Re: install of Aug 11 snapshot hangs

2010-08-13 Thread Mark Bucciarelli
On Thu, Aug 12, 2010 at 10:59 PM, Nick Holland
n...@holland-consulting.net wrote:
> On 08/12/10 13:26, Mark Bucciarelli wrote:

>> boot> disable acpi

> What's this about?


Tilting at windmills.


> I take it you are PXE booting because you don't have the lower thingie
> which has the floppy and CD for this machine


Correct.


> If you can't do that, could you do an sha256 against your tftp-delivered
> bsd.rd and see if it matches that on the FTP server?


Checked out ok.

> Have you successfully used your tftp server for anything else?

I successfully fetched the pxeboot file and diff said the two
were equal.


> Failing that, how about booting with a boot bsd.rd -c at the boot
> prompt, then doing a disable apm then quit


Same behavior.

Igor S. suggested upgrading the ancient bios, but I'm leery
of that with no bootable cd, no floppy, and no usb boot.
I can't have the laptop stop working.  I suspect pxeboot/tftpd
is a red herring and it's the bios.

Anyway, thanks for all your efforts.

m



install of Aug 11 snapshot hangs

2010-08-12 Thread Mark Bucciarelli
hi,

i downloaded a 4.8 snapshot this morning
and am trying to install via pxeboot on
an x30.

 boot> disable acpi
 boot> boot bsd.rd

ran fine until

 Which one is the root disk? [wd0]

I pressed enter, and sometime after fifteen
minutes had elapsed the system responded
with a series of Segmentation fault messages
and returned to the (I) install, ... prompt.

I've been using the x30 heavily for years,
most recently this morning with Ubuntu.

hand-typed dmesg below.

any suggestions?

thanks,

m

OpenBSD 4.8 (RAMDISK_CD) #88: Wed Aug 11 10:26:02 MDT 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cp0: Mobile Intel(R) Pentium(R) III CPU - M 1200MHz (GenuineIntel
686-class) 1.20 GHz
cp0: FPU,V86,DE,PSE,
TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,SSE
real mem = 527306752 (502MB)
avail mem = 511774720 (488MB)
mainbus0 a t root
bios0 at mainbus0: AT/286+ BIO, date 09/13/02, BIO32 rev. 0 @ 0xfd7f0,
SMBIOS, rev. 2.31 @ 0x1f77c000 (46 entries)
bios0: vendor IBM version 1KET41WW (1.02 ) date 09/13/2002
bios0: IBM 26724BU
apm0 at bios0: Power Management spec V1.2
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xfd780/0x880
pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xfdec0/240 (13 entries)
pcibios0: PCI Interrupt Router at 000:341:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #5 is the last bus
bios0: ROM list: 0xc/0xe000! 0xce000/0x1000 0xcf000/0x1000
0xdc000/0x4000! 0xe/0x1
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus 0 bus0: configuration mode 1 (bios)
mem address conflict 0x1f80/0x400
pchb0 at pci0 dev 0 function 0 Intel 82830M Host rev 0x04
vga1 at pci0 dev 2 function 0 Intel 82830M video rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
Intel 82830M Video rev 0x00 at pci0 dev 2 function 1 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801CA/CAM USB rev 0x02: irq 11
uhci1 at pci0 dev 29 function 1 Intel 82801CA/CAM USB rev 0x02: irq 11
uhci2 at pci0 dev 29 function 2 Intel 82801CA/CAM USB rev 0x02: irq 11
ppb0 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x42
pci1 at ppb0 bus 1
mem address conflict 0x5000/0x1000
mem address conflict 0x5010/0x1000
cbb0 at pci1 dev 0 function 0 Ricoh 5C476 CardBus rev 0xa8: irq 11
cbb1 at pci1 dev 0 function 1 Ricoh 5C476 CardBus rev 0xa8: irq 11
RIcoh 5C552 Firewire rev 0x00 at pci1 dev 0 function 2 not configured
iwi0 at pci1 dev 2 function 0 Intel PRO/Wireless 2915ABG rev 0x05:
irq 11, address 00:13:ce:66:14:3c
fxp0 at pci1 dev 8 function 0 Intel PRO/100 VE rev 0x42, i82562: irq
11, address 00:09:6b:a0:02:0c
inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x0, lattimer 0xb0
pcmcia0 at cardslot0
cardslot1 at ccb1 slot 1 flags 0
cardbus1 at cardslot1: bus 5 device 0 cacheline 0x0, lattimer 0xb0
pcmcia1 at cardslot1
ichpcib0 at pci0 dev 31 function 0 Intel 82801CAM LPC rev 0x02:
24-bit timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 Intel 82801CAM IDE rev 0x02: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: IC25N040ATMR04-0
wd0: 16-sector PIO, LBA, 34899MB, 71474162 sectors
wd0(pciide0:0:0) using PIO mode4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
Intel 82801CA/CAM SMBus rev 0x02 at pci0 dev 31 function 3 not configured
Intel 82801CA/CAM AC97 rev 0x02 at pci0 dev 31 function 5 not configured
Intel 82801CA/CAM Modem rev 0x02 at pci0 dev 31 function 6 configured
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 Intel UHCI root hub rev 1.00/1.00 addr 1
usb1 at uhci1: USB revision 1.0
uhub1 at usb1 Intel UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci2: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbc0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask fffd netmask fffd ttymask 
rd0: fixed, 3800 blocks
softraid0 at root
PXE boot MAC address 00:09:6b:a0:02:0c, interface fxp0
root on rd0a swap on rd0b dump on rd0b



free binary search tree

2010-06-07 Thread Mark Bucciarelli
Hi,

On GNU/Linux, _GNU_SOURCE enables
tdestroy().  How do I free a binary tree in
OpenBSD?

I grepped /usr/src and didn't find any
places tdelete( is used.

Thanks,

m



tools for finding a type of bug?

2010-03-05 Thread Mark Bucciarelli
Is there some set of tools you all use to
help find bad code?

Specifically, I'm working with a large code
base (monetdb), and have found two instances
where the fopen() return value was not
checked.

Now I'd like to search the tree and find all
instances of this bug.

How do you do this?  Must it be manual or
are there static analysis tools (e.g., grep 
awk or perhaps clang) that you use.

(I didn't mark as OT b/c I'm working towards
an OpenBSD port of this most-excellent db.)

Thanks,

m



Re: tools for finding a type of bug?

2010-03-05 Thread Mark Bucciarelli
On Fri, Mar 5, 2010 at 12:45 PM, Ted Unangst ted.unan...@gmail.com wrote:
> On Fri, Mar 5, 2010 at 12:32 PM, Mark Bucciarelli mkb...@gmail.com wrote:

> http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis


So which would you use to find all fopen()
calls where the return value was ignored?

m



[OT] integer overflows

2009-11-12 Thread Mark Bucciarelli
Hi,

Part 1:

How can I tell if casting an off_t (e.g., sb.st_size) to size_t risks
an overflow?

What about casting ptrdiff_t to a uint64_t or a long?

The full table of all such possible integer type casts must be large
(and full of dragons?).  How do you all keep it straight?

Part 2:

Can someone recommend a good mailing list for
these kinds of generic *nix questions, so I don't have to
abuse the generous hackers here on misc.

Thanks,

m



Re: [OT] integer overflows

2009-11-12 Thread Mark Bucciarelli
On Thu, Nov 12, 2009 at 11:41 AM, Ted Unangst ted.unan...@gmail.com wrote:

> The harder way: Why are you casting an off_t to a size_t?


I want to verify a file's size before mmap'ing it.

The file holds a number of structs each of size size_t.  I stat
the file, compute records_n, then make sure the product of
records_n and struct size is exactly equal to the file size.

The ptrdiff_t question is similar:

p0 = (mystruct *) mmap(...);
if (p0 == MAP_FAILED) err(1, "boom!");  /* mmap() signals failure with MAP_FAILED */
for (p = p0; p < p0 + records_n; p++)
   do_something_with(p);

Is there a portable way to code these two tasks?

Thanks for the suggestions on a mailing list.

m
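
The size check described in the message above, written out as an added example (not code from the thread): it validates the off_t file size before narrowing it to size_t, then maps the file and walks the records. struct record, records_in_file(), sum_records() and write_sample() are hypothetical names, and the sample files are constructed.

```c
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical fixed-size record, standing in for "mystruct" in the post. */
struct record { uint32_t id; uint32_t value; };

/* Turn a signed off_t file size into a record count.  Returns -1 if the size
 * is negative, does not fit in size_t, or is not a whole number of records. */
int records_in_file(off_t size, size_t rec_size, size_t *count) {
    /* uintmax_t holds every non-negative off_t and every size_t value. */
    if (rec_size == 0 || size < 0 || (uintmax_t)size > (uintmax_t)SIZE_MAX)
        return -1;
    if ((size_t)size % rec_size != 0)
        return -1;
    *count = (size_t)size / rec_size;
    return 0;
}

/* Map path read-only, validate its size, and sum the value fields. */
int sum_records(const char *path, size_t *count, uint64_t *sum) {
    struct stat sb;
    struct record *p0, *p;
    int fd, rc = -1;

    if ((fd = open(path, O_RDONLY)) == -1)
        return -1;
    /* mmap() rejects a zero length, so an empty file is refused as well. */
    if (fstat(fd, &sb) == -1 || !S_ISREG(sb.st_mode) ||
        records_in_file(sb.st_size, sizeof(*p0), count) == -1 || *count == 0)
        goto out;
    p0 = mmap(NULL, (size_t)sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    if (p0 == MAP_FAILED)
        goto out;
    for (*sum = 0, p = p0; p < p0 + *count; p++)
        *sum += p->value;
    munmap(p0, (size_t)sb.st_size);
    rc = 0;
out:
    close(fd);
    return rc;
}

/* Constructed sample: nrec records with value i + 1, then `extra` junk bytes. */
int write_sample(char *tmpl, size_t nrec, size_t extra) {
    size_t i;
    int fd = mkstemp(tmpl), ok = (fd != -1);

    for (i = 0; ok && i < nrec; i++) {
        struct record r = { (uint32_t)i, (uint32_t)(i + 1) };
        ok = write(fd, &r, sizeof(r)) == (ssize_t)sizeof(r);
    }
    for (; ok && extra > 0; extra--)
        ok = write(fd, "x", 1) == 1;
    if (fd != -1)
        close(fd);
    return ok ? 0 : -1;
}

int main(void) {
    char good[] = "/tmp/recs.XXXXXX", bad[] = "/tmp/recs.XXXXXX";
    size_t n = 0;
    uint64_t sum = 0;
    int rc;

    if (write_sample(good, 4, 0) == -1 || write_sample(bad, 4, 3) == -1)
        return 1;
    rc = sum_records(good, &n, &sum);
    printf("exact size: rc=%d records=%zu sum=%llu\n", rc, n, (unsigned long long)sum);
    printf("3 trailing bytes: rc=%d\n", sum_records(bad, &n, &sum));
    unlink(good);
    unlink(bad);
    return 0;
}
```

The range check happens while the value is still an off_t; once it is known to be non-negative and no larger than SIZE_MAX, the cast to size_t cannot change it.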



Re: Way to tell ftpd to log IP of remote host?

2009-04-21 Thread Mark Bucciarelli
On Mon, Apr 20, 2009 at 11:35:22PM +0200, Ingo Schwarze wrote:
> Hi Mark,
>
> Mark Bucciarelli wrote on Fri, Mar 13, 2009 at 08:17:23AM -0500:
>
>> But now you have given me another reason not to upgrade.  ;P
>
>
> Huh, what?


joke/needle.

Real reasons are:

  - low risk of remote exploit b/c OpenBSD is so strong

  - low cost if machine gets cracked (see backups)

  - strong passwords, strong limits on local users

  - physical protection to keyboard

  - paranoid logging of all unexpected messages via logsurfer

  - automated off-site backups

  - lots of other stuff on my plate that is higher risk

 
> Besides, see
>   http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c
 

That's great, thanks for the heads up.  It syncs FTP's behavior
with the other daemons in base, w.r.t logging a client
connection.


> So, don't forget ordering the 4.6 CDs
> this autumn and doing the upgrade after November 1st.
 

Yup.  Or just use snapshots and donate.  (You can find my name
listed on the donations page.)

Thanks,

m



snapshot upgrades

2009-03-21 Thread Mark Bucciarelli
Is there danger in upgrading to the latest
snapshot using a script?

  - fetch tarballs and kernels
  - run sysmerge -s etc*.tgz
  - run sysmerge -x xetc*.tgz
  - extract tarballs to their place
  - copy over kernels to root dir
  - pkg_add -ui -F update -F updatedepends
  - reboot

Thanks,

m



Re: Way to tell ftpd to log IP of remote host?

2009-03-13 Thread Mark Bucciarelli
On Thu, Mar 12, 2009 at 6:45 PM, Ingo Schwarze schwa...@usta.de wrote:

> Comments?


Mar 13 08:52:01 crosscutmedia ftpd[1728]:
connection from pool-68-239-27-14.bos.east.verizon.net [68.239.27.14]
Mar 13 08:52:09 crosscutmedia ftpd[4218]:
FTP LOGIN FROM pool-68-239-27-14.bos.east.verizon.net as google

But now you have given me another reason not to upgrade.  ;P

FWIW, the PTR was not spoofed and the remote host had an insecure
password on a test account that had been cracked.

Thanks,

m



Way to tell ftpd to log IP of remote host?

2009-03-12 Thread Mark Bucciarelli
Hi Misc'ers,

Can I tell ftpd to log the IP of the remote host instead of the
remote host name?

I suspect a forged PTR and can't find the remote host IP in the logs.

Current FTP options are -lDan on a 4.2 install.

Thanks,

m



Re: Way to tell ftpd to log IP of remote host?

2009-03-12 Thread Mark Bucciarelli
On Thu, Mar 12, 2009 at 4:42 PM, Ingo Schwarze schwa...@usta.de wrote:

> Mark Bucciarelli wrote on Thu, Mar 12, 2009 at 03:51:18PM -0500:

> Can I tell ftpd to log the IP of the remote host instead of the
> remote host name?

> No.


Is there any good reason to log the remote host name rather than
the IP?

The http, secure shell, network time protocol, and mail daemons
all log the IP of the remote host.

Is this ftpd code a legacy from when PTR records were not spoofed?

Should I submit a patch?  The change seems easy enough  :)

Thanks,

m



Re: Bottleneck in httpd. I need help to address capacity issues on max parallel and rate connections

2007-12-15 Thread Mark Bucciarelli
Hi,

On 2007-05-10 8:40:36 Claudio Jeker wrote:

> With many shortliving connections you have a lot of sockets in TIME_WAIT.
> Because you are testing from one host only you start to hit these entries
> more and more often this often results in a retry from the client.

I'm curious what you meant by:

> Because you are testing from one host
> only you start to hit these entries more ...

Entries in what?

Why does it matter that the http requests come from the same host?

I'm pushing the stock Apache and 4.2 Generic with http_load and can
make the system unresponsive with a rate of 100 new connections/second
(for 20 seconds).  For a short period of time (20s?), my ssh console
is non-responsive.   Sometimes SSH even times out.  If it comes back,
I can see lots of tcp sockets (1,500+) bound to www in TIME_WAIT.

I'm going to move to lighttpd, but it will have the same issue when
serving lots and lots of small responses.

Do I need to bump somaxmax?

Or are there other avenues I should pursue first?

Or is the test bogus because all connections come from the same IP?
(Host and client are different boxes, connected via the internet.)

Thanks,

m

 START DMESG 
OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 2.66GHz (GenuineIntel 686-class) 2.67 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID
real mem  = 106412 (1015MB)
avail mem = 1021501440 (974MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/05/04, BIOS32 rev. 0 @
0xfd71c, SMBIOS rev. 2.31 @ 0xefa20 (47 entries)
bios0: vendor IBM version 2CKT19AUS date 10/05/2004
bios0: IBM 8085D5U
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd6b0/0x950
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf00/224 (12 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0xa000! 0xca000/0x1000 0xcb000/0x1000 0xe/0x1!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82865G/PE/P CPU-I/0-1 rev 0x02
vga1 at pci0 dev 2 function 0 Intel 82865G Video rev 0x02: aperture
at 0xf000, size 0x800
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 11
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 10
uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: irq 5
uhci3 at pci0 dev 29 function 3 Intel 82801EB/ER USB rev 0x02: irq 11
ehci0 at pci0 dev 29 function 7 Intel 82801EB/ER USB2 rev 0x02: irq 3
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb0 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xc2
pci1 at ppb0 bus 3
vendor Conexant, unknown product 0x2702 (class communications
subclass miscellaneous, rev 0x01) at pci1 dev 0 function 0 not
configured
acx0 at pci1 dev 1 function 0 TI ACX111 rev 0x00: irq 11
acx0: ACX111, radio Radia (0x16), EEPROM ver 5, address 00:0f:b5:4c:91:d7
ATT/Lucent FW322 1394 rev 0x61 at pci1 dev 2 function 0 not configured
fxp0 at pci1 dev 8 function 0 Intel PRO/100 VE rev 0x02, i82562: irq
9, address 00:0d:60:e1:10:85
inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
ichpcib0 at pci0 dev 31 function 0 Intel 82801EB/ER LPC rev 0x02:
24-bit timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 Intel 82801EB/ER IDE rev 0x02:
DMA, channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: ST3200822A
wd0: 16-sector PIO, LBA48, 190782MB, 390721968 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, DVDRAM GSA-4082B, A202 SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
ichiic0 at pci0 dev 31 function 3 Intel 82801EB/ER SMBus rev 0x02: irq 9
iic0 at ichiic0
adt0 at iic0 addr 0x2e: lm85 rev 0x62
auich0 at pci0 dev 31 function 5 Intel 82801EB/ER AC97 rev 0x02: irq
9, ICH5 AC97
ac97: codec id 0x41445374 (Analog Devices AD1981B)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4: Intel UHCI root hub, rev 1.00/1.00, addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 

Re: Bottleneck in httpd. I need help to address capacity issues on max parallel and rate connections

2007-12-15 Thread Mark Bucciarelli
On 12/15/07, Philip Guenther [EMAIL PROTECTED] wrote:
> On Dec 14, 2007 3:06 PM, Mark Bucciarelli [EMAIL PROTECTED] wrote:
>> On 2007-05-10 8:40:36 Claudio Jeker wrote:
>
>>> With many shortliving connections you have a lot of sockets in TIME_WAIT.
>>> Because you are testing from one host only you start to hit these entries
>>> more and more often this often results in a retry from the client.
>
>> Why does it matter that the http requests come from the same host?

> I believe OpenBSD limits such port assignments via the
> net.inet.ip.porthi{first,last} sysctl variables which give you a
> default range of only 16384 ports.  Putting that together with the
> normal TIME_WAIT period of 2 minutes means that a single OpenBSD
> machine connecting to a single port on a server is limited to 136
> connections per second on average.

Got it, thanks.  That explains the operation already in progress
message from http_load.  :)  I've increased the client port range and
those messages are gone.

I'm noticing that often there are three sockets bound to www port that
end up in a state of CLOSING for nearly ten minutes after running the
test.  (Their send queue is equal to 316.)

Is it unusual to have such a long timeout?

m



could not get a semaphore

2007-07-30 Thread Mark Bucciarelli
When starting symux (installed from packages), I run out of semaphores (see 
output below). 

I searched the archives, and found a post from Marco Pfatschbacher that 
included a patch to symon that reduced SYMUX_SHARESLOTS from 20 to 3. 

I'm curious as to why I am running out of semaphores--don't I have slots for 60 
semaphores? 


20 symux (guess)
4 ipcs (see below)
---
24 

24 < kern.seminfo.semmns, which is 60. 

If it matters, this is a GENERIC 4.1 kernel, rebuilt with profiling on. 

Please CC me, as I'm not subscribed. 

Thanks, 

m 



# symux -d
symux version 2.75
program id=30174
debug: size of churnbuffer = 902
debug: shm from 0x8395a000 to 0x83af1430
fatal: could not get a semaphore
# ipcs
Message Queues:
T       ID      KEY MODE    OWNER       GROUP

Shared Memory:
T       ID      KEY MODE    OWNER       GROUP
m    65536  5432001 --rw--- _postgresql _postgresql

Semaphores:
T       ID      KEY MODE    OWNER       GROUP
s   327680        0 --rw--- www         www
s    65537  5432001 --rw--- _postgresql _postgresql
s    65538  5432002 --rw--- _postgresql _postgresql
s    65539  5432003 --rw--- _postgresql _postgresql


# sysctl -a | grep seminfo
kern.seminfo.semmni=10
kern.seminfo.semmns=60
kern.seminfo.semmnu=30
kern.seminfo.semmsl=60
kern.seminfo.semopm=100
kern.seminfo.semume=10
kern.seminfo.semusz=100
kern.seminfo.semvmx=32767
kern.seminfo.semaem=16384
#



Re: apache security

2007-01-23 Thread Mark Bucciarelli
On Tue, Jan 23, 2007 at 05:44:38PM +0100, Almir Karic wrote:

> is this possible? i've been looking at su-exec but it is for
> cgi scripts only :/, what other options there are?

If you can run the app(s) with FastCGI (most PHP stuff I have
tried does), another option is to use suexec wrapper for dynamic
FastCGI processes.  If you configure the FastCGI processes to die
quickly, and you have many low volume sites, it is not a big RAM
hit.

m



Install question: FreeBSD installed, no CD drive

2007-01-16 Thread Mark Bucciarelli
I have a laptop with FreeBSD and no CD drive.  I'd like to
convert to OpenBSD.  I have the 4.0 CD.

What is the easiest path (other than buying a CD drive ;)?

For example, can I boot the OpenBSD bsd.rd from the second stage
of the FreeBSD bootstrap and install from there?

If this won't work, is it possible to PXE boot from a machine
that hosts bsd.rd but does not run OpenBSD?

Thanks,

m



Bind performance

2006-11-22 Thread Mark Bucciarelli
I have seen some benchmarking stats on Bind [1] and NSD that
compare FreeBSD 6.1 to 4.11, and 4.11 kicks 6.1's ass and then
wipes up the floor with it.

I'm going to be putting a DNS server in production soon and was
planning to use FreeBSD, but now I'm wondering if OpenBSD would
be a better choice from purely a performance perspective.

I understand performance is secondary to security for this
project, but I am curious what the numbers are in this specific
case.

Does anyone have stats on Bind performance on OpenBSD?  (I saw
the fefe page--looks old.)

And when does performance really start to matter for a DNS
server?  Say I host 500 web sites and 500 email domains with
average traffic, for some value of average.  Is a limit of
15,000 DNS queries/second ever going to be a problem?  If not,
when could it become a problem?

It will be my first DNS server, so I don't have a gut feel for
this stuff yet.

Thanks,

m

[1] http://lists.freebsd.org/pipermail/freebsd-net/2006-September/011748.html



Re: Bind performance

2006-11-22 Thread Mark Bucciarelli
On Wed, Nov 22, 2006 at 11:00:17PM +0200, Berk D. Demir wrote:
> Mark Bucciarelli wrote:
>
>> And when does performance really start to matter for a DNS
>> server?
>
> 15.000 queries/sec seems a bit unrealistic to me.  I bet even
> with 15.000 packets/sec your ethernet cards will create an
> interrupt storm and even pf won't be able to process packets
> because kernel will be losing too much time handling the
> interrupts.

In benchmarking stats/lies I quoted in original post, that's the
slowest they got (6.1 SMP w/ Bind).  With NSD it was 30,000 on
6.1 and 59,000 on 4.11.  The full chart compares FreeBSD 6.1,
4.11 and Linux 2.6 (SMP vs. UP).

In any case, it's obvious DNS performance is not something I need
to worry about.  

Thanks for the help!

m



[OT] OpenBSD AJAX

2006-11-01 Thread Mark Bucciarelli
On Wed, Nov 01, 2006 at 07:20:05AM -0600, David Terrell wrote:
> On Wed, Oct 25, 2006 at 02:43:21PM +1000, Damien Miller wrote:
>
>> I think you would be nuts to write your web applications in C, unless
>> you are a master with a good reason.
>
> I just want to say, writing thick web-applications with C cgi isn't
> as crazy as it used to be, with the rise of client side javascript
> frameworks.

Do you have a recommendation for a client-side Ajax lib to use
with C?

Other than OAT, most seem to be tied to some interpreted
language.

m



Re: best hardware plataform for openbsd

2006-10-12 Thread Mark Bucciarelli
On Sun, Oct 08, 2006 at 07:31:39AM -0600, Diana Eichert wrote:
> On Sun, 8 Oct 2006, Gustavo Rios wrote:
>
>> I meant more CPU processing cycles per a given constant
>> amount of money!  That's it.
>
> Hmmm, before I answer that question I'd like to know what are
> the intended uses?  For example, for a DNS server I would
> seriously consider some of the platforms recently added, armish
> for one.

What advantages do you see from building a DNS server using
armish?

m



Re: gcc and variable length arrays

2006-10-11 Thread Mark Bucciarelli
On Tue, Oct 10, 2006 at 02:42:12PM -0700, Joe wrote:
 
> By the way, if anyone has any pointers (no pun intended) for a
> CS newbie, any help and recommendations are always appreciated.
> I like the OpenBSD development community and hope to contribute
> some code and patches in the future.

Advanced UNIX Programming, by Stevens.

Very well written and organized.  The code samples are great too.

m



Re: Secure Apache Webserver

2006-09-29 Thread Mark Bucciarelli
On Thu, Sep 28, 2006 at 05:48:26PM +0200, Joachim Schipper wrote:
> On Thu, Sep 28, 2006 at 12:52:41PM +0200, Joachim Schipper wrote:
>> On Thu, Sep 28, 2006 at 10:55:30AM +0200, Aiko Barz wrote:
>>> The issue: If my users start to install a php-Filebrowser, they are
>>> able to access the other Webdirectories and could read config.php,
>>> because they are doing it with the permissions of the webserver.
>>> Write access would be possible as well, since some parts need to have
>>> write access.

>> suExec + PHP is not feasible for many people, due to the high webserver
>> load incurred; suPHP may be less problematic, or not.
>
> It appears, from a quick web search, that FastCGI allows one to give
> each user its own PHP instance.

Yes--wrap fastCGI daemons in suExec.  Each fastcgi process runs
with uid/gid of site owner.

Use dynamic servers and make 'em die out fast.  If a site is
busy, servers will stay resident and site is fast.  Low volume
sites are slow on first hit, as new server needs to spawn.  A
side benefit is that you can specify a different php.ini for each
vhost. 

Fix your umask for FTP server so other doesn't have read
permissions for newly uploaded files. Turn search bit off for
other users in as many directories in your vhost tree as
possible.

Expect to spend a couple days getting it right.  ;)

m



Will spamd work with db on a RAM disk?

2005-12-12 Thread Mark Bucciarelli
Will spamd work if /var/db/spamd is a symbolic link to a file on a RAM 
disk?

I noticed that spamd uses quite a bit of disk I/O (on a box that is 
bound by disk I/O).

Is it safe to make a backup copy of the file while spamd is running?  

I'm willing to trade the possibility of losing 30 minutes of greylist 
data for a lower disk load.

I couldn't find any docs on the format of the db file spamd uses and I 
couldn't figure it out from a quick scan of the spamd.c source.

Awesome concept, btw.  

Thanks,

m



Re: Will spamd work with db on a RAM disk?

2005-12-12 Thread Mark Bucciarelli
On Mon, Dec 12, 2005 at 09:35:20AM -0700, [EMAIL PROTECTED] wrote:

> Spamd uses Berkeley DB - if your disk file is large you will use
> plenty of I/O to it.

Ok, so looks like my options are:

(1) take spamd down, call db_checkpoint, copy files, restart spamd

(2) mess around with db_hotbackup.

> if your machine is just doing spamd, allocate a lot more of your ram
> for this by increasing bufcachepct in the kernel

Unfortunately, it's doing a lot of other stuff at the moment so I don't 
think this will help much.

m



Re: Will spamd work with db on a RAM disk?

2005-12-12 Thread Mark Bucciarelli
On Mon, Dec 12, 2005 at 09:46:59AM -0800, J. C. Roberts wrote:

> Please think about what Bob suggested for a moment and then look at your
> reply. -The overhead and resource usage of creating/maintaining a ram
> disk is greater than simply increasing the physmem allocation for
> caching files.

I did think about it, but maybe incorrectly.

I figured the kernel would not be smart enough to give a strong 
preference to caching the files that are getting written to 
(/var/db/spamd) over those files that are getting read a lot 
(SpamAssassin and ClamAV).  I figured that's why he qualified his 
suggestion with spamd being the only running on the box.

Or are you saying that caching the reads would help with the I/O 
bottleneck just as effectively?  I would be surprised by that, especially 
since it's RAID1.

m