maxclusters to make the system run smoothly.

so, there's no harm in huge kern.maxclusters values ? (as long as I keep enough memory for userland)

> > b) turn on syn proxy in PF
>
> Syn proxy will only protect you from syn attacks. For this there is also the syn cache used by the network stack. The syn cache will only allocate a full PCB when the handshake completed so it behaves similar to the syn proxy in PF.

is syn cache enabled by default ? am I right that syn cache does almost the same as syn proxy ?

> > does someone have experience with such high load applications and can tell me pro et contra for each solution?
> >
> > why is syn proxy not enabled by default ?
>
> Because it has bad side-effects. Like accepting a connection before the actual server accepted it. So it is hard to signal closed ports back.

any other side-effect ?

> --
> :wq Claudio
kern.maxclusters vs syn proxy
Hello!

we are running a high load https server on OpenBSD, so there are questions on performance:

since we already had to increase the kern.maxclusters value, I guess default OpenBSD settings are not very good for a high load https server ?

in order to protect our server from denial of service, we can either

a) increase kern.maxclusters to some huge value
b) turn on syn proxy in PF

does someone have experience with such high load applications and can tell me pro et contra for each solution?

why is syn proxy not enabled by default ?

Ilya Shipitsin
missing /etc/fstab
Hello!

I remember some early 5.1 snapshot which installed and successfully ran without /etc/fstab. however, 5.1-RELEASE came with /etc/fstab.

it would be nice to move a system from one server to another without having to bother about /etc/fstab (I moved several of them due to buggy hardware).

is it possible to run without /etc/fstab ? is it a supported configuration ?

Cheers,
Ilya Shipitsin
Re: Virtualizing firewalling scenarios in one physical OpenBSD host
Look at www.fwbuilder.org

It is good. It even has commercial support if you like.

On Wednesday, 4 July 2012, C. L. Martinez wrote:
> Hi all,
>
> I wonder if with OpenBSD it is possible to create virtualized firewalled implementations of conventional physical topologies and designs such as central and remote DMZs (my question has nothing to do with virtualization platforms like ESXi/vSphere or Xen or KVM), like for example CheckPoint VSX does: http://www.checkpoint.com/products/vpn-1-power-vsx/index.html.
>
> The idea is to configure different security scenarios on a single system. Is it possible?? Some example??
>
> Thanks.
how to configure DHCP on trunk interfaces ?
Hello!

it works for em0, if I put "dhcp" in hostname.em0.

is it possible to do with trunk0 ? can anybody give a working example ?

Cheers,
Ilya Shipitsin
PF and ftp: to use or not to use ftp-proxy ?
Hello!

I managed to get ftp through PF working either without ftp-proxy ...

match in inet proto tcp from any to $external port = ftp rdr-to $internal port 21
match in inet proto tcp from any port = ftp-data to $external port 1024:65535 rdr-to $internal port 1024:65535
match in inet proto tcp from any to $external port = ftp-data rdr-to $internal port 20

or with ftp-proxy...

pass in quick on vlan5 inet proto tcp from any to $external port ftp divert-to 127.0.0.1 port 8021

/etc/rc.local:
/usr/sbin/ftp-proxy -p 8021 -R $internal -P 21 -D7 -v

I asked the question "is it possible to use multiple instances of ftp-proxy" and it turned out that several people are running reverse ftp-proxy in production.

so... can anybody help me to choose between the two options above ? with ftp-proxy or without ftp-proxy ?

Cheers,
Ilya Shipitsin
multiple instances of ftp-proxy ?
Hello!

is anybody running multiple instances of ftp-proxy in reverse mode?

I'm afraid of "anchor ftp-proxy/*": ftp-proxy doesn't allow specifying the anchor, also, many instances of ftp-proxy can break each other's anchors.

can somebody provide me with an example of multiple ftp-proxies ?

Cheers,
Ilya Shipitsin
how to use patterns with newsyslog ?
Hello!

I tried to use

/big/nginx/*.log    644  100    10   *    Z   /var/run/nginx.pid   SIGUSR1

in order to rotate many files at once, but even "newsyslog -v" shows nothing.

is it possible to use patterns with newsyslog ?

Cheers,
Ilya Shipitsin
similar behaviour to Linux netstat -lpn ?
Hello!

I'd like to see every program (with program name) that listens on something on the network. I can achieve that on Linux by running netstat -lpn, like that:

server:~# netstat -lpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      411/master
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      428/smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      428/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      263/portmap
tcp        0      0 127.0.0.1:20209         0.0.0.0:*               LISTEN      8547/dkim-filter
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      343/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      343/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           263/portmap
udp        0      0 0.0.0.0:37764           0.0.0.0:*                           8547/dkim-filter
udp        0      0 127.0.0.2:137           0.0.0.0:*                           421/nmbd
udp        0      0 192.168.7.21:137        0.0.0.0:*                           421/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           421/nmbd
udp        0      0 127.0.0.2:138           0.0.0.0:*                           421/nmbd
udp        0      0 192.168.7.21:138        0.0.0.0:*                           421/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           421/nmbd

is there a similar thing for OpenBSD ?

Cheers,
Ilya Shipitsin
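The post asks for a listening-socket inventory; the output format it shows is the Linux `netstat -lpn` one. The following is an added example (not from the post or from any OpenBSD tool) that parses that format into records and separates loopback-only listeners from those reachable over the network, which is the question a defender usually wants answered from such a listing. The sample text is constructed, modelled on the lines quoted in the post, with one extra entry using `-` in the PID/Program column (what netstat prints when the owning process is not visible to the caller).

```python
"""Turn Linux `netstat -lpn` output into an inventory of listening sockets."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, modelled on the output quoted in the post.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      411/master
tcp        0      0 127.0.0.1:20209         0.0.0.0:*               LISTEN      8547/dkim-filter
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      343/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      343/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           263/portmap
udp        0      0 192.168.7.21:137        0.0.0.0:*                           421/nmbd
udp        0      0 127.0.0.2:138           0.0.0.0:*                           -
"""

# proto, Recv-Q, Send-Q, local, foreign, optional LISTEN state (tcp only), PID/Program
LINE_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(?:LISTEN\s+)?(\S+)\s*$"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: Optional[int]   # None when netstat printed "-"
    program: str

    def is_loopback(self) -> bool:
        return self.addr.startswith("127.") or self.addr == "::1"

    def is_wildcard(self) -> bool:
        return self.addr in ("0.0.0.0", "::")


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'0.0.0.0:25' -> ('0.0.0.0', 25); ':::22' -> ('::', 22)."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port)


def parse_netstat(text: str) -> List[Listener]:
    listeners: List[Listener] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:            # banner and header lines do not match
            continue
        proto, local, _foreign, owner = m.groups()
        addr, port = _split_endpoint(local)
        if owner == "-":
            pid, program = None, "-"
        else:
            pid_str, program = owner.split("/", 1)
            pid = int(pid_str)
        listeners.append(Listener(proto, addr, port, pid, program))
    return listeners


def exposed(listeners: List[Listener]) -> List[Listener]:
    """Listeners reachable from outside the host: anything not bound to loopback."""
    return [l for l in listeners if not l.is_loopback()]


def by_program(listeners: List[Listener]) -> Dict[str, Set[Tuple[str, int]]]:
    """Map program name -> set of (proto, port) it listens on."""
    out: Dict[str, Set[Tuple[str, int]]] = {}
    for l in listeners:
        out.setdefault(l.program, set()).add((l.proto, l.port))
    return out


if __name__ == "__main__":
    inventory = parse_netstat(SAMPLE)
    for l in exposed(inventory):
        print(f"{l.proto:5} {l.addr}:{l.port:<6} {l.program} (pid {l.pid})")
```

`exposed()` treats every non-loopback bind as reachable, including binds to a specific interface address such as 192.168.7.21; the `is_wildcard()` helper is there for the stricter view of sockets bound to all addresses.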
Re: Is nginx to complement or replace apache?
nginx is a great piece of software, but it doesn't do CGI, how will users run bgplg, for example ?

On 28 March 2012 at 18:39, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote:
> Knowing nginx is on its way to base and having just seen some fixes for nginx on gentoo (some CVEs from 2009).
>
> Is nginx going to complement apache in case users want features/prefer it or replace apache as apache can no longer have time spent on it?
>
> Also, does anyone know if there are any CVEs applicable to base apache currently?
Re: may 7 carp addresses be too much on 5.0/amd64 ?
it doesn't match the FAQ, but it works.

my fail was using

nat from 192.168.0.0/16 to !192.168.0.0/16

and it affected CARP traffic, because of its multicast nature (it matched !192.168.0.0/16)

not many people read the FAQ actually. I like the idea of OpenBSD just working out of the box, it's more about how people think and do.

On 13 March 2012 at 14:52, Janne Johansson icepic...@gmail.com wrote:
> 2012/3/4 Ilya Shipitsin chipits...@gmail.com:
> > thanks to Camiel Dobbelaar, carp log at 6 showed an ip_output problem, which led me to:
> >
> > pass quick proto carp no state
>
> Which doesn't match the PF FAQ which says:
>
> "Since CARP is its own protocol it should have an explicit pass rule in filter rulesets:
> pass out on $carp_dev proto carp keep state"
>
> I'll test the "no state" as soon as I can rig one of my previously failing boxes to not use my carppeer workaround.
>
> > it did the job (I still do not understand how the firewall passed 6 interfaces and blocked the 7th, need to have a closer look, but after that rule everything became ok, pf stopped blocking carp announces)
> >
> > On 2 March 2012 at 21:31, favar 889...@gmail.com wrote:
> > > hi list,
> > > we have the same problem with carp. (with 45 ip addresses) and after reboot, host with advskew 200 became master, and with advskew 1 - slave.
> > >
> > > 2012/3/2 Ilya Shipitsin chipits...@gmail.com:
> > > > no, I copied hostname.carpXX, just added advskew 200
> > > > parameters are the same.
> > > >
> > > > On 2 March 2012 at 15:25, Otto Moerbeek o...@drijf.net wrote:
> > > > > On Fri, Mar 02, 2012 at 01:53:17PM +0500, ??? wrote:
> > > > > > hello!
> > > > > >
> > > > > > we are running CARP-ed load balancers (carp over different vlans). it was running just great with 6 carp addresses. when we added the 7th, randomly we get MASTERs on both servers for a certain carp interface. After reboot we can get a different carp interface in dual MASTER state, and so on.
> > > > > >
> > > > > > carp negotiations are ok, tcpdump shows them all. both peers see each other. if I put one interface into BACKUP state, it goes to MASTER soon.
> > > > > >
> > > > > > we are running 5.0/amd64
> > > > > >
> > > > > > Cheers,
> > > > > > Ilya Shipitsin
> > > > >
> > > > > Carefully compare the address lists (including masks) on both machines. Likely they are not the same.
> > > > >
> > > > > -Otto
>
> --
> To our sweethearts and wives. May they never meet.
> -- 19th century toast
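The root cause reported above is that a NAT rule written as `from 192.168.0.0/16 to !192.168.0.0/16` also catches CARP advertisements, whose destination is the multicast group 224.0.0.18. The block below is an added example, not anything from the thread: a deliberately simplified model of PF rule evaluation (rules walked in order, `match` rules apply their options and keep going, `quick` stops evaluation, state tracking ignored) that shows why the negated destination matches the advertisement and why a `pass quick proto carp` rule placed ahead of the NAT rule keeps the advertisement out of translation. The thread itself only reports that the rule worked; the rule ordering, the 192.168.5.x sources and the 203.0.113.1/198.51.100.7 addresses are constructed.

```python
"""Why `to !192.168.0.0/16` also matches CARP, modelled with a tiny PF-like evaluator."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

CARP_MCAST = "224.0.0.18"  # destination address of CARP advertisements


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                   # "match" or "pass"
    proto: Optional[str] = None   # None matches any protocol
    src: Optional[str] = None     # CIDR; a leading "!" negates
    dst: Optional[str] = None
    quick: bool = False
    nat_to: Optional[str] = None  # translation address carried by a match rule


def addr_matches(spec: Optional[str], addr: str) -> bool:
    """Does `addr` satisfy a PF-style address spec such as '!192.168.0.0/16'?"""
    if spec is None:
        return True
    negated = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    inside = ipaddress.ip_address(addr) in net
    return not inside if negated else inside


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Simplified PF semantics: return (verdict, nat_to) for one packet.

    match rules set options and continue; pass rules set the verdict;
    the last matching rule wins unless a matching rule is `quick`.
    Default verdict is block, i.e. a default-deny ruleset is assumed.
    """
    verdict, nat_to = "block", None
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "match":
            if rule.nat_to is not None:
                nat_to = rule.nat_to
        else:
            verdict = rule.action
        if rule.quick:
            break
    return verdict, nat_to


# The NAT rule from the thread, with a constructed external address.
NAT_RULE = Rule("match", src="192.168.0.0/16", dst="!192.168.0.0/16",
                nat_to="203.0.113.1")

# Constructed "before": CARP is passed, but only after the NAT match has applied.
BROKEN = [NAT_RULE, Rule("pass", proto="carp"), Rule("pass")]

# Constructed "after": the thread's `pass quick proto carp` ahead of the NAT rule.
FIXED = [Rule("pass", proto="carp", quick=True), NAT_RULE, Rule("pass")]

CARP_ADVERT = Packet("carp", "192.168.5.2", CARP_MCAST)      # constructed source
WEB_CLIENT = Packet("tcp", "192.168.5.20", "198.51.100.7")  # constructed


if __name__ == "__main__":
    print("broken:", evaluate(BROKEN, CARP_ADVERT))  # ('pass', '203.0.113.1')
    print("fixed: ", evaluate(FIXED, CARP_ADVERT))   # ('pass', None)
    print("client:", evaluate(FIXED, WEB_CLIENT))    # ('pass', '203.0.113.1')
```

The `WEB_CLIENT` packet is included to show that the fix is selective: ordinary traffic from the 192.168.0.0/16 side is still translated under the corrected ordering, only the CARP advertisement escapes the NAT rule.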
Re: Trusting the Installation
we tried those certs. they are not trusted by mobile devices.
and those certificates are free only for 3 months (you are supposed to buy them after that).
so, it's marketing stuff, not a real deal.

On 5 March 2012 at 13:49, Hugo Osvaldo Barrera h...@osvaldobarrera.com.ar wrote:
> On 2012-03-04 07:05, Ilya Shipitsin wrote:
> > if you mean public SSL certs, it's about $500/year. are you willing to pay for SSL certs ? I can do the rest. I have installed tens of ssl-enabled services.
>
> Slightly OT: StartSSL offers free certificates trusted by every browser, so you're just exaggerating - a lot.
>
> --
> Hugo Osvaldo Barrera
Re: Trusting the Installation
I'd agree that the 100% paranoid will never trust the hardware vendor as well. Only own-manufactured components should be used, in conjunction with md5/sha1 checksum evaluation and source code audit.

On 5 March 2012 at 17:00, Rudolf Leitgeb rudolf.leit...@gmx.at wrote:
> On Monday, 5 March 2012, 10:12:02, Ilya Shipitsin wrote:
> > P.S. I'm not paranoid, but I respect people being paranoid if they want to.
>
> You can be paranoid about the sources and binaries all you want, but you still don't know the CPU which executes all that code. Even if Intel/AMD would give you full access to their CPU blue prints, the chip foundry could add things you would not notice.
>
> That's the reason why companies which make secure encryption devices would never trust any CPU/OS combo. Depending on paranoia they offer you either an FPGA based solution or a hard wired one from logic ICs.
>
> And even if you create the most trusted device, using nothing but 100 year old relays and passive components, you are still prone to the "we will whack you with a wrench if you don't give me your keys" attack. Very, very effective.
Re: Google SoC 2012 is accepting open source organisations
On 5 March 2012 at 21:55, Tomas Bodzar tomas.bod...@gmail.com wrote:
> On Mon, Mar 5, 2012 at 3:27 PM, Kenneth R Westerback kwesterb...@rogers.com wrote:
> > On Mon, Mar 05, 2012 at 07:04:06AM +0100, Tomas Bodzar wrote:
> > > On Mon, Mar 5, 2012 at 3:04 AM, Theo de Raadt dera...@cvs.openbsd.org wrote:
> > > > > But again. OpenBSD tried at least two times before to apply, but was not accepted by Google
> > > >
> > > > That is false.
> > > >
> > > > We were approached by Google people to participate, but we can find noone in our project who will accept signing their contract. We told them that was a problem. They chose not to find a way around the problem.
> > > >
> > > > That is not the same as what you said, so what you said was false, yes, what you said was a lie.
> > >
> > > So probably Kenneth lied as well http://marc.info/?l=openbsd-misc&m=120661469904489&w=2 ;-) But I don't think so.
> >
> > 1) The OpenBSD Foundation is NOT OpenBSD.
> >
> > 2) That application never elicited a reply from Google, so no contract to read or sign was presented or known of.
> >
> > 3) At some later point the required contract was obtained and, as Theo has said, nobody in the OpenBSD project or at the OpenBSD Foundation was interested in signing it after reading it.
>
> Thx for your details about that particular case.
>
> > Ken
>
> BTW https://groups.google.com/group/google-summer-of-code-discuss/msg/87feaa296ee2792d?pli=1
>
> Now I'm just curious why they don't have a list of NOT accepted projects anywhere on their sites, but it doesn't matter here of course.

it was me :-)

I was told by google people to work directly with the community, but they said I could apply either for mentoring or for whatever I'm eligible to. Lots of blah-blah-blah.

they didn't say that Theo refused to sign any paper. Just wonder, what kind of responsibility was that paper about ? Accepting students' code into the OpenBSD code base or something ?

Cheers,
Ilya Shipitsin
Re: Google SoC 2012 is accepting open source organisations
On 6 March 2012 at 0:15, Bob Beck b...@openbsd.org wrote:
> > they didn't say that Theo refused to sign any paper. Just wonder, what kind of responsibility was that paper about ? Accepting students' code into the OpenBSD code base or something ?
>
> No, it's actually about personal liability for the mentor (i.e. me) for taxes and other such nonsense. Google SOC actually does *not* require that the code be accepted into the project at the end.
>
> Fundamentally, I have no objections to the principle of summer of code, it's the byzantine paperwork and scary contract I have to sign as a mentor to do this for you. I'm more than willing to hang my personal ass out there a little bit for this, working at a university I can sort of blah blah blah a lot of the legal crap when it comes to students, but I do have my limits.. sorry... and as soon as I delete objectionable bits in the contract, the dialogue with the Googlers stops, I suspect because they can't get any traction with their internal legal people.

as far as I understand, there are 5 parties:

1) government (they want taxes to be paid)
2) Google (they spent money on SoC)
3) opensource organizations
4) mentors
5) students

at first, I'd notice, 3) != 4), right ? I can apply for mentoring after OpenBSD is in the list of opensource organizations, but that isn't mentoring itself ?

at second, taxes are rather a government thing, not a googlish one ? why should I sign something with Google about taxes ? It doesn't make any sense.

Cheers,
Ilya Shipitsin
Re: Trusting the Installation
On 29 February 2012 at 8:44, Nathan Stiles stiles.nat...@gmail.com wrote:
> Hello,
>
> I've recently installed 5.0 and based upon my experience I expected a checksum to be posted for the ISO. Also I've noticed that HTTPS isn't implemented on openbsd.org. I was also expecting the checksum to be served over HTTPS.

if you mean public SSL certs, it's about $500/year. are you willing to pay for SSL certs ? I can do the rest. I have installed tens of ssl-enabled services.

> I'm sure there's a good reason why this isn't necessary?

the reason is you can download the source code, look at it, make sure for yourself there are no backdoors, and build your own ISO from the source code.

I wonder why you are not doing that with every ISO (which you prefer to download via torrent).

> I want to check the files I've downloaded against something? Obviously I can check a few random mirrors to ensure that files are identical. What are others doing?

others are doing what they want :-) it's open source. you can also do what you want.

> Thanks,
> Nathan
Re: may 7 carp addresses be too much on 5.0/amd64 ?
thanks to Camiel Dobbelaar, carp log at 6 showed an ip_output problem, which led me to:

pass quick proto carp no state

it did the job (I still do not understand how the firewall passed 6 interfaces and blocked the 7th, need to have a closer look, but after that rule everything became ok, pf stopped blocking carp announces)

On 2 March 2012 at 21:31, favar 889...@gmail.com wrote:
> hi list,
> we have the same problem with carp. (with 45 ip addresses) and after reboot, host with advskew 200 became master, and with advskew 1 - slave.
>
> 2012/3/2 Ilya Shipitsin chipits...@gmail.com:
> > no, I copied hostname.carpXX, just added advskew 200
> > parameters are the same.
> >
> > On 2 March 2012 at 15:25, Otto Moerbeek o...@drijf.net wrote:
> > > On Fri, Mar 02, 2012 at 01:53:17PM +0500, ??? wrote:
> > > > hello!
> > > >
> > > > we are running CARP-ed load balancers (carp over different vlans). it was running just great with 6 carp addresses. when we added the 7th, randomly we get MASTERs on both servers for a certain carp interface. After reboot we can get a different carp interface in dual MASTER state, and so on.
> > > >
> > > > carp negotiations are ok, tcpdump shows them all. both peers see each other. if I put one interface into BACKUP state, it goes to MASTER soon.
> > > >
> > > > we are running 5.0/amd64
> > > >
> > > > Cheers,
> > > > Ilya Shipitsin
> > >
> > > Carefully compare the address lists (including masks) on both machines. Likely they are not the same.
> > >
> > > -Otto
how to update cpu microcode ?
Hello!

I observe a strange problem on Supermicro X8DTN+-F with OpenBSD-5.0/amd64: when I reboot it, sometimes it gets broken, i.e. it doesn't start, I cannot manage it via IPMI.

I suspect cpu microcode (it is put via ACPI into an unconditional state). is there a way to install microcode on OpenBSD ? as far as I understand, I need to load microcode every time the cpu starts.

cheers,
Ilya Shipitsin
Re: Trusting the Installation
I do not check the code :-)

but every paranoid user who doesn't trust the ISP (they could swap the ISO image), who doesn't trust public SSL companies (they are known to sell a google certificate to the Iranian government), who doesn't trust the post office (they could swap CDs), who doesn't trust the developers (they can leave a backdoor in the code) can do that.

it is open source, you can do whatever you want actually.

P.S. I'm not paranoid, but I respect people being paranoid if they want to.

On 4 March 2012 at 18:07, Martin Schröder mar...@oneiros.de wrote:
> 2012/3/4 Ilya Shipitsin chipits...@gmail.com:
> > the reason is you can download the source code, look at it, make sure for yourself there are no backdoors, and build your own ISO from the source code.
>
> Who does that? Did _you_ check the code?
>
> Best
> Martin
Re: may 7 carp addresses be too much on 5.0/amd64 ?
I performed tcpdump on the appropriate vlan on BOTH SERVERS, I see only advskew=200 announces. MASTER with advskew=0 does not do any advertisement.

22:22:37.296866 CARPv2-advertise 36: vhid=60 advbase=1 advskew=200 demote=2 (DF) [tos 0x10]
22:22:39.096900 CARPv2-advertise 36: vhid=60 advbase=1 advskew=200 demote=2 (DF) [tos 0x10]

On 2 March 2012 at 16:14, Otto Moerbeek o...@drijf.net wrote:
> On Fri, Mar 02, 2012 at 02:53:31PM +0500, ??? wrote:
> > no, I copied hostname.carpXX, just added advskew 200
> > parameters are the same.
>
> To be 100% sure, also look at ifconfig carpXX on both machines.
>
> -Otto
>
> > On 2 March 2012 at 15:25, Otto Moerbeek o...@drijf.net wrote:
> > > On Fri, Mar 02, 2012 at 01:53:17PM +0500, ??? wrote:
> > > > hello!
> > > >
> > > > we are running CARP-ed load balancers (carp over different vlans). it was running just great with 6 carp addresses. when we added the 7th, randomly we get MASTERs on both servers for a certain carp interface. After reboot we can get a different carp interface in dual MASTER state, and so on.
> > > >
> > > > carp negotiations are ok, tcpdump shows them all. both peers see each other. if I put one interface into BACKUP state, it goes to MASTER soon.
> > > >
> > > > we are running 5.0/amd64
> > > >
> > > > Cheers,
> > > > Ilya Shipitsin
> > >
> > > Carefully compare the address lists (including masks) on both machines. Likely they are not the same.
> > >
> > > -Otto
may 7 carp addresses be too much on 5.0/amd64 ?
hello!

we are running CARP-ed load balancers (carp over different vlans). it was running just great with 6 carp addresses. when we added the 7th, randomly we get MASTERs on both servers for a certain carp interface. After reboot we can get a different carp interface in dual MASTER state, and so on.

carp negotiations are ok, tcpdump shows them all. both peers see each other. if I put one interface into BACKUP state, it goes to MASTER soon.

we are running 5.0/amd64

Cheers,
Ilya Shipitsin
Re: may 7 carp addresses be too much on 5.0/amd64 ?
no, I copied hostname.carpXX, just added advskew 200
parameters are the same.

On 2 March 2012 at 15:25, Otto Moerbeek o...@drijf.net wrote:
> On Fri, Mar 02, 2012 at 01:53:17PM +0500, ??? wrote:
> > hello!
> >
> > we are running CARP-ed load balancers (carp over different vlans). it was running just great with 6 carp addresses. when we added the 7th, randomly we get MASTERs on both servers for a certain carp interface. After reboot we can get a different carp interface in dual MASTER state, and so on.
> >
> > carp negotiations are ok, tcpdump shows them all. both peers see each other. if I put one interface into BACKUP state, it goes to MASTER soon.
> >
> > we are running 5.0/amd64
> >
> > Cheers,
> > Ilya Shipitsin
>
> Carefully compare the address lists (including masks) on both machines. Likely they are not the same.
>
> -Otto
carp and disk drive fault
hello!

today we encountered a situation with faulty drives. we met it earlier, but today was very strange, carp was running, but applications were not running due to disk failure.

it seems that a carp firewall/router is a good solution, but running applications on a carp server is not very good.

does anyone have experience with ifstated + drive failure diagnostics ?

Cheers,
Ilya Shipitsin

[demime 1.01d removed an attachment of type image/jpeg which had a name of openbsd-drive-fault.jpg]
Re: android sdk on openbsd
That's worth publishing at undeadly.org, I think

On 16.02.2012 4:57, frantisek holop min...@obiit.org wrote:
> hi there,
>
> i wanted to try at least a hello world on android. so i installed some linux on a usb stick to use as a mobile development environment. it went rather well, using the official hello world tutorial, eclipse and ADT.
>
> but eclipse is not my thing really and as many components needed for android development run on openbsd, and there is linux emulation (must be on for this) i started wondering how far could i get on openbsd before using linux as a crutch. turns out, looong way.
>
> the development flow is basically: write code, make apk, install apk on phone/emulator, run apk, (get rich).
>
> first things first, had to cheat to get the SDK. the initial download android-sdk_r16-linux.tgz contains only scaffolding to get the real thing. it is in java, but unfortunately swt (part of eclipse) from ports is too old and i couldn't use the GUI or install ADT (Android Development Tools). TODO: try to update the eclipse port. but as i already had all of it on the linux stick, i simply rsync-ed it over under ~/android-sdk
>
> $ ls -1 android-sdk
> SDK Readme.txt
> add-ons/
> docs/
> platform-tools/
> platforms/
> samples/
> sources/
> system-images/
> temp/
> tools/
>
> $ sudo pkg_add jdk apache-ant
> $ export PATH=$PATH:/usr/local/jdk-1.7.0/bin:$HOME/android-sdk/tools:$HOME/android-sdk/platform-tools
> $ java -version
> openjdk version 1.7.0
> OpenJDK Runtime Environment (build 1.7.0-b00)
> OpenJDK Server VM (build 21.0-b17, mixed mode)
>
> apply the attached patch to dx.
>
> these are the API's i have installed using linux:
>
> $ android list target | grep ^id
> id: 1 or android-3
> id: 2 or Google Inc.:Google APIs:3
> id: 3 or android-7
> id: 4 or Google Inc.:Google APIs:7
> id: 5 or android-15
> id: 6 or Google Inc.:Google APIs:15
>
> i will use id 3 (Android 2.1.x Eclair)
>
> HelloAndroid.java is also attached
>
> $ cd src/android/hello
> ~/src/android/hello$ android create project -t 3 -n HelloPuffy -p . -k com.puffy.hello -a HelloPuffy
> ~/src/android/hello$ cp ~/HelloAndroid.java src/com/puffy/hello/
> ~/src/android/hello$ ant debug
>
> if i did not leave out something, the output should finish with:
>
> BUILD SUCCESSFUL
> Total time: 7 seconds
>
> for now i upload the apk files using ftp (swiftp on android).
> http://obiit.org/f/hello.png
>
> obviously, this is a suboptimal solution, and there is the emulator... let's see how far that goes.
>
> ~/src/android/hello$ android create avd -n puffy_avd -t 3
> Auto-selecting single ABI armeabi
> Android 2.1 is a basic Android platform.
> Do you wish to create a custom hardware profile [no]
> Created AVD 'puffy_avd' based on Android 2.1, ARM (armeabi) processor,
> with the following hardware config:
> hw.lcd.density=240
> vm.heapSize=24
>
> unfortunately 'emulator' uses /proc to determine its own path, so we need to trick it:
>
> ~/src/android/hello$ sudo ln -s ~/android-sdk/tools/emulator /proc/self/exe
> ~/src/android/hello$ emulator -avd puffy_avd
> emulator: ERROR: _camera_device_open: Cannot open camera device '/dev/video0': No such device or address
> emulator: warning: opening audio input failed
> emulator: WARNING: Unable to create sensors port: Connection refused
>
> masaka! stupefaction
>
> http://obiit.org/f/android-emulator-on-openbsd.jpg
> http://obiit.org/f/android-emulator-on-openbsd2.jpg
>
> and it's fast compared to the linux stick. just wow.
>
> now the bad news. adb does not work. i have asked about it some time ago on ports@ as having a native adb just by itself would be great to push apk's, shell, root, etc.
> http://marc.info/?l=openbsd-misc&m=131809077812364&w=2
> some responses indicated it's already work in progress.
> TODO: get adb to work
> adb source: https://github.com/android/platform_system_core
>
> so this is it, perhaps because i started out with zero expectations, this is a massive happy end. of course, hello world is just that. it remains to be seen if more complicated projects can be compiled.
>
> -f
> --
> most days the only good thing on tv is the vase.
--- android-sdk/platform-tools/dx.orig Wed Feb 15 21:42:04 2012 +++ android-sdk/platform-tools/dx Tue Feb 14 21:29:26 2012 @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh # # Copyright (C) 2007 The Android Open Source Project # @@ -56,6 +56,7 @@ # By default, give dx a max heap size of 1 gig. This can be overridden # by using a -J option (see below). defaultMx=-Xmx1024M +defaultMx=-Xmx512M # The following will extract any initial parameters of the form # -Jstuff from the command line and pass them to the Java package com.puffy.hello; import android.app.Activity; import android.os.Bundle; import android.widget.TextView; public class HelloPuffy extends Activity { /** Called when the activity is first created. */ @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main);
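Review bot: the shebang hunk changes the interpreter from bash to sh without touching the rest of the script, so any bash-only construct further down in dx (arrays, `[[ ]]`, `${var//pat/repl}`) would now fail at run time under OpenBSD's /bin/sh; run the script through `sh -n` and review it for bashisms before relying on this change, and state the reason for the switch in the patch description.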
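Review bot: in the `defaultMx` hunk the new `+defaultMx=-Xmx512M` is appended after the unchanged `defaultMx=-Xmx1024M` rather than replacing it, which leaves a dead first assignment and makes the comment above it ("give dx a max heap size of 1 gig") wrong; turn the two lines into a `-`/`+` pair and update the comment so the reduced 512M default is visible to the next reader.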
linux xterm + openbsd vi
Hello! is anybody using linux xterm (or gnu terminal) + openbsd vi? it breaks the home/end keys. Google says things about utf-8 and non-utf8 terminals; some people say to fix terminfo/termcap. I do not have any idea what exactly to fix there. I tried things, without result. any advice? Ilya Shipitsin
Re: how to move advskew out of hostname.carpXXX ?
I wonder if /etc/rc.conf.local is included into the hostname.xxx scripts? if so, I could use advskew=100 in rc.conf.local and $advskew in hostname.xxx later

On 14 Feb 2012 23:29, Stuart Henderson s...@spacehopper.org wrote:

On 2012-02-13, Ilya Shipitsin chipits...@gmail.com wrote:

Hello! I'd like to sync the /etc/hostname.carpXXX files between MASTER and BACKUP; the only difference, of course, is the advskew parameter. Is there a way to specify it in a different config file? I saw a bug report on fwbuilder (www.fwbuilder.org) which describes something called create_args_carp0, but I didn't find any other presence of it: see #2636 carp : Incorrect output in rc.conf.local format. Should use create_args_carp0 instead of ifconfig_carp0 to set up CARP interface vhid, pass and adskew parameters. Cheers, Ilya Shipitsin

Adding something like this currently seems to work, but it's pretty dirty:

`cat /etc/advskew`
how to move advskew out of hostname.carpXXX ?
Hello! I'd like to sync the /etc/hostname.carpXXX files between MASTER and BACKUP; the only difference, of course, is the advskew parameter. Is there a way to specify it in a different config file? I saw a bug report on fwbuilder (www.fwbuilder.org) which describes something called create_args_carp0, but I didn't find any other presence of it:

see #2636 carp : Incorrect output in rc.conf.local format. Should use create_args_carp0 instead of ifconfig_carp0 to set up CARP interface vhid, pass and adskew parameters.

Cheers, Ilya Shipitsin
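One way to get the "identical files plus one local value" setup asked for here, without putting a backtick inside hostname.if as in the reply above: an added example (not code from the thread or from OpenBSD) that renders a shared hostname.carpN template with a per-host advskew read at deploy time, and refuses to install anything that is out of range or still contains a template token. The @ADVSKEW@ token, the file names and the 192.0.2.10/26 address are assumptions; the password in the template is a placeholder.

```shell
#!/bin/sh
# Added example for the advskew thread; not code from the thread or from
# OpenBSD. Both CARP hosts carry the same hostname.carpN template and a tiny
# per-host advskew file; at deploy time the template is rendered with the
# host's value instead of letting hostname.if shell out to `cat /etc/advskew`.
# The @ADVSKEW@ token, the file names and the addresses are assumptions.

# advskew is an 8-bit field; ifconfig(8) accepts 0-254.
advskew_valid() {
	case $1 in
		'' | *[!0-9]*) return 1 ;;
	esac
	[ "$1" -ge 0 ] && [ "$1" -le 254 ]
}

# render_hostname_carp <advskew>  (template on stdin, rendered file on stdout)
# Fails on an invalid skew or when an @TOKEN@ is left unfilled, so a broken
# template can never reach /etc.
render_hostname_carp() {
	skew=$1
	advskew_valid "$skew" || { echo "bad advskew: '$skew'" >&2; return 1; }
	out=$(sed "s/@ADVSKEW@/$skew/g")
	case $out in
		*@[A-Z]*@*) echo "unfilled token in template" >&2; return 1 ;;
	esac
	printf '%s\n' "$out"
}

# install_hostname_carp <template> <advskew file> <destination>
# Writes via a temp file and keeps hostname.if's 0640 mode (it holds the pass).
install_hostname_carp() {
	tmpl=$1 skewfile=$2 dest=$3
	skew=$(head -n 1 "$skewfile" | tr -d '[:space:]')
	tmp=$(mktemp "$dest.XXXXXX") || return 1
	if render_hostname_carp "$skew" < "$tmpl" > "$tmp"; then
		chmod 0640 "$tmp" && mv "$tmp" "$dest"
	else
		rm -f "$tmp"
		return 1
	fi
}

# Constructed template in the shape of the thread's hostname.carp2; the
# address and password are placeholders.
CARP_TEMPLATE='vhid 62 pass examplepass carpdev vlan2 192.0.2.10/26 advskew @ADVSKEW@'

# Stand-alone demo: the MASTER gets 0, the BACKUP gets 100, 300 is rejected.
printf '%s\n' "$CARP_TEMPLATE" | render_hostname_carp 0
printf '%s\n' "$CARP_TEMPLATE" | render_hostname_carp 100
printf '%s\n' "$CARP_TEMPLATE" | render_hostname_carp 300 || echo "(rejected, as intended)"
```

In practice the template and the deploy script are what gets synced between the two hosts, and only the one-line advskew file differs; `install_hostname_carp /etc/hostname.carp2.tmpl /etc/advskew /etc/hostname.carp2` followed by `sh /etc/netstart carp2` applies it.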
Google Summer of Code 2012 ?
Dear Sirs, I wonder: if I apply for GSoC2012 mentoring (GVRP/MVRP for OpenBSD and BFD for OpenBSD), how does it look from the OpenBSD point of view? will the code be accepted by the community? any licensing issues? Cheers, Ilya Shipitsin
Re: locate weirdness
guys, it was so funny to see you biting each other. come on, can you do it one more time, please?

2012/1/23 Nico Kadel-Garcia nka...@gmail.com:

On Sun, Jan 22, 2012 at 5:38 PM, L. V. Lammert l...@omnitec.net wrote:

On Sun, 22 Jan 2012, Philip Guenther wrote:

snip the BS

There is no way of knowing if it would have found the problem, so why continue with this drivel? Contrary to the lengthy diatribes here trying to distract from the original problem and solution: 1) The problem with locate was traced to a bunch of session files; 2) The problem was fixed by cleaning them the hard way. There is no way to know if an upgrade would have fixed the problem, as upgrading is/was/would be just a distraction; it is not good practice to try and obscure the problem, and I do not understand why some people here like to espouse such practices. Sure, there is no support for 4.3, but then I did not ASK for support on 4.3 (read the OP). Don't bother to try and distract from the original problem - it just makes it harder for those LOOKING for the problem and solution to find it in all the noise.

As someone who's faced this kind of thing from both sides, I think you're going to have a long term problem with the "just help me fix the system I have, don't bother with telling me to upgrade" approach. Too many bugs are fixed as part of re-engineering or feature addition, and expecting even the authors, whom you are not paying for contracted work, to maintain the old releases becomes futile pretty quickly. It's difficult for them to maintain the old environments as test beds, or to dredge back that far into memory of how things used to be done. I've been running into this for decades, all the way back to the shift from BSD 4.2 to BSD 4.3. (Note that that is not OpenBSD, it's BSD.)

The yelling and namecalling is unfortunate. But from observation and professional experience, if you want professional grade support for a software lifecycle of over 3 years, you should be willing to pay for it.
something like glusterfs ?
Hello! we are running carp-ed load balancers on openbsd. we are pretty happy with the fast switchover via carp. however, we'd like to serve static (uploaded via ftp) content from those servers. I see two scenarios:
a) files are uploaded to the carp master; we run rsync every minute, which pushes content from master to backup
b) something like glusterfs
are there things like glusterfs? I didn't find any for openbsd. cheers, Ilya Shipitsin
gvrp support
hello! does OpenBSD support GVRP ? Cheers, Ilya Shipitsin
CARP health check ?
Hello! I'm running OpenBSD with CARP (and because of CARP), 10 servers in total. Some of them preempt=1, some with preempt=0. I'd like to know that the spare CARP server is up and running (and will play its part when the master server dies). the questions are:
1) how to detect that a server is master? any other way except parsing ifconfig output?
2) how to detect whether the carp peer is alive?
Cheers, Ilya Shipitsin
Re: CARP health check ?
well, I need to make the question more specific. we are using nagios for monitoring and it is running on a separate server. we do not want to monitor the server from inside. we want to run something via ssh and see whether the carp peer is dead or not. probably we do not want to determine that we are carp master, because we will always connect to the master via ssh.

2012/1/13 Justin Jereza justinjer...@gmail.com

I think ifstated is what you want to use.

-- Composed on a phone.

On Jan 13, 2012 2:07 AM, Ilya Shipitsin chipits...@gmail.com wrote:

Hello! I'm running OpenBSD with CARP (and because of CARP), 10 servers in total. Some of them preempt=1, some with preempt=0. I'd like to know that the spare CARP server is up and running (and will play its part when the master server dies). the questions are:
1) how to detect that a server is master? any other way except parsing ifconfig output?
2) how to detect whether the carp peer is alive?
Cheers, Ilya Shipitsin
Re: CARP health check ?
well, it's usually not possible. we use OpenBSD because it supports the carpdev option (FreeBSD does not support it). most of our carp clusters run on a single address. no spare IP space. we could do ssh and ping the carp peer (some trouble with preemption), but we do not want to stick with certain IP addresses. we would like to monitor in general:
1) define a new carp cluster for monitoring
2) ssh to it and monitor the carp peer in general without specifying its address

2012/1/13 Simon Perreault simon.perrea...@viagenie.ca

On 01/12/2012 01:18 PM, Ilya Shipitsin wrote:

we are using nagios for monitoring and it is running on a separate server. we do not want to monitor the server from inside. we want to run something via ssh and see whether the carp peer is dead or not.

Give each server its unique IP address. Use a third IP address for carp. Monitor all three addresses.

Simon

-- DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca
STUN/TURN server -- http://numb.viagenie.ca
Re: CARP health check ?
RFC1918 addresses are not routable. there's no problem for the carp peers to ping each other; I just cannot ping both of them from the Internet (where nagios is located). the problem is to specify each peer's address in the nagios config: I do not want to depend on 10.0.0.2 for the cluster1 peer and so on, especially from the preemption point of view. I want to keep things simple.
1) there's another carp cluster at x.y.z.t
2) whether it is running in preemption mode or not, I connect to the carp master from the Internet
3) there should be an alive carp backup (at some rfc1918 address, which I do not want to specify in nagios)
4) if the backup is unreachable, we are in trouble

2012/1/13 Simon Perreault simon.perrea...@viagenie.ca

On 01/12/2012 01:49 PM, Ilya Shipitsin wrote:

most of our carp clusters run on a single address. no spare IP space.

That's the root of the problem. Use IPv6 for the non-carp addresses? RFC 1918? rdr on some ports? Otherwise, you'll have to invent a hackish and fragile solution...

Simon

-- DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca
STUN/TURN server -- http://numb.viagenie.ca
Re: CARP health check ?
sounds nice. I came to something similar: just ssh to the external address and ping both carp peers (via internal addresses); if there are fewer than 2 answers, we are in trouble. your idea is also good.

2012/1/13 Nick Holland n...@holland-consulting.net

ok, let's try this idea... Your systems have ONE external address, but they can have as many internal addresses as desired, right? SO...let's say you have two CARP'd firewalls, FW1 and FW2. They share external address of x.x.x.x.

                FW1         FW2
External        x.x.x.x     x.x.x.x (same)
Internal real   10.0.0.2    10.0.0.3
internal CARP   10.0.0.1    10.0.0.1 (same)

port 22 gets you ssh on the active firewall...but which is that? How about a PF ruleset that redirects port 2202 to 10.0.0.2 port 22 and port 2203 to 10.0.0.3? Now you can find out anything you wish about either box ON DEMAND by selecting the port you ssh to. If 2202 doesn't answer, you've lost fw1; if 2203 doesn't answer, you have lost fw2.

In addition to checking to see that the box is up, it's good to check for a sane CARP status -- i.e., all MASTER on one box, SLAVE on the other, plus other overall health issues.

Nick.

On 01/12/12 13:48, Ilya Shipitsin wrote:

well, it's usually not possible. we use OpenBSD because it supports the carpdev option (FreeBSD does not support it). most of our carp clusters run on a single address. no spare IP space. we could do ssh and ping the carp peer (some trouble with preemption), but we do not want to stick with certain IP addresses. we would like to monitor in general:
1) define a new carp cluster for monitoring
2) ssh to it and monitor the carp peer in general without specifying its address

2012/1/13 Simon Perreault simon.perrea...@viagenie.ca

On 01/12/2012 01:18 PM, Ilya Shipitsin wrote:

we are using nagios for monitoring and it is running on a separate server. we do not want to monitor the server from inside. we want to run something via ssh and see whether the carp peer is dead or not.

Give each server its unique IP address. Use a third IP address for carp. Monitor all three addresses.

Simon

-- DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca
STUN/TURN server -- http://numb.viagenie.ca
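The check discussed in this thread (ssh to the master, make sure both carp peers answer, and, as Nick adds, that the CARP state is sane) written up as an added example; it is not code from the thread. It assumes the Nagios plugin exit-code convention (0 OK, 2 CRITICAL), takes the peer addresses 10.0.0.2 and 10.0.0.3 from Nick's sketch, and parses the `carp: MASTER carpdev ...` line that ifconfig prints for each carp interface, which answers the "any other way except parsing ifconfig output?" question with a parser that does not need eyeballing. The ifconfig text inside the script is constructed sample output using documentation address ranges.

```shell
#!/bin/sh
# Added example for the CARP health-check thread; not code from the thread.
# Meant to be run over ssh on the CARP master (the address nagios always
# reaches). It parses `ifconfig carp` instead of eyeballing it, treats a split
# state (MASTER on some vhids, BACKUP on others) as a failure, and requires
# every internal peer address to answer a ping. Exit codes follow the Nagios
# plugin convention (0 OK, 2 CRITICAL); peer addresses 10.0.0.2/10.0.0.3 are
# from Nick's sketch. The ifconfig text below is constructed sample output.

# Print "<ifname> <state>" for each carp interface in ifconfig output on stdin.
carp_states() {
	awk '
		/^[a-z]+[0-9]+:/ { ifname = $1; sub(/:$/, "", ifname) }
		/^[ \t]*carp: /  { print ifname, $2 }
	'
}

# Reduce the states to one word: MASTER, BACKUP (or INIT), MIXED or NONE.
# Succeeds only when at least one carp interface exists and all agree.
carp_summary() {
	states=$(carp_states | awk '{ print $2 }' | sort -u)
	n=$(printf '%s' "$states" | awk 'END { print NR }')
	case $n in
		0) echo NONE; return 1 ;;
		1) echo "$states" ;;
		*) echo MIXED; return 1 ;;
	esac
}

# Reachability probe; PING_CMD can be pointed at another command or function.
ping_host() { ping -c 1 -w 2 "$1" >/dev/null 2>&1; }
PING_CMD=${PING_CMD:-ping_host}

# Print how many of the given hosts answered.
count_alive() {
	alive=0
	for host in "$@"; do
		"$PING_CMD" "$host" && alive=$((alive + 1))
	done
	echo "$alive"
}

# carp_check <ifconfig output> <peer address>...  -> Nagios status line + code
carp_check() {
	ifout=$1; shift
	state=$(printf '%s\n' "$ifout" | carp_summary) || {
		echo "CRITICAL - carp state $state"; return 2; }
	alive=$(count_alive "$@")
	if [ "$alive" -ne $# ]; then
		echo "CRITICAL - $alive of $# carp peers answer, state $state"; return 2
	fi
	echo "OK - $alive of $# carp peers answer, state $state"
}

# Constructed samples (documentation addresses), shaped like OpenBSD 5.0 output.
SAMPLE_IFCONFIG='carp5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:41
        carp: MASTER carpdev vlan5 vhid 65 advbase 1 advskew 0
        groups: carp
        inet 192.0.2.10 netmask 0xffffffc0 broadcast 192.0.2.63
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1300
        lladdr 00:00:5e:00:01:3e
        carp: MASTER carpdev vlan2 vhid 62 advbase 1 advskew 0
        groups: carp
        inet 198.51.100.10 netmask 0xffffffc0 broadcast 198.51.100.63'
SAMPLE_SPLIT=$(printf '%s\n' "$SAMPLE_IFCONFIG" | sed '/carpdev vlan2/s/MASTER/BACKUP/')

# Stand-alone demo on the samples (no network needed). On a real master:
#   carp_check "$(ifconfig carp)" 10.0.0.2 10.0.0.3
printf '%s\n' "$SAMPLE_IFCONFIG" | carp_states
printf '%s\n' "$SAMPLE_IFCONFIG" | carp_summary
printf '%s\n' "$SAMPLE_SPLIT" | carp_summary || echo "(split state is reported as a failure)"
```

On the master this runs as `carp_check "$(ifconfig carp)" 10.0.0.2 10.0.0.3` from the nagios ssh check; a MIXED result is the split state Nick warns about and is reported as CRITICAL even when both peers answer ping, and NONE catches the case where the box you reached is not carrying any carp interface at all.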
Re: TCO, txpause, rxpause and other nice things on em adapters
2012/1/2 Christian Weisgerber na...@mips.inka.de:

Ilya Shipitsin chipits...@gmail.com wrote:

I'm running servers with em NICs. People on the list reported things like hwfeatures=8037<CSUM_IPv4,CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING,WOL>; I do not see such options in ifconfig output.

Try ifconfig em0 hwfeatures on -current.

f2n0:/root#ifconfig em0 hwfeatures
ifconfig: hwfeatures: bad value

it doesn't work on 5.0RELEASE?

the man page on em doesn't say anything about checksum offload either.

Liar.

The em driver supports IPv4 receive IP/TCP/UDP checksum offload on all but 82542-based adapters, VLAN tag insertion and stripping, and Jumbo frames on all but 82562V, 82566DC/82566DM and 82573E/82573L/82573V-based adapters.

em are advanced cards, do they already do all things out of the box?

Yes.

ifconfig also shows media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause), what is rxpause,txpause?

Ethernet flow control.

-- Christian "naddy" Weisgerber na...@mips.inka.de
TCO, txpause, rxpause and other nice things on em adapters
Hello! I'm running servers with em NICs. People on the list reported things like hwfeatures=8037<CSUM_IPv4,CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING,WOL>; I do not see such options in ifconfig output. the man page on em doesn't say anything about checksum offload either. em are advanced cards, do they already do all things out of the box? do I have to make special tuning for TCO? ifconfig also shows media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause), what is rxpause,txpause? cheers, Ilya Shipitsin
how to choose outgoing IPv4 address/interface ?
Hello! I'm running a BGP server which is also a dns resolver. so, the host can go to the internet using 2 addresses:
a) vlan379, which is connected to the bgp peer
b) vlan200, which is my own routable network
the bgp peer is strange: it permits only bgp and icmp traffic over vlan379, the rest is silently dropped. I'd like to use the vlan379 address for bgp communication and vlan200 for the dns resolver (and the rest of the traffic), but OpenBSD simply uses the vlan379 address. well, I can use NAT on outgoing traffic, but it doesn't seem to be a proper solution. why does OpenBSD choose vlan379? how can I make it use vlan200 for all outgoing traffic except bgp communication? Cheers, Ilya Shipitsin
Re: strange tcp rst with rdomain
we have 3 ISPs, and we are running haproxy (which is similar to relayd: it proxies tcp connections from the Internet to the LAN). so, with rdomains we need to
a) run 3 instances of haproxy (route -T 2 exec /usr/local/sbin/haproxy, and so on)
b) all of the haproxy instances will access the LAN, which can belong to just one rdomain
our situation is very tricky with rdomains. however, we are looking with interest at rdomains and will probably use them for some other applications.

2011/12/23 Claudio Jeker cje...@diehard.n-r-g.com:

On Thu, Dec 22, 2011 at 01:17:10PM +0500, Ilya Shipitsin wrote:

thank everyone. routing domains seem to be much more powerful than I need. I just needed outgoing packets through the appropriate interface; it can be achieved by the reply-to thing in PF.

You can also use a simple additional routing table.

route -T 1 add default X.Y.Z.1

this way the routing table will use routing table 0 to find the gateway (all interfaces are in the default rdomain 0) and pf will just tag the packets to use the other table for route lookups (adding rtable 1 to rules will send all traffic to X.Y.Z.1 for forwarding). For simple things route-to/reply-to is maybe easier to setup.

-- :wq Claudio
ufs journal ?
Hello! I used to run FreeBSD and Linux for years, but I'm not that familiar with OpenBSD yet. we are running a buggy server (I suspect RAM); it hangs sometimes and it takes about 30 minutes to fsck a 7 TB partition. however, there are very few files and folders yet. is there a way to speed up fsck? some journalling like UFS2 for FreeBSD? softupdates? Cheers, Ilya Shipitsin
10G router without polling ?
am I right that OpenBSD does NOT use device polling like FreeBSD or Linux (called NAPI) do? will any router (even at 10G rate) work perfectly without polling? specifically, I have a router (100-200Mb rate now) on Broadcom BCM5721 which is bge and Intel PRO/1000 QP (82571EB) which is em. will those cards work perfectly at any speed without any special tuning? Cheers, Ilya Shipitsin
Re: strange tcp rst with rdomain
thank everyone. routing domains seem to be much more powerful than I need. I just needed outgoing packets through the appropriate interface; it can be achieved by the reply-to thing in PF. but I'll keep an eye on rdomains for some future use.

2011/12/21 Henning Brauer lists-open...@bsws.de:

well that is how rdomains work, they are isolated from each other, pf can break that isolation up. an sshd in rdomain 0 is not reachable from another rdomain, except pf is used to allow that - or something external routes between them.

* Russell Garrison russell.garri...@gmail.com [2011-12-20 21:50]:

I was inspired and realized you can do better with pf:

pass in on em5 proto tcp to 192.168.235.12 port 22 \
    rdr-to 192.168.163.1 rtable 0

I am not using vlan and my interfaces have IP addresses assigned. 235.12 above is the management IP of the host in a non-zero rdomain and 163.1 is the IP of the host in rdomain 0 with sshd listener started. May still not be the best way, but I like this better than starting multiple sshd. That approach had an added problem that my tty would start in the rdomain local to where I connected, instead of using 0 as the default.

On Tue, Dec 20, 2011 at 3:28 PM, Russell Garrison russell.garri...@gmail.com wrote:

I have found that I need to add something like:

!route -T 2 exec /usr/sbin/sshd

To the pertinent hostname.if file to make sure sshd is listening in additional routing tables, but I do not know if this is best.

On Mon, Dec 19, 2011 at 1:02 PM, Ilya Shipitsin chipits...@gmail.com wrote:

Hello. I'm running a multihomed OpenBSD server: vlan5/carp5 - default; vlan2/carp2 and vlan4/carp4 are connected to other ISPs. when there's no rdomain thing, everything seems to be working, except all outgoing packets go through vlan5/carp5. so, I did

f2n0:/root#cat /etc/hostname.vlan2
vlan 2 vlandev trunk0 mtu 1300 up
f2n0:/root#cat /etc/hostname.carp2
vhid 62 pass m1pass carpdev vlan2 X.X.X.X/26 rdomain 2
!/sbin/route -T 2 add 0.0.0.0/0 X.X.X.Z
f2n0:/root#cat /etc/hostname.vlan4
vlan 4 vlandev trunk0 mtu 1300 up
f2n0:/root#cat /etc/hostname.carp4
vhid 64 pass m1pass carpdev vlan4 Y.Y.Y.Y/26 rdomain 4
!/sbin/route -T 4 add 0.0.0.0/0 Y.Y.Y.Z
f2n0:/root#

also, I did

f2n0:/root#grep -v ^# /etc/pf.conf
set skip on lo
pass in vlan2 rtable 2
pass in vlan4 rtable 4
pass

ping is working well, packets go out via the appropriate interface. however, ssh ends with tcp rst, for example. how can the reason for that tcp rst be detected? am I doing anything wrong with rdomains? Ilya Shipitsin

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
reply-to rule and carp ?
hello! I'm running a multihomed server (two servers in a carp cluster). say carp5 is the default route and carp2 is another ISP. I want to see outgoing packets on the interface they came in on. I supposed it could be done using the reply-to pf keyword; however, I'm not sure reply-to is running well with carp. Can anyone prove such a thing? I did

set skip on lo
pass in to X.X.X.X reply-to (carp5 X.X.X.N)
pass in to Y.Y.Y.Y reply-to (carp2 Y.Y.Y.N)
pass   # to establish keep-state

and pfctl -sa -v shows zero packets and bytes (but a lot of evaluations). Cheers, Ilya Shipitsin
strange tcp rst with rdomain
Hello. I'm running a multihomed OpenBSD server: vlan5/carp5 - default; vlan2/carp2 and vlan4/carp4 are connected to other ISPs. when there's no rdomain thing, everything seems to be working, except all outgoing packets go through vlan5/carp5. so, I did

f2n0:/root#cat /etc/hostname.vlan2
vlan 2 vlandev trunk0 mtu 1300 up
f2n0:/root#cat /etc/hostname.carp2
vhid 62 pass m1pass carpdev vlan2 X.X.X.X/26 rdomain 2
!/sbin/route -T 2 add 0.0.0.0/0 X.X.X.Z
f2n0:/root#cat /etc/hostname.vlan4
vlan 4 vlandev trunk0 mtu 1300 up
f2n0:/root#cat /etc/hostname.carp4
vhid 64 pass m1pass carpdev vlan4 Y.Y.Y.Y/26 rdomain 4
!/sbin/route -T 4 add 0.0.0.0/0 Y.Y.Y.Z
f2n0:/root#

also, I did

f2n0:/root#grep -v ^# /etc/pf.conf
set skip on lo
pass in vlan2 rtable 2
pass in vlan4 rtable 4
pass

ping is working well, packets go out via the appropriate interface. however, ssh ends with tcp rst, for example. how can the reason for that tcp rst be detected? am I doing anything wrong with rdomains? Ilya Shipitsin
Re: Automatic fsck -y at Boot
how will fsck -p -y work? the manual says -p quits on a major problem; will -y make it assume yes or just quit?

2011/12/15 Kenneth R Westerback kwesterb...@rogers.com:

On Thu, Dec 15, 2011 at 09:55:47AM +0100, Sebastien Maerker, Continum wrote:

Hello, is it possible, like in FreeBSD, to do an automatic fsck -y at boot time when the system hangs and needs user intervention? In FreeBSD we have the possibility to edit rc.conf and add just these lines:

...
background_fsck=NO
fsck_y_enable=YES
fsck_y_flags=
...

Is there in OpenBSD such a similar thing? Thank you in advance Sébastien Maerker

You can change the 'fsck -p' in /etc/rc to whatever variant you wish. There is, to my knowledge, no knob. Ken
question about CARP/Trunk
Hello! we are using linux bonding (the thing called trunk in openbsd) and there's a very interesting feature called arp_ip_target: a custom IP is monitored via several links. can OpenBSD CARP or trunk work in that way? cheers, Ilya Shipitsin
strange messages on the server screen (ichiic0: abort failed, status 0x41<BUSY,INUSE>)
hello! screen and dmesg output attached. what could it mean? Ilya Shipitsin

OpenBSD 5.0 (GENERIC.MP) #63: Wed Aug 17 10:14:30 MDT 2011
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 137428860928 (131062MB)
avail mem = 133756428288 (127560MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0x9ec00 (55 entries)
bios0: vendor American Megatrends Inc. version 2.1c date 10/28/2011
bios0: Supermicro X8DTN+-F
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG SLIT OEMB SRAT HPET DMAR SSDT EINJ BERT ERST HEST
acpi0: wakeup devices NPE3(S4) NPE5(S4) NPE7(S4) NPE8(S4) NPE9(S4) P0P1(S4) UAR1(S4) UAR2(S4) PS2K(S1) PS2M(S1) USB0(S4) USB1(S4) USB2(S4) USB5(S4) EUSB(S4) USB3(S4) USB4(S4) USB6(S4) USBE(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) P0P9(S4) NPE1(S4) SLPB(S4) PWRB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5645 @ 2.40GHz, 2400.39 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5645 @ 2.40GHz, 2400.09 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu1: 256KB 64b/line 8-way L2 cache
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5645 @ 2.40GHz, 2400.09 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu2: 256KB 64b/line 8-way L2 cache
cpu3 at mainbus0: apid 16 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5645 @ 2.40GHz, 2400.09 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu3: 256KB 64b/line 8-way L2 cache
cpu4 at mainbus0: apid 18 (application processor)
cpu4: Intel(R) Xeon(R) CPU E5645 @ 2.40GHz, 2400.09 MHz
cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu4: 256KB 64b/line 8-way L2 cache
cpu5 at mainbus0: apid 20 (application processor)
cpu5: Intel(R) Xeon(R) CPU E5645 @ 2.40GHz, 2400.09 MHz
cpu5: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu5: 256KB 64b/line 8-way L2 cache
cpu6 at mainbus0: apid 32 (application processor)
cpu6: Intel(R) Xeon(R) CPU E5645 @ 2.40GHz, 2400.08 MHz
cpu6: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu6: 256KB 64b/line 8-way L2 cache
cpu7 at mainbus0: apid 34 (application processor)
cpu7: Intel(R) Xeon(R) CPU E5645 @ 2.40GHz, 2400.09 MHz
cpu7: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu7: 256KB 64b/line 8-way L2 cache
cpu8 at mainbus0: apid 36 (application processor)
cpu8: Intel(R) Xeon(R) CPU E5645 @ 2.40GHz, 2400.09 MHz
cpu8: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu8: 256KB 64b/line 8-way L2 cache
cpu9 at mainbus0: apid 48 (application processor)
cpu9: Intel(R) Xeon(R) CPU E5645 @ 2.40GHz, 2400.09 MHz
cpu9: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu9: 256KB 64b/line 8-way L2 cache
cpu10 at mainbus0: apid 50 (application processor)
cpu10: Intel(R) Xeon(R) CPU E5645 @ 2.40GHz, 2400.09 MHz
cpu10: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu10: 256KB 64b/line 8-way L2 cache
cpu11 at mainbus0: apid 52 (application processor)
cpu11: Intel(R) Xeon(R) CPU E5645
why skip is not shown in pfctl -s rules ?
Dear Sirs, I added a couple of rules to the pf config file:

xxx:/root# grep skip /etc/pf.conf
set skip on enc0
set skip on lo0
xxx:/root# pfctl -f /etc/pf.conf
xxx:/root#

but I do not find skip in the pfctl -s rules output:

xxx:/root# pfctl -s rules | grep skip
xxx:/root#

is it ok? Cheers, Ilya Shipitsin
4.9 build problems
server is 4.9/amd64, source is CVS/4.9

cd /usr/src
make build

is it ok that the system cannot build itself from source?

building shared object objc library
ranlib libobjc_pic.a
building shared objc library (version 5.0)
cc -shared -fpic -o libobjc.so.5.0 `lorder archive.so class.so encoding.so gc.so hash.so init.so linking.so misc.so nil_method.so NXConstStr.so Object.so objects.so Protocol.so sarray.so selector.so sendmsg.so thr.so thr-objc.so exception.so|tsort -q`
===> libstdc++-v3
c++ -O2 -pipe -g -DIN_GLIBCPP_V3 -DHAVE_CONFIG_H -I/usr/src/gnu/lib/libstdc++-v3/../libstdc++-v3/ -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/libsupc++ -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/gcc -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/gcc/gcc/include -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include -I/usr/src/gnu/lib/libstdc++-v3/../libiberty/include -I. -frandom-seed=RepeatabilityConsideredGood -DIN_GLIBCPP_V3 -DHAVE_CONFIG_H -I/usr/src/gnu/lib/libstdc++-v3 -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/libsupc++ -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/gcc -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/gcc/gcc/include -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include -I/usr/src/gnu/lib/libstdc++-v3/../libiberty/include -I. -frandom-seed=RepeatabilityConsideredGood -fno-implicit-templates -ffunction-sections -fdata-sections -Wno-deprecated -fno-implicit-templates -ffunction-sections -fdata-sections -Wno-deprecated -idirafter /home/dest/usr/include/g++ -nostdinc -idirafter /home/dest/usr/include -c /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc -o bitmap_allocator.o
In file included from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:37,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/home/dest/usr/include/g++/cstddef:50:28: error: bits/c++config.h: No such file or directory
In file included from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:43,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/concurrence.h:41:24: error: bits/gthr.h: No such file or directory
In file included from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:37,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/home/dest/usr/include/g++/cstddef:53: error: expected constructor, destructor, or type conversion before '(' token
/home/dest/usr/include/g++/cstddef:58: error: '_GLIBCXX_END_NAMESPACE' does not name a type
In file included from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:38,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/functexcept.h:93: error: '_GLIBCXX_END_NAMESPACE' does not name a type
In file included from /home/dest/usr/include/g++/utility:66,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:39,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_relops.h:136: error: '_GLIBCXX_END_NAMESPACE' does not name a type
In file included from /home/dest/usr/include/g++/utility:67,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:39,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:94: error: template with C linkage
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:96: error: expected ',' or '...' before '&' token
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:96: error: 'bool operator==(int)' must have an argument of class or enumerated type
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:100: error: template with C linkage
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:102: error: expected ',' or '...' before '&' token
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:102: error: 'bool operator<(int)' must have an argument of class or enumerated type
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:107: error: template with C linkage
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:109: error: expected ',' or '...' before '&' token
Re: 4.9 build problems
DESTDIR was the reason for the mess. unset DESTDIR solved the problem.

2011/10/10 Stuart Henderson s...@spacehopper.org:
You polluted your source directory by building without 'make obj'. Simplest is to wipe it, make a fresh checkout, and this time follow section 5.3.5 from http://www.openbsd.org/faq/faq5.html

On 2011-10-10, ??? chipits...@gmail.com wrote:
server is 4.9/amd64
source is CVS/4.9

cd /usr/src
make build

is it ok that the system cannot build itself from source?

building shared object objc library
ranlib libobjc_pic.a
building shared objc library (version 5.0)
cc -shared -fpic -o libobjc.so.5.0 `lorder archive.so class.so encoding.so gc.so hash.so init.so linking.so misc.so nil_method.so NXConstStr.so Object.so objects.so Protocol.so sarray.so selector.so sendmsg.so thr.so thr-objc.so exception.so|tsort -q`
===> libstdc++-v3
c++ -O2 -pipe -g -DIN_GLIBCPP_V3 -DHAVE_CONFIG_H -I/usr/src/gnu/lib/libstdc++-v3/../libstdc++-v3/ -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/libsupc++ -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/gcc -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/gcc/gcc/include -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include -I/usr/src/gnu/lib/libstdc++-v3/../libiberty/include -I. -frandom-seed=RepeatabilityConsideredGood -DIN_GLIBCPP_V3 -DHAVE_CONFIG_H -I/usr/src/gnu/lib/libstdc++-v3 -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/libsupc++ -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/gcc -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/gcc/gcc/include -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include -I/usr/src/gnu/lib/libstdc++-v3/../libiberty/include -I. -frandom-seed=RepeatabilityConsideredGood -fno-implicit-templates -ffunction-sections -fdata-sections -Wno-deprecated -fno-implicit-templates -ffunction-sections -fdata-sections -Wno-deprecated -idirafter /home/dest/usr/include/g++ -nostdinc -idirafter /home/dest/usr/include -c /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc -o bitmap_allocator.o
In file included from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:37,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/home/dest/usr/include/g++/cstddef:50:28: error: bits/c++config.h: No such file or directory
In file included from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:43,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/concurrence.h:41:24: error: bits/gthr.h: No such file or directory
In file included from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:37,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/home/dest/usr/include/g++/cstddef:53: error: expected constructor, destructor, or type conversion before '(' token
/home/dest/usr/include/g++/cstddef:58: error: '_GLIBCXX_END_NAMESPACE' does not name a type
In file included from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:38,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/functexcept.h:93: error: '_GLIBCXX_END_NAMESPACE' does not name a type
In file included from /home/dest/usr/include/g++/utility:66,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:39,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_relops.h:136: error: '_GLIBCXX_END_NAMESPACE' does not name a type
In file included from /home/dest/usr/include/g++/utility:67,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:39,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:94: error: template with C linkage
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:96: error: expected ',' or '...' before '<' token
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:96: error: 'bool operator==(int)' must have an argument of class or enumerated type
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:100: error: template with C linkage
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:102: error: expected ',' or '...' before '<'
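The two causes named in this thread, a DESTDIR left in the environment (the posted log shows the compiler searching headers under /home/dest/usr/include instead of /usr/include) and a tree built without 'make obj', can both be caught before 'make build' starts. The script below is an added example written for this page; it is not from the thread and not part of OpenBSD. It takes the source tree path as an argument so it can be tried on a scratch directory; the choice of bin/cat as the directory whose obj link is probed is an assumption (any source directory with a Makefile would do).

```sh
#!/bin/sh
# Pre-flight check before `make build` in an OpenBSD source tree.
# Added example, not code from the thread or from OpenBSD. It tests for
# the two causes named in the thread: a DESTDIR left in the environment
# (the posted log shows headers being searched under /home/dest/usr/include
# instead of /usr/include) and a source tree that was built without
# `make obj`, which leaves object files inside the tree.
#
# Usage: sh preflight.sh [/usr/src]

# preflight_build SRCDIR
# Prints one line per problem found and returns 1 if there is any,
# 0 if the tree and environment look ready for `make build`.
preflight_build() {
	srcdir=$1
	problems=0

	# 1. DESTDIR must be unset. The tree's Makefiles honour it for both
	#    include paths and install paths, so a stale value makes the
	#    compiler look for system headers in the wrong place.
	if [ -n "$DESTDIR" ]; then
		echo "DESTDIR is set to '$DESTDIR': run 'unset DESTDIR' first"
		problems=1
	fi

	# 2. `make obj` must have been run. It gives every source directory an
	#    obj directory (normally a symlink into /usr/obj); probing one
	#    well-known directory is enough to tell whether that step happened.
	#    (bin/cat is an assumption: any directory with a Makefile works.)
	if [ ! -d "$srcdir/bin/cat/obj" ]; then
		echo "$srcdir/bin/cat/obj is missing: run 'cd $srcdir && make obj'"
		problems=1
	fi

	# 3. Object files outside an obj directory mean an earlier build wrote
	#    into the source tree. Report the first one found; the remedy is a
	#    wipe and a fresh checkout, as the reply in the thread says.
	stale=$(find "$srcdir" -name '*.o' ! -path '*/obj/*' 2>/dev/null | head -n 1)
	if [ -n "$stale" ]; then
		echo "stale object file in source tree: $stale (wipe and re-checkout)"
		problems=1
	fi

	return $problems
}

# Run only when invoked as a script with a source directory argument.
if [ $# -gt 0 ]; then
	preflight_build "$1" && echo "$1 looks ready for 'make build'"
fi
```

Run it as 'sh preflight.sh /usr/src' right before 'make build'. The DESTDIR test is the important one for the failure posted here: a value exported in a login shell for an earlier 'make install' into a scratch root silently survives into the next build.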
any working example of IPv6 /etc/hostname.carpXXX ?
Dear Sirs,

I need to configure ipv6 over a carp interface. It seems that carp doesn't like things in one line:

ifconfig carp470 vhid 70 pass xxx carpdev vlan470 advskew 20 inet6 2a00:1a70:80:470::2 prefixlen 128

it says something is wrong about ipv6. don't have any idea why. so, a one-line config for hostname.carpXXX will not work.

if I do two ifconfigs:

ifconfig carp470 vhid 70 pass xxx carpdev vlan470 advskew 20
ifconfig carp470 inet6 2a00:1a70:80:470::2 prefixlen 128

everything seems to be ok. but if I put the stuff into hostname.carpXXX

r1n0:/root# cat /etc/hostname.carp470
vhid 70 pass xxx carpdev vlan470 advskew 20 inet6 2a00:1a70:80:470::2 prefixlen 128 up

I get no ipv6 address and carp is in INIT state (no RUNNING flag).

is there a way to configure ipv6 + carp from /etc/hostname.XXX ?

Cheers,
Ilya Shipitsin
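A hostname.if(5) layout that reproduces the two ifconfig calls that worked in the post, added here as an example; it is not from the thread. /etc/netstart runs each line of the file as its own ifconfig(8) invocation, and ifconfig takes the address family keyword directly after the interface name, so carp parameters followed by inet6 on the same line fail as a unit and nothing on that line (the address, the vhid, the up) gets applied. On an inet6 line the prefix length is written as a bare number; netstart supplies the prefixlen keyword itself. Interface name, vhid, password placeholder, carpdev, advskew and address are the ones from the post; the line split and order are the assumption being shown.

```conf
# /etc/hostname.carp470  (added example; values from the post, layout assumed)
# line 1: carp parameters, passed to ifconfig as-is
vhid 70 pass xxx carpdev vlan470 advskew 20
# line 2: address family, address, prefix length (no "prefixlen" keyword here)
inet6 2a00:1a70:80:470::2 128
# line 3: bring the interface up after it is fully configured
up
```

Apply it with 'sh /etc/netstart carp470' and confirm with 'ifconfig carp470' that the carp line shows vhid 70 on vlan470 and that the inet6 address is present. Keep the file root:wheel mode 0640, as the installer creates it, because it carries the carp password in clear text.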
Re: question regarding bgpd
each single part is unclear

2011/2/6 Stuart Henderson s...@spacehopper.org:
On 2011-01-27, ??? chipits...@gmail.com wrote:
I tried to investigate a little...
2) my AS is 49675, 91.142.140.0/24 at location A and 193.169.238.0/24 at location B. there are announces in the rib

R0N0#bgpctl show rib | grep 49675
91.142.140.0/24 87.229.147.182 100 0 31359 3216 8342 49675 i
91.142.140.0/24 81.91.54.241 100 0 25086 12389 16083 49675 i
91.142.140.0/24 80.78.109.138 100 0 16285 20485 9002 16083 49675 i

but no prefixes in the fib

what part of "bgpd doesn't currently support this" is unclear?

On 2011-01-26, ??? chipits...@gmail.com wrote:
Dear Sirs,
we are running our AS in many locations (say AS65000)
(location 1, AS65000, network n1.n1.n1.n1) Internet --- (location 2, same AS65000, network n2.n2.n2.n2)
when we were running quagga, allowas-in made it work. otherwise there was no route except default between the two locations.
now we are replacing quagga with OpenBGPD. what is openbgpd's equivalent of allowas-in?
Cheers,
Ilya Shipitsin
P.S. just to make sure - I already read the manuals and somehow I didn't find relevant information there. So, if all you can say is RTFM, please also say where exactly the relevant information is located.

bgpd doesn't currently support this.
Re: question regarding bgpd
I tried to investigate a little...

1) how do I enable logging? I used "log updates" and the -v flag. not a bunch of diagnostics...

2) my AS is 49675, 91.142.140.0/24 at location A and 193.169.238.0/24 at location B. there are announces in the rib

R0N0#bgpctl show rib | grep 49675
91.142.140.0/24 87.229.147.182 100 0 31359 3216 8342 49675 i
91.142.140.0/24 81.91.54.241 100 0 25086 12389 16083 49675 i
91.142.140.0/24 80.78.109.138 100 0 16285 20485 9002 16083 49675 i

but no prefixes in the fib

R0N0#bgpctl show fib | grep 49675
R0N0#

I do not see even a little complaint about why it refuses them.

2011/1/26 Stuart Henderson s...@spacehopper.org:
On 2011-01-26, ??? chipits...@gmail.com wrote:
Dear Sirs,
we are running our AS in many locations (say AS65000)
(location 1, AS65000, network n1.n1.n1.n1) Internet --- (location 2, same AS65000, network n2.n2.n2.n2)
when we were running quagga, allowas-in made it work. otherwise there was no route except default between the two locations.
now we are replacing quagga with OpenBGPD. what is openbgpd's equivalent of allowas-in?
Cheers,
Ilya Shipitsin
P.S. just to make sure - I already read the manuals and somehow I didn't find relevant information there. So, if all you can say is RTFM, please also say where exactly the relevant information is located.

bgpd doesn't currently support this.
Re: question regarding bgpd
Try bgpctl sh fib | grep your_prefix

it's not there

R0N0#bgpctl sh fib | grep 91.142.140
R0N0#

it's reachable only via the default route:

R0N0#route -n get 91.142.140.254
   route to: 91.142.140.254
destination: default
       mask: default
    gateway: 80.78.109.138
  interface: carp102
 if address: 80.78.109.137
   priority: 48 (bgp)
      flags: <GATEWAY,DONE>
     use       mtu    expire
 6587265         0         0
R0N0#

well, I didn't try the suggested patch yet. need to upgrade to 4.8 first.

I do not see even a little complaint about why it refuses them.

2011/1/26 Stuart Henderson s...@spacehopper.org:
On 2011-01-26, ??? chipits...@gmail.com wrote:
Dear Sirs,
we are running our AS in many locations (say AS65000)
(location 1, AS65000, network n1.n1.n1.n1) Internet --- (location 2, same AS65000, network n2.n2.n2.n2)
when we were running quagga, allowas-in made it work. otherwise there was no route except default between the two locations.
now we are replacing quagga with OpenBGPD. what is openbgpd's equivalent of allowas-in?
Cheers,
Ilya Shipitsin
P.S. just to make sure - I already read the manuals and somehow I didn't find relevant information there. So, if all you can say is RTFM, please also say where exactly the relevant information is located.

bgpd doesn't currently support this.

Regards,
Insan Praja
-- 
Using Opera's revolutionary email client: http://www.opera.com/mail/
question regarding bgpd
Dear Sirs,

we are running our AS in many locations (say AS65000)

(location 1, AS65000, network n1.n1.n1.n1) Internet --- (location 2, same AS65000, network n2.n2.n2.n2)

when we were running quagga, allowas-in made it work. otherwise there was no route except default between the two locations.

now we are replacing quagga with OpenBGPD. what is openbgpd's equivalent of allowas-in?

Cheers,
Ilya Shipitsin

P.S. just to make sure - I already read the manuals and somehow I didn't find relevant information there. So, if all you can say is RTFM, please also say where exactly the relevant information is located.
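What the "in rib, not in fib" output earlier in this thread shows is standard BGP loop detection: every path posted for 91.142.140.0/24 ends in the poster's own AS 49675, a speaker treats a path that already contains its own AS as a loop and does not select the route, so it stays in the RIB and never reaches the FIB. quagga's allowas-in switches that check off, which is what Stuart says bgpd had no knob for. The script below is an added example, not from the thread and not part of OpenBGPD: it runs the check the poster did by eye over 'bgpctl show rib' output. The sample RIB is constructed from the three lines posted in the thread plus one invented route for the other location; the header line and the '*>' flags column are assumptions about the output layout, which is why the prefix is located by its '/' rather than by column number.

```sh
#!/bin/sh
# Added example, not from the thread or from OpenBGPD. It automates the
# check done by hand in the thread: which routes in `bgpctl show rib`
# carry our own AS number in their AS path. A BGP speaker treats such a
# path as a routing loop and will not select the route, so the prefix
# shows up in the RIB but never reaches the FIB.
#
# Usage: bgpctl show rib | sh looped.sh 49675

# looped_routes AS
# Reads `bgpctl show rib` text on stdin and prints "prefix nexthop" for
# each entry whose AS path contains AS. The prefix is located as the first
# field containing "/", so an optional flags column (blank for routes that
# are not eligible) does not shift the parsing.
looped_routes() {
	awk -v as="$1" '
	{
		p = 0
		for (i = 1; i <= NF; i++)
			if (index($i, "/")) { p = i; break }
		if (!p) next                       # header or blank line
		# after the prefix: nexthop, lpref, med, then the AS path;
		# the last field is the origin code (i, e or ?)
		for (i = p + 4; i < NF; i++)
			if ($i == as) { print $p, $(p + 1); break }
	}'
}

# Constructed sample: the three RIB lines posted in the thread plus one
# invented route for the other location whose path does not contain 49675.
SAMPLE_RIB='flags destination          gateway          lpref   med aspath origin
    91.142.140.0/24      87.229.147.182     100     0 31359 3216 8342 49675 i
    91.142.140.0/24      81.91.54.241       100     0 25086 12389 16083 49675 i
    91.142.140.0/24      80.78.109.138      100     0 16285 20485 9002 16083 49675 i
*>  193.169.238.0/24     80.78.109.138      100     0 16285 20485 9002 i'

# Run the check on the sample and return the number of looped entries.
count_looped_sample() {
	printf '%s\n' "$SAMPLE_RIB" | looped_routes 49675 | wc -l | tr -d ' '
}

# When given an AS on the command line, check whatever is on stdin.
if [ $# -gt 0 ]; then
	looped_routes "$1"
fi
```

On the sample the three posted routes are reported and the invented one is not. Pointing the same function at a transit AS instead of your own (for instance 16083, which appears in two of the posted paths) gives a quick view of which of your routes depend on a given upstream, a useful thing to know when judging a suspicious announcement.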
CARP-ed dns server ?
Hello!

does anybody run a dns server on a CARP interface?

Cheers,
Ilia Chipitsine
Re: CARP-ed dns server ?
hello!

can you provide more details?
1. what is the dns software?
2. how are the two copies of the dns server (on master and backup) replicated?
3. any carp hooks on switching?

cheers,
Ilia Chipitsine

2010/9/20 Henning Brauer lists-open...@bsws.de:
* ??? chipits...@gmail.com [2010-09-20 08:35]:
does anybody run a dns server on a CARP interface?
yup.
-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting