Re: dnscrypt-proxy

2013-12-31 Thread nixlists
Thanks!

But can we now trust OpenDNS, etc., in light of the recent news about net
neutrality, etc.? We probably can't trust our own DNS caches due to the
issues of net neutrality, etc., either??

Thank you.


On Tue, Dec 31, 2013 at 7:26 AM, Giancarlo Razzolini
grazzol...@gmail.com wrote:

 On 31-12-2013 05:34, nixlists wrote:
  Hello,
 
  OpenBSD has this package. Is it trustworthy? Anyone use it here?
 
  I believe this works with OpenDNS, and a few other providers of secure
  recursive caches that support dnscurve through this package. DNS is
  probably never going to be secure against attacks in our lifetimes (but,
  hey, maybe not, due to the recent brouhaha), but at least protecting the
  last mile seems somewhat feasible with this.
 
  Any help would be greatly appreciated.
 
  Thanks.
 
 I've been using it, in conjunction with either named on base and unbound
 from ports, to encrypt the dns transmissions of my networks. But, the
 version in ports is rather old, 1.2.0 if I'm not mistaken. I compile the
 latest version and use either my own rc.d script or the one that ships
 with the package.

 Pay attention that it mostly protects, as you said, the last mile. It
 won't help against local attacks on your network, because, unless you
 install it on all your machines, it is still vulnerable to attacks. But
 there is this added complexity of having to install a DNS cache on all of
 them.

 Cheers,

 --
 Giancarlo Razzolini
 GPG: 4096R/77B981BC



Re: dnscrypt-proxy

2013-12-31 Thread nixlists
On Tue, Dec 31, 2013 at 2:17 PM, Nicolai nicolai-om...@chocolatine.org wrote:
 On Tue, Dec 31, 2013 at 02:34:10AM -0500, nixlists wrote:
 Hello,

 OpenBSD has this package. Is it trustworthy?

 Yes, it is.

Fine, I'll believe you :D

Have to trust someone at some point, and you don't sound like agent Smith.


 Anyone use it here?

 Yes; I installed the Windows client (same source as the unix
 dnscrypt-proxy) on a friend's machine and it works like a charm.
 For myself I just use a local DNSCurve resolver.

 I believe this works with OpenDNS, and a few other providers of secure
 recursive caches that support dnscurve through this package.

 That is basically correct.  DNSCurve and DNSCrypt are very similar but
 they are not the same.  OpenDNS supports both: DNSCrypt from you to
 them, and DNSCurve, when available, from their recursive resolvers to
 remote authoritative servers.

Didn't know that OpenDNS supports DNSCurve. Does anyone else?

With the recent *cough*storm about certain entities planting
implants and penetrating our collective mind-orifices through
backdoors, and, subsequently, obviously, the bad guys (whom the
entities employ, again, obviously (not the leaker)) now having the keys
to the kingdom of the locks that they themselves have forged, why
shouldn't the whole kingdom adopt DNSCurve or something like it to
protect itself? Even DNSSEC adoption has been ridiculously slow, but
it doesn't offer privacy. Also, DNSSEC uses crypto that is poor by modern
standards, and suffers from amplification attacks.

One would think that DNSCurve adoption at this point would take over IPv6.

Ahhh, DNS fantasies... :))

Happy New Year! (Although something tells us all we should be worried
about this one!) The integrity of the 'net is now futile.



dnscrypt-proxy

2013-12-30 Thread nixlists
Hello,

OpenBSD has this package. Is it trustworthy? Anyone use it here?

I believe this works with OpenDNS, and a few other providers of secure
recursive caches that support dnscurve through this package. DNS is
probably never going to be secure against attacks in our lifetimes (but,
hey, maybe not, due to the recent brouhaha), but at least protecting the
last mile seems somewhat feasible with this.

Any help would be greatly appreciated.

Thanks.



Device busy

2010-08-03 Thread nixlists
Hi. After an upgrade from an older snapshot of -current to
yesterday's snapshot, any attempt to write to /dev/ulpt0 results in
"Device busy". For example, echo test > /dev/ulpt0 returns "Device
busy". An older (several months old) -current kernel didn't have this
problem.

Thanks.

OpenBSD 4.8-beta (GENERIC) #62: Mon Aug  2 19:22:46 MDT 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.53GHz (GenuineIntel 686-class) 2.52 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM
real mem  = 267448320 (255MB)
avail mem = 253116416 (241MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/13/02, BIOS32 rev. 0 @
0xffe90, SMBIOS rev. 2.3 @ 0xf0450 (60 entries)
bios0: vendor Dell Computer Corporation version A09 date 09/13/2002
bios0: Dell Computer Corporation Dimension 8200
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP SSDT APIC BOOT
acpi0: wakeup devices VBTN(S4) PCI0(S5) USB0(S3) USB1(S3) PCI1(S5) MOU_(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 132MHz
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (PCI1)
acpicpu0 at acpi0
acpibtn0 at acpi0: VBTN
bios0: ROM list: 0xc/0x8000 0xc8000/0x4800 0xcc800/0x1800 0xce000/0x2000
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82850 Host rev 0x04
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xf800, size 0x200
ppb0 at pci0 dev 1 function 0 Intel 82850/82860 AGP rev 0x04
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Matrox MGA G400/G450 AGP rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0x04
pci2 at ppb1 bus 2
pciide0 at pci2 dev 7 function 0 CMD Technology SiI3512 SATA rev 0x01: DMA
pciide0: using apic 1 int 16 (irq 7) for native-PCI interrupt
pciide0: port 0: device present, speed: 1.5Gb/s
wd0 at pciide0 channel 0 drive 0: ST3250410AS
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide0:0:0): using BIOS timings, Ultra-DMA mode 6
pciide0: port 1: device present, speed: 1.5Gb/s
wd1 at pciide0 channel 1 drive 0: ST3250824AS
wd1: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd1(pciide0:1:0): using BIOS timings, Ultra-DMA mode 6
ral0 at pci2 dev 8 function 0 Ralink RT2561S rev 0x00: apic 1 int 17
(irq 10), address 00:1f:1f:1a:c4:3f
ral0: MAC/BBP RT2561C, RF RT2527
em0 at pci2 dev 9 function 0 Intel PRO/1000MT (82546EB) rev 0x01:
apic 1 int 18 (irq 5), address 00:11:0a:5c:20:06
em1 at pci2 dev 9 function 1 Intel PRO/1000MT (82546EB) rev 0x01:
apic 1 int 19 (irq 11), address 00:11:0a:5c:20:07
ohci0 at pci2 dev 10 function 0 NEC USB rev 0x43: apic 1 int 19 (irq
11), version 1.0
ohci1 at pci2 dev 10 function 1 NEC USB rev 0x43: apic 1 int 16 (irq
7), version 1.0
ehci0 at pci2 dev 10 function 2 NEC USB rev 0x04: apic 1 int 17 (irq 10)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 NEC EHCI root hub rev 2.00/1.00 addr 1
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 NEC OHCI root hub rev 1.00/1.00 addr 1
usb2 at ohci1: USB revision 1.0
uhub2 at usb2 NEC OHCI root hub rev 1.00/1.00 addr 1
ichpcib0 at pci0 dev 31 function 0 Intel 82801BA LPC rev 0x04
pciide1 at pci0 dev 31 function 1 Intel 82801BA IDE rev 0x04: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd2 at pciide1 channel 0 drive 0: WDC AC310100B
wd2: 16-sector PIO, LBA, 9671MB, 19807200 sectors
wd2(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide1 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: LITEON, DVD-ROM LTD163, GDHF ATAPI
5/cdrom removable
cd0(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 31 function 2 Intel 82801BA USB rev 0x04: apic 1
int 19 (irq 11)
ichiic0 at pci0 dev 31 function 3 Intel 82801BA SMBus rev 0x04: apic
1 int 17 (irq 10)
iic0 at ichiic0
uhci1 at pci0 dev 31 function 4 Intel 82801BA USB rev 0x04: apic 1
int 23 (irq 9)
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb3 at uhci0: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci1: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
mtrr: Pentium Pro MTRR support
ulpt0 at uhub0 port 2 configuration 1 interface 0 Hewlett-Packard hp
LaserJet 2420 rev 2.00/1.00 addr 2
ulpt0: using bi-directional mode
ugen0 at uhub1 port 2 American Power Conversion Back-UPS RS 700G
FW:856.L1 .D USB FW:L1 rev 2.00/0.90 addr 2
uhidev0 at uhub3 port 1 configuration 1 interface 0 Plus More
Enterprise LTD. USB-compliant keyboard rev 

Usb printer problem after upgrade

2010-08-02 Thread nixlists
Hi.

I upgraded from a few months old -current snapshot to the August 1
i386 snapshot, and now any attempt to write to /dev/ulpt0 (my USB
printer) results in "Device busy". Booting with the old kernel - no
problem, I can print. Is this a bug in the new snapshot? Is anyone
else having issues with their USB printers with this snapshot?

Thanks.


ulpt0 at uhub0 port 2 configuration 1 interface 0 Hewlett-Packard hp
LaserJet 2420 rev 2.00/1.00 addr 2
ulpt0: using bi-directional mode



Re: Shutdown fails intermittently with OpenBSD running off SD MMC card

2010-03-14 Thread nixlists
FWIW if I connect (boot with) my RAID enclosure to my eSATA card, the
problem goes away at shutdown time. Any ideas?

On 3/14/10, Anders Langworthy lagrang...@gmail.com wrote:
 On Fri, Mar 5, 2010 at 7:44 PM, J.C. Roberts list-...@designtools.org
 wrote:
 Now getting back to the link/problem posted by Frank which mentions
 firefox, as well as your complaint about the speed of firefox... Yep,
 the final stop on the reality tour is most likely the fact that firefox
 might be *STILL* trying to shut down because the disk write speed sucks
 so bad. This of course means, sync is waiting on it. If you use a
 bloated Desktop like kde or gnome, they may also be a contributing
 factor to your shutdown times and for the same reason.

 I also experience this issue intermittently on my two 4.6
 workstations, both with conventional HDDs.  It either syncs instantly,
 or it never completes at all.  I only weigh in because this was never
 a problem until 4.6 & Firefox 3.5, and after jcr's points above I am
 highly inclined to blame the latter.  Thank you for your suggestions.
 I will configure FF to not use a disc cache and report back after
 testing.

 Cheers,
 Anders



Shutdown fails intermittently with OpenBSD running off SD MMC card

2010-03-05 Thread nixlists
Hi. I installed a recent -current on an SD MMC card. It boots just fine
with an old SanDisk reader, but most times at shutdown
(shutdown -h now) the kernel hangs at "Syncing disks...", and I have to
power down manually. When it comes back it has to fsck, of course.
Shutdown works fine on a different computer (a laptop with a built-in
card reader) with this SD card. What might the problem be? Is my old
reader flaky?

Also, unrelated, but I am using Firefox in this install to write this
message and it is painfully slow. This is on an Athlon 64 X2 4200+. I
am using the .mp kernel. Is it supposed to be this slow? It is using about
16% CPU with only one tab open.

uhci0 at pci0 dev 16 function 0 VIA VT83C572 USB rev 0x81: apic 2
int 21 (irq 255)
uhci1 at pci0 dev 16 function 1 VIA VT83C572 USB rev 0x81: apic 2
int 21 (irq 255)
uhci2 at pci0 dev 16 function 2 VIA VT83C572 USB rev 0x81: apic 2
int 21 (irq 255)
uhci3 at pci0 dev 16 function 3 VIA VT83C572 USB rev 0x81: apic 2
int 21 (irq 255)
ehci0 at pci0 dev 16 function 4 VIA VT6202 USB rev 0x86: apic 2 int
21 (irq 255)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 VIA EHCI root hub rev 2.00/1.00 addr
...
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 VIA UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 VIA UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 VIA UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 VIA UHCI root hub rev 1.00/1.00 addr 1

...

umass0 at uhub0 port 1 configuration 1 interface 0 SanDisk ImageMate
9 in 1 Reader/Writer rev 2.00/93.35 addr 2
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd0 at scsibus2 targ 1 lun 0: Generic, STORAGE DEVICE, 9335 SCSI0
0/direct removable
sd0: 3814MB, 512 bytes/sec, 7811072 sec total

Thanks.



Re: Shutdown fails intermittently with OpenBSD running off SD MMC card

2010-03-05 Thread nixlists
On 3/5/10, Christiano F. Haesbaert haesba...@haesbaert.org wrote:
 2010/3/5 nixlists nixmli...@gmail.com:
   

  Also, unrelated, but I am using Firefox in this install to write this
   message and it is painfully slow. This is on an Athlon 64 X2 4200+. I
   am using the .mp kernel. Is it supposed to be this slow? It is using about
   16% CPU with only one tab open.
  


 Put your gmail account in old style, I had the same problem, it's a
  gmail issue.

Not specific to gmail, I don't think. FF just seems very slow in
OpenBSD for some reason.



Re: -current or -stable [was: Not another Browser Question]

2010-03-05 Thread nixlists
On 3/5/10, Marc Espie es...@nerim.net wrote:
 Well, sometimes we fuck up -current.

  Not on purpose, but it happens.

  If you run into a broken snapshot, you may have to wait a few days until
  a new snapshot hits the mirrors, usually with everything fixed.

  ... and so, your system may be fucked for a few days.

  That said, we never get enough tests before the release. So problems happen
  right after release, usually, because everyone was too lazy to test things.

  Developers get frustrated with that. Theo gets *very* cranky over that.

  The solution is probably to entice more test-bunnies into OpenBSD, so that
  more tests gets done.

  We're very far from lemmings-linux, aka debian, where very little engineering
  actually gets done, and where the whole development process relies on hordes
  of lemmings^Wusers going over the cliff to actually get things to work. ;-)

OK, is that sarcasm, or are you for real?

Anyway, at least one person has this opinion:

Yes, a basic understanding, plus the understanding that you need to
catch a set of commits completely.  That requires some understanding
of the code at some level.  Fortunately messing that up only means that
you have to wait and update again, and not make the mistake of posting
on a mailing list that something is wrong.  I just did this, with the new
distributed package builder that Marc Espie has redone--had I paid more
attention,  I would have seen that new stuff was added, which fixed the
particular problem I had.

Would it be OK to say that -current is probably not a good idea on
production systems, for some people (who for whatever reasons can't do
what is recommended in the above comment)? I am not a C/*nix
developer; should I really risk running -current in production because
I may not understand which snapshot to run?

The other problem, that gets mentioned is some people are forced to
run -current because some packages will only work with -current, and
backporting sucks for many reasons.

Would it be possible to give at least some information about where the
progress is when each snapshot is made, or should it be assumed that a
snapshot represents the source tree at a relatively stable state most
of the time?

Just trying to figure this out.

Thanks.



Re: -current or -stable [was: Not another Browser Question]

2010-03-05 Thread nixlists
On Fri, Mar 5, 2010 at 2:08 PM, Bret S. Lambert bret.lamb...@gmail.com wrote:
 The other problem, that gets mentioned is some people are forced to
 run -current because some packages will only work with -current, and
 backporting sucks for many reasons.

 Unless you're running one of those, it doesn't affect you. Are you? You
 apparently don't know, no one is more qualified to answer these questions
 than you can.

Not true. You don't know either. The only reason why I tried -current
is because I couldn't run a package in 4.6.

 not when you write an endless series of emails.

I am not the only one who is interested in understanding these issues,
judging by the length of this thread.



Re: Shutdown fails intermittently with OpenBSD running off SD MMC card

2010-03-05 Thread nixlists
On 3/5/10, J.C. Roberts list-...@designtools.org wrote:


  look for the `-p` flag.


Know all about it. The problem is the kernel won't even get to that
point - it hangs on syncing disks... stage.



Re: pf: blocklists

2010-03-04 Thread nixlists
spamd is great, but I need to filter other traffic. I still wonder how
people manage to download and convert blocklists for loading into pf
in an automated way as a cron job. Has anyone attempted to do this?
Often there are syntax errors in the lists, sometimes transfers fail.
IOW it's unreliable, and I have to do it manually. I guess I could do
it such that if a list fails download or conversion, then leave the
old list alone, but that sucks too. Also, which lists do you use?

Thanks.



Re: Best Mail Archive

2010-03-04 Thread nixlists
Every time someone tells me to go search an archive, I want to use
profanity. They never think of just how painful mail archive searching
is, but I guess we all have to bite the bullet and use search systems
that are bad at searching.



Re: Best Mail Archive

2010-03-04 Thread nixlists
mailing.openbsd.tech is on Google groups, I don't see
mailing.openbsd.misc. Searching on Google groups works quite well,
would be nice to see this list there.



Re: pf: blocklists

2010-03-04 Thread nixlists
2010/3/4 Iñigo Ortiz de Urbina tarom...@gmail.com:
 What are you trying to accomplish?
 I would be interested in helping you but first I would like to understand
 it better.
 I really think all those tasks can be easily automated via scripts and pfctl
 to load the netblocks on tables.
 Have a nice day,
 Iñigo

Since the blocklists (take a look at okean.com and some stuff on other
sites I won't mention) are distributed through http - downloads fail
sometimes, so I am not sure how to make a reliable automated script
that gets these lists periodically. Maybe it should just leave the old
file in place when it can't get a new blocklist file. Some
distribution sites are overloaded and flaky, downloads fail. Further,
the lists need to be converted from their formats to other formats.
That's easy, except for the case when there are syntax errors in these
list files, and I've seen quite a few. So automatic conversion fails
as well :(
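
One way to do what the two "pf: blocklists" posts above ask for (fetch the list, convert it, check it for syntax errors, and only then swap it in and reload the table, leaving the old list alone on any failure). This is an added example for this thread, not a script from okean.com, the pf project or anyone in the thread. Assumptions: the list is plain text with one address, CIDR block or "first - last" range per line and "#" or ";" starting a comment; pf.conf carries a matching `table <blocklist> persist file "/etc/pf.blocklist"` line; the URL, the table name `blocklist` and the file path are placeholders.

```python
"""Blocklist updater for a pf table: fetch, convert, validate, then load.

Added example for the openbsd-misc "pf: blocklists" thread, not code from
okean.com, OpenBSD or pf. Assumed: pf.conf has
    table <blocklist> persist file "/etc/pf.blocklist"
so `pfctl -t blocklist -T replace -f /etc/pf.blocklist` reloads the table;
URL, table name and file path are placeholders."""
import ipaddress
import os
import re
import subprocess
import sys
import urllib.request

_COMMENT = re.compile(r"[#;].*$")


def normalize(text):
    """Return the list as canonical CIDR strings, one per entry, in order.

    Raises ValueError on the first malformed line or on an empty result, so a
    truncated or mangled download is rejected as a whole rather than loaded
    half-converted."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _COMMENT.sub("", raw).strip()
        if not line:
            continue
        try:
            if "-" in line:  # 'a.b.c.d - e.f.g.h' range: cover it with CIDR blocks
                lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
                out.extend(str(n) for n in ipaddress.summarize_address_range(lo, hi))
            else:
                out.append(str(ipaddress.ip_network(line, strict=False)))
        except (ValueError, TypeError) as e:
            raise ValueError("line %d (%r): %s" % (lineno, raw, e))
    if not out:
        raise ValueError("no addresses left after conversion")
    return out


def fetch(url, timeout=60):
    """Download the raw list; any HTTP or socket failure surfaces as OSError."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("ascii", "replace")


def install(path, entries):
    """Write the converted list next to the old one and rename it into place,
    so the file on disk is always a complete list (old or new), never partial."""
    tmp = path + ".new"
    with open(tmp, "w") as f:
        f.write("\n".join(entries) + "\n")
    os.rename(tmp, path)


def update(url, table, path, pfctl=("pfctl",)):
    """Cron entry point. Returns False and leaves the previous file and table
    untouched if the download fails or the list does not convert cleanly."""
    try:
        entries = normalize(fetch(url))
    except (OSError, ValueError) as e:
        sys.stderr.write("keeping old %s: %s\n" % (path, e))
        return False
    install(path, entries)
    # Swap the table contents for the validated file in one pfctl call.
    subprocess.check_call(list(pfctl) + ["-t", table, "-T", "replace", "-f", path])
    return True


if __name__ == "__main__":  # e.g. from cron: pf-blocklist.py URL blocklist /etc/pf.blocklist
    url, table, path = sys.argv[1:4]
    sys.exit(0 if update(url, table, path) else 1)
```

Run it from crontab with the list URL, the table name and the file the table is loaded from; a non-zero exit means the previous list is still in force, which is the behaviour the post asks for. The conversion is deliberately all-or-nothing: one malformed line rejects the whole download, because a list with a syntax error is more likely a truncated or corrupted transfer than a list with one bad entry.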



Re: Best Mail Archive

2010-03-04 Thread nixlists
Odd. I search/browse a few months back into archive at least, and not
because someone tells me to do it, and I still don't find answers
sometimes (and searching still sucks, but ignore my whining).



Re: Best Mail Archive

2010-03-04 Thread nixlists
 Having contributed to MARC I think it's a pretty good site.  Hank has also
 added lists, as in the PCC lists, when I requested.

I didn't say MARC is a bad site.



Re: -current or -stable [was: Not another Browser Question]

2010-03-04 Thread nixlists
On Thu, Mar 4, 2010 at 10:44 AM, Chris Bennett
ch...@bennettconstruction.biz wrote:
 -current is typically safer by default since all those errata in release
 versions are already fixed in -current snapshots. No patches, no builds.
 just update to latest snapshots, other than time to update packages, maybe
 10-15 minutes or less

But where are the latest security issues and stability issues likely
to be found? In either release or current or just current, since
current is being developed?



Re: Best Mail Archive

2010-03-04 Thread nixlists
 But has a point. Mail archives are dead as an interface. Google
 knows all. We should be asking 'Did you ask Google?' rather than
 'Did you search the mail archives.' I'm sure many people have to
 go Google 'mail archives' to figure out what they are anyway. :-).

  Ken

I like it as much as you do, for the reasons we both know.



Re: -current or -stable [was: Not another Browser Question]

2010-03-04 Thread nixlists
On Thu, Mar 4, 2010 at 11:35 AM, Chris Bennett
ch...@bennettconstruction.biz wrote:
 You are talking about two separate issues.

 Stability is not related to security directly.
 The two are intricately combined but not the same.

But both are related to downtime and data loss. I understand stability
bugs are likely to pop-up more often with current, and this has been
my experience. Weird freezes without panic that I did not have with
release/stable, and some pf-related panics that went away with recent
current.

Anyway, I am still not clear where most security bugs are more likely
to pop-up - in release or current, or either?

Thanks.



Re: -current or -stable [was: Not another Browser Question]

2010-03-04 Thread nixlists
On Thu, Mar 4, 2010 at 11:58 AM,  and...@msu.edu wrote:
 But both are related to downtime and data loss. I understand stability
 bugs are likely to pop-up more often with current, and this has been
 my experience. Weird freezes without panic that I did not have with
 release/stable, and some pf-related panics that went away with recent
 current.

 Anyway, I am still not clear where most security bugs are more likely
 to pop-up - in release or current, or either?

 Thanks.

 For any established bug that's been around for a while before discovery,
 it will be in both -release and -current; established meaning existing
 for one or more releases.

 -Current can have bugs that are introduced during the development
 cycle.  Typically they are seen fairly quickly and stomped on quickly.

 I've lived on -current on my laptop for 8 years now, and the only time
 that's been a problem was rebuilding stuff during a hackathon.  If
 you use -current, watch the pretty commits flow in, but refrain from
 jumping into the new code on your main machine, as I did.  Test
 machines are of course a great idea.

Thank you!

Shouldn't this advice be good for inclusion on the following
-current page on the website? Also, how does one find out when it's
okay to jump into new code, given that one is a mortal sysadmin, not
a C or system hacker who understands which commits could possibly be
buggy?



Re: -current or -stable [was: Not another Browser Question]

2010-03-04 Thread nixlists
On Thu, Mar 4, 2010 at 12:28 PM,  and...@msu.edu wrote:
 If you don't have a good understanding of things, I'd say you should

By good understanding do you mean ability to read and write system
code, and intimate familiarity with *nix internals?

...

 not follow -current on machines that are critical to you.  I do use
-current

...

It seems the opinion on running current in production ranges from
being overly optimistic to being very cautious. If running -current in
production is only recommended for people who are intimately familiar
with the internals, doesn't that exclude many if not most users?

...

 You can learn tons from watching -current.  I have.  But till you have
 experience with it, don't make it your main system.

So more suitable for learning and playing with the latest stuff, but
less suitable for running production stuff at this point? I just feel
like someone is going to yell "curmudgeon" again.

Thanks.



pf: blocklists

2010-03-03 Thread nixlists
Does anyone use blocklists of addresses for blocking spam and other
unwanted traffic, such as those from okean and other places? How do
you manage download and conversion/loading of blocklists?
Automatically through scripts or manually?

Thanks.



Re: Average time for compiling userland? == benchmarking CPU/IO? best result for database hosting?

2010-03-02 Thread nixlists
On Sun, Feb 28, 2010 at 4:56 PM, Aaron Mason simplersolut...@gmail.com
wrote:
 On Mon, Mar 1, 2010 at 4:17 AM, Andres Salazar ndrsslz...@gmail.com
wrote:
 On Sun, Feb 28, 2010 at 11:10 AM, Bret S. Lambert
 bret.lamb...@gmail.com wrote:
...

 Setting the controller to AHCI would give OpenBSD access to NCQ where
 available, but the driver would also have to be written to take
 advantage of this I would imagine.  There would also have to *be* a
 driver for the controller, which wouldn't be needed if it's being run
 in legacy mode (IDE emulation essentially).

 If your hard drive comes up as wd0, it's set in Legacy mode.  If it's
 sd0, it's in SATA/RAID/AHCI mode (dependent on manufacturer).

Where would one find documentation that tells one which drivers
support NCQ and which don't? Does the sili driver support NCQ? The SiI3512
is supported by pciide, and not by the sili driver (the drive gets
detected as wd0; it's SATA 1), while the SiI3124 is handled by the sili
driver, but the man page doesn't mention NCQ (this card supports it).

Thanks.



route output

2010-03-02 Thread nixlists
Could someone throw a clue stick? I've read the man pages for netstat
and route, and I am still not clear what the output of netstat -r
means exactly in OpenBSD. What does "Link" refer to exactly? It seems
that many, if not most man pages do not describe utility output much.



Re: fsck segfault on a big partition, 4.6

2010-01-28 Thread nixlists
On Thu, Jan 28, 2010 at 1:24 AM, Robert info...@die-optimisten.net wrote:
 nixlists wrote:

 The idea is to limit memory such that running out of RAM+swap is not
 possible, or unlikely. You can set the limit on the allowed number of
 processes as well.

 I do use ulimit / login.conf for some processes, but does anybody really use
 it for *all possible* processes on each production machine?

I set memory limits on most daemons. Especially on the 'net-connected
stuff for obvious reasons.

 Including the necessary research into what could be the max. memory they
 *might* need in a spike situation?
 I honestly doubt that...

Better estimate/guesstimate and limit some services than not at all.



Re: rename(2) man page (was: Re: OpenSMTPd actual development and integration)

2010-01-26 Thread nixlists
On Tue, Jan 26, 2010 at 8:27 AM, Kenneth R Westerback
kwesterb...@rogers.com wrote:
 Exchange, Groupwise, Lotus, various Unix setups. You name it.
 Day to day, no errors, no hardware going flakey, then anything will
 work. In 'most' cases you will be suffering huge performance losses for
 negligible increases in safety by disabling your cache.

What you call negligible is the fact that email being written into the
queue from a remote machine will be lost from either disk or
controller write-back cache during a crash. I don't know if that's
important or not in your case. Maybe the email(s) that will be lost
will not be important. How can we tell? How can we back up email while
it's being sent from remote machines?

Email queues are not bandwidth-bound, unless most of the messages are
big files (which is rarely the case for email); they're seek-bound.

 If you are trying to create a system where hardware (or software)
 can never lose any of your data, you are Don Quixote and they are
 windmills. Follow normal practise, backup religiously and you will
 probably retire before the planets align and your data disappears.
 In most cases. That's my plan.

  Ken



Re: rename(2) man page (was: Re: OpenSMTPd actual development and integration)

2010-01-26 Thread nixlists
On Tue, Jan 26, 2010 at 11:50 PM, J.C. Roberts list-...@designtools.org wrote:
 My anonymous friend, you need to accept *PEOPLE* write software. Those
 little things like experience, skills, and even personality are present
 in the output of programmers.

Of course, but this was about his software, not him, and let's keep it this way.
Label me heartless, but in the software world, and the arts BTW, often
when a significant work or a body of work is widely used/known the
author is not that important in discussions about the work.

 Ben Calvert stated infallibility, so I should have put it in quotes,
 or you should read more carefully. I refuted Ben's statement, since as
 far as I know, Dan has never claimed infallibility. Unfortunately, by
 using crash-proof as your description, you are in essence stating
 infallibility once again (sigh)... *THAT* is the trouble with Dan's
 writing; he expects you to understand that his code should be correct
 (and efficient) *WITHIN* certain bounds/limitations, albeit without
 stating the limitations.

No, not my description. Right from his page:

http://cr.yp.to/qmail/faq/reliability.html#filesystems
  Answer: qmail's queue, except for bounce message contents, is
crashproof on the BSD FFS and most of its variants.

 Dan regularly does great work, and he explains his code operation far
 more elaborately than the vast majority of software developers, but if
 you keep repeatedly spouting nonsense like crash-proof on this list,
 then you're just repeatedly asking for an argument that you'll never
 win. Please stop.

 -jon



Re: rename(2) man page (was: Re: OpenSMTPd actual development and integration)

2010-01-25 Thread nixlists
Just to remind:

 rename() causes the link named from to be renamed as to.  If to exists,
 it is first removed.  Both from and to must be of the same type (that is,
 both directories or both non-directories), and must reside on the same
 file system.

 rename() guarantees that if to already exists, an instance of to will
 always exist, even if the system should crash in the middle of the
 operation.
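
The pattern that relies on the guarantee quoted above, written out as an added example for this thread (it is not OpenSMTPD or qmail code). It shows the distinction the later posts in the thread circle around: rename(2) promises that the name "to" always refers to a complete file, old or new; getting the new file's contents onto the disk before the name flips is a separate fsync() step; and whether the drive's write-back cache then really persists what fsync() flushed is the hardware question nobody in the thread can settle from user space. The `observe` hook is an assumption of the example, standing in for a crash or a concurrent reader at the worst possible moment, so the truncate-and-rewrite anti-pattern and the atomic-rename pattern can be compared on the same file.

```python
"""Crash-safe file replacement on top of the rename(2) guarantee.

Added example for the openbsd-misc rename(2) thread; not code from
OpenSMTPD or qmail. 'observe' is a hook the example assumes: it is called
at the midpoint of each write so that a reader (or a crash) there can be
simulated without pulling the plug."""
import os
import tempfile


def read_whole(path):
    with open(path, "rb") as f:
        return f.read()


def write_in_place(path, data, observe=lambda: None):
    """Anti-pattern: truncate the destination and rewrite it. Between the
    open() and the final write the file is partial, and a crash in that
    window leaves it that way."""
    with open(path, "wb") as f:
        f.write(data[: len(data) // 2])
        f.flush()
        observe()  # a reader (or a crash) here sees half a file
        f.write(data[len(data) // 2 :])


def atomic_write(path, data, observe=lambda: None):
    """Write a temp file in the same directory (rename(2) needs the same file
    system), fsync it, rename it over the destination, fsync the directory.
    At every instant 'path' names a complete file, so a crash or a reader
    mid-way sees the old contents, never a partial new one."""
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".tmp.", dir=dirname)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data[: len(data) // 2])
            f.flush()
            observe()  # same moment as above: destination still intact
            f.write(data[len(data) // 2 :])
            f.flush()
            os.fsync(f.fileno())  # contents reach the disk before the name does
        os.rename(tmp, path)  # this is where the man page guarantee applies
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)  # never leave a half-written temp file behind
        raise
    dfd = os.open(dirname, os.O_RDONLY)  # and push the new directory entry out too
    try:
        os.fsync(dfd)
    finally:
        os.close(dfd)


def compare():
    """Run both strategies against the same file and return what an observer
    at the midpoint saw in each case, the final contents, and the directory
    listing (which shows no temp file was left behind)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "queue-entry")
    seen = {}

    def snapshot(key):
        return lambda: seen.__setitem__(key, read_whole(path))

    atomic_write(path, b"old contents\n")
    write_in_place(path, b"in-place version\n", snapshot("in_place"))
    atomic_write(path, b"atomic version\n", snapshot("atomic"))
    return seen, read_whole(path), os.listdir(d)
```

In `compare()` the in-place observer sees the first half of the new data, while the atomic observer still sees the previous complete file; that is exactly the property the man page text promises for the name, and what a mail queue needs so that a crash never leaves a truncated message where a whole one used to be. What the example cannot show is the layer below fsync(): if the disk acknowledges a flush it has not performed, the rename may be on disk before the data it points at, which is the write-back-cache argument in the rest of the thread.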



Re: rename(2) man page (was: Re: OpenSMTPd actual development and integration)

2010-01-25 Thread nixlists
What are you running? Exchange??

Redundancy is nice, but email back-ups are futile. Backups might save
most, but not all, lost messages after a crash.

Anyway, before we divert to some other topic, someone please answer
the question for the simplest case - we've already decided that every
RAID controller in the world cannot be trusted:

Now SATA controller - no cache, SATA disk - write-back cache disabled.
FFS mounted 'sync' on it. In most cases, can rename() provide the
guarantee stated in its man page? By most cases I mean typical
day-to-day usage without single-bit or other errors, or hardware going
flaky. I do know errors happen, ok?

Thanks!



Re: rename(2) man page (was: Re: OpenSMTPd actual development and integration)

2010-01-25 Thread nixlists
On Mon, Jan 25, 2010 at 4:12 PM, Marco Peereboom sl...@peereboom.us wrote:
 You are positively ignorant.  No need to regurgitate this all over
 again.  Take your toy mail implementation and enjoy your hair.

You are still refusing to give a direct answer to a direct question.
How's that not ignorant? I wonder why that might be... All this "well,
we can't really tell what the hardware may do" crap isn't enough.
Perhaps you don't have an answer.

 Now SATA controller - no cache, SATA disk - write-back cache disabled.
 FFS mounted 'sync' on it. In most cases, can rename() provide the
 guarantee stated in its man page? By most cases I mean typical
 day-to-day usage without single-bit or other errors, or hardware going
 flaky. I do know errors happen, ok?

  rename() causes the link named from to be renamed as to.  If to exists,
  it is first removed.  Both from and to must be of the same type (that is,
  both directories or both non-directories), and must reside on the same
  file system.

  rename() guarantees that if to already exists, an instance of to will
  always exist, even if the system should crash in the middle of the
  operation.



Re: rename(2) man page (was: Re: OpenSMTPd actual development and integration)

2010-01-25 Thread nixlists
On Mon, Jan 25, 2010 at 5:09 PM, Bret S. Lambert bret.lamb...@gmail.com
wrote:
 On Mon, Jan 25, 2010 at 04:35:48PM -0500, nixlists wrote:
 On Mon, Jan 25, 2010 at 4:12 PM, Marco Peereboom sl...@peereboom.us
wrote:
  You are positively ignorant.  No need to regurgitate this all over
  again.  Take your toy mail implementation and enjoy your hair.

 You are still refusing to give a direct answer to a direct question.
 How's that not ignorant? I wonder why that might be... All this "well,
 we can't really tell what the hardware may do" crap isn't enough.
 Perhaps you don't have an answer.

 Y'know, if you don't get the fact that the answer you're being given
 is that, ultimately, there really *isn't* an answer, you need some
 more zen in your diet.

No, I've been given an answer for the RAID controllers (and even that
was nebulous), now let's hear it for the SATA.

Again. no write-back cache anywhere, no softupdates, no async mounts,
does the guarantee in the rename(2) apply to this case?

If it does, then say so . If it doesn't, then say so (and change the
man page, maybe?).



Re: rename(2) man page (was: Re: OpenSMTPd actual development and integration)

2010-01-25 Thread nixlists
On Mon, Jan 25, 2010 at 8:26 PM, Marco Peereboom sl...@peereboom.us wrote:
 I gave you the answer several times but I'll humor you and do it one
 more time.

No, you didn't, see below.

This thread started here:

http://marc.info/?l=openbsd-miscm=126435421227560w=2

After I replied to that message (specifically asking and noting that
the conditions are that write-back cache is disabled on both the
controller and disk(s)), you tried to spin it by saying that
write-back cache is enabled everywhere anyway and implying that
rename(2) crash guarantee doesn't apply. Do I understand this
correctly, or you meant something else, perhaps referring to the
previous thread about DJB claimed qmail's crash-proof queue?:

http://marc.info/?l=openbsd-miscm=126438080626509w=2

Then you said that no one disables WB cache, and that no RAID
controllers are to be trusted, I assume for the same question about
rename(2), or maybe you are talking about something else here again?:

http://marc.info/?l=openbsd-miscm=126438645130701w=2

Then I asked

http://marc.info/?l=openbsd-miscm=126439429105565w=2

Now the simplest case: a SATA controller as found on any recent
motherboard, or a SATA add-on card, and a disk with write-back cache
turned off. What are the problems there?

AND YOU DIDN'T ANSWER THAT QUESTION.

Instead you are throwing an insult. Usually people do this when they
have nothing to answer:

http://marc.info/?l=openbsd-miscm=126445421228585w=2

Your opinion about RAID controllers that do not disable drives'
write-back cache (and some do disable it) does not directly apply to
my question about a SATA controller with a drive with disabled
write-back cache, which you are refusing to answer.

Paul de Weerd did though, and I am grateful, but I'd rather see your
explanation :)

http://marc.info/?l=openbsd-miscm=126446163007758w=2



Re: rename(2) man page (was: Re: OpenSMTPd actual development and integration)

2010-01-25 Thread nixlists
On Mon, Jan 25, 2010 at 9:11 PM, J.C. Roberts list-...@designtools.org wrote:
DJB does great work and thinks about his code. Like every great
 programmer, DJB wants his code to be as correct as possible within the
 very well known bounding limitations (hardware, compilers, operating
 systems, file system code, and so forth). Though he knows the

Could this thread please not be diverted to a discussion about the
people behind the software? Otherwise flamewars and hate speech are
looming. I am trying to understand the technical issues, not
inter-personal quibbles.

 limitations better than most, his writings intend to *CONVINCE* you of
 the correctness of *his* code and methods (within said bounds), so he
 doesn't elaborate on the supposedly known limitations and he
 expects you to already understand them.

 Constantly bringing up all the limitations where things fail detracts
 from the intent to convince you of correctness. Though some consider
 not elaborating on the limitations as being incomplete or unfair, not
 mentioning them is actually a great application of rhetoric and serves
 his purpose very well.

Rhetoric implies saying something. Not saying something means not
using rhetoric. He is making claims about his software. The fact that
what he says about queue reliability implies that FFS and hardware
work as they should for the queue to be crash-proof. The fact that he
does not talk much about hardware limitations isn't the same as using
rhetoric.  In any case this is a diversion of the thread to a
different topic.

 If you don't already know the limitations, then you'll get the false
 impression of him claiming infallibility, and you'll be very easily

Where did you see him mention infallibility? There's a difference
between a crash-proof queue feature and infallibility.

A long while ago someone wrote a very nice page about how qmail writes
to the disk:

http://untroubled.org/benchmarking/qmail-filesystems/operations.html :

[quote]
Critical qmail Operations

A message managed by the typical qmail system goes through either two
or three stages.

   1. The message is either generated locally or received from a
remote system and added to the queue. This stage causes the following
disk write operations:
 1. queue/pid/PID.TIMESTAMP.1 is created (and queue/pid is
implicitly fsync'ed).
 2. queue/pid/PID.TIMESTAMP.1 is linked to queue/mess/#/INODE
(and queue/mess/# is implicitly fsync'ed).
 3. queue/pid/PID.TIMESTAMP.1 is unlinked (and queue/pid is
implicitly fsync'ed).
 4. The message body is written to queue/mess/#/INODE (opened
at stage #1) and explicitly fsync'ed.
 5. queue/intd/INODE is created (and queue/intd is implicitly fsync'ed).
 6. The message envelope is written to queue/intd/INODE and
explicitly fsync'ed.
 7. queue/intd/INODE is linked to queue/todo/INODE (and
queue/todo is implicitly fsync'ed).
  In total, there are 7 synchronous disk operations done during
the injection process. Of those, the synchronicity of operations 1, 3,
and 5 is not required for reliability.

   2. The message is processed and delivered by qmail-send. The
processing stage causes the following disk write operations:
 1. queue/info/#/INODE is created (and queue/info/# is
implicitly fsync'ed).
 2. If the message has local recipients, queue/local/#/INODE
is created (and queue/local/# is implicitly fsync'ed).
 3. If the message has remote recipients, queue/remote/#/INODE
is created (and queue/remote/# is implicitly fsync'ed).
 4. queue/info/#/INODE is written and explicitly fsync'ed.
 5. If the message has local recipients, queue/local/#/INODE
is written and explicitly fsync'ed.
 6. If the message has remote recipients, queue/remote/#/INODE
is written and explicitly fsync'ed.
 7. queue/intd/INODE is unlinked by qmail-clean (and
qmail/intd is implicitly fsync'ed).
 8. queue/todo/INODE is unlinked by qmail-clean (and
qmail/todo is implicitly fsync'ed).
 9. if the message has local recipients, queue/local/#/INODE
is unlinked (and queue/local/# is implicitly fsync'ed).
10. if the message has remote recipients, queue/remote/#/INODE
is unlinked (and queue/remote/# is implicitly fsync'ed).
11. queue/info/#/INODE is unlinked (and queue/info/# is
implicitly fsync'ed).
12. queue/mess/#/INODE is unlinked by qmail-clean (and
queue/mess/# is implicitly fsync'ed).
  In total, there are 6, 9, or 12 synchronous disk operations done
during the queue processing stage, depending on if the message had
local or remote recipients.

   3. For each local recipient, the message is delivered to a maildir.
This stage causes the following disk write operations:
 1. maildir/tmp/PID.TIMESTAMP.HOSTNAME is created (and
maildir/tmp is implicitly fsync'ed).
 2. The message is written to the above file and explicitly fsync'ed.
 3. maildir/tmp/PID.TIMESTAMP.HOSTNAME is 

Re: way to help: laptops and weekly

2010-01-24 Thread nixlists
On Sun, Jan 24, 2010 at 3:15 PM, Ted Unangst ted.unan...@gmail.com wrote:
 On Sun, Jan 24, 2010 at 3:00 PM, Antoine Jacoutot ajacou...@bsdfrog.org
 wrote:
 On Sun, 24 Jan 2010, Ted Unangst wrote:

 sysutils/anacron

 Right, but I think this is something base should handle more
 gracefully. The locate database is part of the OS, therefore the OS
 should take the necessary steps to maintain it.

 Drawbacks of anacron:
 1. GPL. Can't import in base.
 2. Doesn't run things at a set time. You probably don't want weekly
 running when you're actually using the system.

'runwhen' is very good: http://code.dogmap.org/runwhen/ , but sigh
it's GPL v.2, and the author is anal-retentive about distribution of
modified versions.

It probably has no chance of being in the base, but hopefully someone here
could learn from its design and from other tools from
code.dogmap.org and related sites. Or maybe rewrite it under the BSD
license... Yeah right!

I wish I could, but again I am not a C or system hacker.

Excerpt from http://code.dogmap.org/runwhen/overview/

  But actually, there are some things runwhen does that at doesn't.
You can interrupt its sleep and execute the job early by sending
SIGALRM. You can have it wait indefinitely until SIGALRM. For
cron-like jobs that run repeatedly, you can place an upper bound on
the amount of time between runs, in case the system was off during the
last scheduled run time, like anacron. If a job takes longer to run
than the period between scheduled run times, then you can control on a
per-job basis whether to wait for the previous run to finish or to run
multiple instances concurrently. You can schedule as many jobs as you
like, up to the kernel's maximum number of processes, instead of an
arbitrary limit compiled into the scheduler. You can develop and use
your own tools to modify the sleep duration, based on criteria I
haven't thought of.

An example of a 'runwhen' script: http://code.dogmap.org/runwhen/example/

No, you don't need 'daemontools' to run it, you can use 'runit'
(http://smarden.org/runit). It's under a BSD-like license, but sigh,
you guys probably have an aversion to the design as well since it's
related to the 'daemontools' design...

You can use 'runwhen' one-time jobs without 'daemontools' or 'runit'.

'sysutils/runit' is in ports. It's daemontools-compatible and more feature-rich.
Other smarden.org tools are great too - socklog (also in ports) for
example. It's really, what a surprise! MUCH better than syslog.



Re: rename(2) man page (was: Re: OpenSMTPd actual development and integration)

2010-01-24 Thread nixlists
On Sun, Jan 24, 2010 at 12:22 PM, Jonathan Thornburg
jth...@astro.indiana.edu wrote:
 In message http://marc.info/?l=openbsd-miscm=126356588306613w=1,
 Marco Peereboom slash () peereboom ! us wrote
 You can do everything right all day long in software but hardware does
 what it does and claiming that a piece of software is crash proof is
 naive at best.

 Hmm.  Our rename(2) man page currently says:

   rename() guarantees that if _to_ already exists, an instance of _to_
   will always exist, even if the system should crash in the middle of
   the operation.

 Should this perhaps be changed to read something like this?

   rename() tries to guarantee that if _to_ already exists, an instance
   of _to_ will always exist, even if the system should crash in the
   middle of the operation.  However, in some cases the hardware may
   not provide the proper support, causing the guarantee to fail.

 Or do we (as a general policy) take this sort of escape clause to
 be implied to knowledgeable readers, and thus need not be explicitly stated?

It's of course implied that hardware and FFS work as they should for
the guarantee to work, but...

No one seems to want or be able to point out any particular hardware
that rename() (and subsequently FFS and MTAs) fail on!

When configured as documented - no controller write-back cache (maybe
with a battery back-up, but batteries fail too), no drive write-back
cache, no async mounts, no known buggy stuff.

Which hardware??? Could someone at least point out one example of such
hardware?

I, and, I am sure many other people who run mail servers would love to know.



Re: rename(2) man page (was: Re: OpenSMTPd actual development and integration)

2010-01-24 Thread nixlists
 When configured as documented - no controller write-back cache (maybe
 with a battery back-up, but batteries fail too), no drive write-back
 cache, no async mounts, no known buggy stuff.

 Which hardware??? Could someone at least point out one example of such 
 hardware?

 I, and, I am sure many other people who run mail servers would love to know.

Also no softupdates of course.



Re: rename(2) man page (was: Re: OpenSMTPd actual development and integration)

2010-01-24 Thread nixlists
On Sun, Jan 24, 2010 at 7:48 PM, Marco Peereboom sl...@peereboom.us wrote:
 On Sun, Jan 24, 2010 at 07:22:08PM -0500, nixlists wrote:
 On Sun, Jan 24, 2010 at 12:22 PM, Jonathan Thornburg
 jth...@astro.indiana.edu wrote:
  In message http://marc.info/?l=openbsd-miscm=126356588306613w=1,
  Marco Peereboom slash () peereboom ! us wrote
  You can do everything right all day long in software but hardware does
  what it does and claiming that a piece of software is crash proof is
  naive at best.
 
  Hmm.  Our rename(2) man page currently says:
 
rename() guarantees that if _to_ already exists, an instance of _to_
will always exist, even if the system should crash in the middle of
the operation.
 
  Should this perhaps be changed to read something like this?
 
rename() tries to guarantee that if _to_ already exists, an instance
of _to_ will always exist, even if the system should crash in the
middle of the operation.  However, in some cases the hardware may
not provide the proper support, causing the guarantee to fail.
 
  Or do we (as a general policy) take this sort of escape clause to
  be implied to knowledgeable readers, and thus need not be explicitly
  stated?

 It's of course implied that hardware and FFS work as they should for
 the guarantee to work, but...

 Virtually all PATA & SATA disks have write back cache enabled.  Some FC,
 SCSI and SAS do too.

 No one seems to want or be able to point out any particular hardware
 that rename() (and subsequently FFS and MTAs) fail on!

 Virtually all PATA & SATA disks have write back cache enabled.  Some FC,
 SCSI and SAS do too.

 When configured as documented - no controller write-back cache (maybe
 with a battery back-up, but batteries fail too), no drive write-back
 cache, no async mounts, no known buggy stuff.

I specifically wrote above When configured as documented. No admin
will run a mail server with write-back cache enabled on either
controller or drives (well, maybe with a battery back-up, but I'll say
again that batteries fail too). You seem to be taking what I wrote out
of context, or you are assuming that I am a moron who doesn't know the
basics and run mail servers with write-back cache on controllers and
drives.

 Hope you now know that virtually all PATA & SATA have WB cache enabled.

Of course I know, as was stated in the previous message, but of
course, as most people, I disable it.
Don't twist what I said. If you read the previous email again, you'll
see that I say no write-back cache..

Please, point me to hardware that, when met all the above conditions,
is still unreliable for rename(). It would benefit thousands of people
running mail servers.

Thanks!



Re: rename(2) man page (was: Re: OpenSMTPd actual development and integration)

2010-01-24 Thread nixlists
On Sun, Jan 24, 2010 at 9:18 PM, Marco Peereboom sl...@peereboom.us wrote:
 I specifically wrote above When configured as documented. No admin
 will run a mail server with write-back cache enabled on either
 controller or drives (well, maybe with a battery back-up, but I'll say
 again that batteries fail too). You seem to be taking what I wrote out
 of context, or you are assuming that I am a moron who doesn't know the
 basics and run mail servers with write-back cache on controllers and
 drives.

 No one disables WB cache for 2 reasons:

Are you speaking for everybody? This is simply not true.

 1. They don't know how

Unless I am missing something, this is not true... I disable it. It's
right in my RAID controller's config.
Or, are you trying to say that the RAID controller doesn't honor what
I am telling it to do? A benchmark seems to tell me otherwise... Now,
forget RAID, what about simple SATA controllers that are built into
the motherboard? Simple SATA add-on cards (non-softRAID, non-RAID)? Do
they even have cache?

 2. They are disappointed with the floppy disk like performance.
 Bonus: drive vendors tell you not to do it.

Performance and vendors are different issues. Let's stay on the topic
of rename() guarantee as in the man page during a crash or powerfail,
provided that the controller is configured not to write-back cache,
the drives are configured not to write-back cache, the FS is mounted
'sync'. No softupdates. Let's not divert this to something tangential
and unrelated. I'll take reliability over performance.

  Hope you now know that virtually all PATA & SATA have WB cache enabled.

 Of course I know, as was stated in the previous message, but of
 course, as most people, I disable it.
 Don't twist what I said. If you read the previous email again, you'll
 see that I say no write-back cache..

 And you can repeat this all day long but you simply can not make these
 assumptions.  Yes in theory this would work but that damn reality is so
 freaking unpredictable.  Someone write a patch for that.

Let's all roll-over and die - we might die any second anyway because
nothing is guaranteed, so why stay alive? Are thousands of people
running mail servers losing messages in crashes all the time, and are
unaware of it?

 Please, point me to hardware that, when met all the above conditions,
 is still unreliable for rename(). It would benefit thousands of people
 running mail servers.

 All RAID controllers.  And I mean every single last one of them.
 Including external RAID cards too.  You have exactly zero control as to
 what they do.  Write/Back/Through etc they are going to sit on your data
 regardless of whatever the fruit you want.

I am not sure what you are saying here. Are you saying people disable
WB cache on controllers and disks (I know I do, and I know many others
do), but it's still enabled? In other words, if I explicitly tell the
controller and disks to disable write-back cache, and I can see it
with benchmarks (write performance drops significantly, and the disk is
much busier on writes), that they still do write-back caching? What
about simple SATA? PATA? Granted I may not be aware of the nuances of
controller and disk caching, but you I am sure do, and can explain
those.

 those can you write me some code that works around those annoying
 signaling issues? person.

Nope.

Thanks!



Re: rename(2) man page (was: Re: OpenSMTPd actual development and integration)

2010-01-24 Thread nixlists
On Sun, Jan 24, 2010 at 10:50 PM, Nick Holland
n...@holland-consulting.net wrote:
 nixlists wrote:
 On Sun, Jan 24, 2010 at 9:18 PM, Marco Peereboom sl...@peereboom.us
wrote:
 I specifically wrote above When configured as documented. No admin
 will run a mail server with write-back cache enabled on either
 controller or drives (well, maybe with a battery back-up, but I'll say
 again that batteries fail too). You seem to be taking what I wrote out
 of context, or you are assuming that I am a moron who doesn't know the
 basics and run mail servers with write-back cache on controllers and
 drives.

 No one disables WB cache for 2 reasons:

 Are you speaking for everybody? This is simply not true.

 1. They don't know how

 Unless I am missing something, this is not true... I disable it, It's
 right in my RAID controller's config.

 you just proved Marco's point.

No I didn't.

 He was talking about the writeback on the drive, you talked about it
 on the controller.  Fine, you disabled it on the controller.  Drive is

That's not true. You are either sabotaging or haven't even read my
initial email in this thread. I specifically mentioned the common, and
the only case for mailservers that makes sense - write-back cache
turned off on both controllers and drives.

 still doing write caching.  Maybe.  You don't really know.  What do you

No, I as already mentioned also disabled it on the drives. Please
don't twist what I said around to sabotage. This is becoming
hilarious, and shows OpenBSD's users/developers psychology.

 think that 2M-16+M cache on the drive is doing?  How do you know?

 Nick.

As I said - I may not know the controller/disk nuances, but at least I
can run some simple benchmarks, and see how much slower the writes
become after the cache is off (just to be sure no one pretends to have
misread again - ON BOTH THE DRIVES AND THE CONTROLLER). Now it would
be nice to hear Marco's answer whether the drives and the controller,
as I already asked, continue caching or some such thing. This
information is important for mail server admins.



Re: Books on reverse engineering?

2010-01-22 Thread nixlists
On Fri, Jan 22, 2010 at 2:55 PM, James Hozier guitars...@yahoo.com wrote:
 I don't understand what a solution can be. If they're never going to
 release
 supporting documentation anyway, does it really make a
 difference for them?

I don't know if I am buying into a troll or a flamebait, but what the heck?...

How large is the OpenBSD user base that represents potential
customers? For nVidia and such, it's probably not even a blip on the
radar. These are greedy corporations - by their design their first
concern is making money and satisfying shareholders - why should they
care what a small bunch of nerds want? Complain all you want, but
unless you can make a dent with money, or maybe, but unlikely bad PR,
you won't be heard. This is also how politics work, BTW.

 After I recently finished high school (just barely; I'm not very smart

Instead of going around saying you are stupid, let others judge that.

I like to state the obvious: If you jump into it, I am sure even if
you fail, you'll learn a lot in the process. Don't let anyone
discourage you.

Even the longest journey must begin where you stand.



/usr/bin/ftp bug?

2010-01-19 Thread nixlists
Hi.

File doesn't exist locally, getting it:
  ftp -C -o somefile http://someserver/somefile
  -blah blah and progress bar-

Got it, retrieve it again:
  ftp -C -o somefile http://someserver/somefile
  -blah blah and progress bar-
  ftp: File is already fully retrieved.

Now over proxy:
  export http_proxy=http://127.0.0.1:8080
  ftp -C -o somefile http://someserver/somefile
  -blah blah and progress bar-
  2100 bytes received in 0.0 seconds (4.83 MB/s)

In this case, instead of 'ftp: File is already fully retrieved.', the
file from the server is appended to the already fully retrieved file.

Is this a bug or an expected behavior?



Re: OpenSMTPd actual development and integration

2010-01-15 Thread nixlists
On Fri, Jan 15, 2010 at 2:30 AM, Tomas Bodzar tomas.bod...@gmail.com wrote:

 qmail tries to be very careful that a message is on the disk.

 Does OpenSMTPD do this? The answer could be yes or no. How is that
 nonsensical?

 Thanks!



 Only very big fool can write e-mail SW which don't try to have
 messages on the disk ;-)

Thanks for taking what I said out of context. Geez, all that crap I
wrote about queuing is irrelevant! Good job.



Re: OpenSMTPd actual development and integration

2010-01-15 Thread nixlists
On Fri, Jan 15, 2010 at 3:36 AM, Philip Guenther guent...@gmail.com wrote:
 On Thu, Jan 14, 2010 at 9:05 PM, nixlists nixmli...@gmail.com wrote:
 On Thu, Jan 14, 2010 at 07:55:37PM -0500, nixlists wrote:
 ...
 More like does OpenBSD have a similar reliability feature that qmail
 does - pertaining to writing messages into the queue?
 ...
 No offense, but I don't think the question was understood. qmail's
 qmail-queue does interesting, and a bit complicated things to deal
 with crashes while a message is being queued.
 ...
 qmail tries to be very careful that a message is on the disk.

 Does OpenSMTPD do this? The answer could be yes or no. How is that
 nonsensical?

 *This* question makes sense.  Your question two messages back, quoted
 above (does OpenBSD have...) is what didn't make sense and sent

Oops. Sorry, meant to say OpenSMTPD!

 Marco spinning into surrealist response.  Perhaps you meant in that
 older message to instead say does OpenSMTPD have...?

Yes!



Re: OpenSMTPd actual development and integration

2010-01-15 Thread nixlists
On Fri, Jan 15, 2010 at 3:55 AM, Gilles Chehade gil...@openbsd.org
wrote:
 qmail's queue, except for bounce message contents, is crashproof on
 the BSD FFS and most of its variants. 


 smtp ensures reliability by working on a temporary queue during writes,
 then commiting messages (all of them, including bounces) to the real
 queue using an atomic rename. after a successful rename, smtpd tells
 the client it accepted the message.

 with this ordering, you can never have smtpd in a state where it has
 lost a message after accepting it or where a message is incomplete and
 corrupt in the queue because of a power shortage happening at a wrong
 timing. either the message is in queue or it's not, and if it's not
 then client/mua was not told message is accepted.

This is the answer I was looking for. Thanks!



Re: OpenSMTPd actual development and integration

2010-01-15 Thread nixlists
On Fri, Jan 15, 2010 at 9:22 AM, Marco Peereboom sl...@peereboom.us wrote:
 smtp ensures reliability by working on a temporary queue during writes,
 then commiting messages (all of them, including bounces) to the real
 queue using an atomic rename. after a successful rename, smtpd tells
 the client it accepted the message.

 Right and at this point you hand it off to the hardware and it does
 whatever it does and lies whenever it wants to about completions, etc.

 If it is a raid controller for example, you dont know if it is in cache,
 being coalesced with other IO, deferred waiting on another IO, got
 reordered for some sort of optimization, partial incomplete because a
 disk hasn't caught up etc etc.

You do know if you know your hardware. How is this relevant to what
MTA is supposed to do?

 You can do everything right all day long in software but hardware does
 what it does and claiming that a piece of software is crash proof is
 naive at best.  I am not eluding to you Gilles, I am eluding to claims
 made in qmail and parroted by someone without a name on this list.  I'd
 venture to say that the more magic one performs trying to force an OS
 and a piece of hardware to do something without having the proper dials
 is worse.

Funny how these discussions quickly turn into personal attacks...
Anything wrong with quoting someone?  I am not making claims, the
qmail's author does...  He wrote qmail, it's up to him to explain what
it does and doesn't do.

Also, it's not the MTA's job to ensure the hardware does what it's
supposed to. It neither obviously can even attempt to do that, nor is
it's job to do that. I've never implied that it's MTAs job to control
the kernel or hardware. It's the administrator's job to buy and
configure the right kind of hardware for the MTA. It's his/her job to
make sure it writes correctly to the disk.

qmail's author says: "Queue reliability demands that single-byte writes
be atomic. This is true for a fixed-block filesystem such as UFS, and
for a logging filesystem such as LFS."

This implies that the FS code and the hardware does the right thing
for the queue to be reliable.

http://www.qmail.org/man/misc/THOUGHTS.txt

http://cr.yp.to/qmail/faq/reliability.html#filesystems

He also writes

You may encounter people who dispute one or more of the above
statements. Those people don't know what they're talking about. A
rather spectacular example appeared in February 2001, when someone
wrote hundreds of lines of text in a dozen messages claiming that my
FAQ was ``totally incorrect,'' claiming that the BSD FFS wrote data to
disk in the wrong order, claiming that the BSD FFS was not crashproof,
and claiming that qmail was not crashproof. He put a tremendous amount
of effort into making his claims sound authoritative. ``I think there
*might* be a dozen people in the world that understand UFS/FFS better
then I do, but none of them have posted to this thread,'' he said. He
repeatedly claimed that his assertions were well-known facts that had
motivated the design of subsequent filesystems. Eventually, after a
discussion with two people who understood FFS better than he did, he
withdrew his claims and apologized. 



Re: pf tables: memory

2010-01-15 Thread nixlists
2010/1/15 Vadim Zhukov persg...@gmail.com:
 On 14 January 2010 G. 00:44:06 nixlists wrote:
 Hi.

 How do I know how much memory I need to have on a machine to load a
 table from a file (I don't have much RAM)?

 Look at the /usr/src/sys/net/pfvar.h, you'll see definitions of all
 structures used by pf.

 How much memory does a single ip address take in the table?

 Same here.

 Do simple 'block quick' rule anchors use more or less memory than
 tables (I presume more)?

 Much more: compare definitions of pf_addr and pf_rule structs in pfvar.h.

Thanks a lot for this info.

 Errm, 10.1.0.0/20 works perfectly, as it should... Looks like you missed
 this in man page:

I wanted to just specify files to load from in pf.conf, and IIRC that
didn't work, but I am not sure if I had the files in the correct
format.

 table private const { 10/8, 172.16/12, 192.168/16 }

 Same syntax applies to loading tables from files. Reread TABLES section
 in pf.conf(5).

 Why does pfctl take such a very long time loading tables?

 Possibly you're using domain names - they should be resolved before
 adding to pf. But next time give more information, for example, the
 address list you're talking about.

Thanks for your help.

No, I am not doing that (name resolution).

Having pfctl load tables by specifying the files in /etc/pf.conf takes
much longer than doing it by running cat filename | xargs pfctl -t
tablename -Ta, and in the end fails with a memory error. Loading as
described above with xargs doesn't fail with a memory error, and loads
larger tables just fine. Loading smaller tables by specifying files in
pf.conf works fine. I wish I could just have everything specified in
pf.conf, and not have to run pfctl through xargs, but that doesn't
work for larger tables - pfctl returns a memory error. I set my table
entry limit very high to make sure that that's not the problem.



Re: Yerevan, Aremenia and OpenBSD Users

2010-01-14 Thread nixlists
On Thu, Jan 14, 2010 at 7:36 AM, Inna Kholodova
inna.kholod...@gmail.com wrote:
 Hi, Mark! I'm from Armenia :)
 And we are using OpenBSD on our production servers for a very long time.

Are you working for the FSB?



Re: OpenSMTPd actual development and integration

2010-01-14 Thread nixlists
Does it have the same reliability features as qmail on an FS without
softupdates? What about with softupdates?

http://cr.yp.to/qmail/faq/reliability.html



Re: OpenSMTPd actual development and integration

2010-01-14 Thread nixlists
On Thu, Jan 14, 2010 at 4:26 PM, Denis Doroshenko
denis.doroshe...@gmail.com wrote:
 On 1/14/10, nixlists nixmli...@gmail.com wrote:
 Does it have the same reliability features as qmail on an FS without
  softupdates? What about with softupdates?

  http://cr.yp.to/qmail/faq/reliability.html

 the very link you just provided contains the following sentence:

 Do not use async or softupdates filesystems.


Sorry, forget I mentioned softupdates. Does it do what qmail does?
Reliability-wise?

qmail's queue, except for bounce message contents, is crashproof on
the BSD FFS and most of its variants. 



Re: OpenSMTPd actual development and integration

2010-01-14 Thread nixlists
On Thu, Jan 14, 2010 at 6:24 PM, Ben Calvert b...@flyingwalrus.net wrote:

 On Jan 14, 2010, at 3:11 PM, Marco Peereboom wrote:

 On Thu, Jan 14, 2010 at 05:09:03PM -0500, nixlists wrote:

 Sorry, forget I mentioned softupdates. Does it do what qmail does?
 Reliability-wise?

 qmail's queue, except for bounce message contents, is crashproof on
 the BSD FFS and most of its variants. 

 Nothing is crash prof.  Can you please stop making these retarded
 statements?  You are making a fool of yourself.

 If software people weren't so dangerous they'd be adorable.

 I don't think this is an original sentiment.

 I think he's quoting DJB's faq.

Yes. Sorry if that was confusing, I thought quotes were enough.


 it's still an idiotic sentiment, but it does serve as a warning that his
 (DJB's) software should be treated with great care.

Hmm. Not sure I agree. All he's saying is that qmail is designed to
use FFS's atomic update stuff, and aims not to lose messages. Doesn't
mean it's bug-free.



Re: OpenSMTPd actual development and integration

2010-01-14 Thread nixlists
On Thu, Jan 14, 2010 at 5:34 PM, Ted Unangst ted.unan...@gmail.com wrote:
 On Thu, Jan 14, 2010 at 5:09 PM, nixlists nixmli...@gmail.com wrote:
 Sorry, forget I mentioned softupdates. Does it do what qmail does?
 Reliability-wise?

 qmail's queue, except for bounce message contents, is crashproof on
 the BSD FFS and most of its variants. 

 Since the point of a mail server is to not lose mail, your question is
 basically does it have any bugs?  That's kind of a silly question to

More like does OpenBSD have a similar reliability feature that qmail
does - pertaining to writing messages into the queue?

I didn't ask whether OpenSMTPD has bugs!

Thanks!



Re: OpenSMTPd actual development and integration

2010-01-14 Thread nixlists
On Thu, Jan 14, 2010 at 9:16 PM, Marco Peereboom sl...@peereboom.us wrote:
 On Thu, Jan 14, 2010 at 07:55:37PM -0500, nixlists wrote:
 On Thu, Jan 14, 2010 at 5:34 PM, Ted Unangst ted.unan...@gmail.com
wrote:
  On Thu, Jan 14, 2010 at 5:09 PM, nixlists nixmli...@gmail.com wrote:
  Sorry, forget I mentioned softupdates. Does it do what qmail does?
  Reliability-wise?
 
  qmail's queue, except for bounce message contents, is crashproof on
  the BSD FFS and most of its variants. 
 
  Since the point of a mail server is to not lose mail, your question is
  basically does it have any bugs?  That's kind of a silly question to

 More like does OpenBSD have a similar reliability feature that qmail
 does - pertaining to writing messages into the queue?

 qmail runs inside the os; it doesn't get to vote.  How many more times
 do I need to repeat this?

This is irrelevant. Of course it relies on the OS to work right.
qmail's queuing reliability depends on FFS's atomicity, bugs in the
kernel could of course screw anything up, or running queue with
softupdates or async mount, or write-back cache without battery
backup, but that's beside the point.

 This question is nonsensical so I'll answer accordingly.  Yes, blue is a
 pretty day of the week.


No offense, but I don't think the question was understood. qmail's
qmail-queue does interesting, and a bit complicated things to deal
with crashes while a message is being queued. See here:
http://gd.tuwien.ac.at/infosys/mail/qmail/qmail-manual-html/misc/INTERNALS.html

qmail tries to be very careful that a message is on the disk.

Does OpenSMTPD do this? The answer could be yes or no. How is that
nonsensical?

Thanks!



Re: Yerevan, Aremenia and OpenBSD Users

2010-01-13 Thread nixlists
On Tue, Jan 12, 2010 at 11:14 AM, Mark Lumsden m...@cyodesigns.com wrote:
 Hi,

 Are there any OpenBSD users in Yerevan, Armenia? For work reasons, I'm
 moving there in a few days for probably the best part of six months. I
 know absolutely no-one there so it would be good to go for a beer with
 someone (do they have beer in Armenia?)

Most likely you'll be the first one. If there are any BSD users,
they're probably FreeBSD since it's the OS that was the first popular,
and still is - Yandex, etc., Unix in the former USSR during the
dot-bomb. That's right, FreeBSD, not Linux.

Beer production and demand has exploded in the republics of former
USSR in the last decade. I am sure Armenia is participating as well,
although traditionally AFAIK they drank and made mostly wine. That
whole stupid vodka stereotype no longer applies.

All they do now in the former USSR is drown in beer and make their
girlfriends cry (very beautiful girlfriends, assholes don't deserve
them). You'll see a lot of that - just walk through some parks...



pf tables: memory

2010-01-13 Thread nixlists
Hi.

How do I know how much memory I need to have on a machine to load a
table from a file (I don't have much RAM)?
How much memory does a single ip address take in the table?
Do simple 'block quick' rule anchors use more or less memory than
tables (I presume more)?
I couldn't find this in the pf.conf man page, so I guess the answer is no,
but I'll ask anyway: can I somehow specify CIDR or some other way
instead of  the IP address list (one IP per line)
for a table to load from a file, or at the time I have to use a large
pf.conf include for that?
Why does pfctl take such a very long time loading tables?

Thanks.



pf: reassemble tcp

2010-01-13 Thread nixlists
Hi.

I have

  match in all scrub (no-df random-id max-mss 1440 reassemble tcp)

in my pf.conf (-current)

Unless I remove 'tcp reassemble', one of the web sites (it's a
Windows/IIS) site cannot communicate with me - it hangs loading a
page.

Any ideas?



Re: Maximizing File/Network I/O

2010-01-13 Thread nixlists
On Tue, Jan 5, 2010 at 2:32 PM, Henning Brauer lists-open...@bsws.de wrote:
 I really like the 275 - 420MBit/s change for 4.6 - current with pf.


Update: both machines run -current again this time. I think my initial
tcpbench results were poor because of running cbq queuing on 4.6. The
server has em NIC , the client has msk. Jumbo frames are set to 9000
on both, but don't make much difference. This is with a $20 D-link
switch.

tcpbench results:

pf disabled on both machines: 883 Mb/s

pf enabled on tcpbench server only - simple ruleset like the documentation
example: 619 Mb/s

pf enabled on both machines - the tcpbench client box has the standard
-current default install pf.conf: 585 Mb/s

pf enabled on just the tcpbench server: with cbq queuing enabled on
the internal interface as follows (for tcpbench only, not for real
network use) - no other queues defined on $int_if:

  altq on $int_if cbq bandwidth 1Gb queue { std_in, ssh_im_in, dns_in }
  queue std_in bandwidth 999.9Mb cbq(default,borrow)

401 Mb/s

Why is that? cbq code overhead? The machine doesn't have enough CPU?
Or am I missing something? Admittedly it's an old P4.

After a while, during benching, even if pf is disabled on both
machines the throughput drops to 587 Mbit/s. The only way to bring it
back up to 883 Mb/s is to reboot the tcpbench client. Anyone know why?

Thanks!



Re: Maximizing File/Network I/O

2010-01-13 Thread nixlists
On Wed, Jan 13, 2010 at 8:39 PM, Henning Brauer lists-open...@bsws.de
wrote:
 pf enabled on just the tcpbench server: with cbq queuing enabled on
 the internal interface as follows (for tcpbench only, not for real
 network use) - no other queues defined on $int_if:

   altq on $int_if cbq bandwidth 1Gb queue { std_in, ssh_im_in, dns_in }
   queue std_in bandwidth 999.9Mb cbq(default,borrow)

 401 Mb/s

 Why is that? cbq code overhead? The machine doesn't have enough CPU?
 Or am I missing something? Admittedly it's an old P4.

 test results on old P4 are unfortunately pretty much pointless.

Why?

  cpu0: Intel(R) Pentium(R) 4 CPU 2.53GHz (GenuineIntel 686-class) 2.52 GHz

Isn't 2.52GHz fast enough for gigabit links? I know that's like half
that in P3 cycles, but still... What's the issue?

Thank you.



Re: Maximizing File/Network I/O

2010-01-13 Thread nixlists
On Wed, Jan 13, 2010 at 11:43 PM, Henning Brauer lists-open...@bsws.de
wrote:
 * nixlists nixmli...@gmail.com [2010-01-14 03:21]:
  test results on old P4 are unfortunately pretty much pointless.

 Why?

   cpu0: Intel(R) Pentium(R) 4 CPU 2.53GHz (GenuineIntel 686-class) 2.52 GHz

 Isn't 2.52GHz fast enough for gigabit links? I know that's like half
 that in P3 cycles, but still... What's the issue?

 cache

What about it? Please elaborate.

Thanks!



Re: Maximizing File/Network I/O

2010-01-10 Thread nixlists
On Fri, Jan 8, 2010 at 10:13 PM, Henning Brauer lists-open...@bsws.de wrote:
 * nixlists nixmli...@gmail.com [2010-01-06 09:33]:
 On Wed, Jan 6, 2010 at 2:31 PM, Henning Brauer lists-open...@bsws.de wrote:
  I really like the 275 - 420MBit/s change for 4.6 - current with pf.

 Disabling pf gives a couple of MB/s more.

 really. what a surprise.

Anything wrong with http://everything2.com/title/stating+the+obvious ?

But I guess, there's nothing wrong with making fun of it, either...



Re: Which laptops do the developers use?

2010-01-10 Thread nixlists
On Sat, Jan 9, 2010 at 7:40 PM, James Hozier guitars...@yahoo.com wrote:
 My MacBook Pro's wireless doesn't work, which is a big thing for me...I 
 couldn't get X to work, either.

Does MacBook Pro have one of those mini-ePCI cards that can be
replaced, or is it soldered on-board?



Re: Which laptops do the developers use?

2010-01-10 Thread nixlists
On Sun, Jan 10, 2010 at 6:12 PM, James Hozier guitars...@yahoo.com wrote:
 Either way, I'd either have to spend money on a replacement mini-PCI card or 
 a USB wireless card. I'd rather just buy a new laptop; I don't like the 
 hardware scheme anyway (with the EFI partition and all that instead of a 
 BIOS).

If I'd want to buy a laptop, I'd want nothing else than the recent
MacBook or MacBook Pro, provided it runs everything I'd want it to
run... How much is the replacement wireless? Around $30?

The power adapter connector on the MacBook alone makes it better than
anything out there, not to mention all the other innovation and
design. Do you have people and/or animals running around, stumbling on
the power cord? This might seem like the most irrelevant thing to
worry about in a laptop, but to me it's quite important. Yes, I do
know that Steve Jobs has a tyrannical streak - I am sure there are
proprietary hardware issues - nVidia, etc.



Re: Which laptops do the developers use?

2010-01-10 Thread nixlists
On Sun, Jan 10, 2010 at 8:28 PM, Henning Brauer lists-open...@bsws.de wrote:
 * nixlists nixmli...@gmail.com [2010-01-11 02:20]:
 If I'd want to buy a laptop, I'd want nothing else than the recent
 MacBook or MacBook Pro

 stockholm syndrome

Hostages don't shop around for captors.

Nice try though.



Re: CUPS alternative

2010-01-07 Thread nixlists
On Thu, Jan 7, 2010 at 7:23 AM,  open...@pckswarms.ch wrote:
 Windows XP, vista, and 7 happily will print to a lpd printer.  In the
 windows world this is called a port, and, lpd is one of the options.

 It's 12 pages of idiot blather, but, you can see the XP setup (or maybe 2000
 setup) here:

 ftp://ftp.dlink.com/Printserver/dp300U/QIG/DP300U_QIG_100.zip

Thanks!



Re: Which laptops do the developers use?

2010-01-07 Thread nixlists
On Thu, Jan 7, 2010 at 12:57 PM, Marco Peereboom sl...@peereboom.us wrote:
 It was removed because it was out of date and didn't contain anything
 really useful.  Laptops basically work just fine with OpenBSD minus some
 moody ones.

MacBook? MacBook Air? PowerBook? Supported at all?



Re: Which laptops do the developers use?

2010-01-07 Thread nixlists
On Thu, Jan 7, 2010 at 4:42 PM, Matthias Kilian k...@outback.escape.de wrote:
 MacBook? MacBook Air? PowerBook? Supported at all?

 PowerBook? Sure. But I don't see how this is related to i386-laptop.html.


Oops. Meant MacBook Pro. Sorry.



Re: Maximizing File/Network I/O

2010-01-06 Thread nixlists
On Wed, Jan 6, 2010 at 2:31 PM, Henning Brauer lists-open...@bsws.de wrote:
 I really like the 275 - 420MBit/s change for 4.6 - current with pf.

Disabling pf gives a couple of MB/s more.



Re: Maximizing File/Network I/O

2010-01-05 Thread nixlists
On Tue, Jan 5, 2010 at 1:45 AM, Bret S. Lambert blamb...@openbsd.org wrote:
 Start with mount_nfs options, specifically -r and -w; I assume that
 you would have mentioned tweaking those if you had already done so.

Setting -r and -w to 16384, and jumbo frames to 9000 yields just a
couple of MB/s more. Far from 10 MB/s more the network can do ;(



pf: match vs. pass - nat and rdr

2010-01-05 Thread nixlists
Hi.

I think I mentioned that I upgraded one of the machines running pf
from 4.6 to -current.

Noticed that pf rule order behavior has changed, so I had to move
rules around and I of course had to change nat and rdr rules since the
syntax is new.
I've read the man page, but not clear on understanding the difference
between 'match' and 'pass'. What's preferable for nat and rdrs - match
or pass?

What about regular rules? In what sort of situations should I use
match rather than pass, vice/versa?

An issue today was the box totally froze after I removed one of the
redundant rules, did 'pfctl -f /etc/pf.conf', and ran 'systat queues'.
As soon as I ran systat it froze dead. Not even a panic.

Also there's a problem with
http://www.openbsd.org/faq/pf/queueing.html , first example - unless I
am confused it limits internal interface's bandwidth to that of
external. Why would I want to slow down my inside connection to the
local network?

Thanks.



Re: pf: match vs. pass - nat and rdr

2010-01-05 Thread nixlists
On Tue, Jan 5, 2010 at 8:34 PM, Robert rob...@openbsd.pap.st wrote:



 nat and rdr are now declared with match rules.

But  'pass' still works:

pass out on em0 inet from 192.168.1.0/24 to any flags S/SA keep state
nat-to (em0) round-robin

 An issue today was the box totally froze after I removed one of the
 redundant rules, did 'pfctl -f /etc/pf.conf', and ran 'systat queues'.
 As soon as I ran systat it froze dead. Not even a panic.

 You say you killed a box by trying to load a ruleset?
 Checked the config with -n before loading?

No, I am saying I killed the box by removing a single existing rule
from the ruleset and running systat. It froze as soon as I ran
'systat queues'. After a reboot the box has no trouble running the
ruleset.

 The queues on the internal interface in that example are used to limit
 download speeds from the internet. Can't do that on the external
 interface. And yes, if not done right those rules would mess with
 traffic that is internal and should not have hit those queues in the
 first place.

Hmm... I simply copied the example, and my internal interface became
bandwidth-limited as in the example.

Thanks.
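As an added illustration of the match/pass distinction asked about in this thread (this fragment is not from the original posts), the following pf.conf snippet contrasts the two ways of attaching nat-to to outbound traffic. em0 and 192.168.1.0/24 are taken from the rule quoted above; the macro names and the default-deny rule are assumptions.

```pf
# Added example (not from the thread): OpenBSD pf.conf, post-4.6 syntax.
# em0 and 192.168.1.0/24 come from the rule quoted in the thread;
# the macro names and "block all" are assumptions for this example.
ext_if  = "em0"
int_net = "192.168.1.0/24"

block all               # default deny; only a later pass rule admits traffic

# Form 1: match only attaches the translation. It never passes or blocks,
# so the packet keeps walking the ruleset and the last matching pass/block
# rule decides. Remove the pass line below and translated packets are
# still dropped by "block all" - a common surprise when converting old
# nat/rdr rules.
match out on $ext_if inet from $int_net nat-to ($ext_if) round-robin
pass  out on $ext_if inet from $int_net

# Form 2: a single pass rule carries the translation and the decision.
# Equivalent to the pair above for this traffic; "flags S/SA keep state"
# from the rule in the thread is already the default and can be omitted.
# pass out on $ext_if inet from $int_net nat-to ($ext_if) round-robin

# Test the ruleset without loading it, as suggested in the reply above:
#   pfctl -nf /etc/pf.conf
```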



sili port multiplier support

2010-01-04 Thread nixlists
Hi.

I have:

sili0 at pci4 dev 0 function 0 CMD Technology SiI3132 SATA rev 0x01:
apic 3 int 8 (irq 11)
scsibus0 at sili0: 2 targets

The manual page does not mention it, but I guess the driver does not
support port multipliers? It only detects one drive in my eSATA
enclosure. There are two drives configured as JBOD. Connecting the
enclosure to a Windows or Linux box shows two drives. I assume the
driver also somehow disables write cache on the disk by default -
judging by performance? I cannot disable write cache on this
enclosure's drives in either Linux, FreeBSD, or even Windows! It's
also a sili enclosure - Rosewill R2-RAID.

 SiI5744 Storage Processor

http://www.siliconimage.com/products/product.aspx?pid=105

Which controller drivers support port multiplying for eSATA? Thanks.



softraid rebuild

2010-01-04 Thread nixlists
Hi.

My softraid mirror went into degraded mode (on -current). How to
rebuild? I am trying to follow the bioctl manual page, but I don't
seem to understand the command to throw at it - syntax errors. Is it
supported yet?

Thanks.



Maximizing File/Network I/O

2010-01-04 Thread nixlists
Hi.

I have two machines, one running 4.6, the other running a recent
snapshot of current. tcpbench reports maximum throughput of 275 Mbit -
that's around 34 MB/s between them over a gig-E link. What should one
expect with an el-cheapo gig-e switch and 'em' Intel NIC and a  msk
NIC? Is that reasonable or too slow?

The 4.6 machine has a softraid mirror and can read off it at around 55
MB/s as shown by 'dd', and the -current machine has an eSATA enclosure
mounted async for the purpose of quickly backing up to it, that I can
write to at around 45 MB/s as shown by 'dd'. However copying over the
network to it - through NFS I can only get around 15 MB/s. Where is
the bottleneck?
How to fix??

Copying with rsync over ssh is even slower due to rsync and ssh eating
quite a bit of CPU - but that's to be expected.

Thanks a bunch.



CUPS alternative

2010-01-04 Thread nixlists
Hi. I need to print from Windows machines to an OpenBSD box using IPP.
Is CUPS the only software that will let me do this? CUPS is huge,
buggy and full of security holes. Wants to only run as root as well.

Thanks.



pf: state reuse

2010-01-04 Thread nixlists
Hi.

I am logging 'misc' messages from pf, and seeing a lot of state
reuses. What does it mean, and do I need to fix anything?

Many, many messages like

pf: state reuse TCP out wire: (0) 2ipaddress:port_goes_here
ip_address:port_goes_here stack:
(0) ip_address:port_goes_here ip_address:port_goes_here [lo=39216066
high=39216068 win=16384 modulator=0] [lo=0 high=16384 win=1 modulator=0] 10:10 S

And similar for 'in' wire

Thanks.



newfs for large files

2010-01-04 Thread nixlists
Hi.

What are the recommended newfs tweaks for an FS that will store mostly
large or very large files? Are defaults sufficient for optimum
performance, or are they mostly a general case for typical OS small
program/text files? Also my guess is that tweaking with tunefs is useless,
since it's a very old tool? I tried tunefs with larger values than
default, but that makes the kernel either freeze or panic :D

Thanks.



Re: Maximizing File/Network I/O

2010-01-04 Thread nixlists
On Tue, Jan 5, 2010 at 12:40 AM, Aaron Mason simplersolut...@gmail.com
wrote:
 It would be best put this way - if you go for the lowest bidder, in
 most cases you get what you pay for.  Your results aren't too bad
 considering what's in use.

Thanks. Where could I find more info on tuning jumbo frames? Both
cards support it...

Update: after upgrading the other machine to -current. tcpbench
performs around 420 Mbit/s now :D

One of the machines is using pf...



Re: newfs for large files

2010-01-04 Thread nixlists
On Tue, Jan 5, 2010 at 1:14 AM, Otto Moerbeek o...@drijf.net wrote:
 On Mon, Jan 04, 2010 at 10:28:28PM -0500, nixlists wrote:

 Hi.

 What are the recommended newfs tweaks for an FS that will store mostly
 large or very large files? Are defaults sufficient for optimum
 performance, or are they mostly a general case for typical OS small
 program/text files? Also my guess is that tweaking with tunefs is useless,
 since it's a very old tool? I tried tunefs with larger values than
 default, but that makes the kernel either freeze or panic :D

 Thanks.

 It will work with defaults, but you can use -f and -b to increase
 fragment and block sizes to a max of 65536. That will save space on
 metadata and make fsck_ffs faster and use less memory.

No other performance benefits than fsck?



Re: ntp log rotation

2010-01-03 Thread nixlists
It takes either a masochist to run original NTPD, or you are being tortured.



Re: Openssl patch breaks Tor

2010-01-02 Thread nixlists
If I upgrade to -current, don't I risk stability and security issues;
or are the chances of that are very low as far as this OS goes? Long
time ago I did try development versions of NetBSD and FreeBSD because
I needed support for hardware that -stable didn't have, and they were
quite shaky. Or do you guys just want more people to use -current for
the project progress reasons? I thought -current was for people who
are more into hacking code than running a stable server.

Thanks.



Re: Openssl patch breaks Tor

2009-12-31 Thread nixlists
On 12/31/09, J.C. Roberts list-...@designtools.org wrote:
 On Wed, 30 Dec 2009 17:56:03 -0500 nixlists nixmli...@gmail.com wrote:

 On 12/30/09, Tasmanian Devil tasm.de...@googlemail.com wrote:
  Changes in version 0.2.1.21 - 2009-12-21
 
  Downloaded, installed - same exact problem. Tried -alpha as well.
  Same problem. I assumed alpha worked...
 
  You're right! It seems I did give you bad advice. I'm sorry about
  that!
 
  I tried on a patched 4.6 machine, and my tor-0.2.2.6-alpha port
  which works fine on -current doesn't work on a patched 4.6. So the
  only options I see to run Tor on 4.6 at the moment is either not to
  patch OpenSSL or to upgrade to -current.
 
  Tas.

 Can't I use OpenSSL version from -current and force tor to use those
 libraries on 4.6 instead of the system libcrypto/libssl somehow? How
 would one go about doing that?

 Mixing and matching -CURRENT with -STABLE or -RELEASE is pure evil.

 Every overly curious person on this list has made this mistake, at
 least once. You will learn from this mistake/experiment, because you
 will make a serious mess.

 The right answer is backup your data, and do a fresh install of the
 most recent -CURRENT snapshot.


I don't want to do that on this particular machine. Oh well.



Recommended mini-PCI wireless cards

2009-12-30 Thread nixlists
Hi. What's recommended as far as recent mini PCI wireless cards go -
compatibility and performance-wise? I'd like to upgrade my laptop from
a /g to an /n card. Which n cards do you use and find fast/having good
reception?

Thanks.



Re: Openssl patch breaks Tor

2009-12-30 Thread nixlists
On 12/30/09, Tasmanian Devil tasm.de...@googlemail.com wrote:
 Changes in version 0.2.1.21 - 2009-12-21

 Downloaded, installed - same exact problem. Tried -alpha as well. Same
 problem. I assumed alpha worked...

 You're right! It seems I did give you bad advice. I'm sorry about that!

 I tried on a patched 4.6 machine, and my tor-0.2.2.6-alpha port which
 works fine on -current doesn't work on a patched 4.6. So the only
 options I see to run Tor on 4.6 at the moment is either not to patch
 OpenSSL or to upgrade to -current.

 Tas.

Can't I use OpenSSL version from -current and force tor to use those
libraries on 4.6 instead of the system libcrypto/libssl somehow? How
would one go about doing that?



Openssl patch breaks Tor

2009-12-29 Thread nixlists
Hi.

The OpenBSD 4.6 errata OpenSSL TLS renegotiation patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.6/common/004_openssl.patch
breaks stable release of Tor as described here (exactly the same issue
on FreeBSD):

http://archives.seul.org/tor/relays/Dec-2009/msg00014.html

Tor is not vulnerable to the attack when used with the broken OpenSSL,
but the patch stops it from working correctly as described in the
above thread. The issue is fixed only in the alpha version of Tor, and
AFAIK won't be fixed in stable:

https://blog.torproject.org/blog/tor-0226-alpha-released

I don't want to run alpha Tor, or use broken OpenSSL. What should I do
to make stable Tor run (I am not a coder, just a user - so I can't put
up and hack up :) )?

Are there any plans to replace OpenSSL with something more secure?

Thanks.



Re: Openssl patch breaks Tor

2009-12-29 Thread nixlists
On 12/29/09, Tasmanian Devil tasm.de...@googlemail.com wrote:
 It is fixed in Tor's stable release already:

 http://archives.seul.org/tor/announce/Dec-2009/msg0.html

 Changes in version 0.2.1.21 - 2009-12-21

Downloaded, installed - same exact problem. Tried -alpha as well. Same
problem. I assumed alpha worked...

Thanks.



Re: Web Browsers

2009-12-23 Thread nixlists
On 12/20/09, Robert Bronsdon reash...@gmail.com wrote:
 Google are clearly clever enough to know that upsetting the 'tin-foiled'
 geeks, by 'spying' on them would be enough to disrupt its browser.
 Especially given its lowly market share, just a little bad press would
 stop this thing ever taking off.

I highly doubt that. I think the browser will be adopted quickly and
overtake the market. Neither the majority of browser users nor Google
care about privacy or anonymity. Google also wants the browser to be
used by businesses - so there will be many features similar to those
IE has in the Windows version. There's a reason why Chromium/Chrome
uses Windows' proxy crap on Windows, and the developers are refusing
to change that despite many requests.

http://code.google.com/p/chromium/issues/detail?id=266



Web Browsers

2009-12-18 Thread nixlists
Hi. People on this list are security-conscious. I wonder what browsers they use?
What browsers do you consider more secure than others?
Granted, they're all full of all kinds of holes, but what do you do to
tighten their security?

Thanks.



Re: Web Browsers

2009-12-18 Thread nixlists
On Fri, Dec 18, 2009 at 9:07 PM, Marco Peereboom sl...@peereboom.us wrote:
 firefox + adsuck

What is your opinion on Chrome, OpenBSD gurus? Okay, we all know about
its privacy and identity leakage concerns. It's designed by Google
with this built-in - they want to know everything about you and don't
care about your privacy, yada yada. But what about its supposedly more
secure multi-process design? Is it really better than Firefox and
others in this regard?



Re: softraid not building on boot

2009-12-10 Thread nixlists
On Thu, Dec 10, 2009 at 10:12 AM, Marco Peereboom sl...@peereboom.us wrote:
 So softraid can't detect if the data is written differently to the
 drives? In what sort of cases would one expect the mirror to become
 corrupt? Kernel crash? Hardware crash? Does softraid detect this? What
 failures does it detect?

 I must not be making myself clear.  No, softraid can and will not detect
 that.  Even if you know you only know that the data is bad; there are no
 other hints that can be deduced from that knowledge.  This can happen
 when a drive returns corrupt data for whatever reason, be it hardware
 failure or a failed previous write etc.

So in what cases does softraid degrade the mirror then, other than
pulling the disk out?
How is hardware mirror raid different?

Thanks.



Re: SMP

2009-12-10 Thread nixlists
On Wed, Dec 9, 2009 at 12:03 PM, Daniel Gracia Garallar
danie...@electronicagracia.com wrote:
 It is true, and AFAIK, todays it's a topper nice task... almost 20.

 Regards,

 Dani

 Donald Allen wrote:

IMHO I hope OpenBSD doesn't use locks at all in the future, taking
FreeBSD's lesson, but does something like what Dragonfly does - LWKT
with message passing synchronisation.

http://www.dcbsdcon.org/speakers/slides/luciani_dcbsdcon2009.pdf

The fine-grained locking in FreeBSD is quite a crikey mess.



Re: softraid not building on boot

2009-12-10 Thread nixlists
On Thu, Dec 10, 2009 at 3:37 PM, Marco Peereboom sl...@peereboom.us wrote:
 So in what cases does softraid degrade the mirror then, other than
 pulling the disk out?

 When an I/O fails.

 How is hardware mirror raid different?

 It isn't.


 Thanks.

Does this mean there's little advantage of hardware mirror raid over
software? So software mirror raid increases chances of data corruption
while decreasing the chances of downtime. True for hardware as well?

Hmmm. I've used hardware raid cards for mirrors that have the verify function.
It would be interesting to know how and what those cards do.



Re: softraid not building on boot

2009-12-10 Thread nixlists
On Thu, Dec 10, 2009 at 6:00 PM, Marco Peereboom sl...@peereboom.us wrote:
 Does this mean there's little advantage of hardware mirror raid over
software?
 So software mirror raid increases chances of data corruption while
decreasing
 the chances of downtime. True for hardware as well?

 There are pro and cons to both solutions.  Pick what makes sense in your
 scenario.

 Hmmm. I've used hardware raid cards for mirrors that have the verify
function.
 It would be interesting to know how and what those cards do.

 They read the data to make sure the disk is working.  If one disk is
 failed they can rebuild that block from the remaining disk provided that
 the remaining disk isn't corrupt or broken too.  They assume that the
 data that was read is accurate; if it isn't you are SOL.

 They either don't detect or ignore blocks that are different because
 they can not know which one is accurate (if any).

 Verify for RAID 1 is mostly marketing fluff.

Thanks a lot for this info. In the past I've had weird corruption of
files with a raid card - some files on the volume would become corrupt,
but the corruption was limited to files only. IOW the whole volume
would be intact and I could write and read new files to it, but as
time went on some individual files would contain garbage instead of
real data. I wonder what that was all about.



Re: softraid not building on boot

2009-12-10 Thread nixlists
On Thu, Dec 10, 2009 at 6:41 PM, Marco Peereboom sl...@peereboom.us wrote:

 probably a crappy card or disks.

3ware Escalade 8006-2LP :(. I know - not well supported because 3ware
are the M$ of RAID.



Re: Used of dd for mirroring of quick disk replacement across servers, and second question for bigger drives?

2009-12-10 Thread nixlists
On Thu, Dec 10, 2009 at 7:54 PM, Daniel Ouellet dan...@presscom.net wrote:
 Hi,

 I am pretty sure this is not possible at all, but again, may be something
 else is available that I haven't found/think yet.

 Two questions I have.

 1. use of dd across servers.

http://ultra.ap.krakow.pl/~bar/DOC/ssh_backup.html



softraid not building on boot

2009-12-09 Thread nixlists nixlists
Hi. My 'softraid' mirror is not being detected and assembled at the
boot time. I must run 'bioctl' to assemble it after a reboot. This
started happening after I removed another softraid mirror from the box
(physically - the card and the drives). Do I have to rebuild from
scratch to make it detect automatically, or I can just run bioctl on
every boot?

Thanks.



Re: softraid not building on boot

2009-12-09 Thread nixlists
On Wed, Dec 9, 2009 at 9:58 AM, Marco Peereboom sl...@peereboom.us wrote:

 I think you mean assemble instead of build.  If I follow your meager
 description of the issue correctly this should work.  You can move a
 softraid volume to another machine and it should auto assemble.  The
 trick is to have all pieces in good shape.  A dmesg might help because a
 disk that wasn't auto assembled will complain (unless it was deleted).

 On Wed, Dec 09, 2009 at 01:14:53AM -0800, nixlists nixlists wrote:
  Hi. My 'softraid' mirror is not being detected and assembled at the
  boot time. I must run 'bioctl' to assemble it after a reboot. This
  started happening after I removed another softraid mirror from the box
  (physically - the card and the drives). Do I have to rebuild from
  scratch to make it detect automatically, or I can just run bioctl on
  every boot?
 
  Thanks.
 

'softraid0 at root'

dmesg shows that softraid is not complaining at all, just the standard
'softraid0 at root'. I may have run 'bioctl -d' on the mirror, but I
don't remember. There's no way to enable auto assembly after that, or
can metadata be changed again so it gets auto assembled on boot? IIRC
I didn't see anything in the docs.

Thanks.



Re: softraid not building on boot

2009-12-09 Thread nixlists
On Wed, Dec 9, 2009 at 4:30 PM, Marco Peereboom sl...@peereboom.us wrote:
 jsing is working on a add auto assemble flag back button.  For now you
 are stuck with bioctl -c until that is done.
 'softraid0 at root'

 dmesg shows that softraid is not complaining at all, just the standard
 'softraid0 at root'. I may have run 'bioctl -d' on the mirror, but I
 don't remember. There's no way to enable auto assembly after that, or
 can metadata be changed again so it gets auto assembled on boot? IIRC
 I didn't see anything in the docs.

 Thanks.

Thank you!  Could the documentation please reflect this fact?



Re: softraid not building on boot

2009-12-09 Thread nixlists
Also if I am paranoid about mirror data being exactly the same on the
two halves (yes, I understand softraid should guarantee it, but
still...), how can I verify it? Or is this functionality currently
nonexistent? Or am I asking a stupid question because softraid is
guaranteed to notice these things and yell at me about them? There's
nothing in manual page about this. Can I do it with other utilities?

tl;dr: How to verify softraid mirror integrity?



Re: SMP

2009-12-09 Thread nixlists
On Wed, Dec 9, 2009 at 6:19 PM, Brad Tilley b...@16systems.com wrote:
 On Wed, Dec 9, 2009 at 4:56 PM, Daniel Ouellet dan...@presscom.net wrote:

 So, what's heavy for you may be just simple routine for others and no, I do
 not miss the fine lock either yet anyway. Would be nice, but really, I
 haven't run into it's need for me anyway yet.

 That's true for me as well. We use OpenBSD on some rather busy network
 links doing Snort, among other things, and I don't think we've used
 even a quarter of its potential. I've never actually seen OpenBSD fail
 (with regard to performance) in real-world settings. The OP should
 test it out... he'll be pleasantly surprised.

 Brad

Soo... Your performance requirements may be met by OpenBSD despite its
current poor SMP support - other OSes will scale on SMP. Trade-offs,
trade-offs... It's a psychological issue. We have all this multicore
hardware that doesn't get taken advantage of by this OS, and it's
always in the backs of our minds, but the security and simplicity
trade-offs may be worth it anyway, so screw the hardware.



Re: SMP

2009-12-09 Thread nixlists
On Wed, Dec 9, 2009 at 6:46 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
 Soo... Your performance requirements may be met by OpenBSD despite its
 current poor SMP support - other OSes will scale on SMP. Trade-offs,
 trade-offs... It's a psychological issue. We have all this multicore
 hardware that doesn't get taken advantage of by this OS, and it's
 always in the backs of our minds, but the security and simplicity
 trade-offs may be worth it anyway, so screw the hardware.

 Or put it another way.

 I couldn't help but smile when someone told me their 16-way SMP box
 had been holed by a bug in their ld.so.

Linux?


